diff --git a/packages/aws/0.5.4/changelog.yml b/packages/aws/0.5.4/changelog.yml deleted file mode 100755 index 4e7fb118c2..0000000000 --- a/packages/aws/0.5.4/changelog.yml +++ /dev/null @@ -1,46 +0,0 @@ -# newer versions go on top -- version: "0.5.4" - changes: - - description: Rename s3 input to aws-s3. - type: enhancement # can be one of: enhancement, bugfix, breaking-change - link: https://github.com/elastic/integrations/pull/631 -- version: "0.5.3" - changes: - - description: Add missing "geo" fields - type: enhancement - link: https://github.com/elastic/integrations/pull/919 -- version: "0.5.2" - changes: - - description: update to ECS 1.9.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/834 -- version: "0.5.1" - changes: - - description: Ignore missing "json" field in ingest pipeline - type: bugfix - link: https://github.com/elastic/integrations/pull/791 -- version: "0.5.0" - changes: - - description: Moving edge processors to ingest pipeline - type: enhancement - link: https://github.com/elastic/integrations/pull/782 -- version: "0.4.2" - changes: - - description: Updating package owner - type: enhancement - link: https://github.com/elastic/integrations/pull/766 -- version: "0.4.1" - changes: - - description: Correct sample event file. - type: bugfix # can be one of: enhancement, bugfix, breaking-change - link: https://github.com/elastic/integrations/pull/754 -- version: "0.4.0" - changes: - - description: Add changes to use ECS 1.8 fields. - type: enhancement # can be one of: enhancement, bugfix, breaking-change - link: https://github.com/elastic/integrations/pull/721 -- version: "0.0.3" - changes: - - description: initial release - type: enhancement # can be one of: enhancement, bugfix, breaking-change - link: https://github.com/elastic/integrations/pull/21 
diff --git a/packages/aws/0.5.4/data_stream/billing/agent/stream/stream.yml.hbs b/packages/aws/0.5.4/data_stream/billing/agent/stream/stream.yml.hbs deleted file mode 100755 index caae1156d6..0000000000 --- a/packages/aws/0.5.4/data_stream/billing/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,35 +0,0 @@ -metricsets: ["billing"] -period: {{period}} -{{#if access_key_id}} -access_key_id: {{access_key_id}} -{{/if}} -{{#if secret_access_key}} -secret_access_key: {{secret_access_key}} -{{/if}} -{{#if session_token}} -session_token: {{session_token}} -{{/if}} -{{#if credential_profile_name}} -credential_profile_name: {{credential_profile_name}} -{{/if}} -{{#if shared_credential_file}} -shared_credential_file: {{shared_credential_file}} -{{/if}} -{{#if role_arn}} -role_arn: {{role_arn}} -{{/if}} -{{#if lantency}} -latency: {{latency}} -{{/if}} -{{#if cost_explorer_config.group_by_dimension_keys}} -cost_explorer_config.group_by_dimension_keys: -{{#each cost_explorer_config.group_by_dimension_keys as |dimension_key i|}} -- {{dimension_key}} -{{/each}} -{{/if}} -{{#if cost_explorer_config.group_by_tag_keys}} -cost_explorer_config.group_by_tag_keys: -{{#each cost_explorer_config.group_by_tag_keys as |tag_key i|}} -- {{tag_key}} -{{/each}} -{{/if}} \ No newline at end of file diff --git a/packages/aws/0.5.4/data_stream/billing/fields/agent.yml b/packages/aws/0.5.4/data_stream/billing/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/aws/0.5.4/data_stream/billing/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/aws/0.5.4/data_stream/billing/fields/base-fields.yml b/packages/aws/0.5.4/data_stream/billing/fields/base-fields.yml deleted file mode 100755 index 7c798f4534..0000000000 --- a/packages/aws/0.5.4/data_stream/billing/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/aws/0.5.4/data_stream/billing/fields/ecs.yml b/packages/aws/0.5.4/data_stream/billing/fields/ecs.yml deleted file mode 100755 index 745baefadc..0000000000 --- a/packages/aws/0.5.4/data_stream/billing/fields/ecs.yml +++ /dev/null 
@@ -1,60 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - type: group - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - fields: - - name: account.id - level: extended - type: keyword - description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - ignore_above: 1024 - - name: account.name - level: extended - type: keyword - description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - ignore_above: 1024 - - name: availability_zone - level: extended - type: keyword - description: Availability zone in which this host is running. - ignore_above: 1024 - - name: instance.id - level: extended - type: keyword - description: Instance ID of the host machine. - ignore_above: 1024 - - name: machine.type - level: extended - type: keyword - description: Machine type of the host machine. - ignore_above: 1024 - - name: provider - level: extended - type: keyword - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - ignore_above: 1024 - - name: region - level: extended - type: keyword - description: Region in which this host is running. - ignore_above: 1024 -- name: ecs.version - type: keyword - description: ECS version this event conforms to. - example: 1.0.0 - ignore_above: 1024 -- name: error - type: group - fields: - - name: message - level: core - type: text - description: Error message. -- name: service.type - type: keyword - description: Service type 
diff --git a/packages/aws/0.5.4/data_stream/billing/fields/fields.yml b/packages/aws/0.5.4/data_stream/billing/fields/fields.yml deleted file mode 100755 index 5b3ee582a6..0000000000 --- a/packages/aws/0.5.4/data_stream/billing/fields/fields.yml +++ /dev/null 
@@ -1,86 +0,0 @@ -- name: aws - type: group - fields: - - name: billing - type: group - fields: - - name: EstimatedCharges.max - type: long - description: Maximum estimated charges for AWS acccount. - - name: Currency - type: keyword - description: Currency name. - - name: ServiceName - type: keyword - description: AWS service name. - - name: AmortizedCost - type: group - fields: - - name: amount - type: double - description: Amortized cost amount. - - name: unit - type: keyword - description: Amortized cost unit. - - name: BlendedCost - type: group - fields: - - name: amount - type: double - description: Blended cost amount. - - name: unit - type: keyword - description: Blended cost unit. - - name: NormalizedUsageAmount - type: group - fields: - - name: amount - type: double - description: Normalized usage amount. - - name: unit - type: keyword - description: Normalized usage amount unit. - - name: UnblendedCost - type: group - fields: - - name: amount - type: double - description: Unblended cost amount. - - name: unit - type: keyword - description: Unblended cost unit. - - name: UsageQuantity - type: group - fields: - - name: amount - type: double - description: Usage quantity amount. - - name: unit - type: keyword - description: Usage quantity unit. - - name: start_date - type: keyword - description: Start date for retrieving AWS costs. - - name: end_date - type: keyword - description: End date for retrieving AWS costs. - - name: group_definition - type: group - fields: - - name: key - type: keyword - description: The string that represents a key for a specified group. - - name: type - type: keyword - description: The string that represents the type of group. - - name: group_by - type: object - object_type: keyword - object_type_mapping_type: "*" - description: Cost explorer group by key values. - - name: cloudwatch - type: group - fields: - - name: namespace - type: keyword - description: The namespace specified when query cloudwatch api. 
diff --git a/packages/aws/0.5.4/data_stream/billing/fields/package-fields.yml b/packages/aws/0.5.4/data_stream/billing/fields/package-fields.yml deleted file mode 100755 index a8a7ee8dcc..0000000000 --- a/packages/aws/0.5.4/data_stream/billing/fields/package-fields.yml +++ /dev/null @@ -1,19 +0,0 @@ -- name: aws - type: group - fields: - - name: tags.* - type: object - description: | - Tag key value pairs from aws resources. - - name: s3.bucket.name - type: keyword - description: | - Name of a S3 bucket. - - name: dimensions.* - type: object - description: | - Metric dimensions. - - name: '*.metrics.*.*' - type: object - description: | - Metrics that returned from Cloudwatch API query. diff --git a/packages/aws/0.5.4/data_stream/billing/manifest.yml b/packages/aws/0.5.4/data_stream/billing/manifest.yml deleted file mode 100755 index e42030e46c..0000000000 --- a/packages/aws/0.5.4/data_stream/billing/manifest.yml +++ /dev/null @@ -1,39 +0,0 @@ -title: AWS billing metrics -release: beta -type: metrics -streams: - - input: aws/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 12h - - name: latency - type: text - title: Latency - multi: false - required: false - show_user: false - - name: cost_explorer_config.group_by_dimension_keys - type: text - title: Cost Explorer Group By Dimension Keys - multi: true - required: false - show_user: true - default: - - "AZ" - - "INSTANCE_TYPE" - - "SERVICE" - - name: cost_explorer_config.group_by_tag_keys - type: text - title: Cost Explorer Group By Tag Keys - multi: true - required: false - show_user: true - default: - - "aws:createdBy" - title: AWS Billing metrics - description: Collect AWS billing metrics diff --git a/packages/aws/0.5.4/data_stream/billing/sample_event.json b/packages/aws/0.5.4/data_stream/billing/sample_event.json deleted file mode 100755 index 0a252492f0..0000000000 
--- a/packages/aws/0.5.4/data_stream/billing/sample_event.json +++ /dev/null @@ -1,48 +0,0 @@ -{ - "@timestamp": "2020-05-28T17:17:06.212Z", - "cloud": { - "provider": "aws", - "region": "us-east-1", - "account": { - "id": "428152502467", - "name": "elastic-beats" - } - }, - "event": { - "dataset": "aws.billing", - "module": "aws", - "duration": 1938760247 - }, - "metricset": { - "name": "billing", - "period": 43200000 - }, - "ecs": { - "version": "1.5.0" - }, - "aws": { - "billing": { - "metrics": { - "EstimatedCharges": { - "max": 1625.41 - } - } - }, - "cloudwatch": { - "namespace": "AWS/Billing" - }, - "dimensions": { - "Currency": "USD" - } - }, - "service": { - "type": "aws" - }, - "agent": { - "id": "12f376ef-5186-4e8b-a175-70f1140a8f30", - "name": "MacBook-Elastic.local", - "type": "metricbeat", - "version": "8.0.0", - "ephemeral_id": "17803f33-b617-4ce9-a9ac-e218c02aeb4b" - } -} \ No newline at end of file diff --git a/packages/aws/0.5.4/data_stream/cloudtrail/agent/stream/aws-s3.yml.hbs b/packages/aws/0.5.4/data_stream/cloudtrail/agent/stream/aws-s3.yml.hbs deleted file mode 100755 index b9d59dd2c2..0000000000 --- a/packages/aws/0.5.4/data_stream/cloudtrail/agent/stream/aws-s3.yml.hbs +++ /dev/null 
@@ -1,32 +0,0 @@ -queue_url: {{queue_url}} -expand_event_list_from_field: Records -{{#if credential_profile_name}} -credential_profile_name: {{credential_profile_name}} -{{/if}} -{{#if shared_credential_file}} -shared_credential_file: {{shared_credential_file}} -{{/if}} -{{#if visibility_timeout}} -visibility_timeout: {{visibility_timeout}} -{{/if}} -{{#if api_timeout}} -api_timeout: {{api_timeout}} -{{/if}} -{{#if endpoint}} -endpoint: {{endpoint}} -{{/if}} -{{#if access_key_id}} -access_key_id: {{access_key_id}} -{{/if}} -{{#if secret_access_key}} -secret_access_key: {{secret_access_key}} -{{/if}} -{{#if session_token}} -session_token: {{session_token}} -{{/if}} -{{#if role_arn}} -role_arn: {{role_arn}} -{{/if}} -{{#if fips_enabled}} -fips_enabled: {{fips_enabled}} -{{/if}} \ No newline at end of file diff --git a/packages/aws/0.5.4/data_stream/cloudtrail/agent/stream/httpjson.yml.hbs b/packages/aws/0.5.4/data_stream/cloudtrail/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 75fcfcba42..0000000000 --- a/packages/aws/0.5.4/data_stream/cloudtrail/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,70 +0,0 @@ -config_version: 2 -interval: {{interval}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -response.decode_as: application/x-ndjson -response.split: - target: body.result._raw - type: string - delimiter: "\n" -{{#contains tags "forwarded"}} -publisher_pipeline.disable_host: true -{{/contains}} -tags: -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -processors: - - decode_json_fields: - fields: message - target: json - add_error_key: true - - drop_event: - when: - not: - has_fields: ['json.result'] - - fingerprint: - fields: - - json.result._cd - - json.result._indextime - - json.result._raw - - json.result._time - target_field: "@metadata._id" - - drop_fields: - fields: ["message"] - - rename: - fields: - - from: json.result._raw - to: message - - drop_fields: - fields: ["json"] - ignore_missing: true - - add_fields: - target: '' - fields: - ecs.version: 1.9.0 diff --git a/packages/aws/0.5.4/data_stream/cloudtrail/elasticsearch/ingest_pipeline/default.yml b/packages/aws/0.5.4/data_stream/cloudtrail/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 7f9c8d8069..0000000000 --- a/packages/aws/0.5.4/data_stream/cloudtrail/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,740 +0,0 @@ ---- -description: Pipeline for AWS CloudTrail Logs -processors: - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' - - set: - field: ecs.version - value: '1.9.0' - - rename: - field: "message" - target_field: "event.original" - - json: - field: "event.original" - target_field: "json" - - date: - field: "json.eventTime" - target_field: "@timestamp" - ignore_failure: true - formats: - - ISO8601 - - set: - field: event.created - value: '{{@timestamp}}' - - script: - description: Drops null/empty values recursively - lang: painless - source: | - boolean drop(Object o) { - if (o == null || o == "") { - return true; - } else if (o instanceof Map) { - ((Map) o).values().removeIf(v -> drop(v)); - return (((Map) o).size() == 0); - } else if (o instanceof List) { - ((List) o).removeIf(v -> drop(v)); - return (((List) o).length == 0); - } - return false; - } - drop(ctx); - - rename: - field: "json.eventVersion" - target_field: "aws.cloudtrail.event_version" - ignore_failure: true - - rename: - field: "json.userIdentity.type" - target_field: "aws.cloudtrail.user_identity.type" - ignore_failure: true - - append: - field: related.user - value: '{{json.userIdentity.userName}}' - allow_duplicates: false - if: 'ctx.json?.userIdentity?.userName != null' - - rename: - field: "json.userIdentity.userName" - target_field: "user.name" - ignore_failure: true - - rename: - field: "json.userIdentity.principalId" - target_field: "user.id" - ignore_failure: true - - rename: - field: "json.userIdentity.arn" - target_field: "aws.cloudtrail.user_identity.arn" - ignore_failure: true - - rename: - field: "json.userIdentity.accountId" - target_field: "cloud.account.id" - ignore_failure: true - - rename: - field: "json.userIdentity.accessKeyId" - target_field: "aws.cloudtrail.user_identity.access_key_id" - ignore_failure: true - - rename: - field: "json.userIdentity.sessionContext.attributes.mfaAuthenticated" - target_field: 
"aws.cloudtrail.user_identity.session_context.mfa_authenticated" - ignore_failure: true - - date: - field: "json.userIdentity.sessionContext.attributes.creationDate" - target_field: "aws.cloudtrail.user_identity.session_context.creation_date" - ignore_failure: true - formats: - - ISO8601 - - rename: - field: "json.userIdentity.sessionContext.sessionIssuer.type" - target_field: "aws.cloudtrail.user_identity.session_context.session_issuer.type" - ignore_failure: true - # userIdentity.sessionIssuer.userName is only set with assumed roles. - - rename: - field: "json.userIdentity.sessionContext.sessionIssuer.userName" - target_field: "user.name" - ignore_failure: true - - rename: - field: "json.userIdentity.sessionContext.sessionIssuer.principalId" - target_field: "aws.cloudtrail.user_identity.session_context.session_issuer.principal_id" - ignore_failure: true - - rename: - field: "json.userIdentity.sessionContext.sessionIssuer.arn" - target_field: "aws.cloudtrail.user_identity.session_context.session_issuer.arn" - ignore_failure: true - - rename: - field: "json.userIdentity.sessionContext.sessionIssuer.accountId" - target_field: "aws.cloudtrail.user_identity.session_context.session_issuer.account_id" - ignore_failure: true - - rename: - field: "json.userIdentity.invokedBy" - target_field: "aws.cloudtrail.user_identity.invoked_by" - ignore_failure: true - - rename: - field: "json.eventSource" - target_field: "event.provider" - ignore_failure: true - - set: - field: "event.action" - value: "{{json.eventName}}" - ignore_failure: true - ignore_empty_value: true - - rename: - field: "json.eventCategory" - target_field: "aws.cloudtrail.event_category" - ignore_failure: true - - rename: - field: "json.awsRegion" - target_field: "cloud.region" - ignore_failure: true - - rename: - field: "json.sourceIPAddress" - target_field: "source.address" - ignore_failure: true - - grok: - field: source.address - ignore_failure: true - patterns: - - ^%{IP:source.ip}$ - - geoip: - field: 
"source.ip" - target_field: "source.geo" - ignore_failure: true - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - user_agent: - field: "json.userAgent" - target_field: "user_agent" - on_failure: - - rename: - field: "json.userAgent" - target_field: "user_agent.original" - ignore_failure: true - - rename: - field: "json.errorCode" - target_field: "aws.cloudtrail.error_code" - ignore_failure: true - - rename: - field: "json.errorMessage" - target_field: "aws.cloudtrail.error_message" - ignore_failure: true - - script: - lang: painless - source: | - if (ctx.aws.cloudtrail?.flattened == null) { - Map map = new HashMap(); - ctx.aws.cloudtrail.put("flattened", map); - } - if (ctx.json?.requestParameters != null) { - ctx.aws.cloudtrail.request_parameters = ctx.json.requestParameters.toString(); - if (ctx.aws.cloudtrail.request_parameters.length() < 32766) { - ctx.aws.cloudtrail.flattened.put("request_parameters", ctx.json.requestParameters); - } - } - if (ctx.json?.responseElements != null) { - ctx.aws.cloudtrail.response_elements = ctx.json.responseElements.toString(); - if (ctx.aws.cloudtrail.response_elements.length() < 32766) { - ctx.aws.cloudtrail.flattened.put("response_elements", ctx.json.responseElements); - } - } - if (ctx.json?.additionalEventData != null) { - ctx.aws.cloudtrail.additional_eventdata = ctx.json.additionalEventData.toString(); - if (ctx.aws.cloudtrail.additional_eventdata.length() < 32766) { - ctx.aws.cloudtrail.flattened.put("additional_eventdata", ctx.json.additionalEventData); - } - } - if (ctx.json?.serviceEventDetails != null) { - ctx.aws.cloudtrail.service_event_details = 
ctx.json.serviceEventDetails.toString(); - if (ctx.aws.cloudtrail.service_event_details.length() < 32766) { - ctx.aws.cloudtrail.flattened.put("service_event_details", ctx.json.serviceEventDetails); - } - } - ignore_failure: true - - rename: - field: "json.requestId" - target_field: "aws.cloudtrail.request_id" - ignore_failure: true - - rename: - field: "json.eventID" - target_field: event.id - ignore_failure: true - - rename: - field: "json.eventType" - target_field: "aws.cloudtrail.event_type" - ignore_failure: true - - rename: - field: "json.apiVersion" - target_field: "aws.cloudtrail.api_version" - ignore_failure: true - - rename: - field: "json.managementEvent" - target_field: "aws.cloudtrail.management_event" - ignore_failure: true - - rename: - field: "json.readOnly" - target_field: "aws.cloudtrail.read_only" - ignore_failure: true - - rename: - field: "json.resources.ARN" - target_field: "aws.cloudtrail.resources.arn" - ignore_failure: true - - rename: - field: "json.resources.accountId" - target_field: "aws.cloudtrail.resources.account_id" - ignore_failure: true - - rename: - field: "json.resources.type" - target_field: "aws.cloudtrail.resources.type" - ignore_failure: true - - rename: - field: "json.recipientAccountId" - target_field: "aws.cloudtrail.recipient_account_id" - ignore_failure: true - - rename: - field: "json.sharedEventId" - target_field: "aws.cloudtrail.shared_event_id" - ignore_failure: true - - rename: - field: "json.vpcEndpointId" - target_field: "aws.cloudtrail.vpc_endpoint_id" - ignore_failure: true - - append: - field: related.user - value: '{{aws.cloudtrail.flattened.request_parameters.userName}}' - allow_duplicates: false - if: 'ctx.aws?.cloudtrail?.flattened?.request_parameters?.userName != null' - - append: - field: related.user - value: '{{aws.cloudtrail.flattened.request_parameters.newUserName}}' - allow_duplicates: false - if: 'ctx.aws?.cloudtrail?.flattened?.request_parameters?.newUserName != null' - - script: - lang: painless 
- ignore_failure: true - source: >- - if (ctx.json?.eventName != 'ConsoleLogin') { - return; - } - Map aed_map = new HashMap(); - if (ctx?.aws?.cloudtrail?.flattened?.additional_eventdata?.MobileVersion != null) { - if (ctx.aws.cloudtrail.flattened.additional_eventdata.MobileVersion == 'No') { - aed_map.put("mobile_version", false); - } else { - aed_map.put("mobile_version", true); - } - } - if (ctx?.aws?.cloudtrail?.flattened?.additional_eventdata?.LoginTo != null) { - aed_map.put("login_to", ctx.aws.cloudtrail.flattened.additional_eventdata.LoginTo); - } - if (ctx?.aws?.cloudtrail?.flattened?.additional_eventdata?.MFAUsed != null) { - if (ctx.aws.cloudtrail.flattened.additional_eventdata.MFAUsed == 'No') { - aed_map.put("mfa_used", false); - } else { - aed_map.put("mfa_used", true); - } - } - if (aed_map.size() > 0) { - Map cl_map = new HashMap(); - cl_map.put("additional_eventdata", aed_map); - ctx.aws.cloudtrail.put("console_login", cl_map); - } - - script: - lang: painless - ignore_failure: true - params: - AddUserToGroup: - category: - - iam - type: - - group - - change - AssumeRole: - category: - - authentication - type: - - info - AttachGroupPolicy: - category: - - iam - type: - - group - - change - AttachUserPolicy: - category: - - iam - type: - - user - - change - ChangePassword: - category: - - iam - type: - - user - - change - ConsoleLogin: - category: - - authentication - type: - - info - CreateAccessKey: - category: - - iam - type: - - user - - change - CreateBucket: - category: - - file - type: - - creation - CreateGroup: - category: - - iam - type: - - group - - creation - CreateKeyPair: - category: - - iam - type: - - admin - - creation - CreateUser: - category: - - iam - type: - - user - - creation - CreateVirtualMFADevice: - category: - - iam - type: - - user - - change - DeactivateMFADevice: - category: - - iam - type: - - user - - change - DeleteAccessKey: - category: - - iam - type: - - user - - change - DeleteBucket: - category: - - file - 
type: - - deletion - DeleteGroup: - category: - - iam - type: - - group - - deletion - DeleteGroupPolicy: - category: - - iam - type: - - group - - change - DeleteSSHPublicKey: - category: - - iam - type: - - user - - change - DeleteUser: - category: - - iam - type: - - user - - deletion - DeleteUserPermissionsBoundary: - category: - - iam - type: - - user - - change - DeleteUserPolicy: - category: - - iam - type: - - user - - change - DeleteVirtualMFADevice: - category: - - iam - type: - - user - - change - DetachGroupPolicy: - category: - - iam - type: - - group - - change - DetachUserPolicy: - category: - - iam - type: - - user - - change - EnableMFADevice: - category: - - iam - type: - - user - - change - GetGroup: - category: - - iam - type: - - group - - info - GetGroupPolicy: - category: - - iam - type: - - group - - info - GetUser: - category: - - iam - type: - - user - - info - GetUserPolicy: - category: - - iam - type: - - user - - info - ListAttachedGroupPolicies: - category: - - iam - type: - - group - - info - ListAttachedUserPolicies: - category: - - iam - type: - - user - - info - ListGroupPolicies: - category: - - iam - type: - - group - - info - ListGroups: - category: - - iam - type: - - group - - info - ListGroupsForUser: - category: - - iam - type: - - user - - info - ListUserPolicies: - category: - - iam - type: - - user - - info - ListUsers: - category: - - iam - type: - - user - - info - ListUserTags: - category: - - iam - type: - - user - - info - PutGroupPolicy: - category: - - iam - type: - - group - - change - PutUserPermissionsBoundary: - category: - - iam - type: - - user - - change - PutUserPolicy: - category: - - iam - type: - - user - - change - RemoveUserFromGroup: - category: - - iam - type: - - group - - change - SetDefaultPolicyVersion: - category: - - iam - type: - - admin - - change - SetSecurityTokenServicePreferences: - category: - - iam - type: - - admin - - change - TagUser: - category: - - iam - type: - - user - - change - 
UntagUser: - category: - - iam - type: - - user - - change - UpdateAccessKey: - category: - - iam - type: - - user - - change - UpdateAccountPasswordPolicy: - category: - - iam - type: - - admin - - change - UpdateGroup: - category: - - iam - type: - - group - - change - UpdateLoginProfile: - category: - - iam - type: - - user - - change - UpdateRole: - category: - - iam - type: - - admin - - change - UpdateSSHPublicKey: - category: - - iam - type: - - user - - change - UpdateUser: - category: - - iam - type: - - user - - change - source: >- - ctx.event.kind = 'event'; - ctx.event.type = 'info'; - - if (ctx.aws.cloudtrail.error_code != null || ctx.aws.cloudtrail.error_message != null) { - ctx.event.outcome = 'failure' - } else { - ctx.event.outcome = 'success' - } - - if (ctx?.event?.action == null) { - return; - } - - if (ctx.event.action == 'ConsoleLogin' && ctx?.aws?.cloudtrail?.flattened?.response_elements.ConsoleLogin != null) { - ctx.event.outcome = Processors.lowercase(ctx.aws.cloudtrail.flattened.response_elements.ConsoleLogin); - } - - def hm = new HashMap(params.get(ctx.event.action)); - hm.forEach((k, v) -> ctx.event[k] = v); - - - rename: - field: "json.awsAccountId" - target_field: "cloud.account.id" - ignore_failure: true - - rename: - field: "json.previousDigestS3Object" - target_field: "file.path" - ignore_failure: true - - rename: - field: "json.previousDigestSignature" - target_field: "file.hash.sha256" - if: >- - ctx?.json?.previousDigestHashAlgorithm != null && ctx.json.previousDigestHashAlgorithm == 'SHA-256' - - append: - field: "related.hash" - value: "{{file.hash.sha256}}" - if: "ctx?.file?.hash?.sha256 != null" - - rename: - field: "json.logFiles" - target_field: "aws.cloudtrail.digest.log_files" - ignore_failure: true - - date: - field: "json.digestStartTime" - target_field: "aws.cloudtrail.digest.start_time" - ignore_failure: true - formats: - - ISO8601 - - date: - field: "json.digestEndTime" - target_field: "@timestamp" - ignore_failure: 
true - formats: - - ISO8601 - - date: - field: "json.digestEndTime" - target_field: "aws.cloudtrail.digest.end_time" - ignore_failure: true - formats: - - ISO8601 - - rename: - field: "json.digestS3Bucket" - target_field: "aws.cloudtrail.digest.s3_bucket" - ignore_failure: true - - date: - field: "json.newestEventTime" - target_field: "aws.cloudtrail.digest.newest_event_time" - ignore_failure: true - formats: - - ISO8601 - - date: - field: "json.oldestEventTime" - target_field: "aws.cloudtrail.digest.oldest_event_time" - ignore_failure: true - formats: - - ISO8601 - - rename: - field: "json.previousDigestS3Bucket" - target_field: "aws.cloudtrail.digest.previous_s3_bucket" - ignore_failure: true - - rename: - field: "json.previousDigestHashAlgorithm" - target_field: "aws.cloudtrail.digest.previous_hash_algorithm" - ignore_failure: true - - rename: - field: "json.publicKeyFingerprint" - target_field: "aws.cloudtrail.digest.public_key_fingerprint" - ignore_failure: true - - rename: - field: "json.digestSignatureAlgorithm" - target_field: "aws.cloudtrail.digest.signature_algorithm" - ignore_failure: true - - rename: - field: "json.insightDetails" - target_field: "aws.cloudtrail.insight_details" - ignore_failure: true - - set: - field: group.id - value: '{{aws.cloudtrail.flattened.response_elements.group.groupId}}' - ignore_empty_value: true - ignore_failure: true - - set: - field: user.target.id - value: '{{aws.cloudtrail.flattened.response_elements.user.userId}}' - ignore_empty_value: true - ignore_failure: true - - set: - field: user.changes.name - value: '{{aws.cloudtrail.flattened.request_parameters.newUserName}}' - ignore_empty_value: true - ignore_failure: true - - set: - field: group.name - value: '{{aws.cloudtrail.flattened.request_parameters.groupName}}' - ignore_empty_value: true - ignore_failure: true - - set: - field: user.target.name - value: '{{aws.cloudtrail.flattened.request_parameters.userName}}' - ignore_empty_value: true - ignore_failure: true - - 
rename: - field: aws.cloudtrail.digest - target_field: aws.cloudtrail.flattened.digest - ignore_missing: true - - rename: - field: aws.cloudtrail.insight_details - target_field: aws.cloudtrail.flattened.insight_details - ignore_missing: true - - remove: - field: json - ignore_missing: true -on_failure: - - set: - field: "error.message" - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/aws/0.5.4/data_stream/cloudtrail/fields/agent.yml b/packages/aws/0.5.4/data_stream/cloudtrail/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/aws/0.5.4/data_stream/cloudtrail/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/aws/0.5.4/data_stream/cloudtrail/fields/base-fields.yml b/packages/aws/0.5.4/data_stream/cloudtrail/fields/base-fields.yml deleted file mode 100755 index 7c798f4534..0000000000 --- a/packages/aws/0.5.4/data_stream/cloudtrail/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/aws/0.5.4/data_stream/cloudtrail/fields/ecs.yml b/packages/aws/0.5.4/data_stream/cloudtrail/fields/ecs.yml deleted file mode 100755 index 64093c303d..0000000000 --- a/packages/aws/0.5.4/data_stream/cloudtrail/fields/ecs.yml +++ /dev/null 
@@ -1,155 +0,0 @@ -- name: error.message - type: text - description: Error message. -- name: event.action - type: keyword - description: The action captured by the event. -- name: event.ingested - type: date - description: Timestamp when an event arrived in the central data store. -- name: event.original - type: keyword - description: Raw text message of entire event. Used to demonstrate log integrity. -- name: user.name - type: keyword - description: Short name or login of the user. -- name: user.id - type: keyword - description: Unique identifier of the user. -- name: user.target.name - type: keyword - description: Short name or login of the user. -- name: user.target.id - type: keyword - description: Unique identifier of the user. -- name: user.changes.name - type: keyword - description: Short name or login of the user. -- name: group.id - type: keyword - description: Unique identifier for the group on the system/platform. -- name: group.name - type: keyword - description: Name of the group. -- name: file - title: File - type: group - fields: - - name: path - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - - name: hash.md5 - type: keyword - ignore_above: 1024 - description: MD5 hash. - - name: hash.sha1 - type: keyword - ignore_above: 1024 - description: SHA1 hash. - - name: hash.sha256 - type: keyword - ignore_above: 1024 - description: SHA256 hash. - - name: hash.sha512 - type: keyword - ignore_above: 1024 - description: SHA512 hash. -- name: cloud.account.id - type: keyword - description: The cloud account or organization id used to identify different entities in a multi-tenant environment. -- name: event.provider - type: keyword - description: Source of the event. -- name: cloud.region - type: keyword - description: Region in which this host is running. 
-- name: source.address - type: keyword - description: Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the .address field. -- name: source.ip - type: ip - description: IP address of the source (IPv4 or IPv6). -- name: user_agent.device.name - type: keyword - description: Name of the device. -- name: user_agent.name - type: keyword - description: Name of the user agent. -- name: user_agent.original - type: keyword - description: Unparsed user_agent string. -- name: user_agent.os.full - type: keyword - description: Operating system name, including the version or code name. -- name: user_agent.os.name - type: keyword - description: Operating system name, without the version. -- name: user_agent.os.version - type: keyword - description: Operating system version as a raw string. -- name: user_agent.version - type: keyword - description: Version of the user agent. -- name: related.user - type: keyword - description: All the user names seen on your event. -- name: related.hash - type: keyword - description: All the hashes seen on your event. -- name: event.kind - type: keyword - description: Event kind (e.g. event, alert, metric, state, pipeline_error, signal) -- name: event.type - type: keyword - description: Event severity (e.g. info, error) -- name: source.as.number - type: long - description: >- - Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. -- name: source.as.organization.name - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Organization name. -- name: source.geo.city_name - type: keyword - ignore_above: 1024 - description: City name. -- name: source.geo.continent_name - type: keyword - ignore_above: 1024 - description: Name of the continent. 
-- name: source.geo.country_iso_code - type: keyword - ignore_above: 1024 - description: Country ISO code. -- name: source.geo.country_name - type: keyword - ignore_above: 1024 - description: Country name. -- name: source.geo.location - type: geo_point - description: Longitude and latitude. -- name: source.geo.region_iso_code - type: keyword - ignore_above: 1024 - description: Region ISO code. -- name: source.geo.region_name - type: keyword - ignore_above: 1024 - description: Region name. -- name: ecs.version - type: keyword - description: ECS version this event conforms to. - example: 1.0.0 - ignore_above: 1024 diff --git a/packages/aws/0.5.4/data_stream/cloudtrail/fields/fields.yml b/packages/aws/0.5.4/data_stream/cloudtrail/fields/fields.yml deleted file mode 100755 index 5b59153c9b..0000000000 --- a/packages/aws/0.5.4/data_stream/cloudtrail/fields/fields.yml +++ /dev/null 
@@ -1,170 +0,0 @@ -- name: aws.cloudtrail - type: group - fields: - - name: event_version - type: keyword - description: | - The CloudTrail version of the log event format. - - name: event_category - type: keyword - description: | - The CloudTrail event category. - - name: user_identity - type: group - fields: - - name: type - type: keyword - description: | - The type of the identity - - name: arn - type: keyword - description: The Amazon Resource Name (ARN) of the principal that made the call. - - name: access_key_id - type: keyword - description: The access key ID that was used to sign the request. - - name: session_context - type: group - fields: - - name: mfa_authenticated - type: keyword - description: The value is true if the root user or IAM user whose credentials were used for the request also was authenticated with an MFA device; otherwise, false. - - name: creation_date - type: date - description: The date and time when the temporary security credentials were issued. - - name: session_issuer - type: group - fields: - - name: type - type: keyword - description: >- - The source of the temporary security credentials, such as Root, IAMUser, or Role. - - name: principal_id - type: keyword - description: >- - The internal ID of the entity that was used to get credentials. - - name: arn - type: keyword - description: >- - The ARN of the source (account, IAM user, or role) that was used to get temporary security credentials. - - name: account_id - type: keyword - description: >- - The account that owns the entity that was used to get credentials. - - name: invoked_by - type: keyword - description: The name of the AWS service that made the request, such as Amazon EC2 Auto Scaling or AWS Elastic Beanstalk. - - name: error_code - type: keyword - description: The AWS service error if the request returns an error. - - name: error_message - type: keyword - description: If the request returns an error, the description of the error. 
- - name: request_parameters - type: keyword - description: The parameters, if any, that were sent with the request. - multi_fields: - - name: text - type: text - default_field: false - - name: response_elements - type: keyword - description: The response element for actions that make changes (create, update, or delete actions). - multi_fields: - - name: text - type: text - default_field: false - - name: additional_eventdata - type: keyword - description: Additional data about the event that was not part of the request or response. - multi_fields: - - name: text - type: text - default_field: false - - name: request_id - type: keyword - description: The value that identifies the request. The service being called generates this value. - - name: event_type - type: keyword - description: Identifies the type of event that generated the event record. - - name: api_version - type: keyword - description: Identifies the API version associated with the AwsApiCall eventType value. - - name: management_event - type: keyword - description: A Boolean value that identifies whether the event is a management event. - - name: read_only - type: boolean - description: Identifies whether this operation is a read-only operation. - - name: resources - type: group - fields: - - name: arn - type: keyword - description: Resource ARNs - - name: account_id - type: keyword - description: Account ID of the resource owner - - name: type - type: keyword - description: 'Resource type identifier in the format: AWS::aws-service-name::data-type-name' - - name: recipient_account_id - type: keyword - description: Represents the account ID that received this event. - - name: service_event_details - type: keyword - description: Identifies the service event, including what triggered the event and the result. 
- multi_fields: - - name: text - type: text - default_field: false - - name: shared_event_id - type: keyword - description: GUID generated by CloudTrail to uniquely identify CloudTrail events from the same AWS action that is sent to different AWS accounts. - - name: vpc_endpoint_id - type: keyword - description: Identifies the VPC endpoint in which requests were made from a VPC to another AWS service, such as Amazon S3. - - name: console_login - type: group - fields: - - name: additional_eventdata - type: group - fields: - - name: mobile_version - type: boolean - description: Identifies whether ConsoleLogin was from mobile version - - name: login_to - type: keyword - description: URL for ConsoleLogin - - name: mfa_used - type: boolean - description: Identifies whether multi factor authentication was used during ConsoleLogin - - name: flattened - type: group - description: >- - ES flattened datatype for objects where the subfields aren't known in advance. - fields: - - name: additional_eventdata - type: flattened - description: > - Additional data about the event that was not part of the request or response. - - - name: request_parameters - type: flattened - description: >- - The parameters, if any, that were sent with the request. - - name: response_elements - type: flattened - description: >- - The response element for actions that make changes (create, update, or delete actions). - - name: service_event_details - type: flattened - description: >- - Identifies the service event, including what triggered the event and the result. - - name: digest - type: flattened - description: >- - Additional digest information. - - name: insight_details - type: flattened - description: >- - Additional insight details. diff --git a/packages/aws/0.5.4/data_stream/cloudtrail/manifest.yml b/packages/aws/0.5.4/data_stream/cloudtrail/manifest.yml deleted file mode 100755 index b07cc152cc..0000000000 --- a/packages/aws/0.5.4/data_stream/cloudtrail/manifest.yml +++ /dev/null 
@@ -1,50 +0,0 @@ -title: AWS CloudTrail logs -release: beta -type: logs -streams: - - input: aws-s3 - template_path: aws-s3.yml.hbs - title: AWS CloudTrail logs - description: Collect AWS CloudTrail logs using s3 input - vars: - - name: queue_url - type: text - title: Queue URL - multi: false - required: true - show_user: true - description: URL of the AWS SQS queue that messages will be received from. - - name: fips_enabled - type: bool - title: Enable S3 FIPS - default: false - multi: false - required: false - show_user: false - description: Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint. - - input: httpjson - title: AWS CloudTrail logs via Splunk Enterprise REST API - description: Collect AWS CloudTrail logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=aws:cloudtrail" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded diff --git a/packages/aws/0.5.4/data_stream/cloudwatch_logs/agent/stream/aws-s3.yml.hbs b/packages/aws/0.5.4/data_stream/cloudwatch_logs/agent/stream/aws-s3.yml.hbs deleted file mode 100755 index a2a794f660..0000000000 --- a/packages/aws/0.5.4/data_stream/cloudwatch_logs/agent/stream/aws-s3.yml.hbs +++ /dev/null 
@@ -1,31 +0,0 @@ -queue_url: {{queue_url}} -{{#if credential_profile_name}} -credential_profile_name: {{credential_profile_name}} -{{/if}} -{{#if shared_credential_file}} -shared_credential_file: {{shared_credential_file}} -{{/if}} -{{#if visibility_timeout}} -visibility_timeout: {{visibility_timeout}} -{{/if}} -{{#if api_timeout}} -api_timeout: {{api_timeout}} -{{/if}} -{{#if endpoint}} -endpoint: {{endpoint}} -{{/if}} -{{#if access_key_id}} -access_key_id: {{access_key_id}} -{{/if}} -{{#if secret_access_key}} -secret_access_key: {{secret_access_key}} -{{/if}} -{{#if session_token}} -session_token: {{session_token}} -{{/if}} -{{#if role_arn}} -role_arn: {{role_arn}} -{{/if}} -{{#if fips_enabled}} -fips_enabled: {{fips_enabled}} -{{/if}} \ No newline at end of file diff --git a/packages/aws/0.5.4/data_stream/cloudwatch_logs/elasticsearch/ingest_pipeline/default.yml b/packages/aws/0.5.4/data_stream/cloudwatch_logs/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 37c110673e..0000000000 --- a/packages/aws/0.5.4/data_stream/cloudwatch_logs/elasticsearch/ingest_pipeline/default.yml +++ /dev/null @@ -1,32 +0,0 @@ ---- -description: "Pipeline for CloudWatch logs" - -processors: - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' - - set: - field: ecs.version - value: '1.9.0' - - grok: - field: message - patterns: - - "%{TIMESTAMP_ISO8601:_tmp.timestamp} %{SYSLOGTIMESTAMP:_tmp.syslog_timestamp} %{GREEDYDATA:aws.cloudwatch.message}" - - "%{TIMESTAMP_ISO8601:_tmp.timestamp} %{GREEDYDATA:aws.cloudwatch.message}" - - - date: - field: '_tmp.timestamp' - target_field: "@timestamp" - ignore_failure: true - formats: - - 'ISO8601' - - - remove: - field: - - _tmp - ignore_missing: true - -on_failure: - - set: - field: "error.message" - value: "{{ _ingest.on_failure_message }}" 
diff --git a/packages/aws/0.5.4/data_stream/cloudwatch_logs/fields/agent.yml b/packages/aws/0.5.4/data_stream/cloudwatch_logs/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/aws/0.5.4/data_stream/cloudwatch_logs/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/aws/0.5.4/data_stream/cloudwatch_logs/fields/base-fields.yml b/packages/aws/0.5.4/data_stream/cloudwatch_logs/fields/base-fields.yml deleted file mode 100755 index 7c798f4534..0000000000 --- a/packages/aws/0.5.4/data_stream/cloudwatch_logs/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/aws/0.5.4/data_stream/cloudwatch_logs/fields/ecs.yml b/packages/aws/0.5.4/data_stream/cloudwatch_logs/fields/ecs.yml deleted file mode 100755 index d01d2ba53a..0000000000 --- a/packages/aws/0.5.4/data_stream/cloudwatch_logs/fields/ecs.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: ecs.version - type: keyword - description: ECS version this event conforms to. - example: 1.0.0 - ignore_above: 1024 -- name: error - type: group - fields: - - name: message - level: core - type: text - description: Error message. diff --git a/packages/aws/0.5.4/data_stream/cloudwatch_logs/fields/fields.yml b/packages/aws/0.5.4/data_stream/cloudwatch_logs/fields/fields.yml deleted file mode 100755 index d4d4e1925b..0000000000 --- a/packages/aws/0.5.4/data_stream/cloudwatch_logs/fields/fields.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: aws.cloudwatch - type: group - fields: - - name: message - type: text - description: | - CloudWatch log message. diff --git a/packages/aws/0.5.4/data_stream/cloudwatch_logs/manifest.yml b/packages/aws/0.5.4/data_stream/cloudwatch_logs/manifest.yml deleted file mode 100755 index de9309babb..0000000000 --- a/packages/aws/0.5.4/data_stream/cloudwatch_logs/manifest.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -title: AWS CloudWatch logs -release: beta -type: logs -streams: - - input: aws-s3 - template_path: aws-s3.yml.hbs - title: AWS CloudWatch logs - description: Collect AWS CloudWatch logs using s3 input - vars: - - name: queue_url - type: text - title: Queue URL - multi: false - required: true - show_user: true - description: URL of the AWS SQS queue that messages will be received from. - - name: fips_enabled - type: bool - title: Enable S3 FIPS - default: false - multi: false - required: false - show_user: false - description: Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint. diff --git a/packages/aws/0.5.4/data_stream/cloudwatch_metrics/agent/stream/stream.yml.hbs b/packages/aws/0.5.4/data_stream/cloudwatch_metrics/agent/stream/stream.yml.hbs deleted file mode 100755 index 40e4c2530b..0000000000 --- a/packages/aws/0.5.4/data_stream/cloudwatch_metrics/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,32 +0,0 @@ -metricsets: ["cloudwatch"] -period: {{period}} -{{#if access_key_id}} -access_key_id: {{access_key_id}} -{{/if}} -{{#if secret_access_key}} -secret_access_key: {{secret_access_key}} -{{/if}} -{{#if session_token}} -session_token: {{session_token}} -{{/if}} -{{#if credential_profile_name}} -credential_profile_name: {{credential_profile_name}} -{{/if}} -{{#if shared_credential_file}} -shared_credential_file: {{shared_credential_file}} -{{/if}} -{{#if role_arn}} -role_arn: {{role_arn}} -{{/if}} -{{#if regions}} -regions: -{{#each regions as |region i|}} -- {{region}} -{{/each}} -{{/if}} -{{#if latency}} -latency: {{latency}} -{{/if}} -{{#if metrics}} -metrics: {{metrics}} -{{/if}} diff --git a/packages/aws/0.5.4/data_stream/cloudwatch_metrics/fields/agent.yml b/packages/aws/0.5.4/data_stream/cloudwatch_metrics/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/aws/0.5.4/data_stream/cloudwatch_metrics/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/aws/0.5.4/data_stream/cloudwatch_metrics/fields/base-fields.yml b/packages/aws/0.5.4/data_stream/cloudwatch_metrics/fields/base-fields.yml deleted file mode 100755 index 7c798f4534..0000000000 --- a/packages/aws/0.5.4/data_stream/cloudwatch_metrics/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/aws/0.5.4/data_stream/cloudwatch_metrics/fields/ecs.yml b/packages/aws/0.5.4/data_stream/cloudwatch_metrics/fields/ecs.yml deleted file mode 100755 index 745baefadc..0000000000 --- a/packages/aws/0.5.4/data_stream/cloudwatch_metrics/fields/ecs.yml +++ /dev/null 
@@ -1,60 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - type: group - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - fields: - - name: account.id - level: extended - type: keyword - description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - ignore_above: 1024 - - name: account.name - level: extended - type: keyword - description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - ignore_above: 1024 - - name: availability_zone - level: extended - type: keyword - description: Availability zone in which this host is running. - ignore_above: 1024 - - name: instance.id - level: extended - type: keyword - description: Instance ID of the host machine. - ignore_above: 1024 - - name: machine.type - level: extended - type: keyword - description: Machine type of the host machine. - ignore_above: 1024 - - name: provider - level: extended - type: keyword - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - ignore_above: 1024 - - name: region - level: extended - type: keyword - description: Region in which this host is running. - ignore_above: 1024 -- name: ecs.version - type: keyword - description: ECS version this event conforms to. - example: 1.0.0 - ignore_above: 1024 -- name: error - type: group - fields: - - name: message - level: core - type: text - description: Error message. -- name: service.type - type: keyword - description: Service type 
diff --git a/packages/aws/0.5.4/data_stream/cloudwatch_metrics/fields/fields.yml b/packages/aws/0.5.4/data_stream/cloudwatch_metrics/fields/fields.yml deleted file mode 100755 index 0422c9afed..0000000000 --- a/packages/aws/0.5.4/data_stream/cloudwatch_metrics/fields/fields.yml +++ /dev/null @@ -1,14 +0,0 @@ -- name: aws - type: group - fields: - - name: dimensions.* - type: object - object_type: keyword - object_type_mapping_type: "*" - description: Metric dimensions. - - name: cloudwatch - type: group - fields: - - name: namespace - type: keyword - description: The namespace specified when query cloudwatch api. diff --git a/packages/aws/0.5.4/data_stream/cloudwatch_metrics/fields/package-fields.yml b/packages/aws/0.5.4/data_stream/cloudwatch_metrics/fields/package-fields.yml deleted file mode 100755 index a8a7ee8dcc..0000000000 --- a/packages/aws/0.5.4/data_stream/cloudwatch_metrics/fields/package-fields.yml +++ /dev/null @@ -1,19 +0,0 @@ -- name: aws - type: group - fields: - - name: tags.* - type: object - description: | - Tag key value pairs from aws resources. - - name: s3.bucket.name - type: keyword - description: | - Name of a S3 bucket. - - name: dimensions.* - type: object - description: | - Metric dimensions. - - name: '*.metrics.*.*' - type: object - description: | - Metrics that returned from Cloudwatch API query. diff --git a/packages/aws/0.5.4/data_stream/cloudwatch_metrics/manifest.yml b/packages/aws/0.5.4/data_stream/cloudwatch_metrics/manifest.yml deleted file mode 100755 index dae477ae67..0000000000 --- a/packages/aws/0.5.4/data_stream/cloudwatch_metrics/manifest.yml +++ /dev/null 
@@ -1,48 +0,0 @@ -title: AWS CloudWatch metrics -release: beta -type: metrics -streams: - - input: aws/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 300s - - name: regions - type: text - title: Regions - multi: true - required: false - show_user: true - - name: latency - type: text - title: Latency - multi: false - required: false - show_user: false - - name: metrics - type: yaml - title: Metrics - multi: false - required: true - show_user: true - default: | - - namespace: AWS/EC2 - resource_type: ec2:instance - name: - - CPUUtilization - - DiskWriteOps - statistic: - - Average - - Maximum - # dimensions: - # - name: InstanceId - # value: i-123456 - # tags: - # - key: created-by - # value: foo - title: AWS CloudWatch metrics - description: Collect AWS CloudWatch metrics diff --git a/packages/aws/0.5.4/data_stream/cloudwatch_metrics/sample_event.json b/packages/aws/0.5.4/data_stream/cloudwatch_metrics/sample_event.json deleted file mode 100755 index 431705cacd..0000000000 --- a/packages/aws/0.5.4/data_stream/cloudwatch_metrics/sample_event.json +++ /dev/null 
@@ -1,53 +0,0 @@ -{ - "@timestamp": "2020-05-28T17:17:02.812Z", - "event": { - "duration": 14119105951, - "dataset": "aws.cloudwatch", - "module": "aws" - }, - "ecs": { - "version": "1.5.0" - }, - "agent": { - "ephemeral_id": "17803f33-b617-4ce9-a9ac-e218c02aeb4b", - "id": "12f376ef-5186-4e8b-a175-70f1140a8f30", - "name": "MacBook-Elastic.local", - "type": "metricbeat", - "version": "8.0.0" - }, - "service": { - "type": "aws" - }, - "cloud": { - "provider": "aws", - "region": "us-west-2", - "account": { - "name": "elastic-beats", - "id": "428152502467" - } - }, - "aws": { - "dimensions": { - "InstanceId": "i-0830bfecfa7173cbe" - }, - "ec2": { - "metrics": { - "DiskWriteOps": { - "avg": 0, - "max": 0 - }, - "CPUUtilization": { - "avg": 0.7661943132361363, - "max": 0.833333333333333 - } - } - }, - "cloudwatch": { - "namespace": "AWS/EC2" - } - }, - "metricset": { - "period": 300000, - "name": "cloudwatch" - } -} \ No newline at end of file diff --git a/packages/aws/0.5.4/data_stream/dynamodb/agent/stream/stream.yml.hbs b/packages/aws/0.5.4/data_stream/dynamodb/agent/stream/stream.yml.hbs deleted file mode 100755 index 07e4a166ac..0000000000 --- a/packages/aws/0.5.4/data_stream/dynamodb/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,32 +0,0 @@ -metricsets: ["dynamodb"] -period: {{period}} -{{#if access_key_id}} -access_key_id: {{access_key_id}} -{{/if}} -{{#if secret_access_key}} -secret_access_key: {{secret_access_key}} -{{/if}} -{{#if session_token}} -session_token: {{session_token}} -{{/if}} -{{#if credential_profile_name}} -credential_profile_name: {{credential_profile_name}} -{{/if}} -{{#if shared_credential_file}} -shared_credential_file: {{shared_credential_file}} -{{/if}} -{{#if role_arn}} -role_arn: {{role_arn}} -{{/if}} -{{#if regions}} -regions: -{{#each regions as |region i|}} -- {{region}} -{{/each}} -{{/if}} -{{#if latency}} -latency: {{latency}} -{{/if}} -{{#if tags_filter}} -tags_filter: {{tags_filter}} -{{/if}} \ No newline at end of file 
diff --git a/packages/aws/0.5.4/data_stream/dynamodb/fields/agent.yml b/packages/aws/0.5.4/data_stream/dynamodb/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/aws/0.5.4/data_stream/dynamodb/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/aws/0.5.4/data_stream/dynamodb/fields/base-fields.yml b/packages/aws/0.5.4/data_stream/dynamodb/fields/base-fields.yml deleted file mode 100755 index 7c798f4534..0000000000 --- a/packages/aws/0.5.4/data_stream/dynamodb/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/aws/0.5.4/data_stream/dynamodb/fields/ecs.yml b/packages/aws/0.5.4/data_stream/dynamodb/fields/ecs.yml deleted file mode 100755 index 745baefadc..0000000000 --- a/packages/aws/0.5.4/data_stream/dynamodb/fields/ecs.yml +++ /dev/null 
@@ -1,60 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - type: group - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - fields: - - name: account.id - level: extended - type: keyword - description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - ignore_above: 1024 - - name: account.name - level: extended - type: keyword - description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - ignore_above: 1024 - - name: availability_zone - level: extended - type: keyword - description: Availability zone in which this host is running. - ignore_above: 1024 - - name: instance.id - level: extended - type: keyword - description: Instance ID of the host machine. - ignore_above: 1024 - - name: machine.type - level: extended - type: keyword - description: Machine type of the host machine. - ignore_above: 1024 - - name: provider - level: extended - type: keyword - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - ignore_above: 1024 - - name: region - level: extended - type: keyword - description: Region in which this host is running. - ignore_above: 1024 -- name: ecs.version - type: keyword - description: ECS version this event conforms to. - example: 1.0.0 - ignore_above: 1024 -- name: error - type: group - fields: - - name: message - level: core - type: text - description: Error message. -- name: service.type - type: keyword - description: Service type 
diff --git a/packages/aws/0.5.4/data_stream/dynamodb/fields/fields.yml b/packages/aws/0.5.4/data_stream/dynamodb/fields/fields.yml deleted file mode 100755 index abd232950d..0000000000 --- a/packages/aws/0.5.4/data_stream/dynamodb/fields/fields.yml +++ /dev/null 
@@ -1,115 +0,0 @@ -- name: aws.dynamodb - type: group - fields: - - name: metrics - type: group - fields: - - name: SuccessfulRequestLatency - type: group - fields: - - name: avg - type: double - - name: max - type: double - - name: OnlineIndexPercentageProgress.avg - type: double - description: | - The percentage of completion when a new global secondary index is being added to a table. - - name: ProvisionedWriteCapacityUnits.avg - type: double - description: | - The number of provisioned write capacity units for a table or a global secondary index. - - name: ProvisionedReadCapacityUnits.avg - type: double - description: | - The number of provisioned read capacity units for a table or a global secondary index. - - name: ConsumedReadCapacityUnits - type: group - fields: - - name: avg - type: double - - name: sum - type: long - - name: ConsumedWriteCapacityUnits - type: group - fields: - - name: avg - type: double - - name: sum - type: long - - name: ReplicationLatency - type: group - fields: - - name: avg - type: double - - name: max - type: double - - name: TransactionConflict - type: group - fields: - - name: avg - type: double - - name: sum - type: long - - name: AccountProvisionedReadCapacityUtilization.avg - type: double - description: | - The average percentage of provisioned read capacity units utilized by the account. - - name: AccountProvisionedWriteCapacityUtilization.avg - type: double - description: | - The average percentage of provisioned write capacity units utilized by the account. - - name: SystemErrors.sum - type: long - description: | - The requests to DynamoDB or Amazon DynamoDB Streams that generate an HTTP 500 status code during the specified time period. - - name: ConditionalCheckFailedRequests.sum - type: long - description: | - The number of failed attempts to perform conditional writes. 
- - name: PendingReplicationCount.sum - type: long - description: | - The number of item updates that are written to one replica table, but that have not yet been written to another replica in the global table. - - name: ReadThrottleEvents.sum - type: long - description: | - Requests to DynamoDB that exceed the provisioned read capacity units for a table or a global secondary index. - - name: ThrottledRequests.sum - type: long - description: | - Requests to DynamoDB that exceed the provisioned throughput limits on a resource (such as a table or an index). - - name: WriteThrottleEvents.sum - type: long - description: | - Requests to DynamoDB that exceed the provisioned write capacity units for a table or a global secondary index. - - name: AccountMaxReads.max - type: long - description: | - The maximum number of read capacity units that can be used by an account. This limit does not apply to on-demand tables or global secondary indexes. - - name: AccountMaxTableLevelReads.max - type: long - description: | - The maximum number of read capacity units that can be used by a table or global secondary index of an account. For on-demand tables this limit caps the maximum read request units a table or a global secondary index can use. - - name: AccountMaxTableLevelWrites.max - type: long - description: | - The maximum number of write capacity units that can be used by a table or global secondary index of an account. For on-demand tables this limit caps the maximum write request units a table or a global secondary index can use. - - name: AccountMaxWrites.max - type: long - description: | - The maximum number of write capacity units that can be used by an account. This limit does not apply to on-demand tables or global secondary indexes. - - name: MaxProvisionedTableReadCapacityUtilization.max - type: double - description: | - The percentage of provisioned read capacity units utilized by the highest provisioned read table or global secondary index of an account. 
- - name: MaxProvisionedTableWriteCapacityUtilization.max - type: double - description: | - The percentage of provisioned write capacity utilized by the highest provisioned write table or global secondary index of an account. -- name: aws.cloudwatch - type: group - fields: - - name: namespace - type: keyword - description: The namespace specified when query cloudwatch api. diff --git a/packages/aws/0.5.4/data_stream/dynamodb/fields/package-fields.yml b/packages/aws/0.5.4/data_stream/dynamodb/fields/package-fields.yml deleted file mode 100755 index a8a7ee8dcc..0000000000 --- a/packages/aws/0.5.4/data_stream/dynamodb/fields/package-fields.yml +++ /dev/null @@ -1,19 +0,0 @@ -- name: aws - type: group - fields: - - name: tags.* - type: object - description: | - Tag key value pairs from aws resources. - - name: s3.bucket.name - type: keyword - description: | - Name of a S3 bucket. - - name: dimensions.* - type: object - description: | - Metric dimensions. - - name: '*.metrics.*.*' - type: object - description: | - Metrics that returned from Cloudwatch API query. diff --git a/packages/aws/0.5.4/data_stream/dynamodb/manifest.yml b/packages/aws/0.5.4/data_stream/dynamodb/manifest.yml deleted file mode 100755 index 12bec6c6e8..0000000000 --- a/packages/aws/0.5.4/data_stream/dynamodb/manifest.yml +++ /dev/null @@ -1,36 +0,0 @@ -title: AWS DynamoDB metrics -release: beta -type: metrics -streams: - - input: aws/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 5m - - name: regions - type: text - title: Regions - multi: true - required: false - show_user: true - - name: latency - type: text - title: Latency - multi: false - required: false - show_user: false - - name: tags_filter - type: yaml - title: Tags Filter - multi: false - required: false - show_user: false - default: | - # - key: "created-by" - # value: "foo" - title: AWS DynamoDB metrics - description: Collect AWS DynamoDB metrics 
diff --git a/packages/aws/0.5.4/data_stream/dynamodb/sample_event.json b/packages/aws/0.5.4/data_stream/dynamodb/sample_event.json deleted file mode 100755 index 6973aa2c90..0000000000 --- a/packages/aws/0.5.4/data_stream/dynamodb/sample_event.json +++ /dev/null @@ -1,59 +0,0 @@ -{ - "@timestamp": "2020-05-28T17:17:08.666Z", - "agent": { - "ephemeral_id": "17803f33-b617-4ce9-a9ac-e218c02aeb4b", - "id": "12f376ef-5186-4e8b-a175-70f1140a8f30", - "name": "MacBook-Elastic.local", - "type": "metricbeat", - "version": "8.0.0" - }, - "event": { - "dataset": "aws.dynamodb", - "module": "aws", - "duration": 10266182336 - }, - "service": { - "type": "aws" - }, - "ecs": { - "version": "1.5.0" - }, - "cloud": { - "account": { - "name": "elastic-beats", - "id": "428152502467" - }, - "provider": "aws", - "region": "eu-central-1" - }, - "aws": { - "dimensions": { - "TableName": "TryDaxTable3" - }, - "dynamodb": { - "metrics": { - "ProvisionedWriteCapacityUnits": { - "avg": 1 - }, - "ProvisionedReadCapacityUnits": { - "avg": 1 - }, - "ConsumedWriteCapacityUnits": { - "avg": 0, - "sum": 0 - }, - "ConsumedReadCapacityUnits": { - "avg": 0, - "sum": 0 - } - } - }, - "cloudwatch": { - "namespace": "AWS/DynamoDB" - } - }, - "metricset": { - "name": "dynamodb", - "period": 300000 - } -} \ No newline at end of file diff --git a/packages/aws/0.5.4/data_stream/ebs/agent/stream/stream.yml.hbs b/packages/aws/0.5.4/data_stream/ebs/agent/stream/stream.yml.hbs deleted file mode 100755 index b0d8e145fa..0000000000 --- a/packages/aws/0.5.4/data_stream/ebs/agent/stream/stream.yml.hbs +++ /dev/null 
@@ -1,32 +0,0 @@ -metricsets: ["ebs"] -period: {{period}} -{{#if access_key_id}} -access_key_id: {{access_key_id}} -{{/if}} -{{#if secret_access_key}} -secret_access_key: {{secret_access_key}} -{{/if}} -{{#if session_token}} -session_token: {{session_token}} -{{/if}} -{{#if credential_profile_name}} -credential_profile_name: {{credential_profile_name}} -{{/if}} -{{#if shared_credential_file}} -shared_credential_file: {{shared_credential_file}} -{{/if}} -{{#if role_arn}} -role_arn: {{role_arn}} -{{/if}} -{{#if regions}} -regions: -{{#each regions as |region i|}} -- {{region}} -{{/each}} -{{/if}} -{{#if latency}} -latency: {{latency}} -{{/if}} -{{#if tags_filter}} -tags_filter: {{tags_filter}} -{{/if}} \ No newline at end of file diff --git a/packages/aws/0.5.4/data_stream/ebs/fields/agent.yml b/packages/aws/0.5.4/data_stream/ebs/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/aws/0.5.4/data_stream/ebs/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/aws/0.5.4/data_stream/ebs/fields/base-fields.yml b/packages/aws/0.5.4/data_stream/ebs/fields/base-fields.yml
deleted file mode 100755
index 7c798f4534..0000000000
--- a/packages/aws/0.5.4/data_stream/ebs/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/aws/0.5.4/data_stream/ebs/fields/ecs.yml b/packages/aws/0.5.4/data_stream/ebs/fields/ecs.yml
deleted file mode 100755
index 745baefadc..0000000000
--- a/packages/aws/0.5.4/data_stream/ebs/fields/ecs.yml
+++ /dev/null
@@ -1,60 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- type: group
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- fields:
- - name: account.id
- level: extended
- type: keyword
- description: |-
- The cloud account or organization id used to identify different entities in a multi-tenant environment.
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
- ignore_above: 1024
- - name: account.name
- level: extended
- type: keyword
- description: |-
- The cloud account name or alias used to identify different entities in a multi-tenant environment.
- Examples: AWS account name, Google Cloud ORG display name.
- ignore_above: 1024
- - name: availability_zone
- level: extended
- type: keyword
- description: Availability zone in which this host is running.
- ignore_above: 1024
- - name: instance.id
- level: extended
- type: keyword
- description: Instance ID of the host machine.
- ignore_above: 1024
- - name: machine.type
- level: extended
- type: keyword
- description: Machine type of the host machine.
- ignore_above: 1024
- - name: provider
- level: extended
- type: keyword
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- ignore_above: 1024
- - name: region
- level: extended
- type: keyword
- description: Region in which this host is running.
- ignore_above: 1024
-- name: ecs.version
- type: keyword
- description: ECS version this event conforms to.
- example: 1.0.0
- ignore_above: 1024
-- name: error
- type: group
- fields:
- - name: message
- level: core
- type: text
- description: Error message.
-- name: service.type
- type: keyword
- description: Service type
diff --git a/packages/aws/0.5.4/data_stream/ebs/fields/fields.yml b/packages/aws/0.5.4/data_stream/ebs/fields/fields.yml
deleted file mode 100755
index c230284e0d..0000000000
--- a/packages/aws/0.5.4/data_stream/ebs/fields/fields.yml
+++ /dev/null
@@ -1,54 +0,0 @@
-- name: aws
- type: group
- fields:
- - name: dimensions
- type: group
- fields:
- - name: VolumeId
- type: keyword
- description: Amazon EBS volume ID
- - name: ebs
- type: group
- fields:
- - name: metrics
- type: group
- fields:
- - name: VolumeReadBytes.avg
- type: double
- description: Average size of each read operation during the period, except on volumes attached to a Nitro-based instance, where the average represents the average over the specified period.
- - name: VolumeWriteBytes.avg
- type: double
- description: Average size of each write operation during the period, except on volumes attached to a Nitro-based instance, where the average represents the average over the specified period.
- - name: VolumeReadOps.avg
- type: double
- description: The total number of read operations in a specified period of time.
- - name: VolumeWriteOps.avg
- type: double
- description: The total number of write operations in a specified period of time.
- - name: VolumeQueueLength.avg
- type: double
- description: The number of read and write operation requests waiting to be completed in a specified period of time.
- - name: VolumeThroughputPercentage.avg
- type: double
- description: The percentage of I/O operations per second (IOPS) delivered of the total IOPS provisioned for an Amazon EBS volume. Used with Provisioned IOPS SSD volumes only.
- - name: VolumeConsumedReadWriteOps.avg
- type: double
- description: The total amount of read and write operations (normalized to 256K capacity units) consumed in a specified period of time. Used with Provisioned IOPS SSD volumes only.
- - name: BurstBalance.avg
- type: double
- description: Used with General Purpose SSD (gp2), Throughput Optimized HDD (st1), and Cold HDD (sc1) volumes only. Provides information about the percentage of I/O credits (for gp2) or throughput credits (for st1 and sc1) remaining in the burst bucket.
- - name: VolumeTotalReadTime.sum
- type: double
- description: The total number of seconds spent by all read operations that completed in a specified period of time.
- - name: VolumeTotalWriteTime.sum
- type: double
- description: The total number of seconds spent by all write operations that completed in a specified period of time.
- - name: VolumeIdleTime.sum
- type: double
- description: The total number of seconds in a specified period of time when no read or write operations were submitted.
- - name: cloudwatch
- type: group
- fields:
- - name: namespace
- type: keyword
- description: The namespace specified when query cloudwatch api.
diff --git a/packages/aws/0.5.4/data_stream/ebs/fields/package-fields.yml b/packages/aws/0.5.4/data_stream/ebs/fields/package-fields.yml
deleted file mode 100755
index a8a7ee8dcc..0000000000
--- a/packages/aws/0.5.4/data_stream/ebs/fields/package-fields.yml
+++ /dev/null
@@ -1,19 +0,0 @@
-- name: aws
- type: group
- fields:
- - name: tags.*
- type: object
- description: |
- Tag key value pairs from aws resources.
- - name: s3.bucket.name
- type: keyword
- description: |
- Name of a S3 bucket.
- - name: dimensions.*
- type: object
- description: |
- Metric dimensions.
- - name: '*.metrics.*.*'
- type: object
- description: |
- Metrics that returned from Cloudwatch API query.
diff --git a/packages/aws/0.5.4/data_stream/ebs/manifest.yml b/packages/aws/0.5.4/data_stream/ebs/manifest.yml
deleted file mode 100755
index 5d0cce0e85..0000000000
--- a/packages/aws/0.5.4/data_stream/ebs/manifest.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-title: AWS EBS metrics
-release: beta
-type: metrics
-streams:
- - input: aws/metrics
- vars:
- - name: period
- type: text
- title: Period
- multi: false
- required: true
- show_user: true
- default: 5m
- - name: regions
- type: text
- title: Regions
- multi: true
- required: false
- show_user: true
- - name: latency
- type: text
- title: Latency
- multi: false
- required: false
- show_user: false
- - name: tags_filter
- type: yaml
- title: Tags Filter
- multi: false
- required: false
- show_user: false
- default: |
- # - key: "created-by"
- # value: "foo"
- title: AWS EBS metrics
- description: Collect AWS EBS metrics
diff --git a/packages/aws/0.5.4/data_stream/ebs/sample_event.json b/packages/aws/0.5.4/data_stream/ebs/sample_event.json
deleted file mode 100755
index ce81b383a5..0000000000
--- a/packages/aws/0.5.4/data_stream/ebs/sample_event.json
+++ /dev/null
@@ -1,66 +0,0 @@
-{
- "@timestamp": "2020-05-28T17:57:22.450Z",
- "service": {
- "type": "aws"
- },
- "aws": {
- "ebs": {
- "metrics": {
- "VolumeReadOps": {
- "avg": 0
- },
- "VolumeQueueLength": {
- "avg": 0.0000666666666666667
- },
- "VolumeWriteOps": {
- "avg": 29
- },
- "VolumeTotalWriteTime": {
- "sum": 0.02
- },
- "BurstBalance": {
- "avg": 100
- },
- "VolumeWriteBytes": {
- "avg": 14406.620689655172
- },
- "VolumeIdleTime": {
- "sum": 299.98
- }
- }
- },
- "cloudwatch": {
- "namespace": "AWS/EBS"
- },
- "dimensions": {
- "VolumeId": "vol-03370a204cc8b0a2f"
- }
- },
- "agent": {
- "name": "MacBook-Elastic.local",
- "type": "metricbeat",
- "version": "8.0.0",
- "ephemeral_id": "17803f33-b617-4ce9-a9ac-e218c02aeb4b",
- "id": "12f376ef-5186-4e8b-a175-70f1140a8f30"
- },
- "ecs": {
- "version": "1.5.0"
- },
- "cloud": {
- "provider": "aws",
- "region": "eu-central-1",
- "account": {
- "id": "428152502467",
- "name": "elastic-beats"
- }
- },
- "event": {
- "dataset": "aws.ebs",
- "module": "aws",
- "duration": 10488314037
- },
- "metricset": {
- "period": 300000,
- "name": "ebs"
- }
-}
\ No newline at end of file
diff --git a/packages/aws/0.5.4/data_stream/ec2_logs/agent/stream/aws-s3.yml.hbs b/packages/aws/0.5.4/data_stream/ec2_logs/agent/stream/aws-s3.yml.hbs
deleted file mode 100755
index a2a794f660..0000000000
--- a/packages/aws/0.5.4/data_stream/ec2_logs/agent/stream/aws-s3.yml.hbs
+++ /dev/null
@@ -1,31 +0,0 @@
-queue_url: {{queue_url}}
-{{#if credential_profile_name}}
-credential_profile_name: {{credential_profile_name}}
-{{/if}}
-{{#if shared_credential_file}}
-shared_credential_file: {{shared_credential_file}}
-{{/if}}
-{{#if visibility_timeout}}
-visibility_timeout: {{visibility_timeout}}
-{{/if}}
-{{#if api_timeout}}
-api_timeout: {{api_timeout}}
-{{/if}}
-{{#if endpoint}}
-endpoint: {{endpoint}}
-{{/if}}
-{{#if access_key_id}}
-access_key_id: {{access_key_id}}
-{{/if}}
-{{#if secret_access_key}}
-secret_access_key: {{secret_access_key}}
-{{/if}}
-{{#if session_token}}
-session_token: {{session_token}}
-{{/if}}
-{{#if role_arn}}
-role_arn: {{role_arn}}
-{{/if}}
-{{#if fips_enabled}}
-fips_enabled: {{fips_enabled}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/aws/0.5.4/data_stream/ec2_logs/elasticsearch/ingest_pipeline/default.yml b/packages/aws/0.5.4/data_stream/ec2_logs/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index d3a0891a15..0000000000
--- a/packages/aws/0.5.4/data_stream/ec2_logs/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,31 +0,0 @@
----
-description: "Pipeline for EC2 logs in CloudWatch"
-
-processors:
- - set:
- field: event.ingested
- value: '{{_ingest.timestamp}}'
- - set:
- field: ecs.version
- value: '1.9.0'
- - grok:
- field: message
- patterns:
- - "%{TIMESTAMP_ISO8601:_tmp.timestamp} %{SYSLOGTIMESTAMP:_tmp.syslog_timestamp} %{IPORHOST:aws.ec2.ip_address} %{DATA:process.name}(?:\\[%{POSINT:process.pid}\\])?: %{GREEDYDATA:message}"
-
- - date:
- field: '_tmp.timestamp'
- target_field: "@timestamp"
- ignore_failure: true
- formats:
- - 'ISO8601'
-
- - remove:
- field:
- - _tmp
- ignore_missing: true
-
-on_failure:
- - set:
- field: "error.message"
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/aws/0.5.4/data_stream/ec2_logs/fields/agent.yml b/packages/aws/0.5.4/data_stream/ec2_logs/fields/agent.yml
deleted file mode 100755
index da4e652c53..0000000000
--- a/packages/aws/0.5.4/data_stream/ec2_logs/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/aws/0.5.4/data_stream/ec2_logs/fields/base-fields.yml b/packages/aws/0.5.4/data_stream/ec2_logs/fields/base-fields.yml
deleted file mode 100755
index 7c798f4534..0000000000
--- a/packages/aws/0.5.4/data_stream/ec2_logs/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/aws/0.5.4/data_stream/ec2_logs/fields/ecs.yml b/packages/aws/0.5.4/data_stream/ec2_logs/fields/ecs.yml
deleted file mode 100755
index d01d2ba53a..0000000000
--- a/packages/aws/0.5.4/data_stream/ec2_logs/fields/ecs.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: ecs.version
- type: keyword
- description: ECS version this event conforms to.
- example: 1.0.0
- ignore_above: 1024
-- name: error
- type: group
- fields:
- - name: message
- level: core
- type: text
- description: Error message.
diff --git a/packages/aws/0.5.4/data_stream/ec2_logs/fields/fields.yml b/packages/aws/0.5.4/data_stream/ec2_logs/fields/fields.yml
deleted file mode 100755
index cf7d5a8789..0000000000
--- a/packages/aws/0.5.4/data_stream/ec2_logs/fields/fields.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-- name: aws.ec2
- type: group
- fields:
- - name: ip_address
- type: keyword
- description: |
- The internet address of the requester.
-- name: process.name
- type: keyword
- description: Process name.
diff --git a/packages/aws/0.5.4/data_stream/ec2_logs/manifest.yml b/packages/aws/0.5.4/data_stream/ec2_logs/manifest.yml
deleted file mode 100755
index 18583680ab..0000000000
--- a/packages/aws/0.5.4/data_stream/ec2_logs/manifest.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-title: AWS EC2 logs
-release: beta
-type: logs
-streams:
- - input: aws-s3
- template_path: aws-s3.yml.hbs
- title: AWS EC2 logs
- description: Collect AWS EC2 logs using s3 input
- vars:
- - name: queue_url
- type: text
- title: Queue URL
- multi: false
- required: true
- show_user: true
- description: URL of the AWS SQS queue that messages will be received from.
- - name: fips_enabled
- type: bool
- title: Enable S3 FIPS
- default: false
- multi: false
- required: false
- show_user: false
- description: Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint.
diff --git a/packages/aws/0.5.4/data_stream/ec2_metrics/agent/stream/stream.yml.hbs b/packages/aws/0.5.4/data_stream/ec2_metrics/agent/stream/stream.yml.hbs
deleted file mode 100755
index 5eb40ca78b..0000000000
--- a/packages/aws/0.5.4/data_stream/ec2_metrics/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,32 +0,0 @@
-metricsets: ["ec2"]
-period: {{period}}
-{{#if access_key_id}}
-access_key_id: {{access_key_id}}
-{{/if}}
-{{#if secret_access_key}}
-secret_access_key: {{secret_access_key}}
-{{/if}}
-{{#if session_token}}
-session_token: {{session_token}}
-{{/if}}
-{{#if credential_profile_name}}
-credential_profile_name: {{credential_profile_name}}
-{{/if}}
-{{#if shared_credential_file}}
-shared_credential_file: {{shared_credential_file}}
-{{/if}}
-{{#if role_arn}}
-role_arn: {{role_arn}}
-{{/if}}
-{{#if regions}}
-regions:
-{{#each regions as |region i|}}
-- {{region}}
-{{/each}}
-{{/if}}
-{{#if latency}}
-latency: {{latency}}
-{{/if}}
-{{#if tags_filter}}
-tags_filter: {{tags_filter}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/aws/0.5.4/data_stream/ec2_metrics/fields/agent.yml b/packages/aws/0.5.4/data_stream/ec2_metrics/fields/agent.yml
deleted file mode 100755
index 8603c3c91e..0000000000
--- a/packages/aws/0.5.4/data_stream/ec2_metrics/fields/agent.yml
+++ /dev/null
@@ -1,238 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
- - name: cpu.pct
- type: scaled_float
- format: percent
- description: >
- Percent CPU used.
This value is normalized by the number of CPU cores and it ranges from 0 to 1.
-
- - name: disk.read.bytes
- type: long
- format: bytes
- description: >
- The total number of bytes read successfully in a given period of time.
-
- - name: disk.write.bytes
- type: long
- format: bytes
- description: >
- The total number of bytes write successfully in a given period of time.
-
- - name: network.in.bytes
- type: long
- format: bytes
- description: >
- The number of bytes received on all network interfaces by the host in a given period of time.
-
- - name: network.in.packets
- type: long
- description: >
- The number of packets received on all network interfaces by the host in a given period of time.
-
- - name: network.out.bytes
- type: long
- format: bytes
- description: >
- The number of bytes sent out on all network interfaces by the host in a given period of time.
-
- - name: network.out.packets
- type: long
- description: >
- The number of packets sent out on all network interfaces by the host in a given period of time.
-
diff --git a/packages/aws/0.5.4/data_stream/ec2_metrics/fields/base-fields.yml b/packages/aws/0.5.4/data_stream/ec2_metrics/fields/base-fields.yml
deleted file mode 100755
index 7c798f4534..0000000000
--- a/packages/aws/0.5.4/data_stream/ec2_metrics/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/aws/0.5.4/data_stream/ec2_metrics/fields/ecs.yml b/packages/aws/0.5.4/data_stream/ec2_metrics/fields/ecs.yml
deleted file mode 100755
index 745baefadc..0000000000
--- a/packages/aws/0.5.4/data_stream/ec2_metrics/fields/ecs.yml
+++ /dev/null
@@ -1,60 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - type: group - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - fields: - - name: account.id - level: extended - type: keyword - description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - ignore_above: 1024 - - name: account.name - level: extended - type: keyword - description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - ignore_above: 1024 - - name: availability_zone - level: extended - type: keyword - description: Availability zone in which this host is running. - ignore_above: 1024 - - name: instance.id - level: extended - type: keyword - description: Instance ID of the host machine. - ignore_above: 1024 - - name: machine.type - level: extended - type: keyword - description: Machine type of the host machine. - ignore_above: 1024 - - name: provider - level: extended - type: keyword - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - ignore_above: 1024 - - name: region - level: extended - type: keyword - description: Region in which this host is running. - ignore_above: 1024 -- name: ecs.version - type: keyword - description: ECS version this event conforms to. - example: 1.0.0 - ignore_above: 1024 -- name: error - type: group - fields: - - name: message - level: core - type: text - description: Error message. -- name: service.type - type: keyword - description: Service type 
diff --git a/packages/aws/0.5.4/data_stream/ec2_metrics/fields/fields.yml b/packages/aws/0.5.4/data_stream/ec2_metrics/fields/fields.yml deleted file mode 100755 index b2f34d3973..0000000000 --- a/packages/aws/0.5.4/data_stream/ec2_metrics/fields/fields.yml +++ /dev/null 
@@ -1,161 +0,0 @@ -- name: aws - type: group - fields: - - name: dimensions - type: group - fields: - - name: AutoScalingGroupName - type: keyword - description: An Auto Scaling group is a collection of instances you define if you're using Auto Scaling. - - name: ImageId - type: keyword - description: This dimension filters the data you request for all instances running this Amazon EC2 Amazon Machine Image (AMI) - - name: InstanceId - type: keyword - description: Amazon EC2 instance ID - - name: InstanceType - type: keyword - description: This dimension filters the data you request for all instances running with this specified instance type. - - name: ec2 - type: group - fields: - - name: cpu.total.pct - type: scaled_float - description: | - The percentage of allocated EC2 compute units that are currently in use on the instance. - - name: cpu.credit_usage - type: long - description: | - The number of CPU credits spent by the instance for CPU utilization. - - name: cpu.credit_balance - type: long - description: | - The number of earned CPU credits that an instance has accrued since it was launched or started. - - name: cpu.surplus_credit_balance - type: long - description: | - The number of surplus credits that have been spent by an unlimited instance when its CPUCreditBalance value is zero. - - name: cpu.surplus_credits_charged - type: long - description: | - The number of spent surplus credits that are not paid down by earned CPU credits, and which thus incur an additional charge. - - name: network.in.packets - type: long - description: | - The number of packets received on all network interfaces by the instance. - - name: network.in.packets_per_sec - type: long - description: | - The number of packets per second sent out on all network interfaces by the instance. - - name: network.out.packets - type: long - description: | - The number of packets sent out on all network interfaces by the instance. 
- - name: network.out.packets_per_sec - type: long - description: | - The number of packets per second sent out on all network interfaces by the instance. - - name: network.in.bytes - type: long - format: bytes - description: | - The number of bytes received on all network interfaces by the instance. - - name: network.in.bytes_per_sec - type: long - description: | - The number of bytes per second received on all network interfaces by the instance. - - name: network.out.bytes - type: long - format: bytes - description: | - The number of bytes sent out on all network interfaces by the instance. - - name: network.out.bytes_per_sec - type: long - description: | - The number of bytes per second sent out on all network interfaces by the instance. - - name: diskio.read.bytes - type: long - format: bytes - description: | - Bytes read from all instance store volumes available to the instance. - - name: diskio.read.bytes_per_sec - type: long - description: | - Bytes read per second from all instance store volumes available to the instance. - - name: diskio.write.bytes - type: long - format: bytes - description: | - Bytes written to all instance store volumes available to the instance. - - name: diskio.write.bytes_per_sec - type: long - description: | - Bytes written per second to all instance store volumes available to the instance. - - name: diskio.read.count - type: long - description: | - Completed read operations from all instance store volumes available to the instance in a specified period of time. - - name: diskio.read.count_per_sec - type: long - description: | - Completed read operations per second from all instance store volumes available to the instance in a specified period of time. - - name: diskio.write.count - type: long - description: | - Completed write operations to all instance store volumes available to the instance in a specified period of time. 
- - name: diskio.write.count_per_sec - type: long - description: | - Completed write operations per second to all instance store volumes available to the instance in a specified period of time. - - name: status.check_failed - type: long - description: | - Reports whether the instance has passed both the instance status check and the system status check in the last minute. - - name: status.check_failed_system - type: long - description: | - Reports whether the instance has passed the system status check in the last minute. - - name: status.check_failed_instance - type: long - description: | - Reports whether the instance has passed the instance status check in the last minute. - - name: instance.core.count - type: integer - description: | - The number of CPU cores for the instance. - - name: instance.image.id - type: keyword - description: | - The ID of the image used to launch the instance. - - name: instance.monitoring.state - type: keyword - description: | - Indicates whether detailed monitoring is enabled. - - name: instance.private.dns_name - type: keyword - description: | - The private DNS name of the network interface. - - name: instance.private.ip - type: ip - description: | - The private IPv4 address associated with the network interface. - - name: instance.public.dns_name - type: keyword - description: | - The public DNS name of the instance. - - name: instance.public.ip - type: ip - description: | - The address of the Elastic IP address (IPv4) bound to the network interface. - - name: instance.state.code - type: integer - description: | - The state of the instance, as a 16-bit unsigned integer. - - name: instance.state.name - type: keyword - description: | - The state of the instance (pending | running | shutting-down | terminated | stopping | stopped). - - name: instance.threads_per_core - type: integer - description: | - The number of threads per CPU core. 
diff --git a/packages/aws/0.5.4/data_stream/ec2_metrics/fields/package-fields.yml b/packages/aws/0.5.4/data_stream/ec2_metrics/fields/package-fields.yml deleted file mode 100755 index a8a7ee8dcc..0000000000 --- a/packages/aws/0.5.4/data_stream/ec2_metrics/fields/package-fields.yml +++ /dev/null @@ -1,19 +0,0 @@ -- name: aws - type: group - fields: - - name: tags.* - type: object - description: | - Tag key value pairs from aws resources. - - name: s3.bucket.name - type: keyword - description: | - Name of a S3 bucket. - - name: dimensions.* - type: object - description: | - Metric dimensions. - - name: '*.metrics.*.*' - type: object - description: | - Metrics that returned from Cloudwatch API query. diff --git a/packages/aws/0.5.4/data_stream/ec2_metrics/manifest.yml b/packages/aws/0.5.4/data_stream/ec2_metrics/manifest.yml deleted file mode 100755 index 8a3d5fb87f..0000000000 --- a/packages/aws/0.5.4/data_stream/ec2_metrics/manifest.yml +++ /dev/null @@ -1,36 +0,0 @@ -title: AWS EC2 metrics -release: beta -type: metrics -streams: - - input: aws/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 5m - - name: regions - type: text - title: Regions - multi: true - required: false - show_user: true - - name: latency - type: text - title: Latency - multi: false - required: false - show_user: false - - name: tags_filter - type: yaml - title: Tags Filter - multi: false - required: false - show_user: false - default: | - # - key: "created-by" - # value: "foo" - title: AWS EC2 metrics - description: Collect AWS EC2 metrics diff --git a/packages/aws/0.5.4/data_stream/ec2_metrics/sample_event.json b/packages/aws/0.5.4/data_stream/ec2_metrics/sample_event.json deleted file mode 100755 index ffdd822660..0000000000 --- a/packages/aws/0.5.4/data_stream/ec2_metrics/sample_event.json +++ /dev/null 
@@ -1,110 +0,0 @@ -{ - "@timestamp": "2020-05-28T17:56:37.255Z", - "aws": { - "ec2": { - "network": { - "in": { - "packets": 448.4, - "bytes_per_sec": 103.10266666666666, - "packets_per_sec": 1.4946666666666666, - "bytes": 30930.8 - }, - "out": { - "packets": 233.6, - "bytes_per_sec": 51.754666666666665, - "packets_per_sec": 0.7786666666666666, - "bytes": 15526.4 - } - }, - "status": { - "check_failed": 0, - "check_failed_instance": 0, - "check_failed_system": 0 - }, - "cpu": { - "credit_usage": 0.004566, - "credit_balance": 144, - "surplus_credit_balance": 0, - "surplus_credits_charged": 0, - "total": { - "pct": 0.0999999999997574 - } - }, - "diskio": { - "read": { - "bytes_per_sec": 0, - "count_per_sec": 0, - "bytes": 0, - "count": 0 - }, - "write": { - "count": 0, - "bytes_per_sec": 0, - "count_per_sec": 0, - "bytes": 0 - } - }, - "instance": { - "core": { - "count": 1 - }, - "threads_per_core": 1, - "public": { - "ip": "3.122.204.80", - "dns_name": "" - }, - "private": { - "ip": "10.0.0.122", - "dns_name": "ip-10-0-0-122.eu-central-1.compute.internal" - }, - "image": { - "id": "ami-0b418580298265d5c" - }, - "state": { - "name": "running", - "code": 16 - }, - "monitoring": { - "state": "disabled" - } - } - } - }, - "agent": { - "name": "MacBook-Elastic.local", - "type": "metricbeat", - "version": "8.0.0", - "ephemeral_id": "17803f33-b617-4ce9-a9ac-e218c02aeb4b", - "id": "12f376ef-5186-4e8b-a175-70f1140a8f30" - }, - "ecs": { - "version": "1.5.0" - }, - "event": { - "module": "aws", - "duration": 23217499283, - "dataset": "aws.ec2" - }, - "metricset": { - "period": 300000, - "name": "ec2" - }, - "service": { - "type": "aws" - }, - "cloud": { - "provider": "aws", - "region": "eu-central-1", - "account": { - "name": "elastic-beats", - "id": "428152502467" - }, - "instance": { - "id": "i-04c1a32c2aace6b40" - }, - "machine": { - "type": "t2.micro" - }, - "availability_zone": "eu-central-1a" - } -} \ No newline at end of file 
diff --git a/packages/aws/0.5.4/data_stream/elb_logs/agent/stream/aws-s3.yml.hbs b/packages/aws/0.5.4/data_stream/elb_logs/agent/stream/aws-s3.yml.hbs deleted file mode 100755 index a2a794f660..0000000000 --- a/packages/aws/0.5.4/data_stream/elb_logs/agent/stream/aws-s3.yml.hbs +++ /dev/null @@ -1,31 +0,0 @@ -queue_url: {{queue_url}} -{{#if credential_profile_name}} -credential_profile_name: {{credential_profile_name}} -{{/if}} -{{#if shared_credential_file}} -shared_credential_file: {{shared_credential_file}} -{{/if}} -{{#if visibility_timeout}} -visibility_timeout: {{visibility_timeout}} -{{/if}} -{{#if api_timeout}} -api_timeout: {{api_timeout}} -{{/if}} -{{#if endpoint}} -endpoint: {{endpoint}} -{{/if}} -{{#if access_key_id}} -access_key_id: {{access_key_id}} -{{/if}} -{{#if secret_access_key}} -secret_access_key: {{secret_access_key}} -{{/if}} -{{#if session_token}} -session_token: {{session_token}} -{{/if}} -{{#if role_arn}} -role_arn: {{role_arn}} -{{/if}} -{{#if fips_enabled}} -fips_enabled: {{fips_enabled}} -{{/if}} \ No newline at end of file diff --git a/packages/aws/0.5.4/data_stream/elb_logs/elasticsearch/ingest_pipeline/default.yml b/packages/aws/0.5.4/data_stream/elb_logs/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index a40e1676b8..0000000000 --- a/packages/aws/0.5.4/data_stream/elb_logs/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,226 +0,0 @@ ---- -description: "Pipeline for ELB logs" - -processors: - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' - - set: - field: ecs.version - value: '1.9.0' - - grok: - field: message - # Classic ELB patterns documented in https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/access-log-collection.html - # ELB v2 Application load balancers https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html - # ELB v2 Netwwork load balancers https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-access-logs.html - # - patterns: - # HTTP (Classic ELB) - - >- - %{ELBHTTPLOG} - - # TCP (Classic ELB) - - >- - %{ELBTCPLOG} - - # HTTP from Application Load Balancers (v2 Load Balancers) - - >- - %{ELBV2TYPE} - %{ELBHTTPLOG} - %{NOTSPACE:aws.elb.target_group.arn} - \"%{DATA:aws.elb.trace_id}\" - \"(?:-|%{DATA:destination.domain})\" - \"(?:-|%{DATA:aws.elb.chosen_cert.arn})\" - (?:-1|%{NUMBER:aws.elb.matched_rule_priority}) - %{TIMESTAMP_ISO8601:event.start} - \"(?:-|%{DATA:_tmp.actions_executed})\" - \"(?:-|%{DATA:aws.elb.redirect_url})\" - \"(?:-|%{DATA:aws.elb.error.reason})\"( \"(?:-|%{DATA:_tmp.target_port})\")?( \"(?:-|%{DATA:_tmp.target_status_code})\")?( \"(?:-|%{DATA:aws.elb.classification})\")?( \"(?:-|%{DATA:aws.elb.classification_reason})\")? 
- - # TCP from Network Load Balancers (v2 Load Balancers) - - >- - %{ELBV2TYPE} - %{ELBV2LOGVERSION} - %{ELBTIMESTAMP} - %{ELBNAME} - %{NOTSPACE:aws.elb.listener} - %{ELBSOURCE} - %{ELBBACKEND} - %{NUMBER:aws.elb.connection_time.ms:float} - %{NUMBER:aws.elb.tls_handshake_time.ms:float} - %{NUMBER:source.bytes:long} - %{NUMBER:destination.bytes:long} - (?:-|%{NUMBER:aws.elb.incoming_tls_alert}) - (?:-|%{NOTSPACE:aws.elb.chosen_cert.arn}) - (?:-|%{NOTSPACE:aws.elb.chosen_cert.serial}) - %{ELBSSL} - (?:-|%{NOTSPACE:aws.elb.ssl_named_group}) - (?:-|%{NOTSPACE:destination.domain}) - - pattern_definitions: - ELBTIMESTAMP: '%{TIMESTAMP_ISO8601:_tmp.timestamp}' - ELBNAME: '%{NOTSPACE:aws.elb.name}' - ELBSOURCE: '%{IP:source.ip}:%{POSINT:source.port}' - ELBBACKEND: '(?:-|%{IP:aws.elb.backend.ip}:%{POSINT:aws.elb.backend.port})' - ELBPROCESSINGTIME: >- - (?:-1|%{NUMBER:aws.elb.request_processing_time.sec:float}) - (?:-1|%{NUMBER:aws.elb.backend_processing_time.sec:float}) - (?:-1|%{NUMBER:aws.elb.response_processing_time.sec:float}) - ELBSSL: >- - (?:-|%{NOTSPACE:aws.elb.ssl_cipher}) - (?:-|%{NOTSPACE:aws.elb.ssl_protocol}) - ELBCOMMON: >- - %{ELBTIMESTAMP} - %{ELBNAME} - %{ELBSOURCE} - %{ELBBACKEND} - %{ELBPROCESSINGTIME} - ELBHTTPLOG: >- - %{ELBCOMMON} - %{NUMBER:http.response.status_code:long} - (?:-|%{NUMBER:aws.elb.backend.http.response.status_code:long}) - %{NUMBER:http.request.body.bytes:long} - %{NUMBER:http.response.body.bytes:long} - \"(?:-|%{WORD:http.request.method}) (?:-|%{NOTSPACE:http.request.referrer}) (?:-|HTTP/%{NOTSPACE:http.version})\" - \"%{DATA:user_agent.original}\" - %{ELBSSL} - ELBTCPLOG: >- - %{ELBCOMMON} - - - - - %{NUMBER:source.bytes:long} - %{NUMBER:destination.bytes:long} - \"- - - \" - \"-\" - %{ELBSSL} - ELBV2TYPE: '%{WORD:aws.elb.type}' - ELBV2LOGVERSION: '%{NOTSPACE}' # Could be used to support different log versions, only 1.0 exists now - - - set: - field: event.kind - value: event - - - set: - field: cloud.provider - value: aws - - - set: 
- if: 'ctx.http != null' - field: 'aws.elb.protocol' - value: 'http' - - - set: - if: 'ctx.http != null' - field: event.category - value: web - - - set: - if: 'ctx.http == null' - field: 'aws.elb.protocol' - value: 'tcp' - - - set: - if: 'ctx.http == null' - field: event.category - value: network - - - set: - if: 'ctx?.http?.response?.status_code != null && ctx.http.response.status_code < 400' - field: event.outcome - value: success - - - set: - if: 'ctx?.http?.response?.status_code != null && ctx.http.response.status_code >= 400' - field: event.outcome - value: failure - - - lowercase: - field: http.request.method - ignore_missing: true - - - set: - if: "ctx?.aws?.elb?.trace_id != null" - field: tracing.trace.id - value: "{{aws.elb.trace_id}}" - - - split: - field: '_tmp.actions_executed' - target_field: 'aws.elb.action_executed' - separator: ',' - ignore_missing: true - - - split: - field: '_tmp.target_port' - target_field: 'aws.elb.target_port' - separator: ' ' - ignore_missing: true - - - split: - field: '_tmp.target_status_code' - target_field: 'aws.elb.target_status_code' - separator: ' ' - ignore_missing: true - - - date: - field: '_tmp.timestamp' - formats: - - 'ISO8601' - - - set: - field: 'event.end' - value: '{{ @timestamp }}' - - - geoip: - field: 'source.ip' - target_field: 'source.geo' - ignore_missing: true - - - geoip: - database_file: 'GeoLite2-ASN.mmdb' - field: 'source.ip' - target_field: 'source.as' - properties: - - 'asn' - - 'organization_name' - ignore_missing: true - - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - - set: - field: tls.cipher - value: '{{aws.elb.ssl_cipher}}' - if: ctx.aws?.elb?.ssl_cipher != null - - - script: - lang: painless - if: ctx.aws?.elb?.ssl_protocol != null - source: >- - def parts = ctx.aws.elb.ssl_protocol.splitOnToken("v"); - if (parts.length != 2) { 
- return; - } - if (parts[1].contains(".")) { - ctx.tls.version = parts[1]; - } else { - ctx.tls.version = parts[1].substring(0,1) + "." + parts[1].substring(1); - } - ctx.tls.version_protocol = parts[0].toLowerCase(); - - - remove: - field: - - message - - _tmp - ignore_missing: true - -on_failure: - - set: - field: "error.message" - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/aws/0.5.4/data_stream/elb_logs/fields/agent.yml b/packages/aws/0.5.4/data_stream/elb_logs/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/aws/0.5.4/data_stream/elb_logs/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/aws/0.5.4/data_stream/elb_logs/fields/base-fields.yml b/packages/aws/0.5.4/data_stream/elb_logs/fields/base-fields.yml deleted file mode 100755 index 7c798f4534..0000000000 --- a/packages/aws/0.5.4/data_stream/elb_logs/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/aws/0.5.4/data_stream/elb_logs/fields/ecs.yml b/packages/aws/0.5.4/data_stream/elb_logs/fields/ecs.yml deleted file mode 100755 index d01d2ba53a..0000000000 --- a/packages/aws/0.5.4/data_stream/elb_logs/fields/ecs.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: ecs.version - type: keyword - description: ECS version this event conforms to. - example: 1.0.0 - ignore_above: 1024 -- name: error - type: group - fields: - - name: message - level: core - type: text - description: Error message. diff --git a/packages/aws/0.5.4/data_stream/elb_logs/fields/fields.yml b/packages/aws/0.5.4/data_stream/elb_logs/fields/fields.yml deleted file mode 100755 index a93a869422..0000000000 --- a/packages/aws/0.5.4/data_stream/elb_logs/fields/fields.yml +++ /dev/null 
@@ -1,197 +0,0 @@ -- name: aws.elb - type: group - fields: - - name: name - type: keyword - description: | - The name of the load balancer. - - name: type - type: keyword - description: | - The type of the load balancer for v2 Load Balancers. - - name: target_group.arn - type: keyword - description: | - The ARN of the target group handling the request. - - name: listener - type: keyword - description: | - The ELB listener that received the connection. - - name: protocol - type: keyword - description: | - The protocol of the load balancer (http or tcp). - - name: request_processing_time.sec - type: float - description: | - The total time in seconds since the connection or request is received until it is sent to a registered backend. - - name: backend_processing_time.sec - type: float - description: | - The total time in seconds since the connection is sent to the backend till the backend starts responding. - - name: response_processing_time.sec - type: float - description: | - The total time in seconds since the response is received from the backend till it is sent to the client. - - name: connection_time.ms - type: long - description: | - The total time of the connection in milliseconds, since it is opened till it is closed. - - name: tls_handshake_time.ms - type: long - description: | - The total time for the TLS handshake to complete in milliseconds once the connection has been established. - - name: backend.ip - type: keyword - description: | - The IP address of the backend processing this connection. - - name: backend.port - type: keyword - description: | - The port in the backend processing this connection. - - name: backend.http.response.status_code - type: long - description: | - The status code from the backend (status code sent to the client from ELB is stored in `http.response.status_code` - - name: ssl_cipher - type: keyword - description: | - The SSL cipher used in TLS/SSL connections. 
- - name: ssl_protocol - type: keyword - description: | - The SSL protocol used in TLS/SSL connections. - - name: chosen_cert.arn - type: keyword - description: | - The ARN of the chosen certificate presented to the client in TLS/SSL connections. - - name: chosen_cert.serial - type: keyword - description: | - The serial number of the chosen certificate presented to the client in TLS/SSL connections. - - name: incoming_tls_alert - type: keyword - description: | - The integer value of TLS alerts received by the load balancer from the client, if present. - - name: tls_named_group - type: keyword - description: | - The TLS named group. - - name: trace_id - type: keyword - description: | - The contents of the `X-Amzn-Trace-Id` header. - - name: matched_rule_priority - type: keyword - description: | - The priority value of the rule that matched the request, if a rule matched. - - name: action_executed - type: keyword - description: | - The action executed when processing the request (forward, fixed-response, authenticate...). It can contain several values. - - name: redirect_url - type: keyword - description: | - The URL used if a redirection action was executed. - - name: error.reason - type: keyword - description: | - The error reason if the executed action failed. - - name: target_port - type: keyword - description: > - List of IP addresses and ports for the targets that processed this request. - - - name: target_status_code - type: keyword - description: > - List of status codes from the responses of the targets. - - - name: classification - type: keyword - description: > - The classification for desync mitigation. - - - name: classification_reason - type: keyword - description: > - The classification reason code. - -- name: destination.domain - type: keyword - description: Destination domain. -- name: event.start - type: date - description: event.start contains the date when the event started or when the activity was first observed. 
-- name: destination.bytes - type: long - description: Bytes sent from the destination to the source. -- name: http.response.status_code - type: long - description: HTTP response status code. -- name: http.request.body.bytes - type: long - description: Size in bytes of the request body. -- name: http.response.body.bytes - type: long - description: Size in bytes of the response body. -- name: http.request.method - type: keyword - description: HTTP request method. -- name: http.request.referrer - type: keyword - description: Referrer for this HTTP request. -- name: http.version - type: keyword - description: HTTP version. -- name: user_agent.original - type: keyword - description: Unparsed user_agent string. -- name: cloud.provider - type: keyword - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. -- name: event.kind - type: keyword - description: Event kind (e.g. event, alert, metric, state, pipeline_error, sig -- name: event.category - type: keyword - description: Event category (e.g. database) -- name: event.outcome - type: keyword - description: This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. -- name: tracing.trace.id - type: keyword - description: Unique identifier of the trace. -- name: event.end - type: date - description: event.end contains the date when the event ended or when the activity was last observed. -- name: source.ip - type: ip - description: IP address of the source. -- name: source.as.number - type: long - description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. -- name: source.as.organization.name - type: keyword - description: Organization name. -- name: source.geo.city_name - type: keyword - description: City name. -- name: source.geo.continent_name - type: keyword - description: Name of the continent. 
-- name: source.geo.country_iso_code - type: keyword - description: Country ISO code. -- name: source.geo.location - type: geo_point - description: Longitude and latitude. -- name: source.geo.region_iso_code - type: keyword - description: Region ISO code. -- name: source.geo.region_name - type: keyword - description: Region name. -- name: source.port - type: keyword - description: Port of the source. diff --git a/packages/aws/0.5.4/data_stream/elb_logs/manifest.yml b/packages/aws/0.5.4/data_stream/elb_logs/manifest.yml deleted file mode 100755 index 88c6492db5..0000000000 --- a/packages/aws/0.5.4/data_stream/elb_logs/manifest.yml +++ /dev/null @@ -1,24 +0,0 @@ -title: AWS ELB logs -release: beta -type: logs -streams: - - input: aws-s3 - template_path: aws-s3.yml.hbs - title: AWS ELB logs - description: Collect AWS ELB logs using s3 input - vars: - - name: queue_url - type: text - title: Queue URL - multi: false - required: true - show_user: true - description: URL of the AWS SQS queue that messages will be received from. - - name: fips_enabled - type: bool - title: Enable S3 FIPS - default: false - multi: false - required: false - show_user: false - description: Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint. diff --git a/packages/aws/0.5.4/data_stream/elb_metrics/agent/stream/stream.yml.hbs b/packages/aws/0.5.4/data_stream/elb_metrics/agent/stream/stream.yml.hbs deleted file mode 100755 index 57c5acdd4c..0000000000 --- a/packages/aws/0.5.4/data_stream/elb_metrics/agent/stream/stream.yml.hbs +++ /dev/null 
@@ -1,32 +0,0 @@
-metricsets: ["elb"]
-period: {{period}}
-{{#if access_key_id}}
-access_key_id: {{access_key_id}}
-{{/if}}
-{{#if secret_access_key}}
-secret_access_key: {{secret_access_key}}
-{{/if}}
-{{#if session_token}}
-session_token: {{session_token}}
-{{/if}}
-{{#if credential_profile_name}}
-credential_profile_name: {{credential_profile_name}}
-{{/if}}
-{{#if shared_credential_file}}
-shared_credential_file: {{shared_credential_file}}
-{{/if}}
-{{#if role_arn}}
-role_arn: {{role_arn}}
-{{/if}}
-{{#if regions}}
-regions:
-{{#each regions as |region i|}}
-- {{region}}
-{{/each}}
-{{/if}}
-{{#if latency}}
-latency: {{latency}}
-{{/if}}
-{{#if tags_filter}}
-tags_filter: {{tags_filter}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/aws/0.5.4/data_stream/elb_metrics/fields/agent.yml b/packages/aws/0.5.4/data_stream/elb_metrics/fields/agent.yml
deleted file mode 100755
index da4e652c53..0000000000
--- a/packages/aws/0.5.4/data_stream/elb_metrics/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/aws/0.5.4/data_stream/elb_metrics/fields/base-fields.yml b/packages/aws/0.5.4/data_stream/elb_metrics/fields/base-fields.yml
deleted file mode 100755
index 7c798f4534..0000000000
--- a/packages/aws/0.5.4/data_stream/elb_metrics/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/aws/0.5.4/data_stream/elb_metrics/fields/ecs.yml b/packages/aws/0.5.4/data_stream/elb_metrics/fields/ecs.yml
deleted file mode 100755
index 745baefadc..0000000000
--- a/packages/aws/0.5.4/data_stream/elb_metrics/fields/ecs.yml
+++ /dev/null
@@ -1,60 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- type: group
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- fields:
- - name: account.id
- level: extended
- type: keyword
- description: |-
- The cloud account or organization id used to identify different entities in a multi-tenant environment.
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
- ignore_above: 1024
- - name: account.name
- level: extended
- type: keyword
- description: |-
- The cloud account name or alias used to identify different entities in a multi-tenant environment.
- Examples: AWS account name, Google Cloud ORG display name.
- ignore_above: 1024
- - name: availability_zone
- level: extended
- type: keyword
- description: Availability zone in which this host is running.
- ignore_above: 1024
- - name: instance.id
- level: extended
- type: keyword
- description: Instance ID of the host machine.
- ignore_above: 1024
- - name: machine.type
- level: extended
- type: keyword
- description: Machine type of the host machine.
- ignore_above: 1024
- - name: provider
- level: extended
- type: keyword
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- ignore_above: 1024
- - name: region
- level: extended
- type: keyword
- description: Region in which this host is running.
- ignore_above: 1024
-- name: ecs.version
- type: keyword
- description: ECS version this event conforms to.
- example: 1.0.0
- ignore_above: 1024
-- name: error
- type: group
- fields:
- - name: message
- level: core
- type: text
- description: Error message.
-- name: service.type
- type: keyword
- description: Service type
diff --git a/packages/aws/0.5.4/data_stream/elb_metrics/fields/fields.yml b/packages/aws/0.5.4/data_stream/elb_metrics/fields/fields.yml
deleted file mode 100755
index dd916b17f4..0000000000
--- a/packages/aws/0.5.4/data_stream/elb_metrics/fields/fields.yml
+++ /dev/null
@@ -1,201 +0,0 @@
-- name: aws
- type: group
- fields:
- - name: elb
- type: group
- fields:
- - name: metrics
- type: group
- fields:
- - name: BackendConnectionErrors.sum
- type: long
- description: The number of connections that were not successfully established between the load balancer and the registered instances.
- - name: HTTPCode_Backend_2XX.sum
- type: long
- description: The number of HTTP 2XX response code generated by registered instances.
- - name: HTTPCode_Backend_3XX.sum
- type: long
- description: The number of HTTP 3XX response code generated by registered instances.
- - name: HTTPCode_Backend_4XX.sum
- type: long
- description: The number of HTTP 4XX response code generated by registered instances.
- - name: HTTPCode_Backend_5XX.sum
- type: long
- description: The number of HTTP 5XX response code generated by registered instances.
- - name: HTTPCode_ELB_4XX.sum
- type: long
- description: The number of HTTP 4XX client error codes generated by the load balancer.
- - name: HTTPCode_ELB_5XX.sum
- type: long
- description: The number of HTTP 5XX server error codes generated by the load balancer.
- - name: RequestCount.sum
- type: long
- description: The number of requests completed or connections made during the specified interval.
- - name: SpilloverCount.sum
- type: long
- description: The total number of requests that were rejected because the surge queue is full.
- - name: HealthyHostCount.max
- type: long
- description: The number of healthy instances registered with your load balancer.
- - name: SurgeQueueLength.max
- type: long
- description: The total number of requests (HTTP listener) or connections (TCP listener) that are pending routing to a healthy instance.
- - name: UnHealthyHostCount.max
- type: long
- description: The number of unhealthy instances registered with your load balancer.
- - name: Latency.avg
- type: double
- description: The total time elapsed, in seconds, from the time the load balancer sent the request to a registered instance until the instance started to send the response headers.
- - name: EstimatedALBActiveConnectionCount.avg
- type: double
- description: The estimated number of concurrent TCP connections active from clients to the load balancer and from the load balancer to targets.
- - name: EstimatedALBConsumedLCUs.avg
- type: double
- description: The estimated number of load balancer capacity units (LCU) used by an Application Load Balancer.
- - name: EstimatedALBNewConnectionCount.avg
- type: double
- description: The estimated number of new TCP connections established from clients to the load balancer and from the load balancer to targets.
- - name: EstimatedProcessedBytes.avg
- type: double
- description: The estimated number of bytes processed by an Application Load Balancer.
- - name: applicationelb
- type: group
- fields:
- - name: metrics
- type: group
- fields:
- - name: ActiveConnectionCount.sum
- type: long
- description: The total number of concurrent TCP connections active from clients to the load balancer and from the load balancer to targets.
- - name: ClientTLSNegotiationErrorCount.sum
- type: long
- description: The number of TLS connections initiated by the client that did not establish a session with the load balancer due to a TLS error.
- - name: HTTP_Fixed_Response_Count.sum
- type: long
- description: The number of fixed-response actions that were successful.
- - name: HTTP_Redirect_Count.sum
- type: long
- description: The number of redirect actions that were successful.
- - name: HTTP_Redirect_Url_Limit_Exceeded_Count.sum
- type: long
- description: The number of redirect actions that couldn't be completed because the URL in the response location header is larger than 8K.
- - name: HTTPCode_ELB_3XX_Count.sum
- type: long
- description: The number of HTTP 3XX redirection codes that originate from the load balancer.
- - name: HTTPCode_ELB_4XX_Count.sum
- type: long
- description: The number of HTTP 4XX client error codes that originate from the load balancer.
- - name: HTTPCode_ELB_5XX_Count.sum
- type: long
- description: The number of HTTP 5XX server error codes that originate from the load balancer.
- - name: HTTPCode_ELB_500_Count.sum
- type: long
- description: The number of HTTP 500 error codes that originate from the load balancer.
- - name: HTTPCode_ELB_502_Count.sum
- type: long
- description: The number of HTTP 502 error codes that originate from the load balancer.
- - name: HTTPCode_ELB_503_Count.sum
- type: long
- description: The number of HTTP 503 error codes that originate from the load balancer.
- - name: HTTPCode_ELB_504_Count.sum
- type: long
- description: The number of HTTP 504 error codes that originate from the load balancer.
- - name: IPv6ProcessedBytes.sum
- type: long
- description: The total number of bytes processed by the load balancer over IPv6.
- - name: IPv6RequestCount.sum
- type: long
- description: The number of IPv6 requests received by the load balancer.
- - name: NewConnectionCount.sum
- type: long
- description: The total number of new TCP connections established from clients to the load balancer and from the load balancer to targets.
- - name: ProcessedBytes.sum
- type: long
- description: The total number of bytes processed by the load balancer over IPv4 and IPv6.
- - name: RejectedConnectionCount.sum
- type: long
- description: The number of connections that were rejected because the load balancer had reached its maximum number of connections.
- - name: RequestCount.sum
- type: long
- description: The number of requests processed over IPv4 and IPv6.
- - name: RuleEvaluations.sum
- type: long
- description: The number of rules processed by the load balancer given a request rate averaged over an hour.
- - name: ConsumedLCUs.avg
- type: double
- description: The number of load balancer capacity units (LCU) used by your load balancer.
- - name: networkelb
- type: group
- fields:
- - name: metrics
- type: group
- fields:
- - name: ActiveFlowCount.avg
- type: double
- description: The total number of concurrent flows (or connections) from clients to targets.
- - name: ActiveFlowCount_TCP.avg
- type: double
- description: The total number of concurrent TCP flows (or connections) from clients to targets.
- - name: ActiveFlowCount_TLS.avg
- type: double
- description: The total number of concurrent TLS flows (or connections) from clients to targets.
- - name: ActiveFlowCount_UDP.avg
- type: double
- description: The total number of concurrent UDP flows (or connections) from clients to targets.
- - name: ConsumedLCUs.avg
- type: double
- description: The number of load balancer capacity units (LCU) used by your load balancer.
- - name: ClientTLSNegotiationErrorCount.sum
- type: long
- description: The total number of TLS handshakes that failed during negotiation between a client and a TLS listener.
- - name: NewFlowCount.sum
- type: long
- description: The total number of new flows (or connections) established from clients to targets in the time period.
- - name: NewFlowCount_TLS.sum
- type: long
- description: The total number of new TLS flows (or connections) established from clients to targets in the time period.
- - name: ProcessedBytes.sum
- type: long
- description: The total number of bytes processed by the load balancer, including TCP/IP headers.
- - name: ProcessedBytes_TLS.sum
- type: long
- description: The total number of bytes processed by TLS listeners.
- - name: TargetTLSNegotiationErrorCount.sum
- type: long
- description: The total number of TLS handshakes that failed during negotiation between a TLS listener and a target.
- - name: TCP_Client_Reset_Count.sum
- type: long
- description: The total number of reset (RST) packets sent from a client to a target.
- - name: TCP_ELB_Reset_Count.sum
- type: long
- description: The total number of reset (RST) packets generated by the load balancer.
- - name: TCP_Target_Reset_Count.sum
- type: long
- description: The total number of reset (RST) packets sent from a target to a client.
- - name: HealthyHostCount.max
- type: long
- description: The number of targets that are considered healthy.
- - name: UnHealthyHostCount.max
- type: long
- description: The number of targets that are considered unhealthy.
- - name: dimensions
- type: group
- fields:
- - name: AvailabilityZone
- type: keyword
- description: Filters the metric data by the specified Availability Zone.
- - name: LoadBalancerName
- type: keyword
- description: Filters the metric data by the specified load balancer.
- - name: LoadBalancer
- type: keyword
- description: Filters the metric data by load balancer.
- - name: TargetGroup
- type: keyword
- description: Filters the metric data by target group.
- - name: cloudwatch
- type: group
- fields:
- - name: namespace
- type: keyword
- description: The namespace specified when query cloudwatch api.
diff --git a/packages/aws/0.5.4/data_stream/elb_metrics/fields/package-fields.yml b/packages/aws/0.5.4/data_stream/elb_metrics/fields/package-fields.yml
deleted file mode 100755
index a8a7ee8dcc..0000000000
--- a/packages/aws/0.5.4/data_stream/elb_metrics/fields/package-fields.yml
+++ /dev/null
@@ -1,19 +0,0 @@
-- name: aws
- type: group
- fields:
- - name: tags.*
- type: object
- description: |
- Tag key value pairs from aws resources.
- - name: s3.bucket.name
- type: keyword
- description: |
- Name of a S3 bucket.
- - name: dimensions.*
- type: object
- description: |
- Metric dimensions.
- - name: '*.metrics.*.*'
- type: object
- description: |
- Metrics that returned from Cloudwatch API query.
diff --git a/packages/aws/0.5.4/data_stream/elb_metrics/manifest.yml b/packages/aws/0.5.4/data_stream/elb_metrics/manifest.yml
deleted file mode 100755
index 1e6ed4e207..0000000000
--- a/packages/aws/0.5.4/data_stream/elb_metrics/manifest.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-title: AWS ELB metrics
-release: beta
-type: metrics
-streams:
- - input: aws/metrics
- vars:
- - name: period
- type: text
- title: Period
- multi: false
- required: true
- show_user: true
- default: 1m
- - name: regions
- type: text
- title: Regions
- multi: true
- required: false
- show_user: true
- - name: latency
- type: text
- title: Latency
- multi: false
- required: false
- show_user: false
- - name: tags_filter
- type: yaml
- title: Tags Filter
- multi: false
- required: false
- show_user: false
- default: |
- # - key: "created-by"
- # value: "foo"
- title: AWS ELB metrics
- description: Collect AWS ELB metrics
diff --git a/packages/aws/0.5.4/data_stream/elb_metrics/sample_event.json b/packages/aws/0.5.4/data_stream/elb_metrics/sample_event.json
deleted file mode 100755
index d187909719..0000000000
--- a/packages/aws/0.5.4/data_stream/elb_metrics/sample_event.json
+++ /dev/null
@@ -1,63 +0,0 @@
-{
- "@timestamp": "2020-05-28T17:58:30.211Z",
- "agent": {
- "id": "12f376ef-5186-4e8b-a175-70f1140a8f30",
- "name": "MacBook-Elastic.local",
- "type": "metricbeat",
- "version": "8.0.0",
- "ephemeral_id": "17803f33-b617-4ce9-a9ac-e218c02aeb4b"
- },
- "ecs": {
- "version": "1.5.0"
- },
- "cloud": {
- "provider": "aws",
- "region": "eu-central-1",
- "account": {
- "id": "428152502467",
- "name": "elastic-beats"
- }
- },
- "aws": {
- "elb": {
- "metrics": {
- "EstimatedALBNewConnectionCount": {
- "avg": 32
- },
- "EstimatedALBConsumedLCUs": {
- "avg": 0.00035000000000000005
- },
- "EstimatedProcessedBytes": {
- "avg": 967
- },
- "EstimatedALBActiveConnectionCount": {
- "avg": 5
- },
- "HealthyHostCount": {
- "max": 2
- },
- "UnHealthyHostCount": {
- "max": 0
- }
- }
- },
- "cloudwatch": {
- "namespace": "AWS/ELB"
- },
- "dimensions": {
- "LoadBalancerName": "filebeat-aws-elb-test-elb"
- }
- },
- "metricset": {
- "name": "elb",
- "period": 60000
- },
- "event": {
- "dataset": "aws.elb",
- "module": "aws",
- "duration": 15044430616
- },
- "service": {
- "type": "aws"
- }
-}
\ No newline at end of file
diff --git a/packages/aws/0.5.4/data_stream/lambda/agent/stream/stream.yml.hbs b/packages/aws/0.5.4/data_stream/lambda/agent/stream/stream.yml.hbs
deleted file mode 100755
index cf17d23388..0000000000
--- a/packages/aws/0.5.4/data_stream/lambda/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,32 +0,0 @@
-metricsets: ["lambda"]
-period: {{period}}
-{{#if access_key_id}}
-access_key_id: {{access_key_id}}
-{{/if}}
-{{#if secret_access_key}}
-secret_access_key: {{secret_access_key}}
-{{/if}}
-{{#if session_token}}
-session_token: {{session_token}}
-{{/if}}
-{{#if credential_profile_name}}
-credential_profile_name: {{credential_profile_name}}
-{{/if}}
-{{#if shared_credential_file}}
-shared_credential_file: {{shared_credential_file}}
-{{/if}}
-{{#if role_arn}}
-role_arn: {{role_arn}}
-{{/if}}
-{{#if regions}}
-regions:
-{{#each regions as |region i|}}
-- {{region}}
-{{/each}}
-{{/if}}
-{{#if latency}}
-latency: {{latency}}
-{{/if}}
-{{#if tags_filter}}
-tags_filter: {{tags_filter}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/aws/0.5.4/data_stream/lambda/fields/agent.yml b/packages/aws/0.5.4/data_stream/lambda/fields/agent.yml
deleted file mode 100755
index da4e652c53..0000000000
--- a/packages/aws/0.5.4/data_stream/lambda/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/aws/0.5.4/data_stream/lambda/fields/base-fields.yml b/packages/aws/0.5.4/data_stream/lambda/fields/base-fields.yml
deleted file mode 100755
index 7c798f4534..0000000000
--- a/packages/aws/0.5.4/data_stream/lambda/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/aws/0.5.4/data_stream/lambda/fields/ecs.yml b/packages/aws/0.5.4/data_stream/lambda/fields/ecs.yml
deleted file mode 100755
index 745baefadc..0000000000
--- a/packages/aws/0.5.4/data_stream/lambda/fields/ecs.yml
+++ /dev/null
@@ -1,60 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- type: group
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- fields:
- - name: account.id
- level: extended
- type: keyword
- description: |-
- The cloud account or organization id used to identify different entities in a multi-tenant environment.
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
- ignore_above: 1024
- - name: account.name
- level: extended
- type: keyword
- description: |-
- The cloud account name or alias used to identify different entities in a multi-tenant environment.
- Examples: AWS account name, Google Cloud ORG display name.
- ignore_above: 1024
- - name: availability_zone
- level: extended
- type: keyword
- description: Availability zone in which this host is running.
- ignore_above: 1024
- - name: instance.id
- level: extended
- type: keyword
- description: Instance ID of the host machine.
- ignore_above: 1024
- - name: machine.type
- level: extended
- type: keyword
- description: Machine type of the host machine.
- ignore_above: 1024
- - name: provider
- level: extended
- type: keyword
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- ignore_above: 1024
- - name: region
- level: extended
- type: keyword
- description: Region in which this host is running.
- ignore_above: 1024
-- name: ecs.version
- type: keyword
- description: ECS version this event conforms to.
- example: 1.0.0
- ignore_above: 1024
-- name: error
- type: group
- fields:
- - name: message
- level: core
- type: text
- description: Error message.
-- name: service.type
- type: keyword
- description: Service type
diff --git a/packages/aws/0.5.4/data_stream/lambda/fields/fields.yml b/packages/aws/0.5.4/data_stream/lambda/fields/fields.yml
deleted file mode 100755
index 5209e0d30e..0000000000
--- a/packages/aws/0.5.4/data_stream/lambda/fields/fields.yml
+++ /dev/null
@@ -1,66 +0,0 @@
-- name: aws
- type: group
- fields:
- - name: dimensions
- type: group
- fields:
- - name: FunctionName
- type: keyword
- description: Lambda function name.
- - name: Resource
- type: keyword
- description: Resource name.
- - name: ExecutedVersion
- type: keyword
- description: Use the ExecutedVersion dimension to compare error rates for two versions of a function that are both targets of a weighted alias.
- - name: lambda
- type: group
- fields:
- - name: metrics
- type: group
- fields:
- - name: Invocations.avg
- type: double
- description: The number of times your function code is executed, including successful executions and executions that result in a function error.
- - name: Errors.avg
- type: double
- description: The number of invocations that result in a function error.
- - name: DeadLetterErrors.avg
- type: double
- description: For asynchronous invocation, the number of times Lambda attempts to send an event to a dead-letter queue but fails.
- - name: DestinationDeliveryFailures.avg
- type: double
- description: For asynchronous invocation, the number of times Lambda attempts to send an event to a destination but fails.
- - name: Duration.avg
- type: double
- description: The amount of time that your function code spends processing an event.
- - name: Throttles.avg
- type: double
- description: The number of invocation requests that are throttled.
- - name: IteratorAge.avg
- type: double
- description: For event source mappings that read from streams, the age of the last record in the event.
- - name: ConcurrentExecutions.avg
- type: double
- description: The number of function instances that are processing events.
- - name: UnreservedConcurrentExecutions.avg
- type: double
- description: For an AWS Region, the number of events that are being processed by functions that don't have reserved concurrency.
- - name: ProvisionedConcurrentExecutions.max
- type: long
- description: The number of function instances that are processing events on provisioned concurrency.
- - name: ProvisionedConcurrencyUtilization.max
- type: long
- description: For a version or alias, the value of ProvisionedConcurrentExecutions divided by the total amount of provisioned concurrency allocated.
- - name: ProvisionedConcurrencyInvocations.sum
- type: long
- description: The number of times your function code is executed on provisioned concurrency.
- - name: ProvisionedConcurrencySpilloverInvocations.sum
- type: long
- description: The number of times your function code is executed on standard concurrency when all provisioned concurrency is in use.
- - name: cloudwatch
- type: group
- fields:
- - name: namespace
- type: keyword
- description: The namespace specified when query cloudwatch api.
diff --git a/packages/aws/0.5.4/data_stream/lambda/fields/package-fields.yml b/packages/aws/0.5.4/data_stream/lambda/fields/package-fields.yml
deleted file mode 100755
index a8a7ee8dcc..0000000000
--- a/packages/aws/0.5.4/data_stream/lambda/fields/package-fields.yml
+++ /dev/null
@@ -1,19 +0,0 @@
-- name: aws
- type: group
- fields:
- - name: tags.*
- type: object
- description: |
- Tag key value pairs from aws resources.
- - name: s3.bucket.name
- type: keyword
- description: |
- Name of a S3 bucket.
- - name: dimensions.*
- type: object
- description: |
- Metric dimensions.
- - name: '*.metrics.*.*'
- type: object
- description: |
- Metrics that returned from Cloudwatch API query.
diff --git a/packages/aws/0.5.4/data_stream/lambda/manifest.yml b/packages/aws/0.5.4/data_stream/lambda/manifest.yml
deleted file mode 100755
index 5e0684218b..0000000000
--- a/packages/aws/0.5.4/data_stream/lambda/manifest.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-title: AWS Lambda metrics
-release: beta
-type: metrics
-streams:
- - input: aws/metrics
- vars:
- - name: period
- type: text
- title: Period
- multi: false
- required: true
- show_user: true
- default: 5m
- - name: regions
- type: text
- title: Regions
- multi: true
- required: false
- show_user: true
- - name: latency
- type: text
- title: Latency
- multi: false
- required: false
- show_user: false
- - name: tags_filter
- type: yaml
- title: Tags Filter
- multi: false
- required: false
- show_user: false
- default: |
- # - key: "created-by"
- # value: "foo"
- title: AWS Lambda metrics
- description: Collect AWS Lambda metrics
diff --git a/packages/aws/0.5.4/data_stream/lambda/sample_event.json b/packages/aws/0.5.4/data_stream/lambda/sample_event.json
deleted file mode 100755
index b1542233bd..0000000000
--- a/packages/aws/0.5.4/data_stream/lambda/sample_event.json
+++ /dev/null
@@ -1,58 +0,0 @@
-{
- "@timestamp": "2020-05-28T17:17:08.666Z",
- "agent": {
- "ephemeral_id": "17803f33-b617-4ce9-a9ac-e218c02aeb4b",
- "id": "12f376ef-5186-4e8b-a175-70f1140a8f30",
- "name": "MacBook-Elastic.local",
- "type": "metricbeat",
- "version": "8.0.0"
- },
- "event": {
- "dataset": "aws.dynamodb",
- "module": "aws",
- "duration": 10266182336
- },
- "service": {
- "type": "aws"
- },
- "ecs": {
- "version": "1.5.0"
- },
- "cloud": {
- "account": {
- "name": "elastic-beats",
- "id": "428152502467"
- },
- "provider": "aws",
- "region": "eu-central-1"
- },
- "aws": {
- "cloudwatch": {
- "namespace": "AWS/Lambda"
- },
- "dimensions": {
- "FunctionName": "ec2-owner-tagger-serverless",
- "Resource": "ec2-owner-tagger-serverless"
- },
- "lambda": {
- "metrics": {
- "Duration": {
- "avg": 8218.073333333334
- },
- "Errors": {
- "avg": 1
- },
- "Invocations": {
- "avg": 1
- },
- "Throttles": {
- "avg": 0
- }
- }
- }
- },
- "metricset": {
- "name": "dynamodb",
- "period": 300000
- }
-}
\ No newline at end of file
diff --git a/packages/aws/0.5.4/data_stream/natgateway/agent/stream/stream.yml.hbs b/packages/aws/0.5.4/data_stream/natgateway/agent/stream/stream.yml.hbs
deleted file mode 100755
index 94bed66ae8..0000000000
--- a/packages/aws/0.5.4/data_stream/natgateway/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,32 +0,0 @@
-metricsets: ["natgateway"]
-period: {{period}}
-{{#if access_key_id}}
-access_key_id: {{access_key_id}}
-{{/if}}
-{{#if secret_access_key}}
-secret_access_key: {{secret_access_key}}
-{{/if}}
-{{#if session_token}}
-session_token: {{session_token}}
-{{/if}}
-{{#if credential_profile_name}}
-credential_profile_name: {{credential_profile_name}}
-{{/if}}
-{{#if shared_credential_file}}
-shared_credential_file: {{shared_credential_file}}
-{{/if}}
-{{#if role_arn}}
-role_arn: {{role_arn}}
-{{/if}}
-{{#if regions}}
-regions:
-{{#each regions as |region i|}}
-- {{region}}
-{{/each}}
-{{/if}}
-{{#if latency}}
-latency: {{latency}}
-{{/if}}
-{{#if tags_filter}}
-tags_filter: {{tags_filter}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/aws/0.5.4/data_stream/natgateway/fields/agent.yml b/packages/aws/0.5.4/data_stream/natgateway/fields/agent.yml
deleted file mode 100755
index da4e652c53..0000000000
--- a/packages/aws/0.5.4/data_stream/natgateway/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/aws/0.5.4/data_stream/natgateway/fields/base-fields.yml b/packages/aws/0.5.4/data_stream/natgateway/fields/base-fields.yml
deleted file mode 100755
index 7c798f4534..0000000000
--- a/packages/aws/0.5.4/data_stream/natgateway/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/aws/0.5.4/data_stream/natgateway/fields/ecs.yml b/packages/aws/0.5.4/data_stream/natgateway/fields/ecs.yml
deleted file mode 100755
index 745baefadc..0000000000
--- a/packages/aws/0.5.4/data_stream/natgateway/fields/ecs.yml
+++ /dev/null
@@ -1,60 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- type: group
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- fields:
- - name: account.id
- level: extended
- type: keyword
- description: |-
- The cloud account or organization id used to identify different entities in a multi-tenant environment.
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
- ignore_above: 1024
- - name: account.name
- level: extended
- type: keyword
- description: |-
- The cloud account name or alias used to identify different entities in a multi-tenant environment.
- Examples: AWS account name, Google Cloud ORG display name.
- ignore_above: 1024
- - name: availability_zone
- level: extended
- type: keyword
- description: Availability zone in which this host is running.
- ignore_above: 1024
- - name: instance.id
- level: extended
- type: keyword
- description: Instance ID of the host machine.
- ignore_above: 1024
- - name: machine.type
- level: extended
- type: keyword
- description: Machine type of the host machine.
- ignore_above: 1024
- - name: provider
- level: extended
- type: keyword
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- ignore_above: 1024
- - name: region
- level: extended
- type: keyword
- description: Region in which this host is running.
- ignore_above: 1024
-- name: ecs.version
- type: keyword
- description: ECS version this event conforms to.
- example: 1.0.0
- ignore_above: 1024
-- name: error
- type: group
- fields:
- - name: message
- level: core
- type: text
- description: Error message.
-- name: service.type
- type: keyword
- description: Service type
diff --git a/packages/aws/0.5.4/data_stream/natgateway/fields/fields.yml b/packages/aws/0.5.4/data_stream/natgateway/fields/fields.yml
deleted file mode 100755
index c3e7172455..0000000000
--- a/packages/aws/0.5.4/data_stream/natgateway/fields/fields.yml
+++ /dev/null
@@ -1,63 +0,0 @@
-- name: aws
- type: group
- fields:
- - name: dimensions
- type: group
- fields:
- - name: NatGatewayId
- type: keyword
- description: Filter the metric data by the NAT gateway ID.
- - name: natgateway
- type: group
- fields:
- - name: metrics
- type: group
- fields:
- - name: BytesInFromDestination.sum
- type: long
- description: The number of bytes received by the NAT gateway from the destination.
- - name: BytesInFromSource.sum
- type: long
- description: The number of bytes received by the NAT gateway from clients in your VPC.
- - name: BytesOutToDestination.sum
- type: long
- description: The number of bytes sent out through the NAT gateway to the destination.
- - name: BytesOutToSource.sum
- type: long
- description: The number of bytes sent through the NAT gateway to the clients in your VPC.
- - name: ConnectionAttemptCount.sum
- type: long
- description: The number of connection attempts made through the NAT gateway.
- - name: ConnectionEstablishedCount.sum
- type: long
- description: The number of connections established through the NAT gateway.
- - name: ErrorPortAllocation.sum
- type: long
- description: The number of times the NAT gateway could not allocate a source port.
- - name: IdleTimeoutCount.sum
- type: long
- description: The number of connections that transitioned from the active state to the idle state.
- - name: PacketsDropCount.sum
- type: long
- description: The number of packets dropped by the NAT gateway.
- - name: PacketsInFromDestination.sum
- type: long
- description: The number of packets received by the NAT gateway from the destination.
- - name: PacketsInFromSource.sum
- type: long
- description: The number of packets received by the NAT gateway from clients in your VPC.
- - name: PacketsOutToDestination.sum
- type: long
- description: The number of packets sent out through the NAT gateway to the destination.
- - name: PacketsOutToSource.sum
- type: long
- description: The number of packets sent through the NAT gateway to the clients in your VPC.
- - name: ActiveConnectionCount.max
- type: long
- description: The total number of concurrent active TCP connections through the NAT gateway.
- - name: cloudwatch
- type: group
- fields:
- - name: namespace
- type: keyword
- description: The namespace specified when query cloudwatch api.
diff --git a/packages/aws/0.5.4/data_stream/natgateway/fields/package-fields.yml b/packages/aws/0.5.4/data_stream/natgateway/fields/package-fields.yml
deleted file mode 100755
index a8a7ee8dcc..0000000000
--- a/packages/aws/0.5.4/data_stream/natgateway/fields/package-fields.yml
+++ /dev/null
@@ -1,19 +0,0 @@
-- name: aws
- type: group
- fields:
- - name: tags.*
- type: object
- description: |
- Tag key value pairs from aws resources.
- - name: s3.bucket.name
- type: keyword
- description: |
- Name of a S3 bucket.
- - name: dimensions.*
- type: object
- description: |
- Metric dimensions.
- - name: '*.metrics.*.*'
- type: object
- description: |
- Metrics that returned from Cloudwatch API query.
diff --git a/packages/aws/0.5.4/data_stream/natgateway/manifest.yml b/packages/aws/0.5.4/data_stream/natgateway/manifest.yml
deleted file mode 100755
index fc6cf801c3..0000000000
--- a/packages/aws/0.5.4/data_stream/natgateway/manifest.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-title: AWS NAT gateway metrics
-release: beta
-type: metrics
-streams:
- - input: aws/metrics
- vars:
- - name: period
- type: text
- title: Period
- multi: false
- required: true
- show_user: true
- default: 1m
- - name: regions
- type: text
- title: Regions
- multi: true
- required: false
- show_user: true
- - name: latency
- type: text
- title: Latency
- multi: false
- required: false
- show_user: false
- title: AWS NAT gateway metrics
- description: Collect AWS NAT gateway metrics
diff --git a/packages/aws/0.5.4/data_stream/natgateway/sample_event.json b/packages/aws/0.5.4/data_stream/natgateway/sample_event.json
deleted file mode 100755
index 11f136cd63..0000000000
--- a/packages/aws/0.5.4/data_stream/natgateway/sample_event.json
+++ /dev/null
@@ -1,84 +0,0 @@
-{
- "@timestamp": "2020-05-28T17:58:27.154Z",
- "service": {
- "type": "aws"
- },
- "ecs": {
- "version": "1.5.0"
- },
- "aws": {
- "cloudwatch": {
- "namespace": "AWS/NATGateway"
- },
- "dimensions": {
- "NatGatewayId": "nat-0a5cb7b9807908cc0"
- },
- "natgateway": {
- "metrics": {
- "ActiveConnectionCount": {
- "max": 0
- },
- "BytesInFromDestination": {
- "sum": 0
- },
- "BytesInFromSource": {
- "sum": 0
- },
- "BytesOutToDestination": {
- "sum": 0
- },
- "BytesOutToSource": {
- "sum": 0
- },
- "ConnectionAttemptCount": {
- "sum": 0
- },
- "ConnectionEstablishedCount": {
- "sum": 0
- },
- "ErrorPortAllocation": {
- "sum": 0
- },
- "PacketsDropCount": {
- "sum": 0
- },
- "PacketsInFromDestination": {
- "sum": 0
- },
- "PacketsInFromSource": {
- "sum": 0
- },
- "PacketsOutToDestination": {
- "sum": 0
- },
- "PacketsOutToSource": {
- "sum": 0
- }
- }
- }
- },
- "event": {
- "dataset": "aws.natgateway",
- "module": "aws",
- "duration": 10418157072
- },
- "metricset": {
- "period": 60000,
- "name": "natgateway"
- },
- "cloud": {
- "region": "us-west-2",
- "account": {
- "name": "elastic-beats",
- "id": "428152502467"
- },
- "provider": "aws"
- },
- "agent": {
- "version": "8.0.0",
- "ephemeral_id": "17803f33-b617-4ce9-a9ac-e218c02aeb4b",
- "id": "12f376ef-5186-4e8b-a175-70f1140a8f30",
- "name": "MacBook-Elastic.local",
- "type": "metricbeat"
- }
-}
\ No newline at end of file
diff --git a/packages/aws/0.5.4/data_stream/rds/agent/stream/stream.yml.hbs b/packages/aws/0.5.4/data_stream/rds/agent/stream/stream.yml.hbs
deleted file mode 100755
index bf6deefcf8..0000000000
--- a/packages/aws/0.5.4/data_stream/rds/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,32 +0,0 @@
-metricsets: ["rds"]
-period: {{period}}
-{{#if access_key_id}}
-access_key_id: {{access_key_id}}
-{{/if}}
-{{#if secret_access_key}}
-secret_access_key: {{secret_access_key}}
-{{/if}}
-{{#if session_token}}
-session_token: {{session_token}}
-{{/if}}
-{{#if credential_profile_name}}
-credential_profile_name: {{credential_profile_name}}
-{{/if}}
-{{#if shared_credential_file}}
-shared_credential_file: {{shared_credential_file}}
-{{/if}}
-{{#if role_arn}}
-role_arn: {{role_arn}}
-{{/if}}
-{{#if regions}}
-regions:
-{{#each regions as |region i|}}
-- {{region}}
-{{/each}}
-{{/if}}
-{{#if latency}}
-latency: {{latency}}
-{{/if}}
-{{#if tags_filter}}
-tags_filter: {{tags_filter}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/aws/0.5.4/data_stream/rds/fields/agent.yml b/packages/aws/0.5.4/data_stream/rds/fields/agent.yml
deleted file mode 100755
index da4e652c53..0000000000
--- a/packages/aws/0.5.4/data_stream/rds/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/aws/0.5.4/data_stream/rds/fields/base-fields.yml b/packages/aws/0.5.4/data_stream/rds/fields/base-fields.yml
deleted file mode 100755
index 7c798f4534..0000000000
--- a/packages/aws/0.5.4/data_stream/rds/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/aws/0.5.4/data_stream/rds/fields/ecs.yml b/packages/aws/0.5.4/data_stream/rds/fields/ecs.yml
deleted file mode 100755
index 745baefadc..0000000000
--- a/packages/aws/0.5.4/data_stream/rds/fields/ecs.yml
+++ /dev/null
@@ -1,60 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- type: group
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- fields:
- - name: account.id
- level: extended
- type: keyword
- description: |-
- The cloud account or organization id used to identify different entities in a multi-tenant environment.
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
- ignore_above: 1024
- - name: account.name
- level: extended
- type: keyword
- description: |-
- The cloud account name or alias used to identify different entities in a multi-tenant environment.
- Examples: AWS account name, Google Cloud ORG display name.
- ignore_above: 1024
- - name: availability_zone
- level: extended
- type: keyword
- description: Availability zone in which this host is running.
- ignore_above: 1024
- - name: instance.id
- level: extended
- type: keyword
- description: Instance ID of the host machine.
- ignore_above: 1024
- - name: machine.type
- level: extended
- type: keyword
- description: Machine type of the host machine.
- ignore_above: 1024
- - name: provider
- level: extended
- type: keyword
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- ignore_above: 1024
- - name: region
- level: extended
- type: keyword
- description: Region in which this host is running.
- ignore_above: 1024
-- name: ecs.version
- type: keyword
- description: ECS version this event conforms to.
- example: 1.0.0
- ignore_above: 1024
-- name: error
- type: group
- fields:
- - name: message
- level: core
- type: text
- description: Error message.
-- name: service.type
- type: keyword
- description: Service type
diff --git a/packages/aws/0.5.4/data_stream/rds/fields/fields.yml b/packages/aws/0.5.4/data_stream/rds/fields/fields.yml
deleted file mode 100755
index 5f0deb4866..0000000000
--- a/packages/aws/0.5.4/data_stream/rds/fields/fields.yml
+++ /dev/null
@@ -1,345 +0,0 @@
-- name: aws
- type: group
- fields:
- - name: dimensions
- type: group
- fields:
- - name: DBInstanceIdentifier
- type: keyword
- description: This dimension filters the data that you request for a specific DB instance.
- - name: DBClusterIdentifier
- type: keyword
- description: This dimension filters the data that you request for a specific Amazon Aurora DB cluster.
- - name: DBClusterIdentifier,Role
- type: keyword
- description: This dimension filters the data that you request for a specific Aurora DB cluster, aggregating the metric by instance role (WRITER/READER).
- - name: DbClusterIdentifier, EngineName
- type: keyword
- description: This dimension filters the data that you request for a specific Aurora DB cluster, aggregating the metric by engine name.
- - name: DatabaseClass
- type: keyword
- description: This dimension filters the data that you request for all instances in a database class.
- - name: EngineName
- type: keyword
- description: This dimension filters the data that you request for the identified engine name only.
- - name: SourceRegion
- type: keyword
- description: This dimension filters the data that you request for the specified region only.
- - name: rds
- type: group
- fields:
- - name: cpu.total.pct
- type: scaled_float
- format: percent
- description: |
- The percentage of CPU utilization.
- - name: cpu.credit_usage
- type: long
- description: |
- The number of CPU credits spent by the instance for CPU utilization.
- - name: cpu.credit_balance
- type: long
- description: |
- The number of earned CPU credits that an instance has accrued since it was launched or started.
- - name: database_connections
- type: long
- description: |
- The number of database connections in use.
- - name: db_instance.arn
- type: keyword
- description: |
- Amazon Resource Name(ARN) for each rds.
- - name: db_instance.class
- type: keyword
- description: |
- Contains the name of the compute and memory capacity class of the DB instance.
- - name: db_instance.identifier
- type: keyword
- description: |
- Contains a user-supplied database identifier. This identifier is the unique key that identifies a DB instance.
- - name: db_instance.status
- type: keyword
- description: |
- Specifies the current state of this database.
- - name: disk_queue_depth
- type: float
- description: |
- The number of outstanding IOs (read/write requests) waiting to access the disk.
- - name: failed_sql_server_agent_jobs
- type: long
- description: |
- The number of failed SQL Server Agent jobs during the last minute.
- - name: freeable_memory.bytes
- type: long
- format: bytes
- description: |
- The amount of available random access memory.
- - name: free_storage.bytes
- type: long
- format: bytes
- description: |
- The amount of available storage space.
- - name: maximum_used_transaction_ids
- type: long
- description: |
- The maximum transaction ID that has been used. Applies to PostgreSQL.
- - name: oldest_replication_slot_lag.mb
- type: long
- description: |
- The lagging size of the replica lagging the most in terms of WAL data received. Applies to PostgreSQL.
- - name: read_io.ops_per_sec
- type: float
- description: |
- The average number of disk read I/O operations per second.
- - name: replica_lag.sec
- type: long
- format: duration
- description: |
- The amount of time a Read Replica DB instance lags behind the source DB instance. Applies to MySQL, MariaDB, and PostgreSQL Read Replicas.
- - name: swap_usage.bytes
- type: long
- format: bytes
- description: |
- The amount of swap space used on the DB instance. This metric is not available for SQL Server.
- - name: transaction_logs_generation
- type: long
- description: |
- The disk space used by transaction logs. Applies to PostgreSQL.
- - name: write_io.ops_per_sec
- type: float
- description: |
- The average number of disk write I/O operations per second.
- - name: queries
- type: long
- description: |
- The average number of queries executed per second.
- - name: deadlocks
- type: long
- description: |
- The average number of deadlocks in the database per second.
- - name: volume_used.bytes
- type: long
- format: bytes
- description: |
- The amount of storage used by your Aurora DB instance, in bytes.
- - name: volume.read.iops
- type: long
- format: bytes
- description: |
- The number of billed read I/O operations from a cluster volume, reported at 5-minute intervals.
- - name: volume.write.iops
- type: long
- format: bytes
- description: |
- The number of write disk I/O operations to the cluster volume, reported at 5-minute intervals.
- - name: free_local_storage.bytes
- type: long
- format: bytes
- description: |
- The amount of storage available for temporary tables and logs, in bytes.
- - name: login_failures
- type: long
- description: |
- The average number of failed login attempts per second.
- - name: throughput.commit
- type: float
- description: |
- The average number of commit operations per second.
- - name: throughput.delete
- type: float
- description: |
- The average number of delete queries per second.
- - name: throughput.ddl
- type: float
- description: |
- The average number of DDL requests per second.
- - name: throughput.dml
- type: float
- description: |
- The average number of inserts, updates, and deletes per second.
- - name: throughput.insert
- type: float
- description: |
- The average number of insert queries per second.
- - name: throughput.network
- type: float
- description: |
- The amount of network throughput both received from and transmitted to clients by each instance in the Aurora MySQL DB cluster, in bytes per second.
- - name: throughput.network_receive
- type: float
- description: |
- The incoming (Receive) network traffic on the DB instance, including both customer database traffic and Amazon RDS traffic used for monitoring and replication.
- - name: throughput.network_transmit
- type: float
- description: |
- The outgoing (Transmit) network traffic on the DB instance, including both customer database traffic and Amazon RDS traffic used for monitoring and replication.
- - name: throughput.read
- type: float
- description: |
- The average amount of time taken per disk I/O operation.
- - name: throughput.select
- type: float
- description: |
- The average number of select queries per second.
- - name: throughput.update
- type: float
- description: |
- The average number of update queries per second.
- - name: throughput.write
- type: float
- description: |
- The average number of bytes written to disk per second.
- - name: latency.commit
- type: float
- format: duration
- description: |
- The amount of latency for commit operations, in milliseconds.
- - name: latency.ddl
- type: float
- format: duration
- description: |
- The amount of latency for data definition language (DDL) requests, in milliseconds.
- - name: latency.dml
- type: float
- format: duration
- description: |
- The amount of latency for inserts, updates, and deletes, in milliseconds.
- - name: latency.insert
- type: float
- format: duration
- description: |
- The amount of latency for insert queries, in milliseconds.
- - name: latency.read
- type: float
- format: duration
- description: |
- The average amount of time taken per disk I/O operation.
- - name: latency.select
- type: float
- format: duration
- description: |
- The amount of latency for select queries, in milliseconds.
- - name: latency.update
- type: float
- format: duration
- description: |
- The amount of latency for update queries, in milliseconds.
- - name: latency.write
- type: float
- format: duration
- description: |
- The average amount of time taken per disk I/O operation.
- - name: latency.delete
- type: float
- format: duration
- description: |
- The amount of latency for delete queries, in milliseconds.
- - name: disk_usage.bin_log.bytes
- type: long
- format: bytes
- description: |
- The amount of disk space occupied by binary logs on the master. Applies to MySQL read replicas.
- - name: disk_usage.replication_slot.mb
- type: long
- description: |
- The disk space used by replication slot files. Applies to PostgreSQL.
- - name: disk_usage.transaction_logs.mb
- type: long
- description: |
- The disk space used by transaction logs. Applies to PostgreSQL.
- - name: transactions.active
- type: long
- description: |
- The average number of current transactions executing on an Aurora database instance per second.
- - name: transactions.blocked
- type: long
- description: |
- The average number of transactions in the database that are blocked per second.
- - name: db_instance.db_cluster_identifier
- type: keyword
- description: |
- This identifier is the unique key that identifies a DB cluster specifically for Amazon Aurora DB cluster.
- - name: db_instance.role
- type: keyword
- description: |
- DB roles like WRITER or READER, specifically for Amazon Aurora DB cluster.
- - name: db_instance.engine_name
- type: keyword
- description: |
- Each DB instance runs a DB engine, like MySQL, MariaDB, PostgreSQL and etc.
- - name: aurora_bin_log_replica_lag
- type: long
- description: |
- The amount of time a replica DB cluster running on Aurora with MySQL compatibility lags behind the source DB cluster.
- - name: aurora_global_db.replicated_write_io.bytes
- type: long
- description: |
- In an Aurora Global Database, the number of write I/O operations replicated from the primary AWS Region to the cluster volume in a secondary AWS Region.
- - name: aurora_global_db.data_transfer.bytes
- type: long
- description: |
- In an Aurora Global Database, the amount of redo log data transferred from the master AWS Region to a secondary AWS Region.
- - name: aurora_global_db.replication_lag.ms
- type: long
- description: |
- For an Aurora Global Database, the amount of lag when replicating updates from the primary AWS Region, in milliseconds.
- - name: aurora_replica.lag.ms
- type: long
- description: |
- For an Aurora Replica, the amount of lag when replicating updates from the primary instance, in milliseconds.
- - name: aurora_replica.lag_max.ms
- type: long
- description: |
- The maximum amount of lag between the primary instance and each Aurora DB instance in the DB cluster, in milliseconds.
- - name: aurora_replica.lag_min.ms
- type: long
- description: |
- The minimum amount of lag between the primary instance and each Aurora DB instance in the DB cluster, in milliseconds.
- - name: backtrack_change_records.creation_rate
- type: long
- description: |
- The number of backtrack change records created over five minutes for your DB cluster.
- - name: backtrack_change_records.stored
- type: long
- description: |
- The actual number of backtrack change records used by your DB cluster.
- - name: backtrack_window.actual
- type: long
- description: |
- The difference between the target backtrack window and the actual backtrack window.
- - name: backtrack_window.alert
- type: long
- description: |
- The number of times that the actual backtrack window is smaller than the target backtrack window for a given period of time.
- - name: storage_used.backup_retention_period.bytes
- type: long
- description: |
- The total amount of backup storage in bytes used to support the point-in-time restore feature within the Aurora DB cluster's backup retention window.
- - name: storage_used.snapshot.bytes
- type: long
- description: |
- The total amount of backup storage in bytes consumed by all Aurora snapshots for an Aurora DB cluster outside its backup retention window.
- - name: cache_hit_ratio.buffer
- type: long
- description: |
- The percentage of requests that are served by the buffer cache.
- - name: cache_hit_ratio.result_set
- type: long
- description: |
- The percentage of requests that are served by the Resultset cache.
- - name: engine_uptime.sec
- type: long
- description: |
- The amount of time that the instance has been running, in seconds.
- - name: rds_to_aurora_postgresql_replica_lag.sec
- type: long
- description: |
- The amount of lag in seconds when replicating updates from the primary RDS PostgreSQL instance to other nodes in the cluster.
- - name: backup_storage_billed_total.bytes
- type: long
- description: |
- The total amount of backup storage in bytes for which you are billed for a given Aurora DB cluster.
- - name: aurora_volume_left_total.bytes
- type: long
- description: |
- The remaining available space for the cluster volume, measured in bytes.
diff --git a/packages/aws/0.5.4/data_stream/rds/fields/package-fields.yml b/packages/aws/0.5.4/data_stream/rds/fields/package-fields.yml
deleted file mode 100755
index a8a7ee8dcc..0000000000
--- a/packages/aws/0.5.4/data_stream/rds/fields/package-fields.yml
+++ /dev/null
@@ -1,19 +0,0 @@
-- name: aws
- type: group
- fields:
- - name: tags.*
- type: object
- description: |
- Tag key value pairs from aws resources.
- - name: s3.bucket.name
- type: keyword
- description: |
- Name of a S3 bucket.
- - name: dimensions.*
- type: object
- description: |
- Metric dimensions.
- - name: '*.metrics.*.*'
- type: object
- description: |
- Metrics that returned from Cloudwatch API query.
diff --git a/packages/aws/0.5.4/data_stream/rds/manifest.yml b/packages/aws/0.5.4/data_stream/rds/manifest.yml
deleted file mode 100755
index c920727e99..0000000000
--- a/packages/aws/0.5.4/data_stream/rds/manifest.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-title: AWS RDS metrics
-release: beta
-type: metrics
-streams:
- - input: aws/metrics
- vars:
- - name: period
- type: text
- title: Period
- multi: false
- required: true
- show_user: true
- default: 1m
- - name: regions
- type: text
- title: Regions
- multi: true
- required: false
- show_user: true
- - name: latency
- type: text
- title: Latency
- multi: false
- required: false
- show_user: false
- - name: tags_filter
- type: yaml
- title: Tags Filter
- multi: false
- required: false
- show_user: false
- default: |
- # - key: "created-by"
- # value: "foo"
- title: AWS RDS metrics
- description: Collect AWS RDS metrics
diff --git a/packages/aws/0.5.4/data_stream/rds/sample_event.json b/packages/aws/0.5.4/data_stream/rds/sample_event.json
deleted file mode 100755
index 27bfc3c0bf..0000000000
--- a/packages/aws/0.5.4/data_stream/rds/sample_event.json
+++ /dev/null
@@ -1,89 +0,0 @@
-{
- "@timestamp": "2020-05-28T17:58:34.537Z",
- "ecs": {
- "version": "1.5.0"
- },
- "service": {
- "type": "aws"
- },
- "aws": {
- "rds": {
- "latency": {
- "dml": 0,
- "insert": 0,
- "update": 0,
- "commit": 0,
- "ddl": 0,
- "delete": 0,
- "select": 0.21927814569536422
- },
- "queries": 6.197934021992669,
- "aurora_bin_log_replica_lag": 0,
- "transactions": {
- "blocked": 0,
- "active": 0
- },
- "deadlocks": 0,
- "login_failures": 0,
- "throughput": {
- "network": 1.399813358218904,
- "insert": 0,
- "ddl": 0,
- "select": 2.5165408396246853,
- "delete": 0,
- "commit": 0,
- "network_transmit": 0.699906679109452,
- "update": 0,
- "dml": 0,
- "network_receive": 0.699906679109452
- },
- "cpu": {
- "total": {
- "pct": 0.03
- }
- },
- "db_instance": {
- "arn": "arn:aws:rds:eu-west-1:428152502467:db:database-1-instance-1-eu-west-1a",
- "class": "db.r5.large",
- "identifier": "database-1-instance-1-eu-west-1a",
- "status": "available"
- },
- "cache_hit_ratio.result_set": 0,
- "aurora_replica.lag.ms": 19.576,
- "free_local_storage.bytes": 32431271936,
- "cache_hit_ratio.buffer": 100,
- "disk_usage": {
- "bin_log.bytes": 0
- },
- "db_instance.identifier": "database-1-instance-1-eu-west-1a",
- "freeable_memory.bytes": 4436537344,
- "engine_uptime.sec": 10463030,
- "database_connections": 0
- }
- },
- "cloud": {
- "provider": "aws",
- "region": "eu-west-1",
- "account": {
- "id": "428152502467",
- "name": "elastic-beats"
- },
- "availability_zone": "eu-west-1a"
- },
- "event": {
- "dataset": "aws.rds",
- "module": "aws",
- "duration": 10777919184
- },
- "metricset": {
- "name": "rds",
- "period": 60000
- },
- "agent": {
- "name": "MacBook-Elastic.local",
- "type": "metricbeat",
- "version": "8.0.0",
- "ephemeral_id": "17803f33-b617-4ce9-a9ac-e218c02aeb4b",
- "id": "12f376ef-5186-4e8b-a175-70f1140a8f30"
- }
-}
\ No newline at end of file
diff --git a/packages/aws/0.5.4/data_stream/s3_daily_storage/agent/stream/stream.yml.hbs b/packages/aws/0.5.4/data_stream/s3_daily_storage/agent/stream/stream.yml.hbs
deleted file mode 100755
index cac1cae04a..0000000000
--- a/packages/aws/0.5.4/data_stream/s3_daily_storage/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,29 +0,0 @@
-metricsets: ["s3_daily_storage"]
-period: {{period}}
-{{#if access_key_id}}
-access_key_id: {{access_key_id}}
-{{/if}}
-{{#if secret_access_key}}
-secret_access_key: {{secret_access_key}}
-{{/if}}
-{{#if session_token}}
-session_token: {{session_token}}
-{{/if}}
-{{#if credential_profile_name}}
-credential_profile_name: {{credential_profile_name}}
-{{/if}}
-{{#if shared_credential_file}}
-shared_credential_file: {{shared_credential_file}}
-{{/if}}
-{{#if role_arn}}
-role_arn: {{role_arn}}
-{{/if}}
-{{#if regions}}
-regions:
-{{#each regions as |region i|}}
-- {{region}}
-{{/each}}
-{{/if}}
-{{#if latency}}
-latency: {{latency}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/aws/0.5.4/data_stream/s3_daily_storage/fields/agent.yml b/packages/aws/0.5.4/data_stream/s3_daily_storage/fields/agent.yml
deleted file mode 100755
index da4e652c53..0000000000
--- a/packages/aws/0.5.4/data_stream/s3_daily_storage/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/aws/0.5.4/data_stream/s3_daily_storage/fields/base-fields.yml b/packages/aws/0.5.4/data_stream/s3_daily_storage/fields/base-fields.yml
deleted file mode 100755
index 7c798f4534..0000000000
--- a/packages/aws/0.5.4/data_stream/s3_daily_storage/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/aws/0.5.4/data_stream/s3_daily_storage/fields/ecs.yml b/packages/aws/0.5.4/data_stream/s3_daily_storage/fields/ecs.yml
deleted file mode 100755
index 745baefadc..0000000000
--- a/packages/aws/0.5.4/data_stream/s3_daily_storage/fields/ecs.yml
+++ /dev/null
@@ -1,60 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- type: group
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- fields:
- - name: account.id
- level: extended
- type: keyword
- description: |-
- The cloud account or organization id used to identify different entities in a multi-tenant environment.
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
- ignore_above: 1024
- - name: account.name
- level: extended
- type: keyword
- description: |-
- The cloud account name or alias used to identify different entities in a multi-tenant environment.
- Examples: AWS account name, Google Cloud ORG display name.
- ignore_above: 1024
- - name: availability_zone
- level: extended
- type: keyword
- description: Availability zone in which this host is running.
- ignore_above: 1024
- - name: instance.id
- level: extended
- type: keyword
- description: Instance ID of the host machine.
- ignore_above: 1024
- - name: machine.type
- level: extended
- type: keyword
- description: Machine type of the host machine.
- ignore_above: 1024
- - name: provider
- level: extended
- type: keyword
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- ignore_above: 1024
- - name: region
- level: extended
- type: keyword
- description: Region in which this host is running.
- ignore_above: 1024
-- name: ecs.version
- type: keyword
- description: ECS version this event conforms to.
- example: 1.0.0
- ignore_above: 1024
-- name: error
- type: group
- fields:
- - name: message
- level: core
- type: text
- description: Error message.
-- name: service.type
- type: keyword
- description: Service type
diff --git a/packages/aws/0.5.4/data_stream/s3_daily_storage/fields/fields.yml b/packages/aws/0.5.4/data_stream/s3_daily_storage/fields/fields.yml
deleted file mode 100755
index 87519c6a7c..0000000000
--- a/packages/aws/0.5.4/data_stream/s3_daily_storage/fields/fields.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-- name: aws
- type: group
- fields:
- - name: dimensions
- type: group
- fields:
- - name: BucketName
- type: keyword
- description: This dimension filters the data you request for the identified bucket only.
- - name: StorageType
- type: keyword
- description: This dimension filters the data that you have stored in a bucket by types of storage.
- - name: FilterId
- type: keyword
- description: This dimension filters metrics configurations that you specify for request metrics on a bucket, for example, a prefix or a tag.
- - name: s3_daily_storage
- type: group
- fields:
- - name: bucket.size.bytes
- type: long
- format: bytes
- description: |
- The amount of data in bytes stored in a bucket.
- - name: number_of_objects
- type: long
- description: |
- The total number of objects stored in a bucket for all storage classes.
diff --git a/packages/aws/0.5.4/data_stream/s3_daily_storage/fields/package-fields.yml b/packages/aws/0.5.4/data_stream/s3_daily_storage/fields/package-fields.yml
deleted file mode 100755
index a8a7ee8dcc..0000000000
--- a/packages/aws/0.5.4/data_stream/s3_daily_storage/fields/package-fields.yml
+++ /dev/null
@@ -1,19 +0,0 @@
-- name: aws
- type: group
- fields:
- - name: tags.*
- type: object
- description: |
- Tag key value pairs from aws resources.
- - name: s3.bucket.name
- type: keyword
- description: |
- Name of a S3 bucket.
- - name: dimensions.*
- type: object
- description: |
- Metric dimensions.
- - name: '*.metrics.*.*'
- type: object
- description: |
- Metrics that returned from Cloudwatch API query.
diff --git a/packages/aws/0.5.4/data_stream/s3_daily_storage/manifest.yml b/packages/aws/0.5.4/data_stream/s3_daily_storage/manifest.yml
deleted file mode 100755
index 89473f0ebb..0000000000
--- a/packages/aws/0.5.4/data_stream/s3_daily_storage/manifest.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-title: AWS S3 daily storage metrics
-release: beta
-type: metrics
-streams:
- - input: aws/metrics
- vars:
- - name: period
- type: text
- title: Period
- multi: false
- required: true
- show_user: true
- default: 24h
- - name: regions
- type: text
- title: Regions
- multi: true
- required: false
- show_user: true
- - name: latency
- type: text
- title: Latency
- multi: false
- required: false
- show_user: false
- title: AWS S3 daily storage metrics
- description: Collect AWS S3 daily storage metrics
diff --git a/packages/aws/0.5.4/data_stream/s3_daily_storage/sample_event.json b/packages/aws/0.5.4/data_stream/s3_daily_storage/sample_event.json
deleted file mode 100755
index f3e230ff06..0000000000
--- a/packages/aws/0.5.4/data_stream/s3_daily_storage/sample_event.json
+++ /dev/null
@@ -1,48 +0,0 @@
-{
- "@timestamp": "2020-05-28T17:58:27.154Z",
- "service": {
- "type": "aws"
- },
- "ecs": {
- "version": "1.5.0"
- },
- "aws": {
- "s3": {
- "bucket": {
- "name": "test-s3-ks-2"
- }
- },
- "s3_daily_storage": {
- "bucket": {
- "size": {
- "bytes": 207372
- }
- },
- "number_of_objects": 128
- }
- },
- "event": {
- "dataset": "aws.s3_daily_storage",
- "module": "aws",
- "duration": 10418157072
- },
- "metricset": {
- "period": 60000,
- "name": "s3_daily_storage"
- },
- "cloud": {
- "region": "us-west-2",
- "account": {
- "name": "elastic-beats",
- "id": "428152502467"
- },
- "provider": "aws"
- },
- "agent": {
- "version": "8.0.0",
- "ephemeral_id": "17803f33-b617-4ce9-a9ac-e218c02aeb4b",
- "id": "12f376ef-5186-4e8b-a175-70f1140a8f30",
- "name": "MacBook-Elastic.local",
- "type": "metricbeat"
- }
-}
\ No newline at end of file
diff --git a/packages/aws/0.5.4/data_stream/s3_request/agent/stream/stream.yml.hbs b/packages/aws/0.5.4/data_stream/s3_request/agent/stream/stream.yml.hbs
deleted file mode 100755
index 6f53aab34d..0000000000
--- a/packages/aws/0.5.4/data_stream/s3_request/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,29 +0,0 @@
-metricsets: ["s3_request"]
-period: {{period}}
-{{#if access_key_id}}
-access_key_id: {{access_key_id}}
-{{/if}}
-{{#if secret_access_key}}
-secret_access_key: {{secret_access_key}}
-{{/if}}
-{{#if session_token}}
-session_token: {{session_token}}
-{{/if}}
-{{#if credential_profile_name}}
-credential_profile_name: {{credential_profile_name}}
-{{/if}}
-{{#if shared_credential_file}}
-shared_credential_file: {{shared_credential_file}}
-{{/if}}
-{{#if role_arn}}
-role_arn: {{role_arn}}
-{{/if}}
-{{#if regions}}
-regions:
-{{#each regions as |region i|}}
-- {{region}}
-{{/each}}
-{{/if}}
-{{#if latency}}
-latency: {{latency}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/aws/0.5.4/data_stream/s3_request/fields/agent.yml b/packages/aws/0.5.4/data_stream/s3_request/fields/agent.yml
deleted file mode 100755
index da4e652c53..0000000000
--- a/packages/aws/0.5.4/data_stream/s3_request/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/aws/0.5.4/data_stream/s3_request/fields/base-fields.yml b/packages/aws/0.5.4/data_stream/s3_request/fields/base-fields.yml
deleted file mode 100755
index 7c798f4534..0000000000
--- a/packages/aws/0.5.4/data_stream/s3_request/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp.
diff --git a/packages/aws/0.5.4/data_stream/s3_request/fields/ecs.yml b/packages/aws/0.5.4/data_stream/s3_request/fields/ecs.yml
deleted file mode 100755
index 745baefadc..0000000000
--- a/packages/aws/0.5.4/data_stream/s3_request/fields/ecs.yml
+++ /dev/null
@@ -1,60 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - type: group - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - fields: - - name: account.id - level: extended - type: keyword - description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - ignore_above: 1024 - - name: account.name - level: extended - type: keyword - description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - ignore_above: 1024 - - name: availability_zone - level: extended - type: keyword - description: Availability zone in which this host is running. - ignore_above: 1024 - - name: instance.id - level: extended - type: keyword - description: Instance ID of the host machine. - ignore_above: 1024 - - name: machine.type - level: extended - type: keyword - description: Machine type of the host machine. - ignore_above: 1024 - - name: provider - level: extended - type: keyword - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - ignore_above: 1024 - - name: region - level: extended - type: keyword - description: Region in which this host is running. - ignore_above: 1024 -- name: ecs.version - type: keyword - description: ECS version this event conforms to. - example: 1.0.0 - ignore_above: 1024 -- name: error - type: group - fields: - - name: message - level: core - type: text - description: Error message. -- name: service.type - type: keyword - description: Service type 
diff --git a/packages/aws/0.5.4/data_stream/s3_request/fields/fields.yml b/packages/aws/0.5.4/data_stream/s3_request/fields/fields.yml
deleted file mode 100755
index f78c0d6865..0000000000
--- a/packages/aws/0.5.4/data_stream/s3_request/fields/fields.yml
+++ /dev/null
@@ -1,88 +0,0 @@ -- name: aws - type: group - fields: - - name: dimensions - type: group - fields: - - name: BucketName - type: keyword - description: This dimension filters the data you request for the identified bucket only. - - name: StorageType - type: keyword - description: This dimension filters the data that you have stored in a bucket by types of storage. - - name: FilterId - type: keyword - description: This dimension filters metrics configurations that you specify for request metrics on a bucket, for example, a prefix or a tag. - - name: s3_request - type: group - fields: - - name: requests.total - type: long - description: | - The total number of HTTP requests made to an Amazon S3 bucket, regardless of type. - - name: requests.get - type: long - description: | - The number of HTTP GET requests made for objects in an Amazon S3 bucket. - - name: requests.put - type: long - description: | - The number of HTTP PUT requests made for objects in an Amazon S3 bucket. - - name: requests.delete - type: long - description: | - The number of HTTP DELETE requests made for objects in an Amazon S3 bucket. - - name: requests.head - type: long - description: | - The number of HTTP HEAD requests made to an Amazon S3 bucket. - - name: requests.post - type: long - description: | - The number of HTTP POST requests made to an Amazon S3 bucket. - - name: requests.select - type: long - description: | - The number of Amazon S3 SELECT Object Content requests made for objects in an Amazon S3 bucket. - - name: requests.select_scanned.bytes - type: long - format: bytes - description: | - The number of bytes of data scanned with Amazon S3 SELECT Object Content requests in an Amazon S3 bucket. - - name: requests.select_returned.bytes - type: long - format: bytes - description: | - The number of bytes of data returned with Amazon S3 SELECT Object Content requests in an Amazon S3 bucket. 
- - name: requests.list - type: long - description: | - The number of HTTP requests that list the contents of a bucket. - - name: downloaded.bytes - type: long - format: bytes - description: | - The number bytes downloaded for requests made to an Amazon S3 bucket, where the response includes a body. - - name: uploaded.bytes - type: long - format: bytes - description: | - The number bytes uploaded that contain a request body, made to an Amazon S3 bucket. - - name: errors.4xx - type: long - description: | - The number of HTTP 4xx client error status code requests made to an Amazon S3 bucket with a value of either 0 or 1. - - name: errors.5xx - type: long - description: | - The number of HTTP 5xx server error status code requests made to an Amazon S3 bucket with a value of either 0 or 1. - - name: latency.first_byte.ms - type: long - format: duration - description: | - The per-request time from the complete request being received by an Amazon S3 bucket to when the response starts to be returned. - - name: latency.total_request.ms - type: long - format: duration - description: | - The elapsed per-request time from the first byte received to the last byte sent to an Amazon S3 bucket. diff --git a/packages/aws/0.5.4/data_stream/s3_request/fields/package-fields.yml b/packages/aws/0.5.4/data_stream/s3_request/fields/package-fields.yml deleted file mode 100755 index a8a7ee8dcc..0000000000 --- a/packages/aws/0.5.4/data_stream/s3_request/fields/package-fields.yml +++ /dev/null @@ -1,19 +0,0 @@ -- name: aws - type: group - fields: - - name: tags.* - type: object - description: | - Tag key value pairs from aws resources. - - name: s3.bucket.name - type: keyword - description: | - Name of a S3 bucket. - - name: dimensions.* - type: object - description: | - Metric dimensions. - - name: '*.metrics.*.*' - type: object - description: | - Metrics that returned from Cloudwatch API query. 
diff --git a/packages/aws/0.5.4/data_stream/s3_request/manifest.yml b/packages/aws/0.5.4/data_stream/s3_request/manifest.yml
deleted file mode 100755
index 472461c764..0000000000
--- a/packages/aws/0.5.4/data_stream/s3_request/manifest.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-title: AWS S3 request metrics -release: beta -type: metrics -streams: - - input: aws/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 1m - - name: regions - type: text - title: Regions - multi: true - required: false - show_user: true - - name: latency - type: text - title: Latency - multi: false - required: false - show_user: false - title: AWS S3 request metrics - description: Collect AWS S3 request metrics
diff --git a/packages/aws/0.5.4/data_stream/s3_request/sample_event.json b/packages/aws/0.5.4/data_stream/s3_request/sample_event.json
deleted file mode 100755
index 3d1822e57c..0000000000
--- a/packages/aws/0.5.4/data_stream/s3_request/sample_event.json
+++ /dev/null
@@ -1,61 +0,0 @@ -{ - "@timestamp": "2020-05-28T17:58:27.154Z", - "service": { - "type": "aws" - }, - "ecs": { - "version": "1.5.0" - }, - "aws": { - "s3": { - "bucket": { - "name": "test-s3-ks-2" - } - }, - "s3_request": { - "downloaded": { - "bytes": 534 - }, - "errors": { - "4xx": 0, - "5xx": 0 - }, - "latency": { - "first_byte.ms": 214, - "total_request.ms": 533 - }, - "requests": { - "list": 2, - "put": 10, - "total": 12 - }, - "uploaded": { - "bytes": 13572 - } - } - }, - "event": { - "dataset": "aws.s3_request", - "module": "aws", - "duration": 10418157072 - }, - "metricset": { - "period": 60000, - "name": "s3_request" - }, - "cloud": { - "region": "us-west-2", - "account": { - "name": "elastic-beats", - "id": "428152502467" - }, - "provider": "aws" - }, - "agent": { - "version": "8.0.0", - "ephemeral_id": "17803f33-b617-4ce9-a9ac-e218c02aeb4b", - "id": "12f376ef-5186-4e8b-a175-70f1140a8f30", - "name": "MacBook-Elastic.local", - "type": "metricbeat" - } -} \ No newline at end of file diff --git a/packages/aws/0.5.4/data_stream/s3access/agent/stream/aws-s3.yml.hbs b/packages/aws/0.5.4/data_stream/s3access/agent/stream/aws-s3.yml.hbs deleted file mode 100755 index a2a794f660..0000000000 --- a/packages/aws/0.5.4/data_stream/s3access/agent/stream/aws-s3.yml.hbs +++ /dev/null 
@@ -1,31 +0,0 @@ -queue_url: {{queue_url}} -{{#if credential_profile_name}} -credential_profile_name: {{credential_profile_name}} -{{/if}} -{{#if shared_credential_file}} -shared_credential_file: {{shared_credential_file}} -{{/if}} -{{#if visibility_timeout}} -visibility_timeout: {{visibility_timeout}} -{{/if}} -{{#if api_timeout}} -api_timeout: {{api_timeout}} -{{/if}} -{{#if endpoint}} -endpoint: {{endpoint}} -{{/if}} -{{#if access_key_id}} -access_key_id: {{access_key_id}} -{{/if}} -{{#if secret_access_key}} -secret_access_key: {{secret_access_key}} -{{/if}} -{{#if session_token}} -session_token: {{session_token}} -{{/if}} -{{#if role_arn}} -role_arn: {{role_arn}} -{{/if}} -{{#if fips_enabled}} -fips_enabled: {{fips_enabled}} -{{/if}} \ No newline at end of file diff --git a/packages/aws/0.5.4/data_stream/s3access/agent/stream/log.yml.hbs b/packages/aws/0.5.4/data_stream/s3access/agent/stream/log.yml.hbs deleted file mode 100755 index 9a5151635e..0000000000 --- a/packages/aws/0.5.4/data_stream/s3access/agent/stream/log.yml.hbs +++ /dev/null @@ -1,5 +0,0 @@ -paths: - {{#each paths as |path i|}} -- {{path}} - {{/each}} -exclude_files: [".gz$"] \ No newline at end of file diff --git a/packages/aws/0.5.4/data_stream/s3access/elasticsearch/ingest_pipeline/default.yml b/packages/aws/0.5.4/data_stream/s3access/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 8e1c140222..0000000000 --- a/packages/aws/0.5.4/data_stream/s3access/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,216 +0,0 @@ ---- -description: "Pipeline for s3 server access logs" - -processors: - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' - - set: - field: ecs.version - value: '1.9.0' - - set: - field: event.category - value: web - - append: - field: event.type - value: access - - grok: - field: message - patterns: - - >- - %{BASE16NUM:aws.s3access.bucket_owner} %{HOSTNAME:aws.s3access.bucket} \[%{HTTPDATE:_temp_.s3access_time}\] - %{IP:aws.s3access.remote_ip} (?:-|%{S3REQUESTER:aws.s3access.requester}) %{S3REQUESTID:aws.s3access.request_id} - %{S3OPERATION:aws.s3access.operation} (?:-|%{S3KEY:aws.s3access.key}) (?:-|\"%{DATA:aws.s3access.request_uri}\") - %{NUMBER:aws.s3access.http_status:long} (?:-|%{WORD:aws.s3access.error_code}) (?:-|%{NUMBER:aws.s3access.bytes_sent:long}) - (?:-|%{NUMBER:aws.s3access.object_size:long}) (?:-|%{NUMBER:aws.s3access.total_time:long}) (?:-|%{NUMBER:aws.s3access.turn_around_time:long}) - (?:-|\"-\"|\"%{DATA:aws.s3access.referrer}\") (?:-|\"(-|%{DATA:aws.s3access.user_agent})\") (?:-|%{S3KEY:aws.s3access.version_id}) - (?:-|%{S3ID:aws.s3access.host_id}) (?:-|%{S3VERSION:aws.s3access.signature_version}) (?:-|%{S3KEY:aws.s3access.cipher_suite}) - (?:-|%{WORD:aws.s3access.authentication_type}) (?:-|%{S3ID:aws.s3access.host_header}) (?:-|%{S3VERSION:aws.s3access.tls_version}) - pattern_definitions: - S3REQUESTER: "[a-zA-Z0-9\\/_\\.\\-%:@]+" - S3REQUESTID: "[a-zA-Z0-9]+" - S3OPERATION: "%{WORD}.%{WORD}.%{WORD}" - S3KEY: "[a-zA-Z0-9\\/_\\.\\-%+]+" - S3ID: "[a-zA-Z0-9\\/_\\.\\-%+=]+" - S3VERSION: "[a-zA-Z0-9.]+" - - - script: - description: Drops null/empty values recursively - lang: painless - source: | - boolean drop(Object o) { - if (o == null || o == "") { - return true; - } else if (o instanceof Map) { - ((Map) o).values().removeIf(v -> drop(v)); - return (((Map) o).size() == 0); - } else if (o instanceof List) { - ((List) o).removeIf(v -> drop(v)); - return (((List) o).length == 0); - } - return false; - } - 
drop(ctx); - - - grok: - field: aws.s3access.request_uri - ignore_failure: true - patterns: - - '%{NOTSPACE:http.request.method} %{NOTSPACE:url.original} [hH][tT][tT][pP]/%{NOTSPACE:http.version}' - - # - # Best-effort parse of url.original in the form /path?query" - # - - grok: - field: url.original - ignore_failure: true - patterns: - - '^%{ABS_PATH:url.path}(?:\?%{DATA:url.query})?$' - pattern_definitions: - ABS_PATH: '/[^?]*' - - append: - if: "ctx?.aws?.s3access?.bucket_owner != null" - field: related.user - value: "{{aws.s3access.bucket_owner}}" - - # - # Parse the date included in s3 access logs - # - - date: - field: "_temp_.s3access_time" - target_field: "@timestamp" - ignore_failure: true - formats: - - "dd/MMM/yyyy:H:m:s Z" - - - set: - field: client.ip - value: "{{aws.s3access.remote_ip}}" - ignore_empty_value: true - - - append: - if: "ctx?.aws?.s3access?.remote_ip != null" - field: related.ip - value: "{{aws.s3access.remote_ip}}" - - - set: - field: client.address - value: "{{aws.s3access.remote_ip}}" - ignore_empty_value: true - - - geoip: - if: "ctx?.aws?.s3access?.remote_ip != null" - field: aws.s3access.remote_ip - target_field: geo - - - set: - field: client.user.id - value: "{{aws.s3access.requester}}" - ignore_empty_value: true - - - set: - field: event.id - value: "{{aws.s3access.request_id}}" - ignore_empty_value: true - - - set: - field: event.action - value: "{{aws.s3access.operation}}" - ignore_empty_value: true - - - set: - field: http.response.status_code - value: "{{aws.s3access.http_status}}" - ignore_empty_value: true - - - convert: - if: "ctx?.http?.response?.status_code != null" - field: http.response.status_code - type: long - - - set: - if: "ctx?.aws?.s3access?.error_code != null" - field: event.outcome - value: failure - - - set: - field: event.code - value: "{{aws.s3access.error_code}}" - ignore_empty_value: true - - - set: - if: "ctx?.aws?.s3access?.error_code == null" - field: event.outcome - value: success - - - convert: - 
field: aws.s3access.bytes_sent - target_field: http.response.body.bytes - type: long - ignore_failure: true - - - convert: - field: aws.s3access.total_time - target_field: event.duration - type: long - ignore_failure: true - - - script: - lang: painless - if: ctx.event?.duration != null - params: - MS_TO_NS: 1000000 - source: >- - ctx.event.duration *= params.MS_TO_NS; - - - set: - field: http.request.referrer - value: "{{aws.s3access.referrer}}" - ignore_empty_value: true - - - user_agent: - if: "ctx?.aws?.s3access?.user_agent != null" - field: aws.s3access.user_agent - - - set: - field: tls.cipher - value: '{{aws.s3access.cipher_suite}}' - ignore_empty_value: true - - - script: - lang: painless - if: ctx.aws?.s3access?.tls_version != null - source: >- - def parts = ctx.aws.s3access.tls_version.toLowerCase().splitOnToken("v"); - if (parts.length != 2) { - return; - } - ctx.tls.version = parts[1]; - ctx.tls.version_protocol = parts[0] - - - set: - field: cloud.provider - value: aws - - - set: - field: event.kind - value: event - - # - # Save original message into event.original - # - - rename: - field: "message" - target_field: "event.original" - - # - # Remove temporary fields - # - - remove: - field: _temp_ - ignore_missing: true - -on_failure: - - set: - field: "error.message" - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/aws/0.5.4/data_stream/s3access/fields/agent.yml b/packages/aws/0.5.4/data_stream/s3access/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/aws/0.5.4/data_stream/s3access/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/aws/0.5.4/data_stream/s3access/fields/base-fields.yml b/packages/aws/0.5.4/data_stream/s3access/fields/base-fields.yml
deleted file mode 100755
index 7c798f4534..0000000000
--- a/packages/aws/0.5.4/data_stream/s3access/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp.
diff --git a/packages/aws/0.5.4/data_stream/s3access/fields/ecs.yml b/packages/aws/0.5.4/data_stream/s3access/fields/ecs.yml
deleted file mode 100755
index 28f92dcf9e..0000000000
--- a/packages/aws/0.5.4/data_stream/s3access/fields/ecs.yml
+++ /dev/null
@@ -1,141 +0,0 @@ -- name: related.user - type: keyword - description: All the user names seen on your event. -- name: related.ip - type: ip - description: All of the IPs seen on your event. -- name: client.ip - type: ip - description: IP address of the client. -- name: client.address - type: keyword - description: Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the .address field. -- name: client.user.id - type: keyword - description: Unique identifiers of the user. -- name: event.id - type: keyword - description: Unique ID to describe the event. -- name: event.action - type: keyword - description: The action captured by the event. -- name: event.outcome - type: keyword - description: This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. -- name: event.code - type: keyword - description: Identification code for this event, if one exists. -- name: event.duration - type: long - description: Duration of the event in nanoseconds. -- name: http - title: HTTP - type: group - fields: - - name: request.method - type: keyword - ignore_above: 1024 - description: 'HTTP request method.' - - name: request.referrer - type: keyword - ignore_above: 1024 - description: Referrer for this HTTP request. - - name: response.body.bytes - type: long - format: bytes - description: Size in bytes of the response body. - - name: response.status_code - type: long - description: HTTP response status code. - - name: version - type: keyword - ignore_above: 1024 - description: HTTP version. -- name: url - title: URL - type: group - fields: - - name: original - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: 'Unmodified original url as seen in the event source.' 
- - name: path - type: keyword - ignore_above: 1024 - description: Path of the request, such as "/search". - - name: query - type: keyword - ignore_above: 1024 - description: 'The query field describes the query string of the request, such as "q=elasticsearch".' -- name: tls.cipher - type: keyword - description: String indicating the cipher used during the current connection. -- name: tls.version - type: keyword - description: Numeric part of the version parsed from the original string. -- name: tls.version_protocol - type: keyword - description: Normalized lowercase protocol name parsed from original string. -- name: cloud.provider - type: keyword - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. -- name: event.kind - type: keyword - description: Event kind (e.g. event, alert, metric, state, pipeline_error, signal) -- name: geo.city_name - type: keyword - description: City name. -- name: geo.country_name - type: keyword - description: Country name. -- name: geo.continent_name - type: keyword - description: Name of the continent. -- name: geo.country_iso_code - type: keyword - description: Country ISO code. -- name: geo.location - type: geo_point - description: Longitude and latitude. -- name: geo.region_iso_code - type: keyword - description: Region ISO code. -- name: geo.region_name - type: keyword - description: Region name. -- name: user_agent.device.name - type: keyword - description: Name of the device. -- name: user_agent.name - type: keyword - description: Name of the user agent. -- name: user_agent.original - type: keyword - description: Unparsed user_agent string. -- name: user_agent.os.full - type: keyword - description: Operating system name, including the version or code name. -- name: user_agent.os.name - type: keyword - description: Operating system name, without the version. -- name: user_agent.os.version - type: keyword - description: Operating system version as a raw string. 
-- name: user_agent.version - type: keyword - description: Version of the user agent. -- name: ecs.version - type: keyword - description: ECS version this event conforms to. -- name: error - type: group - fields: - - name: message - level: core - type: text - description: Error message. diff --git a/packages/aws/0.5.4/data_stream/s3access/fields/fields.yml b/packages/aws/0.5.4/data_stream/s3access/fields/fields.yml deleted file mode 100755 index e4b8c951d4..0000000000 --- a/packages/aws/0.5.4/data_stream/s3access/fields/fields.yml +++ /dev/null 
@@ -1,95 +0,0 @@ -- name: aws.s3access - type: group - fields: - - name: bucket_owner - type: keyword - description: | - The canonical user ID of the owner of the source bucket. - - name: bucket - type: keyword - description: | - The name of the bucket that the request was processed against. - - name: remote_ip - type: ip - description: | - The apparent internet address of the requester. - - name: requester - type: keyword - description: | - The canonical user ID of the requester, or a - for unauthenticated requests. - - name: request_id - type: keyword - description: | - A string generated by Amazon S3 to uniquely identify each request. - - name: operation - type: keyword - description: | - The operation listed here is declared as SOAP.operation, REST.HTTP_method.resource_type, WEBSITE.HTTP_method.resource_type, or BATCH.DELETE.OBJECT. - - name: key - type: keyword - description: | - The "key" part of the request, URL encoded, or "-" if the operation does not take a key parameter. - - name: request_uri - type: keyword - description: | - The Request-URI part of the HTTP request message. - - name: http_status - type: long - description: | - The numeric HTTP status code of the response. - - name: error_code - type: keyword - description: | - The Amazon S3 Error Code, or "-" if no error occurred. - - name: bytes_sent - type: long - description: | - The number of response bytes sent, excluding HTTP protocol overhead, or "-" if zero. - - name: object_size - type: long - description: | - The total size of the object in question. - - name: total_time - type: long - description: | - The number of milliseconds the request was in flight from the server's perspective. - - name: turn_around_time - type: long - description: | - The number of milliseconds that Amazon S3 spent processing your request. - - name: referrer - type: keyword - description: | - The value of the HTTP Referrer header, if present. 
- - name: user_agent - type: keyword - description: | - The value of the HTTP User-Agent header. - - name: version_id - type: keyword - description: | - The version ID in the request, or "-" if the operation does not take a versionId parameter. - - name: host_id - type: keyword - description: | - The x-amz-id-2 or Amazon S3 extended request ID. - - name: signature_version - type: keyword - description: | - The signature version, SigV2 or SigV4, that was used to authenticate the request or a - for unauthenticated requests. - - name: cipher_suite - type: keyword - description: | - The Secure Sockets Layer (SSL) cipher that was negotiated for HTTPS request or a - for HTTP. - - name: authentication_type - type: keyword - description: | - The type of request authentication used, AuthHeader for authentication headers, QueryString for query string (pre-signed URL) or a - for unauthenticated requests. - - name: host_header - type: keyword - description: | - The endpoint used to connect to Amazon S3. - - name: tls_version - type: keyword - description: | - The Transport Layer Security (TLS) version negotiated by the client. diff --git a/packages/aws/0.5.4/data_stream/s3access/manifest.yml b/packages/aws/0.5.4/data_stream/s3access/manifest.yml deleted file mode 100755 index 9e93613017..0000000000 --- a/packages/aws/0.5.4/data_stream/s3access/manifest.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -title: AWS s3access logs -release: beta -type: logs -streams: - - input: aws-s3 - template_path: aws-s3.yml.hbs - title: AWS s3access logs - description: Collect AWS s3access logs using s3 input - vars: - - name: queue_url - type: text - title: Queue URL - multi: false - required: true - show_user: true - description: URL of the AWS SQS queue that messages will be received from. - - name: fips_enabled - type: bool - title: Enable S3 FIPS - default: false - multi: false - required: false - show_user: false - description: Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint. diff --git a/packages/aws/0.5.4/data_stream/sns/agent/stream/stream.yml.hbs b/packages/aws/0.5.4/data_stream/sns/agent/stream/stream.yml.hbs deleted file mode 100755 index 6c56e029fb..0000000000 --- a/packages/aws/0.5.4/data_stream/sns/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,32 +0,0 @@ -metricsets: ["sns"] -period: {{period}} -{{#if access_key_id}} -access_key_id: {{access_key_id}} -{{/if}} -{{#if secret_access_key}} -secret_access_key: {{secret_access_key}} -{{/if}} -{{#if session_token}} -session_token: {{session_token}} -{{/if}} -{{#if credential_profile_name}} -credential_profile_name: {{credential_profile_name}} -{{/if}} -{{#if shared_credential_file}} -shared_credential_file: {{shared_credential_file}} -{{/if}} -{{#if role_arn}} -role_arn: {{role_arn}} -{{/if}} -{{#if regions}} -regions: -{{#each regions as |region i|}} -- {{region}} -{{/each}} -{{/if}} -{{#if latency}} -latency: {{latency}} -{{/if}} -{{#if tags_filter}} -tags_filter: {{tags_filter}} -{{/if}} \ No newline at end of file diff --git a/packages/aws/0.5.4/data_stream/sns/fields/agent.yml b/packages/aws/0.5.4/data_stream/sns/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/aws/0.5.4/data_stream/sns/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/aws/0.5.4/data_stream/sns/fields/base-fields.yml b/packages/aws/0.5.4/data_stream/sns/fields/base-fields.yml deleted file mode 100755 index 7c798f4534..0000000000 --- a/packages/aws/0.5.4/data_stream/sns/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/aws/0.5.4/data_stream/sns/fields/ecs.yml b/packages/aws/0.5.4/data_stream/sns/fields/ecs.yml deleted file mode 100755 index 745baefadc..0000000000 --- a/packages/aws/0.5.4/data_stream/sns/fields/ecs.yml +++ /dev/null 
@@ -1,60 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - type: group - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - fields: - - name: account.id - level: extended - type: keyword - description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - ignore_above: 1024 - - name: account.name - level: extended - type: keyword - description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - ignore_above: 1024 - - name: availability_zone - level: extended - type: keyword - description: Availability zone in which this host is running. - ignore_above: 1024 - - name: instance.id - level: extended - type: keyword - description: Instance ID of the host machine. - ignore_above: 1024 - - name: machine.type - level: extended - type: keyword - description: Machine type of the host machine. - ignore_above: 1024 - - name: provider - level: extended - type: keyword - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - ignore_above: 1024 - - name: region - level: extended - type: keyword - description: Region in which this host is running. - ignore_above: 1024 -- name: ecs.version - type: keyword - description: ECS version this event conforms to. - example: 1.0.0 - ignore_above: 1024 -- name: error - type: group - fields: - - name: message - level: core - type: text - description: Error message. -- name: service.type - type: keyword - description: Service type 
diff --git a/packages/aws/0.5.4/data_stream/sns/fields/fields.yml b/packages/aws/0.5.4/data_stream/sns/fields/fields.yml deleted file mode 100755 index c07522553d..0000000000 --- a/packages/aws/0.5.4/data_stream/sns/fields/fields.yml +++ /dev/null 
@@ -1,69 +0,0 @@ -- name: aws - type: group - fields: - - name: dimensions - type: group - fields: - - name: Application - type: keyword - description: Filters on application objects, which represent an app and device registered with one of the supported push notification services, such as APNs and FCM. - - name: Application,Platform - type: keyword - description: Filters on application and platform objects, where the platform objects are for the supported push notification services, such as APNs and FCM. - - name: Country - type: keyword - description: Filters on the destination country or region of an SMS message. - - name: Platform - type: keyword - description: Filters on platform objects for the push notification services, such as APNs and FCM. - - name: TopicName - type: keyword - description: Filters on Amazon SNS topic names. - - name: SMSType - type: keyword - description: Filters on the message type of SMS message. - - name: sns - type: group - fields: - - name: metrics - type: group - fields: - - name: PublishSize.avg - type: double - description: The size of messages published. - - name: SMSSuccessRate.avg - type: double - description: The rate of successful SMS message deliveries. - - name: NumberOfMessagesPublished.sum - type: long - description: The number of messages published to your Amazon SNS topics. - - name: NumberOfNotificationsDelivered.sum - type: long - description: The number of messages successfully delivered from your Amazon SNS topics to subscribing endpoints. - - name: NumberOfNotificationsFailed.sum - type: long - description: The number of messages that Amazon SNS failed to deliver. - - name: NumberOfNotificationsFilteredOut.sum - type: long - description: The number of messages that were rejected by subscription filter policies. 
- - name: NumberOfNotificationsFilteredOut-InvalidAttributes.sum - type: long - description: The number of messages that were rejected by subscription filter policies because the messages' attributes are invalid - for example, because the attribute JSON is incorrectly formatted. - - name: NumberOfNotificationsFilteredOut-NoMessageAttributes.sum - type: long - description: The number of messages that were rejected by subscription filter policies because the messages have no attributes. - - name: NumberOfNotificationsRedrivenToDlq.sum - type: long - description: The number of messages that have been moved to a dead-letter queue. - - name: NumberOfNotificationsFailedToRedriveToDlq.sum - type: long - description: The number of messages that couldn't be moved to a dead-letter queue. - - name: SMSMonthToDateSpentUSD.sum - type: long - description: The charges you have accrued since the start of the current calendar month for sending SMS messages. - - name: cloudwatch - type: group - fields: - - name: namespace - type: keyword - description: The namespace specified when query cloudwatch api. diff --git a/packages/aws/0.5.4/data_stream/sns/fields/package-fields.yml b/packages/aws/0.5.4/data_stream/sns/fields/package-fields.yml deleted file mode 100755 index a8a7ee8dcc..0000000000 --- a/packages/aws/0.5.4/data_stream/sns/fields/package-fields.yml +++ /dev/null @@ -1,19 +0,0 @@ -- name: aws - type: group - fields: - - name: tags.* - type: object - description: | - Tag key value pairs from aws resources. - - name: s3.bucket.name - type: keyword - description: | - Name of a S3 bucket. - - name: dimensions.* - type: object - description: | - Metric dimensions. - - name: '*.metrics.*.*' - type: object - description: | - Metrics that returned from Cloudwatch API query. diff --git a/packages/aws/0.5.4/data_stream/sns/manifest.yml b/packages/aws/0.5.4/data_stream/sns/manifest.yml deleted file mode 100755 index 806a5e416b..0000000000 
--- a/packages/aws/0.5.4/data_stream/sns/manifest.yml +++ /dev/null @@ -1,36 +0,0 @@ -title: AWS SNS metrics -release: beta -type: metrics -streams: - - input: aws/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 5m - - name: regions - type: text - title: Regions - multi: true - required: false - show_user: true - - name: latency - type: text - title: Latency - multi: false - required: false - show_user: false - - name: tags_filter - type: yaml - title: Tags Filter - multi: false - required: false - show_user: false - default: | - # - key: "created-by" - # value: "foo" - title: AWS SNS metrics - description: Collect AWS SNS metrics diff --git a/packages/aws/0.5.4/data_stream/sns/sample_event.json b/packages/aws/0.5.4/data_stream/sns/sample_event.json deleted file mode 100755 index af48ae9aa4..0000000000 --- a/packages/aws/0.5.4/data_stream/sns/sample_event.json +++ /dev/null @@ -1,57 +0,0 @@ -{ - "@timestamp": "2020-05-28T17:58:27.154Z", - "service": { - "type": "aws" - }, - "ecs": { - "version": "1.5.0" - }, - "aws": { - "cloudwatch": { - "namespace": "AWS/SNS" - }, - "dimensions": { - "TopicName": "test-sns-ks" - }, - "sns": { - "metrics": { - "NumberOfMessagesPublished": { - "sum": 1 - }, - "NumberOfNotificationsFailed": { - "sum": 1 - }, - "PublishSize": { - "avg": 5 - } - } - }, - "tags": { - "created-by": "ks" - } - }, - "event": { - "dataset": "aws.sns", - "module": "aws", - "duration": 10418157072 - }, - "metricset": { - "period": 60000, - "name": "sns" - }, - "cloud": { - "region": "us-west-2", - "account": { - "name": "elastic-beats", - "id": "428152502467" - }, - "provider": "aws" - }, - "agent": { - "version": "8.0.0", - "ephemeral_id": "17803f33-b617-4ce9-a9ac-e218c02aeb4b", - "id": "12f376ef-5186-4e8b-a175-70f1140a8f30", - "name": "MacBook-Elastic.local", - "type": "metricbeat" - } -} \ No newline at end of file 
diff --git a/packages/aws/0.5.4/data_stream/sqs/agent/stream/stream.yml.hbs b/packages/aws/0.5.4/data_stream/sqs/agent/stream/stream.yml.hbs deleted file mode 100755 index 2e9f1a2d15..0000000000 --- a/packages/aws/0.5.4/data_stream/sqs/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,29 +0,0 @@ -metricsets: ["sqs"] -period: {{period}} -{{#if access_key_id}} -access_key_id: {{access_key_id}} -{{/if}} -{{#if secret_access_key}} -secret_access_key: {{secret_access_key}} -{{/if}} -{{#if session_token}} -session_token: {{session_token}} -{{/if}} -{{#if credential_profile_name}} -credential_profile_name: {{credential_profile_name}} -{{/if}} -{{#if shared_credential_file}} -shared_credential_file: {{shared_credential_file}} -{{/if}} -{{#if role_arn}} -role_arn: {{role_arn}} -{{/if}} -{{#if regions}} -regions: -{{#each regions as |region i|}} -- {{region}} -{{/each}} -{{/if}} -{{#if latency}} -latency: {{latency}} -{{/if}} \ No newline at end of file diff --git a/packages/aws/0.5.4/data_stream/sqs/fields/agent.yml b/packages/aws/0.5.4/data_stream/sqs/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/aws/0.5.4/data_stream/sqs/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/aws/0.5.4/data_stream/sqs/fields/base-fields.yml b/packages/aws/0.5.4/data_stream/sqs/fields/base-fields.yml deleted file mode 100755 index 7c798f4534..0000000000 --- a/packages/aws/0.5.4/data_stream/sqs/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/aws/0.5.4/data_stream/sqs/fields/ecs.yml b/packages/aws/0.5.4/data_stream/sqs/fields/ecs.yml deleted file mode 100755 index 745baefadc..0000000000 --- a/packages/aws/0.5.4/data_stream/sqs/fields/ecs.yml +++ /dev/null 
@@ -1,60 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - type: group - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - fields: - - name: account.id - level: extended - type: keyword - description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - ignore_above: 1024 - - name: account.name - level: extended - type: keyword - description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - ignore_above: 1024 - - name: availability_zone - level: extended - type: keyword - description: Availability zone in which this host is running. - ignore_above: 1024 - - name: instance.id - level: extended - type: keyword - description: Instance ID of the host machine. - ignore_above: 1024 - - name: machine.type - level: extended - type: keyword - description: Machine type of the host machine. - ignore_above: 1024 - - name: provider - level: extended - type: keyword - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - ignore_above: 1024 - - name: region - level: extended - type: keyword - description: Region in which this host is running. - ignore_above: 1024 -- name: ecs.version - type: keyword - description: ECS version this event conforms to. - example: 1.0.0 - ignore_above: 1024 -- name: error - type: group - fields: - - name: message - level: core - type: text - description: Error message. -- name: service.type - type: keyword - description: Service type 
diff --git a/packages/aws/0.5.4/data_stream/sqs/fields/fields.yml b/packages/aws/0.5.4/data_stream/sqs/fields/fields.yml deleted file mode 100755 index a6f2304201..0000000000 --- a/packages/aws/0.5.4/data_stream/sqs/fields/fields.yml +++ /dev/null @@ -1,54 +0,0 @@ -- name: aws - type: group - fields: - - name: dimensions - type: group - fields: - - name: QueueName - type: keyword - description: SQS queue name - - name: sqs - type: group - fields: - - name: oldest_message_age.sec - type: long - format: duration - description: | - The approximate age of the oldest non-deleted message in the queue. - - name: messages.delayed - type: long - description: | - TThe number of messages in the queue that are delayed and not available for reading immediately. - - name: messages.not_visible - type: long - description: | - The number of messages that are in flight. - - name: messages.visible - type: long - description: | - The number of messages available for retrieval from the queue. - - name: messages.deleted - type: long - description: | - The number of messages deleted from the queue. - - name: messages.received - type: long - description: | - The number of messages returned by calls to the ReceiveMessage action. - - name: messages.sent - type: long - description: | - The number of messages added to a queue. - - name: empty_receives - type: long - description: | - The number of ReceiveMessage API calls that did not return a message. - - name: sent_message_size.bytes - type: long - format: bytes - description: | - The size of messages added to a queue. - - name: queue.name - type: keyword - description: | - SQS queue name diff --git a/packages/aws/0.5.4/data_stream/sqs/fields/package-fields.yml b/packages/aws/0.5.4/data_stream/sqs/fields/package-fields.yml deleted file mode 100755 index a8a7ee8dcc..0000000000 --- a/packages/aws/0.5.4/data_stream/sqs/fields/package-fields.yml +++ /dev/null 
@@ -1,19 +0,0 @@ -- name: aws - type: group - fields: - - name: tags.* - type: object - description: | - Tag key value pairs from aws resources. - - name: s3.bucket.name - type: keyword - description: | - Name of a S3 bucket. - - name: dimensions.* - type: object - description: | - Metric dimensions. - - name: '*.metrics.*.*' - type: object - description: | - Metrics that returned from Cloudwatch API query. diff --git a/packages/aws/0.5.4/data_stream/sqs/manifest.yml b/packages/aws/0.5.4/data_stream/sqs/manifest.yml deleted file mode 100755 index b1a57a9faf..0000000000 --- a/packages/aws/0.5.4/data_stream/sqs/manifest.yml +++ /dev/null @@ -1,27 +0,0 @@ -title: AWS SQS metrics -release: beta -type: metrics -streams: - - input: aws/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 5m - - name: regions - type: text - title: Regions - multi: true - required: false - show_user: true - - name: latency - type: text - title: Latency - multi: false - required: false - show_user: false - title: AWS SQS metrics - description: Collect AWS SQS metrics diff --git a/packages/aws/0.5.4/data_stream/sqs/sample_event.json b/packages/aws/0.5.4/data_stream/sqs/sample_event.json deleted file mode 100755 index 714ab645a4..0000000000 --- a/packages/aws/0.5.4/data_stream/sqs/sample_event.json +++ /dev/null 
@@ -1,53 +0,0 @@ -{ - "@timestamp": "2020-05-28T17:58:27.154Z", - "service": { - "type": "aws" - }, - "ecs": { - "version": "1.5.0" - }, - "aws": { - "sqs": { - "empty_receives": 0, - "messages": { - "delayed": 0, - "deleted": 0, - "not_visible": 0, - "received": 0, - "sent": 0, - "visible": 2 - }, - "oldest_message_age": { - "sec": 78494 - }, - "queue": { - "name": "test-s3-notification" - }, - "sent_message_size": {} - } - }, - "event": { - "dataset": "aws.sqs", - "module": "aws", - "duration": 10418157072 - }, - "metricset": { - "period": 60000, - "name": "sqs" - }, - "cloud": { - "region": "us-west-2", - "account": { - "name": "elastic-beats", - "id": "428152502467" - }, - "provider": "aws" - }, - "agent": { - "version": "8.0.0", - "ephemeral_id": "17803f33-b617-4ce9-a9ac-e218c02aeb4b", - "id": "12f376ef-5186-4e8b-a175-70f1140a8f30", - "name": "MacBook-Elastic.local", - "type": "metricbeat" - } -} \ No newline at end of file diff --git a/packages/aws/0.5.4/data_stream/transitgateway/agent/stream/stream.yml.hbs b/packages/aws/0.5.4/data_stream/transitgateway/agent/stream/stream.yml.hbs deleted file mode 100755 index b5530f1b2c..0000000000 --- a/packages/aws/0.5.4/data_stream/transitgateway/agent/stream/stream.yml.hbs +++ /dev/null 
@@ -1,32 +0,0 @@ -metricsets: ["transitgateway"] -period: {{period}} -{{#if access_key_id}} -access_key_id: {{access_key_id}} -{{/if}} -{{#if secret_access_key}} -secret_access_key: {{secret_access_key}} -{{/if}} -{{#if session_token}} -session_token: {{session_token}} -{{/if}} -{{#if credential_profile_name}} -credential_profile_name: {{credential_profile_name}} -{{/if}} -{{#if shared_credential_file}} -shared_credential_file: {{shared_credential_file}} -{{/if}} -{{#if role_arn}} -role_arn: {{role_arn}} -{{/if}} -{{#if regions}} -regions: -{{#each regions as |region i|}} -- {{region}} -{{/each}} -{{/if}} -{{#if latency}} -latency: {{latency}} -{{/if}} -{{#if tags_filter}} -tags_filter: {{tags_filter}} -{{/if}} \ No newline at end of file diff --git a/packages/aws/0.5.4/data_stream/transitgateway/fields/agent.yml b/packages/aws/0.5.4/data_stream/transitgateway/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/aws/0.5.4/data_stream/transitgateway/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/aws/0.5.4/data_stream/transitgateway/fields/base-fields.yml b/packages/aws/0.5.4/data_stream/transitgateway/fields/base-fields.yml deleted file mode 100755 index 7c798f4534..0000000000 --- a/packages/aws/0.5.4/data_stream/transitgateway/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/aws/0.5.4/data_stream/transitgateway/fields/ecs.yml b/packages/aws/0.5.4/data_stream/transitgateway/fields/ecs.yml deleted file mode 100755 index 745baefadc..0000000000 --- a/packages/aws/0.5.4/data_stream/transitgateway/fields/ecs.yml +++ /dev/null 
@@ -1,60 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - type: group - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - fields: - - name: account.id - level: extended - type: keyword - description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - ignore_above: 1024 - - name: account.name - level: extended - type: keyword - description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - ignore_above: 1024 - - name: availability_zone - level: extended - type: keyword - description: Availability zone in which this host is running. - ignore_above: 1024 - - name: instance.id - level: extended - type: keyword - description: Instance ID of the host machine. - ignore_above: 1024 - - name: machine.type - level: extended - type: keyword - description: Machine type of the host machine. - ignore_above: 1024 - - name: provider - level: extended - type: keyword - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - ignore_above: 1024 - - name: region - level: extended - type: keyword - description: Region in which this host is running. - ignore_above: 1024 -- name: ecs.version - type: keyword - description: ECS version this event conforms to. - example: 1.0.0 - ignore_above: 1024 -- name: error - type: group - fields: - - name: message - level: core - type: text - description: Error message. -- name: service.type - type: keyword - description: Service type 
diff --git a/packages/aws/0.5.4/data_stream/transitgateway/fields/fields.yml b/packages/aws/0.5.4/data_stream/transitgateway/fields/fields.yml deleted file mode 100755 index e89af40940..0000000000 --- a/packages/aws/0.5.4/data_stream/transitgateway/fields/fields.yml +++ /dev/null @@ -1,42 +0,0 @@ -- name: aws - type: group - fields: - - name: dimensions - type: group - fields: - - name: TransitGateway - type: keyword - description: Filters the metric data by transit gateway. - - name: TransitGatewayAttachment - type: keyword - description: Filters the metric data by transit gateway attachment. - - name: transitgateway - type: group - fields: - - name: metrics - type: group - fields: - - name: BytesIn.sum - type: long - description: The number of bytes received by the transit gateway. - - name: BytesOut.sum - type: long - description: The number of bytes sent from the transit gateway. - - name: PacketsIn.sum - type: long - description: The number of packets received by the transit gateway. - - name: PacketsOut.sum - type: long - description: The number of packets sent by the transit gateway. - - name: PacketDropCountBlackhole.sum - type: long - description: The number of packets dropped because they matched a blackhole route. - - name: PacketDropCountNoRoute.sum - type: long - description: The number of packets dropped because they did not match a route. - - name: cloudwatch - type: group - fields: - - name: namespace - type: keyword - description: The namespace specified when query cloudwatch api. diff --git a/packages/aws/0.5.4/data_stream/transitgateway/fields/package-fields.yml b/packages/aws/0.5.4/data_stream/transitgateway/fields/package-fields.yml deleted file mode 100755 index a8a7ee8dcc..0000000000 --- a/packages/aws/0.5.4/data_stream/transitgateway/fields/package-fields.yml +++ /dev/null 
@@ -1,19 +0,0 @@ -- name: aws - type: group - fields: - - name: tags.* - type: object - description: | - Tag key value pairs from aws resources. - - name: s3.bucket.name - type: keyword - description: | - Name of a S3 bucket. - - name: dimensions.* - type: object - description: | - Metric dimensions. - - name: '*.metrics.*.*' - type: object - description: | - Metrics that returned from Cloudwatch API query. diff --git a/packages/aws/0.5.4/data_stream/transitgateway/manifest.yml b/packages/aws/0.5.4/data_stream/transitgateway/manifest.yml deleted file mode 100755 index 36ed6e401b..0000000000 --- a/packages/aws/0.5.4/data_stream/transitgateway/manifest.yml +++ /dev/null @@ -1,27 +0,0 @@ -title: AWS Transit Gateway metrics -release: beta -type: metrics -streams: - - input: aws/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 1m - - name: regions - type: text - title: Regions - multi: true - required: false - show_user: true - - name: latency - type: text - title: Latency - multi: false - required: false - show_user: false - title: AWS Transit Gateway metrics - description: Collect AWS Transit Gateway metrics diff --git a/packages/aws/0.5.4/data_stream/transitgateway/sample_event.json b/packages/aws/0.5.4/data_stream/transitgateway/sample_event.json deleted file mode 100755 index 3f9d5b46ea..0000000000 --- a/packages/aws/0.5.4/data_stream/transitgateway/sample_event.json +++ /dev/null 
@@ -1,63 +0,0 @@ -{ - "@timestamp": "2020-05-28T20:10:20.953Z", - "cloud": { - "provider": "aws", - "region": "us-west-2", - "account": { - "name": "elastic-beats", - "id": "428152502467" - } - }, - "aws": { - "transitgateway": { - "metrics": { - "PacketsIn": { - "sum": 0 - }, - "BytesIn": { - "sum": 0 - }, - "BytesOut": { - "sum": 0 - }, - "PacketsOut": { - "sum": 0 - }, - "PacketDropCountBlackhole": { - "sum": 0 - }, - "PacketDropCountNoRoute": { - "sum": 0 - } - } - }, - "cloudwatch": { - "namespace": "AWS/TransitGateway" - }, - "dimensions": { - "TransitGateway": "tgw-0630672a32f12808a" - } - }, - "ecs": { - "version": "1.5.0" - }, - "agent": { - "id": "12f376ef-5186-4e8b-a175-70f1140a8f30", - "name": "MacBook-Elastic.local", - "type": "metricbeat", - "version": "8.0.0", - "ephemeral_id": "17803f33-b617-4ce9-a9ac-e218c02aeb4b" - }, - "event": { - "dataset": "aws.transitgateway", - "module": "aws", - "duration": 12762825681 - }, - "metricset": { - "period": 60000, - "name": "transitgateway" - }, - "service": { - "type": "aws" - } -} \ No newline at end of file diff --git a/packages/aws/0.5.4/data_stream/usage/agent/stream/stream.yml.hbs b/packages/aws/0.5.4/data_stream/usage/agent/stream/stream.yml.hbs deleted file mode 100755 index 24c082cd4d..0000000000 --- a/packages/aws/0.5.4/data_stream/usage/agent/stream/stream.yml.hbs +++ /dev/null 
@@ -1,32 +0,0 @@ -metricsets: ["usage"] -period: {{period}} -{{#if access_key_id}} -access_key_id: {{access_key_id}} -{{/if}} -{{#if secret_access_key}} -secret_access_key: {{secret_access_key}} -{{/if}} -{{#if session_token}} -session_token: {{session_token}} -{{/if}} -{{#if credential_profile_name}} -credential_profile_name: {{credential_profile_name}} -{{/if}} -{{#if shared_credential_file}} -shared_credential_file: {{shared_credential_file}} -{{/if}} -{{#if role_arn}} -role_arn: {{role_arn}} -{{/if}} -{{#if regions}} -regions: -{{#each regions as |region i|}} -- {{region}} -{{/each}} -{{/if}} -{{#if latency}} -latency: {{latency}} -{{/if}} -{{#if tags_filter}} -tags_filter: {{tags_filter}} -{{/if}} \ No newline at end of file diff --git a/packages/aws/0.5.4/data_stream/usage/fields/agent.yml b/packages/aws/0.5.4/data_stream/usage/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/aws/0.5.4/data_stream/usage/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/aws/0.5.4/data_stream/usage/fields/base-fields.yml b/packages/aws/0.5.4/data_stream/usage/fields/base-fields.yml deleted file mode 100755 index 7c798f4534..0000000000 --- a/packages/aws/0.5.4/data_stream/usage/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/aws/0.5.4/data_stream/usage/fields/ecs.yml b/packages/aws/0.5.4/data_stream/usage/fields/ecs.yml deleted file mode 100755 index 745baefadc..0000000000 --- a/packages/aws/0.5.4/data_stream/usage/fields/ecs.yml +++ /dev/null 
@@ -1,60 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - type: group - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - fields: - - name: account.id - level: extended - type: keyword - description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - ignore_above: 1024 - - name: account.name - level: extended - type: keyword - description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - ignore_above: 1024 - - name: availability_zone - level: extended - type: keyword - description: Availability zone in which this host is running. - ignore_above: 1024 - - name: instance.id - level: extended - type: keyword - description: Instance ID of the host machine. - ignore_above: 1024 - - name: machine.type - level: extended - type: keyword - description: Machine type of the host machine. - ignore_above: 1024 - - name: provider - level: extended - type: keyword - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - ignore_above: 1024 - - name: region - level: extended - type: keyword - description: Region in which this host is running. - ignore_above: 1024 -- name: ecs.version - type: keyword - description: ECS version this event conforms to. - example: 1.0.0 - ignore_above: 1024 -- name: error - type: group - fields: - - name: message - level: core - type: text - description: Error message. -- name: service.type - type: keyword - description: Service type 
diff --git a/packages/aws/0.5.4/data_stream/usage/fields/fields.yml b/packages/aws/0.5.4/data_stream/usage/fields/fields.yml deleted file mode 100755 index 7cd5c5e37b..0000000000 --- a/packages/aws/0.5.4/data_stream/usage/fields/fields.yml +++ /dev/null @@ -1,36 +0,0 @@ -- name: aws - type: group - fields: - - name: dimensions - type: group - fields: - - name: Service - type: keyword - description: The name of the AWS service containing the resource. - - name: Class - type: keyword - description: The class of resource being tracked. - - name: Type - type: keyword - description: The type of resource being tracked. - - name: Resource - type: keyword - description: The name of the API operation. - - name: usage - type: group - fields: - - name: metrics - type: group - fields: - - name: CallCount.sum - type: long - description: The number of specified API operations performed in your account. - - name: ResourceCount.sum - type: long - description: The number of the specified resources running in your account. The resources are defined by the dimensions associated with the metric. - - name: cloudwatch - type: group - fields: - - name: namespace - type: keyword - description: The namespace specified when query cloudwatch api. diff --git a/packages/aws/0.5.4/data_stream/usage/fields/package-fields.yml b/packages/aws/0.5.4/data_stream/usage/fields/package-fields.yml deleted file mode 100755 index a8a7ee8dcc..0000000000 --- a/packages/aws/0.5.4/data_stream/usage/fields/package-fields.yml +++ /dev/null @@ -1,19 +0,0 @@ -- name: aws - type: group - fields: - - name: tags.* - type: object - description: | - Tag key value pairs from aws resources. - - name: s3.bucket.name - type: keyword - description: | - Name of a S3 bucket. - - name: dimensions.* - type: object - description: | - Metric dimensions. - - name: '*.metrics.*.*' - type: object - description: | - Metrics that returned from Cloudwatch API query. 
diff --git a/packages/aws/0.5.4/data_stream/usage/manifest.yml b/packages/aws/0.5.4/data_stream/usage/manifest.yml deleted file mode 100755 index ca2c781a65..0000000000 --- a/packages/aws/0.5.4/data_stream/usage/manifest.yml +++ /dev/null @@ -1,27 +0,0 @@ -title: AWS usage metrics -release: beta -type: metrics -streams: - - input: aws/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 1m - - name: regions - type: text - title: Regions - multi: true - required: false - show_user: true - - name: latency - type: text - title: Latency - multi: false - required: false - show_user: false - title: AWS usage metrics - description: Collect AWS usage metrics diff --git a/packages/aws/0.5.4/data_stream/usage/sample_event.json b/packages/aws/0.5.4/data_stream/usage/sample_event.json deleted file mode 100755 index c67701e60f..0000000000 --- a/packages/aws/0.5.4/data_stream/usage/sample_event.json +++ /dev/null @@ -1,51 +0,0 @@ -{ - "@timestamp": "2020-05-28T17:58:30.929Z", - "aws": { - "usage": { - "metrics": { - "CallCount": { - "sum": 1 - } - } - }, - "cloudwatch": { - "namespace": "AWS/Usage" - }, - "dimensions": { - "Type": "API", - "Resource": "GetMetricData", - "Service": "CloudWatch", - "Class": "None" - } - }, - "event": { - "duration": 1191329839, - "dataset": "aws.usage", - "module": "aws" - }, - "service": { - "type": "aws" - }, - "ecs": { - "version": "1.5.0" - }, - "cloud": { - "provider": "aws", - "region": "eu-north-1", - "account": { - "name": "elastic-beats", - "id": "428152502467" - } - }, - "metricset": { - "name": "usage", - "period": 60000 - }, - "agent": { - "ephemeral_id": "17803f33-b617-4ce9-a9ac-e218c02aeb4b", - "id": "12f376ef-5186-4e8b-a175-70f1140a8f30", - "name": "MacBook-Elastic.local", - "type": "metricbeat", - "version": "8.0.0" - } -} \ No newline at end of file 
diff --git a/packages/aws/0.5.4/data_stream/vpcflow/agent/stream/aws-s3.yml.hbs b/packages/aws/0.5.4/data_stream/vpcflow/agent/stream/aws-s3.yml.hbs deleted file mode 100755 index a2a794f660..0000000000 --- a/packages/aws/0.5.4/data_stream/vpcflow/agent/stream/aws-s3.yml.hbs +++ /dev/null @@ -1,31 +0,0 @@ -queue_url: {{queue_url}} -{{#if credential_profile_name}} -credential_profile_name: {{credential_profile_name}} -{{/if}} -{{#if shared_credential_file}} -shared_credential_file: {{shared_credential_file}} -{{/if}} -{{#if visibility_timeout}} -visibility_timeout: {{visibility_timeout}} -{{/if}} -{{#if api_timeout}} -api_timeout: {{api_timeout}} -{{/if}} -{{#if endpoint}} -endpoint: {{endpoint}} -{{/if}} -{{#if access_key_id}} -access_key_id: {{access_key_id}} -{{/if}} -{{#if secret_access_key}} -secret_access_key: {{secret_access_key}} -{{/if}} -{{#if session_token}} -session_token: {{session_token}} -{{/if}} -{{#if role_arn}} -role_arn: {{role_arn}} -{{/if}} -{{#if fips_enabled}} -fips_enabled: {{fips_enabled}} -{{/if}} \ No newline at end of file diff --git a/packages/aws/0.5.4/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml b/packages/aws/0.5.4/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index af758d5f75..0000000000 --- a/packages/aws/0.5.4/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,259 +0,0 @@ ---- -description: Pipeline for AWS VPC Flow Logs - -processors: - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' - - set: - field: ecs.version - value: '1.9.0' - - set: - field: event.type - value: flow - - set: - field: event.category - value: network_traffic - - drop: - if: "ctx?.message.startsWith('version') || ctx?.message.startsWith('instance-id')" - - script: - lang: painless - if: ctx?.message != null - source: >- - ctx._temp_ = new HashMap(); - ctx._temp_.message_token_count = ctx.message.splitOnToken(" ").length; - - - dissect: - field: message - pattern: "%{aws.vpcflow.version} %{aws.vpcflow.account_id} %{aws.vpcflow.interface_id} %{aws.vpcflow.srcaddr} %{aws.vpcflow.dstaddr} %{aws.vpcflow.srcport} %{aws.vpcflow.dstport} %{aws.vpcflow.protocol} %{aws.vpcflow.packets} %{aws.vpcflow.bytes} %{aws.vpcflow.start} %{aws.vpcflow.end} %{aws.vpcflow.action} %{aws.vpcflow.log_status}" - if: ctx?._temp_?.message_token_count == 14 - - dissect: - field: message - pattern: "%{aws.vpcflow.instance_id} %{aws.vpcflow.interface_id} %{aws.vpcflow.srcaddr} %{aws.vpcflow.dstaddr} %{aws.vpcflow.pkt_srcaddr} %{aws.vpcflow.pkt_dstaddr}" - if: ctx?._temp_?.message_token_count == 6 - - dissect: - field: message - pattern: "%{aws.vpcflow.version} %{aws.vpcflow.interface_id} %{aws.vpcflow.account_id} %{aws.vpcflow.vpc_id} %{aws.vpcflow.subnet_id} %{aws.vpcflow.instance_id} %{aws.vpcflow.srcaddr} %{aws.vpcflow.dstaddr} %{aws.vpcflow.srcport} %{aws.vpcflow.dstport} %{aws.vpcflow.protocol} %{aws.vpcflow.tcp_flags} %{aws.vpcflow.type} %{aws.vpcflow.pkt_srcaddr} %{aws.vpcflow.pkt_dstaddr} %{aws.vpcflow.action} %{aws.vpcflow.log_status}" - if: ctx?._temp_?.message_token_count == 17 - - dissect: - field: message - pattern: "%{aws.vpcflow.version} %{aws.vpcflow.vpc_id} %{aws.vpcflow.subnet_id} %{aws.vpcflow.instance_id} %{aws.vpcflow.interface_id} %{aws.vpcflow.account_id} %{aws.vpcflow.type} %{aws.vpcflow.srcaddr} %{aws.vpcflow.dstaddr} 
%{aws.vpcflow.srcport} %{aws.vpcflow.dstport} %{aws.vpcflow.pkt_srcaddr} %{aws.vpcflow.pkt_dstaddr} %{aws.vpcflow.protocol} %{aws.vpcflow.bytes} %{aws.vpcflow.packets} %{aws.vpcflow.start} %{aws.vpcflow.end} %{aws.vpcflow.action} %{aws.vpcflow.tcp_flags} %{aws.vpcflow.log_status}" - if: ctx?._temp_?.message_token_count == 21 - - # Convert Unix epoch to timestamp - - date: - field: "aws.vpcflow.end" - target_field: "@timestamp" - ignore_failure: true - formats: - - UNIX - - date: - field: "aws.vpcflow.start" - target_field: "event.start" - ignore_failure: true - formats: - - UNIX - - date: - field: "aws.vpcflow.end" - target_field: "event.end" - ignore_failure: true - formats: - - UNIX - - remove: - field: ["aws.vpcflow.start", "aws.vpcflow.end"] - ignore_missing: true - - - script: - lang: painless - ignore_failure: true - if: ctx?.aws != null - source: >- - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v instanceof String && v == "-"); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - } - handleMap(ctx.aws); - - - set: - field: event.outcome - value: allow - if: ctx?.aws?.vpcflow?.action == 'ACCEPT' - - set: - field: event.outcome - value: deny - if: ctx?.aws?.vpcflow?.action == 'REJECT' - - - rename: - field: aws.vpcflow.srcaddr - target_field: source.address - ignore_missing: true - - set: - field: source.ip - copy_from: source.address - if: ctx?.source?.address != null - - convert: - field: aws.vpcflow.srcport - target_field: source.port - type: integer - ignore_missing: true - - rename: - field: aws.vpcflow.dstaddr - target_field: destination.address - ignore_missing: true - - set: - field: destination.ip - copy_from: destination.address - if: ctx?.destination?.address != null - - convert: - field: 
aws.vpcflow.dstport - target_field: destination.port - type: integer - ignore_missing: true - - rename: - field: aws.vpcflow.protocol - target_field: network.iana_number - ignore_missing: true - - convert: - field: aws.vpcflow.packets - target_field: source.packets - type: long - ignore_missing: true - - convert: - field: aws.vpcflow.bytes - target_field: source.bytes - type: long - ignore_missing: true - - set: - field: network.bytes - copy_from: source.bytes - if: ctx?.source?.bytes != null - - set: - field: network.packets - copy_from: source.packets - if: ctx?.source?.packets != null - - - set: - field: network.type - value: ipv4 - if: "ctx?.source?.ip != null && ctx?.source?.ip.contains('.')" - - set: - field: network.type - value: ipv6 - if: "ctx?.source?.ip != null && ctx?.source?.ip.contains(':')" - - set: - field: network.transport - value: tcp - if: "ctx?.network?.iana_number == 6" - - set: - field: network.transport - value: udp - if: "ctx?.network?.iana_number == 17" - - - community_id: - target_field: network.community_id - ignore_failure: true - - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: 
destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - rename: - field: message - target_field: event.original - ignore_missing: true - - # Generate related.ip field - - append: - if: ctx.source?.ip != null && ctx.destination?.ip != null - field: related.ip - value: ["{{source.ip}}", "{{destination.ip}}"] - - - set: - field: cloud.provider - value: aws - - - set: - if: "ctx?.aws?.vpcflow?.account_id != null" - field: cloud.account.id - value: "{{aws.vpcflow.account_id}}" - - - set: - if: "ctx?.aws?.vpcflow?.instance_id != null && ctx.aws.vpcflow.instance_id != '-'" - field: cloud.instance.id - value: "{{aws.vpcflow.instance_id}}" - - - set: - field: event.kind - value: event - - - remove: - field: - - _temp_ - - aws.vpcflow.srcaddr - - aws.vpcflow.srcport - - aws.vpcflow.dstaddr - - aws.vpcflow.dstport - - aws.vpcflow.bytes - - aws.vpcflow.packets - - aws.vpcflow.protocol - ignore_missing: true - -on_failure: - - set: - field: "error.message" - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/aws/0.5.4/data_stream/vpcflow/fields/agent.yml b/packages/aws/0.5.4/data_stream/vpcflow/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/aws/0.5.4/data_stream/vpcflow/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/aws/0.5.4/data_stream/vpcflow/fields/base-fields.yml b/packages/aws/0.5.4/data_stream/vpcflow/fields/base-fields.yml
deleted file mode 100755
index 7c798f4534..0000000000
--- a/packages/aws/0.5.4/data_stream/vpcflow/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/aws/0.5.4/data_stream/vpcflow/fields/ecs.yml b/packages/aws/0.5.4/data_stream/vpcflow/fields/ecs.yml
deleted file mode 100755
index d01d2ba53a..0000000000
--- a/packages/aws/0.5.4/data_stream/vpcflow/fields/ecs.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: ecs.version
- type: keyword
- description: ECS version this event conforms to.
- example: 1.0.0
- ignore_above: 1024
-- name: error
- type: group
- fields:
- - name: message
- level: core
- type: text
- description: Error message.
diff --git a/packages/aws/0.5.4/data_stream/vpcflow/fields/fields.yml b/packages/aws/0.5.4/data_stream/vpcflow/fields/fields.yml
deleted file mode 100755
index 596c35c8e0..0000000000
--- a/packages/aws/0.5.4/data_stream/vpcflow/fields/fields.yml
+++ /dev/null
@@ -1,189 +0,0 @@ -- name: aws.vpcflow - type: group - fields: - - name: version - type: keyword - description: | - The VPC Flow Logs version. If you use the default format, the version is 2. If you specify a custom format, the version is 3. - - name: account_id - type: keyword - description: | - The AWS account ID for the flow log. - - name: interface_id - type: keyword - description: | - The ID of the network interface for which the traffic is recorded. - - name: action - type: keyword - description: | - The action that is associated with the traffic, ACCEPT or REJECT. - - name: log_status - type: keyword - description: | - The logging status of the flow log, OK, NODATA or SKIPDATA. - - name: instance_id - type: keyword - description: | - The ID of the instance that's associated with network interface for which the traffic is recorded, if the instance is owned by you. - - name: pkt_srcaddr - type: ip - description: | - The packet-level (original) source IP address of the traffic. - - name: pkt_dstaddr - type: ip - description: | - The packet-level (original) destination IP address for the traffic. - - name: vpc_id - type: keyword - description: | - The ID of the VPC that contains the network interface for which the traffic is recorded. - - name: subnet_id - type: keyword - description: | - The ID of the subnet that contains the network interface for which the traffic is recorded. - - name: tcp_flags - type: keyword - description: | - The bitmask value for the following TCP flags: 2=SYN,18=SYN-ACK,1=FIN,4=RST - - name: type - type: keyword - description: | - The type of traffic: IPv4, IPv6, or EFA. -- name: event.start - type: date - description: event.start contains the date when the event started or when the activity was first observed. -- name: event.end - type: date - description: event.end contains the date when the event ended or when the activity was last observed. -- name: destination.geo.continent_name - type: keyword - description: Name of the continent. 
-- name: destination.geo.country_name - type: keyword - description: Name of the country. -- name: destination.geo.country_iso_code - type: keyword - description: Country ISO code. -- name: destination.geo.city_name - type: keyword - description: Name of the city. -- name: destination.geo.region_iso_code - type: keyword - description: Region ISO code. -- name: destination.geo.region_name - type: keyword - description: Name of the region. -- name: destination.geo.location - type: geo_point - description: Longitude and latitude. -- name: destination.ip - type: ip - description: IP address of the destination. -- name: destination.address - type: keyword - description: Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the .address field. -- name: destination.port - type: long - description: Port of the destination. -- name: event.category - type: keyword - description: Event category (e.g. database) -- name: event.outcome - type: keyword - description: This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. -- name: event.type - type: keyword - description: Event severity (e.g. info, error) -- name: source.as.number - type: long - description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. -- name: source.as.organization.name - type: keyword - description: Organization name. -- name: destination.as.number - type: long - description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. -- name: destination.as.organization.name - type: keyword - description: Organization name. -- name: event.original - type: keyword - description: Raw text message of entire event. Used to demonstrate log integrity. 
-- name: cloud.account.id - type: keyword - description: The cloud account or organization id used to identify different entities in a multi-tenant environment. -- name: cloud.instance.id - type: keyword - description: Instance ID of the host machine. -- name: cloud.provider - type: keyword - description: Name of the cloud provider. -- name: related.ip - type: ip - description: All of the IPs seen on your event. -- name: event.kind - type: keyword - description: Event kind (e.g. event, alert, metric, state, pipeline_error, signal) -- name: cloud.account.id - type: keyword - description: The cloud account or organization id used to identify different entities in a multi-tenant environment. -- name: network.bytes - type: long - description: Total bytes transferred in both directions. -- name: network.community_id - type: keyword - description: A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. -- name: network.iana_number - type: keyword - description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. -- name: network.packets - type: long - description: Total packets transferred in both directions. -- name: network.transport - type: keyword - description: Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) -- name: network.type - type: keyword - description: In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc -- name: source.address - type: keyword - description: Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the .address field. 
-- name: source.as.number - type: long - description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. -- name: source.as.organization.name - type: keyword - description: Organization name. -- name: source.bytes - type: long - description: Bytes sent from the source to the destination. -- name: source.geo.city_name - type: keyword - description: City name. -- name: source.geo.continent_name - type: keyword - description: Name of the continent. -- name: source.geo.country_name - type: keyword - description: Name of the country. -- name: source.geo.country_iso_code - type: keyword - description: Country ISO code. -- name: source.geo.location - type: geo_point - description: Longitude and latitude. -- name: source.geo.region_iso_code - type: keyword - description: Region ISO code. -- name: source.geo.region_name - type: keyword - description: Region name. -- name: source.ip - type: ip - description: IP address of the source (IPv4 or IPv6). -- name: source.packets - type: long - description: Packets sent from the source to the destination. -- name: source.port - type: long - description: Port of the source. diff --git a/packages/aws/0.5.4/data_stream/vpcflow/manifest.yml b/packages/aws/0.5.4/data_stream/vpcflow/manifest.yml deleted file mode 100755 index dff6b3c483..0000000000 --- a/packages/aws/0.5.4/data_stream/vpcflow/manifest.yml +++ /dev/null 
@@ -1,24 +0,0 @@
-title: AWS vpcflow logs
-release: beta
-type: logs
-streams:
- - input: aws-s3
- template_path: aws-s3.yml.hbs
- title: AWS vpcflow logs
- description: Collect AWS vpcflow logs using s3 input
- vars:
- - name: queue_url
- type: text
- title: Queue URL
- multi: false
- required: true
- show_user: true
- description: URL of the AWS SQS queue that messages will be received from.
- - name: fips_enabled
- type: bool
- title: Enable S3 FIPS
- default: false
- multi: false
- required: false
- show_user: false
- description: Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint.
diff --git a/packages/aws/0.5.4/data_stream/vpn/agent/stream/stream.yml.hbs b/packages/aws/0.5.4/data_stream/vpn/agent/stream/stream.yml.hbs
deleted file mode 100755
index a22a1d98e0..0000000000
--- a/packages/aws/0.5.4/data_stream/vpn/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,32 +0,0 @@
-metricsets: ["vpn"]
-period: {{period}}
-{{#if access_key_id}}
-access_key_id: {{access_key_id}}
-{{/if}}
-{{#if secret_access_key}}
-secret_access_key: {{secret_access_key}}
-{{/if}}
-{{#if session_token}}
-session_token: {{session_token}}
-{{/if}}
-{{#if credential_profile_name}}
-credential_profile_name: {{credential_profile_name}}
-{{/if}}
-{{#if shared_credential_file}}
-shared_credential_file: {{shared_credential_file}}
-{{/if}}
-{{#if role_arn}}
-role_arn: {{role_arn}}
-{{/if}}
-{{#if regions}}
-regions:
-{{#each regions as |region i|}}
-- {{region}}
-{{/each}}
-{{/if}}
-{{#if latency}}
-latency: {{latency}}
-{{/if}}
-{{#if tags_filter}}
-tags_filter: {{tags_filter}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/aws/0.5.4/data_stream/vpn/fields/agent.yml b/packages/aws/0.5.4/data_stream/vpn/fields/agent.yml
deleted file mode 100755
index da4e652c53..0000000000
--- a/packages/aws/0.5.4/data_stream/vpn/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/aws/0.5.4/data_stream/vpn/fields/base-fields.yml b/packages/aws/0.5.4/data_stream/vpn/fields/base-fields.yml
deleted file mode 100755
index 7c798f4534..0000000000
--- a/packages/aws/0.5.4/data_stream/vpn/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/aws/0.5.4/data_stream/vpn/fields/ecs.yml b/packages/aws/0.5.4/data_stream/vpn/fields/ecs.yml
deleted file mode 100755
index 745baefadc..0000000000
--- a/packages/aws/0.5.4/data_stream/vpn/fields/ecs.yml
+++ /dev/null
@@ -1,60 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- type: group
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- fields:
- - name: account.id
- level: extended
- type: keyword
- description: |-
- The cloud account or organization id used to identify different entities in a multi-tenant environment.
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
- ignore_above: 1024
- - name: account.name
- level: extended
- type: keyword
- description: |-
- The cloud account name or alias used to identify different entities in a multi-tenant environment.
- Examples: AWS account name, Google Cloud ORG display name.
- ignore_above: 1024
- - name: availability_zone
- level: extended
- type: keyword
- description: Availability zone in which this host is running.
- ignore_above: 1024
- - name: instance.id
- level: extended
- type: keyword
- description: Instance ID of the host machine.
- ignore_above: 1024
- - name: machine.type
- level: extended
- type: keyword
- description: Machine type of the host machine.
- ignore_above: 1024
- - name: provider
- level: extended
- type: keyword
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- ignore_above: 1024
- - name: region
- level: extended
- type: keyword
- description: Region in which this host is running.
- ignore_above: 1024
-- name: ecs.version
- type: keyword
- description: ECS version this event conforms to.
- example: 1.0.0
- ignore_above: 1024
-- name: error
- type: group
- fields:
- - name: message
- level: core
- type: text
- description: Error message.
-- name: service.type
- type: keyword
- description: Service type
diff --git a/packages/aws/0.5.4/data_stream/vpn/fields/fields.yml b/packages/aws/0.5.4/data_stream/vpn/fields/fields.yml
deleted file mode 100755
index 5a5ff461f0..0000000000
--- a/packages/aws/0.5.4/data_stream/vpn/fields/fields.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-- name: aws
- type: group
- fields:
- - name: vpn
- type: group
- fields:
- - name: metrics
- type: group
- fields:
- - name: TunnelState.avg
- type: double
- description: The state of the tunnel. For static VPNs, 0 indicates DOWN and 1 indicates UP. For BGP VPNs, 1 indicates ESTABLISHED and 0 is used for all other states.
- - name: TunnelDataIn.sum
- type: double
- description: The bytes received through the VPN tunnel.
- - name: TunnelDataOut.sum
- type: double
- description: The bytes sent through the VPN tunnel.
- - name: dimensions
- type: group
- fields:
- - name: VpnId
- type: keyword
- description: Filters the metric data by the Site-to-Site VPN connection ID.
- - name: TunnelIpAddress
- type: keyword
- description: Filters the metric data by the IP address of the tunnel for the virtual private gateway.
- - name: cloudwatch
- type: group
- fields:
- - name: namespace
- type: keyword
- description: The namespace specified when query cloudwatch api.
diff --git a/packages/aws/0.5.4/data_stream/vpn/fields/package-fields.yml b/packages/aws/0.5.4/data_stream/vpn/fields/package-fields.yml
deleted file mode 100755
index a8a7ee8dcc..0000000000
--- a/packages/aws/0.5.4/data_stream/vpn/fields/package-fields.yml
+++ /dev/null
@@ -1,19 +0,0 @@
-- name: aws
- type: group
- fields:
- - name: tags.*
- type: object
- description: |
- Tag key value pairs from aws resources.
- - name: s3.bucket.name
- type: keyword
- description: |
- Name of a S3 bucket.
- - name: dimensions.*
- type: object
- description: |
- Metric dimensions.
- - name: '*.metrics.*.*'
- type: object
- description: |
- Metrics that returned from Cloudwatch API query.
diff --git a/packages/aws/0.5.4/data_stream/vpn/manifest.yml b/packages/aws/0.5.4/data_stream/vpn/manifest.yml
deleted file mode 100755
index 7daa957da1..0000000000
--- a/packages/aws/0.5.4/data_stream/vpn/manifest.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-title: AWS VPN metrics
-release: beta
-type: metrics
-streams:
- - input: aws/metrics
- vars:
- - name: period
- type: text
- title: Period
- multi: false
- required: true
- show_user: true
- default: 1m
- - name: regions
- type: text
- title: Regions
- multi: true
- required: false
- show_user: true
- - name: latency
- type: text
- title: Latency
- multi: false
- required: false
- show_user: false
- - name: tags_filter
- type: yaml
- title: Tags Filter
- multi: false
- required: false
- show_user: false
- default: |
- # - key: "created-by"
- # value: "foo"
- title: AWS VPN metrics
- description: Collect AWS VPN metrics
diff --git a/packages/aws/0.5.4/data_stream/vpn/sample_event.json b/packages/aws/0.5.4/data_stream/vpn/sample_event.json
deleted file mode 100755
index a5f331f9c5..0000000000
--- a/packages/aws/0.5.4/data_stream/vpn/sample_event.json
+++ /dev/null
@@ -1,51 +0,0 @@
-{
- "@timestamp": "2020-05-28T17:58:27.154Z",
- "service": {
- "type": "aws"
- },
- "ecs": {
- "version": "1.5.0"
- },
- "aws": {
- "vpn": {
- "metrics": {
- "TunnelState": {
- "avg": 0
- },
- "TunnelDataIn": {
- "sum": 0
- },
- "TunnelDataOut": {
- "sum": 0
- }
- }
- },
- "cloudwatch": {
- "namespace": "AWS/VPN"
- }
- },
- "event": {
- "dataset": "aws.vpn",
- "module": "aws",
- "duration": 10418157072
- },
- "metricset": {
- "period": 60000,
- "name": "vpn"
- },
- "cloud": {
- "region": "us-west-2",
- "account": {
- "name": "elastic-beats",
- "id": "428152502467"
- },
- "provider": "aws"
- },
- "agent": {
- "version": "8.0.0",
- "ephemeral_id": "17803f33-b617-4ce9-a9ac-e218c02aeb4b",
- "id": "12f376ef-5186-4e8b-a175-70f1140a8f30",
- "name": "MacBook-Elastic.local",
- "type": "metricbeat"
- }
-}
\ No newline at end of file
diff --git a/packages/aws/0.5.4/docs/README.md b/packages/aws/0.5.4/docs/README.md
deleted file mode 100755
index b97176e623..0000000000
--- a/packages/aws/0.5.4/docs/README.md
+++ /dev/null
@@ -1,2866 +0,0 @@
-# AWS Integration
-
-This integration is used to fetches logs and metrics from
-[Amazon Web Services](https://aws.amazon.com/).
-
-## AWS Credentials
-AWS credentials are required for running AWS integration.
-
-### Configuration parameters
-* *access_key_id*: first part of access key.
-* *secret_access_key*: second part of access key.
-* *session_token*: required when using temporary security credentials.
-* *credential_profile_name*: profile name in shared credentials file.
-* *shared_credential_file*: directory of the shared credentials file.
-* *endpoint*: URL of the entry point for an AWS web service.
-* *role_arn*: AWS IAM Role to assume.
-
-### Credential Types
-There are three types of AWS credentials can be used: access keys, temporary
-security credentials and IAM role ARN.
-
-#### Access keys
-
-`AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` are the two parts of access keys.
-They are long-term credentials for an IAM user, or the AWS account root user.
-Please see [AWS Access Keys and Secret Access Keys](https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys)
-for more details.
-
-#### Temporary security credentials
-
-Temporary security credentials has a limited lifetime and consists of an
-access key ID, a secret access key, and a security token which typically returned
-from `GetSessionToken`. MFA-enabled IAM users would need to submit an MFA code
-while calling `GetSessionToken`. `default_region` identifies the AWS Region
-whose servers you want to send your first API request to by default. This is
-typically the Region closest to you, but it can be any Region. Please see
-[Temporary Security Credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html)
-for more details.
-
-`sts get-session-token` AWS CLI can be used to generate temporary credentials.
-For example.
with MFA-enabled:
-```js
-aws> sts get-session-token --serial-number arn:aws:iam::1234:mfa/your-email@example.com --duration-seconds 129600 --token-code 123456
-```
-
-Because temporary security credentials are short term, after they expire, the
-user needs to generate new ones and manually update the package configuration in
-order to continue collecting `aws` metrics. This will cause data loss if the
-configuration is not updated with new credentials before the old ones expire.
-
-#### IAM role ARN
-
-An IAM role is an IAM identity that you can create in your account that has
-specific permissions that determine what the identity can and cannot do in AWS.
-A role does not have standard long-term credentials such as a password or access
-keys associated with it. Instead, when you assume a role, it provides you with
-temporary security credentials for your role session. IAM role Amazon Resource
-Name (ARN) can be used to specify which AWS IAM role to assume to generate
-temporary credentials. Please see
-[AssumeRole API documentation](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html)
-for more details.
-
-### Supported Formats
-1. Use `access_key_id`, `secret_access_key` and/or `session_token` directly
-2. Use `role_arn`: If `access_key_id` and `secret_access_key` are not given,
-then the package will check for `role_arn`. `role_arn` is used to specify which
- AWS IAM role to assume for generating temporary credentials.
-3. Use `credential_profile_name` and/or `shared_credential_file`:
-If `access_key_id`, `secret_access_key` and `role_arn` are all not given, then
-the package will check for `credential_profile_name`. If you use different
-credentials for different tools or applications, you can use profiles to
-configure multiple access keys in the same configuration file. If there is
-no `credential_profile_name` given, the default profile will be used.
-`shared_credential_file` is optional to specify the directory of your shared
-credentials file. If it's empty, the default directory will be used.
-In Windows, shared credentials file is at `C:\Users\\.aws\credentials`.
-For Linux, macOS or Unix, the file locates at `~/.aws/credentials`. Please see
-[Create Shared Credentials File](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/create-shared-credentials-file.html)
-for more details.
-
-## AWS Permissions
-Specific AWS permissions are required for the IAM user to make specific AWS API calls.
-In order to enable AWS integration, please make sure these permissions are given:
-
-* ec2:DescribeInstances
-* ec2:DescribeRegions
-* cloudwatch:GetMetricData
-* cloudwatch:ListMetrics
-* tag:getResources
-* sns:ListTopics
-* sqs:ListQueues
-* sts:GetCallerIdentity
-* iam:ListAccountAliases
-
-## Logs
-
-### cloudtrail
-
-The `cloudtrail` dataset collects the AWS CloudTrail logs. CloudTrail monitors
-events for the account. If user creates a trail, it delivers those events as log
- files to a specific Amazon S3 bucket. The `cloudtrail` dataset does not read
- the CloudTrail Digest files that are delivered to the S3 bucket when Log File
- Integrity is turned on, it only reads the CloudTrail logs.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| aws.cloudtrail.additional_eventdata | Additional data about the event that was not part of the request or response. | keyword |
-| aws.cloudtrail.api_version | Identifies the API version associated with the AwsApiCall eventType value.
| keyword |
-| aws.cloudtrail.console_login.additional_eventdata.login_to | URL for ConsoleLogin | keyword |
-| aws.cloudtrail.console_login.additional_eventdata.mfa_used | Identifies whether multi factor authentication was used during ConsoleLogin | boolean |
-| aws.cloudtrail.console_login.additional_eventdata.mobile_version | Identifies whether ConsoleLogin was from mobile version | boolean |
-| aws.cloudtrail.error_code | The AWS service error if the request returns an error. | keyword |
-| aws.cloudtrail.error_message | If the request returns an error, the description of the error. | keyword |
-| aws.cloudtrail.event_category | The CloudTrail event category. | keyword |
-| aws.cloudtrail.event_type | Identifies the type of event that generated the event record. | keyword |
-| aws.cloudtrail.event_version | The CloudTrail version of the log event format. | keyword |
-| aws.cloudtrail.flattened.additional_eventdata | Additional data about the event that was not part of the request or response. | flattened |
-| aws.cloudtrail.flattened.digest | Additional digest information. | flattened |
-| aws.cloudtrail.flattened.insight_details | Additional insight details. | flattened |
-| aws.cloudtrail.flattened.request_parameters | The parameters, if any, that were sent with the request. | flattened |
-| aws.cloudtrail.flattened.response_elements | The response element for actions that make changes (create, update, or delete actions). | flattened |
-| aws.cloudtrail.flattened.service_event_details | Identifies the service event, including what triggered the event and the result. | flattened |
-| aws.cloudtrail.management_event | A Boolean value that identifies whether the event is a management event. | keyword |
-| aws.cloudtrail.read_only | Identifies whether this operation is a read-only operation. | boolean |
-| aws.cloudtrail.recipient_account_id | Represents the account ID that received this event.
| keyword |
-| aws.cloudtrail.request_id | The value that identifies the request. The service being called generates this value. | keyword |
-| aws.cloudtrail.request_parameters | The parameters, if any, that were sent with the request. | keyword |
-| aws.cloudtrail.resources.account_id | Account ID of the resource owner | keyword |
-| aws.cloudtrail.resources.arn | Resource ARNs | keyword |
-| aws.cloudtrail.resources.type | Resource type identifier in the format: AWS::aws-service-name::data-type-name | keyword |
-| aws.cloudtrail.response_elements | The response element for actions that make changes (create, update, or delete actions). | keyword |
-| aws.cloudtrail.service_event_details | Identifies the service event, including what triggered the event and the result. | keyword |
-| aws.cloudtrail.shared_event_id | GUID generated by CloudTrail to uniquely identify CloudTrail events from the same AWS action that is sent to different AWS accounts. | keyword |
-| aws.cloudtrail.user_identity.access_key_id | The access key ID that was used to sign the request. | keyword |
-| aws.cloudtrail.user_identity.arn | The Amazon Resource Name (ARN) of the principal that made the call. | keyword |
-| aws.cloudtrail.user_identity.invoked_by | The name of the AWS service that made the request, such as Amazon EC2 Auto Scaling or AWS Elastic Beanstalk. | keyword |
-| aws.cloudtrail.user_identity.session_context.creation_date | The date and time when the temporary security credentials were issued. | date |
-| aws.cloudtrail.user_identity.session_context.mfa_authenticated | The value is true if the root user or IAM user whose credentials were used for the request also was authenticated with an MFA device; otherwise, false. | keyword |
-| aws.cloudtrail.user_identity.session_context.session_issuer.account_id | The account that owns the entity that was used to get credentials.
| keyword |
-| aws.cloudtrail.user_identity.session_context.session_issuer.arn | The ARN of the source (account, IAM user, or role) that was used to get temporary security credentials. | keyword |
-| aws.cloudtrail.user_identity.session_context.session_issuer.principal_id | The internal ID of the entity that was used to get credentials. | keyword |
-| aws.cloudtrail.user_identity.session_context.session_issuer.type | The source of the temporary security credentials, such as Root, IAMUser, or Role. | keyword |
-| aws.cloudtrail.user_identity.type | The type of the identity | keyword |
-| aws.cloudtrail.vpc_endpoint_id | Identifies the VPC endpoint in which requests were made from a VPC to another AWS service, such as Amazon S3. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type.
| constant_keyword |
-| ecs.version | ECS version this event conforms to. | keyword |
-| error.message | Error message. | text |
-| event.action | The action captured by the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. | date |
-| event.kind | Event kind (e.g. event, alert, metric, state, pipeline_error, signal) | keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity. | keyword |
-| event.provider | Source of the event. | keyword |
-| event.type | Event severity (e.g. info, error) | keyword |
-| file.hash.md5 | MD5 hash. | keyword |
-| file.hash.sha1 | SHA1 hash. | keyword |
-| file.hash.sha256 | SHA256 hash. | keyword |
-| file.hash.sha512 | SHA512 hash. | keyword |
-| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
-| group.id | Unique identifier for the group on the system/platform. | keyword |
-| group.name | Name of the group. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
| keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| related.hash | All the hashes seen on your event. | keyword |
-| related.user | All the user names seen on your event. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the .address field. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| user.changes.name | Short name or login of the user. | keyword |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user.
| keyword |
-| user.target.id | Unique identifier of the user. | keyword |
-| user.target.name | Short name or login of the user. | keyword |
-| user_agent.device.name | Name of the device. | keyword |
-| user_agent.name | Name of the user agent. | keyword |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.os.full | Operating system name, including the version or code name. | keyword |
-| user_agent.os.name | Operating system name, without the version. | keyword |
-| user_agent.os.version | Operating system version as a raw string. | keyword |
-| user_agent.version | Version of the user agent. | keyword |
-
-
-### cloudwatch
-
-The `cloudwatch` dataset collects CloudWatch logs. Users can use Amazon
-CloudWatch logs to monitor, store, and access log files from different sources.
-Export logs from log groups to an Amazon S3 bucket which has SQS notification
-setup already.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| aws.cloudwatch.message | CloudWatch log message. | text |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id.
| keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. | keyword |
-| error.message | Error message. | text |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string.
| keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-
-
-### ec2
-
-The `ec2` dataset is specifically for EC2 logs stored in AWS CloudWatch. Export logs
-from log groups to Amazon S3 bucket which has SQS notification setup already.
-With this dataset, EC2 logs will be parsed into fields like `ip_address`
-and `process.name`. For logs from other services, please use `cloudwatch` dataset.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| aws.ec2.ip_address | The internet address of the requester. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type.
| constant_keyword |
-| ecs.version | ECS version this event conforms to. | keyword |
-| error.message | Error message. | text |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| process.name | Process name. | keyword |
-
-
-### elb
-
-The `elb` dataset collects logs from AWS ELBs.
Elastic Load Balancing provides
-access logs that capture detailed information about requests sent to the load
-balancer. Each log contains information such as the time the request was
-received, the client's IP address, latencies, request paths, and server
-responses. Users can use these access logs to analyze traffic patterns and to
-troubleshoot issues.
-
-Please follow [enable access logs for classic load balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-access-logs.html)
-for sending Classic ELB access logs to S3 bucket.
-For application load balancer, please follow [enable access log for application load balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html#enable-access-logging).
-For network load balancer, please follow [enable access log for network load balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest//network/load-balancer-access-logs.html).
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| aws.elb.action_executed | The action executed when processing the request (forward, fixed-response, authenticate...). It can contain several values. | keyword |
-| aws.elb.backend.http.response.status_code | The status code from the backend (status code sent to the client from ELB is stored in `http.response.status_code` | long |
-| aws.elb.backend.ip | The IP address of the backend processing this connection. | keyword |
-| aws.elb.backend.port | The port in the backend processing this connection. | keyword |
-| aws.elb.backend_processing_time.sec | The total time in seconds since the connection is sent to the backend till the backend starts responding. | float |
-| aws.elb.chosen_cert.arn | The ARN of the chosen certificate presented to the client in TLS/SSL connections.
| keyword |
-| aws.elb.chosen_cert.serial | The serial number of the chosen certificate presented to the client in TLS/SSL connections. | keyword |
-| aws.elb.classification | The classification for desync mitigation. | keyword |
-| aws.elb.classification_reason | The classification reason code. | keyword |
-| aws.elb.connection_time.ms | The total time of the connection in milliseconds, since it is opened till it is closed. | long |
-| aws.elb.error.reason | The error reason if the executed action failed. | keyword |
-| aws.elb.incoming_tls_alert | The integer value of TLS alerts received by the load balancer from the client, if present. | keyword |
-| aws.elb.listener | The ELB listener that received the connection. | keyword |
-| aws.elb.matched_rule_priority | The priority value of the rule that matched the request, if a rule matched. | keyword |
-| aws.elb.name | The name of the load balancer. | keyword |
-| aws.elb.protocol | The protocol of the load balancer (http or tcp). | keyword |
-| aws.elb.redirect_url | The URL used if a redirection action was executed. | keyword |
-| aws.elb.request_processing_time.sec | The total time in seconds since the connection or request is received until it is sent to a registered backend. | float |
-| aws.elb.response_processing_time.sec | The total time in seconds since the response is received from the backend till it is sent to the client. | float |
-| aws.elb.ssl_cipher | The SSL cipher used in TLS/SSL connections. | keyword |
-| aws.elb.ssl_protocol | The SSL protocol used in TLS/SSL connections. | keyword |
-| aws.elb.target_group.arn | The ARN of the target group handling the request. | keyword |
-| aws.elb.target_port | List of IP addresses and ports for the targets that processed this request. | keyword |
-| aws.elb.target_status_code | List of status codes from the responses of the targets.
| keyword |
-| aws.elb.tls_handshake_time.ms | The total time for the TLS handshake to complete in milliseconds once the connection has been established. | long |
-| aws.elb.tls_named_group | The TLS named group. | keyword |
-| aws.elb.trace_id | The contents of the `X-Amzn-Trace-Id` header. | keyword |
-| aws.elb.type | The type of the load balancer for v2 Load Balancers. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.domain | Destination domain. | keyword |
-| ecs.version | ECS version this event conforms to. | keyword |
-| error.message | Error message. | text |
-| event.category | Event category (e.g.
database) | keyword |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.kind | Event kind (e.g. event, alert, metric, state, pipeline_error, sig | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. | keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host.
For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| http.request.body.bytes | Size in bytes of the request body. | long |
-| http.request.method | HTTP request method. | keyword |
-| http.request.referrer | Referrer for this HTTP request. | keyword |
-| http.response.body.bytes | Size in bytes of the response body. | long |
-| http.response.status_code | HTTP response status code. | long |
-| http.version | HTTP version. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source. | ip |
-| source.port | Port of the source. | keyword |
-| tracing.trace.id | Unique identifier of the trace. | keyword |
-| user_agent.original | Unparsed user_agent string. | keyword |
-
-
-### s3access
-
-The `s3access` dataset collects server access logs from AWS S3. Server access
-logging provides detailed records for the requests that are made to a bucket.
-Server access logs are useful for many applications. For example, access log
-information can be useful in security and access audits. It can also help users
-to learn about customer base and understand Amazon S3 bill.
-
-Please follow [how to enable server access logging](https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html#server-access-logging-overview)
-for sending server access logs to S3 bucket.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| aws.s3access.authentication_type | The type of request authentication used, AuthHeader for authentication headers, QueryString for query string (pre-signed URL) or a - for unauthenticated requests. | keyword |
-| aws.s3access.bucket | The name of the bucket that the request was processed against. | keyword |
-| aws.s3access.bucket_owner | The canonical user ID of the owner of the source bucket. | keyword |
-| aws.s3access.bytes_sent | The number of response bytes sent, excluding HTTP protocol overhead, or "-" if zero. | long |
-| aws.s3access.cipher_suite | The Secure Sockets Layer (SSL) cipher that was negotiated for HTTPS request or a - for HTTP. | keyword |
-| aws.s3access.error_code | The Amazon S3 Error Code, or "-" if no error occurred. | keyword |
-| aws.s3access.host_header | The endpoint used to connect to Amazon S3. | keyword |
-| aws.s3access.host_id | The x-amz-id-2 or Amazon S3 extended request ID. | keyword |
-| aws.s3access.http_status | The numeric HTTP status code of the response. | long |
-| aws.s3access.key | The "key" part of the request, URL encoded, or "-" if the operation does not take a key parameter. | keyword |
-| aws.s3access.object_size | The total size of the object in question. | long |
-| aws.s3access.operation | The operation listed here is declared as SOAP.operation, REST.HTTP_method.resource_type, WEBSITE.HTTP_method.resource_type, or BATCH.DELETE.OBJECT. | keyword |
-| aws.s3access.referrer | The value of the HTTP Referrer header, if present. | keyword |
-| aws.s3access.remote_ip | The apparent internet address of the requester. | ip |
-| aws.s3access.request_id | A string generated by Amazon S3 to uniquely identify each request. | keyword |
-| aws.s3access.request_uri | The Request-URI part of the HTTP request message.
| keyword |
-| aws.s3access.requester | The canonical user ID of the requester, or a - for unauthenticated requests. | keyword |
-| aws.s3access.signature_version | The signature version, SigV2 or SigV4, that was used to authenticate the request or a - for unauthenticated requests. | keyword |
-| aws.s3access.tls_version | The Transport Layer Security (TLS) version negotiated by the client. | keyword |
-| aws.s3access.total_time | The number of milliseconds the request was in flight from the server's perspective. | long |
-| aws.s3access.turn_around_time | The number of milliseconds that Amazon S3 spent processing your request. | long |
-| aws.s3access.user_agent | The value of the HTTP User-Agent header. | keyword |
-| aws.s3access.version_id | The version ID in the request, or "-" if the operation does not take a versionId parameter. | keyword |
-| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the .address field. | keyword |
-| client.ip | IP address of the client. | ip |
-| client.user.id | Unique identifiers of the user. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
| keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. | keyword |
-| error.message | Error message. | text |
-| event.action | The action captured by the event. | keyword |
-| event.code | Identification code for this event, if one exists. | keyword |
-| event.duration | Duration of the event in nanoseconds. | long |
-| event.id | Unique ID to describe the event. | keyword |
-| event.kind | Event kind (e.g. event, alert, metric, state, pipeline_error, signal) | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. | keyword |
-| geo.city_name | City name. | keyword |
-| geo.continent_name | Name of the continent. | keyword |
-| geo.country_iso_code | Country ISO code. | keyword |
-| geo.country_name | Country name. | keyword |
-| geo.location | Longitude and latitude. | geo_point |
-| geo.region_iso_code | Region ISO code. | keyword |
-| geo.region_name | Region name. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine.
| keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| http.request.method | HTTP request method. | keyword |
-| http.request.referrer | Referrer for this HTTP request. | keyword |
-| http.response.body.bytes | Size in bytes of the response body. | long |
-| http.response.status_code | HTTP response status code. | long |
-| http.version | HTTP version. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names seen on your event. | keyword |
-| tls.cipher | String indicating the cipher used during the current connection. | keyword |
-| tls.version | Numeric part of the version parsed from the original string. | keyword |
-| tls.version_protocol | Normalized lowercase protocol name parsed from original string. | keyword |
-| url.original | Unmodified original url as seen in the event source.
| keyword |
-| url.path | Path of the request, such as "/search". | keyword |
-| url.query | The query field describes the query string of the request, such as "q=elasticsearch". | keyword |
-| user_agent.device.name | Name of the device. | keyword |
-| user_agent.name | Name of the user agent. | keyword |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.os.full | Operating system name, including the version or code name. | keyword |
-| user_agent.os.name | Operating system name, without the version. | keyword |
-| user_agent.os.version | Operating system version as a raw string. | keyword |
-| user_agent.version | Version of the user agent. | keyword |
-
-
-### vpcflow
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| aws.vpcflow.account_id | The AWS account ID for the flow log. | keyword |
-| aws.vpcflow.action | The action that is associated with the traffic, ACCEPT or REJECT. | keyword |
-| aws.vpcflow.instance_id | The ID of the instance that's associated with network interface for which the traffic is recorded, if the instance is owned by you. | keyword |
-| aws.vpcflow.interface_id | The ID of the network interface for which the traffic is recorded. | keyword |
-| aws.vpcflow.log_status | The logging status of the flow log, OK, NODATA or SKIPDATA. | keyword |
-| aws.vpcflow.pkt_dstaddr | The packet-level (original) destination IP address for the traffic. | ip |
-| aws.vpcflow.pkt_srcaddr | The packet-level (original) source IP address of the traffic. | ip |
-| aws.vpcflow.subnet_id | The ID of the subnet that contains the network interface for which the traffic is recorded. | keyword |
-| aws.vpcflow.tcp_flags | The bitmask value for the following TCP flags: 2=SYN,18=SYN-ACK,1=FIN,4=RST | keyword |
-| aws.vpcflow.type | The type of traffic: IPv4, IPv6, or EFA. | keyword |
-| aws.vpcflow.version | The VPC Flow Logs version.
If you use the default format, the version is 2. If you specify a custom format, the version is 3. | keyword |
-| aws.vpcflow.vpc_id | The ID of the VPC that contains the network interface for which the traffic is recorded. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the .address field. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.geo.city_name | Name of the city. | keyword |
-| destination.geo.continent_name | Name of the continent.
| keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Name of the country. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Name of the region. | keyword |
-| destination.ip | IP address of the destination. | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. | keyword |
-| error.message | Error message. | text |
-| event.category | Event category (e.g. database) | keyword |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.kind | Event kind (e.g. event, alert, metric, state, pipeline_error, signal) | keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. | keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | Event severity (e.g. info, error) | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses.
| ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| network.bytes | Total bytes transferred in both directions. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. | keyword |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.packets | Total packets transferred in both directions. | long |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| source.address | Some event source addresses are defined ambiguously.
The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the .address field. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Name of the country. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.packets | Packets sent from the source to the destination. | long |
-| source.port | Port of the source.
| long |
-
-
-## Metrics
-
-### billing
-
-An example event for `billing` looks as following:
-
-```$json
-{
- "@timestamp": "2020-05-28T17:17:06.212Z",
- "cloud": {
- "provider": "aws",
- "region": "us-east-1",
- "account": {
- "id": "428152502467",
- "name": "elastic-beats"
- }
- },
- "event": {
- "dataset": "aws.billing",
- "module": "aws",
- "duration": 1938760247
- },
- "metricset": {
- "name": "billing",
- "period": 43200000
- },
- "ecs": {
- "version": "1.5.0"
- },
- "aws": {
- "billing": {
- "metrics": {
- "EstimatedCharges": {
- "max": 1625.41
- }
- }
- },
- "cloudwatch": {
- "namespace": "AWS/Billing"
- },
- "dimensions": {
- "Currency": "USD"
- }
- },
- "service": {
- "type": "aws"
- },
- "agent": {
- "id": "12f376ef-5186-4e8b-a175-70f1140a8f30",
- "name": "MacBook-Elastic.local",
- "type": "metricbeat",
- "version": "8.0.0",
- "ephemeral_id": "17803f33-b617-4ce9-a9ac-e218c02aeb4b"
- }
-}
-```
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| aws.*.metrics.*.* | Metrics that returned from Cloudwatch API query. | object |
-| aws.billing.AmortizedCost.amount | Amortized cost amount. | double |
-| aws.billing.AmortizedCost.unit | Amortized cost unit. | keyword |
-| aws.billing.BlendedCost.amount | Blended cost amount. | double |
-| aws.billing.BlendedCost.unit | Blended cost unit. | keyword |
-| aws.billing.Currency | Currency name. | keyword |
-| aws.billing.EstimatedCharges.max | Maximum estimated charges for AWS acccount. | long |
-| aws.billing.NormalizedUsageAmount.amount | Normalized usage amount. | double |
-| aws.billing.NormalizedUsageAmount.unit | Normalized usage amount unit. | keyword |
-| aws.billing.ServiceName | AWS service name. | keyword |
-| aws.billing.UnblendedCost.amount | Unblended cost amount. | double |
-| aws.billing.UnblendedCost.unit | Unblended cost unit. | keyword |
-| aws.billing.UsageQuantity.amount | Usage quantity amount.
| double |
-| aws.billing.UsageQuantity.unit | Usage quantity unit. | keyword |
-| aws.billing.end_date | End date for retrieving AWS costs. | keyword |
-| aws.billing.group_by | Cost explorer group by key values. | object |
-| aws.billing.group_definition.key | The string that represents a key for a specified group. | keyword |
-| aws.billing.group_definition.type | The string that represents the type of group. | keyword |
-| aws.billing.start_date | Start date for retrieving AWS costs. | keyword |
-| aws.cloudwatch.namespace | The namespace specified when query cloudwatch api. | keyword |
-| aws.dimensions.* | Metric dimensions. | object |
-| aws.s3.bucket.name | Name of a S3 bucket. | keyword |
-| aws.tags.* | Tag key value pairs from aws resources. | object |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels.
| object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. | keyword |
-| error.message | Error message. | text |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`.
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | Service type | keyword |
-
-
-### cloudwatch
-
-An example event for `cloudwatch` looks as following:
-
-```$json
-{
- "@timestamp": "2020-05-28T17:17:02.812Z",
- "event": {
- "duration": 14119105951,
- "dataset": "aws.cloudwatch",
- "module": "aws"
- },
- "ecs": {
- "version": "1.5.0"
- },
- "agent": {
- "ephemeral_id": "17803f33-b617-4ce9-a9ac-e218c02aeb4b",
- "id": "12f376ef-5186-4e8b-a175-70f1140a8f30",
- "name": "MacBook-Elastic.local",
- "type": "metricbeat",
- "version": "8.0.0"
- },
- "service": {
- "type": "aws"
- },
- "cloud": {
- "provider": "aws",
- "region": "us-west-2",
- "account": {
- "name": "elastic-beats",
- "id": "428152502467"
- }
- },
- "aws": {
- "dimensions": {
- "InstanceId": "i-0830bfecfa7173cbe"
- },
- "ec2": {
- "metrics": {
- "DiskWriteOps": {
- "avg": 0,
- "max": 0
- },
- "CPUUtilization": {
- "avg": 0.7661943132361363,
- "max": 0.833333333333333
- }
- }
- },
- "cloudwatch": {
- "namespace": "AWS/EC2"
- }
- },
- "metricset": {
- "period": 300000,
- "name": "cloudwatch"
- }
-}
-```
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| aws.*.metrics.*.* | Metrics that returned from Cloudwatch API query. | object |
-| aws.cloudwatch.namespace | The namespace specified when query cloudwatch api. | keyword |
-| aws.dimensions.* | Metric dimensions. | object |
-| aws.s3.bucket.name | Name of a S3 bucket. | keyword |
-| aws.tags.* | Tag key value pairs from aws resources. | object |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment.
Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. | keyword |
-| error.message | Error message. | text |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses.
| keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | Service type | keyword |
-
-
-### dynamodb
-
-An example event for `dynamodb` looks as following:
-
-```$json
-{
- "@timestamp": "2020-05-28T17:17:08.666Z",
- "agent": {
- "ephemeral_id": "17803f33-b617-4ce9-a9ac-e218c02aeb4b",
- "id": "12f376ef-5186-4e8b-a175-70f1140a8f30",
- "name": "MacBook-Elastic.local",
- "type": "metricbeat",
- "version": "8.0.0"
- },
- "event": {
- "dataset": "aws.dynamodb",
- "module": "aws",
- "duration": 10266182336
- },
- "service": {
- "type": "aws"
- },
- "ecs": {
- "version": "1.5.0"
- },
- "cloud": {
- "account": {
- "name": "elastic-beats",
- "id": "428152502467"
- },
- "provider": "aws",
- "region": "eu-central-1"
- },
- "aws": {
- "dimensions": {
- "TableName": "TryDaxTable3"
- },
- "dynamodb": {
- "metrics": {
- "ProvisionedWriteCapacityUnits": {
- "avg": 1
- },
- "ProvisionedReadCapacityUnits": {
- "avg": 1
- },
- "ConsumedWriteCapacityUnits": {
- "avg": 0,
- "sum": 0
- },
- "ConsumedReadCapacityUnits": {
- "avg": 0,
- "sum": 0
- }
- }
- },
- "cloudwatch": {
- "namespace": 
"AWS/DynamoDB"
- }
- },
- "metricset": {
- "name": "dynamodb",
- "period": 300000
- }
-}
-```
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| aws.*.metrics.*.* | Metrics that returned from Cloudwatch API query. | object |
-| aws.cloudwatch.namespace | The namespace specified when query cloudwatch api. | keyword |
-| aws.dimensions.* | Metric dimensions. | object |
-| aws.dynamodb.metrics.AccountMaxReads.max | The maximum number of read capacity units that can be used by an account. This limit does not apply to on-demand tables or global secondary indexes. | long |
-| aws.dynamodb.metrics.AccountMaxTableLevelReads.max | The maximum number of read capacity units that can be used by a table or global secondary index of an account. For on-demand tables this limit caps the maximum read request units a table or a global secondary index can use. | long |
-| aws.dynamodb.metrics.AccountMaxTableLevelWrites.max | The maximum number of write capacity units that can be used by a table or global secondary index of an account. For on-demand tables this limit caps the maximum write request units a table or a global secondary index can use. | long |
-| aws.dynamodb.metrics.AccountMaxWrites.max | The maximum number of write capacity units that can be used by an account. This limit does not apply to on-demand tables or global secondary indexes. | long |
-| aws.dynamodb.metrics.AccountProvisionedReadCapacityUtilization.avg | The average percentage of provisioned read capacity units utilized by the account. | double |
-| aws.dynamodb.metrics.AccountProvisionedWriteCapacityUtilization.avg | The average percentage of provisioned write capacity units utilized by the account. | double |
-| aws.dynamodb.metrics.ConditionalCheckFailedRequests.sum | The number of failed attempts to perform conditional writes. 
| long |
-| aws.dynamodb.metrics.ConsumedReadCapacityUnits.avg | | double |
-| aws.dynamodb.metrics.ConsumedReadCapacityUnits.sum | | long |
-| aws.dynamodb.metrics.ConsumedWriteCapacityUnits.avg | | double |
-| aws.dynamodb.metrics.ConsumedWriteCapacityUnits.sum | | long |
-| aws.dynamodb.metrics.MaxProvisionedTableReadCapacityUtilization.max | The percentage of provisioned read capacity units utilized by the highest provisioned read table or global secondary index of an account. | double |
-| aws.dynamodb.metrics.MaxProvisionedTableWriteCapacityUtilization.max | The percentage of provisioned write capacity utilized by the highest provisioned write table or global secondary index of an account. | double |
-| aws.dynamodb.metrics.OnlineIndexPercentageProgress.avg | The percentage of completion when a new global secondary index is being added to a table. | double |
-| aws.dynamodb.metrics.PendingReplicationCount.sum | The number of item updates that are written to one replica table, but that have not yet been written to another replica in the global table. | long |
-| aws.dynamodb.metrics.ProvisionedReadCapacityUnits.avg | The number of provisioned read capacity units for a table or a global secondary index. | double |
-| aws.dynamodb.metrics.ProvisionedWriteCapacityUnits.avg | The number of provisioned write capacity units for a table or a global secondary index. | double |
-| aws.dynamodb.metrics.ReadThrottleEvents.sum | Requests to DynamoDB that exceed the provisioned read capacity units for a table or a global secondary index. | long |
-| aws.dynamodb.metrics.ReplicationLatency.avg | | double |
-| aws.dynamodb.metrics.ReplicationLatency.max | | double |
-| aws.dynamodb.metrics.SuccessfulRequestLatency.avg | | double |
-| aws.dynamodb.metrics.SuccessfulRequestLatency.max | | double |
-| aws.dynamodb.metrics.SystemErrors.sum | The requests to DynamoDB or Amazon DynamoDB Streams that generate an HTTP 500 status code during the specified time period. 
| long |
-| aws.dynamodb.metrics.ThrottledRequests.sum | Requests to DynamoDB that exceed the provisioned throughput limits on a resource (such as a table or an index). | long |
-| aws.dynamodb.metrics.TransactionConflict.avg | | double |
-| aws.dynamodb.metrics.TransactionConflict.sum | | long |
-| aws.dynamodb.metrics.WriteThrottleEvents.sum | Requests to DynamoDB that exceed the provisioned write capacity units for a table or a global secondary index. | long |
-| aws.s3.bucket.name | Name of a S3 bucket. | keyword |
-| aws.tags.* | Tag key value pairs from aws resources. | object |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. 
| constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. | keyword |
-| error.message | Error message. | text |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword |
-| service.type | Service type | keyword |
-
-
-### ebs
-
-An example event for `ebs` looks as following:
-
-```$json
-{
- "@timestamp": "2020-05-28T17:57:22.450Z",
- "service": {
- "type": "aws"
- },
- "aws": {
- "ebs": {
- "metrics": {
- "VolumeReadOps": {
- "avg": 0
- },
- "VolumeQueueLength": {
- "avg": 0.0000666666666666667
- },
- "VolumeWriteOps": {
- "avg": 29
- },
- "VolumeTotalWriteTime": {
- "sum": 0.02
- },
- "BurstBalance": {
- "avg": 100
- },
- "VolumeWriteBytes": {
- "avg": 14406.620689655172
- },
- "VolumeIdleTime": {
- "sum": 299.98
- }
- }
- },
- "cloudwatch": {
- "namespace": "AWS/EBS"
- },
- "dimensions": {
- "VolumeId": "vol-03370a204cc8b0a2f"
- }
- },
- "agent": {
- "name": "MacBook-Elastic.local",
- "type": "metricbeat",
- "version": "8.0.0",
- "ephemeral_id": "17803f33-b617-4ce9-a9ac-e218c02aeb4b",
- "id": "12f376ef-5186-4e8b-a175-70f1140a8f30"
- },
- "ecs": {
- "version": "1.5.0"
- },
- "cloud": {
- "provider": "aws",
- "region": "eu-central-1",
- "account": {
- "id": "428152502467",
- "name": "elastic-beats"
- }
- },
- "event": {
- "dataset": "aws.ebs",
- "module": "aws",
- "duration": 10488314037
- },
- "metricset": {
- "period": 300000,
- "name": "ebs"
- }
-}
-```
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| aws.*.metrics.*.* | Metrics that returned from Cloudwatch API query. | object |
-| aws.cloudwatch.namespace | The namespace specified when query cloudwatch api. | keyword |
-| aws.dimensions.* | Metric dimensions. | object |
-| aws.dimensions.VolumeId | Amazon EBS volume ID | keyword |
-| aws.ebs.metrics.BurstBalance.avg | Used with General Purpose SSD (gp2), Throughput Optimized HDD (st1), and Cold HDD (sc1) volumes only. Provides information about the percentage of I/O credits (for gp2) or throughput credits (for st1 and sc1) remaining in the burst bucket. 
| double |
-| aws.ebs.metrics.VolumeConsumedReadWriteOps.avg | The total amount of read and write operations (normalized to 256K capacity units) consumed in a specified period of time. Used with Provisioned IOPS SSD volumes only. | double |
-| aws.ebs.metrics.VolumeIdleTime.sum | The total number of seconds in a specified period of time when no read or write operations were submitted. | double |
-| aws.ebs.metrics.VolumeQueueLength.avg | The number of read and write operation requests waiting to be completed in a specified period of time. | double |
-| aws.ebs.metrics.VolumeReadBytes.avg | Average size of each read operation during the period, except on volumes attached to a Nitro-based instance, where the average represents the average over the specified period. | double |
-| aws.ebs.metrics.VolumeReadOps.avg | The total number of read operations in a specified period of time. | double |
-| aws.ebs.metrics.VolumeThroughputPercentage.avg | The percentage of I/O operations per second (IOPS) delivered of the total IOPS provisioned for an Amazon EBS volume. Used with Provisioned IOPS SSD volumes only. | double |
-| aws.ebs.metrics.VolumeTotalReadTime.sum | The total number of seconds spent by all read operations that completed in a specified period of time. | double |
-| aws.ebs.metrics.VolumeTotalWriteTime.sum | The total number of seconds spent by all write operations that completed in a specified period of time. | double |
-| aws.ebs.metrics.VolumeWriteBytes.avg | Average size of each write operation during the period, except on volumes attached to a Nitro-based instance, where the average represents the average over the specified period. | double |
-| aws.ebs.metrics.VolumeWriteOps.avg | The total number of write operations in a specified period of time. | double |
-| aws.s3.bucket.name | Name of a S3 bucket. | keyword |
-| aws.tags.* | Tag key value pairs from aws resources. 
| object |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. | keyword |
-| error.message | Error message. | text |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. 
It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword |
-| service.type | Service type | keyword |
-
-
-### ec2
-
-An example event for `ec2` looks as following:
-
-```$json
-{
- "@timestamp": "2020-05-28T17:56:37.255Z",
- "aws": {
- "ec2": {
- "network": {
- "in": {
- "packets": 448.4,
- "bytes_per_sec": 103.10266666666666,
- "packets_per_sec": 1.4946666666666666,
- "bytes": 30930.8
- },
- "out": {
- "packets": 233.6,
- "bytes_per_sec": 51.754666666666665,
- "packets_per_sec": 0.7786666666666666,
- "bytes": 15526.4
- }
- },
- "status": {
- "check_failed": 0,
- "check_failed_instance": 0,
- "check_failed_system": 0
- },
- "cpu": {
- "credit_usage": 0.004566,
- "credit_balance": 144,
- "surplus_credit_balance": 0,
- "surplus_credits_charged": 0,
- "total": {
- "pct": 0.0999999999997574
- }
- },
- "diskio": {
- "read": {
- "bytes_per_sec": 0,
- "count_per_sec": 0,
- "bytes": 0,
- "count": 0
- },
- "write": {
- "count": 0,
- "bytes_per_sec": 0,
- "count_per_sec": 0,
- "bytes": 0
- }
- },
- "instance": {
- "core": {
- "count": 1
- },
- "threads_per_core": 1,
- "public": {
- "ip": "3.122.204.80",
- "dns_name": ""
- },
- "private": {
- "ip": "10.0.0.122",
- "dns_name": "ip-10-0-0-122.eu-central-1.compute.internal"
- },
- "image": {
- "id": "ami-0b418580298265d5c"
- },
- "state": {
- "name": "running",
- "code": 16
- },
- "monitoring": {
- "state": "disabled"
- }
- }
- }
- },
- "agent": {
- "name": "MacBook-Elastic.local",
- "type": "metricbeat",
- "version": "8.0.0",
- "ephemeral_id": "17803f33-b617-4ce9-a9ac-e218c02aeb4b",
- "id": "12f376ef-5186-4e8b-a175-70f1140a8f30"
- },
- "ecs": {
- "version": "1.5.0"
- },
- "event": {
- "module": "aws",
- "duration": 23217499283,
- "dataset": "aws.ec2"
- },
- "metricset": {
- "period": 300000,
- "name": "ec2"
- },
- "service": {
- "type": "aws"
- },
- "cloud": {
- "provider": "aws",
- "region": "eu-central-1",
- "account": {
- "name": "elastic-beats",
- "id": "428152502467"
- },
- "instance": {
- "id": "i-04c1a32c2aace6b40"
- },
- "machine": {
- "type": "t2.micro"
- },
- 
"availability_zone": "eu-central-1a"
- }
-}
-```
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| aws.*.metrics.*.* | Metrics that returned from Cloudwatch API query. | object |
-| aws.dimensions.* | Metric dimensions. | object |
-| aws.dimensions.AutoScalingGroupName | An Auto Scaling group is a collection of instances you define if you're using Auto Scaling. | keyword |
-| aws.dimensions.ImageId | This dimension filters the data you request for all instances running this Amazon EC2 Amazon Machine Image (AMI) | keyword |
-| aws.dimensions.InstanceId | Amazon EC2 instance ID | keyword |
-| aws.dimensions.InstanceType | This dimension filters the data you request for all instances running with this specified instance type. | keyword |
-| aws.ec2.cpu.credit_balance | The number of earned CPU credits that an instance has accrued since it was launched or started. | long |
-| aws.ec2.cpu.credit_usage | The number of CPU credits spent by the instance for CPU utilization. | long |
-| aws.ec2.cpu.surplus_credit_balance | The number of surplus credits that have been spent by an unlimited instance when its CPUCreditBalance value is zero. | long |
-| aws.ec2.cpu.surplus_credits_charged | The number of spent surplus credits that are not paid down by earned CPU credits, and which thus incur an additional charge. | long |
-| aws.ec2.cpu.total.pct | The percentage of allocated EC2 compute units that are currently in use on the instance. | scaled_float |
-| aws.ec2.diskio.read.bytes | Bytes read from all instance store volumes available to the instance. | long |
-| aws.ec2.diskio.read.bytes_per_sec | Bytes read per second from all instance store volumes available to the instance. | long |
-| aws.ec2.diskio.read.count | Completed read operations from all instance store volumes available to the instance in a specified period of time. 
| long |
-| aws.ec2.diskio.read.count_per_sec | Completed read operations per second from all instance store volumes available to the instance in a specified period of time. | long |
-| aws.ec2.diskio.write.bytes | Bytes written to all instance store volumes available to the instance. | long |
-| aws.ec2.diskio.write.bytes_per_sec | Bytes written per second to all instance store volumes available to the instance. | long |
-| aws.ec2.diskio.write.count | Completed write operations to all instance store volumes available to the instance in a specified period of time. | long |
-| aws.ec2.diskio.write.count_per_sec | Completed write operations per second to all instance store volumes available to the instance in a specified period of time. | long |
-| aws.ec2.instance.core.count | The number of CPU cores for the instance. | integer |
-| aws.ec2.instance.image.id | The ID of the image used to launch the instance. | keyword |
-| aws.ec2.instance.monitoring.state | Indicates whether detailed monitoring is enabled. | keyword |
-| aws.ec2.instance.private.dns_name | The private DNS name of the network interface. | keyword |
-| aws.ec2.instance.private.ip | The private IPv4 address associated with the network interface. | ip |
-| aws.ec2.instance.public.dns_name | The public DNS name of the instance. | keyword |
-| aws.ec2.instance.public.ip | The address of the Elastic IP address (IPv4) bound to the network interface. | ip |
-| aws.ec2.instance.state.code | The state of the instance, as a 16-bit unsigned integer. | integer |
-| aws.ec2.instance.state.name | The state of the instance (pending | running | shutting-down | terminated | stopping | stopped). | keyword |
-| aws.ec2.instance.threads_per_core | The number of threads per CPU core. | integer |
-| aws.ec2.network.in.bytes | The number of bytes received on all network interfaces by the instance. 
| long |
-| aws.ec2.network.in.bytes_per_sec | The number of bytes per second received on all network interfaces by the instance. | long |
-| aws.ec2.network.in.packets | The number of packets received on all network interfaces by the instance. | long |
-| aws.ec2.network.in.packets_per_sec | The number of packets per second sent out on all network interfaces by the instance. | long |
-| aws.ec2.network.out.bytes | The number of bytes sent out on all network interfaces by the instance. | long |
-| aws.ec2.network.out.bytes_per_sec | The number of bytes per second sent out on all network interfaces by the instance. | long |
-| aws.ec2.network.out.packets | The number of packets sent out on all network interfaces by the instance. | long |
-| aws.ec2.network.out.packets_per_sec | The number of packets per second sent out on all network interfaces by the instance. | long |
-| aws.ec2.status.check_failed | Reports whether the instance has passed both the instance status check and the system status check in the last minute. | long |
-| aws.ec2.status.check_failed_instance | Reports whether the instance has passed the instance status check in the last minute. | long |
-| aws.ec2.status.check_failed_system | Reports whether the instance has passed the system status check in the last minute. | long |
-| aws.s3.bucket.name | Name of a S3 bucket. | keyword |
-| aws.tags.* | Tag key value pairs from aws resources. | object |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. 
| keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. | keyword |
-| error.message | Error message. | text |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.cpu.pct | Percent CPU used. This value is normalized by the number of CPU cores and it ranges from 0 to 1. | scaled_float |
-| host.disk.read.bytes | The total number of bytes read successfully in a given period of time. | long |
-| host.disk.write.bytes | The total number of bytes write successfully in a given period of time. | long |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. 
Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.network.in.bytes | The number of bytes received on all network interfaces by the host in a given period of time. | long |
-| host.network.in.packets | The number of packets received on all network interfaces by the host in a given period of time. | long |
-| host.network.out.bytes | The number of bytes sent out on all network interfaces by the host in a given period of time. | long |
-| host.network.out.packets | The number of packets sent out on all network interfaces by the host in a given period of time. | long |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword |
-| service.type | Service type | keyword |
-
-
-### elb
-
-An example event for `elb` looks as following:
-
-```$json
-{
- "@timestamp": "2020-05-28T17:58:30.211Z",
- "agent": {
- "id": "12f376ef-5186-4e8b-a175-70f1140a8f30",
- "name": "MacBook-Elastic.local",
- "type": "metricbeat",
- "version": "8.0.0",
- "ephemeral_id": "17803f33-b617-4ce9-a9ac-e218c02aeb4b"
- },
- "ecs": {
- "version": "1.5.0"
- },
- "cloud": {
- "provider": "aws",
- "region": "eu-central-1",
- "account": {
- "id": "428152502467",
- "name": "elastic-beats"
- }
- },
- "aws": {
- "elb": {
- "metrics": {
- "EstimatedALBNewConnectionCount": {
- "avg": 32
- },
- "EstimatedALBConsumedLCUs": {
- "avg": 0.00035000000000000005
- },
- "EstimatedProcessedBytes": {
- "avg": 967
- },
- "EstimatedALBActiveConnectionCount": {
- "avg": 5
- },
- "HealthyHostCount": {
- "max": 2
- },
- "UnHealthyHostCount": {
- "max": 0
- }
- }
- },
- "cloudwatch": {
- "namespace": "AWS/ELB"
- },
- "dimensions": {
- "LoadBalancerName": "filebeat-aws-elb-test-elb"
- }
- },
- "metricset": {
- "name": "elb",
- "period": 60000
- },
- "event": {
- "dataset": "aws.elb",
- "module": "aws",
- "duration": 15044430616
- },
- "service": {
- "type": "aws"
- }
-}
-```
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| aws.*.metrics.*.* | Metrics that returned from Cloudwatch API query. | object |
-| aws.applicationelb.metrics.ActiveConnectionCount.sum | The total number of concurrent TCP connections active from clients to the load balancer and from the load balancer to targets. | long |
-| aws.applicationelb.metrics.ClientTLSNegotiationErrorCount.sum | The number of TLS connections initiated by the client that did not establish a session with the load balancer due to a TLS error. | long |
-| aws.applicationelb.metrics.ConsumedLCUs.avg | The number of load balancer capacity units (LCU) used by your load balancer. 
| double |
-| aws.applicationelb.metrics.HTTPCode_ELB_3XX_Count.sum | The number of HTTP 3XX redirection codes that originate from the load balancer. | long |
-| aws.applicationelb.metrics.HTTPCode_ELB_4XX_Count.sum | The number of HTTP 4XX client error codes that originate from the load balancer. | long |
-| aws.applicationelb.metrics.HTTPCode_ELB_500_Count.sum | The number of HTTP 500 error codes that originate from the load balancer. | long |
-| aws.applicationelb.metrics.HTTPCode_ELB_502_Count.sum | The number of HTTP 502 error codes that originate from the load balancer. | long |
-| aws.applicationelb.metrics.HTTPCode_ELB_503_Count.sum | The number of HTTP 503 error codes that originate from the load balancer. | long |
-| aws.applicationelb.metrics.HTTPCode_ELB_504_Count.sum | The number of HTTP 504 error codes that originate from the load balancer. | long |
-| aws.applicationelb.metrics.HTTPCode_ELB_5XX_Count.sum | The number of HTTP 5XX server error codes that originate from the load balancer. | long |
-| aws.applicationelb.metrics.HTTP_Fixed_Response_Count.sum | The number of fixed-response actions that were successful. | long |
-| aws.applicationelb.metrics.HTTP_Redirect_Count.sum | The number of redirect actions that were successful. | long |
-| aws.applicationelb.metrics.HTTP_Redirect_Url_Limit_Exceeded_Count.sum | The number of redirect actions that couldn't be completed because the URL in the response location header is larger than 8K. | long |
-| aws.applicationelb.metrics.IPv6ProcessedBytes.sum | The total number of bytes processed by the load balancer over IPv6. | long |
-| aws.applicationelb.metrics.IPv6RequestCount.sum | The number of IPv6 requests received by the load balancer. | long |
-| aws.applicationelb.metrics.NewConnectionCount.sum | The total number of new TCP connections established from clients to the load balancer and from the load balancer to targets. 
| long |
-| aws.applicationelb.metrics.ProcessedBytes.sum | The total number of bytes processed by the load balancer over IPv4 and IPv6. | long |
-| aws.applicationelb.metrics.RejectedConnectionCount.sum | The number of connections that were rejected because the load balancer had reached its maximum number of connections. | long |
-| aws.applicationelb.metrics.RequestCount.sum | The number of requests processed over IPv4 and IPv6. | long |
-| aws.applicationelb.metrics.RuleEvaluations.sum | The number of rules processed by the load balancer given a request rate averaged over an hour. | long |
-| aws.cloudwatch.namespace | The namespace specified when query cloudwatch api. | keyword |
-| aws.dimensions.* | Metric dimensions. | object |
-| aws.dimensions.AvailabilityZone | Filters the metric data by the specified Availability Zone. | keyword |
-| aws.dimensions.LoadBalancer | Filters the metric data by load balancer. | keyword |
-| aws.dimensions.LoadBalancerName | Filters the metric data by the specified load balancer. | keyword |
-| aws.dimensions.TargetGroup | Filters the metric data by target group. | keyword |
-| aws.elb.metrics.BackendConnectionErrors.sum | The number of connections that were not successfully established between the load balancer and the registered instances. | long |
-| aws.elb.metrics.EstimatedALBActiveConnectionCount.avg | The estimated number of concurrent TCP connections active from clients to the load balancer and from the load balancer to targets. | double |
-| aws.elb.metrics.EstimatedALBConsumedLCUs.avg | The estimated number of load balancer capacity units (LCU) used by an Application Load Balancer. | double |
-| aws.elb.metrics.EstimatedALBNewConnectionCount.avg | The estimated number of new TCP connections established from clients to the load balancer and from the load balancer to targets. | double |
-| aws.elb.metrics.EstimatedProcessedBytes.avg | The estimated number of bytes processed by an Application Load Balancer. 
| double | -| aws.elb.metrics.HTTPCode_Backend_2XX.sum | The number of HTTP 2XX response code generated by registered instances. | long | -| aws.elb.metrics.HTTPCode_Backend_3XX.sum | The number of HTTP 3XX response code generated by registered instances. | long | -| aws.elb.metrics.HTTPCode_Backend_4XX.sum | The number of HTTP 4XX response code generated by registered instances. | long | -| aws.elb.metrics.HTTPCode_Backend_5XX.sum | The number of HTTP 5XX response code generated by registered instances. | long | -| aws.elb.metrics.HTTPCode_ELB_4XX.sum | The number of HTTP 4XX client error codes generated by the load balancer. | long | -| aws.elb.metrics.HTTPCode_ELB_5XX.sum | The number of HTTP 5XX server error codes generated by the load balancer. | long | -| aws.elb.metrics.HealthyHostCount.max | The number of healthy instances registered with your load balancer. | long | -| aws.elb.metrics.Latency.avg | The total time elapsed, in seconds, from the time the load balancer sent the request to a registered instance until the instance started to send the response headers. | double | -| aws.elb.metrics.RequestCount.sum | The number of requests completed or connections made during the specified interval. | long | -| aws.elb.metrics.SpilloverCount.sum | The total number of requests that were rejected because the surge queue is full. | long | -| aws.elb.metrics.SurgeQueueLength.max | The total number of requests (HTTP listener) or connections (TCP listener) that are pending routing to a healthy instance. | long | -| aws.elb.metrics.UnHealthyHostCount.max | The number of unhealthy instances registered with your load balancer. | long | -| aws.networkelb.metrics.ActiveFlowCount.avg | The total number of concurrent flows (or connections) from clients to targets. | double | -| aws.networkelb.metrics.ActiveFlowCount_TCP.avg | The total number of concurrent TCP flows (or connections) from clients to targets. 
| double | -| aws.networkelb.metrics.ActiveFlowCount_TLS.avg | The total number of concurrent TLS flows (or connections) from clients to targets. | double | -| aws.networkelb.metrics.ActiveFlowCount_UDP.avg | The total number of concurrent UDP flows (or connections) from clients to targets. | double | -| aws.networkelb.metrics.ClientTLSNegotiationErrorCount.sum | The total number of TLS handshakes that failed during negotiation between a client and a TLS listener. | long | -| aws.networkelb.metrics.ConsumedLCUs.avg | The number of load balancer capacity units (LCU) used by your load balancer. | double | -| aws.networkelb.metrics.HealthyHostCount.max | The number of targets that are considered healthy. | long | -| aws.networkelb.metrics.NewFlowCount.sum | The total number of new flows (or connections) established from clients to targets in the time period. | long | -| aws.networkelb.metrics.NewFlowCount_TLS.sum | The total number of new TLS flows (or connections) established from clients to targets in the time period. | long | -| aws.networkelb.metrics.ProcessedBytes.sum | The total number of bytes processed by the load balancer, including TCP/IP headers. | long | -| aws.networkelb.metrics.ProcessedBytes_TLS.sum | The total number of bytes processed by TLS listeners. | long | -| aws.networkelb.metrics.TCP_Client_Reset_Count.sum | The total number of reset (RST) packets sent from a client to a target. | long | -| aws.networkelb.metrics.TCP_ELB_Reset_Count.sum | The total number of reset (RST) packets generated by the load balancer. | long | -| aws.networkelb.metrics.TCP_Target_Reset_Count.sum | The total number of reset (RST) packets sent from a target to a client. | long | -| aws.networkelb.metrics.TargetTLSNegotiationErrorCount.sum | The total number of TLS handshakes that failed during negotiation between a TLS listener and a target. | long | -| aws.networkelb.metrics.UnHealthyHostCount.max | The number of targets that are considered unhealthy. 
| long | -| aws.s3.bucket.name | Name of a S3 bucket. | keyword | -| aws.tags.* | Tag key value pairs from aws resources. | object | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. | keyword | -| error.message | Error message. | text | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. 
For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | -| service.type | Service type | keyword | - - -### lambda - -An example event for `lambda` looks as following: - -```$json -{ - "@timestamp": "2020-05-28T17:17:08.666Z", - "agent": { - "ephemeral_id": "17803f33-b617-4ce9-a9ac-e218c02aeb4b", - "id": "12f376ef-5186-4e8b-a175-70f1140a8f30", - "name": "MacBook-Elastic.local", - "type": "metricbeat", - "version": "8.0.0" - }, - "event": { - "dataset": "aws.dynamodb", - "module": "aws", - "duration": 10266182336 - }, - "service": { - "type": "aws" - }, - "ecs": { - "version": "1.5.0" - }, - "cloud": { - "account": { - "name": "elastic-beats", - "id": "428152502467" - }, - "provider": "aws", - "region": "eu-central-1" - }, - "aws": { - "cloudwatch": { - "namespace": "AWS/Lambda" - }, - "dimensions": { - "FunctionName": "ec2-owner-tagger-serverless", - "Resource": "ec2-owner-tagger-serverless" - }, - "lambda": { - "metrics": { - "Duration": { - "avg": 8218.073333333334 - }, - "Errors": { - "avg": 1 - }, - "Invocations": { - "avg": 1 - }, - "Throttles": { - "avg": 0 - } - } - } - }, - "metricset": { - "name": "dynamodb", - "period": 300000 - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| aws.*.metrics.*.* | Metrics that returned from Cloudwatch API query. | object | -| aws.cloudwatch.namespace | The namespace specified when query cloudwatch api. | keyword | -| aws.dimensions.* | Metric dimensions. | object | -| aws.dimensions.ExecutedVersion | Use the ExecutedVersion dimension to compare error rates for two versions of a function that are both targets of a weighted alias. | keyword | -| aws.dimensions.FunctionName | Lambda function name. | keyword | -| aws.dimensions.Resource | Resource name. | keyword | -| aws.lambda.metrics.ConcurrentExecutions.avg | The number of function instances that are processing events. 
| double | -| aws.lambda.metrics.DeadLetterErrors.avg | For asynchronous invocation, the number of times Lambda attempts to send an event to a dead-letter queue but fails. | double | -| aws.lambda.metrics.DestinationDeliveryFailures.avg | For asynchronous invocation, the number of times Lambda attempts to send an event to a destination but fails. | double | -| aws.lambda.metrics.Duration.avg | The amount of time that your function code spends processing an event. | double | -| aws.lambda.metrics.Errors.avg | The number of invocations that result in a function error. | double | -| aws.lambda.metrics.Invocations.avg | The number of times your function code is executed, including successful executions and executions that result in a function error. | double | -| aws.lambda.metrics.IteratorAge.avg | For event source mappings that read from streams, the age of the last record in the event. | double | -| aws.lambda.metrics.ProvisionedConcurrencyInvocations.sum | The number of times your function code is executed on provisioned concurrency. | long | -| aws.lambda.metrics.ProvisionedConcurrencySpilloverInvocations.sum | The number of times your function code is executed on standard concurrency when all provisioned concurrency is in use. | long | -| aws.lambda.metrics.ProvisionedConcurrencyUtilization.max | For a version or alias, the value of ProvisionedConcurrentExecutions divided by the total amount of provisioned concurrency allocated. | long | -| aws.lambda.metrics.ProvisionedConcurrentExecutions.max | The number of function instances that are processing events on provisioned concurrency. | long | -| aws.lambda.metrics.Throttles.avg | The number of invocation requests that are throttled. | double | -| aws.lambda.metrics.UnreservedConcurrentExecutions.avg | For an AWS Region, the number of events that are being processed by functions that don't have reserved concurrency. | double | -| aws.s3.bucket.name | Name of a S3 bucket. 
| keyword | -| aws.tags.* | Tag key value pairs from aws resources. | object | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. | keyword | -| error.message | Error message. | text | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. 
| keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | -| service.type | Service type | keyword | - - -### natgateway - -An example event for `natgateway` looks as following: - -```$json -{ - "@timestamp": "2020-05-28T17:58:27.154Z", - "service": { - "type": "aws" - }, - "ecs": { - "version": "1.5.0" - }, - "aws": { - "cloudwatch": { - "namespace": "AWS/NATGateway" - }, - "dimensions": { - "NatGatewayId": "nat-0a5cb7b9807908cc0" - }, - "natgateway": { - "metrics": { - "ActiveConnectionCount": { - "max": 0 - }, - "BytesInFromDestination": { - "sum": 0 - }, - "BytesInFromSource": { - "sum": 0 - }, - "BytesOutToDestination": { - "sum": 0 - }, - "BytesOutToSource": { - "sum": 0 - }, - "ConnectionAttemptCount": { - "sum": 0 - }, - "ConnectionEstablishedCount": { - "sum": 0 - }, - "ErrorPortAllocation": { - "sum": 0 - }, - "PacketsDropCount": { - "sum": 0 - }, - "PacketsInFromDestination": { - "sum": 0 - }, - "PacketsInFromSource": { - "sum": 0 - }, - "PacketsOutToDestination": { - "sum": 0 - }, - "PacketsOutToSource": { - "sum": 0 - } - } - } - }, - "event": { - "dataset": "aws.natgateway", - "module": "aws", - "duration": 10418157072 - }, - "metricset": { - "period": 60000, - "name": "natgateway" - }, - "cloud": { - "region": "us-west-2", - "account": { - "name": "elastic-beats", - "id": "428152502467" - }, - "provider": "aws" - }, - "agent": { - "version": "8.0.0", - "ephemeral_id": "17803f33-b617-4ce9-a9ac-e218c02aeb4b", - "id": "12f376ef-5186-4e8b-a175-70f1140a8f30", - "name": "MacBook-Elastic.local", - "type": "metricbeat" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| aws.*.metrics.*.* | Metrics that returned from Cloudwatch API query. | object | -| aws.cloudwatch.namespace | The namespace specified when query cloudwatch api. | keyword | -| aws.dimensions.* | Metric dimensions. | object | -| aws.dimensions.NatGatewayId | Filter the metric data by the NAT gateway ID. 
| keyword | -| aws.natgateway.metrics.ActiveConnectionCount.max | The total number of concurrent active TCP connections through the NAT gateway. | long | -| aws.natgateway.metrics.BytesInFromDestination.sum | The number of bytes received by the NAT gateway from the destination. | long | -| aws.natgateway.metrics.BytesInFromSource.sum | The number of bytes received by the NAT gateway from clients in your VPC. | long | -| aws.natgateway.metrics.BytesOutToDestination.sum | The number of bytes sent out through the NAT gateway to the destination. | long | -| aws.natgateway.metrics.BytesOutToSource.sum | The number of bytes sent through the NAT gateway to the clients in your VPC. | long | -| aws.natgateway.metrics.ConnectionAttemptCount.sum | The number of connection attempts made through the NAT gateway. | long | -| aws.natgateway.metrics.ConnectionEstablishedCount.sum | The number of connections established through the NAT gateway. | long | -| aws.natgateway.metrics.ErrorPortAllocation.sum | The number of times the NAT gateway could not allocate a source port. | long | -| aws.natgateway.metrics.IdleTimeoutCount.sum | The number of connections that transitioned from the active state to the idle state. | long | -| aws.natgateway.metrics.PacketsDropCount.sum | The number of packets dropped by the NAT gateway. | long | -| aws.natgateway.metrics.PacketsInFromDestination.sum | The number of packets received by the NAT gateway from the destination. | long | -| aws.natgateway.metrics.PacketsInFromSource.sum | The number of packets received by the NAT gateway from clients in your VPC. | long | -| aws.natgateway.metrics.PacketsOutToDestination.sum | The number of packets sent out through the NAT gateway to the destination. | long | -| aws.natgateway.metrics.PacketsOutToSource.sum | The number of packets sent through the NAT gateway to the clients in your VPC. | long | -| aws.s3.bucket.name | Name of a S3 bucket. | keyword | -| aws.tags.* | Tag key value pairs from aws resources. 
| object | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. | keyword | -| error.message | Error message. | text | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. 
It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | -| service.type | Service type | keyword | - - -### rds - -An example event for `rds` looks as following: - -```$json -{ - "@timestamp": "2020-05-28T17:58:34.537Z", - "ecs": { - "version": "1.5.0" - }, - "service": { - "type": "aws" - }, - "aws": { - "rds": { - "latency": { - "dml": 0, - "insert": 0, - "update": 0, - "commit": 0, - "ddl": 0, - "delete": 0, - "select": 0.21927814569536422 - }, - "queries": 6.197934021992669, - "aurora_bin_log_replica_lag": 0, - "transactions": { - "blocked": 0, - "active": 0 - }, - "deadlocks": 0, - "login_failures": 0, - "throughput": { - "network": 1.399813358218904, - "insert": 0, - "ddl": 0, - "select": 2.5165408396246853, - "delete": 0, - "commit": 0, - "network_transmit": 0.699906679109452, - "update": 0, - "dml": 0, - "network_receive": 0.699906679109452 - }, - "cpu": { - "total": { - "pct": 0.03 - } - }, - "db_instance": { - "arn": "arn:aws:rds:eu-west-1:428152502467:db:database-1-instance-1-eu-west-1a", - "class": "db.r5.large", - "identifier": "database-1-instance-1-eu-west-1a", - "status": "available" - }, - "cache_hit_ratio.result_set": 0, - "aurora_replica.lag.ms": 19.576, - "free_local_storage.bytes": 32431271936, - "cache_hit_ratio.buffer": 100, - "disk_usage": { - "bin_log.bytes": 0 - }, - "db_instance.identifier": "database-1-instance-1-eu-west-1a", - "freeable_memory.bytes": 4436537344, - "engine_uptime.sec": 10463030, - "database_connections": 0 - } - }, - "cloud": { - "provider": "aws", - "region": "eu-west-1", - "account": { - "id": "428152502467", - "name": "elastic-beats" - }, - "availability_zone": "eu-west-1a" - }, - "event": { - "dataset": "aws.rds", - "module": "aws", - "duration": 10777919184 - }, - "metricset": { - "name": "rds", - "period": 60000 - }, - "agent": { - "name": "MacBook-Elastic.local", - "type": "metricbeat", - "version": "8.0.0", - "ephemeral_id": "17803f33-b617-4ce9-a9ac-e218c02aeb4b", - "id": "12f376ef-5186-4e8b-a175-70f1140a8f30" - } -} -``` - -**Exported fields** - -| Field 
| Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| aws.*.metrics.*.* | Metrics that returned from Cloudwatch API query. | object | -| aws.dimensions.* | Metric dimensions. | object | -| aws.dimensions.DBClusterIdentifier | This dimension filters the data that you request for a specific Amazon Aurora DB cluster. | keyword | -| aws.dimensions.DBClusterIdentifier,Role | This dimension filters the data that you request for a specific Aurora DB cluster, aggregating the metric by instance role (WRITER/READER). | keyword | -| aws.dimensions.DBInstanceIdentifier | This dimension filters the data that you request for a specific DB instance. | keyword | -| aws.dimensions.DatabaseClass | This dimension filters the data that you request for all instances in a database class. | keyword | -| aws.dimensions.DbClusterIdentifier, EngineName | This dimension filters the data that you request for a specific Aurora DB cluster, aggregating the metric by engine name. | keyword | -| aws.dimensions.EngineName | This dimension filters the data that you request for the identified engine name only. | keyword | -| aws.dimensions.SourceRegion | This dimension filters the data that you request for the specified region only. | keyword | -| aws.rds.aurora_bin_log_replica_lag | The amount of time a replica DB cluster running on Aurora with MySQL compatibility lags behind the source DB cluster. | long | -| aws.rds.aurora_global_db.data_transfer.bytes | In an Aurora Global Database, the amount of redo log data transferred from the master AWS Region to a secondary AWS Region. | long | -| aws.rds.aurora_global_db.replicated_write_io.bytes | In an Aurora Global Database, the number of write I/O operations replicated from the primary AWS Region to the cluster volume in a secondary AWS Region. | long | -| aws.rds.aurora_global_db.replication_lag.ms | For an Aurora Global Database, the amount of lag when replicating updates from the primary AWS Region, in milliseconds. 
| long | -| aws.rds.aurora_replica.lag.ms | For an Aurora Replica, the amount of lag when replicating updates from the primary instance, in milliseconds. | long | -| aws.rds.aurora_replica.lag_max.ms | The maximum amount of lag between the primary instance and each Aurora DB instance in the DB cluster, in milliseconds. | long | -| aws.rds.aurora_replica.lag_min.ms | The minimum amount of lag between the primary instance and each Aurora DB instance in the DB cluster, in milliseconds. | long | -| aws.rds.aurora_volume_left_total.bytes | The remaining available space for the cluster volume, measured in bytes. | long | -| aws.rds.backtrack_change_records.creation_rate | The number of backtrack change records created over five minutes for your DB cluster. | long | -| aws.rds.backtrack_change_records.stored | The actual number of backtrack change records used by your DB cluster. | long | -| aws.rds.backtrack_window.actual | The difference between the target backtrack window and the actual backtrack window. | long | -| aws.rds.backtrack_window.alert | The number of times that the actual backtrack window is smaller than the target backtrack window for a given period of time. | long | -| aws.rds.backup_storage_billed_total.bytes | The total amount of backup storage in bytes for which you are billed for a given Aurora DB cluster. | long | -| aws.rds.cache_hit_ratio.buffer | The percentage of requests that are served by the buffer cache. | long | -| aws.rds.cache_hit_ratio.result_set | The percentage of requests that are served by the Resultset cache. | long | -| aws.rds.cpu.credit_balance | The number of earned CPU credits that an instance has accrued since it was launched or started. | long | -| aws.rds.cpu.credit_usage | The number of CPU credits spent by the instance for CPU utilization. | long | -| aws.rds.cpu.total.pct | The percentage of CPU utilization. | scaled_float | -| aws.rds.database_connections | The number of database connections in use. 
| long | -| aws.rds.db_instance.arn | Amazon Resource Name(ARN) for each rds. | keyword | -| aws.rds.db_instance.class | Contains the name of the compute and memory capacity class of the DB instance. | keyword | -| aws.rds.db_instance.db_cluster_identifier | This identifier is the unique key that identifies a DB cluster specifically for Amazon Aurora DB cluster. | keyword | -| aws.rds.db_instance.engine_name | Each DB instance runs a DB engine, like MySQL, MariaDB, PostgreSQL and etc. | keyword | -| aws.rds.db_instance.identifier | Contains a user-supplied database identifier. This identifier is the unique key that identifies a DB instance. | keyword | -| aws.rds.db_instance.role | DB roles like WRITER or READER, specifically for Amazon Aurora DB cluster. | keyword | -| aws.rds.db_instance.status | Specifies the current state of this database. | keyword | -| aws.rds.deadlocks | The average number of deadlocks in the database per second. | long | -| aws.rds.disk_queue_depth | The number of outstanding IOs (read/write requests) waiting to access the disk. | float | -| aws.rds.disk_usage.bin_log.bytes | The amount of disk space occupied by binary logs on the master. Applies to MySQL read replicas. | long | -| aws.rds.disk_usage.replication_slot.mb | The disk space used by replication slot files. Applies to PostgreSQL. | long | -| aws.rds.disk_usage.transaction_logs.mb | The disk space used by transaction logs. Applies to PostgreSQL. | long | -| aws.rds.engine_uptime.sec | The amount of time that the instance has been running, in seconds. | long | -| aws.rds.failed_sql_server_agent_jobs | The number of failed SQL Server Agent jobs during the last minute. | long | -| aws.rds.free_local_storage.bytes | The amount of storage available for temporary tables and logs, in bytes. | long | -| aws.rds.free_storage.bytes | The amount of available storage space. | long | -| aws.rds.freeable_memory.bytes | The amount of available random access memory. 
| long | -| aws.rds.latency.commit | The amount of latency for commit operations, in milliseconds. | float | -| aws.rds.latency.ddl | The amount of latency for data definition language (DDL) requests, in milliseconds. | float | -| aws.rds.latency.delete | The amount of latency for delete queries, in milliseconds. | float | -| aws.rds.latency.dml | The amount of latency for inserts, updates, and deletes, in milliseconds. | float | -| aws.rds.latency.insert | The amount of latency for insert queries, in milliseconds. | float | -| aws.rds.latency.read | The average amount of time taken per disk I/O operation. | float | -| aws.rds.latency.select | The amount of latency for select queries, in milliseconds. | float | -| aws.rds.latency.update | The amount of latency for update queries, in milliseconds. | float | -| aws.rds.latency.write | The average amount of time taken per disk I/O operation. | float | -| aws.rds.login_failures | The average number of failed login attempts per second. | long | -| aws.rds.maximum_used_transaction_ids | The maximum transaction ID that has been used. Applies to PostgreSQL. | long | -| aws.rds.oldest_replication_slot_lag.mb | The lagging size of the replica lagging the most in terms of WAL data received. Applies to PostgreSQL. | long | -| aws.rds.queries | The average number of queries executed per second. | long | -| aws.rds.rds_to_aurora_postgresql_replica_lag.sec | The amount of lag in seconds when replicating updates from the primary RDS PostgreSQL instance to other nodes in the cluster. | long | -| aws.rds.read_io.ops_per_sec | The average number of disk read I/O operations per second. | float | -| aws.rds.replica_lag.sec | The amount of time a Read Replica DB instance lags behind the source DB instance. Applies to MySQL, MariaDB, and PostgreSQL Read Replicas. 
| long | -| aws.rds.storage_used.backup_retention_period.bytes | The total amount of backup storage in bytes used to support the point-in-time restore feature within the Aurora DB cluster's backup retention window. | long | -| aws.rds.storage_used.snapshot.bytes | The total amount of backup storage in bytes consumed by all Aurora snapshots for an Aurora DB cluster outside its backup retention window. | long | -| aws.rds.swap_usage.bytes | The amount of swap space used on the DB instance. This metric is not available for SQL Server. | long | -| aws.rds.throughput.commit | The average number of commit operations per second. | float | -| aws.rds.throughput.ddl | The average number of DDL requests per second. | float | -| aws.rds.throughput.delete | The average number of delete queries per second. | float | -| aws.rds.throughput.dml | The average number of inserts, updates, and deletes per second. | float | -| aws.rds.throughput.insert | The average number of insert queries per second. | float | -| aws.rds.throughput.network | The amount of network throughput both received from and transmitted to clients by each instance in the Aurora MySQL DB cluster, in bytes per second. | float | -| aws.rds.throughput.network_receive | The incoming (Receive) network traffic on the DB instance, including both customer database traffic and Amazon RDS traffic used for monitoring and replication. | float | -| aws.rds.throughput.network_transmit | The outgoing (Transmit) network traffic on the DB instance, including both customer database traffic and Amazon RDS traffic used for monitoring and replication. | float | -| aws.rds.throughput.read | The average amount of time taken per disk I/O operation. | float | -| aws.rds.throughput.select | The average number of select queries per second. | float | -| aws.rds.throughput.update | The average number of update queries per second. | float | -| aws.rds.throughput.write | The average number of bytes written to disk per second. 
| float |
-| aws.rds.transaction_logs_generation | The disk space used by transaction logs. Applies to PostgreSQL. | long |
-| aws.rds.transactions.active | The average number of current transactions executing on an Aurora database instance per second. | long |
-| aws.rds.transactions.blocked | The average number of transactions in the database that are blocked per second. | long |
-| aws.rds.volume.read.iops | The number of billed read I/O operations from a cluster volume, reported at 5-minute intervals. | long |
-| aws.rds.volume.write.iops | The number of write disk I/O operations to the cluster volume, reported at 5-minute intervals. | long |
-| aws.rds.volume_used.bytes | The amount of storage used by your Aurora DB instance, in bytes. | long |
-| aws.rds.write_io.ops_per_sec | The average number of disk write I/O operations per second. | float |
-| aws.s3.bucket.name | Name of a S3 bucket. | keyword |
-| aws.tags.* | Tag key value pairs from aws resources. | object |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running.
| keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. | keyword |
-| error.message | Error message. | text |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows).
| keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | Service type | keyword |
-
-
-### s3_daily_storage
-
-An example event for `s3_daily_storage` looks as following:
-
-```$json
-{
- "@timestamp": "2020-05-28T17:58:27.154Z",
- "service": {
- "type": "aws"
- },
- "ecs": {
- "version": "1.5.0"
- },
- "aws": {
- "s3": {
- "bucket": {
- "name": "test-s3-ks-2"
- }
- },
- "s3_daily_storage": {
- "bucket": {
- "size": {
- "bytes": 207372
- }
- },
- "number_of_objects": 128
- }
- },
- "event": {
- "dataset": "aws.s3_daily_storage",
- "module": "aws",
- "duration": 10418157072
- },
- "metricset": {
- "period": 60000,
- "name": "s3_daily_storage"
- },
- "cloud": {
- "region": "us-west-2",
- "account": {
- "name": "elastic-beats",
- "id": "428152502467"
- },
- "provider": "aws"
- },
- "agent": {
- "version": "8.0.0",
- "ephemeral_id": "17803f33-b617-4ce9-a9ac-e218c02aeb4b",
- "id": "12f376ef-5186-4e8b-a175-70f1140a8f30",
- "name": "MacBook-Elastic.local",
- "type": "metricbeat"
- }
-}
-```
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| aws.*.metrics.*.* | Metrics that returned from Cloudwatch API query. | object |
-| aws.dimensions.* | Metric dimensions. | object |
-| aws.dimensions.BucketName | This dimension filters the data you request for the identified bucket only. | keyword |
-| aws.dimensions.FilterId | This dimension filters metrics configurations that you specify for request metrics on a bucket, for example, a prefix or a tag. | keyword |
-| aws.dimensions.StorageType | This dimension filters the data that you have stored in a bucket by types of storage. | keyword |
-| aws.s3.bucket.name | Name of a S3 bucket.
| keyword |
-| aws.s3_daily_storage.bucket.size.bytes | The amount of data in bytes stored in a bucket. | long |
-| aws.s3_daily_storage.number_of_objects | The total number of objects stored in a bucket for all storage classes. | long |
-| aws.tags.* | Tag key value pairs from aws resources. | object |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. | keyword |
-| error.message | Error message. | text |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container.
| boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.
| keyword |
-| service.type | Service type | keyword |
-
-
-### s3_request
-
-An example event for `s3_request` looks as following:
-
-```$json
-{
- "@timestamp": "2020-05-28T17:58:27.154Z",
- "service": {
- "type": "aws"
- },
- "ecs": {
- "version": "1.5.0"
- },
- "aws": {
- "s3": {
- "bucket": {
- "name": "test-s3-ks-2"
- }
- },
- "s3_request": {
- "downloaded": {
- "bytes": 534
- },
- "errors": {
- "4xx": 0,
- "5xx": 0
- },
- "latency": {
- "first_byte.ms": 214,
- "total_request.ms": 533
- },
- "requests": {
- "list": 2,
- "put": 10,
- "total": 12
- },
- "uploaded": {
- "bytes": 13572
- }
- }
- },
- "event": {
- "dataset": "aws.s3_request",
- "module": "aws",
- "duration": 10418157072
- },
- "metricset": {
- "period": 60000,
- "name": "s3_request"
- },
- "cloud": {
- "region": "us-west-2",
- "account": {
- "name": "elastic-beats",
- "id": "428152502467"
- },
- "provider": "aws"
- },
- "agent": {
- "version": "8.0.0",
- "ephemeral_id": "17803f33-b617-4ce9-a9ac-e218c02aeb4b",
- "id": "12f376ef-5186-4e8b-a175-70f1140a8f30",
- "name": "MacBook-Elastic.local",
- "type": "metricbeat"
- }
-}
-```
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| aws.*.metrics.*.* | Metrics that returned from Cloudwatch API query. | object |
-| aws.dimensions.* | Metric dimensions. | object |
-| aws.dimensions.BucketName | This dimension filters the data you request for the identified bucket only. | keyword |
-| aws.dimensions.FilterId | This dimension filters metrics configurations that you specify for request metrics on a bucket, for example, a prefix or a tag. | keyword |
-| aws.dimensions.StorageType | This dimension filters the data that you have stored in a bucket by types of storage. | keyword |
-| aws.s3.bucket.name | Name of a S3 bucket. | keyword |
-| aws.s3_request.downloaded.bytes | The number bytes downloaded for requests made to an Amazon S3 bucket, where the response includes a body.
| long |
-| aws.s3_request.errors.4xx | The number of HTTP 4xx client error status code requests made to an Amazon S3 bucket with a value of either 0 or 1. | long |
-| aws.s3_request.errors.5xx | The number of HTTP 5xx server error status code requests made to an Amazon S3 bucket with a value of either 0 or 1. | long |
-| aws.s3_request.latency.first_byte.ms | The per-request time from the complete request being received by an Amazon S3 bucket to when the response starts to be returned. | long |
-| aws.s3_request.latency.total_request.ms | The elapsed per-request time from the first byte received to the last byte sent to an Amazon S3 bucket. | long |
-| aws.s3_request.requests.delete | The number of HTTP DELETE requests made for objects in an Amazon S3 bucket. | long |
-| aws.s3_request.requests.get | The number of HTTP GET requests made for objects in an Amazon S3 bucket. | long |
-| aws.s3_request.requests.head | The number of HTTP HEAD requests made to an Amazon S3 bucket. | long |
-| aws.s3_request.requests.list | The number of HTTP requests that list the contents of a bucket. | long |
-| aws.s3_request.requests.post | The number of HTTP POST requests made to an Amazon S3 bucket. | long |
-| aws.s3_request.requests.put | The number of HTTP PUT requests made for objects in an Amazon S3 bucket. | long |
-| aws.s3_request.requests.select | The number of Amazon S3 SELECT Object Content requests made for objects in an Amazon S3 bucket. | long |
-| aws.s3_request.requests.select_returned.bytes | The number of bytes of data returned with Amazon S3 SELECT Object Content requests in an Amazon S3 bucket. | long |
-| aws.s3_request.requests.select_scanned.bytes | The number of bytes of data scanned with Amazon S3 SELECT Object Content requests in an Amazon S3 bucket. | long |
-| aws.s3_request.requests.total | The total number of HTTP requests made to an Amazon S3 bucket, regardless of type.
| long |
-| aws.s3_request.uploaded.bytes | The number bytes uploaded that contain a request body, made to an Amazon S3 bucket. | long |
-| aws.tags.* | Tag key value pairs from aws resources. | object |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. | keyword |
-| error.message | Error message. | text |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member.
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.
| keyword |
-| service.type | Service type | keyword |
-
-
-### sns
-
-An example event for `sns` looks as following:
-
-```$json
-{
- "@timestamp": "2020-05-28T17:58:27.154Z",
- "service": {
- "type": "aws"
- },
- "ecs": {
- "version": "1.5.0"
- },
- "aws": {
- "cloudwatch": {
- "namespace": "AWS/SNS"
- },
- "dimensions": {
- "TopicName": "test-sns-ks"
- },
- "sns": {
- "metrics": {
- "NumberOfMessagesPublished": {
- "sum": 1
- },
- "NumberOfNotificationsFailed": {
- "sum": 1
- },
- "PublishSize": {
- "avg": 5
- }
- }
- },
- "tags": {
- "created-by": "ks"
- }
- },
- "event": {
- "dataset": "aws.sns",
- "module": "aws",
- "duration": 10418157072
- },
- "metricset": {
- "period": 60000,
- "name": "sns"
- },
- "cloud": {
- "region": "us-west-2",
- "account": {
- "name": "elastic-beats",
- "id": "428152502467"
- },
- "provider": "aws"
- },
- "agent": {
- "version": "8.0.0",
- "ephemeral_id": "17803f33-b617-4ce9-a9ac-e218c02aeb4b",
- "id": "12f376ef-5186-4e8b-a175-70f1140a8f30",
- "name": "MacBook-Elastic.local",
- "type": "metricbeat"
- }
-}
-```
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| aws.*.metrics.*.* | Metrics that returned from Cloudwatch API query. | object |
-| aws.cloudwatch.namespace | The namespace specified when query cloudwatch api. | keyword |
-| aws.dimensions.* | Metric dimensions. | object |
-| aws.dimensions.Application | Filters on application objects, which represent an app and device registered with one of the supported push notification services, such as APNs and FCM. | keyword |
-| aws.dimensions.Application,Platform | Filters on application and platform objects, where the platform objects are for the supported push notification services, such as APNs and FCM. | keyword |
-| aws.dimensions.Country | Filters on the destination country or region of an SMS message.
| keyword |
-| aws.dimensions.Platform | Filters on platform objects for the push notification services, such as APNs and FCM. | keyword |
-| aws.dimensions.SMSType | Filters on the message type of SMS message. | keyword |
-| aws.dimensions.TopicName | Filters on Amazon SNS topic names. | keyword |
-| aws.s3.bucket.name | Name of a S3 bucket. | keyword |
-| aws.sns.metrics.NumberOfMessagesPublished.sum | The number of messages published to your Amazon SNS topics. | long |
-| aws.sns.metrics.NumberOfNotificationsDelivered.sum | The number of messages successfully delivered from your Amazon SNS topics to subscribing endpoints. | long |
-| aws.sns.metrics.NumberOfNotificationsFailed.sum | The number of messages that Amazon SNS failed to deliver. | long |
-| aws.sns.metrics.NumberOfNotificationsFailedToRedriveToDlq.sum | The number of messages that couldn't be moved to a dead-letter queue. | long |
-| aws.sns.metrics.NumberOfNotificationsFilteredOut-InvalidAttributes.sum | The number of messages that were rejected by subscription filter policies because the messages' attributes are invalid - for example, because the attribute JSON is incorrectly formatted. | long |
-| aws.sns.metrics.NumberOfNotificationsFilteredOut-NoMessageAttributes.sum | The number of messages that were rejected by subscription filter policies because the messages have no attributes. | long |
-| aws.sns.metrics.NumberOfNotificationsFilteredOut.sum | The number of messages that were rejected by subscription filter policies. | long |
-| aws.sns.metrics.NumberOfNotificationsRedrivenToDlq.sum | The number of messages that have been moved to a dead-letter queue. | long |
-| aws.sns.metrics.PublishSize.avg | The size of messages published. | double |
-| aws.sns.metrics.SMSMonthToDateSpentUSD.sum | The charges you have accrued since the start of the current calendar month for sending SMS messages. | long |
-| aws.sns.metrics.SMSSuccessRate.avg | The rate of successful SMS message deliveries.
| double |
-| aws.tags.* | Tag key value pairs from aws resources. | object |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. | keyword |
-| error.message | Error message. | text |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider.
| keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.
| keyword |
-| service.type | Service type | keyword |
-
-
-### sqs
-
-An example event for `sqs` looks as following:
-
-```$json
-{
- "@timestamp": "2020-05-28T17:58:27.154Z",
- "service": {
- "type": "aws"
- },
- "ecs": {
- "version": "1.5.0"
- },
- "aws": {
- "sqs": {
- "empty_receives": 0,
- "messages": {
- "delayed": 0,
- "deleted": 0,
- "not_visible": 0,
- "received": 0,
- "sent": 0,
- "visible": 2
- },
- "oldest_message_age": {
- "sec": 78494
- },
- "queue": {
- "name": "test-s3-notification"
- },
- "sent_message_size": {}
- }
- },
- "event": {
- "dataset": "aws.sqs",
- "module": "aws",
- "duration": 10418157072
- },
- "metricset": {
- "period": 60000,
- "name": "sqs"
- },
- "cloud": {
- "region": "us-west-2",
- "account": {
- "name": "elastic-beats",
- "id": "428152502467"
- },
- "provider": "aws"
- },
- "agent": {
- "version": "8.0.0",
- "ephemeral_id": "17803f33-b617-4ce9-a9ac-e218c02aeb4b",
- "id": "12f376ef-5186-4e8b-a175-70f1140a8f30",
- "name": "MacBook-Elastic.local",
- "type": "metricbeat"
- }
-}
-```
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| aws.*.metrics.*.* | Metrics that returned from Cloudwatch API query. | object |
-| aws.dimensions.* | Metric dimensions. | object |
-| aws.dimensions.QueueName | SQS queue name | keyword |
-| aws.s3.bucket.name | Name of a S3 bucket. | keyword |
-| aws.sqs.empty_receives | The number of ReceiveMessage API calls that did not return a message. | long |
-| aws.sqs.messages.delayed | TThe number of messages in the queue that are delayed and not available for reading immediately. | long |
-| aws.sqs.messages.deleted | The number of messages deleted from the queue. | long |
-| aws.sqs.messages.not_visible | The number of messages that are in flight. | long |
-| aws.sqs.messages.received | The number of messages returned by calls to the ReceiveMessage action. | long |
-| aws.sqs.messages.sent | The number of messages added to a queue.
| long |
-| aws.sqs.messages.visible | The number of messages available for retrieval from the queue. | long |
-| aws.sqs.oldest_message_age.sec | The approximate age of the oldest non-deleted message in the queue. | long |
-| aws.sqs.queue.name | SQS queue name | keyword |
-| aws.sqs.sent_message_size.bytes | The size of messages added to a queue. | long |
-| aws.tags.* | Tag key value pairs from aws resources. | object |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. | keyword |
-| error.message | Error message.
| text |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.
| keyword |
-| service.type | Service type | keyword |
-
-
-### transitgateway
-
-An example event for `transitgateway` looks as following:
-
-```$json
-{
- "@timestamp": "2020-05-28T20:10:20.953Z",
- "cloud": {
- "provider": "aws",
- "region": "us-west-2",
- "account": {
- "name": "elastic-beats",
- "id": "428152502467"
- }
- },
- "aws": {
- "transitgateway": {
- "metrics": {
- "PacketsIn": {
- "sum": 0
- },
- "BytesIn": {
- "sum": 0
- },
- "BytesOut": {
- "sum": 0
- },
- "PacketsOut": {
- "sum": 0
- },
- "PacketDropCountBlackhole": {
- "sum": 0
- },
- "PacketDropCountNoRoute": {
- "sum": 0
- }
- }
- },
- "cloudwatch": {
- "namespace": "AWS/TransitGateway"
- },
- "dimensions": {
- "TransitGateway": "tgw-0630672a32f12808a"
- }
- },
- "ecs": {
- "version": "1.5.0"
- },
- "agent": {
- "id": "12f376ef-5186-4e8b-a175-70f1140a8f30",
- "name": "MacBook-Elastic.local",
- "type": "metricbeat",
- "version": "8.0.0",
- "ephemeral_id": "17803f33-b617-4ce9-a9ac-e218c02aeb4b"
- },
- "event": {
- "dataset": "aws.transitgateway",
- "module": "aws",
- "duration": 12762825681
- },
- "metricset": {
- "period": 60000,
- "name": "transitgateway"
- },
- "service": {
- "type": "aws"
- }
-}
-```
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| aws.*.metrics.*.* | Metrics that returned from Cloudwatch API query. | object |
-| aws.cloudwatch.namespace | The namespace specified when query cloudwatch api. | keyword |
-| aws.dimensions.* | Metric dimensions. | object |
-| aws.dimensions.TransitGateway | Filters the metric data by transit gateway. | keyword |
-| aws.dimensions.TransitGatewayAttachment | Filters the metric data by transit gateway attachment. | keyword |
-| aws.s3.bucket.name | Name of a S3 bucket. | keyword |
-| aws.tags.* | Tag key value pairs from aws resources. | object |
-| aws.transitgateway.metrics.BytesIn.sum | The number of bytes received by the transit gateway.
| long |
-| aws.transitgateway.metrics.BytesOut.sum | The number of bytes sent from the transit gateway. | long |
-| aws.transitgateway.metrics.PacketDropCountBlackhole.sum | The number of packets dropped because they matched a blackhole route. | long |
-| aws.transitgateway.metrics.PacketDropCountNoRoute.sum | The number of packets dropped because they did not match a route. | long |
-| aws.transitgateway.metrics.PacketsIn.sum | The number of packets received by the transit gateway. | long |
-| aws.transitgateway.metrics.PacketsOut.sum | The number of packets sent by the transit gateway. | long |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace.
| constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. | keyword | -| error.message | Error message. | text | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | -| service.type | Service type | keyword | - - -### usage - -An example event for `usage` looks as following: - -```$json -{ - "@timestamp": "2020-05-28T17:58:30.929Z", - "aws": { - "usage": { - "metrics": { - "CallCount": { - "sum": 1 - } - } - }, - "cloudwatch": { - "namespace": "AWS/Usage" - }, - "dimensions": { - "Type": "API", - "Resource": "GetMetricData", - "Service": "CloudWatch", - "Class": "None" - } - }, - "event": { - "duration": 1191329839, - "dataset": "aws.usage", - "module": "aws" - }, - "service": { - "type": "aws" - }, - "ecs": { - "version": "1.5.0" - }, - "cloud": { - "provider": "aws", - "region": "eu-north-1", - "account": { - "name": "elastic-beats", - "id": "428152502467" - } - }, - "metricset": { - "name": "usage", - "period": 60000 - }, - "agent": { - "ephemeral_id": "17803f33-b617-4ce9-a9ac-e218c02aeb4b", - "id": "12f376ef-5186-4e8b-a175-70f1140a8f30", - "name": "MacBook-Elastic.local", - "type": "metricbeat", - "version": "8.0.0" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| aws.*.metrics.*.* | Metrics that returned from Cloudwatch API query. | object | -| aws.cloudwatch.namespace | The namespace specified when query cloudwatch api. | keyword | -| aws.dimensions.* | Metric dimensions. | object | -| aws.dimensions.Class | The class of resource being tracked. | keyword | -| aws.dimensions.Resource | The name of the API operation. | keyword | -| aws.dimensions.Service | The name of the AWS service containing the resource. | keyword | -| aws.dimensions.Type | The type of resource being tracked. | keyword | -| aws.s3.bucket.name | Name of a S3 bucket. | keyword | -| aws.tags.* | Tag key value pairs from aws resources. | object | -| aws.usage.metrics.CallCount.sum | The number of specified API operations performed in your account. | long | -| aws.usage.metrics.ResourceCount.sum | The number of the specified resources running in your account. 
The resources are defined by the dimensions associated with the metric. | long | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. | keyword | -| error.message | Error message. | text | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. 
| keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | -| service.type | Service type | keyword | - - -### vpn - -An example event for `vpn` looks as following: - -```$json -{ - "@timestamp": "2020-05-28T17:58:27.154Z", - "service": { - "type": "aws" - }, - "ecs": { - "version": "1.5.0" - }, - "aws": { - "vpn": { - "metrics": { - "TunnelState": { - "avg": 0 - }, - "TunnelDataIn": { - "sum": 0 - }, - "TunnelDataOut": { - "sum": 0 - } - } - }, - "cloudwatch": { - "namespace": "AWS/VPN" - } - }, - "event": { - "dataset": "aws.vpn", - "module": "aws", - "duration": 10418157072 - }, - "metricset": { - "period": 60000, - "name": "vpn" - }, - "cloud": { - "region": "us-west-2", - "account": { - "name": "elastic-beats", - "id": "428152502467" - }, - "provider": "aws" - }, - "agent": { - "version": "8.0.0", - "ephemeral_id": "17803f33-b617-4ce9-a9ac-e218c02aeb4b", - "id": "12f376ef-5186-4e8b-a175-70f1140a8f30", - "name": "MacBook-Elastic.local", - "type": "metricbeat" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| aws.*.metrics.*.* | Metrics that returned from Cloudwatch API query. | object | -| aws.cloudwatch.namespace | The namespace specified when query cloudwatch api. | keyword | -| aws.dimensions.* | Metric dimensions. | object | -| aws.dimensions.TunnelIpAddress | Filters the metric data by the IP address of the tunnel for the virtual private gateway. | keyword | -| aws.dimensions.VpnId | Filters the metric data by the Site-to-Site VPN connection ID. | keyword | -| aws.s3.bucket.name | Name of a S3 bucket. | keyword | -| aws.tags.* | Tag key value pairs from aws resources. | object | -| aws.vpn.metrics.TunnelDataIn.sum | The bytes received through the VPN tunnel. | double | -| aws.vpn.metrics.TunnelDataOut.sum | The bytes sent through the VPN tunnel. | double | -| aws.vpn.metrics.TunnelState.avg | The state of the tunnel. For static VPNs, 0 indicates DOWN and 1 indicates UP. 
For BGP VPNs, 1 indicates ESTABLISHED and 0 is used for all other states. | double | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. | keyword | -| error.message | Error message. | text | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. 
For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| service.type | Service type | keyword |
- 
diff --git a/packages/aws/0.5.4/img/filebeat-aws-cloudtrail.png b/packages/aws/0.5.4/img/filebeat-aws-cloudtrail.png
deleted file mode 100755
index 5ec69e272b..0000000000
Binary files a/packages/aws/0.5.4/img/filebeat-aws-cloudtrail.png and /dev/null differ
diff --git a/packages/aws/0.5.4/img/filebeat-aws-elb-overview.png b/packages/aws/0.5.4/img/filebeat-aws-elb-overview.png
deleted file mode 100755
index 6b0cc1b74b..0000000000
Binary files a/packages/aws/0.5.4/img/filebeat-aws-elb-overview.png and /dev/null differ
diff --git a/packages/aws/0.5.4/img/filebeat-aws-s3access-overview.png b/packages/aws/0.5.4/img/filebeat-aws-s3access-overview.png
deleted file mode 100755
index a6b762aaca..0000000000
Binary files a/packages/aws/0.5.4/img/filebeat-aws-s3access-overview.png and /dev/null differ
diff --git a/packages/aws/0.5.4/img/filebeat-aws-vpcflow-overview.png b/packages/aws/0.5.4/img/filebeat-aws-vpcflow-overview.png
deleted file mode 100755
index d0524b898a..0000000000
Binary files a/packages/aws/0.5.4/img/filebeat-aws-vpcflow-overview.png and /dev/null differ
diff --git a/packages/aws/0.5.4/img/logo_aws.svg b/packages/aws/0.5.4/img/logo_aws.svg
deleted file mode 100755
index e60377c8bd..0000000000
--- a/packages/aws/0.5.4/img/logo_aws.svg
+++ /dev/null
@@ -1,5 +0,0 @@
- - - - -
diff --git a/packages/aws/0.5.4/img/metricbeat-aws-billing-overview.png b/packages/aws/0.5.4/img/metricbeat-aws-billing-overview.png
deleted file mode 100755
index 9544b1fa8a..0000000000
Binary files a/packages/aws/0.5.4/img/metricbeat-aws-billing-overview.png and /dev/null differ
diff --git a/packages/aws/0.5.4/img/metricbeat-aws-dynamodb-overview.png b/packages/aws/0.5.4/img/metricbeat-aws-dynamodb-overview.png
deleted file mode 100755
index 386c960f22..0000000000
Binary files a/packages/aws/0.5.4/img/metricbeat-aws-dynamodb-overview.png and /dev/null differ
diff --git a/packages/aws/0.5.4/img/metricbeat-aws-ebs-overview.png b/packages/aws/0.5.4/img/metricbeat-aws-ebs-overview.png
deleted file mode 100755
index 48d09ae90d..0000000000
Binary files a/packages/aws/0.5.4/img/metricbeat-aws-ebs-overview.png and /dev/null differ
diff --git a/packages/aws/0.5.4/img/metricbeat-aws-ec2-overview.png b/packages/aws/0.5.4/img/metricbeat-aws-ec2-overview.png
deleted file mode 100755
index f9b2d621f4..0000000000
Binary files a/packages/aws/0.5.4/img/metricbeat-aws-ec2-overview.png and /dev/null differ
diff --git a/packages/aws/0.5.4/img/metricbeat-aws-elb-overview.png b/packages/aws/0.5.4/img/metricbeat-aws-elb-overview.png
deleted file mode 100755
index 37eecc1bd0..0000000000
Binary files a/packages/aws/0.5.4/img/metricbeat-aws-elb-overview.png and /dev/null differ
diff --git a/packages/aws/0.5.4/img/metricbeat-aws-lambda-overview.png b/packages/aws/0.5.4/img/metricbeat-aws-lambda-overview.png
deleted file mode 100755
index 84a228b51e..0000000000
Binary files a/packages/aws/0.5.4/img/metricbeat-aws-lambda-overview.png and /dev/null differ
diff --git a/packages/aws/0.5.4/img/metricbeat-aws-overview.png b/packages/aws/0.5.4/img/metricbeat-aws-overview.png
deleted file mode 100755
index 7f93b5d99d..0000000000
Binary files a/packages/aws/0.5.4/img/metricbeat-aws-overview.png and /dev/null differ
diff --git a/packages/aws/0.5.4/img/metricbeat-aws-rds-overview.png b/packages/aws/0.5.4/img/metricbeat-aws-rds-overview.png
deleted file mode 100755
index d44b021588..0000000000
Binary files a/packages/aws/0.5.4/img/metricbeat-aws-rds-overview.png and /dev/null differ
diff --git a/packages/aws/0.5.4/img/metricbeat-aws-s3-overview.png b/packages/aws/0.5.4/img/metricbeat-aws-s3-overview.png
deleted file mode 100755
index f64b8606e3..0000000000
Binary files a/packages/aws/0.5.4/img/metricbeat-aws-s3-overview.png and /dev/null differ
diff --git a/packages/aws/0.5.4/img/metricbeat-aws-sns-overview.png b/packages/aws/0.5.4/img/metricbeat-aws-sns-overview.png
deleted file mode 100755
index 29df3a010d..0000000000
Binary files a/packages/aws/0.5.4/img/metricbeat-aws-sns-overview.png and /dev/null differ
diff --git a/packages/aws/0.5.4/img/metricbeat-aws-sqs-overview.png b/packages/aws/0.5.4/img/metricbeat-aws-sqs-overview.png
deleted file mode 100755
index c45a261f78..0000000000
Binary files a/packages/aws/0.5.4/img/metricbeat-aws-sqs-overview.png and /dev/null differ
diff --git a/packages/aws/0.5.4/img/metricbeat-aws-usage-overview.png b/packages/aws/0.5.4/img/metricbeat-aws-usage-overview.png
deleted file mode 100755
index 3c4e67f493..0000000000
Binary files a/packages/aws/0.5.4/img/metricbeat-aws-usage-overview.png and /dev/null differ
diff --git a/packages/aws/0.5.4/kibana/dashboard/aws-0eb5a6a0-694f-11ea-b0ac-95d4ecb1fecd.json b/packages/aws/0.5.4/kibana/dashboard/aws-0eb5a6a0-694f-11ea-b0ac-95d4ecb1fecd.json
deleted file mode 100755
index ff64dd5d21..0000000000
--- a/packages/aws/0.5.4/kibana/dashboard/aws-0eb5a6a0-694f-11ea-b0ac-95d4ecb1fecd.json
+++ /dev/null
@@ -1,63 +0,0 @@ -{ - "attributes": { - "description": "Overview of AWS Transit Gateway Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"filters\"},\"gridData\":{\"h\":5,\"i\":\"af1453d8-04d3-4b44-a3b0-138111255a23\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"af1453d8-04d3-4b44-a3b0-138111255a23\",\"panelRefName\":\"panel_0\",\"title\":\"filters\",\"version\":\"7.6.1\"},{\"embeddableConfig\":{\"title\":\"Bytes In\"},\"gridData\":{\"h\":12,\"i\":\"14555108-559d-4c07-b240-6e6b14254f16\",\"w\":24,\"x\":0,\"y\":5},\"panelIndex\":\"14555108-559d-4c07-b240-6e6b14254f16\",\"panelRefName\":\"panel_1\",\"title\":\"Bytes In\",\"version\":\"7.6.1\"},{\"embeddableConfig\":{\"title\":\"Packets In\"},\"gridData\":{\"h\":12,\"i\":\"9c605367-60e3-4e9c-8036-a6191dbafe4a\",\"w\":24,\"x\":24,\"y\":5},\"panelIndex\":\"9c605367-60e3-4e9c-8036-a6191dbafe4a\",\"panelRefName\":\"panel_2\",\"title\":\"Packets In\",\"version\":\"7.6.1\"},{\"embeddableConfig\":{\"title\":\"Bytes Out\"},\"gridData\":{\"h\":12,\"i\":\"271558e6-b208-4e2c-abfb-0a6b2dbb0c66\",\"w\":24,\"x\":0,\"y\":17},\"panelIndex\":\"271558e6-b208-4e2c-abfb-0a6b2dbb0c66\",\"panelRefName\":\"panel_3\",\"title\":\"Bytes Out\",\"version\":\"7.6.1\"},{\"embeddableConfig\":{\"title\":\"Packets Out\"},\"gridData\":{\"h\":12,\"i\":\"41002ab1-845b-469e-9283-8a46a90e4662\",\"w\":24,\"x\":24,\"y\":17},\"panelIndex\":\"41002ab1-845b-469e-9283-8a46a90e4662\",\"panelRefName\":\"panel_4\",\"title\":\"Packets Out\",\"version\":\"7.6.1\"},{\"embeddableConfig\":{\"title\":\"Bytes Dropped - no route\"},\"gridData\":{\"h\":12,\"i\":\"b141f90b-739e-46f3-83c9-9c4661183837\",\"w\":24,\"x\":0,\"y\":29},\"panelIndex\":\"b141f90b-739e-46f3-83c9-9c4661183837\",\"panelRefName\":\"panel_5\",\"title\":\"Bytes Dropped - no 
route\",\"version\":\"7.6.1\"},{\"embeddableConfig\":{\"title\":\"Packets Dropped - no route\"},\"gridData\":{\"h\":12,\"i\":\"c6a76f92-248b-4cae-a03f-7d34d58098ae\",\"w\":24,\"x\":24,\"y\":29},\"panelIndex\":\"c6a76f92-248b-4cae-a03f-7d34d58098ae\",\"panelRefName\":\"panel_6\",\"title\":\"Packets Dropped - no route\",\"version\":\"7.6.1\"},{\"embeddableConfig\":{\"title\":\"Bytes Dropped - black hole\"},\"gridData\":{\"h\":12,\"i\":\"1d08d3b8-3bd7-4f90-854d-be08cb119273\",\"w\":24,\"x\":0,\"y\":41},\"panelIndex\":\"1d08d3b8-3bd7-4f90-854d-be08cb119273\",\"panelRefName\":\"panel_7\",\"title\":\"Bytes Dropped - black hole\",\"version\":\"7.6.1\"},{\"embeddableConfig\":{\"title\":\"Packets Dropped - black hole\"},\"gridData\":{\"h\":12,\"i\":\"40e82e50-b30c-40eb-bbee-9bbfc3d3311f\",\"w\":24,\"x\":24,\"y\":41},\"panelIndex\":\"40e82e50-b30c-40eb-bbee-9bbfc3d3311f\",\"panelRefName\":\"panel_8\",\"title\":\"Packets Dropped - black hole\",\"version\":\"7.6.1\"}]", - "timeRestore": false, - "title": "[Metrics AWS] TransitGateway Overview", - "version": 1 - }, - "id": "aws-0eb5a6a0-694f-11ea-b0ac-95d4ecb1fecd", - "references": [ - { - "id": "aws-415fed40-694f-11ea-b0ac-95d4ecb1fecd", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "aws-cd6419c0-6949-11ea-b0ac-95d4ecb1fecd", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "aws-0a36b590-694c-11ea-b0ac-95d4ecb1fecd", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "aws-dc5f65b0-6949-11ea-b0ac-95d4ecb1fecd", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "aws-10e0f270-694c-11ea-b0ac-95d4ecb1fecd", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "aws-01ed5990-694a-11ea-b0ac-95d4ecb1fecd", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "aws-007ceec0-694c-11ea-b0ac-95d4ecb1fecd", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "aws-f7c17000-6949-11ea-b0ac-95d4ecb1fecd", - "name": "panel_7", - "type": "visualization" - 
},
- {
- "id": "aws-c1db9b80-694b-11ea-b0ac-95d4ecb1fecd",
- "name": "panel_8",
- "type": "visualization"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/aws/0.5.4/kibana/dashboard/aws-15503340-4488-11ea-ad63-791a5dc86f10.json b/packages/aws/0.5.4/kibana/dashboard/aws-15503340-4488-11ea-ad63-791a5dc86f10.json
deleted file mode 100755
index d103e7cf70..0000000000
--- a/packages/aws/0.5.4/kibana/dashboard/aws-15503340-4488-11ea-ad63-791a5dc86f10.json
+++ /dev/null
@@ -1,43 +0,0 @@ -{ - "attributes": { - "description": "Logs AWS VPC Flow Log Overview Dashboard", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"S3 Bucket Filter\"},\"gridData\":{\"h\":5,\"i\":\"c802177f-038c-4a35-a82d-0fa42c857d02\",\"w\":18,\"x\":0,\"y\":0},\"panelIndex\":\"c802177f-038c-4a35-a82d-0fa42c857d02\",\"panelRefName\":\"panel_0\",\"title\":\"S3 Bucket Filter\",\"version\":\"7.4.0\"},{\"embeddableConfig\":{\"isLayerTOCOpen\":true,\"mapCenter\":{\"lat\":12.09237,\"lon\":60.11722,\"zoom\":0.47},\"openTOCDetails\":[],\"title\":\"VPC Flow Action Geo Location\"},\"gridData\":{\"h\":17,\"i\":\"380eed85-225b-4d5d-88bc-1c70a3643ddb\",\"w\":30,\"x\":18,\"y\":0},\"panelIndex\":\"380eed85-225b-4d5d-88bc-1c70a3643ddb\",\"panelRefName\":\"panel_1\",\"title\":\"VPC Flow Action Geo Location\",\"version\":\"7.4.0\"},{\"embeddableConfig\":{\"title\":\"VPC Flow Top IP Addresses\"},\"gridData\":{\"h\":12,\"i\":\"3dde08df-2d7e-464e-825d-03179e43e175\",\"w\":18,\"x\":0,\"y\":5},\"panelIndex\":\"3dde08df-2d7e-464e-825d-03179e43e175\",\"panelRefName\":\"panel_2\",\"title\":\"VPC Flow Top IP Addresses\",\"version\":\"7.4.0\"},{\"embeddableConfig\":{\"title\":\"VPC Flow Total Requests\"},\"gridData\":{\"h\":12,\"i\":\"f7c6de04-c771-47ff-a32d-00a7940e414a\",\"w\":48,\"x\":0,\"y\":17},\"panelIndex\":\"f7c6de04-c771-47ff-a32d-00a7940e414a\",\"panelRefName\":\"panel_3\",\"title\":\"VPC Flow Total Requests\",\"version\":\"7.4.0\"},{\"embeddableConfig\":{\"title\":\"VPC Flow Reject Logs\"},\"gridData\":{\"h\":15,\"i\":\"b4dbbe72-0dc0-428b-b21e-91c6cc82745c\",\"w\":48,\"x\":0,\"y\":29},\"panelIndex\":\"b4dbbe72-0dc0-428b-b21e-91c6cc82745c\",\"panelRefName\":\"panel_4\",\"title\":\"VPC Flow Reject Logs\",\"version\":\"7.4.0\"}]", - "timeRestore": false, - "title": "[Logs AWS] 
VPC Flow Log Overview",
- "version": 1
- },
- "id": "aws-15503340-4488-11ea-ad63-791a5dc86f10",
- "references": [
- {
- "id": "aws-247e2990-4699-11ea-ad63-791a5dc86f10",
- "name": "panel_0",
- "type": "visualization"
- },
- {
- "id": "aws-513a3d70-4482-11ea-ad63-791a5dc86f10",
- "name": "panel_1",
- "type": "map"
- },
- {
- "id": "aws-75853f20-4484-11ea-ad63-791a5dc86f10",
- "name": "panel_2",
- "type": "visualization"
- },
- {
- "id": "aws-bad8c910-4485-11ea-ad63-791a5dc86f10",
- "name": "panel_3",
- "type": "visualization"
- },
- {
- "id": "aws-c1aee600-4487-11ea-ad63-791a5dc86f10",
- "name": "panel_4",
- "type": "search"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/aws/0.5.4/kibana/dashboard/aws-234aeda0-43b7-11e9-8697-530f39afc6eb.json b/packages/aws/0.5.4/kibana/dashboard/aws-234aeda0-43b7-11e9-8697-530f39afc6eb.json
deleted file mode 100755
index 01945970c4..0000000000
--- a/packages/aws/0.5.4/kibana/dashboard/aws-234aeda0-43b7-11e9-8697-530f39afc6eb.json
+++ /dev/null
@@ -1,58 +0,0 @@ -{ - "attributes": { - "description": "Overview of AWS SQS Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"SQS Messages Visible\"},\"gridData\":{\"h\":8,\"i\":\"1\",\"w\":12,\"x\":12,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"title\":\"SQS Messages Visible\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"title\":\"SQS Oldest Message Age in Seconds\"},\"gridData\":{\"h\":8,\"i\":\"2\",\"w\":12,\"x\":36,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"title\":\"SQS Oldest Message Age in Seconds\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"title\":\"SQS Messages Received\"},\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":8},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"title\":\"SQS Messages Received\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"title\":\"SQS Messages Deleted\"},\"gridData\":{\"h\":8,\"i\":\"4\",\"w\":24,\"x\":24,\"y\":8},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"title\":\"SQS Messages Deleted\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"title\":\"SQS Messages Delayed\"},\"gridData\":{\"h\":8,\"i\":\"7\",\"w\":24,\"x\":0,\"y\":16},\"panelIndex\":\"7\",\"panelRefName\":\"panel_4\",\"title\":\"SQS Messages Delayed\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"title\":\"SQS Messages Sent\"},\"gridData\":{\"h\":8,\"i\":\"8\",\"w\":24,\"x\":24,\"y\":16},\"panelIndex\":\"8\",\"panelRefName\":\"panel_5\",\"title\":\"SQS Messages Sent\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"title\":\"SQS Filters\"},\"gridData\":{\"h\":8,\"i\":\"9\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"9\",\"panelRefName\":\"panel_6\",\"title\":\"SQS Filters\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"title\":\"SQS Empty 
Receives\"},\"gridData\":{\"h\":8,\"i\":\"10\",\"w\":12,\"x\":24,\"y\":0},\"panelIndex\":\"10\",\"panelRefName\":\"panel_7\",\"title\":\"SQS Empty Receives\",\"version\":\"7.6.0\"}]",
- "timeRestore": false,
- "title": "[Metrics AWS] SQS Overview",
- "version": 1
- },
- "id": "aws-234aeda0-43b7-11e9-8697-530f39afc6eb",
- "references": [
- {
- "id": "aws-f74eb760-41e8-11e9-b7a0-c99d9d127b61",
- "name": "panel_0",
- "type": "visualization"
- },
- {
- "id": "aws-53730d20-437e-11e9-8697-530f39afc6eb",
- "name": "panel_1",
- "type": "visualization"
- },
- {
- "id": "aws-1235fe50-41e7-11e9-b7a0-c99d9d127b61",
- "name": "panel_2",
- "type": "visualization"
- },
- {
- "id": "aws-be6c4180-41e6-11e9-b7a0-c99d9d127b61",
- "name": "panel_3",
- "type": "visualization"
- },
- {
- "id": "aws-dcd31cd0-41e5-11e9-b7a0-c99d9d127b61",
- "name": "panel_4",
- "type": "visualization"
- },
- {
- "id": "aws-dd2f2a10-41e6-11e9-b7a0-c99d9d127b61",
- "name": "panel_5",
- "type": "visualization"
- },
- {
- "id": "aws-b0afd3e0-43b7-11e9-8697-530f39afc6eb",
- "name": "panel_6",
- "type": "visualization"
- },
- {
- "id": "aws-bb82c4d0-6c25-11e9-81bc-7f4cd8b3d892",
- "name": "panel_7",
- "type": "visualization"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/aws/0.5.4/kibana/dashboard/aws-3367c170-921f-11e9-aa19-159bf182e06f.json b/packages/aws/0.5.4/kibana/dashboard/aws-3367c170-921f-11e9-aa19-159bf182e06f.json
deleted file mode 100755
index 473a878294..0000000000
--- a/packages/aws/0.5.4/kibana/dashboard/aws-3367c170-921f-11e9-aa19-159bf182e06f.json
+++ /dev/null
@@ -1,58 +0,0 @@ -{ - "attributes": { - "description": "Overview of AWS RDS Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"Database Connections\"},\"gridData\":{\"h\":6,\"i\":\"1\",\"w\":19,\"x\":10,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"title\":\"Database Connections\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"title\":\"Insert Latency in Milliseconds\"},\"gridData\":{\"h\":10,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":6},\"panelIndex\":\"3\",\"panelRefName\":\"panel_1\",\"title\":\"Insert Latency in Milliseconds\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"title\":\"Select Latency in Milliseconds\"},\"gridData\":{\"h\":10,\"i\":\"4\",\"w\":24,\"x\":24,\"y\":6},\"panelIndex\":\"4\",\"panelRefName\":\"panel_2\",\"title\":\"Select Latency in Milliseconds\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"title\":\"Transaction Blocked\"},\"gridData\":{\"h\":6,\"i\":\"5\",\"w\":19,\"x\":29,\"y\":0},\"panelIndex\":\"5\",\"panelRefName\":\"panel_3\",\"title\":\"Transaction Blocked\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":6,\"i\":\"6\",\"w\":10,\"x\":0,\"y\":0},\"panelIndex\":\"6\",\"panelRefName\":\"panel_4\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"title\":\"Insert Throughput in Count/Second\"},\"gridData\":{\"h\":11,\"i\":\"7\",\"w\":24,\"x\":0,\"y\":16},\"panelIndex\":\"7\",\"panelRefName\":\"panel_5\",\"title\":\"Insert Throughput in Count/Second\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"title\":\"Select Throughput in Count/Second\"},\"gridData\":{\"h\":11,\"i\":\"8\",\"w\":24,\"x\":24,\"y\":16},\"panelIndex\":\"8\",\"panelRefName\":\"panel_6\",\"title\":\"Select Throughput in Count/Second\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"title\":\"Disk Queue 
Depth\"},\"gridData\":{\"h\":12,\"i\":\"132653bc-2669-4e8c-b536-06c680e9acf0\",\"w\":48,\"x\":0,\"y\":27},\"panelIndex\":\"132653bc-2669-4e8c-b536-06c680e9acf0\",\"panelRefName\":\"panel_7\",\"title\":\"Disk Queue Depth\",\"version\":\"7.3.0\"}]",
- "timeRestore": false,
- "title": "[Metrics AWS] RDS Overview",
- "version": 1
- },
- "id": "aws-3367c170-921f-11e9-aa19-159bf182e06f",
- "references": [
- {
- "id": "aws-17fcda50-921b-11e9-aa19-159bf182e06f",
- "name": "panel_0",
- "type": "visualization"
- },
- {
- "id": "aws-8b8a7f80-921c-11e9-aa19-159bf182e06f",
- "name": "panel_1",
- "type": "visualization"
- },
- {
- "id": "aws-cc3a1950-921c-11e9-aa19-159bf182e06f",
- "name": "panel_2",
- "type": "visualization"
- },
- {
- "id": "aws-00b29040-921d-11e9-aa19-159bf182e06f",
- "name": "panel_3",
- "type": "visualization"
- },
- {
- "id": "aws-b5308940-7347-11e9-816b-07687310a99a",
- "name": "panel_4",
- "type": "visualization"
- },
- {
- "id": "aws-c1afd130-921e-11e9-aa19-159bf182e06f",
- "name": "panel_5",
- "type": "visualization"
- },
- {
- "id": "aws-e06e4cf0-921e-11e9-aa19-159bf182e06f",
- "name": "panel_6",
- "type": "visualization"
- },
- {
- "id": "aws-966ae990-d979-11e9-9458-bbef63ad717b",
- "name": "panel_7",
- "type": "visualization"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/aws/0.5.4/kibana/dashboard/aws-3af47420-3e7b-11ea-bb0a-69c3ca1d410f.json b/packages/aws/0.5.4/kibana/dashboard/aws-3af47420-3e7b-11ea-bb0a-69c3ca1d410f.json
deleted file mode 100755
index 7e09cebb35..0000000000
--- a/packages/aws/0.5.4/kibana/dashboard/aws-3af47420-3e7b-11ea-bb0a-69c3ca1d410f.json
+++ /dev/null
@@ -1,63 +0,0 @@ -{ - "attributes": { - "description": "Logs AWS ELB Access Log Overview Dashboard", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"isLayerTOCOpen\":false,\"mapCenter\":{\"lat\":51.63808,\"lon\":17.07232,\"zoom\":3.47},\"openTOCDetails\":[],\"title\":\"ELB Requests Geolocation\"},\"gridData\":{\"h\":14,\"i\":\"2c97b32e-5548-429d-9ce0-1bbc3d2398ac\",\"w\":16,\"x\":0,\"y\":0},\"panelIndex\":\"2c97b32e-5548-429d-9ce0-1bbc3d2398ac\",\"panelRefName\":\"panel_0\",\"title\":\"ELB Requests Geolocation\",\"version\":\"7.4.0\"},{\"embeddableConfig\":{\"title\":\"ELB Inbound Traffic\"},\"gridData\":{\"h\":14,\"i\":\"26ebbde3-ee0c-4b4d-8ab9-404cbe5786a9\",\"w\":16,\"x\":16,\"y\":0},\"panelIndex\":\"26ebbde3-ee0c-4b4d-8ab9-404cbe5786a9\",\"panelRefName\":\"panel_1\",\"title\":\"ELB Inbound Traffic\",\"version\":\"7.4.0\"},{\"embeddableConfig\":{\"title\":\"ELB Top User Agents\"},\"gridData\":{\"h\":14,\"i\":\"48ecb39f-57a5-4805-a8a9-77385a996d75\",\"w\":16,\"x\":32,\"y\":14},\"panelIndex\":\"48ecb39f-57a5-4805-a8a9-77385a996d75\",\"panelRefName\":\"panel_2\",\"title\":\"ELB Top User Agents\",\"version\":\"7.4.0\"},{\"embeddableConfig\":{\"title\":\"ELB Total Requests\"},\"gridData\":{\"h\":14,\"i\":\"9812996e-ba10-41bd-b134-c9705a0973b4\",\"w\":16,\"x\":0,\"y\":14},\"panelIndex\":\"9812996e-ba10-41bd-b134-c9705a0973b4\",\"panelRefName\":\"panel_3\",\"title\":\"ELB Total Requests\",\"version\":\"7.4.0\"},{\"embeddableConfig\":{\"title\":\"ELB Top IP Addresses\"},\"gridData\":{\"h\":14,\"i\":\"bb25b36e-0787-48fd-aa22-7ba8c08a9c36\",\"w\":16,\"x\":16,\"y\":14},\"panelIndex\":\"bb25b36e-0787-48fd-aa22-7ba8c08a9c36\",\"panelRefName\":\"panel_4\",\"title\":\"ELB Top IP Addresses\",\"version\":\"7.4.0\"},{\"embeddableConfig\":{\"title\":\"ELB Outbound 
Traffic\"},\"gridData\":{\"h\":14,\"i\":\"bf43580d-cc26-415b-ae36-d678a232b544\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"bf43580d-cc26-415b-ae36-d678a232b544\",\"panelRefName\":\"panel_5\",\"title\":\"ELB Outbound Traffic\",\"version\":\"7.4.0\"},{\"embeddableConfig\":{\"title\":\"ELB HTTP 2xx\"},\"gridData\":{\"h\":14,\"i\":\"466e825b-6ee2-43c3-b221-21abe27612dd\",\"w\":16,\"x\":0,\"y\":28},\"panelIndex\":\"466e825b-6ee2-43c3-b221-21abe27612dd\",\"panelRefName\":\"panel_6\",\"title\":\"ELB HTTP 2xx\",\"version\":\"7.4.0\"},{\"embeddableConfig\":{\"title\":\"ELB HTTP 4xx\"},\"gridData\":{\"h\":14,\"i\":\"d42994a6-922c-4f86-bf99-a46f87ff106d\",\"w\":16,\"x\":16,\"y\":28},\"panelIndex\":\"d42994a6-922c-4f86-bf99-a46f87ff106d\",\"panelRefName\":\"panel_7\",\"title\":\"ELB HTTP 4xx\",\"version\":\"7.4.0\"},{\"embeddableConfig\":{\"title\":\"ELB HTTP 5xx\"},\"gridData\":{\"h\":14,\"i\":\"f45aaa2c-c244-4d1a-8ad4-4794130b9827\",\"w\":16,\"x\":32,\"y\":28},\"panelIndex\":\"f45aaa2c-c244-4d1a-8ad4-4794130b9827\",\"panelRefName\":\"panel_8\",\"title\":\"ELB HTTP 5xx\",\"version\":\"7.4.0\"}]", - "timeRestore": false, - "title": "[Logs AWS] ELB Access Log Overview", - "version": 1 - }, - "id": "aws-3af47420-3e7b-11ea-bb0a-69c3ca1d410f", - "references": [ - { - "id": "aws-0edf0640-3e7e-11ea-bb0a-69c3ca1d410f", - "name": "panel_0", - "type": "map" - }, - { - "id": "aws-76af8140-3e84-11ea-bb0a-69c3ca1d410f", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "aws-73970bc0-3e86-11ea-bb0a-69c3ca1d410f", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "aws-e50c51e0-3e7f-11ea-bb0a-69c3ca1d410f", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "aws-ceb7c030-3e86-11ea-bb0a-69c3ca1d410f", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "aws-bd37d720-3e84-11ea-bb0a-69c3ca1d410f", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "aws-219c1850-3e82-11ea-bb0a-69c3ca1d410f", - "name": "panel_6", - "type": 
"visualization" - }, - { - "id": "aws-b6a308f0-3e82-11ea-bb0a-69c3ca1d410f", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "aws-d8b1e830-3e82-11ea-bb0a-69c3ca1d410f", - "name": "panel_8", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/dashboard/aws-44ce4680-b7ba-11e9-8349-f15f850c5cd0.json b/packages/aws/0.5.4/kibana/dashboard/aws-44ce4680-b7ba-11e9-8349-f15f850c5cd0.json deleted file mode 100755 index 3d683ba1dd..0000000000 --- a/packages/aws/0.5.4/kibana/dashboard/aws-44ce4680-b7ba-11e9-8349-f15f850c5cd0.json +++ /dev/null 
@@ -1,68 +0,0 @@ -{ - "attributes": { - "description": "[Metrics AWS] Overview of EBS Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"1\",\"w\":24,\"x\":24,\"y\":10},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"title\":\"Volume Write Ops\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"2\",\"w\":24,\"x\":0,\"y\":10},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"title\":\"Volume Read Ops\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"3\",\"w\":24,\"x\":24,\"y\":20},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"title\":\"Volume Write Bytes\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"4\",\"w\":24,\"x\":0,\"y\":20},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"title\":\"Volume Read Bytes\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"5\",\"w\":19,\"x\":8,\"y\":0},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"title\":\"Volume Queue Length\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"6\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"title\":\"Volume Total Write Time\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"7\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"title\":\"Volume Total Read Time\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"8\",\"w\":21,\"x\":27,\"y\":0},\"panelIndex\":\"8\",\"panelRefName\":\"panel_7\",\"title\":\"Volume Idle 
Time\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":5,\"i\":\"9\",\"w\":8,\"x\":0,\"y\":5},\"panelIndex\":\"9\",\"panelRefName\":\"panel_8\",\"title\":\"EBS Volume ID Filter\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":5,\"i\":\"10\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"10\",\"panelRefName\":\"panel_9\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Metrics AWS] EBS Overview", - "version": 1 - }, - "id": "aws-44ce4680-b7ba-11e9-8349-f15f850c5cd0", - "references": [ - { - "id": "aws-f6831f30-b7b6-11e9-8349-f15f850c5cd0", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "aws-bb3a6cd0-b7b6-11e9-8349-f15f850c5cd0", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "aws-c0e32d50-b7b8-11e9-8349-f15f850c5cd0", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "aws-b00c4390-b7b8-11e9-8349-f15f850c5cd0", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "aws-fe0581b0-b7b8-11e9-8349-f15f850c5cd0", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "aws-25384bf0-b7b9-11e9-8349-f15f850c5cd0", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "aws-12eff7e0-b7b9-11e9-8349-f15f850c5cd0", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "aws-67f43080-b7b9-11e9-8349-f15f850c5cd0", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "aws-d045d120-b7b9-11e9-8349-f15f850c5cd0", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "aws-b5308940-7347-11e9-816b-07687310a99a", - "name": "panel_9", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/dashboard/aws-4746e000-bacd-11e9-9f70-1f7bda85a5eb.json b/packages/aws/0.5.4/kibana/dashboard/aws-4746e000-bacd-11e9-9f70-1f7bda85a5eb.json deleted file mode 100755 index f94deb7b94..0000000000 
--- a/packages/aws/0.5.4/kibana/dashboard/aws-4746e000-bacd-11e9-9f70-1f7bda85a5eb.json +++ /dev/null @@ -1,33 +0,0 @@ -{ - "attributes": { - "description": "Logs AWS S3 Server Access Log Overview Dashboard", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"Top URLs\"},\"gridData\":{\"h\":15,\"i\":\"1\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"title\":\"Top URLs\",\"version\":\"7.4.0\"},{\"embeddableConfig\":{\"title\":\"Http Status over time\"},\"gridData\":{\"h\":15,\"i\":\"2\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"title\":\"Http Status over time\",\"version\":\"7.4.0\"},{\"embeddableConfig\":{\"title\":\"Error Logs\"},\"gridData\":{\"h\":15,\"i\":\"3\",\"w\":48,\"x\":0,\"y\":15},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"title\":\"Error Logs\",\"version\":\"7.4.0\"}]", - "timeRestore": false, - "title": "[Logs AWS] S3 Server Access Log Overview", - "version": 1 - }, - "id": "aws-4746e000-bacd-11e9-9f70-1f7bda85a5eb", - "references": [ - { - "id": "aws-99ffdb00-bacb-11e9-9f70-1f7bda85a5eb", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "aws-5c93cd10-bac3-11e9-9f70-1f7bda85a5eb", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "aws-5e5a3c90-bac0-11e9-9f70-1f7bda85a5eb", - "name": "panel_2", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/dashboard/aws-67c9f900-693e-11ea-b0ac-95d4ecb1fecd.json b/packages/aws/0.5.4/kibana/dashboard/aws-67c9f900-693e-11ea-b0ac-95d4ecb1fecd.json deleted file mode 100755 index 58c344b256..0000000000 --- a/packages/aws/0.5.4/kibana/dashboard/aws-67c9f900-693e-11ea-b0ac-95d4ecb1fecd.json +++ /dev/null 
@@ -1,53 +0,0 @@ -{ - "attributes": { - "description": "Overview of AWS VPN Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"Filters\"},\"gridData\":{\"h\":14,\"i\":\"8ef52400-6eac-417b-936e-dce159dd5e89\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"8ef52400-6eac-417b-936e-dce159dd5e89\",\"panelRefName\":\"panel_0\",\"title\":\"Filters\",\"version\":\"7.6.1\"},{\"embeddableConfig\":{\"title\":\"Tunnel State Per VPN ID\"},\"gridData\":{\"h\":14,\"i\":\"eb78041b-afc4-458e-af92-0951b1d0cadd\",\"w\":20,\"x\":8,\"y\":0},\"panelIndex\":\"eb78041b-afc4-458e-af92-0951b1d0cadd\",\"panelRefName\":\"panel_1\",\"title\":\"Tunnel State Per VPN ID\",\"version\":\"7.6.1\"},{\"embeddableConfig\":{\"title\":\"Tunnel State Per Tunnel IP\"},\"gridData\":{\"h\":14,\"i\":\"39a9be08-98c6-470c-b76b-312a57e11e2d\",\"w\":20,\"x\":28,\"y\":0},\"panelIndex\":\"39a9be08-98c6-470c-b76b-312a57e11e2d\",\"panelRefName\":\"panel_2\",\"title\":\"Tunnel State Per Tunnel IP\",\"version\":\"7.6.1\"},{\"embeddableConfig\":{\"title\":\"Tunnel Data In Per VPN ID\"},\"gridData\":{\"h\":15,\"i\":\"5c8122a2-fbf0-4404-918e-249bf6fd7f07\",\"w\":24,\"x\":0,\"y\":14},\"panelIndex\":\"5c8122a2-fbf0-4404-918e-249bf6fd7f07\",\"panelRefName\":\"panel_3\",\"title\":\"Tunnel Data In Per VPN ID\",\"version\":\"7.6.1\"},{\"embeddableConfig\":{\"title\":\"Tunnel Data In Per Tunnel IP\"},\"gridData\":{\"h\":15,\"i\":\"8ecd0f73-146f-4aed-bfd1-5c236c5dfe8c\",\"w\":24,\"x\":24,\"y\":14},\"panelIndex\":\"8ecd0f73-146f-4aed-bfd1-5c236c5dfe8c\",\"panelRefName\":\"panel_4\",\"title\":\"Tunnel Data In Per Tunnel IP\",\"version\":\"7.6.1\"},{\"embeddableConfig\":{\"title\":\"Tunnel Data Out Per VPN 
ID\"},\"gridData\":{\"h\":15,\"i\":\"eb10ea7d-ffc9-4c51-9386-6f63be6322aa\",\"w\":24,\"x\":0,\"y\":29},\"panelIndex\":\"eb10ea7d-ffc9-4c51-9386-6f63be6322aa\",\"panelRefName\":\"panel_5\",\"title\":\"Tunnel Data Out Per VPN ID\",\"version\":\"7.6.1\"},{\"embeddableConfig\":{\"title\":\"Tunnel Data Out Per Tunnel IP\"},\"gridData\":{\"h\":15,\"i\":\"3b01a7e9-eb8b-43bb-977d-53d8bc9d21b7\",\"w\":24,\"x\":24,\"y\":29},\"panelIndex\":\"3b01a7e9-eb8b-43bb-977d-53d8bc9d21b7\",\"panelRefName\":\"panel_6\",\"title\":\"Tunnel Data Out Per Tunnel IP\",\"version\":\"7.6.1\"}]", - "timeRestore": false, - "title": "[Metrics AWS] VPN Overview", - "version": 1 - }, - "id": "aws-67c9f900-693e-11ea-b0ac-95d4ecb1fecd", - "references": [ - { - "id": "aws-fcfc8d80-693e-11ea-b0ac-95d4ecb1fecd", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "aws-142ad600-693b-11ea-b0ac-95d4ecb1fecd", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "aws-58f5a3c0-6943-11ea-b0ac-95d4ecb1fecd", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "aws-2ee7f420-6943-11ea-b0ac-95d4ecb1fecd", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "aws-ea9e3d40-693a-11ea-b0ac-95d4ecb1fecd", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "aws-26b73e50-6943-11ea-b0ac-95d4ecb1fecd", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "aws-f58f99b0-693a-11ea-b0ac-95d4ecb1fecd", - "name": "panel_6", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/dashboard/aws-68ba7bd0-20b6-11ea-8f72-2f8d21e50b0c.json b/packages/aws/0.5.4/kibana/dashboard/aws-68ba7bd0-20b6-11ea-8f72-2f8d21e50b0c.json deleted file mode 100755 index ff37f6c185..0000000000 --- a/packages/aws/0.5.4/kibana/dashboard/aws-68ba7bd0-20b6-11ea-8f72-2f8d21e50b0c.json +++ /dev/null 
@@ -1,68 +0,0 @@ -{ - "attributes": { - "description": "Overview of DynamoDB AWS Cloudwatch metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"Region/Account Filters\"},\"gridData\":{\"h\":9,\"i\":\"9642fcd0-464b-46ea-815c-cd2d9efc056d\",\"w\":10,\"x\":0,\"y\":0},\"panelIndex\":\"9642fcd0-464b-46ea-815c-cd2d9efc056d\",\"panelRefName\":\"panel_0\",\"title\":\"Region/Account Filters\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"title\":\"Consumed Read Capacity Units\"},\"gridData\":{\"h\":9,\"i\":\"bb4b0cfa-7d6f-48e3-913e-2713c5aa3fe0\",\"w\":14,\"x\":10,\"y\":0},\"panelIndex\":\"bb4b0cfa-7d6f-48e3-913e-2713c5aa3fe0\",\"panelRefName\":\"panel_1\",\"title\":\"Consumed Read Capacity Units\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"title\":\"Consumed Write Capacity Units\"},\"gridData\":{\"h\":9,\"i\":\"09bdf20b-43b4-47a3-a113-d34ef3b2596c\",\"w\":14,\"x\":24,\"y\":0},\"panelIndex\":\"09bdf20b-43b4-47a3-a113-d34ef3b2596c\",\"panelRefName\":\"panel_2\",\"title\":\"Consumed Write Capacity Units\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"title\":\"Max Read/Write Account Limits\"},\"gridData\":{\"h\":9,\"i\":\"1bd7141d-b410-4ca0-8550-f8f645d97983\",\"w\":10,\"x\":38,\"y\":0},\"panelIndex\":\"1bd7141d-b410-4ca0-8550-f8f645d97983\",\"panelRefName\":\"panel_3\",\"title\":\"Max Read/Write Account Limits\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"title\":\"Successful Request Latency\"},\"gridData\":{\"h\":10,\"i\":\"073302ad-0e44-4cd1-b16d-58f017a71816\",\"w\":17,\"x\":0,\"y\":9},\"panelIndex\":\"073302ad-0e44-4cd1-b16d-58f017a71816\",\"panelRefName\":\"panel_4\",\"title\":\"Successful Request Latency\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"title\":\"Read Throttle 
Events\"},\"gridData\":{\"h\":10,\"i\":\"ddcbc858-d2a0-42c3-8074-74f7d08ecb60\",\"w\":16,\"x\":17,\"y\":9},\"panelIndex\":\"ddcbc858-d2a0-42c3-8074-74f7d08ecb60\",\"panelRefName\":\"panel_5\",\"title\":\"Read Throttle Events\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"title\":\"Throttle Requests\"},\"gridData\":{\"h\":10,\"i\":\"95ffd42d-b28d-4f40-b3cb-6a6ac52943e1\",\"w\":15,\"x\":33,\"y\":9},\"panelIndex\":\"95ffd42d-b28d-4f40-b3cb-6a6ac52943e1\",\"panelRefName\":\"panel_6\",\"title\":\"Throttle Requests\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"title\":\"Max Request Latency Per Operation\"},\"gridData\":{\"h\":11,\"i\":\"0a588a08-997a-422f-a5db-e56728bc6702\",\"w\":17,\"x\":0,\"y\":19},\"panelIndex\":\"0a588a08-997a-422f-a5db-e56728bc6702\",\"panelRefName\":\"panel_7\",\"title\":\"Max Request Latency Per Operation\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"title\":\"Write Throttle Events\"},\"gridData\":{\"h\":11,\"i\":\"897ae224-d367-4fe0-aa23-5bb13165cc67\",\"w\":16,\"x\":17,\"y\":19},\"panelIndex\":\"897ae224-d367-4fe0-aa23-5bb13165cc67\",\"panelRefName\":\"panel_8\",\"title\":\"Write Throttle Events\",\"version\":\"7.6.2\"},{\"embeddableConfig\":{\"title\":\"Account Provisioned Write Capacity Utilization\"},\"gridData\":{\"h\":11,\"i\":\"e81e9817-c971-454b-881a-09cec10da0e9\",\"w\":15,\"x\":33,\"y\":19},\"panelIndex\":\"e81e9817-c971-454b-881a-09cec10da0e9\",\"panelRefName\":\"panel_9\",\"title\":\"Account Provisioned Write Capacity Utilization\",\"version\":\"7.6.2\"}]", - "timeRestore": false, - "title": "[Metrics AWS] DynamoDB Overview", - "version": 1 - }, - "id": "aws-68ba7bd0-20b6-11ea-8f72-2f8d21e50b0c", - "references": [ - { - "id": "aws-bc8bd8f0-31fd-11ea-bcbf-59cb7eefc1f0", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "aws-9d284bc0-7b08-11ea-9bb4-e958b64b5685", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "aws-49379b70-7b07-11ea-9bb4-e958b64b5685", - "name": "panel_2", - "type": 
"visualization" - }, - { - "id": "aws-7d1e0870-7a3f-11ea-bfa4-dfea8c457654", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "aws-8cf5fbe0-7b07-11ea-9bb4-e958b64b5685", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "aws-7b93bab0-7b0a-11ea-9bb4-e958b64b5685", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "aws-9f0425c0-7b0a-11ea-9bb4-e958b64b5685", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "aws-3dee68c0-7b0c-11ea-9bb4-e958b64b5685", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "aws-b403f7b0-7b15-11ea-9bb4-e958b64b5685", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "aws-31ad4090-2003-11ea-8f72-2f8d21e50b0c", - "name": "panel_9", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/dashboard/aws-7ac8e1d0-28d2-11ea-ba6c-49a884eb104f.json b/packages/aws/0.5.4/kibana/dashboard/aws-7ac8e1d0-28d2-11ea-ba6c-49a884eb104f.json deleted file mode 100755 index 1dbf16251c..0000000000 --- a/packages/aws/0.5.4/kibana/dashboard/aws-7ac8e1d0-28d2-11ea-ba6c-49a884eb104f.json +++ /dev/null 
@@ -1,48 +0,0 @@ -{ - "attributes": { - "description": "Overview of AWS Lambda Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"AWS Account Filter\"},\"gridData\":{\"h\":5,\"i\":\"8f2d1b8f-fef3-4a9a-9cc8-7f0e2c65e35a\",\"w\":14,\"x\":0,\"y\":0},\"panelIndex\":\"8f2d1b8f-fef3-4a9a-9cc8-7f0e2c65e35a\",\"panelRefName\":\"panel_0\",\"title\":\"AWS Account Filter\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"title\":\"Top Errors\"},\"gridData\":{\"h\":10,\"i\":\"443a9699-3451-44f7-8415-99a16c3f45b3\",\"w\":34,\"x\":14,\"y\":0},\"panelIndex\":\"443a9699-3451-44f7-8415-99a16c3f45b3\",\"panelRefName\":\"panel_1\",\"title\":\"Top Errors\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"title\":\"AWS Region Filter\"},\"gridData\":{\"h\":5,\"i\":\"60a16bf0-2979-467a-b30e-05ea29547b41\",\"w\":14,\"x\":0,\"y\":5},\"panelIndex\":\"60a16bf0-2979-467a-b30e-05ea29547b41\",\"panelRefName\":\"panel_2\",\"title\":\"AWS Region Filter\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"title\":\"Lambda Function Duration in Milliseconds\"},\"gridData\":{\"h\":14,\"i\":\"349ef0d1-fea1-4b91-b95d-7a668914e10b\",\"w\":48,\"x\":0,\"y\":10},\"panelIndex\":\"349ef0d1-fea1-4b91-b95d-7a668914e10b\",\"panelRefName\":\"panel_3\",\"title\":\"Lambda Function Duration in Milliseconds\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"title\":\"Top Invoked Lambda Functions\"},\"gridData\":{\"h\":9,\"i\":\"048b1577-5aed-48e5-8f90-147aa3d56c1a\",\"w\":24,\"x\":0,\"y\":24},\"panelIndex\":\"048b1577-5aed-48e5-8f90-147aa3d56c1a\",\"panelRefName\":\"panel_4\",\"title\":\"Top Invoked Lambda Functions\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"title\":\"Top Throttled Lambda 
Functions\"},\"gridData\":{\"h\":9,\"i\":\"4c8e471c-45da-47be-a866-c5bfc6d28a05\",\"w\":24,\"x\":24,\"y\":24},\"panelIndex\":\"4c8e471c-45da-47be-a866-c5bfc6d28a05\",\"panelRefName\":\"panel_5\",\"title\":\"Top Throttled Lambda Functions\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Metrics AWS] Lambda Overview", - "version": 1 - }, - "id": "aws-7ac8e1d0-28d2-11ea-ba6c-49a884eb104f", - "references": [ - { - "id": "aws-deab0260-2981-11e9-86eb-a3a07a77f530", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "aws-4bf0a740-28d1-11ea-ba6c-49a884eb104f", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "aws-b5308940-7347-11e9-816b-07687310a99a", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "aws-39dfc8d0-28cf-11ea-ba6c-49a884eb104f", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "aws-1f3f00c0-28d1-11ea-ba6c-49a884eb104f", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "aws-915bcd50-28d1-11ea-ba6c-49a884eb104f", - "name": "panel_5", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/dashboard/aws-917a07b0-178e-11ea-8650-fb606deb5be4.json b/packages/aws/0.5.4/kibana/dashboard/aws-917a07b0-178e-11ea-8650-fb606deb5be4.json deleted file mode 100755 index 73448921cd..0000000000 --- a/packages/aws/0.5.4/kibana/dashboard/aws-917a07b0-178e-11ea-8650-fb606deb5be4.json +++ /dev/null 
@@ -1,53 +0,0 @@ -{ - "attributes": { - "description": "Overview of AWS Usage Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"AWS Region Filter\"},\"gridData\":{\"h\":5,\"i\":\"2ea7bd59-d748-4e4a-889d-f7e2ca1cfe36\",\"w\":9,\"x\":0,\"y\":0},\"panelIndex\":\"2ea7bd59-d748-4e4a-889d-f7e2ca1cfe36\",\"panelRefName\":\"panel_0\",\"title\":\"Region Filter\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"title\":\"Usage Resource Count\"},\"gridData\":{\"h\":15,\"i\":\"00c2b1f6-3367-4b6f-ac01-7e48b76c262a\",\"w\":20,\"x\":9,\"y\":0},\"panelIndex\":\"00c2b1f6-3367-4b6f-ac01-7e48b76c262a\",\"panelRefName\":\"panel_1\",\"title\":\"Usage Resource Count\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"title\":\"Usage API Call Count\"},\"gridData\":{\"h\":15,\"i\":\"fecfe5d4-ef1c-4f38-954a-a2506d72bc5b\",\"w\":18,\"x\":30,\"y\":0},\"panelIndex\":\"fecfe5d4-ef1c-4f38-954a-a2506d72bc5b\",\"panelRefName\":\"panel_2\",\"title\":\"Usage API Call Count\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"title\":\"AWS Account Filter\"},\"gridData\":{\"h\":5,\"i\":\"69ce7461-36ad-4e7c-b541-c6a1601bf089\",\"w\":9,\"x\":0,\"y\":5},\"panelIndex\":\"69ce7461-36ad-4e7c-b541-c6a1601bf089\",\"panelRefName\":\"panel_3\",\"title\":\"AWS Account Filter\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"title\":\"AWS Service Filter\"},\"gridData\":{\"h\":5,\"i\":\"62e86407-6ae3-47d3-9136-dd61bdf3267a\",\"w\":9,\"x\":0,\"y\":10},\"panelIndex\":\"62e86407-6ae3-47d3-9136-dd61bdf3267a\",\"panelRefName\":\"panel_4\",\"title\":\"AWS Service Filter\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"title\":\"Usage Resource Count Per 
Service\"},\"gridData\":{\"h\":10,\"i\":\"196a044c-5c20-4417-8aa0-f60fc502e46c\",\"w\":48,\"x\":0,\"y\":15},\"panelIndex\":\"196a044c-5c20-4417-8aa0-f60fc502e46c\",\"panelRefName\":\"panel_5\",\"title\":\"Usage Resource Count Per Service\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"title\":\"Usage API Call Count Per Service\"},\"gridData\":{\"h\":12,\"i\":\"022941b7-01a1-4570-86e9-d03451d4e102\",\"w\":48,\"x\":0,\"y\":25},\"panelIndex\":\"022941b7-01a1-4570-86e9-d03451d4e102\",\"panelRefName\":\"panel_6\",\"title\":\"Usage API Call Count Per Service\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Metrics AWS] Usage Overview", - "version": 1 - }, - "id": "aws-917a07b0-178e-11ea-8650-fb606deb5be4", - "references": [ - { - "id": "aws-b5308940-7347-11e9-816b-07687310a99a", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "aws-9202d1a0-178c-11ea-8650-fb606deb5be4", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "aws-681aab60-178c-11ea-8650-fb606deb5be4", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "aws-deab0260-2981-11e9-86eb-a3a07a77f530", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "aws-2929edb0-178e-11ea-8650-fb606deb5be4", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "aws-59e2e110-178d-11ea-8650-fb606deb5be4", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "aws-75ebfda0-1789-11ea-8650-fb606deb5be4", - "name": "panel_6", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/dashboard/aws-9c09cd20-7399-11ea-a345-f985c61fe654.json b/packages/aws/0.5.4/kibana/dashboard/aws-9c09cd20-7399-11ea-a345-f985c61fe654.json deleted file mode 100755 index e7789ed5d3..0000000000 --- a/packages/aws/0.5.4/kibana/dashboard/aws-9c09cd20-7399-11ea-a345-f985c61fe654.json +++ /dev/null 
@@ -1,58 +0,0 @@ -{ - "attributes": { - "description": "Summary of events from AWS CloudTrail.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"hiddenLayers\":[],\"isLayerTOCOpen\":false,\"mapCenter\":{\"lat\":17.90562,\"lon\":-12.20429,\"zoom\":0.97},\"openTOCDetails\":[]},\"gridData\":{\"h\":15,\"i\":\"85d26d9a-2a71-4b98-a026-5f513094d6e5\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"85d26d9a-2a71-4b98-a026-5f513094d6e5\",\"panelRefName\":\"panel_0\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"colors\":{\"failure\":\"#E24D42\"},\"vis\":{\"colors\":{\"failure\":\"#E24D42\",\"success\":\"#629E51\"}}},\"gridData\":{\"h\":15,\"i\":\"6b3eff90-3071-451e-a827-ca569e0ac10b\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"6b3eff90-3071-451e-a827-ca569e0ac10b\",\"panelRefName\":\"panel_1\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":13,\"i\":\"952e456a-e9ae-4606-b838-e16019375336\",\"w\":12,\"x\":0,\"y\":15},\"panelIndex\":\"952e456a-e9ae-4606-b838-e16019375336\",\"panelRefName\":\"panel_2\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":13,\"i\":\"802ad09d-5883-4e41-99ac-6c356144d24d\",\"w\":12,\"x\":12,\"y\":15},\"panelIndex\":\"802ad09d-5883-4e41-99ac-6c356144d24d\",\"panelRefName\":\"panel_3\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":13,\"i\":\"3e617d87-3acf-4203-b03b-c907c9145fce\",\"w\":12,\"x\":24,\"y\":15},\"panelIndex\":\"3e617d87-3acf-4203-b03b-c907c9145fce\",\"panelRefName\":\"panel_4\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":13,\"i\":\"d6f03440-c717-4f5e-928c-72ae9d450318\",\"w\":12,\"x\":36,\"y\":15},\"panelIndex\":\"d6f03440-c717-4f5e-928c-72ae9d450318\",\"panelRefName\":\"panel_5\",\"version\":\"8.0.0-SNAPSHOT\"},{\"emb
eddableConfig\":{},\"gridData\":{\"h\":13,\"i\":\"2b82a2c9-3809-447c-8e95-52125acccb42\",\"w\":30,\"x\":0,\"y\":28},\"panelIndex\":\"2b82a2c9-3809-447c-8e95-52125acccb42\",\"panelRefName\":\"panel_6\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":13,\"i\":\"40f0a89b-7ce5-498f-a0f0-5c7edf7f8b50\",\"w\":18,\"x\":30,\"y\":28},\"panelIndex\":\"40f0a89b-7ce5-498f-a0f0-5c7edf7f8b50\",\"panelRefName\":\"panel_7\",\"version\":\"8.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Logs AWS] CloudTrail", - "version": 1 - }, - "id": "aws-9c09cd20-7399-11ea-a345-f985c61fe654", - "references": [ - { - "id": "aws-dae24080-739a-11ea-a345-f985c61fe654", - "name": "panel_0", - "type": "map" - }, - { - "id": "aws-4c23e4c0-739a-11ea-a345-f985c61fe654", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "aws-396089c0-7399-11ea-a345-f985c61fe654", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "aws-0f056420-739e-11ea-a345-f985c61fe654", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "aws-7bca4f50-739c-11ea-a345-f985c61fe654", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "aws-f8b63860-739e-11ea-a345-f985c61fe654", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "aws-30ccde50-7397-11ea-a345-f985c61fe654", - "name": "panel_6", - "type": "search" - }, - { - "id": "aws-8ec43590-739b-11ea-a345-f985c61fe654", - "name": "panel_7", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/dashboard/aws-a096b830-4762-11e9-8062-c98a86cb6f94.json b/packages/aws/0.5.4/kibana/dashboard/aws-a096b830-4762-11e9-8062-c98a86cb6f94.json deleted file mode 100755 index b90a0dc88b..0000000000 --- a/packages/aws/0.5.4/kibana/dashboard/aws-a096b830-4762-11e9-8062-c98a86cb6f94.json +++ /dev/null 
@@ -1,59 +0,0 @@ -{ - "attributes": { - "description": "Overview of AWS S3 Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"S3 Daily Storage Bucket Size in Bytes\"},\"gridData\":{\"h\":7,\"i\":\"1\",\"w\":24,\"x\":0,\"y\":6},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"title\":\"S3 Daily Storage Bucket Size in Bytes\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"S3 Daily Storage Number of Objects\"},\"gridData\":{\"h\":7,\"i\":\"2\",\"w\":24,\"x\":24,\"y\":6},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"title\":\"S3 Daily Storage Number of Objects\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"S3 Request Latency Total Request in ms\"},\"gridData\":{\"h\":7,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":13},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"title\":\"S3 Request Latency Total Request in ms\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"S3 Total Error 4xx\"},\"gridData\":{\"h\":6,\"i\":\"4\",\"w\":13,\"x\":24,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"title\":\"S3 Total Error 4xx\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"S3 Total Error 5xx\"},\"gridData\":{\"h\":6,\"i\":\"5\",\"w\":11,\"x\":37,\"y\":0},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"title\":\"S3 Total Error 5xx\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"S3 Filters\"},\"gridData\":{\"h\":6,\"i\":\"6\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"title\":\"S3 Filters\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"S3 Total Requests\"},\"gridData\":{\"h\":7,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":13},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"title\":\"S3 Total Requests\",\"version\":\"7.7.0\"}]", - "refreshInterval": { - 
"pause": true, - "value": 0 - }, - "timeFrom": "now-1d", - "timeRestore": true, - "timeTo": "now", - "title": "[Metrics AWS] S3 Overview", - "version": 1 - }, - "id": "aws-a096b830-4762-11e9-8062-c98a86cb6f94", - "references": [ - { - "id": "aws-2dbb8f90-4760-11e9-8062-c98a86cb6f94", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "aws-3a3914d0-4761-11e9-8062-c98a86cb6f94", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "aws-2b2d58b0-4762-11e9-8062-c98a86cb6f94", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "aws-81d83c70-4762-11e9-8062-c98a86cb6f94", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "aws-8b34a100-4762-11e9-8062-c98a86cb6f94", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "aws-6e3285d0-4763-11e9-8062-c98a86cb6f94", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "aws-d186fd50-4763-11e9-8062-c98a86cb6f94", - "name": "panel_6", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/dashboard/aws-c2b1cbc0-6891-11ea-b0ac-95d4ecb1fecd.json b/packages/aws/0.5.4/kibana/dashboard/aws-c2b1cbc0-6891-11ea-b0ac-95d4ecb1fecd.json deleted file mode 100755 index 92b909835c..0000000000 --- a/packages/aws/0.5.4/kibana/dashboard/aws-c2b1cbc0-6891-11ea-b0ac-95d4ecb1fecd.json +++ /dev/null 
@@ -1,83 +0,0 @@ -{ - "attributes": { - "description": "Overview of AWS NAT Gateway Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"Filters\"},\"gridData\":{\"h\":11,\"i\":\"346ce7bf-e1af-4e0d-856b-5aa412903167\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"346ce7bf-e1af-4e0d-856b-5aa412903167\",\"panelRefName\":\"panel_0\",\"title\":\"Filters\",\"version\":\"7.6.1\"},{\"embeddableConfig\":{\"title\":\"Error Port Allocation\"},\"gridData\":{\"h\":11,\"i\":\"19a9f053-a548-4e9d-a257-45932c3b73a5\",\"w\":8,\"x\":7,\"y\":0},\"panelIndex\":\"19a9f053-a548-4e9d-a257-45932c3b73a5\",\"panelRefName\":\"panel_1\",\"title\":\"Error Port Allocation\",\"version\":\"7.6.1\"},{\"embeddableConfig\":{\"title\":\"Packets Drop\"},\"gridData\":{\"h\":11,\"i\":\"a7a70775-f4ad-4323-b13c-9c9a3bf1bdf3\",\"w\":8,\"x\":15,\"y\":0},\"panelIndex\":\"a7a70775-f4ad-4323-b13c-9c9a3bf1bdf3\",\"panelRefName\":\"panel_2\",\"title\":\"Packets Drop\",\"version\":\"7.6.1\"},{\"embeddableConfig\":{\"title\":\"Total Connection Established\"},\"gridData\":{\"h\":11,\"i\":\"b5fe853e-d5b0-4918-93ec-8be70f2881a8\",\"w\":8,\"x\":23,\"y\":0},\"panelIndex\":\"b5fe853e-d5b0-4918-93ec-8be70f2881a8\",\"panelRefName\":\"panel_3\",\"title\":\"Total Connection Established\",\"version\":\"7.6.1\"},{\"embeddableConfig\":{\"title\":\"Active Connection Count\"},\"gridData\":{\"h\":11,\"i\":\"33663eae-1bc3-47d4-a9fc-3cd2b43c66ef\",\"w\":17,\"x\":31,\"y\":0},\"panelIndex\":\"33663eae-1bc3-47d4-a9fc-3cd2b43c66ef\",\"panelRefName\":\"panel_4\",\"title\":\"Active Connection Count\",\"version\":\"7.6.1\"},{\"embeddableConfig\":{\"title\":\"Bytes In From 
Destination\"},\"gridData\":{\"h\":13,\"i\":\"4e454740-281a-43b1-92f4-8dd2e37e184f\",\"w\":24,\"x\":0,\"y\":11},\"panelIndex\":\"4e454740-281a-43b1-92f4-8dd2e37e184f\",\"panelRefName\":\"panel_5\",\"title\":\"Bytes In From Destination\",\"version\":\"7.6.1\"},{\"embeddableConfig\":{\"title\":\"Bytes In From Source\"},\"gridData\":{\"h\":13,\"i\":\"f40587a4-47f1-494a-b8b9-33365ce34d2f\",\"w\":24,\"x\":24,\"y\":11},\"panelIndex\":\"f40587a4-47f1-494a-b8b9-33365ce34d2f\",\"panelRefName\":\"panel_6\",\"title\":\"Bytes In From Source\",\"version\":\"7.6.1\"},{\"embeddableConfig\":{\"title\":\"Bytes Out To Destination\"},\"gridData\":{\"h\":13,\"i\":\"00075068-bf27-49e1-8beb-d5572500205b\",\"w\":24,\"x\":0,\"y\":24},\"panelIndex\":\"00075068-bf27-49e1-8beb-d5572500205b\",\"panelRefName\":\"panel_7\",\"title\":\"Bytes Out To Destination\",\"version\":\"7.6.1\"},{\"embeddableConfig\":{\"title\":\"Bytes Out To Source\"},\"gridData\":{\"h\":13,\"i\":\"c95ab156-9118-4c3c-94ee-55b4c9f5589c\",\"w\":24,\"x\":24,\"y\":24},\"panelIndex\":\"c95ab156-9118-4c3c-94ee-55b4c9f5589c\",\"panelRefName\":\"panel_8\",\"title\":\"Bytes Out To Source\",\"version\":\"7.6.1\"},{\"embeddableConfig\":{\"title\":\"Packets In From Destination\"},\"gridData\":{\"h\":13,\"i\":\"f7c6e3f7-419d-43ff-a2bb-d5931371f347\",\"w\":24,\"x\":0,\"y\":37},\"panelIndex\":\"f7c6e3f7-419d-43ff-a2bb-d5931371f347\",\"panelRefName\":\"panel_9\",\"title\":\"Packets In From Destination\",\"version\":\"7.6.1\"},{\"embeddableConfig\":{\"title\":\"Packets In From Source\"},\"gridData\":{\"h\":13,\"i\":\"dcc56438-240a-45a4-81ec-a54be3d27c43\",\"w\":24,\"x\":24,\"y\":37},\"panelIndex\":\"dcc56438-240a-45a4-81ec-a54be3d27c43\",\"panelRefName\":\"panel_10\",\"title\":\"Packets In From Source\",\"version\":\"7.6.1\"},{\"embeddableConfig\":{\"title\":\"Packets Out To 
Destination\"},\"gridData\":{\"h\":13,\"i\":\"db77d690-f343-4dc2-8695-d45a03361e01\",\"w\":24,\"x\":0,\"y\":50},\"panelIndex\":\"db77d690-f343-4dc2-8695-d45a03361e01\",\"panelRefName\":\"panel_11\",\"title\":\"Packets Out To Destination\",\"version\":\"7.6.1\"},{\"embeddableConfig\":{\"title\":\"Packets Out To Source\"},\"gridData\":{\"h\":13,\"i\":\"d882a862-87aa-4169-9dc3-0591252fa736\",\"w\":24,\"x\":24,\"y\":50},\"panelIndex\":\"d882a862-87aa-4169-9dc3-0591252fa736\",\"panelRefName\":\"panel_12\",\"title\":\"Packets Out To Source\",\"version\":\"7.6.1\"}]", - "timeRestore": false, - "title": "[Metrics AWS] NATGateway Overview", - "version": 1 - }, - "id": "aws-c2b1cbc0-6891-11ea-b0ac-95d4ecb1fecd", - "references": [ - { - "id": "aws-8345d580-6891-11ea-b0ac-95d4ecb1fecd", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "aws-ce7445c0-688f-11ea-b0ac-95d4ecb1fecd", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "aws-9bf8e1e0-6890-11ea-b0ac-95d4ecb1fecd", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "aws-68970b10-6890-11ea-b0ac-95d4ecb1fecd", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "aws-c186b610-688d-11ea-b0ac-95d4ecb1fecd", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "aws-b36532e0-688e-11ea-b0ac-95d4ecb1fecd", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "aws-bc5dcc90-688e-11ea-b0ac-95d4ecb1fecd", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "aws-e0e65e60-688e-11ea-b0ac-95d4ecb1fecd", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "aws-c7d6cf90-688e-11ea-b0ac-95d4ecb1fecd", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "aws-bdb8ddd0-6890-11ea-b0ac-95d4ecb1fecd", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "aws-c84ed3d0-6890-11ea-b0ac-95d4ecb1fecd", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "aws-08645080-6891-11ea-b0ac-95d4ecb1fecd", - "name": "panel_11", - 
"type": "visualization" - }, - { - "id": "aws-fd915180-6890-11ea-b0ac-95d4ecb1fecd", - "name": "panel_12", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/dashboard/aws-c5846400-f7fb-11e8-af03-c999c9dea608.json b/packages/aws/0.5.4/kibana/dashboard/aws-c5846400-f7fb-11e8-af03-c999c9dea608.json deleted file mode 100755 index ccb0448429..0000000000 --- a/packages/aws/0.5.4/kibana/dashboard/aws-c5846400-f7fb-11e8-af03-c999c9dea608.json +++ /dev/null 
@@ -1,58 +0,0 @@ -{ - "attributes": { - "description": "Overview of AWS EC2 Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"3\",\"w\":24,\"x\":24,\"y\":27},\"panelIndex\":\"3\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"5\",\"w\":12,\"x\":36,\"y\":0},\"panelIndex\":\"5\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"11\",\"w\":24,\"x\":0,\"y\":42},\"panelIndex\":\"11\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"12\",\"w\":24,\"x\":24,\"y\":42},\"panelIndex\":\"12\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"15\",\"w\":24,\"x\":0,\"y\":27},\"panelIndex\":\"15\",\"panelRefName\":\"panel_4\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"17\",\"w\":48,\"x\":0,\"y\":12},\"panelIndex\":\"17\",\"panelRefName\":\"panel_5\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"18\",\"w\":17,\"x\":0,\"y\":0},\"panelIndex\":\"18\",\"panelRefName\":\"panel_6\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"19\",\"w\":19,\"x\":17,\"y\":0},\"panelIndex\":\"19\",\"panelRefName\":\"panel_7\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Metrics AWS] EC2 Overview", - "version": 1 - }, - "id": "aws-c5846400-f7fb-11e8-af03-c999c9dea608", - "references": [ - { - "id": "aws-fed59380-f7f8-11e8-af03-c999c9dea608", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "aws-9e8c6030-f7f8-11e8-af03-c999c9dea608", - "name": "panel_1", - "type": "visualization" - }, - { 
- "id": "aws-15818fd0-f7f9-11e8-af03-c999c9dea608", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "aws-233b3400-f7f9-11e8-af03-c999c9dea608", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "aws-f1db6ec0-f7f8-11e8-af03-c999c9dea608", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "aws-be8828d0-f7f6-11e8-af03-c999c9dea608", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "aws-deab0260-2981-11e9-86eb-a3a07a77f530", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "aws-09db13f0-2bdd-11e9-9fe1-cde861544141", - "name": "panel_7", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/dashboard/aws-d17b1000-17a4-11ea-8e91-03c7047cbb9d.json b/packages/aws/0.5.4/kibana/dashboard/aws-d17b1000-17a4-11ea-8e91-03c7047cbb9d.json deleted file mode 100755 index ef7c36af8a..0000000000 --- a/packages/aws/0.5.4/kibana/dashboard/aws-d17b1000-17a4-11ea-8e91-03c7047cbb9d.json +++ /dev/null 
@@ -1,78 +0,0 @@ -{ - "attributes": { - "description": "Overview of AWS SNS Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"aws.sns\"},\"type\":\"phrase\",\"value\":\"aws.sns\"},\"query\":{\"match\":{\"data_stream.dataset\":{\"query\":\"aws.sns\",\"type\":\"phrase\"}}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":5,\"i\":\"3b9b0cee-b175-4268-8c5b-4ce869a09caf\",\"w\":9,\"x\":0,\"y\":0},\"panelIndex\":\"3b9b0cee-b175-4268-8c5b-4ce869a09caf\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"title\":\"SNS Messages and Notifications\"},\"gridData\":{\"h\":10,\"i\":\"5f0d72c5-0f28-449f-9c93-3b4074f068f7\",\"w\":39,\"x\":9,\"y\":0},\"panelIndex\":\"5f0d72c5-0f28-449f-9c93-3b4074f068f7\",\"panelRefName\":\"panel_1\",\"title\":\"SNS Messages and Notifications\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":5,\"i\":\"5a9d5f2f-b075-4892-8188-c6e808a1163d\",\"w\":9,\"x\":0,\"y\":5},\"panelIndex\":\"5a9d5f2f-b075-4892-8188-c6e808a1163d\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"title\":\"SNS Publish Size\"},\"gridData\":{\"h\":10,\"i\":\"c6d5a54d-61a4-470b-8769-c5b6d6ab6c0f\",\"w\":16,\"x\":0,\"y\":10},\"panelIndex\":\"c6d5a54d-61a4-470b-8769-c5b6d6ab6c0f\",\"panelRefName\":\"panel_3\",\"title\":\"SNS Publish Size\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"title\":\"SNS Notifications Filtered 
Out\"},\"gridData\":{\"h\":10,\"i\":\"0684c25d-34e8-425e-9069-dd8364e6325b\",\"w\":16,\"x\":16,\"y\":10},\"panelIndex\":\"0684c25d-34e8-425e-9069-dd8364e6325b\",\"panelRefName\":\"panel_4\",\"title\":\"SNS Notifications Filtered Out\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"title\":\"SNS Notifications Filtered Out Invalid Attributes\"},\"gridData\":{\"h\":10,\"i\":\"72e987da-9a49-4dd4-99c4-4acbc49a0e0b\",\"w\":16,\"x\":32,\"y\":10},\"panelIndex\":\"72e987da-9a49-4dd4-99c4-4acbc49a0e0b\",\"panelRefName\":\"panel_5\",\"title\":\"SNS Notifications Filtered Out Invalid Attributes\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"title\":\"SNS Notifications Filtered Out No Message Attributes\"},\"gridData\":{\"h\":10,\"i\":\"923bd4cd-d8fe-47b5-afcf-577bf2c5987c\",\"w\":16,\"x\":0,\"y\":20},\"panelIndex\":\"923bd4cd-d8fe-47b5-afcf-577bf2c5987c\",\"panelRefName\":\"panel_6\",\"title\":\"SNS Notifications Filtered Out No Message Attributes\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"title\":\"SNS Notifications Failed to Redrive to DLQ\"},\"gridData\":{\"h\":10,\"i\":\"f176153f-4588-42f9-a7bb-3015909d5610\",\"w\":16,\"x\":32,\"y\":20},\"panelIndex\":\"f176153f-4588-42f9-a7bb-3015909d5610\",\"panelRefName\":\"panel_7\",\"title\":\"SNS Notifications Failed to Redrive to DLQ\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"title\":\"SNS SMS Success Rate\"},\"gridData\":{\"h\":10,\"i\":\"f3c5915b-6848-4950-afca-53653d13d6af\",\"w\":16,\"x\":0,\"y\":30},\"panelIndex\":\"f3c5915b-6848-4950-afca-53653d13d6af\",\"panelRefName\":\"panel_8\",\"title\":\"SNS SMS Success Rate\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"title\":\"SNS Notifications Redriven To DLQ\"},\"gridData\":{\"h\":10,\"i\":\"3b3cc747-b57c-44e0-a18c-77155072bee4\",\"w\":16,\"x\":16,\"y\":20},\"panelIndex\":\"3b3cc747-b57c-44e0-a18c-77155072bee4\",\"panelRefName\":\"panel_9\",\"title\":\"SNS Notifications Redriven To DLQ\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"title\":\"SNS SMS Month To 
Date Spent USD\"},\"gridData\":{\"h\":10,\"i\":\"ee130150-c1de-465b-8a8e-013f466528bf\",\"w\":16,\"x\":16,\"y\":30},\"panelIndex\":\"ee130150-c1de-465b-8a8e-013f466528bf\",\"panelRefName\":\"panel_10\",\"title\":\"SNS SMS Month To Date Spent USD\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Metrics AWS] SNS Overview", - "version": 1 - }, - "id": "aws-d17b1000-17a4-11ea-8e91-03c7047cbb9d", - "references": [ - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "aws-b5308940-7347-11e9-816b-07687310a99a", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "aws-13e624c0-180e-11ea-8e91-03c7047cbb9d", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "aws-59defc90-17a5-11ea-8e91-03c7047cbb9d", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "aws-6f7f7680-180c-11ea-8e91-03c7047cbb9d", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "aws-bf81e030-180e-11ea-8e91-03c7047cbb9d", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "aws-d19a71b0-180e-11ea-8e91-03c7047cbb9d", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "aws-dffa19e0-180e-11ea-8e91-03c7047cbb9d", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "aws-09857a20-180f-11ea-8e91-03c7047cbb9d", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "aws-abdc7480-180b-11ea-8e91-03c7047cbb9d", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "aws-fc0869c0-180e-11ea-8e91-03c7047cbb9d", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "aws-b7f8bf90-180f-11ea-8e91-03c7047cbb9d", - "name": "panel_10", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file 
diff --git a/packages/aws/0.5.4/kibana/dashboard/aws-e6776b10-1534-11ea-841c-01bf20a6c8ba.json b/packages/aws/0.5.4/kibana/dashboard/aws-e6776b10-1534-11ea-841c-01bf20a6c8ba.json deleted file mode 100755 index 0495d3ff88..0000000000 --- a/packages/aws/0.5.4/kibana/dashboard/aws-e6776b10-1534-11ea-841c-01bf20a6c8ba.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "description": "Overview of AWS Billing Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"AWS Account Filter\"},\"gridData\":{\"h\":5,\"i\":\"89dccfe8-a25e-44ea-afdb-ff01ab1f05d6\",\"w\":16,\"x\":0,\"y\":0},\"panelIndex\":\"89dccfe8-a25e-44ea-afdb-ff01ab1f05d6\",\"panelRefName\":\"panel_0\",\"title\":\"AWS Account Filter\",\"version\":\"7.4.0\"},{\"embeddableConfig\":{\"title\":\"Estimated Billing Chart\"},\"gridData\":{\"h\":16,\"i\":\"26670498-b079-4447-bbc8-e4ca8215898c\",\"w\":32,\"x\":16,\"y\":0},\"panelIndex\":\"26670498-b079-4447-bbc8-e4ca8215898c\",\"panelRefName\":\"panel_1\",\"title\":\"Estimated Billing Chart\",\"version\":\"7.4.0\"},{\"embeddableConfig\":{\"title\":\"Total Estimated Charges\"},\"gridData\":{\"h\":11,\"i\":\"221aab02-2747-4d84-9dde-028ccd51bdce\",\"w\":16,\"x\":0,\"y\":5},\"panelIndex\":\"221aab02-2747-4d84-9dde-028ccd51bdce\",\"panelRefName\":\"panel_2\",\"title\":\"Total Estimated Charges\",\"version\":\"7.4.0\"},{\"embeddableConfig\":{\"title\":\"Top 10 Estimated Billing Per Service Name\"},\"gridData\":{\"h\":15,\"i\":\"21e91e6b-0ff0-42ba-9132-6f30c5c6bbb7\",\"w\":48,\"x\":0,\"y\":16},\"panelIndex\":\"21e91e6b-0ff0-42ba-9132-6f30c5c6bbb7\",\"panelRefName\":\"panel_3\",\"title\":\"Top 10 Estimated Billing Per Service Name\",\"version\":\"7.4.0\"}]", - "timeRestore": false, - "title": "[Metrics AWS] Billing Overview", - "version": 1 - }, - "id": "aws-e6776b10-1534-11ea-841c-01bf20a6c8ba", - "references": [ - { - "id": "aws-deab0260-2981-11e9-86eb-a3a07a77f530", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "aws-749cd470-1530-11ea-841c-01bf20a6c8ba", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "aws-83f08eb0-1532-11ea-841c-01bf20a6c8ba", - "name": 
"panel_2", - "type": "visualization" - }, - { - "id": "aws-31a4ea90-152b-11ea-841c-01bf20a6c8ba", - "name": "panel_3", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/dashboard/aws-e74bf320-b3ce-11e9-87a4-078dbbae220d.json b/packages/aws/0.5.4/kibana/dashboard/aws-e74bf320-b3ce-11e9-87a4-078dbbae220d.json deleted file mode 100755 index fa04f7c93c..0000000000 --- a/packages/aws/0.5.4/kibana/dashboard/aws-e74bf320-b3ce-11e9-87a4-078dbbae220d.json +++ /dev/null 
@@ -1,63 +0,0 @@ -{ - "attributes": { - "description": "Overview of AWS ELB Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":9,\"i\":\"2\",\"w\":25,\"x\":23,\"y\":32},\"panelIndex\":\"2\",\"panelRefName\":\"panel_0\",\"title\":\"HTTP 5XX Errors\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":11,\"i\":\"3\",\"w\":37,\"x\":11,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_1\",\"title\":\"Request Count\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"4\",\"w\":11,\"x\":0,\"y\":15},\"panelIndex\":\"4\",\"panelRefName\":\"panel_2\",\"title\":\"Unhealthy Host Count\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"5\",\"w\":11,\"x\":0,\"y\":7},\"panelIndex\":\"5\",\"panelRefName\":\"panel_3\",\"title\":\"Healthy Host Count\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"6\",\"w\":37,\"x\":11,\"y\":11},\"panelIndex\":\"6\",\"panelRefName\":\"panel_4\",\"title\":\"Latency in Seconds\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":9,\"i\":\"7\",\"w\":23,\"x\":0,\"y\":32},\"panelIndex\":\"7\",\"panelRefName\":\"panel_5\",\"title\":\"HTTP Backend 4XX Errors\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":9,\"i\":\"8\",\"w\":23,\"x\":0,\"y\":23},\"panelIndex\":\"8\",\"panelRefName\":\"panel_6\",\"title\":\"Backend Connection Errors\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":7,\"i\":\"9\",\"w\":11,\"x\":0,\"y\":0},\"panelIndex\":\"9\",\"panelRefName\":\"panel_7\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":9,\"i\":\"10\",\"w\":25,\"x\":23,\"y\":23},\"panelIndex\":\"10\",\"panelRefName\":\"panel_8\",\"title\":\"HTTP Backend 
2XX\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Metrics AWS] ELB Overview", - "version": 1 - }, - "id": "aws-e74bf320-b3ce-11e9-87a4-078dbbae220d", - "references": [ - { - "id": "aws-b9703dd0-b3c9-11e9-87a4-078dbbae220d", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "aws-d560de70-b3c7-11e9-87a4-078dbbae220d", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "aws-6fc1efd0-b3c9-11e9-87a4-078dbbae220d", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "aws-6392bc30-b3c9-11e9-87a4-078dbbae220d", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "aws-b2ea15a0-b3c7-11e9-87a4-078dbbae220d", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "aws-21f30090-b3ca-11e9-87a4-078dbbae220d", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "aws-572d40e0-b3ca-11e9-87a4-078dbbae220d", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "aws-b5308940-7347-11e9-816b-07687310a99a", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "aws-1f528f50-b3ce-11e9-87a4-078dbbae220d", - "name": "panel_8", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/dashboard/aws-fac28650-7349-11e9-816b-07687310a99a.json b/packages/aws/0.5.4/kibana/dashboard/aws-fac28650-7349-11e9-816b-07687310a99a.json deleted file mode 100755 index e0f0fd8a36..0000000000 --- a/packages/aws/0.5.4/kibana/dashboard/aws-fac28650-7349-11e9-816b-07687310a99a.json +++ /dev/null 
@@ -1,93 +0,0 @@ -{ - "attributes": { - "description": "Overview of AWS Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":7,\"i\":\"2\",\"w\":9,\"x\":0,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":7,\"i\":\"3\",\"w\":10,\"x\":9,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":7,\"i\":\"4\",\"w\":29,\"x\":19,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":7,\"i\":\"6\",\"w\":9,\"x\":0,\"y\":7},\"panelIndex\":\"6\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":7,\"i\":\"7\",\"w\":9,\"x\":9,\"y\":7},\"panelIndex\":\"7\",\"panelRefName\":\"panel_4\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":7,\"i\":\"9\",\"w\":15,\"x\":18,\"y\":7},\"panelIndex\":\"9\",\"panelRefName\":\"panel_5\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":7,\"i\":\"10\",\"w\":15,\"x\":33,\"y\":7},\"panelIndex\":\"10\",\"panelRefName\":\"panel_6\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":7,\"i\":\"12\",\"w\":13,\"x\":0,\"y\":14},\"panelIndex\":\"12\",\"panelRefName\":\"panel_7\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":7,\"i\":\"14\",\"w\":20,\"x\":13,\"y\":14},\"panelIndex\":\"14\",\"panelRefName\":\"panel_8\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":7,\"i\":\"15\",\"w\":15,\"x\":33,\"y\":14},\"panelIndex\":\"15\",\"panelRefName\":\"panel_9\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":7,\"i\":\"17\",\"w\":16,\"x\":15,\"y\":21},\"panelIndex\"
:\"17\",\"panelRefName\":\"panel_10\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":7,\"i\":\"18\",\"w\":15,\"x\":0,\"y\":21},\"panelIndex\":\"18\",\"panelRefName\":\"panel_11\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":7,\"i\":\"19\",\"w\":17,\"x\":31,\"y\":21},\"panelIndex\":\"19\",\"panelRefName\":\"panel_12\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":9,\"i\":\"24\",\"w\":24,\"x\":0,\"y\":28},\"panelIndex\":\"24\",\"panelRefName\":\"panel_13\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":9,\"i\":\"25\",\"w\":24,\"x\":24,\"y\":28},\"panelIndex\":\"25\",\"panelRefName\":\"panel_14\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Metrics AWS] Overview", - "version": 1 - }, - "id": "aws-fac28650-7349-11e9-816b-07687310a99a", - "references": [ - { - "id": "aws-b5308940-7347-11e9-816b-07687310a99a", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "aws-09db13f0-2bdd-11e9-9fe1-cde861544141", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "aws-be8828d0-f7f6-11e8-af03-c999c9dea608", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "aws-81d83c70-4762-11e9-8062-c98a86cb6f94", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "aws-58e17c10-7349-11e9-816b-07687310a99a", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "aws-4658f540-734a-11e9-816b-07687310a99a", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "aws-95b322f0-734a-11e9-816b-07687310a99a", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "aws-b2191dd0-734c-11e9-816b-07687310a99a", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "aws-42016bf0-728f-11e9-9a7b-4d62d5bcf4fc", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "aws-9121ac90-734d-11e9-816b-07687310a99a", - "name": "panel_9", - "type": "visualization" - }, - { - "id": 
"aws-128fd450-734e-11e9-816b-07687310a99a", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "aws-54e88a40-734e-11e9-816b-07687310a99a", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "aws-398d12d0-7352-11e9-816b-07687310a99a", - "name": "panel_12", - "type": "visualization" - }, - { - "id": "aws-4bf62a10-8310-11e9-ac83-47df3568ff90", - "name": "panel_13", - "type": "visualization" - }, - { - "id": "aws-d2f46190-830f-11e9-ac83-47df3568ff90", - "name": "panel_14", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/map/aws-0edf0640-3e7e-11ea-bb0a-69c3ca1d410f.json b/packages/aws/0.5.4/kibana/map/aws-0edf0640-3e7e-11ea-bb0a-69c3ca1d410f.json deleted file mode 100755 index 10566d8413..0000000000 --- a/packages/aws/0.5.4/kibana/map/aws-0edf0640-3e7e-11ea-bb0a-69c3ca1d410f.json +++ /dev/null 
@@ -1,45 +0,0 @@ -{ - "attributes": { - "bounds": { - "coordinates": [ - [ - [ - -14.38966, - 60.11526 - ], - [ - -14.38966, - 39.61205 - ], - [ - 41.72167, - 39.61205 - ], - [ - 41.72167, - 60.11526 - ], - [ - -14.38966, - 60.11526 - ] - ] - ], - "type": "Polygon" - }, - "description": "", - "layerListJSON": "[{\"alpha\":1,\"id\":\"19047c4c-18d7-4aec-b0ce-98de2828244d\",\"label\":\"Hits\",\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"isAutoSelect\":true,\"type\":\"EMS_TMS\"},\"style\":{},\"type\":\"VECTOR_TILE\",\"visible\":true},{\"alpha\":0.75,\"id\":\"1d457cd4-01be-4f96-95fd-af4ac535ebea\",\"label\":null,\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"applyGlobalQuery\":true,\"geoField\":\"source.geo.location\",\"id\":\"1e82f50f-424a-4718-905b-ad45db14db62\",\"indexPatternRefName\":\"layer_1_source_index_pattern\",\"requestType\":\"point\",\"resolution\":\"COARSE\",\"type\":\"ES_GEO_GRID\"},\"style\":{\"properties\":{\"fillColor\":{\"options\":{\"color\":\"Blues\",\"field\":{\"label\":\"count\",\"name\":\"doc_count\",\"origin\":\"source\"},\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3}},\"type\":\"DYNAMIC\"},\"icon\":{\"options\":{\"value\":\"airfield\"},\"type\":\"STATIC\"},\"iconOrientation\":{\"options\":{\"orientation\":0},\"type\":\"STATIC\"},\"iconSize\":{\"options\":{\"field\":{\"label\":\"count\",\"name\":\"doc_count\",\"origin\":\"source\"},\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3},\"maxSize\":32,\"minSize\":4},\"type\":\"DYNAMIC\"},\"lineColor\":{\"options\":{\"color\":\"#167a6d\"},\"type\":\"STATIC\"},\"lineWidth\":{\"options\":{\"size\":1},\"type\":\"STATIC\"},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}}},\"type\":\"VECTOR\"},\"type\":\"VECTOR\",\"visible\":true}]", - "mapStateJSON": 
"{\"center\":{\"lat\":50.97903,\"lon\":13.666},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"aws.elb_logs\"},\"type\":\"phrase\",\"value\":\"elb\"},\"query\":{\"match\":{\"data_stream.dataset\":{\"query\":\"aws.elb_logs\",\"type\":\"phrase\"}}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"refreshConfig\":{\"interval\":0,\"isPaused\":false},\"timeFilters\":{\"from\":\"now-15m\",\"to\":\"now\"},\"zoom\":3.9}", - "title": "ELB Requests Geolocation [Logs AWS]", - "uiStateJSON": "{\"isLayerTOCOpen\":true,\"openTOCDetails\":[]}" - }, - "id": "aws-0edf0640-3e7e-11ea-bb0a-69c3ca1d410f", - "references": [ - { - "id": "logs-*", - "name": "layer_1_source_index_pattern", - "type": "index-pattern" - } - ], - "type": "map" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/map/aws-513a3d70-4482-11ea-ad63-791a5dc86f10.json b/packages/aws/0.5.4/kibana/map/aws-513a3d70-4482-11ea-ad63-791a5dc86f10.json deleted file mode 100755 index 4e4139e0d4..0000000000 --- a/packages/aws/0.5.4/kibana/map/aws-513a3d70-4482-11ea-ad63-791a5dc86f10.json +++ /dev/null 
@@ -1,50 +0,0 @@ -{ - "attributes": { - "bounds": { - "coordinates": [ - [ - [ - -180, - 85.05113 - ], - [ - -180, - -85.05113 - ], - [ - 180, - -85.05113 - ], - [ - 180, - 85.05113 - ], - [ - -180, - 85.05113 - ] - ] - ], - "type": "Polygon" - }, - "description": "", - "layerListJSON": "[{\"alpha\":1,\"id\":\"842c201e-96d7-413d-8688-de5ee4f8a1e0\",\"label\":null,\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"isAutoSelect\":true,\"type\":\"EMS_TMS\"},\"style\":{},\"type\":\"VECTOR_TILE\",\"visible\":true},{\"alpha\":0.75,\"id\":\"401944dd-a371-4698-be17-bc4542e9a5d4\",\"label\":\"vpc flow action accept\",\"maxZoom\":24,\"minZoom\":0,\"query\":{\"language\":\"kuery\",\"query\":\"aws.vpcflow.action : \\\"ACCEPT\\\" \"},\"sourceDescriptor\":{\"applyGlobalQuery\":true,\"filterByMapBounds\":true,\"geoField\":\"destination.geo.location\",\"id\":\"97903038-e08d-4451-bbd2-eb92c894bdf5\",\"indexPatternRefName\":\"layer_1_source_index_pattern\",\"scalingType\":\"LIMIT\",\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\",\"tooltipProperties\":[],\"topHitsSize\":1,\"type\":\"ES_SEARCH\"},\"style\":{\"properties\":{\"fillColor\":{\"options\":{\"color\":\"#1EA593\"},\"type\":\"STATIC\"},\"icon\":{\"options\":{\"value\":\"airfield\"},\"type\":\"STATIC\"},\"iconOrientation\":{\"options\":{\"orientation\":0},\"type\":\"STATIC\"},\"iconSize\":{\"options\":{\"size\":5},\"type\":\"STATIC\"},\"lineColor\":{\"options\":{\"color\":\"#167a6d\"},\"type\":\"STATIC\"},\"lineWidth\":{\"options\":{\"size\":1},\"type\":\"STATIC\"},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}}},\"type\":\"VECTOR\"},\"type\":\"VECTOR\",\"visible\":true},{\"alpha\":0.75,\"id\":\"b1d44a5c-3a04-4c80-8080-57585b02fd48\",\"label\":\"vpc flow action reject\",\"maxZoom\":24,\"minZoom\":0,\"query\":{\"language\":\"kuery\",\"query\":\"aws.vpcflow.action : \\\"REJECT\\\" 
\"},\"sourceDescriptor\":{\"applyGlobalQuery\":true,\"filterByMapBounds\":true,\"geoField\":\"source.geo.location\",\"id\":\"9c0e7cce-4f21-4bcd-bb50-ae36c0fffffb\",\"indexPatternRefName\":\"layer_2_source_index_pattern\",\"scalingType\":\"LIMIT\",\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\",\"tooltipProperties\":[],\"topHitsSize\":1,\"type\":\"ES_SEARCH\"},\"style\":{\"properties\":{\"fillColor\":{\"options\":{\"color\":\"#f00f0b\"},\"type\":\"STATIC\"},\"icon\":{\"options\":{\"value\":\"airfield\"},\"type\":\"STATIC\"},\"iconOrientation\":{\"options\":{\"orientation\":0},\"type\":\"STATIC\"},\"iconSize\":{\"options\":{\"size\":5},\"type\":\"STATIC\"},\"lineColor\":{\"options\":{\"color\":\"#7a1a18\"},\"type\":\"STATIC\"},\"lineWidth\":{\"options\":{\"size\":1},\"type\":\"STATIC\"},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}}},\"type\":\"VECTOR\"},\"type\":\"VECTOR\",\"visible\":true}]", - "mapStateJSON": "{\"center\":{\"lat\":0,\"lon\":-108.92402},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"refreshConfig\":{\"interval\":0,\"isPaused\":false},\"timeFilters\":{\"from\":\"now-15d\",\"to\":\"now\"},\"zoom\":0.47}", - "title": "VPC Flow Action Geo Location[Logs AWS]", - "uiStateJSON": "{\"isLayerTOCOpen\":false,\"openTOCDetails\":[]}" - }, - "id": "aws-513a3d70-4482-11ea-ad63-791a5dc86f10", - "references": [ - { - "id": "logs-*", - "name": "layer_1_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "layer_2_source_index_pattern", - "type": "index-pattern" - } - ], - "type": "map" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/map/aws-dae24080-739a-11ea-a345-f985c61fe654.json b/packages/aws/0.5.4/kibana/map/aws-dae24080-739a-11ea-a345-f985c61fe654.json deleted file mode 100755 index 077ff70859..0000000000 --- a/packages/aws/0.5.4/kibana/map/aws-dae24080-739a-11ea-a345-f985c61fe654.json +++ /dev/null 
@@ -1,45 +0,0 @@ -{ - "attributes": { - "bounds": { - "coordinates": [ - [ - [ - -180, - 74.14342 - ], - [ - -180, - -58.35006 - ], - [ - 180, - -58.35006 - ], - [ - 180, - 74.14342 - ], - [ - -180, - 74.14342 - ] - ] - ], - "type": "Polygon" - }, - "description": "", - "layerListJSON": "[{\"alpha\":1,\"id\":\"2c7b49fb-3fb5-4e18-b27f-fabe930971f3\",\"label\":null,\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"isAutoSelect\":true,\"type\":\"EMS_TMS\"},\"style\":{},\"type\":\"VECTOR_TILE\",\"visible\":true},{\"alpha\":0.75,\"id\":\"a10fa758-30ad-4e2a-bf9d-472e133a7f17\",\"joins\":[],\"label\":\"CloudTrail Soure Location\",\"maxZoom\":24,\"minZoom\":0,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:aws.cloudtrail\"},\"sourceDescriptor\":{\"applyGlobalQuery\":true,\"filterByMapBounds\":true,\"geoField\":\"source.geo.location\",\"id\":\"7bfe2df9-9398-4f1a-8cf7-b57aa5f3f31e\",\"indexPatternRefName\":\"layer_1_source_index_pattern\",\"scalingType\":\"LIMIT\",\"sortField\":\"\",\"sortOrder\":\"desc\",\"tooltipProperties\":[],\"topHitsSize\":1,\"type\":\"ES_SEARCH\"},\"style\":{\"isTimeAware\":true,\"properties\":{\"fillColor\":{\"options\":{\"color\":\"#54B399\"},\"type\":\"STATIC\"},\"icon\":{\"options\":{\"value\":\"marker\"},\"type\":\"STATIC\"},\"iconOrientation\":{\"options\":{\"orientation\":0},\"type\":\"STATIC\"},\"iconSize\":{\"options\":{\"size\":6},\"type\":\"STATIC\"},\"labelBorderColor\":{\"options\":{\"color\":\"#FFFFFF\"},\"type\":\"STATIC\"},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}},\"labelColor\":{\"options\":{\"color\":\"#000000\"},\"type\":\"STATIC\"},\"labelSize\":{\"options\":{\"size\":14},\"type\":\"STATIC\"},\"labelText\":{\"options\":{\"value\":\"\"},\"type\":\"STATIC\"},\"lineColor\":{\"options\":{\"color\":\"#41937c\"},\"type\":\"STATIC\"},\"lineWidth\":{\"options\":{\"size\":1},\"type\":\"STATIC\"},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}}},\"type\":\"VECTOR\"},\"type\":\"VECTOR\",\"visible\":true}]"
, - "mapStateJSON": "{\"center\":{\"lat\":19.94277,\"lon\":0},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"refreshConfig\":{\"interval\":0,\"isPaused\":false},\"timeFilters\":{\"from\":\"now-15m\",\"to\":\"now\"},\"zoom\":1.97}", - "title": "CloudTrail Source Location [Logs AWS]", - "uiStateJSON": "{\"isLayerTOCOpen\":true,\"openTOCDetails\":[]}" - }, - "id": "aws-dae24080-739a-11ea-a345-f985c61fe654", - "references": [ - { - "id": "logs-*", - "name": "layer_1_source_index_pattern", - "type": "index-pattern" - } - ], - "type": "map" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/search/aws-30ccde50-7397-11ea-a345-f985c61fe654.json b/packages/aws/0.5.4/kibana/search/aws-30ccde50-7397-11ea-a345-f985c61fe654.json deleted file mode 100755 index 7e2af6a998..0000000000 --- a/packages/aws/0.5.4/kibana/search/aws-30ccde50-7397-11ea-a345-f985c61fe654.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.id", - "event.provider", - "aws.cloudtrail.event_type", - "event.action", - "event.outcome", - "source.address", - "source.geo.region_name" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"aws.cloudtrail\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"aws.cloudtrail\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [], - "title": "CloudTrail Events [Logs AWS]", - "version": 1 - }, - "id": "aws-30ccde50-7397-11ea-a345-f985c61fe654", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/search/aws-5e5a3c90-bac0-11e9-9f70-1f7bda85a5eb.json b/packages/aws/0.5.4/kibana/search/aws-5e5a3c90-bac0-11e9-9f70-1f7bda85a5eb.json deleted file mode 100755 index 1d282af030..0000000000 --- a/packages/aws/0.5.4/kibana/search/aws-5e5a3c90-bac0-11e9-9f70-1f7bda85a5eb.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "attributes": { - "columns": [ - "aws.s3access.http_status", - "aws.s3access.error_code", - "aws.s3access.operation", - "aws.s3access.request_uri" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"aws.s3access.http_status\",\"negate\":true,\"params\":{\"query\":\"200\"},\"type\":\"phrase\",\"value\":\"200\"},\"query\":{\"match\":{\"aws.s3access.http_status\":{\"query\":\"200\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"aws.s3access\"},\"type\":\"phrase\",\"value\":\"s3access\"},\"query\":{\"match\":{\"data_stream.dataset\":{\"query\":\"aws.s3access\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Error Logs [Logs AWS]", - "version": 1 - }, - "id": "aws-5e5a3c90-bac0-11e9-9f70-1f7bda85a5eb", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file 
diff --git a/packages/aws/0.5.4/kibana/search/aws-c1aee600-4487-11ea-ad63-791a5dc86f10.json b/packages/aws/0.5.4/kibana/search/aws-c1aee600-4487-11ea-ad63-791a5dc86f10.json deleted file mode 100755 index 15275ae7cd..0000000000 --- a/packages/aws/0.5.4/kibana/search/aws-c1aee600-4487-11ea-ad63-791a5dc86f10.json +++ /dev/null 
@@ -1,41 +0,0 @@ -{ - "attributes": { - "columns": [ - "source.ip", - "source.port", - "event.original" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"aws.vpcflow\"},\"type\":\"phrase\",\"value\":\"vpcflow\"},\"query\":{\"match\":{\"data_stream.dataset\":{\"query\":\"aws.vpcflow\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"aws.vpcflow.action\",\"negate\":false,\"params\":{\"query\":\"REJECT\"},\"type\":\"phrase\",\"value\":\"REJECT\"},\"query\":{\"match\":{\"aws.vpcflow.action\":{\"query\":\"REJECT\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "VPC Flow Reject Logs [Logs AWS]", - "version": 1 - }, - "id": "aws-c1aee600-4487-11ea-ad63-791a5dc86f10", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-007ceec0-694c-11ea-b0ac-95d4ecb1fecd.json b/packages/aws/0.5.4/kibana/visualization/aws-007ceec0-694c-11ea-b0ac-95d4ecb1fecd.json deleted file mode 100755 index 0537c808aa..0000000000 
--- a/packages/aws/0.5.4/kibana/visualization/aws-007ceec0-694c-11ea-b0ac-95d4ecb1fecd.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Transit Gateway Packets Drop Count No Route [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"aws.transitgateway.metrics.PacketDropCountNoRoute.sum\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.dimensions.TransitGateway\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\"},\"title\":\"Transit Gateway Packets Drop Count No Route [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-007ceec0-694c-11ea-b0ac-95d4ecb1fecd", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-00b29040-921d-11e9-aa19-159bf182e06f.json b/packages/aws/0.5.4/kibana/visualization/aws-00b29040-921d-11e9-aa19-159bf182e06f.json deleted file mode 100755 index 28f083eaac..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-00b29040-921d-11e9-aa19-159bf182e06f.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "RDS Transaction Blocked [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(164,221,0,1)\",\"id\":\"27aaf910-d978-11e9-aff2-99c15d8b7da1\",\"operator\":\"lte\",\"value\":0},{\"color\":\"rgba(244,78,59,1)\",\"id\":\"3526a9e0-d978-11e9-aff2-99c15d8b7da1\",\"operator\":\"gt\",\"value\":0}],\"bar_color_rules\":[{\"bar_color\":\"rgba(211,49,21,1)\",\"id\":\"f8196690-921a-11e9-badf-4b42bd1ef543\",\"operator\":\"gt\",\"value\":0}],\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"drilldown_url\":\"\",\"filter\":\"\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"bar\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"hide_in_legend\":0,\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Transaction Blocked\",\"line_width\":1,\"metrics\":[{\"field\":\"aws.rds.transactions.blocked\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"sum\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"terms_field\":\"aws.rds.db_instance.identifier\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"metric\"},\"title\":\"RDS Transaction Blocked [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-00b29040-921d-11e9-aa19-159bf182e06f", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-01ed5990-694a-11ea-b0ac-95d4ecb1fecd.json b/packages/aws/0.5.4/kibana/visualization/aws-01ed5990-694a-11ea-b0ac-95d4ecb1fecd.json deleted file mode 100755 index e14cd8752b..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-01ed5990-694a-11ea-b0ac-95d4ecb1fecd.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Transit Gateway Bytes Drop Count No Route [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"aws.transitgateway.metrics.BytesDropCountNoRoute.sum\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.dimensions.TransitGateway\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\"},\"title\":\"Transit Gateway Bytes Drop Count No Route [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-01ed5990-694a-11ea-b0ac-95d4ecb1fecd", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-08645080-6891-11ea-b0ac-95d4ecb1fecd.json b/packages/aws/0.5.4/kibana/visualization/aws-08645080-6891-11ea-b0ac-95d4ecb1fecd.json deleted file mode 100755 index c9c6e49f3d..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-08645080-6891-11ea-b0ac-95d4ecb1fecd.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "NATGateway Packet Out To Destination [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"688b0480-688d-11ea-8b7d-fd9d15a13cd0\",\"value\":0}],\"bar_color_rules\":[{\"id\":\"6b6b1a00-688d-11ea-8b7d-fd9d15a13cd0\"}],\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"formatter\":\"number\",\"id\":\"f444c0e0-688f-11ea-8b7d-fd9d15a13cd0\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"aws.natgateway.metrics.PacketsOutToDestination.sum\",\"id\":\"f444c0e1-688f-11ea-8b7d-fd9d15a13cd0\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.dimensions.NatGatewayId\",\"terms_order_by\":\"f444c0e1-688f-11ea-8b7d-fd9d15a13cd0\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"last_value\",\"type\":\"timeseries\"},\"title\":\"NATGateway Packet Out To Destination [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-08645080-6891-11ea-b0ac-95d4ecb1fecd", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-09857a20-180f-11ea-8e91-03c7047cbb9d.json b/packages/aws/0.5.4/kibana/visualization/aws-09857a20-180f-11ea-8e91-03c7047cbb9d.json deleted file mode 100755 index 508a687e3e..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-09857a20-180f-11ea-8e91-03c7047cbb9d.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "SNS Notifications Failed To Redrive To DLQ [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_min\":\"0\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"s,s,3\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Notifications Failed To Redrive To DLQ\",\"line_width\":1,\"metrics\":[{\"field\":\"aws.sns.metrics.NumberOfNotificationsFailedToRedriveToDlq.sum\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"5\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":null,\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\"},\"title\":\"SNS Notifications Failed To Redrive To DLQ [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-09857a20-180f-11ea-8e91-03c7047cbb9d", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-09db13f0-2bdd-11e9-9fe1-cde861544141.json b/packages/aws/0.5.4/kibana/visualization/aws-09db13f0-2bdd-11e9-9fe1-cde861544141.json deleted file mode 100755 index 44b984c05f..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-09db13f0-2bdd-11e9-9fe1-cde861544141.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "EC2 Instance State [Metrics AWS]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"16\":\"#629E51\",\"272\":\"#DEDAF7\",\"80\":\"#E24D42\",\"running\":\"#7EB26D\",\"stopped\":\"#E24D42\"},\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"EC2 Instance State\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"\",\"field\":\"aws.ec2.instance.state.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":true,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"EC2 Instance State [Metrics AWS]\",\"type\":\"pie\"}" - }, - "id": "aws-09db13f0-2bdd-11e9-9fe1-cde861544141", - "references": [ - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-0a36b590-694c-11ea-b0ac-95d4ecb1fecd.json b/packages/aws/0.5.4/kibana/visualization/aws-0a36b590-694c-11ea-b0ac-95d4ecb1fecd.json deleted file mode 100755 index 4d2c3c191e..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-0a36b590-694c-11ea-b0ac-95d4ecb1fecd.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Transit Gateway Packets In [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"aws.transitgateway.metrics.PacketsIn.sum\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.dimensions.TransitGateway\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\"},\"title\":\"Transit Gateway Packets In [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-0a36b590-694c-11ea-b0ac-95d4ecb1fecd", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-0f056420-739e-11ea-a345-f985c61fe654.json b/packages/aws/0.5.4/kibana/visualization/aws-0f056420-739e-11ea-a345-f985c61fe654.json deleted file mode 100755 index 9a46d5b9bc..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-0f056420-739e-11ea-a345-f985c61fe654.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "CloudTrail Event Type [Logs AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"CloudTrail Event Type\",\"field\":\"aws.cloudtrail.event_type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"CloudTrail Event Type [Logs AWS]\",\"type\":\"pie\"}" - }, - "id": "aws-0f056420-739e-11ea-a345-f985c61fe654", - "references": [ - { - "id": "aws-30ccde50-7397-11ea-a345-f985c61fe654", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-10e0f270-694c-11ea-b0ac-95d4ecb1fecd.json b/packages/aws/0.5.4/kibana/visualization/aws-10e0f270-694c-11ea-b0ac-95d4ecb1fecd.json deleted file mode 100755 index 8fe776a2b6..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-10e0f270-694c-11ea-b0ac-95d4ecb1fecd.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Transit Gateway Packets Out [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"aws.transitgateway.metrics.PacketsOut.sum\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.dimensions.TransitGateway\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\"},\"title\":\"Transit Gateway Packets Out [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-10e0f270-694c-11ea-b0ac-95d4ecb1fecd", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-1235fe50-41e7-11e9-b7a0-c99d9d127b61.json b/packages/aws/0.5.4/kibana/visualization/aws-1235fe50-41e7-11e9-b7a0-c99d9d127b61.json deleted file mode 100755 index 2754b4156c..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-1235fe50-41e7-11e9-b7a0-c99d9d127b61.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "SQS Messages Received [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"1ccb6710-43b3-11e9-8c70-d17a67455a84\"}],\"bar_color_rules\":[{\"id\":\"57cc0200-43b5-11e9-84e9-a97a63579915\"}],\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"line_width\":1,\"metrics\":[{\"field\":\"aws.sqs.messages.received\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"sum\"}],\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":1,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.sqs.queue.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"terms_size\":\"5\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"SQS Messages Received [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-1235fe50-41e7-11e9-b7a0-c99d9d127b61", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-128fd450-734e-11e9-816b-07687310a99a.json b/packages/aws/0.5.4/kibana/visualization/aws-128fd450-734e-11e9-816b-07687310a99a.json deleted file mode 100755 index 08012ce2fe..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-128fd450-734e-11e9-816b-07687310a99a.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Cloudwatch Lambda Invocations Top5 [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cbb498f0-734c-11e9-a683-47ca322fa6f9\"}],\"bar_color_rules\":[{\"id\":\"94f2ce40-734c-11e9-a683-47ca322fa6f9\"}],\"default_index_pattern\":\"metrics-*\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Lambda Invocations\",\"line_width\":1,\"metrics\":[{\"field\":\"aws.lambda.metrics.Invocations\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.dimensions.FunctionName\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"terms_size\":\"5\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"AWS Cloudwatch Lambda Invocations Top5\",\"type\":\"metrics\"}" - }, - "id": "aws-128fd450-734e-11e9-816b-07687310a99a", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-12eff7e0-b7b9-11e9-8349-f15f850c5cd0.json b/packages/aws/0.5.4/kibana/visualization/aws-12eff7e0-b7b9-11e9-8349-f15f850c5cd0.json deleted file mode 100755 index be3af1637e..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-12eff7e0-b7b9-11e9-8349-f15f850c5cd0.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "EBS Volume Total Read Time [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_min\":\"0\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"s,s,3\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Volume Total Read Time\",\"line_width\":1,\"metrics\":[{\"field\":\"aws.ebs.metrics.VolumeTotalReadTime.sum\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"5\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.dimensions.VolumeId\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\"},\"title\":\"EBS Volume Total Read Time [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-12eff7e0-b7b9-11e9-8349-f15f850c5cd0", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-13e624c0-180e-11ea-8e91-03c7047cbb9d.json b/packages/aws/0.5.4/kibana/visualization/aws-13e624c0-180e-11ea-8e91-03c7047cbb9d.json deleted file mode 100755 index 0122e580d0..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-13e624c0-180e-11ea-8e91-03c7047cbb9d.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "SNS Messages and Notifications [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_min\":\"0\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"s,s,3\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Messages Published\",\"line_width\":1,\"metrics\":[{\"field\":\"aws.sns.metrics.NumberOfMessagesPublished.sum\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"5\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":null,\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(115,216,255,1)\",\"fill\":\"0\",\"formatter\":\"s,s,3\",\"id\":\"204ff2b0-1b77-11ea-9357-231d0e09a8a9\",\"label\":\"Notifications 
Delivered\",\"line_width\":1,\"metrics\":[{\"field\":\"aws.sns.metrics.NumberOfNotificationsDelivered.sum\",\"id\":\"204ff2b1-1b77-11ea-9357-231d0e09a8a9\",\"type\":\"avg\"}],\"point_size\":\"5\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":null,\"terms_order_by\":\"204ff2b1-1b77-11ea-9357-231d0e09a8a9\",\"type\":\"timeseries\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":\"0\",\"formatter\":\"s,s,3\",\"id\":\"32e925e0-1b77-11ea-9357-231d0e09a8a9\",\"label\":\"Notifications Failed\",\"line_width\":1,\"metrics\":[{\"field\":\"aws.sns.metrics.NumberOfNotificationsFailed.sum\",\"id\":\"32e925e1-1b77-11ea-9357-231d0e09a8a9\",\"type\":\"avg\"}],\"point_size\":\"5\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":null,\"terms_order_by\":\"32e925e1-1b77-11ea-9357-231d0e09a8a9\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\"},\"title\":\"SNS Messages and Notifications [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-13e624c0-180e-11ea-8e91-03c7047cbb9d", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-142ad600-693b-11ea-b0ac-95d4ecb1fecd.json b/packages/aws/0.5.4/kibana/visualization/aws-142ad600-693b-11ea-b0ac-95d4ecb1fecd.json deleted file mode 100755 index 8c88b21406..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-142ad600-693b-11ea-b0ac-95d4ecb1fecd.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "VPN Tunnel Data State [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"05e19c00-693b-11ea-8bb6-25461aeac3d5\"}],\"bar_color_rules\":[{\"id\":\"fdd5ac40-693a-11ea-8bb6-25461aeac3d5\"}],\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"aws.vpn.metrics.TunnelState.avg\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.dimensions.VpnId\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"top_n\"},\"title\":\"VPN Tunnel Data State [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-142ad600-693b-11ea-b0ac-95d4ecb1fecd", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-15818fd0-f7f9-11e8-af03-c999c9dea608.json b/packages/aws/0.5.4/kibana/visualization/aws-15818fd0-f7f9-11e8-af03-c999c9dea608.json deleted file mode 100755 index 8fc2754da1..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-15818fd0-f7f9-11e8-af03-c999c9dea608.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "EC2 Network In Bytes [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"annotations\":[],\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"23428b30-f7f2-11e8-bff8-21537b07dd44\"}],\"bar_color_rules\":[{\"id\":\"2592bcc0-f7f2-11e8-bff8-21537b07dd44\"}],\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(104,188,0,1)\",\"fill\":\"0\",\"filter\":\"\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"AWS EC2 Network In Bytes\",\"line_width\":1,\"metrics\":[{\"field\":\"aws.ec2.network.in.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":1,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"steps\":0,\"terms_field\":\"cloud.instance.id\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"terms_size\":\"5\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"AWS EC2 Network In Bytes\",\"type\":\"metrics\"}" - }, - "id": "aws-15818fd0-f7f9-11e8-af03-c999c9dea608", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-17fcda50-921b-11e9-aa19-159bf182e06f.json b/packages/aws/0.5.4/kibana/visualization/aws-17fcda50-921b-11e9-aa19-159bf182e06f.json deleted file mode 100755 index 79a82abb0d..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-17fcda50-921b-11e9-aa19-159bf182e06f.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "RDS Database Connections [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"10bc2760-d978-11e9-aff2-99c15d8b7da1\"}],\"bar_color_rules\":[{\"id\":\"f8196690-921a-11e9-badf-4b42bd1ef543\"}],\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"bar\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"hide_in_legend\":0,\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Database Connections\",\"line_width\":1,\"metrics\":[{\"field\":\"aws.rds.database_connections\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"sum\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"terms_field\":\"aws.rds.db_instance.identifier\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"metric\"},\"title\":\"RDS Database Connections [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-17fcda50-921b-11e9-aa19-159bf182e06f", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-1f3f00c0-28d1-11ea-ba6c-49a884eb104f.json b/packages/aws/0.5.4/kibana/visualization/aws-1f3f00c0-28d1-11ea-ba6c-49a884eb104f.json deleted file mode 100755 index 7f604daa6c..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-1f3f00c0-28d1-11ea-ba6c-49a884eb104f.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Lambda Top Invoked Functions [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_min\":0,\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"fbf0eac0-28d0-11ea-8789-f72e3366fb25\"}],\"bar_color_rules\":[{\"id\":\"f679afa0-28d0-11ea-8789-f72e3366fb25\"}],\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"id\":\"ca2e4c60-28cd-11ea-822d-3ba2c0089081\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#3185FC\",\"fill\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"formatter\":\"number\",\"id\":\"ca2e4c61-28cd-11ea-822d-3ba2c0089081\",\"label\":\"avg(aws.metrics.Duration.avg)\",\"line_width\":2,\"metrics\":[{\"field\":\"aws.lambda.metrics.Invocations.avg\",\"id\":\"ca2e4c62-28cd-11ea-822d-3ba2c0089081\",\"type\":\"max\"}],\"point_size\":\"4\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.dimensions.FunctionName\",\"terms_order_by\":\"ca2e4c62-28cd-11ea-822d-3ba2c0089081\",\"type\":\"timeseries\",\"value_template\":\"{{value}}\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Lambda Top Invoked Functions [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-1f3f00c0-28d1-11ea-ba6c-49a884eb104f", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-1f528f50-b3ce-11e9-87a4-078dbbae220d.json b/packages/aws/0.5.4/kibana/visualization/aws-1f528f50-b3ce-11e9-87a4-078dbbae220d.json deleted file mode 100755 index 4aa7ed0e25..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-1f528f50-b3ce-11e9-87a4-078dbbae220d.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "ELB HTTP Backend 2XX [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_min\":\"0\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"7e66beb0-b3c6-11e9-af6e-ef22c5680226\"}],\"bar_color_rules\":[{\"id\":\"7db91990-b3c6-11e9-af6e-ef22c5680226\"}],\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"filter\":\"\",\"gauge_color_rules\":[{\"id\":\"7d0b9b80-b3c6-11e9-af6e-ef22c5680226\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"35d3cbc0-b3c6-11e9-bf3f-29d51aa3d971\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#3185FC\",\"fill\":0,\"formatter\":\"number\",\"id\":\"35d3cbc1-b3c6-11e9-bf3f-29d51aa3d971\",\"label\":\"HTTP Backend 2XX\",\"line_width\":2,\"metrics\":[{\"field\":\"aws.elb.metrics.HTTPCode_Backend_2XX.sum\",\"id\":\"35d3cbc2-b3c6-11e9-bf3f-29d51aa3d971\",\"type\":\"avg\"}],\"point_size\":\"5\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.dimensions.LoadBalancerName\",\"terms_order_by\":\"35d3cbc2-b3c6-11e9-bf3f-29d51aa3d971\",\"value_template\":\"{{value}}\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"ELB HTTP Backend 2XX [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-1f528f50-b3ce-11e9-87a4-078dbbae220d", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-219c1850-3e82-11ea-bb0a-69c3ca1d410f.json b/packages/aws/0.5.4/kibana/visualization/aws-219c1850-3e82-11ea-bb0a-69c3ca1d410f.json deleted file mode 100755 index 7c5342245e..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-219c1850-3e82-11ea-bb0a-69c3ca1d410f.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "ELB HTTP 2xx [Logs AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_min\":\"0\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(164,221,0,1)\",\"fill\":0.5,\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"aws.elb_logs\\\" and http.response.status_code \\u003e= 200 and http.response.status_code\\t\\u003c 300\"},\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"HTTP 2xx\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.elb.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\"},\"title\":\"ELB HTTP 2xx [Logs AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-219c1850-3e82-11ea-bb0a-69c3ca1d410f", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-21f30090-b3ca-11e9-87a4-078dbbae220d.json b/packages/aws/0.5.4/kibana/visualization/aws-21f30090-b3ca-11e9-87a4-078dbbae220d.json deleted file mode 100755 index 1a972f16e1..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-21f30090-b3ca-11e9-87a4-078dbbae220d.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "ELB HTTP Backend 4XX Errors [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_min\":\"0\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"7e66beb0-b3c6-11e9-af6e-ef22c5680226\"}],\"bar_color_rules\":[{\"id\":\"7db91990-b3c6-11e9-af6e-ef22c5680226\"}],\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"filter\":\"\",\"gauge_color_rules\":[{\"id\":\"7d0b9b80-b3c6-11e9-af6e-ef22c5680226\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"35d3cbc0-b3c6-11e9-bf3f-29d51aa3d971\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#3185FC\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"35d3cbc1-b3c6-11e9-bf3f-29d51aa3d971\",\"label\":\"HTTP Backend 4XX Errors\",\"line_width\":2,\"metrics\":[{\"field\":\"aws.elb.metrics.HTTPCode_Backend_4XX.sum\",\"id\":\"35d3cbc2-b3c6-11e9-bf3f-29d51aa3d971\",\"type\":\"avg\"}],\"point_size\":\"5\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.dimensions.LoadBalancerName\",\"terms_order_by\":\"35d3cbc2-b3c6-11e9-bf3f-29d51aa3d971\",\"value_template\":\"{{value}}\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"ELB HTTP Backend 4XX Errors [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-21f30090-b3ca-11e9-87a4-078dbbae220d", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-233b3400-f7f9-11e8-af03-c999c9dea608.json b/packages/aws/0.5.4/kibana/visualization/aws-233b3400-f7f9-11e8-af03-c999c9dea608.json deleted file mode 100755 index 1e2a8de017..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-233b3400-f7f9-11e8-af03-c999c9dea608.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "EC2 Network Out Bytes [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"annotations\":[],\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"23428b30-f7f2-11e8-bff8-21537b07dd44\"}],\"bar_color_rules\":[{\"id\":\"2592bcc0-f7f2-11e8-bff8-21537b07dd44\"}],\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(104,188,0,1)\",\"fill\":\"0\",\"filter\":\"\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"AWS EC2 Network Out Bytes\",\"line_width\":1,\"metrics\":[{\"field\":\"aws.ec2.network.out.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":1,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"steps\":0,\"terms_field\":\"cloud.instance.id\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"terms_size\":\"5\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"AWS EC2 Network Out Bytes\",\"type\":\"metrics\"}" - }, - "id": "aws-233b3400-f7f9-11e8-af03-c999c9dea608", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-247e2990-4699-11ea-ad63-791a5dc86f10.json b/packages/aws/0.5.4/kibana/visualization/aws-247e2990-4699-11ea-ad63-791a5dc86f10.json deleted file mode 100755 index 9e70fa30b3..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-247e2990-4699-11ea-ad63-791a5dc86f10.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "S3 Bucket Name Filter [Logs AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"aws.s3.bucket.name\",\"id\":\"1565034367477\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"S3 Bucket Names\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":true,\"useTimeFilter\":true},\"title\":\"S3 Bucket Name Filter [Logs AWS]\",\"type\":\"input_control_vis\"}" - }, - "id": "aws-247e2990-4699-11ea-ad63-791a5dc86f10", - "references": [ - { - "id": "logs-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-25384bf0-b7b9-11e9-8349-f15f850c5cd0.json b/packages/aws/0.5.4/kibana/visualization/aws-25384bf0-b7b9-11e9-8349-f15f850c5cd0.json deleted file mode 100755 index 5051f36f7a..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-25384bf0-b7b9-11e9-8349-f15f850c5cd0.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "EBS Volume Total Write Time [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_min\":\"0\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"s,s,3\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Volume Total Write Time\",\"line_width\":1,\"metrics\":[{\"field\":\"aws.ebs.metrics.VolumeTotalWriteTime.sum\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"5\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.dimensions.VolumeId\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\"},\"title\":\"EBS Volume Total Write Time [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-25384bf0-b7b9-11e9-8349-f15f850c5cd0", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-26b73e50-6943-11ea-b0ac-95d4ecb1fecd.json b/packages/aws/0.5.4/kibana/visualization/aws-26b73e50-6943-11ea-b0ac-95d4ecb1fecd.json deleted file mode 100755 index bfe1552e86..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-26b73e50-6943-11ea-b0ac-95d4ecb1fecd.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "VPN Tunnel Data Out Per VPN ID [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"aws.vpn.metrics.TunnelDataOut.sum\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.dimensions.VpnId\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\"},\"title\":\"VPN Tunnel Data Out Per VPN ID [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-26b73e50-6943-11ea-b0ac-95d4ecb1fecd", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-2929edb0-178e-11ea-8650-fb606deb5be4.json b/packages/aws/0.5.4/kibana/visualization/aws-2929edb0-178e-11ea-8650-fb606deb5be4.json deleted file mode 100755 index c4c9bc8666..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-2929edb0-178e-11ea-8650-fb606deb5be4.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "AWS Service Filter [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"aws.dimensions.Service\",\"id\":\"1549397251041\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"service name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":true,\"useTimeFilter\":false},\"title\":\"AWS Service Filter [Metrics AWS]\",\"type\":\"input_control_vis\"}" - }, - "id": "aws-2929edb0-178e-11ea-8650-fb606deb5be4", - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-2b2d58b0-4762-11e9-8062-c98a86cb6f94.json b/packages/aws/0.5.4/kibana/visualization/aws-2b2d58b0-4762-11e9-8062-c98a86cb6f94.json deleted file mode 100755 index 02be446035..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-2b2d58b0-4762-11e9-8062-c98a86cb6f94.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "S3 Request Latency Total Request in ms [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"c0d11b00-4761-11e9-bf81-69a4e579cab5\"}],\"bar_color_rules\":[{\"id\":\"67cb0930-4761-11e9-bf81-69a4e579cab5\"}],\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"gauge_color_rules\":[{\"id\":\"6eafde10-4761-11e9-bf81-69a4e579cab5\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1d\",\"isModelInvalid\":false,\"pivot_id\":\"aws.s3.bucket.name\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"color_rules\":[{\"id\":\"ac2ef870-4761-11e9-bf81-69a4e579cab5\"}],\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Latency in ms\",\"line_width\":1,\"metrics\":[{\"field\":\"aws.s3_request.latency.total_request.ms\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.s3.bucket.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"terms_size\":\"5\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"S3 Request Latency Total Request in ms [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-2b2d58b0-4762-11e9-8062-c98a86cb6f94", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-2dbb8f90-4760-11e9-8062-c98a86cb6f94.json b/packages/aws/0.5.4/kibana/visualization/aws-2dbb8f90-4760-11e9-8062-c98a86cb6f94.json deleted file mode 100755 index 636ba7f91a..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-2dbb8f90-4760-11e9-8062-c98a86cb6f94.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "S3 Daily Storage Bucket Size in Bytes [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"f679e680-475f-11e9-a9de-e776805ecfc9\"}],\"bar_color_rules\":[{\"id\":\"f703aff0-475f-11e9-a9de-e776805ecfc9\"}],\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"gauge_color_rules\":[{\"id\":\"f8388670-475f-11e9-a9de-e776805ecfc9\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"line_width\":1,\"metrics\":[{\"field\":\"aws.s3_daily_storage.bucket.size.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.s3.bucket.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"terms_size\":\"5\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"S3 Daily Storage Bucket Size in Bytes [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-2dbb8f90-4760-11e9-8062-c98a86cb6f94", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-2ee7f420-6943-11ea-b0ac-95d4ecb1fecd.json b/packages/aws/0.5.4/kibana/visualization/aws-2ee7f420-6943-11ea-b0ac-95d4ecb1fecd.json deleted file mode 100755 index fe7dce234c..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-2ee7f420-6943-11ea-b0ac-95d4ecb1fecd.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "VPN Tunnel Data In Per VPN ID [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"aws.vpn.metrics.TunnelDataIn.sum\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.dimensions.VpnId\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\"},\"title\":\"VPN Tunnel Data In Per VPN ID [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-2ee7f420-6943-11ea-b0ac-95d4ecb1fecd", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-31a4ea90-152b-11ea-841c-01bf20a6c8ba.json b/packages/aws/0.5.4/kibana/visualization/aws-31a4ea90-152b-11ea-841c-01bf20a6c8ba.json deleted file mode 100755 index 2a7a8a0f25..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-31a4ea90-152b-11ea-841c-01bf20a6c8ba.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Top 10 Billing per Service Name [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_min\":0,\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"id\":\"729af8b0-152a-11ea-ae8f-79fec1a0d4d3\",\"index_pattern\":\"metrics-*\",\"interval\":\"12h\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#3185FC\",\"fill\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"formatter\":\"number\",\"id\":\"729b1fc0-152a-11ea-ae8f-79fec1a0d4d3\",\"label\":\"avg(aws.billing.metrics.EstimatedCharges.max)\",\"line_width\":2,\"metrics\":[{\"field\":\"aws.billing.metrics.EstimatedCharges.max\",\"id\":\"729b1fc1-152a-11ea-ae8f-79fec1a0d4d3\",\"type\":\"sum\"}],\"override_index_pattern\":0,\"point_size\":\"4\",\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"steps\":0,\"terms_field\":\"aws.dimensions.ServiceName\",\"terms_include\":\"\",\"terms_order_by\":\"729b1fc1-152a-11ea-ae8f-79fec1a0d4d3\",\"terms_size\":\"10\",\"type\":\"timeseries\",\"value_template\":\"${{value}}\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"Top 10 Billing per Service Name [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-31a4ea90-152b-11ea-841c-01bf20a6c8ba", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-31ad4090-2003-11ea-8f72-2f8d21e50b0c.json b/packages/aws/0.5.4/kibana/visualization/aws-31ad4090-2003-11ea-8f72-2f8d21e50b0c.json deleted file mode 100755 index 6d2d5308ad..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-31ad4090-2003-11ea-8f72-2f8d21e50b0c.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "DynamoDB Account Provisioned Capacity Utilization [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Write Utilization\",\"field\":\"aws.dynamodb.metrics.AccountProvisionedWriteCapacityUtilization.avg\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Read Utilization\",\"field\":\"aws.dynamodb.metrics.AccountProvisionedReadCapacityUtilization.avg\"},\"schema\":\"metric\",\"type\":\"max\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"dimensions\":{\"x\":{\"accessor\":0,\"aggType\":\"date_histogram\",\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"HH:mm:ss\"}},\"label\":\"@timestamp per 30 
seconds\",\"params\":{\"bounds\":{\"max\":\"2020-04-10T10:29:58.462Z\",\"min\":\"2020-04-10T10:14:58.462Z\"},\"date\":true,\"format\":\"HH:mm:ss\",\"interval\":\"PT30S\",\"intervalESUnit\":\"s\",\"intervalESValue\":30}},\"y\":[{\"accessor\":1,\"aggType\":\"max\",\"format\":{\"id\":\"number\",\"params\":{\"parsedUrl\":{\"basePath\":\"\",\"origin\":\"http://localhost:5601\",\"pathname\":\"/app/kibana\"}}},\"label\":\"Write Utilization\",\"params\":{}},{\"accessor\":2,\"aggType\":\"max\",\"format\":{\"id\":\"number\",\"params\":{\"parsedUrl\":{\"basePath\":\"\",\"origin\":\"http://localhost:5601\",\"pathname\":\"/app/kibana\"}}},\"label\":\"Read Utilization\",\"params\":{}}]},\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Write Utilization\"},\"drawLinesBetweenPoints\":true,\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Read Utilization\"},\"drawLinesBetweenPoints\":true,\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#34130C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Write Utilization\"},\"type\":\"value\"}]},\"title\":\"DynamoDB Account Provisioned Capacity Utilization [Metrics AWS]\",\"type\":\"line\"}" - }, - "id": "aws-31ad4090-2003-11ea-8f72-2f8d21e50b0c", - "references": [ - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-396089c0-7399-11ea-a345-f985c61fe654.json b/packages/aws/0.5.4/kibana/visualization/aws-396089c0-7399-11ea-a345-f985c61fe654.json deleted file mode 100755 index c4a73a11c5..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-396089c0-7399-11ea-a345-f985c61fe654.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "event.action values separated by event.provider.", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "CloudTrail Actions [Logs AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.provider\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"CloudTrail Actions [Logs AWS]\",\"type\":\"pie\"}" - }, - "id": "aws-396089c0-7399-11ea-a345-f985c61fe654", - "references": [ - { - "id": "aws-30ccde50-7397-11ea-a345-f985c61fe654", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-398d12d0-7352-11e9-816b-07687310a99a.json b/packages/aws/0.5.4/kibana/visualization/aws-398d12d0-7352-11e9-816b-07687310a99a.json deleted file mode 100755 index 2ef8ba286d..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-398d12d0-7352-11e9-816b-07687310a99a.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Cloudwatch Lambda Throttles Top5 [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cbb498f0-734c-11e9-a683-47ca322fa6f9\"}],\"bar_color_rules\":[{\"id\":\"94f2ce40-734c-11e9-a683-47ca322fa6f9\"}],\"default_index_pattern\":\"metrics-*\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Lambda Throttles\",\"line_width\":1,\"metrics\":[{\"field\":\"aws.lambda.metrics.Throttles\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.dimensions.FunctionName\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"terms_size\":\"5\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"AWS Cloudwatch Lambda Throttles Top5\",\"type\":\"metrics\"}" - }, - "id": "aws-398d12d0-7352-11e9-816b-07687310a99a", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-39dfc8d0-28cf-11ea-ba6c-49a884eb104f.json b/packages/aws/0.5.4/kibana/visualization/aws-39dfc8d0-28cf-11ea-ba6c-49a884eb104f.json deleted file mode 100755 index 35d18103f5..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-39dfc8d0-28cf-11ea-ba6c-49a884eb104f.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Lambda Duration in Milliseconds [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_min\":0,\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"id\":\"ca2e4c60-28cd-11ea-822d-3ba2c0089081\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#3185FC\",\"fill\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"formatter\":\"number\",\"id\":\"ca2e4c61-28cd-11ea-822d-3ba2c0089081\",\"label\":\"avg(aws.metrics.Duration.avg)\",\"line_width\":2,\"metrics\":[{\"field\":\"aws.lambda.metrics.Duration.avg\",\"id\":\"ca2e4c62-28cd-11ea-822d-3ba2c0089081\",\"type\":\"avg\"}],\"point_size\":\"4\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.dimensions.FunctionName\",\"terms_order_by\":\"ca2e4c62-28cd-11ea-822d-3ba2c0089081\",\"type\":\"timeseries\",\"value_template\":\"{{value}}\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"Lambda Duration in Milliseconds [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-39dfc8d0-28cf-11ea-ba6c-49a884eb104f", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-3a3914d0-4761-11e9-8062-c98a86cb6f94.json b/packages/aws/0.5.4/kibana/visualization/aws-3a3914d0-4761-11e9-8062-c98a86cb6f94.json deleted file mode 100755 index e9dcc02bca..0000000000 
--- a/packages/aws/0.5.4/kibana/visualization/aws-3a3914d0-4761-11e9-8062-c98a86cb6f94.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "S3 Daily Storage Number of Objects [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"167ea870-4761-11e9-bf81-69a4e579cab5\"}],\"bar_color_rules\":[{\"id\":\"01dad830-4761-11e9-bf81-69a4e579cab5\"}],\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"line_width\":1,\"metrics\":[{\"field\":\"aws.s3_daily_storage.number_of_objects\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.s3.bucket.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"terms_size\":\"5\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"S3 Daily Storage Number of Objects [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-3a3914d0-4761-11e9-8062-c98a86cb6f94", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-3dee68c0-7b0c-11ea-9bb4-e958b64b5685.json b/packages/aws/0.5.4/kibana/visualization/aws-3dee68c0-7b0c-11ea-9bb4-e958b64b5685.json deleted file mode 100755 index f543463ca7..0000000000 
--- a/packages/aws/0.5.4/kibana/visualization/aws-3dee68c0-7b0c-11ea-9bb4-e958b64b5685.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "DynamoDB Max Request Latency Per Operation [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0.1\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Max Request Latency Per Operation\",\"line_width\":1,\"metrics\":[{\"field\":\"aws.dynamodb.metrics.SuccessfulRequestLatency.max\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"max\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.dimensions.Operation\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\"},\"title\":\"DynamoDB Max Request Latency Per Operation [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-3dee68c0-7b0c-11ea-9bb4-e958b64b5685", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-415fed40-694f-11ea-b0ac-95d4ecb1fecd.json b/packages/aws/0.5.4/kibana/visualization/aws-415fed40-694f-11ea-b0ac-95d4ecb1fecd.json deleted file mode 100755 index bbf1f29631..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-415fed40-694f-11ea-b0ac-95d4ecb1fecd.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "TransitGateway Filters [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"cloud.account.name\",\"id\":\"1565034367477\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"account name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"cloud.region\",\"id\":\"1584478324642\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"region\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"aws.dimensions.TransitGateway\",\"id\":\"1584479118709\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"transit gateway\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":true,\"useTimeFilter\":true},\"title\":\"TransitGateway Filters [Metrics AWS]\",\"type\":\"input_control_vis\"}" - }, - "id": "aws-415fed40-694f-11ea-b0ac-95d4ecb1fecd", - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_2_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-42016bf0-728f-11e9-9a7b-4d62d5bcf4fc.json b/packages/aws/0.5.4/kibana/visualization/aws-42016bf0-728f-11e9-9a7b-4d62d5bcf4fc.json deleted file mode 100755 index 5780d452d9..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-42016bf0-728f-11e9-9a7b-4d62d5bcf4fc.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Cloudwatch ELB Latency [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"annotations\":[],\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"23428b30-f7f2-11e8-bff8-21537b07dd44\"}],\"bar_color_rules\":[{\"id\":\"2592bcc0-f7f2-11e8-bff8-21537b07dd44\"}],\"default_index_pattern\":\"metrics-*\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(104,188,0,1)\",\"fill\":\"0\",\"filter\":\"\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"AWS Cloudwatch ELB Latency\",\"line_width\":1,\"metrics\":[{\"field\":\"aws.elb.metrics.Latency\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":1,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"steps\":0,\"terms_field\":\"aws.dimensions.LoadBalancerName\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"terms_size\":\"5\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"AWS Cloudwatch ELB Latency\",\"type\":\"metrics\"}" - }, - "id": "aws-42016bf0-728f-11e9-9a7b-4d62d5bcf4fc", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-4658f540-734a-11e9-816b-07687310a99a.json b/packages/aws/0.5.4/kibana/visualization/aws-4658f540-734a-11e9-816b-07687310a99a.json deleted file mode 100755 index 7b987f435a..0000000000 
--- a/packages/aws/0.5.4/kibana/visualization/aws-4658f540-734a-11e9-816b-07687310a99a.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "SQS Empty Receives Top5 [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"bar_color_rules\":[{\"id\":\"23be77d0-734a-11e9-a683-47ca322fa6f9\"}],\"default_index_pattern\":\"metrics-*\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"AWS SQS Empty Receives\",\"line_width\":1,\"metrics\":[{\"field\":\"aws.sqs.empty_receives\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.sqs.queue.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"terms_size\":\"5\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"AWS SQS Empty Receives Top5\",\"type\":\"metrics\"}" - }, - "id": "aws-4658f540-734a-11e9-816b-07687310a99a", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-49379b70-7b07-11ea-9bb4-e958b64b5685.json b/packages/aws/0.5.4/kibana/visualization/aws-49379b70-7b07-11ea-9bb4-e958b64b5685.json deleted file mode 100755 index ff7b2a2d9b..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-49379b70-7b07-11ea-9bb4-e958b64b5685.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "DynamoDB Consumed Write Capacity Units [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"43e58670-7b05-11ea-8ef8-01625a2f68ac\"}],\"bar_color_rules\":[{\"id\":\"3c733ea0-7b05-11ea-8ef8-01625a2f68ac\"}],\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":1,\"gauge_color_rules\":[{\"id\":\"499c62a0-7b05-11ea-8ef8-01625a2f68ac\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0.1\",\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Consumed Write Capacity Units\",\"line_width\":1,\"metrics\":[{\"field\":\"aws.dynamodb.metrics.ConsumedWriteCapacityUnits.avg\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"offset_time\":\"\",\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"steps\":0,\"terms_field\":\"aws.dimensions.TableName\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\"},\"title\":\"DynamoDB Consumed Write Capacity Units [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-49379b70-7b07-11ea-9bb4-e958b64b5685", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-4bf0a740-28d1-11ea-ba6c-49a884eb104f.json b/packages/aws/0.5.4/kibana/visualization/aws-4bf0a740-28d1-11ea-ba6c-49a884eb104f.json deleted file mode 100755 index 0928f48b7a..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-4bf0a740-28d1-11ea-ba6c-49a884eb104f.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Lambda Top Errors [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_min\":0,\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"fbf0eac0-28d0-11ea-8789-f72e3366fb25\"}],\"bar_color_rules\":[{\"id\":\"f679afa0-28d0-11ea-8789-f72e3366fb25\"}],\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"gauge_color_rules\":[{\"id\":\"3eabbde0-28d1-11ea-8789-f72e3366fb25\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"ca2e4c60-28cd-11ea-822d-3ba2c0089081\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#3185FC\",\"fill\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"formatter\":\"number\",\"id\":\"ca2e4c61-28cd-11ea-822d-3ba2c0089081\",\"label\":\"avg(aws.metrics.Duration.avg)\",\"line_width\":2,\"metrics\":[{\"field\":\"aws.lambda.metrics.Errors.avg\",\"id\":\"ca2e4c62-28cd-11ea-822d-3ba2c0089081\",\"type\":\"max\"}],\"point_size\":\"4\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.dimensions.FunctionName\",\"terms_order_by\":\"ca2e4c62-28cd-11ea-822d-3ba2c0089081\",\"type\":\"timeseries\",\"value_template\":\"{{value}}\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"Lambda Top Errors [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-4bf0a740-28d1-11ea-ba6c-49a884eb104f", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-4bf62a10-8310-11e9-ac83-47df3568ff90.json b/packages/aws/0.5.4/kibana/visualization/aws-4bf62a10-8310-11e9-ac83-47df3568ff90.json deleted file mode 100755 index f0423f63a8..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-4bf62a10-8310-11e9-ac83-47df3568ff90.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Cloudwatch CPU Available [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"bb21d180-830d-11e9-9c4c-391fa0a2e15f\"}],\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"filter\":\"\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"lucene\",\"query\":\"(aws.cloudwatch.namespace:\\\"AWS/ECS\\\") AND (_exists_: aws.ecs.metrics.CPUReservation) AND (_exists_: aws.ecs.metrics.CPUUtilization)\"},\"formatter\":\"percent\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":1,\"metrics\":[{\"field\":\"aws.ecs.metrics.CPUUtilization\",\"id\":\"17f8ddf0-830d-11e9-9f3d-ed346f48a007\",\"type\":\"sum\"},{\"field\":\"aws.ecs.metrics.CPUReservation\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"sum\"},{\"id\":\"68a93050-830e-11e9-9c4c-391fa0a2e15f\",\"script\":\"(params.res - params.util) / 100\",\"type\":\"math\",\"variables\":[{\"field\":\"17f8ddf0-830d-11e9-9f3d-ed346f48a007\",\"id\":\"6f338920-830e-11e9-9c4c-391fa0a2e15f\",\"name\":\"util\"},{\"field\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"id\":\"7ab9f9a0-830e-11e9-9c4c-391fa0a2e15f\",\"name\":\"res\"}]}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.dimensions.ClusterName\",\"terms_order_by\":\"_key\",\"terms_size\":\"5\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\"},\"title\":\"AWS Cloudwatch CPU 
Available\",\"type\":\"metrics\"}" - }, - "id": "aws-4bf62a10-8310-11e9-ac83-47df3568ff90", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-4c23e4c0-739a-11ea-a345-f985c61fe654.json b/packages/aws/0.5.4/kibana/visualization/aws-4c23e4c0-739a-11ea-a345-f985c61fe654.json deleted file mode 100755 index 8019e9b8b9..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-4c23e4c0-739a-11ea-a345-f985c61fe654.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "CloudTrail Event Outcome over time [Logs AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.outcome\",\"missingBucket\":true,\"missingBucketLabel\":\"[unknown]\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show
\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"CloudTrail Event Outcome over time [Logs AWS]\",\"type\":\"area\"}" - }, - "id": "aws-4c23e4c0-739a-11ea-a345-f985c61fe654", - "references": [ - { - "id": "aws-30ccde50-7397-11ea-a345-f985c61fe654", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-53730d20-437e-11e9-8697-530f39afc6eb.json b/packages/aws/0.5.4/kibana/visualization/aws-53730d20-437e-11e9-8697-530f39afc6eb.json deleted file mode 100755 index 1c1f59f934..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-53730d20-437e-11e9-8697-530f39afc6eb.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "SQS Oldest Message Age in Seconds [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"bar_color_rules\":[{\"id\":\"3e3d3610-437e-11e9-a35d-972620e4f790\"}],\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"AWS SQS Oldest Message Age in Seconds\",\"line_width\":1,\"metrics\":[{\"field\":\"aws.sqs.oldest_message_age.sec\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"max\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.sqs.queue.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"terms_size\":\"5\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"SQS Oldest Message Age in Seconds [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-53730d20-437e-11e9-8697-530f39afc6eb", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-54e88a40-734e-11e9-816b-07687310a99a.json b/packages/aws/0.5.4/kibana/visualization/aws-54e88a40-734e-11e9-816b-07687310a99a.json deleted file mode 100755 index 3140f9bb32..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-54e88a40-734e-11e9-816b-07687310a99a.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Cloudwatch Lambda Errors Top5 [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cbb498f0-734c-11e9-a683-47ca322fa6f9\"}],\"bar_color_rules\":[{\"id\":\"94f2ce40-734c-11e9-a683-47ca322fa6f9\"}],\"default_index_pattern\":\"metrics-*\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Lambda Errors\",\"line_width\":1,\"metrics\":[{\"field\":\"aws.lambda.metrics.Errors\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.dimensions.FunctionName\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"terms_size\":\"5\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"AWS Cloudwatch Lambda Errors Top5\",\"type\":\"metrics\"}" - }, - "id": "aws-54e88a40-734e-11e9-816b-07687310a99a", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-572d40e0-b3ca-11e9-87a4-078dbbae220d.json b/packages/aws/0.5.4/kibana/visualization/aws-572d40e0-b3ca-11e9-87a4-078dbbae220d.json deleted file mode 100755 index d4a4d4213c..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-572d40e0-b3ca-11e9-87a4-078dbbae220d.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "ELB Backend Connection Errors [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_min\":\"0\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"7e66beb0-b3c6-11e9-af6e-ef22c5680226\"}],\"bar_color_rules\":[{\"id\":\"7db91990-b3c6-11e9-af6e-ef22c5680226\"}],\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"filter\":\"\",\"gauge_color_rules\":[{\"id\":\"7d0b9b80-b3c6-11e9-af6e-ef22c5680226\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"35d3cbc0-b3c6-11e9-bf3f-29d51aa3d971\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#3185FC\",\"fill\":\"00\",\"formatter\":\"number\",\"id\":\"35d3cbc1-b3c6-11e9-bf3f-29d51aa3d971\",\"label\":\"Backend Connection Errors\",\"line_width\":2,\"metrics\":[{\"field\":\"aws.elb.metrics.BackendConnectionErrors.sum\",\"id\":\"35d3cbc2-b3c6-11e9-bf3f-29d51aa3d971\",\"type\":\"avg\"}],\"point_size\":\"5\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"steps\":0,\"terms_field\":\"aws.dimensions.LoadBalancerName\",\"terms_order_by\":\"35d3cbc2-b3c6-11e9-bf3f-29d51aa3d971\",\"value_template\":\"{{value}}\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"ELB Backend Connection Errors [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-572d40e0-b3ca-11e9-87a4-078dbbae220d", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-58e17c10-7349-11e9-816b-07687310a99a.json b/packages/aws/0.5.4/kibana/visualization/aws-58e17c10-7349-11e9-816b-07687310a99a.json deleted file mode 100755 index 4ce4d4456c..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-58e17c10-7349-11e9-816b-07687310a99a.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "S3 Total Error 5xx [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"59207fe0-4762-11e9-bf81-69a4e579cab5\"}],\"bar_color_rules\":[{\"id\":\"5ad9a190-4762-11e9-bf81-69a4e579cab5\"}],\"default_index_pattern\":\"metrics-*\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Total # of HTTP 5xx Errors\",\"line_width\":1,\"metrics\":[{\"field\":\"aws.s3_request.errors.5xx\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"sum\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"metric\"},\"title\":\"AWS S3 Total Error 5xx\",\"type\":\"metrics\"}" - }, - "id": "aws-58e17c10-7349-11e9-816b-07687310a99a", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-58f5a3c0-6943-11ea-b0ac-95d4ecb1fecd.json b/packages/aws/0.5.4/kibana/visualization/aws-58f5a3c0-6943-11ea-b0ac-95d4ecb1fecd.json deleted file mode 100755 index 0f8eb5199f..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-58f5a3c0-6943-11ea-b0ac-95d4ecb1fecd.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "VPN Tunnel Data State Per Tunnel IP [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"05e19c00-693b-11ea-8bb6-25461aeac3d5\"}],\"bar_color_rules\":[{\"id\":\"fdd5ac40-693a-11ea-8bb6-25461aeac3d5\"}],\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"aws.vpn.metrics.TunnelState.avg\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.dimensions.TunnelIpAddress\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"top_n\"},\"title\":\"VPN Tunnel Data State Per Tunnel IP [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-58f5a3c0-6943-11ea-b0ac-95d4ecb1fecd", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-59defc90-17a5-11ea-8e91-03c7047cbb9d.json b/packages/aws/0.5.4/kibana/visualization/aws-59defc90-17a5-11ea-8e91-03c7047cbb9d.json deleted file mode 100755 index 76ac999b2e..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-59defc90-17a5-11ea-8e91-03c7047cbb9d.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "SNS Topic Name Filter [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"aws.dimensions.TopicName\",\"id\":\"1565034367477\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"topic name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":true,\"useTimeFilter\":true},\"title\":\"SNS Topic Name Filter [Metrics AWS]\",\"type\":\"input_control_vis\"}" - }, - "id": "aws-59defc90-17a5-11ea-8e91-03c7047cbb9d", - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-59e2e110-178d-11ea-8650-fb606deb5be4.json b/packages/aws/0.5.4/kibana/visualization/aws-59e2e110-178d-11ea-8650-fb606deb5be4.json deleted file mode 100755 index e86976c2f9..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-59e2e110-178d-11ea-8650-fb606deb5be4.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Usage Resource Count Per Service [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"aws.dimensions.Type : \\\"Resource\\\" \"},\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"aws.usage.metrics.ResourceCount.sum\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"sum\"}],\"point_size\":\"4\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.dimensions.Service\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"Usage Resource Count Per Service [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-59e2e110-178d-11ea-8650-fb606deb5be4", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-5c93cd10-bac3-11e9-9f70-1f7bda85a5eb.json b/packages/aws/0.5.4/kibana/visualization/aws-5c93cd10-bac3-11e9-9f70-1f7bda85a5eb.json deleted file mode 100755 index fd7f329970..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-5c93cd10-bac3-11e9-9f70-1f7bda85a5eb.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Http Status over time [Logs AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"filter\":{\"language\":\"lucene\",\"query\":\"data_stream.dataset:aws.s3access\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"legend_position\":\"bottom\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"bar\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Http Status\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"#68BC00\",\"filter\":{\"language\":\"kuery\",\"query\":\"aws.s3access.http_status \\u003c 300 and aws.s3access.http_status \\u003e= 200\"},\"id\":\"5acdc750-a29d-11e7-a062-a1c3587f4874\",\"label\":\"200s\"},{\"color\":\"rgba(252,196,0,1)\",\"filter\":{\"language\":\"kuery\",\"query\":\"aws.s3access.http_status \\u003c 400 and aws.s3access.http_status \\u003e= 300\"},\"id\":\"6efd2ae0-a29d-11e7-a062-a1c3587f4874\",\"label\":\"300s\"},{\"color\":\"rgba(211,49,21,1)\",\"filter\":{\"language\":\"kuery\",\"query\":\"aws.s3access.http_status \\u003c 500 and aws.s3access.http_status \\u003e= 400\"},\"id\":\"76089a90-a29d-11e7-a062-a1c3587f4874\",\"label\":\"400s\"},{\"color\":\"rgba(171,20,158,1)\",\"filter\":{\"language\":\"kuery\",\"query\":\"aws.s3access.http_status \\u003c 600 and aws.s3access.http_status \\u003e= 
500\"},\"id\":\"7c7929d0-a29d-11e7-a062-a1c3587f4874\",\"label\":\"500s\"}],\"split_mode\":\"filters\",\"stacked\":\"stacked\",\"terms_field\":\"http.response.status_code\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"Http Status over time [Logs AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-5c93cd10-bac3-11e9-9f70-1f7bda85a5eb", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-6392bc30-b3c9-11e9-87a4-078dbbae220d.json b/packages/aws/0.5.4/kibana/visualization/aws-6392bc30-b3c9-11e9-87a4-078dbbae220d.json deleted file mode 100755 index ce16853c1c..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-6392bc30-b3c9-11e9-87a4-078dbbae220d.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "ELB Healthy Host Count [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(104,188,0,1)\",\"color\":\"rgba(255,255,255,1)\",\"id\":\"7e66beb0-b3c6-11e9-af6e-ef22c5680226\",\"operator\":\"gt\",\"value\":0}],\"bar_color_rules\":[{\"id\":\"7db91990-b3c6-11e9-af6e-ef22c5680226\"}],\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"filter\":\"\",\"gauge_color_rules\":[{\"id\":\"7d0b9b80-b3c6-11e9-af6e-ef22c5680226\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"35d3cbc0-b3c6-11e9-bf3f-29d51aa3d971\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#3185FC\",\"fill\":0,\"formatter\":\"number\",\"id\":\"35d3cbc1-b3c6-11e9-bf3f-29d51aa3d971\",\"label\":\"Healthy Host Count\",\"line_width\":2,\"metrics\":[{\"field\":\"aws.elb.metrics.HealthyHostCount.max\",\"id\":\"35d3cbc2-b3c6-11e9-bf3f-29d51aa3d971\",\"type\":\"max\"}],\"point_size\":0,\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"terms_field\":\"aws.dimensions.AvailabilityZone\",\"terms_order_by\":\"35d3cbc2-b3c6-11e9-bf3f-29d51aa3d971\",\"value_template\":\"{{value}}\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"metric\"},\"title\":\"ELB Healthy Host Count [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-6392bc30-b3c9-11e9-87a4-078dbbae220d", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-67f43080-b7b9-11e9-8349-f15f850c5cd0.json b/packages/aws/0.5.4/kibana/visualization/aws-67f43080-b7b9-11e9-8349-f15f850c5cd0.json deleted file mode 100755 index 665436cb63..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-67f43080-b7b9-11e9-8349-f15f850c5cd0.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "EBS Volume Idle Time [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_min\":\"0\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"series\":[{\"axis_min\":\"0\",\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"s,s,1\",\"hide_in_legend\":0,\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Volume Idle Time\",\"line_width\":1,\"metrics\":[{\"field\":\"aws.ebs.metrics.VolumeIdleTime.sum\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"5\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.dimensions.VolumeId\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\"},\"title\":\"EBS Volume Idle Time [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-67f43080-b7b9-11e9-8349-f15f850c5cd0", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-681aab60-178c-11ea-8650-fb606deb5be4.json b/packages/aws/0.5.4/kibana/visualization/aws-681aab60-178c-11ea-8650-fb606deb5be4.json deleted file mode 100755 index 4db789860f..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-681aab60-178c-11ea-8650-fb606deb5be4.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Usage CallCount [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"aws.usage.metrics.CallCount.sum\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"filters\":[{\"input\":{\"language\":\"kuery\",\"query\":\"aws.dimensions.Type : \\\"API\\\" \"},\"label\":\"\"}],\"row\":true},\"schema\":\"split\",\"type\":\"filters\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"aws.dimensions.Service\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"field\":\"aws.dimensions.Resource\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":4,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metric\":{\"accessor\":3,\"aggType\":\"sum\",\"format\":{\"id\":\"number\"},\"params\":{}},\"splitRow\":[{\"accessor\":0,\"aggType\":\"filters\",\"format\":{},\"params\":{}}]},\"isDonut\":true,\"labels\":{\"last_level\":false,\"show\":true,\"truncate\":100,\"values\":true},\"legendPosi
tion\":\"right\",\"type\":\"pie\"},\"title\":\"Usage CallCount [Metrics AWS]\",\"type\":\"pie\"}" - }, - "id": "aws-681aab60-178c-11ea-8650-fb606deb5be4", - "references": [ - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-68970b10-6890-11ea-b0ac-95d4ecb1fecd.json b/packages/aws/0.5.4/kibana/visualization/aws-68970b10-6890-11ea-b0ac-95d4ecb1fecd.json deleted file mode 100755 index 286009aedf..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-68970b10-6890-11ea-b0ac-95d4ecb1fecd.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "NATGateway Connection Established [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"688b0480-688d-11ea-8b7d-fd9d15a13cd0\",\"value\":0}],\"bar_color_rules\":[{\"id\":\"6b6b1a00-688d-11ea-8b7d-fd9d15a13cd0\"}],\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"formatter\":\"number\",\"id\":\"f444c0e0-688f-11ea-8b7d-fd9d15a13cd0\",\"label\":\"Total Connections Established\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"aws.natgateway.metrics.ConnectionEstablishedCount.sum\",\"id\":\"f444c0e1-688f-11ea-8b7d-fd9d15a13cd0\",\"type\":\"sum\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"terms_field\":\"aws.dimensions.NatGatewayId\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"last_value\",\"type\":\"metric\"},\"title\":\"NATGateway Connection Established [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-68970b10-6890-11ea-b0ac-95d4ecb1fecd", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-6e3285d0-4763-11e9-8062-c98a86cb6f94.json b/packages/aws/0.5.4/kibana/visualization/aws-6e3285d0-4763-11e9-8062-c98a86cb6f94.json deleted file mode 100755 index 6b2d4a0a7a..0000000000 
--- a/packages/aws/0.5.4/kibana/visualization/aws-6e3285d0-4763-11e9-8062-c98a86cb6f94.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "S3 Filters [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"cloud.region\",\"id\":\"1549397251041\",\"indexPattern\":\"metrics-*\",\"label\":\"region\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"aws.s3.bucket.name\",\"id\":\"1549512142947\",\"indexPattern\":\"metrics-*\",\"label\":\"s3 bucket name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":true,\"useTimeFilter\":false},\"title\":\"AWS S3 Filters\",\"type\":\"input_control_vis\"}" - }, - "id": "aws-6e3285d0-4763-11e9-8062-c98a86cb6f94", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-6f7f7680-180c-11ea-8e91-03c7047cbb9d.json b/packages/aws/0.5.4/kibana/visualization/aws-6f7f7680-180c-11ea-8e91-03c7047cbb9d.json deleted file mode 100755 index d9feeec45e..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-6f7f7680-180c-11ea-8e91-03c7047cbb9d.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "SNS Publish Size [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_min\":\"0\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Publish Size\",\"line_width\":1,\"metrics\":[{\"field\":\"aws.sns.metrics.PublishSize.avg\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"5\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":null,\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\"},\"title\":\"SNS Publish Size [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-6f7f7680-180c-11ea-8e91-03c7047cbb9d", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-6fc1efd0-b3c9-11e9-87a4-078dbbae220d.json b/packages/aws/0.5.4/kibana/visualization/aws-6fc1efd0-b3c9-11e9-87a4-078dbbae220d.json deleted file mode 100755 index 173b85bf99..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-6fc1efd0-b3c9-11e9-87a4-078dbbae220d.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "ELB Unhealthy Host Count [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(244,78,59,1)\",\"color\":\"rgba(255,255,255,1)\",\"id\":\"7e66beb0-b3c6-11e9-af6e-ef22c5680226\",\"operator\":\"gt\",\"value\":0}],\"bar_color_rules\":[{\"id\":\"7db91990-b3c6-11e9-af6e-ef22c5680226\"}],\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"filter\":\"\",\"gauge_color_rules\":[{\"id\":\"7d0b9b80-b3c6-11e9-af6e-ef22c5680226\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"35d3cbc0-b3c6-11e9-bf3f-29d51aa3d971\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#3185FC\",\"fill\":0,\"formatter\":\"number\",\"id\":\"35d3cbc1-b3c6-11e9-bf3f-29d51aa3d971\",\"label\":\"Unhealthy Host Count\",\"line_width\":2,\"metrics\":[{\"field\":\"aws.elb.metrics.UnHealthyHostCount.max\",\"id\":\"35d3cbc2-b3c6-11e9-bf3f-29d51aa3d971\",\"type\":\"max\"}],\"point_size\":0,\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"terms_field\":\"aws.dimensions.AvailabilityZone\",\"terms_order_by\":\"35d3cbc2-b3c6-11e9-bf3f-29d51aa3d971\",\"value_template\":\"{{value}}\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"metric\"},\"title\":\"ELB Unhealthy Host Count [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-6fc1efd0-b3c9-11e9-87a4-078dbbae220d", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-73970bc0-3e86-11ea-bb0a-69c3ca1d410f.json b/packages/aws/0.5.4/kibana/visualization/aws-73970bc0-3e86-11ea-bb0a-69c3ca1d410f.json deleted file mode 100755 index dd92ed487d..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-73970bc0-3e86-11ea-bb0a-69c3ca1d410f.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "ELB Top User Agents [Logs AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_min\":\"0\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"29527130-3e86-11ea-9067-cf383a4ea3b3\"}],\"bar_color_rules\":[{\"id\":\"cc6d5070-3e85-11ea-9067-cf383a4ea3b3\"}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"gauge_color_rules\":[{\"id\":\"2b29c940-3e86-11ea-9067-cf383a4ea3b3\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"pivot_id\":\"user_agent.original\",\"pivot_type\":\"string\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(104,188,0,1)\",\"color_rules\":[{\"id\":\"42e14220-3e86-11ea-9067-cf383a4ea3b3\"}],\"fill\":0.5,\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"aws.elb_logs\\\" \"},\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"User Agent\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"},{\"field\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"id\":\"2010cb20-3e87-11ea-9067-cf383a4ea3b3\",\"type\":\"cumulative_sum\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"user_agent.original\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"top_n\"},\"title\":\"ELB Top User Agents [Logs AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-73970bc0-3e86-11ea-bb0a-69c3ca1d410f", - "references": [], - 
"type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-749cd470-1530-11ea-841c-01bf20a6c8ba.json b/packages/aws/0.5.4/kibana/visualization/aws-749cd470-1530-11ea-841c-01bf20a6c8ba.json deleted file mode 100755 index 4ed1e99bdf..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-749cd470-1530-11ea-841c-01bf20a6c8ba.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Estimated Billing Pie Chart [Metrics AWS]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"16\":\"#629E51\",\"272\":\"#DEDAF7\",\"80\":\"#E24D42\",\"running\":\"#7EB26D\",\"stopped\":\"#E24D42\"},\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\",\"field\":\"aws.billing.metrics.EstimatedCharges.max\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"\",\"field\":\"aws.dimensions.ServiceName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderAgg\":{\"enabled\":true,\"id\":\"2-orderAgg\",\"params\":{\"field\":\"aws.billing.metrics.EstimatedCharges.max\"},\"schema\":\"orderAgg\",\"type\":\"avg\"},\"orderBy\":\"custom\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"sum\",\"format\":{\"id\":\"number\"},\"params\":{}}},\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":true,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Estimated Billing Pie Chart [Metrics AWS]\",\"type\":\"pie\"}" - }, - "id": "aws-749cd470-1530-11ea-841c-01bf20a6c8ba", - "references": [ - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-75853f20-4484-11ea-ad63-791a5dc86f10.json b/packages/aws/0.5.4/kibana/visualization/aws-75853f20-4484-11ea-ad63-791a5dc86f10.json deleted file mode 100755 index afa3188fd0..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-75853f20-4484-11ea-ad63-791a5dc86f10.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "VPC Flow Top IP Addresses [Logs AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_min\":\"0\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"29527130-3e86-11ea-9067-cf383a4ea3b3\"}],\"bar_color_rules\":[{\"id\":\"cc6d5070-3e85-11ea-9067-cf383a4ea3b3\"}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"gauge_color_rules\":[{\"id\":\"2b29c940-3e86-11ea-9067-cf383a4ea3b3\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"pivot_id\":\"user_agent.original\",\"pivot_type\":\"string\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(115,216,255,1)\",\"color_rules\":[{\"id\":\"42e14220-3e86-11ea-9067-cf383a4ea3b3\"}],\"fill\":0.5,\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"aws.vpcflow\\\" \"},\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"IP 
address\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"},{\"field\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"id\":\"40c52370-3e87-11ea-9067-cf383a4ea3b3\",\"type\":\"cumulative_sum\"}],\"override_index_pattern\":1,\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"series_index_pattern\":\"logs-*\",\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"source.ip\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"top_n\"},\"title\":\"VPC Flow Top IP Addresses [Logs AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-75853f20-4484-11ea-ad63-791a5dc86f10", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-75ebfda0-1789-11ea-8650-fb606deb5be4.json b/packages/aws/0.5.4/kibana/visualization/aws-75ebfda0-1789-11ea-8650-fb606deb5be4.json deleted file mode 100755 index a44977b5b3..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-75ebfda0-1789-11ea-8650-fb606deb5be4.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Usage Call Count Per Service [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"aws.dimensions.Type : \\\"API\\\" \"},\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"aws.usage.metrics.CallCount.sum\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"sum\"}],\"point_size\":\"4\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.dimensions.Service\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"Usage Call Count Per Service [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-75ebfda0-1789-11ea-8650-fb606deb5be4", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-76af8140-3e84-11ea-bb0a-69c3ca1d410f.json b/packages/aws/0.5.4/kibana/visualization/aws-76af8140-3e84-11ea-bb0a-69c3ca1d410f.json deleted file mode 100755 index 1276976d76..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-76af8140-3e84-11ea-bb0a-69c3ca1d410f.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "ELB Inbound Traffic [Logs AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_min\":\"0\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(104,204,202,1)\",\"fill\":0.5,\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"aws.elb_logs\\\"\"},\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Inbound\",\"line_width\":1,\"metrics\":[{\"field\":\"source.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"sum\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.elb.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\"},\"title\":\"ELB Inbound Traffic [Logs AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-76af8140-3e84-11ea-bb0a-69c3ca1d410f", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-7b93bab0-7b0a-11ea-9bb4-e958b64b5685.json b/packages/aws/0.5.4/kibana/visualization/aws-7b93bab0-7b0a-11ea-9bb4-e958b64b5685.json deleted file mode 100755 index 6f39f785e8..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-7b93bab0-7b0a-11ea-9bb4-e958b64b5685.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "DynamoDB Read Throttle Events [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0.1\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Read Throttle Events\",\"line_width\":1,\"metrics\":[{\"field\":\"aws.dynamodb.metrics.ReadThrottleEvents.sum\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"max\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.dimensions.TableName\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\"},\"title\":\"DynamoDB Read Throttle Events [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-7b93bab0-7b0a-11ea-9bb4-e958b64b5685", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-7bca4f50-739c-11ea-a345-f985c61fe654.json b/packages/aws/0.5.4/kibana/visualization/aws-7bca4f50-739c-11ea-a345-f985c61fe654.json deleted file mode 100755 index 533e10d6e4..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-7bca4f50-739c-11ea-a345-f985c61fe654.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "CloudTrail User Agents [Logs AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user_agent.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"CloudTrail User Agents [Logs AWS]\",\"type\":\"pie\"}" - }, - "id": "aws-7bca4f50-739c-11ea-a345-f985c61fe654", - "references": [ - { - "id": "aws-30ccde50-7397-11ea-a345-f985c61fe654", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-7d1e0870-7a3f-11ea-bfa4-dfea8c457654.json b/packages/aws/0.5.4/kibana/visualization/aws-7d1e0870-7a3f-11ea-bfa4-dfea8c457654.json deleted file mode 100755 index d32ad92bf8..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-7d1e0870-7a3f-11ea-bfa4-dfea8c457654.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - }, - "title": "DynamoDB Max Read/Write Account Limits [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Reads\",\"field\":\"aws.dynamodb.metrics.AccountMaxReads.max\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Table Reads\",\"field\":\"aws.dynamodb.metrics.AccountMaxTableLevelReads.max\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Writes\",\"field\":\"aws.dynamodb.metrics.AccountMaxWrites.max\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Table Writes\",\"field\":\"aws.dynamodb.metrics.AccountMaxTableLevelWrites.max\"},\"schema\":\"metric\",\"type\":\"max\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"dimensions\":{\"x\":null,\"y\":[{\"accessor\":0,\"aggType\":\"max\",\"format\":{\"id\":\"number\",\"params\":{\"parsedUrl\":{\"basePath\":\"\",\"origin\":\"http://localhost:5601\",\"pathname\":\"/app/kibana\"}}},\"label\":\"Reads\",\"params\":{}},{\"accessor\":1,\"aggType\":\"max\",\"format\":{\"id\":\"number\",\"params\":{\"parsedUrl\":{\"basePath\":\"\",\"origin\":\"http://localhost:5601\",\"pathname\":\"/app/kibana\"}}},\"label\":\"Table 
Reads\",\"params\":{}},{\"accessor\":2,\"aggType\":\"max\",\"format\":{\"id\":\"number\",\"params\":{\"parsedUrl\":{\"basePath\":\"\",\"origin\":\"http://localhost:5601\",\"pathname\":\"/app/kibana\"}}},\"label\":\"Writes\",\"params\":{}}]},\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Reads\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"2\",\"label\":\"Table Reads\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Writes\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"4\",\"label\":\"Table Writes\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Account Max Reads\"},\"type\":\"value\"}]},\"title\":\"DynamoDB Max Read/Write Account Limits [Metrics AWS]\",\"type\":\"histogram\"}" - }, - "id": "aws-7d1e0870-7a3f-11ea-bfa4-dfea8c457654", - "references": [ - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-81d83c70-4762-11e9-8062-c98a86cb6f94.json b/packages/aws/0.5.4/kibana/visualization/aws-81d83c70-4762-11e9-8062-c98a86cb6f94.json deleted file mode 100755 index d9a6847a0a..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-81d83c70-4762-11e9-8062-c98a86cb6f94.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "S3 Total Error 4xx [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"59207fe0-4762-11e9-bf81-69a4e579cab5\"}],\"bar_color_rules\":[{\"id\":\"5ad9a190-4762-11e9-bf81-69a4e579cab5\"}],\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Total # of HTTP 4xx Errors\",\"line_width\":1,\"metrics\":[{\"field\":\"aws.s3_request.errors.4xx\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"sum\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"metric\"},\"title\":\"AWS S3 Total Error 4xx\",\"type\":\"metrics\"}" - }, - "id": "aws-81d83c70-4762-11e9-8062-c98a86cb6f94", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-8345d580-6891-11ea-b0ac-95d4ecb1fecd.json b/packages/aws/0.5.4/kibana/visualization/aws-8345d580-6891-11ea-b0ac-95d4ecb1fecd.json deleted file mode 100755 index 56a51ba536..0000000000 
--- a/packages/aws/0.5.4/kibana/visualization/aws-8345d580-6891-11ea-b0ac-95d4ecb1fecd.json +++ /dev/null @@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "NATGateway Filters [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"cloud.account.name\",\"id\":\"1565034367477\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"account name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"cloud.region\",\"id\":\"1584478324642\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"region\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"aws.dimensions.NatGatewayId\",\"id\":\"1584479118709\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"NATGateway ID\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":true,\"useTimeFilter\":true},\"title\":\"NATGateway Filters [Metrics AWS]\",\"type\":\"input_control_vis\"}" - }, - "id": "aws-8345d580-6891-11ea-b0ac-95d4ecb1fecd", - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_2_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-83f08eb0-1532-11ea-841c-01bf20a6c8ba.json b/packages/aws/0.5.4/kibana/visualization/aws-83f08eb0-1532-11ea-841c-01bf20a6c8ba.json deleted file mode 100755 index 04e3baf92c..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-83f08eb0-1532-11ea-841c-01bf20a6c8ba.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Total Estimated Charges [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"88a80e30-1530-11ea-961e-c1db9cc6166e\"}],\"bar_color_rules\":[{\"id\":\"ebb52700-1531-11ea-961e-c1db9cc6166e\"}],\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"gauge_color_rules\":[{\"id\":\"e8a045e0-1531-11ea-961e-c1db9cc6166e\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"12h\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"filter\":{\"language\":\"kuery\",\"query\":\"not aws.dimensions.ServiceName : * \"},\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Total Estimated Charges\",\"line_width\":1,\"metrics\":[{\"field\":\"aws.billing.metrics.EstimatedCharges.max\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"sum\"}],\"override_index_pattern\":0,\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"series_interval\":\"12h\",\"split_color_mode\":\"gradient\",\"split_mode\":\"filter\",\"stacked\":\"none\",\"time_range_mode\":\"last_value\",\"value_template\":\"${{value}}\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"metric\"},\"title\":\"Total Estimated Charges [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-83f08eb0-1532-11ea-841c-01bf20a6c8ba", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-8b34a100-4762-11e9-8062-c98a86cb6f94.json b/packages/aws/0.5.4/kibana/visualization/aws-8b34a100-4762-11e9-8062-c98a86cb6f94.json deleted file mode 100755 index 11789561dd..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-8b34a100-4762-11e9-8062-c98a86cb6f94.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "S3 Total Error 5xx [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"59207fe0-4762-11e9-bf81-69a4e579cab5\"}],\"bar_color_rules\":[{\"id\":\"5ad9a190-4762-11e9-bf81-69a4e579cab5\"}],\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Total # of HTTP 5xx Errors\",\"line_width\":1,\"metrics\":[{\"field\":\"aws.s3_request.errors.5xx\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"sum\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"metric\"},\"title\":\"AWS S3 Total Error 5xx\",\"type\":\"metrics\"}" - }, - "id": "aws-8b34a100-4762-11e9-8062-c98a86cb6f94", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-8b8a7f80-921c-11e9-aa19-159bf182e06f.json b/packages/aws/0.5.4/kibana/visualization/aws-8b8a7f80-921c-11e9-aa19-159bf182e06f.json deleted file mode 100755 index 30f76f4908..0000000000 
--- a/packages/aws/0.5.4/kibana/visualization/aws-8b8a7f80-921c-11e9-aa19-159bf182e06f.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "RDS Insert Latency in Milliseconds [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_min\":\"0\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"28cacdf0-921c-11e9-badf-4b42bd1ef543\"}],\"bar_color_rules\":[{\"id\":\"f8196690-921a-11e9-badf-4b42bd1ef543\"}],\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"ms,ms,\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Insert Latency in Milliseconds\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"aws.rds.latency.insert\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"5\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.rds.db_instance.identifier\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\"},\"title\":\"RDS Insert Latency in Milliseconds [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-8b8a7f80-921c-11e9-aa19-159bf182e06f", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-8cf5fbe0-7b07-11ea-9bb4-e958b64b5685.json b/packages/aws/0.5.4/kibana/visualization/aws-8cf5fbe0-7b07-11ea-9bb4-e958b64b5685.json deleted file mode 100755 index d5bfffcc0e..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-8cf5fbe0-7b07-11ea-9bb4-e958b64b5685.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "DynamoDB Successful Request Latency [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"43e58670-7b05-11ea-8ef8-01625a2f68ac\"}],\"bar_color_rules\":[{\"id\":\"3c733ea0-7b05-11ea-8ef8-01625a2f68ac\"}],\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":1,\"gauge_color_rules\":[{\"id\":\"499c62a0-7b05-11ea-8ef8-01625a2f68ac\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0.1\",\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Successful Request Latency\",\"line_width\":1,\"metrics\":[{\"field\":\"aws.dynamodb.metrics.SuccessfulRequestLatency.avg\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"offset_time\":\"\",\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"steps\":0,\"terms_field\":\"aws.dimensions.TableName\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\"},\"title\":\"DynamoDB Successful Request Latency [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-8cf5fbe0-7b07-11ea-9bb4-e958b64b5685", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-8ec43590-739b-11ea-a345-f985c61fe654.json b/packages/aws/0.5.4/kibana/visualization/aws-8ec43590-739b-11ea-a345-f985c61fe654.json deleted file mode 100755 index 59f8ffd72a..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-8ec43590-739b-11ea-a345-f985c61fe654.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "CloudTrail Top User IDs [Logs AWS]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"User ID\",\"field\":\"user.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":25},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"CloudTrail Top User IDs [Logs AWS]\",\"type\":\"table\"}" - }, - "id": "aws-8ec43590-739b-11ea-a345-f985c61fe654", - "references": [ - { - "id": "aws-30ccde50-7397-11ea-a345-f985c61fe654", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-9121ac90-734d-11e9-816b-07687310a99a.json b/packages/aws/0.5.4/kibana/visualization/aws-9121ac90-734d-11e9-816b-07687310a99a.json deleted file mode 100755 index faf1754a5d..0000000000 
--- a/packages/aws/0.5.4/kibana/visualization/aws-9121ac90-734d-11e9-816b-07687310a99a.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Cloudwatch ELB Unhealthy Host Count [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cbb498f0-734c-11e9-a683-47ca322fa6f9\"}],\"bar_color_rules\":[{\"id\":\"94f2ce40-734c-11e9-a683-47ca322fa6f9\"}],\"default_index_pattern\":\"metrics-*\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"ELB Unhealthy Host Count\",\"line_width\":1,\"metrics\":[{\"field\":\"aws.elb.metrics.UnHealthyHostCount\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"sum\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.dimensions.LoadBalancerName\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"terms_size\":\"5\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"AWS Cloudwatch ELB Unhealthy Host Count\",\"type\":\"metrics\"}" - }, - "id": "aws-9121ac90-734d-11e9-816b-07687310a99a", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-915bcd50-28d1-11ea-ba6c-49a884eb104f.json b/packages/aws/0.5.4/kibana/visualization/aws-915bcd50-28d1-11ea-ba6c-49a884eb104f.json deleted file mode 100755 index cc61231977..0000000000 
--- a/packages/aws/0.5.4/kibana/visualization/aws-915bcd50-28d1-11ea-ba6c-49a884eb104f.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Lambda Top Throttles [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_min\":0,\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"fbf0eac0-28d0-11ea-8789-f72e3366fb25\"}],\"bar_color_rules\":[{\"id\":\"f679afa0-28d0-11ea-8789-f72e3366fb25\"}],\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"gauge_color_rules\":[{\"id\":\"3eabbde0-28d1-11ea-8789-f72e3366fb25\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"ca2e4c60-28cd-11ea-822d-3ba2c0089081\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#3185FC\",\"fill\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"formatter\":\"number\",\"id\":\"ca2e4c61-28cd-11ea-822d-3ba2c0089081\",\"label\":\"avg(aws.metrics.Duration.avg)\",\"line_width\":2,\"metrics\":[{\"field\":\"aws.lambda.metrics.Duration.avg\",\"id\":\"ca2e4c62-28cd-11ea-822d-3ba2c0089081\",\"type\":\"max\"}],\"point_size\":\"4\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.dimensions.FunctionName\",\"terms_order_by\":\"ca2e4c62-28cd-11ea-822d-3ba2c0089081\",\"type\":\"timeseries\",\"value_template\":\"{{value}}\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Lambda Top Throttles [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-915bcd50-28d1-11ea-ba6c-49a884eb104f", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-9202d1a0-178c-11ea-8650-fb606deb5be4.json b/packages/aws/0.5.4/kibana/visualization/aws-9202d1a0-178c-11ea-8650-fb606deb5be4.json deleted file mode 100755 index bb40091d08..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-9202d1a0-178c-11ea-8650-fb606deb5be4.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Usage ResourceCount [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"aws.usage.metrics.ResourceCount.sum\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"filters\":[{\"input\":{\"language\":\"kuery\",\"query\":\"aws.dimensions.Type : \\\"Resource\\\" \"},\"label\":\"\"}],\"row\":true},\"schema\":\"split\",\"type\":\"filters\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"aws.dimensions.Service\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"field\":\"aws.dimensions.Resource\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":4,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metric\":{\"accessor\":3,\"aggType\":\"sum\",\"format\":{\"id\":\"number\"},\"params\":{}},\"splitRow\":[{\"accessor\":0,\"aggType\":\"filters\",\"format\":{},\"params\":{}}]},\"isDonut\":true,\"labels\":{\"last_level\":false,\"show\":true,\"truncate\":100,\"values\":true}
,\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Usage ResourceCount [Metrics AWS]\",\"type\":\"pie\"}" - }, - "id": "aws-9202d1a0-178c-11ea-8650-fb606deb5be4", - "references": [ - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-95b322f0-734a-11e9-816b-07687310a99a.json b/packages/aws/0.5.4/kibana/visualization/aws-95b322f0-734a-11e9-816b-07687310a99a.json deleted file mode 100755 index 1c8749ae33..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-95b322f0-734a-11e9-816b-07687310a99a.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "SQS Messages Delayed Top5 [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"bar_color_rules\":[{\"id\":\"23be77d0-734a-11e9-a683-47ca322fa6f9\"}],\"default_index_pattern\":\"metrics-*\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"AWS SQS Messages Delayed\",\"line_width\":1,\"metrics\":[{\"field\":\"aws.sqs.messages.delayed\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.sqs.queue.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"terms_size\":\"5\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"AWS SQS Messages Delayed Top5\",\"type\":\"metrics\"}" - }, - "id": "aws-95b322f0-734a-11e9-816b-07687310a99a", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-966ae990-d979-11e9-9458-bbef63ad717b.json b/packages/aws/0.5.4/kibana/visualization/aws-966ae990-d979-11e9-9458-bbef63ad717b.json deleted file mode 100755 index 9800f0ca0b..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-966ae990-d979-11e9-9458-bbef63ad717b.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "RDS Disk Queue Depth [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_min\":\"0\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"28cacdf0-921c-11e9-badf-4b42bd1ef543\"}],\"bar_color_rules\":[{\"id\":\"f8196690-921a-11e9-badf-4b42bd1ef543\"}],\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"'0.000'\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Select Throughput Count/Second\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"aws.rds.disk_queue_depth\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"5\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.rds.db_instance.identifier\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\"},\"title\":\"RDS Disk Queue Depth [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-966ae990-d979-11e9-9458-bbef63ad717b", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-99ffdb00-bacb-11e9-9f70-1f7bda85a5eb.json b/packages/aws/0.5.4/kibana/visualization/aws-99ffdb00-bacb-11e9-9f70-1f7bda85a5eb.json deleted file mode 100755 index 4de28a3b8d..0000000000 
--- a/packages/aws/0.5.4/kibana/visualization/aws-99ffdb00-bacb-11e9-9f70-1f7bda85a5eb.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Top URLs [Logs AWS]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"404\":\"#EAB839\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Request Uri\",\"field\":\"aws.s3access.request_uri\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"row\":false,\"size\":5},\"schema\":\"split\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"HTTP Status\",\"field\":\"aws.s3access.http_status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metric\":{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}},\"splitColumn\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}]},\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Top URLs [Logs AWS]\",\"type\":\"pie\"}" - }, - "id": "aws-99ffdb00-bacb-11e9-9f70-1f7bda85a5eb", - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-9bf8e1e0-6890-11ea-b0ac-95d4ecb1fecd.json b/packages/aws/0.5.4/kibana/visualization/aws-9bf8e1e0-6890-11ea-b0ac-95d4ecb1fecd.json deleted file mode 100755 index 113a53d617..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-9bf8e1e0-6890-11ea-b0ac-95d4ecb1fecd.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "NATGateway Packet Drop [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"688b0480-688d-11ea-8b7d-fd9d15a13cd0\",\"value\":0}],\"bar_color_rules\":[{\"id\":\"6b6b1a00-688d-11ea-8b7d-fd9d15a13cd0\"}],\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"formatter\":\"number\",\"id\":\"f444c0e0-688f-11ea-8b7d-fd9d15a13cd0\",\"label\":\"Total Packets Drop\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"aws.natgateway.metrics.PacketsDropCount.sum\",\"id\":\"f444c0e1-688f-11ea-8b7d-fd9d15a13cd0\",\"type\":\"sum\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"terms_field\":\"aws.dimensions.NatGatewayId\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"last_value\",\"type\":\"metric\"},\"title\":\"NATGateway Packet Drop [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-9bf8e1e0-6890-11ea-b0ac-95d4ecb1fecd", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-9d284bc0-7b08-11ea-9bb4-e958b64b5685.json b/packages/aws/0.5.4/kibana/visualization/aws-9d284bc0-7b08-11ea-9bb4-e958b64b5685.json deleted file mode 100755 index ae779557db..0000000000 
--- a/packages/aws/0.5.4/kibana/visualization/aws-9d284bc0-7b08-11ea-9bb4-e958b64b5685.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "DynamoDB Consumed Read Capacity Units [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"43e58670-7b05-11ea-8ef8-01625a2f68ac\"}],\"bar_color_rules\":[{\"id\":\"3c733ea0-7b05-11ea-8ef8-01625a2f68ac\"}],\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":1,\"gauge_color_rules\":[{\"id\":\"499c62a0-7b05-11ea-8ef8-01625a2f68ac\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0.1\",\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Consumed Read Capacity Units\",\"line_width\":1,\"metrics\":[{\"field\":\"aws.dynamodb.metrics.ConsumedReadCapacityUnits.avg\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"offset_time\":\"\",\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"steps\":0,\"terms_field\":\"aws.dimensions.TableName\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\"},\"title\":\"DynamoDB Consumed Read Capacity Units [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-9d284bc0-7b08-11ea-9bb4-e958b64b5685", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-9e8c6030-f7f8-11e8-af03-c999c9dea608.json b/packages/aws/0.5.4/kibana/visualization/aws-9e8c6030-f7f8-11e8-af03-c999c9dea608.json deleted file mode 100755 index 56ea22fdf0..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-9e8c6030-f7f8-11e8-af03-c999c9dea608.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "EC2 Status Check Failed [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"d13f6b50-f7f6-11e8-bff8-21537b07dd44\"}],\"bar_color_rules\":[{\"id\":\"ad6d62d0-f7f7-11e8-bff8-21537b07dd44\"}],\"gauge_color_rules\":[{\"id\":\"b0c5b590-f7f7-11e8-bff8-21537b07dd44\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"EC2 Status Check Failed\",\"line_width\":1,\"metrics\":[{\"field\":\"aws.ec2.status.check_failed\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"sum\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.id\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"metric\"},\"title\":\"AWS EC2 Status Check Failed\",\"type\":\"metrics\"}" - }, - "id": "aws-9e8c6030-f7f8-11e8-af03-c999c9dea608", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-9f0425c0-7b0a-11ea-9bb4-e958b64b5685.json b/packages/aws/0.5.4/kibana/visualization/aws-9f0425c0-7b0a-11ea-9bb4-e958b64b5685.json deleted file mode 100755 index f009df9746..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-9f0425c0-7b0a-11ea-9bb4-e958b64b5685.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "DynamoDB Throttle Requests [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0.1\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Throttled Requests\",\"line_width\":1,\"metrics\":[{\"field\":\"aws.dynamodb.metrics.ThrottledRequests.sum\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"max\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.dimensions.TableName\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\"},\"title\":\"DynamoDB Throttle Requests [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-9f0425c0-7b0a-11ea-9bb4-e958b64b5685", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-abdc7480-180b-11ea-8e91-03c7047cbb9d.json b/packages/aws/0.5.4/kibana/visualization/aws-abdc7480-180b-11ea-8e91-03c7047cbb9d.json deleted file mode 100755 index bbb2687a17..0000000000 
--- a/packages/aws/0.5.4/kibana/visualization/aws-abdc7480-180b-11ea-8e91-03c7047cbb9d.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "SNS SMS Success Rate [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_min\":\"0\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"SMS Success Rate\",\"line_width\":1,\"metrics\":[{\"field\":\"aws.sns.metrics.SMSSuccessRate.avg\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"5\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":null,\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\"},\"title\":\"SNS SMS Success Rate [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-abdc7480-180b-11ea-8e91-03c7047cbb9d", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-b00c4390-b7b8-11e9-8349-f15f850c5cd0.json b/packages/aws/0.5.4/kibana/visualization/aws-b00c4390-b7b8-11e9-8349-f15f850c5cd0.json deleted file mode 100755 index 784715cf3a..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-b00c4390-b7b8-11e9-8349-f15f850c5cd0.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "EBS Volume Read Bytes [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_min\":\"0\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Volume Read Bytes\",\"line_width\":1,\"metrics\":[{\"field\":\"aws.ebs.metrics.VolumeReadBytes.avg\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"5\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.dimensions.VolumeId\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\"},\"title\":\"EBS Volume Read Bytes [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-b00c4390-b7b8-11e9-8349-f15f850c5cd0", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-b0afd3e0-43b7-11e9-8697-530f39afc6eb.json b/packages/aws/0.5.4/kibana/visualization/aws-b0afd3e0-43b7-11e9-8697-530f39afc6eb.json deleted file mode 100755 index 03276419e4..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-b0afd3e0-43b7-11e9-8697-530f39afc6eb.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "SQS Filters [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"cloud.region\",\"id\":\"1549397251041\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"region\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"aws.sqs.queue.name\",\"id\":\"1549512142947\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"queue name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":true,\"useTimeFilter\":false},\"title\":\"AWS SQS Filters\",\"type\":\"input_control_vis\"}" - }, - "id": "aws-b0afd3e0-43b7-11e9-8697-530f39afc6eb", - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-b2191dd0-734c-11e9-816b-07687310a99a.json b/packages/aws/0.5.4/kibana/visualization/aws-b2191dd0-734c-11e9-816b-07687310a99a.json deleted file mode 100755 index a68d80323e..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-b2191dd0-734c-11e9-816b-07687310a99a.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Cloudwatch ELB Request Count Top5 [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"bar_color_rules\":[{\"id\":\"94f2ce40-734c-11e9-a683-47ca322fa6f9\"}],\"default_index_pattern\":\"metrics-*\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"ELB Request Count Top5\",\"line_width\":1,\"metrics\":[{\"field\":\"aws.elb.metrics.RequestCount\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"sum\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.dimensions.LoadBalancerName\",\"terms_size\":\"5\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"AWS Cloudwatch ELB Request Count Top5\",\"type\":\"metrics\"}" - }, - "id": "aws-b2191dd0-734c-11e9-816b-07687310a99a", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-b2ea15a0-b3c7-11e9-87a4-078dbbae220d.json b/packages/aws/0.5.4/kibana/visualization/aws-b2ea15a0-b3c7-11e9-87a4-078dbbae220d.json deleted file mode 100755 index 73dac394b4..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-b2ea15a0-b3c7-11e9-87a4-078dbbae220d.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "ELB Latency in Seconds [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_min\":\"0\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"7e66beb0-b3c6-11e9-af6e-ef22c5680226\"}],\"bar_color_rules\":[{\"id\":\"7db91990-b3c6-11e9-af6e-ef22c5680226\"}],\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"filter\":\"\",\"gauge_color_rules\":[{\"id\":\"7d0b9b80-b3c6-11e9-af6e-ef22c5680226\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"35d3cbc0-b3c6-11e9-bf3f-29d51aa3d971\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#3185FC\",\"fill\":0,\"formatter\":\"s,s,3\",\"id\":\"35d3cbc1-b3c6-11e9-bf3f-29d51aa3d971\",\"label\":\"Latency in seconds\",\"line_width\":2,\"metrics\":[{\"field\":\"aws.elb.metrics.Latency.avg\",\"id\":\"35d3cbc2-b3c6-11e9-bf3f-29d51aa3d971\",\"type\":\"avg\"}],\"point_size\":\"5\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.dimensions.LoadBalancerName\",\"terms_order_by\":\"35d3cbc2-b3c6-11e9-bf3f-29d51aa3d971\",\"value_template\":\"{{value}}\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"ELB Latency in Seconds [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-b2ea15a0-b3c7-11e9-87a4-078dbbae220d", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-b36532e0-688e-11ea-b0ac-95d4ecb1fecd.json b/packages/aws/0.5.4/kibana/visualization/aws-b36532e0-688e-11ea-b0ac-95d4ecb1fecd.json deleted file mode 100755 index 8554dc74e8..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-b36532e0-688e-11ea-b0ac-95d4ecb1fecd.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "NATGateway Bytes In From Destination [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"688b0480-688d-11ea-8b7d-fd9d15a13cd0\"}],\"bar_color_rules\":[{\"id\":\"6b6b1a00-688d-11ea-8b7d-fd9d15a13cd0\"}],\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"aws.natgateway.metrics.BytesInFromDestination.sum\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.dimensions.NatGatewayId\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"last_value\",\"type\":\"timeseries\"},\"title\":\"NATGateway Bytes In From Destination [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-b36532e0-688e-11ea-b0ac-95d4ecb1fecd", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-b403f7b0-7b15-11ea-9bb4-e958b64b5685.json b/packages/aws/0.5.4/kibana/visualization/aws-b403f7b0-7b15-11ea-9bb4-e958b64b5685.json deleted file mode 100755 index 5d71f3da14..0000000000 
--- a/packages/aws/0.5.4/kibana/visualization/aws-b403f7b0-7b15-11ea-9bb4-e958b64b5685.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "DynamoDB Write Throttle Events [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0.1\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Write Throttle Events\",\"line_width\":1,\"metrics\":[{\"field\":\"aws.dynamodb.metrics.WriteThrottleEvents.sum\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"max\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.dimensions.TableName\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\"},\"title\":\"DynamoDB Write Throttle Events [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-b403f7b0-7b15-11ea-9bb4-e958b64b5685", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-b5308940-7347-11e9-816b-07687310a99a.json b/packages/aws/0.5.4/kibana/visualization/aws-b5308940-7347-11e9-816b-07687310a99a.json deleted file mode 100755 index 6d73004e60..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-b5308940-7347-11e9-816b-07687310a99a.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "AWS Region Filter", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"cloud.region\",\"id\":\"1549397251041\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"region name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":true,\"useTimeFilter\":false},\"title\":\"AWS Region Filter\",\"type\":\"input_control_vis\"}" - }, - "id": "aws-b5308940-7347-11e9-816b-07687310a99a", - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-b6a308f0-3e82-11ea-bb0a-69c3ca1d410f.json b/packages/aws/0.5.4/kibana/visualization/aws-b6a308f0-3e82-11ea-bb0a-69c3ca1d410f.json deleted file mode 100755 index 195aae0d0b..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-b6a308f0-3e82-11ea-bb0a-69c3ca1d410f.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "ELB HTTP 4xx [Logs AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_min\":\"0\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(174,161,255,1)\",\"fill\":0.5,\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"aws.elb_logs\\\" and http.response.status_code \\u003e= 400 and http.response.status_code \\u003c 500\"},\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"HTTP 4xx\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.elb.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\"},\"title\":\"ELB HTTP 4xx [Logs AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-b6a308f0-3e82-11ea-bb0a-69c3ca1d410f", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-b7f8bf90-180f-11ea-8e91-03c7047cbb9d.json b/packages/aws/0.5.4/kibana/visualization/aws-b7f8bf90-180f-11ea-8e91-03c7047cbb9d.json deleted file mode 100755 index b75f7eb6b1..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-b7f8bf90-180f-11ea-8e91-03c7047cbb9d.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "SNS SMS Month To Date Spent USD [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_min\":\"0\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"s,s,3\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"SMS Month To Date Spent USD\",\"line_width\":1,\"metrics\":[{\"field\":\"aws.sns.metrics.SMSMonthToDateSpentUSD.sum\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"5\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":null,\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\"},\"title\":\"SNS SMS Month To Date Spent USD [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-b7f8bf90-180f-11ea-8e91-03c7047cbb9d", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-b9703dd0-b3c9-11e9-87a4-078dbbae220d.json b/packages/aws/0.5.4/kibana/visualization/aws-b9703dd0-b3c9-11e9-87a4-078dbbae220d.json deleted file mode 100755 index b7041e399f..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-b9703dd0-b3c9-11e9-87a4-078dbbae220d.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "ELB HTTP 5XX Errors [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_min\":\"0\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"7e66beb0-b3c6-11e9-af6e-ef22c5680226\"}],\"bar_color_rules\":[{\"id\":\"7db91990-b3c6-11e9-af6e-ef22c5680226\"}],\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"filter\":\"\",\"gauge_color_rules\":[{\"id\":\"7d0b9b80-b3c6-11e9-af6e-ef22c5680226\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"35d3cbc0-b3c6-11e9-bf3f-29d51aa3d971\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#3185FC\",\"fill\":0,\"formatter\":\"number\",\"id\":\"35d3cbc1-b3c6-11e9-bf3f-29d51aa3d971\",\"label\":\"HTTP 5XX Errors\",\"line_width\":2,\"metrics\":[{\"field\":\"aws.elb.metrics.HTTPCode_ELB_5XX.sum\",\"id\":\"35d3cbc2-b3c6-11e9-bf3f-29d51aa3d971\",\"type\":\"avg\"}],\"point_size\":\"5\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.dimensions.LoadBalancerName\",\"terms_order_by\":\"35d3cbc2-b3c6-11e9-bf3f-29d51aa3d971\",\"value_template\":\"{{value}}\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"ELB HTTP 5XX Errors [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-b9703dd0-b3c9-11e9-87a4-078dbbae220d", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-bad8c910-4485-11ea-ad63-791a5dc86f10.json b/packages/aws/0.5.4/kibana/visualization/aws-bad8c910-4485-11ea-ad63-791a5dc86f10.json deleted file mode 100755 index 51feec8331..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-bad8c910-4485-11ea-ad63-791a5dc86f10.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "VPC Flow Total Requests [Logs AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_min\":\"0\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color\":\"rgba(255,255,255,1)\",\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"right\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(211,49,21,1)\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"aws.vpcflow\\\" and aws.vpcflow.action : \\\"REJECT\\\" \"},\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"REJECT\",\"line_width\":\"2\",\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"override_index_pattern\":1,\"point_size\":\"3\",\"separate_axis\":0,\"series_drop_last_bucket\":0,\"series_index_pattern\":\"logs-*\",\"series_time_field\":\"@timestamp\",\"split_color_mode\":\"rainbow\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"terms_field\":\"aws.vpcflow.action\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(104,188,0,1)\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"aws.vpcflow\\\" and aws.vpcflow.action : \\\"ACCEPT\\\" 
\"},\"formatter\":\"number\",\"id\":\"7ec99260-4485-11ea-9ee9-2d27e9149ae8\",\"label\":\"ACCEPT\",\"line_width\":\"2\",\"metrics\":[{\"id\":\"7ec99261-4485-11ea-9ee9-2d27e9149ae8\",\"type\":\"count\"}],\"override_index_pattern\":1,\"point_size\":\"3\",\"separate_axis\":0,\"series_drop_last_bucket\":0,\"series_index_pattern\":\"logs-*\",\"series_time_field\":\"@timestamp\",\"split_color_mode\":\"rainbow\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"terms_field\":\"aws.vpcflow.action\",\"terms_order_by\":\"7ec99261-4485-11ea-9ee9-2d27e9149ae8\",\"type\":\"timeseries\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(252,220,0,1)\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"aws.vpcflow\\\" and aws.vpcflow.action : \\\"-\\\" \"},\"formatter\":\"number\",\"id\":\"8d550580-4485-11ea-9ee9-2d27e9149ae8\",\"label\":\"-\",\"line_width\":\"2\",\"metrics\":[{\"id\":\"8d552c90-4485-11ea-9ee9-2d27e9149ae8\",\"type\":\"count\"}],\"override_index_pattern\":1,\"point_size\":\"3\",\"separate_axis\":0,\"series_drop_last_bucket\":0,\"series_index_pattern\":\"logs-*\",\"series_time_field\":\"@timestamp\",\"split_color_mode\":\"rainbow\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"terms_field\":\"aws.vpcflow.action\",\"terms_order_by\":\"8d552c90-4485-11ea-9ee9-2d27e9149ae8\",\"type\":\"timeseries\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(115,216,255,1)\",\"fill\":\"0.5\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"aws.vpcflow\\\"\"},\"formatter\":\"number\",\"id\":\"c8c27df0-4485-11ea-9ee9-2d27e9149ae8\",\"label\":\"Total 
Requests\",\"line_width\":\"2\",\"metrics\":[{\"id\":\"c8c27df1-4485-11ea-9ee9-2d27e9149ae8\",\"type\":\"count\"}],\"override_index_pattern\":1,\"point_size\":\"3\",\"separate_axis\":0,\"series_drop_last_bucket\":0,\"series_index_pattern\":\"logs-*\",\"series_time_field\":\"@timestamp\",\"split_color_mode\":\"rainbow\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"terms_field\":\"aws.vpcflow.action\",\"terms_order_by\":\"c8c27df1-4485-11ea-9ee9-2d27e9149ae8\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\"},\"title\":\"VPC Flow Total Requests [Logs AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-bad8c910-4485-11ea-ad63-791a5dc86f10", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-bb3a6cd0-b7b6-11e9-8349-f15f850c5cd0.json b/packages/aws/0.5.4/kibana/visualization/aws-bb3a6cd0-b7b6-11e9-8349-f15f850c5cd0.json deleted file mode 100755 index 6e3a05d7d3..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-bb3a6cd0-b7b6-11e9-8349-f15f850c5cd0.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "EBS Volume Read Ops [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_min\":\"0\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Number of Read Operation\",\"line_width\":1,\"metrics\":[{\"field\":\"aws.ebs.metrics.VolumeReadOps.avg\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"5\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.dimensions.VolumeId\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\"},\"title\":\"EBS Volume Read Ops [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-bb3a6cd0-b7b6-11e9-8349-f15f850c5cd0", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-bb82c4d0-6c25-11e9-81bc-7f4cd8b3d892.json b/packages/aws/0.5.4/kibana/visualization/aws-bb82c4d0-6c25-11e9-81bc-7f4cd8b3d892.json deleted file mode 100755 index 059e0ccc6b..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-bb82c4d0-6c25-11e9-81bc-7f4cd8b3d892.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "SQS Empty Receives [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"d95adba0-6b8a-11e9-98b0-9b2c3d14a4c1\"}],\"bar_color_rules\":[{\"id\":\"a7e8c370-6c25-11e9-9cd1-3bdb0c7db024\"}],\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"gauge_color_rules\":[{\"id\":\"a778eaa0-6c25-11e9-9cd1-3bdb0c7db024\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"line_width\":1,\"metrics\":[{\"field\":\"aws.sqs.empty_receives\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"numerator\":\"\",\"percentiles\":[{\"id\":\"74323cf0-6c25-11e9-9cd1-3bdb0c7db024\",\"mode\":\"line\",\"shade\":0.2,\"value\":50}],\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.sqs.queue.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"terms_size\":\"5\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"SQS Empty Receives [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-bb82c4d0-6c25-11e9-81bc-7f4cd8b3d892", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-bc5dcc90-688e-11ea-b0ac-95d4ecb1fecd.json b/packages/aws/0.5.4/kibana/visualization/aws-bc5dcc90-688e-11ea-b0ac-95d4ecb1fecd.json deleted file mode 100755 index 2999b35f33..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-bc5dcc90-688e-11ea-b0ac-95d4ecb1fecd.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "NATGateway Bytes In From Source [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"688b0480-688d-11ea-8b7d-fd9d15a13cd0\"}],\"bar_color_rules\":[{\"id\":\"6b6b1a00-688d-11ea-8b7d-fd9d15a13cd0\"}],\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"aws.natgateway.metrics.BytesInFromSource.sum\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.dimensions.NatGatewayId\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"last_value\",\"type\":\"timeseries\"},\"title\":\"NATGateway Bytes In From Source [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-bc5dcc90-688e-11ea-b0ac-95d4ecb1fecd", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-bc8bd8f0-31fd-11ea-bcbf-59cb7eefc1f0.json b/packages/aws/0.5.4/kibana/visualization/aws-bc8bd8f0-31fd-11ea-bcbf-59cb7eefc1f0.json deleted file mode 100755 index d45812a087..0000000000 
--- a/packages/aws/0.5.4/kibana/visualization/aws-bc8bd8f0-31fd-11ea-bcbf-59cb7eefc1f0.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Region/Account Filters [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"cloud.region\",\"id\":\"1549397251041\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"region\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"cloud.account.name\",\"id\":\"1549512126406\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"account name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":true,\"useTimeFilter\":false},\"title\":\"Region/Account Filters [Metrics AWS]\",\"type\":\"input_control_vis\"}" - }, - "id": "aws-bc8bd8f0-31fd-11ea-bcbf-59cb7eefc1f0", - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-bd37d720-3e84-11ea-bb0a-69c3ca1d410f.json b/packages/aws/0.5.4/kibana/visualization/aws-bd37d720-3e84-11ea-bb0a-69c3ca1d410f.json deleted file mode 100755 index 4dc2a6b4dd..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-bd37d720-3e84-11ea-bb0a-69c3ca1d410f.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "ELB Outbound Traffic [Logs AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_min\":\"0\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(253,161,255,1)\",\"fill\":0.5,\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"aws.elb_logs\\\"\"},\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Outbound\",\"line_width\":1,\"metrics\":[{\"field\":\"destination.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"sum\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.elb.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\"},\"title\":\"ELB Outbound Traffic [Logs AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-bd37d720-3e84-11ea-bb0a-69c3ca1d410f", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-bdb8ddd0-6890-11ea-b0ac-95d4ecb1fecd.json b/packages/aws/0.5.4/kibana/visualization/aws-bdb8ddd0-6890-11ea-b0ac-95d4ecb1fecd.json deleted file mode 100755 index db4d31f9ed..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-bdb8ddd0-6890-11ea-b0ac-95d4ecb1fecd.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "NATGateway Packet In From Destination [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"688b0480-688d-11ea-8b7d-fd9d15a13cd0\",\"value\":0}],\"bar_color_rules\":[{\"id\":\"6b6b1a00-688d-11ea-8b7d-fd9d15a13cd0\"}],\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"formatter\":\"number\",\"id\":\"f444c0e0-688f-11ea-8b7d-fd9d15a13cd0\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"aws.natgateway.metrics.PacketsInFromDestination.sum\",\"id\":\"f444c0e1-688f-11ea-8b7d-fd9d15a13cd0\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.dimensions.NatGatewayId\",\"terms_order_by\":\"f444c0e1-688f-11ea-8b7d-fd9d15a13cd0\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"last_value\",\"type\":\"timeseries\"},\"title\":\"NATGateway Packet In From Destination [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-bdb8ddd0-6890-11ea-b0ac-95d4ecb1fecd", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-be6c4180-41e6-11e9-b7a0-c99d9d127b61.json b/packages/aws/0.5.4/kibana/visualization/aws-be6c4180-41e6-11e9-b7a0-c99d9d127b61.json deleted file mode 100755 index 9d879f9c84..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-be6c4180-41e6-11e9-b7a0-c99d9d127b61.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "SQS Messages Deleted [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"line_width\":1,\"metrics\":[{\"field\":\"aws.sqs.messages.deleted\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.sqs.queue.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"terms_size\":\"5\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"SQS Messages Deleted [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-be6c4180-41e6-11e9-b7a0-c99d9d127b61", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-be8828d0-f7f6-11e8-af03-c999c9dea608.json b/packages/aws/0.5.4/kibana/visualization/aws-be8828d0-f7f6-11e8-af03-c999c9dea608.json deleted file mode 100755 index 5cce8d88b9..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-be8828d0-f7f6-11e8-af03-c999c9dea608.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "EC2 CPU Utilization [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"annotations\":[],\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"23428b30-f7f2-11e8-bff8-21537b07dd44\"}],\"bar_color_rules\":[{\"id\":\"2592bcc0-f7f2-11e8-bff8-21537b07dd44\"}],\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(104,188,0,1)\",\"fill\":\"0\",\"filter\":\"\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"AWS EC2 CPU Utilization\",\"line_width\":1,\"metrics\":[{\"field\":\"aws.ec2.cpu.total.pct\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":1,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"steps\":0,\"terms_field\":\"cloud.instance.id\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"terms_size\":\"5\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"AWS EC2 CPU Utilization\",\"type\":\"metrics\"}" - }, - "id": "aws-be8828d0-f7f6-11e8-af03-c999c9dea608", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-bf81e030-180e-11ea-8e91-03c7047cbb9d.json b/packages/aws/0.5.4/kibana/visualization/aws-bf81e030-180e-11ea-8e91-03c7047cbb9d.json deleted file mode 100755 index 5b3576245d..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-bf81e030-180e-11ea-8e91-03c7047cbb9d.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "SNS Notifications Filtered Out [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_min\":\"0\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"s,s,3\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Notifications Filtered Out\",\"line_width\":1,\"metrics\":[{\"field\":\"aws.sns.metrics.NumberOfNotificationsFilteredOut.sum\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"5\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":null,\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\"},\"title\":\"SNS Notifications Filtered Out [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-bf81e030-180e-11ea-8e91-03c7047cbb9d", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-c0e32d50-b7b8-11e9-8349-f15f850c5cd0.json b/packages/aws/0.5.4/kibana/visualization/aws-c0e32d50-b7b8-11e9-8349-f15f850c5cd0.json deleted file mode 100755 index d39e7d55d7..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-c0e32d50-b7b8-11e9-8349-f15f850c5cd0.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "EBS Volume Write Bytes [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_min\":\"0\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Volume Write Bytes\",\"line_width\":1,\"metrics\":[{\"field\":\"aws.ebs.metrics.VolumeWriteBytes.avg\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"5\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.dimensions.VolumeId\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\"},\"title\":\"EBS Volume Write Bytes [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-c0e32d50-b7b8-11e9-8349-f15f850c5cd0", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-c186b610-688d-11ea-b0ac-95d4ecb1fecd.json b/packages/aws/0.5.4/kibana/visualization/aws-c186b610-688d-11ea-b0ac-95d4ecb1fecd.json deleted file mode 100755 index 2254a408e3..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-c186b610-688d-11ea-b0ac-95d4ecb1fecd.json +++ /dev/null 
@@ -1,15 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{}"
- },
- "title": "NATGateway Active Connection Count Top10 [Metrics AWS]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"688b0480-688d-11ea-8b7d-fd9d15a13cd0\"}],\"bar_color_rules\":[{\"id\":\"6b6b1a00-688d-11ea-8b7d-fd9d15a13cd0\"}],\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"3\",\"metrics\":[{\"field\":\"aws.natgateway.metrics.ActiveConnectionCount.max\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"2\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.dimensions.NatGatewayId\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"last_value\",\"type\":\"top_n\"},\"title\":\"NATGateway Active Connection Count Top10 [Metrics AWS]\",\"type\":\"metrics\"}"
- },
- "id": "aws-c186b610-688d-11ea-b0ac-95d4ecb1fecd",
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-c1afd130-921e-11e9-aa19-159bf182e06f.json b/packages/aws/0.5.4/kibana/visualization/aws-c1afd130-921e-11e9-aa19-159bf182e06f.json
deleted file mode 100755
index 4a1fb5ca6f..0000000000
--- a/packages/aws/0.5.4/kibana/visualization/aws-c1afd130-921e-11e9-aa19-159bf182e06f.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "title": "RDS Insert Throughput in Count/Second [Metrics AWS]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_min\":\"0\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"28cacdf0-921c-11e9-badf-4b42bd1ef543\"}],\"bar_color_rules\":[{\"id\":\"f8196690-921a-11e9-badf-4b42bd1ef543\"}],\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"'0.0'\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Insert Throughput Count/Second\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"aws.rds.throughput.insert\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"5\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.rds.db_instance.identifier\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\"},\"title\":\"RDS Insert Throughput in Count/Second [Metrics AWS]\",\"type\":\"metrics\"}"
- },
- "id": "aws-c1afd130-921e-11e9-aa19-159bf182e06f",
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-c1db9b80-694b-11ea-b0ac-95d4ecb1fecd.json b/packages/aws/0.5.4/kibana/visualization/aws-c1db9b80-694b-11ea-b0ac-95d4ecb1fecd.json
deleted file mode 100755
index a484fbe14c..0000000000
--- a/packages/aws/0.5.4/kibana/visualization/aws-c1db9b80-694b-11ea-b0ac-95d4ecb1fecd.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{}"
- },
- "title": "Transit Gateway Packets Drop Count Blackhole [Metrics AWS]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"aws.transitgateway.metrics.PacketDropCountBlackhole.sum\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.dimensions.TransitGateway\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\"},\"title\":\"Transit Gateway Packets Drop Count Blackhole [Metrics AWS]\",\"type\":\"metrics\"}"
- },
- "id": "aws-c1db9b80-694b-11ea-b0ac-95d4ecb1fecd",
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-c7d6cf90-688e-11ea-b0ac-95d4ecb1fecd.json b/packages/aws/0.5.4/kibana/visualization/aws-c7d6cf90-688e-11ea-b0ac-95d4ecb1fecd.json
deleted file mode 100755
index f7c8fb4d12..0000000000
--- a/packages/aws/0.5.4/kibana/visualization/aws-c7d6cf90-688e-11ea-b0ac-95d4ecb1fecd.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{}"
- },
- "title": "NATGateway Bytes Out To Source [Metrics AWS]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"688b0480-688d-11ea-8b7d-fd9d15a13cd0\"}],\"bar_color_rules\":[{\"id\":\"6b6b1a00-688d-11ea-8b7d-fd9d15a13cd0\"}],\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"aws.natgateway.metrics.BytesOutToSource.sum\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.dimensions.NatGatewayId\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"last_value\",\"type\":\"timeseries\"},\"title\":\"NATGateway Bytes Out To Source [Metrics AWS]\",\"type\":\"metrics\"}"
- },
- "id": "aws-c7d6cf90-688e-11ea-b0ac-95d4ecb1fecd",
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-c84ed3d0-6890-11ea-b0ac-95d4ecb1fecd.json b/packages/aws/0.5.4/kibana/visualization/aws-c84ed3d0-6890-11ea-b0ac-95d4ecb1fecd.json
deleted file mode 100755
index eb8a5de9da..0000000000
--- a/packages/aws/0.5.4/kibana/visualization/aws-c84ed3d0-6890-11ea-b0ac-95d4ecb1fecd.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{}"
- },
- "title": "NATGateway Packet In From Source [Metrics AWS]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"688b0480-688d-11ea-8b7d-fd9d15a13cd0\",\"value\":0}],\"bar_color_rules\":[{\"id\":\"6b6b1a00-688d-11ea-8b7d-fd9d15a13cd0\"}],\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"formatter\":\"number\",\"id\":\"f444c0e0-688f-11ea-8b7d-fd9d15a13cd0\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"aws.natgateway.metrics.PacketsInFromSource.sum\",\"id\":\"f444c0e1-688f-11ea-8b7d-fd9d15a13cd0\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.dimensions.NatGatewayId\",\"terms_order_by\":\"f444c0e1-688f-11ea-8b7d-fd9d15a13cd0\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"last_value\",\"type\":\"timeseries\"},\"title\":\"NATGateway Packet In From Source [Metrics AWS]\",\"type\":\"metrics\"}"
- },
- "id": "aws-c84ed3d0-6890-11ea-b0ac-95d4ecb1fecd",
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-cc3a1950-921c-11e9-aa19-159bf182e06f.json b/packages/aws/0.5.4/kibana/visualization/aws-cc3a1950-921c-11e9-aa19-159bf182e06f.json
deleted file mode 100755
index 0e8d6a6c44..0000000000
--- a/packages/aws/0.5.4/kibana/visualization/aws-cc3a1950-921c-11e9-aa19-159bf182e06f.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "title": "RDS Select Latency in Milliseconds [Metrics AWS]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"28cacdf0-921c-11e9-badf-4b42bd1ef543\"}],\"bar_color_rules\":[{\"id\":\"f8196690-921a-11e9-badf-4b42bd1ef543\"}],\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"ms,ms,\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Select Latency in Milliseconds\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"aws.rds.latency.select\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"5\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.rds.db_instance.identifier\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\"},\"title\":\"RDS Select Latency in Milliseconds [Metrics AWS]\",\"type\":\"metrics\"}"
- },
- "id": "aws-cc3a1950-921c-11e9-aa19-159bf182e06f",
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-cd6419c0-6949-11ea-b0ac-95d4ecb1fecd.json b/packages/aws/0.5.4/kibana/visualization/aws-cd6419c0-6949-11ea-b0ac-95d4ecb1fecd.json
deleted file mode 100755
index b4aed97f15..0000000000
--- a/packages/aws/0.5.4/kibana/visualization/aws-cd6419c0-6949-11ea-b0ac-95d4ecb1fecd.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{}"
- },
- "title": "Transit Gateway Bytes In [Metrics AWS]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"aws.transitgateway.metrics.BytesIn.sum\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.dimensions.TransitGateway\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\"},\"title\":\"Transit Gateway Bytes In [Metrics AWS]\",\"type\":\"metrics\"}"
- },
- "id": "aws-cd6419c0-6949-11ea-b0ac-95d4ecb1fecd",
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-ce7445c0-688f-11ea-b0ac-95d4ecb1fecd.json b/packages/aws/0.5.4/kibana/visualization/aws-ce7445c0-688f-11ea-b0ac-95d4ecb1fecd.json
deleted file mode 100755
index d418d946a6..0000000000
--- a/packages/aws/0.5.4/kibana/visualization/aws-ce7445c0-688f-11ea-b0ac-95d4ecb1fecd.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{}"
- },
- "title": "NATGateway Error Port Allocation [Metrics AWS]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"688b0480-688d-11ea-8b7d-fd9d15a13cd0\",\"value\":0}],\"bar_color_rules\":[{\"id\":\"6b6b1a00-688d-11ea-8b7d-fd9d15a13cd0\"}],\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Total Error of Port Allocation\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"aws.natgateway.metrics.ErrorPortAllocation.sum\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"sum\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"terms_field\":\"aws.dimensions.NatGatewayId\",\"terms_order_by\":\"_count\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"last_value\",\"type\":\"metric\"},\"title\":\"NATGateway Error Port Allocation [Metrics AWS]\",\"type\":\"metrics\"}"
- },
- "id": "aws-ce7445c0-688f-11ea-b0ac-95d4ecb1fecd",
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-ceb7c030-3e86-11ea-bb0a-69c3ca1d410f.json b/packages/aws/0.5.4/kibana/visualization/aws-ceb7c030-3e86-11ea-bb0a-69c3ca1d410f.json
deleted file mode 100755
index 05371e3bce..0000000000
--- a/packages/aws/0.5.4/kibana/visualization/aws-ceb7c030-3e86-11ea-bb0a-69c3ca1d410f.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "title": "ELB Top IP Addresses [Logs AWS]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_min\":\"0\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"29527130-3e86-11ea-9067-cf383a4ea3b3\"}],\"bar_color_rules\":[{\"id\":\"cc6d5070-3e85-11ea-9067-cf383a4ea3b3\"}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"gauge_color_rules\":[{\"id\":\"2b29c940-3e86-11ea-9067-cf383a4ea3b3\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"pivot_id\":\"user_agent.original\",\"pivot_type\":\"string\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(115,216,255,1)\",\"color_rules\":[{\"id\":\"42e14220-3e86-11ea-9067-cf383a4ea3b3\"}],\"fill\":0.5,\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"aws.elb_logs\\\" \"},\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"IP address\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"},{\"field\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"id\":\"40c52370-3e87-11ea-9067-cf383a4ea3b3\",\"type\":\"cumulative_sum\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"source.ip\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"top_n\"},\"title\":\"ELB Top IP Addresses [Logs AWS]\",\"type\":\"metrics\"}"
- },
- "id": "aws-ceb7c030-3e86-11ea-bb0a-69c3ca1d410f",
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-d045d120-b7b9-11e9-8349-f15f850c5cd0.json b/packages/aws/0.5.4/kibana/visualization/aws-d045d120-b7b9-11e9-8349-f15f850c5cd0.json
deleted file mode 100755
index e7a1d5a315..0000000000
--- a/packages/aws/0.5.4/kibana/visualization/aws-d045d120-b7b9-11e9-8349-f15f850c5cd0.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "title": "EBS Volume ID Filter [Metrics AWS]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"aws.dimensions.VolumeId\",\"id\":\"1565034367477\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"volume id\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":true,\"useTimeFilter\":true},\"title\":\"EBS Volume ID Filter [Metrics AWS]\",\"type\":\"input_control_vis\"}"
- },
- "id": "aws-d045d120-b7b9-11e9-8349-f15f850c5cd0",
- "references": [
- {
- "id": "metrics-*",
- "name": "control_0_index_pattern",
- "type": "index-pattern"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-d186fd50-4763-11e9-8062-c98a86cb6f94.json b/packages/aws/0.5.4/kibana/visualization/aws-d186fd50-4763-11e9-8062-c98a86cb6f94.json
deleted file mode 100755
index e9c20ac64a..0000000000
--- a/packages/aws/0.5.4/kibana/visualization/aws-d186fd50-4763-11e9-8062-c98a86cb6f94.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "title": "S3 Total Requests [Metrics AWS]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"c03c4320-4763-11e9-b811-fd5d24a641d7\"}],\"bar_color_rules\":[{\"id\":\"c7b9fca0-4763-11e9-b811-fd5d24a641d7\"}],\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"line_width\":1,\"metrics\":[{\"field\":\"aws.s3_request.requests.total\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"offset_time\":\"\",\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.s3.bucket.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"terms_size\":\"5\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"S3 Total Requests [Metrics AWS]\",\"type\":\"metrics\"}"
- },
- "id": "aws-d186fd50-4763-11e9-8062-c98a86cb6f94",
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-d19a71b0-180e-11ea-8e91-03c7047cbb9d.json b/packages/aws/0.5.4/kibana/visualization/aws-d19a71b0-180e-11ea-8e91-03c7047cbb9d.json
deleted file mode 100755
index 0cc3c7e668..0000000000
--- a/packages/aws/0.5.4/kibana/visualization/aws-d19a71b0-180e-11ea-8e91-03c7047cbb9d.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "title": "SNS Notifications Filtered Out Invalid Attributes [Metrics AWS]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_min\":\"0\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"s,s,3\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Notifications Filtered Out Invalid Attributes\",\"line_width\":1,\"metrics\":[{\"field\":\"aws.sns.metrics.NumberOfNotificationsFilteredOut-InvalidAttributes.sum\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"5\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":null,\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\"},\"title\":\"SNS Notifications Filtered Out Invalid Attributes [Metrics AWS]\",\"type\":\"metrics\"}"
- },
- "id": "aws-d19a71b0-180e-11ea-8e91-03c7047cbb9d",
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-d2f46190-830f-11e9-ac83-47df3568ff90.json b/packages/aws/0.5.4/kibana/visualization/aws-d2f46190-830f-11e9-ac83-47df3568ff90.json
deleted file mode 100755
index b25b0009ae..0000000000
--- a/packages/aws/0.5.4/kibana/visualization/aws-d2f46190-830f-11e9-ac83-47df3568ff90.json
+++ /dev/null
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Cloudwatch Memory Available [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"bb21d180-830d-11e9-9c4c-391fa0a2e15f\"}],\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"filter\":\"\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"lucene\",\"query\":\"(aws.cloudwatch.namespace:\\\"AWS/ECS\\\") AND (_exists_: aws.ecs.metrics.MemoryReservation) AND (_exists_: aws.ecs.metrics.MemoryUtilization)\"},\"formatter\":\"percent\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":1,\"metrics\":[{\"field\":\"aws.ecs.metrics.MemoryUtilization\",\"id\":\"17f8ddf0-830d-11e9-9f3d-ed346f48a007\",\"type\":\"sum\"},{\"field\":\"aws.ecs.metrics.MemoryReservation\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"sum\"},{\"id\":\"68a93050-830e-11e9-9c4c-391fa0a2e15f\",\"script\":\"(params.res - params.util) / 
100\",\"type\":\"math\",\"variables\":[{\"field\":\"17f8ddf0-830d-11e9-9f3d-ed346f48a007\",\"id\":\"6f338920-830e-11e9-9c4c-391fa0a2e15f\",\"name\":\"util\"},{\"field\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"id\":\"7ab9f9a0-830e-11e9-9c4c-391fa0a2e15f\",\"name\":\"res\"}]}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.dimensions.ClusterName\",\"terms_order_by\":\"_key\",\"terms_size\":\"5\",\"value_template\":\"{{value}}\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\"},\"title\":\"AWS Cloudwatch Memory Available\",\"type\":\"metrics\"}" - }, - "id": "aws-d2f46190-830f-11e9-ac83-47df3568ff90", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-d560de70-b3c7-11e9-87a4-078dbbae220d.json b/packages/aws/0.5.4/kibana/visualization/aws-d560de70-b3c7-11e9-87a4-078dbbae220d.json deleted file mode 100755 index 12ee297b08..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-d560de70-b3c7-11e9-87a4-078dbbae220d.json +++ /dev/null 
@@ -1,15 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "title": "ELB Request Count [Metrics AWS]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_min\":\"0\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"7e66beb0-b3c6-11e9-af6e-ef22c5680226\"}],\"bar_color_rules\":[{\"id\":\"7db91990-b3c6-11e9-af6e-ef22c5680226\"}],\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"filter\":\"\",\"gauge_color_rules\":[{\"id\":\"7d0b9b80-b3c6-11e9-af6e-ef22c5680226\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"35d3cbc0-b3c6-11e9-bf3f-29d51aa3d971\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#3185FC\",\"fill\":0,\"formatter\":\"number\",\"id\":\"35d3cbc1-b3c6-11e9-bf3f-29d51aa3d971\",\"label\":\"Request Count\",\"line_width\":2,\"metrics\":[{\"field\":\"aws.elb.metrics.RequestCount.sum\",\"id\":\"35d3cbc2-b3c6-11e9-bf3f-29d51aa3d971\",\"type\":\"avg\"}],\"point_size\":\"5\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.dimensions.LoadBalancerName\",\"terms_order_by\":\"35d3cbc2-b3c6-11e9-bf3f-29d51aa3d971\",\"type\":\"timeseries\",\"value_template\":\"{{value}}\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"ELB Request Count [Metrics AWS]\",\"type\":\"metrics\"}"
- },
- "id": "aws-d560de70-b3c7-11e9-87a4-078dbbae220d",
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-d8b1e830-3e82-11ea-bb0a-69c3ca1d410f.json b/packages/aws/0.5.4/kibana/visualization/aws-d8b1e830-3e82-11ea-bb0a-69c3ca1d410f.json
deleted file mode 100755
index dfd1511e04..0000000000
--- a/packages/aws/0.5.4/kibana/visualization/aws-d8b1e830-3e82-11ea-bb0a-69c3ca1d410f.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "title": "ELB HTTP 5xx [Logs AWS]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_min\":\"0\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":0.5,\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"aws.elb_logs\\\" and http.response.status_code \\u003e= 500 and http.response.status_code \\u003c 600\"},\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"HTTP 5xx\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.elb.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\"},\"title\":\"ELB HTTP 5xx [Logs AWS]\",\"type\":\"metrics\"}"
- },
- "id": "aws-d8b1e830-3e82-11ea-bb0a-69c3ca1d410f",
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-dc5f65b0-6949-11ea-b0ac-95d4ecb1fecd.json b/packages/aws/0.5.4/kibana/visualization/aws-dc5f65b0-6949-11ea-b0ac-95d4ecb1fecd.json
deleted file mode 100755
index c9bcf11940..0000000000
--- a/packages/aws/0.5.4/kibana/visualization/aws-dc5f65b0-6949-11ea-b0ac-95d4ecb1fecd.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{}"
- },
- "title": "Transit Gateway Bytes Out [Metrics AWS]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"aws.transitgateway.metrics.BytesOut.sum\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.dimensions.TransitGateway\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\"},\"title\":\"Transit Gateway Bytes Out [Metrics AWS]\",\"type\":\"metrics\"}"
- },
- "id": "aws-dc5f65b0-6949-11ea-b0ac-95d4ecb1fecd",
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-dcd31cd0-41e5-11e9-b7a0-c99d9d127b61.json b/packages/aws/0.5.4/kibana/visualization/aws-dcd31cd0-41e5-11e9-b7a0-c99d9d127b61.json
deleted file mode 100755
index b806b7e943..0000000000
--- a/packages/aws/0.5.4/kibana/visualization/aws-dcd31cd0-41e5-11e9-b7a0-c99d9d127b61.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "title": "SQS Messages Delayed [Metrics AWS]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"line_width\":1,\"metrics\":[{\"field\":\"aws.sqs.messages.delayed\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.sqs.queue.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"terms_size\":\"5\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"SQS Messages Delayed [Metrics AWS]\",\"type\":\"metrics\"}"
- },
- "id": "aws-dcd31cd0-41e5-11e9-b7a0-c99d9d127b61",
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-dd2f2a10-41e6-11e9-b7a0-c99d9d127b61.json b/packages/aws/0.5.4/kibana/visualization/aws-dd2f2a10-41e6-11e9-b7a0-c99d9d127b61.json deleted file mode 100755 index 92532a2890..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-dd2f2a10-41e6-11e9-b7a0-c99d9d127b61.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "SQS Messages Sent [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"d95adba0-6b8a-11e9-98b0-9b2c3d14a4c1\"}],\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"line_width\":1,\"metrics\":[{\"field\":\"aws.sqs.messages.sent\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.sqs.queue.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"terms_size\":\"5\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"SQS Messages Sent [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-dd2f2a10-41e6-11e9-b7a0-c99d9d127b61", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-deab0260-2981-11e9-86eb-a3a07a77f530.json b/packages/aws/0.5.4/kibana/visualization/aws-deab0260-2981-11e9-86eb-a3a07a77f530.json deleted file mode 100755 index 1f2cad4952..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-deab0260-2981-11e9-86eb-a3a07a77f530.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "AWS Account Filter [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"cloud.account.name\",\"id\":\"1549397251041\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"account name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":true,\"useTimeFilter\":false},\"title\":\"AWS Account Filter [Metrics AWS]\",\"type\":\"input_control_vis\"}" - }, - "id": "aws-deab0260-2981-11e9-86eb-a3a07a77f530", - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-dffa19e0-180e-11ea-8e91-03c7047cbb9d.json b/packages/aws/0.5.4/kibana/visualization/aws-dffa19e0-180e-11ea-8e91-03c7047cbb9d.json deleted file mode 100755 index 886b59012f..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-dffa19e0-180e-11ea-8e91-03c7047cbb9d.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "SNS Notifications Filtered Out No Message Attributes [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_min\":\"0\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"s,s,3\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Notifications Filtered Out No Message Attributes\",\"line_width\":1,\"metrics\":[{\"field\":\"aws.sns.metrics.NumberOfNotificationsFilteredOut-NoMessageAttributes.sum\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"5\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":null,\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\"},\"title\":\"SNS Notifications Filtered Out No Message Attributes [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-dffa19e0-180e-11ea-8e91-03c7047cbb9d", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-e06e4cf0-921e-11e9-aa19-159bf182e06f.json b/packages/aws/0.5.4/kibana/visualization/aws-e06e4cf0-921e-11e9-aa19-159bf182e06f.json deleted file mode 100755 index a2e60b273b..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-e06e4cf0-921e-11e9-aa19-159bf182e06f.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "RDS Select Throughput in Count/Second [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_min\":\"\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"28cacdf0-921c-11e9-badf-4b42bd1ef543\"}],\"bar_color_rules\":[{\"id\":\"f8196690-921a-11e9-badf-4b42bd1ef543\"}],\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"'0.0'\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Select Throughput Count/Second\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"aws.rds.throughput.select\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"5\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.rds.db_instance.identifier\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\"},\"title\":\"RDS Select Throughput in Count/Second [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-e06e4cf0-921e-11e9-aa19-159bf182e06f", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-e0e65e60-688e-11ea-b0ac-95d4ecb1fecd.json b/packages/aws/0.5.4/kibana/visualization/aws-e0e65e60-688e-11ea-b0ac-95d4ecb1fecd.json deleted file mode 100755 index 40fb6f05cf..0000000000 
--- a/packages/aws/0.5.4/kibana/visualization/aws-e0e65e60-688e-11ea-b0ac-95d4ecb1fecd.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "NATGateway Bytes Out To Destination [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"688b0480-688d-11ea-8b7d-fd9d15a13cd0\"}],\"bar_color_rules\":[{\"id\":\"6b6b1a00-688d-11ea-8b7d-fd9d15a13cd0\"}],\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"aws.natgateway.metrics.BytesOutToDestination.sum\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.dimensions.NatGatewayId\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"last_value\",\"type\":\"timeseries\"},\"title\":\"NATGateway Bytes Out To Destination [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-e0e65e60-688e-11ea-b0ac-95d4ecb1fecd", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-e50c51e0-3e7f-11ea-bb0a-69c3ca1d410f.json b/packages/aws/0.5.4/kibana/visualization/aws-e50c51e0-3e7f-11ea-bb0a-69c3ca1d410f.json deleted file mode 100755 index 42a8dd91e4..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-e50c51e0-3e7f-11ea-bb0a-69c3ca1d410f.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "ELB Total Requests [Logs AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_min\":\"0\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(115,216,255,1)\",\"fill\":0.5,\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"aws.elb_logs\\\" \"},\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Total Requests\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.elb.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\"},\"title\":\"ELB Total Requests [Logs AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-e50c51e0-3e7f-11ea-bb0a-69c3ca1d410f", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-ea9e3d40-693a-11ea-b0ac-95d4ecb1fecd.json b/packages/aws/0.5.4/kibana/visualization/aws-ea9e3d40-693a-11ea-b0ac-95d4ecb1fecd.json deleted file mode 100755 index 140af8c874..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-ea9e3d40-693a-11ea-b0ac-95d4ecb1fecd.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "VPN Tunnel Data In [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"aws.vpn.metrics.TunnelDataIn.sum\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.dimensions.TunnelIpAddress\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\"},\"title\":\"VPN Tunnel Data In [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-ea9e3d40-693a-11ea-b0ac-95d4ecb1fecd", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-f1db6ec0-f7f8-11e8-af03-c999c9dea608.json b/packages/aws/0.5.4/kibana/visualization/aws-f1db6ec0-f7f8-11e8-af03-c999c9dea608.json deleted file mode 100755 index 25acf8d87a..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-f1db6ec0-f7f8-11e8-af03-c999c9dea608.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "EC2 DiskIO Read Bytes [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"annotations\":[],\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"23428b30-f7f2-11e8-bff8-21537b07dd44\"}],\"bar_color_rules\":[{\"id\":\"2592bcc0-f7f2-11e8-bff8-21537b07dd44\"}],\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(104,188,0,1)\",\"fill\":\"0\",\"filter\":\"\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"AWS EC2 DiskIO Read Bytes\",\"line_width\":1,\"metrics\":[{\"field\":\"aws.ec2.diskio.read.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":1,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"steps\":0,\"terms_field\":\"cloud.instance.id\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"terms_size\":\"5\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"AWS EC2 DiskIO Read Bytes\",\"type\":\"metrics\"}" - }, - "id": "aws-f1db6ec0-f7f8-11e8-af03-c999c9dea608", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-f58f99b0-693a-11ea-b0ac-95d4ecb1fecd.json b/packages/aws/0.5.4/kibana/visualization/aws-f58f99b0-693a-11ea-b0ac-95d4ecb1fecd.json deleted file mode 100755 index f8ffa17c88..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-f58f99b0-693a-11ea-b0ac-95d4ecb1fecd.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "VPN Tunnel Data Out [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"aws.vpn.metrics.TunnelDataOut.sum\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.dimensions.TunnelIpAddress\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\"},\"title\":\"VPN Tunnel Data Out [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-f58f99b0-693a-11ea-b0ac-95d4ecb1fecd", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-f6831f30-b7b6-11e9-8349-f15f850c5cd0.json b/packages/aws/0.5.4/kibana/visualization/aws-f6831f30-b7b6-11e9-8349-f15f850c5cd0.json deleted file mode 100755 index f012a641d0..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-f6831f30-b7b6-11e9-8349-f15f850c5cd0.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "EBS Volume Write Ops [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_min\":\"0\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Number of Write Operation\",\"line_width\":1,\"metrics\":[{\"field\":\"aws.ebs.metrics.VolumeWriteOps.avg\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"5\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.dimensions.VolumeId\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\"},\"title\":\"EBS Volume Write Ops [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-f6831f30-b7b6-11e9-8349-f15f850c5cd0", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-f74eb760-41e8-11e9-b7a0-c99d9d127b61.json b/packages/aws/0.5.4/kibana/visualization/aws-f74eb760-41e8-11e9-b7a0-c99d9d127b61.json deleted file mode 100755 index 168a6e6d6c..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-f74eb760-41e8-11e9-b7a0-c99d9d127b61.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "SQS Messages Visible [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"d5b83c70-41e8-11e9-9e94-11d4d21d3f4b\"}],\"bar_color_rules\":[{\"id\":\"d2d14920-41e8-11e9-9e94-11d4d21d3f4b\"}],\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"gauge_color_rules\":[{\"id\":\"d2163680-41e8-11e9-9e94-11d4d21d3f4b\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"SQS Message Visible\",\"line_width\":1,\"metrics\":[{\"field\":\"aws.sqs.messages.visible\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.sqs.queue.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"terms_size\":\"5\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"SQS Messages Visible [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-f74eb760-41e8-11e9-b7a0-c99d9d127b61", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-f7c17000-6949-11ea-b0ac-95d4ecb1fecd.json b/packages/aws/0.5.4/kibana/visualization/aws-f7c17000-6949-11ea-b0ac-95d4ecb1fecd.json deleted file mode 100755 index de959e8a14..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-f7c17000-6949-11ea-b0ac-95d4ecb1fecd.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Transit Gateway Bytes Drop Count Blackhole [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"aws.transitgateway.metrics.BytesDropCountBlackhole.sum\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.dimensions.TransitGateway\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\"},\"title\":\"Transit Gateway Bytes Drop Count Blackhole [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-f7c17000-6949-11ea-b0ac-95d4ecb1fecd", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-f8b63860-739e-11ea-a345-f985c61fe654.json b/packages/aws/0.5.4/kibana/visualization/aws-f8b63860-739e-11ea-a345-f985c61fe654.json deleted file mode 100755 index c705ed2ecc..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-f8b63860-739e-11ea-a345-f985c61fe654.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "CloudTrail Error Code [Logs AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"aws.cloudtrail.error_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"CloudTrail Error Code [Logs AWS]\",\"type\":\"pie\"}" - }, - "id": "aws-f8b63860-739e-11ea-a345-f985c61fe654", - "references": [ - { - "id": "aws-30ccde50-7397-11ea-a345-f985c61fe654", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-fc0869c0-180e-11ea-8e91-03c7047cbb9d.json b/packages/aws/0.5.4/kibana/visualization/aws-fc0869c0-180e-11ea-8e91-03c7047cbb9d.json deleted file mode 100755 index fe50a91d02..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-fc0869c0-180e-11ea-8e91-03c7047cbb9d.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "SNS Notifications Redriven To DLQ [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_min\":\"0\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"s,s,3\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Notifications Redriven To DLQ\",\"line_width\":1,\"metrics\":[{\"field\":\"aws.sns.metrics.NumberOfNotificationsRedrivenToDlq.sum\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"5\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":null,\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\"},\"title\":\"SNS Notifications Redriven To DLQ [Metrics AWS]\",\"type\":\"metrics\"}" - }, - "id": "aws-fc0869c0-180e-11ea-8e91-03c7047cbb9d", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-fcfc8d80-693e-11ea-b0ac-95d4ecb1fecd.json b/packages/aws/0.5.4/kibana/visualization/aws-fcfc8d80-693e-11ea-b0ac-95d4ecb1fecd.json deleted file mode 100755 index 0d6d3ed13c..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-fcfc8d80-693e-11ea-b0ac-95d4ecb1fecd.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "VPN Filters [Metrics AWS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"cloud.account.name\",\"id\":\"1565034367477\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"account name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"cloud.region\",\"id\":\"1584478324642\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"region\",\"options\":{\"dynamicOptions\":false,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"aws.dimensions.VpnId\",\"id\":\"1584552913938\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"VPN ID\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"aws.dimensions.TunnelIpAddress\",\"id\":\"1584552958445\",\"indexPatternRefName\":\"control_3_index_pattern\",\"label\":\"Tunnel IP\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":true,\"useTimeFilter\":true},\"title\":\"VPN Filters [Metrics AWS]\",\"type\":\"input_control_vis\"}" - }, - "id": "aws-fcfc8d80-693e-11ea-b0ac-95d4ecb1fecd", - "references": [ - { - "id": "metrics-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "control_2_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": 
"control_3_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/aws/0.5.4/kibana/visualization/aws-fd915180-6890-11ea-b0ac-95d4ecb1fecd.json b/packages/aws/0.5.4/kibana/visualization/aws-fd915180-6890-11ea-b0ac-95d4ecb1fecd.json deleted file mode 100755 index b7600a2470..0000000000 --- a/packages/aws/0.5.4/kibana/visualization/aws-fd915180-6890-11ea-b0ac-95d4ecb1fecd.json +++ /dev/null 
@@ -1,15 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{}"
- },
- "title": "NATGateway Packet Out To Source [Metrics AWS]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"688b0480-688d-11ea-8b7d-fd9d15a13cd0\",\"value\":0}],\"bar_color_rules\":[{\"id\":\"6b6b1a00-688d-11ea-8b7d-fd9d15a13cd0\"}],\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"formatter\":\"number\",\"id\":\"f444c0e0-688f-11ea-8b7d-fd9d15a13cd0\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"aws.natgateway.metrics.PacketsOutToSource.sum\",\"id\":\"f444c0e1-688f-11ea-8b7d-fd9d15a13cd0\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.dimensions.NatGatewayId\",\"terms_order_by\":\"f444c0e1-688f-11ea-8b7d-fd9d15a13cd0\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"last_value\",\"type\":\"timeseries\"},\"title\":\"NATGateway Packet Out To Source [Metrics AWS]\",\"type\":\"metrics\"}"
- },
- "id": "aws-fd915180-6890-11ea-b0ac-95d4ecb1fecd",
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-fe0581b0-b7b8-11e9-8349-f15f850c5cd0.json b/packages/aws/0.5.4/kibana/visualization/aws-fe0581b0-b7b8-11e9-8349-f15f850c5cd0.json
deleted file mode 100755
index 2812e58021..0000000000
--- a/packages/aws/0.5.4/kibana/visualization/aws-fe0581b0-b7b8-11e9-8349-f15f850c5cd0.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "title": "EBS Volume Queue Length [Metrics AWS]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_min\":\"0\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Volume Queue Length\",\"line_width\":1,\"metrics\":[{\"field\":\"aws.ebs.metrics.VolumeQueueLength.avg\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"5\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"aws.dimensions.VolumeId\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\"},\"title\":\"EBS Volume Queue Length [Metrics AWS]\",\"type\":\"metrics\"}"
- },
- "id": "aws-fe0581b0-b7b8-11e9-8349-f15f850c5cd0",
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/aws/0.5.4/kibana/visualization/aws-fed59380-f7f8-11e8-af03-c999c9dea608.json b/packages/aws/0.5.4/kibana/visualization/aws-fed59380-f7f8-11e8-af03-c999c9dea608.json
deleted file mode 100755
index 0a20e7c906..0000000000
--- a/packages/aws/0.5.4/kibana/visualization/aws-fed59380-f7f8-11e8-af03-c999c9dea608.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "title": "EC2 DiskIO Write Bytes [Metrics AWS]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"annotations\":[],\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"23428b30-f7f2-11e8-bff8-21537b07dd44\"}],\"bar_color_rules\":[{\"id\":\"2592bcc0-f7f2-11e8-bff8-21537b07dd44\"}],\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(104,188,0,1)\",\"fill\":\"0\",\"filter\":\"\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"AWS EC2 DiskIO Write Bytes\",\"line_width\":1,\"metrics\":[{\"field\":\"aws.ec2.diskio.write.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":1,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"steps\":0,\"terms_field\":\"cloud.instance.id\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"terms_size\":\"5\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"AWS EC2 DiskIO Write Bytes\",\"type\":\"metrics\"}"
- },
- "id": "aws-fed59380-f7f8-11e8-af03-c999c9dea608",
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/aws/0.5.4/manifest.yml b/packages/aws/0.5.4/manifest.yml
deleted file mode 100755
index b28c6e96a9..0000000000
--- a/packages/aws/0.5.4/manifest.yml
+++ /dev/null
@@ -1,271 +0,0 @@
-format_version: 1.0.0
-name: aws
-title: AWS
-version: 0.5.4
-license: basic
-description: AWS Integration
-type: integration
-categories:
- - aws
- - cloud
- - network
- - security
-release: beta
-conditions:
- kibana.version: "^7.12.0"
-screenshots:
- - src: /img/filebeat-aws-cloudtrail.png
- title: filebeat aws cloudtrail
- size: 1702x1063
- type: image/png
- - src: /img/filebeat-aws-elb-overview.png
- title: filebeat aws elb overview
- size: 5120x2704
- type: image/png
- - src: /img/filebeat-aws-s3access-overview.png
- title: filebeat aws s3access overview
- size: 1684x897
- type: image/png
- - src: /img/filebeat-aws-vpcflow-overview.png
- title: filebeat aws vpcflow overview
- size: 5111x2609
- type: image/png
- - src: /img/metricbeat-aws-overview.png
- title: metricbeat aws overview
- size: 3848x2440
- type: image/png
- - src: /img/metricbeat-aws-billing-overview.png
- title: metricbeat aws billing overview
- size: 2176x1826
- type: image/png
- - src: /img/metricbeat-aws-dynamodb-overview.png
- title: metricbeat aws dynamodb overview
- size: 1873x846
- type: image/png
- - src: /img/metricbeat-aws-ebs-overview.png
- title: metricbeat aws ebs overview
- size: 3372x2104
- type: image/png
- - src: /img/metricbeat-aws-ec2-overview.png
- title: metricbeat aws ec2 overview
- size: 2640x2240
- type: image/png
- - src: /img/metricbeat-aws-elb-overview.png
- title: metricbeat aws elb overview
- size: 2676x2384
- type: image/png
- - src: /img/metricbeat-aws-lambda-overview.png
- title: metricbeat aws lambda overview
- size: 2582x2206
- type: image/png
- - src: /img/metricbeat-aws-rds-overview.png
- title: metricbeat aws rds overview
- size: 3468x2290
- type: image/png
- - src: /img/metricbeat-aws-s3-overview.png
- title: metricbeat aws s3 overview
- size: 2048x1504
- type: image/png
- - src: /img/metricbeat-aws-sqs-overview.png
- title: metricbeat aws sqs overview
- size: 2560x1440
- type: image/png
- - src: /img/metricbeat-aws-usage-overview.png
- title: metricbeat aws usage overview
- size: 2238x2438
- type: image/png
- - src: /img/metricbeat-aws-billing-overview.png
- title: metricbeat aws billing overview
- size: 2176x1826
- type: image/png
- - src: /img/metricbeat-aws-ebs-overview.png
- title: metricbeat aws ebs overview
- size: 3372x2104
- type: image/png
- - src: /img/metricbeat-aws-ec2-overview.png
- title: metricbeat aws ec2 overview
- size: 2640x2240
- type: image/png
- - src: /img/metricbeat-aws-elb-overview.png
- title: metricbeat aws elb overview
- size: 2676x2384
- type: image/png
- - src: /img/metricbeat-aws-lambda-overview.png
- title: metricbeat aws lambda overview
- size: 2582x2206
- type: image/png
- - src: /img/metricbeat-aws-rds-overview.png
- title: metricbeat aws rds overview
- size: 3468x2290
- type: image/png
- - src: /img/metricbeat-aws-s3-overview.png
- title: metricbeat aws s3 overview
- size: 2048x1504
- type: image/png
- - src: /img/metricbeat-aws-s3-overview.png
- title: metricbeat aws s3 overview
- size: 2048x1504
- type: image/png
- - src: /img/metricbeat-aws-sns-overview.png
- title: metricbeat aws sns overview
- size: 3840x2676
- type: image/png
- - src: /img/metricbeat-aws-sqs-overview.png
- title: metricbeat aws sqs overview
- size: 2560x1440
- type: image/png
- - src: /img/metricbeat-aws-usage-overview.png
- title: metricbeat aws usage overview
- size: 2238x2438
- type: image/png
-icons:
- - src: /img/logo_aws.svg
- title: logo aws
- size: 32x32
- type: image/svg+xml
-policy_templates:
- - name: aws
- title: AWS logs and metrics
- description: Collect logs and metrics from AWS services
- inputs:
- - type: aws-s3
- title: Collect logs from AWS services
- description: Collecting AWS CloudTrail, CloudWatch, EC2, ELB, S3 access logs and VPC flow logs logs
- vars:
- - name: visibility_timeout
- type: text
- title: Visibility Timeout
- multi: false
- required: false
- show_user: false
- description: The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours.
- - name: api_timeout
- type: text
- title: API Timeout
- multi: false
- required: false
- show_user: false
- description: The maximum duration of AWS API can take. The maximum is half of the visibility timeout value.
- - name: shared_credential_file
- type: text
- title: Shared Credential File
- multi: false
- required: false
- show_user: false
- description: Directory of the shared credentials file.
- - name: credential_profile_name
- type: text
- title: Credential Profile Name
- multi: false
- required: false
- show_user: true
- - name: access_key_id
- type: text
- title: Access Key ID
- multi: false
- required: false
- show_user: false
- - name: secret_access_key
- type: text
- title: Secret Access Key
- multi: false
- required: false
- show_user: false
- - name: session_token
- type: text
- title: Session Token
- multi: false
- required: false
- show_user: false
- - name: role_arn
- type: text
- title: Role ARN
- multi: false
- required: false
- show_user: false
- - name: endpoint
- type: text
- title: Endpoint
- multi: false
- required: false
- show_user: false
- default: "amazonaws.com"
- description: URL of the entry point for an AWS web service.
- - type: aws/metrics
- title: Collect metrics from AWS services
- description: Collecting AWS billing, cloudwatch, dynamodb, ebs, ec2, elb, lambda, natgateway, rds, s3_daily_storage, s3_request, sns, sqs, transitgateway, usage and vpn metrics
- vars:
- - name: access_key_id
- type: text
- title: Access Key ID
- multi: false
- required: false
- show_user: false
- - name: secret_access_key
- type: text
- title: Secret Access Key
- multi: false
- required: false
- show_user: false
- - name: session_token
- type: text
- title: Session Token
- multi: false
- required: false
- show_user: false
- - name: shared_credential_file
- type: text
- title: Shared Credential File
- multi: false
- required: false
- show_user: false
- - name: credential_profile_name
- type: text
- title: Credential Profile Name
- multi: false
- required: false
- show_user: true
- - name: role_arn
- type: text
- title: Role ARN
- multi: false
- required: false
- show_user: false
- - name: endpoint
- type: text
- title: Endpoint
- multi: false
- required: false
- show_user: false
- default: "amazonaws.com"
- description: URL of the entry point for an AWS web service.
- - type: httpjson
- title: Collect logs from third-party REST API (experimental)
- description: Collect logs from third-party REST API (experimental)
- vars:
- - name: url
- type: text
- title: URL of Splunk Enterprise Server
- description: i.e. scheme://host:port, path is automatic
- show_user: true
- required: true
- default: https://server.example.com:8089
- - name: username
- type: text
- title: Splunk REST API Username
- show_user: true
- required: true
- - name: password
- type: password
- title: Splunk REST API Password
- required: true
- show_user: true
- - name: ssl
- type: yaml
- title: SSL Configuration
- multi: false
- required: false
- show_user: false
- description: i.e. certificate_authorities, supported_protocols, verification_mode etc.
-owner:
- github: elastic/integrations
diff --git a/packages/system/0.10.3/data_stream/application/agent/stream/winlog.yml.hbs b/packages/system/0.10.3/data_stream/application/agent/stream/winlog.yml.hbs
deleted file mode 100644
index e207b9ffd6..0000000000
--- a/packages/system/0.10.3/data_stream/application/agent/stream/winlog.yml.hbs
+++ /dev/null
@@ -1,3 +0,0 @@
-name: Application
-condition: ${host.platform} == 'windows'
-ignore_older: 72h
\ No newline at end of file
diff --git a/packages/system/0.10.3/data_stream/application/elasticsearch/ingest_pipeline/default.yml b/packages/system/0.10.3/data_stream/application/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100644
index d239ad095f..0000000000
--- a/packages/system/0.10.3/data_stream/application/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,10 +0,0 @@
----
- description: Pipeline for Windows Application Event Logs
- processors:
- - set:
- field: event.ingested
- value: '{{_ingest.timestamp}}'
- on_failure:
- - set:
- field: "error.message"
- value: "{{ _ingest.on_failure_message }}"
\ No newline at end of file
diff --git a/packages/system/0.10.3/data_stream/application/fields/agent.yml b/packages/system/0.10.3/data_stream/application/fields/agent.yml
deleted file mode 100644
index da4e652c53..0000000000
--- a/packages/system/0.10.3/data_stream/application/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.10.3/data_stream/application/fields/base-fields.yml b/packages/system/0.10.3/data_stream/application/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.10.3/data_stream/application/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.10.3/data_stream/application/fields/ecs.yml b/packages/system/0.10.3/data_stream/application/fields/ecs.yml
deleted file mode 100644
index e1817f5ca6..0000000000
--- a/packages/system/0.10.3/data_stream/application/fields/ecs.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-- description: Time when the event was first read by an agent or by your pipeline.
- example: '2016-05-23T08:05:34.857Z'
- name: event.created
- type: date
-- description: Timestamp when an event arrived in the central data store.
- example: '2016-05-23T08:05:35.101Z'
- name: event.ingested
- type: date
-- description: Raw text message of entire event.
- example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232
- ignore_above: 1024
- name: event.original
- type: keyword
-- description: Error message.
- name: error.message
- type: text
diff --git a/packages/system/0.10.3/data_stream/application/fields/winlog.yml b/packages/system/0.10.3/data_stream/application/fields/winlog.yml
deleted file mode 100644
index adca1bbdd0..0000000000
--- a/packages/system/0.10.3/data_stream/application/fields/winlog.yml
+++ /dev/null
@@ -1,357 +0,0 @@ -- name: winlog - type: group - description: > - All fields specific to the Windows Event Log are defined here. - - fields: - - name: api - required: true - type: keyword - description: > - The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. - - - name: activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. - - - name: computer_name - type: keyword - required: true - description: > - The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. - - - name: event_data - type: object - object_type: keyword - required: false - description: > - The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. - - - name: event_data - type: group - description: > - This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs. 
- - fields: - - name: AuthenticationPackageName - type: keyword - - name: Binary - type: keyword - - name: BitlockerUserInputTime - type: keyword - - name: BootMode - type: keyword - - name: BootType - type: keyword - - name: BuildVersion - type: keyword - - name: Company - type: keyword - - name: CorruptionActionState - type: keyword - - name: CreationUtcTime - type: keyword - - name: Description - type: keyword - - name: Detail - type: keyword - - name: DeviceName - type: keyword - - name: DeviceNameLength - type: keyword - - name: DeviceTime - type: keyword - - name: DeviceVersionMajor - type: keyword - - name: DeviceVersionMinor - type: keyword - - name: DriveName - type: keyword - - name: DriverName - type: keyword - - name: DriverNameLength - type: keyword - - name: DwordVal - type: keyword - - name: EntryCount - type: keyword - - name: ExtraInfo - type: keyword - - name: FailureName - type: keyword - - name: FailureNameLength - type: keyword - - name: FileVersion - type: keyword - - name: FinalStatus - type: keyword - - name: Group - type: keyword - - name: IdleImplementation - type: keyword - - name: IdleStateCount - type: keyword - - name: ImpersonationLevel - type: keyword - - name: IntegrityLevel - type: keyword - - name: IpAddress - type: keyword - - name: IpPort - type: keyword - - name: KeyLength - type: keyword - - name: LastBootGood - type: keyword - - name: LastShutdownGood - type: keyword - - name: LmPackageName - type: keyword - - name: LogonGuid - type: keyword - - name: LogonId - type: keyword - - name: LogonProcessName - type: keyword - - name: LogonType - type: keyword - - name: MajorVersion - type: keyword - - name: MaximumPerformancePercent - type: keyword - - name: MemberName - type: keyword - - name: MemberSid - type: keyword - - name: MinimumPerformancePercent - type: keyword - - name: MinimumThrottlePercent - type: keyword - - name: MinorVersion - type: keyword - - name: NewProcessId - type: keyword - - name: NewProcessName - type: 
keyword - - name: NewSchemeGuid - type: keyword - - name: NewTime - type: keyword - - name: NominalFrequency - type: keyword - - name: Number - type: keyword - - name: OldSchemeGuid - type: keyword - - name: OldTime - type: keyword - - name: OriginalFileName - type: keyword - - name: Path - type: keyword - - name: PerformanceImplementation - type: keyword - - name: PreviousCreationUtcTime - type: keyword - - name: PreviousTime - type: keyword - - name: PrivilegeList - type: keyword - - name: ProcessId - type: keyword - - name: ProcessName - type: keyword - - name: ProcessPath - type: keyword - - name: ProcessPid - type: keyword - - name: Product - type: keyword - - name: PuaCount - type: keyword - - name: PuaPolicyId - type: keyword - - name: QfeVersion - type: keyword - - name: Reason - type: keyword - - name: SchemaVersion - type: keyword - - name: ScriptBlockText - type: keyword - - name: ServiceName - type: keyword - - name: ServiceVersion - type: keyword - - name: ShutdownActionType - type: keyword - - name: ShutdownEventCode - type: keyword - - name: ShutdownReason - type: keyword - - name: Signature - type: keyword - - name: SignatureStatus - type: keyword - - name: Signed - type: keyword - - name: StartTime - type: keyword - - name: State - type: keyword - - name: Status - type: keyword - - name: StopTime - type: keyword - - name: SubjectDomainName - type: keyword - - name: SubjectLogonId - type: keyword - - name: SubjectUserName - type: keyword - - name: SubjectUserSid - type: keyword - - name: TSId - type: keyword - - name: TargetDomainName - type: keyword - - name: TargetInfo - type: keyword - - name: TargetLogonGuid - type: keyword - - name: TargetLogonId - type: keyword - - name: TargetServerName - type: keyword - - name: TargetUserName - type: keyword - - name: TargetUserSid - type: keyword - - name: TerminalSessionId - type: keyword - - name: TokenElevationType - type: keyword - - name: TransmittedServices - type: keyword - - name: UserSid - type: 
keyword - - name: Version - type: keyword - - name: Workstation - type: keyword - - name: param1 - type: keyword - - name: param2 - type: keyword - - name: param3 - type: keyword - - name: param4 - type: keyword - - name: param5 - type: keyword - - name: param6 - type: keyword - - name: param7 - type: keyword - - name: param8 - type: keyword - - name: event_id - type: keyword - required: true - description: > - The event identifier. The value is specific to the source of the event. - - - name: keywords - type: keyword - required: false - description: > - The keywords are used to classify an event. - - - name: channel - type: keyword - required: true - description: > - The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. - - - name: record_id - type: keyword - required: true - description: > - The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. - - - name: related_activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. - - - name: opcode - type: keyword - required: false - description: > - The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. - - - name: provider_guid - type: keyword - required: false - description: > - A globally unique identifier that identifies the provider that logged the event. - - - name: process.pid - type: long - required: false - description: > - The process_id of the Client Server Runtime Process. 
- - - name: provider_name - type: keyword - required: true - description: > - The source of the event log record (the application or service that logged the record). - - - name: task - type: keyword - required: false - description: > - The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. - - - name: process.thread.id - type: long - required: false - - name: user_data - type: object - object_type: keyword - required: false - description: > - The event specific data. This field is mutually exclusive with `event_data`. - - - name: user.identifier - type: keyword - required: false - example: S-1-5-21-3541430928-2051711210-1391384369-1001 - description: > - The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. - - - name: user.name - type: keyword - description: > - Name of the user associated with this event. - - - name: user.domain - type: keyword - required: false - description: > - The domain that the account associated with this event is a member of. - - - name: user.type - type: keyword - required: false - description: > - The type of account associated with this event. - - - name: version - type: long - required: false - description: The version number of the event's definition. diff --git a/packages/system/0.10.3/data_stream/application/manifest.yml b/packages/system/0.10.3/data_stream/application/manifest.yml deleted file mode 100644 index 4fab87c07c..0000000000 --- a/packages/system/0.10.3/data_stream/application/manifest.yml +++ /dev/null 
@@ -1,8 +0,0 @@
-type: logs
-title: Windows Application Events
-release: experimental
-streams:
- - input: winlog
- template_path: winlog.yml.hbs
- title: Application
- description: 'Collect Windows application logs'
diff --git a/packages/system/0.10.3/data_stream/auth/agent/stream/log.yml.hbs b/packages/system/0.10.3/data_stream/auth/agent/stream/log.yml.hbs
deleted file mode 100644
index 58c96859c0..0000000000
--- a/packages/system/0.10.3/data_stream/auth/agent/stream/log.yml.hbs
+++ /dev/null
@@ -1,14 +0,0 @@
-paths:
-{{#each paths as |path i|}}
- - {{path}}
-{{/each}}
-exclude_files: [".gz$"]
-multiline:
- pattern: "^\\s"
- match: after
-processors:
- - add_locale: ~
- - add_fields:
- target: ''
- fields:
- ecs.version: 1.5.0
\ No newline at end of file
diff --git a/packages/system/0.10.3/data_stream/auth/elasticsearch/ingest_pipeline/default.json b/packages/system/0.10.3/data_stream/auth/elasticsearch/ingest_pipeline/default.json
deleted file mode 100644
index 8df0a77e58..0000000000
--- a/packages/system/0.10.3/data_stream/auth/elasticsearch/ingest_pipeline/default.json
+++ /dev/null
@@ -1,121 +0,0 @@ -{ - "description": "Pipeline for parsing system authorisation/secure logs", - "processors": [ - { - "grok": { - "field": "message", - "ignore_missing": true, - "pattern_definitions" : { - "GREEDYMULTILINE" : "(.|\n)*", - "TIMESTAMP": "(?:%{TIMESTAMP_ISO8601}|%{SYSLOGTIMESTAMP})" - }, - "patterns": [ - "%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: %{DATA:system.auth.ssh.event} %{DATA:system.auth.ssh.method} for (invalid user )?%{DATA:user.name} from %{IPORHOST:source.ip} port %{NUMBER:source.port:long} ssh2(: %{GREEDYDATA:system.auth.ssh.signature})?", - "%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: %{DATA:system.auth.ssh.event} user %{DATA:user.name} from %{IPORHOST:source.ip}", - "%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: Did not receive identification string from %{IPORHOST:system.auth.ssh.dropped_ip}", - "%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: \\s*%{DATA:user.name} :( %{DATA:system.auth.sudo.error} ;)? TTY=%{DATA:system.auth.sudo.tty} ; PWD=%{DATA:system.auth.sudo.pwd} ; USER=%{DATA:system.auth.sudo.user} ; COMMAND=%{GREEDYDATA:system.auth.sudo.command}", - "%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: new group: name=%{DATA:group.name}, GID=%{NUMBER:group.id}", - "%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: new user: name=%{DATA:user.name}, UID=%{NUMBER:user.id}, GID=%{NUMBER:group.id}, home=%{DATA:system.auth.useradd.home}, shell=%{DATA:system.auth.useradd.shell}$", - "%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname}? 
%{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: %{GREEDYMULTILINE:system.auth.message}" - ] - } - }, - { - "remove": { - "field": "message" - } - }, - { - "rename": { - "field": "system.auth.message", - "target_field": "message", - "ignore_missing": true - } - }, - { - "set": { - "field": "source.ip", - "value": "{{system.auth.ssh.dropped_ip}}", - "if": "ctx.containsKey('system') && ctx.system.containsKey('auth') && ctx.system.auth.containsKey('ssh') && ctx.system.auth.ssh.containsKey('dropped_ip')" - } - }, - { - "date": { - "if": "ctx.event.timezone == null", - "field": "system.auth.timestamp", - "target_field": "@timestamp", - "formats": [ - "MMM d HH:mm:ss", - "MMM dd HH:mm:ss", - "ISO8601" - ], - "on_failure": [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] - } - }, - { - "date": { - "if": "ctx.event.timezone != null", - "field": "system.auth.timestamp", - "target_field": "@timestamp", - "formats": [ - "MMM d HH:mm:ss", - "MMM dd HH:mm:ss", - "ISO8601" - ], - "timezone": "{{ event.timezone }}", - "on_failure": [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] - } - }, - { - "remove": { - "field": "system.auth.timestamp" - } - }, - { - "geoip": { - "field": "source.ip", - "target_field": "source.geo", - "ignore_failure": true - } - }, - { - "geoip": { - "database_file": "GeoLite2-ASN.mmdb", - "field": "source.ip", - "target_field": "source.as", - "properties": [ - "asn", - "organization_name" - ], - "ignore_missing": true - } - }, - { - "rename": { - "field": "source.as.asn", - "target_field": "source.as.number", - "ignore_missing": true - } - }, - { - "rename": { - "field": "source.as.organization_name", - "target_field": "source.as.organization.name", - "ignore_missing": true - } - }, - { - "script": { - "lang": "painless", - "ignore_failure": true, - "source": "if (ctx.system.auth.ssh.event == \"Accepted\") { if (!ctx.containsKey(\"event\")) { ctx.event = [:]; } 
ctx.event.type = \"authentication_success\"; ctx.event.category = \"authentication\"; ctx.event.action = \"ssh_login\"; ctx.event.outcome = \"success\"; } else if (ctx.system.auth.ssh.event == \"Invalid\" || ctx.system.auth.ssh.event == \"Failed\") { if (!ctx.containsKey(\"event\")) { ctx.event = [:]; } ctx.event.type = \"authentication_failure\"; ctx.event.category = \"authentication\"; ctx.event.action = \"ssh_login\"; ctx.event.outcome = \"failure\"; }" - } - } - ], - "on_failure" : [{ - "set" : { - "field" : "error.message", - "value" : "{{ _ingest.on_failure_message }}" - } - }] -} diff --git a/packages/system/0.10.3/data_stream/auth/elasticsearch/ingest_pipeline/default.yml b/packages/system/0.10.3/data_stream/auth/elasticsearch/ingest_pipeline/default.yml deleted file mode 100644 index 9f7c43959d..0000000000 --- a/packages/system/0.10.3/data_stream/auth/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,146 +0,0 @@ ---- -description: Pipeline for parsing system authorisation/secure logs -processors: -- grok: - field: message - ignore_missing: true - pattern_definitions: - GREEDYMULTILINE: |- - (.| - )* - TIMESTAMP: (?:%{TIMESTAMP_ISO8601}|%{SYSLOGTIMESTAMP}) - patterns: - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - %{DATA:system.auth.ssh.event} %{DATA:system.auth.ssh.method} for (invalid user - )?%{DATA:user.name} from %{IPORHOST:source.ip} port %{NUMBER:source.port:long} - ssh2(: %{GREEDYDATA:system.auth.ssh.signature})?' - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - %{DATA:system.auth.ssh.event} user %{DATA:user.name} from %{IPORHOST:source.ip}' - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - Did not receive identification string from %{IPORHOST:system.auth.ssh.dropped_ip}' - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - \s*%{DATA:user.name} :( %{DATA:system.auth.sudo.error} ;)? TTY=%{DATA:system.auth.sudo.tty} - ; PWD=%{DATA:system.auth.sudo.pwd} ; USER=%{DATA:system.auth.sudo.user} ; COMMAND=%{GREEDYDATA:system.auth.sudo.command}' - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - new group: name=%{DATA:group.name}, GID=%{NUMBER:group.id}' - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - new user: name=%{DATA:user.name}, UID=%{NUMBER:user.id}, GID=%{NUMBER:group.id}, - home=%{DATA:system.auth.useradd.home}, shell=%{DATA:system.auth.useradd.shell}$' - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname}? 
%{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - %{GREEDYMULTILINE:system.auth.message}' -- remove: - field: message -- rename: - field: system.auth.message - target_field: message - ignore_missing: true -- set: - field: source.ip - value: '{{system.auth.ssh.dropped_ip}}' - if: "ctx?.system?.auth?.ssh?.dropped_ip != null" -- date: - if: ctx.event.timezone == null - field: system.auth.timestamp - target_field: '@timestamp' - formats: - - MMM d HH:mm:ss - - MMM dd HH:mm:ss - - ISO8601 - on_failure: - - append: - field: error.message - value: '{{ _ingest.on_failure_message }}' -- date: - if: ctx.event.timezone != null - field: system.auth.timestamp - target_field: '@timestamp' - formats: - - MMM d HH:mm:ss - - MMM dd HH:mm:ss - - ISO8601 - timezone: '{{ event.timezone }}' - on_failure: - - append: - field: error.message - value: '{{ _ingest.on_failure_message }}' -- remove: - field: system.auth.timestamp -- geoip: - field: source.ip - target_field: source.geo - ignore_failure: true -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true -- rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true -- rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true -- set: - field: event.kind - value: event -- script: - lang: painless - ignore_failure: true - source: >- - if (ctx.system.auth.ssh.event == "Accepted") { - ctx.event.type = ["authentication_success", "info"]; - ctx.event.category = ["authentication"]; - ctx.event.action = "ssh_login"; - ctx.event.outcome = "success"; - } else if (ctx.system.auth.ssh.event == "Invalid" || ctx.system.auth.ssh.event == "Failed") { - ctx.event.type = ["authentication_failure", "info"]; - ctx.event.category = ["authentication"]; - ctx.event.action = "ssh_login"; - ctx.event.outcome = "failure"; - } - -- append: - field: event.category - value: 
iam - if: "ctx?.process?.name != null && ['groupadd', 'groupdel', 'groupmod', 'useradd', 'userdel', 'usermod'].contains(ctx.process.name)" -- set: - field: event.outcome - value: success - if: "ctx?.process?.name != null && ['groupadd', 'groupdel', 'groupmod', 'useradd', 'userdel', 'usermod'].contains(ctx.process.name)" -- append: - field: event.type - value: user - if: "ctx?.process?.name != null && ['useradd', 'userdel', 'usermod'].contains(ctx.process.name)" -- append: - field: event.type - value: group - if: "ctx?.process?.name != null && ['groupadd', 'groupdel', 'groupmod'].contains(ctx.process.name)" -- append: - field: event.type - value: creation - if: "ctx?.process?.name != null && ['useradd', 'groupadd'].contains(ctx.process.name)" -- append: - field: event.type - value: deletion - if: "ctx?.process?.name != null && ['userdel', 'groupdel'].contains(ctx.process.name)" -- append: - field: event.type - value: change - if: "ctx?.process?.name != null && ['usermod', 'groupmod'].contains(ctx.process.name)" -- append: - field: related.user - value: "{{user.name}}" - if: "ctx?.user?.name != null" -- append: - field: related.ip - value: "{{source.ip}}" - if: "ctx?.source?.ip != null" -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/system/0.10.3/data_stream/auth/fields/agent.yml b/packages/system/0.10.3/data_stream/auth/fields/agent.yml deleted file mode 100644 index da4e652c53..0000000000 --- a/packages/system/0.10.3/data_stream/auth/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.10.3/data_stream/auth/fields/base-fields.yml b/packages/system/0.10.3/data_stream/auth/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.10.3/data_stream/auth/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.10.3/data_stream/auth/fields/ecs.yml b/packages/system/0.10.3/data_stream/auth/fields/ecs.yml
deleted file mode 100644
index 2a84b338b1..0000000000
--- a/packages/system/0.10.3/data_stream/auth/fields/ecs.yml
+++ /dev/null
@@ -1,187 +0,0 @@ -- name: '@timestamp' - level: core - required: true - type: date - description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. -- name: message - level: core - type: text - description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. -- name: group - title: Group - group: 2 - type: group - fields: - - name: id - level: extended - type: keyword - description: Unique identifier for the group on the system/platform. - ignore_above: 1024 - - name: name - level: extended - type: keyword - description: Name of the group. - ignore_above: 1024 -- name: host - title: Host - group: 2 - type: group - fields: - - name: hostname - level: core - type: keyword - description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - ignore_above: 1024 -- name: process - title: Process - group: 2 - type: group - fields: - - name: name - level: extended - type: keyword - description: |- - Process name. - Sometimes called program name or similar. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - - name: pid - level: core - type: long - format: string - description: Process id. -- name: source - title: Source - group: 2 - type: group - fields: - - name: geo.city_name - level: core - type: keyword - description: City name. 
- ignore_above: 1024 - - name: geo.continent_name - level: core - type: keyword - description: Name of the continent. - ignore_above: 1024 - - name: geo.country_iso_code - level: core - type: keyword - description: Country ISO code. - ignore_above: 1024 - - name: geo.location - level: core - type: geo_point - description: Longitude and latitude. - - name: geo.region_iso_code - level: core - type: keyword - description: Region ISO code. - ignore_above: 1024 - - name: geo.region_name - level: core - type: keyword - description: Region name. - ignore_above: 1024 - - name: ip - level: core - type: ip - description: IP address of the source (IPv4 or IPv6). - - name: port - level: core - type: long - format: string - description: Port of the source. -- name: user - title: User - group: 2 - type: group - fields: - - name: id - level: core - type: keyword - description: Unique identifier of the user. - ignore_above: 1024 - - name: name - level: core - type: keyword - description: Short name or login of the user. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false -- description: "Operating system architecture." - ignore_above: 1024 - name: host.architecture - type: keyword -- description: "Name of the directory the group is a member of." - ignore_above: 1024 - name: host.domain - type: keyword -- description: "Hostname of the host." - ignore_above: 1024 - name: host.hostname - type: keyword -- description: "Unique host id." - ignore_above: 1024 - name: host.id - type: keyword -- description: "Host ip addresses." - name: host.ip - type: ip -- description: "Host mac addresses." - ignore_above: 1024 - name: host.mac - type: keyword -- description: "Name of the host." - ignore_above: 1024 - name: host.name - type: keyword -- description: "OS family (such as redhat, debian, freebsd, windows)." - ignore_above: 1024 - name: host.os.family - type: keyword -- description: "Operating system name, including the version or code name." 
- ignore_above: 1024 - multi_fields: - - name: text - norms: false - type: text - name: host.os.full - type: keyword -- description: "Operating system kernel version as a raw string." - ignore_above: 1024 - name: host.os.kernel - type: keyword -- description: "Operating system name, without the version." - ignore_above: 1024 - multi_fields: - - name: text - norms: false - type: text - name: host.os.name - type: keyword -- description: "Operating system platform (such centos, ubuntu, windows)." - ignore_above: 1024 - name: host.os.platform - type: keyword -- description: "Operating system version as a raw string." - ignore_above: 1024 - name: version - type: keyword diff --git a/packages/system/0.10.3/data_stream/auth/fields/fields.yml b/packages/system/0.10.3/data_stream/auth/fields/fields.yml deleted file mode 100644 index 1e7b044f02..0000000000 --- a/packages/system/0.10.3/data_stream/auth/fields/fields.yml +++ /dev/null 
@@ -1,58 +0,0 @@
-- name: system.auth
- type: group
- fields:
- - name: ssh
- type: group
- fields:
- - name: method
- type: keyword
- description: |
- The SSH authentication method. Can be one of "password" or "publickey".
- - name: signature
- type: keyword
- description: |
- The signature of the client public key.
- - name: dropped_ip
- type: ip
- description: |
- The client IP from SSH connections that are open and immediately dropped.
- - name: event
- type: keyword
- description: |
- The SSH event as found in the logs (Accepted, Invalid, Failed, etc.)
- - name: geoip
- type: group
- - name: sudo
- type: group
- fields:
- - name: error
- type: keyword
- description: |
- The error message in case the sudo command failed.
- - name: tty
- type: keyword
- description: |
- The TTY where the sudo command is executed.
- - name: pwd
- type: keyword
- description: |
- The current directory where the sudo command is executed.
- - name: user
- type: keyword
- description: |
- The target user to which the sudo command is switching.
- - name: command
- type: keyword
- description: |
- The command executed via sudo.
- - name: useradd
- type: group
- fields:
- - name: home
- type: keyword
- description: The home folder for the new user.
- - name: shell
- type: keyword
- description: The default shell for the new user.
- - name: groupadd
- type: group
diff --git a/packages/system/0.10.3/data_stream/auth/manifest.yml b/packages/system/0.10.3/data_stream/auth/manifest.yml
deleted file mode 100644
index 428764ece1..0000000000
--- a/packages/system/0.10.3/data_stream/auth/manifest.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-title: System auth logs
-release: experimental
-type: logs
-streams:
- - input: logfile
- vars:
- - name: paths
- type: text
- title: Paths
- multi: true
- required: true
- show_user: true
- default:
- - /var/log/auth.log*
- - /var/log/secure*
- template_path: log.yml.hbs
- title: System auth logs (log)
- description: Collect System auth logs using log input
diff --git a/packages/system/0.10.3/data_stream/core/agent/stream/stream.yml.hbs b/packages/system/0.10.3/data_stream/core/agent/stream/stream.yml.hbs
deleted file mode 100644
index 38d25572bd..0000000000
--- a/packages/system/0.10.3/data_stream/core/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,5 +0,0 @@
-metricsets: ["core"]
-core.metrics:
-{{#each core.metrics}}
- - {{this}}
-{{/each}}
diff --git a/packages/system/0.10.3/data_stream/core/fields/agent.yml b/packages/system/0.10.3/data_stream/core/fields/agent.yml
deleted file mode 100644
index da4e652c53..0000000000
--- a/packages/system/0.10.3/data_stream/core/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.10.3/data_stream/core/fields/base-fields.yml b/packages/system/0.10.3/data_stream/core/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.10.3/data_stream/core/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.10.3/data_stream/core/fields/ecs.yml b/packages/system/0.10.3/data_stream/core/fields/ecs.yml
deleted file mode 100644
index e76a78fa1d..0000000000
--- a/packages/system/0.10.3/data_stream/core/fields/ecs.yml
+++ /dev/null
@@ -1,71 +0,0 @@
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: ip
- level: core
- type: ip
- description: Host ip address.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac address.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.full
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system name, including the version or code name.
- example: Mac OS Mojave
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: Type of host.
diff --git a/packages/system/0.10.3/data_stream/core/fields/fields.yml b/packages/system/0.10.3/data_stream/core/fields/fields.yml
deleted file mode 100644
index dab186321f..0000000000
--- a/packages/system/0.10.3/data_stream/core/fields/fields.yml
+++ /dev/null
@@ -1,103 +0,0 @@
-- name: system.core
- type: group
- fields:
- - name: id
- type: keyword
- description: |
- CPU Core number.
- - name: user.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in user space.
- - name: user.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent in user space.
- - name: system.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in kernel space.
- - name: system.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent in kernel space.
- - name: nice.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent on low-priority processes.
- - name: nice.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent on low-priority processes.
- - name: idle.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent idle.
- - name: idle.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent idle.
- - name: iowait.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in wait (on disk).
- - name: iowait.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent in wait (on disk).
- - name: irq.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent servicing and handling hardware interrupts.
- - name: irq.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent servicing and handling hardware interrupts.
- - name: softirq.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent servicing and handling software interrupts.
- - name: softirq.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent servicing and handling software interrupts.
- - name: steal.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.
- - name: steal.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.
diff --git a/packages/system/0.10.3/data_stream/core/manifest.yml b/packages/system/0.10.3/data_stream/core/manifest.yml
deleted file mode 100644
index f7e0e5a825..0000000000
--- a/packages/system/0.10.3/data_stream/core/manifest.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-title: System core metrics
-release: experimental
-type: metrics
-streams:
- - input: system/metrics
- enabled: false
- vars:
- - name: period
- type: text
- title: Period
- multi: false
- required: true
- show_user: true
- default: 10s
- - name: core.metrics
- type: text
- title: Core Metrics
- multi: true
- required: true
- show_user: true
- description: >
- How to report core metrics. Can be "percentages" or "ticks"
-
- default:
- - percentages
- title: System core metrics
- description: Collect System core metrics
diff --git a/packages/system/0.10.3/data_stream/cpu/agent/stream/stream.yml.hbs b/packages/system/0.10.3/data_stream/cpu/agent/stream/stream.yml.hbs
deleted file mode 100644
index cd0de8d3d9..0000000000
--- a/packages/system/0.10.3/data_stream/cpu/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,6 +0,0 @@
-metricsets: ["cpu"]
-cpu.metrics:
-{{#each cpu.metrics}}
- - {{this}}
-{{/each}}
-period: {{period}}
\ No newline at end of file
diff --git a/packages/system/0.10.3/data_stream/cpu/fields/agent.yml b/packages/system/0.10.3/data_stream/cpu/fields/agent.yml
deleted file mode 100644
index da4e652c53..0000000000
--- a/packages/system/0.10.3/data_stream/cpu/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/system/0.10.3/data_stream/cpu/fields/base-fields.yml b/packages/system/0.10.3/data_stream/cpu/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.10.3/data_stream/cpu/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.10.3/data_stream/cpu/fields/ecs.yml b/packages/system/0.10.3/data_stream/cpu/fields/ecs.yml
deleted file mode 100644
index e76a78fa1d..0000000000
--- a/packages/system/0.10.3/data_stream/cpu/fields/ecs.yml
+++ /dev/null
@@ -1,71 +0,0 @@
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: ip
- level: core
- type: ip
- description: Host ip address.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac address.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.full
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system name, including the version or code name.
- example: Mac OS Mojave
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: Type of host.
diff --git a/packages/system/0.10.3/data_stream/cpu/fields/fields.yml b/packages/system/0.10.3/data_stream/cpu/fields/fields.yml
deleted file mode 100644
index 9efed64c2d..0000000000
--- a/packages/system/0.10.3/data_stream/cpu/fields/fields.yml
+++ /dev/null
@@ -1,182 +0,0 @@
-- name: system.cpu
- type: group
- fields:
- - name: cores
- type: long
- metric_type: gauge
- description: |
- The number of CPU cores present on the host. The non-normalized percentages will have a maximum value of `100% * cores`. The normalized percentages already take this value into account and have a maximum value of 100%.
- - name: user.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in user space. On multi-core systems, you can have percentages that are greater than 100%. For example, if 3 cores are at 60% use, then the `system.cpu.user.pct` will be 180%.
- - name: system.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in kernel space.
- - name: nice.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent on low-priority processes.
- - name: idle.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent idle.
- - name: iowait.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in wait (on disk).
- - name: irq.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent servicing and handling hardware interrupts.
- - name: softirq.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent servicing and handling software interrupts.
- - name: steal.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.
- - name: total.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in states other than Idle and IOWait.
- - name: user.norm.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in user space.
- - name: system.norm.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in kernel space.
- - name: nice.norm.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent on low-priority processes.
- - name: idle.norm.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent idle.
- - name: iowait.norm.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in wait (on disk).
- - name: irq.norm.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent servicing and handling hardware interrupts.
- - name: softirq.norm.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent servicing and handling software interrupts.
- - name: steal.norm.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.
- - name: total.norm.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time in states other than Idle and IOWait, normalised by the number of cores.
- - name: user.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent in user space.
- - name: system.ticks
- type: long
- description: |
- The amount of CPU time spent in kernel space.
- - name: nice.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent on low-priority processes.
- - name: idle.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent idle.
- - name: iowait.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent in wait (on disk).
- - name: irq.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent servicing and handling hardware interrupts.
- - name: softirq.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent servicing and handling software interrupts.
- - name: steal.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.
-- name: host
- type: group
- fields:
- - name: cpu.pct
- type: scaled_float
- unit: percent
- metric_type: gauge
- description: |
- Percent CPU used. This value is normalized by the number of CPU cores and it ranges from 0 to 1.
diff --git a/packages/system/0.10.3/data_stream/cpu/manifest.yml b/packages/system/0.10.3/data_stream/cpu/manifest.yml
deleted file mode 100644
index 0388136d11..0000000000
--- a/packages/system/0.10.3/data_stream/cpu/manifest.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-title: System cpu metrics
-release: experimental
-type: metrics
-streams:
- - input: system/metrics
- vars:
- - name: period
- type: text
- title: Period
- multi: false
- required: true
- show_user: true
- default: 10s
- - name: cpu.metrics
- type: text
- title: Cpu Metrics
- multi: true
- required: true
- show_user: true
- description: >
- How to report CPU metrics. Can be "percentages", "normalized_percentages", or "ticks"
-
- default:
- - percentages
- - normalized_percentages
- title: System cpu metrics
- description: Collect System cpu metrics
diff --git a/packages/system/0.10.3/data_stream/diskio/agent/stream/stream.yml.hbs b/packages/system/0.10.3/data_stream/diskio/agent/stream/stream.yml.hbs
deleted file mode 100644
index 689369ee25..0000000000
--- a/packages/system/0.10.3/data_stream/diskio/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,6 +0,0 @@
-metricsets: ["diskio"]
-diskio.include_devices:
-{{#each diskio.include_devices}}
- - {{this}}
-{{/each}}
-period: {{period}}
\ No newline at end of file
diff --git a/packages/system/0.10.3/data_stream/diskio/fields/agent.yml b/packages/system/0.10.3/data_stream/diskio/fields/agent.yml
deleted file mode 100644
index da4e652c53..0000000000
--- a/packages/system/0.10.3/data_stream/diskio/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/system/0.10.3/data_stream/diskio/fields/base-fields.yml b/packages/system/0.10.3/data_stream/diskio/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.10.3/data_stream/diskio/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.10.3/data_stream/diskio/fields/ecs.yml b/packages/system/0.10.3/data_stream/diskio/fields/ecs.yml
deleted file mode 100644
index 9a7eeefc56..0000000000
--- a/packages/system/0.10.3/data_stream/diskio/fields/ecs.yml
+++ /dev/null
@@ -1,78 +0,0 @@
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: ip
- level: core
- type: ip
- description: Host ip address.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac address.
- - name: hostname
- level: core
- type: keyword
- description: |-
- Hostname of the host.
- It normally contains what the `hostname` command returns on the host machine.
- ignore_above: 1024
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.full
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system name, including the version or code name.
- example: Mac OS Mojave
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: Type of host.
diff --git a/packages/system/0.10.3/data_stream/diskio/fields/fields.yml b/packages/system/0.10.3/data_stream/diskio/fields/fields.yml
deleted file mode 100644
index 01a5762c60..0000000000
--- a/packages/system/0.10.3/data_stream/diskio/fields/fields.yml
+++ /dev/null
@@ -1,136 +0,0 @@ -- name: system.diskio - type: group - fields: - - name: name - type: keyword - description: | - The disk name. - - name: serial_number - type: keyword - description: | - The disk's serial number. This may not be provided by all operating systems. - - name: read.count - type: long - metric_type: counter - description: | - The total number of reads completed successfully. - - name: write.count - type: long - metric_type: counter - description: | - The total number of writes completed successfully. - - name: read.bytes - type: long - format: bytes - unit: byte - metric_type: counter - description: | - The total number of bytes read successfully. On Linux this is the number of sectors read multiplied by an assumed sector size of 512. - - name: write.bytes - type: long - format: bytes - unit: byte - metric_type: counter - description: | - The total number of bytes written successfully. On Linux this is the number of sectors written multiplied by an assumed sector size of 512. - - name: read.time - type: long - metric_type: counter - description: | - The total number of milliseconds spent by all reads. - - name: write.time - type: long - metric_type: counter - description: | - The total number of milliseconds spent by all writes. - - name: io.time - type: long - metric_type: counter - description: | - The total number of of milliseconds spent doing I/Os. - - name: iostat.read.request.merges_per_sec - type: float - metric_type: gauge - description: | - The number of read requests merged per second that were queued to the device. - - name: iostat.write.request.merges_per_sec - type: float - metric_type: gauge - description: | - The number of write requests merged per second that were queued to the device. 
- - name: iostat.read.request.per_sec - type: float - metric_type: gauge - description: | - The number of read requests that were issued to the device per second - - name: iostat.write.request.per_sec - type: float - metric_type: gauge - description: | - The number of write requests that were issued to the device per second - - name: iostat.read.per_sec.bytes - type: float - format: bytes - metric_type: gauge - description: | - The number of Bytes read from the device per second. - - name: iostat.read.await - type: float - metric_type: gauge - description: | - The average time spent for read requests issued to the device to be served. - - name: iostat.write.per_sec.bytes - type: float - format: bytes - metric_type: gauge - description: | - The number of Bytes write from the device per second. - - name: iostat.write.await - type: float - metric_type: gauge - description: | - The average time spent for write requests issued to the device to be served. - - name: iostat.request.avg_size - type: float - format: bytes - unit: byte - metric_type: gauge - description: | - The average size (in bytes) of the requests that were issued to the device. - - name: iostat.queue.avg_size - type: float - unit: byte - metric_type: gauge - description: | - The average queue length of the requests that were issued to the device. - - name: iostat.await - type: float - metric_type: gauge - description: | - The average time spent for requests issued to the device to be served. - - name: iostat.service_time - type: float - unit: ms - metric_type: gauge - description: | - The average service time (in milliseconds) for I/O requests that were issued to the device. - - name: iostat.busy - type: float - metric_type: gauge - description: | - Percentage of CPU time during which I/O requests were issued to the device (bandwidth utilization for the device). Device saturation occurs when this value is close to 100%. 
-- name: host - type: group - fields: - - name: disk.read.bytes - type: scaled_float - unit: byte - metric_type: gauge - description: | - The total number of bytes read successfully in a given period of time. - - name: disk.write.bytes - type: scaled_float - unit: byte - metric_type: gauge - description: | - The total number of bytes write successfully in a given period of time. diff --git a/packages/system/0.10.3/data_stream/diskio/manifest.yml b/packages/system/0.10.3/data_stream/diskio/manifest.yml deleted file mode 100644 index 320f708bef..0000000000 --- a/packages/system/0.10.3/data_stream/diskio/manifest.yml +++ /dev/null @@ -1,24 +0,0 @@ -title: System diskio metrics -release: experimental -type: metrics -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - - name: diskio.include_devices - type: text - title: Include Devices - multi: true - required: false - show_user: true - description: > - Provide a specific list of devices to monitor. By default, all devices are monitored. - - title: System diskio metrics - description: Collect System diskio metrics diff --git a/packages/system/0.10.3/data_stream/filesystem/agent/stream/stream.yml.hbs b/packages/system/0.10.3/data_stream/filesystem/agent/stream/stream.yml.hbs deleted file mode 100644 index d21fbd9919..0000000000 --- a/packages/system/0.10.3/data_stream/filesystem/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,3 +0,0 @@ -metricsets: ["filesystem"] -period: {{period}} -processors: {{processors}} diff --git a/packages/system/0.10.3/data_stream/filesystem/fields/agent.yml b/packages/system/0.10.3/data_stream/filesystem/fields/agent.yml deleted file mode 100644 index da4e652c53..0000000000 --- a/packages/system/0.10.3/data_stream/filesystem/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.10.3/data_stream/filesystem/fields/base-fields.yml b/packages/system/0.10.3/data_stream/filesystem/fields/base-fields.yml deleted file mode 100644 index 7c798f4534..0000000000 --- a/packages/system/0.10.3/data_stream/filesystem/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.10.3/data_stream/filesystem/fields/fields.yml b/packages/system/0.10.3/data_stream/filesystem/fields/fields.yml deleted file mode 100644 index d7b44199a8..0000000000 --- a/packages/system/0.10.3/data_stream/filesystem/fields/fields.yml +++ /dev/null 
@@ -1,60 +0,0 @@ -- name: system.filesystem - type: group - fields: - - name: available - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The disk space available to an unprivileged user in bytes. - - name: device_name - type: keyword - description: | - The disk name. For example: `/dev/disk1` - - name: type - type: keyword - description: | - The disk type. For example: `ext4` - - name: mount_point - type: keyword - description: | - The mounting point. For example: `/` - - name: files - type: long - metric_type: gauge - description: | - The total number of file nodes in the file system. - - name: free - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The disk space available in bytes. - - name: free_files - type: long - metric_type: gauge - description: | - The number of free file nodes in the file system. - - name: total - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The total disk space in bytes. - - name: used.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The used disk space in bytes. - - name: used.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of used disk space. diff --git a/packages/system/0.10.3/data_stream/filesystem/manifest.yml b/packages/system/0.10.3/data_stream/filesystem/manifest.yml deleted file mode 100644 index 2cc3f159a7..0000000000 --- a/packages/system/0.10.3/data_stream/filesystem/manifest.yml +++ /dev/null 
@@ -1,28 +0,0 @@ -title: System filesystem metrics -release: experimental -type: metrics -streams: - - input: system/metrics - enabled: true - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 1m - - name: processors - type: yaml - title: Processors - multi: false - required: true - show_user: true - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with external metadata. - - default: | - - drop_event.when.regexp: - system.filesystem.mount_point: ^/(sys|cgroup|proc|dev|etc|host|lib|snap)($|/) - title: System filesystem metrics - description: Collect System filesystem metrics diff --git a/packages/system/0.10.3/data_stream/fsstat/agent/stream/stream.yml.hbs b/packages/system/0.10.3/data_stream/fsstat/agent/stream/stream.yml.hbs deleted file mode 100644 index fc5ebe911d..0000000000 --- a/packages/system/0.10.3/data_stream/fsstat/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,3 +0,0 @@ -metricsets: ["fsstat"] -period: {{period}} -processors: {{processors}} diff --git a/packages/system/0.10.3/data_stream/fsstat/fields/agent.yml b/packages/system/0.10.3/data_stream/fsstat/fields/agent.yml deleted file mode 100644 index da4e652c53..0000000000 --- a/packages/system/0.10.3/data_stream/fsstat/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.10.3/data_stream/fsstat/fields/base-fields.yml b/packages/system/0.10.3/data_stream/fsstat/fields/base-fields.yml deleted file mode 100644 index 7c798f4534..0000000000 --- a/packages/system/0.10.3/data_stream/fsstat/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.10.3/data_stream/fsstat/fields/ecs.yml b/packages/system/0.10.3/data_stream/fsstat/fields/ecs.yml deleted file mode 100644 index e76a78fa1d..0000000000 --- a/packages/system/0.10.3/data_stream/fsstat/fields/ecs.yml +++ /dev/null 
@@ -1,71 +0,0 @@ -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. 
- example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: Type of host. diff --git a/packages/system/0.10.3/data_stream/fsstat/fields/fields.yml b/packages/system/0.10.3/data_stream/fsstat/fields/fields.yml deleted file mode 100644 index aab998a85d..0000000000 --- a/packages/system/0.10.3/data_stream/fsstat/fields/fields.yml +++ /dev/null @@ -1,38 +0,0 @@ -- name: system.fsstat - type: group - fields: - - name: count - type: long - metric_type: gauge - description: Number of file systems found. - - name: total_files - type: long - metric_type: gauge - description: Total number of files. - - name: total_size - type: group - format: bytes - unit: byte - metric_type: gauge - fields: - - name: free - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total free space. - - name: used - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total used space. - - name: total - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total space (used plus free). diff --git a/packages/system/0.10.3/data_stream/fsstat/manifest.yml b/packages/system/0.10.3/data_stream/fsstat/manifest.yml deleted file mode 100644 index 8e63d20df1..0000000000 --- a/packages/system/0.10.3/data_stream/fsstat/manifest.yml +++ /dev/null 
@@ -1,28 +0,0 @@ -title: System fsstat metrics -release: experimental -type: metrics -streams: - - input: system/metrics - enabled: true - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 1m - - name: processors - type: yaml - title: Processors - multi: false - required: true - show_user: true - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with external metadata. - - default: | - - drop_event.when.regexp: - system.fsstat.mount_point: ^/(sys|cgroup|proc|dev|etc|host|lib|snap)($|/) - title: System fsstat metrics - description: Collect System fsstat metrics diff --git a/packages/system/0.10.3/data_stream/load/agent/stream/stream.yml.hbs b/packages/system/0.10.3/data_stream/load/agent/stream/stream.yml.hbs deleted file mode 100644 index 42790173e3..0000000000 --- a/packages/system/0.10.3/data_stream/load/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,3 +0,0 @@ -metricsets: ["load"] -condition: ${host.platform} == 'linux' -period: {{period}} \ No newline at end of file diff --git a/packages/system/0.10.3/data_stream/load/fields/agent.yml b/packages/system/0.10.3/data_stream/load/fields/agent.yml deleted file mode 100644 index da4e652c53..0000000000 --- a/packages/system/0.10.3/data_stream/load/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.10.3/data_stream/load/fields/base-fields.yml b/packages/system/0.10.3/data_stream/load/fields/base-fields.yml deleted file mode 100644 index 7c798f4534..0000000000 --- a/packages/system/0.10.3/data_stream/load/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.10.3/data_stream/load/fields/ecs.yml b/packages/system/0.10.3/data_stream/load/fields/ecs.yml deleted file mode 100644 index e76a78fa1d..0000000000 --- a/packages/system/0.10.3/data_stream/load/fields/ecs.yml +++ /dev/null 
@@ -1,71 +0,0 @@ -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. 
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: Type of host.
diff --git a/packages/system/0.10.3/data_stream/load/fields/fields.yml b/packages/system/0.10.3/data_stream/load/fields/fields.yml
deleted file mode 100644
index ae0130faef..0000000000
--- a/packages/system/0.10.3/data_stream/load/fields/fields.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-- name: system.load
- type: group
- fields:
- - name: "1"
- type: scaled_float
- metric_type: gauge
- description: |
- Load average for the last minute.
- - name: "5"
- type: scaled_float
- metric_type: gauge
- description: |
- Load average for the last 5 minutes.
- - name: "15"
- type: scaled_float
- metric_type: gauge
- description: |
- Load average for the last 15 minutes.
- - name: norm.1
- type: scaled_float
- metric_type: gauge
- description: |
- Load for the last minute divided by the number of cores.
- - name: norm.5
- type: scaled_float
- metric_type: gauge
- description: |
- Load for the last 5 minutes divided by the number of cores.
- - name: norm.15
- type: scaled_float
- metric_type: gauge
- description: |
- Load for the last 15 minutes divided by the number of cores.
- - name: cores
- type: long
- metric_type: gauge
- description: |
- The number of CPU cores present on the host.
diff --git a/packages/system/0.10.3/data_stream/load/manifest.yml b/packages/system/0.10.3/data_stream/load/manifest.yml
deleted file mode 100644
index 486e57b779..0000000000
--- a/packages/system/0.10.3/data_stream/load/manifest.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-title: System load metrics
-release: experimental
-type: metrics
-streams:
- - input: system/metrics
- vars:
- - name: period
- type: text
- title: Period
- multi: false
- required: true
- show_user: true
- default: 10s
- title: System load metrics
- description: Collect System load metrics
diff --git a/packages/system/0.10.3/data_stream/memory/agent/stream/stream.yml.hbs b/packages/system/0.10.3/data_stream/memory/agent/stream/stream.yml.hbs
deleted file mode 100644
index 0d49de061f..0000000000
--- a/packages/system/0.10.3/data_stream/memory/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,2 +0,0 @@
-metricsets: ["memory"]
-period: {{period}}
\ No newline at end of file
diff --git a/packages/system/0.10.3/data_stream/memory/fields/agent.yml b/packages/system/0.10.3/data_stream/memory/fields/agent.yml
deleted file mode 100644
index da4e652c53..0000000000
--- a/packages/system/0.10.3/data_stream/memory/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.10.3/data_stream/memory/fields/base-fields.yml b/packages/system/0.10.3/data_stream/memory/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.10.3/data_stream/memory/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.10.3/data_stream/memory/fields/ecs.yml b/packages/system/0.10.3/data_stream/memory/fields/ecs.yml
deleted file mode 100644
index e76a78fa1d..0000000000
--- a/packages/system/0.10.3/data_stream/memory/fields/ecs.yml
+++ /dev/null
@@ -1,71 +0,0 @@ -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. 
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: Type of host.
diff --git a/packages/system/0.10.3/data_stream/memory/fields/fields.yml b/packages/system/0.10.3/data_stream/memory/fields/fields.yml
deleted file mode 100644
index 55488d61eb..0000000000
--- a/packages/system/0.10.3/data_stream/memory/fields/fields.yml
+++ /dev/null
@@ -1,199 +0,0 @@ -- name: system.memory - type: group - fields: - - name: total - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total memory. - - name: used.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Used memory. - - name: free - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The total amount of free memory in bytes. This value does not include memory consumed by system caches and buffers (see system.memory.actual.free). - - name: used.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of used memory. - - name: actual - type: group - fields: - - name: used.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Actual used memory in bytes. It represents the difference between the total and the available memory. The available memory depends on the OS. For more details, please check `system.actual.free`. - - name: free - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Actual free memory in bytes. It is calculated based on the OS. On Linux this value will be MemAvailable from /proc/meminfo, or calculated from free memory plus caches and buffers if /proc/meminfo is not available. On OSX it is a sum of free memory and the inactive memory. On Windows, it is equal to `system.memory.free`. - - name: used.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of actual used memory. - - name: swap - type: group - fields: - - name: total - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total swap memory. - - name: used.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Used swap memory. - - name: free - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Available swap memory. 
- - name: out.pages - type: long - metric_type: counter - description: count of pages swapped out - - name: in.pages - type: long - metric_type: gauge - description: count of pages swapped in - - name: readahead.pages - type: long - metric_type: counter - description: swap readahead pages - - name: readahead.cached - type: long - description: swap readahead cache hits - - name: used.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of used swap memory. - - name: page_stats - type: group - fields: - - name: pgscan_kswapd.pages - type: long - format: number - metric_type: counter - description: pages scanned by kswapd - - name: pgscan_direct.pages - type: long - format: number - metric_type: counter - description: pages scanned directly - - name: pgfree.pages - type: long - format: number - metric_type: counter - description: pages freed by the system - - name: pgsteal_kswapd.pages - type: long - format: number - metric_type: counter - description: number of pages reclaimed by kswapd - - name: pgsteal_direct.pages - type: long - format: number - metric_type: counter - description: number of pages reclaimed directly - - name: direct_efficiency.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: direct reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory. - - name: kswapd_efficiency.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: kswapd reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory. - - name: hugepages - type: group - fields: - - name: total - type: long - format: number - metric_type: gauge - description: | - Number of huge pages in the pool. - - name: used.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Memory used in allocated huge pages. 
- - name: used.pct
- type: long
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- Percentage of huge pages used.
- - name: free
- type: long
- format: number
- metric_type: gauge
- description: |
- Number of available huge pages in the pool.
- - name: reserved
- type: long
- format: number
- metric_type: gauge
- description: |
- Number of reserved but not allocated huge pages in the pool.
- - name: surplus
- type: long
- format: number
- metric_type: gauge
- description: |
- Number of overcommited huge pages.
- - name: default_size
- type: long
- format: bytes
- metric_type: gauge
- description: |
- Default size for huge pages.
- - name: swap.out
- type: group
- fields:
- - name: pages
- type: long
- metric_type: gauge
- description: pages swapped out
- - name: fallback
- type: long
- metric_type: gauge
- description: Count of huge pages that must be split before swapout
diff --git a/packages/system/0.10.3/data_stream/memory/manifest.yml b/packages/system/0.10.3/data_stream/memory/manifest.yml
deleted file mode 100644
index aeb17b0bd0..0000000000
--- a/packages/system/0.10.3/data_stream/memory/manifest.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-title: System memory metrics
-release: experimental
-type: metrics
-streams:
- - input: system/metrics
- vars:
- - name: period
- type: text
- title: Period
- multi: false
- required: true
- show_user: true
- default: 10s
- title: System memory metrics
- description: Collect System memory metrics
diff --git a/packages/system/0.10.3/data_stream/network/agent/stream/stream.yml.hbs b/packages/system/0.10.3/data_stream/network/agent/stream/stream.yml.hbs
deleted file mode 100644
index a3aeb928ae..0000000000
--- a/packages/system/0.10.3/data_stream/network/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,6 +0,0 @@
-metricsets: ["network"]
-period: {{period}}
-network.interfaces:
-{{#each network.interfaces}}
- - {{this}}
-{{/each}}
diff --git a/packages/system/0.10.3/data_stream/network/fields/agent.yml b/packages/system/0.10.3/data_stream/network/fields/agent.yml
deleted file mode 100644
index da4e652c53..0000000000
--- a/packages/system/0.10.3/data_stream/network/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.10.3/data_stream/network/fields/base-fields.yml b/packages/system/0.10.3/data_stream/network/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.10.3/data_stream/network/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.10.3/data_stream/network/fields/ecs.yml b/packages/system/0.10.3/data_stream/network/fields/ecs.yml
deleted file mode 100644
index 9f3d04118b..0000000000
--- a/packages/system/0.10.3/data_stream/network/fields/ecs.yml
+++ /dev/null
@@ -1,128 +0,0 @@ -- name: '@timestamp' - level: core - required: true - type: date - description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. -- name: message - level: core - type: text - description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. -- name: group - title: Group - group: 2 - type: group - fields: - - name: id - level: extended - type: keyword - description: Unique identifier for the group on the system/platform. - ignore_above: 1024 - - name: name - level: extended - type: keyword - description: Name of the group. - ignore_above: 1024 -- name: host - title: Host - group: 2 - type: group - fields: - - name: hostname - level: core - type: keyword - description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - ignore_above: 1024 -- name: process - title: Process - group: 2 - type: group - fields: - - name: name - level: extended - type: keyword - description: |- - Process name. - Sometimes called program name or similar. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - - name: pid - level: core - type: long - format: string - description: Process id. -- name: source - title: Source - group: 2 - type: group - fields: - - name: geo.city_name - level: core - type: keyword - description: City name. 
- ignore_above: 1024
- - name: geo.continent_name
- level: core
- type: keyword
- description: Name of the continent.
- ignore_above: 1024
- - name: geo.country_iso_code
- level: core
- type: keyword
- description: Country ISO code.
- ignore_above: 1024
- - name: geo.location
- level: core
- type: geo_point
- description: Longitude and latitude.
- - name: geo.region_iso_code
- level: core
- type: keyword
- description: Region ISO code.
- ignore_above: 1024
- - name: geo.region_name
- level: core
- type: keyword
- description: Region name.
- ignore_above: 1024
- - name: ip
- level: core
- type: ip
- description: IP address of the source (IPv4 or IPv6).
- - name: port
- level: core
- type: long
- format: string
- description: Port of the source.
-- name: user
- title: User
- group: 2
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- description: Unique identifier of the user.
- ignore_above: 1024
- - name: name
- level: core
- type: keyword
- description: Short name or login of the user.
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
diff --git a/packages/system/0.10.3/data_stream/network/fields/fields.yml b/packages/system/0.10.3/data_stream/network/fields/fields.yml
deleted file mode 100644
index a309d88ba0..0000000000
--- a/packages/system/0.10.3/data_stream/network/fields/fields.yml
+++ /dev/null
@@ -1,77 +0,0 @@ -- name: system.network - type: group - fields: - - name: name - type: keyword - description: | - The network interface name. - - name: out.bytes - type: long - format: bytes - unit: byte - metric_type: counter - description: | - The number of bytes sent. - - name: in.bytes - type: long - format: bytes - unit: byte - metric_type: counter - description: | - The number of bytes received. - - name: out.packets - type: long - metric_type: counter - description: | - The number of packets sent. - - name: in.packets - type: long - metric_type: counter - description: | - The number or packets received. - - name: in.errors - type: long - metric_type: counter - description: | - The number of errors while receiving. - - name: out.errors - type: long - metric_type: counter - description: | - The number of errors while sending. - - name: in.dropped - type: long - metric_type: counter - description: | - The number of incoming packets that were dropped. - - name: out.dropped - type: long - metric_type: counter - description: | - The number of outgoing packets that were dropped. This value is always 0 on Darwin and BSD because it is not reported by the operating system. -- name: host - type: group - fields: - - name: network.in.bytes - type: scaled_float - format: bytes - unit: byte - metric_type: counter - description: | - The number of bytes received on all network interfaces by the host in a given period of time. - - name: network.out.bytes - type: scaled_float - unit: byte - metric_type: counter - description: | - The number of bytes sent out on all network interfaces by the host in a given period of time. - - name: network.in.packets - type: scaled_float - metric_type: counter - description: | - The number of packets received on all network interfaces by the host in a given period of time. 
- - name: network.out.packets
- type: scaled_float
- metric_type: counter
- description: |
- The number of packets sent out on all network interfaces by the host in a given period of time.
diff --git a/packages/system/0.10.3/data_stream/network/manifest.yml b/packages/system/0.10.3/data_stream/network/manifest.yml
deleted file mode 100644
index b9878b3e64..0000000000
--- a/packages/system/0.10.3/data_stream/network/manifest.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-title: System network metrics
-release: experimental
-type: metrics
-streams:
- - input: system/metrics
- vars:
- - name: period
- type: text
- title: Period
- multi: false
- required: true
- show_user: true
- default: 10s
- - name: network.interfaces
- type: text
- title: Interfaces
- multi: true
- required: false
- show_user: true
- description: >
- List of interfaces to monitor. Will monitor all by default.
-
- title: System network metrics
- description: Collect System network metrics
diff --git a/packages/system/0.10.3/data_stream/process/agent/stream/stream.yml.hbs b/packages/system/0.10.3/data_stream/process/agent/stream/stream.yml.hbs
deleted file mode 100644
index c28d9dd78a..0000000000
--- a/packages/system/0.10.3/data_stream/process/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,16 +0,0 @@
-metricsets: ["process"]
-period: {{period}}
-process.include_top_n.by_cpu: {{process.include_top_n.by_cpu}}
-process.include_top_n.by_memory: {{process.include_top_n.by_memory}}
-process.cmdline.cache.enabled: {{process.cmdline.cache.enabled}}
-process.cgroups.enabled: {{process.cgroups.enabled}}
-process.include_cpu_ticks: {{process.include_cpu_ticks}}
-{{#if process.env.whitelist}}
-{{#each process.env.whitelist}}
- - {{this}}
-{{/each}}
-{{/if}}
-processes:
-{{#each processes}}
- - {{this}}
-{{/each}}
\ No newline at end of file
diff --git a/packages/system/0.10.3/data_stream/process/fields/agent.yml b/packages/system/0.10.3/data_stream/process/fields/agent.yml
deleted file mode 100644
index da4e652c53..0000000000
--- a/packages/system/0.10.3/data_stream/process/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.10.3/data_stream/process/fields/base-fields.yml b/packages/system/0.10.3/data_stream/process/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.10.3/data_stream/process/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.10.3/data_stream/process/fields/ecs.yml b/packages/system/0.10.3/data_stream/process/fields/ecs.yml
deleted file mode 100644
index 7e409c1793..0000000000
--- a/packages/system/0.10.3/data_stream/process/fields/ecs.yml
+++ /dev/null
@@ -1,128 +0,0 @@ -- name: process - title: Process - group: 2 - type: group - fields: - - name: name - level: extended - type: keyword - description: |- - Process name. - Sometimes called program name or similar. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - - name: pgid - level: extended - type: long - format: string - description: Identifier of the group of processes the process belongs to. - - name: pid - level: core - type: long - format: string - description: Process id. - - name: ppid - level: extended - type: long - format: string - description: Parent process' pid. - - name: working_directory - level: extended - type: keyword - description: The working directory of the process. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false -- name: user - title: User - group: 2 - type: group - fields: - - name: name - level: core - type: keyword - description: Short name or login of the user. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. 
- - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: Type of host. diff --git a/packages/system/0.10.3/data_stream/process/fields/fields.yml b/packages/system/0.10.3/data_stream/process/fields/fields.yml deleted file mode 100644 index 4dc7b1aab2..0000000000 --- a/packages/system/0.10.3/data_stream/process/fields/fields.yml +++ /dev/null 
@@ -1,434 +0,0 @@ -- name: system.process - type: group - fields: - - name: state - type: keyword - description: | - The process state. For example: "running". - - name: cmdline - type: keyword - description: | - The full command-line used to start the process, including the arguments separated by space. - ignore_above: 2048 - - name: env - type: object - description: | - The environment variables used to start the process. The data is available on FreeBSD, Linux, and OS X. - - name: cpu - type: group - fields: - - name: user.ticks - type: long - metric_type: counter - description: | - The amount of CPU time the process spent in user space. - - name: total.value - type: long - metric_type: counter - description: | - The value of CPU usage since starting the process. - - name: total.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent by the process since the last update. Its value is similar to the %CPU value of the process displayed by the top command on Unix systems. - - name: total.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 100%. - - name: system.ticks - type: long - metric_type: counter - description: | - The amount of CPU time the process spent in kernel space. - - name: total.ticks - type: long - metric_type: counter - description: | - The total CPU time spent by the process. - - name: start_time - type: date - description: | - The time when the process was started. - - name: memory - type: group - fields: - - name: size - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The total virtual memory the process has. 
On Windows this represents the Commit Charge (the total amount of memory that the memory manager has committed for a running process) value in bytes for this process. - - name: rss.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The Resident Set Size. The amount of memory the process occupied in main memory (RAM). On Windows this represents the current working set size, in bytes. - - name: rss.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of memory the process occupied in main memory (RAM). - - name: share - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The shared memory the process uses. - - name: fd - type: group - fields: - - name: open - type: long - metric_type: gauge - description: The number of file descriptors open by the process. - - name: limit.soft - type: long - metric_type: gauge - description: | - The soft limit on the number of file descriptors opened by the process. The soft limit can be changed by the process at any time. - - name: limit.hard - type: long - metric_type: gauge - description: | - The hard limit on the number of file descriptors opened by the process. The hard limit can only be raised by root. - - name: cgroup - type: group - fields: - - name: id - type: keyword - description: | - The ID common to all cgroups associated with this task. If there isn't a common ID used by all cgroups this field will be absent. - - name: path - type: keyword - description: | - The path to the cgroup relative to the cgroup subsystem's mountpoint. If there isn't a common path used by all cgroups this field will be absent. - - name: cpu - type: group - fields: - - name: id - type: keyword - description: ID of the cgroup. - - name: path - type: keyword - description: | - Path to the cgroup relative to the cgroup subsystem's mountpoint. 
- - name: cfs.period.us - type: long - unit: micros - description: | - Period of time in microseconds for how regularly a cgroup's access to CPU resources should be reallocated. - - name: cfs.quota.us - type: long - unit: micros - description: | - Total amount of time in microseconds for which all tasks in a cgroup can run during one period (as defined by cfs.period.us). - - name: cfs.shares - type: long - description: | - An integer value that specifies a relative share of CPU time available to the tasks in a cgroup. The value specified in the cpu.shares file must be 2 or higher. - - name: rt.period.us - type: long - unit: micros - description: | - Period of time in microseconds for how regularly a cgroup's access to CPU resources is reallocated. - - name: rt.runtime.us - type: long - unit: micros - description: | - Period of time in microseconds for the longest continuous period in which the tasks in a cgroup have access to CPU resources. - - name: stats.periods - type: long - metric_type: counter - description: | - Number of period intervals (as specified in cpu.cfs.period.us) that have elapsed. - - name: stats.throttled.periods - type: long - metric_type: counter - description: | - Number of times tasks in a cgroup have been throttled (that is, not allowed to run because they have exhausted all of the available time as specified by their quota). - - name: stats.throttled.ns - type: long - metric_type: counter - unit: nanos - description: | - The total time duration (in nanoseconds) for which tasks in a cgroup have been throttled. - - name: cpuacct - type: group - fields: - - name: id - type: keyword - description: ID of the cgroup. - - name: path - type: keyword - description: | - Path to the cgroup relative to the cgroup subsystem's mountpoint. - - name: total.ns - type: long - metric_type: counter - unit: nanos - description: | - Total CPU time in nanoseconds consumed by all tasks in the cgroup. 
- - name: stats.user.ns - type: long - metric_type: counter - unit: nanos - description: CPU time consumed by tasks in user mode. - - name: stats.system.ns - type: long - metric_type: counter - unit: nanos - description: CPU time consumed by tasks in user (kernel) mode. - - name: percpu - type: object - description: | - CPU time (in nanoseconds) consumed on each CPU by all tasks in this cgroup. - - name: memory - type: group - fields: - - name: id - type: keyword - description: ID of the cgroup. - - name: path - type: keyword - description: | - Path to the cgroup relative to the cgroup subsystem's mountpoint. - - name: mem.usage.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total memory usage by processes in the cgroup (in bytes). - - name: mem.usage.max.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum memory used by processes in the cgroup (in bytes). - - name: mem.limit.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum amount of user memory in bytes (including file cache) that tasks in the cgroup are allowed to use. - - name: mem.failures - type: long - description: | - The number of times that the memory limit (mem.limit.bytes) was reached. - - name: memsw.usage.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The sum of current memory usage plus swap space used by processes in the cgroup (in bytes). - - name: memsw.usage.max.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum amount of memory and swap space used by processes in the cgroup (in bytes). - - name: memsw.limit.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum amount for the sum of memory and swap usage that tasks in the cgroup are allowed to use. 
- - name: memsw.failures - type: long - unit: byte - metric_type: gauge - description: | - The number of times that the memory plus swap space limit (memsw.limit.bytes) was reached. - - name: kmem.usage.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total kernel memory usage by processes in the cgroup (in bytes). - - name: kmem.usage.max.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum kernel memory used by processes in the cgroup (in bytes). - - name: kmem.limit.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum amount of kernel memory that tasks in the cgroup are allowed to use. - - name: kmem.failures - type: long - metric_type: counter - description: | - The number of times that the memory limit (kmem.limit.bytes) was reached. - - name: kmem_tcp.usage.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total memory usage for TCP buffers in bytes. - - name: kmem_tcp.usage.max.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum memory used for TCP buffers by processes in the cgroup (in bytes). - - name: kmem_tcp.limit.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum amount of memory for TCP buffers that tasks in the cgroup are allowed to use. - - name: kmem_tcp.failures - type: long - metric_type: counter - description: | - The number of times that the memory limit (kmem_tcp.limit.bytes) was reached. - - name: stats.active_anon.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Anonymous and swap cache on active least-recently-used (LRU) list, including tmpfs (shmem), in bytes. - - name: stats.active_file.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: File-backed memory on active LRU list, in bytes. 
- - name: stats.cache.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: Page cache, including tmpfs (shmem), in bytes. - - name: stats.hierarchical_memory_limit.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Memory limit for the hierarchy that contains the memory cgroup, in bytes. - - name: stats.hierarchical_memsw_limit.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Memory plus swap limit for the hierarchy that contains the memory cgroup, in bytes. - - name: stats.inactive_anon.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Anonymous and swap cache on inactive LRU list, including tmpfs (shmem), in bytes - - name: stats.inactive_file.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - File-backed memory on inactive LRU list, in bytes. - - name: stats.mapped_file.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Size of memory-mapped mapped files, including tmpfs (shmem), in bytes. - - name: stats.page_faults - type: long - metric_type: counter - description: | - Number of times that a process in the cgroup triggered a page fault. - - name: stats.major_page_faults - type: long - metric_type: counter - description: | - Number of times that a process in the cgroup triggered a major fault. "Major" faults happen when the kernel actually has to read the data from disk. - - name: stats.pages_in - type: long - metric_type: counter - description: | - Number of pages paged into memory. This is a counter. - - name: stats.pages_out - type: long - metric_type: counter - description: | - Number of pages paged out of memory. This is a counter. - - name: stats.rss.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Anonymous and swap cache (includes transparent hugepages), not including tmpfs (shmem), in bytes. 
- - name: stats.rss_huge.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Number of bytes of anonymous transparent hugepages. - - name: stats.swap.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Swap usage, in bytes. - - name: stats.unevictable.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Memory that cannot be reclaimed, in bytes. - - name: blkio - type: group - fields: - - name: id - type: keyword - description: ID of the cgroup. - - name: path - type: keyword - description: | - Path to the cgroup relative to the cgroup subsystems mountpoint. - - name: total.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total number of bytes transferred to and from all block devices by processes in the cgroup. - - name: total.ios - type: long - metric_type: counter - description: | - Total number of I/O operations performed on all devices by processes in the cgroup as seen by the throttling policy. diff --git a/packages/system/0.10.3/data_stream/process/manifest.yml b/packages/system/0.10.3/data_stream/process/manifest.yml deleted file mode 100644 index fd982eb931..0000000000 --- a/packages/system/0.10.3/data_stream/process/manifest.yml +++ /dev/null 
@@ -1,85 +0,0 @@ -title: System process metrics -release: experimental -type: metrics -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - - name: process.include_top_n.by_cpu - type: integer - title: Process Include Top N By Cpu - multi: false - required: true - show_user: true - default: 5 - description: > - Include the top N processes by CPU usage. - - - name: process.include_top_n.by_memory - type: integer - title: Process Include Top N By Memory - multi: false - required: true - show_user: true - default: 5 - description: > - Include the top N processes by memory usage. - - - name: process.cmdline.cache.enabled - type: bool - title: Enable cmdline cache - multi: false - required: false - show_user: true - default: true - description: > - If false, cmdline of a process is not cached. - - - name: process.cgroups.enabled - type: bool - title: Enable cgroup reporting - multi: false - required: false - show_user: true - default: false - description: > - Enable collection of cgroup metrics from processes on Linux. - - - name: process.env.whitelist - type: text - title: Env whitelist - multi: true - required: false - show_user: true - description: > - A list of regular expressions used to whitelist environment variables reported with the process metricset's events. Defaults to empty. - - - name: process.include_cpu_ticks - type: bool - title: Include CPU Ticks - multi: false - required: false - show_user: true - default: false - description: > - Include the cumulative CPU tick values with the process metrics. - - - name: processes - type: text - title: Processes - multi: true - required: true - show_user: true - description: > - A glob to match reported processes. By default all processes are reported. - - default: - - .* - title: System process metrics - description: Collect System process metrics 
diff --git a/packages/system/0.10.3/data_stream/process_summary/agent/stream/stream.yml.hbs b/packages/system/0.10.3/data_stream/process_summary/agent/stream/stream.yml.hbs
deleted file mode 100644
index 9c7cfe4dc8..0000000000
--- a/packages/system/0.10.3/data_stream/process_summary/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,2 +0,0 @@
-metricsets: ["process_summary"]
-period: {{period}}
\ No newline at end of file
diff --git a/packages/system/0.10.3/data_stream/process_summary/fields/agent.yml b/packages/system/0.10.3/data_stream/process_summary/fields/agent.yml
deleted file mode 100644
index da4e652c53..0000000000
--- a/packages/system/0.10.3/data_stream/process_summary/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.10.3/data_stream/process_summary/fields/base-fields.yml b/packages/system/0.10.3/data_stream/process_summary/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.10.3/data_stream/process_summary/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.10.3/data_stream/process_summary/fields/ecs.yml b/packages/system/0.10.3/data_stream/process_summary/fields/ecs.yml
deleted file mode 100644
index 9f3d04118b..0000000000
--- a/packages/system/0.10.3/data_stream/process_summary/fields/ecs.yml
+++ /dev/null
@@ -1,128 +0,0 @@ -- name: '@timestamp' - level: core - required: true - type: date - description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. -- name: message - level: core - type: text - description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. -- name: group - title: Group - group: 2 - type: group - fields: - - name: id - level: extended - type: keyword - description: Unique identifier for the group on the system/platform. - ignore_above: 1024 - - name: name - level: extended - type: keyword - description: Name of the group. - ignore_above: 1024 -- name: host - title: Host - group: 2 - type: group - fields: - - name: hostname - level: core - type: keyword - description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - ignore_above: 1024 -- name: process - title: Process - group: 2 - type: group - fields: - - name: name - level: extended - type: keyword - description: |- - Process name. - Sometimes called program name or similar. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - - name: pid - level: core - type: long - format: string - description: Process id. -- name: source - title: Source - group: 2 - type: group - fields: - - name: geo.city_name - level: core - type: keyword - description: City name. 
- ignore_above: 1024 - - name: geo.continent_name - level: core - type: keyword - description: Name of the continent. - ignore_above: 1024 - - name: geo.country_iso_code - level: core - type: keyword - description: Country ISO code. - ignore_above: 1024 - - name: geo.location - level: core - type: geo_point - description: Longitude and latitude. - - name: geo.region_iso_code - level: core - type: keyword - description: Region ISO code. - ignore_above: 1024 - - name: geo.region_name - level: core - type: keyword - description: Region name. - ignore_above: 1024 - - name: ip - level: core - type: ip - description: IP address of the source (IPv4 or IPv6). - - name: port - level: core - type: long - format: string - description: Port of the source. -- name: user - title: User - group: 2 - type: group - fields: - - name: id - level: core - type: keyword - description: Unique identifier of the user. - ignore_above: 1024 - - name: name - level: core - type: keyword - description: Short name or login of the user. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false diff --git a/packages/system/0.10.3/data_stream/process_summary/fields/fields.yml b/packages/system/0.10.3/data_stream/process_summary/fields/fields.yml deleted file mode 100644 index bc9254a2ae..0000000000 --- a/packages/system/0.10.3/data_stream/process_summary/fields/fields.yml +++ /dev/null 
@@ -1,44 +0,0 @@ -- name: system.process.summary - title: Process Summary - type: group - fields: - - name: total - type: long - metric_type: gauge - description: | - Total number of processes on this host. - - name: running - type: long - metric_type: gauge - description: | - Number of running processes on this host. - - name: idle - type: long - metric_type: gauge - description: | - Number of idle processes on this host. - - name: sleeping - type: long - metric_type: gauge - description: | - Number of sleeping processes on this host. - - name: stopped - type: long - metric_type: gauge - description: | - Number of stopped processes on this host. - - name: zombie - type: long - metric_type: gauge - description: | - Number of zombie processes on this host. - - name: dead - type: long - metric_type: gauge - description: | - Number of dead processes on this host. It's very unlikely that it will appear but in some special situations it may happen. - - name: unknown - type: long - metric_type: gauge - description: | - Number of processes for which the state couldn't be retrieved or is unknown. diff --git a/packages/system/0.10.3/data_stream/process_summary/manifest.yml b/packages/system/0.10.3/data_stream/process_summary/manifest.yml deleted file mode 100644 index cd89d30b94..0000000000 --- a/packages/system/0.10.3/data_stream/process_summary/manifest.yml +++ /dev/null @@ -1,15 +0,0 @@ -title: System process_summary metrics -release: experimental -type: metrics -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - title: System process_summary metrics - description: Collect System process_summary metrics diff --git a/packages/system/0.10.3/data_stream/security/agent/stream/winlog.yml.hbs b/packages/system/0.10.3/data_stream/security/agent/stream/winlog.yml.hbs deleted file mode 100644 index ea60e77baf..0000000000 
--- a/packages/system/0.10.3/data_stream/security/agent/stream/winlog.yml.hbs +++ /dev/null 
@@ -1,2053 +0,0 @@ -name: Security -condition: ${host.platform} == 'windows' -processors: - - add_fields: - target: '' - fields: - ecs.version: 1.6.0 - - script: - lang: javascript - id: security - source: |- - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - var security = (function () { - var path = require("path"); - var processor = require("processor"); - var windows = require("windows"); - // Logon Types - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events - var logonTypes = { - "2": "Interactive", - "3": "Network", - "4": "Batch", - "5": "Service", - "7": "Unlock", - "8": "NetworkCleartext", - "9": "NewCredentials", - "10": "RemoteInteractive", - "11": "CachedInteractive", - }; - // User Account Control Attributes Table - // https://support.microsoft.com/es-us/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties - var uacFlags = [ - [0x0001, 'SCRIPT'], - [0x0002, 'ACCOUNTDISABLE'], - [0x0008, 'HOMEDIR_REQUIRED'], - [0x0010, 'LOCKOUT'], - [0x0020, 'PASSWD_NOTREQD'], - [0x0040, 'PASSWD_CANT_CHANGE'], - [0x0080, 'ENCRYPTED_TEXT_PWD_ALLOWED'], - [0x0100, 'TEMP_DUPLICATE_ACCOUNT'], - [0x0200, 'NORMAL_ACCOUNT'], - [0x0800, 'INTERDOMAIN_TRUST_ACCOUNT'], - [0x1000, 'WORKSTATION_TRUST_ACCOUNT'], - [0x2000, 'SERVER_TRUST_ACCOUNT'], - [0x10000, 'DONT_EXPIRE_PASSWORD'], - [0x20000, 'MNS_LOGON_ACCOUNT'], - [0x40000, 'SMARTCARD_REQUIRED'], - [0x80000, 'TRUSTED_FOR_DELEGATION'], - [0x100000, 'NOT_DELEGATED'], - [0x200000, 'USE_DES_KEY_ONLY'], - [0x400000, 'DONT_REQ_PREAUTH'], - [0x800000, 'PASSWORD_EXPIRED'], - [0x1000000, 'TRUSTED_TO_AUTH_FOR_DELEGATION'], - [0x04000000, 'PARTIAL_SECRETS_ACCOUNT'], - ]; - // Kerberos TGT and TGS Ticket Options - // 
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769 - var ticketOptions = [ - "Reserved", - "Forwardable", - "Forwarded", - "Proxiable", - "Proxy", - "Allow-postdate", - "Postdated", - "Invalid", - "Renewable", - "Initial", - "Pre-authent", - "Opt-hardware-auth", - "Transited-policy-checked", - "Ok-as-delegate", - "Request-anonymous", - "Name-canonicalize", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Disable-transited-check", - "Renewable-ok", - "Enc-tkt-in-skey", - "Unused", - "Renew", - "Validate"]; - // Kerberos Encryption Types - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - var ticketEncryptionTypes = { - "0x1": "DES-CBC-CRC", - "0x3": "DES-CBC-MD5", - "0x11": "AES128-CTS-HMAC-SHA1-96", - "0x12": "AES256-CTS-HMAC-SHA1-96", - "0x17": "RC4-HMAC", - "0x18": "RC4-HMAC-EXP", - "0xffffffff": "FAIL", - }; - // Kerberos Result Status Codes - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - var kerberosTktStatusCodes = { - "0x0": "KDC_ERR_NONE", - "0x1": "KDC_ERR_NAME_EXP", - "0x2": "KDC_ERR_SERVICE_EXP", - "0x3": "KDC_ERR_BAD_PVNO", - "0x4": "KDC_ERR_C_OLD_MAST_KVNO", - "0x5": "KDC_ERR_S_OLD_MAST_KVNO", - "0x6": "KDC_ERR_C_PRINCIPAL_UNKNOWN", - "0x7": "KDC_ERR_S_PRINCIPAL_UNKNOWN", - "0x8": "KDC_ERR_PRINCIPAL_NOT_UNIQUE", - "0x9": "KDC_ERR_NULL_KEY", - "0xA": "KDC_ERR_CANNOT_POSTDATE", - "0xB": "KDC_ERR_NEVER_VALID", - "0xC": "KDC_ERR_POLICY", - "0xD": "KDC_ERR_BADOPTION", - "0xE": "KDC_ERR_ETYPE_NOTSUPP", - "0xF": "KDC_ERR_SUMTYPE_NOSUPP", - "0x10": "KDC_ERR_PADATA_TYPE_NOSUPP", - "0x11": 
"KDC_ERR_TRTYPE_NO_SUPP", - "0x12": "KDC_ERR_CLIENT_REVOKED", - "0x13": "KDC_ERR_SERVICE_REVOKED", - "0x14": "KDC_ERR_TGT_REVOKED", - "0x15": "KDC_ERR_CLIENT_NOTYET", - "0x16": "KDC_ERR_SERVICE_NOTYET", - "0x17": "KDC_ERR_KEY_EXPIRED", - "0x18": "KDC_ERR_PREAUTH_FAILED", - "0x19": "KDC_ERR_PREAUTH_REQUIRED", - "0x1A": "KDC_ERR_SERVER_NOMATCH", - "0x1B": "KDC_ERR_MUST_USE_USER2USER", - "0x1F": "KRB_AP_ERR_BAD_INTEGRITY", - "0x20": "KRB_AP_ERR_TKT_EXPIRED", - "0x21": "KRB_AP_ERR_TKT_NYV", - "0x22": "KRB_AP_ERR_REPEAT", - "0x23": "KRB_AP_ERR_NOT_US", - "0x24": "KRB_AP_ERR_BADMATCH", - "0x25": "KRB_AP_ERR_SKEW", - "0x26": "KRB_AP_ERR_BADADDR", - "0x27": "KRB_AP_ERR_BADVERSION", - "0x28": "KRB_AP_ERR_MSG_TYPE", - "0x29": "KRB_AP_ERR_MODIFIED", - "0x2A": "KRB_AP_ERR_BADORDER", - "0x2C": "KRB_AP_ERR_BADKEYVER", - "0x2D": "KRB_AP_ERR_NOKEY", - "0x2E": "KRB_AP_ERR_MUT_FAIL", - "0x2F": "KRB_AP_ERR_BADDIRECTION", - "0x30": "KRB_AP_ERR_METHOD", - "0x31": "KRB_AP_ERR_BADSEQ", - "0x32": "KRB_AP_ERR_INAPP_CKSUM", - "0x33": "KRB_AP_PATH_NOT_ACCEPTED", - "0x34": "KRB_ERR_RESPONSE_TOO_BIG", - "0x3C": "KRB_ERR_GENERIC", - "0x3D": "KRB_ERR_FIELD_TOOLONG", - "0x3E": "KDC_ERR_CLIENT_NOT_TRUSTED", - "0x3F": "KDC_ERR_KDC_NOT_TRUSTED", - "0x40": "KDC_ERR_INVALID_SIG", - "0x41": "KDC_ERR_KEY_TOO_WEAK", - "0x42": "KRB_AP_ERR_USER_TO_USER_REQUIRED", - "0x43": "KRB_AP_ERR_NO_TGT", - "0x44": "KDC_ERR_WRONG_REALM", - }; - // event.category, event.type, event.action - var eventActionTypes = { - "1100": ["process","end","logging-service-shutdown"], - "1102": ["iam", "admin", "audit-log-cleared"], - "1104": ["iam","admin","logging-full"], - "1105": ["iam","admin","auditlog-archieved"], - "1108": ["iam","admin","logging-processing-error"], - "4624": ["authentication","start","logged-in"], - "4625": ["authentication","start","logon-failed"], - "4634": ["authentication","end","logged-out"], - "4647": ["authentication","end","logged-out"], - "4648": ["authentication","start","logged-in-explicit"], - 
"4672": ["iam","admin","logged-in-special"], - "4673": ["iam","admin","privileged-service-called"], - "4674": ["iam","admin","privileged-operation"], - "4688": ["process","start","created-process"], - "4689": ["process", "end", "exited-process"], - "4697": ["iam","admin","service-installed"], - "4698": ["iam","creation","scheduled-task-created"], - "4699": ["iam","deletion","scheduled-task-deleted"], - "4700": ["iam","change","scheduled-task-enabled"], - "4701": ["iam","change","scheduled-task-disabled"], - "4702": ["iam","change","scheduled-task-updated"], - "4719": ["iam","admin","changed-audit-config"], - "4720": ["iam","creation","added-user-account"], - "4722": ["iam","creation","enabled-user-account"], - "4723": ["iam","change","changed-password"], - "4724": ["iam","change","reset-password"], - "4725": ["iam","deletion","disabled-user-account"], - "4726": ["iam","deletion","deleted-user-account"], - "4727": ["iam","creation","added-group-account"], - "4728": ["iam","change","added-member-to-group"], - "4729": ["iam","change","removed-member-from-group"], - "4730": ["iam","deletion","deleted-group-account"], - "4731": ["iam","creation","added-group-account"], - "4732": ["iam","change","added-member-to-group"], - "4733": ["iam","change","removed-member-from-group"], - "4734": ["iam","deletion","deleted-group-account"], - "4735": ["iam","change","modified-group-account"], - "4737": ["iam","change","modified-group-account"], - "4738": ["iam","change","modified-user-account"], - "4740": ["iam","change","locked-out-user-account"], - "4741": ["iam","creation","added-computer-account"], - "4742": ["iam","change","changed-computer-account"], - "4743": ["iam","deletion","deleted-computer-account"], - "4744": ["iam","creation","added-distribution-group-account"], - "4745": ["iam","change","changed-distribution-group-account"], - "4746": ["iam","change","added-member-to-distribution-group"], - "4747": ["iam","change","removed-member-from-distribution-group"], - "4748": 
["iam","deletion","deleted-distribution-group-account"], - "4749": ["iam","creation","added-distribution-group-account"], - "4750": ["iam","change","changed-distribution-group-account"], - "4751": ["iam","change","added-member-to-distribution-group"], - "4752": ["iam","change","removed-member-from-distribution-group"], - "4753": ["iam","deletion","deleted-distribution-group-account"], - "4754": ["iam","creation","added-group-account"], - "4755": ["iam","change","modified-group-account"], - "4756": ["iam","change","added-member-to-group"], - "4757": ["iam","change","removed-member-from-group"], - "4758": ["iam","deletion","deleted-group-account"], - "4759": ["iam","creation","added-distribution-group-account"], - "4760": ["iam","change","changed-distribution-group-account"], - "4761": ["iam","change","added-member-to-distribution-group"], - "4762": ["iam","change","removed-member-from-distribution-group"], - "4763": ["iam","deletion","deleted-distribution-group-account"], - "4764": ["iam","change","type-changed-group-account"], - "4767": ["iam","change","unlocked-user-account"], - "4768": ["authentication","start","kerberos-authentication-ticket-requested"], - "4769": ["authentication","start","kerberos-service-ticket-requested"], - "4770": ["authentication","start","kerberos-service-ticket-renewed"], - "4771": ["authentication","start","kerberos-preauth-failed"], - "4776": ["authentication","start","credential-validated"], - "4778": ["authentication","start","session-reconnected"], - "4779": ["authentication","end","session-disconnected"], - "4781": ["iam","change","renamed-user-account","dummy"], - "4798": ["iam","info","group-membership-enumerated"], - "4799": ["iam","info","user-member-enumerated","dummy"], - "4964": ["iam","admin","logged-in-special"], - }; - // Audit Policy Changes Table - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4719 - var auditActions = { - "8448": "Success Removed", - "8450": "Failure Removed", - 
"8449": "Success Added", - "8451": "Failure Added", - }; - // Services Types - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697 - var serviceTypes = { - "0x1": "Kernel Driver", - "0x2": "File System Driver", - "0x8": "Recognizer Driver", - "0x10": "Win32 Own Process", - "0x20": "Win32 Share Process", - "0x110": "Interactive Own Process", - "0x120": "Interactive Share Process", - }; - // Audit Categories Description - // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpac/77878370-0712-47cd-997d-b07053429f6d - var auditDescription = { - "0CCE9210-69AE-11D9-BED3-505054503030":["Security State Change", "System"], - "0CCE9211-69AE-11D9-BED3-505054503030":["Security System Extension", "System"], - "0CCE9212-69AE-11D9-BED3-505054503030":["System Integrity", "System"], - "0CCE9213-69AE-11D9-BED3-505054503030":["IPsec Driver", "System"], - "0CCE9214-69AE-11D9-BED3-505054503030":["Other System Events", "System"], - "0CCE9215-69AE-11D9-BED3-505054503030":["Logon", "Logon/Logoff"], - "0CCE9216-69AE-11D9-BED3-505054503030":["Logoff","Logon/Logoff"], - "0CCE9217-69AE-11D9-BED3-505054503030":["Account Lockout","Logon/Logoff"], - "0CCE9218-69AE-11D9-BED3-505054503030":["IPsec Main Mode","Logon/Logoff"], - "0CCE9219-69AE-11D9-BED3-505054503030":["IPsec Quick Mode","Logon/Logoff"], - "0CCE921A-69AE-11D9-BED3-505054503030":["IPsec Extended Mode","Logon/Logoff"], - "0CCE921B-69AE-11D9-BED3-505054503030":["Special Logon","Logon/Logoff"], - "0CCE921C-69AE-11D9-BED3-505054503030":["Other Logon/Logoff Events","Logon/Logoff"], - "0CCE9243-69AE-11D9-BED3-505054503030":["Network Policy Server","Logon/Logoff"], - "0CCE9247-69AE-11D9-BED3-505054503030":["User / Device Claims","Logon/Logoff"], - "0CCE921D-69AE-11D9-BED3-505054503030":["File System","Object Access"], - "0CCE921E-69AE-11D9-BED3-505054503030":["Registry","Object Access"], - "0CCE921F-69AE-11D9-BED3-505054503030":["Kernel Object","Object Access"], - 
"0CCE9220-69AE-11D9-BED3-505054503030":["SAM","Object Access"], - "0CCE9221-69AE-11D9-BED3-505054503030":["Certification Services","Object Access"], - "0CCE9222-69AE-11D9-BED3-505054503030":["Application Generated","Object Access"], - "0CCE9223-69AE-11D9-BED3-505054503030":["Handle Manipulation","Object Access"], - "0CCE9224-69AE-11D9-BED3-505054503030":["File Share","Object Access"], - "0CCE9225-69AE-11D9-BED3-505054503030":["Filtering Platform Packet Drop","Object Access"], - "0CCE9226-69AE-11D9-BED3-505054503030":["Filtering Platform Connection ","Object Access"], - "0CCE9227-69AE-11D9-BED3-505054503030":["Other Object Access Events","Object Access"], - "0CCE9244-69AE-11D9-BED3-505054503030":["Detailed File Share","Object Access"], - "0CCE9245-69AE-11D9-BED3-505054503030":["Removable Storage","Object Access"], - "0CCE9246-69AE-11D9-BED3-505054503030":["Central Policy Staging","Object Access"], - "0CCE9228-69AE-11D9-BED3-505054503030":["Sensitive Privilege Use","Privilege Use"], - "0CCE9229-69AE-11D9-BED3-505054503030":["Non Sensitive Privilege Use","Privilege Use"], - "0CCE922A-69AE-11D9-BED3-505054503030":["Other Privilege Use Events","Privilege Use"], - "0CCE922B-69AE-11D9-BED3-505054503030":["Process Creation","Detailed Tracking"], - "0CCE922C-69AE-11D9-BED3-505054503030":["Process Termination","Detailed Tracking"], - "0CCE922D-69AE-11D9-BED3-505054503030":["DPAPI Activity","Detailed Tracking"], - "0CCE922E-69AE-11D9-BED3-505054503030":["RPC Events","Detailed Tracking"], - "0CCE9248-69AE-11D9-BED3-505054503030":["Plug and Play Events","Detailed Tracking"], - "0CCE922F-69AE-11D9-BED3-505054503030":["Audit Policy Change","Policy Change"], - "0CCE9230-69AE-11D9-BED3-505054503030":["Authentication Policy Change","Policy Change"], - "0CCE9231-69AE-11D9-BED3-505054503030":["Authorization Policy Change","Policy Change"], - "0CCE9232-69AE-11D9-BED3-505054503030":["MPSSVC Rule-Level Policy Change","Policy Change"], - "0CCE9233-69AE-11D9-BED3-505054503030":["Filtering 
Platform Policy Change","Policy Change"], - "0CCE9234-69AE-11D9-BED3-505054503030":["Other Policy Change Events","Policy Change"], - "0CCE9235-69AE-11D9-BED3-505054503030":["User Account Management","Account Management"], - "0CCE9236-69AE-11D9-BED3-505054503030":["Computer Account Management","Account Management"], - "0CCE9237-69AE-11D9-BED3-505054503030":["Security Group Management","Account Management"], - "0CCE9238-69AE-11D9-BED3-505054503030":["Distribution Group Management","Account Management"], - "0CCE9239-69AE-11D9-BED3-505054503030":["Application Group Management","Account Management"], - "0CCE923A-69AE-11D9-BED3-505054503030":["Other Account Management Events","Account Management"], - "0CCE923B-69AE-11D9-BED3-505054503030":["Directory Service Access","Account Management"], - "0CCE923C-69AE-11D9-BED3-505054503030":["Directory Service Changes","Account Management"], - "0CCE923D-69AE-11D9-BED3-505054503030":["Directory Service Replication","Account Management"], - "0CCE923E-69AE-11D9-BED3-505054503030":["Detailed Directory Service Replication","Account Management"], - "0CCE923F-69AE-11D9-BED3-505054503030":["Credential Validation","Account Logon"], - "0CCE9240-69AE-11D9-BED3-505054503030":["Kerberos Service Ticket Operations","Account Logon"], - "0CCE9241-69AE-11D9-BED3-505054503030":["Other Account Logon Events","Account Logon"], - "0CCE9242-69AE-11D9-BED3-505054503030":["Kerberos Authentication Service","Account Logon"], - }; - // Descriptions of failure status codes. 
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625 - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776 - var logonFailureStatus = { - "0xc000005e": "There are currently no logon servers available to service the logon request.", - "0xc0000064": "User logon with misspelled or bad user account", - "0xc000006a": "User logon with misspelled or bad password", - "0xc000006d": "This is either due to a bad username or authentication information", - "0xc000006e": "Unknown user name or bad password.", - "0xc000006f": "User logon outside authorized hours", - "0xc0000070": "User logon from unauthorized workstation", - "0xc0000071": "User logon with expired password", - "0xc0000072": "User logon to account disabled by administrator", - "0xc00000dc": "Indicates the Sam Server was in the wrong state to perform the desired operation.", - "0xc0000133": "Clocks between DC and other computer too far out of sync", - "0xc000015b": "The user has not been granted the requested logon type (aka logon right) at this machine", - "0xc000018c": "The logon request failed because the trust relationship between the primary domain and the trusted domain failed.", - "0xc0000192": "An attempt was made to logon, but the Netlogon service was not started.", - "0xc0000193": "User logon with expired account", - "0xc0000224": "User is required to change password at next logon", - "0xc0000225": "Evidently a bug in Windows and not a risk", - "0xc0000234": "User logon with account locked", - "0xc00002ee": "Failure Reason: An Error occurred during Logon", - "0xc0000413": "Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine.", - "0xc0000371": "The local account store does not contain secret material for the specified account", - "0x0": "Status OK.", - }; - // Message table extracted from msobjs.dll on Windows 2019. 
- // https://gist.github.com/andrewkroh/665dca0682bd0e4daf194ab291694012 - var msobjsMessageTable = { - "279": "Undefined Access (no effect) Bit 7", - "1536": "Unused message ID", - "1537": "DELETE", - "1538": "READ_CONTROL", - "1539": "WRITE_DAC", - "1540": "WRITE_OWNER", - "1541": "SYNCHRONIZE", - "1542": "ACCESS_SYS_SEC", - "1543": "MAX_ALLOWED", - "1552": "Unknown specific access (bit 0)", - "1553": "Unknown specific access (bit 1)", - "1554": "Unknown specific access (bit 2)", - "1555": "Unknown specific access (bit 3)", - "1556": "Unknown specific access (bit 4)", - "1557": "Unknown specific access (bit 5)", - "1558": "Unknown specific access (bit 6)", - "1559": "Unknown specific access (bit 7)", - "1560": "Unknown specific access (bit 8)", - "1561": "Unknown specific access (bit 9)", - "1562": "Unknown specific access (bit 10)", - "1563": "Unknown specific access (bit 11)", - "1564": "Unknown specific access (bit 12)", - "1565": "Unknown specific access (bit 13)", - "1566": "Unknown specific access (bit 14)", - "1567": "Unknown specific access (bit 15)", - "1601": "Not used", - "1603": "Assign Primary Token Privilege", - "1604": "Lock Memory Privilege", - "1605": "Increase Memory Quota Privilege", - "1606": "Unsolicited Input Privilege", - "1607": "Trusted Computer Base Privilege", - "1608": "Security Privilege", - "1609": "Take Ownership Privilege", - "1610": "Load/Unload Driver Privilege", - "1611": "Profile System Privilege", - "1612": "Set System Time Privilege", - "1613": "Profile Single Process Privilege", - "1614": "Increment Base Priority Privilege", - "1615": "Create Pagefile Privilege", - "1616": "Create Permanent Object Privilege", - "1617": "Backup Privilege", - "1618": "Restore From Backup Privilege", - "1619": "Shutdown System Privilege", - "1620": "Debug Privilege", - "1621": "View or Change Audit Log Privilege", - "1622": "Change Hardware Environment Privilege", - "1623": "Change Notify (and Traverse) Privilege", - "1624": "Remotely Shut 
System Down Privilege", - "1792": "", - "1794": "", - "1795": "Enabled", - "1796": "Disabled", - "1797": "All", - "1798": "None", - "1799": "Audit Policy query/set API Operation", - "1800": "", - "1801": "Granted by", - "1802": "Denied by", - "1803": "Denied by Integrity Policy check", - "1804": "Granted by Ownership", - "1805": "Not granted", - "1806": "Granted by NULL DACL", - "1807": "Denied by Empty DACL", - "1808": "Granted by NULL Security Descriptor", - "1809": "Unknown or unchecked", - "1810": "Not granted due to missing", - "1811": "Granted by ACE on parent folder", - "1812": "Denied by ACE on parent folder", - "1813": "Granted by Central Access Rule", - "1814": "NOT Granted by Central Access Rule", - "1815": "Granted by parent folder's Central Access Rule", - "1816": "NOT Granted by parent folder's Central Access Rule", - "1817": "Unknown Type", - "1818": "String", - "1819": "Unsigned 64-bit Integer", - "1820": "64-bit Integer", - "1821": "FQBN", - "1822": "Blob", - "1823": "Sid", - "1824": "Boolean", - "1825": "TRUE", - "1826": "FALSE", - "1827": "Invalid", - "1828": "an ACE too long to display", - "1829": "a Security Descriptor too long to display", - "1830": "Not granted to AppContainers", - "1831": "...", - "1832": "Identification", - "1833": "Impersonation", - "1840": "Delegation", - "1841": "Denied by Process Trust Label ACE", - "1842": "Yes", - "1843": "No", - "1844": "System", - "1845": "Not Available", - "1846": "Default", - "1847": "DisallowMmConfig", - "1848": "Off", - "1849": "Auto", - "1872": "REG_NONE", - "1873": "REG_SZ", - "1874": "REG_EXPAND_SZ", - "1875": "REG_BINARY", - "1876": "REG_DWORD", - "1877": "REG_DWORD_BIG_ENDIAN", - "1878": "REG_LINK", - "1879": "REG_MULTI_SZ (New lines are replaced with *. 
A * is replaced with **)", - "1880": "REG_RESOURCE_LIST", - "1881": "REG_FULL_RESOURCE_DESCRIPTOR", - "1882": "REG_RESOURCE_REQUIREMENTS_LIST", - "1883": "REG_QWORD", - "1904": "New registry value created", - "1905": "Existing registry value modified", - "1906": "Registry value deleted", - "1920": "Sunday", - "1921": "Monday", - "1922": "Tuesday", - "1923": "Wednesday", - "1924": "Thursday", - "1925": "Friday", - "1926": "Saturday", - "1936": "TokenElevationTypeDefault (1)", - "1937": "TokenElevationTypeFull (2)", - "1938": "TokenElevationTypeLimited (3)", - "2048": "Account Enabled", - "2049": "Home Directory Required' - Disabled", - "2050": "Password Not Required' - Disabled", - "2051": "Temp Duplicate Account' - Disabled", - "2052": "Normal Account' - Disabled", - "2053": "MNS Logon Account' - Disabled", - "2054": "Interdomain Trust Account' - Disabled", - "2055": "Workstation Trust Account' - Disabled", - "2056": "Server Trust Account' - Disabled", - "2057": "Don't Expire Password' - Disabled", - "2058": "Account Unlocked", - "2059": "Encrypted Text Password Allowed' - Disabled", - "2060": "Smartcard Required' - Disabled", - "2061": "Trusted For Delegation' - Disabled", - "2062": "Not Delegated' - Disabled", - "2063": "Use DES Key Only' - Disabled", - "2064": "Don't Require Preauth' - Disabled", - "2065": "Password Expired' - Disabled", - "2066": "Trusted To Authenticate For Delegation' - Disabled", - "2067": "Exclude Authorization Information' - Disabled", - "2068": "Undefined UserAccountControl Bit 20' - Disabled", - "2069": "Protect Kerberos Service Tickets with AES Keys' - Disabled", - "2070": "Undefined UserAccountControl Bit 22' - Disabled", - "2071": "Undefined UserAccountControl Bit 23' - Disabled", - "2072": "Undefined UserAccountControl Bit 24' - Disabled", - "2073": "Undefined UserAccountControl Bit 25' - Disabled", - "2074": "Undefined UserAccountControl Bit 26' - Disabled", - "2075": "Undefined UserAccountControl Bit 27' - Disabled", - "2076": 
"Undefined UserAccountControl Bit 28' - Disabled", - "2077": "Undefined UserAccountControl Bit 29' - Disabled", - "2078": "Undefined UserAccountControl Bit 30' - Disabled", - "2079": "Undefined UserAccountControl Bit 31' - Disabled", - "2080": "Account Disabled", - "2081": "Home Directory Required' - Enabled", - "2082": "Password Not Required' - Enabled", - "2083": "Temp Duplicate Account' - Enabled", - "2084": "Normal Account' - Enabled", - "2085": "MNS Logon Account' - Enabled", - "2086": "Interdomain Trust Account' - Enabled", - "2087": "Workstation Trust Account' - Enabled", - "2088": "Server Trust Account' - Enabled", - "2089": "Don't Expire Password' - Enabled", - "2090": "Account Locked", - "2091": "Encrypted Text Password Allowed' - Enabled", - "2092": "Smartcard Required' - Enabled", - "2093": "Trusted For Delegation' - Enabled", - "2094": "Not Delegated' - Enabled", - "2095": "Use DES Key Only' - Enabled", - "2096": "Don't Require Preauth' - Enabled", - "2097": "Password Expired' - Enabled", - "2098": "Trusted To Authenticate For Delegation' - Enabled", - "2099": "Exclude Authorization Information' - Enabled", - "2100": "Undefined UserAccountControl Bit 20' - Enabled", - "2101": "Protect Kerberos Service Tickets with AES Keys' - Enabled", - "2102": "Undefined UserAccountControl Bit 22' - Enabled", - "2103": "Undefined UserAccountControl Bit 23' - Enabled", - "2104": "Undefined UserAccountControl Bit 24' - Enabled", - "2105": "Undefined UserAccountControl Bit 25' - Enabled", - "2106": "Undefined UserAccountControl Bit 26' - Enabled", - "2107": "Undefined UserAccountControl Bit 27' - Enabled", - "2108": "Undefined UserAccountControl Bit 28' - Enabled", - "2109": "Undefined UserAccountControl Bit 29' - Enabled", - "2110": "Undefined UserAccountControl Bit 30' - Enabled", - "2111": "Undefined UserAccountControl Bit 31' - Enabled", - "2304": "An Error occured during Logon.", - "2305": "The specified user account has expired.", - "2306": "The NetLogon component 
is not active.", - "2307": "Account locked out.", - "2308": "The user has not been granted the requested logon type at this machine.", - "2309": "The specified account's password has expired.", - "2310": "Account currently disabled.", - "2311": "Account logon time restriction violation.", - "2312": "User not allowed to logon at this computer.", - "2313": "Unknown user name or bad password.", - "2314": "Domain sid inconsistent.", - "2315": "Smartcard logon is required and was not used.", - "2432": "Not Available.", - "2436": "Random number generator failure.", - "2437": "Random number generation failed FIPS-140 pre-hash check.", - "2438": "Failed to zero secret data.", - "2439": "Key failed pair wise consistency check.", - "2448": "Failed to unprotect persistent cryptographic key.", - "2449": "Key export checks failed.", - "2450": "Validation of public key failed.", - "2451": "Signature verification failed.", - "2456": "Open key file.", - "2457": "Delete key file.", - "2458": "Read persisted key from file.", - "2459": "Write persisted key to file.", - "2464": "Export of persistent cryptographic key.", - "2465": "Import of persistent cryptographic key.", - "2480": "Open Key.", - "2481": "Create Key.", - "2482": "Delete Key.", - "2483": "Encrypt.", - "2484": "Decrypt.", - "2485": "Sign hash.", - "2486": "Secret agreement.", - "2487": "Domain settings", - "2488": "Local settings", - "2489": "Add provider.", - "2490": "Remove provider.", - "2491": "Add context.", - "2492": "Remove context.", - "2493": "Add function.", - "2494": "Remove function.", - "2495": "Add function provider.", - "2496": "Remove function provider.", - "2497": "Add function property.", - "2498": "Remove function property.", - "2499": "Machine key.", - "2500": "User key.", - "2501": "Key Derivation.", - "4352": "Device Access Bit 0", - "4353": "Device Access Bit 1", - "4354": "Device Access Bit 2", - "4355": "Device Access Bit 3", - "4356": "Device Access Bit 4", - "4357": "Device Access Bit 5", - 
"4358": "Device Access Bit 6", - "4359": "Device Access Bit 7", - "4360": "Device Access Bit 8", - "4361": "Undefined Access (no effect) Bit 9", - "4362": "Undefined Access (no effect) Bit 10", - "4363": "Undefined Access (no effect) Bit 11", - "4364": "Undefined Access (no effect) Bit 12", - "4365": "Undefined Access (no effect) Bit 13", - "4366": "Undefined Access (no effect) Bit 14", - "4367": "Undefined Access (no effect) Bit 15", - "4368": "Query directory", - "4369": "Traverse", - "4370": "Create object in directory", - "4371": "Create sub-directory", - "4372": "Undefined Access (no effect) Bit 4", - "4373": "Undefined Access (no effect) Bit 5", - "4374": "Undefined Access (no effect) Bit 6", - "4375": "Undefined Access (no effect) Bit 7", - "4376": "Undefined Access (no effect) Bit 8", - "4377": "Undefined Access (no effect) Bit 9", - "4378": "Undefined Access (no effect) Bit 10", - "4379": "Undefined Access (no effect) Bit 11", - "4380": "Undefined Access (no effect) Bit 12", - "4381": "Undefined Access (no effect) Bit 13", - "4382": "Undefined Access (no effect) Bit 14", - "4383": "Undefined Access (no effect) Bit 15", - "4384": "Query event state", - "4385": "Modify event state", - "4386": "Undefined Access (no effect) Bit 2", - "4387": "Undefined Access (no effect) Bit 3", - "4388": "Undefined Access (no effect) Bit 4", - "4389": "Undefined Access (no effect) Bit 5", - "4390": "Undefined Access (no effect) Bit 6", - "4391": "Undefined Access (no effect) Bit 7", - "4392": "Undefined Access (no effect) Bit 8", - "4393": "Undefined Access (no effect) Bit 9", - "4394": "Undefined Access (no effect) Bit 10", - "4395": "Undefined Access (no effect) Bit 11", - "4396": "Undefined Access (no effect) Bit 12", - "4397": "Undefined Access (no effect) Bit 13", - "4398": "Undefined Access (no effect) Bit 14", - "4399": "Undefined Access (no effect) Bit 15", - "4416": "ReadData (or ListDirectory)", - "4417": "WriteData (or AddFile)", - "4418": "AppendData (or 
AddSubdirectory or CreatePipeInstance)", - "4419": "ReadEA", - "4420": "WriteEA", - "4421": "Execute/Traverse", - "4422": "DeleteChild", - "4423": "ReadAttributes", - "4424": "WriteAttributes", - "4425": "Undefined Access (no effect) Bit 9", - "4426": "Undefined Access (no effect) Bit 10", - "4427": "Undefined Access (no effect) Bit 11", - "4428": "Undefined Access (no effect) Bit 12", - "4429": "Undefined Access (no effect) Bit 13", - "4430": "Undefined Access (no effect) Bit 14", - "4431": "Undefined Access (no effect) Bit 15", - "4432": "Query key value", - "4433": "Set key value", - "4434": "Create sub-key", - "4435": "Enumerate sub-keys", - "4436": "Notify about changes to keys", - "4437": "Create Link", - "4438": "Undefined Access (no effect) Bit 6", - "4439": "Undefined Access (no effect) Bit 7", - "4440": "Enable 64(or 32) bit application to open 64 bit key", - "4441": "Enable 64(or 32) bit application to open 32 bit key", - "4442": "Undefined Access (no effect) Bit 10", - "4443": "Undefined Access (no effect) Bit 11", - "4444": "Undefined Access (no effect) Bit 12", - "4445": "Undefined Access (no effect) Bit 13", - "4446": "Undefined Access (no effect) Bit 14", - "4447": "Undefined Access (no effect) Bit 15", - "4448": "Query mutant state", - "4449": "Undefined Access (no effect) Bit 1", - "4450": "Undefined Access (no effect) Bit 2", - "4451": "Undefined Access (no effect) Bit 3", - "4452": "Undefined Access (no effect) Bit 4", - "4453": "Undefined Access (no effect) Bit 5", - "4454": "Undefined Access (no effect) Bit 6", - "4455": "Undefined Access (no effect) Bit 7", - "4456": "Undefined Access (no effect) Bit 8", - "4457": "Undefined Access (no effect) Bit 9", - "4458": "Undefined Access (no effect) Bit 10", - "4459": "Undefined Access (no effect) Bit 11", - "4460": "Undefined Access (no effect) Bit 12", - "4461": "Undefined Access (no effect) Bit 13", - "4462": "Undefined Access (no effect) Bit 14", - "4463": "Undefined Access (no effect) Bit 15", - 
"4464": "Communicate using port", - "4465": "Undefined Access (no effect) Bit 1", - "4466": "Undefined Access (no effect) Bit 2", - "4467": "Undefined Access (no effect) Bit 3", - "4468": "Undefined Access (no effect) Bit 4", - "4469": "Undefined Access (no effect) Bit 5", - "4470": "Undefined Access (no effect) Bit 6", - "4471": "Undefined Access (no effect) Bit 7", - "4472": "Undefined Access (no effect) Bit 8", - "4473": "Undefined Access (no effect) Bit 9", - "4474": "Undefined Access (no effect) Bit 10", - "4475": "Undefined Access (no effect) Bit 11", - "4476": "Undefined Access (no effect) Bit 12", - "4477": "Undefined Access (no effect) Bit 13", - "4478": "Undefined Access (no effect) Bit 14", - "4479": "Undefined Access (no effect) Bit 15", - "4480": "Force process termination", - "4481": "Create new thread in process", - "4482": "Set process session ID", - "4483": "Perform virtual memory operation", - "4484": "Read from process memory", - "4485": "Write to process memory", - "4486": "Duplicate handle into or out of process", - "4487": "Create a subprocess of process", - "4488": "Set process quotas", - "4489": "Set process information", - "4490": "Query process information", - "4491": "Set process termination port", - "4492": "Undefined Access (no effect) Bit 12", - "4493": "Undefined Access (no effect) Bit 13", - "4494": "Undefined Access (no effect) Bit 14", - "4495": "Undefined Access (no effect) Bit 15", - "4496": "Control profile", - "4497": "Undefined Access (no effect) Bit 1", - "4498": "Undefined Access (no effect) Bit 2", - "4499": "Undefined Access (no effect) Bit 3", - "4500": "Undefined Access (no effect) Bit 4", - "4501": "Undefined Access (no effect) Bit 5", - "4502": "Undefined Access (no effect) Bit 6", - "4503": "Undefined Access (no effect) Bit 7", - "4504": "Undefined Access (no effect) Bit 8", - "4505": "Undefined Access (no effect) Bit 9", - "4506": "Undefined Access (no effect) Bit 10", - "4507": "Undefined Access (no effect) Bit 11", 
- "4508": "Undefined Access (no effect) Bit 12", - "4509": "Undefined Access (no effect) Bit 13", - "4510": "Undefined Access (no effect) Bit 14", - "4511": "Undefined Access (no effect) Bit 15", - "4512": "Query section state", - "4513": "Map section for write", - "4514": "Map section for read", - "4515": "Map section for execute", - "4516": "Extend size", - "4517": "Undefined Access (no effect) Bit 5", - "4518": "Undefined Access (no effect) Bit 6", - "4519": "Undefined Access (no effect) Bit 7", - "4520": "Undefined Access (no effect) Bit 8", - "4521": "Undefined Access (no effect) Bit 9", - "4522": "Undefined Access (no effect) Bit 10", - "4523": "Undefined Access (no effect) Bit 11", - "4524": "Undefined Access (no effect) Bit 12", - "4525": "Undefined Access (no effect) Bit 13", - "4526": "Undefined Access (no effect) Bit 14", - "4527": "Undefined Access (no effect) Bit 15", - "4528": "Query semaphore state", - "4529": "Modify semaphore state", - "4530": "Undefined Access (no effect) Bit 2", - "4531": "Undefined Access (no effect) Bit 3", - "4532": "Undefined Access (no effect) Bit 4", - "4533": "Undefined Access (no effect) Bit 5", - "4534": "Undefined Access (no effect) Bit 6", - "4535": "Undefined Access (no effect) Bit 7", - "4536": "Undefined Access (no effect) Bit 8", - "4537": "Undefined Access (no effect) Bit 9", - "4538": "Undefined Access (no effect) Bit 10", - "4539": "Undefined Access (no effect) Bit 11", - "4540": "Undefined Access (no effect) Bit 12", - "4541": "Undefined Access (no effect) Bit 13", - "4542": "Undefined Access (no effect) Bit 14", - "4543": "Undefined Access (no effect) Bit 15", - "4544": "Use symbolic link", - "4545": "Undefined Access (no effect) Bit 1", - "4546": "Undefined Access (no effect) Bit 2", - "4547": "Undefined Access (no effect) Bit 3", - "4548": "Undefined Access (no effect) Bit 4", - "4549": "Undefined Access (no effect) Bit 5", - "4550": "Undefined Access (no effect) Bit 6", - "4551": "Undefined Access (no 
effect) Bit 7", - "4552": "Undefined Access (no effect) Bit 8", - "4553": "Undefined Access (no effect) Bit 9", - "4554": "Undefined Access (no effect) Bit 10", - "4555": "Undefined Access (no effect) Bit 11", - "4556": "Undefined Access (no effect) Bit 12", - "4557": "Undefined Access (no effect) Bit 13", - "4558": "Undefined Access (no effect) Bit 14", - "4559": "Undefined Access (no effect) Bit 15", - "4560": "Force thread termination", - "4561": "Suspend or resume thread", - "4562": "Send an alert to thread", - "4563": "Get thread context", - "4564": "Set thread context", - "4565": "Set thread information", - "4566": "Query thread information", - "4567": "Assign a token to the thread", - "4568": "Cause thread to directly impersonate another thread", - "4569": "Directly impersonate this thread", - "4570": "Undefined Access (no effect) Bit 10", - "4571": "Undefined Access (no effect) Bit 11", - "4572": "Undefined Access (no effect) Bit 12", - "4573": "Undefined Access (no effect) Bit 13", - "4574": "Undefined Access (no effect) Bit 14", - "4575": "Undefined Access (no effect) Bit 15", - "4576": "Query timer state", - "4577": "Modify timer state", - "4578": "Undefined Access (no effect) Bit 2", - "4579": "Undefined Access (no effect) Bit 3", - "4580": "Undefined Access (no effect) Bit 4", - "4581": "Undefined Access (no effect) Bit 5", - "4582": "Undefined Access (no effect) Bit 6", - "4584": "Undefined Access (no effect) Bit 8", - "4585": "Undefined Access (no effect) Bit 9", - "4586": "Undefined Access (no effect) Bit 10", - "4587": "Undefined Access (no effect) Bit 11", - "4588": "Undefined Access (no effect) Bit 12", - "4589": "Undefined Access (no effect) Bit 13", - "4590": "Undefined Access (no effect) Bit 14", - "4591": "Undefined Access (no effect) Bit 15", - "4592": "AssignAsPrimary", - "4593": "Duplicate", - "4594": "Impersonate", - "4595": "Query", - "4596": "QuerySource", - "4597": "AdjustPrivileges", - "4598": "AdjustGroups", - "4599": 
"AdjustDefaultDacl", - "4600": "AdjustSessionID", - "4601": "Undefined Access (no effect) Bit 9", - "4602": "Undefined Access (no effect) Bit 10", - "4603": "Undefined Access (no effect) Bit 11", - "4604": "Undefined Access (no effect) Bit 12", - "4605": "Undefined Access (no effect) Bit 13", - "4606": "Undefined Access (no effect) Bit 14", - "4607": "Undefined Access (no effect) Bit 15", - "4608": "Create instance of object type", - "4609": "Undefined Access (no effect) Bit 1", - "4610": "Undefined Access (no effect) Bit 2", - "4611": "Undefined Access (no effect) Bit 3", - "4612": "Undefined Access (no effect) Bit 4", - "4613": "Undefined Access (no effect) Bit 5", - "4614": "Undefined Access (no effect) Bit 6", - "4615": "Undefined Access (no effect) Bit 7", - "4616": "Undefined Access (no effect) Bit 8", - "4617": "Undefined Access (no effect) Bit 9", - "4618": "Undefined Access (no effect) Bit 10", - "4619": "Undefined Access (no effect) Bit 11", - "4620": "Undefined Access (no effect) Bit 12", - "4621": "Undefined Access (no effect) Bit 13", - "4622": "Undefined Access (no effect) Bit 14", - "4623": "Undefined Access (no effect) Bit 15", - "4864": "Query State", - "4865": "Modify State", - "5120": "Channel read message", - "5121": "Channel write message", - "5122": "Channel query information", - "5123": "Channel set information", - "5124": "Undefined Access (no effect) Bit 4", - "5125": "Undefined Access (no effect) Bit 5", - "5126": "Undefined Access (no effect) Bit 6", - "5127": "Undefined Access (no effect) Bit 7", - "5128": "Undefined Access (no effect) Bit 8", - "5129": "Undefined Access (no effect) Bit 9", - "5130": "Undefined Access (no effect) Bit 10", - "5131": "Undefined Access (no effect) Bit 11", - "5132": "Undefined Access (no effect) Bit 12", - "5133": "Undefined Access (no effect) Bit 13", - "5134": "Undefined Access (no effect) Bit 14", - "5135": "Undefined Access (no effect) Bit 15", - "5136": "Assign process", - "5137": "Set Attributes", - 
"5138": "Query Attributes", - "5139": "Terminate Job", - "5140": "Set Security Attributes", - "5141": "Undefined Access (no effect) Bit 5", - "5142": "Undefined Access (no effect) Bit 6", - "5143": "Undefined Access (no effect) Bit 7", - "5144": "Undefined Access (no effect) Bit 8", - "5145": "Undefined Access (no effect) Bit 9", - "5146": "Undefined Access (no effect) Bit 10", - "5147": "Undefined Access (no effect) Bit 11", - "5148": "Undefined Access (no effect) Bit 12", - "5149": "Undefined Access (no effect) Bit 13", - "5150": "Undefined Access (no effect) Bit 14", - "5151": "Undefined Access (no effect) Bit 15", - "5376": "ConnectToServer", - "5377": "ShutdownServer", - "5378": "InitializeServer", - "5379": "CreateDomain", - "5380": "EnumerateDomains", - "5381": "LookupDomain", - "5382": "Undefined Access (no effect) Bit 6", - "5383": "Undefined Access (no effect) Bit 7", - "5384": "Undefined Access (no effect) Bit 8", - "5385": "Undefined Access (no effect) Bit 9", - "5386": "Undefined Access (no effect) Bit 10", - "5387": "Undefined Access (no effect) Bit 11", - "5388": "Undefined Access (no effect) Bit 12", - "5389": "Undefined Access (no effect) Bit 13", - "5390": "Undefined Access (no effect) Bit 14", - "5391": "Undefined Access (no effect) Bit 15", - "5392": "ReadPasswordParameters", - "5393": "WritePasswordParameters", - "5394": "ReadOtherParameters", - "5395": "WriteOtherParameters", - "5396": "CreateUser", - "5397": "CreateGlobalGroup", - "5398": "CreateLocalGroup", - "5399": "GetLocalGroupMembership", - "5400": "ListAccounts", - "5401": "LookupIDs", - "5402": "AdministerServer", - "5403": "Undefined Access (no effect) Bit 11", - "5404": "Undefined Access (no effect) Bit 12", - "5405": "Undefined Access (no effect) Bit 13", - "5406": "Undefined Access (no effect) Bit 14", - "5407": "Undefined Access (no effect) Bit 15", - "5408": "ReadInformation", - "5409": "WriteAccount", - "5410": "AddMember", - "5411": "RemoveMember", - "5412": "ListMembers", - 
"5413": "Undefined Access (no effect) Bit 5", - "5414": "Undefined Access (no effect) Bit 6", - "5415": "Undefined Access (no effect) Bit 7", - "5416": "Undefined Access (no effect) Bit 8", - "5417": "Undefined Access (no effect) Bit 9", - "5418": "Undefined Access (no effect) Bit 10", - "5419": "Undefined Access (no effect) Bit 11", - "5420": "Undefined Access (no effect) Bit 12", - "5421": "Undefined Access (no effect) Bit 13", - "5422": "Undefined Access (no effect) Bit 14", - "5423": "Undefined Access (no effect) Bit 15", - "5424": "AddMember", - "5425": "RemoveMember", - "5426": "ListMembers", - "5427": "ReadInformation", - "5428": "WriteAccount", - "5429": "Undefined Access (no effect) Bit 5", - "5430": "Undefined Access (no effect) Bit 6", - "5431": "Undefined Access (no effect) Bit 7", - "5432": "Undefined Access (no effect) Bit 8", - "5433": "Undefined Access (no effect) Bit 9", - "5434": "Undefined Access (no effect) Bit 10", - "5435": "Undefined Access (no effect) Bit 11", - "5436": "Undefined Access (no effect) Bit 12", - "5437": "Undefined Access (no effect) Bit 13", - "5438": "Undefined Access (no effect) Bit 14", - "5439": "Undefined Access (no effect) Bit 15", - "5440": "ReadGeneralInformation", - "5441": "ReadPreferences", - "5442": "WritePreferences", - "5443": "ReadLogon", - "5444": "ReadAccount", - "5445": "WriteAccount", - "5446": "ChangePassword (with knowledge of old password)", - "5447": "SetPassword (without knowledge of old password)", - "5448": "ListGroups", - "5449": "ReadGroupMembership", - "5450": "ChangeGroupMembership", - "5451": "Undefined Access (no effect) Bit 11", - "5452": "Undefined Access (no effect) Bit 12", - "5453": "Undefined Access (no effect) Bit 13", - "5454": "Undefined Access (no effect) Bit 14", - "5455": "Undefined Access (no effect) Bit 15", - "5632": "View non-sensitive policy information", - "5633": "View system audit requirements", - "5634": "Get sensitive policy information", - "5635": "Modify domain trust 
relationships", - "5636": "Create special accounts (for assignment of user rights)", - "5637": "Create a secret object", - "5638": "Create a privilege", - "5639": "Set default quota limits", - "5640": "Change system audit requirements", - "5641": "Administer audit log attributes", - "5642": "Enable/Disable LSA", - "5643": "Lookup Names/SIDs", - "5648": "Change secret value", - "5649": "Query secret value", - "5650": "Undefined Access (no effect) Bit 2", - "5651": "Undefined Access (no effect) Bit 3", - "5652": "Undefined Access (no effect) Bit 4", - "5653": "Undefined Access (no effect) Bit 5", - "5654": "Undefined Access (no effect) Bit 6", - "5655": "Undefined Access (no effect) Bit 7", - "5656": "Undefined Access (no effect) Bit 8", - "5657": "Undefined Access (no effect) Bit 9", - "5658": "Undefined Access (no effect) Bit 10", - "5659": "Undefined Access (no effect) Bit 11", - "5660": "Undefined Access (no effect) Bit 12", - "5661": "Undefined Access (no effect) Bit 13", - "5662": "Undefined Access (no effect) Bit 14", - "5663": "Undefined Access (no effect) Bit 15", - "5664": "Query trusted domain name/SID", - "5665": "Retrieve the controllers in the trusted domain", - "5666": "Change the controllers in the trusted domain", - "5667": "Query the Posix ID offset assigned to the trusted domain", - "5668": "Change the Posix ID offset assigned to the trusted domain", - "5669": "Undefined Access (no effect) Bit 5", - "5670": "Undefined Access (no effect) Bit 6", - "5671": "Undefined Access (no effect) Bit 7", - "5672": "Undefined Access (no effect) Bit 8", - "5673": "Undefined Access (no effect) Bit 9", - "5674": "Undefined Access (no effect) Bit 10", - "5675": "Undefined Access (no effect) Bit 11", - "5676": "Undefined Access (no effect) Bit 12", - "5677": "Undefined Access (no effect) Bit 13", - "5678": "Undefined Access (no effect) Bit 14", - "5679": "Undefined Access (no effect) Bit 15", - "5680": "Query account information", - "5681": "Change privileges 
assigned to account", - "5682": "Change quotas assigned to account", - "5683": "Change logon capabilities assigned to account", - "5684": "Change the Posix ID offset assigned to the accounted domain", - "5685": "Undefined Access (no effect) Bit 5", - "5686": "Undefined Access (no effect) Bit 6", - "5687": "Undefined Access (no effect) Bit 7", - "5688": "Undefined Access (no effect) Bit 8", - "5689": "Undefined Access (no effect) Bit 9", - "5690": "Undefined Access (no effect) Bit 10", - "5691": "Undefined Access (no effect) Bit 11", - "5692": "Undefined Access (no effect) Bit 12", - "5693": "Undefined Access (no effect) Bit 13", - "5694": "Undefined Access (no effect) Bit 14", - "5695": "Undefined Access (no effect) Bit 15", - "5696": "KeyedEvent Wait", - "5697": "KeyedEvent Wake", - "5698": "Undefined Access (no effect) Bit 2", - "5699": "Undefined Access (no effect) Bit 3", - "5700": "Undefined Access (no effect) Bit 4", - "5701": "Undefined Access (no effect) Bit 5", - "5702": "Undefined Access (no effect) Bit 6", - "5703": "Undefined Access (no effect) Bit 7", - "5704": "Undefined Access (no effect) Bit 8", - "5705": "Undefined Access (no effect) Bit 9", - "5706": "Undefined Access (no effect) Bit 10", - "5707": "Undefined Access (no effect) Bit 11", - "5708": "Undefined Access (no effect) Bit 12", - "5709": "Undefined Access (no effect) Bit 13", - "5710": "Undefined Access (no effect) Bit 14", - "5711": "Undefined Access (no effect) Bit 15", - "6656": "Enumerate desktops", - "6657": "Read attributes", - "6658": "Access Clipboard", - "6659": "Create desktop", - "6660": "Write attributes", - "6661": "Access global atoms", - "6662": "Exit windows", - "6663": "Unused Access Flag", - "6664": "Include this windowstation in enumerations", - "6665": "Read screen", - "6672": "Read Objects", - "6673": "Create window", - "6674": "Create menu", - "6675": "Hook control", - "6676": "Journal (record)", - "6677": "Journal (playback)", - "6678": "Include this desktop in 
enumerations", - "6679": "Write objects", - "6680": "Switch to this desktop", - "6912": "Administer print server", - "6913": "Enumerate printers", - "6930": "Full Control", - "6931": "Print", - "6948": "Administer Document", - "7168": "Connect to service controller", - "7169": "Create a new service", - "7170": "Enumerate services", - "7171": "Lock service database for exclusive access", - "7172": "Query service database lock state", - "7173": "Set last-known-good state of service database", - "7184": "Query service configuration information", - "7185": "Set service configuration information", - "7186": "Query status of service", - "7187": "Enumerate dependencies of service", - "7188": "Start the service", - "7189": "Stop the service", - "7190": "Pause or continue the service", - "7191": "Query information from service", - "7192": "Issue service-specific control commands", - "7424": "DDE Share Read", - "7425": "DDE Share Write", - "7426": "DDE Share Initiate Static", - "7427": "DDE Share Initiate Link", - "7428": "DDE Share Request", - "7429": "DDE Share Advise", - "7430": "DDE Share Poke", - "7431": "DDE Share Execute", - "7432": "DDE Share Add Items", - "7433": "DDE Share List Items", - "7680": "Create Child", - "7681": "Delete Child", - "7682": "List Contents", - "7683": "Write Self", - "7684": "Read Property", - "7685": "Write Property", - "7686": "Delete Tree", - "7687": "List Object", - "7688": "Control Access", - "7689": "Undefined Access (no effect) Bit 9", - "7690": "Undefined Access (no effect) Bit 10", - "7691": "Undefined Access (no effect) Bit 11", - "7692": "Undefined Access (no effect) Bit 12", - "7693": "Undefined Access (no effect) Bit 13", - "7694": "Undefined Access (no effect) Bit 14", - "7695": "Undefined Access (no effect) Bit 15", - "7936": "Audit Set System Policy", - "7937": "Audit Query System Policy", - "7938": "Audit Set Per User Policy", - "7939": "Audit Query Per User Policy", - "7940": "Audit Enumerate Users", - "7941": "Audit Set 
Options", - "7942": "Audit Query Options", - "8064": "Port sharing (read)", - "8065": "Port sharing (write)", - "8096": "Default credentials", - "8097": "Credentials manager", - "8098": "Fresh credentials", - "8192": "Kerberos", - "8193": "Preshared key", - "8194": "Unknown authentication", - "8195": "DES", - "8196": "3DES", - "8197": "MD5", - "8198": "SHA1", - "8199": "Local computer", - "8200": "Remote computer", - "8201": "No state", - "8202": "Sent first (SA) payload", - "8203": "Sent second (KE) payload", - "8204": "Sent third (ID) payload", - "8205": "Initiator", - "8206": "Responder", - "8207": "No state", - "8208": "Sent first (SA) payload", - "8209": "Sent final payload", - "8210": "Complete", - "8211": "Unknown", - "8212": "Transport", - "8213": "Tunnel", - "8214": "IKE/AuthIP DoS prevention mode started", - "8215": "IKE/AuthIP DoS prevention mode stopped", - "8216": "Enabled", - "8217": "Not enabled", - "8218": "No state", - "8219": "Sent first (EM attributes) payload", - "8220": "Sent second (SSPI) payload", - "8221": "Sent third (hash) payload", - "8222": "IKEv1", - "8223": "AuthIP", - "8224": "Anonymous", - "8225": "NTLM V2", - "8226": "CGA", - "8227": "Certificate", - "8228": "SSL", - "8229": "None", - "8230": "DH group 1", - "8231": "DH group 2", - "8232": "DH group 14", - "8233": "DH group ECP 256", - "8234": "DH group ECP 384", - "8235": "AES-128", - "8236": "AES-192", - "8237": "AES-256", - "8238": "Certificate ECDSA P256", - "8239": "Certificate ECDSA P384", - "8240": "SSL ECDSA P256", - "8241": "SSL ECDSA P384", - "8242": "SHA 256", - "8243": "SHA 384", - "8244": "IKEv2", - "8245": "EAP payload sent", - "8246": "Authentication payload sent", - "8247": "EAP", - "8248": "DH group 24", - "8272": "System", - "8273": "Logon/Logoff", - "8274": "Object Access", - "8275": "Privilege Use", - "8276": "Detailed Tracking", - "8277": "Policy Change", - "8278": "Account Management", - "8279": "DS Access", - "8280": "Account Logon", - "8448": "Success 
removed", - "8449": "Success Added", - "8450": "Failure removed", - "8451": "Failure added", - "8452": "Success include removed", - "8453": "Success include added", - "8454": "Success exclude removed", - "8455": "Success exclude added", - "8456": "Failure include removed", - "8457": "Failure include added", - "8458": "Failure exclude removed", - "8459": "Failure exclude added", - "12288": "Security State Change", - "12289": "Security System Extension", - "12290": "System Integrity", - "12291": "IPsec Driver", - "12292": "Other System Events", - "12544": "Logon", - "12545": "Logoff", - "12546": "Account Lockout", - "12547": "IPsec Main Mode", - "12548": "Special Logon", - "12549": "IPsec Quick Mode", - "12550": "IPsec Extended Mode", - "12551": "Other Logon/Logoff Events", - "12552": "Network Policy Server", - "12553": "User / Device Claims", - "12554": "Group Membership", - "12800": "File System", - "12801": "Registry", - "12802": "Kernel Object", - "12803": "SAM", - "12804": "Other Object Access Events", - "12805": "Certification Services", - "12806": "Application Generated", - "12807": "Handle Manipulation", - "12808": "File Share", - "12809": "Filtering Platform Packet Drop", - "12810": "Filtering Platform Connection", - "12811": "Detailed File Share", - "12812": "Removable Storage", - "12813": "Central Policy Staging", - "13056": "Sensitive Privilege Use", - "13057": "Non Sensitive Privilege Use", - "13058": "Other Privilege Use Events", - "13312": "Process Creation", - "13313": "Process Termination", - "13314": "DPAPI Activity", - "13315": "RPC Events", - "13316": "Plug and Play Events", - "13317": "Token Right Adjusted Events", - "13568": "Audit Policy Change", - "13569": "Authentication Policy Change", - "13570": "Authorization Policy Change", - "13571": "MPSSVC Rule-Level Policy Change", - "13572": "Filtering Platform Policy Change", - "13573": "Other Policy Change Events", - "13824": "User Account Management", - "13825": "Computer Account Management", - 
"13826": "Security Group Management", - "13827": "Distribution Group Management", - "13828": "Application Group Management", - "13829": "Other Account Management Events", - "14080": "Directory Service Access", - "14081": "Directory Service Changes", - "14082": "Directory Service Replication", - "14083": "Detailed Directory Service Replication", - "14336": "Credential Validation", - "14337": "Kerberos Service Ticket Operations", - "14338": "Other Account Logon Events", - "14339": "Kerberos Authentication Service", - "14592": "Inbound", - "14593": "Outbound", - "14594": "Forward", - "14595": "Bidirectional", - "14596": "IP Packet", - "14597": "Transport", - "14598": "Forward", - "14599": "Stream", - "14600": "Datagram Data", - "14601": "ICMP Error", - "14602": "MAC 802.3", - "14603": "MAC Native", - "14604": "vSwitch", - "14608": "Resource Assignment", - "14609": "Listen", - "14610": "Receive/Accept", - "14611": "Connect", - "14612": "Flow Established", - "14614": "Resource Release", - "14615": "Endpoint Closure", - "14616": "Connect Redirect", - "14617": "Bind Redirect", - "14624": "Stream Packet", - "14640": "ICMP Echo-Request", - "14641": "vSwitch Ingress", - "14642": "vSwitch Egress", - "14672": "", - "14673": "[NULL]", - "14674": "Value Added", - "14675": "Value Deleted", - "14676": "Active Directory Domain Services", - "14677": "Active Directory Lightweight Directory Services", - "14678": "Yes", - "14679": "No", - "14680": "Value Added With Expiration Time", - "14681": "Value Deleted With Expiration Time", - "14688": "Value Auto Deleted With Expiration Time", - "16384": "Add", - "16385": "Delete", - "16386": "Boot-time", - "16387": "Persistent", - "16388": "Not persistent", - "16389": "Block", - "16390": "Permit", - "16391": "Callout", - "16392": "MD5", - "16393": "SHA-1", - "16394": "SHA-256", - "16395": "AES-GCM 128", - "16396": "AES-GCM 192", - "16397": "AES-GCM 256", - "16398": "DES", - "16399": "3DES", - "16400": "AES-128", - "16401": "AES-192", - "16402": 
"AES-256",
- "16403": "Transport",
- "16404": "Tunnel",
- "16405": "Responder",
- "16406": "Initiator",
- "16407": "AES-GMAC 128",
- "16408": "AES-GMAC 192",
- "16409": "AES-GMAC 256",
- "16416": "AuthNoEncap Transport",
- "16896": "Enable WMI Account",
- "16897": "Execute Method",
- "16898": "Full Write",
- "16899": "Partial Write",
- "16900": "Provider Write",
- "16901": "Remote Access",
- "16902": "Subscribe",
- "16903": "Publish",
- };
- // lookupMessageCode returns the string associated with the code. key should
- // be the name of the field in evt containing the code (e.g. %%2313).
- var lookupMessageCode = function (evt, key) {
- var code = evt.Get(key);
- if (!code) {
- return;
- }
- code = code.replace("%%", "");
- return msobjsMessageTable[code];
- };
- var addEventFields = function(evt){
- var code = evt.Get("event.code");
- if (!code) {
- return;
- }
- var eventActionDescription = eventActionTypes[code][2];
- if (eventActionDescription) {
- evt.AppendTo("event.category", eventActionTypes[code][0]);
- evt.AppendTo("event.type", eventActionTypes[code][1]);
- evt.Put("event.action", eventActionTypes[code][2]);
- }
- };
- var addLogonType = function(evt) {
- var code = evt.Get("winlog.event_data.LogonType");
- if (!code) {
- return;
- }
- var descriptiveLogonType = logonTypes[code];
- if (descriptiveLogonType === undefined) {
- return;
- }
- evt.Put("winlog.logon.type", descriptiveLogonType);
- };
- var addFailureCode = function(evt) {
- var msg = lookupMessageCode(evt, "winlog.event_data.FailureReason");
- if (!msg) {
- return;
- }
- evt.Put("winlog.logon.failure.reason", msg);
- };
- var addFailureStatus = function(evt) {
- var code = evt.Get("winlog.event_data.Status");
- if (!code) {
- return;
- }
- var descriptiveFailureStatus = logonFailureStatus[code];
- if (descriptiveFailureStatus === undefined) {
- return;
- }
- evt.Put("winlog.logon.failure.status", descriptiveFailureStatus);
- };
- var addFailureSubStatus = function(evt) {
- var code = 
evt.Get("winlog.event_data.SubStatus");
- if (!code) {
- return;
- }
- var descriptiveFailureStatus = logonFailureStatus[code];
- if (descriptiveFailureStatus === undefined) {
- return;
- }
- evt.Put("winlog.logon.failure.sub_status", descriptiveFailureStatus);
- };
- var addUACDescription = function(evt) {
- var code = evt.Get("winlog.event_data.NewUacValue");
- if (!code) {
- return;
- }
- var uacCode = parseInt(code);
- var uacResult = [];
- for (var i = 0; i < uacFlags.length; i++) {
- if ((uacCode | uacFlags[i][0]) === uacCode) {
- uacResult.push(uacFlags[i][1]);
- }
- }
- if (uacResult) {
- evt.Put("winlog.event_data.NewUACList", uacResult);
- }
- var uacList = evt.Get("winlog.event_data.UserAccountControl").replace(/\s/g, '').split("%%").filter(String);
- if (!uacList) {
- return;
- }
- evt.Put("winlog.event_data.UserAccountControl", uacList);
- };
- var addAuditInfo = function(evt) {
- var subcategoryGuid = evt.Get("winlog.event_data.SubcategoryGuid").replace("{", '').replace("}", '').toUpperCase();
- if (!subcategoryGuid) {
- return;
- }
- if (!auditDescription[subcategoryGuid]) {
- return;
- }
- evt.Put("winlog.event_data.Category", auditDescription[subcategoryGuid][1]);
- evt.Put("winlog.event_data.SubCategory", auditDescription[subcategoryGuid][0]);
- var codedActions = evt.Get("winlog.event_data.AuditPolicyChanges").split(",");
- var actionResults = [];
- for (var j = 0; j < codedActions.length; j++) {
- var actionCode = codedActions[j].replace("%%", '').replace(' ', '');
- actionResults.push(auditActions[actionCode]);
- }
- evt.Put("winlog.event_data.AuditPolicyChangesDescription", actionResults);
- };
- var addTicketOptionsDescription = function(evt) {
- var code = evt.Get("winlog.event_data.TicketOptions");
- if (!code) {
- return;
- }
- var tktCode = parseInt(code, 16).toString(2);
- var tktResult = [];
- var tktCodeLen = tktCode.length;
- for (var i = tktCodeLen; i >= 0; i--) {
- if (tktCode[i] == 1) {
- 
tktResult.push(ticketOptions[(32-tktCodeLen)+i]);
- }
- }
- if (tktResult) {
- evt.Put("winlog.event_data.TicketOptionsDescription", tktResult);
- }
- };
- var addTicketEncryptionType = function(evt) {
- var code = evt.Get("winlog.event_data.TicketEncryptionType");
- if (!code) {
- return;
- }
- var encTypeCode = code.toLowerCase();
- evt.Put("winlog.event_data.TicketEncryptionTypeDescription", ticketEncryptionTypes[encTypeCode]);
- };
- var addTicketStatus = function(evt) {
- var code = evt.Get("winlog.event_data.Status");
- if (!code) {
- return;
- }
- evt.Put("winlog.event_data.StatusDescription", kerberosTktStatusCodes[code]);
- };
- var addSessionData = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.AccountName", to: "user.name"},
- {from: "winlog.event_data.AccountDomain", to: "user.domain"},
- {from: "winlog.event_data.ClientAddress", to: "source.ip"},
- {from: "winlog.event_data.ClientName", to: "source.domain"},
- {from: "winlog.event_data.LogonID", to: "winlog.logon.id"},
- ],
- ignore_missing: true,
- })
- .Add(function(evt) {
- var user = evt.Get("winlog.event_data.AccountName");
- evt.AppendTo('related.user', user);
- })
- .Build();
- var addServiceFields = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.ServiceName", to: "service.name"},
- ],
- ignore_missing: true,
- })
- .Add(function(evt) {
- var code = evt.Get("winlog.event_data.ServiceType");
- if (!code) {
- return;
- }
- evt.Put("service.type", serviceTypes[code]);
- })
- .Build();
- var copyTargetUser = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.TargetUserSid", to: "user.id"},
- {from: "winlog.event_data.TargetUserName", to: "user.name"},
- {from: "winlog.event_data.TargetDomainName", to: "user.domain"},
- ],
- ignore_missing: true,
- })
- .Add(function(evt) {
- var user = evt.Get("winlog.event_data.TargetUserName");
- if (/.@*/.test(user)) {
- user = user.split('@')[0];
- evt.Put('user.name', user);
- }
- 
evt.AppendTo('related.user', user);
- })
- .Build();
- var copyTargetUserToGroup = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.TargetUserSid", to: "group.id"},
- {from: "winlog.event_data.TargetUserName", to: "group.name"},
- {from: "winlog.event_data.TargetDomainName", to: "group.domain"},
- ],
- ignore_missing: true,
- })
- .Build();
- var copyTargetUserToComputerObject = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.TargetSid", to: "winlog.computerObject.id"},
- {from: "winlog.event_data.TargetUserName", to: "winlog.computerObject.name"},
- {from: "winlog.event_data.TargetDomainName", to: "winlog.computerObject.domain"},
- ],
- ignore_missing: true,
- })
- .Build();
- var copyTargetUserLogonId = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.TargetLogonId", to: "winlog.logon.id"},
- ],
- ignore_missing: true,
- })
- .Build();
- var copySubjectUser = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.SubjectUserSid", to: "user.id"},
- {from: "winlog.event_data.SubjectUserName", to: "user.name"},
- {from: "winlog.event_data.SubjectDomainName", to: "user.domain"},
- ],
- ignore_missing: true,
- })
- .Add(function(evt) {
- var user = evt.Get("winlog.event_data.SubjectUserName");
- evt.AppendTo('related.user', user);
- })
- .Build();
- var copySubjectUserFromUserData = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.user_data.SubjectUserSid", to: "user.id"},
- {from: "winlog.user_data.SubjectUserName", to: "user.name"},
- {from: "winlog.user_data.SubjectDomainName", to: "user.domain"},
- ],
- ignore_missing: true,
- })
- .Add(function(evt) {
- var user = evt.Get("winlog.user_data.SubjectUserName");
- evt.AppendTo('related.user', user);
- })
- .Build();
- var copySubjectUserLogonId = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.SubjectLogonId", to: "winlog.logon.id"},
- ],
- ignore_missing: true,
- })
- .Build(); 
- var copySubjectUserLogonIdFromUserData = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.user_data.SubjectLogonId", to: "winlog.logon.id"}, - ], - ignore_missing: true, - }) - .Build(); - var renameCommonAuthFields = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"}, - {from: "winlog.event_data.ProcessName", to: "process.executable"}, - {from: "winlog.event_data.IpAddress", to: "source.ip", type: "ip"}, - {from: "winlog.event_data.IpPort", to: "source.port", type: "long"}, - {from: "winlog.event_data.WorkstationName", to: "source.domain"}, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(function(evt) { - var name = evt.Get("process.name"); - if (name) { - return; - } - var exe = evt.Get("process.executable"); - if (!exe) { - return; - } - evt.Put("process.name", path.basename(exe)); - }) - .Build(); - var renameNewProcessFields = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.NewProcessId", to: "process.pid", type: "long"}, - {from: "winlog.event_data.NewProcessName", to: "process.executable"}, - {from: "winlog.event_data.ParentProcessName", to: "process.parent.executable"} - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(function(evt) { - var name = evt.Get("process.name"); - if (name) { - return; - } - var exe = evt.Get("process.executable"); - if (!exe) { - return; - } - evt.Put("process.name", path.basename(exe)); - }) - .Add(function(evt) { - var name = evt.Get("process.parent.name"); - if (name) { - return; - } - var exe = evt.Get("process.parent.executable"); - if (!exe) { - return; - } - evt.Put("process.parent.name", path.basename(exe)); - }) - .Add(function(evt) { - var cl = evt.Get("winlog.event_data.CommandLine"); - if (!cl) { - return; - } - evt.Put("process.args", windows.splitCommandLine(cl)); - evt.Put("process.command_line", cl); - }) - .Build(); - // Handles 4634 
and 4647. - var logoff = new processor.Chain() - .Add(copyTargetUser) - .Add(copyTargetUserLogonId) - .Add(addLogonType) - .Add(addEventFields) - .Build(); - // Handles both 4624 - var logonSuccess = new processor.Chain() - .Add(copyTargetUser) - .Add(copyTargetUserLogonId) - .Add(addLogonType) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.SubjectUserName"); - if (user) { - var res = /^-$/.test(user); - if (!res) { - evt.AppendTo('related.user', user); - } - } - }) - .Build(); - // Handles both 4648 - var event4648 = new processor.Chain() - .Add(copyTargetUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.SubjectUserName"); - if (user) { - var res = /^-$/.test(user); - if (!res) { - evt.AppendTo('related.user', user); - } - } - }) - .Build(); - var event4625 = new processor.Chain() - .Add(copyTargetUser) - .Add(copySubjectUserLogonId) - .Add(addLogonType) - .Add(addFailureCode) - .Add(addFailureStatus) - .Add(addFailureSubStatus) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Build(); - var event4672 = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(function(evt) { - var privs = evt.Get("winlog.event_data.PrivilegeList"); - if (!privs) { - return; - } - evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/)); - }) - .Add(addEventFields) - .Build(); - var event4688 = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameNewProcessFields) - .Add(addEventFields) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.TargetUserName"); - var res = /^-$/.test(user); - if (!res) { - evt.AppendTo('related.user', user); - } - }) - .Build(); - var event4689 = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Build(); - var 
event4697 = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addServiceFields) - .Add(addEventFields) - .Add(function(evt) { - evt.AppendTo("event.type", "change"); - }) - .Build(); - var userMgmtEvts = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addUACDescription) - .Add(addEventFields) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.TargetUserName"); - evt.AppendTo('related.user', user); - evt.AppendTo("event.type", "user"); - }) - .Build(); - var userRenamed = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(addEventFields) - .Add(function(evt) { - var userNew = evt.Get("winlog.event_data.NewTargetUserName"); - evt.AppendTo('related.user', userNew); - var userOld = evt.Get("winlog.event_data.OldTargetUserName"); - evt.AppendTo('related.user', userOld); - evt.AppendTo("event.type", "user"); - }) - .Build(); - var groupMgmtEvts = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(copyTargetUserToGroup) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Add(function(evt) { - evt.AppendTo("event.type", "group"); - var member = evt.Get("winlog.event_data.MemberName"); - if (!member) { - return; - } - evt.AppendTo("related.user", member.split(',')[0].replace('CN=', '').replace('cn=', '')); - }) - .Build(); - var auditLogCleared = new processor.Chain() - .Add(copySubjectUserFromUserData) - .Add(copySubjectUserLogonIdFromUserData) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Add(function(evt) { - evt.AppendTo("event.type", "change"); - }) - .Build(); - var auditChanged = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addAuditInfo) - .Add(addEventFields) - .Add(function(evt) { - evt.AppendTo("event.type", "change"); - }) - .Build(); - var auditLogMgmt = new 
processor.Chain() - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Build(); - var computerMgmtEvts = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(copyTargetUserToComputerObject) - .Add(renameCommonAuthFields) - .Add(addUACDescription) - .Add(addEventFields) - .Add(function(evt) { - var privs = evt.Get("winlog.event_data.PrivilegeList"); - if (!privs) { - return; - } - evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/)); - evt.AppendTo("event.type", "admin"); - }) - .Build(); - var sessionEvts = new processor.Chain() - .Add(addSessionData) - .Add(addEventFields) - .Build(); - var event4964 = new processor.Chain() - .Add(copyTargetUser) - .Add(copyTargetUserLogonId) - .Add(addEventFields) - .Add(function(evt) { - evt.AppendTo("event.type", "group"); - }) - .Build(); - var kerberosTktEvts = new processor.Chain() - .Add(copyTargetUser) - .Add(renameCommonAuthFields) - .Add(addTicketOptionsDescription) - .Add(addTicketEncryptionType) - .Add(addTicketStatus) - .Add(addEventFields) - .Add(function(evt) { - var ip = evt.Get("source.ip"); - if (/::ffff:/.test(ip)) { - evt.Put("source.ip", ip.replace("::ffff:", "")); - } - }) - .Build(); - var event4776 = new processor.Chain() - .Add(copyTargetUser) - .Add(addFailureStatus) - .Add(addEventFields) - .Build(); - var scheduledTask = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(addEventFields) - .Add(function(evt) { - evt.AppendTo("event.type", "admin"); - }) - .Build(); - var sensitivePrivilege = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Add(function(evt) { - var privs = evt.Get("winlog.event_data.PrivilegeList"); - if (!privs) { - return; - } - evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/)); - }) - .Add(function(evt){ - var maskCodes = evt.Get("winlog.event_data.AccessMask"); - if (!maskCodes) { - return; - } - var maskList = 
maskCodes.replace(/\s+/g, '').split("%%").filter(String); - evt.Put("winlog.event_data.AccessMask", maskList); - var maskResults = []; - for (var j = 0; j < maskList.length; j++) { - var description = msobjsMessageTable[maskList[j]]; - if (description === undefined) { - return; - } - maskResults.push(description); - } - evt.Put("winlog.event_data.AccessMaskDescription", maskResults); - }) - .Build(); - return { - // 1100 - The event logging service has shut down. - 1100: auditLogMgmt.Run, - // 1102 - The audit log was cleared. - 1102: auditLogCleared.Run, - // 1104 - The security log is now full. - 1104: auditLogMgmt.Run, - // 1105 - Event log automatic backup. - 1105: auditLogMgmt.Run, - // 1108 - The event logging service encountered an error while processing an incoming event published from %1 - 1108: auditLogMgmt.Run, - // 4624 - An account was successfully logged on. - 4624: logonSuccess.Run, - // 4625 - An account failed to log on. - 4625: event4625.Run, - // 4634 - An account was logged off. - 4634: logoff.Run, - // 4647 - User initiated logoff. - 4647: logoff.Run, - // 4648 - A logon was attempted using explicit credentials. - 4648: event4648.Run, - // 4672 - Special privileges assigned to new logon. - 4672: event4672.Run, - // 4673 - A privileged service was called. - 4673: sensitivePrivilege.Run, - // 4674 - An operation was attempted on a privileged object. - 4674: sensitivePrivilege.Run, - // 4688 - A new process has been created. - 4688: event4688.Run, - // 4689 - A process has exited. - 4689: event4689.Run, - // 4697 - A service was installed in the system. - 4697: event4697.Run, - // 4698 - A scheduled task was created. - 4698: scheduledTask.Run, - // 4699 - A scheduled task was deleted. - 4699: scheduledTask.Run, - // 4700 - A scheduled task was enabled. - 4700: scheduledTask.Run, - // 4701 - A scheduled task was disabled. - 4701: scheduledTask.Run, - // 4702 - A scheduled task was updated. 
- 4702: scheduledTask.Run, - // 4719 - System audit policy was changed. - 4719: auditChanged.Run, - // 4720 - A user account was created - 4720: userMgmtEvts.Run, - // 4722 - A user account was enabled - 4722: userMgmtEvts.Run, - // 4723 - An attempt was made to change an account's password - 4723: userMgmtEvts.Run, - // 4724 - An attempt was made to reset an account's password - 4724: userMgmtEvts.Run, - // 4725 - A user account was disabled. - 4725: userMgmtEvts.Run, - // 4726 - An user account was deleted. - 4726: userMgmtEvts.Run, - // 4727 - A security-enabled global group was created. - 4727: groupMgmtEvts.Run, - // 4728 - A member was added to a security-enabled global group. - 4728: groupMgmtEvts.Run, - // 4729 - A member was removed from a security-enabled global group. - 4729: groupMgmtEvts.Run, - // 4730 - A security-enabled global group was deleted. - 4730: groupMgmtEvts.Run, - // 4731 - A security-enabled local group was created. - 4731: groupMgmtEvts.Run, - // 4732 - A member was added to a security-enabled local group. - 4732: groupMgmtEvts.Run, - // 4733 - A member was removed from a security-enabled local group. - 4733: groupMgmtEvts.Run, - // 4734 - A security-enabled local group was deleted. - 4734: groupMgmtEvts.Run, - // 4735 - A security-enabled local group was changed. - 4735: groupMgmtEvts.Run, - // 4737 - A security-enabled global group was changed. - 4737: groupMgmtEvts.Run, - // 4738 - An user account was changed. - 4738: userMgmtEvts.Run, - // 4740 - An account was locked out - 4740: userMgmtEvts.Run, - // 4741 - A computer account was created. - 4741: computerMgmtEvts.Run, - // 4742 - A computer account was changed. - 4742: computerMgmtEvts.Run, - // 4743 - A computer account was deleted. - 4743: computerMgmtEvts.Run, - // 4744 - A security-disabled local group was created. - 4744: groupMgmtEvts.Run, - // 4745 - A security-disabled local group was changed. 
- 4745: groupMgmtEvts.Run, - // 4746 - A member was added to a security-disabled local group. - 4746: groupMgmtEvts.Run, - // 4747 - A member was removed from a security-disabled local group. - 4747: groupMgmtEvts.Run, - // 4748 - A security-disabled local group was deleted. - 4748: groupMgmtEvts.Run, - // 4749 - A security-disabled global group was created. - 4749: groupMgmtEvts.Run, - // 4750 - A security-disabled global group was changed. - 4750: groupMgmtEvts.Run, - // 4751 - A member was added to a security-disabled global group. - 4751: groupMgmtEvts.Run, - // 4752 - A member was removed from a security-disabled global group. - 4752: groupMgmtEvts.Run, - // 4753 - A security-disabled global group was deleted. - 4753: groupMgmtEvts.Run, - // 4754 - A security-enabled universal group was created. - 4754: groupMgmtEvts.Run, - // 4755 - A security-enabled universal group was changed. - 4755: groupMgmtEvts.Run, - // 4756 - A member was added to a security-enabled universal group. - 4756: groupMgmtEvts.Run, - // 4757 - A member was removed from a security-enabled universal group. - 4757: groupMgmtEvts.Run, - // 4758 - A security-enabled universal group was deleted. - 4758: groupMgmtEvts.Run, - // 4759 - A security-disabled universal group was created. - 4759: groupMgmtEvts.Run, - // 4760 - A security-disabled universal group was changed. - 4760: groupMgmtEvts.Run, - // 4761 - A member was added to a security-disabled universal group. - 4761: groupMgmtEvts.Run, - // 4762 - A member was removed from a security-disabled universal group. - 4762: groupMgmtEvts.Run, - // 4763 - A security-disabled global group was deleted. - 4763: groupMgmtEvts.Run, - // 4764 - A group\'s type was changed. - 4764: groupMgmtEvts.Run, - // 4767 - A user account was unlocked. - 4767: userMgmtEvts.Run, - // 4768 - A Kerberos authentication ticket TGT was requested. - 4768: kerberosTktEvts.Run, - // 4769 - A Kerberos service ticket was requested. 
- 4769: kerberosTktEvts.Run, - // 4770 - A Kerberos service ticket was renewed. - 4770: kerberosTktEvts.Run, - // 4771 - Kerberos pre-authentication failed. - 4771: kerberosTktEvts.Run, - // 4776 - The computer attempted to validate the credentials for an account. - 4776: event4776.Run, - // 4778 - A session was reconnected to a Window Station. - 4778: sessionEvts.Run, - // 4779 - A session was disconnected from a Window Station. - 4779: sessionEvts.Run, - // 4781 - The name of an account was changed. - 4781: userRenamed.Run, - // 4798 - A user's local group membership was enumerated. - 4798: userMgmtEvts.Run, - // 4799 - A security-enabled local group membership was enumerated. - 4799: groupMgmtEvts.Run, - // 4964 - Special groups have been assigned to a new logon. - 4964: event4964.Run, - process: function(evt) { - var eventId = evt.Get("winlog.event_id"); - var processor = this[eventId]; - if (processor === undefined) { - return; - } - evt.Put("event.module", "security"); - processor(evt); - }, - }; - })(); - function process(evt) { - return security.process(evt); - } \ No newline at end of file diff --git a/packages/system/0.10.3/data_stream/security/elasticsearch/ingest_pipeline/default.yml b/packages/system/0.10.3/data_stream/security/elasticsearch/ingest_pipeline/default.yml deleted file mode 100644 index 4b6fecee0d..0000000000 --- a/packages/system/0.10.3/data_stream/security/elasticsearch/ingest_pipeline/default.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -description: Pipeline for Windows Security Event Logs -processors: - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' -on_failure: - - set: - field: "error.message" - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/system/0.10.3/data_stream/security/fields/agent.yml b/packages/system/0.10.3/data_stream/security/fields/agent.yml deleted file mode 100644 index da4e652c53..0000000000 --- a/packages/system/0.10.3/data_stream/security/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/system/0.10.3/data_stream/security/fields/base-fields.yml b/packages/system/0.10.3/data_stream/security/fields/base-fields.yml
deleted file mode 100644
index a9a65458fc..0000000000
--- a/packages/system/0.10.3/data_stream/security/fields/base-fields.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset name.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: dataset.type
- type: constant_keyword
- description: Dataset type.
-- name: dataset.name
- type: constant_keyword
- description: Dataset name.
-- name: dataset.namespace
- type: constant_keyword
- description: Dataset namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.10.3/data_stream/security/fields/ecs.yml b/packages/system/0.10.3/data_stream/security/fields/ecs.yml
deleted file mode 100644
index ccf9959fcb..0000000000
--- a/packages/system/0.10.3/data_stream/security/fields/ecs.yml
+++ /dev/null
@@ -1,147 +0,0 @@
-- description: Error message.
- name: error.message
- type: text
-- description: The action captured by the event.
- example: user-password-change
- ignore_above: 1024
- name: event.action
- type: keyword
-- description: Event category. The second categorization field in the hierarchy.
- example: authentication
- ignore_above: 1024
- name: event.category
- type: keyword
-- description: Identification code for this event.
- example: 4648
- ignore_above: 1024
- name: event.code
- type: keyword
-- description: Time when the event was first read by an agent or by your pipeline.
- example: '2016-05-23T08:05:34.857Z'
- name: event.created
- type: date
-- description: Timestamp when an event arrived in the central data store.
- example: '2016-05-23T08:05:35.101Z'
- name: event.ingested
- type: date
-- description: Name of the module this data is coming from.
- example: apache
- ignore_above: 1024
- name: event.module
- type: keyword
-- description: Event type. The third categorization field in the hierarchy.
- ignore_above: 1024
- name: event.type
- type: keyword
-- description: Name of the directory the group is a member of.
- ignore_above: 1024
- name: group.domain
- type: keyword
-- description: Unique identifier for the group on the system/platform.
- ignore_above: 1024
- name: group.id
- type: keyword
-- description: Name of the group.
- ignore_above: 1024
- name: group.name
- type: keyword
-- description: Full command line that started the process.
- example: /usr/bin/ssh -l user 10.0.0.16
- ignore_above: 1024
- multi_fields:
- - flat_name: process.command_line.text
- name: text
- norms: false
- type: text
- name: process.command_line
- type: keyword
-- description: Absolute path to the process executable.
- example: /usr/bin/ssh
- ignore_above: 1024
- multi_fields:
- - flat_name: process.executable.text
- name: text
- norms: false
- type: text
- name: process.executable
- type: keyword
-- description: Process name.
- example: ssh
- ignore_above: 1024
- multi_fields:
- - flat_name: process.name.text
- name: text
- norms: false
- type: text
- name: process.name
- type: keyword
-- description: Absolute path to the process executable.
- example: /usr/bin/ssh
- ignore_above: 1024
- multi_fields:
- - flat_name: process.parent.executable.text
- name: text
- norms: false
- type: text
- name: process.parent.executable
- type: keyword
-- description: Process id.
- example: 4242
- name: process.pid
- type: long
-- description: All the user names seen on your event.
- ignore_above: 1024
- name: related.user
- type: keyword
-- description: Name of the service.
- example: elasticsearch-metrics
- ignore_above: 1024
- name: service.name
- type: keyword
-- description: The type of the service.
- example: elasticsearch
- ignore_above: 1024
- name: service.type
- type: keyword
-- description: Source domain.
- ignore_above: 1024
- name: source.domain
- type: keyword
-- description: IP address of the source.
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
-- description: Name of the directory the user is a member of.
- ignore_above: 1024
- name: user.domain
- type: keyword
-- description: Unique identifier of the user.
- ignore_above: 1024
- name: user.id
- type: keyword
-- description: Short name or login of the user.
- example: albert
- ignore_above: 1024
- multi_fields:
- - flat_name: user.name.text
- name: text
- norms: false
- type: text
- name: user.name
- type: keyword
-- description: Identification code for this event.
- example: 4648
- ignore_above: 1024
- name: event.code
- type: keyword
-- description: Log level of the log event.
- name: log.level
- type: keyword
-- description: Host ip addresses.
- name: host.ip
- type: ip
-- description: The outcome of the event. The lowest level categorization field in the hierarchy.
- name: event.outcome
- type: keyword
diff --git a/packages/system/0.10.3/data_stream/security/fields/fields.yml b/packages/system/0.10.3/data_stream/security/fields/fields.yml
deleted file mode 100644
index b8c2eedfc2..0000000000
--- a/packages/system/0.10.3/data_stream/security/fields/fields.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-- name: winlog
- type: group
- fields:
- - name: logon
- type: group
- fields:
- - name: type
- type: keyword
- description: |
- Logon type name. This is the descriptive version of the `winlog.event_data.LogonType` ordinal. This is an enrichment added by the Security module.
- - name: id
- type: keyword
- description: |
- Logon ID that can be used to associate this logon with other events related to the same logon session.
- - name: failure.reason
- type: keyword
- description: |
- The reason the logon failed.
- - name: failure.status
- type: keyword
- description: |
- The reason the logon failed. This is textual description based on the value of the hexadecimal `Status` field.
- - name: failure.sub_status
- type: keyword
- description: |
- Additional information about the logon failure. This is a textual description based on the value of the hexidecimal `SubStatus` field.
diff --git a/packages/system/0.10.3/data_stream/security/fields/winlog.yml b/packages/system/0.10.3/data_stream/security/fields/winlog.yml
deleted file mode 100644
index 1661dec6f1..0000000000
--- a/packages/system/0.10.3/data_stream/security/fields/winlog.yml
+++ /dev/null
@@ -1,365 +0,0 @@ -- name: winlog - type: group - description: > - All fields specific to the Windows Event Log are defined here. - - fields: - - name: api - required: true - type: keyword - description: > - The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. - - The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. - - - name: activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. - - - name: computer_name - type: keyword - required: true - description: > - The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. - - - name: event_data - type: object - object_type: keyword - required: false - description: > - The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. - - - name: event_data - type: group - description: > - This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs. 
- - fields: - - name: AuthenticationPackageName - type: keyword - - name: Binary - type: keyword - - name: BitlockerUserInputTime - type: keyword - - name: BootMode - type: keyword - - name: BootType - type: keyword - - name: BuildVersion - type: keyword - - name: Company - type: keyword - - name: CorruptionActionState - type: keyword - - name: CreationUtcTime - type: keyword - - name: Description - type: keyword - - name: Detail - type: keyword - - name: DeviceName - type: keyword - - name: DeviceNameLength - type: keyword - - name: DeviceTime - type: keyword - - name: DeviceVersionMajor - type: keyword - - name: DeviceVersionMinor - type: keyword - - name: DriveName - type: keyword - - name: DriverName - type: keyword - - name: DriverNameLength - type: keyword - - name: DwordVal - type: keyword - - name: EntryCount - type: keyword - - name: ExtraInfo - type: keyword - - name: FailureName - type: keyword - - name: FailureNameLength - type: keyword - - name: FileVersion - type: keyword - - name: FinalStatus - type: keyword - - name: Group - type: keyword - - name: IdleImplementation - type: keyword - - name: IdleStateCount - type: keyword - - name: ImpersonationLevel - type: keyword - - name: IntegrityLevel - type: keyword - - name: IpAddress - type: keyword - - name: IpPort - type: keyword - - name: KeyLength - type: keyword - - name: LastBootGood - type: keyword - - name: LastShutdownGood - type: keyword - - name: LmPackageName - type: keyword - - name: LogonGuid - type: keyword - - name: LogonId - type: keyword - - name: LogonProcessName - type: keyword - - name: LogonType - type: keyword - - name: MajorVersion - type: keyword - - name: MaximumPerformancePercent - type: keyword - - name: MemberName - type: keyword - - name: MemberSid - type: keyword - - name: MinimumPerformancePercent - type: keyword - - name: MinimumThrottlePercent - type: keyword - - name: MinorVersion - type: keyword - - name: NewProcessId - type: keyword - - name: NewProcessName - type: 
keyword - - name: NewSchemeGuid - type: keyword - - name: NewTime - type: keyword - - name: NominalFrequency - type: keyword - - name: Number - type: keyword - - name: OldSchemeGuid - type: keyword - - name: OldTime - type: keyword - - name: OriginalFileName - type: keyword - - name: Path - type: keyword - - name: PerformanceImplementation - type: keyword - - name: PreviousCreationUtcTime - type: keyword - - name: PreviousTime - type: keyword - - name: PrivilegeList - type: keyword - - name: ProcessId - type: keyword - - name: ProcessName - type: keyword - - name: ProcessPath - type: keyword - - name: ProcessPid - type: keyword - - name: Product - type: keyword - - name: PuaCount - type: keyword - - name: PuaPolicyId - type: keyword - - name: QfeVersion - type: keyword - - name: Reason - type: keyword - - name: SchemaVersion - type: keyword - - name: ScriptBlockText - type: keyword - - name: ServiceName - type: keyword - - name: ServiceVersion - type: keyword - - name: ShutdownActionType - type: keyword - - name: ShutdownEventCode - type: keyword - - name: ShutdownReason - type: keyword - - name: Signature - type: keyword - - name: SignatureStatus - type: keyword - - name: Signed - type: keyword - - name: StartTime - type: keyword - - name: State - type: keyword - - name: Status - type: keyword - - name: StopTime - type: keyword - - name: SubjectDomainName - type: keyword - - name: SubjectLogonId - type: keyword - - name: SubjectUserName - type: keyword - - name: SubjectUserSid - type: keyword - - name: TSId - type: keyword - - name: TargetDomainName - type: keyword - - name: TargetInfo - type: keyword - - name: TargetLogonGuid - type: keyword - - name: TargetLogonId - type: keyword - - name: TargetServerName - type: keyword - - name: TargetUserName - type: keyword - - name: NewTargetUserName - type: keyword - - name: OldTargetUserName - type: keyword - - name: TargetUserSid - type: keyword - - name: TerminalSessionId - type: keyword - - name: TokenElevationType - 
type: keyword - - name: TransmittedServices - type: keyword - - name: UserSid - type: keyword - - name: Version - type: keyword - - name: Workstation - type: keyword - - name: param1 - type: keyword - - name: param2 - type: keyword - - name: param3 - type: keyword - - name: param4 - type: keyword - - name: param5 - type: keyword - - name: param6 - type: keyword - - name: param7 - type: keyword - - name: param8 - type: keyword - - name: event_id - type: keyword - required: true - description: > - The event identifier. The value is specific to the source of the event. - - - name: keywords - type: keyword - required: false - description: > - The keywords are used to classify an event. - - - name: channel - type: keyword - required: true - description: > - The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. - - - name: record_id - type: keyword - required: true - description: > - The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. - - - name: related_activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. - - - name: opcode - type: keyword - required: false - description: > - The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. - - - name: provider_guid - type: keyword - required: false - description: > - A globally unique identifier that identifies the provider that logged the event. 
- - - name: process.pid - type: long - required: false - description: > - The process_id of the Client Server Runtime Process. - - - name: provider_name - type: keyword - required: true - description: > - The source of the event log record (the application or service that logged the record). - - - name: task - type: keyword - required: false - description: > - The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. - - - name: process.thread.id - type: long - required: false - - name: user_data - type: object - object_type: keyword - required: false - description: > - The event specific data. This field is mutually exclusive with `event_data`. - - - name: user.identifier - type: keyword - required: false - example: S-1-5-21-3541430928-2051711210-1391384369-1001 - description: > - The Windows security identifier (SID) of the account associated with this event. - - If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. - - - name: user.name - type: keyword - description: > - Name of the user associated with this event. - - - name: user.domain - type: keyword - required: false - description: > - The domain that the account associated with this event is a member of. - - - name: user.type - type: keyword - required: false - description: > - The type of account associated with this event. - - - name: version - type: long - required: false - description: The version number of the event's definition. diff --git a/packages/system/0.10.3/data_stream/security/manifest.yml b/packages/system/0.10.3/data_stream/security/manifest.yml deleted file mode 100644 index a0f8b8b08e..0000000000 
--- a/packages/system/0.10.3/data_stream/security/manifest.yml +++ /dev/null @@ -1,8 +0,0 @@ -type: logs -title: Windows security logs -release: experimental -streams: - - input: winlog - template_path: winlog.yml.hbs - title: Security - description: 'Collect Windows security logs' diff --git a/packages/system/0.10.3/data_stream/socket_summary/agent/stream/stream.yml.hbs b/packages/system/0.10.3/data_stream/socket_summary/agent/stream/stream.yml.hbs deleted file mode 100644 index bbc8e63f4a..0000000000 --- a/packages/system/0.10.3/data_stream/socket_summary/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,2 +0,0 @@ -metricsets: ["socket_summary"] -period: {{period}} \ No newline at end of file diff --git a/packages/system/0.10.3/data_stream/socket_summary/fields/agent.yml b/packages/system/0.10.3/data_stream/socket_summary/fields/agent.yml deleted file mode 100644 index da4e652c53..0000000000 --- a/packages/system/0.10.3/data_stream/socket_summary/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.10.3/data_stream/socket_summary/fields/base-fields.yml b/packages/system/0.10.3/data_stream/socket_summary/fields/base-fields.yml deleted file mode 100644 index 7c798f4534..0000000000 --- a/packages/system/0.10.3/data_stream/socket_summary/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.10.3/data_stream/socket_summary/fields/ecs.yml b/packages/system/0.10.3/data_stream/socket_summary/fields/ecs.yml deleted file mode 100644 index 9f3d04118b..0000000000 --- a/packages/system/0.10.3/data_stream/socket_summary/fields/ecs.yml +++ /dev/null 
@@ -1,128 +0,0 @@ -- name: '@timestamp' - level: core - required: true - type: date - description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. -- name: message - level: core - type: text - description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. -- name: group - title: Group - group: 2 - type: group - fields: - - name: id - level: extended - type: keyword - description: Unique identifier for the group on the system/platform. - ignore_above: 1024 - - name: name - level: extended - type: keyword - description: Name of the group. - ignore_above: 1024 -- name: host - title: Host - group: 2 - type: group - fields: - - name: hostname - level: core - type: keyword - description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - ignore_above: 1024 -- name: process - title: Process - group: 2 - type: group - fields: - - name: name - level: extended - type: keyword - description: |- - Process name. - Sometimes called program name or similar. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - - name: pid - level: core - type: long - format: string - description: Process id. -- name: source - title: Source - group: 2 - type: group - fields: - - name: geo.city_name - level: core - type: keyword - description: City name. 
- ignore_above: 1024 - - name: geo.continent_name - level: core - type: keyword - description: Name of the continent. - ignore_above: 1024 - - name: geo.country_iso_code - level: core - type: keyword - description: Country ISO code. - ignore_above: 1024 - - name: geo.location - level: core - type: geo_point - description: Longitude and latitude. - - name: geo.region_iso_code - level: core - type: keyword - description: Region ISO code. - ignore_above: 1024 - - name: geo.region_name - level: core - type: keyword - description: Region name. - ignore_above: 1024 - - name: ip - level: core - type: ip - description: IP address of the source (IPv4 or IPv6). - - name: port - level: core - type: long - format: string - description: Port of the source. -- name: user - title: User - group: 2 - type: group - fields: - - name: id - level: core - type: keyword - description: Unique identifier of the user. - ignore_above: 1024 - - name: name - level: core - type: keyword - description: Short name or login of the user. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false diff --git a/packages/system/0.10.3/data_stream/socket_summary/fields/fields.yml b/packages/system/0.10.3/data_stream/socket_summary/fields/fields.yml deleted file mode 100644 index fca58be0c8..0000000000 --- a/packages/system/0.10.3/data_stream/socket_summary/fields/fields.yml +++ /dev/null 
@@ -1,106 +0,0 @@ -- name: system.socket.summary - title: Socket summary - type: group - fields: - - name: all - type: group - fields: - - name: count - type: integer - metric_type: gauge - description: | - All open connections - - name: listening - type: integer - metric_type: gauge - description: | - All listening ports - - name: tcp - type: group - fields: - - name: memory - type: integer - format: bytes - unit: byte - metric_type: gauge - description: "Memory used by TCP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/tcp_mem. Only available on Linux. \n" - - name: all - type: group - fields: - - name: orphan - type: integer - metric_type: gauge - description: | - A count of all orphaned tcp sockets. Only available on Linux. - - name: count - type: integer - metric_type: gauge - description: | - All open TCP connections - - name: listening - type: integer - metric_type: gauge - description: | - All TCP listening ports - - name: established - type: integer - metric_type: gauge - description: | - Number of established TCP connections - - name: close_wait - type: integer - metric_type: gauge - description: | - Number of TCP connections in _close_wait_ state - - name: time_wait - type: integer - metric_type: gauge - description: | - Number of TCP connections in _time_wait_ state - - name: syn_sent - type: integer - metric_type: gauge - description: | - Number of TCP connections in _syn_sent_ state - - name: syn_recv - type: integer - metric_type: gauge - description: | - Number of TCP connections in _syn_recv_ state - - name: fin_wait1 - type: integer - metric_type: gauge - description: | - Number of TCP connections in _fin_wait1_ state - - name: fin_wait2 - type: integer - metric_type: gauge - description: | - Number of TCP connections in _fin_wait2_ state - - name: last_ack - type: integer - metric_type: gauge - description: | - Number of TCP connections in _last_ack_ state - - name: 
closing - type: integer - metric_type: gauge - description: | - Number of TCP connections in _closing_ state - - name: udp - type: group - fields: - - name: memory - type: integer - format: bytes - unit: byte - metric_type: gauge - description: "Memory used by UDP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/udp_mem. Only available on Linux. \n" - - name: all - type: group - fields: - - name: count - type: integer - metric_type: gauge - description: | - All open UDP connections diff --git a/packages/system/0.10.3/data_stream/socket_summary/manifest.yml b/packages/system/0.10.3/data_stream/socket_summary/manifest.yml deleted file mode 100644 index 119109fe70..0000000000 --- a/packages/system/0.10.3/data_stream/socket_summary/manifest.yml +++ /dev/null @@ -1,15 +0,0 @@ -title: System socket_summary metrics -release: experimental -type: metrics -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - title: System socket_summary metrics - description: Collect System socket_summary metrics diff --git a/packages/system/0.10.3/data_stream/syslog/agent/stream/log.yml.hbs b/packages/system/0.10.3/data_stream/syslog/agent/stream/log.yml.hbs deleted file mode 100644 index 58c96859c0..0000000000 --- a/packages/system/0.10.3/data_stream/syslog/agent/stream/log.yml.hbs +++ /dev/null @@ -1,14 +0,0 @@ -paths: -{{#each paths as |path i|}} - - {{path}} -{{/each}} -exclude_files: [".gz$"] -multiline: - pattern: "^\\s" - match: after -processors: - - add_locale: ~ - - add_fields: - target: '' - fields: - ecs.version: 1.5.0 \ No newline at end of file diff --git a/packages/system/0.10.3/data_stream/syslog/elasticsearch/ingest_pipeline/default.json b/packages/system/0.10.3/data_stream/syslog/elasticsearch/ingest_pipeline/default.json deleted file mode 100644 index 0c614b8a95..0000000000 
--- a/packages/system/0.10.3/data_stream/syslog/elasticsearch/ingest_pipeline/default.json +++ /dev/null @@ -1,71 +0,0 @@ -{ - "description": "Pipeline for parsing Syslog messages.", - "processors": [ - { - "grok": { - "field": "message", - "patterns": [ - "%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: %{GREEDYMULTILINE:system.syslog.message}", - "%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{GREEDYMULTILINE:system.syslog.message}", - "%{TIMESTAMP_ISO8601:system.syslog.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: %{GREEDYMULTILINE:system.syslog.message}" - ], - "pattern_definitions" : { - "GREEDYMULTILINE" : "(.|\n)*" - }, - "ignore_missing": true - } - }, - { - "remove": { - "field": "message" - } - }, - { - "rename": { - "field": "system.syslog.message", - "target_field": "message", - "ignore_missing": true - } - }, - { - "date": { - "if": "ctx.event.timezone == null", - "field": "system.syslog.timestamp", - "target_field": "@timestamp", - "formats": [ - "MMM d HH:mm:ss", - "MMM dd HH:mm:ss", - "MMM d HH:mm:ss", - "ISO8601" - ], - "on_failure": [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] - } - }, - { - "date": { - "if": "ctx.event.timezone != null", - "field": "system.syslog.timestamp", - "target_field": "@timestamp", - "formats": [ - "MMM d HH:mm:ss", - "MMM dd HH:mm:ss", - "MMM d HH:mm:ss", - "ISO8601" - ], - "timezone": "{{ event.timezone }}", - "on_failure": [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] - } - }, - { - "remove": { - "field": "system.syslog.timestamp" - } - } - ], - "on_failure" : [{ - "set" : { - "field" : "error.message", - "value" : "{{ _ingest.on_failure_message }}" - } - }] -} 
diff --git a/packages/system/0.10.3/data_stream/syslog/elasticsearch/ingest_pipeline/default.yml b/packages/system/0.10.3/data_stream/syslog/elasticsearch/ingest_pipeline/default.yml deleted file mode 100644 index 0385fc138f..0000000000 --- a/packages/system/0.10.3/data_stream/syslog/elasticsearch/ingest_pipeline/default.yml +++ /dev/null @@ -1,58 +0,0 @@ ---- -description: Pipeline for parsing Syslog messages. -processors: -- grok: - field: message - patterns: - - '%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - %{GREEDYMULTILINE:system.syslog.message}' - - '%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{GREEDYMULTILINE:system.syslog.message}' - - '%{TIMESTAMP_ISO8601:system.syslog.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - %{GREEDYMULTILINE:system.syslog.message}' - pattern_definitions: - GREEDYMULTILINE: |- - (.| - )* - ignore_missing: true -- remove: - field: message -- rename: - field: system.syslog.message - target_field: message - ignore_missing: true -- date: - if: ctx.event.timezone == null - field: system.syslog.timestamp - target_field: '@timestamp' - formats: - - MMM d HH:mm:ss - - MMM dd HH:mm:ss - - MMM d HH:mm:ss - - ISO8601 - on_failure: - - append: - field: error.message - value: '{{ _ingest.on_failure_message }}' -- date: - if: ctx.event.timezone != null - field: system.syslog.timestamp - target_field: '@timestamp' - formats: - - MMM d HH:mm:ss - - MMM dd HH:mm:ss - - MMM d HH:mm:ss - - ISO8601 - timezone: '{{ event.timezone }}' - on_failure: - - append: - field: error.message - value: '{{ _ingest.on_failure_message }}' -- remove: - field: system.syslog.timestamp -- set: - field: event.type - value: event -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' 
diff --git a/packages/system/0.10.3/data_stream/syslog/fields/agent.yml b/packages/system/0.10.3/data_stream/syslog/fields/agent.yml deleted file mode 100644 index da4e652c53..0000000000 --- a/packages/system/0.10.3/data_stream/syslog/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.10.3/data_stream/syslog/fields/base-fields.yml b/packages/system/0.10.3/data_stream/syslog/fields/base-fields.yml deleted file mode 100644 index 7c798f4534..0000000000 --- a/packages/system/0.10.3/data_stream/syslog/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.10.3/data_stream/syslog/fields/ecs.yml b/packages/system/0.10.3/data_stream/syslog/fields/ecs.yml deleted file mode 100644 index 6177e5856f..0000000000 --- a/packages/system/0.10.3/data_stream/syslog/fields/ecs.yml +++ /dev/null 
@@ -1,97 +0,0 @@ -- name: '@timestamp' - level: core - required: true - type: date - description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. -- name: message - level: core - type: text - description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. -- name: process - title: Process - group: 2 - type: group - fields: - - name: name - level: extended - type: keyword - description: |- - Process name. - Sometimes called program name or similar. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - - name: pid - level: core - type: long - format: string - description: Process id. -- description: "Operating system architecture." - ignore_above: 1024 - name: host.architecture - type: keyword -- description: "Name of the directory the group is a member of." - ignore_above: 1024 - name: host.domain - type: keyword -- description: "Hostname of the host." - ignore_above: 1024 - name: host.hostname - type: keyword -- description: "Unique host id." - ignore_above: 1024 - name: host.id - type: keyword -- description: "Host ip addresses." - name: host.ip - type: ip -- description: "Host mac addresses." - ignore_above: 1024 - name: host.mac - type: keyword -- description: "Name of the host." - ignore_above: 1024 - name: host.name - type: keyword -- description: "OS family (such as redhat, debian, freebsd, windows)." 
- ignore_above: 1024 - name: host.os.family - type: keyword -- description: "Operating system name, including the version or code name." - ignore_above: 1024 - multi_fields: - - name: text - norms: false - type: text - name: host.os.full - type: keyword -- description: "Operating system kernel version as a raw string." - ignore_above: 1024 - name: host.os.kernel - type: keyword -- description: "Operating system name, without the version." - ignore_above: 1024 - multi_fields: - - name: text - norms: false - type: text - name: host.os.name - type: keyword -- description: "Operating system platform (such centos, ubuntu, windows)." - ignore_above: 1024 - name: host.os.platform - type: keyword -- description: "Operating system version as a raw string." - ignore_above: 1024 - name: version - type: keyword diff --git a/packages/system/0.10.3/data_stream/syslog/fields/fields.yml b/packages/system/0.10.3/data_stream/syslog/fields/fields.yml deleted file mode 100644 index f933686930..0000000000 --- a/packages/system/0.10.3/data_stream/syslog/fields/fields.yml +++ /dev/null @@ -1,2 +0,0 @@ -- name: system.syslog - type: group diff --git a/packages/system/0.10.3/data_stream/syslog/manifest.yml b/packages/system/0.10.3/data_stream/syslog/manifest.yml deleted file mode 100644 index 1aa1fe9412..0000000000 --- a/packages/system/0.10.3/data_stream/syslog/manifest.yml +++ /dev/null @@ -1,18 +0,0 @@ -title: System syslog logs -release: experimental -type: logs -streams: - - input: logfile - vars: - - name: paths - type: text - title: Paths - multi: true - required: true - show_user: true - default: - - /var/log/messages* - - /var/log/syslog* - template_path: log.yml.hbs - title: System syslog logs (log) - description: Collect System syslog logs using log input diff --git a/packages/system/0.10.3/data_stream/system/agent/stream/winlog.yml.hbs b/packages/system/0.10.3/data_stream/system/agent/stream/winlog.yml.hbs deleted file mode 100644 index 47df93c51d..0000000000 
--- a/packages/system/0.10.3/data_stream/system/agent/stream/winlog.yml.hbs +++ /dev/null @@ -1,2 +0,0 @@ -name: System -condition: ${host.platform} == 'windows' \ No newline at end of file diff --git a/packages/system/0.10.3/data_stream/system/elasticsearch/ingest_pipeline/default.yml b/packages/system/0.10.3/data_stream/system/elasticsearch/ingest_pipeline/default.yml deleted file mode 100644 index 9f7e885a2f..0000000000 --- a/packages/system/0.10.3/data_stream/system/elasticsearch/ingest_pipeline/default.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -description: Pipeline for Windows System Event Logs -processors: - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' -on_failure: - - set: - field: "error.message" - value: "{{ _ingest.on_failure_message }}" \ No newline at end of file diff --git a/packages/system/0.10.3/data_stream/system/fields/agent.yml b/packages/system/0.10.3/data_stream/system/fields/agent.yml deleted file mode 100644 index da4e652c53..0000000000 --- a/packages/system/0.10.3/data_stream/system/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.10.3/data_stream/system/fields/base-fields.yml b/packages/system/0.10.3/data_stream/system/fields/base-fields.yml deleted file mode 100644 index 7c798f4534..0000000000 --- a/packages/system/0.10.3/data_stream/system/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.10.3/data_stream/system/fields/ecs.yml b/packages/system/0.10.3/data_stream/system/fields/ecs.yml deleted file mode 100644 index e1817f5ca6..0000000000 --- a/packages/system/0.10.3/data_stream/system/fields/ecs.yml +++ /dev/null @@ -1,16 +0,0 @@ -- description: Time when the event was first read by an agent or by your pipeline. - example: '2016-05-23T08:05:34.857Z' - name: event.created - type: date -- description: Timestamp when an event arrived in the central data store. - example: '2016-05-23T08:05:35.101Z' - name: event.ingested - type: date -- description: Raw text message of entire event. - example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 - ignore_above: 1024 - name: event.original - type: keyword -- description: Error message. - name: error.message - type: text diff --git a/packages/system/0.10.3/data_stream/system/fields/winlog.yml b/packages/system/0.10.3/data_stream/system/fields/winlog.yml deleted file mode 100644 index adca1bbdd0..0000000000 --- a/packages/system/0.10.3/data_stream/system/fields/winlog.yml +++ /dev/null 
@@ -1,357 +0,0 @@ -- name: winlog - type: group - description: > - All fields specific to the Windows Event Log are defined here. - - fields: - - name: api - required: true - type: keyword - description: > - The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. - - - name: activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. - - - name: computer_name - type: keyword - required: true - description: > - The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. - - - name: event_data - type: object - object_type: keyword - required: false - description: > - The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. - - - name: event_data - type: group - description: > - This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs. 
- - fields: - - name: AuthenticationPackageName - type: keyword - - name: Binary - type: keyword - - name: BitlockerUserInputTime - type: keyword - - name: BootMode - type: keyword - - name: BootType - type: keyword - - name: BuildVersion - type: keyword - - name: Company - type: keyword - - name: CorruptionActionState - type: keyword - - name: CreationUtcTime - type: keyword - - name: Description - type: keyword - - name: Detail - type: keyword - - name: DeviceName - type: keyword - - name: DeviceNameLength - type: keyword - - name: DeviceTime - type: keyword - - name: DeviceVersionMajor - type: keyword - - name: DeviceVersionMinor - type: keyword - - name: DriveName - type: keyword - - name: DriverName - type: keyword - - name: DriverNameLength - type: keyword - - name: DwordVal - type: keyword - - name: EntryCount - type: keyword - - name: ExtraInfo - type: keyword - - name: FailureName - type: keyword - - name: FailureNameLength - type: keyword - - name: FileVersion - type: keyword - - name: FinalStatus - type: keyword - - name: Group - type: keyword - - name: IdleImplementation - type: keyword - - name: IdleStateCount - type: keyword - - name: ImpersonationLevel - type: keyword - - name: IntegrityLevel - type: keyword - - name: IpAddress - type: keyword - - name: IpPort - type: keyword - - name: KeyLength - type: keyword - - name: LastBootGood - type: keyword - - name: LastShutdownGood - type: keyword - - name: LmPackageName - type: keyword - - name: LogonGuid - type: keyword - - name: LogonId - type: keyword - - name: LogonProcessName - type: keyword - - name: LogonType - type: keyword - - name: MajorVersion - type: keyword - - name: MaximumPerformancePercent - type: keyword - - name: MemberName - type: keyword - - name: MemberSid - type: keyword - - name: MinimumPerformancePercent - type: keyword - - name: MinimumThrottlePercent - type: keyword - - name: MinorVersion - type: keyword - - name: NewProcessId - type: keyword - - name: NewProcessName - type: 
keyword - - name: NewSchemeGuid - type: keyword - - name: NewTime - type: keyword - - name: NominalFrequency - type: keyword - - name: Number - type: keyword - - name: OldSchemeGuid - type: keyword - - name: OldTime - type: keyword - - name: OriginalFileName - type: keyword - - name: Path - type: keyword - - name: PerformanceImplementation - type: keyword - - name: PreviousCreationUtcTime - type: keyword - - name: PreviousTime - type: keyword - - name: PrivilegeList - type: keyword - - name: ProcessId - type: keyword - - name: ProcessName - type: keyword - - name: ProcessPath - type: keyword - - name: ProcessPid - type: keyword - - name: Product - type: keyword - - name: PuaCount - type: keyword - - name: PuaPolicyId - type: keyword - - name: QfeVersion - type: keyword - - name: Reason - type: keyword - - name: SchemaVersion - type: keyword - - name: ScriptBlockText - type: keyword - - name: ServiceName - type: keyword - - name: ServiceVersion - type: keyword - - name: ShutdownActionType - type: keyword - - name: ShutdownEventCode - type: keyword - - name: ShutdownReason - type: keyword - - name: Signature - type: keyword - - name: SignatureStatus - type: keyword - - name: Signed - type: keyword - - name: StartTime - type: keyword - - name: State - type: keyword - - name: Status - type: keyword - - name: StopTime - type: keyword - - name: SubjectDomainName - type: keyword - - name: SubjectLogonId - type: keyword - - name: SubjectUserName - type: keyword - - name: SubjectUserSid - type: keyword - - name: TSId - type: keyword - - name: TargetDomainName - type: keyword - - name: TargetInfo - type: keyword - - name: TargetLogonGuid - type: keyword - - name: TargetLogonId - type: keyword - - name: TargetServerName - type: keyword - - name: TargetUserName - type: keyword - - name: TargetUserSid - type: keyword - - name: TerminalSessionId - type: keyword - - name: TokenElevationType - type: keyword - - name: TransmittedServices - type: keyword - - name: UserSid - type: 
keyword - - name: Version - type: keyword - - name: Workstation - type: keyword - - name: param1 - type: keyword - - name: param2 - type: keyword - - name: param3 - type: keyword - - name: param4 - type: keyword - - name: param5 - type: keyword - - name: param6 - type: keyword - - name: param7 - type: keyword - - name: param8 - type: keyword - - name: event_id - type: keyword - required: true - description: > - The event identifier. The value is specific to the source of the event. - - - name: keywords - type: keyword - required: false - description: > - The keywords are used to classify an event. - - - name: channel - type: keyword - required: true - description: > - The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. - - - name: record_id - type: keyword - required: true - description: > - The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. - - - name: related_activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. - - - name: opcode - type: keyword - required: false - description: > - The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. - - - name: provider_guid - type: keyword - required: false - description: > - A globally unique identifier that identifies the provider that logged the event. - - - name: process.pid - type: long - required: false - description: > - The process_id of the Client Server Runtime Process. 
- - - name: provider_name - type: keyword - required: true - description: > - The source of the event log record (the application or service that logged the record). - - - name: task - type: keyword - required: false - description: > - The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. - - - name: process.thread.id - type: long - required: false - - name: user_data - type: object - object_type: keyword - required: false - description: > - The event specific data. This field is mutually exclusive with `event_data`. - - - name: user.identifier - type: keyword - required: false - example: S-1-5-21-3541430928-2051711210-1391384369-1001 - description: > - The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. - - - name: user.name - type: keyword - description: > - Name of the user associated with this event. - - - name: user.domain - type: keyword - required: false - description: > - The domain that the account associated with this event is a member of. - - - name: user.type - type: keyword - required: false - description: > - The type of account associated with this event. - - - name: version - type: long - required: false - description: The version number of the event's definition. diff --git a/packages/system/0.10.3/data_stream/system/manifest.yml b/packages/system/0.10.3/data_stream/system/manifest.yml deleted file mode 100644 index e9bec4fd1e..0000000000 --- a/packages/system/0.10.3/data_stream/system/manifest.yml +++ /dev/null 
@@ -1,8 +0,0 @@ -type: logs -title: Windows System Events -release: experimental -streams: - - input: winlog - template_path: winlog.yml.hbs - title: System - description: 'Collect Windows system logs' diff --git a/packages/system/0.10.3/data_stream/uptime/agent/stream/stream.yml.hbs b/packages/system/0.10.3/data_stream/uptime/agent/stream/stream.yml.hbs deleted file mode 100644 index 810f6a1f3e..0000000000 --- a/packages/system/0.10.3/data_stream/uptime/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,2 +0,0 @@ -metricsets: ["uptime"] -period: {{period}} \ No newline at end of file diff --git a/packages/system/0.10.3/data_stream/uptime/fields/agent.yml b/packages/system/0.10.3/data_stream/uptime/fields/agent.yml deleted file mode 100644 index da4e652c53..0000000000 --- a/packages/system/0.10.3/data_stream/uptime/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/system/0.10.3/data_stream/uptime/fields/base-fields.yml b/packages/system/0.10.3/data_stream/uptime/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.10.3/data_stream/uptime/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.10.3/data_stream/uptime/fields/fields.yml b/packages/system/0.10.3/data_stream/uptime/fields/fields.yml
deleted file mode 100644
index 7c61a13721..0000000000
--- a/packages/system/0.10.3/data_stream/uptime/fields/fields.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-- name: system.uptime
- type: group
- fields:
- - name: duration.ms
- type: long
- format: duration
- unit: ms
- metric_type: counter
- description: |
- The OS uptime in milliseconds.
diff --git a/packages/system/0.10.3/data_stream/uptime/manifest.yml b/packages/system/0.10.3/data_stream/uptime/manifest.yml
deleted file mode 100644
index d1fc1f1579..0000000000
--- a/packages/system/0.10.3/data_stream/uptime/manifest.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-title: System uptime metrics
-release: experimental
-type: metrics
-streams:
- - input: system/metrics
- vars:
- - name: period
- type: text
- title: Period
- multi: false
- required: true
- show_user: true
- default: 10s
- title: System uptime metrics
- description: Collect System uptime metrics
diff --git a/packages/system/0.10.3/docs/README.md b/packages/system/0.10.3/docs/README.md
deleted file mode 100644
index 088e7c9ce7..0000000000
--- a/packages/system/0.10.3/docs/README.md
+++ /dev/null
@@ -1,1500 +0,0 @@ -# System Integration - -The System integrations allows you to monitor your servers. Because the System integration -always applies to the local server, the `hosts` config option is not needed. - -The default datasets are `cpu`, `load`, `memory`, `network`, `process`, and -`process_summary`. If _all_ datasets are disabled -and the System module is still enabled, fleet uses the default datasets. - -Note that certain datasets may access `/proc` to gather process information, -and the resulting `ptrace_may_access()` call by the kernel to check for -permissions can be blocked by -[AppArmor and other LSM software](https://gitlab.com/apparmor/apparmor/wikis/TechnicalDoc_Proc_and_ptrace), even though the System module doesn't use `ptrace` directly. - -## Compatibility - -The System datasets collect different kinds of metric data, which may require dedicated permissions -to be fetched and which may vary across operating systems. - -## Metrics - -### Core - -The System `core` dataset provides usage statistics for each CPU core. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- OpenBSD -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. 
Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip address. | ip | -| host.mac | Host mac address. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. 
| keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. | keyword | -| system.core.id | CPU Core number. | keyword | -| system.core.idle.pct | The percentage of CPU time spent idle. | scaled_float | -| system.core.idle.ticks | The amount of CPU time spent idle. | long | -| system.core.iowait.pct | The percentage of CPU time spent in wait (on disk). | scaled_float | -| system.core.iowait.ticks | The amount of CPU time spent in wait (on disk). | long | -| system.core.irq.pct | The percentage of CPU time spent servicing and handling hardware interrupts. | scaled_float | -| system.core.irq.ticks | The amount of CPU time spent servicing and handling hardware interrupts. | long | -| system.core.nice.pct | The percentage of CPU time spent on low-priority processes. | scaled_float | -| system.core.nice.ticks | The amount of CPU time spent on low-priority processes. | long | -| system.core.softirq.pct | The percentage of CPU time spent servicing and handling software interrupts. | scaled_float | -| system.core.softirq.ticks | The amount of CPU time spent servicing and handling software interrupts. | long | -| system.core.steal.pct | The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | scaled_float | -| system.core.steal.ticks | The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | long | -| system.core.system.pct | The percentage of CPU time spent in kernel space. | scaled_float | -| system.core.system.ticks | The amount of CPU time spent in kernel space. | long | -| system.core.user.pct | The percentage of CPU time spent in user space. | scaled_float | -| system.core.user.ticks | The amount of CPU time spent in user space. 
| long | - - -### CPU - -The System `cpu` dataset provides CPU statistics. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- OpenBSD -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.cpu.pct | Percent CPU used. This value is normalized by the number of CPU cores and it ranges from 0 to 1. | scaled_float | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. 
For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| system.cpu.cores | The number of CPU cores present on the host. The non-normalized percentages will have a maximum value of `100% * cores`. The normalized percentages already take this value into account and have a maximum value of 100%. | long | -| system.cpu.idle.norm.pct | The percentage of CPU time spent idle. | scaled_float | -| system.cpu.idle.pct | The percentage of CPU time spent idle. | scaled_float | -| system.cpu.idle.ticks | The amount of CPU time spent idle. 
| long | -| system.cpu.iowait.norm.pct | The percentage of CPU time spent in wait (on disk). | scaled_float | -| system.cpu.iowait.pct | The percentage of CPU time spent in wait (on disk). | scaled_float | -| system.cpu.iowait.ticks | The amount of CPU time spent in wait (on disk). | long | -| system.cpu.irq.norm.pct | The percentage of CPU time spent servicing and handling hardware interrupts. | scaled_float | -| system.cpu.irq.pct | The percentage of CPU time spent servicing and handling hardware interrupts. | scaled_float | -| system.cpu.irq.ticks | The amount of CPU time spent servicing and handling hardware interrupts. | long | -| system.cpu.nice.norm.pct | The percentage of CPU time spent on low-priority processes. | scaled_float | -| system.cpu.nice.pct | The percentage of CPU time spent on low-priority processes. | scaled_float | -| system.cpu.nice.ticks | The amount of CPU time spent on low-priority processes. | long | -| system.cpu.softirq.norm.pct | The percentage of CPU time spent servicing and handling software interrupts. | scaled_float | -| system.cpu.softirq.pct | The percentage of CPU time spent servicing and handling software interrupts. | scaled_float | -| system.cpu.softirq.ticks | The amount of CPU time spent servicing and handling software interrupts. | long | -| system.cpu.steal.norm.pct | The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | scaled_float | -| system.cpu.steal.pct | The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | scaled_float | -| system.cpu.steal.ticks | The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | long | -| system.cpu.system.norm.pct | The percentage of CPU time spent in kernel space. 
| scaled_float | -| system.cpu.system.pct | The percentage of CPU time spent in kernel space. | scaled_float | -| system.cpu.system.ticks | The amount of CPU time spent in kernel space. | long | -| system.cpu.total.norm.pct | The percentage of CPU time in states other than Idle and IOWait, normalised by the number of cores. | scaled_float | -| system.cpu.total.pct | The percentage of CPU time spent in states other than Idle and IOWait. | scaled_float | -| system.cpu.user.norm.pct | The percentage of CPU time spent in user space. | scaled_float | -| system.cpu.user.pct | The percentage of CPU time spent in user space. On multi-core systems, you can have percentages that are greater than 100%. For example, if 3 cores are at 60% use, then the `system.cpu.user.pct` will be 180%. | scaled_float | -| system.cpu.user.ticks | The amount of CPU time spent in user space. | long | - - -### Disk IO - -The System `diskio` dataset provides disk IO metrics collected from the -operating system. One event is created for each disk mounted on the system. - -This dataset is available on: - -- Linux -- macOS (requires 10.10+) -- Windows -- FreeBSD (amd64) - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. 
Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.disk.read.bytes | The total number of bytes read successfully in a given period of time. | scaled_float | -| host.disk.write.bytes | The total number of bytes write successfully in a given period of time. | scaled_float | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). 
| keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. | keyword | -| system.diskio.io.time | The total number of of milliseconds spent doing I/Os. | long | -| system.diskio.iostat.await | The average time spent for requests issued to the device to be served. | float | -| system.diskio.iostat.busy | Percentage of CPU time during which I/O requests were issued to the device (bandwidth utilization for the device). Device saturation occurs when this value is close to 100%. | float | -| system.diskio.iostat.queue.avg_size | The average queue length of the requests that were issued to the device. | float | -| system.diskio.iostat.read.await | The average time spent for read requests issued to the device to be served. | float | -| system.diskio.iostat.read.per_sec.bytes | The number of Bytes read from the device per second. | float | -| system.diskio.iostat.read.request.merges_per_sec | The number of read requests merged per second that were queued to the device. | float | -| system.diskio.iostat.read.request.per_sec | The number of read requests that were issued to the device per second | float | -| system.diskio.iostat.request.avg_size | The average size (in bytes) of the requests that were issued to the device. | float | -| system.diskio.iostat.service_time | The average service time (in milliseconds) for I/O requests that were issued to the device. | float | -| system.diskio.iostat.write.await | The average time spent for write requests issued to the device to be served. 
| float | -| system.diskio.iostat.write.per_sec.bytes | The number of Bytes write from the device per second. | float | -| system.diskio.iostat.write.request.merges_per_sec | The number of write requests merged per second that were queued to the device. | float | -| system.diskio.iostat.write.request.per_sec | The number of write requests that were issued to the device per second | float | -| system.diskio.name | The disk name. | keyword | -| system.diskio.read.bytes | The total number of bytes read successfully. On Linux this is the number of sectors read multiplied by an assumed sector size of 512. | long | -| system.diskio.read.count | The total number of reads completed successfully. | long | -| system.diskio.read.time | The total number of milliseconds spent by all reads. | long | -| system.diskio.serial_number | The disk's serial number. This may not be provided by all operating systems. | keyword | -| system.diskio.write.bytes | The total number of bytes written successfully. On Linux this is the number of sectors written multiplied by an assumed sector size of 512. | long | -| system.diskio.write.count | The total number of writes completed successfully. | long | -| system.diskio.write.time | The total number of milliseconds spent by all writes. | long | - - -### Filesystem - -The System `filesystem` dataset provides file system statistics. For each file -system, one document is provided. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- OpenBSD -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. 
| keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. 
| keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| system.filesystem.available | The disk space available to an unprivileged user in bytes. | long |
-| system.filesystem.device_name | The disk name. For example: `/dev/disk1` | keyword |
-| system.filesystem.files | The total number of file nodes in the file system. | long |
-| system.filesystem.free | The disk space available in bytes. | long |
-| system.filesystem.free_files | The number of free file nodes in the file system. | long |
-| system.filesystem.mount_point | The mounting point. For example: `/` | keyword |
-| system.filesystem.total | The total disk space in bytes. | long |
-| system.filesystem.type | The disk type. For example: `ext4` | keyword |
-| system.filesystem.used.bytes | The used disk space in bytes. | long |
-| system.filesystem.used.pct | The percentage of used disk space. | scaled_float |
-
-
-### Fsstat
-
-The System `fsstat` dataset provides overall file system statistics.
-
-This dataset is available on:
-
-- FreeBSD
-- Linux
-- macOS
-- OpenBSD
-- Windows
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.full | Operating system name, including the version or code name. | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. | keyword |
-| system.fsstat.count | Number of file systems found. | long |
-| system.fsstat.total_files | Total number of files. | long |
-| system.fsstat.total_size.free | Total free space. | long |
-| system.fsstat.total_size.total | Total space (used plus free). | long |
-| system.fsstat.total_size.used | Total used space. | long |
-
-
-### Load
-
-The System `load` dataset provides load statistics.
-
-This dataset is available on:
-
-- FreeBSD
-- Linux
-- macOS
-- OpenBSD
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac address. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.full | Operating system name, including the version or code name. | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. | keyword |
-| system.load.1 | Load average for the last minute. | scaled_float |
-| system.load.15 | Load average for the last 15 minutes. | scaled_float |
-| system.load.5 | Load average for the last 5 minutes. | scaled_float |
-| system.load.cores | The number of CPU cores present on the host. | long |
-| system.load.norm.1 | Load for the last minute divided by the number of cores. | scaled_float |
-| system.load.norm.15 | Load for the last 15 minutes divided by the number of cores. | scaled_float |
-| system.load.norm.5 | Load for the last 5 minutes divided by the number of cores. | scaled_float |
-
-
-### Memory
-
-The System `memory` dataset provides memory statistics.
-
-This dataset is available on:
-
-- FreeBSD
-- Linux
-- macOS
-- OpenBSD
-- Windows
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip address. | ip |
-| host.mac | Host mac address. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.full | Operating system name, including the version or code name. | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| system.memory.actual.free | Actual free memory in bytes. It is calculated based on the OS. On Linux this value will be MemAvailable from /proc/meminfo, or calculated from free memory plus caches and buffers if /proc/meminfo is not available. On OSX it is a sum of free memory and the inactive memory. On Windows, it is equal to `system.memory.free`. | long |
-| system.memory.actual.used.bytes | Actual used memory in bytes. It represents the difference between the total and the available memory. The available memory depends on the OS. For more details, please check `system.actual.free`. | long |
-| system.memory.actual.used.pct | The percentage of actual used memory. | scaled_float |
-| system.memory.free | The total amount of free memory in bytes. This value does not include memory consumed by system caches and buffers (see system.memory.actual.free). | long |
-| system.memory.hugepages.default_size | Default size for huge pages. | long |
-| system.memory.hugepages.free | Number of available huge pages in the pool. | long |
-| system.memory.hugepages.reserved | Number of reserved but not allocated huge pages in the pool. | long |
-| system.memory.hugepages.surplus | Number of overcommited huge pages. | long |
-| system.memory.hugepages.swap.out.fallback | Count of huge pages that must be split before swapout | long |
-| system.memory.hugepages.swap.out.pages | pages swapped out | long |
-| system.memory.hugepages.total | Number of huge pages in the pool. | long |
-| system.memory.hugepages.used.bytes | Memory used in allocated huge pages. | long |
-| system.memory.hugepages.used.pct | Percentage of huge pages used. | long |
-| system.memory.page_stats.direct_efficiency.pct | direct reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory. | scaled_float |
-| system.memory.page_stats.kswapd_efficiency.pct | kswapd reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory. | scaled_float |
-| system.memory.page_stats.pgfree.pages | pages freed by the system | long |
-| system.memory.page_stats.pgscan_direct.pages | pages scanned directly | long |
-| system.memory.page_stats.pgscan_kswapd.pages | pages scanned by kswapd | long |
-| system.memory.page_stats.pgsteal_direct.pages | number of pages reclaimed directly | long |
-| system.memory.page_stats.pgsteal_kswapd.pages | number of pages reclaimed by kswapd | long |
-| system.memory.swap.free | Available swap memory. | long |
-| system.memory.swap.in.pages | count of pages swapped in | long |
-| system.memory.swap.out.pages | count of pages swapped out | long |
-| system.memory.swap.readahead.cached | swap readahead cache hits | long |
-| system.memory.swap.readahead.pages | swap readahead pages | long |
-| system.memory.swap.total | Total swap memory. | long |
-| system.memory.swap.used.bytes | Used swap memory. | long |
-| system.memory.swap.used.pct | The percentage of used swap memory. | scaled_float |
-| system.memory.total | Total memory. | long |
-| system.memory.used.bytes | Used memory. | long |
-| system.memory.used.pct | The percentage of used memory. | scaled_float |
-
-
-### Network
-
-The System `network` dataset provides network IO metrics collected from the
-operating system. One event is created for each network interface.
-
-This dataset is available on:
-
-- FreeBSD
-- Linux
-- macOS
-- Windows
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| group.id | Unique identifier for the group on the system/platform. | keyword |
-| group.name | Name of the group. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.network.in.bytes | The number of bytes received on all network interfaces by the host in a given period of time. | scaled_float |
-| host.network.in.packets | The number of packets received on all network interfaces by the host in a given period of time. | scaled_float |
-| host.network.out.bytes | The number of bytes sent out on all network interfaces by the host in a given period of time. | scaled_float |
-| host.network.out.packets | The number of packets sent out on all network interfaces by the host in a given period of time. | scaled_float |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text |
-| process.name | Process name. Sometimes called program name or similar. | keyword |
-| process.pid | Process id. | long |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| system.network.in.bytes | The number of bytes received. | long |
-| system.network.in.dropped | The number of incoming packets that were dropped. | long |
-| system.network.in.errors | The number of errors while receiving. | long |
-| system.network.in.packets | The number or packets received. | long |
-| system.network.name | The network interface name. | keyword |
-| system.network.out.bytes | The number of bytes sent. | long |
-| system.network.out.dropped | The number of outgoing packets that were dropped. This value is always 0 on Darwin and BSD because it is not reported by the operating system. | long |
-| system.network.out.errors | The number of errors while sending. | long |
-| system.network.out.packets | The number of packets sent. | long |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-
-
-### Process
-
-The System `process` dataset provides process statistics. One document is
-provided for each process.
-
-This dataset is available on:
-
-- FreeBSD
-- Linux
-- macOS
-- Windows
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.full | Operating system name, including the version or code name. | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. | keyword |
-| process.name | Process name. Sometimes called program name or similar. | keyword |
-| process.pgid | Identifier of the group of processes the process belongs to. | long |
-| process.pid | Process id. | long |
-| process.ppid | Parent process' pid. | long |
-| process.working_directory | The working directory of the process. | keyword |
-| system.process.cgroup.blkio.id | ID of the cgroup. | keyword |
-| system.process.cgroup.blkio.path | Path to the cgroup relative to the cgroup subsystems mountpoint. | keyword |
-| system.process.cgroup.blkio.total.bytes | Total number of bytes transferred to and from all block devices by processes in the cgroup. | long |
-| system.process.cgroup.blkio.total.ios | Total number of I/O operations performed on all devices by processes in the cgroup as seen by the throttling policy. | long |
-| system.process.cgroup.cpu.cfs.period.us | Period of time in microseconds for how regularly a cgroup's access to CPU resources should be reallocated. | long |
-| system.process.cgroup.cpu.cfs.quota.us | Total amount of time in microseconds for which all tasks in a cgroup can run during one period (as defined by cfs.period.us). | long |
-| system.process.cgroup.cpu.cfs.shares | An integer value that specifies a relative share of CPU time available to the tasks in a cgroup. The value specified in the cpu.shares file must be 2 or higher. | long |
-| system.process.cgroup.cpu.id | ID of the cgroup. | keyword |
-| system.process.cgroup.cpu.path | Path to the cgroup relative to the cgroup subsystem's mountpoint. | keyword |
-| system.process.cgroup.cpu.rt.period.us | Period of time in microseconds for how regularly a cgroup's access to CPU resources is reallocated. | long |
-| system.process.cgroup.cpu.rt.runtime.us | Period of time in microseconds for the longest continuous period in which the tasks in a cgroup have access to CPU resources. | long |
-| system.process.cgroup.cpu.stats.periods | Number of period intervals (as specified in cpu.cfs.period.us) that have elapsed. | long |
-| system.process.cgroup.cpu.stats.throttled.ns | The total time duration (in nanoseconds) for which tasks in a cgroup have been throttled. | long |
-| system.process.cgroup.cpu.stats.throttled.periods | Number of times tasks in a cgroup have been throttled (that is, not allowed to run because they have exhausted all of the available time as specified by their quota). | long |
-| system.process.cgroup.cpuacct.id | ID of the cgroup. | keyword |
-| system.process.cgroup.cpuacct.path | Path to the cgroup relative to the cgroup subsystem's mountpoint. | keyword |
-| system.process.cgroup.cpuacct.percpu | CPU time (in nanoseconds) consumed on each CPU by all tasks in this cgroup. | object |
-| system.process.cgroup.cpuacct.stats.system.ns | CPU time consumed by tasks in user (kernel) mode. | long |
-| system.process.cgroup.cpuacct.stats.user.ns | CPU time consumed by tasks in user mode. | long |
-| system.process.cgroup.cpuacct.total.ns | Total CPU time in nanoseconds consumed by all tasks in the cgroup. | long |
-| system.process.cgroup.id | The ID common to all cgroups associated with this task. If there isn't a common ID used by all cgroups this field will be absent. | keyword |
-| system.process.cgroup.memory.id | ID of the cgroup. | keyword |
-| system.process.cgroup.memory.kmem.failures | The number of times that the memory limit (kmem.limit.bytes) was reached. | long |
-| system.process.cgroup.memory.kmem.limit.bytes | The maximum amount of kernel memory that tasks in the cgroup are allowed to use. | long |
-| system.process.cgroup.memory.kmem.usage.bytes | Total kernel memory usage by processes in the cgroup (in bytes). | long |
-| system.process.cgroup.memory.kmem.usage.max.bytes | The maximum kernel memory used by processes in the cgroup (in bytes). | long |
-| system.process.cgroup.memory.kmem_tcp.failures | The number of times that the memory limit (kmem_tcp.limit.bytes) was reached. | long |
-| system.process.cgroup.memory.kmem_tcp.limit.bytes | The maximum amount of memory for TCP buffers that tasks in the cgroup are allowed to use. | long |
-| system.process.cgroup.memory.kmem_tcp.usage.bytes | Total memory usage for TCP buffers in bytes. | long |
-| system.process.cgroup.memory.kmem_tcp.usage.max.bytes | The maximum memory used for TCP buffers by processes in the cgroup (in bytes). | long |
-| system.process.cgroup.memory.mem.failures | The number of times that the memory limit (mem.limit.bytes) was reached. | long |
-| system.process.cgroup.memory.mem.limit.bytes | The maximum amount of user memory in bytes (including file cache) that tasks in the cgroup are allowed to use. | long |
-| system.process.cgroup.memory.mem.usage.bytes | Total memory usage by processes in the cgroup (in bytes). | long |
-| system.process.cgroup.memory.mem.usage.max.bytes | The maximum memory used by processes in the cgroup (in bytes). | long |
-| system.process.cgroup.memory.memsw.failures | The number of times that the memory plus swap space limit (memsw.limit.bytes) was reached. | long |
-| system.process.cgroup.memory.memsw.limit.bytes | The maximum amount for the sum of memory and swap usage that tasks in the cgroup are allowed to use. | long |
-| system.process.cgroup.memory.memsw.usage.bytes | The sum of current memory usage plus swap space used by processes in the cgroup (in bytes). | long |
-| system.process.cgroup.memory.memsw.usage.max.bytes | The maximum amount of memory and swap space used by processes in the cgroup (in bytes). | long |
-| system.process.cgroup.memory.path | Path to the cgroup relative to the cgroup subsystem's mountpoint. | keyword |
-| system.process.cgroup.memory.stats.active_anon.bytes | Anonymous and swap cache on active least-recently-used (LRU) list, including tmpfs (shmem), in bytes. | long |
-| system.process.cgroup.memory.stats.active_file.bytes | File-backed memory on active LRU list, in bytes. | long |
-| system.process.cgroup.memory.stats.cache.bytes | Page cache, including tmpfs (shmem), in bytes. | long |
-| system.process.cgroup.memory.stats.hierarchical_memory_limit.bytes | Memory limit for the hierarchy that contains the memory cgroup, in bytes. | long |
-| system.process.cgroup.memory.stats.hierarchical_memsw_limit.bytes | Memory plus swap limit for the hierarchy that contains the memory cgroup, in bytes. | long |
-| system.process.cgroup.memory.stats.inactive_anon.bytes | Anonymous and swap cache on inactive LRU list, including tmpfs (shmem), in bytes | long |
-| system.process.cgroup.memory.stats.inactive_file.bytes | File-backed memory on inactive LRU list, in bytes. | long |
-| system.process.cgroup.memory.stats.major_page_faults | Number of times that a process in the cgroup triggered a major fault. "Major" faults happen when the kernel actually has to read the data from disk. | long |
-| system.process.cgroup.memory.stats.mapped_file.bytes | Size of memory-mapped mapped files, including tmpfs (shmem), in bytes. | long |
-| system.process.cgroup.memory.stats.page_faults | Number of times that a process in the cgroup triggered a page fault. | long |
-| system.process.cgroup.memory.stats.pages_in | Number of pages paged into memory. This is a counter. | long |
-| system.process.cgroup.memory.stats.pages_out | Number of pages paged out of memory. This is a counter. | long |
-| system.process.cgroup.memory.stats.rss.bytes | Anonymous and swap cache (includes transparent hugepages), not including tmpfs (shmem), in bytes. | long |
-| system.process.cgroup.memory.stats.rss_huge.bytes | Number of bytes of anonymous transparent hugepages. | long |
-| system.process.cgroup.memory.stats.swap.bytes | Swap usage, in bytes. | long |
-| system.process.cgroup.memory.stats.unevictable.bytes | Memory that cannot be reclaimed, in bytes. | long |
-| system.process.cgroup.path | The path to the cgroup relative to the cgroup subsystem's mountpoint. If there isn't a common path used by all cgroups this field will be absent. | keyword |
-| system.process.cmdline | The full command-line used to start the process, including the arguments separated by space. | keyword |
-| system.process.cpu.start_time | The time when the process was started. | date |
-| system.process.cpu.system.ticks | The amount of CPU time the process spent in kernel space. | long |
-| system.process.cpu.total.norm.pct | The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 100%. | scaled_float |
-| system.process.cpu.total.pct | The percentage of CPU time spent by the process since the last update. Its value is similar to the %CPU value of the process displayed by the top command on Unix systems. | scaled_float |
-| system.process.cpu.total.ticks | The total CPU time spent by the process. | long |
-| system.process.cpu.total.value | The value of CPU usage since starting the process. | long |
-| system.process.cpu.user.ticks | The amount of CPU time the process spent in user space. | long |
-| system.process.env | The environment variables used to start the process. The data is available on FreeBSD, Linux, and OS X. | object |
-| system.process.fd.limit.hard | The hard limit on the number of file descriptors opened by the process. The hard limit can only be raised by root. | long |
-| system.process.fd.limit.soft | The soft limit on the number of file descriptors opened by the process. The soft limit can be changed by the process at any time. | long |
-| system.process.fd.open | The number of file descriptors open by the process. | long |
-| system.process.memory.rss.bytes | The Resident Set Size. The amount of memory the process occupied in main memory (RAM). On Windows this represents the current working set size, in bytes. | long |
-| system.process.memory.rss.pct | The percentage of memory the process occupied in main memory (RAM). | scaled_float |
-| system.process.memory.share | The shared memory the process uses. | long |
-| system.process.memory.size | The total virtual memory the process has. On Windows this represents the Commit Charge (the total amount of memory that the memory manager has committed for a running process) value in bytes for this process. | long |
-| system.process.state | The process state. For example: "running". | keyword |
-| user.name | Short name or login of the user. | keyword |
-
-
-### Process summary
-
-The `process_summary` dataset collects high level statistics about the running
-processes.
-
-This dataset is available on:
-
-- FreeBSD
-- Linux
-- macOS
-- Windows
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| group.id | Unique identifier for the group on the system/platform. | keyword |
-| group.name | Name of the group. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text |
-| process.name | Process name. Sometimes called program name or similar. | keyword |
-| process.pid | Process id. | long |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| system.process.summary.dead | Number of dead processes on this host. It's very unlikely that it will appear but in some special situations it may happen. | long |
-| system.process.summary.idle | Number of idle processes on this host. | long |
-| system.process.summary.running | Number of running processes on this host. | long |
-| system.process.summary.sleeping | Number of sleeping processes on this host. | long |
-| system.process.summary.stopped | Number of stopped processes on this host. | long |
-| system.process.summary.total | Total number of processes on this host. | long |
-| system.process.summary.unknown | Number of processes for which the state couldn't be retrieved or is unknown. | long |
-| system.process.summary.zombie | Number of zombie processes on this host. | long |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-
-
-### Socket summary
-
-The System `socket_summary` dataset provides the summary of open network
-sockets in the host system.
-
-It collects a summary of metrics with the count of existing TCP and UDP
-connections and the count of listening ports.
-
-This dataset is available on:
-
-- FreeBSD
-- Linux
-- macOS
-- Windows
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
| keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. 
| keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.pid | Process id. | long | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. 
| long | -| system.socket.summary.all.count | All open connections | integer | -| system.socket.summary.all.listening | All listening ports | integer | -| system.socket.summary.tcp.all.close_wait | Number of TCP connections in _close_wait_ state | integer | -| system.socket.summary.tcp.all.closing | Number of TCP connections in _closing_ state | integer | -| system.socket.summary.tcp.all.count | All open TCP connections | integer | -| system.socket.summary.tcp.all.established | Number of established TCP connections | integer | -| system.socket.summary.tcp.all.fin_wait1 | Number of TCP connections in _fin_wait1_ state | integer | -| system.socket.summary.tcp.all.fin_wait2 | Number of TCP connections in _fin_wait2_ state | integer | -| system.socket.summary.tcp.all.last_ack | Number of TCP connections in _last_ack_ state | integer | -| system.socket.summary.tcp.all.listening | All TCP listening ports | integer | -| system.socket.summary.tcp.all.orphan | A count of all orphaned tcp sockets. Only available on Linux. | integer | -| system.socket.summary.tcp.all.syn_recv | Number of TCP connections in _syn_recv_ state | integer | -| system.socket.summary.tcp.all.syn_sent | Number of TCP connections in _syn_sent_ state | integer | -| system.socket.summary.tcp.all.time_wait | Number of TCP connections in _time_wait_ state | integer | -| system.socket.summary.tcp.memory | Memory used by TCP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/tcp_mem. Only available on Linux. | integer | -| system.socket.summary.udp.all.count | All open UDP connections | integer | -| system.socket.summary.udp.memory | Memory used by UDP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/udp_mem. Only available on Linux. | integer | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. 
| keyword | - - -### Uptime - -The System `uptime` dataset provides the uptime of the host operating system. - -This dataset is available on: - -- Linux -- macOS -- OpenBSD -- FreeBSD -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. 
It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| system.uptime.duration.ms | The OS uptime in milliseconds. | long | - - -### Application - -The Windows `application` dataset provides events from the Windows -`Application` event log. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. 
| keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| error.message | Error message. | text | -| event.created | Time when the event was first read by an agent or by your pipeline. | date | -| event.ingested | Timestamp when an event arrived in the central data store. | date | -| event.original | Raw text message of entire event. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword | -| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword | -| winlog.channel | The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. | keyword | -| winlog.computer_name | The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. | keyword | -| winlog.event_data | The event-specific data. 
This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. | object | -| winlog.event_data.AuthenticationPackageName | | keyword | -| winlog.event_data.Binary | | keyword | -| winlog.event_data.BitlockerUserInputTime | | keyword | -| winlog.event_data.BootMode | | keyword | -| winlog.event_data.BootType | | keyword | -| winlog.event_data.BuildVersion | | keyword | -| winlog.event_data.Company | | keyword | -| winlog.event_data.CorruptionActionState | | keyword | -| winlog.event_data.CreationUtcTime | | keyword | -| winlog.event_data.Description | | keyword | -| winlog.event_data.Detail | | keyword | -| winlog.event_data.DeviceName | | keyword | -| winlog.event_data.DeviceNameLength | | keyword | -| winlog.event_data.DeviceTime | | keyword | -| winlog.event_data.DeviceVersionMajor | | keyword | -| winlog.event_data.DeviceVersionMinor | | keyword | -| winlog.event_data.DriveName | | keyword | -| winlog.event_data.DriverName | | keyword | -| winlog.event_data.DriverNameLength | | keyword | -| winlog.event_data.DwordVal | | keyword | -| winlog.event_data.EntryCount | | keyword | -| winlog.event_data.ExtraInfo | | keyword | -| winlog.event_data.FailureName | | keyword | -| winlog.event_data.FailureNameLength | | keyword | -| winlog.event_data.FileVersion | | keyword | -| winlog.event_data.FinalStatus | | keyword | -| winlog.event_data.Group | | keyword | -| winlog.event_data.IdleImplementation | | keyword | -| winlog.event_data.IdleStateCount | | keyword | -| winlog.event_data.ImpersonationLevel | | keyword | -| winlog.event_data.IntegrityLevel | | keyword | -| winlog.event_data.IpAddress | | keyword | -| winlog.event_data.IpPort | | keyword | -| winlog.event_data.KeyLength | | keyword | -| winlog.event_data.LastBootGood | | keyword | -| 
winlog.event_data.LastShutdownGood | | keyword | -| winlog.event_data.LmPackageName | | keyword | -| winlog.event_data.LogonGuid | | keyword | -| winlog.event_data.LogonId | | keyword | -| winlog.event_data.LogonProcessName | | keyword | -| winlog.event_data.LogonType | | keyword | -| winlog.event_data.MajorVersion | | keyword | -| winlog.event_data.MaximumPerformancePercent | | keyword | -| winlog.event_data.MemberName | | keyword | -| winlog.event_data.MemberSid | | keyword | -| winlog.event_data.MinimumPerformancePercent | | keyword | -| winlog.event_data.MinimumThrottlePercent | | keyword | -| winlog.event_data.MinorVersion | | keyword | -| winlog.event_data.NewProcessId | | keyword | -| winlog.event_data.NewProcessName | | keyword | -| winlog.event_data.NewSchemeGuid | | keyword | -| winlog.event_data.NewTime | | keyword | -| winlog.event_data.NominalFrequency | | keyword | -| winlog.event_data.Number | | keyword | -| winlog.event_data.OldSchemeGuid | | keyword | -| winlog.event_data.OldTime | | keyword | -| winlog.event_data.OriginalFileName | | keyword | -| winlog.event_data.Path | | keyword | -| winlog.event_data.PerformanceImplementation | | keyword | -| winlog.event_data.PreviousCreationUtcTime | | keyword | -| winlog.event_data.PreviousTime | | keyword | -| winlog.event_data.PrivilegeList | | keyword | -| winlog.event_data.ProcessId | | keyword | -| winlog.event_data.ProcessName | | keyword | -| winlog.event_data.ProcessPath | | keyword | -| winlog.event_data.ProcessPid | | keyword | -| winlog.event_data.Product | | keyword | -| winlog.event_data.PuaCount | | keyword | -| winlog.event_data.PuaPolicyId | | keyword | -| winlog.event_data.QfeVersion | | keyword | -| winlog.event_data.Reason | | keyword | -| winlog.event_data.SchemaVersion | | keyword | -| winlog.event_data.ScriptBlockText | | keyword | -| winlog.event_data.ServiceName | | keyword | -| winlog.event_data.ServiceVersion | | keyword | -| winlog.event_data.ShutdownActionType | | keyword | -| 
winlog.event_data.ShutdownEventCode | | keyword | -| winlog.event_data.ShutdownReason | | keyword | -| winlog.event_data.Signature | | keyword | -| winlog.event_data.SignatureStatus | | keyword | -| winlog.event_data.Signed | | keyword | -| winlog.event_data.StartTime | | keyword | -| winlog.event_data.State | | keyword | -| winlog.event_data.Status | | keyword | -| winlog.event_data.StopTime | | keyword | -| winlog.event_data.SubjectDomainName | | keyword | -| winlog.event_data.SubjectLogonId | | keyword | -| winlog.event_data.SubjectUserName | | keyword | -| winlog.event_data.SubjectUserSid | | keyword | -| winlog.event_data.TSId | | keyword | -| winlog.event_data.TargetDomainName | | keyword | -| winlog.event_data.TargetInfo | | keyword | -| winlog.event_data.TargetLogonGuid | | keyword | -| winlog.event_data.TargetLogonId | | keyword | -| winlog.event_data.TargetServerName | | keyword | -| winlog.event_data.TargetUserName | | keyword | -| winlog.event_data.TargetUserSid | | keyword | -| winlog.event_data.TerminalSessionId | | keyword | -| winlog.event_data.TokenElevationType | | keyword | -| winlog.event_data.TransmittedServices | | keyword | -| winlog.event_data.UserSid | | keyword | -| winlog.event_data.Version | | keyword | -| winlog.event_data.Workstation | | keyword | -| winlog.event_data.param1 | | keyword | -| winlog.event_data.param2 | | keyword | -| winlog.event_data.param3 | | keyword | -| winlog.event_data.param4 | | keyword | -| winlog.event_data.param5 | | keyword | -| winlog.event_data.param6 | | keyword | -| winlog.event_data.param7 | | keyword | -| winlog.event_data.param8 | | keyword | -| winlog.event_id | The event identifier. The value is specific to the source of the event. | keyword | -| winlog.keywords | The keywords are used to classify an event. | keyword | -| winlog.opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. 
| keyword | -| winlog.process.pid | The process_id of the Client Server Runtime Process. | long | -| winlog.process.thread.id | | long | -| winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. | keyword | -| winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword | -| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | keyword | -| winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. | keyword | -| winlog.task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. | keyword | -| winlog.user.domain | The domain that the account associated with this event is a member of. | keyword | -| winlog.user.identifier | The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. | keyword | -| winlog.user.name | Name of the user associated with this event. | keyword | -| winlog.user.type | The type of account associated with this event. | keyword | -| winlog.user_data | The event specific data. This field is mutually exclusive with `event_data`. 
| object | -| winlog.version | The version number of the event's definition. | long | - - -### System - -The Windows `system` dataset provides events from the Windows `System` -event log. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| error.message | Error message. | text | -| event.created | Time when the event was first read by an agent or by your pipeline. | date | -| event.ingested | Timestamp when an event arrived in the central data store. | date | -| event.original | Raw text message of entire event. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. 
| boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword | -| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. 
The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword | -| winlog.channel | The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. | keyword | -| winlog.computer_name | The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. | keyword | -| winlog.event_data | The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. | object | -| winlog.event_data.AuthenticationPackageName | | keyword | -| winlog.event_data.Binary | | keyword | -| winlog.event_data.BitlockerUserInputTime | | keyword | -| winlog.event_data.BootMode | | keyword | -| winlog.event_data.BootType | | keyword | -| winlog.event_data.BuildVersion | | keyword | -| winlog.event_data.Company | | keyword | -| winlog.event_data.CorruptionActionState | | keyword | -| winlog.event_data.CreationUtcTime | | keyword | -| winlog.event_data.Description | | keyword | -| winlog.event_data.Detail | | keyword | -| winlog.event_data.DeviceName | | keyword | -| winlog.event_data.DeviceNameLength | | keyword | -| winlog.event_data.DeviceTime | | keyword | -| winlog.event_data.DeviceVersionMajor | | keyword | -| winlog.event_data.DeviceVersionMinor | | keyword | -| winlog.event_data.DriveName | | keyword | -| winlog.event_data.DriverName | | keyword | -| winlog.event_data.DriverNameLength | | keyword | -| winlog.event_data.DwordVal | | keyword | -| 
winlog.event_data.EntryCount | | keyword | -| winlog.event_data.ExtraInfo | | keyword | -| winlog.event_data.FailureName | | keyword | -| winlog.event_data.FailureNameLength | | keyword | -| winlog.event_data.FileVersion | | keyword | -| winlog.event_data.FinalStatus | | keyword | -| winlog.event_data.Group | | keyword | -| winlog.event_data.IdleImplementation | | keyword | -| winlog.event_data.IdleStateCount | | keyword | -| winlog.event_data.ImpersonationLevel | | keyword | -| winlog.event_data.IntegrityLevel | | keyword | -| winlog.event_data.IpAddress | | keyword | -| winlog.event_data.IpPort | | keyword | -| winlog.event_data.KeyLength | | keyword | -| winlog.event_data.LastBootGood | | keyword | -| winlog.event_data.LastShutdownGood | | keyword | -| winlog.event_data.LmPackageName | | keyword | -| winlog.event_data.LogonGuid | | keyword | -| winlog.event_data.LogonId | | keyword | -| winlog.event_data.LogonProcessName | | keyword | -| winlog.event_data.LogonType | | keyword | -| winlog.event_data.MajorVersion | | keyword | -| winlog.event_data.MaximumPerformancePercent | | keyword | -| winlog.event_data.MemberName | | keyword | -| winlog.event_data.MemberSid | | keyword | -| winlog.event_data.MinimumPerformancePercent | | keyword | -| winlog.event_data.MinimumThrottlePercent | | keyword | -| winlog.event_data.MinorVersion | | keyword | -| winlog.event_data.NewProcessId | | keyword | -| winlog.event_data.NewProcessName | | keyword | -| winlog.event_data.NewSchemeGuid | | keyword | -| winlog.event_data.NewTime | | keyword | -| winlog.event_data.NominalFrequency | | keyword | -| winlog.event_data.Number | | keyword | -| winlog.event_data.OldSchemeGuid | | keyword | -| winlog.event_data.OldTime | | keyword | -| winlog.event_data.OriginalFileName | | keyword | -| winlog.event_data.Path | | keyword | -| winlog.event_data.PerformanceImplementation | | keyword | -| winlog.event_data.PreviousCreationUtcTime | | keyword | -| winlog.event_data.PreviousTime | | keyword | 
-| winlog.event_data.PrivilegeList | | keyword | -| winlog.event_data.ProcessId | | keyword | -| winlog.event_data.ProcessName | | keyword | -| winlog.event_data.ProcessPath | | keyword | -| winlog.event_data.ProcessPid | | keyword | -| winlog.event_data.Product | | keyword | -| winlog.event_data.PuaCount | | keyword | -| winlog.event_data.PuaPolicyId | | keyword | -| winlog.event_data.QfeVersion | | keyword | -| winlog.event_data.Reason | | keyword | -| winlog.event_data.SchemaVersion | | keyword | -| winlog.event_data.ScriptBlockText | | keyword | -| winlog.event_data.ServiceName | | keyword | -| winlog.event_data.ServiceVersion | | keyword | -| winlog.event_data.ShutdownActionType | | keyword | -| winlog.event_data.ShutdownEventCode | | keyword | -| winlog.event_data.ShutdownReason | | keyword | -| winlog.event_data.Signature | | keyword | -| winlog.event_data.SignatureStatus | | keyword | -| winlog.event_data.Signed | | keyword | -| winlog.event_data.StartTime | | keyword | -| winlog.event_data.State | | keyword | -| winlog.event_data.Status | | keyword | -| winlog.event_data.StopTime | | keyword | -| winlog.event_data.SubjectDomainName | | keyword | -| winlog.event_data.SubjectLogonId | | keyword | -| winlog.event_data.SubjectUserName | | keyword | -| winlog.event_data.SubjectUserSid | | keyword | -| winlog.event_data.TSId | | keyword | -| winlog.event_data.TargetDomainName | | keyword | -| winlog.event_data.TargetInfo | | keyword | -| winlog.event_data.TargetLogonGuid | | keyword | -| winlog.event_data.TargetLogonId | | keyword | -| winlog.event_data.TargetServerName | | keyword | -| winlog.event_data.TargetUserName | | keyword | -| winlog.event_data.TargetUserSid | | keyword | -| winlog.event_data.TerminalSessionId | | keyword | -| winlog.event_data.TokenElevationType | | keyword | -| winlog.event_data.TransmittedServices | | keyword | -| winlog.event_data.UserSid | | keyword | -| winlog.event_data.Version | | keyword | -| winlog.event_data.Workstation | | 
keyword | -| winlog.event_data.param1 | | keyword | -| winlog.event_data.param2 | | keyword | -| winlog.event_data.param3 | | keyword | -| winlog.event_data.param4 | | keyword | -| winlog.event_data.param5 | | keyword | -| winlog.event_data.param6 | | keyword | -| winlog.event_data.param7 | | keyword | -| winlog.event_data.param8 | | keyword | -| winlog.event_id | The event identifier. The value is specific to the source of the event. | keyword | -| winlog.keywords | The keywords are used to classify an event. | keyword | -| winlog.opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. | keyword | -| winlog.process.pid | The process_id of the Client Server Runtime Process. | long | -| winlog.process.thread.id | | long | -| winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. | keyword | -| winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword | -| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | keyword | -| winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. | keyword | -| winlog.task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. 
| keyword | -| winlog.user.domain | The domain that the account associated with this event is a member of. | keyword | -| winlog.user.identifier | The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. | keyword | -| winlog.user.name | Name of the user associated with this event. | keyword | -| winlog.user.type | The type of account associated with this event. | keyword | -| winlog.user_data | The event specific data. This field is mutually exclusive with `event_data`. | object | -| winlog.version | The version number of the event's definition. | long | - - - -### Security - -The Windows `security` dataset provides events from the Windows -`Security` event log. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. 
| keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset name. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| dataset.name | Dataset name. | constant_keyword | -| dataset.namespace | Dataset namespace. | constant_keyword | -| dataset.type | Dataset type. | constant_keyword | -| error.message | Error message. | text | -| event.action | The action captured by the event. | keyword | -| event.category | Event category. The second categorization field in the hierarchy. | keyword | -| event.code | Identification code for this event. | keyword | -| event.created | Time when the event was first read by an agent or by your pipeline. | date | -| event.ingested | Timestamp when an event arrived in the central data store. | date | -| event.module | Name of the module this data is coming from. | keyword | -| event.outcome | The outcome of the event. The lowest level categorization field in the hierarchy. | keyword | -| event.type | Event type. The third categorization field in the hierarchy. | keyword | -| group.domain | Name of the directory the group is a member of. | keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. 
| keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| log.level | Log level of the log event. | keyword | -| process.command_line | Full command line that started the process. | keyword | -| process.executable | Absolute path to the process executable. | keyword | -| process.name | Process name. | keyword | -| process.parent.executable | Absolute path to the process executable. | keyword | -| process.pid | Process id. | long | -| related.user | All the user names seen on your event. | keyword | -| service.name | Name of the service. | keyword | -| service.type | The type of the service. | keyword | -| source.domain | Source domain. | keyword | -| source.ip | IP address of the source. | ip | -| source.port | Port of the source. | long | -| user.domain | Name of the directory the user is a member of. 
| keyword | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword | -| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword | -| winlog.channel | The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. | keyword | -| winlog.computer_name | The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. | keyword | -| winlog.event_data | The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. 
| object | -| winlog.event_data.AuthenticationPackageName | | keyword | -| winlog.event_data.Binary | | keyword | -| winlog.event_data.BitlockerUserInputTime | | keyword | -| winlog.event_data.BootMode | | keyword | -| winlog.event_data.BootType | | keyword | -| winlog.event_data.BuildVersion | | keyword | -| winlog.event_data.Company | | keyword | -| winlog.event_data.CorruptionActionState | | keyword | -| winlog.event_data.CreationUtcTime | | keyword | -| winlog.event_data.Description | | keyword | -| winlog.event_data.Detail | | keyword | -| winlog.event_data.DeviceName | | keyword | -| winlog.event_data.DeviceNameLength | | keyword | -| winlog.event_data.DeviceTime | | keyword | -| winlog.event_data.DeviceVersionMajor | | keyword | -| winlog.event_data.DeviceVersionMinor | | keyword | -| winlog.event_data.DriveName | | keyword | -| winlog.event_data.DriverName | | keyword | -| winlog.event_data.DriverNameLength | | keyword | -| winlog.event_data.DwordVal | | keyword | -| winlog.event_data.EntryCount | | keyword | -| winlog.event_data.ExtraInfo | | keyword | -| winlog.event_data.FailureName | | keyword | -| winlog.event_data.FailureNameLength | | keyword | -| winlog.event_data.FileVersion | | keyword | -| winlog.event_data.FinalStatus | | keyword | -| winlog.event_data.Group | | keyword | -| winlog.event_data.IdleImplementation | | keyword | -| winlog.event_data.IdleStateCount | | keyword | -| winlog.event_data.ImpersonationLevel | | keyword | -| winlog.event_data.IntegrityLevel | | keyword | -| winlog.event_data.IpAddress | | keyword | -| winlog.event_data.IpPort | | keyword | -| winlog.event_data.KeyLength | | keyword | -| winlog.event_data.LastBootGood | | keyword | -| winlog.event_data.LastShutdownGood | | keyword | -| winlog.event_data.LmPackageName | | keyword | -| winlog.event_data.LogonGuid | | keyword | -| winlog.event_data.LogonId | | keyword | -| winlog.event_data.LogonProcessName | | keyword | -| winlog.event_data.LogonType | | keyword | -| 
winlog.event_data.MajorVersion | | keyword | -| winlog.event_data.MaximumPerformancePercent | | keyword | -| winlog.event_data.MemberName | | keyword | -| winlog.event_data.MemberSid | | keyword | -| winlog.event_data.MinimumPerformancePercent | | keyword | -| winlog.event_data.MinimumThrottlePercent | | keyword | -| winlog.event_data.MinorVersion | | keyword | -| winlog.event_data.NewProcessId | | keyword | -| winlog.event_data.NewProcessName | | keyword | -| winlog.event_data.NewSchemeGuid | | keyword | -| winlog.event_data.NewTargetUserName | | keyword | -| winlog.event_data.NewTime | | keyword | -| winlog.event_data.NominalFrequency | | keyword | -| winlog.event_data.Number | | keyword | -| winlog.event_data.OldSchemeGuid | | keyword | -| winlog.event_data.OldTargetUserName | | keyword | -| winlog.event_data.OldTime | | keyword | -| winlog.event_data.OriginalFileName | | keyword | -| winlog.event_data.Path | | keyword | -| winlog.event_data.PerformanceImplementation | | keyword | -| winlog.event_data.PreviousCreationUtcTime | | keyword | -| winlog.event_data.PreviousTime | | keyword | -| winlog.event_data.PrivilegeList | | keyword | -| winlog.event_data.ProcessId | | keyword | -| winlog.event_data.ProcessName | | keyword | -| winlog.event_data.ProcessPath | | keyword | -| winlog.event_data.ProcessPid | | keyword | -| winlog.event_data.Product | | keyword | -| winlog.event_data.PuaCount | | keyword | -| winlog.event_data.PuaPolicyId | | keyword | -| winlog.event_data.QfeVersion | | keyword | -| winlog.event_data.Reason | | keyword | -| winlog.event_data.SchemaVersion | | keyword | -| winlog.event_data.ScriptBlockText | | keyword | -| winlog.event_data.ServiceName | | keyword | -| winlog.event_data.ServiceVersion | | keyword | -| winlog.event_data.ShutdownActionType | | keyword | -| winlog.event_data.ShutdownEventCode | | keyword | -| winlog.event_data.ShutdownReason | | keyword | -| winlog.event_data.Signature | | keyword | -| winlog.event_data.SignatureStatus | 
| keyword | -| winlog.event_data.Signed | | keyword | -| winlog.event_data.StartTime | | keyword | -| winlog.event_data.State | | keyword | -| winlog.event_data.Status | | keyword | -| winlog.event_data.StopTime | | keyword | -| winlog.event_data.SubjectDomainName | | keyword | -| winlog.event_data.SubjectLogonId | | keyword | -| winlog.event_data.SubjectUserName | | keyword | -| winlog.event_data.SubjectUserSid | | keyword | -| winlog.event_data.TSId | | keyword | -| winlog.event_data.TargetDomainName | | keyword | -| winlog.event_data.TargetInfo | | keyword | -| winlog.event_data.TargetLogonGuid | | keyword | -| winlog.event_data.TargetLogonId | | keyword | -| winlog.event_data.TargetServerName | | keyword | -| winlog.event_data.TargetUserName | | keyword | -| winlog.event_data.TargetUserSid | | keyword | -| winlog.event_data.TerminalSessionId | | keyword | -| winlog.event_data.TokenElevationType | | keyword | -| winlog.event_data.TransmittedServices | | keyword | -| winlog.event_data.UserSid | | keyword | -| winlog.event_data.Version | | keyword | -| winlog.event_data.Workstation | | keyword | -| winlog.event_data.param1 | | keyword | -| winlog.event_data.param2 | | keyword | -| winlog.event_data.param3 | | keyword | -| winlog.event_data.param4 | | keyword | -| winlog.event_data.param5 | | keyword | -| winlog.event_data.param6 | | keyword | -| winlog.event_data.param7 | | keyword | -| winlog.event_data.param8 | | keyword | -| winlog.event_id | The event identifier. The value is specific to the source of the event. | keyword | -| winlog.keywords | The keywords are used to classify an event. | keyword | -| winlog.logon.failure.reason | The reason the logon failed. | keyword | -| winlog.logon.failure.status | The reason the logon failed. This is textual description based on the value of the hexadecimal `Status` field. | keyword | -| winlog.logon.failure.sub_status | Additional information about the logon failure. 
This is a textual description based on the value of the hexidecimal `SubStatus` field. | keyword | -| winlog.logon.id | Logon ID that can be used to associate this logon with other events related to the same logon session. | keyword | -| winlog.logon.type | Logon type name. This is the descriptive version of the `winlog.event_data.LogonType` ordinal. This is an enrichment added by the Security module. | keyword | -| winlog.opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. | keyword | -| winlog.process.pid | The process_id of the Client Server Runtime Process. | long | -| winlog.process.thread.id | | long | -| winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. | keyword | -| winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword | -| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | keyword | -| winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. | keyword | -| winlog.task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. | keyword | -| winlog.user.domain | The domain that the account associated with this event is a member of. 
| keyword |
-| winlog.user.identifier | The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. | keyword |
-| winlog.user.name | Name of the user associated with this event. | keyword |
-| winlog.user.type | The type of account associated with this event. | keyword |
-| winlog.user_data | The event specific data. This field is mutually exclusive with `event_data`. | object |
-| winlog.version | The version number of the event's definition. | long |
diff --git a/packages/system/0.10.3/img/kibana-system.png b/packages/system/0.10.3/img/kibana-system.png
deleted file mode 100644
index 8741a56624..0000000000
Binary files a/packages/system/0.10.3/img/kibana-system.png and /dev/null differ
diff --git a/packages/system/0.10.3/img/metricbeat_system_dashboard.png b/packages/system/0.10.3/img/metricbeat_system_dashboard.png
deleted file mode 100644
index 2ff6ad8bd0..0000000000
Binary files a/packages/system/0.10.3/img/metricbeat_system_dashboard.png and /dev/null differ
diff --git a/packages/system/0.10.3/img/system.svg b/packages/system/0.10.3/img/system.svg
deleted file mode 100644
index 0aba96275e..0000000000
--- a/packages/system/0.10.3/img/system.svg
+++ /dev/null
@@ -1 +0,0 @@
-
\ No newline at end of file
diff --git a/packages/system/0.10.3/kibana/dashboard/system-01c54730-fee6-11e9-8405-516218e3d268.json b/packages/system/0.10.3/kibana/dashboard/system-01c54730-fee6-11e9-8405-516218e3d268.json
deleted file mode 100644
index cfdfd09da8..0000000000
--- a/packages/system/0.10.3/kibana/dashboard/system-01c54730-fee6-11e9-8405-516218e3d268.json
+++ /dev/null
@@ -1,129 +0,0 @@ -{ - "attributes": { - "description": "Group management activity with TSVB metrics.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":8,\"i\":\"22\",\"w\":17,\"x\":0,\"y\":0},\"panelIndex\":\"22\",\"panelRefName\":\"panel_0\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Creation Summary [Windows Security]\"},\"gridData\":{\"h\":13,\"i\":\"36\",\"w\":9,\"x\":0,\"y\":59},\"panelIndex\":\"36\",\"panelRefName\":\"panel_1\",\"title\":\"Group Creation Summary [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Changes Summary [Windows Security]\"},\"gridData\":{\"h\":13,\"i\":\"37\",\"w\":9,\"x\":9,\"y\":59},\"panelIndex\":\"37\",\"panelRefName\":\"panel_2\",\"title\":\"Group Changes Summary [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Deletion Summary [Windows Security]\"},\"gridData\":{\"h\":13,\"i\":\"38\",\"w\":9,\"x\":18,\"y\":59},\"panelIndex\":\"38\",\"panelRefName\":\"panel_3\",\"title\":\"Group Deletion Summary [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Users Added to Group Summary [Windows Security]\"},\"gridData\":{\"h\":14,\"i\":\"39\",\"w\":16,\"x\":0,\"y\":81},\"panelIndex\":\"39\",\"panelRefName\":\"panel_4\",\"title\":\"Users Added to Group Summary [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Users Removed From Group Summary [Windows Security]\"},\"gridData\":{\"h\":14,\"i\":\"40\",\"w\":17,\"x\":16,\"y\":81},\"panelIndex\":\"40\",\"panelRefName\":\"panel_5\",\"title\":\"Users Removed From Group Summary [Windows 
Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Membership Enumeration Summary [Windows Security]\"},\"gridData\":{\"h\":14,\"i\":\"42\",\"w\":15,\"x\":33,\"y\":81},\"panelIndex\":\"42\",\"panelRefName\":\"panel_6\",\"title\":\"Group Membership Enumeration Summary [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Details [Windows Security]\"},\"gridData\":{\"h\":22,\"i\":\"43\",\"w\":21,\"x\":27,\"y\":50},\"panelIndex\":\"43\",\"panelRefName\":\"panel_7\",\"title\":\"Logon Details [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"44\",\"w\":16,\"x\":0,\"y\":72},\"panelIndex\":\"44\",\"panelRefName\":\"panel_8\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"45\",\"w\":9,\"x\":18,\"y\":50},\"panelIndex\":\"45\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"46\",\"w\":9,\"x\":0,\"y\":50},\"panelIndex\":\"46\",\"panelRefName\":\"panel_10\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"47\",\"w\":9,\"x\":9,\"y\":50},\"panelIndex\":\"47\",\"panelRefName\":\"panel_11\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"48\",\"w\":17,\"x\":16,\"y\":72},\"panelIndex\":\"48\",\"panelRefName\":\"panel_12\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"49\",\"w\":15,\"x\":33,\"y\":72},\"panelIndex\":\"49\",\"panelRefName\":\"panel_13\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"51\",\"w\":48,\"x\":0,\"y\":95},\"panelIndex\":\"51\",\"panelRefName\":\"panel_14\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":8,\"i\":\"45614e1c-b2bb-4243-9a74-a4bdd0124c87\",\"w\":31,\"x\":17,\"y\":0},\"panelIndex\":\"45614e1c-b2bb-4243-9a74-a4bdd0124c87\"
,\"panelRefName\":\"panel_15\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"88e75800-8125-4c9e-96b8-5c36f6e91664\",\"w\":9,\"x\":21,\"y\":8},\"panelIndex\":\"88e75800-8125-4c9e-96b8-5c36f6e91664\",\"panelRefName\":\"panel_16\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"4b793b8e-72d4-42a2-b377-1c70f0307414\",\"w\":18,\"x\":30,\"y\":8},\"panelIndex\":\"4b793b8e-72d4-42a2-b377-1c70f0307414\",\"panelRefName\":\"panel_17\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"vis\":null},\"gridData\":{\"h\":21,\"i\":\"82d229f9-44f4-4c4b-baf7-f9673a14c87f\",\"w\":26,\"x\":0,\"y\":29},\"panelIndex\":\"82d229f9-44f4-4c4b-baf7-f9673a14c87f\",\"panelRefName\":\"panel_18\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-group-account\":\"#1F78C1\",\"added-member-to-group\":\"#0A437C\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#0A50A1\",\"type-changed-group-account\":\"#82B5D8\",\"user-member-enumerated\":\"#2F575E\"},\"vis\":{\"colors\":{\"added-group-account\":\"#1F78C1\",\"added-member-to-group\":\"#0A437C\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#0A50A1\",\"removed-member-from-group\":\"#82B5D8\",\"type-changed-group-account\":\"#82B5D8\",\"user-member-enumerated\":\"#2F575E\"}}},\"gridData\":{\"h\":21,\"i\":\"f44255b0-d9a8-479f-be3f-829c1f6ed794\",\"w\":22,\"x\":26,\"y\":29},\"panelIndex\":\"f44255b0-d9a8-479f-be3f-829c1f6ed794\",\"panelRefName\":\"panel_19\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-group-account\":\"#0A50A1\",\"added-member-to-group\":\"#1F78C1\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#0A437C\",\"user-member-enumerated\":\"#052B51\"},\"vis\":{\"colors\":{\"added-group-account\":\"#0A50A1\",\"added-member-to-group\":\"#1F78C1\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#0A437C\",\"user-member-enumerated\":\"#2F575E\"}}},\"gridData\":{\"h\":21,\"i\
":\"9c42bff2-b295-4617-8d8c-455bd5948b66\",\"w\":21,\"x\":0,\"y\":8},\"panelIndex\":\"9c42bff2-b295-4617-8d8c-455bd5948b66\",\"panelRefName\":\"panel_20\",\"version\":\"7.7.0\"}]",
- "timeRestore": false,
- "title": "[Windows Security] Group Management Events - Simple Metrics",
- "version": 1
- },
- "id": "windows-01c54730-fee6-11e9-8405-516218e3d268",
- "migrationVersion": {
- "dashboard": "7.3.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "windows-6f0f2ea0-f414-11e9-8405-516218e3d268",
- "name": "panel_0",
- "type": "visualization"
- },
- {
- "id": "windows-98884120-f49d-11e9-8405-516218e3d268",
- "name": "panel_1",
- "type": "visualization"
- },
- {
- "id": "windows-9e534190-f49d-11e9-8405-516218e3d268",
- "name": "panel_2",
- "type": "visualization"
- },
- {
- "id": "windows-bb9cf7a0-f49d-11e9-8405-516218e3d268",
- "name": "panel_3",
- "type": "visualization"
- },
- {
- "id": "windows-ce867840-f49e-11e9-8405-516218e3d268",
- "name": "panel_4",
- "type": "visualization"
- },
- {
- "id": "windows-fee83900-f49f-11e9-8405-516218e3d268",
- "name": "panel_5",
- "type": "visualization"
- },
- {
- "id": "windows-bc165210-f4b8-11e9-8405-516218e3d268",
- "name": "panel_6",
- "type": "visualization"
- },
- {
- "id": "windows-7e178c80-fee1-11e9-8405-516218e3d268",
- "name": "panel_7",
- "type": "search"
- },
- {
- "id": "windows-a13bf640-fee8-11e9-8405-516218e3d268",
- "name": "panel_8",
- "type": "visualization"
- },
- {
- "id": "windows-5eeaafd0-fee7-11e9-8405-516218e3d268",
- "name": "panel_9",
- "type": "visualization"
- },
- {
- "id": "windows-f42f3b20-fee6-11e9-8405-516218e3d268",
- "name": "panel_10",
- "type": "visualization"
- },
- {
- "id": "windows-b5f38780-fee6-11e9-8405-516218e3d268",
- "name": "panel_11",
- "type": "visualization"
- },
- {
- "id": "windows-1b5f17d0-feea-11e9-8405-516218e3d268",
- "name": "panel_12",
- "type": "visualization"
- },
- {
- "id": "windows-0f2f5280-feeb-11e9-8405-516218e3d268",
- "name": "panel_13",
-
"type": "visualization"
- },
- {
- "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268",
- "name": "panel_14",
- "type": "search"
- },
- {
- "id": "windows-d770b040-9b35-11ea-87e4-49f31ec44891",
- "name": "panel_15",
- "type": "visualization"
- },
- {
- "id": "windows-33462600-9b47-11ea-87e4-49f31ec44891",
- "name": "panel_16",
- "type": "visualization"
- },
- {
- "id": "windows-58fb9480-9b46-11ea-87e4-49f31ec44891",
- "name": "panel_17",
- "type": "visualization"
- },
- {
- "id": "windows-e20c02d0-9b48-11ea-87e4-49f31ec44891",
- "name": "panel_18",
- "type": "visualization"
- },
- {
- "id": "windows-7de2e3f0-9b4d-11ea-87e4-49f31ec44891",
- "name": "panel_19",
- "type": "visualization"
- },
- {
- "id": "windows-b89b0c90-9b41-11ea-87e4-49f31ec44891",
- "name": "panel_20",
- "type": "visualization"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.3/kibana/dashboard/system-035846a0-a249-11e9-a422-d144027429da.json b/packages/system/0.10.3/kibana/dashboard/system-035846a0-a249-11e9-a422-d144027429da.json
deleted file mode 100644
index 59d3bd60ad..0000000000
--- a/packages/system/0.10.3/kibana/dashboard/system-035846a0-a249-11e9-a422-d144027429da.json
+++ /dev/null
@@ -1,89 +0,0 @@ -{ - "attributes": { - "description": "User logon activity dashboard with TSVB metrics.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:windows.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"Sesiones Usuarios Admin\"},\"gridData\":{\"h\":28,\"i\":\"1\",\"w\":18,\"x\":0,\"y\":38},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"title\":\"Sesiones Usuarios Admin\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":13,\"i\":\"2\",\"w\":9,\"x\":0,\"y\":6},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Usuarios Adm\"},\"gridData\":{\"h\":19,\"i\":\"3\",\"w\":18,\"x\":0,\"y\":19},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"title\":\"Usuarios Adm\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":6,\"i\":\"4\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Network Logon Details\"},\"gridData\":{\"h\":27,\"i\":\"10\",\"w\":22,\"x\":0,\"y\":66},\"panelIndex\":\"10\",\"panelRefName\":\"panel_4\",\"title\":\"Network Logon Details\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":6,\"i\":\"08245e0c-6afe-43ea-ba5f-76c3b17301fd\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"08245e0c-6afe-43ea-ba5f-76c3b17301fd\",\"panelRefName\":\"panel_5\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":13,\"i\":\"f403fdcc-6588-4573-a949-9e661783a2b8\",\"w\":9,\"x\":9,\"y\":6},\"panelIndex\":\"f403fdcc-6588-4573-a949-9e661783a2b8\",\"panelRefName\":\"panel_6\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Events 
Timeline\"},\"gridData\":{\"h\":13,\"i\":\"51a9affa-8e96-42bd-98e9-80531bdefc53\",\"w\":30,\"x\":18,\"y\":6},\"panelIndex\":\"51a9affa-8e96-42bd-98e9-80531bdefc53\",\"panelRefName\":\"panel_7\",\"title\":\"Logon Events Timeline\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Types\"},\"gridData\":{\"h\":19,\"i\":\"bbdca4de-11c5-4957-a74c-73769416a562\",\"w\":12,\"x\":18,\"y\":19},\"panelIndex\":\"bbdca4de-11c5-4957-a74c-73769416a562\",\"panelRefName\":\"panel_8\",\"title\":\"Logon Types\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"4df66ae6-e047-47c7-b1a9-b15221eb9d90\",\"w\":18,\"x\":30,\"y\":19},\"panelIndex\":\"4df66ae6-e047-47c7-b1a9-b15221eb9d90\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"RDP Reconnections and Desconnections\"},\"gridData\":{\"h\":28,\"i\":\"454bb008-9720-455e-8ab9-b2f47d25aa4f\",\"w\":19,\"x\":18,\"y\":38},\"panelIndex\":\"454bb008-9720-455e-8ab9-b2f47d25aa4f\",\"panelRefName\":\"panel_10\",\"title\":\"RDP Reconnections and Desconnections\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":28,\"i\":\"baec73e7-7166-4577-9483-1252bdd8773c\",\"w\":11,\"x\":37,\"y\":38},\"panelIndex\":\"baec73e7-7166-4577-9483-1252bdd8773c\",\"panelRefName\":\"panel_11\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logout Details\"},\"gridData\":{\"h\":27,\"i\":\"28115147-8399-4fcd-95ce-ed0a4f4239e3\",\"w\":26,\"x\":22,\"y\":66},\"panelIndex\":\"28115147-8399-4fcd-95ce-ed0a4f4239e3\",\"panelRefName\":\"panel_12\",\"title\":\"Logout Details\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[Windows Security] User Logons - Simple Metrics", - "version": 1 - }, - "id": "windows-035846a0-a249-11e9-a422-d144027429da", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-804dd400-a248-11e9-a422-d144027429da", - "name": "panel_0", - "type": "visualization" - 
}, - { - "id": "windows-5bb93ed0-a249-11e9-a422-d144027429da", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-e2516c10-a249-11e9-a422-d144027429da", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-18348f30-a24d-11e9-a422-d144027429da", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-ce71c9a0-a25e-11e9-a422-d144027429da", - "name": "panel_4", - "type": "search" - }, - { - "id": "windows-d770b040-9b35-11ea-87e4-49f31ec44891", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-2c71e0f0-9c0d-11ea-87e4-49f31ec44891", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "windows-abd44840-9c0f-11ea-87e4-49f31ec44891", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "windows-006d75f0-9c03-11ea-87e4-49f31ec44891", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-21aadac0-9c0b-11ea-87e4-49f31ec44891", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3", - "name": "panel_10", - "type": "search" - }, - { - "id": "windows-25f31ee0-9c23-11ea-87e4-49f31ec44891", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "windows-06b6b060-7a80-11ea-bc9a-0baf2ca323a3", - "name": "panel_12", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab.json b/packages/system/0.10.3/kibana/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab.json deleted file mode 100644 index 8814d936cf..0000000000 --- a/packages/system/0.10.3/kibana/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab.json +++ /dev/null 
@@ -1,53 +0,0 @@ -{ - "attributes": { - "description": "New users and groups dashboard for the System integration in Logs", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":12,\"i\":\"1\",\"w\":24,\"x\":0,\"y\":4},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"2\",\"w\":24,\"x\":24,\"y\":4},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":16},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"4\",\"w\":24,\"x\":24,\"y\":16},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":12,\"i\":\"5\",\"w\":24,\"x\":0,\"y\":28},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"6\",\"w\":24,\"x\":24,\"y\":28},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"7\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Logs System] New users and groups", - "version": 1 - }, - "id": "system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab", - "references": [ - { - "id": "system-f398d2f0-fa77-11e6-ae9b-81e5311e8cab", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-5dd15c00-fa78-11e6-ae9b-81e5311e8cab", - "name": "panel_1", - "type": 
"visualization" - }, - { - "id": "system-e121b140-fa78-11e6-a1df-a78bd7504d38", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "system-d56ee420-fa79-11e6-a1df-a78bd7504d38", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "system-12667040-fa80-11e6-a1df-a78bd7504d38", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "system-346bb290-fa80-11e6-a1df-a78bd7504d38", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "system-327417e0-8462-11e7-bab8-bd2f0fb42c54", - "name": "panel_6", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a.json b/packages/system/0.10.3/kibana/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a.json deleted file mode 100644 index 7c1b819642..0000000000 --- a/packages/system/0.10.3/kibana/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "description": "Sudo commands dashboard from the Logs System integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"2\",\"w\":48,\"x\":0,\"y\":36},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":16,\"i\":\"3\",\"w\":48,\"x\":0,\"y\":4},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"4\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Logs System] Sudo commands", - "version": 1 - }, - "id": "system-277876d0-fa2c-11e6-bbd3-29c986c96e5a", - "references": [ - { - "id": "system-5c7af030-fa2a-11e6-bbd3-29c986c96e5a", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-51164310-fa2b-11e6-bbd3-29c986c96e5a", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "system-dc589770-fa2b-11e6-bbd3-29c986c96e5a", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "system-327417e0-8462-11e7-bab8-bd2f0fb42c54", - "name": "panel_3", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a.json b/packages/system/0.10.3/kibana/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a.json deleted file mode 100644 index 34f78d0da6..0000000000 
--- a/packages/system/0.10.3/kibana/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a.json +++ /dev/null 
@@ -1,48 +0,0 @@ -{ - "attributes": { - "description": "SSH dashboard for the System integration in Logs", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":16},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"2\",\"w\":48,\"x\":0,\"y\":4},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":28},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"mapBounds\":{\"bottom_right\":{\"lat\":10.31491928581316,\"lon\":74.53125},\"top_left\":{\"lat\":60.50052541051131,\"lon\":-27.94921875}},\"mapCenter\":[39.774769485295465,23.203125],\"mapCollar\":{\"bottom_right\":{\"lat\":-14.777884999999998,\"lon\":125.771485},\"top_left\":{\"lat\":85.593335,\"lon\":-79.189455},\"zoom\":3},\"mapZoom\":3},\"gridData\":{\"h\":16,\"i\":\"4\",\"w\":24,\"x\":24,\"y\":28},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"columns\":[\"system.auth.ssh.event\",\"system.auth.ssh.method\",\"user.name\",\"source.ip\",\"source.geo.country_iso_code\"],\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"h\":12,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":44},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"6\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Logs System] SSH login attempts", - "version": 1 - }, - "id": "system-5517a150-f9ce-11e6-8115-a7c18106d86a", - "references": [ - { - "id": 
"system-d16bb400-f9cc-11e6-8115-a7c18106d86a", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-78b74f30-f9cd-11e6-8115-a7c18106d86a", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "system-341ffe70-f9ce-11e6-8115-a7c18106d86a", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "system-3cec3eb0-f9d3-11e6-8a3e-2b904044ea1d", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "system-62439dc0-f9c9-11e6-a747-6121780e0414", - "name": "panel_4", - "type": "search" - }, - { - "id": "system-327417e0-8462-11e7-bab8-bd2f0fb42c54", - "name": "panel_5", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/dashboard/system-71f720f0-ff18-11e9-8405-516218e3d268.json b/packages/system/0.10.3/kibana/dashboard/system-71f720f0-ff18-11e9-8405-516218e3d268.json deleted file mode 100644 index ade89f5b1b..0000000000 --- a/packages/system/0.10.3/kibana/dashboard/system-71f720f0-ff18-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,159 +0,0 @@ -{ - "attributes": { - "description": "User management activity.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":8,\"i\":\"1\",\"w\":17,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Created Users [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"3\",\"w\":9,\"x\":0,\"y\":56},\"panelIndex\":\"3\",\"panelRefName\":\"panel_1\",\"title\":\"Created Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Enabled Users [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"5\",\"w\":9,\"x\":9,\"y\":56},\"panelIndex\":\"5\",\"panelRefName\":\"panel_2\",\"title\":\"Enabled Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Disabled Users [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"6\",\"w\":9,\"x\":0,\"y\":79},\"panelIndex\":\"6\",\"panelRefName\":\"panel_3\",\"title\":\"Disabled Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Deleted Users [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"7\",\"w\":9,\"x\":18,\"y\":56},\"panelIndex\":\"7\",\"panelRefName\":\"panel_4\",\"title\":\"Deleted Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Passwords Changes [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"9\",\"w\":9,\"x\":18,\"y\":79},\"panelIndex\":\"9\",\"panelRefName\":\"panel_5\",\"title\":\"Passwords Changes [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Unlocked Users [Windows 
Security]\"},\"gridData\":{\"h\":16,\"i\":\"15\",\"w\":9,\"x\":9,\"y\":79},\"panelIndex\":\"15\",\"panelRefName\":\"panel_6\",\"title\":\"Unlocked Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Users Changes [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"16\",\"w\":9,\"x\":18,\"y\":102},\"panelIndex\":\"16\",\"panelRefName\":\"panel_7\",\"title\":\"Users Changes [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Locked-out Users [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"20\",\"w\":9,\"x\":0,\"y\":102},\"panelIndex\":\"20\",\"panelRefName\":\"panel_8\",\"title\":\"Locked-out Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":46,\"i\":\"22\",\"w\":21,\"x\":27,\"y\":72},\"panelIndex\":\"22\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"23\",\"w\":48,\"x\":0,\"y\":118},\"panelIndex\":\"23\",\"panelRefName\":\"panel_10\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"24\",\"w\":9,\"x\":0,\"y\":72},\"panelIndex\":\"24\",\"panelRefName\":\"panel_11\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"25\",\"w\":9,\"x\":9,\"y\":49},\"panelIndex\":\"25\",\"panelRefName\":\"panel_12\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"26\",\"w\":9,\"x\":18,\"y\":49},\"panelIndex\":\"26\",\"panelRefName\":\"panel_13\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"27\",\"w\":9,\"x\":0,\"y\":49},\"panelIndex\":\"27\",\"panelRefName\":\"panel_14\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"28\",\"w\":9,\"x\":9,\"y\":72},\"panelIndex\":\"28\",\"panelRefName\":\"panel_15\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"29\",\"w\":9,\
"x\":18,\"y\":72},\"panelIndex\":\"29\",\"panelRefName\":\"panel_16\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"30\",\"w\":9,\"x\":0,\"y\":95},\"panelIndex\":\"30\",\"panelRefName\":\"panel_17\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"31\",\"w\":9,\"x\":18,\"y\":95},\"panelIndex\":\"31\",\"panelRefName\":\"panel_18\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"32\",\"w\":9,\"x\":9,\"y\":95},\"panelIndex\":\"32\",\"panelRefName\":\"panel_19\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"33\",\"w\":9,\"x\":9,\"y\":102},\"panelIndex\":\"33\",\"panelRefName\":\"panel_20\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":8,\"i\":\"cf0adfac-7cf2-479d-8ddb-1edeee62d37c\",\"w\":31,\"x\":17,\"y\":0},\"panelIndex\":\"cf0adfac-7cf2-479d-8ddb-1edeee62d37c\",\"panelRefName\":\"panel_21\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-user-account\":\"#447EBC\",\"deleted-user-account\":\"#82B5D8\",\"disabled-user-account\":\"#82B5D8\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#2F575E\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\"},\"vis\":{\"colors\":{\"added-user-account\":\"#447EBC\",\"deleted-user-account\":\"#82B5D8\",\"disabled-user-account\":\"#82B5D8\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#2F575E\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\",\"unlocked-user-account\":\"#64B0C8\"}}},\"gridData\":{\"h\":16,\"i\":\"a2871661-98a8-489b-b615-e66ebe3b971a\",\"w\":17,\"x\":0,\"y\":8},\"panelIndex\":\"a2871661-98a8-489b-b615-e66ebe3b971a\",\"panelRefName\":\"panel_22\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"e80fae4a-6087-41e1-b4b9-31802cb1e4bf\",\"w\":18,\"x\":30,\"y\":8},\"panelIndex\":\"e80fae4a-6087-41e1-b4b9-31
802cb1e4bf\",\"panelRefName\":\"panel_23\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"dd3e12e6-0d3c-448e-b0c4-91f7dc8742b6\",\"w\":13,\"x\":17,\"y\":8},\"panelIndex\":\"dd3e12e6-0d3c-448e-b0c4-91f7dc8742b6\",\"panelRefName\":\"panel_24\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Actions performed over Users [Windows Security]\",\"vis\":null},\"gridData\":{\"h\":25,\"i\":\"29f54335-78db-4c49-a3e0-a641fd0099f6\",\"w\":48,\"x\":0,\"y\":24},\"panelIndex\":\"29f54335-78db-4c49-a3e0-a641fd0099f6\",\"panelRefName\":\"panel_25\",\"title\":\"Actions performed over Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-user-account\":\"#0A437C\",\"deleted-user-account\":\"#5195CE\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#052B51\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\"},\"vis\":{\"colors\":{\"added-user-account\":\"#0A437C\",\"deleted-user-account\":\"#5195CE\",\"disabled-user-account\":\"#82B5D8\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#052B51\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\"}}},\"gridData\":{\"h\":23,\"i\":\"1ec8b993-9ac1-4c7f-b7f7-5136f2e310aa\",\"w\":21,\"x\":27,\"y\":49},\"panelIndex\":\"1ec8b993-9ac1-4c7f-b7f7-5136f2e310aa\",\"panelRefName\":\"panel_26\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[Windows Security] User Management Events", - "version": 1 - }, - "id": "windows-71f720f0-ff18-11e9-8405-516218e3d268", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf", - "name": "panel_2", - "type": "visualization" - }, 
- { - "id": "windows-8f20c950-bcd4-11e9-b6a2-c9b4015c4baf", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-da2110c0-bcea-11e9-b6a2-c9b4015c4baf", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "windows-abf96c10-bcea-11e9-b6a2-c9b4015c4baf", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "windows-4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-7e178c80-fee1-11e9-8405-516218e3d268", - "name": "panel_9", - "type": "search" - }, - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "panel_10", - "type": "search" - }, - { - "id": "windows-97c70300-ff1c-11e9-8405-516218e3d268", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "windows-bf45dc50-ff1a-11e9-8405-516218e3d268", - "name": "panel_12", - "type": "visualization" - }, - { - "id": "windows-7322f9f0-ff1c-11e9-8405-516218e3d268", - "name": "panel_13", - "type": "visualization" - }, - { - "id": "windows-d3a5fec0-ff18-11e9-8405-516218e3d268", - "name": "panel_14", - "type": "visualization" - }, - { - "id": "windows-1b6725f0-ff1d-11e9-8405-516218e3d268", - "name": "panel_15", - "type": "visualization" - }, - { - "id": "windows-60301890-ff1d-11e9-8405-516218e3d268", - "name": "panel_16", - "type": "visualization" - }, - { - "id": "windows-9dd22440-ff1d-11e9-8405-516218e3d268", - "name": "panel_17", - "type": "visualization" - }, - { - "id": "windows-c9d959f0-ff1d-11e9-8405-516218e3d268", - "name": "panel_18", - "type": "visualization" - }, - { - "id": "windows-1f271bc0-231a-11ea-8405-516218e3d268", - "name": "panel_19", - "type": "visualization" - }, - { - "id": "windows-fa876300-231a-11ea-8405-516218e3d268", - "name": "panel_20", - "type": 
"visualization" - }, - { - "id": "windows-a3c3f350-9b6d-11ea-87e4-49f31ec44891", - "name": "panel_21", - "type": "visualization" - }, - { - "id": "windows-26877510-9b72-11ea-87e4-49f31ec44891", - "name": "panel_22", - "type": "visualization" - }, - { - "id": "windows-117f5a30-9b71-11ea-87e4-49f31ec44891", - "name": "panel_23", - "type": "visualization" - }, - { - "id": "windows-5c9ee410-9b74-11ea-87e4-49f31ec44891", - "name": "panel_24", - "type": "visualization" - }, - { - "id": "windows-aa31c9d0-9b75-11ea-87e4-49f31ec44891", - "name": "panel_25", - "type": "visualization" - }, - { - "id": "windows-caf4d2b0-9b76-11ea-87e4-49f31ec44891", - "name": "panel_26", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8.json b/packages/system/0.10.3/kibana/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8.json deleted file mode 100644 index 4dba98af12..0000000000 --- a/packages/system/0.10.3/kibana/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8.json +++ /dev/null 
@@ -1,133 +0,0 @@ -{ - "attributes": { - "description": "Overview of host metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"1\",\"w\":24,\"x\":0,\"y\":55},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"2\",\"w\":24,\"x\":24,\"y\":25},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"3\",\"w\":24,\"x\":24,\"y\":55},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"4\",\"w\":24,\"x\":0,\"y\":40},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":70},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":24,\"x\":0,\"y\":70},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"7\",\"w\":24,\"x\":0,\"y\":25},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"8\",\"w\":24,\"x\":24,\"y\":40},\"panelIndex\":\"8\",\"panelRefName\":\"panel_7\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"9\",\"w\":8,\"x\":16,\"y\":5},\"panelIndex\":\"9\",\"panelRefName\":\"panel_8\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"10\",\"w\":8,\"x\":0,\"y\":5},\"panelIndex\":\"10\",\"panelRefName\":\"panel_9\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"11\",\"w\":8,\"x\":8,
\"y\":5},\"panelIndex\":\"11\",\"panelRefName\":\"panel_10\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"12\",\"w\":8,\"x\":24,\"y\":5},\"panelIndex\":\"12\",\"panelRefName\":\"panel_11\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"13\",\"w\":8,\"x\":32,\"y\":5},\"panelIndex\":\"13\",\"panelRefName\":\"panel_12\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"14\",\"w\":16,\"x\":32,\"y\":15},\"panelIndex\":\"14\",\"panelRefName\":\"panel_13\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":5,\"i\":\"16\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"16\",\"panelRefName\":\"panel_14\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"21\",\"w\":8,\"x\":0,\"y\":15},\"panelIndex\":\"21\",\"panelRefName\":\"panel_15\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"22\",\"w\":8,\"x\":8,\"y\":15},\"panelIndex\":\"22\",\"panelRefName\":\"panel_16\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"23\",\"w\":8,\"x\":24,\"y\":15},\"panelIndex\":\"23\",\"panelRefName\":\"panel_17\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"25\",\"w\":8,\"x\":40,\"y\":5},\"panelIndex\":\"25\",\"panelRefName\":\"panel_18\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"27\",\"w\":24,\"x\":0,\"y\":85},\"panelIndex\":\"27\",\"panelRefName\":\"panel_19\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"28\",\"w\":24,\"x\":24,\"y\":85},\"panelIndex\":\"28\",\"panelRefName\":\"panel_20\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":10,\"i\":\"29\",\"w\":8,\"x\":16,\"y\":15},\"panelIndex\":\"29\",\"panelRefName\":\"panel_21\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":5,\"i\":\"30\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"30\",\"panelRefName\":\"panel_22\",\"version\":\"7.6.0\"}]", - "timeRestore": false, - "title": "[Metrics System] Host overview", - "version": 1 - }, - "id": "system-79ffd6e0-faa0-11e6-947f-177f697178b8", - "references": [ - { - "id": "system-6b7b9a40-faa1-11e6-86b1-cd7735ff7e23", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-4d546850-1b15-11e7-b09e-037021c4f8df", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "system-089b85d0-1b16-11e7-b09e-037021c4f8df", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "system-bfa5e400-1b16-11e7-b09e-037021c4f8df", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "system-e0f001c0-1b18-11e7-b09e-037021c4f8df", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "system-2e224660-1b19-11e7-b09e-037021c4f8df", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "system-ab2d1e90-1b1a-11e7-b09e-037021c4f8df", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "system-4e4bb1e0-1b1b-11e7-b09e-037021c4f8df", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "system-26732e20-1b91-11e7-bec4-a5e9ec5cab8b", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "system-1aae9140-1b93-11e7-8ada-3df93aab833e", - "name": "panel_12", - "type": "visualization" - }, - { - "id": "system-34f97ee0-1b96-11e7-8ada-3df93aab833e", - 
"name": "panel_13", - "type": "visualization" - }, - { - "id": "system-Navigation", - "name": "panel_14", - "type": "visualization" - }, - { - "id": "system-19e123b0-4d5a-11e7-aee5-fdc812cc3bec", - "name": "panel_15", - "type": "visualization" - }, - { - "id": "system-d2e80340-4d5c-11e7-aa29-87a97a796de6", - "name": "panel_16", - "type": "visualization" - }, - { - "id": "system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32", - "name": "panel_17", - "type": "visualization" - }, - { - "id": "system-96976150-4d5d-11e7-aa29-87a97a796de6", - "name": "panel_18", - "type": "visualization" - }, - { - "id": "system-99381c80-4d60-11e7-9a4c-ed99bbcaa42b", - "name": "panel_19", - "type": "visualization" - }, - { - "id": "system-c5e3cf90-4d60-11e7-9a4c-ed99bbcaa42b", - "name": "panel_20", - "type": "visualization" - }, - { - "id": "system-590a60f0-5d87-11e7-8884-1bb4c3b890e4", - "name": "panel_21", - "type": "visualization" - }, - { - "id": "system-3d65d450-a9c3-11e7-af20-67db8aecb295", - "name": "panel_22", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/dashboard/system-8223bed0-b9e9-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.3/kibana/dashboard/system-8223bed0-b9e9-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 66ca04e54e..0000000000 --- a/packages/system/0.10.3/kibana/dashboard/system-8223bed0-b9e9-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,159 +0,0 @@ -{ - "attributes": { - "description": "User management activity with TSVB metrics.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"1\",\"w\":17,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Created Users [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"3\",\"w\":9,\"x\":0,\"y\":55},\"panelIndex\":\"3\",\"panelRefName\":\"panel_1\",\"title\":\"Created Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Enabled Users [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"5\",\"w\":9,\"x\":9,\"y\":55},\"panelIndex\":\"5\",\"panelRefName\":\"panel_2\",\"title\":\"Enabled Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Disabled Users [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"6\",\"w\":9,\"x\":0,\"y\":80},\"panelIndex\":\"6\",\"panelRefName\":\"panel_3\",\"title\":\"Disabled Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Deleted Users [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"7\",\"w\":9,\"x\":18,\"y\":55},\"panelIndex\":\"7\",\"panelRefName\":\"panel_4\",\"title\":\"Deleted Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Passwords Changes [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"9\",\"w\":9,\"x\":18,\"y\":80},\"panelIndex\":\"9\",\"panelRefName\":\"panel_5\",\"title\":\"Passwords Changes [Windows 
Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"10\",\"w\":9,\"x\":0,\"y\":46},\"panelIndex\":\"10\",\"panelRefName\":\"panel_6\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"11\",\"w\":9,\"x\":9,\"y\":46},\"panelIndex\":\"11\",\"panelRefName\":\"panel_7\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"12\",\"w\":9,\"x\":18,\"y\":46},\"panelIndex\":\"12\",\"panelRefName\":\"panel_8\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"13\",\"w\":9,\"x\":0,\"y\":71},\"panelIndex\":\"13\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"14\",\"w\":9,\"x\":18,\"y\":71},\"panelIndex\":\"14\",\"panelRefName\":\"panel_10\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Unlocked Users [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"15\",\"w\":9,\"x\":9,\"y\":80},\"panelIndex\":\"15\",\"panelRefName\":\"panel_11\",\"title\":\"Unlocked Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Users Changes [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"16\",\"w\":9,\"x\":18,\"y\":105},\"panelIndex\":\"16\",\"panelRefName\":\"panel_12\",\"title\":\"Users Changes [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"17\",\"w\":9,\"x\":0,\"y\":96},\"panelIndex\":\"17\",\"panelRefName\":\"panel_13\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"18\",\"w\":9,\"x\":9,\"y\":71},\"panelIndex\":\"18\",\"panelRefName\":\"panel_14\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"19\",\"w\":9,\"x\":18,\"y\":96},\"panelIndex\":\"19\",\"panelRefName\":\"panel_15\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Locked-out Users 
[Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"20\",\"w\":9,\"x\":0,\"y\":105},\"panelIndex\":\"20\",\"panelRefName\":\"panel_16\",\"title\":\"Locked-out Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":48,\"i\":\"22\",\"w\":21,\"x\":27,\"y\":73},\"panelIndex\":\"22\",\"panelRefName\":\"panel_17\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"23\",\"w\":48,\"x\":0,\"y\":121},\"panelIndex\":\"23\",\"panelRefName\":\"panel_18\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"24\",\"w\":9,\"x\":9,\"y\":96},\"panelIndex\":\"24\",\"panelRefName\":\"panel_19\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"25\",\"w\":9,\"x\":9,\"y\":105},\"panelIndex\":\"25\",\"panelRefName\":\"panel_20\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"20adcb1b-cebf-4a75-9bc4-eaeeee626c5e\",\"w\":31,\"x\":17,\"y\":0},\"panelIndex\":\"20adcb1b-cebf-4a75-9bc4-eaeeee626c5e\",\"panelRefName\":\"panel_21\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-user-account\":\"#0A437C\",\"deleted-user-account\":\"#82B5D8\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#052B51\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\"},\"vis\":{\"colors\":{\"added-user-account\":\"#0A437C\",\"deleted-user-account\":\"#82B5D8\",\"disabled-user-account\":\"#BADFF4\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#052B51\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\"}}},\"gridData\":{\"h\":19,\"i\":\"8aad73ff-37b1-487a-a3f1-b80b93618ac4\",\"w\":18,\"x\":0,\"y\":7},\"panelIndex\":\"8aad73ff-37b1-487a-a3f1-b80b93618ac4\",\"panelRefName\":\"panel_22\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"18cc78ac-3f77-4f54-b351-cb94873cae3f\",\"w\":14,\"x\":18,\"y\":7},\"panelIndex\":\"18cc78ac
-3f77-4f54-b351-cb94873cae3f\",\"panelRefName\":\"panel_23\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"75f5f1fc-bc7c-4f8f-8e5b-0a52d525aa7d\",\"w\":16,\"x\":32,\"y\":7},\"panelIndex\":\"75f5f1fc-bc7c-4f8f-8e5b-0a52d525aa7d\",\"panelRefName\":\"panel_24\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Actions performed over Users [Windows Security]\",\"vis\":null},\"gridData\":{\"h\":20,\"i\":\"f443b5b0-ada7-426f-ae2f-46573f94f24f\",\"w\":48,\"x\":0,\"y\":26},\"panelIndex\":\"f443b5b0-ada7-426f-ae2f-46573f94f24f\",\"panelRefName\":\"panel_25\",\"title\":\"Actions performed over Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-user-account\":\"#0A437C\",\"deleted-user-account\":\"#82B5D8\",\"disabled-user-account\":\"#BADFF4\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#2F575E\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\"},\"vis\":{\"colors\":{\"added-user-account\":\"#0A437C\",\"deleted-user-account\":\"#82B5D8\",\"disabled-user-account\":\"#BADFF4\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#2F575E\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\",\"unlocked-user-account\":\"#0A437C\"}}},\"gridData\":{\"h\":27,\"i\":\"820c0311-d378-49dc-a614-e0fed2254603\",\"w\":21,\"x\":27,\"y\":46},\"panelIndex\":\"820c0311-d378-49dc-a614-e0fed2254603\",\"panelRefName\":\"panel_26\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[Windows Security] User Management Events - Simple Metric", - "version": 1 - }, - "id": "windows-8223bed0-b9e9-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf", - "name": "panel_1", - "type": "visualization" - }, - 
{ - "id": "windows-0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-8f20c950-bcd4-11e9-b6a2-c9b4015c4baf", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-102efd20-bcdd-11e9-b6a2-c9b4015c4baf", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "windows-855957d0-bcdd-11e9-b6a2-c9b4015c4baf", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "windows-c359b020-bcdd-11e9-b6a2-c9b4015c4baf", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-0cb2d940-bcde-11e9-b6a2-c9b4015c4baf", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-568a8130-bcde-11e9-b6a2-c9b4015c4baf", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "windows-da2110c0-bcea-11e9-b6a2-c9b4015c4baf", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "windows-abf96c10-bcea-11e9-b6a2-c9b4015c4baf", - "name": "panel_12", - "type": "visualization" - }, - { - "id": "windows-84502430-bce8-11e9-b6a2-c9b4015c4baf", - "name": "panel_13", - "type": "visualization" - }, - { - "id": "windows-ab6f8d80-bce8-11e9-b6a2-c9b4015c4baf", - "name": "panel_14", - "type": "visualization" - }, - { - "id": "windows-5d92b100-bce8-11e9-b6a2-c9b4015c4baf", - "name": "panel_15", - "type": "visualization" - }, - { - "id": "windows-4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf", - "name": "panel_16", - "type": "visualization" - }, - { - "id": "windows-7e178c80-fee1-11e9-8405-516218e3d268", - "name": "panel_17", - "type": "search" - }, - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "panel_18", - "type": "search" - }, - { - "id": "windows-5e19ff80-231c-11ea-8405-516218e3d268", - "name": "panel_19", - "type": 
"visualization" - }, - { - "id": "windows-fa876300-231a-11ea-8405-516218e3d268", - "name": "panel_20", - "type": "visualization" - }, - { - "id": "windows-d770b040-9b35-11ea-87e4-49f31ec44891", - "name": "panel_21", - "type": "visualization" - }, - { - "id": "windows-26877510-9b72-11ea-87e4-49f31ec44891", - "name": "panel_22", - "type": "visualization" - }, - { - "id": "windows-5c9ee410-9b74-11ea-87e4-49f31ec44891", - "name": "panel_23", - "type": "visualization" - }, - { - "id": "windows-117f5a30-9b71-11ea-87e4-49f31ec44891", - "name": "panel_24", - "type": "visualization" - }, - { - "id": "windows-aa31c9d0-9b75-11ea-87e4-49f31ec44891", - "name": "panel_25", - "type": "visualization" - }, - { - "id": "windows-caf4d2b0-9b76-11ea-87e4-49f31ec44891", - "name": "panel_26", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/dashboard/system-Filebeat-syslog-dashboard.json b/packages/system/0.10.3/kibana/dashboard/system-Filebeat-syslog-dashboard.json deleted file mode 100644 index e853fd4613..0000000000 --- a/packages/system/0.10.3/kibana/dashboard/system-Filebeat-syslog-dashboard.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "description": "Syslog dashboard from the Logs System integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"1\",\"w\":32,\"x\":0,\"y\":4},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"2\",\"w\":16,\"x\":32,\"y\":4},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"columns\":[\"host.hostname\",\"process.name\",\"message\"],\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"h\":28,\"i\":\"3\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"4\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Logs System] Syslog dashboard", - "version": 1 - }, - "id": "system-Filebeat-syslog-dashboard", - "references": [ - { - "id": "system-Syslog-events-by-hostname", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-Syslog-hostnames-and-processes", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "system-Syslog-system-logs", - "name": "panel_2", - "type": "search" - }, - { - "id": "system-327417e0-8462-11e7-bab8-bd2f0fb42c54", - "name": "panel_3", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/dashboard/system-Metricbeat-system-overview.json b/packages/system/0.10.3/kibana/dashboard/system-Metricbeat-system-overview.json deleted file mode 100644 index 286c979eb2..0000000000 
--- a/packages/system/0.10.3/kibana/dashboard/system-Metricbeat-system-overview.json +++ /dev/null 
@@ -1,68 +0,0 @@ -{ - "attributes": { - "description": "Overview of system metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"9\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"9\",\"panelRefName\":\"panel_0\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"11\",\"w\":8,\"x\":0,\"y\":4},\"panelIndex\":\"11\",\"panelRefName\":\"panel_1\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":20,\"i\":\"12\",\"w\":24,\"x\":24,\"y\":12},\"panelIndex\":\"12\",\"panelRefName\":\"panel_2\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"13\",\"w\":24,\"x\":0,\"y\":12},\"panelIndex\":\"13\",\"panelRefName\":\"panel_3\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0% - 15%\":\"rgb(247,252,245)\",\"15% - 30%\":\"rgb(199,233,192)\",\"30% - 45%\":\"rgb(116,196,118)\",\"45% - 60%\":\"rgb(35,139,69)\"}}},\"gridData\":{\"h\":24,\"i\":\"14\",\"w\":48,\"x\":0,\"y\":32},\"panelIndex\":\"14\",\"panelRefName\":\"panel_4\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"16\",\"w\":8,\"x\":32,\"y\":4},\"panelIndex\":\"16\",\"panelRefName\":\"panel_5\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"17\",\"w\":8,\"x\":40,\"y\":4},\"panelIndex\":\"17\",\"panelRefName\":\"panel_6\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"18\",\"w\":8,\"x\":24,\"y\":4},\"panelIndex\":\"18\",\"panelRefName\":\"panel_7\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"19\",\"w\":8,\"x\":16,\"y\":4},\"panelIndex\":\"19\",\"panelRefName\":\"panel_8\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"20\",\"w\":8,\"x\":8,\"y\":4},\"panelIndex\":\"20\",\"panelRefName\":\"panel_9\",\"version\":\"7.6.0\"}]", - "timeRestore": false, - "title": "[Metrics System] Overview", - "version": 1 - }, - "id": "system-Metrics-system-overview", - "references": [ - { - "id": "system-Navigation", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-c6f2ffd0-4d17-11e7-a196-69b9a7a020a9", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "system-fe064790-1b1f-11e7-bec4-a5e9ec5cab8b", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "system-855899e0-1b1c-11e7-b09e-037021c4f8df", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "system-7cdb1330-4d1a-11e7-a196-69b9a7a020a9", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "system-1aae9140-1b93-11e7-8ada-3df93aab833e", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b", - "name": 
"panel_9", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/dashboard/system-Winlogbeat-Dashboard.json b/packages/system/0.10.3/kibana/dashboard/system-Winlogbeat-Dashboard.json deleted file mode 100644 index 84aad582de..0000000000 --- a/packages/system/0.10.3/kibana/dashboard/system-Winlogbeat-Dashboard.json +++ /dev/null 
@@ -1,49 +0,0 @@ -{ - "attributes": { - "description": "Overview of all Windows Event Logs.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:system.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:system.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system OR data_stream.dataset:system.system)\"}}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"gridData\":{\"h\":20,\"i\":\"3\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"4\",\"w\":16,\"x\":16,\"y\":20},\"panelIndex\":\"4\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"gridData\":{\"h\":20,\"i\":\"5\",\"w\":16,\"x\":32,\"y\":20},\"panelIndex\":\"5\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"gridData\":{\"h\":20,\"i\":\"6\",\"w\":16,\"x\":0,\"y\":20},\"panelIndex\":\"6\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Windows] Overview", - "version": 1 - }, - "id": "Windows-Dashboard", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-Number-of-Events-Over-Time-By-Event-Log", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-Number-of-Events", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-Top-Event-IDs", - 
"name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-Event-Levels", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-Sources", - "name": "panel_4", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/dashboard/system-bae11b00-9bfc-11ea-87e4-49f31ec44891.json b/packages/system/0.10.3/kibana/dashboard/system-bae11b00-9bfc-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 5ab48a3062..0000000000 --- a/packages/system/0.10.3/kibana/dashboard/system-bae11b00-9bfc-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,89 +0,0 @@ -{ - "attributes": { - "description": "User logon activity dashboard.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"Admin Users Sessions\"},\"gridData\":{\"h\":28,\"i\":\"1\",\"w\":18,\"x\":0,\"y\":34},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"title\":\"Admin Users Sessions\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"AdminLocalSta\":\"#890F02\",\"SERVICIO LOCAL\":\"#508642\"},\"legendOpen\":true,\"title\":\"Administrators Logged On\",\"vis\":{\"colors\":{\"AdminLocalSta\":\"#890F02\",\"NETWORK SERVICE\":\"#1F78C1\",\"SERVICIO LOCAL\":\"#508642\"},\"legendOpen\":true}},\"gridData\":{\"h\":18,\"i\":\"3\",\"w\":18,\"x\":0,\"y\":16},\"panelIndex\":\"3\",\"panelRefName\":\"panel_1\",\"title\":\"Administrators Logged On\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":6,\"i\":\"4\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_2\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Details\"},\"gridData\":{\"h\":47,\"i\":\"10\",\"w\":23,\"x\":0,\"y\":62},\"panelIndex\":\"10\",\"panelRefName\":\"panel_3\",\"title\":\"Logon 
Details\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":6,\"i\":\"34fc9633-8a7c-444d-8d19-06095b55fb43\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"34fc9633-8a7c-444d-8d19-06095b55fb43\",\"panelRefName\":\"panel_4\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":10,\"i\":\"67d2409d-3e51-45d5-972f-32a36537e622\",\"w\":9,\"x\":0,\"y\":6},\"panelIndex\":\"67d2409d-3e51-45d5-972f-32a36537e622\",\"panelRefName\":\"panel_5\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":10,\"i\":\"33d05ce3-f60d-4a31-a668-aa6fab0cc800\",\"w\":9,\"x\":9,\"y\":6},\"panelIndex\":\"33d05ce3-f60d-4a31-a668-aa6fab0cc800\",\"panelRefName\":\"panel_6\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Events Timeline\"},\"gridData\":{\"h\":13,\"i\":\"7b3906e6-3a81-450c-bb31-ca0d670440b7\",\"w\":30,\"x\":18,\"y\":6},\"panelIndex\":\"7b3906e6-3a81-450c-bb31-ca0d670440b7\",\"panelRefName\":\"panel_7\",\"title\":\"Logon Events Timeline\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"CachedInteractive\":\"#6ED0E0\",\"Interactive\":\"#2F575E\",\"Network\":\"#447EBC\",\"RemoteInteractive\":\"#64B0C8\",\"Service\":\"#6ED0E0\",\"Unlock\":\"#BADFF4\"},\"legendOpen\":true,\"title\":\"Logon Types\",\"vis\":{\"colors\":{\"CachedInteractive\":\"#6ED0E0\",\"Interactive\":\"#2F575E\",\"Network\":\"#447EBC\",\"RemoteInteractive\":\"#64B0C8\",\"Service\":\"#65C5DB\",\"Unlock\":\"#BADFF4\"},\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"cf50b48e-453c-46fb-ad35-7ccfb7b03de0\",\"w\":15,\"x\":18,\"y\":19},\"panelIndex\":\"cf50b48e-453c-46fb-ad35-7ccfb7b03de0\",\"panelRefName\":\"panel_8\",\"title\":\"Logon 
Types\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"a743ffe5-a2ac-4c0b-9b6f-a81563140c42\",\"w\":15,\"x\":33,\"y\":19},\"panelIndex\":\"a743ffe5-a2ac-4c0b-9b6f-a81563140c42\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"RDP Reconnections and Desconnections\"},\"gridData\":{\"h\":28,\"i\":\"454bb008-9720-455e-8ab9-b2f47d25aa4f\",\"w\":18,\"x\":18,\"y\":34},\"panelIndex\":\"454bb008-9720-455e-8ab9-b2f47d25aa4f\",\"panelRefName\":\"panel_10\",\"title\":\"RDP Reconnections and Desconnections\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":28,\"i\":\"29a0e70a-ab23-4d48-8d4e-9a39c5af47ad\",\"w\":12,\"x\":36,\"y\":34},\"panelIndex\":\"29a0e70a-ab23-4d48-8d4e-9a39c5af47ad\",\"panelRefName\":\"panel_11\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logout Details\"},\"gridData\":{\"h\":46,\"i\":\"28115147-8399-4fcd-95ce-ed0a4f4239e3\",\"w\":25,\"x\":23,\"y\":62},\"panelIndex\":\"28115147-8399-4fcd-95ce-ed0a4f4239e3\",\"panelRefName\":\"panel_12\",\"title\":\"Logout Details\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[Windows Security] User Logons", - "version": 1 - }, - "id": "windows-bae11b00-9bfc-11ea-87e4-49f31ec44891", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-804dd400-a248-11e9-a422-d144027429da", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-e2516c10-a249-11e9-a422-d144027429da", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-18348f30-a24d-11e9-a422-d144027429da", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-ce71c9a0-a25e-11e9-a422-d144027429da", - "name": "panel_3", - "type": "search" - }, - { - "id": "windows-a3c3f350-9b6d-11ea-87e4-49f31ec44891", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-0622da40-9bfd-11ea-87e4-49f31ec44891", - "name": 
"panel_5", - "type": "visualization" - }, - { - "id": "windows-860706a0-9bfd-11ea-87e4-49f31ec44891", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "windows-a909b930-685f-11ea-896f-0d70f7ec3956", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "windows-006d75f0-9c03-11ea-87e4-49f31ec44891", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-21aadac0-9c0b-11ea-87e4-49f31ec44891", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3", - "name": "panel_10", - "type": "search" - }, - { - "id": "windows-25f31ee0-9c23-11ea-87e4-49f31ec44891", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "windows-06b6b060-7a80-11ea-bc9a-0baf2ca323a3", - "name": "panel_12", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/dashboard/system-bb858830-f412-11e9-8405-516218e3d268.json b/packages/system/0.10.3/kibana/dashboard/system-bb858830-f412-11e9-8405-516218e3d268.json deleted file mode 100644 index b379eea763..0000000000 --- a/packages/system/0.10.3/kibana/dashboard/system-bb858830-f412-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,129 +0,0 @@ -{ - "attributes": { - "description": "Group management activity.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"22\",\"w\":16,\"x\":0,\"y\":0},\"panelIndex\":\"22\",\"panelRefName\":\"panel_0\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"29\",\"w\":16,\"x\":0,\"y\":68},\"panelIndex\":\"29\",\"panelRefName\":\"panel_1\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"30\",\"w\":9,\"x\":18,\"y\":48},\"panelIndex\":\"30\",\"panelRefName\":\"panel_2\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"31\",\"w\":9,\"x\":0,\"y\":48},\"panelIndex\":\"31\",\"panelRefName\":\"panel_3\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"32\",\"w\":9,\"x\":9,\"y\":48},\"panelIndex\":\"32\",\"panelRefName\":\"panel_4\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"33\",\"w\":17,\"x\":16,\"y\":68},\"panelIndex\":\"33\",\"panelRefName\":\"panel_5\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"34\",\"w\":15,\"x\":33,\"y\":68},\"panelIndex\":\"34\",\"panelRefName\":\"panel_6\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Creation Summary [Windows Security]\"},\"gridData\":{\"h\":13,\"i\":\"36\",\"w\":9,\"x\":0,\"y\":55},\"panelIndex\":\"36\",\"panelRefName\":\"panel_7\",\"title\":\"Group Creation Summary [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Changes Summary [Windows 
Security]\"},\"gridData\":{\"h\":13,\"i\":\"37\",\"w\":9,\"x\":9,\"y\":55},\"panelIndex\":\"37\",\"panelRefName\":\"panel_8\",\"title\":\"Group Changes Summary [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Deletion Summary [Windows Security]\"},\"gridData\":{\"h\":13,\"i\":\"38\",\"w\":9,\"x\":18,\"y\":55},\"panelIndex\":\"38\",\"panelRefName\":\"panel_9\",\"title\":\"Group Deletion Summary [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Users Added to Group Summary [Windows Security]\"},\"gridData\":{\"h\":14,\"i\":\"39\",\"w\":16,\"x\":0,\"y\":75},\"panelIndex\":\"39\",\"panelRefName\":\"panel_10\",\"title\":\"Users Added to Group Summary [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Users Removed From Group Summary [Windows Security]\"},\"gridData\":{\"h\":14,\"i\":\"40\",\"w\":17,\"x\":16,\"y\":75},\"panelIndex\":\"40\",\"panelRefName\":\"panel_11\",\"title\":\"Users Removed From Group Summary [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Enumeration - Table [Windows Security]\"},\"gridData\":{\"h\":14,\"i\":\"42\",\"w\":15,\"x\":33,\"y\":75},\"panelIndex\":\"42\",\"panelRefName\":\"panel_12\",\"title\":\"Group Enumeration - Table [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Details [Windows Security]\"},\"gridData\":{\"h\":20,\"i\":\"43\",\"w\":21,\"x\":27,\"y\":48},\"panelIndex\":\"43\",\"panelRefName\":\"panel_13\",\"title\":\"Logon Details [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Management Operations Details [Windows Security]\"},\"gridData\":{\"h\":22,\"i\":\"45\",\"w\":48,\"x\":0,\"y\":89},\"panelIndex\":\"45\",\"panelRefName\":\"panel_14\",\"title\":\"Group Management Operations Details [Windows 
Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-group-account\":\"#0A437C\",\"added-member-to-group\":\"#1F78C1\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#052B51\",\"user-member-enumerated\":\"#447EBC\"},\"vis\":{\"colors\":{\"added-group-account\":\"#0A437C\",\"added-member-to-group\":\"#1F78C1\",\"deleted-group-account\":\"#82B5D8\",\"modified-group-account\":\"#052B51\",\"user-member-enumerated\":\"#447EBC\"}}},\"gridData\":{\"h\":20,\"i\":\"3f7e277d-09d1-4a79-bc17-bc5da5a7e290\",\"w\":20,\"x\":0,\"y\":7},\"panelIndex\":\"3f7e277d-09d1-4a79-bc17-bc5da5a7e290\",\"panelRefName\":\"panel_15\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"8cda9d6a-096f-41a5-86e6-09dd1f6b9c98\",\"w\":16,\"x\":32,\"y\":7},\"panelIndex\":\"8cda9d6a-096f-41a5-86e6-09dd1f6b9c98\",\"panelRefName\":\"panel_16\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Management Events - Event Actions - Table [Windows Security]\"},\"gridData\":{\"h\":20,\"i\":\"74edddd5-2dc5-41b8-b4f2-bf9c95218f1b\",\"w\":12,\"x\":20,\"y\":7},\"panelIndex\":\"74edddd5-2dc5-41b8-b4f2-bf9c95218f1b\",\"panelRefName\":\"panel_17\",\"title\":\"Group Management Events - Event Actions - Table [Windows 
Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"vis\":null},\"gridData\":{\"h\":21,\"i\":\"33cef054-615a-49cb-bb2e-eb55fab96ae5\",\"w\":27,\"x\":0,\"y\":27},\"panelIndex\":\"33cef054-615a-49cb-bb2e-eb55fab96ae5\",\"panelRefName\":\"panel_18\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-group-account\":\"#1F78C1\",\"added-member-to-group\":\"#0A437C\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#0A50A1\",\"type-changed-group-account\":\"#82B5D8\",\"user-member-enumerated\":\"#447EBC\"},\"vis\":{\"colors\":{\"added-group-account\":\"#1F78C1\",\"added-member-to-group\":\"#0A437C\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#0A50A1\",\"removed-member-from-group\":\"#BADFF4\",\"type-changed-group-account\":\"#82B5D8\",\"user-member-enumerated\":\"#447EBC\"}}},\"gridData\":{\"h\":21,\"i\":\"e0d495aa-f897-403f-815b-6116fae330b7\",\"w\":21,\"x\":27,\"y\":27},\"panelIndex\":\"e0d495aa-f897-403f-815b-6116fae330b7\",\"panelRefName\":\"panel_19\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"663e0493-2070-407b-9d00-079915cce7e7\",\"w\":32,\"x\":16,\"y\":0},\"panelIndex\":\"663e0493-2070-407b-9d00-079915cce7e7\",\"panelRefName\":\"panel_20\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[Windows Security] Group Management Events", - "version": 1 - }, - "id": "windows-bb858830-f412-11e9-8405-516218e3d268", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-6f0f2ea0-f414-11e9-8405-516218e3d268", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-ffebe440-f419-11e9-8405-516218e3d268", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-e22c6f40-f498-11e9-8405-516218e3d268", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-ee292bc0-f499-11e9-8405-516218e3d268", - "name": "panel_3", - "type": 
"visualization" - }, - { - "id": "windows-400b63e0-f49a-11e9-8405-516218e3d268", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-a5f664c0-f49a-11e9-8405-516218e3d268", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-546febc0-f49b-11e9-8405-516218e3d268", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "windows-98884120-f49d-11e9-8405-516218e3d268", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "windows-9e534190-f49d-11e9-8405-516218e3d268", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-bb9cf7a0-f49d-11e9-8405-516218e3d268", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-ce867840-f49e-11e9-8405-516218e3d268", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "windows-fee83900-f49f-11e9-8405-516218e3d268", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "windows-bc165210-f4b8-11e9-8405-516218e3d268", - "name": "panel_12", - "type": "visualization" - }, - { - "id": "windows-7e178c80-fee1-11e9-8405-516218e3d268", - "name": "panel_13", - "type": "search" - }, - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "panel_14", - "type": "search" - }, - { - "id": "windows-b89b0c90-9b41-11ea-87e4-49f31ec44891", - "name": "panel_15", - "type": "visualization" - }, - { - "id": "windows-58fb9480-9b46-11ea-87e4-49f31ec44891", - "name": "panel_16", - "type": "visualization" - }, - { - "id": "windows-33462600-9b47-11ea-87e4-49f31ec44891", - "name": "panel_17", - "type": "visualization" - }, - { - "id": "windows-e20c02d0-9b48-11ea-87e4-49f31ec44891", - "name": "panel_18", - "type": "visualization" - }, - { - "id": "windows-7de2e3f0-9b4d-11ea-87e4-49f31ec44891", - "name": "panel_19", - "type": "visualization" - }, - { - "id": "windows-a3c3f350-9b6d-11ea-87e4-49f31ec44891", - "name": "panel_20", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file 
diff --git a/packages/system/0.10.3/kibana/dashboard/system-d401ef40-a7d5-11e9-a422-d144027429da.json b/packages/system/0.10.3/kibana/dashboard/system-d401ef40-a7d5-11e9-a422-d144027429da.json deleted file mode 100644 index 3936b5ec35..0000000000 --- a/packages/system/0.10.3/kibana/dashboard/system-d401ef40-a7d5-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,84 +0,0 @@ -{ - "attributes": { - "description": "Failed and blocked accounts with TSVB metrics.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"1\",\"w\":14,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"Failed Logins\":\"#EF843C\",\"Failed Logons\":\"#E24D42\",\"Successful Login\":\"#B7DBAB\",\"Successful Logon\":\"#9AC48A\"},\"legendOpen\":true,\"title\":\"Login Successful vs Failed\",\"vis\":{\"colors\":{\"Failed Logins\":\"#EF843C\",\"Failed Logons\":\"#BF1B00\",\"Successful Login\":\"#B7DBAB\",\"Successful Logon\":\"#9AC48A\"},\"legendOpen\":true}},\"gridData\":{\"h\":18,\"i\":\"2\",\"w\":12,\"x\":0,\"y\":7},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"title\":\"Login Successful vs Failed\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Blocked Acoounts\"},\"gridData\":{\"h\":21,\"i\":\"3\",\"w\":11,\"x\":12,\"y\":35},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"title\":\"Blocked Acoounts\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"Login Failed\":\"#F9934E\",\"Login OK\":\"#9AC48A\",\"Logon Failed\":\"#E24D42\",\"Logon Successful\":\"#9AC48A\"},\"legendOpen\":true,\"title\":\"Logon Successful and Failed Over time\",\"vis\":{\"colors\":{\"Login Failed\":\"#F9934E\",\"Login OK\":\"#9AC48A\",\"Logon Failed\":\"#BF1B00\",\"Logon Successful\":\"#9AC48A\"},\"legendOpen\":true}},\"gridData\":{\"h\":18,\"i\":\"4\",\"w\":23,\"x\":12,\"y\":7},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"title\":\"Logon Successful and Failed Over 
time\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"5\",\"w\":12,\"x\":0,\"y\":35},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Failed (Time Mosaic View)\",\"vis\":{\"defaultColors\":{\"0 - 5\":\"rgb(255,245,240)\",\"10 - 15\":\"rgb(252,138,106)\",\"15 - 20\":\"rgb(241,68,50)\",\"20 - 24\":\"rgb(188,20,26)\",\"5 - 10\":\"rgb(253,202,181)\"},\"legendOpen\":false}},\"gridData\":{\"h\":30,\"i\":\"6\",\"w\":48,\"x\":0,\"y\":56},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"title\":\"Logon Failed (Time Mosaic View)\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Failed and Account Lockouts\"},\"gridData\":{\"h\":20,\"i\":\"8\",\"w\":48,\"x\":0,\"y\":86},\"panelIndex\":\"8\",\"panelRefName\":\"panel_6\",\"title\":\"Logon Failed and Account Lockouts\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Failed Source IPs\"},\"gridData\":{\"h\":18,\"i\":\"10\",\"w\":13,\"x\":35,\"y\":7},\"panelIndex\":\"10\",\"panelRefName\":\"panel_7\",\"title\":\"Logon Failed Source IPs\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Failed Logins Table\"},\"gridData\":{\"h\":31,\"i\":\"11\",\"w\":25,\"x\":23,\"y\":25},\"panelIndex\":\"11\",\"panelRefName\":\"panel_8\",\"title\":\"Failed Logins 
Table\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"628de26f-7b7b-457c-b811-e06161e4e7b4\",\"w\":34,\"x\":14,\"y\":0},\"panelIndex\":\"628de26f-7b7b-457c-b811-e06161e4e7b4\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":10,\"i\":\"01a624c2-7a86-4fa9-89d3-e2ae84e94ec9\",\"w\":12,\"x\":0,\"y\":25},\"panelIndex\":\"01a624c2-7a86-4fa9-89d3-e2ae84e94ec9\",\"panelRefName\":\"panel_10\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":10,\"i\":\"e3046900-1ffc-4efa-9dab-613d685c617b\",\"w\":11,\"x\":12,\"y\":25},\"panelIndex\":\"e3046900-1ffc-4efa-9dab-613d685c617b\",\"panelRefName\":\"panel_11\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[Windows Security] Failed and Blocked Accounts", - "version": 1 - }, - "id": "windows-d401ef40-a7d5-11e9-a422-d144027429da", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-c2ea73f0-a4bd-11e9-a422-d144027429da", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-175a5760-a7d5-11e9-a422-d144027429da", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-7a329a00-a7d5-11e9-a422-d144027429da", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-162d7ab0-a7d6-11e9-a422-d144027429da", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-729443b0-a7d6-11e9-a422-d144027429da", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-4b683ac0-a7d7-11e9-a422-d144027429da", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-757510b0-a87f-11e9-a422-d144027429da", - "name": "panel_6", - "type": "search" - }, - { - "id": "windows-2084e300-a884-11e9-a422-d144027429da", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "windows-421f0610-af98-11e9-a422-d144027429da", - "name": 
"panel_8", - "type": "visualization" - }, - { - "id": "windows-a3c3f350-9b6d-11ea-87e4-49f31ec44891", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-8ef59f90-6ab8-11ea-896f-0d70f7ec3956", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "windows-a79395f0-6aba-11ea-896f-0d70f7ec3956", - "name": "panel_11", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/dashboard/system-f49f3170-9ffc-11ea-87e4-49f31ec44891.json b/packages/system/0.10.3/kibana/dashboard/system-f49f3170-9ffc-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 1cff15d29f..0000000000 --- a/packages/system/0.10.3/kibana/dashboard/system-f49f3170-9ffc-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,84 +0,0 @@ -{ - "attributes": { - "description": "Failed and blocked accounts.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"1\",\"w\":14,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"Failed Logins\":\"#EF843C\",\"Failed Logons\":\"#E24D42\",\"Successful Login\":\"#B7DBAB\",\"Successful Logon\":\"#9AC48A\"},\"legendOpen\":true,\"title\":\"Login Successful vs Failed\",\"vis\":{\"colors\":{\"Failed Logins\":\"#EF843C\",\"Failed Logons\":\"#BF1B00\",\"Successful Login\":\"#B7DBAB\",\"Successful Logon\":\"#9AC48A\"},\"legendOpen\":true}},\"gridData\":{\"h\":18,\"i\":\"2\",\"w\":12,\"x\":0,\"y\":7},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"title\":\"Login Successful vs Failed\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Blocked Acoounts\"},\"gridData\":{\"h\":21,\"i\":\"3\",\"w\":11,\"x\":12,\"y\":35},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"title\":\"Blocked Acoounts\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"Login Failed\":\"#F9934E\",\"Login OK\":\"#9AC48A\",\"Logon Failed\":\"#E24D42\",\"Logon Successful\":\"#9AC48A\"},\"legendOpen\":true,\"title\":\"Logon Successful and Failed Over time\",\"vis\":{\"colors\":{\"Login Failed\":\"#F9934E\",\"Login OK\":\"#9AC48A\",\"Logon Failed\":\"#BF1B00\",\"Logon Successful\":\"#9AC48A\"},\"legendOpen\":true}},\"gridData\":{\"h\":18,\"i\":\"4\",\"w\":23,\"x\":12,\"y\":7},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"title\":\"Logon Successful and Failed Over 
time\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"5\",\"w\":12,\"x\":0,\"y\":35},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Failed (Time Mosaic View)\",\"vis\":{\"defaultColors\":{\"0 - 5\":\"rgb(255,245,240)\",\"10 - 15\":\"rgb(252,138,106)\",\"15 - 20\":\"rgb(241,68,50)\",\"20 - 24\":\"rgb(188,20,26)\",\"5 - 10\":\"rgb(253,202,181)\"},\"legendOpen\":false}},\"gridData\":{\"h\":30,\"i\":\"6\",\"w\":48,\"x\":0,\"y\":56},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"title\":\"Logon Failed (Time Mosaic View)\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Failed and Account Lockouts\"},\"gridData\":{\"h\":20,\"i\":\"8\",\"w\":48,\"x\":0,\"y\":86},\"panelIndex\":\"8\",\"panelRefName\":\"panel_6\",\"title\":\"Logon Failed and Account Lockouts\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Failed Source IPs\"},\"gridData\":{\"h\":18,\"i\":\"10\",\"w\":13,\"x\":35,\"y\":7},\"panelIndex\":\"10\",\"panelRefName\":\"panel_7\",\"title\":\"Logon Failed Source IPs\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Failed Logins Table\"},\"gridData\":{\"h\":31,\"i\":\"11\",\"w\":25,\"x\":23,\"y\":25},\"panelIndex\":\"11\",\"panelRefName\":\"panel_8\",\"title\":\"Failed Logins 
Table\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"a79ee89f-ff45-486c-9788-9446d39456c2\",\"w\":34,\"x\":14,\"y\":0},\"panelIndex\":\"a79ee89f-ff45-486c-9788-9446d39456c2\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":10,\"i\":\"7765df59-11c4-476d-898f-9ebf98c369e2\",\"w\":11,\"x\":12,\"y\":25},\"panelIndex\":\"7765df59-11c4-476d-898f-9ebf98c369e2\",\"panelRefName\":\"panel_10\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":10,\"i\":\"b47c91d3-58c4-4b5b-b302-444b048efdfa\",\"w\":12,\"x\":0,\"y\":25},\"panelIndex\":\"b47c91d3-58c4-4b5b-b302-444b048efdfa\",\"panelRefName\":\"panel_11\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[Windows Security] Failed and Blocked Accounts - Simple Metrics", - "version": 1 - }, - "id": "windows-f49f3170-9ffc-11ea-87e4-49f31ec44891", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-c2ea73f0-a4bd-11e9-a422-d144027429da", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-175a5760-a7d5-11e9-a422-d144027429da", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-7a329a00-a7d5-11e9-a422-d144027429da", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-162d7ab0-a7d6-11e9-a422-d144027429da", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-729443b0-a7d6-11e9-a422-d144027429da", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-4b683ac0-a7d7-11e9-a422-d144027429da", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-757510b0-a87f-11e9-a422-d144027429da", - "name": "panel_6", - "type": "search" - }, - { - "id": "windows-2084e300-a884-11e9-a422-d144027429da", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "windows-421f0610-af98-11e9-a422-d144027429da", 
- "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-d770b040-9b35-11ea-87e4-49f31ec44891", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-5d117970-9ffd-11ea-87e4-49f31ec44891", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "windows-4bedf650-9ffd-11ea-87e4-49f31ec44891", - "name": "panel_11", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/search/system-06b6b060-7a80-11ea-bc9a-0baf2ca323a3.json b/packages/system/0.10.3/kibana/search/system-06b6b060-7a80-11ea-bc9a-0baf2ca323a3.json deleted file mode 100644 index 0b73c97bde..0000000000 --- a/packages/system/0.10.3/kibana/search/system-06b6b060-7a80-11ea-bc9a-0baf2ca323a3.json +++ /dev/null 
@@ -1,50 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.name", - "user.domain", - "winlog.logon.id", - "event.action", - "winlog.logon.type", - "winlog.event_data.SubjectUserName" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4625\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"4625\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "User Logouts [Windows Security]", - "version": 1 - }, - "id": "windows-06b6b060-7a80-11ea-bc9a-0baf2ca323a3", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file 
diff --git a/packages/system/0.10.3/kibana/search/system-324686c0-fefb-11e9-8405-516218e3d268.json b/packages/system/0.10.3/kibana/search/system-324686c0-fefb-11e9-8405-516218e3d268.json deleted file mode 100644 index 2f987e17c9..0000000000 --- a/packages/system/0.10.3/kibana/search/system-324686c0-fefb-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "attributes": { - "columns": [ - "event.action", - "winlog.event_data.TargetUserName", - "user.domain", - "user.name", - "winlog.event_data.SubjectDomainName", - "winlog.logon.id", - "related.user" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4720\",\"4722\",\"4723\",\"4724\",\"4725\",\"4726\",\"4738\",\"4740\",\"4767\",\"4781\",\"4798\"],\"type\":\"phrases\",\"value\":\"4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740, 4767, 4781, 4798\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4720\"}},{\"match_phrase\":{\"event.code\":\"4722\"}},{\"match_phrase\":{\"event.code\":\"4723\"}},{\"match_phrase\":{\"event.code\":\"4724\"}},{\"match_phrase\":{\"event.code\":\"4725\"}},{\"match_phrase\":{\"event.code\":\"4726\"}},{\"match_phrase\":{\"event.code\":\"4738\"}},{\"match_phrase\":{\"event.code\":\"4740\"}},{\"match_phrase\":{\"event.code\":\"4767\"}},{\"match_phrase\":{\"event.code\":\"4781\"}},{\"match_phrase\":{\"event.code\":\"4798\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "User management Details - Search [Windows Security]", - "version": 1 - }, - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - 
"type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/search/system-62439dc0-f9c9-11e6-a747-6121780e0414.json b/packages/system/0.10.3/kibana/search/system-62439dc0-f9c9-11e6-a747-6121780e0414.json deleted file mode 100644 index abdd218801..0000000000 --- a/packages/system/0.10.3/kibana/search/system-62439dc0-f9c9-11e6-a747-6121780e0414.json +++ /dev/null @@ -1,33 +0,0 @@ -{ - "attributes": { - "columns": [ - "system.auth.ssh.event", - "system.auth.ssh.method", - "user.name", - "source.ip", - "source.geo.country_iso_code" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:system.auth AND system.auth.ssh.event:*\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "SSH login attempts [Logs System]", - "version": 1 - }, - "id": "system-62439dc0-f9c9-11e6-a747-6121780e0414", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/search/system-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3.json b/packages/system/0.10.3/kibana/search/system-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3.json deleted file mode 100644 index f1f985f535..0000000000 --- a/packages/system/0.10.3/kibana/search/system-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3.json +++ /dev/null 
@@ -1,44 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.name", - "source.domain", - "source.ip", - "winlog.logon.id", - "event.action" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4778\",\"4779\"],\"type\":\"phrases\",\"value\":\"4778, 4779\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4778\"}},{\"match_phrase\":{\"event.code\":\"4779\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Remote Interactive Connections and Disconnections [Windows Security]", - "version": 1 - }, - "id": "windows-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/search/system-757510b0-a87f-11e9-a422-d144027429da.json b/packages/system/0.10.3/kibana/search/system-757510b0-a87f-11e9-a422-d144027429da.json deleted file mode 100644 index 5507975b23..0000000000 --- a/packages/system/0.10.3/kibana/search/system-757510b0-a87f-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,51 +0,0 @@ -{ - "attributes": { - "columns": [ - "event.action", - "user.name", - "related.user", - "user.domain", - "source.domain", - "source.ip", - "winlog.event_data.SubjectUserName" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4625\",\"4740\"],\"type\":\"phrases\",\"value\":\"4625, 4740\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4625\"}},{\"match_phrase\":{\"event.code\":\"4740\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "3. 
Login Failed Details", - "version": 1 - }, - "id": "windows-757510b0-a87f-11e9-a422-d144027429da", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/search/system-7e178c80-fee1-11e9-8405-516218e3d268.json b/packages/system/0.10.3/kibana/search/system-7e178c80-fee1-11e9-8405-516218e3d268.json deleted file mode 100644 index 3c91e58e3d..0000000000 --- a/packages/system/0.10.3/kibana/search/system-7e178c80-fee1-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,44 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.name", - "source.domain", - "source.ip", - "winlog.logon.id", - "winlog.logon.type" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4624\"],\"type\":\"phrases\",\"value\":\"4624\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4624\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Logon Details [Windows Security]", - "version": 1 - }, - "id": "windows-7e178c80-fee1-11e9-8405-516218e3d268", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/search/system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab.json b/packages/system/0.10.3/kibana/search/system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab.json deleted file mode 100644 index ae1484339a..0000000000 --- a/packages/system/0.10.3/kibana/search/system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.name", - "user.id", - "group.id", - "system.auth.useradd.home", - "system.auth.useradd.shell" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.useradd:*\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "useradd logs [Logs System]", - "version": 1 - }, - "id": "system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/search/system-9066d5b0-fef2-11e9-8405-516218e3d268.json b/packages/system/0.10.3/kibana/search/system-9066d5b0-fef2-11e9-8405-516218e3d268.json deleted file mode 100644 index 075cb8a083..0000000000 --- a/packages/system/0.10.3/kibana/search/system-9066d5b0-fef2-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,45 +0,0 @@ -{ - "attributes": { - "columns": [ - "event.action", - "group.name", - "group.domain", - "user.name", - "user.domain", - "host.name" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4731\",\"4732\",\"4733\",\"4734\",\"4735\",\"4737\",\"4764\",\"4727\",\"4728\",\"4729\",\"4730\",\"4754\",\"4755\",\"4756\",\"4757\",\"4758\",\"4799\",\"4749\",\"4750\",\"4751\",\"4752\",\"4753\",\"4759\",\"4760\",\"4761\",\"4762\",\"4763\",\"4744\",\"4745\",\"4746\",\"4748\"],\"type\":\"phrases\",\"value\":\"4731, 4732, 4733, 4734, 4735, 4737, 4764, 4727, 4728, 4729, 4730, 4754, 4755, 4756, 4757, 4758, 4799, 4749, 4750, 4751, 4752, 4753, 4759, 4760, 4761, 4762, 4763, 4744, 4745, 4746, 4748\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4731\"}},{\"match_phrase\":{\"event.code\":\"4732\"}},{\"match_phrase\":{\"event.code\":\"4733\"}},{\"match_phrase\":{\"event.code\":\"4734\"}},{\"match_phrase\":{\"event.code\":\"4735\"}},{\"match_phrase\":{\"event.code\":\"4737\"}},{\"match_phrase\":{\"event.code\":\"4764\"}},{\"match_phrase\":{\"event.code\":\"4727\"}},{\"match_phrase\":{\"event.code\":\"4728\"}},{\"match_phrase\":{\"event.code\":\"4729\"}},{\"match_phrase\":{\"event.code\":\"4730\"}},{\"match_phrase\":{\"event.code\":\"4754\"}},{\"match_phrase\":{\"event.code\":\"4755\"}},{\"match_phrase\":{\"event.code\":\"4756\"}},{\"match_phrase\":{\"event.code\":\"4757\"}},{\"match_phrase\":{\"event.code\":\"4758\"}},{\"match_phrase\":{\"event.code\":\"4799\"}},{\"match_phrase\":{\"event.code\":\"4749\"}},{\"match_phrase\":{\"event.code\":\"4750\"}},{\"match_phrase\":{\"event.code\":\"4751\"}},{\"match_phrase\":{\"event.code\":\"4752\"}},{\"match_phrase\":{\"even
t.code\":\"4753\"}},{\"match_phrase\":{\"event.code\":\"4759\"}},{\"match_phrase\":{\"event.code\":\"4760\"}},{\"match_phrase\":{\"event.code\":\"4761\"}},{\"match_phrase\":{\"event.code\":\"4762\"}},{\"match_phrase\":{\"event.code\":\"4763\"}},{\"match_phrase\":{\"event.code\":\"4744\"}},{\"match_phrase\":{\"event.code\":\"4745\"}},{\"match_phrase\":{\"event.code\":\"4746\"}},{\"match_phrase\":{\"event.code\":\"4748\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Group Management Details - Search View [Windows Security]", - "version": 1 - }, - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/search/system-Syslog-system-logs.json b/packages/system/0.10.3/kibana/search/system-Syslog-system-logs.json deleted file mode 100644 index 6a2ef982d2..0000000000 --- a/packages/system/0.10.3/kibana/search/system-Syslog-system-logs.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "columns": [ - "host.hostname", - "process.name", - "message" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:system.syslog\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Syslog logs [Logs System]", - "version": 1 - }, - "id": "system-Syslog-system-logs", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/search/system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a.json b/packages/system/0.10.3/kibana/search/system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a.json deleted file mode 100644 index e64a483853..0000000000 --- a/packages/system/0.10.3/kibana/search/system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.name", - "system.auth.sudo.user", - "system.auth.sudo.pwd", - "system.auth.sudo.command" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.sudo:*\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Sudo commands [Logs System]", - "version": 1 - }, - "id": "system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/search/system-ce71c9a0-a25e-11e9-a422-d144027429da.json b/packages/system/0.10.3/kibana/search/system-ce71c9a0-a25e-11e9-a422-d144027429da.json deleted file mode 100644 index b7a3f89050..0000000000 --- a/packages/system/0.10.3/kibana/search/system-ce71c9a0-a25e-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,44 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.name", - "winlog.logon.type", - "source.domain", - "source.ip", - "winlog.logon.id" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4624\"},\"type\":\"phrase\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4624\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "User Logons [Windows Security]", - "version": 1 - }, - "id": "windows-ce71c9a0-a25e-11e9-a422-d144027429da", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/search/system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38.json b/packages/system/0.10.3/kibana/search/system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38.json deleted file mode 100644 index e05ac92d9b..0000000000 --- a/packages/system/0.10.3/kibana/search/system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38.json +++ /dev/null 
@@ -1,30 +0,0 @@
-{
- "attributes": {
- "columns": [
- "group.name",
- "group.id"
- ],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.groupadd:*\"}}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "groupadd logs [Logs System]",
- "version": 1
- },
- "id": "system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38",
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.3/kibana/visualization/system-006d75f0-9c03-11ea-87e4-49f31ec44891.json b/packages/system/0.10.3/kibana/visualization/system-006d75f0-9c03-11ea-87e4-49f31ec44891.json
deleted file mode 100644
index 6e0b3e1461..0000000000
--- a/packages/system/0.10.3/kibana/visualization/system-006d75f0-9c03-11ea-87e4-49f31ec44891.json
+++ /dev/null
@@ -1,32 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4624\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"4624\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}"
- },
- "title": "Logon Types [Windows Security]",
- "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"winlog.logon.id\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"winlog.logon.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"label\":\"user.name: Descending\",\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"cardinality\",\"format\":{\"id\":\"number\"},\"label\":\"Unique count of winlog.logon.id\",\"params\":{}}},\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Logon Types [Windows Security]\",\"type\":\"pie\"}"
- },
- "id": "windows-006d75f0-9c03-11ea-87e4-49f31ec44891",
- "migrationVersion": {
- "visualization": "7.10.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.3/kibana/visualization/system-0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.3/kibana/visualization/system-0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf.json
deleted file mode 100644
index 5385f1ebf7..0000000000
--- a/packages/system/0.10.3/kibana/visualization/system-0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf.json
+++ /dev/null
@@ -1,32 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4722\"},\"type\":\"phrase\",\"value\":\"4722\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4722\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}"
- },
- "title": "Users Enabled - Table [Windows Security]",
- "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Enabled User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Enabled - Table [Windows Security]\",\"type\":\"table\"}"
- },
- "id": "windows-0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf",
- "migrationVersion": {
- "visualization": "7.10.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.3/kibana/visualization/system-0622da40-9bfd-11ea-87e4-49f31ec44891.json b/packages/system/0.10.3/kibana/visualization/system-0622da40-9bfd-11ea-87e4-49f31ec44891.json
deleted file mode 100644
index 9cccbc53a6..0000000000
--- a/packages/system/0.10.3/kibana/visualization/system-0622da40-9bfd-11ea-87e4-49f31ec44891.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{}"
- },
- "title": "Administrator Logons [Windows Security]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"d5bcde50-9bfc-11ea-aaa3-618beeff2d9c\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(181,49,0,1)\",\"id\":\"16018150-9bfd-11ea-aaa3-618beeff2d9c\",\"operator\":\"gte\",\"value\":0}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"filter\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.security AND event.code: \\\"4672\\\")\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Administrator Logons\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Administrator Logons [Windows Security]\",\"type\":\"metrics\"}"
- },
- "id": "windows-0622da40-9bfd-11ea-87e4-49f31ec44891",
- "migrationVersion": {
- "visualization": "7.10.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.3/kibana/visualization/system-089b85d0-1b16-11e7-b09e-037021c4f8df.json b/packages/system/0.10.3/kibana/visualization/system-089b85d0-1b16-11e7-b09e-037021c4f8df.json
deleted file mode 100644
index 40175102f6..0000000000
--- a/packages/system/0.10.3/kibana/visualization/system-089b85d0-1b16-11e7-b09e-037021c4f8df.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "title": "Network Traffic (Bytes) [Metrics System]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"lucene\",\"query\":\"-system.network.name:l*\"},\"id\":\"da1046f0-faa0-11e6-86b1-cd7735ff7e23\",\"index_pattern\":\"*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"da1046f1-faa0-11e6-86b1-cd7735ff7e23\",\"label\":\"Inbound \",\"line_width\":\"0\",\"metrics\":[{\"field\":\"system.network.in.bytes\",\"id\":\"da1046f2-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"max\"},{\"field\":\"da1046f2-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"f41f9280-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"field\":\"f41f9280-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"a87398e0-1b93-11e7-8ada-3df93aab833e\",\"type\":\"positive_only\",\"unit\":\"\"},{\"function\":\"sum\",\"id\":\"2d533df0-2c2d-11e7-be71-3162da85303f\",\"type\":\"series_agg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(250,40,255,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"fbbd5720-faa0-11e6-86b1-cd7735ff7e23\",\"label\":\"Outbound \",\"line_width\":\"0\",\"metrics\":[{\"field\":\"system.network.out.bytes\",\"id\":\"fbbd7e30-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"max\"},{\"field\":\"fbbd7e30-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"fbbd7e31-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"id\":\"17e597a0-faa1-11e6-86b1-cd7735ff7e23\",\"script\":\"params.rate != null \\u0026\\u0026 params.rate \\u003e 0 ? params.rate * -1 : null\",\"type\":\"calculation\",\"variables\":[{\"field\":\"fbbd7e31-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"1940bad0-faa1-11e6-86b1-cd7735ff7e23\",\"name\":\"rate\"}]},{\"function\":\"sum\",\"id\":\"533da9b0-2c2d-11e7-be71-3162da85303f\",\"type\":\"series_agg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"Mericbeat: Network Traffic (Bytes)\",\"type\":\"metrics\"}"
- },
- "id": "system-089b85d0-1b16-11e7-b09e-037021c4f8df",
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.3/kibana/visualization/system-0cb2d940-bcde-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.3/kibana/visualization/system-0cb2d940-bcde-11e9-b6a2-c9b4015c4baf.json
deleted file mode 100644
index aa62566ae2..0000000000
--- a/packages/system/0.10.3/kibana/visualization/system-0cb2d940-bcde-11e9-b6a2-c9b4015c4baf.json
+++ /dev/null
@@ -1,32 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4725\"},\"type\":\"phrase\",\"value\":\"4725\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4725\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}"
- },
- "title": "Users Disabled - Simple Metric [Windows Security]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Disabled Users\",\"field\":\"user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Disabled - Simple Metric [Windows Security]\",\"type\":\"metric\"}"
- },
- "id": "windows-0cb2d940-bcde-11e9-b6a2-c9b4015c4baf",
- "migrationVersion": {
- "visualization": "7.10.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.3/kibana/visualization/system-0f2f5280-feeb-11e9-8405-516218e3d268.json b/packages/system/0.10.3/kibana/visualization/system-0f2f5280-feeb-11e9-8405-516218e3d268.json
deleted file mode 100644
index a01efe4b67..0000000000
--- a/packages/system/0.10.3/kibana/visualization/system-0f2f5280-feeb-11e9-8405-516218e3d268.json
+++ /dev/null
@@ -1,32 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4799\"},\"type\":\"phrase\",\"value\":\"4799\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4799\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}"
- },
- "title": "Group Membership Enumeration - Simple Metric [Windows Security]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Group Membership Enumerated\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Blues\",\"colorsRange\":[{\"from\":0,\"to\":500,\"type\":\"range\"},{\"from\":500,\"to\":20000},{\"from\":20000,\"to\":30000},{\"from\":30000,\"to\":40000}],\"invertColors\":true,\"labels\":{\"show\":true},\"metricColorMode\":\"Labels\",\"percentageMode\":false,\"style\":{\"bgColor\":true,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Group Membership Enumeration - Simple Metric [Windows Security]\",\"type\":\"metric\"}"
- },
- "id": "windows-0f2f5280-feeb-11e9-8405-516218e3d268",
- "migrationVersion": {
- "visualization": "7.10.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.3/kibana/visualization/system-102efd20-bcdd-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.3/kibana/visualization/system-102efd20-bcdd-11e9-b6a2-c9b4015c4baf.json
deleted file mode 100644
index 478633bdbd..0000000000
--- a/packages/system/0.10.3/kibana/visualization/system-102efd20-bcdd-11e9-b6a2-c9b4015c4baf.json
+++ /dev/null
@@ -1,32 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4720\"},\"type\":\"phrase\",\"value\":\"4720\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4720\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}"
- },
- "title": "Users Created - Simple Metric [Windows Security]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Users Created\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Created - Simple Metric [Windows Security]\",\"type\":\"metric\"}"
- },
- "id": "windows-102efd20-bcdd-11e9-b6a2-c9b4015c4baf",
- "migrationVersion": {
- "visualization": "7.10.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.3/kibana/visualization/system-117f5a30-9b71-11ea-87e4-49f31ec44891.json b/packages/system/0.10.3/kibana/visualization/system-117f5a30-9b71-11ea-87e4-49f31ec44891.json
deleted file mode 100644
index 3f10e8d002..0000000000
--- a/packages/system/0.10.3/kibana/visualization/system-117f5a30-9b71-11ea-87e4-49f31ec44891.json
+++ /dev/null
@@ -1,28 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "Target Users [Windows Security]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Target Users [Windows Security]\",\"type\":\"tagcloud\"}"
- },
- "id": "windows-117f5a30-9b71-11ea-87e4-49f31ec44891",
- "migrationVersion": {
- "visualization": "7.10.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "windows-324686c0-fefb-11e9-8405-516218e3d268",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.3/kibana/visualization/system-12667040-fa80-11e6-a1df-a78bd7504d38.json b/packages/system/0.10.3/kibana/visualization/system-12667040-fa80-11e6-a1df-a78bd7504d38.json
deleted file mode 100644
index 8c5d8b0366..0000000000
--- a/packages/system/0.10.3/kibana/visualization/system-12667040-fa80-11e6-a1df-a78bd7504d38.json
+++ /dev/null
@@ -1,22 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[]}"
- },
- "savedSearchRefName": "search_0",
- "title": "New groups [Logs System]",
- "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"group.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"group.id\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"New groups\",\"type\":\"table\"}"
- },
- "id": "system-12667040-fa80-11e6-a1df-a78bd7504d38",
- "references": [
- {
- "id": "system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.3/kibana/visualization/system-162d7ab0-a7d6-11e9-a422-d144027429da.json b/packages/system/0.10.3/kibana/visualization/system-162d7ab0-a7d6-11e9-a422-d144027429da.json
deleted file mode 100644
index 749503b56b..0000000000
--- a/packages/system/0.10.3/kibana/visualization/system-162d7ab0-a7d6-11e9-a422-d144027429da.json
+++ /dev/null
@@ -1,32 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}"
- },
- "title": "Logon Successful - Logon Failed Timeline [Windows Security]",
- "uiStateJSON": "{\"vis\":{\"colors\":{\"Login Failed\":\"#F9934E\",\"Login OK\":\"#9AC48A\",\"Logon Failed\":\"#EF843C\",\"Logon Successful\":\"#9AC48A\"}}}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"2020-05-17T09:37:55.995Z\",\"to\":\"2020-05-22T03:09:27.260Z\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"filters\":[{\"input\":{\"language\":\"lucene\",\"query\":\"event.code: 4624\"},\"label\":\"Logon Successful\"},{\"input\":{\"language\":\"lucene\",\"query\":\"event.code: 4625\"},\"label\":\"Logon Failed\"}]},\"schema\":\"group\",\"type\":\"filters\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"dimensions\":{\"series\":[{\"accessor\":1,\"aggType\":\"filters\",\"format\":{},\"params\":{}}],\"x\":{\"accessor\":0,\"aggType\":\"date_histogram\",\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"HH:mm\"}},\"params\":{\"bounds\":{\"max\":\"2019-07-16T14:30:11.515Z\",\"min\":\"2019-07-16T12:30:11.514Z\"},\"date\":true,\"format\":\"HH:mm\",\"interval\":\"PT1M\"}},\"y\":[{\"accessor\":2,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"bottom\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Logon Successful - Logon Failed Timeline [Windows Security]\",\"type\":\"histogram\"}"
- },
- "id": "windows-162d7ab0-a7d6-11e9-a422-d144027429da",
- "migrationVersion": {
- "visualization": "7.10.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.3/kibana/visualization/system-175a5760-a7d5-11e9-a422-d144027429da.json b/packages/system/0.10.3/kibana/visualization/system-175a5760-a7d5-11e9-a422-d144027429da.json
deleted file mode 100644
index 86075806f2..0000000000
--- a/packages/system/0.10.3/kibana/visualization/system-175a5760-a7d5-11e9-a422-d144027429da.json
+++ /dev/null
@@ -1,32 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}"
- },
- "title": "Logon Successful vs Failed [Windows Security]",
- "uiStateJSON": "{\"vis\":{\"colors\":{\"Failed Logins\":\"#EF843C\",\"Failed Logons\":\"#EA6460\",\"Successful Login\":\"#B7DBAB\",\"Successful Logon\":\"#B7DBAB\"}}}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"filters\":[{\"input\":{\"language\":\"lucene\",\"query\":\"event.code: 4624\"},\"label\":\"Successful Logon\"},{\"input\":{\"language\":\"lucene\",\"query\":\"event.code: 4625\"},\"label\":\"Failed Logons\"}]},\"schema\":\"segment\",\"type\":\"filters\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"filters\",\"format\":{},\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}},\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"bottom\",\"type\":\"pie\"},\"title\":\"Logon Successful vs Failed [Windows Security]\",\"type\":\"pie\"}"
- },
- "id": "windows-175a5760-a7d5-11e9-a422-d144027429da",
- "migrationVersion": {
- "visualization": "7.10.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.3/kibana/visualization/system-18348f30-a24d-11e9-a422-d144027429da.json b/packages/system/0.10.3/kibana/visualization/system-18348f30-a24d-11e9-a422-d144027429da.json
deleted file mode 100644
index 4c2305d126..0000000000
--- a/packages/system/0.10.3/kibana/visualization/system-18348f30-a24d-11e9-a422-d144027429da.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}"
- },
- "title": "User Logon Dashboard [Windows Security]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"fontSize\":10,\"markdown\":\"## **Logon Information Dashboard**\",\"openLinksInNewTab\":false},\"title\":\"User Logon Dashboard [Windows Security]\",\"type\":\"markdown\"}"
- },
- "id": "windows-18348f30-a24d-11e9-a422-d144027429da",
- "migrationVersion": {
- "visualization": "7.10.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.3/kibana/visualization/system-19e123b0-4d5a-11e7-aee5-fdc812cc3bec.json b/packages/system/0.10.3/kibana/visualization/system-19e123b0-4d5a-11e7-aee5-fdc812cc3bec.json
deleted file mode 100644
index dfaa630e4a..0000000000
--- a/packages/system/0.10.3/kibana/visualization/system-19e123b0-4d5a-11e7-aee5-fdc812cc3bec.json
+++ /dev/null
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Swap usage [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.memory\\\"\"},\"gauge_color_rules\":[{\"gauge\":\"rgba(104,188,0,1)\",\"id\":\"d17c1e90-4d59-11e7-aee5-fdc812cc3bec\",\"operator\":\"gte\",\"value\":0},{\"gauge\":\"rgba(251,158,0,1)\",\"id\":\"fc1d3490-4d59-11e7-aee5-fdc812cc3bec\",\"operator\":\"gte\",\"value\":0.7},{\"gauge\":\"rgba(211,49,21,1)\",\"id\":\"0e204240-4d5a-11e7-aee5-fdc812cc3bec\",\"operator\":\"gte\",\"value\":0.85}],\"gauge_inner_width\":10,\"gauge_max\":\"\",\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"cee2fd20-4d59-11e7-aee5-fdc812cc3bec\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"cee2fd21-4d59-11e7-aee5-fdc812cc3bec\",\"label\":\"Swap usage\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.swap.used.pct\",\"id\":\"cee2fd22-4d59-11e7-aee5-fdc812cc3bec\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\"},\"title\":\"Swap usage [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-19e123b0-4d5a-11e7-aee5-fdc812cc3bec", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.3/kibana/visualization/system-1aae9140-1b93-11e7-8ada-3df93aab833e.json b/packages/system/0.10.3/kibana/visualization/system-1aae9140-1b93-11e7-8ada-3df93aab833e.json deleted file mode 100644 index 1c420ec4c8..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-1aae9140-1b93-11e7-8ada-3df93aab833e.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Outbound Traffic [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"0e346760-1b92-11e7-bec4-a5e9ec5cab8b\"}],\"filter\":{\"language\":\"lucene\",\"query\":\"-system.network.name:l*\"},\"id\":\"0c761590-1b92-11e7-bec4-a5e9ec5cab8b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"0c761591-1b92-11e7-bec4-a5e9ec5cab8b\",\"label\":\"Outbound Traffic\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.out.bytes\",\"id\":\"0c761592-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"max\"},{\"field\":\"0c761592-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"1d659060-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"field\":\"1d659060-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"f2074f70-1b92-11e7-a416-41f5ccdba2e6\",\"type\":\"positive_only\",\"unit\":\"\"},{\"function\":\"sum\",\"id\":\"a1737470-2c55-11e7-a0ad-277ce466684d\",\"type\":\"series_agg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"37f70440-1b92-11e7-bec4-a5e9ec5cab8b\",\"label\":\"Total 
Transferred\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.out.bytes\",\"id\":\"37f72b50-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"max\"},{\"field\":\"37f72b50-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"37f72b51-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"derivative\",\"unit\":\"\"},{\"field\":\"37f72b51-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"f9da2dd0-1b92-11e7-a416-41f5ccdba2e6\",\"type\":\"positive_only\",\"unit\":\"\"},{\"field\":\"f9da2dd0-1b92-11e7-a416-41f5ccdba2e6\",\"function\":\"overall_sum\",\"id\":\"3e63c2f0-1b92-11e7-bec4-a5e9ec5cab8b\",\"sigma\":\"\",\"type\":\"series_agg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"metric\"},\"title\":\"Outbound Traffic [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-1aae9140-1b93-11e7-8ada-3df93aab833e", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-1b5f17d0-feea-11e9-8405-516218e3d268.json b/packages/system/0.10.3/kibana/visualization/system-1b5f17d0-feea-11e9-8405-516218e3d268.json deleted file mode 100644 index e26a53b02e..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-1b5f17d0-feea-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4733\",\"4729\",\"4757\",\"4786\",\"4788\",\"4752\",\"4762\",\"4747\"],\"type\":\"phrases\",\"value\":\"4733, 4729, 4757, 4786, 4788, 4752, 4762, 4747\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4733\"}},{\"match_phrase\":{\"event.code\":\"4729\"}},{\"match_phrase\":{\"event.code\":\"4757\"}},{\"match_phrase\":{\"event.code\":\"4786\"}},{\"match_phrase\":{\"event.code\":\"4788\"}},{\"match_phrase\":{\"event.code\":\"4752\"}},{\"match_phrase\":{\"event.code\":\"4762\"}},{\"match_phrase\":{\"event.code\":\"4747\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Removed from Group - Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Users Removed from 
Groups\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Greens\",\"colorsRange\":[{\"from\":0,\"to\":1,\"type\":\"range\"},{\"from\":1,\"to\":5},{\"from\":5,\"to\":9},{\"from\":9,\"to\":13},{\"from\":13,\"to\":17},{\"from\":17,\"to\":20000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"Labels\",\"percentageMode\":false,\"style\":{\"bgColor\":true,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Removed from Group - Simple Metric [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-1b5f17d0-feea-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-1b6725f0-ff1d-11e9-8405-516218e3d268.json b/packages/system/0.10.3/kibana/visualization/system-1b6725f0-ff1d-11e9-8405-516218e3d268.json deleted file mode 100644 index d295f417c9..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-1b6725f0-ff1d-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Unlocks - TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(116,167,167,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4767\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Unlocks\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Unlocks - TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-1b6725f0-ff1d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.3/kibana/visualization/system-1f271bc0-231a-11ea-8405-516218e3d268.json b/packages/system/0.10.3/kibana/visualization/system-1f271bc0-231a-11ea-8405-516218e3d268.json deleted file mode 100644 index ff552a8f5c..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-1f271bc0-231a-11ea-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Renamed TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(110,139,162,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4781\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Renamed\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Renamed TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-1f271bc0-231a-11ea-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.3/kibana/visualization/system-2084e300-a884-11e9-a422-d144027429da.json b/packages/system/0.10.3/kibana/visualization/system-2084e300-a884-11e9-a422-d144027429da.json deleted file mode 100644 index 753f48cee4..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-2084e300-a884-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4625\"},\"type\":\"phrase\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4625\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Logon Failed Source IP [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"type\":\"vis_dimension\"},\"maxFontSize\":38,\"metric\":{\"accessor\":1,\"format\":{\"id\":\"string\",\"params\":{}},\"type\":\"vis_dimension\"},\"minFontSize\":10,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Logon Failed Source IP [Windows Security]\",\"type\":\"tagcloud\"}" - }, - "id": "windows-2084e300-a884-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-21aadac0-9c0b-11ea-87e4-49f31ec44891.json b/packages/system/0.10.3/kibana/visualization/system-21aadac0-9c0b-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 16842dce87..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-21aadac0-9c0b-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Logon Sources [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Logon Sources [Windows Security]\",\"type\":\"tagcloud\"}" - }, - "id": "windows-21aadac0-9c0b-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-7e178c80-fee1-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-25f31ee0-9c23-11ea-87e4-49f31ec44891.json b/packages/system/0.10.3/kibana/visualization/system-25f31ee0-9c23-11ea-87e4-49f31ec44891.json deleted file mode 100644 index f2c4c313fa..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-25f31ee0-9c23-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4648\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"4648\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Logon with Explicit Credentials [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"user.name\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":200},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"subjectUserName\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"source.ip\",\"field\":\"source.ip\",\"json\":\"{\\\"missing\\\": 
\\\"::\\\"}\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Logon with Explicit Credentials [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-25f31ee0-9c23-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-26732e20-1b91-11e7-bec4-a5e9ec5cab8b.json b/packages/system/0.10.3/kibana/visualization/system-26732e20-1b91-11e7-bec4-a5e9ec5cab8b.json deleted file mode 100644 index 2ca5154a30..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-26732e20-1b91-11e7-bec4-a5e9ec5cab8b.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Load Gauge [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"feefabd0-1b90-11e7-bec4-a5e9ec5cab8b\"}],\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.load\\\" \"},\"gauge_color_rules\":[{\"id\":\"ffd94880-1b90-11e7-bec4-a5e9ec5cab8b\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"fdcc6180-1b90-11e7-bec4-a5e9ec5cab8b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"fdcc6181-1b90-11e7-bec4-a5e9ec5cab8b\",\"label\":\"5m Load\",\"line_width\":1,\"metrics\":[{\"field\":\"system.load.5\",\"id\":\"fdcc6182-1b90-11e7-bec4-a5e9ec5cab8b\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\"},\"title\":\"Load Gauge [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-26732e20-1b91-11e7-bec4-a5e9ec5cab8b", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-26877510-9b72-11ea-87e4-49f31ec44891.json b/packages/system/0.10.3/kibana/visualization/system-26877510-9b72-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 633e074066..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-26877510-9b72-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "User Management Actions [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"User Management Actions [Windows Security]\",\"type\":\"pie\"}" - }, - "id": "windows-26877510-9b72-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-2c71e0f0-9c0d-11ea-87e4-49f31ec44891.json b/packages/system/0.10.3/kibana/visualization/system-2c71e0f0-9c0d-11ea-87e4-49f31ec44891.json deleted file mode 100644 index fc2fd470e9..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-2c71e0f0-9c0d-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4624\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"4624\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Logons Simple [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Logons\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"aggType\":\"cardinality\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Logons Simple [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-2c71e0f0-9c0d-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.3/kibana/visualization/system-2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.3/kibana/visualization/system-2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 0844a15684..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "User Management Events - Description [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":10,\"markdown\":\"# **User Management Events**\\n\\n#### This dashboard shows information about User Management Events collected by winlogbeat\\n\",\"openLinksInNewTab\":false},\"title\":\"User Management Events - Description [Windows Security]\",\"type\":\"markdown\"}" - }, - "id": "windows-2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-2e224660-1b19-11e7-b09e-037021c4f8df.json b/packages/system/0.10.3/kibana/visualization/system-2e224660-1b19-11e7-b09e-037021c4f8df.json deleted file mode 100644 index 75186de954..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-2e224660-1b19-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Processes By Memory [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"bar_color\":\"rgba(104,188,0,1)\",\"id\":\"efb9b660-1b18-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0},{\"bar_color\":\"rgba(254,146,0,1)\",\"id\":\"17fcb820-1b19-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.7},{\"bar_color\":\"rgba(211,49,21,1)\",\"id\":\"1dd61070-1b19-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.85}],\"drilldown_url\":\"\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.process\\\" \"},\"id\":\"edfceb30-1b18-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"edfceb31-1b18-11e7-b09e-037021c4f8df\",\"line_width\":1,\"metrics\":[{\"field\":\"system.process.memory.rss.pct\",\"id\":\"edfceb32-1b18-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"process.name\",\"terms_order_by\":\"edfceb32-1b18-11e7-b09e-037021c4f8df\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Processes By Memory [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-2e224660-1b19-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.3/kibana/visualization/system-327417e0-8462-11e7-bab8-bd2f0fb42c54.json b/packages/system/0.10.3/kibana/visualization/system-327417e0-8462-11e7-bab8-bd2f0fb42c54.json deleted file mode 100644 index 464f6c729c..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-327417e0-8462-11e7-bab8-bd2f0fb42c54.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Dashboards [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"[Syslog](#/dashboard/system-Filebeat-syslog-dashboard) | [Sudo commands](#/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a) | [SSH logins](#/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a) | [New users and groups](#/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab)\"},\"title\":\"Dashboards [Logs System]\",\"type\":\"markdown\"}" - }, - "id": "system-327417e0-8462-11e7-bab8-bd2f0fb42c54", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-33462600-9b47-11ea-87e4-49f31ec44891.json b/packages/system/0.10.3/kibana/visualization/system-33462600-9b47-11ea-87e4-49f31ec44891.json deleted file mode 100644 index db2aa3d667..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-33462600-9b47-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Group Management Events - Event Actions - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"event.action\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"event.code\",\"field\":\"event.code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Group Management Events - Event Actions - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-33462600-9b47-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.3/kibana/visualization/system-341ffe70-f9ce-11e6-8115-a7c18106d86a.json b/packages/system/0.10.3/kibana/visualization/system-341ffe70-f9ce-11e6-8115-a7c18106d86a.json deleted file mode 100644 index f155739938..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-341ffe70-f9ce-11e6-8115-a7c18106d86a.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.ssh.event:Failed OR system.auth.ssh.event:Invalid\"}}" - }, - "title": "SSH users of failed login attempts [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"scale\":\"linear\"},\"title\":\"SSH users of failed login attempts\",\"type\":\"tagcloud\"}" - }, - "id": "system-341ffe70-f9ce-11e6-8115-a7c18106d86a", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-346bb290-fa80-11e6-a1df-a78bd7504d38.json b/packages/system/0.10.3/kibana/visualization/system-346bb290-fa80-11e6-a1df-a78bd7504d38.json deleted file mode 100644 index 0ad2f78f65..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-346bb290-fa80-11e6-a1df-a78bd7504d38.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New groups over time [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"group.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"bottom\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"New groups over time\",\"type\":\"histogram\"}" - }, - "id": "system-346bb290-fa80-11e6-a1df-a78bd7504d38", - "references": [ - { - "id": "system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-34f97ee0-1b96-11e7-8ada-3df93aab833e.json b/packages/system/0.10.3/kibana/visualization/system-34f97ee0-1b96-11e7-8ada-3df93aab833e.json deleted file mode 100644 index 89d9b0fae2..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-34f97ee0-1b96-11e7-8ada-3df93aab833e.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Disk Usage [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"bar_color_rules\":[{\"bar_color\":\"rgba(104,188,0,1)\",\"id\":\"bf525310-1b95-11e7-8ada-3df93aab833e\",\"operator\":\"gte\",\"value\":0},{\"bar_color\":\"rgba(254,146,0,1)\",\"id\":\"125fc4c0-1b96-11e7-8ada-3df93aab833e\",\"operator\":\"gte\",\"value\":0.7},{\"bar_color\":\"rgba(211,49,21,1)\",\"id\":\"1a5c7240-1b96-11e7-8ada-3df93aab833e\",\"operator\":\"gte\",\"value\":0.85}],\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"drilldown_url\":\"\",\"filter\":{\"language\":\"lucene\",\"query\":\"-system.filesystem.mount_point:\\\\/run* AND -system.filesystem.mount_point:\\\\/sys* AND -system.filesystem.mount_point:\\\\/dev* AND -system.filesystem.mount_point:\\\\/proc* AND -system.filesystem.mount_point:\\\\/var* AND 
-system.filesystem.mount_point:\\\\/boot\"},\"id\":\"9f7e48a0-1b95-11e7-8ada-3df93aab833e\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"9f7e48a1-1b95-11e7-8ada-3df93aab833e\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"system.filesystem.used.pct\",\"id\":\"9f7e48a2-1b95-11e7-8ada-3df93aab833e\",\"order\":\"desc\",\"order_by\":\"@timestamp\",\"size\":1,\"type\":\"top_hit\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.filesystem.mount_point\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"top_n\"},\"title\":\"Disk Usage [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-34f97ee0-1b96-11e7-8ada-3df93aab833e", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-3cec3eb0-f9d3-11e6-8a3e-2b904044ea1d.json b/packages/system/0.10.3/kibana/visualization/system-3cec3eb0-f9d3-11e6-8a3e-2b904044ea1d.json deleted file mode 100644 index c9e1455d68..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-3cec3eb0-f9d3-11e6-8a3e-2b904044ea1d.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.ssh.event:Failed OR system.auth.ssh.event:Invalid\"}}" - }, - "title": "SSH failed login attempts source locations [Logs System]", - "uiStateJSON": "{\"mapCenter\":[17.602139123350838,69.697265625],\"mapZoom\":2}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"autoPrecision\":true,\"field\":\"source.geo.location\",\"precision\":2},\"schema\":\"segment\",\"type\":\"geohash_grid\"}],\"listeners\":{},\"params\":{\"addTooltip\":true,\"heatBlur\":15,\"heatMaxZoom\":16,\"heatMinOpacity\":0.1,\"heatNormalizeData\":true,\"heatRadius\":25,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[15,5],\"mapType\":\"Shaded Circle Markers\",\"mapZoom\":2,\"wms\":{\"enabled\":false,\"options\":{\"attribution\":\"Maps provided by USGS\",\"format\":\"image/png\",\"layers\":\"0\",\"styles\":\"\",\"transparent\":true,\"version\":\"1.3.0\"},\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\"}},\"title\":\"SSH failed login attempts source locations\",\"type\":\"tile_map\"}" - }, - "id": "system-3cec3eb0-f9d3-11e6-8a3e-2b904044ea1d", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-3d65d450-a9c3-11e7-af20-67db8aecb295.json b/packages/system/0.10.3/kibana/visualization/system-3d65d450-a9c3-11e7-af20-67db8aecb295.json deleted file mode 100644 index 467738abc7..0000000000 
--- a/packages/system/0.10.3/kibana/visualization/system-3d65d450-a9c3-11e7-af20-67db8aecb295.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Tip [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"**TIP:** To select another host, go to the [System Overview](#/dashboard/system-Metrics-system-overview) dashboard and double-click a host name.\"},\"title\":\"Tip [Metrics System]\",\"type\":\"markdown\"}" - }, - "id": "system-3d65d450-a9c3-11e7-af20-67db8aecb295", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-400b63e0-f49a-11e9-8405-516218e3d268.json b/packages/system/0.10.3/kibana/visualization/system-400b63e0-f49a-11e9-8405-516218e3d268.json deleted file mode 100644 index 6a74b71833..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-400b63e0-f49a-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Groups Changed TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(200,201,197,1)\",\"id\":\"bfcaced0-f419-11e9-928e-8f5fd2b6c66e\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(221,186,64,1)\",\"id\":\"a7d935e0-f497-11e9-928e-8f5fd2b6c66e\",\"operator\":\"gt\",\"value\":0}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code:4735 OR event.code:4737 OR event.code:\\\"4755\\\" OR event.code:\\\"4764\\\" OR event.code:\\\"4750\\\" OR event.code:\\\"4760\\\" OR event.code:\\\"4745\\\" OR event.code:\\\"4784\\\" OR event.code:\\\"4791\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"60d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Groups Changed\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Groups Changed TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-400b63e0-f49a-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.3/kibana/visualization/system-421f0610-af98-11e9-a422-d144027429da.json b/packages/system/0.10.3/kibana/visualization/system-421f0610-af98-11e9-a422-d144027429da.json deleted file mode 100644 index d39a6141ab..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-421f0610-af98-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4625\"},\"type\":\"phrase\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4625\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Logon Failed Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Time 
Bucket\",\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"h\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"2020-05-17T09:37:55.995Z\",\"to\":\"2020-05-22T03:09:27.260Z\"},\"useNormalizedEsInterval\":true},\"schema\":\"bucket\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"user.name\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"source workstation\",\"field\":\"source.domain\",\"json\":\"{\\\"missing\\\": \\\"N/A\\\"}\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"source.ip\",\"field\":\"source.ip\",\"json\":\"{\\\"missing\\\": 
\\\"::\\\"}\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"event.action\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"winlog.logon.type\",\"field\":\"winlog.logon.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"8\",\"params\":{\"customLabel\":\"winlog.event_data.SubjectUserName\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"date_histogram\",\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD 
HH:mm\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":4,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":5,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":15,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Logon Failed Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-421f0610-af98-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.3/kibana/visualization/system-4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index ed7b83e131..0000000000 
--- a/packages/system/0.10.3/kibana/visualization/system-4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4740\"},\"type\":\"phrase\",\"value\":\"4740\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4740\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Locked Out - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Locked User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Locked Out - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-4b683ac0-a7d7-11e9-a422-d144027429da.json b/packages/system/0.10.3/kibana/visualization/system-4b683ac0-a7d7-11e9-a422-d144027429da.json deleted file mode 100644 index 6f92dc8999..0000000000 
--- a/packages/system/0.10.3/kibana/visualization/system-4b683ac0-a7d7-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4625\"],\"type\":\"phrases\",\"value\":\"4625\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4625\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Failed Logon HeatMap [Windows Security]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 4\":\"rgb(255,255,204)\",\"12 - 16\":\"rgb(252,91,46)\",\"16 - 20\":\"rgb(212,16,32)\",\"4 - 8\":\"rgb(254,225,135)\",\"8 - 12\":\"rgb(254,171,73)\"}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"drop_partials\":true,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"h\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"2020-05-17T09:37:55.995Z\",\"to\":\"2020-05-22T03:09:27.260Z\"},\"useNormalizedEsInterval\":true},\"schema\":\"group\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTooltip\":false,\"colorSchema\":\"Yellow to Red\",\"colorsNumber\":5,\"colorsRange\":[],\"dimensions\":{\"series\":[{\"accessor\":1,\"aggType\":\"date_histogram\",\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD HH:mm\"}},\"label\":\"@timestamp per hour\",\"params\":{}}],\"x\":{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"label\":\"user.name: Descending\",\"params\":{}},\"y\":[{\"accessor\":2,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}}]},\"enableHover\":true,\"invertColors\":false,\"legendPosition\":\"bottom\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"type\":\"heatmap\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"black\",\"overwriteColor\":false,\"rotate\":0,\"show\":true},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Failed Logon HeatMap [Windows Security]\",\"type\":\"heatmap\"}" - }, - "id": 
"windows-4b683ac0-a7d7-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-4bedf650-9ffd-11ea-87e4-49f31ec44891.json b/packages/system/0.10.3/kibana/visualization/system-4bedf650-9ffd-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 91ec1afb81..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-4bedf650-9ffd-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4625\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"4625\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": " Failed Logons [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Failed Logons\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\" Failed Logons [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-4bedf650-9ffd-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-4d546850-1b15-11e7-b09e-037021c4f8df.json b/packages/system/0.10.3/kibana/visualization/system-4d546850-1b15-11e7-b09e-037021c4f8df.json deleted file mode 100644 index cd04472792..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-4d546850-1b15-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "System Load [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.load\\\"\"},\"id\":\"f6264ad0-1b14-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(115,216,255,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"f62671e0-1b14-11e7-b09e-037021c4f8df\",\"label\":\"1m\",\"line_width\":\"3\",\"metrics\":[{\"field\":\"system.load.1\",\"id\":\"f62671e1-1b14-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"1c324850-1b15-11e7-b09e-037021c4f8df\",\"label\":\"5m\",\"line_width\":\"3\",\"metrics\":[{\"field\":\"system.load.5\",\"id\":\"1c324851-1b15-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,98,177,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"3287e740-1b15-11e7-b09e-037021c4f8df\",\"label\":\"15m\",\"line_width\":\"3\",\"metrics\":[{\"field\":\"system.load.15\",\"id\":\"32880e50-1b15-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"
title\":\"System Load [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-4d546850-1b15-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-4e4bb1e0-1b1b-11e7-b09e-037021c4f8df.json b/packages/system/0.10.3/kibana/visualization/system-4e4bb1e0-1b1b-11e7-b09e-037021c4f8df.json deleted file mode 100644 index 4bdb84e270..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-4e4bb1e0-1b1b-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Disk IO (Bytes) [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.diskio\\\"\"},\"id\":\"d3c67db0-1b1a-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(22,165,165,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"d3c67db1-1b1a-11e7-b09e-037021c4f8df\",\"label\":\"reads\",\"line_width\":1,\"metrics\":[{\"field\":\"system.diskio.read.bytes\",\"id\":\"d3c67db2-1b1a-11e7-b09e-037021c4f8df\",\"type\":\"max\"},{\"field\":\"d3c67db2-1b1a-11e7-b09e-037021c4f8df\",\"id\":\"f55b9910-1b1a-11e7-b09e-037021c4f8df\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"field\":\"f55b9910-1b1a-11e7-b09e-037021c4f8df\",\"id\":\"dcbbb100-1b93-11e7-8ada-3df93aab833e\",\"type\":\"positive_only\",\"unit\":\"\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"value_template\":\"{{value}}/s\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(251,158,0,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"144124d0-1b1b-11e7-b09e-037021c4f8df\",\"label\":\"writes\",\"line_width\":1,\"metrics\":[{\"field\":\"system.diskio.write.bytes\",\"id\":\"144124d1-1b1b-11e7-b09e-037021c4f8df\",\"type\":\"max\"},{\"field\":\"144124d1-1b1b-11e7-b09e-037021c4f8df\",\"id\":\"144124d2-1b1b-11e7-b09e-037021c4f8df\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"id\":\"144124d4-1b1b-11e7-b09e-037021c4f8df\",\"script\":\"params.rate \\u003e 0 ? 
params.rate * -1 : 0\",\"type\":\"calculation\",\"variables\":[{\"field\":\"144124d2-1b1b-11e7-b09e-037021c4f8df\",\"id\":\"144124d3-1b1b-11e7-b09e-037021c4f8df\",\"name\":\"rate\"}]}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"value_template\":\"{{value}}/s\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"Disk IO (Bytes) [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-4e4bb1e0-1b1b-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-51164310-fa2b-11e6-bbd3-29c986c96e5a.json b/packages/system/0.10.3/kibana/visualization/system-51164310-fa2b-11e6-bbd3-29c986c96e5a.json deleted file mode 100644 index efa1f752dd..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-51164310-fa2b-11e6-bbd3-29c986c96e5a.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.sudo.error:*\"}}" - }, - "title": "Sudo errors [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"system.auth.sudo.error\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"Sudo errors\",\"type\":\"histogram\"}" - }, - "id": "system-51164310-fa2b-11e6-bbd3-29c986c96e5a", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b.json b/packages/system/0.10.3/kibana/visualization/system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b.json deleted file mode 100644 index bd07f29ec0..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Inbound Traffic [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"0e346760-1b92-11e7-bec4-a5e9ec5cab8b\"}],\"filter\":{\"language\":\"lucene\",\"query\":\"-system.network.name:l*\"},\"id\":\"0c761590-1b92-11e7-bec4-a5e9ec5cab8b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"0c761591-1b92-11e7-bec4-a5e9ec5cab8b\",\"label\":\"Inbound Traffic\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.in.bytes\",\"id\":\"0c761592-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"max\"},{\"field\":\"0c761592-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"1d659060-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"field\":\"1d659060-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"f2074f70-1b92-11e7-a416-41f5ccdba2e6\",\"type\":\"positive_only\",\"unit\":\"\"},{\"function\":\"sum\",\"id\":\"c40e18f0-2c55-11e7-a0ad-277ce466684d\",\"type\":\"series_agg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"37f70440-1b92-11e7-bec4-a5e9ec5cab8b\",\"label\":\"Total 
Transferred\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.in.bytes\",\"id\":\"37f72b50-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"max\"},{\"field\":\"37f72b50-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"37f72b51-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"derivative\",\"unit\":\"\"},{\"field\":\"37f72b51-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"f9da2dd0-1b92-11e7-a416-41f5ccdba2e6\",\"type\":\"positive_only\",\"unit\":\"\"},{\"field\":\"f9da2dd0-1b92-11e7-a416-41f5ccdba2e6\",\"function\":\"overall_sum\",\"id\":\"3e63c2f0-1b92-11e7-bec4-a5e9ec5cab8b\",\"sigma\":\"\",\"type\":\"series_agg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"metric\"},\"title\":\"Inbound Traffic [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-546febc0-f49b-11e9-8405-516218e3d268.json b/packages/system/0.10.3/kibana/visualization/system-546febc0-f49b-11e9-8405-516218e3d268.json deleted file mode 100644 index 2a4dc48ec0..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-546febc0-f49b-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Groups Enumeration - TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(128,128,128,1)\",\"color\":\"rgba(179,179,179,1)\",\"id\":\"bfcaced0-f419-11e9-928e-8f5fd2b6c66e\",\"operator\":\"gt\",\"value\":0},{\"background_color\":\"rgba(179,179,179,1)\",\"id\":\"8d3f3ed0-9b51-11ea-99a1-e5b989979a59\",\"operator\":\"lte\",\"value\":0}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code:4799\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Group Membership Enumeration\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Groups Enumeration - TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-546febc0-f49b-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.3/kibana/visualization/system-568a8130-bcde-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.3/kibana/visualization/system-568a8130-bcde-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 933f67bf45..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-568a8130-bcde-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4723\",\"4724\"],\"type\":\"phrases\",\"value\":\"4723, 4724\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4723\"}},{\"match_phrase\":{\"event.code\":\"4724\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Password Reset / Changes [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Password Changes\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Password Reset / Changes [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-568a8130-bcde-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], 
- "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-58fb9480-9b46-11ea-87e4-49f31ec44891.json b/packages/system/0.10.3/kibana/visualization/system-58fb9480-9b46-11ea-87e4-49f31ec44891.json deleted file mode 100644 index ff437ba2d3..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-58fb9480-9b46-11ea-87e4-49f31ec44891.json +++ /dev/null @@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Group Management Events - Target Groups - Tag Cloud [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"maxFontSize\":58,\"minFontSize\":18,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Group Management Events - Target Groups - Tag Cloud [Windows Security]\",\"type\":\"tagcloud\"}" - }, - "id": "windows-58fb9480-9b46-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.3/kibana/visualization/system-590a60f0-5d87-11e7-8884-1bb4c3b890e4.json b/packages/system/0.10.3/kibana/visualization/system-590a60f0-5d87-11e7-8884-1bb4c3b890e4.json deleted file mode 100644 index e5419418c6..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-590a60f0-5d87-11e7-8884-1bb4c3b890e4.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Number of processes [Metrics System]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Processes\",\"field\":\"process.pid\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.process\\\"\"},\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"type\":\"gauge\"},\"title\":\"Number of processes\",\"type\":\"metric\"}" - }, - "id": "system-590a60f0-5d87-11e7-8884-1bb4c3b890e4", - "references": [ - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-5bb93ed0-a249-11e9-a422-d144027429da.json b/packages/system/0.10.3/kibana/visualization/system-5bb93ed0-a249-11e9-a422-d144027429da.json deleted file mode 100644 index 9742f4a43f..0000000000 
--- a/packages/system/0.10.3/kibana/visualization/system-5bb93ed0-a249-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4672\"},\"type\":\"phrase\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4672\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Admin Logons Simple [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Admin Logons\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"aggType\":\"cardinality\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Admin Logons Simple [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-5bb93ed0-a249-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.3/kibana/visualization/system-5c7af030-fa2a-11e6-bbd3-29c986c96e5a.json b/packages/system/0.10.3/kibana/visualization/system-5c7af030-fa2a-11e6-bbd3-29c986c96e5a.json deleted file mode 100644 index 112d3d6530..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-5c7af030-fa2a-11e6-bbd3-29c986c96e5a.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Sudo commands by user [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"Sudo commands by user\",\"type\":\"histogram\"}" - }, - "id": "system-5c7af030-fa2a-11e6-bbd3-29c986c96e5a", - "references": [ - { - "id": "system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-5c9ee410-9b74-11ea-87e4-49f31ec44891.json b/packages/system/0.10.3/kibana/visualization/system-5c9ee410-9b74-11ea-87e4-49f31ec44891.json deleted file mode 100644 index dca0f9262f..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-5c9ee410-9b74-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "User Event Actions - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"event.action\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":25},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"event.code\",\"field\":\"event.code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"User Event Actions - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-5c9ee410-9b74-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.3/kibana/visualization/system-5d117970-9ffd-11ea-87e4-49f31ec44891.json b/packages/system/0.10.3/kibana/visualization/system-5d117970-9ffd-11ea-87e4-49f31ec44891.json deleted file mode 100644 index fa00481119..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-5d117970-9ffd-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4740\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"4740\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Blocked Accounts [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Blocked Accounts\",\"field\":\"user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Blocked Accounts [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-5d117970-9ffd-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.3/kibana/visualization/system-5d92b100-bce8-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.3/kibana/visualization/system-5d92b100-bce8-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 51ea966488..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-5d92b100-bce8-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4738\"],\"type\":\"phrases\",\"value\":\"4738\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4738\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Changes - Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Changes in Users\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Changes - Simple Metric [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-5d92b100-bce8-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.3/kibana/visualization/system-5dd15c00-fa78-11e6-ae9b-81e5311e8cab.json b/packages/system/0.10.3/kibana/visualization/system-5dd15c00-fa78-11e6-ae9b-81e5311e8cab.json deleted file mode 100644 index bc04c92dd4..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-5dd15c00-fa78-11e6-ae9b-81e5311e8cab.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New users over time [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"bottom\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"New users over time\",\"type\":\"histogram\"}" - }, - "id": "system-5dd15c00-fa78-11e6-ae9b-81e5311e8cab", - "references": [ - { - "id": "system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-5e19ff80-231c-11ea-8405-516218e3d268.json b/packages/system/0.10.3/kibana/visualization/system-5e19ff80-231c-11ea-8405-516218e3d268.json deleted file mode 100644 index a48866082b..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-5e19ff80-231c-11ea-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4781\"],\"type\":\"phrases\",\"value\":\"4781\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4781\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Renamed - Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Renamed Users\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Renamed - Simple Metric [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-5e19ff80-231c-11ea-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.3/kibana/visualization/system-5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.3/kibana/visualization/system-5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 4af6ebd0b6..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4720\"},\"type\":\"phrase\",\"value\":\"4720\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4720\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Created - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Created User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Created - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-5eeaafd0-fee7-11e9-8405-516218e3d268.json b/packages/system/0.10.3/kibana/visualization/system-5eeaafd0-fee7-11e9-8405-516218e3d268.json deleted file mode 100644 index 14a99c93c0..0000000000 
--- a/packages/system/0.10.3/kibana/visualization/system-5eeaafd0-fee7-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4734\",\"4730\",\"4758\",\"4748\",\"4763\",\"4753\",\"4792\",\"4789\"],\"type\":\"phrases\",\"value\":\"4734, 4730, 4758, 4748, 4763, 4753, 4792, 4789\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4734\"}},{\"match_phrase\":{\"event.code\":\"4730\"}},{\"match_phrase\":{\"event.code\":\"4758\"}},{\"match_phrase\":{\"event.code\":\"4748\"}},{\"match_phrase\":{\"event.code\":\"4763\"}},{\"match_phrase\":{\"event.code\":\"4753\"}},{\"match_phrase\":{\"event.code\":\"4792\"}},{\"match_phrase\":{\"event.code\":\"4789\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"lucene\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Groups Deleted- Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Groups Deleted\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Greens\",\"colorsRange\":[{\"from\":0,\"to\":1,\"type\":\"range\"},{\"from\":1,\"to\":5},{\"from\":5,\"to\":10},{\"from\":10,\"to\":15},{\"from\":15,\"to\":20},{\"from\":20,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"Labels\",\"percentageMode\":false,\"style\":{\"bgColor\":true,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Groups Deleted- 
Simple Metric [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-5eeaafd0-fee7-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-60301890-ff1d-11e9-8405-516218e3d268.json b/packages/system/0.10.3/kibana/visualization/system-60301890-ff1d-11e9-8405-516218e3d268.json deleted file mode 100644 index 52f84418d2..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-60301890-ff1d-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Password Changes - TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(154,196,198,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4723\\\" OR event.code: \\\"4724\\\"\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Password Changes/Reset\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Password Changes - TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-60301890-ff1d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.3/kibana/visualization/system-6b7b9a40-faa1-11e6-86b1-cd7735ff7e23.json b/packages/system/0.10.3/kibana/visualization/system-6b7b9a40-faa1-11e6-86b1-cd7735ff7e23.json deleted file mode 100644 index 22a26c29d4..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-6b7b9a40-faa1-11e6-86b1-cd7735ff7e23.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Network Traffic (Packets) [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"lucene\",\"query\":\"-system.network.name:l*\"},\"id\":\"da1046f0-faa0-11e6-86b1-cd7735ff7e23\",\"index_pattern\":\"*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":\"1\",\"formatter\":\"0.[00]a\",\"id\":\"da1046f1-faa0-11e6-86b1-cd7735ff7e23\",\"label\":\"Inbound\",\"line_width\":\"0\",\"metrics\":[{\"field\":\"system.network.in.packets\",\"id\":\"da1046f2-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"max\"},{\"field\":\"da1046f2-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"f41f9280-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"field\":\"f41f9280-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"c0da3d80-1b93-11e7-8ada-3df93aab833e\",\"type\":\"positive_only\",\"unit\":\"\"},{\"function\":\"sum\",\"id\":\"ecaad010-2c2c-11e7-be71-3162da85303f\",\"type\":\"series_agg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(250,40,255,1)\",\"fill\":\"1\",\"formatter\":\"0.[00]a\",\"id\":\"fbbd5720-faa0-11e6-86b1-cd7735ff7e23\",\"label\":\"Outbound\",\"line_width\":\"0\",\"metrics\":[{\"field\":\"system.network.out.packets\",\"id\":\"fbbd7e30-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"max\"},{\"field\":\"fbbd7e30-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"fbbd7e31-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"id\":\"17e597a0-faa1-11e6-86b
1-cd7735ff7e23\",\"script\":\"params.rate != null \\u0026\\u0026 params.rate \\u003e 0 ? params.rate * -1 : null\",\"type\":\"calculation\",\"variables\":[{\"field\":\"fbbd7e31-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"1940bad0-faa1-11e6-86b1-cd7735ff7e23\",\"name\":\"rate\"}]},{\"function\":\"sum\",\"id\":\"fe5fbdc0-2c2c-11e7-be71-3162da85303f\",\"type\":\"series_agg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"Mericbeat: Network Traffic (Packets)\",\"type\":\"metrics\"}" - }, - "id": "system-6b7b9a40-faa1-11e6-86b1-cd7735ff7e23", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-6f0f2ea0-f414-11e9-8405-516218e3d268.json b/packages/system/0.10.3/kibana/visualization/system-6f0f2ea0-f414-11e9-8405-516218e3d268.json deleted file mode 100644 index 4da7034431..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-6f0f2ea0-f414-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Group Management Events - Description [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":10,\"markdown\":\"# **Group Management Events**\\n\\n#### This dashboard shows information about Group Management Events collected by winlogbeat\\n\",\"openLinksInNewTab\":false},\"title\":\"Group Management Events - Description [Windows Security]\",\"type\":\"markdown\"}" - }, - "id": "windows-6f0f2ea0-f414-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-729443b0-a7d6-11e9-a422-d144027429da.json b/packages/system/0.10.3/kibana/visualization/system-729443b0-a7d6-11e9-a422-d144027429da.json deleted file mode 100644 index 67e90b9ee1..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-729443b0-a7d6-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4625\",\"4771\"],\"type\":\"phrases\",\"value\":\"4625, 4771\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4625\"}},{\"match_phrase\":{\"event.code\":\"4771\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Logon Failed Acconts [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"type\":\"vis_dimension\"},\"maxFontSize\":37,\"metric\":{\"accessor\":1,\"format\":{\"id\":\"string\",\"params\":{}},\"type\":\"vis_dimension\"},\"minFontSize\":15,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Logon Failed Acconts [Windows Security]\",\"type\":\"tagcloud\"}" - }, - "id": "windows-729443b0-a7d6-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-7322f9f0-ff1c-11e9-8405-516218e3d268.json b/packages/system/0.10.3/kibana/visualization/system-7322f9f0-ff1c-11e9-8405-516218e3d268.json deleted file mode 100644 index e59b87fe2e..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-7322f9f0-ff1c-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Deleted - TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(228,155,75,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4726\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Deleted\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Deleted - TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-7322f9f0-ff1c-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.3/kibana/visualization/system-78b74f30-f9cd-11e6-8115-a7c18106d86a.json b/packages/system/0.10.3/kibana/visualization/system-78b74f30-f9cd-11e6-8115-a7c18106d86a.json deleted file mode 100644 index c119c156ea..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-78b74f30-f9cd-11e6-8115-a7c18106d86a.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - }, - "title": "SSH login attempts [Logs System]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Accepted\":\"#3F6833\",\"Failed\":\"#F9934E\",\"Invalid\":\"#447EBC\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"system.auth.ssh.event\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"SSH login attempts\",\"type\":\"histogram\"}" - }, - "id": "system-78b74f30-f9cd-11e6-8115-a7c18106d86a", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.3/kibana/visualization/system-7a329a00-a7d5-11e9-a422-d144027429da.json b/packages/system/0.10.3/kibana/visualization/system-7a329a00-a7d5-11e9-a422-d144027429da.json deleted file mode 100644 index 0156cd0ffc..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-7a329a00-a7d5-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4740\"},\"type\":\"phrase\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4740\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Blocked Accounts Tag [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"type\":\"vis_dimension\"},\"maxFontSize\":53,\"metric\":{\"accessor\":1,\"format\":{\"id\":\"string\",\"params\":{}},\"type\":\"vis_dimension\"},\"minFontSize\":18,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Blocked Accounts Tag [Windows Security]\",\"type\":\"tagcloud\"}" - }, - "id": "windows-7a329a00-a7d5-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - 
}, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-7cdb1330-4d1a-11e7-a196-69b9a7a020a9.json b/packages/system/0.10.3/kibana/visualization/system-7cdb1330-4d1a-11e7-a196-69b9a7a020a9.json deleted file mode 100644 index e89f3a3690..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-7cdb1330-4d1a-11e7-a196-69b9a7a020a9.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Hosts histogram by CPU usage [Metrics System]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0% - 5%\":\"rgb(247,252,245)\",\"10% - 15%\":\"rgb(116,196,118)\",\"15% - 20%\":\"rgb(35,139,69)\",\"5% - 10%\":\"rgb(199,233,192)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"CPU usage\",\"field\":\"system.cpu.user.pct\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Hosts\",\"field\":\"host.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Greens\",\"colorsNumber\":4,\"colorsRange\":[],\"enableHover\":false,\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.cpu\\\" \"},\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"type\":\"heatmap\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"#555\",\"rotate\":0,\"show\":false},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Hosts histogram by CPU usage [Metrics System]\",\"type\":\"heatmap\"}" - }, - "id": "system-7cdb1330-4d1a-11e7-a196-69b9a7a020a9", - "references": [ - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.3/kibana/visualization/system-7de2e3f0-9b4d-11ea-87e4-49f31ec44891.json b/packages/system/0.10.3/kibana/visualization/system-7de2e3f0-9b4d-11ea-87e4-49f31ec44891.json deleted file mode 100644 index ac901db56f..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-7de2e3f0-9b4d-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Group Management Action Distribution over Time [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-30d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":25},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false,\"valueAxis\":\"\"},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"positio
n\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Group Management Action Distribution over Time [Windows Security]\",\"type\":\"histogram\"}" - }, - "id": "windows-7de2e3f0-9b4d-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-804dd400-a248-11e9-a422-d144027429da.json b/packages/system/0.10.3/kibana/visualization/system-804dd400-a248-11e9-a422-d144027429da.json deleted file mode 100644 index 81fea16fcd..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-804dd400-a248-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4672\"],\"type\":\"phrases\",\"value\":\"4672\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4672\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Logged on Administrators [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Date\",\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"2020-05-20T07:35:27.496Z\",\"to\":\"2020-05-22T00:01:10.239Z\"},\"useNormalizedEsInterval\":true},\"schema\":\"bucket\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"user.name\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"8\",\"params\":{\"customLabel\":\"# 
Thread\",\"field\":\"winlog.process.thread.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"9\",\"params\":{\"customLabel\":\"LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"date_histogram\",\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD HH:mm\"}},\"label\":\"Fecha - Hora \",\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"label\":\"Usuario\",\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"label\":\"# Thread\",\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"label\":\"winlog.logon.id: Descending\",\"params\":{}}],\"metrics\":[{\"accessor\":4,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Cantidad Eventos 
\",\"params\":{}}]},\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Logged on Administrators [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-804dd400-a248-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32.json b/packages/system/0.10.3/kibana/visualization/system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32.json deleted file mode 100644 index 172b24f43c..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Disk Used [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.fsstat\\\"\"},\"gauge_color_rules\":[{\"gauge\":\"rgba(104,188,0,1)\",\"id\":\"51921d10-4d1d-11e7-b5f2-2b7c1895bf32\",\"operator\":\"gte\",\"value\":0},{\"gauge\":\"rgba(251,158,0,1)\",\"id\":\"f26de750-4d54-11e7-b5f2-2b7c1895bf32\",\"operator\":\"gte\",\"value\":0.7},{\"gauge\":\"rgba(211,49,21,1)\",\"id\":\"fa31d190-4d54-11e7-b5f2-2b7c1895bf32\",\"operator\":\"gte\",\"value\":0.85}],\"gauge_inner_width\":10,\"gauge_max\":\"1\",\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"4e4dc780-4d1d-11e7-b5f2-2b7c1895bf32\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"4e4dee90-4d1d-11e7-b5f2-2b7c1895bf32\",\"label\":\"Disk used\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"system.fsstat.total_size.used\",\"id\":\"4e4dee91-4d1d-11e7-b5f2-2b7c1895bf32\",\"order\":\"desc\",\"order_by\":\"@timestamp\",\"size\":1,\"type\":\"top_hit\"},{\"agg_with\":\"avg\",\"field\":\"system.fsstat.total_size.total\",\"id\":\"57c96ee0-4d54-11e7-b5f2-2b7c1895bf32\",\"order\":\"desc\",\"order_by\":\"@timestamp\",\"size\":1,\"type\":\"top_hit\"},{\"id\":\"6304cca0-4d54-11e7-b5f2-2b7c1895bf32\",\"script\":\"params.used/params.total 
\",\"type\":\"math\",\"variables\":[{\"field\":\"4e4dee91-4d1d-11e7-b5f2-2b7c1895bf32\",\"id\":\"6da10430-4d54-11e7-b5f2-2b7c1895bf32\",\"name\":\"used\"},{\"field\":\"57c96ee0-4d54-11e7-b5f2-2b7c1895bf32\",\"id\":\"73b8c510-4d54-11e7-b5f2-2b7c1895bf32\",\"name\":\"total\"}]}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"gauge\"},\"title\":\"Disk used [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b.json b/packages/system/0.10.3/kibana/visualization/system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b.json deleted file mode 100644 index dc7c7ab1d6..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "CPU Usage Gauge [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.cpu\\\"\"},\"gauge_color_rules\":[{\"gauge\":\"rgba(104,188,0,1)\",\"id\":\"4ef2c3b0-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0},{\"gauge\":\"rgba(254,146,0,1)\",\"id\":\"e6561ae0-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0.7},{\"gauge\":\"rgba(211,49,21,1)\",\"id\":\"ec655040-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0.85}],\"gauge_inner_width\":10,\"gauge_max\":\"1\",\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"4c9e2550-1b91-11e7-bec4-a5e9ec5cab8b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"4c9e2551-1b91-11e7-bec4-a5e9ec5cab8b\",\"label\":\"CPU Usage\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.user.pct\",\"id\":\"4c9e2552-1b91-11e7-bec4-a5e9ec5cab8b\",\"type\":\"avg\"},{\"field\":\"system.cpu.system.pct\",\"id\":\"225c2140-5fd7-11e7-a63a-a937b7c1a7e1\",\"type\":\"avg\"},{\"field\":\"system.cpu.cores\",\"id\":\"837a30c0-5fd7-11e7-a63a-a937b7c1a7e1\",\"type\":\"avg\"},{\"id\":\"587aa510-1b91-11e7-bec4-a5e9ec5cab8b\",\"script\":\"params.n \\u003e 0 ? 
(params.user+params.system)/params.n : null\",\"type\":\"calculation\",\"variables\":[{\"field\":\"4c9e2552-1b91-11e7-bec4-a5e9ec5cab8b\",\"id\":\"5a19af10-1b91-11e7-bec4-a5e9ec5cab8b\",\"name\":\"user\"},{\"field\":\"225c2140-5fd7-11e7-a63a-a937b7c1a7e1\",\"id\":\"32b54f80-5fd7-11e7-a63a-a937b7c1a7e1\",\"name\":\"system\"},{\"field\":\"837a30c0-5fd7-11e7-a63a-a937b7c1a7e1\",\"id\":\"8ba6eef0-5fd7-11e7-a63a-a937b7c1a7e1\",\"name\":\"n\"}]}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\"},\"title\":\"CPU Usage Gauge [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-84502430-bce8-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.3/kibana/visualization/system-84502430-bce8-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 83e05f5442..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-84502430-bce8-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4740\"],\"type\":\"phrases\",\"value\":\"4740\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4740\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Unlocks - Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Users Locked Out\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Unlocks - Simple Metric [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-84502430-bce8-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.3/kibana/visualization/system-855899e0-1b1c-11e7-b09e-037021c4f8df.json b/packages/system/0.10.3/kibana/visualization/system-855899e0-1b1c-11e7-b09e-037021c4f8df.json deleted file mode 100644 index ae48f968a3..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-855899e0-1b1c-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Top Hosts By CPU (Realtime) [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"bar_color\":\"rgba(104,188,0,1)\",\"id\":\"33349dd0-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0},{\"bar_color\":\"rgba(254,146,0,1)\",\"id\":\"997dc440-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.6},{\"bar_color\":\"rgba(211,49,21,1)\",\"id\":\"a10d7f20-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.85}],\"drilldown_url\":\"../app/kibana#/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8?_a=(query:(language:kuery,query:'host.name:\\\"{{key}}\\\"'))\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.cpu\\\"\"},\"id\":\"31e5afa0-1b1c-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"31e5afa1-1b1c-11e7-b09e-037021c4f8df\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.user.pct\",\"id\":\"31e5afa2-1b1c-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"host.name\",\"terms_order_by\":\"31e5afa2-1b1c-11e7-b09e-037021c4f8df\",\"terms_size\":\"10\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Top Hosts By CPU (Realtime) [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-855899e0-1b1c-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.3/kibana/visualization/system-855957d0-bcdd-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.3/kibana/visualization/system-855957d0-bcdd-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 1056243f5c..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-855957d0-bcdd-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4722\"},\"type\":\"phrase\",\"value\":\"4722\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4722\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Enabled - Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Users Enabled\",\"field\":\"user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Enabled - Simple Metric [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-855957d0-bcdd-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of 
file diff --git a/packages/system/0.10.3/kibana/visualization/system-860706a0-9bfd-11ea-87e4-49f31ec44891.json b/packages/system/0.10.3/kibana/visualization/system-860706a0-9bfd-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 6e2cbe81b4..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-860706a0-9bfd-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "User Logons [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"d5bcde50-9bfc-11ea-aaa3-618beeff2d9c\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(7,139,141,1)\",\"id\":\"16018150-9bfd-11ea-aaa3-618beeff2d9c\",\"operator\":\"gte\",\"value\":0}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"filter\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.security AND event.code: \\\"4624\\\")\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Logons \",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"User Logons [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-860706a0-9bfd-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.3/kibana/visualization/system-8ef59f90-6ab8-11ea-896f-0d70f7ec3956.json b/packages/system/0.10.3/kibana/visualization/system-8ef59f90-6ab8-11ea-896f-0d70f7ec3956.json deleted file mode 100644 index 044b3f7e20..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-8ef59f90-6ab8-11ea-896f-0d70f7ec3956.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Failed Logons TSVB [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(181,99,93,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.security AND event.code: \\\"4625\\\")\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Failed Logon\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Failed Logons TSVB [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-8ef59f90-6ab8-11ea-896f-0d70f7ec3956", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.3/kibana/visualization/system-8f20c950-bcd4-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.3/kibana/visualization/system-8f20c950-bcd4-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 8d37e6840b..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-8f20c950-bcd4-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4725\"},\"type\":\"phrase\",\"value\":\"4725\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4725\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Disabled - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Disabled User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Disabled - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-8f20c950-bcd4-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-96976150-4d5d-11e7-aa29-87a97a796de6.json b/packages/system/0.10.3/kibana/visualization/system-96976150-4d5d-11e7-aa29-87a97a796de6.json deleted file mode 100644 index 172bcb8f2c..0000000000 
--- a/packages/system/0.10.3/kibana/visualization/system-96976150-4d5d-11e7-aa29-87a97a796de6.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Packetloss [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"6ba9b1f0-4d5d-11e7-aa29-87a97a796de6\"}],\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.network\\\"\"},\"id\":\"6984af10-4d5d-11e7-aa29-87a97a796de6\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"6984af11-4d5d-11e7-aa29-87a97a796de6\",\"label\":\"In Packetloss\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.in.dropped\",\"id\":\"6984af12-4d5d-11e7-aa29-87a97a796de6\",\"type\":\"max\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"ac2e6b30-4d5d-11e7-aa29-87a97a796de6\",\"label\":\"Out Packetloss\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.out.dropped\",\"id\":\"ac2e6b31-4d5d-11e7-aa29-87a97a796de6\",\"type\":\"max\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"metric\"},\"title\":\"Packetloss [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-96976150-4d5d-11e7-aa29-87a97a796de6", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.3/kibana/visualization/system-97c70300-ff1c-11e9-8405-516218e3d268.json b/packages/system/0.10.3/kibana/visualization/system-97c70300-ff1c-11e9-8405-516218e3d268.json deleted file mode 100644 index bef426486b..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-97c70300-ff1c-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Disabled - TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(79,147,150,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.security AND event.code: \\\"4725\\\")\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Disabled\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Disabled - TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-97c70300-ff1c-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.3/kibana/visualization/system-98884120-f49d-11e9-8405-516218e3d268.json b/packages/system/0.10.3/kibana/visualization/system-98884120-f49d-11e9-8405-516218e3d268.json deleted file mode 100644 index 768e5a7c1c..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-98884120-f49d-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4731\",\"4727\",\"4754\",\"4744\",\"4759\",\"4779\",\"4790\",\"4783\"],\"type\":\"phrases\",\"value\":\"4731, 4727, 4754, 4744, 4759, 4779, 4790, 4783\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4731\"}},{\"match_phrase\":{\"event.code\":\"4727\"}},{\"match_phrase\":{\"event.code\":\"4754\"}},{\"match_phrase\":{\"event.code\":\"4744\"}},{\"match_phrase\":{\"event.code\":\"4759\"}},{\"match_phrase\":{\"event.code\":\"4779\"}},{\"match_phrase\":{\"event.code\":\"4790\"}},{\"match_phrase\":{\"event.code\":\"4783\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Groups Created - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Group\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"group.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Performer 
LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":4,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":5,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Groups Created - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-98884120-f49d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.3/kibana/visualization/system-99381c80-4d60-11e7-9a4c-ed99bbcaa42b.json b/packages/system/0.10.3/kibana/visualization/system-99381c80-4d60-11e7-9a4c-ed99bbcaa42b.json deleted file mode 100644 index 66e166e22e..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-99381c80-4d60-11e7-9a4c-ed99bbcaa42b.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Interfaces by Incoming traffic [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"id\":\"44596d40-4d60-11e7-9a4c-ed99bbcaa42b\"}],\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.network\\\"\"},\"id\":\"42ceae90-4d60-11e7-9a4c-ed99bbcaa42b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"42ced5a0-4d60-11e7-9a4c-ed99bbcaa42b\",\"label\":\"Interfaces by Incoming traffic\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.in.bytes\",\"id\":\"42ced5a1-4d60-11e7-9a4c-ed99bbcaa42b\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"terms_order_by\":\"42ced5a1-4d60-11e7-9a4c-ed99bbcaa42b\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Interfaces by Incoming traffic [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-99381c80-4d60-11e7-9a4c-ed99bbcaa42b", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.3/kibana/visualization/system-9dd22440-ff1d-11e9-8405-516218e3d268.json b/packages/system/0.10.3/kibana/visualization/system-9dd22440-ff1d-11e9-8405-516218e3d268.json deleted file mode 100644 index 3d479d8d36..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-9dd22440-ff1d-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users locked Out - TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(102,102,102,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.security AND event.code: \\\"4740\\\")\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Locked Out\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users locked Out - TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-9dd22440-ff1d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.3/kibana/visualization/system-9e534190-f49d-11e9-8405-516218e3d268.json b/packages/system/0.10.3/kibana/visualization/system-9e534190-f49d-11e9-8405-516218e3d268.json deleted file mode 100644 index 80de558be8..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-9e534190-f49d-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4735\",\"4737\",\"4755\",\"4750\",\"4760\",\"4745\",\"4791\",\"4784\",\"4764\"],\"type\":\"phrases\",\"value\":\"4735, 4737, 4755, 4750, 4760, 4745, 4791, 4784, 4764\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4735\"}},{\"match_phrase\":{\"event.code\":\"4737\"}},{\"match_phrase\":{\"event.code\":\"4755\"}},{\"match_phrase\":{\"event.code\":\"4750\"}},{\"match_phrase\":{\"event.code\":\"4760\"}},{\"match_phrase\":{\"event.code\":\"4745\"}},{\"match_phrase\":{\"event.code\":\"4791\"}},{\"match_phrase\":{\"event.code\":\"4784\"}},{\"match_phrase\":{\"event.code\":\"4764\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Group Changes - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Group\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"group.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Performer 
LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":4,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":5,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Group Changes - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-9e534190-f49d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.3/kibana/visualization/system-Event-Levels.json b/packages/system/0.10.3/kibana/visualization/system-Event-Levels.json deleted file mode 100644 index aad708a11c..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-Event-Levels.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system)\"}}" - }, - "title": "Event Levels [Windows Overview]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Log Levels\",\"field\":\"log.level\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Event Levels [Windows Overview]\",\"type\":\"table\"}" - }, - "id": "windows-Event-Levels", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of 
file diff --git a/packages/system/0.10.3/kibana/visualization/system-Navigation.json b/packages/system/0.10.3/kibana/visualization/system-Navigation.json deleted file mode 100644 index d996678974..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-Navigation.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "System Navigation [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"[System Overview](#/dashboard/system-Metrics-system-overview) | [Host Overview](#/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8)\"},\"title\":\"System Navigation [Metrics System]\",\"type\":\"markdown\"}" - }, - "id": "system-Navigation", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-Number-of-Events-Over-Time-By-Event-Log.json b/packages/system/0.10.3/kibana/visualization/system-Number-of-Events-Over-Time-By-Event-Log.json deleted file mode 100644 index f37198a2af..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-Number-of-Events-Over-Time-By-Event-Log.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system)\"}}" - }, - "title": "Number of Events Over Time By Channel [Windows Overview]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"timeRange\":{\"from\":\"now-15d\",\"mode\":\"relative\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Channel\",\"field\":\"winlog.channel\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":6},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"dimensions\":{\"series\":[{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"x\":{\"accessor\":0,\"aggType\":\"date_histogram\",\"format\":{\"id\":\"date\",\"
params\":{\"pattern\":\"YYYY-MM-DD HH:mm\"}},\"params\":{\"bounds\":{\"max\":\"2019-02-05T04:30:25.961Z\",\"min\":\"2019-01-21T04:30:25.961Z\"},\"date\":true,\"format\":\"YYYY-MM-DD HH:mm\",\"interval\":43200000}},\"y\":[{\"accessor\":2,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"Number of Events Over Time By Channel [Windows Overview]\",\"type\":\"histogram\"}" - }, - "id": "windows-Number-of-Events-Over-Time-By-Event-Log", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-Number-of-Events.json b/packages/system/0.10.3/kibana/visualization/system-Number-of-Events.json deleted file mode 100644 index ec58494bab..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-Number-of-Events.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system)\"}}" - }, - "title": "Number of Events [Windows Overview]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"fontSize\":60},\"type\":\"metric\"}" - }, - "id": "windows-Number-of-Events", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-Sources.json b/packages/system/0.10.3/kibana/visualization/system-Sources.json deleted file mode 100644 index d0b0997dc1..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-Sources.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system)\"}}" - }, - "title": "Sources (Provider Names) [Windows Overview]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"winlog.provider_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":7},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"shareYAxis\":true,\"type\":\"pie\"},\"title\":\"Sources (Provider Names) [Windows Overview]\",\"type\":\"pie\"}" - }, - "id": "windows-Sources", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-Syslog-events-by-hostname.json b/packages/system/0.10.3/kibana/visualization/system-Syslog-events-by-hostname.json deleted file mode 100644 index 97fdb33425..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-Syslog-events-by-hostname.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Syslog events by hostname [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"host.hostname\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"Syslog events by hostname\",\"type\":\"histogram\"}" - }, - "id": "system-Syslog-events-by-hostname", - "references": [ - { - "id": "system-Syslog-system-logs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-Syslog-hostnames-and-processes.json b/packages/system/0.10.3/kibana/visualization/system-Syslog-hostnames-and-processes.json deleted file mode 100644 index 3fe992e28b..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-Syslog-hostnames-and-processes.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Syslog hostnames and processes [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"host.hostname\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"process.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"legendPosition\":\"bottom\",\"shareYAxis\":true},\"title\":\"Syslog hostnames and processes\",\"type\":\"pie\"}" - }, - "id": "system-Syslog-hostnames-and-processes", - "references": [ - { - "id": "system-Syslog-system-logs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-Top-Event-IDs.json b/packages/system/0.10.3/kibana/visualization/system-Top-Event-IDs.json deleted file mode 100644 index 4896468949..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-Top-Event-IDs.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system)\"}}" - }, - "title": "Top Event IDs [Windows Overview]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event IDs\",\"field\":\"winlog.event_id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Event IDs [Windows Overview]\",\"type\":\"table\"}" - }, - "id": "windows-Top-Event-IDs", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at 
end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-a13bf640-fee8-11e9-8405-516218e3d268.json b/packages/system/0.10.3/kibana/visualization/system-a13bf640-fee8-11e9-8405-516218e3d268.json deleted file mode 100644 index 7e96d25870..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-a13bf640-fee8-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4732\",\"4728\",\"4756\",\"4751\",\"4761\",\"4746\",\"4785\",\"4787\"],\"type\":\"phrases\",\"value\":\"4732, 4728, 4756, 4751, 4761, 4746, 4785, 4787\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4732\"}},{\"match_phrase\":{\"event.code\":\"4728\"}},{\"match_phrase\":{\"event.code\":\"4756\"}},{\"match_phrase\":{\"event.code\":\"4751\"}},{\"match_phrase\":{\"event.code\":\"4761\"}},{\"match_phrase\":{\"event.code\":\"4746\"}},{\"match_phrase\":{\"event.code\":\"4785\"}},{\"match_phrase\":{\"event.code\":\"4787\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Added - Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Users Added to Groups\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Reds\",\"colorsRange\":[{\"from\":0,\"to\":1,\"type\":\"range\"},{\"from\":1,\"to\":5},{\"from\":5,\"to\":10},{\"from\":10,\"to\":15},{\"from\":15,\"to\":20},{\"from\":20,\"to\":9999}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"Labels\",\"percentageMode\":false,\"style\":{\"bgColor\":true,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Added - 
Simple Metric [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-a13bf640-fee8-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-a3c3f350-9b6d-11ea-87e4-49f31ec44891.json b/packages/system/0.10.3/kibana/visualization/system-a3c3f350-9b6d-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 9d3bf16ab1..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-a3c3f350-9b6d-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Dashboard links [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"[Windows Overview](#/dashboard/Windows-Dashboard) | [User Logon Information](#/dashboard/windows-bae11b00-9bfc-11ea-87e4-49f31ec44891) | [Logon Failed and Account Lockout](#/dashboard/windows-d401ef40-a7d5-11e9-a422-d144027429da) | [User Management Events](#/dashboard/windows-71f720f0-ff18-11e9-8405-516218e3d268) | [Group Management Events](#/dashboard/windows-bb858830-f412-11e9-8405-516218e3d268)\",\"openLinksInNewTab\":false},\"title\":\"Dashboard links [Windows Security]\",\"type\":\"markdown\"}" - }, - "id": "windows-a3c3f350-9b6d-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-a5f664c0-f49a-11e9-8405-516218e3d268.json b/packages/system/0.10.3/kibana/visualization/system-a5f664c0-f49a-11e9-8405-516218e3d268.json deleted file mode 100644 index 4b46c3ba04..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-a5f664c0-f49a-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Removed - TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"bfcaced0-f419-11e9-928e-8f5fd2b6c66e\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(228,155,75,1)\",\"id\":\"11604700-9b51-11ea-99a1-e5b989979a59\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code:4733 OR event.code:4729 OR event.code:4788 OR event.code:4786 OR event.code:4752 OR event.code:4762 OR event.code:4747\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Removed from Group\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Removed - TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-a5f664c0-f49a-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.3/kibana/visualization/system-a79395f0-6aba-11ea-896f-0d70f7ec3956.json b/packages/system/0.10.3/kibana/visualization/system-a79395f0-6aba-11ea-896f-0d70f7ec3956.json deleted file mode 100644 index d044a29c62..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-a79395f0-6aba-11ea-896f-0d70f7ec3956.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Blocked Accounts TSVB [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"color\":\"rgba(51,51,51,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(102,102,102,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4740\\\"\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Blocked Accounts\",\"line_width\":1,\"metrics\":[{\"field\":\"user.name\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"cardinality\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Blocked Accounts TSVB [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-a79395f0-6aba-11ea-896f-0d70f7ec3956", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.3/kibana/visualization/system-a909b930-685f-11ea-896f-0d70f7ec3956.json b/packages/system/0.10.3/kibana/visualization/system-a909b930-685f-11ea-896f-0d70f7ec3956.json deleted file mode 100644 index e4c612104a..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-a909b930-685f-11ea-896f-0d70f7ec3956.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Logon Events Timeline [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4672\\\" or event.code: \\\"4624\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(226,115,0,1)\",\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4672\\\"\"},\"id\":\"7560ee50-685f-11ea-8d46-c19e41702dd4\",\"label\":\"Admin logons\"},{\"color\":\"rgba(164,221,243,1)\",\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4624\\\"\"},\"id\":\"80e7fb10-685f-11ea-8d46-c19e41702dd4\",\"label\":\"Logon Events\"}],\"split_mode\":\"filters\",\"stacked\":\"none\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"Logon Events Timeline [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-a909b930-685f-11ea-896f-0d70f7ec3956", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.3/kibana/visualization/system-aa31c9d0-9b75-11ea-87e4-49f31ec44891.json b/packages/system/0.10.3/kibana/visualization/system-aa31c9d0-9b75-11ea-87e4-49f31ec44891.json deleted file mode 100644 index cba7e9d873..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-aa31c9d0-9b75-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "User Management Events - Affected Users vs Actions - Heatmap [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Target User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Blues\",\"colorsNumber\":4,\"colorsRange\":[],\"enableHover\":false,\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"type\":\"heatmap\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"black\",\"overwriteColor\":false,\"rotate\":0,\"show\":true},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"User Management Events - Affected Users vs Actions - Heatmap [Windows Security]\",\"type\":\"heatmap\"}" - }, - "id": "windows-aa31c9d0-9b75-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - 
"type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-ab2d1e90-1b1a-11e7-b09e-037021c4f8df.json b/packages/system/0.10.3/kibana/visualization/system-ab2d1e90-1b1a-11e7-b09e-037021c4f8df.json deleted file mode 100644 index 2dd21f0794..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-ab2d1e90-1b1a-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "CPU Usage [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.cpu\\\"\"},\"id\":\"80a04950-1b19-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"80a04951-1b19-11e7-b09e-037021c4f8df\",\"label\":\"user\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.user.pct\",\"id\":\"80a04952-1b19-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(211,49,21,1)\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"993acf30-1b19-11e7-b09e-037021c4f8df\",\"label\":\"system\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.system.pct\",\"id\":\"993acf31-1b19-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(123,100,255,1)\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"65ca35e0-1b1a-11e7-b09e-037021c4f8df\",\"label\":\"nice\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.nice.pct\",\"id\":\"65ca5cf0-1b1a-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(226,
115,0,1)\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"741b5f20-1b1a-11e7-b09e-037021c4f8df\",\"label\":\"irq\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.irq.pct\",\"id\":\"741b5f21-1b1a-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(176,188,0,1)\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"2efc5d40-1b1a-11e7-b09e-037021c4f8df\",\"label\":\"softirq\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.softirq.pct\",\"id\":\"2efc5d41-1b1a-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(15,20,25,1)\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"ae644a30-1b19-11e7-b09e-037021c4f8df\",\"label\":\"iowait\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.iowait.pct\",\"id\":\"ae644a31-1b19-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"CPU Usage [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-ab2d1e90-1b1a-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-ab6f8d80-bce8-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.3/kibana/visualization/system-ab6f8d80-bce8-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 1524776c84..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-ab6f8d80-bce8-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4767\"],\"type\":\"phrases\",\"value\":\"4767\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4767\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Unlocked Users - Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Users Unlocks\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Unlocked Users - Simple Metric [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-ab6f8d80-bce8-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.3/kibana/visualization/system-abd44840-9c0f-11ea-87e4-49f31ec44891.json b/packages/system/0.10.3/kibana/visualization/system-abd44840-9c0f-11ea-87e4-49f31ec44891.json deleted file mode 100644 index b80521880d..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-abd44840-9c0f-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4624\",\"4672\"],\"type\":\"phrases\",\"value\":\"4624, 4672\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4624\"}},{\"match_phrase\":{\"event.code\":\"4672\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Logon Events in Time - Simple [Windows Security]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Admin Logons\":\"#E24D42\",\"Logon Events\":\"#447EBC\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"2020-05-20T07:35:27.496Z\",\"to\":\"2020-05-22T00:01:10.239Z\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"filters\":[{\"input\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4624\\\" \"},\"label\":\"Logon Events\"},{\"input\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4672\\\" \"},\"label\":\"Admin 
Logons\"}]},\"schema\":\"group\",\"type\":\"filters\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Logon Events in Time - Simple [Windows Security]\",\"type\":\"line\"}" - }, - "id": "windows-abd44840-9c0f-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-abf96c10-bcea-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.3/kibana/visualization/system-abf96c10-bcea-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 10df083da9..0000000000 
--- a/packages/system/0.10.3/kibana/visualization/system-abf96c10-bcea-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4738\"},\"type\":\"phrase\",\"value\":\"4738\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4738\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Changes Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Changed User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Changes Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-abf96c10-bcea-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-b5f38780-fee6-11e9-8405-516218e3d268.json b/packages/system/0.10.3/kibana/visualization/system-b5f38780-fee6-11e9-8405-516218e3d268.json deleted file mode 100644 index 01f9b4f63c..0000000000 
--- a/packages/system/0.10.3/kibana/visualization/system-b5f38780-fee6-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4735\",\"4737\",\"4755\",\"4750\",\"4760\",\"4745\",\"4791\",\"4784\",\"4764\"],\"type\":\"phrases\",\"value\":\"4735, 4737, 4755, 4750, 4760, 4745, 4791, 4784, 4764\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4735\"}},{\"match_phrase\":{\"event.code\":\"4737\"}},{\"match_phrase\":{\"event.code\":\"4755\"}},{\"match_phrase\":{\"event.code\":\"4750\"}},{\"match_phrase\":{\"event.code\":\"4760\"}},{\"match_phrase\":{\"event.code\":\"4745\"}},{\"match_phrase\":{\"event.code\":\"4791\"}},{\"match_phrase\":{\"event.code\":\"4784\"}},{\"match_phrase\":{\"event.code\":\"4764\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Groups Changes - Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Groups Changed\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Yellow to 
Red\",\"colorsRange\":[{\"from\":0,\"to\":1,\"type\":\"range\"},{\"from\":1,\"to\":5},{\"from\":5,\"to\":10},{\"from\":10,\"to\":15},{\"from\":15,\"to\":20},{\"from\":20,\"to\":100000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"Labels\",\"percentageMode\":false,\"style\":{\"bgColor\":true,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Groups Changes - Simple Metric [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-b5f38780-fee6-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-b89b0c90-9b41-11ea-87e4-49f31ec44891.json b/packages/system/0.10.3/kibana/visualization/system-b89b0c90-9b41-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 69a39e96ac..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-b89b0c90-9b41-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Group Management Events - Event Actions [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Group Management Events - Event Actions [Windows Security]\",\"type\":\"pie\"}" - }, - "id": "windows-b89b0c90-9b41-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-bb9cf7a0-f49d-11e9-8405-516218e3d268.json b/packages/system/0.10.3/kibana/visualization/system-bb9cf7a0-f49d-11e9-8405-516218e3d268.json deleted file mode 100644 index a41d9a8945..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-bb9cf7a0-f49d-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4734\",\"4730\",\"4758\",\"4748\",\"4763\",\"4753\",\"4792\",\"4789\"],\"type\":\"phrases\",\"value\":\"4734, 4730, 4758, 4748, 4763, 4753, 4792, 4789\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4734\"}},{\"match_phrase\":{\"event.code\":\"4730\"}},{\"match_phrase\":{\"event.code\":\"4758\"}},{\"match_phrase\":{\"event.code\":\"4748\"}},{\"match_phrase\":{\"event.code\":\"4763\"}},{\"match_phrase\":{\"event.code\":\"4753\"}},{\"match_phrase\":{\"event.code\":\"4792\"}},{\"match_phrase\":{\"event.code\":\"4789\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Groups Deleted - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Group\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"group.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Performer 
LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":4,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":5,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Groups Deleted - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-bb9cf7a0-f49d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.3/kibana/visualization/system-bc165210-f4b8-11e9-8405-516218e3d268.json b/packages/system/0.10.3/kibana/visualization/system-bc165210-f4b8-11e9-8405-516218e3d268.json deleted file mode 100644 index 1d06fa3d06..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-bc165210-f4b8-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4799\"],\"type\":\"phrases\",\"value\":\"4799\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4799\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Group Enumeration - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Group\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"group.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Creator\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Creator 
LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":4,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":5,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Group Enumeration - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-bc165210-f4b8-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.3/kibana/visualization/system-bf45dc50-ff1a-11e9-8405-516218e3d268.json b/packages/system/0.10.3/kibana/visualization/system-bf45dc50-ff1a-11e9-8405-516218e3d268.json deleted file mode 100644 index fcd8124618..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-bf45dc50-ff1a-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Enabled - TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(203,142,136,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4722\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Enabled\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Enabled - TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-bf45dc50-ff1a-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.3/kibana/visualization/system-bfa5e400-1b16-11e7-b09e-037021c4f8df.json b/packages/system/0.10.3/kibana/visualization/system-bfa5e400-1b16-11e7-b09e-037021c4f8df.json deleted file mode 100644 index 50aa47d6d7..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-bfa5e400-1b16-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Memory Usage [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.memory\\\"\"},\"id\":\"32f46f40-1b16-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(211,49,21,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"4ff61fd0-1b16-11e7-b09e-037021c4f8df\",\"label\":\"Used\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.actual.used.bytes\",\"id\":\"4ff61fd1-1b16-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"753a6080-1b16-11e7-b09e-037021c4f8df\",\"label\":\"Cache\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.actual.used.bytes\",\"id\":\"753a6081-1b16-11e7-b09e-037021c4f8df\",\"type\":\"avg\"},{\"field\":\"system.memory.used.bytes\",\"id\":\"7c9d3f00-1b16-11e7-b09e-037021c4f8df\",\"type\":\"avg\"},{\"id\":\"869cc160-1b16-11e7-b09e-037021c4f8df\",\"script\":\"params.actual != null \\u0026\\u0026 params.used != null ? 
params.used - params.actual : null\",\"type\":\"calculation\",\"variables\":[{\"field\":\"753a6081-1b16-11e7-b09e-037021c4f8df\",\"id\":\"890f9620-1b16-11e7-b09e-037021c4f8df\",\"name\":\"actual\"},{\"field\":\"7c9d3f00-1b16-11e7-b09e-037021c4f8df\",\"id\":\"8f3ab7f0-1b16-11e7-b09e-037021c4f8df\",\"name\":\"used\"}]}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"32f46f41-1b16-11e7-b09e-037021c4f8df\",\"label\":\"Free\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.free\",\"id\":\"32f46f42-1b16-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"Memory Usage [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-bfa5e400-1b16-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-c2ea73f0-a4bd-11e9-a422-d144027429da.json b/packages/system/0.10.3/kibana/visualization/system-c2ea73f0-a4bd-11e9-a422-d144027429da.json deleted file mode 100644 index 0693d6a8fc..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-c2ea73f0-a4bd-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Failed Logon and Account Lockout [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":10,\"markdown\":\"### **Failed Logons and Account Lockouts**\",\"openLinksInNewTab\":false},\"title\":\"Failed Logon and Account Lockout [Windows Security]\",\"type\":\"markdown\"}" - }, - "id": "windows-c2ea73f0-a4bd-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-c359b020-bcdd-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.3/kibana/visualization/system-c359b020-bcdd-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index c63ede5997..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-c359b020-bcdd-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4726\"},\"type\":\"phrase\",\"value\":\"4726\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4726\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Deleted - Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Deleted Users\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Deleted - Simple Metric [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-c359b020-bcdd-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.3/kibana/visualization/system-c5e3cf90-4d60-11e7-9a4c-ed99bbcaa42b.json b/packages/system/0.10.3/kibana/visualization/system-c5e3cf90-4d60-11e7-9a4c-ed99bbcaa42b.json deleted file mode 100644 index bbdd02df29..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-c5e3cf90-4d60-11e7-9a4c-ed99bbcaa42b.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Interfaces by Outgoing traffic [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"id\":\"9db20be0-4d60-11e7-9a4c-ed99bbcaa42b\"}],\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.network\\\"\"},\"id\":\"9cdba910-4d60-11e7-9a4c-ed99bbcaa42b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"9cdba911-4d60-11e7-9a4c-ed99bbcaa42b\",\"label\":\"Interfaces by Outgoing traffic\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.out.bytes\",\"id\":\"9cdba912-4d60-11e7-9a4c-ed99bbcaa42b\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"terms_order_by\":\"9cdba912-4d60-11e7-9a4c-ed99bbcaa42b\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Interfaces by Outgoing traffic [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-c5e3cf90-4d60-11e7-9a4c-ed99bbcaa42b", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.3/kibana/visualization/system-c6f2ffd0-4d17-11e7-a196-69b9a7a020a9.json b/packages/system/0.10.3/kibana/visualization/system-c6f2ffd0-4d17-11e7-a196-69b9a7a020a9.json deleted file mode 100644 index a781526538..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-c6f2ffd0-4d17-11e7-a196-69b9a7a020a9.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Number of hosts [Metrics System]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Number of hosts\",\"field\":\"host.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":false},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"63\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"type\":\"gauge\"},\"title\":\"Number of hosts [Metrics System]\",\"type\":\"metric\"}" - }, - "id": "system-c6f2ffd0-4d17-11e7-a196-69b9a7a020a9", - "references": [ - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.3/kibana/visualization/system-c9d959f0-ff1d-11e9-8405-516218e3d268.json b/packages/system/0.10.3/kibana/visualization/system-c9d959f0-ff1d-11e9-8405-516218e3d268.json deleted file mode 100644 index e99dc25f2d..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-c9d959f0-ff1d-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Changes TS VB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(221,186,64,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4738\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Changes\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Changes TS VB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-c9d959f0-ff1d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.3/kibana/visualization/system-caf4d2b0-9b76-11ea-87e4-49f31ec44891.json b/packages/system/0.10.3/kibana/visualization/system-caf4d2b0-9b76-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 929d24092b..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-caf4d2b0-9b76-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Event Distribution in time [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-7d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"norma
l\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Event Distribution in time [Windows Security]\",\"type\":\"histogram\"}" - }, - "id": "windows-caf4d2b0-9b76-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-ce867840-f49e-11e9-8405-516218e3d268.json b/packages/system/0.10.3/kibana/visualization/system-ce867840-f49e-11e9-8405-516218e3d268.json deleted file mode 100644 index e6a5114cd8..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-ce867840-f49e-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4732\",\"4728\",\"4756\",\"4751\",\"4761\",\"4746\",\"4785\",\"4787\"],\"type\":\"phrases\",\"value\":\"4732, 4728, 4756, 4751, 4761, 4746, 4785, 4787\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4732\"}},{\"match_phrase\":{\"event.code\":\"4728\"}},{\"match_phrase\":{\"event.code\":\"4756\"}},{\"match_phrase\":{\"event.code\":\"4751\"}},{\"match_phrase\":{\"event.code\":\"4761\"}},{\"match_phrase\":{\"event.code\":\"4746\"}},{\"match_phrase\":{\"event.code\":\"4785\"}},{\"match_phrase\":{\"event.code\":\"4787\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Added - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"User\",\"field\":\"winlog.event_data.MemberName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Group\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"group.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Performed by Logon 
ID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":4,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":5,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":5,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Added - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-ce867840-f49e-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline 
at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-d16bb400-f9cc-11e6-8115-a7c18106d86a.json b/packages/system/0.10.3/kibana/visualization/system-d16bb400-f9cc-11e6-8115-a7c18106d86a.json deleted file mode 100644 index 7d3a140c7b..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-d16bb400-f9cc-11e6-8115-a7c18106d86a.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.ssh.event:Accepted\"}}" - }, - "title": "Successful SSH logins [Logs System]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Accepted\":\"#3F6833\",\"Failed\":\"#F9934E\",\"Invalid\":\"#447EBC\",\"password\":\"#BF1B00\",\"publickey\":\"#629E51\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"system.auth.ssh.method\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"Successful SSH logins\",\"type\":\"histogram\"}" - }, - "id": "system-d16bb400-f9cc-11e6-8115-a7c18106d86a", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.3/kibana/visualization/system-d2e80340-4d5c-11e7-aa29-87a97a796de6.json b/packages/system/0.10.3/kibana/visualization/system-d2e80340-4d5c-11e7-aa29-87a97a796de6.json deleted file mode 100644 index 409529a0d5..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-d2e80340-4d5c-11e7-aa29-87a97a796de6.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Memory usage vs total [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"6f7618b0-4d5c-11e7-aa29-87a97a796de6\"}],\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.memory\\\"\"},\"id\":\"6bc65720-4d5c-11e7-aa29-87a97a796de6\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"6bc65721-4d5c-11e7-aa29-87a97a796de6\",\"label\":\"Memory usage\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.actual.used.bytes\",\"id\":\"6bc65722-4d5c-11e7-aa29-87a97a796de6\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"b8fe6820-4d5c-11e7-aa29-87a97a796de6\",\"label\":\"Total Memory\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.total\",\"id\":\"b8fe6821-4d5c-11e7-aa29-87a97a796de6\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"metric\"},\"title\":\"Memory usage vs total\",\"type\":\"metrics\"}" - }, - "id": "system-d2e80340-4d5c-11e7-aa29-87a97a796de6", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.3/kibana/visualization/system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b.json b/packages/system/0.10.3/kibana/visualization/system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b.json deleted file mode 100644 index bc6234f906..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Memory Usage Gauge [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.memory\\\"\"},\"gauge_color_rules\":[{\"gauge\":\"rgba(104,188,0,1)\",\"id\":\"a0d522e0-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0},{\"gauge\":\"rgba(254,146,0,1)\",\"id\":\"b45ad8f0-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0.7},{\"gauge\":\"rgba(211,49,21,1)\",\"id\":\"c06e9550-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0.85}],\"gauge_inner_width\":10,\"gauge_max\":\"1\",\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"9f51b730-1b91-11e7-bec4-a5e9ec5cab8b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"9f51b731-1b91-11e7-bec4-a5e9ec5cab8b\",\"label\":\"Memory Usage\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.actual.used.pct\",\"id\":\"9f51b732-1b91-11e7-bec4-a5e9ec5cab8b\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\"},\"title\":\"Memory Usage Gauge [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.3/kibana/visualization/system-d3a5fec0-ff18-11e9-8405-516218e3d268.json b/packages/system/0.10.3/kibana/visualization/system-d3a5fec0-ff18-11e9-8405-516218e3d268.json deleted file mode 100644 index cfc0f94fdb..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-d3a5fec0-ff18-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Created - TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(181,99,93,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4720\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Created\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Created - TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-d3a5fec0-ff18-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.3/kibana/visualization/system-d56ee420-fa79-11e6-a1df-a78bd7504d38.json b/packages/system/0.10.3/kibana/visualization/system-d56ee420-fa79-11e6-a1df-a78bd7504d38.json deleted file mode 100644 index 4a1a669662..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-d56ee420-fa79-11e6-a1df-a78bd7504d38.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New users by home directory [Logs System]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"/bin/bash\":\"#E24D42\",\"/bin/false\":\"#508642\",\"/nonexistent\":\"#629E51\",\"/sbin/nologin\":\"#7EB26D\"},\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"system.auth.useradd.home\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":false,\"legendPosition\":\"right\"},\"title\":\"New users by home directory\",\"type\":\"pie\"}" - }, - "id": "system-d56ee420-fa79-11e6-a1df-a78bd7504d38", - "references": [ - { - "id": "system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-d770b040-9b35-11ea-87e4-49f31ec44891.json b/packages/system/0.10.3/kibana/visualization/system-d770b040-9b35-11ea-87e4-49f31ec44891.json deleted file mode 100644 index f305904a39..0000000000 
--- a/packages/system/0.10.3/kibana/visualization/system-d770b040-9b35-11ea-87e4-49f31ec44891.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system)\"}}" - }, - "title": "Dashboard links - Simple [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"[Windows General Dashboard](#/dashboard/Windows-Dashboard) | [User Logon Information](#/dashboard/windows-035846a0-a249-11e9-a422-d144027429da?) | [Logon failed and Account Lockout](#/dashboard/windows-f49f3170-9ffc-11ea-87e4-49f31ec44891) | [User Management Events](#/dashboard/windows-8223bed0-b9e9-11e9-b6a2-c9b4015c4baf) | [Group Management Events](#/dashboard/windows-01c54730-fee6-11e9-8405-516218e3d268)\",\"openLinksInNewTab\":false},\"title\":\"Dashboard links - Simple [Windows Security]\",\"type\":\"markdown\"}" - }, - "id": "windows-d770b040-9b35-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-da2110c0-bcea-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.3/kibana/visualization/system-da2110c0-bcea-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 353d90c6e3..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-da2110c0-bcea-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4767\"},\"type\":\"phrase\",\"value\":\"4767\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4767\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Unlocked Users - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Unlocked User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
Logonid\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Unlocked Users - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-da2110c0-bcea-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.3/kibana/visualization/system-da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index ff1ee322e1..0000000000 
--- a/packages/system/0.10.3/kibana/visualization/system-da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4723\",\"4724\"],\"type\":\"phrases\",\"value\":\"4723, 4724\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4723\"}},{\"match_phrase\":{\"event.code\":\"4724\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Password Changes - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Password Change to\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Password Changes - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-dc589770-fa2b-11e6-bbd3-29c986c96e5a.json b/packages/system/0.10.3/kibana/visualization/system-dc589770-fa2b-11e6-bbd3-29c986c96e5a.json deleted file mode 100644 index 16dd4ec2e5..0000000000 
--- a/packages/system/0.10.3/kibana/visualization/system-dc589770-fa2b-11e6-bbd3-29c986c96e5a.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top sudo commands [Logs System]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"system.auth.sudo.command\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.auth\\\"\"},\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top sudo commands\",\"type\":\"table\"}" - }, - "id": "system-dc589770-fa2b-11e6-bbd3-29c986c96e5a", - "references": [ - { - "id": "system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-e0f001c0-1b18-11e7-b09e-037021c4f8df.json b/packages/system/0.10.3/kibana/visualization/system-e0f001c0-1b18-11e7-b09e-037021c4f8df.json deleted file mode 100644 index 0de4eae928..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-e0f001c0-1b18-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Top Processes By CPU [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"bar_color\":\"rgba(104,188,0,1)\",\"id\":\"60e11be0-1b18-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0}],\"drilldown_url\":\"\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.process\\\"\"},\"id\":\"5f5b8d50-1b18-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"5f5b8d51-1b18-11e7-b09e-037021c4f8df\",\"line_width\":1,\"metrics\":[{\"field\":\"system.process.cpu.total.pct\",\"id\":\"5f5b8d52-1b18-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"process.name\",\"terms_order_by\":\"5f5b8d52-1b18-11e7-b09e-037021c4f8df\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Top Processes By CPU [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-e0f001c0-1b18-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-e121b140-fa78-11e6-a1df-a78bd7504d38.json b/packages/system/0.10.3/kibana/visualization/system-e121b140-fa78-11e6-a1df-a78bd7504d38.json deleted file mode 100644 index 8bc2dd67ee..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-e121b140-fa78-11e6-a1df-a78bd7504d38.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New users by shell [Logs System]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"/bin/bash\":\"#E24D42\",\"/bin/false\":\"#508642\",\"/sbin/nologin\":\"#7EB26D\"},\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"system.auth.useradd.shell\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.auth\\\"\"},\"isDonut\":false,\"legendPosition\":\"right\"},\"title\":\"New users by shell\",\"type\":\"pie\"}" - }, - "id": "system-e121b140-fa78-11e6-a1df-a78bd7504d38", - "references": [ - { - "id": "system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-e20c02d0-9b48-11ea-87e4-49f31ec44891.json b/packages/system/0.10.3/kibana/visualization/system-e20c02d0-9b48-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 1c91323555..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-e20c02d0-9b48-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Group Management Events - Groups vs Actions - Heatmap [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Target Groups\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Actions\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Blues\",\"colorsNumber\":4,\"colorsRange\":[],\"enableHover\":false,\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"type\":\"heatmap\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"black\",\"overwriteColor\":false,\"rotate\":0,\"show\":true},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Group Management Events - Groups vs Actions - Heatmap [Windows Security]\",\"type\":\"heatmap\"}" - }, - "id": "windows-e20c02d0-9b48-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": 
"visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-e22c6f40-f498-11e9-8405-516218e3d268.json b/packages/system/0.10.3/kibana/visualization/system-e22c6f40-f498-11e9-8405-516218e3d268.json deleted file mode 100644 index 3a7002cb8f..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-e22c6f40-f498-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Groups Deleted TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(200,201,197,1)\",\"id\":\"bfcaced0-f419-11e9-928e-8f5fd2b6c66e\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(228,155,75,1)\",\"id\":\"a7d935e0-f497-11e9-928e-8f5fd2b6c66e\",\"operator\":\"gt\",\"value\":0}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code:4734 OR event.code:4730 OR event.code:4758 OR event.code:4753 OR event.code:4763 OR event.code:4748 OR event.code:4789 OR event.code:4792\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Groups Deleted\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Groups Deleted TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-e22c6f40-f498-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.3/kibana/visualization/system-e2516c10-a249-11e9-a422-d144027429da.json b/packages/system/0.10.3/kibana/visualization/system-e2516c10-a249-11e9-a422-d144027429da.json deleted file mode 100644 index 1ab8694c7d..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-e2516c10-a249-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4672\"},\"type\":\"phrase\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4672\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Administrator Users [Windows Security]", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"winlog.logon.id\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"label\":\"user.name: Descending\",\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"cardinality\",\"format\":{\"id\":\"number\"},\"label\":\"Unique count of winlog.logon.id\",\"params\":{}}},\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"bottom\",\"type\":\"pie\"},\"title\":\"Administrator Users [Windows Security]\",\"type\":\"pie\"}" - }, - "id": 
"windows-e2516c10-a249-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.3/kibana/visualization/system-ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 3f849c9c25..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4726\"},\"type\":\"phrase\",\"value\":\"4726\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4726\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Deleted - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Deleted User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performed 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Deleted - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-ee292bc0-f499-11e9-8405-516218e3d268.json b/packages/system/0.10.3/kibana/visualization/system-ee292bc0-f499-11e9-8405-516218e3d268.json deleted file mode 100644 index 73b82c4743..0000000000 
--- a/packages/system/0.10.3/kibana/visualization/system-ee292bc0-f499-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Groups Created TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(200,201,197,1)\",\"id\":\"bfcaced0-f419-11e9-928e-8f5fd2b6c66e\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(181,99,93,1)\",\"id\":\"a7d935e0-f497-11e9-928e-8f5fd2b6c66e\",\"operator\":\"gt\",\"value\":0}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code:4731 OR event.code:4727 OR event.code:\\\"4754\\\" OR event.code:\\\"4749\\\" OR event.code:\\\"4759\\\" OR event.code:\\\"4744\\\" OR event.code:\\\"4783\\\" OR event.code:\\\"4790\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Groups Created\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Groups Created TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-ee292bc0-f499-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.3/kibana/visualization/system-f398d2f0-fa77-11e6-ae9b-81e5311e8cab.json b/packages/system/0.10.3/kibana/visualization/system-f398d2f0-fa77-11e6-ae9b-81e5311e8cab.json deleted file mode 100644 index 485b755000..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-f398d2f0-fa77-11e6-ae9b-81e5311e8cab.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New users [Logs System]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Host\",\"field\":\"host.hostname\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"User\",\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"UID\",\"field\":\"user.id\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"GID\",\"field\":\"group.id\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Home\",\"field\":\"system.auth.useradd.home\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"Shell\",\"field\":\"system.auth.useradd.shell\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.auth\\\"\"},\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"New users\",\"type\":\"table\"}" - }, - "id": "system-f398d2f0-fa77-11e6-ae9b-81e5311e8cab", - "references": [ - { - "id": 
"system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-f42f3b20-fee6-11e9-8405-516218e3d268.json b/packages/system/0.10.3/kibana/visualization/system-f42f3b20-fee6-11e9-8405-516218e3d268.json deleted file mode 100644 index 30d1efae49..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-f42f3b20-fee6-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4731\",\"4727\",\"4754\",\"4744\",\"4759\",\"4779\",\"4790\",\"4783\"],\"type\":\"phrases\",\"value\":\"4731, 4727, 4754, 4744, 4759, 4779, 4790, 4783\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4731\"}},{\"match_phrase\":{\"event.code\":\"4727\"}},{\"match_phrase\":{\"event.code\":\"4754\"}},{\"match_phrase\":{\"event.code\":\"4744\"}},{\"match_phrase\":{\"event.code\":\"4759\"}},{\"match_phrase\":{\"event.code\":\"4779\"}},{\"match_phrase\":{\"event.code\":\"4790\"}},{\"match_phrase\":{\"event.code\":\"4783\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Groups Created - Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Groups Created\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Reds\",\"colorsRange\":[{\"from\":0,\"to\":1,\"type\":\"range\"},{\"from\":1,\"to\":10},{\"from\":10,\"to\":20},{\"from\":20,\"to\":9999}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"Labels\",\"percentageMode\":false,\"style\":{\"bgColor\":true,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Groups Created - Simple Metric [Windows 
Security]\",\"type\":\"metric\"}" - }, - "id": "windows-f42f3b20-fee6-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.3/kibana/visualization/system-fa876300-231a-11ea-8405-516218e3d268.json b/packages/system/0.10.3/kibana/visualization/system-fa876300-231a-11ea-8405-516218e3d268.json deleted file mode 100644 index ad21d0ef81..0000000000 --- a/packages/system/0.10.3/kibana/visualization/system-fa876300-231a-11ea-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4781\"},\"type\":\"phrase\",\"value\":\"4781\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4781\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}"
- },
- "title": "Users Renamed - Table [Windows Security]",
- "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Old User Name\",\"field\":\"winlog.event_data.OldTargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Renamed - Table [Windows Security]\",\"type\":\"table\"}"
- },
- "id": "windows-fa876300-231a-11ea-8405-516218e3d268",
- "migrationVersion": {
- "visualization": "7.10.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.3/kibana/visualization/system-fe064790-1b1f-11e7-bec4-a5e9ec5cab8b.json b/packages/system/0.10.3/kibana/visualization/system-fe064790-1b1f-11e7-bec4-a5e9ec5cab8b.json
deleted file mode 100644
index 86576781aa..0000000000
--- a/packages/system/0.10.3/kibana/visualization/system-fe064790-1b1f-11e7-bec4-a5e9ec5cab8b.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "title": "Top Hosts By Memory (Realtime) [Metrics System]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"bar_color\":\"rgba(104,188,0,1)\",\"id\":\"33349dd0-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0},{\"bar_color\":\"rgba(254,146,0,1)\",\"id\":\"997dc440-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.6},{\"bar_color\":\"rgba(211,49,21,1)\",\"id\":\"a10d7f20-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.85}],\"drilldown_url\":\"../app/kibana#/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8?_a=(query:(language:kuery,query:'host.name:\\\"{{key}}\\\"'))\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.memory\\\"\"},\"id\":\"31e5afa0-1b1c-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"31e5afa1-1b1c-11e7-b09e-037021c4f8df\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.actual.used.pct\",\"id\":\"31e5afa2-1b1c-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"host.name\",\"terms_order_by\":\"31e5afa2-1b1c-11e7-b09e-037021c4f8df\",\"terms_size\":\"10\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Top Hosts By Memory (Realtime) [Metrics System]\",\"type\":\"metrics\"}"
- },
- "id": "system-fe064790-1b1f-11e7-bec4-a5e9ec5cab8b",
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.3/kibana/visualization/system-fee83900-f49f-11e9-8405-516218e3d268.json b/packages/system/0.10.3/kibana/visualization/system-fee83900-f49f-11e9-8405-516218e3d268.json
deleted file mode 100644
index 2de9d27e4d..0000000000
--- a/packages/system/0.10.3/kibana/visualization/system-fee83900-f49f-11e9-8405-516218e3d268.json
+++ /dev/null
@@ -1,32 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4733\",\"4729\",\"4757\",\"4786\",\"4788\",\"4752\",\"4762\",\"4747\"],\"type\":\"phrases\",\"value\":\"4733, 4729, 4757, 4786, 4788, 4752, 4762, 4747\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4733\"}},{\"match_phrase\":{\"event.code\":\"4729\"}},{\"match_phrase\":{\"event.code\":\"4757\"}},{\"match_phrase\":{\"event.code\":\"4786\"}},{\"match_phrase\":{\"event.code\":\"4788\"}},{\"match_phrase\":{\"event.code\":\"4752\"}},{\"match_phrase\":{\"event.code\":\"4762\"}},{\"match_phrase\":{\"event.code\":\"4747\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}"
- },
- "title": "Users Removed from Group - Table [Windows Security]",
- "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
- "version": 1,
- "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"User\",\"field\":\"winlog.event_data.MemberName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Group\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"group.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Performed by Logon 
ID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":4,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":5,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":5,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Removed from Group - Table [Windows Security]\",\"type\":\"table\"}"
- },
- "id": "windows-fee83900-f49f-11e9-8405-516218e3d268",
- "migrationVersion": {
- "visualization": "7.10.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "visualization"
-}
\ 
No newline at end of file
diff --git a/packages/system/0.10.3/kibana/visualization/system-ffebe440-f419-11e9-8405-516218e3d268.json b/packages/system/0.10.3/kibana/visualization/system-ffebe440-f419-11e9-8405-516218e3d268.json
deleted file mode 100644
index bc21df1e0a..0000000000
--- a/packages/system/0.10.3/kibana/visualization/system-ffebe440-f419-11e9-8405-516218e3d268.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{}"
- },
- "title": "Users Added - Metric [Windows Security]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"bfcaced0-f419-11e9-928e-8f5fd2b6c66e\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(181,99,93,1)\",\"id\":\"a7d935e0-f497-11e9-928e-8f5fd2b6c66e\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code:4732 OR event.code:4728 OR event.code:4756 OR event.code:4751 OR event.code:4761 OR event.code:4746 OR event.code:4785 OR event.code:4787\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Added to Group\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Added - Metric [Windows Security]\",\"type\":\"metrics\"}"
- },
- "id": "windows-ffebe440-f419-11e9-8405-516218e3d268",
- "migrationVersion": {
- "visualization": "7.10.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.3/manifest.yml b/packages/system/0.10.3/manifest.yml
deleted file mode 100644
index 2278b1f8ab..0000000000
--- a/packages/system/0.10.3/manifest.yml
+++ /dev/null
@@ -1,43 +0,0 @@
-format_version: 1.0.0
-name: system
-title: System
-version: 0.10.3
-license: basic
-description: System Integration
-type: integration
-categories:
- - os_system
- - security
-release: beta
-conditions:
- kibana.version: '^7.11.0'
-screenshots:
- - src: /img/kibana-system.png
- title: kibana system
- size: 1220x852
- type: image/png
- - src: /img/metricbeat_system_dashboard.png
- title: metricbeat system dashboard
- size: 2097x1933
- type: image/png
-icons:
- - src: /img/system.svg
- title: system
- size: 1000x1000
- type: image/svg+xml
-policy_templates:
- - name: system
- title: System logs and metrics
- description: Collect logs and metrics from System instances
- inputs:
- - type: logfile
- title: Collect logs from System instances
- description: Collecting System auth and syslog logs
- - type: winlog
- title: 'Collect events from the Windows event log'
- description: 'Collecting events from Windows event log'
- - type: system/metrics
- title: Collect metrics from System instances
- description: Collecting System core, CPU, diskio, entropy, filesystem, fsstat, load, memory, network, Network Summary, process, Process Summary, raid, service, socket, Socket Summary, uptime and users metrics
-owner:
- github: elastic/integrations-services
diff --git a/packages/system/0.10.4/data_stream/application/agent/stream/winlog.yml.hbs b/packages/system/0.10.4/data_stream/application/agent/stream/winlog.yml.hbs
deleted file mode 100644
index e207b9ffd6..0000000000
--- a/packages/system/0.10.4/data_stream/application/agent/stream/winlog.yml.hbs
+++ /dev/null
@@ -1,3 +0,0 @@
-name: Application
-condition: ${host.platform} == 'windows'
-ignore_older: 72h
\ No newline at end of file
diff --git a/packages/system/0.10.4/data_stream/application/elasticsearch/ingest_pipeline/default.yml b/packages/system/0.10.4/data_stream/application/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100644
index d239ad095f..0000000000
--- a/packages/system/0.10.4/data_stream/application/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,10 +0,0 @@
----
- description: Pipeline for Windows Application Event Logs
- processors:
- - set:
- field: event.ingested
- value: '{{_ingest.timestamp}}'
- on_failure:
- - set:
- field: "error.message"
- value: "{{ _ingest.on_failure_message }}"
\ No newline at end of file
diff --git a/packages/system/0.10.4/data_stream/application/fields/agent.yml b/packages/system/0.10.4/data_stream/application/fields/agent.yml
deleted file mode 100644
index da4e652c53..0000000000
--- a/packages/system/0.10.4/data_stream/application/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/system/0.10.4/data_stream/application/fields/base-fields.yml b/packages/system/0.10.4/data_stream/application/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.10.4/data_stream/application/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.10.4/data_stream/application/fields/ecs.yml b/packages/system/0.10.4/data_stream/application/fields/ecs.yml
deleted file mode 100644
index e1817f5ca6..0000000000
--- a/packages/system/0.10.4/data_stream/application/fields/ecs.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-- description: Time when the event was first read by an agent or by your pipeline.
- example: '2016-05-23T08:05:34.857Z'
- name: event.created
- type: date
-- description: Timestamp when an event arrived in the central data store.
- example: '2016-05-23T08:05:35.101Z'
- name: event.ingested
- type: date
-- description: Raw text message of entire event.
- example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232
- ignore_above: 1024
- name: event.original
- type: keyword
-- description: Error message.
- name: error.message
- type: text
diff --git a/packages/system/0.10.4/data_stream/application/fields/winlog.yml b/packages/system/0.10.4/data_stream/application/fields/winlog.yml
deleted file mode 100644
index adca1bbdd0..0000000000
--- a/packages/system/0.10.4/data_stream/application/fields/winlog.yml
+++ /dev/null
@@ -1,357 +0,0 @@
-- name: winlog
- type: group
- description: >
- All fields specific to the Windows Event Log are defined here.
-
- fields:
- - name: api
- required: true
- type: keyword
- description: >
- The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs.
-
- - name: activity_id
- type: keyword
- required: false
- description: >
- A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity.
-
- - name: computer_name
- type: keyword
- required: true
- description: >
- The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`.
-
- - name: event_data
- type: object
- object_type: keyword
- required: false
- description: >
- The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows.
-
- - name: event_data
- type: group
- description: >
- This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs.
-
- fields:
- - name: AuthenticationPackageName
- type: keyword
- - name: Binary
- type: keyword
- - name: BitlockerUserInputTime
- type: keyword
- - name: BootMode
- type: keyword
- - name: BootType
- type: keyword
- - name: BuildVersion
- type: keyword
- - name: Company
- type: keyword
- - name: CorruptionActionState
- type: keyword
- - name: CreationUtcTime
- type: keyword
- - name: Description
- type: keyword
- - name: Detail
- type: keyword
- - name: DeviceName
- type: keyword
- - name: DeviceNameLength
- type: keyword
- - name: DeviceTime
- type: keyword
- - name: DeviceVersionMajor
- type: keyword
- - name: DeviceVersionMinor
- type: keyword
- - name: DriveName
- type: keyword
- - name: DriverName
- type: keyword
- - name: DriverNameLength
- type: keyword
- - name: DwordVal
- type: keyword
- - name: EntryCount
- type: keyword
- - name: ExtraInfo
- type: keyword
- - name: FailureName
- type: keyword
- - name: FailureNameLength
- type: keyword
- - name: FileVersion
- type: keyword
- - name: FinalStatus
- type: keyword
- - name: Group
- type: keyword
- - name: IdleImplementation
- type: keyword
- - name: IdleStateCount
- type: keyword
- - name: ImpersonationLevel
- type: keyword
- - name: IntegrityLevel
- type: keyword
- - name: IpAddress
- type: keyword
- - name: IpPort
- type: keyword
- - name: KeyLength
- type: keyword
- - name: LastBootGood
- type: keyword
- - name: LastShutdownGood
- type: keyword
- - name: LmPackageName
- type: keyword
- - name: LogonGuid
- type: keyword
- - name: LogonId
- type: keyword
- - name: LogonProcessName
- type: keyword
- - name: LogonType
- type: keyword
- - name: MajorVersion
- type: keyword
- - name: MaximumPerformancePercent
- type: keyword
- - name: MemberName
- type: keyword
- - name: MemberSid
- type: keyword
- - name: MinimumPerformancePercent
- type: keyword
- - name: MinimumThrottlePercent
- type: keyword
- - name: MinorVersion
- type: keyword
- - name: NewProcessId
- type: keyword
- - name: NewProcessName
- type: 
keyword
- - name: NewSchemeGuid
- type: keyword
- - name: NewTime
- type: keyword
- - name: NominalFrequency
- type: keyword
- - name: Number
- type: keyword
- - name: OldSchemeGuid
- type: keyword
- - name: OldTime
- type: keyword
- - name: OriginalFileName
- type: keyword
- - name: Path
- type: keyword
- - name: PerformanceImplementation
- type: keyword
- - name: PreviousCreationUtcTime
- type: keyword
- - name: PreviousTime
- type: keyword
- - name: PrivilegeList
- type: keyword
- - name: ProcessId
- type: keyword
- - name: ProcessName
- type: keyword
- - name: ProcessPath
- type: keyword
- - name: ProcessPid
- type: keyword
- - name: Product
- type: keyword
- - name: PuaCount
- type: keyword
- - name: PuaPolicyId
- type: keyword
- - name: QfeVersion
- type: keyword
- - name: Reason
- type: keyword
- - name: SchemaVersion
- type: keyword
- - name: ScriptBlockText
- type: keyword
- - name: ServiceName
- type: keyword
- - name: ServiceVersion
- type: keyword
- - name: ShutdownActionType
- type: keyword
- - name: ShutdownEventCode
- type: keyword
- - name: ShutdownReason
- type: keyword
- - name: Signature
- type: keyword
- - name: SignatureStatus
- type: keyword
- - name: Signed
- type: keyword
- - name: StartTime
- type: keyword
- - name: State
- type: keyword
- - name: Status
- type: keyword
- - name: StopTime
- type: keyword
- - name: SubjectDomainName
- type: keyword
- - name: SubjectLogonId
- type: keyword
- - name: SubjectUserName
- type: keyword
- - name: SubjectUserSid
- type: keyword
- - name: TSId
- type: keyword
- - name: TargetDomainName
- type: keyword
- - name: TargetInfo
- type: keyword
- - name: TargetLogonGuid
- type: keyword
- - name: TargetLogonId
- type: keyword
- - name: TargetServerName
- type: keyword
- - name: TargetUserName
- type: keyword
- - name: TargetUserSid
- type: keyword
- - name: TerminalSessionId
- type: keyword
- - name: TokenElevationType
- type: keyword
- - name: TransmittedServices
- type: keyword
- - name: UserSid
- type: 
keyword
- - name: Version
- type: keyword
- - name: Workstation
- type: keyword
- - name: param1
- type: keyword
- - name: param2
- type: keyword
- - name: param3
- type: keyword
- - name: param4
- type: keyword
- - name: param5
- type: keyword
- - name: param6
- type: keyword
- - name: param7
- type: keyword
- - name: param8
- type: keyword
- - name: event_id
- type: keyword
- required: true
- description: >
- The event identifier. The value is specific to the source of the event.
-
- - name: keywords
- type: keyword
- required: false
- description: >
- The keywords are used to classify an event.
-
- - name: channel
- type: keyword
- required: true
- description: >
- The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration.
-
- - name: record_id
- type: keyword
- required: true
- description: >
- The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0.
-
- - name: related_activity_id
- type: keyword
- required: false
- description: >
- A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier.
-
- - name: opcode
- type: keyword
- required: false
- description: >
- The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged.
-
- - name: provider_guid
- type: keyword
- required: false
- description: >
- A globally unique identifier that identifies the provider that logged the event.
-
- - name: process.pid
- type: long
- required: false
- description: >
- The process_id of the Client Server Runtime Process.
-
- - name: provider_name
- type: keyword
- required: true
- description: >
- The source of the event log record (the application or service that logged the record).
-
- - name: task
- type: keyword
- required: false
- description: >
- The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field.
-
- - name: process.thread.id
- type: long
- required: false
- - name: user_data
- type: object
- object_type: keyword
- required: false
- description: >
- The event specific data. This field is mutually exclusive with `event_data`.
-
- - name: user.identifier
- type: keyword
- required: false
- example: S-1-5-21-3541430928-2051711210-1391384369-1001
- description: >
- The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be.
-
- - name: user.name
- type: keyword
- description: >
- Name of the user associated with this event.
-
- - name: user.domain
- type: keyword
- required: false
- description: >
- The domain that the account associated with this event is a member of.
-
- - name: user.type
- type: keyword
- required: false
- description: >
- The type of account associated with this event.
-
- - name: version
- type: long
- required: false
- description: The version number of the event's definition.
diff --git a/packages/system/0.10.4/data_stream/application/manifest.yml b/packages/system/0.10.4/data_stream/application/manifest.yml
deleted file mode 100644
index 4fab87c07c..0000000000
--- a/packages/system/0.10.4/data_stream/application/manifest.yml
+++ /dev/null
@@ -1,8 +0,0 @@
-type: logs
-title: Windows Application Events
-release: experimental
-streams:
- - input: winlog
- template_path: winlog.yml.hbs
- title: Application
- description: 'Collect Windows application logs'
diff --git a/packages/system/0.10.4/data_stream/auth/agent/stream/log.yml.hbs b/packages/system/0.10.4/data_stream/auth/agent/stream/log.yml.hbs
deleted file mode 100644
index 58c96859c0..0000000000
--- a/packages/system/0.10.4/data_stream/auth/agent/stream/log.yml.hbs
+++ /dev/null
@@ -1,14 +0,0 @@
-paths:
-{{#each paths as |path i|}}
- - {{path}}
-{{/each}}
-exclude_files: [".gz$"]
-multiline:
- pattern: "^\\s"
- match: after
-processors:
- - add_locale: ~
- - add_fields:
- target: ''
- fields:
- ecs.version: 1.5.0
\ No newline at end of file
diff --git a/packages/system/0.10.4/data_stream/auth/elasticsearch/ingest_pipeline/default.json b/packages/system/0.10.4/data_stream/auth/elasticsearch/ingest_pipeline/default.json
deleted file mode 100644
index 8df0a77e58..0000000000
--- a/packages/system/0.10.4/data_stream/auth/elasticsearch/ingest_pipeline/default.json
+++ /dev/null
@@ -1,121 +0,0 @@ -{ - "description": "Pipeline for parsing system authorisation/secure logs", - "processors": [ - { - "grok": { - "field": "message", - "ignore_missing": true, - "pattern_definitions" : { - "GREEDYMULTILINE" : "(.|\n)*", - "TIMESTAMP": "(?:%{TIMESTAMP_ISO8601}|%{SYSLOGTIMESTAMP})" - }, - "patterns": [ - "%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: %{DATA:system.auth.ssh.event} %{DATA:system.auth.ssh.method} for (invalid user )?%{DATA:user.name} from %{IPORHOST:source.ip} port %{NUMBER:source.port:long} ssh2(: %{GREEDYDATA:system.auth.ssh.signature})?", - "%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: %{DATA:system.auth.ssh.event} user %{DATA:user.name} from %{IPORHOST:source.ip}", - "%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: Did not receive identification string from %{IPORHOST:system.auth.ssh.dropped_ip}", - "%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: \\s*%{DATA:user.name} :( %{DATA:system.auth.sudo.error} ;)? TTY=%{DATA:system.auth.sudo.tty} ; PWD=%{DATA:system.auth.sudo.pwd} ; USER=%{DATA:system.auth.sudo.user} ; COMMAND=%{GREEDYDATA:system.auth.sudo.command}", - "%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: new group: name=%{DATA:group.name}, GID=%{NUMBER:group.id}", - "%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: new user: name=%{DATA:user.name}, UID=%{NUMBER:user.id}, GID=%{NUMBER:group.id}, home=%{DATA:system.auth.useradd.home}, shell=%{DATA:system.auth.useradd.shell}$", - "%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname}? 
%{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: %{GREEDYMULTILINE:system.auth.message}" - ] - } - }, - { - "remove": { - "field": "message" - } - }, - { - "rename": { - "field": "system.auth.message", - "target_field": "message", - "ignore_missing": true - } - }, - { - "set": { - "field": "source.ip", - "value": "{{system.auth.ssh.dropped_ip}}", - "if": "ctx.containsKey('system') && ctx.system.containsKey('auth') && ctx.system.auth.containsKey('ssh') && ctx.system.auth.ssh.containsKey('dropped_ip')" - } - }, - { - "date": { - "if": "ctx.event.timezone == null", - "field": "system.auth.timestamp", - "target_field": "@timestamp", - "formats": [ - "MMM d HH:mm:ss", - "MMM dd HH:mm:ss", - "ISO8601" - ], - "on_failure": [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] - } - }, - { - "date": { - "if": "ctx.event.timezone != null", - "field": "system.auth.timestamp", - "target_field": "@timestamp", - "formats": [ - "MMM d HH:mm:ss", - "MMM dd HH:mm:ss", - "ISO8601" - ], - "timezone": "{{ event.timezone }}", - "on_failure": [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] - } - }, - { - "remove": { - "field": "system.auth.timestamp" - } - }, - { - "geoip": { - "field": "source.ip", - "target_field": "source.geo", - "ignore_failure": true - } - }, - { - "geoip": { - "database_file": "GeoLite2-ASN.mmdb", - "field": "source.ip", - "target_field": "source.as", - "properties": [ - "asn", - "organization_name" - ], - "ignore_missing": true - } - }, - { - "rename": { - "field": "source.as.asn", - "target_field": "source.as.number", - "ignore_missing": true - } - }, - { - "rename": { - "field": "source.as.organization_name", - "target_field": "source.as.organization.name", - "ignore_missing": true - } - }, - { - "script": { - "lang": "painless", - "ignore_failure": true, - "source": "if (ctx.system.auth.ssh.event == \"Accepted\") { if (!ctx.containsKey(\"event\")) { ctx.event = [:]; } 
ctx.event.type = \"authentication_success\"; ctx.event.category = \"authentication\"; ctx.event.action = \"ssh_login\"; ctx.event.outcome = \"success\"; } else if (ctx.system.auth.ssh.event == \"Invalid\" || ctx.system.auth.ssh.event == \"Failed\") { if (!ctx.containsKey(\"event\")) { ctx.event = [:]; } ctx.event.type = \"authentication_failure\"; ctx.event.category = \"authentication\"; ctx.event.action = \"ssh_login\"; ctx.event.outcome = \"failure\"; }" - } - } - ], - "on_failure" : [{ - "set" : { - "field" : "error.message", - "value" : "{{ _ingest.on_failure_message }}" - } - }] -} diff --git a/packages/system/0.10.4/data_stream/auth/elasticsearch/ingest_pipeline/default.yml b/packages/system/0.10.4/data_stream/auth/elasticsearch/ingest_pipeline/default.yml deleted file mode 100644 index 9f7c43959d..0000000000 --- a/packages/system/0.10.4/data_stream/auth/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,146 +0,0 @@ ---- -description: Pipeline for parsing system authorisation/secure logs -processors: -- grok: - field: message - ignore_missing: true - pattern_definitions: - GREEDYMULTILINE: |- - (.| - )* - TIMESTAMP: (?:%{TIMESTAMP_ISO8601}|%{SYSLOGTIMESTAMP}) - patterns: - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - %{DATA:system.auth.ssh.event} %{DATA:system.auth.ssh.method} for (invalid user - )?%{DATA:user.name} from %{IPORHOST:source.ip} port %{NUMBER:source.port:long} - ssh2(: %{GREEDYDATA:system.auth.ssh.signature})?' - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - %{DATA:system.auth.ssh.event} user %{DATA:user.name} from %{IPORHOST:source.ip}' - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - Did not receive identification string from %{IPORHOST:system.auth.ssh.dropped_ip}' - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - \s*%{DATA:user.name} :( %{DATA:system.auth.sudo.error} ;)? TTY=%{DATA:system.auth.sudo.tty} - ; PWD=%{DATA:system.auth.sudo.pwd} ; USER=%{DATA:system.auth.sudo.user} ; COMMAND=%{GREEDYDATA:system.auth.sudo.command}' - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - new group: name=%{DATA:group.name}, GID=%{NUMBER:group.id}' - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - new user: name=%{DATA:user.name}, UID=%{NUMBER:user.id}, GID=%{NUMBER:group.id}, - home=%{DATA:system.auth.useradd.home}, shell=%{DATA:system.auth.useradd.shell}$' - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname}? 
%{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - %{GREEDYMULTILINE:system.auth.message}' -- remove: - field: message -- rename: - field: system.auth.message - target_field: message - ignore_missing: true -- set: - field: source.ip - value: '{{system.auth.ssh.dropped_ip}}' - if: "ctx?.system?.auth?.ssh?.dropped_ip != null" -- date: - if: ctx.event.timezone == null - field: system.auth.timestamp - target_field: '@timestamp' - formats: - - MMM d HH:mm:ss - - MMM dd HH:mm:ss - - ISO8601 - on_failure: - - append: - field: error.message - value: '{{ _ingest.on_failure_message }}' -- date: - if: ctx.event.timezone != null - field: system.auth.timestamp - target_field: '@timestamp' - formats: - - MMM d HH:mm:ss - - MMM dd HH:mm:ss - - ISO8601 - timezone: '{{ event.timezone }}' - on_failure: - - append: - field: error.message - value: '{{ _ingest.on_failure_message }}' -- remove: - field: system.auth.timestamp -- geoip: - field: source.ip - target_field: source.geo - ignore_failure: true -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true -- rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true -- rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true -- set: - field: event.kind - value: event -- script: - lang: painless - ignore_failure: true - source: >- - if (ctx.system.auth.ssh.event == "Accepted") { - ctx.event.type = ["authentication_success", "info"]; - ctx.event.category = ["authentication"]; - ctx.event.action = "ssh_login"; - ctx.event.outcome = "success"; - } else if (ctx.system.auth.ssh.event == "Invalid" || ctx.system.auth.ssh.event == "Failed") { - ctx.event.type = ["authentication_failure", "info"]; - ctx.event.category = ["authentication"]; - ctx.event.action = "ssh_login"; - ctx.event.outcome = "failure"; - } - -- append: - field: event.category - value: 
iam - if: "ctx?.process?.name != null && ['groupadd', 'groupdel', 'groupmod', 'useradd', 'userdel', 'usermod'].contains(ctx.process.name)" -- set: - field: event.outcome - value: success - if: "ctx?.process?.name != null && ['groupadd', 'groupdel', 'groupmod', 'useradd', 'userdel', 'usermod'].contains(ctx.process.name)" -- append: - field: event.type - value: user - if: "ctx?.process?.name != null && ['useradd', 'userdel', 'usermod'].contains(ctx.process.name)" -- append: - field: event.type - value: group - if: "ctx?.process?.name != null && ['groupadd', 'groupdel', 'groupmod'].contains(ctx.process.name)" -- append: - field: event.type - value: creation - if: "ctx?.process?.name != null && ['useradd', 'groupadd'].contains(ctx.process.name)" -- append: - field: event.type - value: deletion - if: "ctx?.process?.name != null && ['userdel', 'groupdel'].contains(ctx.process.name)" -- append: - field: event.type - value: change - if: "ctx?.process?.name != null && ['usermod', 'groupmod'].contains(ctx.process.name)" -- append: - field: related.user - value: "{{user.name}}" - if: "ctx?.user?.name != null" -- append: - field: related.ip - value: "{{source.ip}}" - if: "ctx?.source?.ip != null" -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/system/0.10.4/data_stream/auth/fields/agent.yml b/packages/system/0.10.4/data_stream/auth/fields/agent.yml deleted file mode 100644 index da4e652c53..0000000000 --- a/packages/system/0.10.4/data_stream/auth/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.10.4/data_stream/auth/fields/base-fields.yml b/packages/system/0.10.4/data_stream/auth/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.10.4/data_stream/auth/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.10.4/data_stream/auth/fields/ecs.yml b/packages/system/0.10.4/data_stream/auth/fields/ecs.yml
deleted file mode 100644
index 3bf40ac7d1..0000000000
--- a/packages/system/0.10.4/data_stream/auth/fields/ecs.yml
+++ /dev/null
@@ -1,205 +0,0 @@ -- name: '@timestamp' - level: core - required: true - type: date - description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. -- name: message - level: core - type: text - description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. -- name: group - title: Group - group: 2 - type: group - fields: - - name: id - level: extended - type: keyword - description: Unique identifier for the group on the system/platform. - ignore_above: 1024 - - name: name - level: extended - type: keyword - description: Name of the group. - ignore_above: 1024 -- name: host - title: Host - group: 2 - type: group - fields: - - name: hostname - level: core - type: keyword - description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - ignore_above: 1024 -- name: process - title: Process - group: 2 - type: group - fields: - - name: name - level: extended - type: keyword - description: |- - Process name. - Sometimes called program name or similar. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - - name: pid - level: core - type: long - format: string - description: Process id. -- name: source - title: Source - group: 2 - type: group - fields: - - name: geo.city_name - level: core - type: keyword - description: City name. 
- ignore_above: 1024 - - name: geo.continent_name - level: core - type: keyword - description: Name of the continent. - ignore_above: 1024 - - name: geo.country_iso_code - level: core - type: keyword - description: Country ISO code. - ignore_above: 1024 - - name: geo.location - level: core - type: geo_point - description: Longitude and latitude. - - name: geo.region_iso_code - level: core - type: keyword - description: Region ISO code. - ignore_above: 1024 - - name: geo.region_name - level: core - type: keyword - description: Region name. - ignore_above: 1024 - - name: ip - level: core - type: ip - description: IP address of the source (IPv4 or IPv6). - - name: port - level: core - type: long - format: string - description: Port of the source. -- name: user - title: User - group: 2 - type: group - fields: - - name: id - level: core - type: keyword - description: Unique identifier of the user. - ignore_above: 1024 - - name: name - level: core - type: keyword - description: Short name or login of the user. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false -- description: "Operating system architecture." - ignore_above: 1024 - name: host.architecture - type: keyword -- description: "Name of the directory the group is a member of." - ignore_above: 1024 - name: host.domain - type: keyword -- description: "Hostname of the host." - ignore_above: 1024 - name: host.hostname - type: keyword -- description: "Unique host id." - ignore_above: 1024 - name: host.id - type: keyword -- description: "Host ip addresses." - name: host.ip - type: ip -- description: "Host mac addresses." - ignore_above: 1024 - name: host.mac - type: keyword -- description: "Name of the host." - ignore_above: 1024 - name: host.name - type: keyword -- description: "OS family (such as redhat, debian, freebsd, windows)." - ignore_above: 1024 - name: host.os.family - type: keyword -- description: "Operating system name, including the version or code name." 
- ignore_above: 1024 - multi_fields: - - name: text - norms: false - type: text - name: host.os.full - type: keyword -- description: "Operating system kernel version as a raw string." - ignore_above: 1024 - name: host.os.kernel - type: keyword -- description: "Operating system name, without the version." - ignore_above: 1024 - multi_fields: - - name: text - norms: false - type: text - name: host.os.name - type: keyword -- description: "Operating system platform (such centos, ubuntu, windows)." - ignore_above: 1024 - name: host.os.platform - type: keyword -- description: "Operating system version as a raw string." - ignore_above: 1024 - name: version - type: keyword -- name: error.message - type: text - description: Error message. -- name: related.ip - type: ip - description: All of the IPs seen on your event. -- name: related.user - type: keyword - description: All the user names seen on your event. -- name: source.as.number - type: long - description: Unique number allocated to the autonomous system. -- name: source.as.organization.name - type: keyword - description: Organization name. -- name: source.geo.country_name - type: keyword - description: Country name. diff --git a/packages/system/0.10.4/data_stream/auth/fields/fields.yml b/packages/system/0.10.4/data_stream/auth/fields/fields.yml deleted file mode 100644 index 1e7b044f02..0000000000 --- a/packages/system/0.10.4/data_stream/auth/fields/fields.yml +++ /dev/null 
@@ -1,58 +0,0 @@
-- name: system.auth
- type: group
- fields:
- - name: ssh
- type: group
- fields:
- - name: method
- type: keyword
- description: |
- The SSH authentication method. Can be one of "password" or "publickey".
- - name: signature
- type: keyword
- description: |
- The signature of the client public key.
- - name: dropped_ip
- type: ip
- description: |
- The client IP from SSH connections that are open and immediately dropped.
- - name: event
- type: keyword
- description: |
- The SSH event as found in the logs (Accepted, Invalid, Failed, etc.)
- - name: geoip
- type: group
- - name: sudo
- type: group
- fields:
- - name: error
- type: keyword
- description: |
- The error message in case the sudo command failed.
- - name: tty
- type: keyword
- description: |
- The TTY where the sudo command is executed.
- - name: pwd
- type: keyword
- description: |
- The current directory where the sudo command is executed.
- - name: user
- type: keyword
- description: |
- The target user to which the sudo command is switching.
- - name: command
- type: keyword
- description: |
- The command executed via sudo.
- - name: useradd
- type: group
- fields:
- - name: home
- type: keyword
- description: The home folder for the new user.
- - name: shell
- type: keyword
- description: The default shell for the new user.
- - name: groupadd
- type: group
diff --git a/packages/system/0.10.4/data_stream/auth/manifest.yml b/packages/system/0.10.4/data_stream/auth/manifest.yml
deleted file mode 100644
index 428764ece1..0000000000
--- a/packages/system/0.10.4/data_stream/auth/manifest.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-title: System auth logs
-release: experimental
-type: logs
-streams:
- - input: logfile
- vars:
- - name: paths
- type: text
- title: Paths
- multi: true
- required: true
- show_user: true
- default:
- - /var/log/auth.log*
- - /var/log/secure*
- template_path: log.yml.hbs
- title: System auth logs (log)
- description: Collect System auth logs using log input
diff --git a/packages/system/0.10.4/data_stream/core/agent/stream/stream.yml.hbs b/packages/system/0.10.4/data_stream/core/agent/stream/stream.yml.hbs
deleted file mode 100644
index 38d25572bd..0000000000
--- a/packages/system/0.10.4/data_stream/core/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,5 +0,0 @@
-metricsets: ["core"]
-core.metrics:
-{{#each core.metrics}}
- - {{this}}
-{{/each}}
diff --git a/packages/system/0.10.4/data_stream/core/fields/agent.yml b/packages/system/0.10.4/data_stream/core/fields/agent.yml
deleted file mode 100644
index da4e652c53..0000000000
--- a/packages/system/0.10.4/data_stream/core/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.10.4/data_stream/core/fields/base-fields.yml b/packages/system/0.10.4/data_stream/core/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.10.4/data_stream/core/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.10.4/data_stream/core/fields/ecs.yml b/packages/system/0.10.4/data_stream/core/fields/ecs.yml
deleted file mode 100644
index e76a78fa1d..0000000000
--- a/packages/system/0.10.4/data_stream/core/fields/ecs.yml
+++ /dev/null
@@ -1,71 +0,0 @@ -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. 
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: Type of host.
diff --git a/packages/system/0.10.4/data_stream/core/fields/fields.yml b/packages/system/0.10.4/data_stream/core/fields/fields.yml
deleted file mode 100644
index dab186321f..0000000000
--- a/packages/system/0.10.4/data_stream/core/fields/fields.yml
+++ /dev/null
@@ -1,103 +0,0 @@
-- name: system.core
- type: group
- fields:
- - name: id
- type: keyword
- description: |
- CPU Core number.
- - name: user.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in user space.
- - name: user.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent in user space.
- - name: system.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in kernel space.
- - name: system.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent in kernel space.
- - name: nice.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent on low-priority processes.
- - name: nice.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent on low-priority processes.
- - name: idle.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent idle.
- - name: idle.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent idle.
- - name: iowait.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in wait (on disk).
- - name: iowait.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent in wait (on disk).
- - name: irq.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent servicing and handling hardware interrupts.
- - name: irq.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent servicing and handling hardware interrupts.
- - name: softirq.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent servicing and handling software interrupts.
- - name: softirq.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent servicing and handling software interrupts.
- - name: steal.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.
- - name: steal.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.
diff --git a/packages/system/0.10.4/data_stream/core/manifest.yml b/packages/system/0.10.4/data_stream/core/manifest.yml
deleted file mode 100644
index f7e0e5a825..0000000000
--- a/packages/system/0.10.4/data_stream/core/manifest.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-title: System core metrics
-release: experimental
-type: metrics
-streams:
- - input: system/metrics
- enabled: false
- vars:
- - name: period
- type: text
- title: Period
- multi: false
- required: true
- show_user: true
- default: 10s
- - name: core.metrics
- type: text
- title: Core Metrics
- multi: true
- required: true
- show_user: true
- description: >
- How to report core metrics. Can be "percentages" or "ticks"
-
- default:
- - percentages
- title: System core metrics
- description: Collect System core metrics
diff --git a/packages/system/0.10.4/data_stream/cpu/agent/stream/stream.yml.hbs b/packages/system/0.10.4/data_stream/cpu/agent/stream/stream.yml.hbs
deleted file mode 100644
index cd0de8d3d9..0000000000
--- a/packages/system/0.10.4/data_stream/cpu/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,6 +0,0 @@
-metricsets: ["cpu"]
-cpu.metrics:
-{{#each cpu.metrics}}
- - {{this}}
-{{/each}}
-period: {{period}}
\ No newline at end of file
diff --git a/packages/system/0.10.4/data_stream/cpu/fields/agent.yml b/packages/system/0.10.4/data_stream/cpu/fields/agent.yml
deleted file mode 100644
index da4e652c53..0000000000
--- a/packages/system/0.10.4/data_stream/cpu/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.10.4/data_stream/cpu/fields/base-fields.yml b/packages/system/0.10.4/data_stream/cpu/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.10.4/data_stream/cpu/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.10.4/data_stream/cpu/fields/ecs.yml b/packages/system/0.10.4/data_stream/cpu/fields/ecs.yml
deleted file mode 100644
index e76a78fa1d..0000000000
--- a/packages/system/0.10.4/data_stream/cpu/fields/ecs.yml
+++ /dev/null
@@ -1,71 +0,0 @@ -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. 
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: Type of host.
diff --git a/packages/system/0.10.4/data_stream/cpu/fields/fields.yml b/packages/system/0.10.4/data_stream/cpu/fields/fields.yml
deleted file mode 100644
index 9efed64c2d..0000000000
--- a/packages/system/0.10.4/data_stream/cpu/fields/fields.yml
+++ /dev/null
@@ -1,182 +0,0 @@
-- name: system.cpu
- type: group
- fields:
- - name: cores
- type: long
- metric_type: gauge
- description: |
- The number of CPU cores present on the host. The non-normalized percentages will have a maximum value of `100% * cores`. The normalized percentages already take this value into account and have a maximum value of 100%.
- - name: user.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in user space. On multi-core systems, you can have percentages that are greater than 100%. For example, if 3 cores are at 60% use, then the `system.cpu.user.pct` will be 180%.
- - name: system.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in kernel space.
- - name: nice.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent on low-priority processes.
- - name: idle.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent idle.
- - name: iowait.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in wait (on disk).
- - name: irq.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent servicing and handling hardware interrupts.
- - name: softirq.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent servicing and handling software interrupts.
- - name: steal.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.
- - name: total.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in states other than Idle and IOWait.
- - name: user.norm.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in user space.
- - name: system.norm.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in kernel space.
- - name: nice.norm.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent on low-priority processes.
- - name: idle.norm.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent idle.
- - name: iowait.norm.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in wait (on disk).
- - name: irq.norm.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent servicing and handling hardware interrupts.
- - name: softirq.norm.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent servicing and handling software interrupts.
- - name: steal.norm.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.
- - name: total.norm.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time in states other than Idle and IOWait, normalised by the number of cores.
- - name: user.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent in user space.
- - name: system.ticks
- type: long
- description: |
- The amount of CPU time spent in kernel space.
- - name: nice.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent on low-priority processes.
- - name: idle.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent idle.
- - name: iowait.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent in wait (on disk).
- - name: irq.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent servicing and handling hardware interrupts.
- - name: softirq.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent servicing and handling software interrupts.
- - name: steal.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.
-- name: host
- type: group
- fields:
- - name: cpu.pct
- type: scaled_float
- unit: percent
- metric_type: gauge
- description: |
- Percent CPU used. This value is normalized by the number of CPU cores and it ranges from 0 to 1.
diff --git a/packages/system/0.10.4/data_stream/cpu/manifest.yml b/packages/system/0.10.4/data_stream/cpu/manifest.yml
deleted file mode 100644
index 0388136d11..0000000000
--- a/packages/system/0.10.4/data_stream/cpu/manifest.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-title: System cpu metrics
-release: experimental
-type: metrics
-streams:
- - input: system/metrics
- vars:
- - name: period
- type: text
- title: Period
- multi: false
- required: true
- show_user: true
- default: 10s
- - name: cpu.metrics
- type: text
- title: Cpu Metrics
- multi: true
- required: true
- show_user: true
- description: >
- How to report CPU metrics. Can be "percentages", "normalized_percentages", or "ticks"
-
- default:
- - percentages
- - normalized_percentages
- title: System cpu metrics
- description: Collect System cpu metrics
diff --git a/packages/system/0.10.4/data_stream/diskio/agent/stream/stream.yml.hbs b/packages/system/0.10.4/data_stream/diskio/agent/stream/stream.yml.hbs
deleted file mode 100644
index 689369ee25..0000000000
--- a/packages/system/0.10.4/data_stream/diskio/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,6 +0,0 @@
-metricsets: ["diskio"]
-diskio.include_devices:
-{{#each diskio.include_devices}}
- - {{this}}
-{{/each}}
-period: {{period}}
\ No newline at end of file
diff --git a/packages/system/0.10.4/data_stream/diskio/fields/agent.yml b/packages/system/0.10.4/data_stream/diskio/fields/agent.yml
deleted file mode 100644
index da4e652c53..0000000000
--- a/packages/system/0.10.4/data_stream/diskio/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.10.4/data_stream/diskio/fields/base-fields.yml b/packages/system/0.10.4/data_stream/diskio/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.10.4/data_stream/diskio/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.10.4/data_stream/diskio/fields/ecs.yml b/packages/system/0.10.4/data_stream/diskio/fields/ecs.yml
deleted file mode 100644
index 9a7eeefc56..0000000000
--- a/packages/system/0.10.4/data_stream/diskio/fields/ecs.yml
+++ /dev/null
@@ -1,78 +0,0 @@ -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: hostname - level: core - type: keyword - description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - ignore_above: 1024 - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). 
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: Type of host.
diff --git a/packages/system/0.10.4/data_stream/diskio/fields/fields.yml b/packages/system/0.10.4/data_stream/diskio/fields/fields.yml
deleted file mode 100644
index 01a5762c60..0000000000
--- a/packages/system/0.10.4/data_stream/diskio/fields/fields.yml
+++ /dev/null
@@ -1,136 +0,0 @@ -- name: system.diskio - type: group - fields: - - name: name - type: keyword - description: | - The disk name. - - name: serial_number - type: keyword - description: | - The disk's serial number. This may not be provided by all operating systems. - - name: read.count - type: long - metric_type: counter - description: | - The total number of reads completed successfully. - - name: write.count - type: long - metric_type: counter - description: | - The total number of writes completed successfully. - - name: read.bytes - type: long - format: bytes - unit: byte - metric_type: counter - description: | - The total number of bytes read successfully. On Linux this is the number of sectors read multiplied by an assumed sector size of 512. - - name: write.bytes - type: long - format: bytes - unit: byte - metric_type: counter - description: | - The total number of bytes written successfully. On Linux this is the number of sectors written multiplied by an assumed sector size of 512. - - name: read.time - type: long - metric_type: counter - description: | - The total number of milliseconds spent by all reads. - - name: write.time - type: long - metric_type: counter - description: | - The total number of milliseconds spent by all writes. - - name: io.time - type: long - metric_type: counter - description: | - The total number of of milliseconds spent doing I/Os. - - name: iostat.read.request.merges_per_sec - type: float - metric_type: gauge - description: | - The number of read requests merged per second that were queued to the device. - - name: iostat.write.request.merges_per_sec - type: float - metric_type: gauge - description: | - The number of write requests merged per second that were queued to the device. 
- - name: iostat.read.request.per_sec - type: float - metric_type: gauge - description: | - The number of read requests that were issued to the device per second - - name: iostat.write.request.per_sec - type: float - metric_type: gauge - description: | - The number of write requests that were issued to the device per second - - name: iostat.read.per_sec.bytes - type: float - format: bytes - metric_type: gauge - description: | - The number of Bytes read from the device per second. - - name: iostat.read.await - type: float - metric_type: gauge - description: | - The average time spent for read requests issued to the device to be served. - - name: iostat.write.per_sec.bytes - type: float - format: bytes - metric_type: gauge - description: | - The number of Bytes write from the device per second. - - name: iostat.write.await - type: float - metric_type: gauge - description: | - The average time spent for write requests issued to the device to be served. - - name: iostat.request.avg_size - type: float - format: bytes - unit: byte - metric_type: gauge - description: | - The average size (in bytes) of the requests that were issued to the device. - - name: iostat.queue.avg_size - type: float - unit: byte - metric_type: gauge - description: | - The average queue length of the requests that were issued to the device. - - name: iostat.await - type: float - metric_type: gauge - description: | - The average time spent for requests issued to the device to be served. - - name: iostat.service_time - type: float - unit: ms - metric_type: gauge - description: | - The average service time (in milliseconds) for I/O requests that were issued to the device. - - name: iostat.busy - type: float - metric_type: gauge - description: | - Percentage of CPU time during which I/O requests were issued to the device (bandwidth utilization for the device). Device saturation occurs when this value is close to 100%. 
-- name: host - type: group - fields: - - name: disk.read.bytes - type: scaled_float - unit: byte - metric_type: gauge - description: | - The total number of bytes read successfully in a given period of time. - - name: disk.write.bytes - type: scaled_float - unit: byte - metric_type: gauge - description: | - The total number of bytes write successfully in a given period of time. diff --git a/packages/system/0.10.4/data_stream/diskio/manifest.yml b/packages/system/0.10.4/data_stream/diskio/manifest.yml deleted file mode 100644 index 320f708bef..0000000000 --- a/packages/system/0.10.4/data_stream/diskio/manifest.yml +++ /dev/null @@ -1,24 +0,0 @@ -title: System diskio metrics -release: experimental -type: metrics -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - - name: diskio.include_devices - type: text - title: Include Devices - multi: true - required: false - show_user: true - description: > - Provide a specific list of devices to monitor. By default, all devices are monitored. - - title: System diskio metrics - description: Collect System diskio metrics diff --git a/packages/system/0.10.4/data_stream/filesystem/agent/stream/stream.yml.hbs b/packages/system/0.10.4/data_stream/filesystem/agent/stream/stream.yml.hbs deleted file mode 100644 index d21fbd9919..0000000000 --- a/packages/system/0.10.4/data_stream/filesystem/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,3 +0,0 @@ -metricsets: ["filesystem"] -period: {{period}} -processors: {{processors}} diff --git a/packages/system/0.10.4/data_stream/filesystem/fields/agent.yml b/packages/system/0.10.4/data_stream/filesystem/fields/agent.yml deleted file mode 100644 index da4e652c53..0000000000 --- a/packages/system/0.10.4/data_stream/filesystem/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.10.4/data_stream/filesystem/fields/base-fields.yml b/packages/system/0.10.4/data_stream/filesystem/fields/base-fields.yml deleted file mode 100644 index 7c798f4534..0000000000 --- a/packages/system/0.10.4/data_stream/filesystem/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.10.4/data_stream/filesystem/fields/fields.yml b/packages/system/0.10.4/data_stream/filesystem/fields/fields.yml deleted file mode 100644 index d7b44199a8..0000000000 --- a/packages/system/0.10.4/data_stream/filesystem/fields/fields.yml +++ /dev/null 
@@ -1,60 +0,0 @@ -- name: system.filesystem - type: group - fields: - - name: available - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The disk space available to an unprivileged user in bytes. - - name: device_name - type: keyword - description: | - The disk name. For example: `/dev/disk1` - - name: type - type: keyword - description: | - The disk type. For example: `ext4` - - name: mount_point - type: keyword - description: | - The mounting point. For example: `/` - - name: files - type: long - metric_type: gauge - description: | - The total number of file nodes in the file system. - - name: free - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The disk space available in bytes. - - name: free_files - type: long - metric_type: gauge - description: | - The number of free file nodes in the file system. - - name: total - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The total disk space in bytes. - - name: used.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The used disk space in bytes. - - name: used.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of used disk space. diff --git a/packages/system/0.10.4/data_stream/filesystem/manifest.yml b/packages/system/0.10.4/data_stream/filesystem/manifest.yml deleted file mode 100644 index 2cc3f159a7..0000000000 --- a/packages/system/0.10.4/data_stream/filesystem/manifest.yml +++ /dev/null 
@@ -1,28 +0,0 @@ -title: System filesystem metrics -release: experimental -type: metrics -streams: - - input: system/metrics - enabled: true - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 1m - - name: processors - type: yaml - title: Processors - multi: false - required: true - show_user: true - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with external metadata. - - default: | - - drop_event.when.regexp: - system.filesystem.mount_point: ^/(sys|cgroup|proc|dev|etc|host|lib|snap)($|/) - title: System filesystem metrics - description: Collect System filesystem metrics diff --git a/packages/system/0.10.4/data_stream/fsstat/agent/stream/stream.yml.hbs b/packages/system/0.10.4/data_stream/fsstat/agent/stream/stream.yml.hbs deleted file mode 100644 index fc5ebe911d..0000000000 --- a/packages/system/0.10.4/data_stream/fsstat/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,3 +0,0 @@ -metricsets: ["fsstat"] -period: {{period}} -processors: {{processors}} diff --git a/packages/system/0.10.4/data_stream/fsstat/fields/agent.yml b/packages/system/0.10.4/data_stream/fsstat/fields/agent.yml deleted file mode 100644 index da4e652c53..0000000000 --- a/packages/system/0.10.4/data_stream/fsstat/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.10.4/data_stream/fsstat/fields/base-fields.yml b/packages/system/0.10.4/data_stream/fsstat/fields/base-fields.yml deleted file mode 100644 index 7c798f4534..0000000000 --- a/packages/system/0.10.4/data_stream/fsstat/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.10.4/data_stream/fsstat/fields/ecs.yml b/packages/system/0.10.4/data_stream/fsstat/fields/ecs.yml deleted file mode 100644 index e76a78fa1d..0000000000 --- a/packages/system/0.10.4/data_stream/fsstat/fields/ecs.yml +++ /dev/null 
@@ -1,71 +0,0 @@ -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. 
- example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: Type of host. diff --git a/packages/system/0.10.4/data_stream/fsstat/fields/fields.yml b/packages/system/0.10.4/data_stream/fsstat/fields/fields.yml deleted file mode 100644 index aab998a85d..0000000000 --- a/packages/system/0.10.4/data_stream/fsstat/fields/fields.yml +++ /dev/null @@ -1,38 +0,0 @@ -- name: system.fsstat - type: group - fields: - - name: count - type: long - metric_type: gauge - description: Number of file systems found. - - name: total_files - type: long - metric_type: gauge - description: Total number of files. - - name: total_size - type: group - format: bytes - unit: byte - metric_type: gauge - fields: - - name: free - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total free space. - - name: used - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total used space. - - name: total - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total space (used plus free). diff --git a/packages/system/0.10.4/data_stream/fsstat/manifest.yml b/packages/system/0.10.4/data_stream/fsstat/manifest.yml deleted file mode 100644 index 8e63d20df1..0000000000 --- a/packages/system/0.10.4/data_stream/fsstat/manifest.yml +++ /dev/null 
@@ -1,28 +0,0 @@ -title: System fsstat metrics -release: experimental -type: metrics -streams: - - input: system/metrics - enabled: true - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 1m - - name: processors - type: yaml - title: Processors - multi: false - required: true - show_user: true - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with external metadata. - - default: | - - drop_event.when.regexp: - system.fsstat.mount_point: ^/(sys|cgroup|proc|dev|etc|host|lib|snap)($|/) - title: System fsstat metrics - description: Collect System fsstat metrics diff --git a/packages/system/0.10.4/data_stream/load/agent/stream/stream.yml.hbs b/packages/system/0.10.4/data_stream/load/agent/stream/stream.yml.hbs deleted file mode 100644 index 42790173e3..0000000000 --- a/packages/system/0.10.4/data_stream/load/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,3 +0,0 @@ -metricsets: ["load"] -condition: ${host.platform} == 'linux' -period: {{period}} \ No newline at end of file diff --git a/packages/system/0.10.4/data_stream/load/fields/agent.yml b/packages/system/0.10.4/data_stream/load/fields/agent.yml deleted file mode 100644 index da4e652c53..0000000000 --- a/packages/system/0.10.4/data_stream/load/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.10.4/data_stream/load/fields/base-fields.yml b/packages/system/0.10.4/data_stream/load/fields/base-fields.yml deleted file mode 100644 index 7c798f4534..0000000000 --- a/packages/system/0.10.4/data_stream/load/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.10.4/data_stream/load/fields/ecs.yml b/packages/system/0.10.4/data_stream/load/fields/ecs.yml deleted file mode 100644 index e76a78fa1d..0000000000 --- a/packages/system/0.10.4/data_stream/load/fields/ecs.yml +++ /dev/null 
@@ -1,71 +0,0 @@ -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. 
- example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: Type of host. diff --git a/packages/system/0.10.4/data_stream/load/fields/fields.yml b/packages/system/0.10.4/data_stream/load/fields/fields.yml deleted file mode 100644 index ae0130faef..0000000000 --- a/packages/system/0.10.4/data_stream/load/fields/fields.yml +++ /dev/null @@ -1,38 +0,0 @@ -- name: system.load - type: group - fields: - - name: "1" - type: scaled_float - metric_type: gauge - description: | - Load average for the last minute. - - name: "5" - type: scaled_float - metric_type: gauge - description: | - Load average for the last 5 minutes. - - name: "15" - type: scaled_float - metric_type: gauge - description: | - Load average for the last 15 minutes. - - name: norm.1 - type: scaled_float - metric_type: gauge - description: | - Load for the last minute divided by the number of cores. - - name: norm.5 - type: scaled_float - metric_type: gauge - description: | - Load for the last 5 minutes divided by the number of cores. - - name: norm.15 - type: scaled_float - metric_type: gauge - description: | - Load for the last 15 minutes divided by the number of cores. - - name: cores - type: long - metric_type: gauge - description: | - The number of CPU cores present on the host. diff --git a/packages/system/0.10.4/data_stream/load/manifest.yml b/packages/system/0.10.4/data_stream/load/manifest.yml deleted file mode 100644 index 486e57b779..0000000000 --- a/packages/system/0.10.4/data_stream/load/manifest.yml +++ /dev/null @@ -1,15 +0,0 @@ -title: System load metrics -release: experimental -type: metrics -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - title: System load metrics - description: Collect System load metrics 
diff --git a/packages/system/0.10.4/data_stream/memory/agent/stream/stream.yml.hbs b/packages/system/0.10.4/data_stream/memory/agent/stream/stream.yml.hbs
deleted file mode 100644
index 0d49de061f..0000000000
--- a/packages/system/0.10.4/data_stream/memory/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,2 +0,0 @@
-metricsets: ["memory"]
-period: {{period}}
\ No newline at end of file
diff --git a/packages/system/0.10.4/data_stream/memory/fields/agent.yml b/packages/system/0.10.4/data_stream/memory/fields/agent.yml
deleted file mode 100644
index da4e652c53..0000000000
--- a/packages/system/0.10.4/data_stream/memory/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.10.4/data_stream/memory/fields/base-fields.yml b/packages/system/0.10.4/data_stream/memory/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.10.4/data_stream/memory/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.10.4/data_stream/memory/fields/ecs.yml b/packages/system/0.10.4/data_stream/memory/fields/ecs.yml
deleted file mode 100644
index e76a78fa1d..0000000000
--- a/packages/system/0.10.4/data_stream/memory/fields/ecs.yml
+++ /dev/null
@@ -1,71 +0,0 @@ -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. 
- example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: Type of host. diff --git a/packages/system/0.10.4/data_stream/memory/fields/fields.yml b/packages/system/0.10.4/data_stream/memory/fields/fields.yml deleted file mode 100644 index 55488d61eb..0000000000 --- a/packages/system/0.10.4/data_stream/memory/fields/fields.yml +++ /dev/null 
@@ -1,199 +0,0 @@ -- name: system.memory - type: group - fields: - - name: total - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total memory. - - name: used.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Used memory. - - name: free - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The total amount of free memory in bytes. This value does not include memory consumed by system caches and buffers (see system.memory.actual.free). - - name: used.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of used memory. - - name: actual - type: group - fields: - - name: used.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Actual used memory in bytes. It represents the difference between the total and the available memory. The available memory depends on the OS. For more details, please check `system.actual.free`. - - name: free - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Actual free memory in bytes. It is calculated based on the OS. On Linux this value will be MemAvailable from /proc/meminfo, or calculated from free memory plus caches and buffers if /proc/meminfo is not available. On OSX it is a sum of free memory and the inactive memory. On Windows, it is equal to `system.memory.free`. - - name: used.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of actual used memory. - - name: swap - type: group - fields: - - name: total - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total swap memory. - - name: used.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Used swap memory. - - name: free - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Available swap memory. 
- - name: out.pages - type: long - metric_type: counter - description: count of pages swapped out - - name: in.pages - type: long - metric_type: gauge - description: count of pages swapped in - - name: readahead.pages - type: long - metric_type: counter - description: swap readahead pages - - name: readahead.cached - type: long - description: swap readahead cache hits - - name: used.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of used swap memory. - - name: page_stats - type: group - fields: - - name: pgscan_kswapd.pages - type: long - format: number - metric_type: counter - description: pages scanned by kswapd - - name: pgscan_direct.pages - type: long - format: number - metric_type: counter - description: pages scanned directly - - name: pgfree.pages - type: long - format: number - metric_type: counter - description: pages freed by the system - - name: pgsteal_kswapd.pages - type: long - format: number - metric_type: counter - description: number of pages reclaimed by kswapd - - name: pgsteal_direct.pages - type: long - format: number - metric_type: counter - description: number of pages reclaimed directly - - name: direct_efficiency.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: direct reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory. - - name: kswapd_efficiency.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: kswapd reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory. - - name: hugepages - type: group - fields: - - name: total - type: long - format: number - metric_type: gauge - description: | - Number of huge pages in the pool. - - name: used.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Memory used in allocated huge pages. 
- - name: used.pct - type: long - format: percent - unit: percent - metric_type: gauge - description: | - Percentage of huge pages used. - - name: free - type: long - format: number - metric_type: gauge - description: | - Number of available huge pages in the pool. - - name: reserved - type: long - format: number - metric_type: gauge - description: | - Number of reserved but not allocated huge pages in the pool. - - name: surplus - type: long - format: number - metric_type: gauge - description: | - Number of overcommited huge pages. - - name: default_size - type: long - format: bytes - metric_type: gauge - description: | - Default size for huge pages. - - name: swap.out - type: group - fields: - - name: pages - type: long - metric_type: gauge - description: pages swapped out - - name: fallback - type: long - metric_type: gauge - description: Count of huge pages that must be split before swapout diff --git a/packages/system/0.10.4/data_stream/memory/manifest.yml b/packages/system/0.10.4/data_stream/memory/manifest.yml deleted file mode 100644 index aeb17b0bd0..0000000000 --- a/packages/system/0.10.4/data_stream/memory/manifest.yml +++ /dev/null @@ -1,15 +0,0 @@ -title: System memory metrics -release: experimental -type: metrics -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - title: System memory metrics - description: Collect System memory metrics diff --git a/packages/system/0.10.4/data_stream/network/agent/stream/stream.yml.hbs b/packages/system/0.10.4/data_stream/network/agent/stream/stream.yml.hbs deleted file mode 100644 index a3aeb928ae..0000000000 --- a/packages/system/0.10.4/data_stream/network/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,6 +0,0 @@ -metricsets: ["network"] -period: {{period}} -network.interfaces: -{{#each network.interfaces}} - - {{this}} -{{/each}} 
diff --git a/packages/system/0.10.4/data_stream/network/fields/agent.yml b/packages/system/0.10.4/data_stream/network/fields/agent.yml
deleted file mode 100644
index da4e652c53..0000000000
--- a/packages/system/0.10.4/data_stream/network/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.10.4/data_stream/network/fields/base-fields.yml b/packages/system/0.10.4/data_stream/network/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.10.4/data_stream/network/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.10.4/data_stream/network/fields/ecs.yml b/packages/system/0.10.4/data_stream/network/fields/ecs.yml
deleted file mode 100644
index 9f3d04118b..0000000000
--- a/packages/system/0.10.4/data_stream/network/fields/ecs.yml
+++ /dev/null
@@ -1,128 +0,0 @@ -- name: '@timestamp' - level: core - required: true - type: date - description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. -- name: message - level: core - type: text - description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. -- name: group - title: Group - group: 2 - type: group - fields: - - name: id - level: extended - type: keyword - description: Unique identifier for the group on the system/platform. - ignore_above: 1024 - - name: name - level: extended - type: keyword - description: Name of the group. - ignore_above: 1024 -- name: host - title: Host - group: 2 - type: group - fields: - - name: hostname - level: core - type: keyword - description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - ignore_above: 1024 -- name: process - title: Process - group: 2 - type: group - fields: - - name: name - level: extended - type: keyword - description: |- - Process name. - Sometimes called program name or similar. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - - name: pid - level: core - type: long - format: string - description: Process id. -- name: source - title: Source - group: 2 - type: group - fields: - - name: geo.city_name - level: core - type: keyword - description: City name. 
- ignore_above: 1024 - - name: geo.continent_name - level: core - type: keyword - description: Name of the continent. - ignore_above: 1024 - - name: geo.country_iso_code - level: core - type: keyword - description: Country ISO code. - ignore_above: 1024 - - name: geo.location - level: core - type: geo_point - description: Longitude and latitude. - - name: geo.region_iso_code - level: core - type: keyword - description: Region ISO code. - ignore_above: 1024 - - name: geo.region_name - level: core - type: keyword - description: Region name. - ignore_above: 1024 - - name: ip - level: core - type: ip - description: IP address of the source (IPv4 or IPv6). - - name: port - level: core - type: long - format: string - description: Port of the source. -- name: user - title: User - group: 2 - type: group - fields: - - name: id - level: core - type: keyword - description: Unique identifier of the user. - ignore_above: 1024 - - name: name - level: core - type: keyword - description: Short name or login of the user. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false diff --git a/packages/system/0.10.4/data_stream/network/fields/fields.yml b/packages/system/0.10.4/data_stream/network/fields/fields.yml deleted file mode 100644 index a309d88ba0..0000000000 --- a/packages/system/0.10.4/data_stream/network/fields/fields.yml +++ /dev/null 
@@ -1,77 +0,0 @@ -- name: system.network - type: group - fields: - - name: name - type: keyword - description: | - The network interface name. - - name: out.bytes - type: long - format: bytes - unit: byte - metric_type: counter - description: | - The number of bytes sent. - - name: in.bytes - type: long - format: bytes - unit: byte - metric_type: counter - description: | - The number of bytes received. - - name: out.packets - type: long - metric_type: counter - description: | - The number of packets sent. - - name: in.packets - type: long - metric_type: counter - description: | - The number or packets received. - - name: in.errors - type: long - metric_type: counter - description: | - The number of errors while receiving. - - name: out.errors - type: long - metric_type: counter - description: | - The number of errors while sending. - - name: in.dropped - type: long - metric_type: counter - description: | - The number of incoming packets that were dropped. - - name: out.dropped - type: long - metric_type: counter - description: | - The number of outgoing packets that were dropped. This value is always 0 on Darwin and BSD because it is not reported by the operating system. -- name: host - type: group - fields: - - name: network.in.bytes - type: scaled_float - format: bytes - unit: byte - metric_type: counter - description: | - The number of bytes received on all network interfaces by the host in a given period of time. - - name: network.out.bytes - type: scaled_float - unit: byte - metric_type: counter - description: | - The number of bytes sent out on all network interfaces by the host in a given period of time. - - name: network.in.packets - type: scaled_float - metric_type: counter - description: | - The number of packets received on all network interfaces by the host in a given period of time. 
- - name: network.out.packets - type: scaled_float - metric_type: counter - description: | - The number of packets sent out on all network interfaces by the host in a given period of time. diff --git a/packages/system/0.10.4/data_stream/network/manifest.yml b/packages/system/0.10.4/data_stream/network/manifest.yml deleted file mode 100644 index b9878b3e64..0000000000 --- a/packages/system/0.10.4/data_stream/network/manifest.yml +++ /dev/null @@ -1,24 +0,0 @@ -title: System network metrics -release: experimental -type: metrics -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - - name: network.interfaces - type: text - title: Interfaces - multi: true - required: false - show_user: true - description: > - List of interfaces to monitor. Will monitor all by default. - - title: System network metrics - description: Collect System network metrics diff --git a/packages/system/0.10.4/data_stream/process/agent/stream/stream.yml.hbs b/packages/system/0.10.4/data_stream/process/agent/stream/stream.yml.hbs deleted file mode 100644 index c28d9dd78a..0000000000 --- a/packages/system/0.10.4/data_stream/process/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,16 +0,0 @@ -metricsets: ["process"] -period: {{period}} -process.include_top_n.by_cpu: {{process.include_top_n.by_cpu}} -process.include_top_n.by_memory: {{process.include_top_n.by_memory}} -process.cmdline.cache.enabled: {{process.cmdline.cache.enabled}} -process.cgroups.enabled: {{process.cgroups.enabled}} -process.include_cpu_ticks: {{process.include_cpu_ticks}} -{{#if process.env.whitelist}} -{{#each process.env.whitelist}} - - {{this}} -{{/each}} -{{/if}} -processes: -{{#each processes}} - - {{this}} -{{/each}} \ No newline at end of file 
diff --git a/packages/system/0.10.4/data_stream/process/fields/agent.yml b/packages/system/0.10.4/data_stream/process/fields/agent.yml
deleted file mode 100644
index da4e652c53..0000000000
--- a/packages/system/0.10.4/data_stream/process/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.10.4/data_stream/process/fields/base-fields.yml b/packages/system/0.10.4/data_stream/process/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.10.4/data_stream/process/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.10.4/data_stream/process/fields/ecs.yml b/packages/system/0.10.4/data_stream/process/fields/ecs.yml
deleted file mode 100644
index 7e409c1793..0000000000
--- a/packages/system/0.10.4/data_stream/process/fields/ecs.yml
+++ /dev/null
@@ -1,128 +0,0 @@ -- name: process - title: Process - group: 2 - type: group - fields: - - name: name - level: extended - type: keyword - description: |- - Process name. - Sometimes called program name or similar. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - - name: pgid - level: extended - type: long - format: string - description: Identifier of the group of processes the process belongs to. - - name: pid - level: core - type: long - format: string - description: Process id. - - name: ppid - level: extended - type: long - format: string - description: Parent process' pid. - - name: working_directory - level: extended - type: keyword - description: The working directory of the process. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false -- name: user - title: User - group: 2 - type: group - fields: - - name: name - level: core - type: keyword - description: Short name or login of the user. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. 
- - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: Type of host. diff --git a/packages/system/0.10.4/data_stream/process/fields/fields.yml b/packages/system/0.10.4/data_stream/process/fields/fields.yml deleted file mode 100644 index 4dc7b1aab2..0000000000 --- a/packages/system/0.10.4/data_stream/process/fields/fields.yml +++ /dev/null 
@@ -1,434 +0,0 @@ -- name: system.process - type: group - fields: - - name: state - type: keyword - description: | - The process state. For example: "running". - - name: cmdline - type: keyword - description: | - The full command-line used to start the process, including the arguments separated by space. - ignore_above: 2048 - - name: env - type: object - description: | - The environment variables used to start the process. The data is available on FreeBSD, Linux, and OS X. - - name: cpu - type: group - fields: - - name: user.ticks - type: long - metric_type: counter - description: | - The amount of CPU time the process spent in user space. - - name: total.value - type: long - metric_type: counter - description: | - The value of CPU usage since starting the process. - - name: total.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent by the process since the last update. Its value is similar to the %CPU value of the process displayed by the top command on Unix systems. - - name: total.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 100%. - - name: system.ticks - type: long - metric_type: counter - description: | - The amount of CPU time the process spent in kernel space. - - name: total.ticks - type: long - metric_type: counter - description: | - The total CPU time spent by the process. - - name: start_time - type: date - description: | - The time when the process was started. - - name: memory - type: group - fields: - - name: size - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The total virtual memory the process has. 
On Windows this represents the Commit Charge (the total amount of memory that the memory manager has committed for a running process) value in bytes for this process. - - name: rss.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The Resident Set Size. The amount of memory the process occupied in main memory (RAM). On Windows this represents the current working set size, in bytes. - - name: rss.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of memory the process occupied in main memory (RAM). - - name: share - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The shared memory the process uses. - - name: fd - type: group - fields: - - name: open - type: long - metric_type: gauge - description: The number of file descriptors open by the process. - - name: limit.soft - type: long - metric_type: gauge - description: | - The soft limit on the number of file descriptors opened by the process. The soft limit can be changed by the process at any time. - - name: limit.hard - type: long - metric_type: gauge - description: | - The hard limit on the number of file descriptors opened by the process. The hard limit can only be raised by root. - - name: cgroup - type: group - fields: - - name: id - type: keyword - description: | - The ID common to all cgroups associated with this task. If there isn't a common ID used by all cgroups this field will be absent. - - name: path - type: keyword - description: | - The path to the cgroup relative to the cgroup subsystem's mountpoint. If there isn't a common path used by all cgroups this field will be absent. - - name: cpu - type: group - fields: - - name: id - type: keyword - description: ID of the cgroup. - - name: path - type: keyword - description: | - Path to the cgroup relative to the cgroup subsystem's mountpoint. 
- - name: cfs.period.us - type: long - unit: micros - description: | - Period of time in microseconds for how regularly a cgroup's access to CPU resources should be reallocated. - - name: cfs.quota.us - type: long - unit: micros - description: | - Total amount of time in microseconds for which all tasks in a cgroup can run during one period (as defined by cfs.period.us). - - name: cfs.shares - type: long - description: | - An integer value that specifies a relative share of CPU time available to the tasks in a cgroup. The value specified in the cpu.shares file must be 2 or higher. - - name: rt.period.us - type: long - unit: micros - description: | - Period of time in microseconds for how regularly a cgroup's access to CPU resources is reallocated. - - name: rt.runtime.us - type: long - unit: micros - description: | - Period of time in microseconds for the longest continuous period in which the tasks in a cgroup have access to CPU resources. - - name: stats.periods - type: long - metric_type: counter - description: | - Number of period intervals (as specified in cpu.cfs.period.us) that have elapsed. - - name: stats.throttled.periods - type: long - metric_type: counter - description: | - Number of times tasks in a cgroup have been throttled (that is, not allowed to run because they have exhausted all of the available time as specified by their quota). - - name: stats.throttled.ns - type: long - metric_type: counter - unit: nanos - description: | - The total time duration (in nanoseconds) for which tasks in a cgroup have been throttled. - - name: cpuacct - type: group - fields: - - name: id - type: keyword - description: ID of the cgroup. - - name: path - type: keyword - description: | - Path to the cgroup relative to the cgroup subsystem's mountpoint. - - name: total.ns - type: long - metric_type: counter - unit: nanos - description: | - Total CPU time in nanoseconds consumed by all tasks in the cgroup. 
- - name: stats.user.ns - type: long - metric_type: counter - unit: nanos - description: CPU time consumed by tasks in user mode. - - name: stats.system.ns - type: long - metric_type: counter - unit: nanos - description: CPU time consumed by tasks in user (kernel) mode. - - name: percpu - type: object - description: | - CPU time (in nanoseconds) consumed on each CPU by all tasks in this cgroup. - - name: memory - type: group - fields: - - name: id - type: keyword - description: ID of the cgroup. - - name: path - type: keyword - description: | - Path to the cgroup relative to the cgroup subsystem's mountpoint. - - name: mem.usage.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total memory usage by processes in the cgroup (in bytes). - - name: mem.usage.max.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum memory used by processes in the cgroup (in bytes). - - name: mem.limit.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum amount of user memory in bytes (including file cache) that tasks in the cgroup are allowed to use. - - name: mem.failures - type: long - description: | - The number of times that the memory limit (mem.limit.bytes) was reached. - - name: memsw.usage.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The sum of current memory usage plus swap space used by processes in the cgroup (in bytes). - - name: memsw.usage.max.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum amount of memory and swap space used by processes in the cgroup (in bytes). - - name: memsw.limit.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum amount for the sum of memory and swap usage that tasks in the cgroup are allowed to use. 
- - name: memsw.failures - type: long - unit: byte - metric_type: gauge - description: | - The number of times that the memory plus swap space limit (memsw.limit.bytes) was reached. - - name: kmem.usage.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total kernel memory usage by processes in the cgroup (in bytes). - - name: kmem.usage.max.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum kernel memory used by processes in the cgroup (in bytes). - - name: kmem.limit.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum amount of kernel memory that tasks in the cgroup are allowed to use. - - name: kmem.failures - type: long - metric_type: counter - description: | - The number of times that the memory limit (kmem.limit.bytes) was reached. - - name: kmem_tcp.usage.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total memory usage for TCP buffers in bytes. - - name: kmem_tcp.usage.max.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum memory used for TCP buffers by processes in the cgroup (in bytes). - - name: kmem_tcp.limit.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum amount of memory for TCP buffers that tasks in the cgroup are allowed to use. - - name: kmem_tcp.failures - type: long - metric_type: counter - description: | - The number of times that the memory limit (kmem_tcp.limit.bytes) was reached. - - name: stats.active_anon.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Anonymous and swap cache on active least-recently-used (LRU) list, including tmpfs (shmem), in bytes. - - name: stats.active_file.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: File-backed memory on active LRU list, in bytes. 
- - name: stats.cache.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: Page cache, including tmpfs (shmem), in bytes. - - name: stats.hierarchical_memory_limit.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Memory limit for the hierarchy that contains the memory cgroup, in bytes. - - name: stats.hierarchical_memsw_limit.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Memory plus swap limit for the hierarchy that contains the memory cgroup, in bytes. - - name: stats.inactive_anon.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Anonymous and swap cache on inactive LRU list, including tmpfs (shmem), in bytes - - name: stats.inactive_file.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - File-backed memory on inactive LRU list, in bytes. - - name: stats.mapped_file.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Size of memory-mapped mapped files, including tmpfs (shmem), in bytes. - - name: stats.page_faults - type: long - metric_type: counter - description: | - Number of times that a process in the cgroup triggered a page fault. - - name: stats.major_page_faults - type: long - metric_type: counter - description: | - Number of times that a process in the cgroup triggered a major fault. "Major" faults happen when the kernel actually has to read the data from disk. - - name: stats.pages_in - type: long - metric_type: counter - description: | - Number of pages paged into memory. This is a counter. - - name: stats.pages_out - type: long - metric_type: counter - description: | - Number of pages paged out of memory. This is a counter. - - name: stats.rss.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Anonymous and swap cache (includes transparent hugepages), not including tmpfs (shmem), in bytes. 
- - name: stats.rss_huge.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Number of bytes of anonymous transparent hugepages. - - name: stats.swap.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Swap usage, in bytes. - - name: stats.unevictable.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Memory that cannot be reclaimed, in bytes. - - name: blkio - type: group - fields: - - name: id - type: keyword - description: ID of the cgroup. - - name: path - type: keyword - description: | - Path to the cgroup relative to the cgroup subsystems mountpoint. - - name: total.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total number of bytes transferred to and from all block devices by processes in the cgroup. - - name: total.ios - type: long - metric_type: counter - description: | - Total number of I/O operations performed on all devices by processes in the cgroup as seen by the throttling policy. diff --git a/packages/system/0.10.4/data_stream/process/manifest.yml b/packages/system/0.10.4/data_stream/process/manifest.yml deleted file mode 100644 index fd982eb931..0000000000 --- a/packages/system/0.10.4/data_stream/process/manifest.yml +++ /dev/null 
@@ -1,85 +0,0 @@ -title: System process metrics -release: experimental -type: metrics -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - - name: process.include_top_n.by_cpu - type: integer - title: Process Include Top N By Cpu - multi: false - required: true - show_user: true - default: 5 - description: > - Include the top N processes by CPU usage. - - - name: process.include_top_n.by_memory - type: integer - title: Process Include Top N By Memory - multi: false - required: true - show_user: true - default: 5 - description: > - Include the top N processes by memory usage. - - - name: process.cmdline.cache.enabled - type: bool - title: Enable cmdline cache - multi: false - required: false - show_user: true - default: true - description: > - If false, cmdline of a process is not cached. - - - name: process.cgroups.enabled - type: bool - title: Enable cgroup reporting - multi: false - required: false - show_user: true - default: false - description: > - Enable collection of cgroup metrics from processes on Linux. - - - name: process.env.whitelist - type: text - title: Env whitelist - multi: true - required: false - show_user: true - description: > - A list of regular expressions used to whitelist environment variables reported with the process metricset's events. Defaults to empty. - - - name: process.include_cpu_ticks - type: bool - title: Include CPU Ticks - multi: false - required: false - show_user: true - default: false - description: > - Include the cumulative CPU tick values with the process metrics. - - - name: processes - type: text - title: Processes - multi: true - required: true - show_user: true - description: > - A glob to match reported processes. By default all processes are reported. - - default: - - .* - title: System process metrics - description: Collect System process metrics 
diff --git a/packages/system/0.10.4/data_stream/process_summary/agent/stream/stream.yml.hbs b/packages/system/0.10.4/data_stream/process_summary/agent/stream/stream.yml.hbs
deleted file mode 100644
index 9c7cfe4dc8..0000000000
--- a/packages/system/0.10.4/data_stream/process_summary/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,2 +0,0 @@
-metricsets: ["process_summary"]
-period: {{period}}
\ No newline at end of file
diff --git a/packages/system/0.10.4/data_stream/process_summary/fields/agent.yml b/packages/system/0.10.4/data_stream/process_summary/fields/agent.yml
deleted file mode 100644
index da4e652c53..0000000000
--- a/packages/system/0.10.4/data_stream/process_summary/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.10.4/data_stream/process_summary/fields/base-fields.yml b/packages/system/0.10.4/data_stream/process_summary/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.10.4/data_stream/process_summary/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.10.4/data_stream/process_summary/fields/ecs.yml b/packages/system/0.10.4/data_stream/process_summary/fields/ecs.yml
deleted file mode 100644
index 9f3d04118b..0000000000
--- a/packages/system/0.10.4/data_stream/process_summary/fields/ecs.yml
+++ /dev/null
@@ -1,128 +0,0 @@ -- name: '@timestamp' - level: core - required: true - type: date - description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. -- name: message - level: core - type: text - description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. -- name: group - title: Group - group: 2 - type: group - fields: - - name: id - level: extended - type: keyword - description: Unique identifier for the group on the system/platform. - ignore_above: 1024 - - name: name - level: extended - type: keyword - description: Name of the group. - ignore_above: 1024 -- name: host - title: Host - group: 2 - type: group - fields: - - name: hostname - level: core - type: keyword - description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - ignore_above: 1024 -- name: process - title: Process - group: 2 - type: group - fields: - - name: name - level: extended - type: keyword - description: |- - Process name. - Sometimes called program name or similar. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - - name: pid - level: core - type: long - format: string - description: Process id. -- name: source - title: Source - group: 2 - type: group - fields: - - name: geo.city_name - level: core - type: keyword - description: City name. 
- ignore_above: 1024 - - name: geo.continent_name - level: core - type: keyword - description: Name of the continent. - ignore_above: 1024 - - name: geo.country_iso_code - level: core - type: keyword - description: Country ISO code. - ignore_above: 1024 - - name: geo.location - level: core - type: geo_point - description: Longitude and latitude. - - name: geo.region_iso_code - level: core - type: keyword - description: Region ISO code. - ignore_above: 1024 - - name: geo.region_name - level: core - type: keyword - description: Region name. - ignore_above: 1024 - - name: ip - level: core - type: ip - description: IP address of the source (IPv4 or IPv6). - - name: port - level: core - type: long - format: string - description: Port of the source. -- name: user - title: User - group: 2 - type: group - fields: - - name: id - level: core - type: keyword - description: Unique identifier of the user. - ignore_above: 1024 - - name: name - level: core - type: keyword - description: Short name or login of the user. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false diff --git a/packages/system/0.10.4/data_stream/process_summary/fields/fields.yml b/packages/system/0.10.4/data_stream/process_summary/fields/fields.yml deleted file mode 100644 index bc9254a2ae..0000000000 --- a/packages/system/0.10.4/data_stream/process_summary/fields/fields.yml +++ /dev/null 
@@ -1,44 +0,0 @@ -- name: system.process.summary - title: Process Summary - type: group - fields: - - name: total - type: long - metric_type: gauge - description: | - Total number of processes on this host. - - name: running - type: long - metric_type: gauge - description: | - Number of running processes on this host. - - name: idle - type: long - metric_type: gauge - description: | - Number of idle processes on this host. - - name: sleeping - type: long - metric_type: gauge - description: | - Number of sleeping processes on this host. - - name: stopped - type: long - metric_type: gauge - description: | - Number of stopped processes on this host. - - name: zombie - type: long - metric_type: gauge - description: | - Number of zombie processes on this host. - - name: dead - type: long - metric_type: gauge - description: | - Number of dead processes on this host. It's very unlikely that it will appear but in some special situations it may happen. - - name: unknown - type: long - metric_type: gauge - description: | - Number of processes for which the state couldn't be retrieved or is unknown. diff --git a/packages/system/0.10.4/data_stream/process_summary/manifest.yml b/packages/system/0.10.4/data_stream/process_summary/manifest.yml deleted file mode 100644 index cd89d30b94..0000000000 --- a/packages/system/0.10.4/data_stream/process_summary/manifest.yml +++ /dev/null @@ -1,15 +0,0 @@ -title: System process_summary metrics -release: experimental -type: metrics -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - title: System process_summary metrics - description: Collect System process_summary metrics diff --git a/packages/system/0.10.4/data_stream/security/agent/stream/winlog.yml.hbs b/packages/system/0.10.4/data_stream/security/agent/stream/winlog.yml.hbs deleted file mode 100644 index ea60e77baf..0000000000 
--- a/packages/system/0.10.4/data_stream/security/agent/stream/winlog.yml.hbs
+++ /dev/null
@@ -1,2053 +0,0 @@
-name: Security
-condition: ${host.platform} == 'windows'
-processors:
- - add_fields:
- target: ''
- fields:
- ecs.version: 1.6.0
- - script:
- lang: javascript
- id: security
- source: |-
- // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- // or more contributor license agreements. Licensed under the Elastic License;
- // you may not use this file except in compliance with the Elastic License.
- var security = (function () {
- var path = require("path");
- var processor = require("processor");
- var windows = require("windows");
- // Logon Types
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events
- var logonTypes = {
- "2": "Interactive",
- "3": "Network",
- "4": "Batch",
- "5": "Service",
- "7": "Unlock",
- "8": "NetworkCleartext",
- "9": "NewCredentials",
- "10": "RemoteInteractive",
- "11": "CachedInteractive",
- };
- // User Account Control Attributes Table
- // https://support.microsoft.com/es-us/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties
- var uacFlags = [
- [0x0001, 'SCRIPT'],
- [0x0002, 'ACCOUNTDISABLE'],
- [0x0008, 'HOMEDIR_REQUIRED'],
- [0x0010, 'LOCKOUT'],
- [0x0020, 'PASSWD_NOTREQD'],
- [0x0040, 'PASSWD_CANT_CHANGE'],
- [0x0080, 'ENCRYPTED_TEXT_PWD_ALLOWED'],
- [0x0100, 'TEMP_DUPLICATE_ACCOUNT'],
- [0x0200, 'NORMAL_ACCOUNT'],
- [0x0800, 'INTERDOMAIN_TRUST_ACCOUNT'],
- [0x1000, 'WORKSTATION_TRUST_ACCOUNT'],
- [0x2000, 'SERVER_TRUST_ACCOUNT'],
- [0x10000, 'DONT_EXPIRE_PASSWORD'],
- [0x20000, 'MNS_LOGON_ACCOUNT'],
- [0x40000, 'SMARTCARD_REQUIRED'],
- [0x80000, 'TRUSTED_FOR_DELEGATION'],
- [0x100000, 'NOT_DELEGATED'],
- [0x200000, 'USE_DES_KEY_ONLY'],
- [0x400000, 'DONT_REQ_PREAUTH'],
- [0x800000, 'PASSWORD_EXPIRED'],
- [0x1000000, 'TRUSTED_TO_AUTH_FOR_DELEGATION'],
- [0x04000000, 'PARTIAL_SECRETS_ACCOUNT'],
- ];
- // Kerberos TGT and TGS Ticket Options
- //
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769 - var ticketOptions = [ - "Reserved", - "Forwardable", - "Forwarded", - "Proxiable", - "Proxy", - "Allow-postdate", - "Postdated", - "Invalid", - "Renewable", - "Initial", - "Pre-authent", - "Opt-hardware-auth", - "Transited-policy-checked", - "Ok-as-delegate", - "Request-anonymous", - "Name-canonicalize", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Disable-transited-check", - "Renewable-ok", - "Enc-tkt-in-skey", - "Unused", - "Renew", - "Validate"]; - // Kerberos Encryption Types - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - var ticketEncryptionTypes = { - "0x1": "DES-CBC-CRC", - "0x3": "DES-CBC-MD5", - "0x11": "AES128-CTS-HMAC-SHA1-96", - "0x12": "AES256-CTS-HMAC-SHA1-96", - "0x17": "RC4-HMAC", - "0x18": "RC4-HMAC-EXP", - "0xffffffff": "FAIL", - }; - // Kerberos Result Status Codes - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - var kerberosTktStatusCodes = { - "0x0": "KDC_ERR_NONE", - "0x1": "KDC_ERR_NAME_EXP", - "0x2": "KDC_ERR_SERVICE_EXP", - "0x3": "KDC_ERR_BAD_PVNO", - "0x4": "KDC_ERR_C_OLD_MAST_KVNO", - "0x5": "KDC_ERR_S_OLD_MAST_KVNO", - "0x6": "KDC_ERR_C_PRINCIPAL_UNKNOWN", - "0x7": "KDC_ERR_S_PRINCIPAL_UNKNOWN", - "0x8": "KDC_ERR_PRINCIPAL_NOT_UNIQUE", - "0x9": "KDC_ERR_NULL_KEY", - "0xA": "KDC_ERR_CANNOT_POSTDATE", - "0xB": "KDC_ERR_NEVER_VALID", - "0xC": "KDC_ERR_POLICY", - "0xD": "KDC_ERR_BADOPTION", - "0xE": "KDC_ERR_ETYPE_NOTSUPP", - "0xF": "KDC_ERR_SUMTYPE_NOSUPP", - "0x10": "KDC_ERR_PADATA_TYPE_NOSUPP", - "0x11": 
"KDC_ERR_TRTYPE_NO_SUPP", - "0x12": "KDC_ERR_CLIENT_REVOKED", - "0x13": "KDC_ERR_SERVICE_REVOKED", - "0x14": "KDC_ERR_TGT_REVOKED", - "0x15": "KDC_ERR_CLIENT_NOTYET", - "0x16": "KDC_ERR_SERVICE_NOTYET", - "0x17": "KDC_ERR_KEY_EXPIRED", - "0x18": "KDC_ERR_PREAUTH_FAILED", - "0x19": "KDC_ERR_PREAUTH_REQUIRED", - "0x1A": "KDC_ERR_SERVER_NOMATCH", - "0x1B": "KDC_ERR_MUST_USE_USER2USER", - "0x1F": "KRB_AP_ERR_BAD_INTEGRITY", - "0x20": "KRB_AP_ERR_TKT_EXPIRED", - "0x21": "KRB_AP_ERR_TKT_NYV", - "0x22": "KRB_AP_ERR_REPEAT", - "0x23": "KRB_AP_ERR_NOT_US", - "0x24": "KRB_AP_ERR_BADMATCH", - "0x25": "KRB_AP_ERR_SKEW", - "0x26": "KRB_AP_ERR_BADADDR", - "0x27": "KRB_AP_ERR_BADVERSION", - "0x28": "KRB_AP_ERR_MSG_TYPE", - "0x29": "KRB_AP_ERR_MODIFIED", - "0x2A": "KRB_AP_ERR_BADORDER", - "0x2C": "KRB_AP_ERR_BADKEYVER", - "0x2D": "KRB_AP_ERR_NOKEY", - "0x2E": "KRB_AP_ERR_MUT_FAIL", - "0x2F": "KRB_AP_ERR_BADDIRECTION", - "0x30": "KRB_AP_ERR_METHOD", - "0x31": "KRB_AP_ERR_BADSEQ", - "0x32": "KRB_AP_ERR_INAPP_CKSUM", - "0x33": "KRB_AP_PATH_NOT_ACCEPTED", - "0x34": "KRB_ERR_RESPONSE_TOO_BIG", - "0x3C": "KRB_ERR_GENERIC", - "0x3D": "KRB_ERR_FIELD_TOOLONG", - "0x3E": "KDC_ERR_CLIENT_NOT_TRUSTED", - "0x3F": "KDC_ERR_KDC_NOT_TRUSTED", - "0x40": "KDC_ERR_INVALID_SIG", - "0x41": "KDC_ERR_KEY_TOO_WEAK", - "0x42": "KRB_AP_ERR_USER_TO_USER_REQUIRED", - "0x43": "KRB_AP_ERR_NO_TGT", - "0x44": "KDC_ERR_WRONG_REALM", - }; - // event.category, event.type, event.action - var eventActionTypes = { - "1100": ["process","end","logging-service-shutdown"], - "1102": ["iam", "admin", "audit-log-cleared"], - "1104": ["iam","admin","logging-full"], - "1105": ["iam","admin","auditlog-archieved"], - "1108": ["iam","admin","logging-processing-error"], - "4624": ["authentication","start","logged-in"], - "4625": ["authentication","start","logon-failed"], - "4634": ["authentication","end","logged-out"], - "4647": ["authentication","end","logged-out"], - "4648": ["authentication","start","logged-in-explicit"], - 
"4672": ["iam","admin","logged-in-special"], - "4673": ["iam","admin","privileged-service-called"], - "4674": ["iam","admin","privileged-operation"], - "4688": ["process","start","created-process"], - "4689": ["process", "end", "exited-process"], - "4697": ["iam","admin","service-installed"], - "4698": ["iam","creation","scheduled-task-created"], - "4699": ["iam","deletion","scheduled-task-deleted"], - "4700": ["iam","change","scheduled-task-enabled"], - "4701": ["iam","change","scheduled-task-disabled"], - "4702": ["iam","change","scheduled-task-updated"], - "4719": ["iam","admin","changed-audit-config"], - "4720": ["iam","creation","added-user-account"], - "4722": ["iam","creation","enabled-user-account"], - "4723": ["iam","change","changed-password"], - "4724": ["iam","change","reset-password"], - "4725": ["iam","deletion","disabled-user-account"], - "4726": ["iam","deletion","deleted-user-account"], - "4727": ["iam","creation","added-group-account"], - "4728": ["iam","change","added-member-to-group"], - "4729": ["iam","change","removed-member-from-group"], - "4730": ["iam","deletion","deleted-group-account"], - "4731": ["iam","creation","added-group-account"], - "4732": ["iam","change","added-member-to-group"], - "4733": ["iam","change","removed-member-from-group"], - "4734": ["iam","deletion","deleted-group-account"], - "4735": ["iam","change","modified-group-account"], - "4737": ["iam","change","modified-group-account"], - "4738": ["iam","change","modified-user-account"], - "4740": ["iam","change","locked-out-user-account"], - "4741": ["iam","creation","added-computer-account"], - "4742": ["iam","change","changed-computer-account"], - "4743": ["iam","deletion","deleted-computer-account"], - "4744": ["iam","creation","added-distribution-group-account"], - "4745": ["iam","change","changed-distribution-group-account"], - "4746": ["iam","change","added-member-to-distribution-group"], - "4747": ["iam","change","removed-member-from-distribution-group"], - "4748": 
["iam","deletion","deleted-distribution-group-account"], - "4749": ["iam","creation","added-distribution-group-account"], - "4750": ["iam","change","changed-distribution-group-account"], - "4751": ["iam","change","added-member-to-distribution-group"], - "4752": ["iam","change","removed-member-from-distribution-group"], - "4753": ["iam","deletion","deleted-distribution-group-account"], - "4754": ["iam","creation","added-group-account"], - "4755": ["iam","change","modified-group-account"], - "4756": ["iam","change","added-member-to-group"], - "4757": ["iam","change","removed-member-from-group"], - "4758": ["iam","deletion","deleted-group-account"], - "4759": ["iam","creation","added-distribution-group-account"], - "4760": ["iam","change","changed-distribution-group-account"], - "4761": ["iam","change","added-member-to-distribution-group"], - "4762": ["iam","change","removed-member-from-distribution-group"], - "4763": ["iam","deletion","deleted-distribution-group-account"], - "4764": ["iam","change","type-changed-group-account"], - "4767": ["iam","change","unlocked-user-account"], - "4768": ["authentication","start","kerberos-authentication-ticket-requested"], - "4769": ["authentication","start","kerberos-service-ticket-requested"], - "4770": ["authentication","start","kerberos-service-ticket-renewed"], - "4771": ["authentication","start","kerberos-preauth-failed"], - "4776": ["authentication","start","credential-validated"], - "4778": ["authentication","start","session-reconnected"], - "4779": ["authentication","end","session-disconnected"], - "4781": ["iam","change","renamed-user-account","dummy"], - "4798": ["iam","info","group-membership-enumerated"], - "4799": ["iam","info","user-member-enumerated","dummy"], - "4964": ["iam","admin","logged-in-special"], - }; - // Audit Policy Changes Table - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4719 - var auditActions = { - "8448": "Success Removed", - "8450": "Failure Removed", - 
"8449": "Success Added", - "8451": "Failure Added", - }; - // Services Types - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697 - var serviceTypes = { - "0x1": "Kernel Driver", - "0x2": "File System Driver", - "0x8": "Recognizer Driver", - "0x10": "Win32 Own Process", - "0x20": "Win32 Share Process", - "0x110": "Interactive Own Process", - "0x120": "Interactive Share Process", - }; - // Audit Categories Description - // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpac/77878370-0712-47cd-997d-b07053429f6d - var auditDescription = { - "0CCE9210-69AE-11D9-BED3-505054503030":["Security State Change", "System"], - "0CCE9211-69AE-11D9-BED3-505054503030":["Security System Extension", "System"], - "0CCE9212-69AE-11D9-BED3-505054503030":["System Integrity", "System"], - "0CCE9213-69AE-11D9-BED3-505054503030":["IPsec Driver", "System"], - "0CCE9214-69AE-11D9-BED3-505054503030":["Other System Events", "System"], - "0CCE9215-69AE-11D9-BED3-505054503030":["Logon", "Logon/Logoff"], - "0CCE9216-69AE-11D9-BED3-505054503030":["Logoff","Logon/Logoff"], - "0CCE9217-69AE-11D9-BED3-505054503030":["Account Lockout","Logon/Logoff"], - "0CCE9218-69AE-11D9-BED3-505054503030":["IPsec Main Mode","Logon/Logoff"], - "0CCE9219-69AE-11D9-BED3-505054503030":["IPsec Quick Mode","Logon/Logoff"], - "0CCE921A-69AE-11D9-BED3-505054503030":["IPsec Extended Mode","Logon/Logoff"], - "0CCE921B-69AE-11D9-BED3-505054503030":["Special Logon","Logon/Logoff"], - "0CCE921C-69AE-11D9-BED3-505054503030":["Other Logon/Logoff Events","Logon/Logoff"], - "0CCE9243-69AE-11D9-BED3-505054503030":["Network Policy Server","Logon/Logoff"], - "0CCE9247-69AE-11D9-BED3-505054503030":["User / Device Claims","Logon/Logoff"], - "0CCE921D-69AE-11D9-BED3-505054503030":["File System","Object Access"], - "0CCE921E-69AE-11D9-BED3-505054503030":["Registry","Object Access"], - "0CCE921F-69AE-11D9-BED3-505054503030":["Kernel Object","Object Access"], - 
"0CCE9220-69AE-11D9-BED3-505054503030":["SAM","Object Access"], - "0CCE9221-69AE-11D9-BED3-505054503030":["Certification Services","Object Access"], - "0CCE9222-69AE-11D9-BED3-505054503030":["Application Generated","Object Access"], - "0CCE9223-69AE-11D9-BED3-505054503030":["Handle Manipulation","Object Access"], - "0CCE9224-69AE-11D9-BED3-505054503030":["File Share","Object Access"], - "0CCE9225-69AE-11D9-BED3-505054503030":["Filtering Platform Packet Drop","Object Access"], - "0CCE9226-69AE-11D9-BED3-505054503030":["Filtering Platform Connection ","Object Access"], - "0CCE9227-69AE-11D9-BED3-505054503030":["Other Object Access Events","Object Access"], - "0CCE9244-69AE-11D9-BED3-505054503030":["Detailed File Share","Object Access"], - "0CCE9245-69AE-11D9-BED3-505054503030":["Removable Storage","Object Access"], - "0CCE9246-69AE-11D9-BED3-505054503030":["Central Policy Staging","Object Access"], - "0CCE9228-69AE-11D9-BED3-505054503030":["Sensitive Privilege Use","Privilege Use"], - "0CCE9229-69AE-11D9-BED3-505054503030":["Non Sensitive Privilege Use","Privilege Use"], - "0CCE922A-69AE-11D9-BED3-505054503030":["Other Privilege Use Events","Privilege Use"], - "0CCE922B-69AE-11D9-BED3-505054503030":["Process Creation","Detailed Tracking"], - "0CCE922C-69AE-11D9-BED3-505054503030":["Process Termination","Detailed Tracking"], - "0CCE922D-69AE-11D9-BED3-505054503030":["DPAPI Activity","Detailed Tracking"], - "0CCE922E-69AE-11D9-BED3-505054503030":["RPC Events","Detailed Tracking"], - "0CCE9248-69AE-11D9-BED3-505054503030":["Plug and Play Events","Detailed Tracking"], - "0CCE922F-69AE-11D9-BED3-505054503030":["Audit Policy Change","Policy Change"], - "0CCE9230-69AE-11D9-BED3-505054503030":["Authentication Policy Change","Policy Change"], - "0CCE9231-69AE-11D9-BED3-505054503030":["Authorization Policy Change","Policy Change"], - "0CCE9232-69AE-11D9-BED3-505054503030":["MPSSVC Rule-Level Policy Change","Policy Change"], - "0CCE9233-69AE-11D9-BED3-505054503030":["Filtering 
Platform Policy Change","Policy Change"], - "0CCE9234-69AE-11D9-BED3-505054503030":["Other Policy Change Events","Policy Change"], - "0CCE9235-69AE-11D9-BED3-505054503030":["User Account Management","Account Management"], - "0CCE9236-69AE-11D9-BED3-505054503030":["Computer Account Management","Account Management"], - "0CCE9237-69AE-11D9-BED3-505054503030":["Security Group Management","Account Management"], - "0CCE9238-69AE-11D9-BED3-505054503030":["Distribution Group Management","Account Management"], - "0CCE9239-69AE-11D9-BED3-505054503030":["Application Group Management","Account Management"], - "0CCE923A-69AE-11D9-BED3-505054503030":["Other Account Management Events","Account Management"], - "0CCE923B-69AE-11D9-BED3-505054503030":["Directory Service Access","Account Management"], - "0CCE923C-69AE-11D9-BED3-505054503030":["Directory Service Changes","Account Management"], - "0CCE923D-69AE-11D9-BED3-505054503030":["Directory Service Replication","Account Management"], - "0CCE923E-69AE-11D9-BED3-505054503030":["Detailed Directory Service Replication","Account Management"], - "0CCE923F-69AE-11D9-BED3-505054503030":["Credential Validation","Account Logon"], - "0CCE9240-69AE-11D9-BED3-505054503030":["Kerberos Service Ticket Operations","Account Logon"], - "0CCE9241-69AE-11D9-BED3-505054503030":["Other Account Logon Events","Account Logon"], - "0CCE9242-69AE-11D9-BED3-505054503030":["Kerberos Authentication Service","Account Logon"], - }; - // Descriptions of failure status codes. 
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625 - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776 - var logonFailureStatus = { - "0xc000005e": "There are currently no logon servers available to service the logon request.", - "0xc0000064": "User logon with misspelled or bad user account", - "0xc000006a": "User logon with misspelled or bad password", - "0xc000006d": "This is either due to a bad username or authentication information", - "0xc000006e": "Unknown user name or bad password.", - "0xc000006f": "User logon outside authorized hours", - "0xc0000070": "User logon from unauthorized workstation", - "0xc0000071": "User logon with expired password", - "0xc0000072": "User logon to account disabled by administrator", - "0xc00000dc": "Indicates the Sam Server was in the wrong state to perform the desired operation.", - "0xc0000133": "Clocks between DC and other computer too far out of sync", - "0xc000015b": "The user has not been granted the requested logon type (aka logon right) at this machine", - "0xc000018c": "The logon request failed because the trust relationship between the primary domain and the trusted domain failed.", - "0xc0000192": "An attempt was made to logon, but the Netlogon service was not started.", - "0xc0000193": "User logon with expired account", - "0xc0000224": "User is required to change password at next logon", - "0xc0000225": "Evidently a bug in Windows and not a risk", - "0xc0000234": "User logon with account locked", - "0xc00002ee": "Failure Reason: An Error occurred during Logon", - "0xc0000413": "Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine.", - "0xc0000371": "The local account store does not contain secret material for the specified account", - "0x0": "Status OK.", - }; - // Message table extracted from msobjs.dll on Windows 2019. 
- // https://gist.github.com/andrewkroh/665dca0682bd0e4daf194ab291694012 - var msobjsMessageTable = { - "279": "Undefined Access (no effect) Bit 7", - "1536": "Unused message ID", - "1537": "DELETE", - "1538": "READ_CONTROL", - "1539": "WRITE_DAC", - "1540": "WRITE_OWNER", - "1541": "SYNCHRONIZE", - "1542": "ACCESS_SYS_SEC", - "1543": "MAX_ALLOWED", - "1552": "Unknown specific access (bit 0)", - "1553": "Unknown specific access (bit 1)", - "1554": "Unknown specific access (bit 2)", - "1555": "Unknown specific access (bit 3)", - "1556": "Unknown specific access (bit 4)", - "1557": "Unknown specific access (bit 5)", - "1558": "Unknown specific access (bit 6)", - "1559": "Unknown specific access (bit 7)", - "1560": "Unknown specific access (bit 8)", - "1561": "Unknown specific access (bit 9)", - "1562": "Unknown specific access (bit 10)", - "1563": "Unknown specific access (bit 11)", - "1564": "Unknown specific access (bit 12)", - "1565": "Unknown specific access (bit 13)", - "1566": "Unknown specific access (bit 14)", - "1567": "Unknown specific access (bit 15)", - "1601": "Not used", - "1603": "Assign Primary Token Privilege", - "1604": "Lock Memory Privilege", - "1605": "Increase Memory Quota Privilege", - "1606": "Unsolicited Input Privilege", - "1607": "Trusted Computer Base Privilege", - "1608": "Security Privilege", - "1609": "Take Ownership Privilege", - "1610": "Load/Unload Driver Privilege", - "1611": "Profile System Privilege", - "1612": "Set System Time Privilege", - "1613": "Profile Single Process Privilege", - "1614": "Increment Base Priority Privilege", - "1615": "Create Pagefile Privilege", - "1616": "Create Permanent Object Privilege", - "1617": "Backup Privilege", - "1618": "Restore From Backup Privilege", - "1619": "Shutdown System Privilege", - "1620": "Debug Privilege", - "1621": "View or Change Audit Log Privilege", - "1622": "Change Hardware Environment Privilege", - "1623": "Change Notify (and Traverse) Privilege", - "1624": "Remotely Shut 
System Down Privilege", - "1792": "", - "1794": "", - "1795": "Enabled", - "1796": "Disabled", - "1797": "All", - "1798": "None", - "1799": "Audit Policy query/set API Operation", - "1800": "", - "1801": "Granted by", - "1802": "Denied by", - "1803": "Denied by Integrity Policy check", - "1804": "Granted by Ownership", - "1805": "Not granted", - "1806": "Granted by NULL DACL", - "1807": "Denied by Empty DACL", - "1808": "Granted by NULL Security Descriptor", - "1809": "Unknown or unchecked", - "1810": "Not granted due to missing", - "1811": "Granted by ACE on parent folder", - "1812": "Denied by ACE on parent folder", - "1813": "Granted by Central Access Rule", - "1814": "NOT Granted by Central Access Rule", - "1815": "Granted by parent folder's Central Access Rule", - "1816": "NOT Granted by parent folder's Central Access Rule", - "1817": "Unknown Type", - "1818": "String", - "1819": "Unsigned 64-bit Integer", - "1820": "64-bit Integer", - "1821": "FQBN", - "1822": "Blob", - "1823": "Sid", - "1824": "Boolean", - "1825": "TRUE", - "1826": "FALSE", - "1827": "Invalid", - "1828": "an ACE too long to display", - "1829": "a Security Descriptor too long to display", - "1830": "Not granted to AppContainers", - "1831": "...", - "1832": "Identification", - "1833": "Impersonation", - "1840": "Delegation", - "1841": "Denied by Process Trust Label ACE", - "1842": "Yes", - "1843": "No", - "1844": "System", - "1845": "Not Available", - "1846": "Default", - "1847": "DisallowMmConfig", - "1848": "Off", - "1849": "Auto", - "1872": "REG_NONE", - "1873": "REG_SZ", - "1874": "REG_EXPAND_SZ", - "1875": "REG_BINARY", - "1876": "REG_DWORD", - "1877": "REG_DWORD_BIG_ENDIAN", - "1878": "REG_LINK", - "1879": "REG_MULTI_SZ (New lines are replaced with *. 
A * is replaced with **)", - "1880": "REG_RESOURCE_LIST", - "1881": "REG_FULL_RESOURCE_DESCRIPTOR", - "1882": "REG_RESOURCE_REQUIREMENTS_LIST", - "1883": "REG_QWORD", - "1904": "New registry value created", - "1905": "Existing registry value modified", - "1906": "Registry value deleted", - "1920": "Sunday", - "1921": "Monday", - "1922": "Tuesday", - "1923": "Wednesday", - "1924": "Thursday", - "1925": "Friday", - "1926": "Saturday", - "1936": "TokenElevationTypeDefault (1)", - "1937": "TokenElevationTypeFull (2)", - "1938": "TokenElevationTypeLimited (3)", - "2048": "Account Enabled", - "2049": "Home Directory Required' - Disabled", - "2050": "Password Not Required' - Disabled", - "2051": "Temp Duplicate Account' - Disabled", - "2052": "Normal Account' - Disabled", - "2053": "MNS Logon Account' - Disabled", - "2054": "Interdomain Trust Account' - Disabled", - "2055": "Workstation Trust Account' - Disabled", - "2056": "Server Trust Account' - Disabled", - "2057": "Don't Expire Password' - Disabled", - "2058": "Account Unlocked", - "2059": "Encrypted Text Password Allowed' - Disabled", - "2060": "Smartcard Required' - Disabled", - "2061": "Trusted For Delegation' - Disabled", - "2062": "Not Delegated' - Disabled", - "2063": "Use DES Key Only' - Disabled", - "2064": "Don't Require Preauth' - Disabled", - "2065": "Password Expired' - Disabled", - "2066": "Trusted To Authenticate For Delegation' - Disabled", - "2067": "Exclude Authorization Information' - Disabled", - "2068": "Undefined UserAccountControl Bit 20' - Disabled", - "2069": "Protect Kerberos Service Tickets with AES Keys' - Disabled", - "2070": "Undefined UserAccountControl Bit 22' - Disabled", - "2071": "Undefined UserAccountControl Bit 23' - Disabled", - "2072": "Undefined UserAccountControl Bit 24' - Disabled", - "2073": "Undefined UserAccountControl Bit 25' - Disabled", - "2074": "Undefined UserAccountControl Bit 26' - Disabled", - "2075": "Undefined UserAccountControl Bit 27' - Disabled", - "2076": 
"Undefined UserAccountControl Bit 28' - Disabled", - "2077": "Undefined UserAccountControl Bit 29' - Disabled", - "2078": "Undefined UserAccountControl Bit 30' - Disabled", - "2079": "Undefined UserAccountControl Bit 31' - Disabled", - "2080": "Account Disabled", - "2081": "Home Directory Required' - Enabled", - "2082": "Password Not Required' - Enabled", - "2083": "Temp Duplicate Account' - Enabled", - "2084": "Normal Account' - Enabled", - "2085": "MNS Logon Account' - Enabled", - "2086": "Interdomain Trust Account' - Enabled", - "2087": "Workstation Trust Account' - Enabled", - "2088": "Server Trust Account' - Enabled", - "2089": "Don't Expire Password' - Enabled", - "2090": "Account Locked", - "2091": "Encrypted Text Password Allowed' - Enabled", - "2092": "Smartcard Required' - Enabled", - "2093": "Trusted For Delegation' - Enabled", - "2094": "Not Delegated' - Enabled", - "2095": "Use DES Key Only' - Enabled", - "2096": "Don't Require Preauth' - Enabled", - "2097": "Password Expired' - Enabled", - "2098": "Trusted To Authenticate For Delegation' - Enabled", - "2099": "Exclude Authorization Information' - Enabled", - "2100": "Undefined UserAccountControl Bit 20' - Enabled", - "2101": "Protect Kerberos Service Tickets with AES Keys' - Enabled", - "2102": "Undefined UserAccountControl Bit 22' - Enabled", - "2103": "Undefined UserAccountControl Bit 23' - Enabled", - "2104": "Undefined UserAccountControl Bit 24' - Enabled", - "2105": "Undefined UserAccountControl Bit 25' - Enabled", - "2106": "Undefined UserAccountControl Bit 26' - Enabled", - "2107": "Undefined UserAccountControl Bit 27' - Enabled", - "2108": "Undefined UserAccountControl Bit 28' - Enabled", - "2109": "Undefined UserAccountControl Bit 29' - Enabled", - "2110": "Undefined UserAccountControl Bit 30' - Enabled", - "2111": "Undefined UserAccountControl Bit 31' - Enabled", - "2304": "An Error occured during Logon.", - "2305": "The specified user account has expired.", - "2306": "The NetLogon component 
is not active.", - "2307": "Account locked out.", - "2308": "The user has not been granted the requested logon type at this machine.", - "2309": "The specified account's password has expired.", - "2310": "Account currently disabled.", - "2311": "Account logon time restriction violation.", - "2312": "User not allowed to logon at this computer.", - "2313": "Unknown user name or bad password.", - "2314": "Domain sid inconsistent.", - "2315": "Smartcard logon is required and was not used.", - "2432": "Not Available.", - "2436": "Random number generator failure.", - "2437": "Random number generation failed FIPS-140 pre-hash check.", - "2438": "Failed to zero secret data.", - "2439": "Key failed pair wise consistency check.", - "2448": "Failed to unprotect persistent cryptographic key.", - "2449": "Key export checks failed.", - "2450": "Validation of public key failed.", - "2451": "Signature verification failed.", - "2456": "Open key file.", - "2457": "Delete key file.", - "2458": "Read persisted key from file.", - "2459": "Write persisted key to file.", - "2464": "Export of persistent cryptographic key.", - "2465": "Import of persistent cryptographic key.", - "2480": "Open Key.", - "2481": "Create Key.", - "2482": "Delete Key.", - "2483": "Encrypt.", - "2484": "Decrypt.", - "2485": "Sign hash.", - "2486": "Secret agreement.", - "2487": "Domain settings", - "2488": "Local settings", - "2489": "Add provider.", - "2490": "Remove provider.", - "2491": "Add context.", - "2492": "Remove context.", - "2493": "Add function.", - "2494": "Remove function.", - "2495": "Add function provider.", - "2496": "Remove function provider.", - "2497": "Add function property.", - "2498": "Remove function property.", - "2499": "Machine key.", - "2500": "User key.", - "2501": "Key Derivation.", - "4352": "Device Access Bit 0", - "4353": "Device Access Bit 1", - "4354": "Device Access Bit 2", - "4355": "Device Access Bit 3", - "4356": "Device Access Bit 4", - "4357": "Device Access Bit 5", - 
"4358": "Device Access Bit 6", - "4359": "Device Access Bit 7", - "4360": "Device Access Bit 8", - "4361": "Undefined Access (no effect) Bit 9", - "4362": "Undefined Access (no effect) Bit 10", - "4363": "Undefined Access (no effect) Bit 11", - "4364": "Undefined Access (no effect) Bit 12", - "4365": "Undefined Access (no effect) Bit 13", - "4366": "Undefined Access (no effect) Bit 14", - "4367": "Undefined Access (no effect) Bit 15", - "4368": "Query directory", - "4369": "Traverse", - "4370": "Create object in directory", - "4371": "Create sub-directory", - "4372": "Undefined Access (no effect) Bit 4", - "4373": "Undefined Access (no effect) Bit 5", - "4374": "Undefined Access (no effect) Bit 6", - "4375": "Undefined Access (no effect) Bit 7", - "4376": "Undefined Access (no effect) Bit 8", - "4377": "Undefined Access (no effect) Bit 9", - "4378": "Undefined Access (no effect) Bit 10", - "4379": "Undefined Access (no effect) Bit 11", - "4380": "Undefined Access (no effect) Bit 12", - "4381": "Undefined Access (no effect) Bit 13", - "4382": "Undefined Access (no effect) Bit 14", - "4383": "Undefined Access (no effect) Bit 15", - "4384": "Query event state", - "4385": "Modify event state", - "4386": "Undefined Access (no effect) Bit 2", - "4387": "Undefined Access (no effect) Bit 3", - "4388": "Undefined Access (no effect) Bit 4", - "4389": "Undefined Access (no effect) Bit 5", - "4390": "Undefined Access (no effect) Bit 6", - "4391": "Undefined Access (no effect) Bit 7", - "4392": "Undefined Access (no effect) Bit 8", - "4393": "Undefined Access (no effect) Bit 9", - "4394": "Undefined Access (no effect) Bit 10", - "4395": "Undefined Access (no effect) Bit 11", - "4396": "Undefined Access (no effect) Bit 12", - "4397": "Undefined Access (no effect) Bit 13", - "4398": "Undefined Access (no effect) Bit 14", - "4399": "Undefined Access (no effect) Bit 15", - "4416": "ReadData (or ListDirectory)", - "4417": "WriteData (or AddFile)", - "4418": "AppendData (or 
AddSubdirectory or CreatePipeInstance)", - "4419": "ReadEA", - "4420": "WriteEA", - "4421": "Execute/Traverse", - "4422": "DeleteChild", - "4423": "ReadAttributes", - "4424": "WriteAttributes", - "4425": "Undefined Access (no effect) Bit 9", - "4426": "Undefined Access (no effect) Bit 10", - "4427": "Undefined Access (no effect) Bit 11", - "4428": "Undefined Access (no effect) Bit 12", - "4429": "Undefined Access (no effect) Bit 13", - "4430": "Undefined Access (no effect) Bit 14", - "4431": "Undefined Access (no effect) Bit 15", - "4432": "Query key value", - "4433": "Set key value", - "4434": "Create sub-key", - "4435": "Enumerate sub-keys", - "4436": "Notify about changes to keys", - "4437": "Create Link", - "4438": "Undefined Access (no effect) Bit 6", - "4439": "Undefined Access (no effect) Bit 7", - "4440": "Enable 64(or 32) bit application to open 64 bit key", - "4441": "Enable 64(or 32) bit application to open 32 bit key", - "4442": "Undefined Access (no effect) Bit 10", - "4443": "Undefined Access (no effect) Bit 11", - "4444": "Undefined Access (no effect) Bit 12", - "4445": "Undefined Access (no effect) Bit 13", - "4446": "Undefined Access (no effect) Bit 14", - "4447": "Undefined Access (no effect) Bit 15", - "4448": "Query mutant state", - "4449": "Undefined Access (no effect) Bit 1", - "4450": "Undefined Access (no effect) Bit 2", - "4451": "Undefined Access (no effect) Bit 3", - "4452": "Undefined Access (no effect) Bit 4", - "4453": "Undefined Access (no effect) Bit 5", - "4454": "Undefined Access (no effect) Bit 6", - "4455": "Undefined Access (no effect) Bit 7", - "4456": "Undefined Access (no effect) Bit 8", - "4457": "Undefined Access (no effect) Bit 9", - "4458": "Undefined Access (no effect) Bit 10", - "4459": "Undefined Access (no effect) Bit 11", - "4460": "Undefined Access (no effect) Bit 12", - "4461": "Undefined Access (no effect) Bit 13", - "4462": "Undefined Access (no effect) Bit 14", - "4463": "Undefined Access (no effect) Bit 15", - 
"4464": "Communicate using port", - "4465": "Undefined Access (no effect) Bit 1", - "4466": "Undefined Access (no effect) Bit 2", - "4467": "Undefined Access (no effect) Bit 3", - "4468": "Undefined Access (no effect) Bit 4", - "4469": "Undefined Access (no effect) Bit 5", - "4470": "Undefined Access (no effect) Bit 6", - "4471": "Undefined Access (no effect) Bit 7", - "4472": "Undefined Access (no effect) Bit 8", - "4473": "Undefined Access (no effect) Bit 9", - "4474": "Undefined Access (no effect) Bit 10", - "4475": "Undefined Access (no effect) Bit 11", - "4476": "Undefined Access (no effect) Bit 12", - "4477": "Undefined Access (no effect) Bit 13", - "4478": "Undefined Access (no effect) Bit 14", - "4479": "Undefined Access (no effect) Bit 15", - "4480": "Force process termination", - "4481": "Create new thread in process", - "4482": "Set process session ID", - "4483": "Perform virtual memory operation", - "4484": "Read from process memory", - "4485": "Write to process memory", - "4486": "Duplicate handle into or out of process", - "4487": "Create a subprocess of process", - "4488": "Set process quotas", - "4489": "Set process information", - "4490": "Query process information", - "4491": "Set process termination port", - "4492": "Undefined Access (no effect) Bit 12", - "4493": "Undefined Access (no effect) Bit 13", - "4494": "Undefined Access (no effect) Bit 14", - "4495": "Undefined Access (no effect) Bit 15", - "4496": "Control profile", - "4497": "Undefined Access (no effect) Bit 1", - "4498": "Undefined Access (no effect) Bit 2", - "4499": "Undefined Access (no effect) Bit 3", - "4500": "Undefined Access (no effect) Bit 4", - "4501": "Undefined Access (no effect) Bit 5", - "4502": "Undefined Access (no effect) Bit 6", - "4503": "Undefined Access (no effect) Bit 7", - "4504": "Undefined Access (no effect) Bit 8", - "4505": "Undefined Access (no effect) Bit 9", - "4506": "Undefined Access (no effect) Bit 10", - "4507": "Undefined Access (no effect) Bit 11", 
- "4508": "Undefined Access (no effect) Bit 12", - "4509": "Undefined Access (no effect) Bit 13", - "4510": "Undefined Access (no effect) Bit 14", - "4511": "Undefined Access (no effect) Bit 15", - "4512": "Query section state", - "4513": "Map section for write", - "4514": "Map section for read", - "4515": "Map section for execute", - "4516": "Extend size", - "4517": "Undefined Access (no effect) Bit 5", - "4518": "Undefined Access (no effect) Bit 6", - "4519": "Undefined Access (no effect) Bit 7", - "4520": "Undefined Access (no effect) Bit 8", - "4521": "Undefined Access (no effect) Bit 9", - "4522": "Undefined Access (no effect) Bit 10", - "4523": "Undefined Access (no effect) Bit 11", - "4524": "Undefined Access (no effect) Bit 12", - "4525": "Undefined Access (no effect) Bit 13", - "4526": "Undefined Access (no effect) Bit 14", - "4527": "Undefined Access (no effect) Bit 15", - "4528": "Query semaphore state", - "4529": "Modify semaphore state", - "4530": "Undefined Access (no effect) Bit 2", - "4531": "Undefined Access (no effect) Bit 3", - "4532": "Undefined Access (no effect) Bit 4", - "4533": "Undefined Access (no effect) Bit 5", - "4534": "Undefined Access (no effect) Bit 6", - "4535": "Undefined Access (no effect) Bit 7", - "4536": "Undefined Access (no effect) Bit 8", - "4537": "Undefined Access (no effect) Bit 9", - "4538": "Undefined Access (no effect) Bit 10", - "4539": "Undefined Access (no effect) Bit 11", - "4540": "Undefined Access (no effect) Bit 12", - "4541": "Undefined Access (no effect) Bit 13", - "4542": "Undefined Access (no effect) Bit 14", - "4543": "Undefined Access (no effect) Bit 15", - "4544": "Use symbolic link", - "4545": "Undefined Access (no effect) Bit 1", - "4546": "Undefined Access (no effect) Bit 2", - "4547": "Undefined Access (no effect) Bit 3", - "4548": "Undefined Access (no effect) Bit 4", - "4549": "Undefined Access (no effect) Bit 5", - "4550": "Undefined Access (no effect) Bit 6", - "4551": "Undefined Access (no 
effect) Bit 7", - "4552": "Undefined Access (no effect) Bit 8", - "4553": "Undefined Access (no effect) Bit 9", - "4554": "Undefined Access (no effect) Bit 10", - "4555": "Undefined Access (no effect) Bit 11", - "4556": "Undefined Access (no effect) Bit 12", - "4557": "Undefined Access (no effect) Bit 13", - "4558": "Undefined Access (no effect) Bit 14", - "4559": "Undefined Access (no effect) Bit 15", - "4560": "Force thread termination", - "4561": "Suspend or resume thread", - "4562": "Send an alert to thread", - "4563": "Get thread context", - "4564": "Set thread context", - "4565": "Set thread information", - "4566": "Query thread information", - "4567": "Assign a token to the thread", - "4568": "Cause thread to directly impersonate another thread", - "4569": "Directly impersonate this thread", - "4570": "Undefined Access (no effect) Bit 10", - "4571": "Undefined Access (no effect) Bit 11", - "4572": "Undefined Access (no effect) Bit 12", - "4573": "Undefined Access (no effect) Bit 13", - "4574": "Undefined Access (no effect) Bit 14", - "4575": "Undefined Access (no effect) Bit 15", - "4576": "Query timer state", - "4577": "Modify timer state", - "4578": "Undefined Access (no effect) Bit 2", - "4579": "Undefined Access (no effect) Bit 3", - "4580": "Undefined Access (no effect) Bit 4", - "4581": "Undefined Access (no effect) Bit 5", - "4582": "Undefined Access (no effect) Bit 6", - "4584": "Undefined Access (no effect) Bit 8", - "4585": "Undefined Access (no effect) Bit 9", - "4586": "Undefined Access (no effect) Bit 10", - "4587": "Undefined Access (no effect) Bit 11", - "4588": "Undefined Access (no effect) Bit 12", - "4589": "Undefined Access (no effect) Bit 13", - "4590": "Undefined Access (no effect) Bit 14", - "4591": "Undefined Access (no effect) Bit 15", - "4592": "AssignAsPrimary", - "4593": "Duplicate", - "4594": "Impersonate", - "4595": "Query", - "4596": "QuerySource", - "4597": "AdjustPrivileges", - "4598": "AdjustGroups", - "4599": 
"AdjustDefaultDacl", - "4600": "AdjustSessionID", - "4601": "Undefined Access (no effect) Bit 9", - "4602": "Undefined Access (no effect) Bit 10", - "4603": "Undefined Access (no effect) Bit 11", - "4604": "Undefined Access (no effect) Bit 12", - "4605": "Undefined Access (no effect) Bit 13", - "4606": "Undefined Access (no effect) Bit 14", - "4607": "Undefined Access (no effect) Bit 15", - "4608": "Create instance of object type", - "4609": "Undefined Access (no effect) Bit 1", - "4610": "Undefined Access (no effect) Bit 2", - "4611": "Undefined Access (no effect) Bit 3", - "4612": "Undefined Access (no effect) Bit 4", - "4613": "Undefined Access (no effect) Bit 5", - "4614": "Undefined Access (no effect) Bit 6", - "4615": "Undefined Access (no effect) Bit 7", - "4616": "Undefined Access (no effect) Bit 8", - "4617": "Undefined Access (no effect) Bit 9", - "4618": "Undefined Access (no effect) Bit 10", - "4619": "Undefined Access (no effect) Bit 11", - "4620": "Undefined Access (no effect) Bit 12", - "4621": "Undefined Access (no effect) Bit 13", - "4622": "Undefined Access (no effect) Bit 14", - "4623": "Undefined Access (no effect) Bit 15", - "4864": "Query State", - "4865": "Modify State", - "5120": "Channel read message", - "5121": "Channel write message", - "5122": "Channel query information", - "5123": "Channel set information", - "5124": "Undefined Access (no effect) Bit 4", - "5125": "Undefined Access (no effect) Bit 5", - "5126": "Undefined Access (no effect) Bit 6", - "5127": "Undefined Access (no effect) Bit 7", - "5128": "Undefined Access (no effect) Bit 8", - "5129": "Undefined Access (no effect) Bit 9", - "5130": "Undefined Access (no effect) Bit 10", - "5131": "Undefined Access (no effect) Bit 11", - "5132": "Undefined Access (no effect) Bit 12", - "5133": "Undefined Access (no effect) Bit 13", - "5134": "Undefined Access (no effect) Bit 14", - "5135": "Undefined Access (no effect) Bit 15", - "5136": "Assign process", - "5137": "Set Attributes", - 
"5138": "Query Attributes", - "5139": "Terminate Job", - "5140": "Set Security Attributes", - "5141": "Undefined Access (no effect) Bit 5", - "5142": "Undefined Access (no effect) Bit 6", - "5143": "Undefined Access (no effect) Bit 7", - "5144": "Undefined Access (no effect) Bit 8", - "5145": "Undefined Access (no effect) Bit 9", - "5146": "Undefined Access (no effect) Bit 10", - "5147": "Undefined Access (no effect) Bit 11", - "5148": "Undefined Access (no effect) Bit 12", - "5149": "Undefined Access (no effect) Bit 13", - "5150": "Undefined Access (no effect) Bit 14", - "5151": "Undefined Access (no effect) Bit 15", - "5376": "ConnectToServer", - "5377": "ShutdownServer", - "5378": "InitializeServer", - "5379": "CreateDomain", - "5380": "EnumerateDomains", - "5381": "LookupDomain", - "5382": "Undefined Access (no effect) Bit 6", - "5383": "Undefined Access (no effect) Bit 7", - "5384": "Undefined Access (no effect) Bit 8", - "5385": "Undefined Access (no effect) Bit 9", - "5386": "Undefined Access (no effect) Bit 10", - "5387": "Undefined Access (no effect) Bit 11", - "5388": "Undefined Access (no effect) Bit 12", - "5389": "Undefined Access (no effect) Bit 13", - "5390": "Undefined Access (no effect) Bit 14", - "5391": "Undefined Access (no effect) Bit 15", - "5392": "ReadPasswordParameters", - "5393": "WritePasswordParameters", - "5394": "ReadOtherParameters", - "5395": "WriteOtherParameters", - "5396": "CreateUser", - "5397": "CreateGlobalGroup", - "5398": "CreateLocalGroup", - "5399": "GetLocalGroupMembership", - "5400": "ListAccounts", - "5401": "LookupIDs", - "5402": "AdministerServer", - "5403": "Undefined Access (no effect) Bit 11", - "5404": "Undefined Access (no effect) Bit 12", - "5405": "Undefined Access (no effect) Bit 13", - "5406": "Undefined Access (no effect) Bit 14", - "5407": "Undefined Access (no effect) Bit 15", - "5408": "ReadInformation", - "5409": "WriteAccount", - "5410": "AddMember", - "5411": "RemoveMember", - "5412": "ListMembers", - 
"5413": "Undefined Access (no effect) Bit 5", - "5414": "Undefined Access (no effect) Bit 6", - "5415": "Undefined Access (no effect) Bit 7", - "5416": "Undefined Access (no effect) Bit 8", - "5417": "Undefined Access (no effect) Bit 9", - "5418": "Undefined Access (no effect) Bit 10", - "5419": "Undefined Access (no effect) Bit 11", - "5420": "Undefined Access (no effect) Bit 12", - "5421": "Undefined Access (no effect) Bit 13", - "5422": "Undefined Access (no effect) Bit 14", - "5423": "Undefined Access (no effect) Bit 15", - "5424": "AddMember", - "5425": "RemoveMember", - "5426": "ListMembers", - "5427": "ReadInformation", - "5428": "WriteAccount", - "5429": "Undefined Access (no effect) Bit 5", - "5430": "Undefined Access (no effect) Bit 6", - "5431": "Undefined Access (no effect) Bit 7", - "5432": "Undefined Access (no effect) Bit 8", - "5433": "Undefined Access (no effect) Bit 9", - "5434": "Undefined Access (no effect) Bit 10", - "5435": "Undefined Access (no effect) Bit 11", - "5436": "Undefined Access (no effect) Bit 12", - "5437": "Undefined Access (no effect) Bit 13", - "5438": "Undefined Access (no effect) Bit 14", - "5439": "Undefined Access (no effect) Bit 15", - "5440": "ReadGeneralInformation", - "5441": "ReadPreferences", - "5442": "WritePreferences", - "5443": "ReadLogon", - "5444": "ReadAccount", - "5445": "WriteAccount", - "5446": "ChangePassword (with knowledge of old password)", - "5447": "SetPassword (without knowledge of old password)", - "5448": "ListGroups", - "5449": "ReadGroupMembership", - "5450": "ChangeGroupMembership", - "5451": "Undefined Access (no effect) Bit 11", - "5452": "Undefined Access (no effect) Bit 12", - "5453": "Undefined Access (no effect) Bit 13", - "5454": "Undefined Access (no effect) Bit 14", - "5455": "Undefined Access (no effect) Bit 15", - "5632": "View non-sensitive policy information", - "5633": "View system audit requirements", - "5634": "Get sensitive policy information", - "5635": "Modify domain trust 
relationships", - "5636": "Create special accounts (for assignment of user rights)", - "5637": "Create a secret object", - "5638": "Create a privilege", - "5639": "Set default quota limits", - "5640": "Change system audit requirements", - "5641": "Administer audit log attributes", - "5642": "Enable/Disable LSA", - "5643": "Lookup Names/SIDs", - "5648": "Change secret value", - "5649": "Query secret value", - "5650": "Undefined Access (no effect) Bit 2", - "5651": "Undefined Access (no effect) Bit 3", - "5652": "Undefined Access (no effect) Bit 4", - "5653": "Undefined Access (no effect) Bit 5", - "5654": "Undefined Access (no effect) Bit 6", - "5655": "Undefined Access (no effect) Bit 7", - "5656": "Undefined Access (no effect) Bit 8", - "5657": "Undefined Access (no effect) Bit 9", - "5658": "Undefined Access (no effect) Bit 10", - "5659": "Undefined Access (no effect) Bit 11", - "5660": "Undefined Access (no effect) Bit 12", - "5661": "Undefined Access (no effect) Bit 13", - "5662": "Undefined Access (no effect) Bit 14", - "5663": "Undefined Access (no effect) Bit 15", - "5664": "Query trusted domain name/SID", - "5665": "Retrieve the controllers in the trusted domain", - "5666": "Change the controllers in the trusted domain", - "5667": "Query the Posix ID offset assigned to the trusted domain", - "5668": "Change the Posix ID offset assigned to the trusted domain", - "5669": "Undefined Access (no effect) Bit 5", - "5670": "Undefined Access (no effect) Bit 6", - "5671": "Undefined Access (no effect) Bit 7", - "5672": "Undefined Access (no effect) Bit 8", - "5673": "Undefined Access (no effect) Bit 9", - "5674": "Undefined Access (no effect) Bit 10", - "5675": "Undefined Access (no effect) Bit 11", - "5676": "Undefined Access (no effect) Bit 12", - "5677": "Undefined Access (no effect) Bit 13", - "5678": "Undefined Access (no effect) Bit 14", - "5679": "Undefined Access (no effect) Bit 15", - "5680": "Query account information", - "5681": "Change privileges 
assigned to account", - "5682": "Change quotas assigned to account", - "5683": "Change logon capabilities assigned to account", - "5684": "Change the Posix ID offset assigned to the accounted domain", - "5685": "Undefined Access (no effect) Bit 5", - "5686": "Undefined Access (no effect) Bit 6", - "5687": "Undefined Access (no effect) Bit 7", - "5688": "Undefined Access (no effect) Bit 8", - "5689": "Undefined Access (no effect) Bit 9", - "5690": "Undefined Access (no effect) Bit 10", - "5691": "Undefined Access (no effect) Bit 11", - "5692": "Undefined Access (no effect) Bit 12", - "5693": "Undefined Access (no effect) Bit 13", - "5694": "Undefined Access (no effect) Bit 14", - "5695": "Undefined Access (no effect) Bit 15", - "5696": "KeyedEvent Wait", - "5697": "KeyedEvent Wake", - "5698": "Undefined Access (no effect) Bit 2", - "5699": "Undefined Access (no effect) Bit 3", - "5700": "Undefined Access (no effect) Bit 4", - "5701": "Undefined Access (no effect) Bit 5", - "5702": "Undefined Access (no effect) Bit 6", - "5703": "Undefined Access (no effect) Bit 7", - "5704": "Undefined Access (no effect) Bit 8", - "5705": "Undefined Access (no effect) Bit 9", - "5706": "Undefined Access (no effect) Bit 10", - "5707": "Undefined Access (no effect) Bit 11", - "5708": "Undefined Access (no effect) Bit 12", - "5709": "Undefined Access (no effect) Bit 13", - "5710": "Undefined Access (no effect) Bit 14", - "5711": "Undefined Access (no effect) Bit 15", - "6656": "Enumerate desktops", - "6657": "Read attributes", - "6658": "Access Clipboard", - "6659": "Create desktop", - "6660": "Write attributes", - "6661": "Access global atoms", - "6662": "Exit windows", - "6663": "Unused Access Flag", - "6664": "Include this windowstation in enumerations", - "6665": "Read screen", - "6672": "Read Objects", - "6673": "Create window", - "6674": "Create menu", - "6675": "Hook control", - "6676": "Journal (record)", - "6677": "Journal (playback)", - "6678": "Include this desktop in 
enumerations", - "6679": "Write objects", - "6680": "Switch to this desktop", - "6912": "Administer print server", - "6913": "Enumerate printers", - "6930": "Full Control", - "6931": "Print", - "6948": "Administer Document", - "7168": "Connect to service controller", - "7169": "Create a new service", - "7170": "Enumerate services", - "7171": "Lock service database for exclusive access", - "7172": "Query service database lock state", - "7173": "Set last-known-good state of service database", - "7184": "Query service configuration information", - "7185": "Set service configuration information", - "7186": "Query status of service", - "7187": "Enumerate dependencies of service", - "7188": "Start the service", - "7189": "Stop the service", - "7190": "Pause or continue the service", - "7191": "Query information from service", - "7192": "Issue service-specific control commands", - "7424": "DDE Share Read", - "7425": "DDE Share Write", - "7426": "DDE Share Initiate Static", - "7427": "DDE Share Initiate Link", - "7428": "DDE Share Request", - "7429": "DDE Share Advise", - "7430": "DDE Share Poke", - "7431": "DDE Share Execute", - "7432": "DDE Share Add Items", - "7433": "DDE Share List Items", - "7680": "Create Child", - "7681": "Delete Child", - "7682": "List Contents", - "7683": "Write Self", - "7684": "Read Property", - "7685": "Write Property", - "7686": "Delete Tree", - "7687": "List Object", - "7688": "Control Access", - "7689": "Undefined Access (no effect) Bit 9", - "7690": "Undefined Access (no effect) Bit 10", - "7691": "Undefined Access (no effect) Bit 11", - "7692": "Undefined Access (no effect) Bit 12", - "7693": "Undefined Access (no effect) Bit 13", - "7694": "Undefined Access (no effect) Bit 14", - "7695": "Undefined Access (no effect) Bit 15", - "7936": "Audit Set System Policy", - "7937": "Audit Query System Policy", - "7938": "Audit Set Per User Policy", - "7939": "Audit Query Per User Policy", - "7940": "Audit Enumerate Users", - "7941": "Audit Set 
Options", - "7942": "Audit Query Options", - "8064": "Port sharing (read)", - "8065": "Port sharing (write)", - "8096": "Default credentials", - "8097": "Credentials manager", - "8098": "Fresh credentials", - "8192": "Kerberos", - "8193": "Preshared key", - "8194": "Unknown authentication", - "8195": "DES", - "8196": "3DES", - "8197": "MD5", - "8198": "SHA1", - "8199": "Local computer", - "8200": "Remote computer", - "8201": "No state", - "8202": "Sent first (SA) payload", - "8203": "Sent second (KE) payload", - "8204": "Sent third (ID) payload", - "8205": "Initiator", - "8206": "Responder", - "8207": "No state", - "8208": "Sent first (SA) payload", - "8209": "Sent final payload", - "8210": "Complete", - "8211": "Unknown", - "8212": "Transport", - "8213": "Tunnel", - "8214": "IKE/AuthIP DoS prevention mode started", - "8215": "IKE/AuthIP DoS prevention mode stopped", - "8216": "Enabled", - "8217": "Not enabled", - "8218": "No state", - "8219": "Sent first (EM attributes) payload", - "8220": "Sent second (SSPI) payload", - "8221": "Sent third (hash) payload", - "8222": "IKEv1", - "8223": "AuthIP", - "8224": "Anonymous", - "8225": "NTLM V2", - "8226": "CGA", - "8227": "Certificate", - "8228": "SSL", - "8229": "None", - "8230": "DH group 1", - "8231": "DH group 2", - "8232": "DH group 14", - "8233": "DH group ECP 256", - "8234": "DH group ECP 384", - "8235": "AES-128", - "8236": "AES-192", - "8237": "AES-256", - "8238": "Certificate ECDSA P256", - "8239": "Certificate ECDSA P384", - "8240": "SSL ECDSA P256", - "8241": "SSL ECDSA P384", - "8242": "SHA 256", - "8243": "SHA 384", - "8244": "IKEv2", - "8245": "EAP payload sent", - "8246": "Authentication payload sent", - "8247": "EAP", - "8248": "DH group 24", - "8272": "System", - "8273": "Logon/Logoff", - "8274": "Object Access", - "8275": "Privilege Use", - "8276": "Detailed Tracking", - "8277": "Policy Change", - "8278": "Account Management", - "8279": "DS Access", - "8280": "Account Logon", - "8448": "Success 
removed", - "8449": "Success Added", - "8450": "Failure removed", - "8451": "Failure added", - "8452": "Success include removed", - "8453": "Success include added", - "8454": "Success exclude removed", - "8455": "Success exclude added", - "8456": "Failure include removed", - "8457": "Failure include added", - "8458": "Failure exclude removed", - "8459": "Failure exclude added", - "12288": "Security State Change", - "12289": "Security System Extension", - "12290": "System Integrity", - "12291": "IPsec Driver", - "12292": "Other System Events", - "12544": "Logon", - "12545": "Logoff", - "12546": "Account Lockout", - "12547": "IPsec Main Mode", - "12548": "Special Logon", - "12549": "IPsec Quick Mode", - "12550": "IPsec Extended Mode", - "12551": "Other Logon/Logoff Events", - "12552": "Network Policy Server", - "12553": "User / Device Claims", - "12554": "Group Membership", - "12800": "File System", - "12801": "Registry", - "12802": "Kernel Object", - "12803": "SAM", - "12804": "Other Object Access Events", - "12805": "Certification Services", - "12806": "Application Generated", - "12807": "Handle Manipulation", - "12808": "File Share", - "12809": "Filtering Platform Packet Drop", - "12810": "Filtering Platform Connection", - "12811": "Detailed File Share", - "12812": "Removable Storage", - "12813": "Central Policy Staging", - "13056": "Sensitive Privilege Use", - "13057": "Non Sensitive Privilege Use", - "13058": "Other Privilege Use Events", - "13312": "Process Creation", - "13313": "Process Termination", - "13314": "DPAPI Activity", - "13315": "RPC Events", - "13316": "Plug and Play Events", - "13317": "Token Right Adjusted Events", - "13568": "Audit Policy Change", - "13569": "Authentication Policy Change", - "13570": "Authorization Policy Change", - "13571": "MPSSVC Rule-Level Policy Change", - "13572": "Filtering Platform Policy Change", - "13573": "Other Policy Change Events", - "13824": "User Account Management", - "13825": "Computer Account Management", - 
"13826": "Security Group Management", - "13827": "Distribution Group Management", - "13828": "Application Group Management", - "13829": "Other Account Management Events", - "14080": "Directory Service Access", - "14081": "Directory Service Changes", - "14082": "Directory Service Replication", - "14083": "Detailed Directory Service Replication", - "14336": "Credential Validation", - "14337": "Kerberos Service Ticket Operations", - "14338": "Other Account Logon Events", - "14339": "Kerberos Authentication Service", - "14592": "Inbound", - "14593": "Outbound", - "14594": "Forward", - "14595": "Bidirectional", - "14596": "IP Packet", - "14597": "Transport", - "14598": "Forward", - "14599": "Stream", - "14600": "Datagram Data", - "14601": "ICMP Error", - "14602": "MAC 802.3", - "14603": "MAC Native", - "14604": "vSwitch", - "14608": "Resource Assignment", - "14609": "Listen", - "14610": "Receive/Accept", - "14611": "Connect", - "14612": "Flow Established", - "14614": "Resource Release", - "14615": "Endpoint Closure", - "14616": "Connect Redirect", - "14617": "Bind Redirect", - "14624": "Stream Packet", - "14640": "ICMP Echo-Request", - "14641": "vSwitch Ingress", - "14642": "vSwitch Egress", - "14672": "", - "14673": "[NULL]", - "14674": "Value Added", - "14675": "Value Deleted", - "14676": "Active Directory Domain Services", - "14677": "Active Directory Lightweight Directory Services", - "14678": "Yes", - "14679": "No", - "14680": "Value Added With Expiration Time", - "14681": "Value Deleted With Expiration Time", - "14688": "Value Auto Deleted With Expiration Time", - "16384": "Add", - "16385": "Delete", - "16386": "Boot-time", - "16387": "Persistent", - "16388": "Not persistent", - "16389": "Block", - "16390": "Permit", - "16391": "Callout", - "16392": "MD5", - "16393": "SHA-1", - "16394": "SHA-256", - "16395": "AES-GCM 128", - "16396": "AES-GCM 192", - "16397": "AES-GCM 256", - "16398": "DES", - "16399": "3DES", - "16400": "AES-128", - "16401": "AES-192", - "16402": 
"AES-256", - "16403": "Transport", - "16404": "Tunnel", - "16405": "Responder", - "16406": "Initiator", - "16407": "AES-GMAC 128", - "16408": "AES-GMAC 192", - "16409": "AES-GMAC 256", - "16416": "AuthNoEncap Transport", - "16896": "Enable WMI Account", - "16897": "Execute Method", - "16898": "Full Write", - "16899": "Partial Write", - "16900": "Provider Write", - "16901": "Remote Access", - "16902": "Subscribe", - "16903": "Publish", - }; - // lookupMessageCode returns the string associated with the code. key should - // be the name of the field in evt containing the code (e.g. %%2313). - var lookupMessageCode = function (evt, key) { - var code = evt.Get(key); - if (!code) { - return; - } - code = code.replace("%%", ""); - return msobjsMessageTable[code]; - }; - var addEventFields = function(evt){ - var code = evt.Get("event.code"); - if (!code) { - return; - } - var eventActionDescription = eventActionTypes[code][2]; - if (eventActionDescription) { - evt.AppendTo("event.category", eventActionTypes[code][0]); - evt.AppendTo("event.type", eventActionTypes[code][1]); - evt.Put("event.action", eventActionTypes[code][2]); - } - }; - var addLogonType = function(evt) { - var code = evt.Get("winlog.event_data.LogonType"); - if (!code) { - return; - } - var descriptiveLogonType = logonTypes[code]; - if (descriptiveLogonType === undefined) { - return; - } - evt.Put("winlog.logon.type", descriptiveLogonType); - }; - var addFailureCode = function(evt) { - var msg = lookupMessageCode(evt, "winlog.event_data.FailureReason"); - if (!msg) { - return; - } - evt.Put("winlog.logon.failure.reason", msg); - }; - var addFailureStatus = function(evt) { - var code = evt.Get("winlog.event_data.Status"); - if (!code) { - return; - } - var descriptiveFailureStatus = logonFailureStatus[code]; - if (descriptiveFailureStatus === undefined) { - return; - } - evt.Put("winlog.logon.failure.status", descriptiveFailureStatus); - }; - var addFailureSubStatus = function(evt) { - var code = 
evt.Get("winlog.event_data.SubStatus");
- if (!code) {
- return;
- }
- var descriptiveFailureStatus = logonFailureStatus[code];
- if (descriptiveFailureStatus === undefined) {
- return;
- }
- evt.Put("winlog.logon.failure.sub_status", descriptiveFailureStatus);
- };
- var addUACDescription = function(evt) {
- var code = evt.Get("winlog.event_data.NewUacValue");
- if (!code) {
- return;
- }
- var uacCode = parseInt(code);
- var uacResult = [];
- for (var i = 0; i < uacFlags.length; i++) {
- if ((uacCode | uacFlags[i][0]) === uacCode) {
- uacResult.push(uacFlags[i][1]);
- }
- }
- if (uacResult) {
- evt.Put("winlog.event_data.NewUACList", uacResult);
- }
- var uacList = evt.Get("winlog.event_data.UserAccountControl").replace(/\s/g, '').split("%%").filter(String);
- if (!uacList) {
- return;
- }
- evt.Put("winlog.event_data.UserAccountControl", uacList);
- };
- var addAuditInfo = function(evt) {
- var subcategoryGuid = evt.Get("winlog.event_data.SubcategoryGuid").replace("{", '').replace("}", '').toUpperCase();
- if (!subcategoryGuid) {
- return;
- }
- if (!auditDescription[subcategoryGuid]) {
- return;
- }
- evt.Put("winlog.event_data.Category", auditDescription[subcategoryGuid][1]);
- evt.Put("winlog.event_data.SubCategory", auditDescription[subcategoryGuid][0]);
- var codedActions = evt.Get("winlog.event_data.AuditPolicyChanges").split(",");
- var actionResults = [];
- for (var j = 0; j < codedActions.length; j++) {
- var actionCode = codedActions[j].replace("%%", '').replace(' ', '');
- actionResults.push(auditActions[actionCode]);
- }
- evt.Put("winlog.event_data.AuditPolicyChangesDescription", actionResults);
- };
- var addTicketOptionsDescription = function(evt) {
- var code = evt.Get("winlog.event_data.TicketOptions");
- if (!code) {
- return;
- }
- var tktCode = parseInt(code, 16).toString(2);
- var tktResult = [];
- var tktCodeLen = tktCode.length;
- for (var i = tktCodeLen; i >= 0; i--) {
- if (tktCode[i] == 1) {
- tktResult.push(ticketOptions[(32-tktCodeLen)+i]);
- }
- }
- if (tktResult) {
- evt.Put("winlog.event_data.TicketOptionsDescription", tktResult);
- }
- };
- var addTicketEncryptionType = function(evt) {
- var code = evt.Get("winlog.event_data.TicketEncryptionType");
- if (!code) {
- return;
- }
- var encTypeCode = code.toLowerCase();
- evt.Put("winlog.event_data.TicketEncryptionTypeDescription", ticketEncryptionTypes[encTypeCode]);
- };
- var addTicketStatus = function(evt) {
- var code = evt.Get("winlog.event_data.Status");
- if (!code) {
- return;
- }
- evt.Put("winlog.event_data.StatusDescription", kerberosTktStatusCodes[code]);
- };
- var addSessionData = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.AccountName", to: "user.name"},
- {from: "winlog.event_data.AccountDomain", to: "user.domain"},
- {from: "winlog.event_data.ClientAddress", to: "source.ip"},
- {from: "winlog.event_data.ClientName", to: "source.domain"},
- {from: "winlog.event_data.LogonID", to: "winlog.logon.id"},
- ],
- ignore_missing: true,
- })
- .Add(function(evt) {
- var user = evt.Get("winlog.event_data.AccountName");
- evt.AppendTo('related.user', user);
- })
- .Build();
- var addServiceFields = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.ServiceName", to: "service.name"},
- ],
- ignore_missing: true,
- })
- .Add(function(evt) {
- var code = evt.Get("winlog.event_data.ServiceType");
- if (!code) {
- return;
- }
- evt.Put("service.type", serviceTypes[code]);
- })
- .Build();
- var copyTargetUser = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.TargetUserSid", to: "user.id"},
- {from: "winlog.event_data.TargetUserName", to: "user.name"},
- {from: "winlog.event_data.TargetDomainName", to: "user.domain"},
- ],
- ignore_missing: true,
- })
- .Add(function(evt) {
- var user = evt.Get("winlog.event_data.TargetUserName");
- if (/.@*/.test(user)) {
- user = user.split('@')[0];
- evt.Put('user.name', user);
- }
- evt.AppendTo('related.user', user);
- })
- .Build();
- var copyTargetUserToGroup = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.TargetUserSid", to: "group.id"},
- {from: "winlog.event_data.TargetUserName", to: "group.name"},
- {from: "winlog.event_data.TargetDomainName", to: "group.domain"},
- ],
- ignore_missing: true,
- })
- .Build();
- var copyTargetUserToComputerObject = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.TargetSid", to: "winlog.computerObject.id"},
- {from: "winlog.event_data.TargetUserName", to: "winlog.computerObject.name"},
- {from: "winlog.event_data.TargetDomainName", to: "winlog.computerObject.domain"},
- ],
- ignore_missing: true,
- })
- .Build();
- var copyTargetUserLogonId = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.TargetLogonId", to: "winlog.logon.id"},
- ],
- ignore_missing: true,
- })
- .Build();
- var copySubjectUser = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.SubjectUserSid", to: "user.id"},
- {from: "winlog.event_data.SubjectUserName", to: "user.name"},
- {from: "winlog.event_data.SubjectDomainName", to: "user.domain"},
- ],
- ignore_missing: true,
- })
- .Add(function(evt) {
- var user = evt.Get("winlog.event_data.SubjectUserName");
- evt.AppendTo('related.user', user);
- })
- .Build();
- var copySubjectUserFromUserData = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.user_data.SubjectUserSid", to: "user.id"},
- {from: "winlog.user_data.SubjectUserName", to: "user.name"},
- {from: "winlog.user_data.SubjectDomainName", to: "user.domain"},
- ],
- ignore_missing: true,
- })
- .Add(function(evt) {
- var user = evt.Get("winlog.user_data.SubjectUserName");
- evt.AppendTo('related.user', user);
- })
- .Build();
- var copySubjectUserLogonId = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.SubjectLogonId", to: "winlog.logon.id"},
- ],
- ignore_missing: true,
- })
- .Build();
- var copySubjectUserLogonIdFromUserData = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.user_data.SubjectLogonId", to: "winlog.logon.id"},
- ],
- ignore_missing: true,
- })
- .Build();
- var renameCommonAuthFields = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"},
- {from: "winlog.event_data.ProcessName", to: "process.executable"},
- {from: "winlog.event_data.IpAddress", to: "source.ip", type: "ip"},
- {from: "winlog.event_data.IpPort", to: "source.port", type: "long"},
- {from: "winlog.event_data.WorkstationName", to: "source.domain"},
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(function(evt) {
- var name = evt.Get("process.name");
- if (name) {
- return;
- }
- var exe = evt.Get("process.executable");
- if (!exe) {
- return;
- }
- evt.Put("process.name", path.basename(exe));
- })
- .Build();
- var renameNewProcessFields = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.NewProcessId", to: "process.pid", type: "long"},
- {from: "winlog.event_data.NewProcessName", to: "process.executable"},
- {from: "winlog.event_data.ParentProcessName", to: "process.parent.executable"}
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(function(evt) {
- var name = evt.Get("process.name");
- if (name) {
- return;
- }
- var exe = evt.Get("process.executable");
- if (!exe) {
- return;
- }
- evt.Put("process.name", path.basename(exe));
- })
- .Add(function(evt) {
- var name = evt.Get("process.parent.name");
- if (name) {
- return;
- }
- var exe = evt.Get("process.parent.executable");
- if (!exe) {
- return;
- }
- evt.Put("process.parent.name", path.basename(exe));
- })
- .Add(function(evt) {
- var cl = evt.Get("winlog.event_data.CommandLine");
- if (!cl) {
- return;
- }
- evt.Put("process.args", windows.splitCommandLine(cl));
- evt.Put("process.command_line", cl);
- })
- .Build();
- // Handles 4634 and 4647.
- var logoff = new processor.Chain()
- .Add(copyTargetUser)
- .Add(copyTargetUserLogonId)
- .Add(addLogonType)
- .Add(addEventFields)
- .Build();
- // Handles both 4624
- var logonSuccess = new processor.Chain()
- .Add(copyTargetUser)
- .Add(copyTargetUserLogonId)
- .Add(addLogonType)
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Add(function(evt) {
- var user = evt.Get("winlog.event_data.SubjectUserName");
- if (user) {
- var res = /^-$/.test(user);
- if (!res) {
- evt.AppendTo('related.user', user);
- }
- }
- })
- .Build();
- // Handles both 4648
- var event4648 = new processor.Chain()
- .Add(copyTargetUser)
- .Add(copySubjectUserLogonId)
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Add(function(evt) {
- var user = evt.Get("winlog.event_data.SubjectUserName");
- if (user) {
- var res = /^-$/.test(user);
- if (!res) {
- evt.AppendTo('related.user', user);
- }
- }
- })
- .Build();
- var event4625 = new processor.Chain()
- .Add(copyTargetUser)
- .Add(copySubjectUserLogonId)
- .Add(addLogonType)
- .Add(addFailureCode)
- .Add(addFailureStatus)
- .Add(addFailureSubStatus)
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Build();
- var event4672 = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(function(evt) {
- var privs = evt.Get("winlog.event_data.PrivilegeList");
- if (!privs) {
- return;
- }
- evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/));
- })
- .Add(addEventFields)
- .Build();
- var event4688 = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(renameNewProcessFields)
- .Add(addEventFields)
- .Add(function(evt) {
- var user = evt.Get("winlog.event_data.TargetUserName");
- var res = /^-$/.test(user);
- if (!res) {
- evt.AppendTo('related.user', user);
- }
- })
- .Build();
- var event4689 = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Build();
- var event4697 = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(renameCommonAuthFields)
- .Add(addServiceFields)
- .Add(addEventFields)
- .Add(function(evt) {
- evt.AppendTo("event.type", "change");
- })
- .Build();
- var userMgmtEvts = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(renameCommonAuthFields)
- .Add(addUACDescription)
- .Add(addEventFields)
- .Add(function(evt) {
- var user = evt.Get("winlog.event_data.TargetUserName");
- evt.AppendTo('related.user', user);
- evt.AppendTo("event.type", "user");
- })
- .Build();
- var userRenamed = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(addEventFields)
- .Add(function(evt) {
- var userNew = evt.Get("winlog.event_data.NewTargetUserName");
- evt.AppendTo('related.user', userNew);
- var userOld = evt.Get("winlog.event_data.OldTargetUserName");
- evt.AppendTo('related.user', userOld);
- evt.AppendTo("event.type", "user");
- })
- .Build();
- var groupMgmtEvts = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(copyTargetUserToGroup)
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Add(function(evt) {
- evt.AppendTo("event.type", "group");
- var member = evt.Get("winlog.event_data.MemberName");
- if (!member) {
- return;
- }
- evt.AppendTo("related.user", member.split(',')[0].replace('CN=', '').replace('cn=', ''));
- })
- .Build();
- var auditLogCleared = new processor.Chain()
- .Add(copySubjectUserFromUserData)
- .Add(copySubjectUserLogonIdFromUserData)
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Add(function(evt) {
- evt.AppendTo("event.type", "change");
- })
- .Build();
- var auditChanged = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(renameCommonAuthFields)
- .Add(addAuditInfo)
- .Add(addEventFields)
- .Add(function(evt) {
- evt.AppendTo("event.type", "change");
- })
- .Build();
- var auditLogMgmt = new processor.Chain()
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Build();
- var computerMgmtEvts = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(copyTargetUserToComputerObject)
- .Add(renameCommonAuthFields)
- .Add(addUACDescription)
- .Add(addEventFields)
- .Add(function(evt) {
- var privs = evt.Get("winlog.event_data.PrivilegeList");
- if (!privs) {
- return;
- }
- evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/));
- evt.AppendTo("event.type", "admin");
- })
- .Build();
- var sessionEvts = new processor.Chain()
- .Add(addSessionData)
- .Add(addEventFields)
- .Build();
- var event4964 = new processor.Chain()
- .Add(copyTargetUser)
- .Add(copyTargetUserLogonId)
- .Add(addEventFields)
- .Add(function(evt) {
- evt.AppendTo("event.type", "group");
- })
- .Build();
- var kerberosTktEvts = new processor.Chain()
- .Add(copyTargetUser)
- .Add(renameCommonAuthFields)
- .Add(addTicketOptionsDescription)
- .Add(addTicketEncryptionType)
- .Add(addTicketStatus)
- .Add(addEventFields)
- .Add(function(evt) {
- var ip = evt.Get("source.ip");
- if (/::ffff:/.test(ip)) {
- evt.Put("source.ip", ip.replace("::ffff:", ""));
- }
- })
- .Build();
- var event4776 = new processor.Chain()
- .Add(copyTargetUser)
- .Add(addFailureStatus)
- .Add(addEventFields)
- .Build();
- var scheduledTask = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(addEventFields)
- .Add(function(evt) {
- evt.AppendTo("event.type", "admin");
- })
- .Build();
- var sensitivePrivilege = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Add(function(evt) {
- var privs = evt.Get("winlog.event_data.PrivilegeList");
- if (!privs) {
- return;
- }
- evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/));
- })
- .Add(function(evt){
- var maskCodes = evt.Get("winlog.event_data.AccessMask");
- if (!maskCodes) {
- return;
- }
- var maskList = 
maskCodes.replace(/\s+/g, '').split("%%").filter(String); - evt.Put("winlog.event_data.AccessMask", maskList); - var maskResults = []; - for (var j = 0; j < maskList.length; j++) { - var description = msobjsMessageTable[maskList[j]]; - if (description === undefined) { - return; - } - maskResults.push(description); - } - evt.Put("winlog.event_data.AccessMaskDescription", maskResults); - }) - .Build(); - return { - // 1100 - The event logging service has shut down. - 1100: auditLogMgmt.Run, - // 1102 - The audit log was cleared. - 1102: auditLogCleared.Run, - // 1104 - The security log is now full. - 1104: auditLogMgmt.Run, - // 1105 - Event log automatic backup. - 1105: auditLogMgmt.Run, - // 1108 - The event logging service encountered an error while processing an incoming event published from %1 - 1108: auditLogMgmt.Run, - // 4624 - An account was successfully logged on. - 4624: logonSuccess.Run, - // 4625 - An account failed to log on. - 4625: event4625.Run, - // 4634 - An account was logged off. - 4634: logoff.Run, - // 4647 - User initiated logoff. - 4647: logoff.Run, - // 4648 - A logon was attempted using explicit credentials. - 4648: event4648.Run, - // 4672 - Special privileges assigned to new logon. - 4672: event4672.Run, - // 4673 - A privileged service was called. - 4673: sensitivePrivilege.Run, - // 4674 - An operation was attempted on a privileged object. - 4674: sensitivePrivilege.Run, - // 4688 - A new process has been created. - 4688: event4688.Run, - // 4689 - A process has exited. - 4689: event4689.Run, - // 4697 - A service was installed in the system. - 4697: event4697.Run, - // 4698 - A scheduled task was created. - 4698: scheduledTask.Run, - // 4699 - A scheduled task was deleted. - 4699: scheduledTask.Run, - // 4700 - A scheduled task was enabled. - 4700: scheduledTask.Run, - // 4701 - A scheduled task was disabled. - 4701: scheduledTask.Run, - // 4702 - A scheduled task was updated. 
- 4702: scheduledTask.Run, - // 4719 - System audit policy was changed. - 4719: auditChanged.Run, - // 4720 - A user account was created - 4720: userMgmtEvts.Run, - // 4722 - A user account was enabled - 4722: userMgmtEvts.Run, - // 4723 - An attempt was made to change an account's password - 4723: userMgmtEvts.Run, - // 4724 - An attempt was made to reset an account's password - 4724: userMgmtEvts.Run, - // 4725 - A user account was disabled. - 4725: userMgmtEvts.Run, - // 4726 - An user account was deleted. - 4726: userMgmtEvts.Run, - // 4727 - A security-enabled global group was created. - 4727: groupMgmtEvts.Run, - // 4728 - A member was added to a security-enabled global group. - 4728: groupMgmtEvts.Run, - // 4729 - A member was removed from a security-enabled global group. - 4729: groupMgmtEvts.Run, - // 4730 - A security-enabled global group was deleted. - 4730: groupMgmtEvts.Run, - // 4731 - A security-enabled local group was created. - 4731: groupMgmtEvts.Run, - // 4732 - A member was added to a security-enabled local group. - 4732: groupMgmtEvts.Run, - // 4733 - A member was removed from a security-enabled local group. - 4733: groupMgmtEvts.Run, - // 4734 - A security-enabled local group was deleted. - 4734: groupMgmtEvts.Run, - // 4735 - A security-enabled local group was changed. - 4735: groupMgmtEvts.Run, - // 4737 - A security-enabled global group was changed. - 4737: groupMgmtEvts.Run, - // 4738 - An user account was changed. - 4738: userMgmtEvts.Run, - // 4740 - An account was locked out - 4740: userMgmtEvts.Run, - // 4741 - A computer account was created. - 4741: computerMgmtEvts.Run, - // 4742 - A computer account was changed. - 4742: computerMgmtEvts.Run, - // 4743 - A computer account was deleted. - 4743: computerMgmtEvts.Run, - // 4744 - A security-disabled local group was created. - 4744: groupMgmtEvts.Run, - // 4745 - A security-disabled local group was changed. 
- 4745: groupMgmtEvts.Run, - // 4746 - A member was added to a security-disabled local group. - 4746: groupMgmtEvts.Run, - // 4747 - A member was removed from a security-disabled local group. - 4747: groupMgmtEvts.Run, - // 4748 - A security-disabled local group was deleted. - 4748: groupMgmtEvts.Run, - // 4749 - A security-disabled global group was created. - 4749: groupMgmtEvts.Run, - // 4750 - A security-disabled global group was changed. - 4750: groupMgmtEvts.Run, - // 4751 - A member was added to a security-disabled global group. - 4751: groupMgmtEvts.Run, - // 4752 - A member was removed from a security-disabled global group. - 4752: groupMgmtEvts.Run, - // 4753 - A security-disabled global group was deleted. - 4753: groupMgmtEvts.Run, - // 4754 - A security-enabled universal group was created. - 4754: groupMgmtEvts.Run, - // 4755 - A security-enabled universal group was changed. - 4755: groupMgmtEvts.Run, - // 4756 - A member was added to a security-enabled universal group. - 4756: groupMgmtEvts.Run, - // 4757 - A member was removed from a security-enabled universal group. - 4757: groupMgmtEvts.Run, - // 4758 - A security-enabled universal group was deleted. - 4758: groupMgmtEvts.Run, - // 4759 - A security-disabled universal group was created. - 4759: groupMgmtEvts.Run, - // 4760 - A security-disabled universal group was changed. - 4760: groupMgmtEvts.Run, - // 4761 - A member was added to a security-disabled universal group. - 4761: groupMgmtEvts.Run, - // 4762 - A member was removed from a security-disabled universal group. - 4762: groupMgmtEvts.Run, - // 4763 - A security-disabled global group was deleted. - 4763: groupMgmtEvts.Run, - // 4764 - A group\'s type was changed. - 4764: groupMgmtEvts.Run, - // 4767 - A user account was unlocked. - 4767: userMgmtEvts.Run, - // 4768 - A Kerberos authentication ticket TGT was requested. - 4768: kerberosTktEvts.Run, - // 4769 - A Kerberos service ticket was requested. 
- 4769: kerberosTktEvts.Run, - // 4770 - A Kerberos service ticket was renewed. - 4770: kerberosTktEvts.Run, - // 4771 - Kerberos pre-authentication failed. - 4771: kerberosTktEvts.Run, - // 4776 - The computer attempted to validate the credentials for an account. - 4776: event4776.Run, - // 4778 - A session was reconnected to a Window Station. - 4778: sessionEvts.Run, - // 4779 - A session was disconnected from a Window Station. - 4779: sessionEvts.Run, - // 4781 - The name of an account was changed. - 4781: userRenamed.Run, - // 4798 - A user's local group membership was enumerated. - 4798: userMgmtEvts.Run, - // 4799 - A security-enabled local group membership was enumerated. - 4799: groupMgmtEvts.Run, - // 4964 - Special groups have been assigned to a new logon. - 4964: event4964.Run, - process: function(evt) { - var eventId = evt.Get("winlog.event_id"); - var processor = this[eventId]; - if (processor === undefined) { - return; - } - evt.Put("event.module", "security"); - processor(evt); - }, - }; - })(); - function process(evt) { - return security.process(evt); - } \ No newline at end of file diff --git a/packages/system/0.10.4/data_stream/security/elasticsearch/ingest_pipeline/default.yml b/packages/system/0.10.4/data_stream/security/elasticsearch/ingest_pipeline/default.yml deleted file mode 100644 index 4b6fecee0d..0000000000 --- a/packages/system/0.10.4/data_stream/security/elasticsearch/ingest_pipeline/default.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -description: Pipeline for Windows Security Event Logs -processors: - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' -on_failure: - - set: - field: "error.message" - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/system/0.10.4/data_stream/security/fields/agent.yml b/packages/system/0.10.4/data_stream/security/fields/agent.yml deleted file mode 100644 index da4e652c53..0000000000 --- a/packages/system/0.10.4/data_stream/security/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.10.4/data_stream/security/fields/base-fields.yml b/packages/system/0.10.4/data_stream/security/fields/base-fields.yml
deleted file mode 100644
index a9a65458fc..0000000000
--- a/packages/system/0.10.4/data_stream/security/fields/base-fields.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset name.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: dataset.type
- type: constant_keyword
- description: Dataset type.
-- name: dataset.name
- type: constant_keyword
- description: Dataset name.
-- name: dataset.namespace
- type: constant_keyword
- description: Dataset namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.10.4/data_stream/security/fields/ecs.yml b/packages/system/0.10.4/data_stream/security/fields/ecs.yml
deleted file mode 100644
index ccf9959fcb..0000000000
--- a/packages/system/0.10.4/data_stream/security/fields/ecs.yml
+++ /dev/null
@@ -1,147 +0,0 @@
-- description: Error message.
- name: error.message
- type: text
-- description: The action captured by the event.
- example: user-password-change
- ignore_above: 1024
- name: event.action
- type: keyword
-- description: Event category. The second categorization field in the hierarchy.
- example: authentication
- ignore_above: 1024
- name: event.category
- type: keyword
-- description: Identification code for this event.
- example: 4648
- ignore_above: 1024
- name: event.code
- type: keyword
-- description: Time when the event was first read by an agent or by your pipeline.
- example: '2016-05-23T08:05:34.857Z'
- name: event.created
- type: date
-- description: Timestamp when an event arrived in the central data store.
- example: '2016-05-23T08:05:35.101Z'
- name: event.ingested
- type: date
-- description: Name of the module this data is coming from.
- example: apache
- ignore_above: 1024
- name: event.module
- type: keyword
-- description: Event type. The third categorization field in the hierarchy.
- ignore_above: 1024
- name: event.type
- type: keyword
-- description: Name of the directory the group is a member of.
- ignore_above: 1024
- name: group.domain
- type: keyword
-- description: Unique identifier for the group on the system/platform.
- ignore_above: 1024
- name: group.id
- type: keyword
-- description: Name of the group.
- ignore_above: 1024
- name: group.name
- type: keyword
-- description: Full command line that started the process.
- example: /usr/bin/ssh -l user 10.0.0.16
- ignore_above: 1024
- multi_fields:
- - flat_name: process.command_line.text
- name: text
- norms: false
- type: text
- name: process.command_line
- type: keyword
-- description: Absolute path to the process executable.
- example: /usr/bin/ssh
- ignore_above: 1024
- multi_fields:
- - flat_name: process.executable.text
- name: text
- norms: false
- type: text
- name: process.executable
- type: keyword
-- description: Process name.
- example: ssh
- ignore_above: 1024
- multi_fields:
- - flat_name: process.name.text
- name: text
- norms: false
- type: text
- name: process.name
- type: keyword
-- description: Absolute path to the process executable.
- example: /usr/bin/ssh
- ignore_above: 1024
- multi_fields:
- - flat_name: process.parent.executable.text
- name: text
- norms: false
- type: text
- name: process.parent.executable
- type: keyword
-- description: Process id.
- example: 4242
- name: process.pid
- type: long
-- description: All the user names seen on your event.
- ignore_above: 1024
- name: related.user
- type: keyword
-- description: Name of the service.
- example: elasticsearch-metrics
- ignore_above: 1024
- name: service.name
- type: keyword
-- description: The type of the service.
- example: elasticsearch
- ignore_above: 1024
- name: service.type
- type: keyword
-- description: Source domain.
- ignore_above: 1024
- name: source.domain
- type: keyword
-- description: IP address of the source.
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
-- description: Name of the directory the user is a member of.
- ignore_above: 1024
- name: user.domain
- type: keyword
-- description: Unique identifier of the user.
- ignore_above: 1024
- name: user.id
- type: keyword
-- description: Short name or login of the user.
- example: albert
- ignore_above: 1024
- multi_fields:
- - flat_name: user.name.text
- name: text
- norms: false
- type: text
- name: user.name
- type: keyword
-- description: Identification code for this event.
- example: 4648
- ignore_above: 1024
- name: event.code
- type: keyword
-- description: Log level of the log event.
- name: log.level
- type: keyword
-- description: Host ip addresses.
- name: host.ip
- type: ip
-- description: The outcome of the event. The lowest level categorization field in the hierarchy.
- name: event.outcome
- type: keyword
diff --git a/packages/system/0.10.4/data_stream/security/fields/fields.yml b/packages/system/0.10.4/data_stream/security/fields/fields.yml
deleted file mode 100644
index b8c2eedfc2..0000000000
--- a/packages/system/0.10.4/data_stream/security/fields/fields.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-- name: winlog
- type: group
- fields:
- - name: logon
- type: group
- fields:
- - name: type
- type: keyword
- description: |
- Logon type name. This is the descriptive version of the `winlog.event_data.LogonType` ordinal. This is an enrichment added by the Security module.
- - name: id
- type: keyword
- description: |
- Logon ID that can be used to associate this logon with other events related to the same logon session.
- - name: failure.reason
- type: keyword
- description: |
- The reason the logon failed.
- - name: failure.status
- type: keyword
- description: |
- The reason the logon failed. This is textual description based on the value of the hexadecimal `Status` field.
- - name: failure.sub_status
- type: keyword
- description: |
- Additional information about the logon failure. This is a textual description based on the value of the hexidecimal `SubStatus` field.
diff --git a/packages/system/0.10.4/data_stream/security/fields/winlog.yml b/packages/system/0.10.4/data_stream/security/fields/winlog.yml
deleted file mode 100644
index 1661dec6f1..0000000000
--- a/packages/system/0.10.4/data_stream/security/fields/winlog.yml
+++ /dev/null
@@ -1,365 +0,0 @@ -- name: winlog - type: group - description: > - All fields specific to the Windows Event Log are defined here. - - fields: - - name: api - required: true - type: keyword - description: > - The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. - - The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. - - - name: activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. - - - name: computer_name - type: keyword - required: true - description: > - The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. - - - name: event_data - type: object - object_type: keyword - required: false - description: > - The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. - - - name: event_data - type: group - description: > - This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs. 
- - fields: - - name: AuthenticationPackageName - type: keyword - - name: Binary - type: keyword - - name: BitlockerUserInputTime - type: keyword - - name: BootMode - type: keyword - - name: BootType - type: keyword - - name: BuildVersion - type: keyword - - name: Company - type: keyword - - name: CorruptionActionState - type: keyword - - name: CreationUtcTime - type: keyword - - name: Description - type: keyword - - name: Detail - type: keyword - - name: DeviceName - type: keyword - - name: DeviceNameLength - type: keyword - - name: DeviceTime - type: keyword - - name: DeviceVersionMajor - type: keyword - - name: DeviceVersionMinor - type: keyword - - name: DriveName - type: keyword - - name: DriverName - type: keyword - - name: DriverNameLength - type: keyword - - name: DwordVal - type: keyword - - name: EntryCount - type: keyword - - name: ExtraInfo - type: keyword - - name: FailureName - type: keyword - - name: FailureNameLength - type: keyword - - name: FileVersion - type: keyword - - name: FinalStatus - type: keyword - - name: Group - type: keyword - - name: IdleImplementation - type: keyword - - name: IdleStateCount - type: keyword - - name: ImpersonationLevel - type: keyword - - name: IntegrityLevel - type: keyword - - name: IpAddress - type: keyword - - name: IpPort - type: keyword - - name: KeyLength - type: keyword - - name: LastBootGood - type: keyword - - name: LastShutdownGood - type: keyword - - name: LmPackageName - type: keyword - - name: LogonGuid - type: keyword - - name: LogonId - type: keyword - - name: LogonProcessName - type: keyword - - name: LogonType - type: keyword - - name: MajorVersion - type: keyword - - name: MaximumPerformancePercent - type: keyword - - name: MemberName - type: keyword - - name: MemberSid - type: keyword - - name: MinimumPerformancePercent - type: keyword - - name: MinimumThrottlePercent - type: keyword - - name: MinorVersion - type: keyword - - name: NewProcessId - type: keyword - - name: NewProcessName - type: 
keyword - - name: NewSchemeGuid - type: keyword - - name: NewTime - type: keyword - - name: NominalFrequency - type: keyword - - name: Number - type: keyword - - name: OldSchemeGuid - type: keyword - - name: OldTime - type: keyword - - name: OriginalFileName - type: keyword - - name: Path - type: keyword - - name: PerformanceImplementation - type: keyword - - name: PreviousCreationUtcTime - type: keyword - - name: PreviousTime - type: keyword - - name: PrivilegeList - type: keyword - - name: ProcessId - type: keyword - - name: ProcessName - type: keyword - - name: ProcessPath - type: keyword - - name: ProcessPid - type: keyword - - name: Product - type: keyword - - name: PuaCount - type: keyword - - name: PuaPolicyId - type: keyword - - name: QfeVersion - type: keyword - - name: Reason - type: keyword - - name: SchemaVersion - type: keyword - - name: ScriptBlockText - type: keyword - - name: ServiceName - type: keyword - - name: ServiceVersion - type: keyword - - name: ShutdownActionType - type: keyword - - name: ShutdownEventCode - type: keyword - - name: ShutdownReason - type: keyword - - name: Signature - type: keyword - - name: SignatureStatus - type: keyword - - name: Signed - type: keyword - - name: StartTime - type: keyword - - name: State - type: keyword - - name: Status - type: keyword - - name: StopTime - type: keyword - - name: SubjectDomainName - type: keyword - - name: SubjectLogonId - type: keyword - - name: SubjectUserName - type: keyword - - name: SubjectUserSid - type: keyword - - name: TSId - type: keyword - - name: TargetDomainName - type: keyword - - name: TargetInfo - type: keyword - - name: TargetLogonGuid - type: keyword - - name: TargetLogonId - type: keyword - - name: TargetServerName - type: keyword - - name: TargetUserName - type: keyword - - name: NewTargetUserName - type: keyword - - name: OldTargetUserName - type: keyword - - name: TargetUserSid - type: keyword - - name: TerminalSessionId - type: keyword - - name: TokenElevationType - 
type: keyword - - name: TransmittedServices - type: keyword - - name: UserSid - type: keyword - - name: Version - type: keyword - - name: Workstation - type: keyword - - name: param1 - type: keyword - - name: param2 - type: keyword - - name: param3 - type: keyword - - name: param4 - type: keyword - - name: param5 - type: keyword - - name: param6 - type: keyword - - name: param7 - type: keyword - - name: param8 - type: keyword - - name: event_id - type: keyword - required: true - description: > - The event identifier. The value is specific to the source of the event. - - - name: keywords - type: keyword - required: false - description: > - The keywords are used to classify an event. - - - name: channel - type: keyword - required: true - description: > - The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. - - - name: record_id - type: keyword - required: true - description: > - The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. - - - name: related_activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. - - - name: opcode - type: keyword - required: false - description: > - The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. - - - name: provider_guid - type: keyword - required: false - description: > - A globally unique identifier that identifies the provider that logged the event. 
- - - name: process.pid - type: long - required: false - description: > - The process_id of the Client Server Runtime Process. - - - name: provider_name - type: keyword - required: true - description: > - The source of the event log record (the application or service that logged the record). - - - name: task - type: keyword - required: false - description: > - The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. - - - name: process.thread.id - type: long - required: false - - name: user_data - type: object - object_type: keyword - required: false - description: > - The event specific data. This field is mutually exclusive with `event_data`. - - - name: user.identifier - type: keyword - required: false - example: S-1-5-21-3541430928-2051711210-1391384369-1001 - description: > - The Windows security identifier (SID) of the account associated with this event. - - If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. - - - name: user.name - type: keyword - description: > - Name of the user associated with this event. - - - name: user.domain - type: keyword - required: false - description: > - The domain that the account associated with this event is a member of. - - - name: user.type - type: keyword - required: false - description: > - The type of account associated with this event. - - - name: version - type: long - required: false - description: The version number of the event's definition. diff --git a/packages/system/0.10.4/data_stream/security/manifest.yml b/packages/system/0.10.4/data_stream/security/manifest.yml deleted file mode 100644 index a0f8b8b08e..0000000000 
--- a/packages/system/0.10.4/data_stream/security/manifest.yml
+++ /dev/null
@@ -1,8 +0,0 @@
-type: logs
-title: Windows security logs
-release: experimental
-streams:
- - input: winlog
- template_path: winlog.yml.hbs
- title: Security
- description: 'Collect Windows security logs'
diff --git a/packages/system/0.10.4/data_stream/socket_summary/agent/stream/stream.yml.hbs b/packages/system/0.10.4/data_stream/socket_summary/agent/stream/stream.yml.hbs
deleted file mode 100644
index bbc8e63f4a..0000000000
--- a/packages/system/0.10.4/data_stream/socket_summary/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,2 +0,0 @@
-metricsets: ["socket_summary"]
-period: {{period}}
\ No newline at end of file
diff --git a/packages/system/0.10.4/data_stream/socket_summary/fields/agent.yml b/packages/system/0.10.4/data_stream/socket_summary/fields/agent.yml
deleted file mode 100644
index da4e652c53..0000000000
--- a/packages/system/0.10.4/data_stream/socket_summary/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/system/0.10.4/data_stream/socket_summary/fields/base-fields.yml b/packages/system/0.10.4/data_stream/socket_summary/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.10.4/data_stream/socket_summary/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.10.4/data_stream/socket_summary/fields/ecs.yml b/packages/system/0.10.4/data_stream/socket_summary/fields/ecs.yml
deleted file mode 100644
index 9f3d04118b..0000000000
--- a/packages/system/0.10.4/data_stream/socket_summary/fields/ecs.yml
+++ /dev/null
@@ -1,128 +0,0 @@
-- name: '@timestamp'
- level: core
- required: true
- type: date
- description: |-
- Date/time when the event originated.
- This is the date/time extracted from the event, typically representing when the event was generated by the source.
- If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline.
- Required field for all events.
-- name: message
- level: core
- type: text
- description: |-
- For log events the message field contains the log message, optimized for viewing in a log viewer.
- For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
- If multiple messages exist, they can be combined into one message.
-- name: group
- title: Group
- group: 2
- type: group
- fields:
- - name: id
- level: extended
- type: keyword
- description: Unique identifier for the group on the system/platform.
- ignore_above: 1024
- - name: name
- level: extended
- type: keyword
- description: Name of the group.
- ignore_above: 1024
-- name: host
- title: Host
- group: 2
- type: group
- fields:
- - name: hostname
- level: core
- type: keyword
- description: |-
- Hostname of the host.
- It normally contains what the `hostname` command returns on the host machine.
- ignore_above: 1024
-- name: process
- title: Process
- group: 2
- type: group
- fields:
- - name: name
- level: extended
- type: keyword
- description: |-
- Process name.
- Sometimes called program name or similar.
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- - name: pid
- level: core
- type: long
- format: string
- description: Process id.
-- name: source
- title: Source
- group: 2
- type: group
- fields:
- - name: geo.city_name
- level: core
- type: keyword
- description: City name.
- ignore_above: 1024
- - name: geo.continent_name
- level: core
- type: keyword
- description: Name of the continent.
- ignore_above: 1024
- - name: geo.country_iso_code
- level: core
- type: keyword
- description: Country ISO code.
- ignore_above: 1024
- - name: geo.location
- level: core
- type: geo_point
- description: Longitude and latitude.
- - name: geo.region_iso_code
- level: core
- type: keyword
- description: Region ISO code.
- ignore_above: 1024
- - name: geo.region_name
- level: core
- type: keyword
- description: Region name.
- ignore_above: 1024
- - name: ip
- level: core
- type: ip
- description: IP address of the source (IPv4 or IPv6).
- - name: port
- level: core
- type: long
- format: string
- description: Port of the source.
-- name: user
- title: User
- group: 2
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- description: Unique identifier of the user.
- ignore_above: 1024
- - name: name
- level: core
- type: keyword
- description: Short name or login of the user.
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
diff --git a/packages/system/0.10.4/data_stream/socket_summary/fields/fields.yml b/packages/system/0.10.4/data_stream/socket_summary/fields/fields.yml
deleted file mode 100644
index fca58be0c8..0000000000
--- a/packages/system/0.10.4/data_stream/socket_summary/fields/fields.yml
+++ /dev/null
@@ -1,106 +0,0 @@
-- name: system.socket.summary
- title: Socket summary
- type: group
- fields:
- - name: all
- type: group
- fields:
- - name: count
- type: integer
- metric_type: gauge
- description: |
- All open connections
- - name: listening
- type: integer
- metric_type: gauge
- description: |
- All listening ports
- - name: tcp
- type: group
- fields:
- - name: memory
- type: integer
- format: bytes
- unit: byte
- metric_type: gauge
- description: "Memory used by TCP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/tcp_mem. Only available on Linux. \n"
- - name: all
- type: group
- fields:
- - name: orphan
- type: integer
- metric_type: gauge
- description: |
- A count of all orphaned tcp sockets. Only available on Linux.
- - name: count
- type: integer
- metric_type: gauge
- description: |
- All open TCP connections
- - name: listening
- type: integer
- metric_type: gauge
- description: |
- All TCP listening ports
- - name: established
- type: integer
- metric_type: gauge
- description: |
- Number of established TCP connections
- - name: close_wait
- type: integer
- metric_type: gauge
- description: |
- Number of TCP connections in _close_wait_ state
- - name: time_wait
- type: integer
- metric_type: gauge
- description: |
- Number of TCP connections in _time_wait_ state
- - name: syn_sent
- type: integer
- metric_type: gauge
- description: |
- Number of TCP connections in _syn_sent_ state
- - name: syn_recv
- type: integer
- metric_type: gauge
- description: |
- Number of TCP connections in _syn_recv_ state
- - name: fin_wait1
- type: integer
- metric_type: gauge
- description: |
- Number of TCP connections in _fin_wait1_ state
- - name: fin_wait2
- type: integer
- metric_type: gauge
- description: |
- Number of TCP connections in _fin_wait2_ state
- - name: last_ack
- type: integer
- metric_type: gauge
- description: |
- Number of TCP connections in _last_ack_ state
- - name: 
closing
- type: integer
- metric_type: gauge
- description: |
- Number of TCP connections in _closing_ state
- - name: udp
- type: group
- fields:
- - name: memory
- type: integer
- format: bytes
- unit: byte
- metric_type: gauge
- description: "Memory used by UDP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/udp_mem. Only available on Linux. \n"
- - name: all
- type: group
- fields:
- - name: count
- type: integer
- metric_type: gauge
- description: |
- All open UDP connections
diff --git a/packages/system/0.10.4/data_stream/socket_summary/manifest.yml b/packages/system/0.10.4/data_stream/socket_summary/manifest.yml
deleted file mode 100644
index 119109fe70..0000000000
--- a/packages/system/0.10.4/data_stream/socket_summary/manifest.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-title: System socket_summary metrics
-release: experimental
-type: metrics
-streams:
- - input: system/metrics
- vars:
- - name: period
- type: text
- title: Period
- multi: false
- required: true
- show_user: true
- default: 10s
- title: System socket_summary metrics
- description: Collect System socket_summary metrics
diff --git a/packages/system/0.10.4/data_stream/syslog/agent/stream/log.yml.hbs b/packages/system/0.10.4/data_stream/syslog/agent/stream/log.yml.hbs
deleted file mode 100644
index 58c96859c0..0000000000
--- a/packages/system/0.10.4/data_stream/syslog/agent/stream/log.yml.hbs
+++ /dev/null
@@ -1,14 +0,0 @@
-paths:
-{{#each paths as |path i|}}
- - {{path}}
-{{/each}}
-exclude_files: [".gz$"]
-multiline:
- pattern: "^\\s"
- match: after
-processors:
- - add_locale: ~
- - add_fields:
- target: ''
- fields:
- ecs.version: 1.5.0
\ No newline at end of file
diff --git a/packages/system/0.10.4/data_stream/syslog/elasticsearch/ingest_pipeline/default.json b/packages/system/0.10.4/data_stream/syslog/elasticsearch/ingest_pipeline/default.json
deleted file mode 100644
index 0c614b8a95..0000000000
--- a/packages/system/0.10.4/data_stream/syslog/elasticsearch/ingest_pipeline/default.json
+++ /dev/null
@@ -1,71 +0,0 @@
-{
- "description": "Pipeline for parsing Syslog messages.",
- "processors": [
- {
- "grok": {
- "field": "message",
- "patterns": [
- "%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: %{GREEDYMULTILINE:system.syslog.message}",
- "%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{GREEDYMULTILINE:system.syslog.message}",
- "%{TIMESTAMP_ISO8601:system.syslog.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: %{GREEDYMULTILINE:system.syslog.message}"
- ],
- "pattern_definitions" : {
- "GREEDYMULTILINE" : "(.|\n)*"
- },
- "ignore_missing": true
- }
- },
- {
- "remove": {
- "field": "message"
- }
- },
- {
- "rename": {
- "field": "system.syslog.message",
- "target_field": "message",
- "ignore_missing": true
- }
- },
- {
- "date": {
- "if": "ctx.event.timezone == null",
- "field": "system.syslog.timestamp",
- "target_field": "@timestamp",
- "formats": [
- "MMM d HH:mm:ss",
- "MMM dd HH:mm:ss",
- "MMM d HH:mm:ss",
- "ISO8601"
- ],
- "on_failure": [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]
- }
- },
- {
- "date": {
- "if": "ctx.event.timezone != null",
- "field": "system.syslog.timestamp",
- "target_field": "@timestamp",
- "formats": [
- "MMM d HH:mm:ss",
- "MMM dd HH:mm:ss",
- "MMM d HH:mm:ss",
- "ISO8601"
- ],
- "timezone": "{{ event.timezone }}",
- "on_failure": [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]
- }
- },
- {
- "remove": {
- "field": "system.syslog.timestamp"
- }
- }
- ],
- "on_failure" : [{
- "set" : {
- "field" : "error.message",
- "value" : "{{ _ingest.on_failure_message }}"
- }
- }]
-}
diff --git a/packages/system/0.10.4/data_stream/syslog/elasticsearch/ingest_pipeline/default.yml b/packages/system/0.10.4/data_stream/syslog/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100644
index 0385fc138f..0000000000
--- a/packages/system/0.10.4/data_stream/syslog/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,58 +0,0 @@
----
-description: Pipeline for parsing Syslog messages.
-processors:
-- grok:
- field: message
- patterns:
- - '%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?:
- %{GREEDYMULTILINE:system.syslog.message}'
- - '%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{GREEDYMULTILINE:system.syslog.message}'
- - '%{TIMESTAMP_ISO8601:system.syslog.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?:
- %{GREEDYMULTILINE:system.syslog.message}'
- pattern_definitions:
- GREEDYMULTILINE: |-
- (.|
- )*
- ignore_missing: true
-- remove:
- field: message
-- rename:
- field: system.syslog.message
- target_field: message
- ignore_missing: true
-- date:
- if: ctx.event.timezone == null
- field: system.syslog.timestamp
- target_field: '@timestamp'
- formats:
- - MMM d HH:mm:ss
- - MMM dd HH:mm:ss
- - MMM d HH:mm:ss
- - ISO8601
- on_failure:
- - append:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
-- date:
- if: ctx.event.timezone != null
- field: system.syslog.timestamp
- target_field: '@timestamp'
- formats:
- - MMM d HH:mm:ss
- - MMM dd HH:mm:ss
- - MMM d HH:mm:ss
- - ISO8601
- timezone: '{{ event.timezone }}'
- on_failure:
- - append:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
-- remove:
- field: system.syslog.timestamp
-- set:
- field: event.type
- value: event
-on_failure:
-- set:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
diff --git a/packages/system/0.10.4/data_stream/syslog/fields/agent.yml b/packages/system/0.10.4/data_stream/syslog/fields/agent.yml
deleted file mode 100644
index da4e652c53..0000000000
--- a/packages/system/0.10.4/data_stream/syslog/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.10.4/data_stream/syslog/fields/base-fields.yml b/packages/system/0.10.4/data_stream/syslog/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.10.4/data_stream/syslog/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.10.4/data_stream/syslog/fields/ecs.yml b/packages/system/0.10.4/data_stream/syslog/fields/ecs.yml
deleted file mode 100644
index 6177e5856f..0000000000
--- a/packages/system/0.10.4/data_stream/syslog/fields/ecs.yml
+++ /dev/null
@@ -1,97 +0,0 @@
-- name: '@timestamp'
- level: core
- required: true
- type: date
- description: |-
- Date/time when the event originated.
- This is the date/time extracted from the event, typically representing when the event was generated by the source.
- If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline.
- Required field for all events.
-- name: message
- level: core
- type: text
- description: |-
- For log events the message field contains the log message, optimized for viewing in a log viewer.
- For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
- If multiple messages exist, they can be combined into one message.
-- name: process
- title: Process
- group: 2
- type: group
- fields:
- - name: name
- level: extended
- type: keyword
- description: |-
- Process name.
- Sometimes called program name or similar.
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- - name: pid
- level: core
- type: long
- format: string
- description: Process id.
-- description: "Operating system architecture."
- ignore_above: 1024
- name: host.architecture
- type: keyword
-- description: "Name of the directory the group is a member of."
- ignore_above: 1024
- name: host.domain
- type: keyword
-- description: "Hostname of the host."
- ignore_above: 1024
- name: host.hostname
- type: keyword
-- description: "Unique host id."
- ignore_above: 1024
- name: host.id
- type: keyword
-- description: "Host ip addresses."
- name: host.ip
- type: ip
-- description: "Host mac addresses."
- ignore_above: 1024
- name: host.mac
- type: keyword
-- description: "Name of the host."
- ignore_above: 1024
- name: host.name
- type: keyword
-- description: "OS family (such as redhat, debian, freebsd, windows)."
- ignore_above: 1024
- name: host.os.family
- type: keyword
-- description: "Operating system name, including the version or code name."
- ignore_above: 1024
- multi_fields:
- - name: text
- norms: false
- type: text
- name: host.os.full
- type: keyword
-- description: "Operating system kernel version as a raw string."
- ignore_above: 1024
- name: host.os.kernel
- type: keyword
-- description: "Operating system name, without the version."
- ignore_above: 1024
- multi_fields:
- - name: text
- norms: false
- type: text
- name: host.os.name
- type: keyword
-- description: "Operating system platform (such centos, ubuntu, windows)."
- ignore_above: 1024
- name: host.os.platform
- type: keyword
-- description: "Operating system version as a raw string."
- ignore_above: 1024
- name: version
- type: keyword
diff --git a/packages/system/0.10.4/data_stream/syslog/fields/fields.yml b/packages/system/0.10.4/data_stream/syslog/fields/fields.yml
deleted file mode 100644
index f933686930..0000000000
--- a/packages/system/0.10.4/data_stream/syslog/fields/fields.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-- name: system.syslog
- type: group
diff --git a/packages/system/0.10.4/data_stream/syslog/manifest.yml b/packages/system/0.10.4/data_stream/syslog/manifest.yml
deleted file mode 100644
index 1aa1fe9412..0000000000
--- a/packages/system/0.10.4/data_stream/syslog/manifest.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-title: System syslog logs
-release: experimental
-type: logs
-streams:
- - input: logfile
- vars:
- - name: paths
- type: text
- title: Paths
- multi: true
- required: true
- show_user: true
- default:
- - /var/log/messages*
- - /var/log/syslog*
- template_path: log.yml.hbs
- title: System syslog logs (log)
- description: Collect System syslog logs using log input
diff --git a/packages/system/0.10.4/data_stream/system/agent/stream/winlog.yml.hbs b/packages/system/0.10.4/data_stream/system/agent/stream/winlog.yml.hbs
deleted file mode 100644
index 47df93c51d..0000000000
--- a/packages/system/0.10.4/data_stream/system/agent/stream/winlog.yml.hbs
+++ /dev/null
@@ -1,2 +0,0 @@
-name: System
-condition: ${host.platform} == 'windows'
\ No newline at end of file
diff --git a/packages/system/0.10.4/data_stream/system/elasticsearch/ingest_pipeline/default.yml b/packages/system/0.10.4/data_stream/system/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100644
index 9f7e885a2f..0000000000
--- a/packages/system/0.10.4/data_stream/system/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-description: Pipeline for Windows System Event Logs
-processors:
- - set:
- field: event.ingested
- value: '{{_ingest.timestamp}}'
-on_failure:
- - set:
- field: "error.message"
- value: "{{ _ingest.on_failure_message }}"
\ No newline at end of file
diff --git a/packages/system/0.10.4/data_stream/system/fields/agent.yml b/packages/system/0.10.4/data_stream/system/fields/agent.yml
deleted file mode 100644
index da4e652c53..0000000000
--- a/packages/system/0.10.4/data_stream/system/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.10.4/data_stream/system/fields/base-fields.yml b/packages/system/0.10.4/data_stream/system/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.10.4/data_stream/system/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.10.4/data_stream/system/fields/ecs.yml b/packages/system/0.10.4/data_stream/system/fields/ecs.yml
deleted file mode 100644
index e1817f5ca6..0000000000
--- a/packages/system/0.10.4/data_stream/system/fields/ecs.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-- description: Time when the event was first read by an agent or by your pipeline.
- example: '2016-05-23T08:05:34.857Z'
- name: event.created
- type: date
-- description: Timestamp when an event arrived in the central data store.
- example: '2016-05-23T08:05:35.101Z'
- name: event.ingested
- type: date
-- description: Raw text message of entire event.
- example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232
- ignore_above: 1024
- name: event.original
- type: keyword
-- description: Error message.
- name: error.message
- type: text
diff --git a/packages/system/0.10.4/data_stream/system/fields/winlog.yml b/packages/system/0.10.4/data_stream/system/fields/winlog.yml
deleted file mode 100644
index adca1bbdd0..0000000000
--- a/packages/system/0.10.4/data_stream/system/fields/winlog.yml
+++ /dev/null
@@ -1,357 +0,0 @@ -- name: winlog - type: group - description: > - All fields specific to the Windows Event Log are defined here. - - fields: - - name: api - required: true - type: keyword - description: > - The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. - - - name: activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. - - - name: computer_name - type: keyword - required: true - description: > - The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. - - - name: event_data - type: object - object_type: keyword - required: false - description: > - The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. - - - name: event_data - type: group - description: > - This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs. 
- - fields: - - name: AuthenticationPackageName - type: keyword - - name: Binary - type: keyword - - name: BitlockerUserInputTime - type: keyword - - name: BootMode - type: keyword - - name: BootType - type: keyword - - name: BuildVersion - type: keyword - - name: Company - type: keyword - - name: CorruptionActionState - type: keyword - - name: CreationUtcTime - type: keyword - - name: Description - type: keyword - - name: Detail - type: keyword - - name: DeviceName - type: keyword - - name: DeviceNameLength - type: keyword - - name: DeviceTime - type: keyword - - name: DeviceVersionMajor - type: keyword - - name: DeviceVersionMinor - type: keyword - - name: DriveName - type: keyword - - name: DriverName - type: keyword - - name: DriverNameLength - type: keyword - - name: DwordVal - type: keyword - - name: EntryCount - type: keyword - - name: ExtraInfo - type: keyword - - name: FailureName - type: keyword - - name: FailureNameLength - type: keyword - - name: FileVersion - type: keyword - - name: FinalStatus - type: keyword - - name: Group - type: keyword - - name: IdleImplementation - type: keyword - - name: IdleStateCount - type: keyword - - name: ImpersonationLevel - type: keyword - - name: IntegrityLevel - type: keyword - - name: IpAddress - type: keyword - - name: IpPort - type: keyword - - name: KeyLength - type: keyword - - name: LastBootGood - type: keyword - - name: LastShutdownGood - type: keyword - - name: LmPackageName - type: keyword - - name: LogonGuid - type: keyword - - name: LogonId - type: keyword - - name: LogonProcessName - type: keyword - - name: LogonType - type: keyword - - name: MajorVersion - type: keyword - - name: MaximumPerformancePercent - type: keyword - - name: MemberName - type: keyword - - name: MemberSid - type: keyword - - name: MinimumPerformancePercent - type: keyword - - name: MinimumThrottlePercent - type: keyword - - name: MinorVersion - type: keyword - - name: NewProcessId - type: keyword - - name: NewProcessName - type: 
keyword - - name: NewSchemeGuid - type: keyword - - name: NewTime - type: keyword - - name: NominalFrequency - type: keyword - - name: Number - type: keyword - - name: OldSchemeGuid - type: keyword - - name: OldTime - type: keyword - - name: OriginalFileName - type: keyword - - name: Path - type: keyword - - name: PerformanceImplementation - type: keyword - - name: PreviousCreationUtcTime - type: keyword - - name: PreviousTime - type: keyword - - name: PrivilegeList - type: keyword - - name: ProcessId - type: keyword - - name: ProcessName - type: keyword - - name: ProcessPath - type: keyword - - name: ProcessPid - type: keyword - - name: Product - type: keyword - - name: PuaCount - type: keyword - - name: PuaPolicyId - type: keyword - - name: QfeVersion - type: keyword - - name: Reason - type: keyword - - name: SchemaVersion - type: keyword - - name: ScriptBlockText - type: keyword - - name: ServiceName - type: keyword - - name: ServiceVersion - type: keyword - - name: ShutdownActionType - type: keyword - - name: ShutdownEventCode - type: keyword - - name: ShutdownReason - type: keyword - - name: Signature - type: keyword - - name: SignatureStatus - type: keyword - - name: Signed - type: keyword - - name: StartTime - type: keyword - - name: State - type: keyword - - name: Status - type: keyword - - name: StopTime - type: keyword - - name: SubjectDomainName - type: keyword - - name: SubjectLogonId - type: keyword - - name: SubjectUserName - type: keyword - - name: SubjectUserSid - type: keyword - - name: TSId - type: keyword - - name: TargetDomainName - type: keyword - - name: TargetInfo - type: keyword - - name: TargetLogonGuid - type: keyword - - name: TargetLogonId - type: keyword - - name: TargetServerName - type: keyword - - name: TargetUserName - type: keyword - - name: TargetUserSid - type: keyword - - name: TerminalSessionId - type: keyword - - name: TokenElevationType - type: keyword - - name: TransmittedServices - type: keyword - - name: UserSid - type: 
keyword - - name: Version - type: keyword - - name: Workstation - type: keyword - - name: param1 - type: keyword - - name: param2 - type: keyword - - name: param3 - type: keyword - - name: param4 - type: keyword - - name: param5 - type: keyword - - name: param6 - type: keyword - - name: param7 - type: keyword - - name: param8 - type: keyword - - name: event_id - type: keyword - required: true - description: > - The event identifier. The value is specific to the source of the event. - - - name: keywords - type: keyword - required: false - description: > - The keywords are used to classify an event. - - - name: channel - type: keyword - required: true - description: > - The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. - - - name: record_id - type: keyword - required: true - description: > - The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. - - - name: related_activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. - - - name: opcode - type: keyword - required: false - description: > - The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. - - - name: provider_guid - type: keyword - required: false - description: > - A globally unique identifier that identifies the provider that logged the event. - - - name: process.pid - type: long - required: false - description: > - The process_id of the Client Server Runtime Process. 
- - - name: provider_name - type: keyword - required: true - description: > - The source of the event log record (the application or service that logged the record). - - - name: task - type: keyword - required: false - description: > - The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. - - - name: process.thread.id - type: long - required: false - - name: user_data - type: object - object_type: keyword - required: false - description: > - The event specific data. This field is mutually exclusive with `event_data`. - - - name: user.identifier - type: keyword - required: false - example: S-1-5-21-3541430928-2051711210-1391384369-1001 - description: > - The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. - - - name: user.name - type: keyword - description: > - Name of the user associated with this event. - - - name: user.domain - type: keyword - required: false - description: > - The domain that the account associated with this event is a member of. - - - name: user.type - type: keyword - required: false - description: > - The type of account associated with this event. - - - name: version - type: long - required: false - description: The version number of the event's definition. diff --git a/packages/system/0.10.4/data_stream/system/manifest.yml b/packages/system/0.10.4/data_stream/system/manifest.yml deleted file mode 100644 index e9bec4fd1e..0000000000 --- a/packages/system/0.10.4/data_stream/system/manifest.yml +++ /dev/null 
@@ -1,8 +0,0 @@
-type: logs
-title: Windows System Events
-release: experimental
-streams:
- - input: winlog
- template_path: winlog.yml.hbs
- title: System
- description: 'Collect Windows system logs'
diff --git a/packages/system/0.10.4/data_stream/uptime/agent/stream/stream.yml.hbs b/packages/system/0.10.4/data_stream/uptime/agent/stream/stream.yml.hbs
deleted file mode 100644
index 810f6a1f3e..0000000000
--- a/packages/system/0.10.4/data_stream/uptime/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,2 +0,0 @@
-metricsets: ["uptime"]
-period: {{period}}
\ No newline at end of file
diff --git a/packages/system/0.10.4/data_stream/uptime/fields/agent.yml b/packages/system/0.10.4/data_stream/uptime/fields/agent.yml
deleted file mode 100644
index da4e652c53..0000000000
--- a/packages/system/0.10.4/data_stream/uptime/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/system/0.10.4/data_stream/uptime/fields/base-fields.yml b/packages/system/0.10.4/data_stream/uptime/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.10.4/data_stream/uptime/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.10.4/data_stream/uptime/fields/fields.yml b/packages/system/0.10.4/data_stream/uptime/fields/fields.yml
deleted file mode 100644
index 7c61a13721..0000000000
--- a/packages/system/0.10.4/data_stream/uptime/fields/fields.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-- name: system.uptime
- type: group
- fields:
- - name: duration.ms
- type: long
- format: duration
- unit: ms
- metric_type: counter
- description: |
- The OS uptime in milliseconds.
diff --git a/packages/system/0.10.4/data_stream/uptime/manifest.yml b/packages/system/0.10.4/data_stream/uptime/manifest.yml
deleted file mode 100644
index d1fc1f1579..0000000000
--- a/packages/system/0.10.4/data_stream/uptime/manifest.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-title: System uptime metrics
-release: experimental
-type: metrics
-streams:
- - input: system/metrics
- vars:
- - name: period
- type: text
- title: Period
- multi: false
- required: true
- show_user: true
- default: 10s
- title: System uptime metrics
- description: Collect System uptime metrics
diff --git a/packages/system/0.10.4/docs/README.md b/packages/system/0.10.4/docs/README.md
deleted file mode 100644
index 088e7c9ce7..0000000000
--- a/packages/system/0.10.4/docs/README.md
+++ /dev/null
@@ -1,1500 +0,0 @@ -# System Integration - -The System integrations allows you to monitor your servers. Because the System integration -always applies to the local server, the `hosts` config option is not needed. - -The default datasets are `cpu`, `load`, `memory`, `network`, `process`, and -`process_summary`. If _all_ datasets are disabled -and the System module is still enabled, fleet uses the default datasets. - -Note that certain datasets may access `/proc` to gather process information, -and the resulting `ptrace_may_access()` call by the kernel to check for -permissions can be blocked by -[AppArmor and other LSM software](https://gitlab.com/apparmor/apparmor/wikis/TechnicalDoc_Proc_and_ptrace), even though the System module doesn't use `ptrace` directly. - -## Compatibility - -The System datasets collect different kinds of metric data, which may require dedicated permissions -to be fetched and which may vary across operating systems. - -## Metrics - -### Core - -The System `core` dataset provides usage statistics for each CPU core. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- OpenBSD -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. 
Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip address. | ip | -| host.mac | Host mac address. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. 
| keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. | keyword | -| system.core.id | CPU Core number. | keyword | -| system.core.idle.pct | The percentage of CPU time spent idle. | scaled_float | -| system.core.idle.ticks | The amount of CPU time spent idle. | long | -| system.core.iowait.pct | The percentage of CPU time spent in wait (on disk). | scaled_float | -| system.core.iowait.ticks | The amount of CPU time spent in wait (on disk). | long | -| system.core.irq.pct | The percentage of CPU time spent servicing and handling hardware interrupts. | scaled_float | -| system.core.irq.ticks | The amount of CPU time spent servicing and handling hardware interrupts. | long | -| system.core.nice.pct | The percentage of CPU time spent on low-priority processes. | scaled_float | -| system.core.nice.ticks | The amount of CPU time spent on low-priority processes. | long | -| system.core.softirq.pct | The percentage of CPU time spent servicing and handling software interrupts. | scaled_float | -| system.core.softirq.ticks | The amount of CPU time spent servicing and handling software interrupts. | long | -| system.core.steal.pct | The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | scaled_float | -| system.core.steal.ticks | The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | long | -| system.core.system.pct | The percentage of CPU time spent in kernel space. | scaled_float | -| system.core.system.ticks | The amount of CPU time spent in kernel space. | long | -| system.core.user.pct | The percentage of CPU time spent in user space. | scaled_float | -| system.core.user.ticks | The amount of CPU time spent in user space. 
| long | - - -### CPU - -The System `cpu` dataset provides CPU statistics. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- OpenBSD -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.cpu.pct | Percent CPU used. This value is normalized by the number of CPU cores and it ranges from 0 to 1. | scaled_float | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. 
For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| system.cpu.cores | The number of CPU cores present on the host. The non-normalized percentages will have a maximum value of `100% * cores`. The normalized percentages already take this value into account and have a maximum value of 100%. | long | -| system.cpu.idle.norm.pct | The percentage of CPU time spent idle. | scaled_float | -| system.cpu.idle.pct | The percentage of CPU time spent idle. | scaled_float | -| system.cpu.idle.ticks | The amount of CPU time spent idle. 
| long | -| system.cpu.iowait.norm.pct | The percentage of CPU time spent in wait (on disk). | scaled_float | -| system.cpu.iowait.pct | The percentage of CPU time spent in wait (on disk). | scaled_float | -| system.cpu.iowait.ticks | The amount of CPU time spent in wait (on disk). | long | -| system.cpu.irq.norm.pct | The percentage of CPU time spent servicing and handling hardware interrupts. | scaled_float | -| system.cpu.irq.pct | The percentage of CPU time spent servicing and handling hardware interrupts. | scaled_float | -| system.cpu.irq.ticks | The amount of CPU time spent servicing and handling hardware interrupts. | long | -| system.cpu.nice.norm.pct | The percentage of CPU time spent on low-priority processes. | scaled_float | -| system.cpu.nice.pct | The percentage of CPU time spent on low-priority processes. | scaled_float | -| system.cpu.nice.ticks | The amount of CPU time spent on low-priority processes. | long | -| system.cpu.softirq.norm.pct | The percentage of CPU time spent servicing and handling software interrupts. | scaled_float | -| system.cpu.softirq.pct | The percentage of CPU time spent servicing and handling software interrupts. | scaled_float | -| system.cpu.softirq.ticks | The amount of CPU time spent servicing and handling software interrupts. | long | -| system.cpu.steal.norm.pct | The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | scaled_float | -| system.cpu.steal.pct | The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | scaled_float | -| system.cpu.steal.ticks | The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | long | -| system.cpu.system.norm.pct | The percentage of CPU time spent in kernel space. 
| scaled_float | -| system.cpu.system.pct | The percentage of CPU time spent in kernel space. | scaled_float | -| system.cpu.system.ticks | The amount of CPU time spent in kernel space. | long | -| system.cpu.total.norm.pct | The percentage of CPU time in states other than Idle and IOWait, normalised by the number of cores. | scaled_float | -| system.cpu.total.pct | The percentage of CPU time spent in states other than Idle and IOWait. | scaled_float | -| system.cpu.user.norm.pct | The percentage of CPU time spent in user space. | scaled_float | -| system.cpu.user.pct | The percentage of CPU time spent in user space. On multi-core systems, you can have percentages that are greater than 100%. For example, if 3 cores are at 60% use, then the `system.cpu.user.pct` will be 180%. | scaled_float | -| system.cpu.user.ticks | The amount of CPU time spent in user space. | long | - - -### Disk IO - -The System `diskio` dataset provides disk IO metrics collected from the -operating system. One event is created for each disk mounted on the system. - -This dataset is available on: - -- Linux -- macOS (requires 10.10+) -- Windows -- FreeBSD (amd64) - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. 
Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.disk.read.bytes | The total number of bytes read successfully in a given period of time. | scaled_float | -| host.disk.write.bytes | The total number of bytes write successfully in a given period of time. | scaled_float | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). 
| keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. | keyword | -| system.diskio.io.time | The total number of of milliseconds spent doing I/Os. | long | -| system.diskio.iostat.await | The average time spent for requests issued to the device to be served. | float | -| system.diskio.iostat.busy | Percentage of CPU time during which I/O requests were issued to the device (bandwidth utilization for the device). Device saturation occurs when this value is close to 100%. | float | -| system.diskio.iostat.queue.avg_size | The average queue length of the requests that were issued to the device. | float | -| system.diskio.iostat.read.await | The average time spent for read requests issued to the device to be served. | float | -| system.diskio.iostat.read.per_sec.bytes | The number of Bytes read from the device per second. | float | -| system.diskio.iostat.read.request.merges_per_sec | The number of read requests merged per second that were queued to the device. | float | -| system.diskio.iostat.read.request.per_sec | The number of read requests that were issued to the device per second | float | -| system.diskio.iostat.request.avg_size | The average size (in bytes) of the requests that were issued to the device. | float | -| system.diskio.iostat.service_time | The average service time (in milliseconds) for I/O requests that were issued to the device. | float | -| system.diskio.iostat.write.await | The average time spent for write requests issued to the device to be served. 
| float | -| system.diskio.iostat.write.per_sec.bytes | The number of Bytes write from the device per second. | float | -| system.diskio.iostat.write.request.merges_per_sec | The number of write requests merged per second that were queued to the device. | float | -| system.diskio.iostat.write.request.per_sec | The number of write requests that were issued to the device per second | float | -| system.diskio.name | The disk name. | keyword | -| system.diskio.read.bytes | The total number of bytes read successfully. On Linux this is the number of sectors read multiplied by an assumed sector size of 512. | long | -| system.diskio.read.count | The total number of reads completed successfully. | long | -| system.diskio.read.time | The total number of milliseconds spent by all reads. | long | -| system.diskio.serial_number | The disk's serial number. This may not be provided by all operating systems. | keyword | -| system.diskio.write.bytes | The total number of bytes written successfully. On Linux this is the number of sectors written multiplied by an assumed sector size of 512. | long | -| system.diskio.write.count | The total number of writes completed successfully. | long | -| system.diskio.write.time | The total number of milliseconds spent by all writes. | long | - - -### Filesystem - -The System `filesystem` dataset provides file system statistics. For each file -system, one document is provided. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- OpenBSD -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. 
| keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. 
| keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| system.filesystem.available | The disk space available to an unprivileged user in bytes. | long | -| system.filesystem.device_name | The disk name. For example: `/dev/disk1` | keyword | -| system.filesystem.files | The total number of file nodes in the file system. | long | -| system.filesystem.free | The disk space available in bytes. | long | -| system.filesystem.free_files | The number of free file nodes in the file system. | long | -| system.filesystem.mount_point | The mounting point. For example: `/` | keyword | -| system.filesystem.total | The total disk space in bytes. | long | -| system.filesystem.type | The disk type. For example: `ext4` | keyword | -| system.filesystem.used.bytes | The used disk space in bytes. | long | -| system.filesystem.used.pct | The percentage of used disk space. | scaled_float | - - -### Fsstat - -The System `fsstat` dataset provides overall file system statistics. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- OpenBSD -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. 
The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. | keyword | -| system.fsstat.count | Number of file systems found. | long | -| system.fsstat.total_files | Total number of files. | long | -| system.fsstat.total_size.free | Total free space. | long | -| system.fsstat.total_size.total | Total space (used plus free). | long | -| system.fsstat.total_size.used | Total used space. | long | - - -### Load - -The System `load` dataset provides load statistics. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- OpenBSD - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. 
Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac address. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. 
| keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. | keyword | -| system.load.1 | Load average for the last minute. | scaled_float | -| system.load.15 | Load average for the last 15 minutes. | scaled_float | -| system.load.5 | Load average for the last 5 minutes. | scaled_float | -| system.load.cores | The number of CPU cores present on the host. | long | -| system.load.norm.1 | Load for the last minute divided by the number of cores. | scaled_float | -| system.load.norm.15 | Load for the last 15 minutes divided by the number of cores. | scaled_float | -| system.load.norm.5 | Load for the last 5 minutes divided by the number of cores. | scaled_float | - - -### Memory - -The System `memory` dataset provides memory statistics. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- OpenBSD -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. 
| keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip address. | ip | -| host.mac | Host mac address. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. 
For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| system.memory.actual.free | Actual free memory in bytes. It is calculated based on the OS. On Linux this value will be MemAvailable from /proc/meminfo, or calculated from free memory plus caches and buffers if /proc/meminfo is not available. On OSX it is a sum of free memory and the inactive memory. On Windows, it is equal to `system.memory.free`. | long | -| system.memory.actual.used.bytes | Actual used memory in bytes. It represents the difference between the total and the available memory. The available memory depends on the OS. For more details, please check `system.actual.free`. | long | -| system.memory.actual.used.pct | The percentage of actual used memory. | scaled_float | -| system.memory.free | The total amount of free memory in bytes. This value does not include memory consumed by system caches and buffers (see system.memory.actual.free). | long | -| system.memory.hugepages.default_size | Default size for huge pages. | long | -| system.memory.hugepages.free | Number of available huge pages in the pool. | long | -| system.memory.hugepages.reserved | Number of reserved but not allocated huge pages in the pool. | long | -| system.memory.hugepages.surplus | Number of overcommited huge pages. | long | -| system.memory.hugepages.swap.out.fallback | Count of huge pages that must be split before swapout | long | -| system.memory.hugepages.swap.out.pages | pages swapped out | long | -| system.memory.hugepages.total | Number of huge pages in the pool. | long | -| system.memory.hugepages.used.bytes | Memory used in allocated huge pages. | long | -| system.memory.hugepages.used.pct | Percentage of huge pages used. | long | -| system.memory.page_stats.direct_efficiency.pct | direct reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory. 
| scaled_float | -| system.memory.page_stats.kswapd_efficiency.pct | kswapd reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory. | scaled_float | -| system.memory.page_stats.pgfree.pages | pages freed by the system | long | -| system.memory.page_stats.pgscan_direct.pages | pages scanned directly | long | -| system.memory.page_stats.pgscan_kswapd.pages | pages scanned by kswapd | long | -| system.memory.page_stats.pgsteal_direct.pages | number of pages reclaimed directly | long | -| system.memory.page_stats.pgsteal_kswapd.pages | number of pages reclaimed by kswapd | long | -| system.memory.swap.free | Available swap memory. | long | -| system.memory.swap.in.pages | count of pages swapped in | long | -| system.memory.swap.out.pages | count of pages swapped out | long | -| system.memory.swap.readahead.cached | swap readahead cache hits | long | -| system.memory.swap.readahead.pages | swap readahead pages | long | -| system.memory.swap.total | Total swap memory. | long | -| system.memory.swap.used.bytes | Used swap memory. | long | -| system.memory.swap.used.pct | The percentage of used swap memory. | scaled_float | -| system.memory.total | Total memory. | long | -| system.memory.used.bytes | Used memory. | long | -| system.memory.used.pct | The percentage of used memory. | scaled_float | - - -### Network - -The System `network` dataset provides network IO metrics collected from the -operating system. One event is created for each network interface. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. 
Required field for all events. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. 
As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.network.in.bytes | The number of bytes received on all network interfaces by the host in a given period of time. | scaled_float | -| host.network.in.packets | The number of packets received on all network interfaces by the host in a given period of time. | scaled_float | -| host.network.out.bytes | The number of bytes sent out on all network interfaces by the host in a given period of time. | scaled_float | -| host.network.out.packets | The number of packets sent out on all network interfaces by the host in a given period of time. | scaled_float | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. 
If multiple messages exist, they can be combined into one message. | text | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.pid | Process id. | long | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| system.network.in.bytes | The number of bytes received. | long | -| system.network.in.dropped | The number of incoming packets that were dropped. | long | -| system.network.in.errors | The number of errors while receiving. | long | -| system.network.in.packets | The number or packets received. | long | -| system.network.name | The network interface name. | keyword | -| system.network.out.bytes | The number of bytes sent. | long | -| system.network.out.dropped | The number of outgoing packets that were dropped. This value is always 0 on Darwin and BSD because it is not reported by the operating system. | long | -| system.network.out.errors | The number of errors while sending. | long | -| system.network.out.packets | The number of packets sent. | long | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | - - -### Process - -The System `process` dataset provides process statistics. One document is -provided for each process. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. 
Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. | keyword | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.pgid | Identifier of the group of processes the process belongs to. | long | -| process.pid | Process id. | long | -| process.ppid | Parent process' pid. | long | -| process.working_directory | The working directory of the process. | keyword | -| system.process.cgroup.blkio.id | ID of the cgroup. | keyword | -| system.process.cgroup.blkio.path | Path to the cgroup relative to the cgroup subsystems mountpoint. | keyword | -| system.process.cgroup.blkio.total.bytes | Total number of bytes transferred to and from all block devices by processes in the cgroup. | long | -| system.process.cgroup.blkio.total.ios | Total number of I/O operations performed on all devices by processes in the cgroup as seen by the throttling policy. | long | -| system.process.cgroup.cpu.cfs.period.us | Period of time in microseconds for how regularly a cgroup's access to CPU resources should be reallocated. | long | -| system.process.cgroup.cpu.cfs.quota.us | Total amount of time in microseconds for which all tasks in a cgroup can run during one period (as defined by cfs.period.us). 
| long | -| system.process.cgroup.cpu.cfs.shares | An integer value that specifies a relative share of CPU time available to the tasks in a cgroup. The value specified in the cpu.shares file must be 2 or higher. | long | -| system.process.cgroup.cpu.id | ID of the cgroup. | keyword | -| system.process.cgroup.cpu.path | Path to the cgroup relative to the cgroup subsystem's mountpoint. | keyword | -| system.process.cgroup.cpu.rt.period.us | Period of time in microseconds for how regularly a cgroup's access to CPU resources is reallocated. | long | -| system.process.cgroup.cpu.rt.runtime.us | Period of time in microseconds for the longest continuous period in which the tasks in a cgroup have access to CPU resources. | long | -| system.process.cgroup.cpu.stats.periods | Number of period intervals (as specified in cpu.cfs.period.us) that have elapsed. | long | -| system.process.cgroup.cpu.stats.throttled.ns | The total time duration (in nanoseconds) for which tasks in a cgroup have been throttled. | long | -| system.process.cgroup.cpu.stats.throttled.periods | Number of times tasks in a cgroup have been throttled (that is, not allowed to run because they have exhausted all of the available time as specified by their quota). | long | -| system.process.cgroup.cpuacct.id | ID of the cgroup. | keyword | -| system.process.cgroup.cpuacct.path | Path to the cgroup relative to the cgroup subsystem's mountpoint. | keyword | -| system.process.cgroup.cpuacct.percpu | CPU time (in nanoseconds) consumed on each CPU by all tasks in this cgroup. | object | -| system.process.cgroup.cpuacct.stats.system.ns | CPU time consumed by tasks in user (kernel) mode. | long | -| system.process.cgroup.cpuacct.stats.user.ns | CPU time consumed by tasks in user mode. | long | -| system.process.cgroup.cpuacct.total.ns | Total CPU time in nanoseconds consumed by all tasks in the cgroup. | long | -| system.process.cgroup.id | The ID common to all cgroups associated with this task. 
If there isn't a common ID used by all cgroups this field will be absent. | keyword | -| system.process.cgroup.memory.id | ID of the cgroup. | keyword | -| system.process.cgroup.memory.kmem.failures | The number of times that the memory limit (kmem.limit.bytes) was reached. | long | -| system.process.cgroup.memory.kmem.limit.bytes | The maximum amount of kernel memory that tasks in the cgroup are allowed to use. | long | -| system.process.cgroup.memory.kmem.usage.bytes | Total kernel memory usage by processes in the cgroup (in bytes). | long | -| system.process.cgroup.memory.kmem.usage.max.bytes | The maximum kernel memory used by processes in the cgroup (in bytes). | long | -| system.process.cgroup.memory.kmem_tcp.failures | The number of times that the memory limit (kmem_tcp.limit.bytes) was reached. | long | -| system.process.cgroup.memory.kmem_tcp.limit.bytes | The maximum amount of memory for TCP buffers that tasks in the cgroup are allowed to use. | long | -| system.process.cgroup.memory.kmem_tcp.usage.bytes | Total memory usage for TCP buffers in bytes. | long | -| system.process.cgroup.memory.kmem_tcp.usage.max.bytes | The maximum memory used for TCP buffers by processes in the cgroup (in bytes). | long | -| system.process.cgroup.memory.mem.failures | The number of times that the memory limit (mem.limit.bytes) was reached. | long | -| system.process.cgroup.memory.mem.limit.bytes | The maximum amount of user memory in bytes (including file cache) that tasks in the cgroup are allowed to use. | long | -| system.process.cgroup.memory.mem.usage.bytes | Total memory usage by processes in the cgroup (in bytes). | long | -| system.process.cgroup.memory.mem.usage.max.bytes | The maximum memory used by processes in the cgroup (in bytes). | long | -| system.process.cgroup.memory.memsw.failures | The number of times that the memory plus swap space limit (memsw.limit.bytes) was reached. 
| long | -| system.process.cgroup.memory.memsw.limit.bytes | The maximum amount for the sum of memory and swap usage that tasks in the cgroup are allowed to use. | long | -| system.process.cgroup.memory.memsw.usage.bytes | The sum of current memory usage plus swap space used by processes in the cgroup (in bytes). | long | -| system.process.cgroup.memory.memsw.usage.max.bytes | The maximum amount of memory and swap space used by processes in the cgroup (in bytes). | long | -| system.process.cgroup.memory.path | Path to the cgroup relative to the cgroup subsystem's mountpoint. | keyword | -| system.process.cgroup.memory.stats.active_anon.bytes | Anonymous and swap cache on active least-recently-used (LRU) list, including tmpfs (shmem), in bytes. | long | -| system.process.cgroup.memory.stats.active_file.bytes | File-backed memory on active LRU list, in bytes. | long | -| system.process.cgroup.memory.stats.cache.bytes | Page cache, including tmpfs (shmem), in bytes. | long | -| system.process.cgroup.memory.stats.hierarchical_memory_limit.bytes | Memory limit for the hierarchy that contains the memory cgroup, in bytes. | long | -| system.process.cgroup.memory.stats.hierarchical_memsw_limit.bytes | Memory plus swap limit for the hierarchy that contains the memory cgroup, in bytes. | long | -| system.process.cgroup.memory.stats.inactive_anon.bytes | Anonymous and swap cache on inactive LRU list, including tmpfs (shmem), in bytes | long | -| system.process.cgroup.memory.stats.inactive_file.bytes | File-backed memory on inactive LRU list, in bytes. | long | -| system.process.cgroup.memory.stats.major_page_faults | Number of times that a process in the cgroup triggered a major fault. "Major" faults happen when the kernel actually has to read the data from disk. | long | -| system.process.cgroup.memory.stats.mapped_file.bytes | Size of memory-mapped mapped files, including tmpfs (shmem), in bytes. 
| long | -| system.process.cgroup.memory.stats.page_faults | Number of times that a process in the cgroup triggered a page fault. | long | -| system.process.cgroup.memory.stats.pages_in | Number of pages paged into memory. This is a counter. | long | -| system.process.cgroup.memory.stats.pages_out | Number of pages paged out of memory. This is a counter. | long | -| system.process.cgroup.memory.stats.rss.bytes | Anonymous and swap cache (includes transparent hugepages), not including tmpfs (shmem), in bytes. | long | -| system.process.cgroup.memory.stats.rss_huge.bytes | Number of bytes of anonymous transparent hugepages. | long | -| system.process.cgroup.memory.stats.swap.bytes | Swap usage, in bytes. | long | -| system.process.cgroup.memory.stats.unevictable.bytes | Memory that cannot be reclaimed, in bytes. | long | -| system.process.cgroup.path | The path to the cgroup relative to the cgroup subsystem's mountpoint. If there isn't a common path used by all cgroups this field will be absent. | keyword | -| system.process.cmdline | The full command-line used to start the process, including the arguments separated by space. | keyword | -| system.process.cpu.start_time | The time when the process was started. | date | -| system.process.cpu.system.ticks | The amount of CPU time the process spent in kernel space. | long | -| system.process.cpu.total.norm.pct | The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 100%. | scaled_float | -| system.process.cpu.total.pct | The percentage of CPU time spent by the process since the last update. Its value is similar to the %CPU value of the process displayed by the top command on Unix systems. | scaled_float | -| system.process.cpu.total.ticks | The total CPU time spent by the process. | long | -| system.process.cpu.total.value | The value of CPU usage since starting the process. 
| long | -| system.process.cpu.user.ticks | The amount of CPU time the process spent in user space. | long | -| system.process.env | The environment variables used to start the process. The data is available on FreeBSD, Linux, and OS X. | object | -| system.process.fd.limit.hard | The hard limit on the number of file descriptors opened by the process. The hard limit can only be raised by root. | long | -| system.process.fd.limit.soft | The soft limit on the number of file descriptors opened by the process. The soft limit can be changed by the process at any time. | long | -| system.process.fd.open | The number of file descriptors open by the process. | long | -| system.process.memory.rss.bytes | The Resident Set Size. The amount of memory the process occupied in main memory (RAM). On Windows this represents the current working set size, in bytes. | long | -| system.process.memory.rss.pct | The percentage of memory the process occupied in main memory (RAM). | scaled_float | -| system.process.memory.share | The shared memory the process uses. | long | -| system.process.memory.size | The total virtual memory the process has. On Windows this represents the Commit Charge (the total amount of memory that the memory manager has committed for a running process) value in bytes for this process. | long | -| system.process.state | The process state. For example: "running". | keyword | -| user.name | Short name or login of the user. | keyword | - - -### Process summary - -The `process_summary` dataset collects high level statistics about the running -processes. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.pid | Process id. | long | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| system.process.summary.dead | Number of dead processes on this host. It's very unlikely that it will appear but in some special situations it may happen. 
| long | -| system.process.summary.idle | Number of idle processes on this host. | long | -| system.process.summary.running | Number of running processes on this host. | long | -| system.process.summary.sleeping | Number of sleeping processes on this host. | long | -| system.process.summary.stopped | Number of stopped processes on this host. | long | -| system.process.summary.total | Total number of processes on this host. | long | -| system.process.summary.unknown | Number of processes for which the state couldn't be retrieved or is unknown. | long | -| system.process.summary.zombie | Number of zombie processes on this host. | long | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | - - -### Socket summary - -The System `socket_summary` dataset provides the summary of open network -sockets in the host system. - -It collects a summary of metrics with the count of existing TCP and UDP -connections and the count of listening ports. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. 
| keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. 
| keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.pid | Process id. | long | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. 
| long | -| system.socket.summary.all.count | All open connections | integer | -| system.socket.summary.all.listening | All listening ports | integer | -| system.socket.summary.tcp.all.close_wait | Number of TCP connections in _close_wait_ state | integer | -| system.socket.summary.tcp.all.closing | Number of TCP connections in _closing_ state | integer | -| system.socket.summary.tcp.all.count | All open TCP connections | integer | -| system.socket.summary.tcp.all.established | Number of established TCP connections | integer | -| system.socket.summary.tcp.all.fin_wait1 | Number of TCP connections in _fin_wait1_ state | integer | -| system.socket.summary.tcp.all.fin_wait2 | Number of TCP connections in _fin_wait2_ state | integer | -| system.socket.summary.tcp.all.last_ack | Number of TCP connections in _last_ack_ state | integer | -| system.socket.summary.tcp.all.listening | All TCP listening ports | integer | -| system.socket.summary.tcp.all.orphan | A count of all orphaned tcp sockets. Only available on Linux. | integer | -| system.socket.summary.tcp.all.syn_recv | Number of TCP connections in _syn_recv_ state | integer | -| system.socket.summary.tcp.all.syn_sent | Number of TCP connections in _syn_sent_ state | integer | -| system.socket.summary.tcp.all.time_wait | Number of TCP connections in _time_wait_ state | integer | -| system.socket.summary.tcp.memory | Memory used by TCP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/tcp_mem. Only available on Linux. | integer | -| system.socket.summary.udp.all.count | All open UDP connections | integer | -| system.socket.summary.udp.memory | Memory used by UDP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/udp_mem. Only available on Linux. | integer | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. 
| keyword | - - -### Uptime - -The System `uptime` dataset provides the uptime of the host operating system. - -This dataset is available on: - -- Linux -- macOS -- OpenBSD -- FreeBSD -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. 
It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| system.uptime.duration.ms | The OS uptime in milliseconds. | long | - - -### Application - -The Windows `application` dataset provides events from the Windows -`Application` event log. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. 
| keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| error.message | Error message. | text | -| event.created | Time when the event was first read by an agent or by your pipeline. | date | -| event.ingested | Timestamp when an event arrived in the central data store. | date | -| event.original | Raw text message of entire event. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword | -| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword | -| winlog.channel | The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. | keyword | -| winlog.computer_name | The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. | keyword | -| winlog.event_data | The event-specific data. 
This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. | object | -| winlog.event_data.AuthenticationPackageName | | keyword | -| winlog.event_data.Binary | | keyword | -| winlog.event_data.BitlockerUserInputTime | | keyword | -| winlog.event_data.BootMode | | keyword | -| winlog.event_data.BootType | | keyword | -| winlog.event_data.BuildVersion | | keyword | -| winlog.event_data.Company | | keyword | -| winlog.event_data.CorruptionActionState | | keyword | -| winlog.event_data.CreationUtcTime | | keyword | -| winlog.event_data.Description | | keyword | -| winlog.event_data.Detail | | keyword | -| winlog.event_data.DeviceName | | keyword | -| winlog.event_data.DeviceNameLength | | keyword | -| winlog.event_data.DeviceTime | | keyword | -| winlog.event_data.DeviceVersionMajor | | keyword | -| winlog.event_data.DeviceVersionMinor | | keyword | -| winlog.event_data.DriveName | | keyword | -| winlog.event_data.DriverName | | keyword | -| winlog.event_data.DriverNameLength | | keyword | -| winlog.event_data.DwordVal | | keyword | -| winlog.event_data.EntryCount | | keyword | -| winlog.event_data.ExtraInfo | | keyword | -| winlog.event_data.FailureName | | keyword | -| winlog.event_data.FailureNameLength | | keyword | -| winlog.event_data.FileVersion | | keyword | -| winlog.event_data.FinalStatus | | keyword | -| winlog.event_data.Group | | keyword | -| winlog.event_data.IdleImplementation | | keyword | -| winlog.event_data.IdleStateCount | | keyword | -| winlog.event_data.ImpersonationLevel | | keyword | -| winlog.event_data.IntegrityLevel | | keyword | -| winlog.event_data.IpAddress | | keyword | -| winlog.event_data.IpPort | | keyword | -| winlog.event_data.KeyLength | | keyword | -| winlog.event_data.LastBootGood | | keyword | -| 
winlog.event_data.LastShutdownGood | | keyword | -| winlog.event_data.LmPackageName | | keyword | -| winlog.event_data.LogonGuid | | keyword | -| winlog.event_data.LogonId | | keyword | -| winlog.event_data.LogonProcessName | | keyword | -| winlog.event_data.LogonType | | keyword | -| winlog.event_data.MajorVersion | | keyword | -| winlog.event_data.MaximumPerformancePercent | | keyword | -| winlog.event_data.MemberName | | keyword | -| winlog.event_data.MemberSid | | keyword | -| winlog.event_data.MinimumPerformancePercent | | keyword | -| winlog.event_data.MinimumThrottlePercent | | keyword | -| winlog.event_data.MinorVersion | | keyword | -| winlog.event_data.NewProcessId | | keyword | -| winlog.event_data.NewProcessName | | keyword | -| winlog.event_data.NewSchemeGuid | | keyword | -| winlog.event_data.NewTime | | keyword | -| winlog.event_data.NominalFrequency | | keyword | -| winlog.event_data.Number | | keyword | -| winlog.event_data.OldSchemeGuid | | keyword | -| winlog.event_data.OldTime | | keyword | -| winlog.event_data.OriginalFileName | | keyword | -| winlog.event_data.Path | | keyword | -| winlog.event_data.PerformanceImplementation | | keyword | -| winlog.event_data.PreviousCreationUtcTime | | keyword | -| winlog.event_data.PreviousTime | | keyword | -| winlog.event_data.PrivilegeList | | keyword | -| winlog.event_data.ProcessId | | keyword | -| winlog.event_data.ProcessName | | keyword | -| winlog.event_data.ProcessPath | | keyword | -| winlog.event_data.ProcessPid | | keyword | -| winlog.event_data.Product | | keyword | -| winlog.event_data.PuaCount | | keyword | -| winlog.event_data.PuaPolicyId | | keyword | -| winlog.event_data.QfeVersion | | keyword | -| winlog.event_data.Reason | | keyword | -| winlog.event_data.SchemaVersion | | keyword | -| winlog.event_data.ScriptBlockText | | keyword | -| winlog.event_data.ServiceName | | keyword | -| winlog.event_data.ServiceVersion | | keyword | -| winlog.event_data.ShutdownActionType | | keyword | -| 
winlog.event_data.ShutdownEventCode | | keyword | -| winlog.event_data.ShutdownReason | | keyword | -| winlog.event_data.Signature | | keyword | -| winlog.event_data.SignatureStatus | | keyword | -| winlog.event_data.Signed | | keyword | -| winlog.event_data.StartTime | | keyword | -| winlog.event_data.State | | keyword | -| winlog.event_data.Status | | keyword | -| winlog.event_data.StopTime | | keyword | -| winlog.event_data.SubjectDomainName | | keyword | -| winlog.event_data.SubjectLogonId | | keyword | -| winlog.event_data.SubjectUserName | | keyword | -| winlog.event_data.SubjectUserSid | | keyword | -| winlog.event_data.TSId | | keyword | -| winlog.event_data.TargetDomainName | | keyword | -| winlog.event_data.TargetInfo | | keyword | -| winlog.event_data.TargetLogonGuid | | keyword | -| winlog.event_data.TargetLogonId | | keyword | -| winlog.event_data.TargetServerName | | keyword | -| winlog.event_data.TargetUserName | | keyword | -| winlog.event_data.TargetUserSid | | keyword | -| winlog.event_data.TerminalSessionId | | keyword | -| winlog.event_data.TokenElevationType | | keyword | -| winlog.event_data.TransmittedServices | | keyword | -| winlog.event_data.UserSid | | keyword | -| winlog.event_data.Version | | keyword | -| winlog.event_data.Workstation | | keyword | -| winlog.event_data.param1 | | keyword | -| winlog.event_data.param2 | | keyword | -| winlog.event_data.param3 | | keyword | -| winlog.event_data.param4 | | keyword | -| winlog.event_data.param5 | | keyword | -| winlog.event_data.param6 | | keyword | -| winlog.event_data.param7 | | keyword | -| winlog.event_data.param8 | | keyword | -| winlog.event_id | The event identifier. The value is specific to the source of the event. | keyword | -| winlog.keywords | The keywords are used to classify an event. | keyword | -| winlog.opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. 
| keyword | -| winlog.process.pid | The process_id of the Client Server Runtime Process. | long | -| winlog.process.thread.id | | long | -| winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. | keyword | -| winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword | -| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | keyword | -| winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. | keyword | -| winlog.task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. | keyword | -| winlog.user.domain | The domain that the account associated with this event is a member of. | keyword | -| winlog.user.identifier | The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. | keyword | -| winlog.user.name | Name of the user associated with this event. | keyword | -| winlog.user.type | The type of account associated with this event. | keyword | -| winlog.user_data | The event specific data. This field is mutually exclusive with `event_data`. 
| object | -| winlog.version | The version number of the event's definition. | long | - - -### System - -The Windows `system` dataset provides events from the Windows `System` -event log. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| error.message | Error message. | text | -| event.created | Time when the event was first read by an agent or by your pipeline. | date | -| event.ingested | Timestamp when an event arrived in the central data store. | date | -| event.original | Raw text message of entire event. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. 
| boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword | -| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. 
The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword | -| winlog.channel | The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. | keyword | -| winlog.computer_name | The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. | keyword | -| winlog.event_data | The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. | object | -| winlog.event_data.AuthenticationPackageName | | keyword | -| winlog.event_data.Binary | | keyword | -| winlog.event_data.BitlockerUserInputTime | | keyword | -| winlog.event_data.BootMode | | keyword | -| winlog.event_data.BootType | | keyword | -| winlog.event_data.BuildVersion | | keyword | -| winlog.event_data.Company | | keyword | -| winlog.event_data.CorruptionActionState | | keyword | -| winlog.event_data.CreationUtcTime | | keyword | -| winlog.event_data.Description | | keyword | -| winlog.event_data.Detail | | keyword | -| winlog.event_data.DeviceName | | keyword | -| winlog.event_data.DeviceNameLength | | keyword | -| winlog.event_data.DeviceTime | | keyword | -| winlog.event_data.DeviceVersionMajor | | keyword | -| winlog.event_data.DeviceVersionMinor | | keyword | -| winlog.event_data.DriveName | | keyword | -| winlog.event_data.DriverName | | keyword | -| winlog.event_data.DriverNameLength | | keyword | -| winlog.event_data.DwordVal | | keyword | -| 
winlog.event_data.EntryCount | | keyword | -| winlog.event_data.ExtraInfo | | keyword | -| winlog.event_data.FailureName | | keyword | -| winlog.event_data.FailureNameLength | | keyword | -| winlog.event_data.FileVersion | | keyword | -| winlog.event_data.FinalStatus | | keyword | -| winlog.event_data.Group | | keyword | -| winlog.event_data.IdleImplementation | | keyword | -| winlog.event_data.IdleStateCount | | keyword | -| winlog.event_data.ImpersonationLevel | | keyword | -| winlog.event_data.IntegrityLevel | | keyword | -| winlog.event_data.IpAddress | | keyword | -| winlog.event_data.IpPort | | keyword | -| winlog.event_data.KeyLength | | keyword | -| winlog.event_data.LastBootGood | | keyword | -| winlog.event_data.LastShutdownGood | | keyword | -| winlog.event_data.LmPackageName | | keyword | -| winlog.event_data.LogonGuid | | keyword | -| winlog.event_data.LogonId | | keyword | -| winlog.event_data.LogonProcessName | | keyword | -| winlog.event_data.LogonType | | keyword | -| winlog.event_data.MajorVersion | | keyword | -| winlog.event_data.MaximumPerformancePercent | | keyword | -| winlog.event_data.MemberName | | keyword | -| winlog.event_data.MemberSid | | keyword | -| winlog.event_data.MinimumPerformancePercent | | keyword | -| winlog.event_data.MinimumThrottlePercent | | keyword | -| winlog.event_data.MinorVersion | | keyword | -| winlog.event_data.NewProcessId | | keyword | -| winlog.event_data.NewProcessName | | keyword | -| winlog.event_data.NewSchemeGuid | | keyword | -| winlog.event_data.NewTime | | keyword | -| winlog.event_data.NominalFrequency | | keyword | -| winlog.event_data.Number | | keyword | -| winlog.event_data.OldSchemeGuid | | keyword | -| winlog.event_data.OldTime | | keyword | -| winlog.event_data.OriginalFileName | | keyword | -| winlog.event_data.Path | | keyword | -| winlog.event_data.PerformanceImplementation | | keyword | -| winlog.event_data.PreviousCreationUtcTime | | keyword | -| winlog.event_data.PreviousTime | | keyword | 
-| winlog.event_data.PrivilegeList | | keyword | -| winlog.event_data.ProcessId | | keyword | -| winlog.event_data.ProcessName | | keyword | -| winlog.event_data.ProcessPath | | keyword | -| winlog.event_data.ProcessPid | | keyword | -| winlog.event_data.Product | | keyword | -| winlog.event_data.PuaCount | | keyword | -| winlog.event_data.PuaPolicyId | | keyword | -| winlog.event_data.QfeVersion | | keyword | -| winlog.event_data.Reason | | keyword | -| winlog.event_data.SchemaVersion | | keyword | -| winlog.event_data.ScriptBlockText | | keyword | -| winlog.event_data.ServiceName | | keyword | -| winlog.event_data.ServiceVersion | | keyword | -| winlog.event_data.ShutdownActionType | | keyword | -| winlog.event_data.ShutdownEventCode | | keyword | -| winlog.event_data.ShutdownReason | | keyword | -| winlog.event_data.Signature | | keyword | -| winlog.event_data.SignatureStatus | | keyword | -| winlog.event_data.Signed | | keyword | -| winlog.event_data.StartTime | | keyword | -| winlog.event_data.State | | keyword | -| winlog.event_data.Status | | keyword | -| winlog.event_data.StopTime | | keyword | -| winlog.event_data.SubjectDomainName | | keyword | -| winlog.event_data.SubjectLogonId | | keyword | -| winlog.event_data.SubjectUserName | | keyword | -| winlog.event_data.SubjectUserSid | | keyword | -| winlog.event_data.TSId | | keyword | -| winlog.event_data.TargetDomainName | | keyword | -| winlog.event_data.TargetInfo | | keyword | -| winlog.event_data.TargetLogonGuid | | keyword | -| winlog.event_data.TargetLogonId | | keyword | -| winlog.event_data.TargetServerName | | keyword | -| winlog.event_data.TargetUserName | | keyword | -| winlog.event_data.TargetUserSid | | keyword | -| winlog.event_data.TerminalSessionId | | keyword | -| winlog.event_data.TokenElevationType | | keyword | -| winlog.event_data.TransmittedServices | | keyword | -| winlog.event_data.UserSid | | keyword | -| winlog.event_data.Version | | keyword | -| winlog.event_data.Workstation | | 
keyword | -| winlog.event_data.param1 | | keyword | -| winlog.event_data.param2 | | keyword | -| winlog.event_data.param3 | | keyword | -| winlog.event_data.param4 | | keyword | -| winlog.event_data.param5 | | keyword | -| winlog.event_data.param6 | | keyword | -| winlog.event_data.param7 | | keyword | -| winlog.event_data.param8 | | keyword | -| winlog.event_id | The event identifier. The value is specific to the source of the event. | keyword | -| winlog.keywords | The keywords are used to classify an event. | keyword | -| winlog.opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. | keyword | -| winlog.process.pid | The process_id of the Client Server Runtime Process. | long | -| winlog.process.thread.id | | long | -| winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. | keyword | -| winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword | -| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | keyword | -| winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. | keyword | -| winlog.task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. 
| keyword | -| winlog.user.domain | The domain that the account associated with this event is a member of. | keyword | -| winlog.user.identifier | The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. | keyword | -| winlog.user.name | Name of the user associated with this event. | keyword | -| winlog.user.type | The type of account associated with this event. | keyword | -| winlog.user_data | The event specific data. This field is mutually exclusive with `event_data`. | object | -| winlog.version | The version number of the event's definition. | long | - - - -### Security - -The Windows `security` dataset provides events from the Windows -`Security` event log. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. 
| keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset name. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| dataset.name | Dataset name. | constant_keyword | -| dataset.namespace | Dataset namespace. | constant_keyword | -| dataset.type | Dataset type. | constant_keyword | -| error.message | Error message. | text | -| event.action | The action captured by the event. | keyword | -| event.category | Event category. The second categorization field in the hierarchy. | keyword | -| event.code | Identification code for this event. | keyword | -| event.created | Time when the event was first read by an agent or by your pipeline. | date | -| event.ingested | Timestamp when an event arrived in the central data store. | date | -| event.module | Name of the module this data is coming from. | keyword | -| event.outcome | The outcome of the event. The lowest level categorization field in the hierarchy. | keyword | -| event.type | Event type. The third categorization field in the hierarchy. | keyword | -| group.domain | Name of the directory the group is a member of. | keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. 
| keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| log.level | Log level of the log event. | keyword | -| process.command_line | Full command line that started the process. | keyword | -| process.executable | Absolute path to the process executable. | keyword | -| process.name | Process name. | keyword | -| process.parent.executable | Absolute path to the process executable. | keyword | -| process.pid | Process id. | long | -| related.user | All the user names seen on your event. | keyword | -| service.name | Name of the service. | keyword | -| service.type | The type of the service. | keyword | -| source.domain | Source domain. | keyword | -| source.ip | IP address of the source. | ip | -| source.port | Port of the source. | long | -| user.domain | Name of the directory the user is a member of. 
| keyword | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword | -| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword | -| winlog.channel | The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. | keyword | -| winlog.computer_name | The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. | keyword | -| winlog.event_data | The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. 
| object | -| winlog.event_data.AuthenticationPackageName | | keyword | -| winlog.event_data.Binary | | keyword | -| winlog.event_data.BitlockerUserInputTime | | keyword | -| winlog.event_data.BootMode | | keyword | -| winlog.event_data.BootType | | keyword | -| winlog.event_data.BuildVersion | | keyword | -| winlog.event_data.Company | | keyword | -| winlog.event_data.CorruptionActionState | | keyword | -| winlog.event_data.CreationUtcTime | | keyword | -| winlog.event_data.Description | | keyword | -| winlog.event_data.Detail | | keyword | -| winlog.event_data.DeviceName | | keyword | -| winlog.event_data.DeviceNameLength | | keyword | -| winlog.event_data.DeviceTime | | keyword | -| winlog.event_data.DeviceVersionMajor | | keyword | -| winlog.event_data.DeviceVersionMinor | | keyword | -| winlog.event_data.DriveName | | keyword | -| winlog.event_data.DriverName | | keyword | -| winlog.event_data.DriverNameLength | | keyword | -| winlog.event_data.DwordVal | | keyword | -| winlog.event_data.EntryCount | | keyword | -| winlog.event_data.ExtraInfo | | keyword | -| winlog.event_data.FailureName | | keyword | -| winlog.event_data.FailureNameLength | | keyword | -| winlog.event_data.FileVersion | | keyword | -| winlog.event_data.FinalStatus | | keyword | -| winlog.event_data.Group | | keyword | -| winlog.event_data.IdleImplementation | | keyword | -| winlog.event_data.IdleStateCount | | keyword | -| winlog.event_data.ImpersonationLevel | | keyword | -| winlog.event_data.IntegrityLevel | | keyword | -| winlog.event_data.IpAddress | | keyword | -| winlog.event_data.IpPort | | keyword | -| winlog.event_data.KeyLength | | keyword | -| winlog.event_data.LastBootGood | | keyword | -| winlog.event_data.LastShutdownGood | | keyword | -| winlog.event_data.LmPackageName | | keyword | -| winlog.event_data.LogonGuid | | keyword | -| winlog.event_data.LogonId | | keyword | -| winlog.event_data.LogonProcessName | | keyword | -| winlog.event_data.LogonType | | keyword | -| 
winlog.event_data.MajorVersion | | keyword | -| winlog.event_data.MaximumPerformancePercent | | keyword | -| winlog.event_data.MemberName | | keyword | -| winlog.event_data.MemberSid | | keyword | -| winlog.event_data.MinimumPerformancePercent | | keyword | -| winlog.event_data.MinimumThrottlePercent | | keyword | -| winlog.event_data.MinorVersion | | keyword | -| winlog.event_data.NewProcessId | | keyword | -| winlog.event_data.NewProcessName | | keyword | -| winlog.event_data.NewSchemeGuid | | keyword | -| winlog.event_data.NewTargetUserName | | keyword | -| winlog.event_data.NewTime | | keyword | -| winlog.event_data.NominalFrequency | | keyword | -| winlog.event_data.Number | | keyword | -| winlog.event_data.OldSchemeGuid | | keyword | -| winlog.event_data.OldTargetUserName | | keyword | -| winlog.event_data.OldTime | | keyword | -| winlog.event_data.OriginalFileName | | keyword | -| winlog.event_data.Path | | keyword | -| winlog.event_data.PerformanceImplementation | | keyword | -| winlog.event_data.PreviousCreationUtcTime | | keyword | -| winlog.event_data.PreviousTime | | keyword | -| winlog.event_data.PrivilegeList | | keyword | -| winlog.event_data.ProcessId | | keyword | -| winlog.event_data.ProcessName | | keyword | -| winlog.event_data.ProcessPath | | keyword | -| winlog.event_data.ProcessPid | | keyword | -| winlog.event_data.Product | | keyword | -| winlog.event_data.PuaCount | | keyword | -| winlog.event_data.PuaPolicyId | | keyword | -| winlog.event_data.QfeVersion | | keyword | -| winlog.event_data.Reason | | keyword | -| winlog.event_data.SchemaVersion | | keyword | -| winlog.event_data.ScriptBlockText | | keyword | -| winlog.event_data.ServiceName | | keyword | -| winlog.event_data.ServiceVersion | | keyword | -| winlog.event_data.ShutdownActionType | | keyword | -| winlog.event_data.ShutdownEventCode | | keyword | -| winlog.event_data.ShutdownReason | | keyword | -| winlog.event_data.Signature | | keyword | -| winlog.event_data.SignatureStatus | 
| keyword | -| winlog.event_data.Signed | | keyword | -| winlog.event_data.StartTime | | keyword | -| winlog.event_data.State | | keyword | -| winlog.event_data.Status | | keyword | -| winlog.event_data.StopTime | | keyword | -| winlog.event_data.SubjectDomainName | | keyword | -| winlog.event_data.SubjectLogonId | | keyword | -| winlog.event_data.SubjectUserName | | keyword | -| winlog.event_data.SubjectUserSid | | keyword | -| winlog.event_data.TSId | | keyword | -| winlog.event_data.TargetDomainName | | keyword | -| winlog.event_data.TargetInfo | | keyword | -| winlog.event_data.TargetLogonGuid | | keyword | -| winlog.event_data.TargetLogonId | | keyword | -| winlog.event_data.TargetServerName | | keyword | -| winlog.event_data.TargetUserName | | keyword | -| winlog.event_data.TargetUserSid | | keyword | -| winlog.event_data.TerminalSessionId | | keyword | -| winlog.event_data.TokenElevationType | | keyword | -| winlog.event_data.TransmittedServices | | keyword | -| winlog.event_data.UserSid | | keyword | -| winlog.event_data.Version | | keyword | -| winlog.event_data.Workstation | | keyword | -| winlog.event_data.param1 | | keyword | -| winlog.event_data.param2 | | keyword | -| winlog.event_data.param3 | | keyword | -| winlog.event_data.param4 | | keyword | -| winlog.event_data.param5 | | keyword | -| winlog.event_data.param6 | | keyword | -| winlog.event_data.param7 | | keyword | -| winlog.event_data.param8 | | keyword | -| winlog.event_id | The event identifier. The value is specific to the source of the event. | keyword | -| winlog.keywords | The keywords are used to classify an event. | keyword | -| winlog.logon.failure.reason | The reason the logon failed. | keyword | -| winlog.logon.failure.status | The reason the logon failed. This is textual description based on the value of the hexadecimal `Status` field. | keyword | -| winlog.logon.failure.sub_status | Additional information about the logon failure. 
This is a textual description based on the value of the hexidecimal `SubStatus` field. | keyword | -| winlog.logon.id | Logon ID that can be used to associate this logon with other events related to the same logon session. | keyword | -| winlog.logon.type | Logon type name. This is the descriptive version of the `winlog.event_data.LogonType` ordinal. This is an enrichment added by the Security module. | keyword | -| winlog.opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. | keyword | -| winlog.process.pid | The process_id of the Client Server Runtime Process. | long | -| winlog.process.thread.id | | long | -| winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. | keyword | -| winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword | -| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | keyword | -| winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. | keyword | -| winlog.task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. | keyword | -| winlog.user.domain | The domain that the account associated with this event is a member of. 
| keyword | -| winlog.user.identifier | The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. | keyword | -| winlog.user.name | Name of the user associated with this event. | keyword | -| winlog.user.type | The type of account associated with this event. | keyword | -| winlog.user_data | The event specific data. This field is mutually exclusive with `event_data`. | object | -| winlog.version | The version number of the event's definition. | long | diff --git a/packages/system/0.10.4/img/kibana-system.png b/packages/system/0.10.4/img/kibana-system.png deleted file mode 100644 index 8741a56624..0000000000 Binary files a/packages/system/0.10.4/img/kibana-system.png and /dev/null differ diff --git a/packages/system/0.10.4/img/metricbeat_system_dashboard.png b/packages/system/0.10.4/img/metricbeat_system_dashboard.png deleted file mode 100644 index 2ff6ad8bd0..0000000000 Binary files a/packages/system/0.10.4/img/metricbeat_system_dashboard.png and /dev/null differ diff --git a/packages/system/0.10.4/img/system.svg b/packages/system/0.10.4/img/system.svg deleted file mode 100644 index 0aba96275e..0000000000 --- a/packages/system/0.10.4/img/system.svg +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/dashboard/system-01c54730-fee6-11e9-8405-516218e3d268.json b/packages/system/0.10.4/kibana/dashboard/system-01c54730-fee6-11e9-8405-516218e3d268.json deleted file mode 100644 index cfdfd09da8..0000000000 --- a/packages/system/0.10.4/kibana/dashboard/system-01c54730-fee6-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,129 +0,0 @@ -{ - "attributes": { - "description": "Group management activity with TSVB metrics.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":8,\"i\":\"22\",\"w\":17,\"x\":0,\"y\":0},\"panelIndex\":\"22\",\"panelRefName\":\"panel_0\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Creation Summary [Windows Security]\"},\"gridData\":{\"h\":13,\"i\":\"36\",\"w\":9,\"x\":0,\"y\":59},\"panelIndex\":\"36\",\"panelRefName\":\"panel_1\",\"title\":\"Group Creation Summary [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Changes Summary [Windows Security]\"},\"gridData\":{\"h\":13,\"i\":\"37\",\"w\":9,\"x\":9,\"y\":59},\"panelIndex\":\"37\",\"panelRefName\":\"panel_2\",\"title\":\"Group Changes Summary [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Deletion Summary [Windows Security]\"},\"gridData\":{\"h\":13,\"i\":\"38\",\"w\":9,\"x\":18,\"y\":59},\"panelIndex\":\"38\",\"panelRefName\":\"panel_3\",\"title\":\"Group Deletion Summary [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Users Added to Group Summary [Windows Security]\"},\"gridData\":{\"h\":14,\"i\":\"39\",\"w\":16,\"x\":0,\"y\":81},\"panelIndex\":\"39\",\"panelRefName\":\"panel_4\",\"title\":\"Users Added to Group Summary [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Users Removed From Group Summary [Windows Security]\"},\"gridData\":{\"h\":14,\"i\":\"40\",\"w\":17,\"x\":16,\"y\":81},\"panelIndex\":\"40\",\"panelRefName\":\"panel_5\",\"title\":\"Users Removed From Group Summary [Windows 
Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Membership Enumeration Summary [Windows Security]\"},\"gridData\":{\"h\":14,\"i\":\"42\",\"w\":15,\"x\":33,\"y\":81},\"panelIndex\":\"42\",\"panelRefName\":\"panel_6\",\"title\":\"Group Membership Enumeration Summary [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Details [Windows Security]\"},\"gridData\":{\"h\":22,\"i\":\"43\",\"w\":21,\"x\":27,\"y\":50},\"panelIndex\":\"43\",\"panelRefName\":\"panel_7\",\"title\":\"Logon Details [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"44\",\"w\":16,\"x\":0,\"y\":72},\"panelIndex\":\"44\",\"panelRefName\":\"panel_8\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"45\",\"w\":9,\"x\":18,\"y\":50},\"panelIndex\":\"45\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"46\",\"w\":9,\"x\":0,\"y\":50},\"panelIndex\":\"46\",\"panelRefName\":\"panel_10\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"47\",\"w\":9,\"x\":9,\"y\":50},\"panelIndex\":\"47\",\"panelRefName\":\"panel_11\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"48\",\"w\":17,\"x\":16,\"y\":72},\"panelIndex\":\"48\",\"panelRefName\":\"panel_12\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"49\",\"w\":15,\"x\":33,\"y\":72},\"panelIndex\":\"49\",\"panelRefName\":\"panel_13\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"51\",\"w\":48,\"x\":0,\"y\":95},\"panelIndex\":\"51\",\"panelRefName\":\"panel_14\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":8,\"i\":\"45614e1c-b2bb-4243-9a74-a4bdd0124c87\",\"w\":31,\"x\":17,\"y\":0},\"panelIndex\":\"45614e1c-b2bb-4243-9a74-a4bdd0124c87\"
,\"panelRefName\":\"panel_15\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"88e75800-8125-4c9e-96b8-5c36f6e91664\",\"w\":9,\"x\":21,\"y\":8},\"panelIndex\":\"88e75800-8125-4c9e-96b8-5c36f6e91664\",\"panelRefName\":\"panel_16\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"4b793b8e-72d4-42a2-b377-1c70f0307414\",\"w\":18,\"x\":30,\"y\":8},\"panelIndex\":\"4b793b8e-72d4-42a2-b377-1c70f0307414\",\"panelRefName\":\"panel_17\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"vis\":null},\"gridData\":{\"h\":21,\"i\":\"82d229f9-44f4-4c4b-baf7-f9673a14c87f\",\"w\":26,\"x\":0,\"y\":29},\"panelIndex\":\"82d229f9-44f4-4c4b-baf7-f9673a14c87f\",\"panelRefName\":\"panel_18\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-group-account\":\"#1F78C1\",\"added-member-to-group\":\"#0A437C\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#0A50A1\",\"type-changed-group-account\":\"#82B5D8\",\"user-member-enumerated\":\"#2F575E\"},\"vis\":{\"colors\":{\"added-group-account\":\"#1F78C1\",\"added-member-to-group\":\"#0A437C\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#0A50A1\",\"removed-member-from-group\":\"#82B5D8\",\"type-changed-group-account\":\"#82B5D8\",\"user-member-enumerated\":\"#2F575E\"}}},\"gridData\":{\"h\":21,\"i\":\"f44255b0-d9a8-479f-be3f-829c1f6ed794\",\"w\":22,\"x\":26,\"y\":29},\"panelIndex\":\"f44255b0-d9a8-479f-be3f-829c1f6ed794\",\"panelRefName\":\"panel_19\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-group-account\":\"#0A50A1\",\"added-member-to-group\":\"#1F78C1\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#0A437C\",\"user-member-enumerated\":\"#052B51\"},\"vis\":{\"colors\":{\"added-group-account\":\"#0A50A1\",\"added-member-to-group\":\"#1F78C1\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#0A437C\",\"user-member-enumerated\":\"#2F575E\"}}},\"gridData\":{\"h\":21,\"i\
":\"9c42bff2-b295-4617-8d8c-455bd5948b66\",\"w\":21,\"x\":0,\"y\":8},\"panelIndex\":\"9c42bff2-b295-4617-8d8c-455bd5948b66\",\"panelRefName\":\"panel_20\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[Windows Security] Group Management Events - Simple Metrics", - "version": 1 - }, - "id": "windows-01c54730-fee6-11e9-8405-516218e3d268", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-6f0f2ea0-f414-11e9-8405-516218e3d268", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-98884120-f49d-11e9-8405-516218e3d268", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-9e534190-f49d-11e9-8405-516218e3d268", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-bb9cf7a0-f49d-11e9-8405-516218e3d268", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-ce867840-f49e-11e9-8405-516218e3d268", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-fee83900-f49f-11e9-8405-516218e3d268", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-bc165210-f4b8-11e9-8405-516218e3d268", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "windows-7e178c80-fee1-11e9-8405-516218e3d268", - "name": "panel_7", - "type": "search" - }, - { - "id": "windows-a13bf640-fee8-11e9-8405-516218e3d268", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-5eeaafd0-fee7-11e9-8405-516218e3d268", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-f42f3b20-fee6-11e9-8405-516218e3d268", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "windows-b5f38780-fee6-11e9-8405-516218e3d268", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "windows-1b5f17d0-feea-11e9-8405-516218e3d268", - "name": "panel_12", - "type": "visualization" - }, - { - "id": "windows-0f2f5280-feeb-11e9-8405-516218e3d268", - "name": "panel_13", - 
"type": "visualization" - }, - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "panel_14", - "type": "search" - }, - { - "id": "windows-d770b040-9b35-11ea-87e4-49f31ec44891", - "name": "panel_15", - "type": "visualization" - }, - { - "id": "windows-33462600-9b47-11ea-87e4-49f31ec44891", - "name": "panel_16", - "type": "visualization" - }, - { - "id": "windows-58fb9480-9b46-11ea-87e4-49f31ec44891", - "name": "panel_17", - "type": "visualization" - }, - { - "id": "windows-e20c02d0-9b48-11ea-87e4-49f31ec44891", - "name": "panel_18", - "type": "visualization" - }, - { - "id": "windows-7de2e3f0-9b4d-11ea-87e4-49f31ec44891", - "name": "panel_19", - "type": "visualization" - }, - { - "id": "windows-b89b0c90-9b41-11ea-87e4-49f31ec44891", - "name": "panel_20", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/dashboard/system-035846a0-a249-11e9-a422-d144027429da.json b/packages/system/0.10.4/kibana/dashboard/system-035846a0-a249-11e9-a422-d144027429da.json deleted file mode 100644 index 59d3bd60ad..0000000000 --- a/packages/system/0.10.4/kibana/dashboard/system-035846a0-a249-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,89 +0,0 @@ -{ - "attributes": { - "description": "User logon activity dashboard with TSVB metrics.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:windows.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"Sesiones Usuarios Admin\"},\"gridData\":{\"h\":28,\"i\":\"1\",\"w\":18,\"x\":0,\"y\":38},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"title\":\"Sesiones Usuarios Admin\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":13,\"i\":\"2\",\"w\":9,\"x\":0,\"y\":6},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Usuarios Adm\"},\"gridData\":{\"h\":19,\"i\":\"3\",\"w\":18,\"x\":0,\"y\":19},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"title\":\"Usuarios Adm\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":6,\"i\":\"4\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Network Logon Details\"},\"gridData\":{\"h\":27,\"i\":\"10\",\"w\":22,\"x\":0,\"y\":66},\"panelIndex\":\"10\",\"panelRefName\":\"panel_4\",\"title\":\"Network Logon Details\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":6,\"i\":\"08245e0c-6afe-43ea-ba5f-76c3b17301fd\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"08245e0c-6afe-43ea-ba5f-76c3b17301fd\",\"panelRefName\":\"panel_5\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":13,\"i\":\"f403fdcc-6588-4573-a949-9e661783a2b8\",\"w\":9,\"x\":9,\"y\":6},\"panelIndex\":\"f403fdcc-6588-4573-a949-9e661783a2b8\",\"panelRefName\":\"panel_6\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Events 
Timeline\"},\"gridData\":{\"h\":13,\"i\":\"51a9affa-8e96-42bd-98e9-80531bdefc53\",\"w\":30,\"x\":18,\"y\":6},\"panelIndex\":\"51a9affa-8e96-42bd-98e9-80531bdefc53\",\"panelRefName\":\"panel_7\",\"title\":\"Logon Events Timeline\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Types\"},\"gridData\":{\"h\":19,\"i\":\"bbdca4de-11c5-4957-a74c-73769416a562\",\"w\":12,\"x\":18,\"y\":19},\"panelIndex\":\"bbdca4de-11c5-4957-a74c-73769416a562\",\"panelRefName\":\"panel_8\",\"title\":\"Logon Types\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"4df66ae6-e047-47c7-b1a9-b15221eb9d90\",\"w\":18,\"x\":30,\"y\":19},\"panelIndex\":\"4df66ae6-e047-47c7-b1a9-b15221eb9d90\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"RDP Reconnections and Desconnections\"},\"gridData\":{\"h\":28,\"i\":\"454bb008-9720-455e-8ab9-b2f47d25aa4f\",\"w\":19,\"x\":18,\"y\":38},\"panelIndex\":\"454bb008-9720-455e-8ab9-b2f47d25aa4f\",\"panelRefName\":\"panel_10\",\"title\":\"RDP Reconnections and Desconnections\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":28,\"i\":\"baec73e7-7166-4577-9483-1252bdd8773c\",\"w\":11,\"x\":37,\"y\":38},\"panelIndex\":\"baec73e7-7166-4577-9483-1252bdd8773c\",\"panelRefName\":\"panel_11\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logout Details\"},\"gridData\":{\"h\":27,\"i\":\"28115147-8399-4fcd-95ce-ed0a4f4239e3\",\"w\":26,\"x\":22,\"y\":66},\"panelIndex\":\"28115147-8399-4fcd-95ce-ed0a4f4239e3\",\"panelRefName\":\"panel_12\",\"title\":\"Logout Details\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[Windows Security] User Logons - Simple Metrics", - "version": 1 - }, - "id": "windows-035846a0-a249-11e9-a422-d144027429da", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-804dd400-a248-11e9-a422-d144027429da", - "name": "panel_0", - "type": "visualization" - 
}, - { - "id": "windows-5bb93ed0-a249-11e9-a422-d144027429da", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-e2516c10-a249-11e9-a422-d144027429da", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-18348f30-a24d-11e9-a422-d144027429da", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-ce71c9a0-a25e-11e9-a422-d144027429da", - "name": "panel_4", - "type": "search" - }, - { - "id": "windows-d770b040-9b35-11ea-87e4-49f31ec44891", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-2c71e0f0-9c0d-11ea-87e4-49f31ec44891", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "windows-abd44840-9c0f-11ea-87e4-49f31ec44891", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "windows-006d75f0-9c03-11ea-87e4-49f31ec44891", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-21aadac0-9c0b-11ea-87e4-49f31ec44891", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3", - "name": "panel_10", - "type": "search" - }, - { - "id": "windows-25f31ee0-9c23-11ea-87e4-49f31ec44891", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "windows-06b6b060-7a80-11ea-bc9a-0baf2ca323a3", - "name": "panel_12", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab.json b/packages/system/0.10.4/kibana/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab.json deleted file mode 100644 index 8814d936cf..0000000000 --- a/packages/system/0.10.4/kibana/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab.json +++ /dev/null 
@@ -1,53 +0,0 @@ -{ - "attributes": { - "description": "New users and groups dashboard for the System integration in Logs", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":12,\"i\":\"1\",\"w\":24,\"x\":0,\"y\":4},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"2\",\"w\":24,\"x\":24,\"y\":4},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":16},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"4\",\"w\":24,\"x\":24,\"y\":16},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":12,\"i\":\"5\",\"w\":24,\"x\":0,\"y\":28},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"6\",\"w\":24,\"x\":24,\"y\":28},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"7\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Logs System] New users and groups", - "version": 1 - }, - "id": "system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab", - "references": [ - { - "id": "system-f398d2f0-fa77-11e6-ae9b-81e5311e8cab", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-5dd15c00-fa78-11e6-ae9b-81e5311e8cab", - "name": "panel_1", - "type": 
"visualization" - }, - { - "id": "system-e121b140-fa78-11e6-a1df-a78bd7504d38", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "system-d56ee420-fa79-11e6-a1df-a78bd7504d38", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "system-12667040-fa80-11e6-a1df-a78bd7504d38", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "system-346bb290-fa80-11e6-a1df-a78bd7504d38", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "system-327417e0-8462-11e7-bab8-bd2f0fb42c54", - "name": "panel_6", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a.json b/packages/system/0.10.4/kibana/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a.json deleted file mode 100644 index 7c1b819642..0000000000 --- a/packages/system/0.10.4/kibana/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "description": "Sudo commands dashboard from the Logs System integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"2\",\"w\":48,\"x\":0,\"y\":36},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":16,\"i\":\"3\",\"w\":48,\"x\":0,\"y\":4},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"4\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Logs System] Sudo commands", - "version": 1 - }, - "id": "system-277876d0-fa2c-11e6-bbd3-29c986c96e5a", - "references": [ - { - "id": "system-5c7af030-fa2a-11e6-bbd3-29c986c96e5a", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-51164310-fa2b-11e6-bbd3-29c986c96e5a", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "system-dc589770-fa2b-11e6-bbd3-29c986c96e5a", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "system-327417e0-8462-11e7-bab8-bd2f0fb42c54", - "name": "panel_3", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a.json b/packages/system/0.10.4/kibana/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a.json deleted file mode 100644 index 34f78d0da6..0000000000 
--- a/packages/system/0.10.4/kibana/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a.json
+++ /dev/null
@@ -1,48 +0,0 @@ -{ - "attributes": { - "description": "SSH dashboard for the System integration in Logs", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":16},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"2\",\"w\":48,\"x\":0,\"y\":4},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":28},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"mapBounds\":{\"bottom_right\":{\"lat\":10.31491928581316,\"lon\":74.53125},\"top_left\":{\"lat\":60.50052541051131,\"lon\":-27.94921875}},\"mapCenter\":[39.774769485295465,23.203125],\"mapCollar\":{\"bottom_right\":{\"lat\":-14.777884999999998,\"lon\":125.771485},\"top_left\":{\"lat\":85.593335,\"lon\":-79.189455},\"zoom\":3},\"mapZoom\":3},\"gridData\":{\"h\":16,\"i\":\"4\",\"w\":24,\"x\":24,\"y\":28},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"columns\":[\"system.auth.ssh.event\",\"system.auth.ssh.method\",\"user.name\",\"source.ip\",\"source.geo.country_iso_code\"],\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"h\":12,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":44},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"6\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Logs System] SSH login attempts", - "version": 1 - }, - "id": "system-5517a150-f9ce-11e6-8115-a7c18106d86a", - "references": [ - { - "id": 
"system-d16bb400-f9cc-11e6-8115-a7c18106d86a", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-78b74f30-f9cd-11e6-8115-a7c18106d86a", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "system-341ffe70-f9ce-11e6-8115-a7c18106d86a", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "system-3cec3eb0-f9d3-11e6-8a3e-2b904044ea1d", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "system-62439dc0-f9c9-11e6-a747-6121780e0414", - "name": "panel_4", - "type": "search" - }, - { - "id": "system-327417e0-8462-11e7-bab8-bd2f0fb42c54", - "name": "panel_5", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/dashboard/system-71f720f0-ff18-11e9-8405-516218e3d268.json b/packages/system/0.10.4/kibana/dashboard/system-71f720f0-ff18-11e9-8405-516218e3d268.json deleted file mode 100644 index ade89f5b1b..0000000000 --- a/packages/system/0.10.4/kibana/dashboard/system-71f720f0-ff18-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,159 +0,0 @@ -{ - "attributes": { - "description": "User management activity.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":8,\"i\":\"1\",\"w\":17,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Created Users [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"3\",\"w\":9,\"x\":0,\"y\":56},\"panelIndex\":\"3\",\"panelRefName\":\"panel_1\",\"title\":\"Created Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Enabled Users [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"5\",\"w\":9,\"x\":9,\"y\":56},\"panelIndex\":\"5\",\"panelRefName\":\"panel_2\",\"title\":\"Enabled Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Disabled Users [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"6\",\"w\":9,\"x\":0,\"y\":79},\"panelIndex\":\"6\",\"panelRefName\":\"panel_3\",\"title\":\"Disabled Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Deleted Users [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"7\",\"w\":9,\"x\":18,\"y\":56},\"panelIndex\":\"7\",\"panelRefName\":\"panel_4\",\"title\":\"Deleted Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Passwords Changes [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"9\",\"w\":9,\"x\":18,\"y\":79},\"panelIndex\":\"9\",\"panelRefName\":\"panel_5\",\"title\":\"Passwords Changes [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Unlocked Users [Windows 
Security]\"},\"gridData\":{\"h\":16,\"i\":\"15\",\"w\":9,\"x\":9,\"y\":79},\"panelIndex\":\"15\",\"panelRefName\":\"panel_6\",\"title\":\"Unlocked Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Users Changes [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"16\",\"w\":9,\"x\":18,\"y\":102},\"panelIndex\":\"16\",\"panelRefName\":\"panel_7\",\"title\":\"Users Changes [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Locked-out Users [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"20\",\"w\":9,\"x\":0,\"y\":102},\"panelIndex\":\"20\",\"panelRefName\":\"panel_8\",\"title\":\"Locked-out Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":46,\"i\":\"22\",\"w\":21,\"x\":27,\"y\":72},\"panelIndex\":\"22\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"23\",\"w\":48,\"x\":0,\"y\":118},\"panelIndex\":\"23\",\"panelRefName\":\"panel_10\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"24\",\"w\":9,\"x\":0,\"y\":72},\"panelIndex\":\"24\",\"panelRefName\":\"panel_11\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"25\",\"w\":9,\"x\":9,\"y\":49},\"panelIndex\":\"25\",\"panelRefName\":\"panel_12\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"26\",\"w\":9,\"x\":18,\"y\":49},\"panelIndex\":\"26\",\"panelRefName\":\"panel_13\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"27\",\"w\":9,\"x\":0,\"y\":49},\"panelIndex\":\"27\",\"panelRefName\":\"panel_14\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"28\",\"w\":9,\"x\":9,\"y\":72},\"panelIndex\":\"28\",\"panelRefName\":\"panel_15\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"29\",\"w\":9,\
"x\":18,\"y\":72},\"panelIndex\":\"29\",\"panelRefName\":\"panel_16\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"30\",\"w\":9,\"x\":0,\"y\":95},\"panelIndex\":\"30\",\"panelRefName\":\"panel_17\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"31\",\"w\":9,\"x\":18,\"y\":95},\"panelIndex\":\"31\",\"panelRefName\":\"panel_18\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"32\",\"w\":9,\"x\":9,\"y\":95},\"panelIndex\":\"32\",\"panelRefName\":\"panel_19\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"33\",\"w\":9,\"x\":9,\"y\":102},\"panelIndex\":\"33\",\"panelRefName\":\"panel_20\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":8,\"i\":\"cf0adfac-7cf2-479d-8ddb-1edeee62d37c\",\"w\":31,\"x\":17,\"y\":0},\"panelIndex\":\"cf0adfac-7cf2-479d-8ddb-1edeee62d37c\",\"panelRefName\":\"panel_21\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-user-account\":\"#447EBC\",\"deleted-user-account\":\"#82B5D8\",\"disabled-user-account\":\"#82B5D8\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#2F575E\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\"},\"vis\":{\"colors\":{\"added-user-account\":\"#447EBC\",\"deleted-user-account\":\"#82B5D8\",\"disabled-user-account\":\"#82B5D8\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#2F575E\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\",\"unlocked-user-account\":\"#64B0C8\"}}},\"gridData\":{\"h\":16,\"i\":\"a2871661-98a8-489b-b615-e66ebe3b971a\",\"w\":17,\"x\":0,\"y\":8},\"panelIndex\":\"a2871661-98a8-489b-b615-e66ebe3b971a\",\"panelRefName\":\"panel_22\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"e80fae4a-6087-41e1-b4b9-31802cb1e4bf\",\"w\":18,\"x\":30,\"y\":8},\"panelIndex\":\"e80fae4a-6087-41e1-b4b9-31
802cb1e4bf\",\"panelRefName\":\"panel_23\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"dd3e12e6-0d3c-448e-b0c4-91f7dc8742b6\",\"w\":13,\"x\":17,\"y\":8},\"panelIndex\":\"dd3e12e6-0d3c-448e-b0c4-91f7dc8742b6\",\"panelRefName\":\"panel_24\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Actions performed over Users [Windows Security]\",\"vis\":null},\"gridData\":{\"h\":25,\"i\":\"29f54335-78db-4c49-a3e0-a641fd0099f6\",\"w\":48,\"x\":0,\"y\":24},\"panelIndex\":\"29f54335-78db-4c49-a3e0-a641fd0099f6\",\"panelRefName\":\"panel_25\",\"title\":\"Actions performed over Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-user-account\":\"#0A437C\",\"deleted-user-account\":\"#5195CE\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#052B51\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\"},\"vis\":{\"colors\":{\"added-user-account\":\"#0A437C\",\"deleted-user-account\":\"#5195CE\",\"disabled-user-account\":\"#82B5D8\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#052B51\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\"}}},\"gridData\":{\"h\":23,\"i\":\"1ec8b993-9ac1-4c7f-b7f7-5136f2e310aa\",\"w\":21,\"x\":27,\"y\":49},\"panelIndex\":\"1ec8b993-9ac1-4c7f-b7f7-5136f2e310aa\",\"panelRefName\":\"panel_26\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[Windows Security] User Management Events", - "version": 1 - }, - "id": "windows-71f720f0-ff18-11e9-8405-516218e3d268", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf", - "name": "panel_2", - "type": "visualization" - }, 
- { - "id": "windows-8f20c950-bcd4-11e9-b6a2-c9b4015c4baf", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-da2110c0-bcea-11e9-b6a2-c9b4015c4baf", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "windows-abf96c10-bcea-11e9-b6a2-c9b4015c4baf", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "windows-4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-7e178c80-fee1-11e9-8405-516218e3d268", - "name": "panel_9", - "type": "search" - }, - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "panel_10", - "type": "search" - }, - { - "id": "windows-97c70300-ff1c-11e9-8405-516218e3d268", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "windows-bf45dc50-ff1a-11e9-8405-516218e3d268", - "name": "panel_12", - "type": "visualization" - }, - { - "id": "windows-7322f9f0-ff1c-11e9-8405-516218e3d268", - "name": "panel_13", - "type": "visualization" - }, - { - "id": "windows-d3a5fec0-ff18-11e9-8405-516218e3d268", - "name": "panel_14", - "type": "visualization" - }, - { - "id": "windows-1b6725f0-ff1d-11e9-8405-516218e3d268", - "name": "panel_15", - "type": "visualization" - }, - { - "id": "windows-60301890-ff1d-11e9-8405-516218e3d268", - "name": "panel_16", - "type": "visualization" - }, - { - "id": "windows-9dd22440-ff1d-11e9-8405-516218e3d268", - "name": "panel_17", - "type": "visualization" - }, - { - "id": "windows-c9d959f0-ff1d-11e9-8405-516218e3d268", - "name": "panel_18", - "type": "visualization" - }, - { - "id": "windows-1f271bc0-231a-11ea-8405-516218e3d268", - "name": "panel_19", - "type": "visualization" - }, - { - "id": "windows-fa876300-231a-11ea-8405-516218e3d268", - "name": "panel_20", - "type": 
"visualization" - }, - { - "id": "windows-a3c3f350-9b6d-11ea-87e4-49f31ec44891", - "name": "panel_21", - "type": "visualization" - }, - { - "id": "windows-26877510-9b72-11ea-87e4-49f31ec44891", - "name": "panel_22", - "type": "visualization" - }, - { - "id": "windows-117f5a30-9b71-11ea-87e4-49f31ec44891", - "name": "panel_23", - "type": "visualization" - }, - { - "id": "windows-5c9ee410-9b74-11ea-87e4-49f31ec44891", - "name": "panel_24", - "type": "visualization" - }, - { - "id": "windows-aa31c9d0-9b75-11ea-87e4-49f31ec44891", - "name": "panel_25", - "type": "visualization" - }, - { - "id": "windows-caf4d2b0-9b76-11ea-87e4-49f31ec44891", - "name": "panel_26", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8.json b/packages/system/0.10.4/kibana/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8.json deleted file mode 100644 index 4dba98af12..0000000000 --- a/packages/system/0.10.4/kibana/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8.json +++ /dev/null 
@@ -1,133 +0,0 @@ -{ - "attributes": { - "description": "Overview of host metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"1\",\"w\":24,\"x\":0,\"y\":55},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"2\",\"w\":24,\"x\":24,\"y\":25},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"3\",\"w\":24,\"x\":24,\"y\":55},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"4\",\"w\":24,\"x\":0,\"y\":40},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":70},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":24,\"x\":0,\"y\":70},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"7\",\"w\":24,\"x\":0,\"y\":25},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"8\",\"w\":24,\"x\":24,\"y\":40},\"panelIndex\":\"8\",\"panelRefName\":\"panel_7\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"9\",\"w\":8,\"x\":16,\"y\":5},\"panelIndex\":\"9\",\"panelRefName\":\"panel_8\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"10\",\"w\":8,\"x\":0,\"y\":5},\"panelIndex\":\"10\",\"panelRefName\":\"panel_9\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"11\",\"w\":8,\"x\":8,
\"y\":5},\"panelIndex\":\"11\",\"panelRefName\":\"panel_10\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"12\",\"w\":8,\"x\":24,\"y\":5},\"panelIndex\":\"12\",\"panelRefName\":\"panel_11\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"13\",\"w\":8,\"x\":32,\"y\":5},\"panelIndex\":\"13\",\"panelRefName\":\"panel_12\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"14\",\"w\":16,\"x\":32,\"y\":15},\"panelIndex\":\"14\",\"panelRefName\":\"panel_13\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":5,\"i\":\"16\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"16\",\"panelRefName\":\"panel_14\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"21\",\"w\":8,\"x\":0,\"y\":15},\"panelIndex\":\"21\",\"panelRefName\":\"panel_15\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"22\",\"w\":8,\"x\":8,\"y\":15},\"panelIndex\":\"22\",\"panelRefName\":\"panel_16\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"23\",\"w\":8,\"x\":24,\"y\":15},\"panelIndex\":\"23\",\"panelRefName\":\"panel_17\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"25\",\"w\":8,\"x\":40,\"y\":5},\"panelIndex\":\"25\",\"panelRefName\":\"panel_18\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"27\",\"w\":24,\"x\":0,\"y\":85},\"panelIndex\":\"27\",\"panelRefName\":\"panel_19\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"28\",\"w\":24,\"x\":24,\"y\":85},\"panelIndex\":\"28\",\"panelRefName\":\"panel_20\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":10,\"i\":\"29\",\"w\":8,\"x\":16,\"y\":15},\"panelIndex\":\"29\",\"panelRefName\":\"panel_21\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":5,\"i\":\"30\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"30\",\"panelRefName\":\"panel_22\",\"version\":\"7.6.0\"}]", - "timeRestore": false, - "title": "[Metrics System] Host overview", - "version": 1 - }, - "id": "system-79ffd6e0-faa0-11e6-947f-177f697178b8", - "references": [ - { - "id": "system-6b7b9a40-faa1-11e6-86b1-cd7735ff7e23", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-4d546850-1b15-11e7-b09e-037021c4f8df", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "system-089b85d0-1b16-11e7-b09e-037021c4f8df", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "system-bfa5e400-1b16-11e7-b09e-037021c4f8df", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "system-e0f001c0-1b18-11e7-b09e-037021c4f8df", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "system-2e224660-1b19-11e7-b09e-037021c4f8df", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "system-ab2d1e90-1b1a-11e7-b09e-037021c4f8df", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "system-4e4bb1e0-1b1b-11e7-b09e-037021c4f8df", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "system-26732e20-1b91-11e7-bec4-a5e9ec5cab8b", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "system-1aae9140-1b93-11e7-8ada-3df93aab833e", - "name": "panel_12", - "type": "visualization" - }, - { - "id": "system-34f97ee0-1b96-11e7-8ada-3df93aab833e", - 
"name": "panel_13", - "type": "visualization" - }, - { - "id": "system-Navigation", - "name": "panel_14", - "type": "visualization" - }, - { - "id": "system-19e123b0-4d5a-11e7-aee5-fdc812cc3bec", - "name": "panel_15", - "type": "visualization" - }, - { - "id": "system-d2e80340-4d5c-11e7-aa29-87a97a796de6", - "name": "panel_16", - "type": "visualization" - }, - { - "id": "system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32", - "name": "panel_17", - "type": "visualization" - }, - { - "id": "system-96976150-4d5d-11e7-aa29-87a97a796de6", - "name": "panel_18", - "type": "visualization" - }, - { - "id": "system-99381c80-4d60-11e7-9a4c-ed99bbcaa42b", - "name": "panel_19", - "type": "visualization" - }, - { - "id": "system-c5e3cf90-4d60-11e7-9a4c-ed99bbcaa42b", - "name": "panel_20", - "type": "visualization" - }, - { - "id": "system-590a60f0-5d87-11e7-8884-1bb4c3b890e4", - "name": "panel_21", - "type": "visualization" - }, - { - "id": "system-3d65d450-a9c3-11e7-af20-67db8aecb295", - "name": "panel_22", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/dashboard/system-8223bed0-b9e9-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.4/kibana/dashboard/system-8223bed0-b9e9-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 66ca04e54e..0000000000 --- a/packages/system/0.10.4/kibana/dashboard/system-8223bed0-b9e9-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,159 +0,0 @@ -{ - "attributes": { - "description": "User management activity with TSVB metrics.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"1\",\"w\":17,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Created Users [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"3\",\"w\":9,\"x\":0,\"y\":55},\"panelIndex\":\"3\",\"panelRefName\":\"panel_1\",\"title\":\"Created Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Enabled Users [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"5\",\"w\":9,\"x\":9,\"y\":55},\"panelIndex\":\"5\",\"panelRefName\":\"panel_2\",\"title\":\"Enabled Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Disabled Users [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"6\",\"w\":9,\"x\":0,\"y\":80},\"panelIndex\":\"6\",\"panelRefName\":\"panel_3\",\"title\":\"Disabled Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Deleted Users [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"7\",\"w\":9,\"x\":18,\"y\":55},\"panelIndex\":\"7\",\"panelRefName\":\"panel_4\",\"title\":\"Deleted Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Passwords Changes [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"9\",\"w\":9,\"x\":18,\"y\":80},\"panelIndex\":\"9\",\"panelRefName\":\"panel_5\",\"title\":\"Passwords Changes [Windows 
Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"10\",\"w\":9,\"x\":0,\"y\":46},\"panelIndex\":\"10\",\"panelRefName\":\"panel_6\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"11\",\"w\":9,\"x\":9,\"y\":46},\"panelIndex\":\"11\",\"panelRefName\":\"panel_7\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"12\",\"w\":9,\"x\":18,\"y\":46},\"panelIndex\":\"12\",\"panelRefName\":\"panel_8\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"13\",\"w\":9,\"x\":0,\"y\":71},\"panelIndex\":\"13\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"14\",\"w\":9,\"x\":18,\"y\":71},\"panelIndex\":\"14\",\"panelRefName\":\"panel_10\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Unlocked Users [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"15\",\"w\":9,\"x\":9,\"y\":80},\"panelIndex\":\"15\",\"panelRefName\":\"panel_11\",\"title\":\"Unlocked Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Users Changes [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"16\",\"w\":9,\"x\":18,\"y\":105},\"panelIndex\":\"16\",\"panelRefName\":\"panel_12\",\"title\":\"Users Changes [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"17\",\"w\":9,\"x\":0,\"y\":96},\"panelIndex\":\"17\",\"panelRefName\":\"panel_13\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"18\",\"w\":9,\"x\":9,\"y\":71},\"panelIndex\":\"18\",\"panelRefName\":\"panel_14\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"19\",\"w\":9,\"x\":18,\"y\":96},\"panelIndex\":\"19\",\"panelRefName\":\"panel_15\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Locked-out Users 
[Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"20\",\"w\":9,\"x\":0,\"y\":105},\"panelIndex\":\"20\",\"panelRefName\":\"panel_16\",\"title\":\"Locked-out Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":48,\"i\":\"22\",\"w\":21,\"x\":27,\"y\":73},\"panelIndex\":\"22\",\"panelRefName\":\"panel_17\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"23\",\"w\":48,\"x\":0,\"y\":121},\"panelIndex\":\"23\",\"panelRefName\":\"panel_18\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"24\",\"w\":9,\"x\":9,\"y\":96},\"panelIndex\":\"24\",\"panelRefName\":\"panel_19\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"25\",\"w\":9,\"x\":9,\"y\":105},\"panelIndex\":\"25\",\"panelRefName\":\"panel_20\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"20adcb1b-cebf-4a75-9bc4-eaeeee626c5e\",\"w\":31,\"x\":17,\"y\":0},\"panelIndex\":\"20adcb1b-cebf-4a75-9bc4-eaeeee626c5e\",\"panelRefName\":\"panel_21\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-user-account\":\"#0A437C\",\"deleted-user-account\":\"#82B5D8\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#052B51\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\"},\"vis\":{\"colors\":{\"added-user-account\":\"#0A437C\",\"deleted-user-account\":\"#82B5D8\",\"disabled-user-account\":\"#BADFF4\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#052B51\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\"}}},\"gridData\":{\"h\":19,\"i\":\"8aad73ff-37b1-487a-a3f1-b80b93618ac4\",\"w\":18,\"x\":0,\"y\":7},\"panelIndex\":\"8aad73ff-37b1-487a-a3f1-b80b93618ac4\",\"panelRefName\":\"panel_22\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"18cc78ac-3f77-4f54-b351-cb94873cae3f\",\"w\":14,\"x\":18,\"y\":7},\"panelIndex\":\"18cc78ac
-3f77-4f54-b351-cb94873cae3f\",\"panelRefName\":\"panel_23\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"75f5f1fc-bc7c-4f8f-8e5b-0a52d525aa7d\",\"w\":16,\"x\":32,\"y\":7},\"panelIndex\":\"75f5f1fc-bc7c-4f8f-8e5b-0a52d525aa7d\",\"panelRefName\":\"panel_24\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Actions performed over Users [Windows Security]\",\"vis\":null},\"gridData\":{\"h\":20,\"i\":\"f443b5b0-ada7-426f-ae2f-46573f94f24f\",\"w\":48,\"x\":0,\"y\":26},\"panelIndex\":\"f443b5b0-ada7-426f-ae2f-46573f94f24f\",\"panelRefName\":\"panel_25\",\"title\":\"Actions performed over Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-user-account\":\"#0A437C\",\"deleted-user-account\":\"#82B5D8\",\"disabled-user-account\":\"#BADFF4\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#2F575E\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\"},\"vis\":{\"colors\":{\"added-user-account\":\"#0A437C\",\"deleted-user-account\":\"#82B5D8\",\"disabled-user-account\":\"#BADFF4\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#2F575E\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\",\"unlocked-user-account\":\"#0A437C\"}}},\"gridData\":{\"h\":27,\"i\":\"820c0311-d378-49dc-a614-e0fed2254603\",\"w\":21,\"x\":27,\"y\":46},\"panelIndex\":\"820c0311-d378-49dc-a614-e0fed2254603\",\"panelRefName\":\"panel_26\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[Windows Security] User Management Events - Simple Metric", - "version": 1 - }, - "id": "windows-8223bed0-b9e9-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf", - "name": "panel_1", - "type": "visualization" - }, - 
{ - "id": "windows-0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-8f20c950-bcd4-11e9-b6a2-c9b4015c4baf", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-102efd20-bcdd-11e9-b6a2-c9b4015c4baf", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "windows-855957d0-bcdd-11e9-b6a2-c9b4015c4baf", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "windows-c359b020-bcdd-11e9-b6a2-c9b4015c4baf", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-0cb2d940-bcde-11e9-b6a2-c9b4015c4baf", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-568a8130-bcde-11e9-b6a2-c9b4015c4baf", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "windows-da2110c0-bcea-11e9-b6a2-c9b4015c4baf", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "windows-abf96c10-bcea-11e9-b6a2-c9b4015c4baf", - "name": "panel_12", - "type": "visualization" - }, - { - "id": "windows-84502430-bce8-11e9-b6a2-c9b4015c4baf", - "name": "panel_13", - "type": "visualization" - }, - { - "id": "windows-ab6f8d80-bce8-11e9-b6a2-c9b4015c4baf", - "name": "panel_14", - "type": "visualization" - }, - { - "id": "windows-5d92b100-bce8-11e9-b6a2-c9b4015c4baf", - "name": "panel_15", - "type": "visualization" - }, - { - "id": "windows-4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf", - "name": "panel_16", - "type": "visualization" - }, - { - "id": "windows-7e178c80-fee1-11e9-8405-516218e3d268", - "name": "panel_17", - "type": "search" - }, - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "panel_18", - "type": "search" - }, - { - "id": "windows-5e19ff80-231c-11ea-8405-516218e3d268", - "name": "panel_19", - "type": 
"visualization" - }, - { - "id": "windows-fa876300-231a-11ea-8405-516218e3d268", - "name": "panel_20", - "type": "visualization" - }, - { - "id": "windows-d770b040-9b35-11ea-87e4-49f31ec44891", - "name": "panel_21", - "type": "visualization" - }, - { - "id": "windows-26877510-9b72-11ea-87e4-49f31ec44891", - "name": "panel_22", - "type": "visualization" - }, - { - "id": "windows-5c9ee410-9b74-11ea-87e4-49f31ec44891", - "name": "panel_23", - "type": "visualization" - }, - { - "id": "windows-117f5a30-9b71-11ea-87e4-49f31ec44891", - "name": "panel_24", - "type": "visualization" - }, - { - "id": "windows-aa31c9d0-9b75-11ea-87e4-49f31ec44891", - "name": "panel_25", - "type": "visualization" - }, - { - "id": "windows-caf4d2b0-9b76-11ea-87e4-49f31ec44891", - "name": "panel_26", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/dashboard/system-Filebeat-syslog-dashboard.json b/packages/system/0.10.4/kibana/dashboard/system-Filebeat-syslog-dashboard.json deleted file mode 100644 index e853fd4613..0000000000 --- a/packages/system/0.10.4/kibana/dashboard/system-Filebeat-syslog-dashboard.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "description": "Syslog dashboard from the Logs System integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"1\",\"w\":32,\"x\":0,\"y\":4},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"2\",\"w\":16,\"x\":32,\"y\":4},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"columns\":[\"host.hostname\",\"process.name\",\"message\"],\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"h\":28,\"i\":\"3\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"4\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Logs System] Syslog dashboard", - "version": 1 - }, - "id": "system-Filebeat-syslog-dashboard", - "references": [ - { - "id": "system-Syslog-events-by-hostname", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-Syslog-hostnames-and-processes", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "system-Syslog-system-logs", - "name": "panel_2", - "type": "search" - }, - { - "id": "system-327417e0-8462-11e7-bab8-bd2f0fb42c54", - "name": "panel_3", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/dashboard/system-Metricbeat-system-overview.json b/packages/system/0.10.4/kibana/dashboard/system-Metricbeat-system-overview.json deleted file mode 100644 index 286c979eb2..0000000000 
--- a/packages/system/0.10.4/kibana/dashboard/system-Metricbeat-system-overview.json
+++ /dev/null
@@ -1,68 +0,0 @@ -{ - "attributes": { - "description": "Overview of system metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"9\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"9\",\"panelRefName\":\"panel_0\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"11\",\"w\":8,\"x\":0,\"y\":4},\"panelIndex\":\"11\",\"panelRefName\":\"panel_1\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":20,\"i\":\"12\",\"w\":24,\"x\":24,\"y\":12},\"panelIndex\":\"12\",\"panelRefName\":\"panel_2\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"13\",\"w\":24,\"x\":0,\"y\":12},\"panelIndex\":\"13\",\"panelRefName\":\"panel_3\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0% - 15%\":\"rgb(247,252,245)\",\"15% - 30%\":\"rgb(199,233,192)\",\"30% - 45%\":\"rgb(116,196,118)\",\"45% - 60%\":\"rgb(35,139,69)\"}}},\"gridData\":{\"h\":24,\"i\":\"14\",\"w\":48,\"x\":0,\"y\":32},\"panelIndex\":\"14\",\"panelRefName\":\"panel_4\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"16\",\"w\":8,\"x\":32,\"y\":4},\"panelIndex\":\"16\",\"panelRefName\":\"panel_5\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"17\",\"w\":8,\"x\":40,\"y\":4},\"panelIndex\":\"17\",\"panelRefName\":\"panel_6\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"18\",\"w\":8,\"x\":24,\"y\":4},\"panelIndex\":\"18\",\"panelRefName\":\"panel_7\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"19\",\"w\":8,\"x\":16,\"y\":4},\"panelIndex\":\"19\",\"panelRefName\":\"panel_8\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"20\",\"w\":8,\"x\":8,\"y\":4},\"panelIndex\":\"20\",\"panelRefName\":\"panel_9\",\"version\":\"7.6.0\"}]", - "timeRestore": false, - "title": "[Metrics System] Overview", - "version": 1 - }, - "id": "system-Metrics-system-overview", - "references": [ - { - "id": "system-Navigation", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-c6f2ffd0-4d17-11e7-a196-69b9a7a020a9", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "system-fe064790-1b1f-11e7-bec4-a5e9ec5cab8b", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "system-855899e0-1b1c-11e7-b09e-037021c4f8df", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "system-7cdb1330-4d1a-11e7-a196-69b9a7a020a9", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "system-1aae9140-1b93-11e7-8ada-3df93aab833e", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b", - "name": 
"panel_9", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/dashboard/system-Winlogbeat-Dashboard.json b/packages/system/0.10.4/kibana/dashboard/system-Winlogbeat-Dashboard.json deleted file mode 100644 index 84aad582de..0000000000 --- a/packages/system/0.10.4/kibana/dashboard/system-Winlogbeat-Dashboard.json +++ /dev/null 
@@ -1,49 +0,0 @@ -{ - "attributes": { - "description": "Overview of all Windows Event Logs.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:system.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:system.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system OR data_stream.dataset:system.system)\"}}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"gridData\":{\"h\":20,\"i\":\"3\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"4\",\"w\":16,\"x\":16,\"y\":20},\"panelIndex\":\"4\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"gridData\":{\"h\":20,\"i\":\"5\",\"w\":16,\"x\":32,\"y\":20},\"panelIndex\":\"5\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"gridData\":{\"h\":20,\"i\":\"6\",\"w\":16,\"x\":0,\"y\":20},\"panelIndex\":\"6\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Windows] Overview", - "version": 1 - }, - "id": "Windows-Dashboard", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-Number-of-Events-Over-Time-By-Event-Log", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-Number-of-Events", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-Top-Event-IDs", - 
"name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-Event-Levels", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-Sources", - "name": "panel_4", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/dashboard/system-bae11b00-9bfc-11ea-87e4-49f31ec44891.json b/packages/system/0.10.4/kibana/dashboard/system-bae11b00-9bfc-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 5ab48a3062..0000000000 --- a/packages/system/0.10.4/kibana/dashboard/system-bae11b00-9bfc-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,89 +0,0 @@ -{ - "attributes": { - "description": "User logon activity dashboard.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"Admin Users Sessions\"},\"gridData\":{\"h\":28,\"i\":\"1\",\"w\":18,\"x\":0,\"y\":34},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"title\":\"Admin Users Sessions\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"AdminLocalSta\":\"#890F02\",\"SERVICIO LOCAL\":\"#508642\"},\"legendOpen\":true,\"title\":\"Administrators Logged On\",\"vis\":{\"colors\":{\"AdminLocalSta\":\"#890F02\",\"NETWORK SERVICE\":\"#1F78C1\",\"SERVICIO LOCAL\":\"#508642\"},\"legendOpen\":true}},\"gridData\":{\"h\":18,\"i\":\"3\",\"w\":18,\"x\":0,\"y\":16},\"panelIndex\":\"3\",\"panelRefName\":\"panel_1\",\"title\":\"Administrators Logged On\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":6,\"i\":\"4\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_2\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Details\"},\"gridData\":{\"h\":47,\"i\":\"10\",\"w\":23,\"x\":0,\"y\":62},\"panelIndex\":\"10\",\"panelRefName\":\"panel_3\",\"title\":\"Logon 
Details\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":6,\"i\":\"34fc9633-8a7c-444d-8d19-06095b55fb43\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"34fc9633-8a7c-444d-8d19-06095b55fb43\",\"panelRefName\":\"panel_4\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":10,\"i\":\"67d2409d-3e51-45d5-972f-32a36537e622\",\"w\":9,\"x\":0,\"y\":6},\"panelIndex\":\"67d2409d-3e51-45d5-972f-32a36537e622\",\"panelRefName\":\"panel_5\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":10,\"i\":\"33d05ce3-f60d-4a31-a668-aa6fab0cc800\",\"w\":9,\"x\":9,\"y\":6},\"panelIndex\":\"33d05ce3-f60d-4a31-a668-aa6fab0cc800\",\"panelRefName\":\"panel_6\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Events Timeline\"},\"gridData\":{\"h\":13,\"i\":\"7b3906e6-3a81-450c-bb31-ca0d670440b7\",\"w\":30,\"x\":18,\"y\":6},\"panelIndex\":\"7b3906e6-3a81-450c-bb31-ca0d670440b7\",\"panelRefName\":\"panel_7\",\"title\":\"Logon Events Timeline\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"CachedInteractive\":\"#6ED0E0\",\"Interactive\":\"#2F575E\",\"Network\":\"#447EBC\",\"RemoteInteractive\":\"#64B0C8\",\"Service\":\"#6ED0E0\",\"Unlock\":\"#BADFF4\"},\"legendOpen\":true,\"title\":\"Logon Types\",\"vis\":{\"colors\":{\"CachedInteractive\":\"#6ED0E0\",\"Interactive\":\"#2F575E\",\"Network\":\"#447EBC\",\"RemoteInteractive\":\"#64B0C8\",\"Service\":\"#65C5DB\",\"Unlock\":\"#BADFF4\"},\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"cf50b48e-453c-46fb-ad35-7ccfb7b03de0\",\"w\":15,\"x\":18,\"y\":19},\"panelIndex\":\"cf50b48e-453c-46fb-ad35-7ccfb7b03de0\",\"panelRefName\":\"panel_8\",\"title\":\"Logon 
Types\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"a743ffe5-a2ac-4c0b-9b6f-a81563140c42\",\"w\":15,\"x\":33,\"y\":19},\"panelIndex\":\"a743ffe5-a2ac-4c0b-9b6f-a81563140c42\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"RDP Reconnections and Desconnections\"},\"gridData\":{\"h\":28,\"i\":\"454bb008-9720-455e-8ab9-b2f47d25aa4f\",\"w\":18,\"x\":18,\"y\":34},\"panelIndex\":\"454bb008-9720-455e-8ab9-b2f47d25aa4f\",\"panelRefName\":\"panel_10\",\"title\":\"RDP Reconnections and Desconnections\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":28,\"i\":\"29a0e70a-ab23-4d48-8d4e-9a39c5af47ad\",\"w\":12,\"x\":36,\"y\":34},\"panelIndex\":\"29a0e70a-ab23-4d48-8d4e-9a39c5af47ad\",\"panelRefName\":\"panel_11\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logout Details\"},\"gridData\":{\"h\":46,\"i\":\"28115147-8399-4fcd-95ce-ed0a4f4239e3\",\"w\":25,\"x\":23,\"y\":62},\"panelIndex\":\"28115147-8399-4fcd-95ce-ed0a4f4239e3\",\"panelRefName\":\"panel_12\",\"title\":\"Logout Details\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[Windows Security] User Logons", - "version": 1 - }, - "id": "windows-bae11b00-9bfc-11ea-87e4-49f31ec44891", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-804dd400-a248-11e9-a422-d144027429da", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-e2516c10-a249-11e9-a422-d144027429da", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-18348f30-a24d-11e9-a422-d144027429da", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-ce71c9a0-a25e-11e9-a422-d144027429da", - "name": "panel_3", - "type": "search" - }, - { - "id": "windows-a3c3f350-9b6d-11ea-87e4-49f31ec44891", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-0622da40-9bfd-11ea-87e4-49f31ec44891", - "name": 
"panel_5", - "type": "visualization" - }, - { - "id": "windows-860706a0-9bfd-11ea-87e4-49f31ec44891", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "windows-a909b930-685f-11ea-896f-0d70f7ec3956", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "windows-006d75f0-9c03-11ea-87e4-49f31ec44891", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-21aadac0-9c0b-11ea-87e4-49f31ec44891", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3", - "name": "panel_10", - "type": "search" - }, - { - "id": "windows-25f31ee0-9c23-11ea-87e4-49f31ec44891", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "windows-06b6b060-7a80-11ea-bc9a-0baf2ca323a3", - "name": "panel_12", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/dashboard/system-bb858830-f412-11e9-8405-516218e3d268.json b/packages/system/0.10.4/kibana/dashboard/system-bb858830-f412-11e9-8405-516218e3d268.json deleted file mode 100644 index b379eea763..0000000000 --- a/packages/system/0.10.4/kibana/dashboard/system-bb858830-f412-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,129 +0,0 @@ -{ - "attributes": { - "description": "Group management activity.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"22\",\"w\":16,\"x\":0,\"y\":0},\"panelIndex\":\"22\",\"panelRefName\":\"panel_0\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"29\",\"w\":16,\"x\":0,\"y\":68},\"panelIndex\":\"29\",\"panelRefName\":\"panel_1\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"30\",\"w\":9,\"x\":18,\"y\":48},\"panelIndex\":\"30\",\"panelRefName\":\"panel_2\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"31\",\"w\":9,\"x\":0,\"y\":48},\"panelIndex\":\"31\",\"panelRefName\":\"panel_3\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"32\",\"w\":9,\"x\":9,\"y\":48},\"panelIndex\":\"32\",\"panelRefName\":\"panel_4\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"33\",\"w\":17,\"x\":16,\"y\":68},\"panelIndex\":\"33\",\"panelRefName\":\"panel_5\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"34\",\"w\":15,\"x\":33,\"y\":68},\"panelIndex\":\"34\",\"panelRefName\":\"panel_6\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Creation Summary [Windows Security]\"},\"gridData\":{\"h\":13,\"i\":\"36\",\"w\":9,\"x\":0,\"y\":55},\"panelIndex\":\"36\",\"panelRefName\":\"panel_7\",\"title\":\"Group Creation Summary [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Changes Summary [Windows 
Security]\"},\"gridData\":{\"h\":13,\"i\":\"37\",\"w\":9,\"x\":9,\"y\":55},\"panelIndex\":\"37\",\"panelRefName\":\"panel_8\",\"title\":\"Group Changes Summary [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Deletion Summary [Windows Security]\"},\"gridData\":{\"h\":13,\"i\":\"38\",\"w\":9,\"x\":18,\"y\":55},\"panelIndex\":\"38\",\"panelRefName\":\"panel_9\",\"title\":\"Group Deletion Summary [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Users Added to Group Summary [Windows Security]\"},\"gridData\":{\"h\":14,\"i\":\"39\",\"w\":16,\"x\":0,\"y\":75},\"panelIndex\":\"39\",\"panelRefName\":\"panel_10\",\"title\":\"Users Added to Group Summary [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Users Removed From Group Summary [Windows Security]\"},\"gridData\":{\"h\":14,\"i\":\"40\",\"w\":17,\"x\":16,\"y\":75},\"panelIndex\":\"40\",\"panelRefName\":\"panel_11\",\"title\":\"Users Removed From Group Summary [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Enumeration - Table [Windows Security]\"},\"gridData\":{\"h\":14,\"i\":\"42\",\"w\":15,\"x\":33,\"y\":75},\"panelIndex\":\"42\",\"panelRefName\":\"panel_12\",\"title\":\"Group Enumeration - Table [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Details [Windows Security]\"},\"gridData\":{\"h\":20,\"i\":\"43\",\"w\":21,\"x\":27,\"y\":48},\"panelIndex\":\"43\",\"panelRefName\":\"panel_13\",\"title\":\"Logon Details [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Management Operations Details [Windows Security]\"},\"gridData\":{\"h\":22,\"i\":\"45\",\"w\":48,\"x\":0,\"y\":89},\"panelIndex\":\"45\",\"panelRefName\":\"panel_14\",\"title\":\"Group Management Operations Details [Windows 
Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-group-account\":\"#0A437C\",\"added-member-to-group\":\"#1F78C1\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#052B51\",\"user-member-enumerated\":\"#447EBC\"},\"vis\":{\"colors\":{\"added-group-account\":\"#0A437C\",\"added-member-to-group\":\"#1F78C1\",\"deleted-group-account\":\"#82B5D8\",\"modified-group-account\":\"#052B51\",\"user-member-enumerated\":\"#447EBC\"}}},\"gridData\":{\"h\":20,\"i\":\"3f7e277d-09d1-4a79-bc17-bc5da5a7e290\",\"w\":20,\"x\":0,\"y\":7},\"panelIndex\":\"3f7e277d-09d1-4a79-bc17-bc5da5a7e290\",\"panelRefName\":\"panel_15\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"8cda9d6a-096f-41a5-86e6-09dd1f6b9c98\",\"w\":16,\"x\":32,\"y\":7},\"panelIndex\":\"8cda9d6a-096f-41a5-86e6-09dd1f6b9c98\",\"panelRefName\":\"panel_16\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Management Events - Event Actions - Table [Windows Security]\"},\"gridData\":{\"h\":20,\"i\":\"74edddd5-2dc5-41b8-b4f2-bf9c95218f1b\",\"w\":12,\"x\":20,\"y\":7},\"panelIndex\":\"74edddd5-2dc5-41b8-b4f2-bf9c95218f1b\",\"panelRefName\":\"panel_17\",\"title\":\"Group Management Events - Event Actions - Table [Windows 
Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"vis\":null},\"gridData\":{\"h\":21,\"i\":\"33cef054-615a-49cb-bb2e-eb55fab96ae5\",\"w\":27,\"x\":0,\"y\":27},\"panelIndex\":\"33cef054-615a-49cb-bb2e-eb55fab96ae5\",\"panelRefName\":\"panel_18\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-group-account\":\"#1F78C1\",\"added-member-to-group\":\"#0A437C\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#0A50A1\",\"type-changed-group-account\":\"#82B5D8\",\"user-member-enumerated\":\"#447EBC\"},\"vis\":{\"colors\":{\"added-group-account\":\"#1F78C1\",\"added-member-to-group\":\"#0A437C\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#0A50A1\",\"removed-member-from-group\":\"#BADFF4\",\"type-changed-group-account\":\"#82B5D8\",\"user-member-enumerated\":\"#447EBC\"}}},\"gridData\":{\"h\":21,\"i\":\"e0d495aa-f897-403f-815b-6116fae330b7\",\"w\":21,\"x\":27,\"y\":27},\"panelIndex\":\"e0d495aa-f897-403f-815b-6116fae330b7\",\"panelRefName\":\"panel_19\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"663e0493-2070-407b-9d00-079915cce7e7\",\"w\":32,\"x\":16,\"y\":0},\"panelIndex\":\"663e0493-2070-407b-9d00-079915cce7e7\",\"panelRefName\":\"panel_20\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[Windows Security] Group Management Events", - "version": 1 - }, - "id": "windows-bb858830-f412-11e9-8405-516218e3d268", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-6f0f2ea0-f414-11e9-8405-516218e3d268", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-ffebe440-f419-11e9-8405-516218e3d268", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-e22c6f40-f498-11e9-8405-516218e3d268", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-ee292bc0-f499-11e9-8405-516218e3d268", - "name": "panel_3", - "type": 
"visualization" - }, - { - "id": "windows-400b63e0-f49a-11e9-8405-516218e3d268", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-a5f664c0-f49a-11e9-8405-516218e3d268", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-546febc0-f49b-11e9-8405-516218e3d268", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "windows-98884120-f49d-11e9-8405-516218e3d268", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "windows-9e534190-f49d-11e9-8405-516218e3d268", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-bb9cf7a0-f49d-11e9-8405-516218e3d268", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-ce867840-f49e-11e9-8405-516218e3d268", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "windows-fee83900-f49f-11e9-8405-516218e3d268", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "windows-bc165210-f4b8-11e9-8405-516218e3d268", - "name": "panel_12", - "type": "visualization" - }, - { - "id": "windows-7e178c80-fee1-11e9-8405-516218e3d268", - "name": "panel_13", - "type": "search" - }, - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "panel_14", - "type": "search" - }, - { - "id": "windows-b89b0c90-9b41-11ea-87e4-49f31ec44891", - "name": "panel_15", - "type": "visualization" - }, - { - "id": "windows-58fb9480-9b46-11ea-87e4-49f31ec44891", - "name": "panel_16", - "type": "visualization" - }, - { - "id": "windows-33462600-9b47-11ea-87e4-49f31ec44891", - "name": "panel_17", - "type": "visualization" - }, - { - "id": "windows-e20c02d0-9b48-11ea-87e4-49f31ec44891", - "name": "panel_18", - "type": "visualization" - }, - { - "id": "windows-7de2e3f0-9b4d-11ea-87e4-49f31ec44891", - "name": "panel_19", - "type": "visualization" - }, - { - "id": "windows-a3c3f350-9b6d-11ea-87e4-49f31ec44891", - "name": "panel_20", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file 
diff --git a/packages/system/0.10.4/kibana/dashboard/system-d401ef40-a7d5-11e9-a422-d144027429da.json b/packages/system/0.10.4/kibana/dashboard/system-d401ef40-a7d5-11e9-a422-d144027429da.json
deleted file mode 100644
index 3936b5ec35..0000000000
--- a/packages/system/0.10.4/kibana/dashboard/system-d401ef40-a7d5-11e9-a422-d144027429da.json
+++ /dev/null
@@ -1,84 +0,0 @@ -{ - "attributes": { - "description": "Failed and blocked accounts with TSVB metrics.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"1\",\"w\":14,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"Failed Logins\":\"#EF843C\",\"Failed Logons\":\"#E24D42\",\"Successful Login\":\"#B7DBAB\",\"Successful Logon\":\"#9AC48A\"},\"legendOpen\":true,\"title\":\"Login Successful vs Failed\",\"vis\":{\"colors\":{\"Failed Logins\":\"#EF843C\",\"Failed Logons\":\"#BF1B00\",\"Successful Login\":\"#B7DBAB\",\"Successful Logon\":\"#9AC48A\"},\"legendOpen\":true}},\"gridData\":{\"h\":18,\"i\":\"2\",\"w\":12,\"x\":0,\"y\":7},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"title\":\"Login Successful vs Failed\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Blocked Acoounts\"},\"gridData\":{\"h\":21,\"i\":\"3\",\"w\":11,\"x\":12,\"y\":35},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"title\":\"Blocked Acoounts\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"Login Failed\":\"#F9934E\",\"Login OK\":\"#9AC48A\",\"Logon Failed\":\"#E24D42\",\"Logon Successful\":\"#9AC48A\"},\"legendOpen\":true,\"title\":\"Logon Successful and Failed Over time\",\"vis\":{\"colors\":{\"Login Failed\":\"#F9934E\",\"Login OK\":\"#9AC48A\",\"Logon Failed\":\"#BF1B00\",\"Logon Successful\":\"#9AC48A\"},\"legendOpen\":true}},\"gridData\":{\"h\":18,\"i\":\"4\",\"w\":23,\"x\":12,\"y\":7},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"title\":\"Logon Successful and Failed Over 
time\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"5\",\"w\":12,\"x\":0,\"y\":35},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Failed (Time Mosaic View)\",\"vis\":{\"defaultColors\":{\"0 - 5\":\"rgb(255,245,240)\",\"10 - 15\":\"rgb(252,138,106)\",\"15 - 20\":\"rgb(241,68,50)\",\"20 - 24\":\"rgb(188,20,26)\",\"5 - 10\":\"rgb(253,202,181)\"},\"legendOpen\":false}},\"gridData\":{\"h\":30,\"i\":\"6\",\"w\":48,\"x\":0,\"y\":56},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"title\":\"Logon Failed (Time Mosaic View)\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Failed and Account Lockouts\"},\"gridData\":{\"h\":20,\"i\":\"8\",\"w\":48,\"x\":0,\"y\":86},\"panelIndex\":\"8\",\"panelRefName\":\"panel_6\",\"title\":\"Logon Failed and Account Lockouts\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Failed Source IPs\"},\"gridData\":{\"h\":18,\"i\":\"10\",\"w\":13,\"x\":35,\"y\":7},\"panelIndex\":\"10\",\"panelRefName\":\"panel_7\",\"title\":\"Logon Failed Source IPs\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Failed Logins Table\"},\"gridData\":{\"h\":31,\"i\":\"11\",\"w\":25,\"x\":23,\"y\":25},\"panelIndex\":\"11\",\"panelRefName\":\"panel_8\",\"title\":\"Failed Logins 
Table\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"628de26f-7b7b-457c-b811-e06161e4e7b4\",\"w\":34,\"x\":14,\"y\":0},\"panelIndex\":\"628de26f-7b7b-457c-b811-e06161e4e7b4\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":10,\"i\":\"01a624c2-7a86-4fa9-89d3-e2ae84e94ec9\",\"w\":12,\"x\":0,\"y\":25},\"panelIndex\":\"01a624c2-7a86-4fa9-89d3-e2ae84e94ec9\",\"panelRefName\":\"panel_10\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":10,\"i\":\"e3046900-1ffc-4efa-9dab-613d685c617b\",\"w\":11,\"x\":12,\"y\":25},\"panelIndex\":\"e3046900-1ffc-4efa-9dab-613d685c617b\",\"panelRefName\":\"panel_11\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[Windows Security] Failed and Blocked Accounts", - "version": 1 - }, - "id": "windows-d401ef40-a7d5-11e9-a422-d144027429da", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-c2ea73f0-a4bd-11e9-a422-d144027429da", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-175a5760-a7d5-11e9-a422-d144027429da", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-7a329a00-a7d5-11e9-a422-d144027429da", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-162d7ab0-a7d6-11e9-a422-d144027429da", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-729443b0-a7d6-11e9-a422-d144027429da", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-4b683ac0-a7d7-11e9-a422-d144027429da", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-757510b0-a87f-11e9-a422-d144027429da", - "name": "panel_6", - "type": "search" - }, - { - "id": "windows-2084e300-a884-11e9-a422-d144027429da", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "windows-421f0610-af98-11e9-a422-d144027429da", - "name": 
"panel_8", - "type": "visualization" - }, - { - "id": "windows-a3c3f350-9b6d-11ea-87e4-49f31ec44891", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-8ef59f90-6ab8-11ea-896f-0d70f7ec3956", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "windows-a79395f0-6aba-11ea-896f-0d70f7ec3956", - "name": "panel_11", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/dashboard/system-f49f3170-9ffc-11ea-87e4-49f31ec44891.json b/packages/system/0.10.4/kibana/dashboard/system-f49f3170-9ffc-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 1cff15d29f..0000000000 --- a/packages/system/0.10.4/kibana/dashboard/system-f49f3170-9ffc-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,84 +0,0 @@ -{ - "attributes": { - "description": "Failed and blocked accounts.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"1\",\"w\":14,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"Failed Logins\":\"#EF843C\",\"Failed Logons\":\"#E24D42\",\"Successful Login\":\"#B7DBAB\",\"Successful Logon\":\"#9AC48A\"},\"legendOpen\":true,\"title\":\"Login Successful vs Failed\",\"vis\":{\"colors\":{\"Failed Logins\":\"#EF843C\",\"Failed Logons\":\"#BF1B00\",\"Successful Login\":\"#B7DBAB\",\"Successful Logon\":\"#9AC48A\"},\"legendOpen\":true}},\"gridData\":{\"h\":18,\"i\":\"2\",\"w\":12,\"x\":0,\"y\":7},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"title\":\"Login Successful vs Failed\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Blocked Acoounts\"},\"gridData\":{\"h\":21,\"i\":\"3\",\"w\":11,\"x\":12,\"y\":35},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"title\":\"Blocked Acoounts\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"Login Failed\":\"#F9934E\",\"Login OK\":\"#9AC48A\",\"Logon Failed\":\"#E24D42\",\"Logon Successful\":\"#9AC48A\"},\"legendOpen\":true,\"title\":\"Logon Successful and Failed Over time\",\"vis\":{\"colors\":{\"Login Failed\":\"#F9934E\",\"Login OK\":\"#9AC48A\",\"Logon Failed\":\"#BF1B00\",\"Logon Successful\":\"#9AC48A\"},\"legendOpen\":true}},\"gridData\":{\"h\":18,\"i\":\"4\",\"w\":23,\"x\":12,\"y\":7},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"title\":\"Logon Successful and Failed Over 
time\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"5\",\"w\":12,\"x\":0,\"y\":35},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Failed (Time Mosaic View)\",\"vis\":{\"defaultColors\":{\"0 - 5\":\"rgb(255,245,240)\",\"10 - 15\":\"rgb(252,138,106)\",\"15 - 20\":\"rgb(241,68,50)\",\"20 - 24\":\"rgb(188,20,26)\",\"5 - 10\":\"rgb(253,202,181)\"},\"legendOpen\":false}},\"gridData\":{\"h\":30,\"i\":\"6\",\"w\":48,\"x\":0,\"y\":56},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"title\":\"Logon Failed (Time Mosaic View)\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Failed and Account Lockouts\"},\"gridData\":{\"h\":20,\"i\":\"8\",\"w\":48,\"x\":0,\"y\":86},\"panelIndex\":\"8\",\"panelRefName\":\"panel_6\",\"title\":\"Logon Failed and Account Lockouts\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Failed Source IPs\"},\"gridData\":{\"h\":18,\"i\":\"10\",\"w\":13,\"x\":35,\"y\":7},\"panelIndex\":\"10\",\"panelRefName\":\"panel_7\",\"title\":\"Logon Failed Source IPs\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Failed Logins Table\"},\"gridData\":{\"h\":31,\"i\":\"11\",\"w\":25,\"x\":23,\"y\":25},\"panelIndex\":\"11\",\"panelRefName\":\"panel_8\",\"title\":\"Failed Logins 
Table\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"a79ee89f-ff45-486c-9788-9446d39456c2\",\"w\":34,\"x\":14,\"y\":0},\"panelIndex\":\"a79ee89f-ff45-486c-9788-9446d39456c2\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":10,\"i\":\"7765df59-11c4-476d-898f-9ebf98c369e2\",\"w\":11,\"x\":12,\"y\":25},\"panelIndex\":\"7765df59-11c4-476d-898f-9ebf98c369e2\",\"panelRefName\":\"panel_10\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":10,\"i\":\"b47c91d3-58c4-4b5b-b302-444b048efdfa\",\"w\":12,\"x\":0,\"y\":25},\"panelIndex\":\"b47c91d3-58c4-4b5b-b302-444b048efdfa\",\"panelRefName\":\"panel_11\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[Windows Security] Failed and Blocked Accounts - Simple Metrics", - "version": 1 - }, - "id": "windows-f49f3170-9ffc-11ea-87e4-49f31ec44891", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-c2ea73f0-a4bd-11e9-a422-d144027429da", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-175a5760-a7d5-11e9-a422-d144027429da", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-7a329a00-a7d5-11e9-a422-d144027429da", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-162d7ab0-a7d6-11e9-a422-d144027429da", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-729443b0-a7d6-11e9-a422-d144027429da", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-4b683ac0-a7d7-11e9-a422-d144027429da", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-757510b0-a87f-11e9-a422-d144027429da", - "name": "panel_6", - "type": "search" - }, - { - "id": "windows-2084e300-a884-11e9-a422-d144027429da", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "windows-421f0610-af98-11e9-a422-d144027429da", 
- "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-d770b040-9b35-11ea-87e4-49f31ec44891", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-5d117970-9ffd-11ea-87e4-49f31ec44891", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "windows-4bedf650-9ffd-11ea-87e4-49f31ec44891", - "name": "panel_11", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/search/system-06b6b060-7a80-11ea-bc9a-0baf2ca323a3.json b/packages/system/0.10.4/kibana/search/system-06b6b060-7a80-11ea-bc9a-0baf2ca323a3.json deleted file mode 100644 index 0b73c97bde..0000000000 --- a/packages/system/0.10.4/kibana/search/system-06b6b060-7a80-11ea-bc9a-0baf2ca323a3.json +++ /dev/null 
@@ -1,50 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.name", - "user.domain", - "winlog.logon.id", - "event.action", - "winlog.logon.type", - "winlog.event_data.SubjectUserName" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4625\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"4625\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "User Logouts [Windows Security]", - "version": 1 - }, - "id": "windows-06b6b060-7a80-11ea-bc9a-0baf2ca323a3", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file 
diff --git a/packages/system/0.10.4/kibana/search/system-324686c0-fefb-11e9-8405-516218e3d268.json b/packages/system/0.10.4/kibana/search/system-324686c0-fefb-11e9-8405-516218e3d268.json deleted file mode 100644 index 2f987e17c9..0000000000 --- a/packages/system/0.10.4/kibana/search/system-324686c0-fefb-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "attributes": { - "columns": [ - "event.action", - "winlog.event_data.TargetUserName", - "user.domain", - "user.name", - "winlog.event_data.SubjectDomainName", - "winlog.logon.id", - "related.user" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4720\",\"4722\",\"4723\",\"4724\",\"4725\",\"4726\",\"4738\",\"4740\",\"4767\",\"4781\",\"4798\"],\"type\":\"phrases\",\"value\":\"4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740, 4767, 4781, 4798\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4720\"}},{\"match_phrase\":{\"event.code\":\"4722\"}},{\"match_phrase\":{\"event.code\":\"4723\"}},{\"match_phrase\":{\"event.code\":\"4724\"}},{\"match_phrase\":{\"event.code\":\"4725\"}},{\"match_phrase\":{\"event.code\":\"4726\"}},{\"match_phrase\":{\"event.code\":\"4738\"}},{\"match_phrase\":{\"event.code\":\"4740\"}},{\"match_phrase\":{\"event.code\":\"4767\"}},{\"match_phrase\":{\"event.code\":\"4781\"}},{\"match_phrase\":{\"event.code\":\"4798\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "User management Details - Search [Windows Security]", - "version": 1 - }, - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - 
"type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/search/system-62439dc0-f9c9-11e6-a747-6121780e0414.json b/packages/system/0.10.4/kibana/search/system-62439dc0-f9c9-11e6-a747-6121780e0414.json deleted file mode 100644 index abdd218801..0000000000 --- a/packages/system/0.10.4/kibana/search/system-62439dc0-f9c9-11e6-a747-6121780e0414.json +++ /dev/null @@ -1,33 +0,0 @@ -{ - "attributes": { - "columns": [ - "system.auth.ssh.event", - "system.auth.ssh.method", - "user.name", - "source.ip", - "source.geo.country_iso_code" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:system.auth AND system.auth.ssh.event:*\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "SSH login attempts [Logs System]", - "version": 1 - }, - "id": "system-62439dc0-f9c9-11e6-a747-6121780e0414", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/search/system-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3.json b/packages/system/0.10.4/kibana/search/system-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3.json deleted file mode 100644 index f1f985f535..0000000000 --- a/packages/system/0.10.4/kibana/search/system-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3.json +++ /dev/null 
@@ -1,44 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.name", - "source.domain", - "source.ip", - "winlog.logon.id", - "event.action" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4778\",\"4779\"],\"type\":\"phrases\",\"value\":\"4778, 4779\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4778\"}},{\"match_phrase\":{\"event.code\":\"4779\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Remote Interactive Connections and Disconnections [Windows Security]", - "version": 1 - }, - "id": "windows-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/search/system-757510b0-a87f-11e9-a422-d144027429da.json b/packages/system/0.10.4/kibana/search/system-757510b0-a87f-11e9-a422-d144027429da.json deleted file mode 100644 index 5507975b23..0000000000 --- a/packages/system/0.10.4/kibana/search/system-757510b0-a87f-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,51 +0,0 @@ -{ - "attributes": { - "columns": [ - "event.action", - "user.name", - "related.user", - "user.domain", - "source.domain", - "source.ip", - "winlog.event_data.SubjectUserName" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4625\",\"4740\"],\"type\":\"phrases\",\"value\":\"4625, 4740\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4625\"}},{\"match_phrase\":{\"event.code\":\"4740\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "3. 
Login Failed Details", - "version": 1 - }, - "id": "windows-757510b0-a87f-11e9-a422-d144027429da", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/search/system-7e178c80-fee1-11e9-8405-516218e3d268.json b/packages/system/0.10.4/kibana/search/system-7e178c80-fee1-11e9-8405-516218e3d268.json deleted file mode 100644 index 3c91e58e3d..0000000000 --- a/packages/system/0.10.4/kibana/search/system-7e178c80-fee1-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,44 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.name", - "source.domain", - "source.ip", - "winlog.logon.id", - "winlog.logon.type" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4624\"],\"type\":\"phrases\",\"value\":\"4624\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4624\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Logon Details [Windows Security]", - "version": 1 - }, - "id": "windows-7e178c80-fee1-11e9-8405-516218e3d268", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/search/system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab.json b/packages/system/0.10.4/kibana/search/system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab.json deleted file mode 100644 index ae1484339a..0000000000 --- a/packages/system/0.10.4/kibana/search/system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.name", - "user.id", - "group.id", - "system.auth.useradd.home", - "system.auth.useradd.shell" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.useradd:*\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "useradd logs [Logs System]", - "version": 1 - }, - "id": "system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/search/system-9066d5b0-fef2-11e9-8405-516218e3d268.json b/packages/system/0.10.4/kibana/search/system-9066d5b0-fef2-11e9-8405-516218e3d268.json deleted file mode 100644 index 075cb8a083..0000000000 --- a/packages/system/0.10.4/kibana/search/system-9066d5b0-fef2-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,45 +0,0 @@ -{ - "attributes": { - "columns": [ - "event.action", - "group.name", - "group.domain", - "user.name", - "user.domain", - "host.name" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4731\",\"4732\",\"4733\",\"4734\",\"4735\",\"4737\",\"4764\",\"4727\",\"4728\",\"4729\",\"4730\",\"4754\",\"4755\",\"4756\",\"4757\",\"4758\",\"4799\",\"4749\",\"4750\",\"4751\",\"4752\",\"4753\",\"4759\",\"4760\",\"4761\",\"4762\",\"4763\",\"4744\",\"4745\",\"4746\",\"4748\"],\"type\":\"phrases\",\"value\":\"4731, 4732, 4733, 4734, 4735, 4737, 4764, 4727, 4728, 4729, 4730, 4754, 4755, 4756, 4757, 4758, 4799, 4749, 4750, 4751, 4752, 4753, 4759, 4760, 4761, 4762, 4763, 4744, 4745, 4746, 4748\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4731\"}},{\"match_phrase\":{\"event.code\":\"4732\"}},{\"match_phrase\":{\"event.code\":\"4733\"}},{\"match_phrase\":{\"event.code\":\"4734\"}},{\"match_phrase\":{\"event.code\":\"4735\"}},{\"match_phrase\":{\"event.code\":\"4737\"}},{\"match_phrase\":{\"event.code\":\"4764\"}},{\"match_phrase\":{\"event.code\":\"4727\"}},{\"match_phrase\":{\"event.code\":\"4728\"}},{\"match_phrase\":{\"event.code\":\"4729\"}},{\"match_phrase\":{\"event.code\":\"4730\"}},{\"match_phrase\":{\"event.code\":\"4754\"}},{\"match_phrase\":{\"event.code\":\"4755\"}},{\"match_phrase\":{\"event.code\":\"4756\"}},{\"match_phrase\":{\"event.code\":\"4757\"}},{\"match_phrase\":{\"event.code\":\"4758\"}},{\"match_phrase\":{\"event.code\":\"4799\"}},{\"match_phrase\":{\"event.code\":\"4749\"}},{\"match_phrase\":{\"event.code\":\"4750\"}},{\"match_phrase\":{\"event.code\":\"4751\"}},{\"match_phrase\":{\"event.code\":\"4752\"}},{\"match_phrase\":{\"even
t.code\":\"4753\"}},{\"match_phrase\":{\"event.code\":\"4759\"}},{\"match_phrase\":{\"event.code\":\"4760\"}},{\"match_phrase\":{\"event.code\":\"4761\"}},{\"match_phrase\":{\"event.code\":\"4762\"}},{\"match_phrase\":{\"event.code\":\"4763\"}},{\"match_phrase\":{\"event.code\":\"4744\"}},{\"match_phrase\":{\"event.code\":\"4745\"}},{\"match_phrase\":{\"event.code\":\"4746\"}},{\"match_phrase\":{\"event.code\":\"4748\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Group Management Details - Search View [Windows Security]", - "version": 1 - }, - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/search/system-Syslog-system-logs.json b/packages/system/0.10.4/kibana/search/system-Syslog-system-logs.json deleted file mode 100644 index 6a2ef982d2..0000000000 --- a/packages/system/0.10.4/kibana/search/system-Syslog-system-logs.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "columns": [ - "host.hostname", - "process.name", - "message" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:system.syslog\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Syslog logs [Logs System]", - "version": 1 - }, - "id": "system-Syslog-system-logs", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/search/system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a.json b/packages/system/0.10.4/kibana/search/system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a.json deleted file mode 100644 index e64a483853..0000000000 --- a/packages/system/0.10.4/kibana/search/system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.name", - "system.auth.sudo.user", - "system.auth.sudo.pwd", - "system.auth.sudo.command" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.sudo:*\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Sudo commands [Logs System]", - "version": 1 - }, - "id": "system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/search/system-ce71c9a0-a25e-11e9-a422-d144027429da.json b/packages/system/0.10.4/kibana/search/system-ce71c9a0-a25e-11e9-a422-d144027429da.json deleted file mode 100644 index b7a3f89050..0000000000 --- a/packages/system/0.10.4/kibana/search/system-ce71c9a0-a25e-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,44 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.name", - "winlog.logon.type", - "source.domain", - "source.ip", - "winlog.logon.id" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4624\"},\"type\":\"phrase\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4624\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "User Logons [Windows Security]", - "version": 1 - }, - "id": "windows-ce71c9a0-a25e-11e9-a422-d144027429da", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/search/system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38.json b/packages/system/0.10.4/kibana/search/system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38.json deleted file mode 100644 index e05ac92d9b..0000000000 --- a/packages/system/0.10.4/kibana/search/system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "columns": [ - "group.name", - "group.id" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.groupadd:*\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "groupadd logs [Logs System]", - "version": 1 - }, - "id": "system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-006d75f0-9c03-11ea-87e4-49f31ec44891.json b/packages/system/0.10.4/kibana/visualization/system-006d75f0-9c03-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 6e0b3e1461..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-006d75f0-9c03-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4624\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"4624\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Logon Types [Windows Security]", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"winlog.logon.id\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"winlog.logon.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"label\":\"user.name: Descending\",\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"cardinality\",\"format\":{\"id\":\"number\"},\"label\":\"Unique count of winlog.logon.id\",\"params\":{}}},\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Logon Types [Windows Security]\",\"type\":\"pie\"}" - }, - "id": "windows-006d75f0-9c03-11ea-87e4-49f31ec44891", - "migrationVersion": { - 
"visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.4/kibana/visualization/system-0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 5385f1ebf7..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4722\"},\"type\":\"phrase\",\"value\":\"4722\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4722\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Enabled - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Enabled User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Enabled - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-0622da40-9bfd-11ea-87e4-49f31ec44891.json b/packages/system/0.10.4/kibana/visualization/system-0622da40-9bfd-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 9cccbc53a6..0000000000 
--- a/packages/system/0.10.4/kibana/visualization/system-0622da40-9bfd-11ea-87e4-49f31ec44891.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Administrator Logons [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"d5bcde50-9bfc-11ea-aaa3-618beeff2d9c\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(181,49,0,1)\",\"id\":\"16018150-9bfd-11ea-aaa3-618beeff2d9c\",\"operator\":\"gte\",\"value\":0}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"filter\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.security AND event.code: \\\"4672\\\")\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Administrator Logons\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Administrator Logons [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-0622da40-9bfd-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.4/kibana/visualization/system-089b85d0-1b16-11e7-b09e-037021c4f8df.json b/packages/system/0.10.4/kibana/visualization/system-089b85d0-1b16-11e7-b09e-037021c4f8df.json deleted file mode 100644 index 40175102f6..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-089b85d0-1b16-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Network Traffic (Bytes) [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"lucene\",\"query\":\"-system.network.name:l*\"},\"id\":\"da1046f0-faa0-11e6-86b1-cd7735ff7e23\",\"index_pattern\":\"*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"da1046f1-faa0-11e6-86b1-cd7735ff7e23\",\"label\":\"Inbound \",\"line_width\":\"0\",\"metrics\":[{\"field\":\"system.network.in.bytes\",\"id\":\"da1046f2-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"max\"},{\"field\":\"da1046f2-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"f41f9280-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"field\":\"f41f9280-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"a87398e0-1b93-11e7-8ada-3df93aab833e\",\"type\":\"positive_only\",\"unit\":\"\"},{\"function\":\"sum\",\"id\":\"2d533df0-2c2d-11e7-be71-3162da85303f\",\"type\":\"series_agg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(250,40,255,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"fbbd5720-faa0-11e6-86b1-cd7735ff7e23\",\"label\":\"Outbound 
\",\"line_width\":\"0\",\"metrics\":[{\"field\":\"system.network.out.bytes\",\"id\":\"fbbd7e30-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"max\"},{\"field\":\"fbbd7e30-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"fbbd7e31-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"id\":\"17e597a0-faa1-11e6-86b1-cd7735ff7e23\",\"script\":\"params.rate != null \\u0026\\u0026 params.rate \\u003e 0 ? params.rate * -1 : null\",\"type\":\"calculation\",\"variables\":[{\"field\":\"fbbd7e31-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"1940bad0-faa1-11e6-86b1-cd7735ff7e23\",\"name\":\"rate\"}]},{\"function\":\"sum\",\"id\":\"533da9b0-2c2d-11e7-be71-3162da85303f\",\"type\":\"series_agg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"Mericbeat: Network Traffic (Bytes)\",\"type\":\"metrics\"}" - }, - "id": "system-089b85d0-1b16-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-0cb2d940-bcde-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.4/kibana/visualization/system-0cb2d940-bcde-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index aa62566ae2..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-0cb2d940-bcde-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4725\"},\"type\":\"phrase\",\"value\":\"4725\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4725\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Disabled - Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Disabled Users\",\"field\":\"user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Disabled - Simple Metric [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-0cb2d940-bcde-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of 
file diff --git a/packages/system/0.10.4/kibana/visualization/system-0f2f5280-feeb-11e9-8405-516218e3d268.json b/packages/system/0.10.4/kibana/visualization/system-0f2f5280-feeb-11e9-8405-516218e3d268.json deleted file mode 100644 index a01efe4b67..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-0f2f5280-feeb-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4799\"},\"type\":\"phrase\",\"value\":\"4799\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4799\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Group Membership Enumeration - Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Group Membership Enumerated\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Blues\",\"colorsRange\":[{\"from\":0,\"to\":500,\"type\":\"range\"},{\"from\":500,\"to\":20000},{\"from\":20000,\"to\":30000},{\"from\":30000,\"to\":40000}],\"invertColors\":true,\"labels\":{\"show\":true},\"metricColorMode\":\"Labels\",\"percentageMode\":false,\"style\":{\"bgColor\":true,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Group Membership Enumeration - Simple Metric [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-0f2f5280-feeb-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-102efd20-bcdd-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.4/kibana/visualization/system-102efd20-bcdd-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 478633bdbd..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-102efd20-bcdd-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4720\"},\"type\":\"phrase\",\"value\":\"4720\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4720\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Created - Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Users Created\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Created - Simple Metric [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-102efd20-bcdd-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.4/kibana/visualization/system-117f5a30-9b71-11ea-87e4-49f31ec44891.json b/packages/system/0.10.4/kibana/visualization/system-117f5a30-9b71-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 3f10e8d002..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-117f5a30-9b71-11ea-87e4-49f31ec44891.json +++ /dev/null @@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Target Users [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Target Users [Windows Security]\",\"type\":\"tagcloud\"}" - }, - "id": "windows-117f5a30-9b71-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-12667040-fa80-11e6-a1df-a78bd7504d38.json b/packages/system/0.10.4/kibana/visualization/system-12667040-fa80-11e6-a1df-a78bd7504d38.json deleted file mode 100644 index 8c5d8b0366..0000000000 
--- a/packages/system/0.10.4/kibana/visualization/system-12667040-fa80-11e6-a1df-a78bd7504d38.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New groups [Logs System]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"group.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"group.id\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"New groups\",\"type\":\"table\"}" - }, - "id": "system-12667040-fa80-11e6-a1df-a78bd7504d38", - "references": [ - { - "id": "system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-162d7ab0-a7d6-11e9-a422-d144027429da.json b/packages/system/0.10.4/kibana/visualization/system-162d7ab0-a7d6-11e9-a422-d144027429da.json deleted file mode 100644 index 749503b56b..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-162d7ab0-a7d6-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Logon Successful - Logon Failed Timeline [Windows Security]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Login Failed\":\"#F9934E\",\"Login OK\":\"#9AC48A\",\"Logon Failed\":\"#EF843C\",\"Logon Successful\":\"#9AC48A\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"2020-05-17T09:37:55.995Z\",\"to\":\"2020-05-22T03:09:27.260Z\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"filters\":[{\"input\":{\"language\":\"lucene\",\"query\":\"event.code: 4624\"},\"label\":\"Logon Successful\"},{\"input\":{\"language\":\"lucene\",\"query\":\"event.code: 4625\"},\"label\":\"Logon 
Failed\"}]},\"schema\":\"group\",\"type\":\"filters\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"dimensions\":{\"series\":[{\"accessor\":1,\"aggType\":\"filters\",\"format\":{},\"params\":{}}],\"x\":{\"accessor\":0,\"aggType\":\"date_histogram\",\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"HH:mm\"}},\"params\":{\"bounds\":{\"max\":\"2019-07-16T14:30:11.515Z\",\"min\":\"2019-07-16T12:30:11.514Z\"},\"date\":true,\"format\":\"HH:mm\",\"interval\":\"PT1M\"}},\"y\":[{\"accessor\":2,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"bottom\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Logon Successful - Logon Failed Timeline [Windows Security]\",\"type\":\"histogram\"}" - }, - "id": "windows-162d7ab0-a7d6-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-175a5760-a7d5-11e9-a422-d144027429da.json b/packages/system/0.10.4/kibana/visualization/system-175a5760-a7d5-11e9-a422-d144027429da.json deleted file mode 100644 index 86075806f2..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-175a5760-a7d5-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Logon Successful vs Failed [Windows Security]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Failed Logins\":\"#EF843C\",\"Failed Logons\":\"#EA6460\",\"Successful Login\":\"#B7DBAB\",\"Successful Logon\":\"#B7DBAB\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"filters\":[{\"input\":{\"language\":\"lucene\",\"query\":\"event.code: 4624\"},\"label\":\"Successful Logon\"},{\"input\":{\"language\":\"lucene\",\"query\":\"event.code: 4625\"},\"label\":\"Failed Logons\"}]},\"schema\":\"segment\",\"type\":\"filters\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"filters\",\"format\":{},\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}},\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"bottom\",\"type\":\"pie\"},\"title\":\"Logon Successful vs Failed [Windows Security]\",\"type\":\"pie\"}" - }, - "id": "windows-175a5760-a7d5-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": 
"logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-18348f30-a24d-11e9-a422-d144027429da.json b/packages/system/0.10.4/kibana/visualization/system-18348f30-a24d-11e9-a422-d144027429da.json deleted file mode 100644 index 4c2305d126..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-18348f30-a24d-11e9-a422-d144027429da.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "User Logon Dashboard [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":10,\"markdown\":\"## **Logon Information Dashboard**\",\"openLinksInNewTab\":false},\"title\":\"User Logon Dashboard [Windows Security]\",\"type\":\"markdown\"}" - }, - "id": "windows-18348f30-a24d-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-19e123b0-4d5a-11e7-aee5-fdc812cc3bec.json b/packages/system/0.10.4/kibana/visualization/system-19e123b0-4d5a-11e7-aee5-fdc812cc3bec.json deleted file mode 100644 index dfaa630e4a..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-19e123b0-4d5a-11e7-aee5-fdc812cc3bec.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Swap usage [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.memory\\\"\"},\"gauge_color_rules\":[{\"gauge\":\"rgba(104,188,0,1)\",\"id\":\"d17c1e90-4d59-11e7-aee5-fdc812cc3bec\",\"operator\":\"gte\",\"value\":0},{\"gauge\":\"rgba(251,158,0,1)\",\"id\":\"fc1d3490-4d59-11e7-aee5-fdc812cc3bec\",\"operator\":\"gte\",\"value\":0.7},{\"gauge\":\"rgba(211,49,21,1)\",\"id\":\"0e204240-4d5a-11e7-aee5-fdc812cc3bec\",\"operator\":\"gte\",\"value\":0.85}],\"gauge_inner_width\":10,\"gauge_max\":\"\",\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"cee2fd20-4d59-11e7-aee5-fdc812cc3bec\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"cee2fd21-4d59-11e7-aee5-fdc812cc3bec\",\"label\":\"Swap usage\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.swap.used.pct\",\"id\":\"cee2fd22-4d59-11e7-aee5-fdc812cc3bec\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\"},\"title\":\"Swap usage [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-19e123b0-4d5a-11e7-aee5-fdc812cc3bec", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.4/kibana/visualization/system-1aae9140-1b93-11e7-8ada-3df93aab833e.json b/packages/system/0.10.4/kibana/visualization/system-1aae9140-1b93-11e7-8ada-3df93aab833e.json deleted file mode 100644 index 1c420ec4c8..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-1aae9140-1b93-11e7-8ada-3df93aab833e.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Outbound Traffic [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"0e346760-1b92-11e7-bec4-a5e9ec5cab8b\"}],\"filter\":{\"language\":\"lucene\",\"query\":\"-system.network.name:l*\"},\"id\":\"0c761590-1b92-11e7-bec4-a5e9ec5cab8b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"0c761591-1b92-11e7-bec4-a5e9ec5cab8b\",\"label\":\"Outbound Traffic\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.out.bytes\",\"id\":\"0c761592-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"max\"},{\"field\":\"0c761592-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"1d659060-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"field\":\"1d659060-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"f2074f70-1b92-11e7-a416-41f5ccdba2e6\",\"type\":\"positive_only\",\"unit\":\"\"},{\"function\":\"sum\",\"id\":\"a1737470-2c55-11e7-a0ad-277ce466684d\",\"type\":\"series_agg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"37f70440-1b92-11e7-bec4-a5e9ec5cab8b\",\"label\":\"Total 
Transferred\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.out.bytes\",\"id\":\"37f72b50-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"max\"},{\"field\":\"37f72b50-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"37f72b51-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"derivative\",\"unit\":\"\"},{\"field\":\"37f72b51-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"f9da2dd0-1b92-11e7-a416-41f5ccdba2e6\",\"type\":\"positive_only\",\"unit\":\"\"},{\"field\":\"f9da2dd0-1b92-11e7-a416-41f5ccdba2e6\",\"function\":\"overall_sum\",\"id\":\"3e63c2f0-1b92-11e7-bec4-a5e9ec5cab8b\",\"sigma\":\"\",\"type\":\"series_agg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"metric\"},\"title\":\"Outbound Traffic [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-1aae9140-1b93-11e7-8ada-3df93aab833e", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-1b5f17d0-feea-11e9-8405-516218e3d268.json b/packages/system/0.10.4/kibana/visualization/system-1b5f17d0-feea-11e9-8405-516218e3d268.json deleted file mode 100644 index e26a53b02e..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-1b5f17d0-feea-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4733\",\"4729\",\"4757\",\"4786\",\"4788\",\"4752\",\"4762\",\"4747\"],\"type\":\"phrases\",\"value\":\"4733, 4729, 4757, 4786, 4788, 4752, 4762, 4747\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4733\"}},{\"match_phrase\":{\"event.code\":\"4729\"}},{\"match_phrase\":{\"event.code\":\"4757\"}},{\"match_phrase\":{\"event.code\":\"4786\"}},{\"match_phrase\":{\"event.code\":\"4788\"}},{\"match_phrase\":{\"event.code\":\"4752\"}},{\"match_phrase\":{\"event.code\":\"4762\"}},{\"match_phrase\":{\"event.code\":\"4747\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Removed from Group - Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Users Removed from 
Groups\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Greens\",\"colorsRange\":[{\"from\":0,\"to\":1,\"type\":\"range\"},{\"from\":1,\"to\":5},{\"from\":5,\"to\":9},{\"from\":9,\"to\":13},{\"from\":13,\"to\":17},{\"from\":17,\"to\":20000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"Labels\",\"percentageMode\":false,\"style\":{\"bgColor\":true,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Removed from Group - Simple Metric [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-1b5f17d0-feea-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-1b6725f0-ff1d-11e9-8405-516218e3d268.json b/packages/system/0.10.4/kibana/visualization/system-1b6725f0-ff1d-11e9-8405-516218e3d268.json deleted file mode 100644 index d295f417c9..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-1b6725f0-ff1d-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Unlocks - TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(116,167,167,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4767\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Unlocks\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Unlocks - TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-1b6725f0-ff1d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.4/kibana/visualization/system-1f271bc0-231a-11ea-8405-516218e3d268.json b/packages/system/0.10.4/kibana/visualization/system-1f271bc0-231a-11ea-8405-516218e3d268.json deleted file mode 100644 index ff552a8f5c..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-1f271bc0-231a-11ea-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Renamed TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(110,139,162,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4781\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Renamed\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Renamed TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-1f271bc0-231a-11ea-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.4/kibana/visualization/system-2084e300-a884-11e9-a422-d144027429da.json b/packages/system/0.10.4/kibana/visualization/system-2084e300-a884-11e9-a422-d144027429da.json deleted file mode 100644 index 753f48cee4..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-2084e300-a884-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4625\"},\"type\":\"phrase\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4625\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Logon Failed Source IP [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"type\":\"vis_dimension\"},\"maxFontSize\":38,\"metric\":{\"accessor\":1,\"format\":{\"id\":\"string\",\"params\":{}},\"type\":\"vis_dimension\"},\"minFontSize\":10,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Logon Failed Source IP [Windows Security]\",\"type\":\"tagcloud\"}" - }, - "id": "windows-2084e300-a884-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-21aadac0-9c0b-11ea-87e4-49f31ec44891.json b/packages/system/0.10.4/kibana/visualization/system-21aadac0-9c0b-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 16842dce87..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-21aadac0-9c0b-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Logon Sources [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Logon Sources [Windows Security]\",\"type\":\"tagcloud\"}" - }, - "id": "windows-21aadac0-9c0b-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-7e178c80-fee1-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-25f31ee0-9c23-11ea-87e4-49f31ec44891.json b/packages/system/0.10.4/kibana/visualization/system-25f31ee0-9c23-11ea-87e4-49f31ec44891.json deleted file mode 100644 index f2c4c313fa..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-25f31ee0-9c23-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4648\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"4648\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Logon with Explicit Credentials [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"user.name\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":200},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"subjectUserName\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"source.ip\",\"field\":\"source.ip\",\"json\":\"{\\\"missing\\\": 
\\\"::\\\"}\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Logon with Explicit Credentials [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-25f31ee0-9c23-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-26732e20-1b91-11e7-bec4-a5e9ec5cab8b.json b/packages/system/0.10.4/kibana/visualization/system-26732e20-1b91-11e7-bec4-a5e9ec5cab8b.json deleted file mode 100644 index 2ca5154a30..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-26732e20-1b91-11e7-bec4-a5e9ec5cab8b.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Load Gauge [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"feefabd0-1b90-11e7-bec4-a5e9ec5cab8b\"}],\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.load\\\" \"},\"gauge_color_rules\":[{\"id\":\"ffd94880-1b90-11e7-bec4-a5e9ec5cab8b\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"fdcc6180-1b90-11e7-bec4-a5e9ec5cab8b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"fdcc6181-1b90-11e7-bec4-a5e9ec5cab8b\",\"label\":\"5m Load\",\"line_width\":1,\"metrics\":[{\"field\":\"system.load.5\",\"id\":\"fdcc6182-1b90-11e7-bec4-a5e9ec5cab8b\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\"},\"title\":\"Load Gauge [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-26732e20-1b91-11e7-bec4-a5e9ec5cab8b", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-26877510-9b72-11ea-87e4-49f31ec44891.json b/packages/system/0.10.4/kibana/visualization/system-26877510-9b72-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 633e074066..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-26877510-9b72-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "User Management Actions [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"User Management Actions [Windows Security]\",\"type\":\"pie\"}" - }, - "id": "windows-26877510-9b72-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-2c71e0f0-9c0d-11ea-87e4-49f31ec44891.json b/packages/system/0.10.4/kibana/visualization/system-2c71e0f0-9c0d-11ea-87e4-49f31ec44891.json deleted file mode 100644 index fc2fd470e9..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-2c71e0f0-9c0d-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4624\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"4624\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Logons Simple [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Logons\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"aggType\":\"cardinality\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Logons Simple [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-2c71e0f0-9c0d-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.4/kibana/visualization/system-2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.4/kibana/visualization/system-2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 0844a15684..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "User Management Events - Description [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":10,\"markdown\":\"# **User Management Events**\\n\\n#### This dashboard shows information about User Management Events collected by winlogbeat\\n\",\"openLinksInNewTab\":false},\"title\":\"User Management Events - Description [Windows Security]\",\"type\":\"markdown\"}" - }, - "id": "windows-2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-2e224660-1b19-11e7-b09e-037021c4f8df.json b/packages/system/0.10.4/kibana/visualization/system-2e224660-1b19-11e7-b09e-037021c4f8df.json deleted file mode 100644 index 75186de954..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-2e224660-1b19-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Processes By Memory [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"bar_color\":\"rgba(104,188,0,1)\",\"id\":\"efb9b660-1b18-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0},{\"bar_color\":\"rgba(254,146,0,1)\",\"id\":\"17fcb820-1b19-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.7},{\"bar_color\":\"rgba(211,49,21,1)\",\"id\":\"1dd61070-1b19-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.85}],\"drilldown_url\":\"\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.process\\\" \"},\"id\":\"edfceb30-1b18-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"edfceb31-1b18-11e7-b09e-037021c4f8df\",\"line_width\":1,\"metrics\":[{\"field\":\"system.process.memory.rss.pct\",\"id\":\"edfceb32-1b18-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"process.name\",\"terms_order_by\":\"edfceb32-1b18-11e7-b09e-037021c4f8df\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Processes By Memory [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-2e224660-1b19-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.4/kibana/visualization/system-327417e0-8462-11e7-bab8-bd2f0fb42c54.json b/packages/system/0.10.4/kibana/visualization/system-327417e0-8462-11e7-bab8-bd2f0fb42c54.json deleted file mode 100644 index 464f6c729c..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-327417e0-8462-11e7-bab8-bd2f0fb42c54.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Dashboards [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"[Syslog](#/dashboard/system-Filebeat-syslog-dashboard) | [Sudo commands](#/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a) | [SSH logins](#/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a) | [New users and groups](#/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab)\"},\"title\":\"Dashboards [Logs System]\",\"type\":\"markdown\"}" - }, - "id": "system-327417e0-8462-11e7-bab8-bd2f0fb42c54", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-33462600-9b47-11ea-87e4-49f31ec44891.json b/packages/system/0.10.4/kibana/visualization/system-33462600-9b47-11ea-87e4-49f31ec44891.json deleted file mode 100644 index db2aa3d667..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-33462600-9b47-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Group Management Events - Event Actions - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"event.action\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"event.code\",\"field\":\"event.code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Group Management Events - Event Actions - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-33462600-9b47-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.4/kibana/visualization/system-341ffe70-f9ce-11e6-8115-a7c18106d86a.json b/packages/system/0.10.4/kibana/visualization/system-341ffe70-f9ce-11e6-8115-a7c18106d86a.json deleted file mode 100644 index f155739938..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-341ffe70-f9ce-11e6-8115-a7c18106d86a.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.ssh.event:Failed OR system.auth.ssh.event:Invalid\"}}" - }, - "title": "SSH users of failed login attempts [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"scale\":\"linear\"},\"title\":\"SSH users of failed login attempts\",\"type\":\"tagcloud\"}" - }, - "id": "system-341ffe70-f9ce-11e6-8115-a7c18106d86a", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-346bb290-fa80-11e6-a1df-a78bd7504d38.json b/packages/system/0.10.4/kibana/visualization/system-346bb290-fa80-11e6-a1df-a78bd7504d38.json deleted file mode 100644 index 0ad2f78f65..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-346bb290-fa80-11e6-a1df-a78bd7504d38.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New groups over time [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"group.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"bottom\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"New groups over time\",\"type\":\"histogram\"}" - }, - "id": "system-346bb290-fa80-11e6-a1df-a78bd7504d38", - "references": [ - { - "id": "system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-34f97ee0-1b96-11e7-8ada-3df93aab833e.json b/packages/system/0.10.4/kibana/visualization/system-34f97ee0-1b96-11e7-8ada-3df93aab833e.json deleted file mode 100644 index 89d9b0fae2..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-34f97ee0-1b96-11e7-8ada-3df93aab833e.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Disk Usage [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"bar_color_rules\":[{\"bar_color\":\"rgba(104,188,0,1)\",\"id\":\"bf525310-1b95-11e7-8ada-3df93aab833e\",\"operator\":\"gte\",\"value\":0},{\"bar_color\":\"rgba(254,146,0,1)\",\"id\":\"125fc4c0-1b96-11e7-8ada-3df93aab833e\",\"operator\":\"gte\",\"value\":0.7},{\"bar_color\":\"rgba(211,49,21,1)\",\"id\":\"1a5c7240-1b96-11e7-8ada-3df93aab833e\",\"operator\":\"gte\",\"value\":0.85}],\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"drilldown_url\":\"\",\"filter\":{\"language\":\"lucene\",\"query\":\"-system.filesystem.mount_point:\\\\/run* AND -system.filesystem.mount_point:\\\\/sys* AND -system.filesystem.mount_point:\\\\/dev* AND -system.filesystem.mount_point:\\\\/proc* AND -system.filesystem.mount_point:\\\\/var* AND 
-system.filesystem.mount_point:\\\\/boot\"},\"id\":\"9f7e48a0-1b95-11e7-8ada-3df93aab833e\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"9f7e48a1-1b95-11e7-8ada-3df93aab833e\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"system.filesystem.used.pct\",\"id\":\"9f7e48a2-1b95-11e7-8ada-3df93aab833e\",\"order\":\"desc\",\"order_by\":\"@timestamp\",\"size\":1,\"type\":\"top_hit\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.filesystem.mount_point\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"top_n\"},\"title\":\"Disk Usage [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-34f97ee0-1b96-11e7-8ada-3df93aab833e", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-3cec3eb0-f9d3-11e6-8a3e-2b904044ea1d.json b/packages/system/0.10.4/kibana/visualization/system-3cec3eb0-f9d3-11e6-8a3e-2b904044ea1d.json deleted file mode 100644 index c9e1455d68..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-3cec3eb0-f9d3-11e6-8a3e-2b904044ea1d.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.ssh.event:Failed OR system.auth.ssh.event:Invalid\"}}" - }, - "title": "SSH failed login attempts source locations [Logs System]", - "uiStateJSON": "{\"mapCenter\":[17.602139123350838,69.697265625],\"mapZoom\":2}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"autoPrecision\":true,\"field\":\"source.geo.location\",\"precision\":2},\"schema\":\"segment\",\"type\":\"geohash_grid\"}],\"listeners\":{},\"params\":{\"addTooltip\":true,\"heatBlur\":15,\"heatMaxZoom\":16,\"heatMinOpacity\":0.1,\"heatNormalizeData\":true,\"heatRadius\":25,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[15,5],\"mapType\":\"Shaded Circle Markers\",\"mapZoom\":2,\"wms\":{\"enabled\":false,\"options\":{\"attribution\":\"Maps provided by USGS\",\"format\":\"image/png\",\"layers\":\"0\",\"styles\":\"\",\"transparent\":true,\"version\":\"1.3.0\"},\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\"}},\"title\":\"SSH failed login attempts source locations\",\"type\":\"tile_map\"}" - }, - "id": "system-3cec3eb0-f9d3-11e6-8a3e-2b904044ea1d", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-3d65d450-a9c3-11e7-af20-67db8aecb295.json b/packages/system/0.10.4/kibana/visualization/system-3d65d450-a9c3-11e7-af20-67db8aecb295.json deleted file mode 100644 index 467738abc7..0000000000 
--- a/packages/system/0.10.4/kibana/visualization/system-3d65d450-a9c3-11e7-af20-67db8aecb295.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Tip [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"**TIP:** To select another host, go to the [System Overview](#/dashboard/system-Metrics-system-overview) dashboard and double-click a host name.\"},\"title\":\"Tip [Metrics System]\",\"type\":\"markdown\"}" - }, - "id": "system-3d65d450-a9c3-11e7-af20-67db8aecb295", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-400b63e0-f49a-11e9-8405-516218e3d268.json b/packages/system/0.10.4/kibana/visualization/system-400b63e0-f49a-11e9-8405-516218e3d268.json deleted file mode 100644 index 6a74b71833..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-400b63e0-f49a-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Groups Changed TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(200,201,197,1)\",\"id\":\"bfcaced0-f419-11e9-928e-8f5fd2b6c66e\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(221,186,64,1)\",\"id\":\"a7d935e0-f497-11e9-928e-8f5fd2b6c66e\",\"operator\":\"gt\",\"value\":0}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code:4735 OR event.code:4737 OR event.code:\\\"4755\\\" OR event.code:\\\"4764\\\" OR event.code:\\\"4750\\\" OR event.code:\\\"4760\\\" OR event.code:\\\"4745\\\" OR event.code:\\\"4784\\\" OR event.code:\\\"4791\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"60d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Groups Changed\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Groups Changed TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-400b63e0-f49a-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.4/kibana/visualization/system-421f0610-af98-11e9-a422-d144027429da.json b/packages/system/0.10.4/kibana/visualization/system-421f0610-af98-11e9-a422-d144027429da.json deleted file mode 100644 index d39a6141ab..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-421f0610-af98-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4625\"},\"type\":\"phrase\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4625\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Logon Failed Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Time 
Bucket\",\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"h\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"2020-05-17T09:37:55.995Z\",\"to\":\"2020-05-22T03:09:27.260Z\"},\"useNormalizedEsInterval\":true},\"schema\":\"bucket\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"user.name\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"source workstation\",\"field\":\"source.domain\",\"json\":\"{\\\"missing\\\": \\\"N/A\\\"}\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"source.ip\",\"field\":\"source.ip\",\"json\":\"{\\\"missing\\\": 
\\\"::\\\"}\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"event.action\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"winlog.logon.type\",\"field\":\"winlog.logon.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"8\",\"params\":{\"customLabel\":\"winlog.event_data.SubjectUserName\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"date_histogram\",\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD 
HH:mm\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":4,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":5,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":15,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Logon Failed Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-421f0610-af98-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.4/kibana/visualization/system-4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index ed7b83e131..0000000000 
--- a/packages/system/0.10.4/kibana/visualization/system-4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4740\"},\"type\":\"phrase\",\"value\":\"4740\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4740\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Locked Out - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Locked User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Locked Out - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-4b683ac0-a7d7-11e9-a422-d144027429da.json b/packages/system/0.10.4/kibana/visualization/system-4b683ac0-a7d7-11e9-a422-d144027429da.json deleted file mode 100644 index 6f92dc8999..0000000000 
--- a/packages/system/0.10.4/kibana/visualization/system-4b683ac0-a7d7-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4625\"],\"type\":\"phrases\",\"value\":\"4625\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4625\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Failed Logon HeatMap [Windows Security]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 4\":\"rgb(255,255,204)\",\"12 - 16\":\"rgb(252,91,46)\",\"16 - 20\":\"rgb(212,16,32)\",\"4 - 8\":\"rgb(254,225,135)\",\"8 - 12\":\"rgb(254,171,73)\"}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"drop_partials\":true,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"h\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"2020-05-17T09:37:55.995Z\",\"to\":\"2020-05-22T03:09:27.260Z\"},\"useNormalizedEsInterval\":true},\"schema\":\"group\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTooltip\":false,\"colorSchema\":\"Yellow to Red\",\"colorsNumber\":5,\"colorsRange\":[],\"dimensions\":{\"series\":[{\"accessor\":1,\"aggType\":\"date_histogram\",\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD HH:mm\"}},\"label\":\"@timestamp per hour\",\"params\":{}}],\"x\":{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"label\":\"user.name: Descending\",\"params\":{}},\"y\":[{\"accessor\":2,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}}]},\"enableHover\":true,\"invertColors\":false,\"legendPosition\":\"bottom\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"type\":\"heatmap\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"black\",\"overwriteColor\":false,\"rotate\":0,\"show\":true},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Failed Logon HeatMap [Windows Security]\",\"type\":\"heatmap\"}" - }, - "id": 
"windows-4b683ac0-a7d7-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-4bedf650-9ffd-11ea-87e4-49f31ec44891.json b/packages/system/0.10.4/kibana/visualization/system-4bedf650-9ffd-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 91ec1afb81..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-4bedf650-9ffd-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4625\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"4625\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": " Failed Logons [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Failed Logons\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\" Failed Logons [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-4bedf650-9ffd-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-4d546850-1b15-11e7-b09e-037021c4f8df.json b/packages/system/0.10.4/kibana/visualization/system-4d546850-1b15-11e7-b09e-037021c4f8df.json deleted file mode 100644 index cd04472792..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-4d546850-1b15-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "System Load [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.load\\\"\"},\"id\":\"f6264ad0-1b14-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(115,216,255,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"f62671e0-1b14-11e7-b09e-037021c4f8df\",\"label\":\"1m\",\"line_width\":\"3\",\"metrics\":[{\"field\":\"system.load.1\",\"id\":\"f62671e1-1b14-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"1c324850-1b15-11e7-b09e-037021c4f8df\",\"label\":\"5m\",\"line_width\":\"3\",\"metrics\":[{\"field\":\"system.load.5\",\"id\":\"1c324851-1b15-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,98,177,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"3287e740-1b15-11e7-b09e-037021c4f8df\",\"label\":\"15m\",\"line_width\":\"3\",\"metrics\":[{\"field\":\"system.load.15\",\"id\":\"32880e50-1b15-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"
title\":\"System Load [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-4d546850-1b15-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-4e4bb1e0-1b1b-11e7-b09e-037021c4f8df.json b/packages/system/0.10.4/kibana/visualization/system-4e4bb1e0-1b1b-11e7-b09e-037021c4f8df.json deleted file mode 100644 index 4bdb84e270..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-4e4bb1e0-1b1b-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Disk IO (Bytes) [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.diskio\\\"\"},\"id\":\"d3c67db0-1b1a-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(22,165,165,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"d3c67db1-1b1a-11e7-b09e-037021c4f8df\",\"label\":\"reads\",\"line_width\":1,\"metrics\":[{\"field\":\"system.diskio.read.bytes\",\"id\":\"d3c67db2-1b1a-11e7-b09e-037021c4f8df\",\"type\":\"max\"},{\"field\":\"d3c67db2-1b1a-11e7-b09e-037021c4f8df\",\"id\":\"f55b9910-1b1a-11e7-b09e-037021c4f8df\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"field\":\"f55b9910-1b1a-11e7-b09e-037021c4f8df\",\"id\":\"dcbbb100-1b93-11e7-8ada-3df93aab833e\",\"type\":\"positive_only\",\"unit\":\"\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"value_template\":\"{{value}}/s\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(251,158,0,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"144124d0-1b1b-11e7-b09e-037021c4f8df\",\"label\":\"writes\",\"line_width\":1,\"metrics\":[{\"field\":\"system.diskio.write.bytes\",\"id\":\"144124d1-1b1b-11e7-b09e-037021c4f8df\",\"type\":\"max\"},{\"field\":\"144124d1-1b1b-11e7-b09e-037021c4f8df\",\"id\":\"144124d2-1b1b-11e7-b09e-037021c4f8df\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"id\":\"144124d4-1b1b-11e7-b09e-037021c4f8df\",\"script\":\"params.rate \\u003e 0 ? 
params.rate * -1 : 0\",\"type\":\"calculation\",\"variables\":[{\"field\":\"144124d2-1b1b-11e7-b09e-037021c4f8df\",\"id\":\"144124d3-1b1b-11e7-b09e-037021c4f8df\",\"name\":\"rate\"}]}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"value_template\":\"{{value}}/s\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"Disk IO (Bytes) [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-4e4bb1e0-1b1b-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-51164310-fa2b-11e6-bbd3-29c986c96e5a.json b/packages/system/0.10.4/kibana/visualization/system-51164310-fa2b-11e6-bbd3-29c986c96e5a.json deleted file mode 100644 index efa1f752dd..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-51164310-fa2b-11e6-bbd3-29c986c96e5a.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.sudo.error:*\"}}" - }, - "title": "Sudo errors [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"system.auth.sudo.error\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"Sudo errors\",\"type\":\"histogram\"}" - }, - "id": "system-51164310-fa2b-11e6-bbd3-29c986c96e5a", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b.json b/packages/system/0.10.4/kibana/visualization/system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b.json deleted file mode 100644 index bd07f29ec0..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Inbound Traffic [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"0e346760-1b92-11e7-bec4-a5e9ec5cab8b\"}],\"filter\":{\"language\":\"lucene\",\"query\":\"-system.network.name:l*\"},\"id\":\"0c761590-1b92-11e7-bec4-a5e9ec5cab8b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"0c761591-1b92-11e7-bec4-a5e9ec5cab8b\",\"label\":\"Inbound Traffic\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.in.bytes\",\"id\":\"0c761592-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"max\"},{\"field\":\"0c761592-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"1d659060-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"field\":\"1d659060-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"f2074f70-1b92-11e7-a416-41f5ccdba2e6\",\"type\":\"positive_only\",\"unit\":\"\"},{\"function\":\"sum\",\"id\":\"c40e18f0-2c55-11e7-a0ad-277ce466684d\",\"type\":\"series_agg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"37f70440-1b92-11e7-bec4-a5e9ec5cab8b\",\"label\":\"Total 
Transferred\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.in.bytes\",\"id\":\"37f72b50-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"max\"},{\"field\":\"37f72b50-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"37f72b51-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"derivative\",\"unit\":\"\"},{\"field\":\"37f72b51-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"f9da2dd0-1b92-11e7-a416-41f5ccdba2e6\",\"type\":\"positive_only\",\"unit\":\"\"},{\"field\":\"f9da2dd0-1b92-11e7-a416-41f5ccdba2e6\",\"function\":\"overall_sum\",\"id\":\"3e63c2f0-1b92-11e7-bec4-a5e9ec5cab8b\",\"sigma\":\"\",\"type\":\"series_agg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"metric\"},\"title\":\"Inbound Traffic [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-546febc0-f49b-11e9-8405-516218e3d268.json b/packages/system/0.10.4/kibana/visualization/system-546febc0-f49b-11e9-8405-516218e3d268.json deleted file mode 100644 index 2a4dc48ec0..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-546febc0-f49b-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Groups Enumeration - TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(128,128,128,1)\",\"color\":\"rgba(179,179,179,1)\",\"id\":\"bfcaced0-f419-11e9-928e-8f5fd2b6c66e\",\"operator\":\"gt\",\"value\":0},{\"background_color\":\"rgba(179,179,179,1)\",\"id\":\"8d3f3ed0-9b51-11ea-99a1-e5b989979a59\",\"operator\":\"lte\",\"value\":0}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code:4799\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Group Membership Enumeration\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Groups Enumeration - TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-546febc0-f49b-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.4/kibana/visualization/system-568a8130-bcde-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.4/kibana/visualization/system-568a8130-bcde-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 933f67bf45..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-568a8130-bcde-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4723\",\"4724\"],\"type\":\"phrases\",\"value\":\"4723, 4724\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4723\"}},{\"match_phrase\":{\"event.code\":\"4724\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Password Reset / Changes [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Password Changes\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Password Reset / Changes [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-568a8130-bcde-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], 
- "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-58fb9480-9b46-11ea-87e4-49f31ec44891.json b/packages/system/0.10.4/kibana/visualization/system-58fb9480-9b46-11ea-87e4-49f31ec44891.json deleted file mode 100644 index ff437ba2d3..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-58fb9480-9b46-11ea-87e4-49f31ec44891.json +++ /dev/null @@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Group Management Events - Target Groups - Tag Cloud [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"maxFontSize\":58,\"minFontSize\":18,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Group Management Events - Target Groups - Tag Cloud [Windows Security]\",\"type\":\"tagcloud\"}" - }, - "id": "windows-58fb9480-9b46-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.4/kibana/visualization/system-590a60f0-5d87-11e7-8884-1bb4c3b890e4.json b/packages/system/0.10.4/kibana/visualization/system-590a60f0-5d87-11e7-8884-1bb4c3b890e4.json deleted file mode 100644 index e5419418c6..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-590a60f0-5d87-11e7-8884-1bb4c3b890e4.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Number of processes [Metrics System]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Processes\",\"field\":\"process.pid\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.process\\\"\"},\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"type\":\"gauge\"},\"title\":\"Number of processes\",\"type\":\"metric\"}" - }, - "id": "system-590a60f0-5d87-11e7-8884-1bb4c3b890e4", - "references": [ - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-5bb93ed0-a249-11e9-a422-d144027429da.json b/packages/system/0.10.4/kibana/visualization/system-5bb93ed0-a249-11e9-a422-d144027429da.json deleted file mode 100644 index 9742f4a43f..0000000000 
--- a/packages/system/0.10.4/kibana/visualization/system-5bb93ed0-a249-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4672\"},\"type\":\"phrase\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4672\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Admin Logons Simple [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Admin Logons\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"aggType\":\"cardinality\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Admin Logons Simple [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-5bb93ed0-a249-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.4/kibana/visualization/system-5c7af030-fa2a-11e6-bbd3-29c986c96e5a.json b/packages/system/0.10.4/kibana/visualization/system-5c7af030-fa2a-11e6-bbd3-29c986c96e5a.json deleted file mode 100644 index 112d3d6530..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-5c7af030-fa2a-11e6-bbd3-29c986c96e5a.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Sudo commands by user [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"Sudo commands by user\",\"type\":\"histogram\"}" - }, - "id": "system-5c7af030-fa2a-11e6-bbd3-29c986c96e5a", - "references": [ - { - "id": "system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-5c9ee410-9b74-11ea-87e4-49f31ec44891.json b/packages/system/0.10.4/kibana/visualization/system-5c9ee410-9b74-11ea-87e4-49f31ec44891.json deleted file mode 100644 index dca0f9262f..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-5c9ee410-9b74-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "User Event Actions - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"event.action\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":25},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"event.code\",\"field\":\"event.code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"User Event Actions - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-5c9ee410-9b74-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.4/kibana/visualization/system-5d117970-9ffd-11ea-87e4-49f31ec44891.json b/packages/system/0.10.4/kibana/visualization/system-5d117970-9ffd-11ea-87e4-49f31ec44891.json deleted file mode 100644 index fa00481119..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-5d117970-9ffd-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4740\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"4740\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Blocked Accounts [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Blocked Accounts\",\"field\":\"user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Blocked Accounts [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-5d117970-9ffd-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.4/kibana/visualization/system-5d92b100-bce8-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.4/kibana/visualization/system-5d92b100-bce8-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 51ea966488..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-5d92b100-bce8-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4738\"],\"type\":\"phrases\",\"value\":\"4738\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4738\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Changes - Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Changes in Users\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Changes - Simple Metric [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-5d92b100-bce8-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.4/kibana/visualization/system-5dd15c00-fa78-11e6-ae9b-81e5311e8cab.json b/packages/system/0.10.4/kibana/visualization/system-5dd15c00-fa78-11e6-ae9b-81e5311e8cab.json deleted file mode 100644 index bc04c92dd4..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-5dd15c00-fa78-11e6-ae9b-81e5311e8cab.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New users over time [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"bottom\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"New users over time\",\"type\":\"histogram\"}" - }, - "id": "system-5dd15c00-fa78-11e6-ae9b-81e5311e8cab", - "references": [ - { - "id": "system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-5e19ff80-231c-11ea-8405-516218e3d268.json b/packages/system/0.10.4/kibana/visualization/system-5e19ff80-231c-11ea-8405-516218e3d268.json deleted file mode 100644 index a48866082b..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-5e19ff80-231c-11ea-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4781\"],\"type\":\"phrases\",\"value\":\"4781\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4781\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Renamed - Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Renamed Users\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Renamed - Simple Metric [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-5e19ff80-231c-11ea-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.4/kibana/visualization/system-5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.4/kibana/visualization/system-5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 4af6ebd0b6..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4720\"},\"type\":\"phrase\",\"value\":\"4720\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4720\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Created - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Created User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Created - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-5eeaafd0-fee7-11e9-8405-516218e3d268.json b/packages/system/0.10.4/kibana/visualization/system-5eeaafd0-fee7-11e9-8405-516218e3d268.json deleted file mode 100644 index 14a99c93c0..0000000000 
--- a/packages/system/0.10.4/kibana/visualization/system-5eeaafd0-fee7-11e9-8405-516218e3d268.json
+++ /dev/null
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4734\",\"4730\",\"4758\",\"4748\",\"4763\",\"4753\",\"4792\",\"4789\"],\"type\":\"phrases\",\"value\":\"4734, 4730, 4758, 4748, 4763, 4753, 4792, 4789\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4734\"}},{\"match_phrase\":{\"event.code\":\"4730\"}},{\"match_phrase\":{\"event.code\":\"4758\"}},{\"match_phrase\":{\"event.code\":\"4748\"}},{\"match_phrase\":{\"event.code\":\"4763\"}},{\"match_phrase\":{\"event.code\":\"4753\"}},{\"match_phrase\":{\"event.code\":\"4792\"}},{\"match_phrase\":{\"event.code\":\"4789\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"lucene\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Groups Deleted- Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Groups Deleted\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Greens\",\"colorsRange\":[{\"from\":0,\"to\":1,\"type\":\"range\"},{\"from\":1,\"to\":5},{\"from\":5,\"to\":10},{\"from\":10,\"to\":15},{\"from\":15,\"to\":20},{\"from\":20,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"Labels\",\"percentageMode\":false,\"style\":{\"bgColor\":true,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Groups Deleted- 
Simple Metric [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-5eeaafd0-fee7-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-60301890-ff1d-11e9-8405-516218e3d268.json b/packages/system/0.10.4/kibana/visualization/system-60301890-ff1d-11e9-8405-516218e3d268.json deleted file mode 100644 index 52f84418d2..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-60301890-ff1d-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Password Changes - TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(154,196,198,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4723\\\" OR event.code: \\\"4724\\\"\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Password Changes/Reset\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Password Changes - TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-60301890-ff1d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.4/kibana/visualization/system-6b7b9a40-faa1-11e6-86b1-cd7735ff7e23.json b/packages/system/0.10.4/kibana/visualization/system-6b7b9a40-faa1-11e6-86b1-cd7735ff7e23.json
deleted file mode 100644
index 22a26c29d4..0000000000
--- a/packages/system/0.10.4/kibana/visualization/system-6b7b9a40-faa1-11e6-86b1-cd7735ff7e23.json
+++ /dev/null
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Network Traffic (Packets) [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"lucene\",\"query\":\"-system.network.name:l*\"},\"id\":\"da1046f0-faa0-11e6-86b1-cd7735ff7e23\",\"index_pattern\":\"*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":\"1\",\"formatter\":\"0.[00]a\",\"id\":\"da1046f1-faa0-11e6-86b1-cd7735ff7e23\",\"label\":\"Inbound\",\"line_width\":\"0\",\"metrics\":[{\"field\":\"system.network.in.packets\",\"id\":\"da1046f2-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"max\"},{\"field\":\"da1046f2-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"f41f9280-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"field\":\"f41f9280-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"c0da3d80-1b93-11e7-8ada-3df93aab833e\",\"type\":\"positive_only\",\"unit\":\"\"},{\"function\":\"sum\",\"id\":\"ecaad010-2c2c-11e7-be71-3162da85303f\",\"type\":\"series_agg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(250,40,255,1)\",\"fill\":\"1\",\"formatter\":\"0.[00]a\",\"id\":\"fbbd5720-faa0-11e6-86b1-cd7735ff7e23\",\"label\":\"Outbound\",\"line_width\":\"0\",\"metrics\":[{\"field\":\"system.network.out.packets\",\"id\":\"fbbd7e30-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"max\"},{\"field\":\"fbbd7e30-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"fbbd7e31-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"id\":\"17e597a0-faa1-11e6-86b
1-cd7735ff7e23\",\"script\":\"params.rate != null \\u0026\\u0026 params.rate \\u003e 0 ? params.rate * -1 : null\",\"type\":\"calculation\",\"variables\":[{\"field\":\"fbbd7e31-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"1940bad0-faa1-11e6-86b1-cd7735ff7e23\",\"name\":\"rate\"}]},{\"function\":\"sum\",\"id\":\"fe5fbdc0-2c2c-11e7-be71-3162da85303f\",\"type\":\"series_agg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"Mericbeat: Network Traffic (Packets)\",\"type\":\"metrics\"}" - }, - "id": "system-6b7b9a40-faa1-11e6-86b1-cd7735ff7e23", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-6f0f2ea0-f414-11e9-8405-516218e3d268.json b/packages/system/0.10.4/kibana/visualization/system-6f0f2ea0-f414-11e9-8405-516218e3d268.json deleted file mode 100644 index 4da7034431..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-6f0f2ea0-f414-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Group Management Events - Description [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":10,\"markdown\":\"# **Group Management Events**\\n\\n#### This dashboard shows information about Group Management Events collected by winlogbeat\\n\",\"openLinksInNewTab\":false},\"title\":\"Group Management Events - Description [Windows Security]\",\"type\":\"markdown\"}" - }, - "id": "windows-6f0f2ea0-f414-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-729443b0-a7d6-11e9-a422-d144027429da.json b/packages/system/0.10.4/kibana/visualization/system-729443b0-a7d6-11e9-a422-d144027429da.json deleted file mode 100644 index 67e90b9ee1..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-729443b0-a7d6-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4625\",\"4771\"],\"type\":\"phrases\",\"value\":\"4625, 4771\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4625\"}},{\"match_phrase\":{\"event.code\":\"4771\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Logon Failed Acconts [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"type\":\"vis_dimension\"},\"maxFontSize\":37,\"metric\":{\"accessor\":1,\"format\":{\"id\":\"string\",\"params\":{}},\"type\":\"vis_dimension\"},\"minFontSize\":15,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Logon Failed Acconts [Windows Security]\",\"type\":\"tagcloud\"}" - }, - "id": "windows-729443b0-a7d6-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-7322f9f0-ff1c-11e9-8405-516218e3d268.json b/packages/system/0.10.4/kibana/visualization/system-7322f9f0-ff1c-11e9-8405-516218e3d268.json deleted file mode 100644 index e59b87fe2e..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-7322f9f0-ff1c-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Deleted - TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(228,155,75,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4726\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Deleted\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Deleted - TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-7322f9f0-ff1c-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.4/kibana/visualization/system-78b74f30-f9cd-11e6-8115-a7c18106d86a.json b/packages/system/0.10.4/kibana/visualization/system-78b74f30-f9cd-11e6-8115-a7c18106d86a.json deleted file mode 100644 index c119c156ea..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-78b74f30-f9cd-11e6-8115-a7c18106d86a.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - }, - "title": "SSH login attempts [Logs System]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Accepted\":\"#3F6833\",\"Failed\":\"#F9934E\",\"Invalid\":\"#447EBC\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"system.auth.ssh.event\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"SSH login attempts\",\"type\":\"histogram\"}" - }, - "id": "system-78b74f30-f9cd-11e6-8115-a7c18106d86a", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.4/kibana/visualization/system-7a329a00-a7d5-11e9-a422-d144027429da.json b/packages/system/0.10.4/kibana/visualization/system-7a329a00-a7d5-11e9-a422-d144027429da.json
deleted file mode 100644
index 0156cd0ffc..0000000000
--- a/packages/system/0.10.4/kibana/visualization/system-7a329a00-a7d5-11e9-a422-d144027429da.json
+++ /dev/null
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4740\"},\"type\":\"phrase\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4740\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Blocked Accounts Tag [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"type\":\"vis_dimension\"},\"maxFontSize\":53,\"metric\":{\"accessor\":1,\"format\":{\"id\":\"string\",\"params\":{}},\"type\":\"vis_dimension\"},\"minFontSize\":18,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Blocked Accounts Tag [Windows Security]\",\"type\":\"tagcloud\"}" - }, - "id": "windows-7a329a00-a7d5-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - 
}, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-7cdb1330-4d1a-11e7-a196-69b9a7a020a9.json b/packages/system/0.10.4/kibana/visualization/system-7cdb1330-4d1a-11e7-a196-69b9a7a020a9.json deleted file mode 100644 index e89f3a3690..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-7cdb1330-4d1a-11e7-a196-69b9a7a020a9.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Hosts histogram by CPU usage [Metrics System]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0% - 5%\":\"rgb(247,252,245)\",\"10% - 15%\":\"rgb(116,196,118)\",\"15% - 20%\":\"rgb(35,139,69)\",\"5% - 10%\":\"rgb(199,233,192)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"CPU usage\",\"field\":\"system.cpu.user.pct\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Hosts\",\"field\":\"host.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Greens\",\"colorsNumber\":4,\"colorsRange\":[],\"enableHover\":false,\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.cpu\\\" \"},\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"type\":\"heatmap\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"#555\",\"rotate\":0,\"show\":false},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Hosts histogram by CPU usage [Metrics System]\",\"type\":\"heatmap\"}" - }, - "id": "system-7cdb1330-4d1a-11e7-a196-69b9a7a020a9", - "references": [ - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.4/kibana/visualization/system-7de2e3f0-9b4d-11ea-87e4-49f31ec44891.json b/packages/system/0.10.4/kibana/visualization/system-7de2e3f0-9b4d-11ea-87e4-49f31ec44891.json
deleted file mode 100644
index ac901db56f..0000000000
--- a/packages/system/0.10.4/kibana/visualization/system-7de2e3f0-9b4d-11ea-87e4-49f31ec44891.json
+++ /dev/null
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Group Management Action Distribution over Time [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-30d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":25},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false,\"valueAxis\":\"\"},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"positio
n\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Group Management Action Distribution over Time [Windows Security]\",\"type\":\"histogram\"}" - }, - "id": "windows-7de2e3f0-9b4d-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-804dd400-a248-11e9-a422-d144027429da.json b/packages/system/0.10.4/kibana/visualization/system-804dd400-a248-11e9-a422-d144027429da.json deleted file mode 100644 index 81fea16fcd..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-804dd400-a248-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4672\"],\"type\":\"phrases\",\"value\":\"4672\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4672\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Logged on Administrators [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Date\",\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"2020-05-20T07:35:27.496Z\",\"to\":\"2020-05-22T00:01:10.239Z\"},\"useNormalizedEsInterval\":true},\"schema\":\"bucket\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"user.name\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"8\",\"params\":{\"customLabel\":\"# 
Thread\",\"field\":\"winlog.process.thread.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"9\",\"params\":{\"customLabel\":\"LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"date_histogram\",\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD HH:mm\"}},\"label\":\"Fecha - Hora \",\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"label\":\"Usuario\",\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"label\":\"# Thread\",\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"label\":\"winlog.logon.id: Descending\",\"params\":{}}],\"metrics\":[{\"accessor\":4,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Cantidad Eventos 
\",\"params\":{}}]},\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Logged on Administrators [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-804dd400-a248-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32.json b/packages/system/0.10.4/kibana/visualization/system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32.json deleted file mode 100644 index 172b24f43c..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32.json +++ /dev/null 
@@ -1,15 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "title": "Disk Used [Metrics System]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.fsstat\\\"\"},\"gauge_color_rules\":[{\"gauge\":\"rgba(104,188,0,1)\",\"id\":\"51921d10-4d1d-11e7-b5f2-2b7c1895bf32\",\"operator\":\"gte\",\"value\":0},{\"gauge\":\"rgba(251,158,0,1)\",\"id\":\"f26de750-4d54-11e7-b5f2-2b7c1895bf32\",\"operator\":\"gte\",\"value\":0.7},{\"gauge\":\"rgba(211,49,21,1)\",\"id\":\"fa31d190-4d54-11e7-b5f2-2b7c1895bf32\",\"operator\":\"gte\",\"value\":0.85}],\"gauge_inner_width\":10,\"gauge_max\":\"1\",\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"4e4dc780-4d1d-11e7-b5f2-2b7c1895bf32\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"4e4dee90-4d1d-11e7-b5f2-2b7c1895bf32\",\"label\":\"Disk used\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"system.fsstat.total_size.used\",\"id\":\"4e4dee91-4d1d-11e7-b5f2-2b7c1895bf32\",\"order\":\"desc\",\"order_by\":\"@timestamp\",\"size\":1,\"type\":\"top_hit\"},{\"agg_with\":\"avg\",\"field\":\"system.fsstat.total_size.total\",\"id\":\"57c96ee0-4d54-11e7-b5f2-2b7c1895bf32\",\"order\":\"desc\",\"order_by\":\"@timestamp\",\"size\":1,\"type\":\"top_hit\"},{\"id\":\"6304cca0-4d54-11e7-b5f2-2b7c1895bf32\",\"script\":\"params.used/params.total 
\",\"type\":\"math\",\"variables\":[{\"field\":\"4e4dee91-4d1d-11e7-b5f2-2b7c1895bf32\",\"id\":\"6da10430-4d54-11e7-b5f2-2b7c1895bf32\",\"name\":\"used\"},{\"field\":\"57c96ee0-4d54-11e7-b5f2-2b7c1895bf32\",\"id\":\"73b8c510-4d54-11e7-b5f2-2b7c1895bf32\",\"name\":\"total\"}]}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"gauge\"},\"title\":\"Disk used [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b.json b/packages/system/0.10.4/kibana/visualization/system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b.json deleted file mode 100644 index dc7c7ab1d6..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b.json +++ /dev/null 
@@ -1,15 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "title": "CPU Usage Gauge [Metrics System]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.cpu\\\"\"},\"gauge_color_rules\":[{\"gauge\":\"rgba(104,188,0,1)\",\"id\":\"4ef2c3b0-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0},{\"gauge\":\"rgba(254,146,0,1)\",\"id\":\"e6561ae0-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0.7},{\"gauge\":\"rgba(211,49,21,1)\",\"id\":\"ec655040-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0.85}],\"gauge_inner_width\":10,\"gauge_max\":\"1\",\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"4c9e2550-1b91-11e7-bec4-a5e9ec5cab8b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"4c9e2551-1b91-11e7-bec4-a5e9ec5cab8b\",\"label\":\"CPU Usage\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.user.pct\",\"id\":\"4c9e2552-1b91-11e7-bec4-a5e9ec5cab8b\",\"type\":\"avg\"},{\"field\":\"system.cpu.system.pct\",\"id\":\"225c2140-5fd7-11e7-a63a-a937b7c1a7e1\",\"type\":\"avg\"},{\"field\":\"system.cpu.cores\",\"id\":\"837a30c0-5fd7-11e7-a63a-a937b7c1a7e1\",\"type\":\"avg\"},{\"id\":\"587aa510-1b91-11e7-bec4-a5e9ec5cab8b\",\"script\":\"params.n \\u003e 0 ? 
(params.user+params.system)/params.n : null\",\"type\":\"calculation\",\"variables\":[{\"field\":\"4c9e2552-1b91-11e7-bec4-a5e9ec5cab8b\",\"id\":\"5a19af10-1b91-11e7-bec4-a5e9ec5cab8b\",\"name\":\"user\"},{\"field\":\"225c2140-5fd7-11e7-a63a-a937b7c1a7e1\",\"id\":\"32b54f80-5fd7-11e7-a63a-a937b7c1a7e1\",\"name\":\"system\"},{\"field\":\"837a30c0-5fd7-11e7-a63a-a937b7c1a7e1\",\"id\":\"8ba6eef0-5fd7-11e7-a63a-a937b7c1a7e1\",\"name\":\"n\"}]}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\"},\"title\":\"CPU Usage Gauge [Metrics System]\",\"type\":\"metrics\"}"
- },
- "id": "system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b",
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.4/kibana/visualization/system-84502430-bce8-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.4/kibana/visualization/system-84502430-bce8-11e9-b6a2-c9b4015c4baf.json
deleted file mode 100644
index 83e05f5442..0000000000
--- a/packages/system/0.10.4/kibana/visualization/system-84502430-bce8-11e9-b6a2-c9b4015c4baf.json
+++ /dev/null
@@ -1,32 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4740\"],\"type\":\"phrases\",\"value\":\"4740\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4740\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}"
- },
- "title": "Users Unlocks - Simple Metric [Windows Security]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Users Locked Out\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Unlocks - Simple Metric [Windows Security]\",\"type\":\"metric\"}"
- },
- "id": "windows-84502430-bce8-11e9-b6a2-c9b4015c4baf",
- "migrationVersion": {
- "visualization": "7.10.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.4/kibana/visualization/system-855899e0-1b1c-11e7-b09e-037021c4f8df.json b/packages/system/0.10.4/kibana/visualization/system-855899e0-1b1c-11e7-b09e-037021c4f8df.json
deleted file mode 100644
index ae48f968a3..0000000000
--- a/packages/system/0.10.4/kibana/visualization/system-855899e0-1b1c-11e7-b09e-037021c4f8df.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "title": "Top Hosts By CPU (Realtime) [Metrics System]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"bar_color\":\"rgba(104,188,0,1)\",\"id\":\"33349dd0-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0},{\"bar_color\":\"rgba(254,146,0,1)\",\"id\":\"997dc440-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.6},{\"bar_color\":\"rgba(211,49,21,1)\",\"id\":\"a10d7f20-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.85}],\"drilldown_url\":\"../app/kibana#/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8?_a=(query:(language:kuery,query:'host.name:\\\"{{key}}\\\"'))\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.cpu\\\"\"},\"id\":\"31e5afa0-1b1c-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"31e5afa1-1b1c-11e7-b09e-037021c4f8df\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.user.pct\",\"id\":\"31e5afa2-1b1c-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"host.name\",\"terms_order_by\":\"31e5afa2-1b1c-11e7-b09e-037021c4f8df\",\"terms_size\":\"10\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Top Hosts By CPU (Realtime) [Metrics System]\",\"type\":\"metrics\"}"
- },
- "id": "system-855899e0-1b1c-11e7-b09e-037021c4f8df",
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.4/kibana/visualization/system-855957d0-bcdd-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.4/kibana/visualization/system-855957d0-bcdd-11e9-b6a2-c9b4015c4baf.json
deleted file mode 100644
index 1056243f5c..0000000000
--- a/packages/system/0.10.4/kibana/visualization/system-855957d0-bcdd-11e9-b6a2-c9b4015c4baf.json
+++ /dev/null
@@ -1,32 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4722\"},\"type\":\"phrase\",\"value\":\"4722\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4722\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}"
- },
- "title": "Users Enabled - Simple Metric [Windows Security]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Users Enabled\",\"field\":\"user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Enabled - Simple Metric [Windows Security]\",\"type\":\"metric\"}"
- },
- "id": "windows-855957d0-bcdd-11e9-b6a2-c9b4015c4baf",
- "migrationVersion": {
- "visualization": "7.10.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of
file
diff --git a/packages/system/0.10.4/kibana/visualization/system-860706a0-9bfd-11ea-87e4-49f31ec44891.json b/packages/system/0.10.4/kibana/visualization/system-860706a0-9bfd-11ea-87e4-49f31ec44891.json
deleted file mode 100644
index 6e2cbe81b4..0000000000
--- a/packages/system/0.10.4/kibana/visualization/system-860706a0-9bfd-11ea-87e4-49f31ec44891.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{}"
- },
- "title": "User Logons [Windows Security]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"d5bcde50-9bfc-11ea-aaa3-618beeff2d9c\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(7,139,141,1)\",\"id\":\"16018150-9bfd-11ea-aaa3-618beeff2d9c\",\"operator\":\"gte\",\"value\":0}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"filter\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.security AND event.code: \\\"4624\\\")\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Logons \",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"User Logons [Windows Security]\",\"type\":\"metrics\"}"
- },
- "id": "windows-860706a0-9bfd-11ea-87e4-49f31ec44891",
- "migrationVersion": {
- "visualization": "7.10.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.4/kibana/visualization/system-8ef59f90-6ab8-11ea-896f-0d70f7ec3956.json b/packages/system/0.10.4/kibana/visualization/system-8ef59f90-6ab8-11ea-896f-0d70f7ec3956.json
deleted file mode 100644
index 044b3f7e20..0000000000
--- a/packages/system/0.10.4/kibana/visualization/system-8ef59f90-6ab8-11ea-896f-0d70f7ec3956.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{}"
- },
- "title": "Failed Logons TSVB [Windows Security]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(181,99,93,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.security AND event.code: \\\"4625\\\")\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Failed Logon\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Failed Logons TSVB [Windows Security]\",\"type\":\"metrics\"}"
- },
- "id": "windows-8ef59f90-6ab8-11ea-896f-0d70f7ec3956",
- "migrationVersion": {
- "visualization": "7.10.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.4/kibana/visualization/system-8f20c950-bcd4-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.4/kibana/visualization/system-8f20c950-bcd4-11e9-b6a2-c9b4015c4baf.json
deleted file mode 100644
index 8d37e6840b..0000000000
--- a/packages/system/0.10.4/kibana/visualization/system-8f20c950-bcd4-11e9-b6a2-c9b4015c4baf.json
+++ /dev/null
@@ -1,32 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4725\"},\"type\":\"phrase\",\"value\":\"4725\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4725\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}"
- },
- "title": "Users Disabled - Table [Windows Security]",
- "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Disabled User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Disabled - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-8f20c950-bcd4-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-96976150-4d5d-11e7-aa29-87a97a796de6.json b/packages/system/0.10.4/kibana/visualization/system-96976150-4d5d-11e7-aa29-87a97a796de6.json deleted file mode 100644 index 172bcb8f2c..0000000000 
--- a/packages/system/0.10.4/kibana/visualization/system-96976150-4d5d-11e7-aa29-87a97a796de6.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "title": "Packetloss [Metrics System]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"6ba9b1f0-4d5d-11e7-aa29-87a97a796de6\"}],\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.network\\\"\"},\"id\":\"6984af10-4d5d-11e7-aa29-87a97a796de6\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"6984af11-4d5d-11e7-aa29-87a97a796de6\",\"label\":\"In Packetloss\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.in.dropped\",\"id\":\"6984af12-4d5d-11e7-aa29-87a97a796de6\",\"type\":\"max\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"ac2e6b30-4d5d-11e7-aa29-87a97a796de6\",\"label\":\"Out Packetloss\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.out.dropped\",\"id\":\"ac2e6b31-4d5d-11e7-aa29-87a97a796de6\",\"type\":\"max\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"metric\"},\"title\":\"Packetloss [Metrics System]\",\"type\":\"metrics\"}"
- },
- "id": "system-96976150-4d5d-11e7-aa29-87a97a796de6",
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.4/kibana/visualization/system-97c70300-ff1c-11e9-8405-516218e3d268.json b/packages/system/0.10.4/kibana/visualization/system-97c70300-ff1c-11e9-8405-516218e3d268.json
deleted file mode 100644
index bef426486b..0000000000
--- a/packages/system/0.10.4/kibana/visualization/system-97c70300-ff1c-11e9-8405-516218e3d268.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{}"
- },
- "title": "Users Disabled - TSVB Metric [Windows Security]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(79,147,150,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.security AND event.code: \\\"4725\\\")\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Disabled\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Disabled - TSVB Metric [Windows Security]\",\"type\":\"metrics\"}"
- },
- "id": "windows-97c70300-ff1c-11e9-8405-516218e3d268",
- "migrationVersion": {
- "visualization": "7.10.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.4/kibana/visualization/system-98884120-f49d-11e9-8405-516218e3d268.json b/packages/system/0.10.4/kibana/visualization/system-98884120-f49d-11e9-8405-516218e3d268.json
deleted file mode 100644
index 768e5a7c1c..0000000000
--- a/packages/system/0.10.4/kibana/visualization/system-98884120-f49d-11e9-8405-516218e3d268.json
+++ /dev/null
@@ -1,32 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4731\",\"4727\",\"4754\",\"4744\",\"4759\",\"4779\",\"4790\",\"4783\"],\"type\":\"phrases\",\"value\":\"4731, 4727, 4754, 4744, 4759, 4779, 4790, 4783\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4731\"}},{\"match_phrase\":{\"event.code\":\"4727\"}},{\"match_phrase\":{\"event.code\":\"4754\"}},{\"match_phrase\":{\"event.code\":\"4744\"}},{\"match_phrase\":{\"event.code\":\"4759\"}},{\"match_phrase\":{\"event.code\":\"4779\"}},{\"match_phrase\":{\"event.code\":\"4790\"}},{\"match_phrase\":{\"event.code\":\"4783\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}"
- },
- "title": "Groups Created - Table [Windows Security]",
- "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
- "version": 1,
- "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Group\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"group.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Performer 
LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":4,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":5,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Groups Created - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-98884120-f49d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.4/kibana/visualization/system-99381c80-4d60-11e7-9a4c-ed99bbcaa42b.json b/packages/system/0.10.4/kibana/visualization/system-99381c80-4d60-11e7-9a4c-ed99bbcaa42b.json
deleted file mode 100644
index 66e166e22e..0000000000
--- a/packages/system/0.10.4/kibana/visualization/system-99381c80-4d60-11e7-9a4c-ed99bbcaa42b.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "title": "Interfaces by Incoming traffic [Metrics System]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"id\":\"44596d40-4d60-11e7-9a4c-ed99bbcaa42b\"}],\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.network\\\"\"},\"id\":\"42ceae90-4d60-11e7-9a4c-ed99bbcaa42b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"42ced5a0-4d60-11e7-9a4c-ed99bbcaa42b\",\"label\":\"Interfaces by Incoming traffic\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.in.bytes\",\"id\":\"42ced5a1-4d60-11e7-9a4c-ed99bbcaa42b\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"terms_order_by\":\"42ced5a1-4d60-11e7-9a4c-ed99bbcaa42b\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Interfaces by Incoming traffic [Metrics System]\",\"type\":\"metrics\"}"
- },
- "id": "system-99381c80-4d60-11e7-9a4c-ed99bbcaa42b",
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.4/kibana/visualization/system-9dd22440-ff1d-11e9-8405-516218e3d268.json b/packages/system/0.10.4/kibana/visualization/system-9dd22440-ff1d-11e9-8405-516218e3d268.json
deleted file mode 100644
index 3d479d8d36..0000000000
--- a/packages/system/0.10.4/kibana/visualization/system-9dd22440-ff1d-11e9-8405-516218e3d268.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users locked Out - TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(102,102,102,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.security AND event.code: \\\"4740\\\")\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Locked Out\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users locked Out - TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-9dd22440-ff1d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.4/kibana/visualization/system-9e534190-f49d-11e9-8405-516218e3d268.json b/packages/system/0.10.4/kibana/visualization/system-9e534190-f49d-11e9-8405-516218e3d268.json
deleted file mode 100644
index 80de558be8..0000000000
--- a/packages/system/0.10.4/kibana/visualization/system-9e534190-f49d-11e9-8405-516218e3d268.json
+++ /dev/null
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4735\",\"4737\",\"4755\",\"4750\",\"4760\",\"4745\",\"4791\",\"4784\",\"4764\"],\"type\":\"phrases\",\"value\":\"4735, 4737, 4755, 4750, 4760, 4745, 4791, 4784, 4764\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4735\"}},{\"match_phrase\":{\"event.code\":\"4737\"}},{\"match_phrase\":{\"event.code\":\"4755\"}},{\"match_phrase\":{\"event.code\":\"4750\"}},{\"match_phrase\":{\"event.code\":\"4760\"}},{\"match_phrase\":{\"event.code\":\"4745\"}},{\"match_phrase\":{\"event.code\":\"4791\"}},{\"match_phrase\":{\"event.code\":\"4784\"}},{\"match_phrase\":{\"event.code\":\"4764\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Group Changes - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Group\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"group.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Performer 
LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":4,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":5,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Group Changes - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-9e534190-f49d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.4/kibana/visualization/system-Event-Levels.json b/packages/system/0.10.4/kibana/visualization/system-Event-Levels.json
deleted file mode 100644
index aad708a11c..0000000000
--- a/packages/system/0.10.4/kibana/visualization/system-Event-Levels.json
+++ /dev/null
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system)\"}}" - }, - "title": "Event Levels [Windows Overview]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Log Levels\",\"field\":\"log.level\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Event Levels [Windows Overview]\",\"type\":\"table\"}" - }, - "id": "windows-Event-Levels", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of 
file diff --git a/packages/system/0.10.4/kibana/visualization/system-Navigation.json b/packages/system/0.10.4/kibana/visualization/system-Navigation.json deleted file mode 100644 index d996678974..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-Navigation.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "System Navigation [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"[System Overview](#/dashboard/system-Metrics-system-overview) | [Host Overview](#/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8)\"},\"title\":\"System Navigation [Metrics System]\",\"type\":\"markdown\"}" - }, - "id": "system-Navigation", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-Number-of-Events-Over-Time-By-Event-Log.json b/packages/system/0.10.4/kibana/visualization/system-Number-of-Events-Over-Time-By-Event-Log.json deleted file mode 100644 index f37198a2af..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-Number-of-Events-Over-Time-By-Event-Log.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system)\"}}" - }, - "title": "Number of Events Over Time By Channel [Windows Overview]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"timeRange\":{\"from\":\"now-15d\",\"mode\":\"relative\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Channel\",\"field\":\"winlog.channel\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":6},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"dimensions\":{\"series\":[{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"x\":{\"accessor\":0,\"aggType\":\"date_histogram\",\"format\":{\"id\":\"date\",\"
params\":{\"pattern\":\"YYYY-MM-DD HH:mm\"}},\"params\":{\"bounds\":{\"max\":\"2019-02-05T04:30:25.961Z\",\"min\":\"2019-01-21T04:30:25.961Z\"},\"date\":true,\"format\":\"YYYY-MM-DD HH:mm\",\"interval\":43200000}},\"y\":[{\"accessor\":2,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"Number of Events Over Time By Channel [Windows Overview]\",\"type\":\"histogram\"}" - }, - "id": "windows-Number-of-Events-Over-Time-By-Event-Log", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-Number-of-Events.json b/packages/system/0.10.4/kibana/visualization/system-Number-of-Events.json deleted file mode 100644 index ec58494bab..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-Number-of-Events.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system)\"}}" - }, - "title": "Number of Events [Windows Overview]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"fontSize\":60},\"type\":\"metric\"}" - }, - "id": "windows-Number-of-Events", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-Sources.json b/packages/system/0.10.4/kibana/visualization/system-Sources.json deleted file mode 100644 index d0b0997dc1..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-Sources.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system)\"}}" - }, - "title": "Sources (Provider Names) [Windows Overview]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"winlog.provider_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":7},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"shareYAxis\":true,\"type\":\"pie\"},\"title\":\"Sources (Provider Names) [Windows Overview]\",\"type\":\"pie\"}" - }, - "id": "windows-Sources", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-Syslog-events-by-hostname.json b/packages/system/0.10.4/kibana/visualization/system-Syslog-events-by-hostname.json deleted file mode 100644 index 97fdb33425..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-Syslog-events-by-hostname.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Syslog events by hostname [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"host.hostname\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"Syslog events by hostname\",\"type\":\"histogram\"}" - }, - "id": "system-Syslog-events-by-hostname", - "references": [ - { - "id": "system-Syslog-system-logs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-Syslog-hostnames-and-processes.json b/packages/system/0.10.4/kibana/visualization/system-Syslog-hostnames-and-processes.json deleted file mode 100644 index 3fe992e28b..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-Syslog-hostnames-and-processes.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Syslog hostnames and processes [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"host.hostname\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"process.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"legendPosition\":\"bottom\",\"shareYAxis\":true},\"title\":\"Syslog hostnames and processes\",\"type\":\"pie\"}" - }, - "id": "system-Syslog-hostnames-and-processes", - "references": [ - { - "id": "system-Syslog-system-logs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-Top-Event-IDs.json b/packages/system/0.10.4/kibana/visualization/system-Top-Event-IDs.json deleted file mode 100644 index 4896468949..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-Top-Event-IDs.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system)\"}}" - }, - "title": "Top Event IDs [Windows Overview]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event IDs\",\"field\":\"winlog.event_id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Event IDs [Windows Overview]\",\"type\":\"table\"}" - }, - "id": "windows-Top-Event-IDs", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at 
end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-a13bf640-fee8-11e9-8405-516218e3d268.json b/packages/system/0.10.4/kibana/visualization/system-a13bf640-fee8-11e9-8405-516218e3d268.json deleted file mode 100644 index 7e96d25870..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-a13bf640-fee8-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4732\",\"4728\",\"4756\",\"4751\",\"4761\",\"4746\",\"4785\",\"4787\"],\"type\":\"phrases\",\"value\":\"4732, 4728, 4756, 4751, 4761, 4746, 4785, 4787\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4732\"}},{\"match_phrase\":{\"event.code\":\"4728\"}},{\"match_phrase\":{\"event.code\":\"4756\"}},{\"match_phrase\":{\"event.code\":\"4751\"}},{\"match_phrase\":{\"event.code\":\"4761\"}},{\"match_phrase\":{\"event.code\":\"4746\"}},{\"match_phrase\":{\"event.code\":\"4785\"}},{\"match_phrase\":{\"event.code\":\"4787\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Added - Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Users Added to Groups\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Reds\",\"colorsRange\":[{\"from\":0,\"to\":1,\"type\":\"range\"},{\"from\":1,\"to\":5},{\"from\":5,\"to\":10},{\"from\":10,\"to\":15},{\"from\":15,\"to\":20},{\"from\":20,\"to\":9999}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"Labels\",\"percentageMode\":false,\"style\":{\"bgColor\":true,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Added - 
Simple Metric [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-a13bf640-fee8-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-a3c3f350-9b6d-11ea-87e4-49f31ec44891.json b/packages/system/0.10.4/kibana/visualization/system-a3c3f350-9b6d-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 9d3bf16ab1..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-a3c3f350-9b6d-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Dashboard links [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"[Windows Overview](#/dashboard/Windows-Dashboard) | [User Logon Information](#/dashboard/windows-bae11b00-9bfc-11ea-87e4-49f31ec44891) | [Logon Failed and Account Lockout](#/dashboard/windows-d401ef40-a7d5-11e9-a422-d144027429da) | [User Management Events](#/dashboard/windows-71f720f0-ff18-11e9-8405-516218e3d268) | [Group Management Events](#/dashboard/windows-bb858830-f412-11e9-8405-516218e3d268)\",\"openLinksInNewTab\":false},\"title\":\"Dashboard links [Windows Security]\",\"type\":\"markdown\"}" - }, - "id": "windows-a3c3f350-9b6d-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-a5f664c0-f49a-11e9-8405-516218e3d268.json b/packages/system/0.10.4/kibana/visualization/system-a5f664c0-f49a-11e9-8405-516218e3d268.json deleted file mode 100644 index 4b46c3ba04..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-a5f664c0-f49a-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Removed - TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"bfcaced0-f419-11e9-928e-8f5fd2b6c66e\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(228,155,75,1)\",\"id\":\"11604700-9b51-11ea-99a1-e5b989979a59\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code:4733 OR event.code:4729 OR event.code:4788 OR event.code:4786 OR event.code:4752 OR event.code:4762 OR event.code:4747\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Removed from Group\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Removed - TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-a5f664c0-f49a-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.4/kibana/visualization/system-a79395f0-6aba-11ea-896f-0d70f7ec3956.json b/packages/system/0.10.4/kibana/visualization/system-a79395f0-6aba-11ea-896f-0d70f7ec3956.json
deleted file mode 100644
index d044a29c62..0000000000
--- a/packages/system/0.10.4/kibana/visualization/system-a79395f0-6aba-11ea-896f-0d70f7ec3956.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Blocked Accounts TSVB [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"color\":\"rgba(51,51,51,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(102,102,102,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4740\\\"\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Blocked Accounts\",\"line_width\":1,\"metrics\":[{\"field\":\"user.name\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"cardinality\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Blocked Accounts TSVB [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-a79395f0-6aba-11ea-896f-0d70f7ec3956", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.4/kibana/visualization/system-a909b930-685f-11ea-896f-0d70f7ec3956.json b/packages/system/0.10.4/kibana/visualization/system-a909b930-685f-11ea-896f-0d70f7ec3956.json
deleted file mode 100644
index e4c612104a..0000000000
--- a/packages/system/0.10.4/kibana/visualization/system-a909b930-685f-11ea-896f-0d70f7ec3956.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Logon Events Timeline [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4672\\\" or event.code: \\\"4624\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(226,115,0,1)\",\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4672\\\"\"},\"id\":\"7560ee50-685f-11ea-8d46-c19e41702dd4\",\"label\":\"Admin logons\"},{\"color\":\"rgba(164,221,243,1)\",\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4624\\\"\"},\"id\":\"80e7fb10-685f-11ea-8d46-c19e41702dd4\",\"label\":\"Logon Events\"}],\"split_mode\":\"filters\",\"stacked\":\"none\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"Logon Events Timeline [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-a909b930-685f-11ea-896f-0d70f7ec3956", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.4/kibana/visualization/system-aa31c9d0-9b75-11ea-87e4-49f31ec44891.json b/packages/system/0.10.4/kibana/visualization/system-aa31c9d0-9b75-11ea-87e4-49f31ec44891.json
deleted file mode 100644
index cba7e9d873..0000000000
--- a/packages/system/0.10.4/kibana/visualization/system-aa31c9d0-9b75-11ea-87e4-49f31ec44891.json
+++ /dev/null
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "User Management Events - Affected Users vs Actions - Heatmap [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Target User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Blues\",\"colorsNumber\":4,\"colorsRange\":[],\"enableHover\":false,\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"type\":\"heatmap\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"black\",\"overwriteColor\":false,\"rotate\":0,\"show\":true},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"User Management Events - Affected Users vs Actions - Heatmap [Windows Security]\",\"type\":\"heatmap\"}" - }, - "id": "windows-aa31c9d0-9b75-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - 
"type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.4/kibana/visualization/system-ab2d1e90-1b1a-11e7-b09e-037021c4f8df.json b/packages/system/0.10.4/kibana/visualization/system-ab2d1e90-1b1a-11e7-b09e-037021c4f8df.json
deleted file mode 100644
index 2dd21f0794..0000000000
--- a/packages/system/0.10.4/kibana/visualization/system-ab2d1e90-1b1a-11e7-b09e-037021c4f8df.json
+++ /dev/null
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "CPU Usage [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.cpu\\\"\"},\"id\":\"80a04950-1b19-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"80a04951-1b19-11e7-b09e-037021c4f8df\",\"label\":\"user\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.user.pct\",\"id\":\"80a04952-1b19-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(211,49,21,1)\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"993acf30-1b19-11e7-b09e-037021c4f8df\",\"label\":\"system\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.system.pct\",\"id\":\"993acf31-1b19-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(123,100,255,1)\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"65ca35e0-1b1a-11e7-b09e-037021c4f8df\",\"label\":\"nice\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.nice.pct\",\"id\":\"65ca5cf0-1b1a-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(226,
115,0,1)\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"741b5f20-1b1a-11e7-b09e-037021c4f8df\",\"label\":\"irq\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.irq.pct\",\"id\":\"741b5f21-1b1a-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(176,188,0,1)\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"2efc5d40-1b1a-11e7-b09e-037021c4f8df\",\"label\":\"softirq\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.softirq.pct\",\"id\":\"2efc5d41-1b1a-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(15,20,25,1)\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"ae644a30-1b19-11e7-b09e-037021c4f8df\",\"label\":\"iowait\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.iowait.pct\",\"id\":\"ae644a31-1b19-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"CPU Usage [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-ab2d1e90-1b1a-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-ab6f8d80-bce8-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.4/kibana/visualization/system-ab6f8d80-bce8-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 1524776c84..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-ab6f8d80-bce8-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4767\"],\"type\":\"phrases\",\"value\":\"4767\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4767\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Unlocked Users - Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Users Unlocks\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Unlocked Users - Simple Metric [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-ab6f8d80-bce8-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.4/kibana/visualization/system-abd44840-9c0f-11ea-87e4-49f31ec44891.json b/packages/system/0.10.4/kibana/visualization/system-abd44840-9c0f-11ea-87e4-49f31ec44891.json
deleted file mode 100644
index b80521880d..0000000000
--- a/packages/system/0.10.4/kibana/visualization/system-abd44840-9c0f-11ea-87e4-49f31ec44891.json
+++ /dev/null
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4624\",\"4672\"],\"type\":\"phrases\",\"value\":\"4624, 4672\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4624\"}},{\"match_phrase\":{\"event.code\":\"4672\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Logon Events in Time - Simple [Windows Security]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Admin Logons\":\"#E24D42\",\"Logon Events\":\"#447EBC\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"2020-05-20T07:35:27.496Z\",\"to\":\"2020-05-22T00:01:10.239Z\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"filters\":[{\"input\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4624\\\" \"},\"label\":\"Logon Events\"},{\"input\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4672\\\" \"},\"label\":\"Admin 
Logons\"}]},\"schema\":\"group\",\"type\":\"filters\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Logon Events in Time - Simple [Windows Security]\",\"type\":\"line\"}" - }, - "id": "windows-abd44840-9c0f-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-abf96c10-bcea-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.4/kibana/visualization/system-abf96c10-bcea-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 10df083da9..0000000000 
--- a/packages/system/0.10.4/kibana/visualization/system-abf96c10-bcea-11e9-b6a2-c9b4015c4baf.json
+++ /dev/null
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4738\"},\"type\":\"phrase\",\"value\":\"4738\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4738\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Changes Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Changed User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Changes Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-abf96c10-bcea-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-b5f38780-fee6-11e9-8405-516218e3d268.json b/packages/system/0.10.4/kibana/visualization/system-b5f38780-fee6-11e9-8405-516218e3d268.json deleted file mode 100644 index 01f9b4f63c..0000000000 
--- a/packages/system/0.10.4/kibana/visualization/system-b5f38780-fee6-11e9-8405-516218e3d268.json
+++ /dev/null
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4735\",\"4737\",\"4755\",\"4750\",\"4760\",\"4745\",\"4791\",\"4784\",\"4764\"],\"type\":\"phrases\",\"value\":\"4735, 4737, 4755, 4750, 4760, 4745, 4791, 4784, 4764\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4735\"}},{\"match_phrase\":{\"event.code\":\"4737\"}},{\"match_phrase\":{\"event.code\":\"4755\"}},{\"match_phrase\":{\"event.code\":\"4750\"}},{\"match_phrase\":{\"event.code\":\"4760\"}},{\"match_phrase\":{\"event.code\":\"4745\"}},{\"match_phrase\":{\"event.code\":\"4791\"}},{\"match_phrase\":{\"event.code\":\"4784\"}},{\"match_phrase\":{\"event.code\":\"4764\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Groups Changes - Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Groups Changed\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Yellow to 
Red\",\"colorsRange\":[{\"from\":0,\"to\":1,\"type\":\"range\"},{\"from\":1,\"to\":5},{\"from\":5,\"to\":10},{\"from\":10,\"to\":15},{\"from\":15,\"to\":20},{\"from\":20,\"to\":100000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"Labels\",\"percentageMode\":false,\"style\":{\"bgColor\":true,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Groups Changes - Simple Metric [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-b5f38780-fee6-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-b89b0c90-9b41-11ea-87e4-49f31ec44891.json b/packages/system/0.10.4/kibana/visualization/system-b89b0c90-9b41-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 69a39e96ac..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-b89b0c90-9b41-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Group Management Events - Event Actions [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Group Management Events - Event Actions [Windows Security]\",\"type\":\"pie\"}" - }, - "id": "windows-b89b0c90-9b41-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-bb9cf7a0-f49d-11e9-8405-516218e3d268.json b/packages/system/0.10.4/kibana/visualization/system-bb9cf7a0-f49d-11e9-8405-516218e3d268.json deleted file mode 100644 index a41d9a8945..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-bb9cf7a0-f49d-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4734\",\"4730\",\"4758\",\"4748\",\"4763\",\"4753\",\"4792\",\"4789\"],\"type\":\"phrases\",\"value\":\"4734, 4730, 4758, 4748, 4763, 4753, 4792, 4789\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4734\"}},{\"match_phrase\":{\"event.code\":\"4730\"}},{\"match_phrase\":{\"event.code\":\"4758\"}},{\"match_phrase\":{\"event.code\":\"4748\"}},{\"match_phrase\":{\"event.code\":\"4763\"}},{\"match_phrase\":{\"event.code\":\"4753\"}},{\"match_phrase\":{\"event.code\":\"4792\"}},{\"match_phrase\":{\"event.code\":\"4789\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Groups Deleted - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Group\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"group.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Performer 
LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":4,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":5,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Groups Deleted - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-bb9cf7a0-f49d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.4/kibana/visualization/system-bc165210-f4b8-11e9-8405-516218e3d268.json b/packages/system/0.10.4/kibana/visualization/system-bc165210-f4b8-11e9-8405-516218e3d268.json
deleted file mode 100644
index 1d06fa3d06..0000000000
--- a/packages/system/0.10.4/kibana/visualization/system-bc165210-f4b8-11e9-8405-516218e3d268.json
+++ /dev/null
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4799\"],\"type\":\"phrases\",\"value\":\"4799\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4799\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Group Enumeration - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Group\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"group.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Creator\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Creator 
LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":4,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":5,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Group Enumeration - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-bc165210-f4b8-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.4/kibana/visualization/system-bf45dc50-ff1a-11e9-8405-516218e3d268.json b/packages/system/0.10.4/kibana/visualization/system-bf45dc50-ff1a-11e9-8405-516218e3d268.json
deleted file mode 100644
index fcd8124618..0000000000
--- a/packages/system/0.10.4/kibana/visualization/system-bf45dc50-ff1a-11e9-8405-516218e3d268.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Enabled - TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(203,142,136,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4722\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Enabled\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Enabled - TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-bf45dc50-ff1a-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.4/kibana/visualization/system-bfa5e400-1b16-11e7-b09e-037021c4f8df.json b/packages/system/0.10.4/kibana/visualization/system-bfa5e400-1b16-11e7-b09e-037021c4f8df.json deleted file mode 100644 index 50aa47d6d7..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-bfa5e400-1b16-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Memory Usage [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.memory\\\"\"},\"id\":\"32f46f40-1b16-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(211,49,21,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"4ff61fd0-1b16-11e7-b09e-037021c4f8df\",\"label\":\"Used\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.actual.used.bytes\",\"id\":\"4ff61fd1-1b16-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"753a6080-1b16-11e7-b09e-037021c4f8df\",\"label\":\"Cache\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.actual.used.bytes\",\"id\":\"753a6081-1b16-11e7-b09e-037021c4f8df\",\"type\":\"avg\"},{\"field\":\"system.memory.used.bytes\",\"id\":\"7c9d3f00-1b16-11e7-b09e-037021c4f8df\",\"type\":\"avg\"},{\"id\":\"869cc160-1b16-11e7-b09e-037021c4f8df\",\"script\":\"params.actual != null \\u0026\\u0026 params.used != null ? 
params.used - params.actual : null\",\"type\":\"calculation\",\"variables\":[{\"field\":\"753a6081-1b16-11e7-b09e-037021c4f8df\",\"id\":\"890f9620-1b16-11e7-b09e-037021c4f8df\",\"name\":\"actual\"},{\"field\":\"7c9d3f00-1b16-11e7-b09e-037021c4f8df\",\"id\":\"8f3ab7f0-1b16-11e7-b09e-037021c4f8df\",\"name\":\"used\"}]}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"32f46f41-1b16-11e7-b09e-037021c4f8df\",\"label\":\"Free\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.free\",\"id\":\"32f46f42-1b16-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"Memory Usage [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-bfa5e400-1b16-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-c2ea73f0-a4bd-11e9-a422-d144027429da.json b/packages/system/0.10.4/kibana/visualization/system-c2ea73f0-a4bd-11e9-a422-d144027429da.json deleted file mode 100644 index 0693d6a8fc..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-c2ea73f0-a4bd-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Failed Logon and Account Lockout [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":10,\"markdown\":\"### **Failed Logons and Account Lockouts**\",\"openLinksInNewTab\":false},\"title\":\"Failed Logon and Account Lockout [Windows Security]\",\"type\":\"markdown\"}" - }, - "id": "windows-c2ea73f0-a4bd-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-c359b020-bcdd-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.4/kibana/visualization/system-c359b020-bcdd-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index c63ede5997..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-c359b020-bcdd-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4726\"},\"type\":\"phrase\",\"value\":\"4726\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4726\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Deleted - Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Deleted Users\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Deleted - Simple Metric [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-c359b020-bcdd-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.4/kibana/visualization/system-c5e3cf90-4d60-11e7-9a4c-ed99bbcaa42b.json b/packages/system/0.10.4/kibana/visualization/system-c5e3cf90-4d60-11e7-9a4c-ed99bbcaa42b.json deleted file mode 100644 index bbdd02df29..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-c5e3cf90-4d60-11e7-9a4c-ed99bbcaa42b.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Interfaces by Outgoing traffic [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"id\":\"9db20be0-4d60-11e7-9a4c-ed99bbcaa42b\"}],\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.network\\\"\"},\"id\":\"9cdba910-4d60-11e7-9a4c-ed99bbcaa42b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"9cdba911-4d60-11e7-9a4c-ed99bbcaa42b\",\"label\":\"Interfaces by Outgoing traffic\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.out.bytes\",\"id\":\"9cdba912-4d60-11e7-9a4c-ed99bbcaa42b\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"terms_order_by\":\"9cdba912-4d60-11e7-9a4c-ed99bbcaa42b\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Interfaces by Outgoing traffic [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-c5e3cf90-4d60-11e7-9a4c-ed99bbcaa42b", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.4/kibana/visualization/system-c6f2ffd0-4d17-11e7-a196-69b9a7a020a9.json b/packages/system/0.10.4/kibana/visualization/system-c6f2ffd0-4d17-11e7-a196-69b9a7a020a9.json deleted file mode 100644 index a781526538..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-c6f2ffd0-4d17-11e7-a196-69b9a7a020a9.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Number of hosts [Metrics System]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Number of hosts\",\"field\":\"host.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":false},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"63\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"type\":\"gauge\"},\"title\":\"Number of hosts [Metrics System]\",\"type\":\"metric\"}" - }, - "id": "system-c6f2ffd0-4d17-11e7-a196-69b9a7a020a9", - "references": [ - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.4/kibana/visualization/system-c9d959f0-ff1d-11e9-8405-516218e3d268.json b/packages/system/0.10.4/kibana/visualization/system-c9d959f0-ff1d-11e9-8405-516218e3d268.json deleted file mode 100644 index e99dc25f2d..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-c9d959f0-ff1d-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Changes TS VB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(221,186,64,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4738\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Changes\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Changes TS VB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-c9d959f0-ff1d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.4/kibana/visualization/system-caf4d2b0-9b76-11ea-87e4-49f31ec44891.json b/packages/system/0.10.4/kibana/visualization/system-caf4d2b0-9b76-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 929d24092b..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-caf4d2b0-9b76-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Event Distribution in time [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-7d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"norma
l\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Event Distribution in time [Windows Security]\",\"type\":\"histogram\"}" - }, - "id": "windows-caf4d2b0-9b76-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-ce867840-f49e-11e9-8405-516218e3d268.json b/packages/system/0.10.4/kibana/visualization/system-ce867840-f49e-11e9-8405-516218e3d268.json deleted file mode 100644 index e6a5114cd8..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-ce867840-f49e-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4732\",\"4728\",\"4756\",\"4751\",\"4761\",\"4746\",\"4785\",\"4787\"],\"type\":\"phrases\",\"value\":\"4732, 4728, 4756, 4751, 4761, 4746, 4785, 4787\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4732\"}},{\"match_phrase\":{\"event.code\":\"4728\"}},{\"match_phrase\":{\"event.code\":\"4756\"}},{\"match_phrase\":{\"event.code\":\"4751\"}},{\"match_phrase\":{\"event.code\":\"4761\"}},{\"match_phrase\":{\"event.code\":\"4746\"}},{\"match_phrase\":{\"event.code\":\"4785\"}},{\"match_phrase\":{\"event.code\":\"4787\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Added - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"User\",\"field\":\"winlog.event_data.MemberName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Group\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"group.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Performed by Logon 
ID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":4,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":5,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":5,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Added - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-ce867840-f49e-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline 
at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-d16bb400-f9cc-11e6-8115-a7c18106d86a.json b/packages/system/0.10.4/kibana/visualization/system-d16bb400-f9cc-11e6-8115-a7c18106d86a.json deleted file mode 100644 index 7d3a140c7b..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-d16bb400-f9cc-11e6-8115-a7c18106d86a.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.ssh.event:Accepted\"}}" - }, - "title": "Successful SSH logins [Logs System]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Accepted\":\"#3F6833\",\"Failed\":\"#F9934E\",\"Invalid\":\"#447EBC\",\"password\":\"#BF1B00\",\"publickey\":\"#629E51\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"system.auth.ssh.method\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"Successful SSH logins\",\"type\":\"histogram\"}" - }, - "id": "system-d16bb400-f9cc-11e6-8115-a7c18106d86a", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.4/kibana/visualization/system-d2e80340-4d5c-11e7-aa29-87a97a796de6.json b/packages/system/0.10.4/kibana/visualization/system-d2e80340-4d5c-11e7-aa29-87a97a796de6.json deleted file mode 100644 index 409529a0d5..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-d2e80340-4d5c-11e7-aa29-87a97a796de6.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Memory usage vs total [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"6f7618b0-4d5c-11e7-aa29-87a97a796de6\"}],\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.memory\\\"\"},\"id\":\"6bc65720-4d5c-11e7-aa29-87a97a796de6\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"6bc65721-4d5c-11e7-aa29-87a97a796de6\",\"label\":\"Memory usage\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.actual.used.bytes\",\"id\":\"6bc65722-4d5c-11e7-aa29-87a97a796de6\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"b8fe6820-4d5c-11e7-aa29-87a97a796de6\",\"label\":\"Total Memory\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.total\",\"id\":\"b8fe6821-4d5c-11e7-aa29-87a97a796de6\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"metric\"},\"title\":\"Memory usage vs total\",\"type\":\"metrics\"}" - }, - "id": "system-d2e80340-4d5c-11e7-aa29-87a97a796de6", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.4/kibana/visualization/system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b.json b/packages/system/0.10.4/kibana/visualization/system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b.json deleted file mode 100644 index bc6234f906..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Memory Usage Gauge [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.memory\\\"\"},\"gauge_color_rules\":[{\"gauge\":\"rgba(104,188,0,1)\",\"id\":\"a0d522e0-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0},{\"gauge\":\"rgba(254,146,0,1)\",\"id\":\"b45ad8f0-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0.7},{\"gauge\":\"rgba(211,49,21,1)\",\"id\":\"c06e9550-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0.85}],\"gauge_inner_width\":10,\"gauge_max\":\"1\",\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"9f51b730-1b91-11e7-bec4-a5e9ec5cab8b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"9f51b731-1b91-11e7-bec4-a5e9ec5cab8b\",\"label\":\"Memory Usage\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.actual.used.pct\",\"id\":\"9f51b732-1b91-11e7-bec4-a5e9ec5cab8b\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\"},\"title\":\"Memory Usage Gauge [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.4/kibana/visualization/system-d3a5fec0-ff18-11e9-8405-516218e3d268.json b/packages/system/0.10.4/kibana/visualization/system-d3a5fec0-ff18-11e9-8405-516218e3d268.json deleted file mode 100644 index cfc0f94fdb..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-d3a5fec0-ff18-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Created - TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(181,99,93,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4720\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Created\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Created - TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-d3a5fec0-ff18-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.4/kibana/visualization/system-d56ee420-fa79-11e6-a1df-a78bd7504d38.json b/packages/system/0.10.4/kibana/visualization/system-d56ee420-fa79-11e6-a1df-a78bd7504d38.json deleted file mode 100644 index 4a1a669662..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-d56ee420-fa79-11e6-a1df-a78bd7504d38.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New users by home directory [Logs System]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"/bin/bash\":\"#E24D42\",\"/bin/false\":\"#508642\",\"/nonexistent\":\"#629E51\",\"/sbin/nologin\":\"#7EB26D\"},\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"system.auth.useradd.home\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":false,\"legendPosition\":\"right\"},\"title\":\"New users by home directory\",\"type\":\"pie\"}" - }, - "id": "system-d56ee420-fa79-11e6-a1df-a78bd7504d38", - "references": [ - { - "id": "system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-d770b040-9b35-11ea-87e4-49f31ec44891.json b/packages/system/0.10.4/kibana/visualization/system-d770b040-9b35-11ea-87e4-49f31ec44891.json deleted file mode 100644 index f305904a39..0000000000 
--- a/packages/system/0.10.4/kibana/visualization/system-d770b040-9b35-11ea-87e4-49f31ec44891.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system)\"}}" - }, - "title": "Dashboard links - Simple [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"[Windows General Dashboard](#/dashboard/Windows-Dashboard) | [User Logon Information](#/dashboard/windows-035846a0-a249-11e9-a422-d144027429da?) | [Logon failed and Account Lockout](#/dashboard/windows-f49f3170-9ffc-11ea-87e4-49f31ec44891) | [User Management Events](#/dashboard/windows-8223bed0-b9e9-11e9-b6a2-c9b4015c4baf) | [Group Management Events](#/dashboard/windows-01c54730-fee6-11e9-8405-516218e3d268)\",\"openLinksInNewTab\":false},\"title\":\"Dashboard links - Simple [Windows Security]\",\"type\":\"markdown\"}" - }, - "id": "windows-d770b040-9b35-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-da2110c0-bcea-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.4/kibana/visualization/system-da2110c0-bcea-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 353d90c6e3..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-da2110c0-bcea-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4767\"},\"type\":\"phrase\",\"value\":\"4767\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4767\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Unlocked Users - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Unlocked User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
Logonid\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Unlocked Users - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-da2110c0-bcea-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.4/kibana/visualization/system-da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index ff1ee322e1..0000000000 
--- a/packages/system/0.10.4/kibana/visualization/system-da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4723\",\"4724\"],\"type\":\"phrases\",\"value\":\"4723, 4724\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4723\"}},{\"match_phrase\":{\"event.code\":\"4724\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Password Changes - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Password Change to\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Password Changes - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-dc589770-fa2b-11e6-bbd3-29c986c96e5a.json b/packages/system/0.10.4/kibana/visualization/system-dc589770-fa2b-11e6-bbd3-29c986c96e5a.json deleted file mode 100644 index 16dd4ec2e5..0000000000 
--- a/packages/system/0.10.4/kibana/visualization/system-dc589770-fa2b-11e6-bbd3-29c986c96e5a.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top sudo commands [Logs System]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"system.auth.sudo.command\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.auth\\\"\"},\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top sudo commands\",\"type\":\"table\"}" - }, - "id": "system-dc589770-fa2b-11e6-bbd3-29c986c96e5a", - "references": [ - { - "id": "system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-e0f001c0-1b18-11e7-b09e-037021c4f8df.json b/packages/system/0.10.4/kibana/visualization/system-e0f001c0-1b18-11e7-b09e-037021c4f8df.json deleted file mode 100644 index 0de4eae928..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-e0f001c0-1b18-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Top Processes By CPU [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"bar_color\":\"rgba(104,188,0,1)\",\"id\":\"60e11be0-1b18-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0}],\"drilldown_url\":\"\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.process\\\"\"},\"id\":\"5f5b8d50-1b18-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"5f5b8d51-1b18-11e7-b09e-037021c4f8df\",\"line_width\":1,\"metrics\":[{\"field\":\"system.process.cpu.total.pct\",\"id\":\"5f5b8d52-1b18-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"process.name\",\"terms_order_by\":\"5f5b8d52-1b18-11e7-b09e-037021c4f8df\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Top Processes By CPU [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-e0f001c0-1b18-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-e121b140-fa78-11e6-a1df-a78bd7504d38.json b/packages/system/0.10.4/kibana/visualization/system-e121b140-fa78-11e6-a1df-a78bd7504d38.json deleted file mode 100644 index 8bc2dd67ee..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-e121b140-fa78-11e6-a1df-a78bd7504d38.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New users by shell [Logs System]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"/bin/bash\":\"#E24D42\",\"/bin/false\":\"#508642\",\"/sbin/nologin\":\"#7EB26D\"},\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"system.auth.useradd.shell\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.auth\\\"\"},\"isDonut\":false,\"legendPosition\":\"right\"},\"title\":\"New users by shell\",\"type\":\"pie\"}" - }, - "id": "system-e121b140-fa78-11e6-a1df-a78bd7504d38", - "references": [ - { - "id": "system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-e20c02d0-9b48-11ea-87e4-49f31ec44891.json b/packages/system/0.10.4/kibana/visualization/system-e20c02d0-9b48-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 1c91323555..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-e20c02d0-9b48-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Group Management Events - Groups vs Actions - Heatmap [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Target Groups\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Actions\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Blues\",\"colorsNumber\":4,\"colorsRange\":[],\"enableHover\":false,\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"type\":\"heatmap\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"black\",\"overwriteColor\":false,\"rotate\":0,\"show\":true},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Group Management Events - Groups vs Actions - Heatmap [Windows Security]\",\"type\":\"heatmap\"}" - }, - "id": "windows-e20c02d0-9b48-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": 
"visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-e22c6f40-f498-11e9-8405-516218e3d268.json b/packages/system/0.10.4/kibana/visualization/system-e22c6f40-f498-11e9-8405-516218e3d268.json deleted file mode 100644 index 3a7002cb8f..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-e22c6f40-f498-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Groups Deleted TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(200,201,197,1)\",\"id\":\"bfcaced0-f419-11e9-928e-8f5fd2b6c66e\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(228,155,75,1)\",\"id\":\"a7d935e0-f497-11e9-928e-8f5fd2b6c66e\",\"operator\":\"gt\",\"value\":0}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code:4734 OR event.code:4730 OR event.code:4758 OR event.code:4753 OR event.code:4763 OR event.code:4748 OR event.code:4789 OR event.code:4792\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Groups Deleted\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Groups Deleted TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-e22c6f40-f498-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.4/kibana/visualization/system-e2516c10-a249-11e9-a422-d144027429da.json b/packages/system/0.10.4/kibana/visualization/system-e2516c10-a249-11e9-a422-d144027429da.json deleted file mode 100644 index 1ab8694c7d..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-e2516c10-a249-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4672\"},\"type\":\"phrase\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4672\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Administrator Users [Windows Security]", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"winlog.logon.id\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"label\":\"user.name: Descending\",\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"cardinality\",\"format\":{\"id\":\"number\"},\"label\":\"Unique count of winlog.logon.id\",\"params\":{}}},\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"bottom\",\"type\":\"pie\"},\"title\":\"Administrator Users [Windows Security]\",\"type\":\"pie\"}" - }, - "id": 
"windows-e2516c10-a249-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.4/kibana/visualization/system-ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 3f849c9c25..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4726\"},\"type\":\"phrase\",\"value\":\"4726\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4726\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Deleted - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Deleted User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performed 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Deleted - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-ee292bc0-f499-11e9-8405-516218e3d268.json b/packages/system/0.10.4/kibana/visualization/system-ee292bc0-f499-11e9-8405-516218e3d268.json deleted file mode 100644 index 73b82c4743..0000000000 
--- a/packages/system/0.10.4/kibana/visualization/system-ee292bc0-f499-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Groups Created TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(200,201,197,1)\",\"id\":\"bfcaced0-f419-11e9-928e-8f5fd2b6c66e\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(181,99,93,1)\",\"id\":\"a7d935e0-f497-11e9-928e-8f5fd2b6c66e\",\"operator\":\"gt\",\"value\":0}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code:4731 OR event.code:4727 OR event.code:\\\"4754\\\" OR event.code:\\\"4749\\\" OR event.code:\\\"4759\\\" OR event.code:\\\"4744\\\" OR event.code:\\\"4783\\\" OR event.code:\\\"4790\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Groups Created\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Groups Created TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-ee292bc0-f499-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.4/kibana/visualization/system-f398d2f0-fa77-11e6-ae9b-81e5311e8cab.json b/packages/system/0.10.4/kibana/visualization/system-f398d2f0-fa77-11e6-ae9b-81e5311e8cab.json deleted file mode 100644 index 485b755000..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-f398d2f0-fa77-11e6-ae9b-81e5311e8cab.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New users [Logs System]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Host\",\"field\":\"host.hostname\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"User\",\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"UID\",\"field\":\"user.id\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"GID\",\"field\":\"group.id\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Home\",\"field\":\"system.auth.useradd.home\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"Shell\",\"field\":\"system.auth.useradd.shell\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.auth\\\"\"},\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"New users\",\"type\":\"table\"}" - }, - "id": "system-f398d2f0-fa77-11e6-ae9b-81e5311e8cab", - "references": [ - { - "id": 
"system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-f42f3b20-fee6-11e9-8405-516218e3d268.json b/packages/system/0.10.4/kibana/visualization/system-f42f3b20-fee6-11e9-8405-516218e3d268.json deleted file mode 100644 index 30d1efae49..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-f42f3b20-fee6-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4731\",\"4727\",\"4754\",\"4744\",\"4759\",\"4779\",\"4790\",\"4783\"],\"type\":\"phrases\",\"value\":\"4731, 4727, 4754, 4744, 4759, 4779, 4790, 4783\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4731\"}},{\"match_phrase\":{\"event.code\":\"4727\"}},{\"match_phrase\":{\"event.code\":\"4754\"}},{\"match_phrase\":{\"event.code\":\"4744\"}},{\"match_phrase\":{\"event.code\":\"4759\"}},{\"match_phrase\":{\"event.code\":\"4779\"}},{\"match_phrase\":{\"event.code\":\"4790\"}},{\"match_phrase\":{\"event.code\":\"4783\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Groups Created - Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Groups Created\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Reds\",\"colorsRange\":[{\"from\":0,\"to\":1,\"type\":\"range\"},{\"from\":1,\"to\":10},{\"from\":10,\"to\":20},{\"from\":20,\"to\":9999}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"Labels\",\"percentageMode\":false,\"style\":{\"bgColor\":true,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Groups Created - Simple Metric [Windows 
Security]\",\"type\":\"metric\"}" - }, - "id": "windows-f42f3b20-fee6-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-fa876300-231a-11ea-8405-516218e3d268.json b/packages/system/0.10.4/kibana/visualization/system-fa876300-231a-11ea-8405-516218e3d268.json deleted file mode 100644 index ad21d0ef81..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-fa876300-231a-11ea-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4781\"},\"type\":\"phrase\",\"value\":\"4781\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4781\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Renamed - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Old User Name\",\"field\":\"winlog.event_data.OldTargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Renamed - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-fa876300-231a-11ea-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-fe064790-1b1f-11e7-bec4-a5e9ec5cab8b.json b/packages/system/0.10.4/kibana/visualization/system-fe064790-1b1f-11e7-bec4-a5e9ec5cab8b.json deleted file mode 100644 index 86576781aa..0000000000 
--- a/packages/system/0.10.4/kibana/visualization/system-fe064790-1b1f-11e7-bec4-a5e9ec5cab8b.json
+++ /dev/null
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Top Hosts By Memory (Realtime) [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"bar_color\":\"rgba(104,188,0,1)\",\"id\":\"33349dd0-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0},{\"bar_color\":\"rgba(254,146,0,1)\",\"id\":\"997dc440-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.6},{\"bar_color\":\"rgba(211,49,21,1)\",\"id\":\"a10d7f20-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.85}],\"drilldown_url\":\"../app/kibana#/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8?_a=(query:(language:kuery,query:'host.name:\\\"{{key}}\\\"'))\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.memory\\\"\"},\"id\":\"31e5afa0-1b1c-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"31e5afa1-1b1c-11e7-b09e-037021c4f8df\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.actual.used.pct\",\"id\":\"31e5afa2-1b1c-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"host.name\",\"terms_order_by\":\"31e5afa2-1b1c-11e7-b09e-037021c4f8df\",\"terms_size\":\"10\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Top Hosts By Memory (Realtime) [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-fe064790-1b1f-11e7-bec4-a5e9ec5cab8b", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.4/kibana/visualization/system-fee83900-f49f-11e9-8405-516218e3d268.json b/packages/system/0.10.4/kibana/visualization/system-fee83900-f49f-11e9-8405-516218e3d268.json
deleted file mode 100644
index 2de9d27e4d..0000000000
--- a/packages/system/0.10.4/kibana/visualization/system-fee83900-f49f-11e9-8405-516218e3d268.json
+++ /dev/null
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4733\",\"4729\",\"4757\",\"4786\",\"4788\",\"4752\",\"4762\",\"4747\"],\"type\":\"phrases\",\"value\":\"4733, 4729, 4757, 4786, 4788, 4752, 4762, 4747\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4733\"}},{\"match_phrase\":{\"event.code\":\"4729\"}},{\"match_phrase\":{\"event.code\":\"4757\"}},{\"match_phrase\":{\"event.code\":\"4786\"}},{\"match_phrase\":{\"event.code\":\"4788\"}},{\"match_phrase\":{\"event.code\":\"4752\"}},{\"match_phrase\":{\"event.code\":\"4762\"}},{\"match_phrase\":{\"event.code\":\"4747\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Removed from Group - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"User\",\"field\":\"winlog.event_data.MemberName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Group\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"group.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Performed by Logon 
ID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":4,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":5,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":5,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Removed from Group - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-fee83900-f49f-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ 
No newline at end of file diff --git a/packages/system/0.10.4/kibana/visualization/system-ffebe440-f419-11e9-8405-516218e3d268.json b/packages/system/0.10.4/kibana/visualization/system-ffebe440-f419-11e9-8405-516218e3d268.json deleted file mode 100644 index bc21df1e0a..0000000000 --- a/packages/system/0.10.4/kibana/visualization/system-ffebe440-f419-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Added - Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"bfcaced0-f419-11e9-928e-8f5fd2b6c66e\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(181,99,93,1)\",\"id\":\"a7d935e0-f497-11e9-928e-8f5fd2b6c66e\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code:4732 OR event.code:4728 OR event.code:4756 OR event.code:4751 OR event.code:4761 OR event.code:4746 OR event.code:4785 OR event.code:4787\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Added to Group\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Added - Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-ffebe440-f419-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.4/manifest.yml b/packages/system/0.10.4/manifest.yml
deleted file mode 100644
index fe9236bb8c..0000000000
--- a/packages/system/0.10.4/manifest.yml
+++ /dev/null
@@ -1,43 +0,0 @@
-format_version: 1.0.0
-name: system
-title: System
-version: 0.10.4
-license: basic
-description: System Integration
-type: integration
-categories:
-  - os_system
-  - security
-release: beta
-conditions:
-  kibana.version: '^7.11.0'
-screenshots:
-  - src: /img/kibana-system.png
-    title: kibana system
-    size: 1220x852
-    type: image/png
-  - src: /img/metricbeat_system_dashboard.png
-    title: metricbeat system dashboard
-    size: 2097x1933
-    type: image/png
-icons:
-  - src: /img/system.svg
-    title: system
-    size: 1000x1000
-    type: image/svg+xml
-policy_templates:
-  - name: system
-    title: System logs and metrics
-    description: Collect logs and metrics from System instances
-    inputs:
-      - type: logfile
-        title: Collect logs from System instances
-        description: Collecting System auth and syslog logs
-      - type: winlog
-        title: 'Collect events from the Windows event log'
-        description: 'Collecting events from Windows event log'
-      - type: system/metrics
-        title: Collect metrics from System instances
-        description: Collecting System core, CPU, diskio, entropy, filesystem, fsstat, load, memory, network, Network Summary, process, Process Summary, raid, service, socket, Socket Summary, uptime and users metrics
-owner:
-  github: elastic/integrations-services
diff --git a/packages/system/0.10.5/data_stream/application/agent/stream/winlog.yml.hbs b/packages/system/0.10.5/data_stream/application/agent/stream/winlog.yml.hbs
deleted file mode 100644
index e207b9ffd6..0000000000
--- a/packages/system/0.10.5/data_stream/application/agent/stream/winlog.yml.hbs
+++ /dev/null
@@ -1,3 +0,0 @@
-name: Application
-condition: ${host.platform} == 'windows'
-ignore_older: 72h
\ No newline at end of file
diff --git a/packages/system/0.10.5/data_stream/application/elasticsearch/ingest_pipeline/default.yml b/packages/system/0.10.5/data_stream/application/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100644
index d239ad095f..0000000000
--- a/packages/system/0.10.5/data_stream/application/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-description: Pipeline for Windows Application Event Logs
-processors:
-  - set:
-      field: event.ingested
-      value: '{{_ingest.timestamp}}'
-on_failure:
-  - set:
-      field: "error.message"
-      value: "{{ _ingest.on_failure_message }}"
\ No newline at end of file
diff --git a/packages/system/0.10.5/data_stream/application/fields/agent.yml b/packages/system/0.10.5/data_stream/application/fields/agent.yml
deleted file mode 100644
index da4e652c53..0000000000
--- a/packages/system/0.10.5/data_stream/application/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.10.5/data_stream/application/fields/base-fields.yml b/packages/system/0.10.5/data_stream/application/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.10.5/data_stream/application/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
-  type: constant_keyword
-  description: Data stream type.
-- name: data_stream.dataset
-  type: constant_keyword
-  description: Data stream dataset.
-- name: data_stream.namespace
-  type: constant_keyword
-  description: Data stream namespace.
-- name: '@timestamp'
-  type: date
-  description: Event timestamp.
diff --git a/packages/system/0.10.5/data_stream/application/fields/ecs.yml b/packages/system/0.10.5/data_stream/application/fields/ecs.yml
deleted file mode 100644
index e1817f5ca6..0000000000
--- a/packages/system/0.10.5/data_stream/application/fields/ecs.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-- description: Time when the event was first read by an agent or by your pipeline.
-  example: '2016-05-23T08:05:34.857Z'
-  name: event.created
-  type: date
-- description: Timestamp when an event arrived in the central data store.
-  example: '2016-05-23T08:05:35.101Z'
-  name: event.ingested
-  type: date
-- description: Raw text message of entire event.
-  example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232
-  ignore_above: 1024
-  name: event.original
-  type: keyword
-- description: Error message.
-  name: error.message
-  type: text
diff --git a/packages/system/0.10.5/data_stream/application/fields/winlog.yml b/packages/system/0.10.5/data_stream/application/fields/winlog.yml
deleted file mode 100644
index adca1bbdd0..0000000000
--- a/packages/system/0.10.5/data_stream/application/fields/winlog.yml
+++ /dev/null
@@ -1,357 +0,0 @@ -- name: winlog - type: group - description: > - All fields specific to the Windows Event Log are defined here. - - fields: - - name: api - required: true - type: keyword - description: > - The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. - - - name: activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. - - - name: computer_name - type: keyword - required: true - description: > - The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. - - - name: event_data - type: object - object_type: keyword - required: false - description: > - The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. - - - name: event_data - type: group - description: > - This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs. 
- - fields: - - name: AuthenticationPackageName - type: keyword - - name: Binary - type: keyword - - name: BitlockerUserInputTime - type: keyword - - name: BootMode - type: keyword - - name: BootType - type: keyword - - name: BuildVersion - type: keyword - - name: Company - type: keyword - - name: CorruptionActionState - type: keyword - - name: CreationUtcTime - type: keyword - - name: Description - type: keyword - - name: Detail - type: keyword - - name: DeviceName - type: keyword - - name: DeviceNameLength - type: keyword - - name: DeviceTime - type: keyword - - name: DeviceVersionMajor - type: keyword - - name: DeviceVersionMinor - type: keyword - - name: DriveName - type: keyword - - name: DriverName - type: keyword - - name: DriverNameLength - type: keyword - - name: DwordVal - type: keyword - - name: EntryCount - type: keyword - - name: ExtraInfo - type: keyword - - name: FailureName - type: keyword - - name: FailureNameLength - type: keyword - - name: FileVersion - type: keyword - - name: FinalStatus - type: keyword - - name: Group - type: keyword - - name: IdleImplementation - type: keyword - - name: IdleStateCount - type: keyword - - name: ImpersonationLevel - type: keyword - - name: IntegrityLevel - type: keyword - - name: IpAddress - type: keyword - - name: IpPort - type: keyword - - name: KeyLength - type: keyword - - name: LastBootGood - type: keyword - - name: LastShutdownGood - type: keyword - - name: LmPackageName - type: keyword - - name: LogonGuid - type: keyword - - name: LogonId - type: keyword - - name: LogonProcessName - type: keyword - - name: LogonType - type: keyword - - name: MajorVersion - type: keyword - - name: MaximumPerformancePercent - type: keyword - - name: MemberName - type: keyword - - name: MemberSid - type: keyword - - name: MinimumPerformancePercent - type: keyword - - name: MinimumThrottlePercent - type: keyword - - name: MinorVersion - type: keyword - - name: NewProcessId - type: keyword - - name: NewProcessName - type: 
keyword - - name: NewSchemeGuid - type: keyword - - name: NewTime - type: keyword - - name: NominalFrequency - type: keyword - - name: Number - type: keyword - - name: OldSchemeGuid - type: keyword - - name: OldTime - type: keyword - - name: OriginalFileName - type: keyword - - name: Path - type: keyword - - name: PerformanceImplementation - type: keyword - - name: PreviousCreationUtcTime - type: keyword - - name: PreviousTime - type: keyword - - name: PrivilegeList - type: keyword - - name: ProcessId - type: keyword - - name: ProcessName - type: keyword - - name: ProcessPath - type: keyword - - name: ProcessPid - type: keyword - - name: Product - type: keyword - - name: PuaCount - type: keyword - - name: PuaPolicyId - type: keyword - - name: QfeVersion - type: keyword - - name: Reason - type: keyword - - name: SchemaVersion - type: keyword - - name: ScriptBlockText - type: keyword - - name: ServiceName - type: keyword - - name: ServiceVersion - type: keyword - - name: ShutdownActionType - type: keyword - - name: ShutdownEventCode - type: keyword - - name: ShutdownReason - type: keyword - - name: Signature - type: keyword - - name: SignatureStatus - type: keyword - - name: Signed - type: keyword - - name: StartTime - type: keyword - - name: State - type: keyword - - name: Status - type: keyword - - name: StopTime - type: keyword - - name: SubjectDomainName - type: keyword - - name: SubjectLogonId - type: keyword - - name: SubjectUserName - type: keyword - - name: SubjectUserSid - type: keyword - - name: TSId - type: keyword - - name: TargetDomainName - type: keyword - - name: TargetInfo - type: keyword - - name: TargetLogonGuid - type: keyword - - name: TargetLogonId - type: keyword - - name: TargetServerName - type: keyword - - name: TargetUserName - type: keyword - - name: TargetUserSid - type: keyword - - name: TerminalSessionId - type: keyword - - name: TokenElevationType - type: keyword - - name: TransmittedServices - type: keyword - - name: UserSid - type: 
keyword - - name: Version - type: keyword - - name: Workstation - type: keyword - - name: param1 - type: keyword - - name: param2 - type: keyword - - name: param3 - type: keyword - - name: param4 - type: keyword - - name: param5 - type: keyword - - name: param6 - type: keyword - - name: param7 - type: keyword - - name: param8 - type: keyword - - name: event_id - type: keyword - required: true - description: > - The event identifier. The value is specific to the source of the event. - - - name: keywords - type: keyword - required: false - description: > - The keywords are used to classify an event. - - - name: channel - type: keyword - required: true - description: > - The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. - - - name: record_id - type: keyword - required: true - description: > - The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. - - - name: related_activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. - - - name: opcode - type: keyword - required: false - description: > - The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. - - - name: provider_guid - type: keyword - required: false - description: > - A globally unique identifier that identifies the provider that logged the event. - - - name: process.pid - type: long - required: false - description: > - The process_id of the Client Server Runtime Process. 
- - - name: provider_name - type: keyword - required: true - description: > - The source of the event log record (the application or service that logged the record). - - - name: task - type: keyword - required: false - description: > - The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. - - - name: process.thread.id - type: long - required: false - - name: user_data - type: object - object_type: keyword - required: false - description: > - The event specific data. This field is mutually exclusive with `event_data`. - - - name: user.identifier - type: keyword - required: false - example: S-1-5-21-3541430928-2051711210-1391384369-1001 - description: > - The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. - - - name: user.name - type: keyword - description: > - Name of the user associated with this event. - - - name: user.domain - type: keyword - required: false - description: > - The domain that the account associated with this event is a member of. - - - name: user.type - type: keyword - required: false - description: > - The type of account associated with this event. - - - name: version - type: long - required: false - description: The version number of the event's definition. diff --git a/packages/system/0.10.5/data_stream/application/manifest.yml b/packages/system/0.10.5/data_stream/application/manifest.yml deleted file mode 100644 index 4fab87c07c..0000000000 --- a/packages/system/0.10.5/data_stream/application/manifest.yml +++ /dev/null 
@@ -1,8 +0,0 @@ -type: logs -title: Windows Application Events -release: experimental -streams: - - input: winlog - template_path: winlog.yml.hbs - title: Application - description: 'Collect Windows application logs' diff --git a/packages/system/0.10.5/data_stream/auth/agent/stream/log.yml.hbs b/packages/system/0.10.5/data_stream/auth/agent/stream/log.yml.hbs deleted file mode 100644 index 58c96859c0..0000000000 --- a/packages/system/0.10.5/data_stream/auth/agent/stream/log.yml.hbs +++ /dev/null @@ -1,14 +0,0 @@ -paths: -{{#each paths as |path i|}} - - {{path}} -{{/each}} -exclude_files: [".gz$"] -multiline: - pattern: "^\\s" - match: after -processors: - - add_locale: ~ - - add_fields: - target: '' - fields: - ecs.version: 1.5.0 \ No newline at end of file diff --git a/packages/system/0.10.5/data_stream/auth/elasticsearch/ingest_pipeline/default.json b/packages/system/0.10.5/data_stream/auth/elasticsearch/ingest_pipeline/default.json deleted file mode 100644 index 8df0a77e58..0000000000 --- a/packages/system/0.10.5/data_stream/auth/elasticsearch/ingest_pipeline/default.json +++ /dev/null 
@@ -1,121 +0,0 @@ -{ - "description": "Pipeline for parsing system authorisation/secure logs", - "processors": [ - { - "grok": { - "field": "message", - "ignore_missing": true, - "pattern_definitions" : { - "GREEDYMULTILINE" : "(.|\n)*", - "TIMESTAMP": "(?:%{TIMESTAMP_ISO8601}|%{SYSLOGTIMESTAMP})" - }, - "patterns": [ - "%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: %{DATA:system.auth.ssh.event} %{DATA:system.auth.ssh.method} for (invalid user )?%{DATA:user.name} from %{IPORHOST:source.ip} port %{NUMBER:source.port:long} ssh2(: %{GREEDYDATA:system.auth.ssh.signature})?", - "%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: %{DATA:system.auth.ssh.event} user %{DATA:user.name} from %{IPORHOST:source.ip}", - "%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: Did not receive identification string from %{IPORHOST:system.auth.ssh.dropped_ip}", - "%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: \\s*%{DATA:user.name} :( %{DATA:system.auth.sudo.error} ;)? TTY=%{DATA:system.auth.sudo.tty} ; PWD=%{DATA:system.auth.sudo.pwd} ; USER=%{DATA:system.auth.sudo.user} ; COMMAND=%{GREEDYDATA:system.auth.sudo.command}", - "%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: new group: name=%{DATA:group.name}, GID=%{NUMBER:group.id}", - "%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: new user: name=%{DATA:user.name}, UID=%{NUMBER:user.id}, GID=%{NUMBER:group.id}, home=%{DATA:system.auth.useradd.home}, shell=%{DATA:system.auth.useradd.shell}$", - "%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname}? 
%{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: %{GREEDYMULTILINE:system.auth.message}" - ] - } - }, - { - "remove": { - "field": "message" - } - }, - { - "rename": { - "field": "system.auth.message", - "target_field": "message", - "ignore_missing": true - } - }, - { - "set": { - "field": "source.ip", - "value": "{{system.auth.ssh.dropped_ip}}", - "if": "ctx.containsKey('system') && ctx.system.containsKey('auth') && ctx.system.auth.containsKey('ssh') && ctx.system.auth.ssh.containsKey('dropped_ip')" - } - }, - { - "date": { - "if": "ctx.event.timezone == null", - "field": "system.auth.timestamp", - "target_field": "@timestamp", - "formats": [ - "MMM d HH:mm:ss", - "MMM dd HH:mm:ss", - "ISO8601" - ], - "on_failure": [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] - } - }, - { - "date": { - "if": "ctx.event.timezone != null", - "field": "system.auth.timestamp", - "target_field": "@timestamp", - "formats": [ - "MMM d HH:mm:ss", - "MMM dd HH:mm:ss", - "ISO8601" - ], - "timezone": "{{ event.timezone }}", - "on_failure": [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] - } - }, - { - "remove": { - "field": "system.auth.timestamp" - } - }, - { - "geoip": { - "field": "source.ip", - "target_field": "source.geo", - "ignore_failure": true - } - }, - { - "geoip": { - "database_file": "GeoLite2-ASN.mmdb", - "field": "source.ip", - "target_field": "source.as", - "properties": [ - "asn", - "organization_name" - ], - "ignore_missing": true - } - }, - { - "rename": { - "field": "source.as.asn", - "target_field": "source.as.number", - "ignore_missing": true - } - }, - { - "rename": { - "field": "source.as.organization_name", - "target_field": "source.as.organization.name", - "ignore_missing": true - } - }, - { - "script": { - "lang": "painless", - "ignore_failure": true, - "source": "if (ctx.system.auth.ssh.event == \"Accepted\") { if (!ctx.containsKey(\"event\")) { ctx.event = [:]; } 
ctx.event.type = \"authentication_success\"; ctx.event.category = \"authentication\"; ctx.event.action = \"ssh_login\"; ctx.event.outcome = \"success\"; } else if (ctx.system.auth.ssh.event == \"Invalid\" || ctx.system.auth.ssh.event == \"Failed\") { if (!ctx.containsKey(\"event\")) { ctx.event = [:]; } ctx.event.type = \"authentication_failure\"; ctx.event.category = \"authentication\"; ctx.event.action = \"ssh_login\"; ctx.event.outcome = \"failure\"; }" - } - } - ], - "on_failure" : [{ - "set" : { - "field" : "error.message", - "value" : "{{ _ingest.on_failure_message }}" - } - }] -} diff --git a/packages/system/0.10.5/data_stream/auth/elasticsearch/ingest_pipeline/default.yml b/packages/system/0.10.5/data_stream/auth/elasticsearch/ingest_pipeline/default.yml deleted file mode 100644 index 9f7c43959d..0000000000 --- a/packages/system/0.10.5/data_stream/auth/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,146 +0,0 @@ ---- -description: Pipeline for parsing system authorisation/secure logs -processors: -- grok: - field: message - ignore_missing: true - pattern_definitions: - GREEDYMULTILINE: |- - (.| - )* - TIMESTAMP: (?:%{TIMESTAMP_ISO8601}|%{SYSLOGTIMESTAMP}) - patterns: - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - %{DATA:system.auth.ssh.event} %{DATA:system.auth.ssh.method} for (invalid user - )?%{DATA:user.name} from %{IPORHOST:source.ip} port %{NUMBER:source.port:long} - ssh2(: %{GREEDYDATA:system.auth.ssh.signature})?' - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - %{DATA:system.auth.ssh.event} user %{DATA:user.name} from %{IPORHOST:source.ip}' - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - Did not receive identification string from %{IPORHOST:system.auth.ssh.dropped_ip}' - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - \s*%{DATA:user.name} :( %{DATA:system.auth.sudo.error} ;)? TTY=%{DATA:system.auth.sudo.tty} - ; PWD=%{DATA:system.auth.sudo.pwd} ; USER=%{DATA:system.auth.sudo.user} ; COMMAND=%{GREEDYDATA:system.auth.sudo.command}' - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - new group: name=%{DATA:group.name}, GID=%{NUMBER:group.id}' - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - new user: name=%{DATA:user.name}, UID=%{NUMBER:user.id}, GID=%{NUMBER:group.id}, - home=%{DATA:system.auth.useradd.home}, shell=%{DATA:system.auth.useradd.shell}$' - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname}? 
%{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - %{GREEDYMULTILINE:system.auth.message}' -- remove: - field: message -- rename: - field: system.auth.message - target_field: message - ignore_missing: true -- set: - field: source.ip - value: '{{system.auth.ssh.dropped_ip}}' - if: "ctx?.system?.auth?.ssh?.dropped_ip != null" -- date: - if: ctx.event.timezone == null - field: system.auth.timestamp - target_field: '@timestamp' - formats: - - MMM d HH:mm:ss - - MMM dd HH:mm:ss - - ISO8601 - on_failure: - - append: - field: error.message - value: '{{ _ingest.on_failure_message }}' -- date: - if: ctx.event.timezone != null - field: system.auth.timestamp - target_field: '@timestamp' - formats: - - MMM d HH:mm:ss - - MMM dd HH:mm:ss - - ISO8601 - timezone: '{{ event.timezone }}' - on_failure: - - append: - field: error.message - value: '{{ _ingest.on_failure_message }}' -- remove: - field: system.auth.timestamp -- geoip: - field: source.ip - target_field: source.geo - ignore_failure: true -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true -- rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true -- rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true -- set: - field: event.kind - value: event -- script: - lang: painless - ignore_failure: true - source: >- - if (ctx.system.auth.ssh.event == "Accepted") { - ctx.event.type = ["authentication_success", "info"]; - ctx.event.category = ["authentication"]; - ctx.event.action = "ssh_login"; - ctx.event.outcome = "success"; - } else if (ctx.system.auth.ssh.event == "Invalid" || ctx.system.auth.ssh.event == "Failed") { - ctx.event.type = ["authentication_failure", "info"]; - ctx.event.category = ["authentication"]; - ctx.event.action = "ssh_login"; - ctx.event.outcome = "failure"; - } - -- append: - field: event.category - value: 
iam - if: "ctx?.process?.name != null && ['groupadd', 'groupdel', 'groupmod', 'useradd', 'userdel', 'usermod'].contains(ctx.process.name)" -- set: - field: event.outcome - value: success - if: "ctx?.process?.name != null && ['groupadd', 'groupdel', 'groupmod', 'useradd', 'userdel', 'usermod'].contains(ctx.process.name)" -- append: - field: event.type - value: user - if: "ctx?.process?.name != null && ['useradd', 'userdel', 'usermod'].contains(ctx.process.name)" -- append: - field: event.type - value: group - if: "ctx?.process?.name != null && ['groupadd', 'groupdel', 'groupmod'].contains(ctx.process.name)" -- append: - field: event.type - value: creation - if: "ctx?.process?.name != null && ['useradd', 'groupadd'].contains(ctx.process.name)" -- append: - field: event.type - value: deletion - if: "ctx?.process?.name != null && ['userdel', 'groupdel'].contains(ctx.process.name)" -- append: - field: event.type - value: change - if: "ctx?.process?.name != null && ['usermod', 'groupmod'].contains(ctx.process.name)" -- append: - field: related.user - value: "{{user.name}}" - if: "ctx?.user?.name != null" -- append: - field: related.ip - value: "{{source.ip}}" - if: "ctx?.source?.ip != null" -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/system/0.10.5/data_stream/auth/fields/agent.yml b/packages/system/0.10.5/data_stream/auth/fields/agent.yml deleted file mode 100644 index da4e652c53..0000000000 --- a/packages/system/0.10.5/data_stream/auth/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.10.5/data_stream/auth/fields/base-fields.yml b/packages/system/0.10.5/data_stream/auth/fields/base-fields.yml deleted file mode 100644 index 7c798f4534..0000000000 --- a/packages/system/0.10.5/data_stream/auth/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.10.5/data_stream/auth/fields/ecs.yml b/packages/system/0.10.5/data_stream/auth/fields/ecs.yml deleted file mode 100644 index 3bf40ac7d1..0000000000 --- a/packages/system/0.10.5/data_stream/auth/fields/ecs.yml +++ /dev/null 
@@ -1,205 +0,0 @@ -- name: '@timestamp' - level: core - required: true - type: date - description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. -- name: message - level: core - type: text - description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. -- name: group - title: Group - group: 2 - type: group - fields: - - name: id - level: extended - type: keyword - description: Unique identifier for the group on the system/platform. - ignore_above: 1024 - - name: name - level: extended - type: keyword - description: Name of the group. - ignore_above: 1024 -- name: host - title: Host - group: 2 - type: group - fields: - - name: hostname - level: core - type: keyword - description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - ignore_above: 1024 -- name: process - title: Process - group: 2 - type: group - fields: - - name: name - level: extended - type: keyword - description: |- - Process name. - Sometimes called program name or similar. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - - name: pid - level: core - type: long - format: string - description: Process id. -- name: source - title: Source - group: 2 - type: group - fields: - - name: geo.city_name - level: core - type: keyword - description: City name. 
- ignore_above: 1024 - - name: geo.continent_name - level: core - type: keyword - description: Name of the continent. - ignore_above: 1024 - - name: geo.country_iso_code - level: core - type: keyword - description: Country ISO code. - ignore_above: 1024 - - name: geo.location - level: core - type: geo_point - description: Longitude and latitude. - - name: geo.region_iso_code - level: core - type: keyword - description: Region ISO code. - ignore_above: 1024 - - name: geo.region_name - level: core - type: keyword - description: Region name. - ignore_above: 1024 - - name: ip - level: core - type: ip - description: IP address of the source (IPv4 or IPv6). - - name: port - level: core - type: long - format: string - description: Port of the source. -- name: user - title: User - group: 2 - type: group - fields: - - name: id - level: core - type: keyword - description: Unique identifier of the user. - ignore_above: 1024 - - name: name - level: core - type: keyword - description: Short name or login of the user. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false -- description: "Operating system architecture." - ignore_above: 1024 - name: host.architecture - type: keyword -- description: "Name of the directory the group is a member of." - ignore_above: 1024 - name: host.domain - type: keyword -- description: "Hostname of the host." - ignore_above: 1024 - name: host.hostname - type: keyword -- description: "Unique host id." - ignore_above: 1024 - name: host.id - type: keyword -- description: "Host ip addresses." - name: host.ip - type: ip -- description: "Host mac addresses." - ignore_above: 1024 - name: host.mac - type: keyword -- description: "Name of the host." - ignore_above: 1024 - name: host.name - type: keyword -- description: "OS family (such as redhat, debian, freebsd, windows)." - ignore_above: 1024 - name: host.os.family - type: keyword -- description: "Operating system name, including the version or code name." 
- ignore_above: 1024 - multi_fields: - - name: text - norms: false - type: text - name: host.os.full - type: keyword -- description: "Operating system kernel version as a raw string." - ignore_above: 1024 - name: host.os.kernel - type: keyword -- description: "Operating system name, without the version." - ignore_above: 1024 - multi_fields: - - name: text - norms: false - type: text - name: host.os.name - type: keyword -- description: "Operating system platform (such centos, ubuntu, windows)." - ignore_above: 1024 - name: host.os.platform - type: keyword -- description: "Operating system version as a raw string." - ignore_above: 1024 - name: version - type: keyword -- name: error.message - type: text - description: Error message. -- name: related.ip - type: ip - description: All of the IPs seen on your event. -- name: related.user - type: keyword - description: All the user names seen on your event. -- name: source.as.number - type: long - description: Unique number allocated to the autonomous system. -- name: source.as.organization.name - type: keyword - description: Organization name. -- name: source.geo.country_name - type: keyword - description: Country name. diff --git a/packages/system/0.10.5/data_stream/auth/fields/fields.yml b/packages/system/0.10.5/data_stream/auth/fields/fields.yml deleted file mode 100644 index 1e7b044f02..0000000000 --- a/packages/system/0.10.5/data_stream/auth/fields/fields.yml +++ /dev/null 
@@ -1,58 +0,0 @@ -- name: system.auth - type: group - fields: - - name: ssh - type: group - fields: - - name: method - type: keyword - description: | - The SSH authentication method. Can be one of "password" or "publickey". - - name: signature - type: keyword - description: | - The signature of the client public key. - - name: dropped_ip - type: ip - description: | - The client IP from SSH connections that are open and immediately dropped. - - name: event - type: keyword - description: | - The SSH event as found in the logs (Accepted, Invalid, Failed, etc.) - - name: geoip - type: group - - name: sudo - type: group - fields: - - name: error - type: keyword - description: | - The error message in case the sudo command failed. - - name: tty - type: keyword - description: | - The TTY where the sudo command is executed. - - name: pwd - type: keyword - description: | - The current directory where the sudo command is executed. - - name: user - type: keyword - description: | - The target user to which the sudo command is switching. - - name: command - type: keyword - description: | - The command executed via sudo. - - name: useradd - type: group - fields: - - name: home - type: keyword - description: The home folder for the new user. - - name: shell - type: keyword - description: The default shell for the new user. - - name: groupadd - type: group diff --git a/packages/system/0.10.5/data_stream/auth/manifest.yml b/packages/system/0.10.5/data_stream/auth/manifest.yml deleted file mode 100644 index 428764ece1..0000000000 --- a/packages/system/0.10.5/data_stream/auth/manifest.yml +++ /dev/null @@ -1,18 +0,0 @@ -title: System auth logs -release: experimental -type: logs -streams: - - input: logfile - vars: - - name: paths - type: text - title: Paths - multi: true - required: true - show_user: true - default: - - /var/log/auth.log* - - /var/log/secure* - template_path: log.yml.hbs - title: System auth logs (log) - description: Collect System auth logs using log input 
diff --git a/packages/system/0.10.5/data_stream/core/agent/stream/stream.yml.hbs b/packages/system/0.10.5/data_stream/core/agent/stream/stream.yml.hbs deleted file mode 100644 index 38d25572bd..0000000000 --- a/packages/system/0.10.5/data_stream/core/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,5 +0,0 @@ -metricsets: ["core"] -core.metrics: -{{#each core.metrics}} - - {{this}} -{{/each}} diff --git a/packages/system/0.10.5/data_stream/core/fields/agent.yml b/packages/system/0.10.5/data_stream/core/fields/agent.yml deleted file mode 100644 index da4e652c53..0000000000 --- a/packages/system/0.10.5/data_stream/core/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.10.5/data_stream/core/fields/base-fields.yml b/packages/system/0.10.5/data_stream/core/fields/base-fields.yml deleted file mode 100644 index 7c798f4534..0000000000 --- a/packages/system/0.10.5/data_stream/core/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.10.5/data_stream/core/fields/ecs.yml b/packages/system/0.10.5/data_stream/core/fields/ecs.yml deleted file mode 100644 index e76a78fa1d..0000000000 --- a/packages/system/0.10.5/data_stream/core/fields/ecs.yml +++ /dev/null 
@@ -1,71 +0,0 @@
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: ip
- level: core
- type: ip
- description: Host ip address.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac address.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.full
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system name, including the version or code name.
- example: Mac OS Mojave
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: Type of host.
diff --git a/packages/system/0.10.5/data_stream/core/fields/fields.yml b/packages/system/0.10.5/data_stream/core/fields/fields.yml
deleted file mode 100644
index dab186321f..0000000000
--- a/packages/system/0.10.5/data_stream/core/fields/fields.yml
+++ /dev/null
@@ -1,103 +0,0 @@
-- name: system.core
- type: group
- fields:
- - name: id
- type: keyword
- description: |
- CPU Core number.
- - name: user.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in user space.
- - name: user.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent in user space.
- - name: system.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in kernel space.
- - name: system.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent in kernel space.
- - name: nice.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent on low-priority processes.
- - name: nice.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent on low-priority processes.
- - name: idle.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent idle.
- - name: idle.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent idle.
- - name: iowait.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in wait (on disk).
- - name: iowait.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent in wait (on disk).
- - name: irq.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent servicing and handling hardware interrupts.
- - name: irq.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent servicing and handling hardware interrupts.
- - name: softirq.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent servicing and handling software interrupts.
- - name: softirq.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent servicing and handling software interrupts.
- - name: steal.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.
- - name: steal.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.
diff --git a/packages/system/0.10.5/data_stream/core/manifest.yml b/packages/system/0.10.5/data_stream/core/manifest.yml
deleted file mode 100644
index f7e0e5a825..0000000000
--- a/packages/system/0.10.5/data_stream/core/manifest.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-title: System core metrics
-release: experimental
-type: metrics
-streams:
- - input: system/metrics
- enabled: false
- vars:
- - name: period
- type: text
- title: Period
- multi: false
- required: true
- show_user: true
- default: 10s
- - name: core.metrics
- type: text
- title: Core Metrics
- multi: true
- required: true
- show_user: true
- description: >
- How to report core metrics. Can be "percentages" or "ticks"
-
- default:
- - percentages
- title: System core metrics
- description: Collect System core metrics
diff --git a/packages/system/0.10.5/data_stream/cpu/agent/stream/stream.yml.hbs b/packages/system/0.10.5/data_stream/cpu/agent/stream/stream.yml.hbs
deleted file mode 100644
index cd0de8d3d9..0000000000
--- a/packages/system/0.10.5/data_stream/cpu/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,6 +0,0 @@
-metricsets: ["cpu"]
-cpu.metrics:
-{{#each cpu.metrics}}
- - {{this}}
-{{/each}}
-period: {{period}}
\ No newline at end of file
diff --git a/packages/system/0.10.5/data_stream/cpu/fields/agent.yml b/packages/system/0.10.5/data_stream/cpu/fields/agent.yml
deleted file mode 100644
index da4e652c53..0000000000
--- a/packages/system/0.10.5/data_stream/cpu/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/system/0.10.5/data_stream/cpu/fields/base-fields.yml b/packages/system/0.10.5/data_stream/cpu/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.10.5/data_stream/cpu/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.10.5/data_stream/cpu/fields/ecs.yml b/packages/system/0.10.5/data_stream/cpu/fields/ecs.yml
deleted file mode 100644
index e76a78fa1d..0000000000
--- a/packages/system/0.10.5/data_stream/cpu/fields/ecs.yml
+++ /dev/null
@@ -1,71 +0,0 @@
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: ip
- level: core
- type: ip
- description: Host ip address.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac address.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.full
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system name, including the version or code name.
- example: Mac OS Mojave
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: Type of host.
diff --git a/packages/system/0.10.5/data_stream/cpu/fields/fields.yml b/packages/system/0.10.5/data_stream/cpu/fields/fields.yml
deleted file mode 100644
index 9efed64c2d..0000000000
--- a/packages/system/0.10.5/data_stream/cpu/fields/fields.yml
+++ /dev/null
@@ -1,182 +0,0 @@
-- name: system.cpu
- type: group
- fields:
- - name: cores
- type: long
- metric_type: gauge
- description: |
- The number of CPU cores present on the host. The non-normalized percentages will have a maximum value of `100% * cores`. The normalized percentages already take this value into account and have a maximum value of 100%.
- - name: user.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in user space. On multi-core systems, you can have percentages that are greater than 100%. For example, if 3 cores are at 60% use, then the `system.cpu.user.pct` will be 180%.
- - name: system.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in kernel space.
- - name: nice.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent on low-priority processes.
- - name: idle.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent idle.
- - name: iowait.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in wait (on disk).
- - name: irq.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent servicing and handling hardware interrupts.
- - name: softirq.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent servicing and handling software interrupts.
- - name: steal.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.
- - name: total.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in states other than Idle and IOWait.
- - name: user.norm.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in user space.
- - name: system.norm.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in kernel space.
- - name: nice.norm.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent on low-priority processes.
- - name: idle.norm.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent idle.
- - name: iowait.norm.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in wait (on disk).
- - name: irq.norm.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent servicing and handling hardware interrupts.
- - name: softirq.norm.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent servicing and handling software interrupts.
- - name: steal.norm.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.
- - name: total.norm.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time in states other than Idle and IOWait, normalised by the number of cores.
- - name: user.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent in user space.
- - name: system.ticks
- type: long
- description: |
- The amount of CPU time spent in kernel space.
- - name: nice.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent on low-priority processes.
- - name: idle.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent idle.
- - name: iowait.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent in wait (on disk).
- - name: irq.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent servicing and handling hardware interrupts.
- - name: softirq.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent servicing and handling software interrupts.
- - name: steal.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.
-- name: host
- type: group
- fields:
- - name: cpu.pct
- type: scaled_float
- unit: percent
- metric_type: gauge
- description: |
- Percent CPU used. This value is normalized by the number of CPU cores and it ranges from 0 to 1.
diff --git a/packages/system/0.10.5/data_stream/cpu/manifest.yml b/packages/system/0.10.5/data_stream/cpu/manifest.yml
deleted file mode 100644
index 0388136d11..0000000000
--- a/packages/system/0.10.5/data_stream/cpu/manifest.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-title: System cpu metrics
-release: experimental
-type: metrics
-streams:
- - input: system/metrics
- vars:
- - name: period
- type: text
- title: Period
- multi: false
- required: true
- show_user: true
- default: 10s
- - name: cpu.metrics
- type: text
- title: Cpu Metrics
- multi: true
- required: true
- show_user: true
- description: >
- How to report CPU metrics. Can be "percentages", "normalized_percentages", or "ticks"
-
- default:
- - percentages
- - normalized_percentages
- title: System cpu metrics
- description: Collect System cpu metrics
diff --git a/packages/system/0.10.5/data_stream/diskio/agent/stream/stream.yml.hbs b/packages/system/0.10.5/data_stream/diskio/agent/stream/stream.yml.hbs
deleted file mode 100644
index 689369ee25..0000000000
--- a/packages/system/0.10.5/data_stream/diskio/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,6 +0,0 @@
-metricsets: ["diskio"]
-diskio.include_devices:
-{{#each diskio.include_devices}}
- - {{this}}
-{{/each}}
-period: {{period}}
\ No newline at end of file
diff --git a/packages/system/0.10.5/data_stream/diskio/fields/agent.yml b/packages/system/0.10.5/data_stream/diskio/fields/agent.yml
deleted file mode 100644
index da4e652c53..0000000000
--- a/packages/system/0.10.5/data_stream/diskio/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/system/0.10.5/data_stream/diskio/fields/base-fields.yml b/packages/system/0.10.5/data_stream/diskio/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.10.5/data_stream/diskio/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.10.5/data_stream/diskio/fields/ecs.yml b/packages/system/0.10.5/data_stream/diskio/fields/ecs.yml
deleted file mode 100644
index 9a7eeefc56..0000000000
--- a/packages/system/0.10.5/data_stream/diskio/fields/ecs.yml
+++ /dev/null
@@ -1,78 +0,0 @@
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: ip
- level: core
- type: ip
- description: Host ip address.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac address.
- - name: hostname
- level: core
- type: keyword
- description: |-
- Hostname of the host.
- It normally contains what the `hostname` command returns on the host machine.
- ignore_above: 1024
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.full
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system name, including the version or code name.
- example: Mac OS Mojave
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: Type of host.
diff --git a/packages/system/0.10.5/data_stream/diskio/fields/fields.yml b/packages/system/0.10.5/data_stream/diskio/fields/fields.yml
deleted file mode 100644
index 01a5762c60..0000000000
--- a/packages/system/0.10.5/data_stream/diskio/fields/fields.yml
+++ /dev/null
@@ -1,136 +0,0 @@ -- name: system.diskio - type: group - fields: - - name: name - type: keyword - description: | - The disk name. - - name: serial_number - type: keyword - description: | - The disk's serial number. This may not be provided by all operating systems. - - name: read.count - type: long - metric_type: counter - description: | - The total number of reads completed successfully. - - name: write.count - type: long - metric_type: counter - description: | - The total number of writes completed successfully. - - name: read.bytes - type: long - format: bytes - unit: byte - metric_type: counter - description: | - The total number of bytes read successfully. On Linux this is the number of sectors read multiplied by an assumed sector size of 512. - - name: write.bytes - type: long - format: bytes - unit: byte - metric_type: counter - description: | - The total number of bytes written successfully. On Linux this is the number of sectors written multiplied by an assumed sector size of 512. - - name: read.time - type: long - metric_type: counter - description: | - The total number of milliseconds spent by all reads. - - name: write.time - type: long - metric_type: counter - description: | - The total number of milliseconds spent by all writes. - - name: io.time - type: long - metric_type: counter - description: | - The total number of of milliseconds spent doing I/Os. - - name: iostat.read.request.merges_per_sec - type: float - metric_type: gauge - description: | - The number of read requests merged per second that were queued to the device. - - name: iostat.write.request.merges_per_sec - type: float - metric_type: gauge - description: | - The number of write requests merged per second that were queued to the device. 
- - name: iostat.read.request.per_sec - type: float - metric_type: gauge - description: | - The number of read requests that were issued to the device per second - - name: iostat.write.request.per_sec - type: float - metric_type: gauge - description: | - The number of write requests that were issued to the device per second - - name: iostat.read.per_sec.bytes - type: float - format: bytes - metric_type: gauge - description: | - The number of Bytes read from the device per second. - - name: iostat.read.await - type: float - metric_type: gauge - description: | - The average time spent for read requests issued to the device to be served. - - name: iostat.write.per_sec.bytes - type: float - format: bytes - metric_type: gauge - description: | - The number of Bytes write from the device per second. - - name: iostat.write.await - type: float - metric_type: gauge - description: | - The average time spent for write requests issued to the device to be served. - - name: iostat.request.avg_size - type: float - format: bytes - unit: byte - metric_type: gauge - description: | - The average size (in bytes) of the requests that were issued to the device. - - name: iostat.queue.avg_size - type: float - unit: byte - metric_type: gauge - description: | - The average queue length of the requests that were issued to the device. - - name: iostat.await - type: float - metric_type: gauge - description: | - The average time spent for requests issued to the device to be served. - - name: iostat.service_time - type: float - unit: ms - metric_type: gauge - description: | - The average service time (in milliseconds) for I/O requests that were issued to the device. - - name: iostat.busy - type: float - metric_type: gauge - description: | - Percentage of CPU time during which I/O requests were issued to the device (bandwidth utilization for the device). Device saturation occurs when this value is close to 100%. 
-- name: host - type: group - fields: - - name: disk.read.bytes - type: scaled_float - unit: byte - metric_type: gauge - description: | - The total number of bytes read successfully in a given period of time. - - name: disk.write.bytes - type: scaled_float - unit: byte - metric_type: gauge - description: | - The total number of bytes write successfully in a given period of time. diff --git a/packages/system/0.10.5/data_stream/diskio/manifest.yml b/packages/system/0.10.5/data_stream/diskio/manifest.yml deleted file mode 100644 index 320f708bef..0000000000 --- a/packages/system/0.10.5/data_stream/diskio/manifest.yml +++ /dev/null @@ -1,24 +0,0 @@ -title: System diskio metrics -release: experimental -type: metrics -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - - name: diskio.include_devices - type: text - title: Include Devices - multi: true - required: false - show_user: true - description: > - Provide a specific list of devices to monitor. By default, all devices are monitored. - - title: System diskio metrics - description: Collect System diskio metrics diff --git a/packages/system/0.10.5/data_stream/filesystem/agent/stream/stream.yml.hbs b/packages/system/0.10.5/data_stream/filesystem/agent/stream/stream.yml.hbs deleted file mode 100644 index d21fbd9919..0000000000 --- a/packages/system/0.10.5/data_stream/filesystem/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,3 +0,0 @@ -metricsets: ["filesystem"] -period: {{period}} -processors: {{processors}} diff --git a/packages/system/0.10.5/data_stream/filesystem/fields/agent.yml b/packages/system/0.10.5/data_stream/filesystem/fields/agent.yml deleted file mode 100644 index da4e652c53..0000000000 --- a/packages/system/0.10.5/data_stream/filesystem/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.10.5/data_stream/filesystem/fields/base-fields.yml b/packages/system/0.10.5/data_stream/filesystem/fields/base-fields.yml deleted file mode 100644 index 7c798f4534..0000000000 --- a/packages/system/0.10.5/data_stream/filesystem/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.10.5/data_stream/filesystem/fields/fields.yml b/packages/system/0.10.5/data_stream/filesystem/fields/fields.yml deleted file mode 100644 index d7b44199a8..0000000000 --- a/packages/system/0.10.5/data_stream/filesystem/fields/fields.yml +++ /dev/null 
@@ -1,60 +0,0 @@ -- name: system.filesystem - type: group - fields: - - name: available - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The disk space available to an unprivileged user in bytes. - - name: device_name - type: keyword - description: | - The disk name. For example: `/dev/disk1` - - name: type - type: keyword - description: | - The disk type. For example: `ext4` - - name: mount_point - type: keyword - description: | - The mounting point. For example: `/` - - name: files - type: long - metric_type: gauge - description: | - The total number of file nodes in the file system. - - name: free - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The disk space available in bytes. - - name: free_files - type: long - metric_type: gauge - description: | - The number of free file nodes in the file system. - - name: total - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The total disk space in bytes. - - name: used.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The used disk space in bytes. - - name: used.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of used disk space. diff --git a/packages/system/0.10.5/data_stream/filesystem/manifest.yml b/packages/system/0.10.5/data_stream/filesystem/manifest.yml deleted file mode 100644 index 2cc3f159a7..0000000000 --- a/packages/system/0.10.5/data_stream/filesystem/manifest.yml +++ /dev/null 
@@ -1,28 +0,0 @@ -title: System filesystem metrics -release: experimental -type: metrics -streams: - - input: system/metrics - enabled: true - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 1m - - name: processors - type: yaml - title: Processors - multi: false - required: true - show_user: true - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with external metadata. - - default: | - - drop_event.when.regexp: - system.filesystem.mount_point: ^/(sys|cgroup|proc|dev|etc|host|lib|snap)($|/) - title: System filesystem metrics - description: Collect System filesystem metrics diff --git a/packages/system/0.10.5/data_stream/fsstat/agent/stream/stream.yml.hbs b/packages/system/0.10.5/data_stream/fsstat/agent/stream/stream.yml.hbs deleted file mode 100644 index fc5ebe911d..0000000000 --- a/packages/system/0.10.5/data_stream/fsstat/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,3 +0,0 @@ -metricsets: ["fsstat"] -period: {{period}} -processors: {{processors}} diff --git a/packages/system/0.10.5/data_stream/fsstat/fields/agent.yml b/packages/system/0.10.5/data_stream/fsstat/fields/agent.yml deleted file mode 100644 index da4e652c53..0000000000 --- a/packages/system/0.10.5/data_stream/fsstat/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.10.5/data_stream/fsstat/fields/base-fields.yml b/packages/system/0.10.5/data_stream/fsstat/fields/base-fields.yml deleted file mode 100644 index 7c798f4534..0000000000 --- a/packages/system/0.10.5/data_stream/fsstat/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.10.5/data_stream/fsstat/fields/ecs.yml b/packages/system/0.10.5/data_stream/fsstat/fields/ecs.yml deleted file mode 100644 index e76a78fa1d..0000000000 --- a/packages/system/0.10.5/data_stream/fsstat/fields/ecs.yml +++ /dev/null 
@@ -1,71 +0,0 @@ -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. 
- example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: Type of host. diff --git a/packages/system/0.10.5/data_stream/fsstat/fields/fields.yml b/packages/system/0.10.5/data_stream/fsstat/fields/fields.yml deleted file mode 100644 index aab998a85d..0000000000 --- a/packages/system/0.10.5/data_stream/fsstat/fields/fields.yml +++ /dev/null @@ -1,38 +0,0 @@ -- name: system.fsstat - type: group - fields: - - name: count - type: long - metric_type: gauge - description: Number of file systems found. - - name: total_files - type: long - metric_type: gauge - description: Total number of files. - - name: total_size - type: group - format: bytes - unit: byte - metric_type: gauge - fields: - - name: free - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total free space. - - name: used - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total used space. - - name: total - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total space (used plus free). diff --git a/packages/system/0.10.5/data_stream/fsstat/manifest.yml b/packages/system/0.10.5/data_stream/fsstat/manifest.yml deleted file mode 100644 index 8e63d20df1..0000000000 --- a/packages/system/0.10.5/data_stream/fsstat/manifest.yml +++ /dev/null 
@@ -1,28 +0,0 @@ -title: System fsstat metrics -release: experimental -type: metrics -streams: - - input: system/metrics - enabled: true - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 1m - - name: processors - type: yaml - title: Processors - multi: false - required: true - show_user: true - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with external metadata. - - default: | - - drop_event.when.regexp: - system.fsstat.mount_point: ^/(sys|cgroup|proc|dev|etc|host|lib|snap)($|/) - title: System fsstat metrics - description: Collect System fsstat metrics diff --git a/packages/system/0.10.5/data_stream/load/agent/stream/stream.yml.hbs b/packages/system/0.10.5/data_stream/load/agent/stream/stream.yml.hbs deleted file mode 100644 index b1403687c4..0000000000 --- a/packages/system/0.10.5/data_stream/load/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,3 +0,0 @@ -metricsets: ["load"] -condition: ${host.platform} != 'windows' -period: {{period}} \ No newline at end of file diff --git a/packages/system/0.10.5/data_stream/load/fields/agent.yml b/packages/system/0.10.5/data_stream/load/fields/agent.yml deleted file mode 100644 index da4e652c53..0000000000 --- a/packages/system/0.10.5/data_stream/load/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.10.5/data_stream/load/fields/base-fields.yml b/packages/system/0.10.5/data_stream/load/fields/base-fields.yml deleted file mode 100644 index 7c798f4534..0000000000 --- a/packages/system/0.10.5/data_stream/load/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.10.5/data_stream/load/fields/ecs.yml b/packages/system/0.10.5/data_stream/load/fields/ecs.yml deleted file mode 100644 index e76a78fa1d..0000000000 --- a/packages/system/0.10.5/data_stream/load/fields/ecs.yml +++ /dev/null 
@@ -1,71 +0,0 @@
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: ip
- level: core
- type: ip
- description: Host ip address.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac address.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.full
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system name, including the version or code name.
- example: Mac OS Mojave
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: Type of host.
diff --git a/packages/system/0.10.5/data_stream/load/fields/fields.yml b/packages/system/0.10.5/data_stream/load/fields/fields.yml
deleted file mode 100644
index ae0130faef..0000000000
--- a/packages/system/0.10.5/data_stream/load/fields/fields.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-- name: system.load
- type: group
- fields:
- - name: "1"
- type: scaled_float
- metric_type: gauge
- description: |
- Load average for the last minute.
- - name: "5"
- type: scaled_float
- metric_type: gauge
- description: |
- Load average for the last 5 minutes.
- - name: "15"
- type: scaled_float
- metric_type: gauge
- description: |
- Load average for the last 15 minutes.
- - name: norm.1
- type: scaled_float
- metric_type: gauge
- description: |
- Load for the last minute divided by the number of cores.
- - name: norm.5
- type: scaled_float
- metric_type: gauge
- description: |
- Load for the last 5 minutes divided by the number of cores.
- - name: norm.15
- type: scaled_float
- metric_type: gauge
- description: |
- Load for the last 15 minutes divided by the number of cores.
- - name: cores
- type: long
- metric_type: gauge
- description: |
- The number of CPU cores present on the host.
diff --git a/packages/system/0.10.5/data_stream/load/manifest.yml b/packages/system/0.10.5/data_stream/load/manifest.yml
deleted file mode 100644
index 486e57b779..0000000000
--- a/packages/system/0.10.5/data_stream/load/manifest.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-title: System load metrics
-release: experimental
-type: metrics
-streams:
- - input: system/metrics
- vars:
- - name: period
- type: text
- title: Period
- multi: false
- required: true
- show_user: true
- default: 10s
- title: System load metrics
- description: Collect System load metrics
diff --git a/packages/system/0.10.5/data_stream/memory/agent/stream/stream.yml.hbs b/packages/system/0.10.5/data_stream/memory/agent/stream/stream.yml.hbs
deleted file mode 100644
index 0d49de061f..0000000000
--- a/packages/system/0.10.5/data_stream/memory/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,2 +0,0 @@
-metricsets: ["memory"]
-period: {{period}}
\ No newline at end of file
diff --git a/packages/system/0.10.5/data_stream/memory/fields/agent.yml b/packages/system/0.10.5/data_stream/memory/fields/agent.yml
deleted file mode 100644
index da4e652c53..0000000000
--- a/packages/system/0.10.5/data_stream/memory/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/system/0.10.5/data_stream/memory/fields/base-fields.yml b/packages/system/0.10.5/data_stream/memory/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.10.5/data_stream/memory/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.10.5/data_stream/memory/fields/ecs.yml b/packages/system/0.10.5/data_stream/memory/fields/ecs.yml
deleted file mode 100644
index e76a78fa1d..0000000000
--- a/packages/system/0.10.5/data_stream/memory/fields/ecs.yml
+++ /dev/null
@@ -1,71 +0,0 @@
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: ip
- level: core
- type: ip
- description: Host ip address.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac address.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.full
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system name, including the version or code name.
- example: Mac OS Mojave
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: Type of host.
diff --git a/packages/system/0.10.5/data_stream/memory/fields/fields.yml b/packages/system/0.10.5/data_stream/memory/fields/fields.yml
deleted file mode 100644
index 55488d61eb..0000000000
--- a/packages/system/0.10.5/data_stream/memory/fields/fields.yml
+++ /dev/null
@@ -1,199 +0,0 @@
-- name: system.memory
- type: group
- fields:
- - name: total
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Total memory.
- - name: used.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Used memory.
- - name: free
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- The total amount of free memory in bytes. This value does not include memory consumed by system caches and buffers (see system.memory.actual.free).
- - name: used.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of used memory.
- - name: actual
- type: group
- fields:
- - name: used.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Actual used memory in bytes. It represents the difference between the total and the available memory. The available memory depends on the OS. For more details, please check `system.actual.free`.
- - name: free
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Actual free memory in bytes. It is calculated based on the OS. On Linux this value will be MemAvailable from /proc/meminfo, or calculated from free memory plus caches and buffers if /proc/meminfo is not available. On OSX it is a sum of free memory and the inactive memory. On Windows, it is equal to `system.memory.free`.
- - name: used.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of actual used memory.
- - name: swap
- type: group
- fields:
- - name: total
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Total swap memory.
- - name: used.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Used swap memory.
- - name: free
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Available swap memory.
- - name: out.pages
- type: long
- metric_type: counter
- description: count of pages swapped out
- - name: in.pages
- type: long
- metric_type: gauge
- description: count of pages swapped in
- - name: readahead.pages
- type: long
- metric_type: counter
- description: swap readahead pages
- - name: readahead.cached
- type: long
- description: swap readahead cache hits
- - name: used.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of used swap memory.
- - name: page_stats
- type: group
- fields:
- - name: pgscan_kswapd.pages
- type: long
- format: number
- metric_type: counter
- description: pages scanned by kswapd
- - name: pgscan_direct.pages
- type: long
- format: number
- metric_type: counter
- description: pages scanned directly
- - name: pgfree.pages
- type: long
- format: number
- metric_type: counter
- description: pages freed by the system
- - name: pgsteal_kswapd.pages
- type: long
- format: number
- metric_type: counter
- description: number of pages reclaimed by kswapd
- - name: pgsteal_direct.pages
- type: long
- format: number
- metric_type: counter
- description: number of pages reclaimed directly
- - name: direct_efficiency.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: direct reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory.
- - name: kswapd_efficiency.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: kswapd reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory.
- - name: hugepages
- type: group
- fields:
- - name: total
- type: long
- format: number
- metric_type: gauge
- description: |
- Number of huge pages in the pool.
- - name: used.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Memory used in allocated huge pages.
- - name: used.pct
- type: long
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- Percentage of huge pages used.
- - name: free
- type: long
- format: number
- metric_type: gauge
- description: |
- Number of available huge pages in the pool.
- - name: reserved
- type: long
- format: number
- metric_type: gauge
- description: |
- Number of reserved but not allocated huge pages in the pool.
- - name: surplus
- type: long
- format: number
- metric_type: gauge
- description: |
- Number of overcommited huge pages.
- - name: default_size
- type: long
- format: bytes
- metric_type: gauge
- description: |
- Default size for huge pages.
- - name: swap.out
- type: group
- fields:
- - name: pages
- type: long
- metric_type: gauge
- description: pages swapped out
- - name: fallback
- type: long
- metric_type: gauge
- description: Count of huge pages that must be split before swapout
diff --git a/packages/system/0.10.5/data_stream/memory/manifest.yml b/packages/system/0.10.5/data_stream/memory/manifest.yml
deleted file mode 100644
index aeb17b0bd0..0000000000
--- a/packages/system/0.10.5/data_stream/memory/manifest.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-title: System memory metrics
-release: experimental
-type: metrics
-streams:
- - input: system/metrics
- vars:
- - name: period
- type: text
- title: Period
- multi: false
- required: true
- show_user: true
- default: 10s
- title: System memory metrics
- description: Collect System memory metrics
diff --git a/packages/system/0.10.5/data_stream/network/agent/stream/stream.yml.hbs b/packages/system/0.10.5/data_stream/network/agent/stream/stream.yml.hbs
deleted file mode 100644
index a3aeb928ae..0000000000
--- a/packages/system/0.10.5/data_stream/network/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,6 +0,0 @@
-metricsets: ["network"]
-period: {{period}}
-network.interfaces:
-{{#each network.interfaces}}
- - {{this}}
-{{/each}}
diff --git a/packages/system/0.10.5/data_stream/network/fields/agent.yml b/packages/system/0.10.5/data_stream/network/fields/agent.yml
deleted file mode 100644
index da4e652c53..0000000000
--- a/packages/system/0.10.5/data_stream/network/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/system/0.10.5/data_stream/network/fields/base-fields.yml b/packages/system/0.10.5/data_stream/network/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.10.5/data_stream/network/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.10.5/data_stream/network/fields/ecs.yml b/packages/system/0.10.5/data_stream/network/fields/ecs.yml
deleted file mode 100644
index 9f3d04118b..0000000000
--- a/packages/system/0.10.5/data_stream/network/fields/ecs.yml
+++ /dev/null
@@ -1,128 +0,0 @@
-- name: '@timestamp'
- level: core
- required: true
- type: date
- description: |-
- Date/time when the event originated.
- This is the date/time extracted from the event, typically representing when the event was generated by the source.
- If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline.
- Required field for all events.
-- name: message
- level: core
- type: text
- description: |-
- For log events the message field contains the log message, optimized for viewing in a log viewer.
- For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
- If multiple messages exist, they can be combined into one message.
-- name: group
- title: Group
- group: 2
- type: group
- fields:
- - name: id
- level: extended
- type: keyword
- description: Unique identifier for the group on the system/platform.
- ignore_above: 1024
- - name: name
- level: extended
- type: keyword
- description: Name of the group.
- ignore_above: 1024
-- name: host
- title: Host
- group: 2
- type: group
- fields:
- - name: hostname
- level: core
- type: keyword
- description: |-
- Hostname of the host.
- It normally contains what the `hostname` command returns on the host machine.
- ignore_above: 1024
-- name: process
- title: Process
- group: 2
- type: group
- fields:
- - name: name
- level: extended
- type: keyword
- description: |-
- Process name.
- Sometimes called program name or similar.
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- - name: pid
- level: core
- type: long
- format: string
- description: Process id.
-- name: source
- title: Source
- group: 2
- type: group
- fields:
- - name: geo.city_name
- level: core
- type: keyword
- description: City name.
- ignore_above: 1024
- - name: geo.continent_name
- level: core
- type: keyword
- description: Name of the continent.
- ignore_above: 1024
- - name: geo.country_iso_code
- level: core
- type: keyword
- description: Country ISO code.
- ignore_above: 1024
- - name: geo.location
- level: core
- type: geo_point
- description: Longitude and latitude.
- - name: geo.region_iso_code
- level: core
- type: keyword
- description: Region ISO code.
- ignore_above: 1024
- - name: geo.region_name
- level: core
- type: keyword
- description: Region name.
- ignore_above: 1024
- - name: ip
- level: core
- type: ip
- description: IP address of the source (IPv4 or IPv6).
- - name: port
- level: core
- type: long
- format: string
- description: Port of the source.
-- name: user
- title: User
- group: 2
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- description: Unique identifier of the user.
- ignore_above: 1024
- - name: name
- level: core
- type: keyword
- description: Short name or login of the user.
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
diff --git a/packages/system/0.10.5/data_stream/network/fields/fields.yml b/packages/system/0.10.5/data_stream/network/fields/fields.yml
deleted file mode 100644
index a309d88ba0..0000000000
--- a/packages/system/0.10.5/data_stream/network/fields/fields.yml
+++ /dev/null
@@ -1,77 +0,0 @@
-- name: system.network
- type: group
- fields:
- - name: name
- type: keyword
- description: |
- The network interface name.
- - name: out.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: counter
- description: |
- The number of bytes sent.
- - name: in.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: counter
- description: |
- The number of bytes received.
- - name: out.packets
- type: long
- metric_type: counter
- description: |
- The number of packets sent.
- - name: in.packets
- type: long
- metric_type: counter
- description: |
- The number or packets received.
- - name: in.errors
- type: long
- metric_type: counter
- description: |
- The number of errors while receiving.
- - name: out.errors
- type: long
- metric_type: counter
- description: |
- The number of errors while sending.
- - name: in.dropped
- type: long
- metric_type: counter
- description: |
- The number of incoming packets that were dropped.
- - name: out.dropped
- type: long
- metric_type: counter
- description: |
- The number of outgoing packets that were dropped. This value is always 0 on Darwin and BSD because it is not reported by the operating system.
-- name: host
- type: group
- fields:
- - name: network.in.bytes
- type: scaled_float
- format: bytes
- unit: byte
- metric_type: counter
- description: |
- The number of bytes received on all network interfaces by the host in a given period of time.
- - name: network.out.bytes
- type: scaled_float
- unit: byte
- metric_type: counter
- description: |
- The number of bytes sent out on all network interfaces by the host in a given period of time.
- - name: network.in.packets
- type: scaled_float
- metric_type: counter
- description: |
- The number of packets received on all network interfaces by the host in a given period of time.
- - name: network.out.packets
- type: scaled_float
- metric_type: counter
- description: |
- The number of packets sent out on all network interfaces by the host in a given period of time.
diff --git a/packages/system/0.10.5/data_stream/network/manifest.yml b/packages/system/0.10.5/data_stream/network/manifest.yml
deleted file mode 100644
index b9878b3e64..0000000000
--- a/packages/system/0.10.5/data_stream/network/manifest.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-title: System network metrics
-release: experimental
-type: metrics
-streams:
- - input: system/metrics
- vars:
- - name: period
- type: text
- title: Period
- multi: false
- required: true
- show_user: true
- default: 10s
- - name: network.interfaces
- type: text
- title: Interfaces
- multi: true
- required: false
- show_user: true
- description: >
- List of interfaces to monitor. Will monitor all by default.
-
- title: System network metrics
- description: Collect System network metrics
diff --git a/packages/system/0.10.5/data_stream/process/agent/stream/stream.yml.hbs b/packages/system/0.10.5/data_stream/process/agent/stream/stream.yml.hbs
deleted file mode 100644
index c28d9dd78a..0000000000
--- a/packages/system/0.10.5/data_stream/process/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,16 +0,0 @@
-metricsets: ["process"]
-period: {{period}}
-process.include_top_n.by_cpu: {{process.include_top_n.by_cpu}}
-process.include_top_n.by_memory: {{process.include_top_n.by_memory}}
-process.cmdline.cache.enabled: {{process.cmdline.cache.enabled}}
-process.cgroups.enabled: {{process.cgroups.enabled}}
-process.include_cpu_ticks: {{process.include_cpu_ticks}}
-{{#if process.env.whitelist}}
-{{#each process.env.whitelist}}
- - {{this}}
-{{/each}}
-{{/if}}
-processes:
-{{#each processes}}
- - {{this}}
-{{/each}}
\ No newline at end of file
diff --git a/packages/system/0.10.5/data_stream/process/fields/agent.yml b/packages/system/0.10.5/data_stream/process/fields/agent.yml
deleted file mode 100644
index da4e652c53..0000000000
--- a/packages/system/0.10.5/data_stream/process/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/system/0.10.5/data_stream/process/fields/base-fields.yml b/packages/system/0.10.5/data_stream/process/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.10.5/data_stream/process/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.10.5/data_stream/process/fields/ecs.yml b/packages/system/0.10.5/data_stream/process/fields/ecs.yml
deleted file mode 100644
index 7e409c1793..0000000000
--- a/packages/system/0.10.5/data_stream/process/fields/ecs.yml
+++ /dev/null
@@ -1,128 +0,0 @@
-- name: process
- title: Process
- group: 2
- type: group
- fields:
- - name: name
- level: extended
- type: keyword
- description: |-
- Process name.
- Sometimes called program name or similar.
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- - name: pgid
- level: extended
- type: long
- format: string
- description: Identifier of the group of processes the process belongs to.
- - name: pid
- level: core
- type: long
- format: string
- description: Process id.
- - name: ppid
- level: extended
- type: long
- format: string
- description: Parent process' pid.
- - name: working_directory
- level: extended
- type: keyword
- description: The working directory of the process.
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
-- name: user
- title: User
- group: 2
- type: group
- fields:
- - name: name
- level: core
- type: keyword
- description: Short name or login of the user.
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: ip
- level: core
- type: ip
- description: Host ip address.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac address.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.full
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system name, including the version or code name.
- example: Mac OS Mojave
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: Type of host.
diff --git a/packages/system/0.10.5/data_stream/process/fields/fields.yml b/packages/system/0.10.5/data_stream/process/fields/fields.yml
deleted file mode 100644
index 4dc7b1aab2..0000000000
--- a/packages/system/0.10.5/data_stream/process/fields/fields.yml
+++ /dev/null
@@ -1,434 +0,0 @@
-- name: system.process
- type: group
- fields:
- - name: state
- type: keyword
- description: |
- The process state. For example: "running".
- - name: cmdline
- type: keyword
- description: |
- The full command-line used to start the process, including the arguments separated by space.
- ignore_above: 2048
- - name: env
- type: object
- description: |
- The environment variables used to start the process. The data is available on FreeBSD, Linux, and OS X.
- - name: cpu
- type: group
- fields:
- - name: user.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time the process spent in user space.
- - name: total.value
- type: long
- metric_type: counter
- description: |
- The value of CPU usage since starting the process.
- - name: total.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent by the process since the last update. Its value is similar to the %CPU value of the process displayed by the top command on Unix systems.
- - name: total.norm.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 100%.
- - name: system.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time the process spent in kernel space.
- - name: total.ticks
- type: long
- metric_type: counter
- description: |
- The total CPU time spent by the process.
- - name: start_time
- type: date
- description: |
- The time when the process was started.
- - name: memory
- type: group
- fields:
- - name: size
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- The total virtual memory the process has. 
On Windows this represents the Commit Charge (the total amount of memory that the memory manager has committed for a running process) value in bytes for this process.
- - name: rss.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- The Resident Set Size. The amount of memory the process occupied in main memory (RAM). On Windows this represents the current working set size, in bytes.
- - name: rss.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of memory the process occupied in main memory (RAM).
- - name: share
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- The shared memory the process uses.
- - name: fd
- type: group
- fields:
- - name: open
- type: long
- metric_type: gauge
- description: The number of file descriptors open by the process.
- - name: limit.soft
- type: long
- metric_type: gauge
- description: |
- The soft limit on the number of file descriptors opened by the process. The soft limit can be changed by the process at any time.
- - name: limit.hard
- type: long
- metric_type: gauge
- description: |
- The hard limit on the number of file descriptors opened by the process. The hard limit can only be raised by root.
- - name: cgroup
- type: group
- fields:
- - name: id
- type: keyword
- description: |
- The ID common to all cgroups associated with this task. If there isn't a common ID used by all cgroups this field will be absent.
- - name: path
- type: keyword
- description: |
- The path to the cgroup relative to the cgroup subsystem's mountpoint. If there isn't a common path used by all cgroups this field will be absent.
- - name: cpu
- type: group
- fields:
- - name: id
- type: keyword
- description: ID of the cgroup.
- - name: path
- type: keyword
- description: |
- Path to the cgroup relative to the cgroup subsystem's mountpoint.
- - name: cfs.period.us
- type: long
- unit: micros
- description: |
- Period of time in microseconds for how regularly a cgroup's access to CPU resources should be reallocated.
- - name: cfs.quota.us
- type: long
- unit: micros
- description: |
- Total amount of time in microseconds for which all tasks in a cgroup can run during one period (as defined by cfs.period.us).
- - name: cfs.shares
- type: long
- description: |
- An integer value that specifies a relative share of CPU time available to the tasks in a cgroup. The value specified in the cpu.shares file must be 2 or higher.
- - name: rt.period.us
- type: long
- unit: micros
- description: |
- Period of time in microseconds for how regularly a cgroup's access to CPU resources is reallocated.
- - name: rt.runtime.us
- type: long
- unit: micros
- description: |
- Period of time in microseconds for the longest continuous period in which the tasks in a cgroup have access to CPU resources.
- - name: stats.periods
- type: long
- metric_type: counter
- description: |
- Number of period intervals (as specified in cpu.cfs.period.us) that have elapsed.
- - name: stats.throttled.periods
- type: long
- metric_type: counter
- description: |
- Number of times tasks in a cgroup have been throttled (that is, not allowed to run because they have exhausted all of the available time as specified by their quota).
- - name: stats.throttled.ns
- type: long
- metric_type: counter
- unit: nanos
- description: |
- The total time duration (in nanoseconds) for which tasks in a cgroup have been throttled.
- - name: cpuacct
- type: group
- fields:
- - name: id
- type: keyword
- description: ID of the cgroup.
- - name: path
- type: keyword
- description: |
- Path to the cgroup relative to the cgroup subsystem's mountpoint.
- - name: total.ns
- type: long
- metric_type: counter
- unit: nanos
- description: |
- Total CPU time in nanoseconds consumed by all tasks in the cgroup.
- - name: stats.user.ns
- type: long
- metric_type: counter
- unit: nanos
- description: CPU time consumed by tasks in user mode.
- - name: stats.system.ns
- type: long
- metric_type: counter
- unit: nanos
- description: CPU time consumed by tasks in user (kernel) mode.
- - name: percpu
- type: object
- description: |
- CPU time (in nanoseconds) consumed on each CPU by all tasks in this cgroup.
- - name: memory
- type: group
- fields:
- - name: id
- type: keyword
- description: ID of the cgroup.
- - name: path
- type: keyword
- description: |
- Path to the cgroup relative to the cgroup subsystem's mountpoint.
- - name: mem.usage.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Total memory usage by processes in the cgroup (in bytes).
- - name: mem.usage.max.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- The maximum memory used by processes in the cgroup (in bytes).
- - name: mem.limit.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- The maximum amount of user memory in bytes (including file cache) that tasks in the cgroup are allowed to use.
- - name: mem.failures
- type: long
- description: |
- The number of times that the memory limit (mem.limit.bytes) was reached.
- - name: memsw.usage.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- The sum of current memory usage plus swap space used by processes in the cgroup (in bytes).
- - name: memsw.usage.max.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- The maximum amount of memory and swap space used by processes in the cgroup (in bytes).
- - name: memsw.limit.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- The maximum amount for the sum of memory and swap usage that tasks in the cgroup are allowed to use.
- - name: memsw.failures
- type: long
- unit: byte
- metric_type: gauge
- description: |
- The number of times that the memory plus swap space limit (memsw.limit.bytes) was reached.
- - name: kmem.usage.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Total kernel memory usage by processes in the cgroup (in bytes).
- - name: kmem.usage.max.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- The maximum kernel memory used by processes in the cgroup (in bytes).
- - name: kmem.limit.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- The maximum amount of kernel memory that tasks in the cgroup are allowed to use.
- - name: kmem.failures
- type: long
- metric_type: counter
- description: |
- The number of times that the memory limit (kmem.limit.bytes) was reached.
- - name: kmem_tcp.usage.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Total memory usage for TCP buffers in bytes.
- - name: kmem_tcp.usage.max.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- The maximum memory used for TCP buffers by processes in the cgroup (in bytes).
- - name: kmem_tcp.limit.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- The maximum amount of memory for TCP buffers that tasks in the cgroup are allowed to use.
- - name: kmem_tcp.failures
- type: long
- metric_type: counter
- description: |
- The number of times that the memory limit (kmem_tcp.limit.bytes) was reached.
- - name: stats.active_anon.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Anonymous and swap cache on active least-recently-used (LRU) list, including tmpfs (shmem), in bytes.
- - name: stats.active_file.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: File-backed memory on active LRU list, in bytes.
- - name: stats.cache.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: Page cache, including tmpfs (shmem), in bytes.
- - name: stats.hierarchical_memory_limit.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Memory limit for the hierarchy that contains the memory cgroup, in bytes.
- - name: stats.hierarchical_memsw_limit.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Memory plus swap limit for the hierarchy that contains the memory cgroup, in bytes.
- - name: stats.inactive_anon.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Anonymous and swap cache on inactive LRU list, including tmpfs (shmem), in bytes
- - name: stats.inactive_file.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- File-backed memory on inactive LRU list, in bytes.
- - name: stats.mapped_file.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Size of memory-mapped mapped files, including tmpfs (shmem), in bytes.
- - name: stats.page_faults
- type: long
- metric_type: counter
- description: |
- Number of times that a process in the cgroup triggered a page fault.
- - name: stats.major_page_faults
- type: long
- metric_type: counter
- description: |
- Number of times that a process in the cgroup triggered a major fault. "Major" faults happen when the kernel actually has to read the data from disk.
- - name: stats.pages_in
- type: long
- metric_type: counter
- description: |
- Number of pages paged into memory. This is a counter.
- - name: stats.pages_out
- type: long
- metric_type: counter
- description: |
- Number of pages paged out of memory. This is a counter.
- - name: stats.rss.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Anonymous and swap cache (includes transparent hugepages), not including tmpfs (shmem), in bytes.
- - name: stats.rss_huge.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Number of bytes of anonymous transparent hugepages.
- - name: stats.swap.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Swap usage, in bytes.
- - name: stats.unevictable.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Memory that cannot be reclaimed, in bytes.
- - name: blkio
- type: group
- fields:
- - name: id
- type: keyword
- description: ID of the cgroup.
- - name: path
- type: keyword
- description: |
- Path to the cgroup relative to the cgroup subsystems mountpoint.
- - name: total.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Total number of bytes transferred to and from all block devices by processes in the cgroup.
- - name: total.ios
- type: long
- metric_type: counter
- description: |
- Total number of I/O operations performed on all devices by processes in the cgroup as seen by the throttling policy.
diff --git a/packages/system/0.10.5/data_stream/process/manifest.yml b/packages/system/0.10.5/data_stream/process/manifest.yml
deleted file mode 100644
index fd982eb931..0000000000
--- a/packages/system/0.10.5/data_stream/process/manifest.yml
+++ /dev/null
@@ -1,85 +0,0 @@
-title: System process metrics
-release: experimental
-type: metrics
-streams:
- - input: system/metrics
- vars:
- - name: period
- type: text
- title: Period
- multi: false
- required: true
- show_user: true
- default: 10s
- - name: process.include_top_n.by_cpu
- type: integer
- title: Process Include Top N By Cpu
- multi: false
- required: true
- show_user: true
- default: 5
- description: >
- Include the top N processes by CPU usage.
-
- - name: process.include_top_n.by_memory
- type: integer
- title: Process Include Top N By Memory
- multi: false
- required: true
- show_user: true
- default: 5
- description: >
- Include the top N processes by memory usage.
-
- - name: process.cmdline.cache.enabled
- type: bool
- title: Enable cmdline cache
- multi: false
- required: false
- show_user: true
- default: true
- description: >
- If false, cmdline of a process is not cached.
-
- - name: process.cgroups.enabled
- type: bool
- title: Enable cgroup reporting
- multi: false
- required: false
- show_user: true
- default: false
- description: >
- Enable collection of cgroup metrics from processes on Linux.
-
- - name: process.env.whitelist
- type: text
- title: Env whitelist
- multi: true
- required: false
- show_user: true
- description: >
- A list of regular expressions used to whitelist environment variables reported with the process metricset's events. Defaults to empty.
-
- - name: process.include_cpu_ticks
- type: bool
- title: Include CPU Ticks
- multi: false
- required: false
- show_user: true
- default: false
- description: >
- Include the cumulative CPU tick values with the process metrics.
-
- - name: processes
- type: text
- title: Processes
- multi: true
- required: true
- show_user: true
- description: >
- A glob to match reported processes. By default all processes are reported.
-
- default:
- - .*
- title: System process metrics
- description: Collect System process metrics
diff --git a/packages/system/0.10.5/data_stream/process_summary/agent/stream/stream.yml.hbs b/packages/system/0.10.5/data_stream/process_summary/agent/stream/stream.yml.hbs
deleted file mode 100644
index 9c7cfe4dc8..0000000000
--- a/packages/system/0.10.5/data_stream/process_summary/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,2 +0,0 @@
-metricsets: ["process_summary"]
-period: {{period}}
\ No newline at end of file
diff --git a/packages/system/0.10.5/data_stream/process_summary/fields/agent.yml b/packages/system/0.10.5/data_stream/process_summary/fields/agent.yml
deleted file mode 100644
index da4e652c53..0000000000
--- a/packages/system/0.10.5/data_stream/process_summary/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/system/0.10.5/data_stream/process_summary/fields/base-fields.yml b/packages/system/0.10.5/data_stream/process_summary/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.10.5/data_stream/process_summary/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.10.5/data_stream/process_summary/fields/ecs.yml b/packages/system/0.10.5/data_stream/process_summary/fields/ecs.yml
deleted file mode 100644
index 9f3d04118b..0000000000
--- a/packages/system/0.10.5/data_stream/process_summary/fields/ecs.yml
+++ /dev/null
@@ -1,128 +0,0 @@ -- name: '@timestamp' - level: core - required: true - type: date - description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. -- name: message - level: core - type: text - description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. -- name: group - title: Group - group: 2 - type: group - fields: - - name: id - level: extended - type: keyword - description: Unique identifier for the group on the system/platform. - ignore_above: 1024 - - name: name - level: extended - type: keyword - description: Name of the group. - ignore_above: 1024 -- name: host - title: Host - group: 2 - type: group - fields: - - name: hostname - level: core - type: keyword - description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - ignore_above: 1024 -- name: process - title: Process - group: 2 - type: group - fields: - - name: name - level: extended - type: keyword - description: |- - Process name. - Sometimes called program name or similar. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - - name: pid - level: core - type: long - format: string - description: Process id. -- name: source - title: Source - group: 2 - type: group - fields: - - name: geo.city_name - level: core - type: keyword - description: City name. 
- ignore_above: 1024 - - name: geo.continent_name - level: core - type: keyword - description: Name of the continent. - ignore_above: 1024 - - name: geo.country_iso_code - level: core - type: keyword - description: Country ISO code. - ignore_above: 1024 - - name: geo.location - level: core - type: geo_point - description: Longitude and latitude. - - name: geo.region_iso_code - level: core - type: keyword - description: Region ISO code. - ignore_above: 1024 - - name: geo.region_name - level: core - type: keyword - description: Region name. - ignore_above: 1024 - - name: ip - level: core - type: ip - description: IP address of the source (IPv4 or IPv6). - - name: port - level: core - type: long - format: string - description: Port of the source. -- name: user - title: User - group: 2 - type: group - fields: - - name: id - level: core - type: keyword - description: Unique identifier of the user. - ignore_above: 1024 - - name: name - level: core - type: keyword - description: Short name or login of the user. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false diff --git a/packages/system/0.10.5/data_stream/process_summary/fields/fields.yml b/packages/system/0.10.5/data_stream/process_summary/fields/fields.yml deleted file mode 100644 index bc9254a2ae..0000000000 --- a/packages/system/0.10.5/data_stream/process_summary/fields/fields.yml +++ /dev/null 
@@ -1,44 +0,0 @@ -- name: system.process.summary - title: Process Summary - type: group - fields: - - name: total - type: long - metric_type: gauge - description: | - Total number of processes on this host. - - name: running - type: long - metric_type: gauge - description: | - Number of running processes on this host. - - name: idle - type: long - metric_type: gauge - description: | - Number of idle processes on this host. - - name: sleeping - type: long - metric_type: gauge - description: | - Number of sleeping processes on this host. - - name: stopped - type: long - metric_type: gauge - description: | - Number of stopped processes on this host. - - name: zombie - type: long - metric_type: gauge - description: | - Number of zombie processes on this host. - - name: dead - type: long - metric_type: gauge - description: | - Number of dead processes on this host. It's very unlikely that it will appear but in some special situations it may happen. - - name: unknown - type: long - metric_type: gauge - description: | - Number of processes for which the state couldn't be retrieved or is unknown. diff --git a/packages/system/0.10.5/data_stream/process_summary/manifest.yml b/packages/system/0.10.5/data_stream/process_summary/manifest.yml deleted file mode 100644 index cd89d30b94..0000000000 --- a/packages/system/0.10.5/data_stream/process_summary/manifest.yml +++ /dev/null @@ -1,15 +0,0 @@ -title: System process_summary metrics -release: experimental -type: metrics -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - title: System process_summary metrics - description: Collect System process_summary metrics diff --git a/packages/system/0.10.5/data_stream/security/agent/stream/winlog.yml.hbs b/packages/system/0.10.5/data_stream/security/agent/stream/winlog.yml.hbs deleted file mode 100644 index ea60e77baf..0000000000 
--- a/packages/system/0.10.5/data_stream/security/agent/stream/winlog.yml.hbs +++ /dev/null 
@@ -1,2053 +0,0 @@ -name: Security -condition: ${host.platform} == 'windows' -processors: - - add_fields: - target: '' - fields: - ecs.version: 1.6.0 - - script: - lang: javascript - id: security - source: |- - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - var security = (function () { - var path = require("path"); - var processor = require("processor"); - var windows = require("windows"); - // Logon Types - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events - var logonTypes = { - "2": "Interactive", - "3": "Network", - "4": "Batch", - "5": "Service", - "7": "Unlock", - "8": "NetworkCleartext", - "9": "NewCredentials", - "10": "RemoteInteractive", - "11": "CachedInteractive", - }; - // User Account Control Attributes Table - // https://support.microsoft.com/es-us/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties - var uacFlags = [ - [0x0001, 'SCRIPT'], - [0x0002, 'ACCOUNTDISABLE'], - [0x0008, 'HOMEDIR_REQUIRED'], - [0x0010, 'LOCKOUT'], - [0x0020, 'PASSWD_NOTREQD'], - [0x0040, 'PASSWD_CANT_CHANGE'], - [0x0080, 'ENCRYPTED_TEXT_PWD_ALLOWED'], - [0x0100, 'TEMP_DUPLICATE_ACCOUNT'], - [0x0200, 'NORMAL_ACCOUNT'], - [0x0800, 'INTERDOMAIN_TRUST_ACCOUNT'], - [0x1000, 'WORKSTATION_TRUST_ACCOUNT'], - [0x2000, 'SERVER_TRUST_ACCOUNT'], - [0x10000, 'DONT_EXPIRE_PASSWORD'], - [0x20000, 'MNS_LOGON_ACCOUNT'], - [0x40000, 'SMARTCARD_REQUIRED'], - [0x80000, 'TRUSTED_FOR_DELEGATION'], - [0x100000, 'NOT_DELEGATED'], - [0x200000, 'USE_DES_KEY_ONLY'], - [0x400000, 'DONT_REQ_PREAUTH'], - [0x800000, 'PASSWORD_EXPIRED'], - [0x1000000, 'TRUSTED_TO_AUTH_FOR_DELEGATION'], - [0x04000000, 'PARTIAL_SECRETS_ACCOUNT'], - ]; - // Kerberos TGT and TGS Ticket Options - // 
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769 - var ticketOptions = [ - "Reserved", - "Forwardable", - "Forwarded", - "Proxiable", - "Proxy", - "Allow-postdate", - "Postdated", - "Invalid", - "Renewable", - "Initial", - "Pre-authent", - "Opt-hardware-auth", - "Transited-policy-checked", - "Ok-as-delegate", - "Request-anonymous", - "Name-canonicalize", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Disable-transited-check", - "Renewable-ok", - "Enc-tkt-in-skey", - "Unused", - "Renew", - "Validate"]; - // Kerberos Encryption Types - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - var ticketEncryptionTypes = { - "0x1": "DES-CBC-CRC", - "0x3": "DES-CBC-MD5", - "0x11": "AES128-CTS-HMAC-SHA1-96", - "0x12": "AES256-CTS-HMAC-SHA1-96", - "0x17": "RC4-HMAC", - "0x18": "RC4-HMAC-EXP", - "0xffffffff": "FAIL", - }; - // Kerberos Result Status Codes - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - var kerberosTktStatusCodes = { - "0x0": "KDC_ERR_NONE", - "0x1": "KDC_ERR_NAME_EXP", - "0x2": "KDC_ERR_SERVICE_EXP", - "0x3": "KDC_ERR_BAD_PVNO", - "0x4": "KDC_ERR_C_OLD_MAST_KVNO", - "0x5": "KDC_ERR_S_OLD_MAST_KVNO", - "0x6": "KDC_ERR_C_PRINCIPAL_UNKNOWN", - "0x7": "KDC_ERR_S_PRINCIPAL_UNKNOWN", - "0x8": "KDC_ERR_PRINCIPAL_NOT_UNIQUE", - "0x9": "KDC_ERR_NULL_KEY", - "0xA": "KDC_ERR_CANNOT_POSTDATE", - "0xB": "KDC_ERR_NEVER_VALID", - "0xC": "KDC_ERR_POLICY", - "0xD": "KDC_ERR_BADOPTION", - "0xE": "KDC_ERR_ETYPE_NOTSUPP", - "0xF": "KDC_ERR_SUMTYPE_NOSUPP", - "0x10": "KDC_ERR_PADATA_TYPE_NOSUPP", - "0x11": 
"KDC_ERR_TRTYPE_NO_SUPP", - "0x12": "KDC_ERR_CLIENT_REVOKED", - "0x13": "KDC_ERR_SERVICE_REVOKED", - "0x14": "KDC_ERR_TGT_REVOKED", - "0x15": "KDC_ERR_CLIENT_NOTYET", - "0x16": "KDC_ERR_SERVICE_NOTYET", - "0x17": "KDC_ERR_KEY_EXPIRED", - "0x18": "KDC_ERR_PREAUTH_FAILED", - "0x19": "KDC_ERR_PREAUTH_REQUIRED", - "0x1A": "KDC_ERR_SERVER_NOMATCH", - "0x1B": "KDC_ERR_MUST_USE_USER2USER", - "0x1F": "KRB_AP_ERR_BAD_INTEGRITY", - "0x20": "KRB_AP_ERR_TKT_EXPIRED", - "0x21": "KRB_AP_ERR_TKT_NYV", - "0x22": "KRB_AP_ERR_REPEAT", - "0x23": "KRB_AP_ERR_NOT_US", - "0x24": "KRB_AP_ERR_BADMATCH", - "0x25": "KRB_AP_ERR_SKEW", - "0x26": "KRB_AP_ERR_BADADDR", - "0x27": "KRB_AP_ERR_BADVERSION", - "0x28": "KRB_AP_ERR_MSG_TYPE", - "0x29": "KRB_AP_ERR_MODIFIED", - "0x2A": "KRB_AP_ERR_BADORDER", - "0x2C": "KRB_AP_ERR_BADKEYVER", - "0x2D": "KRB_AP_ERR_NOKEY", - "0x2E": "KRB_AP_ERR_MUT_FAIL", - "0x2F": "KRB_AP_ERR_BADDIRECTION", - "0x30": "KRB_AP_ERR_METHOD", - "0x31": "KRB_AP_ERR_BADSEQ", - "0x32": "KRB_AP_ERR_INAPP_CKSUM", - "0x33": "KRB_AP_PATH_NOT_ACCEPTED", - "0x34": "KRB_ERR_RESPONSE_TOO_BIG", - "0x3C": "KRB_ERR_GENERIC", - "0x3D": "KRB_ERR_FIELD_TOOLONG", - "0x3E": "KDC_ERR_CLIENT_NOT_TRUSTED", - "0x3F": "KDC_ERR_KDC_NOT_TRUSTED", - "0x40": "KDC_ERR_INVALID_SIG", - "0x41": "KDC_ERR_KEY_TOO_WEAK", - "0x42": "KRB_AP_ERR_USER_TO_USER_REQUIRED", - "0x43": "KRB_AP_ERR_NO_TGT", - "0x44": "KDC_ERR_WRONG_REALM", - }; - // event.category, event.type, event.action - var eventActionTypes = { - "1100": ["process","end","logging-service-shutdown"], - "1102": ["iam", "admin", "audit-log-cleared"], - "1104": ["iam","admin","logging-full"], - "1105": ["iam","admin","auditlog-archieved"], - "1108": ["iam","admin","logging-processing-error"], - "4624": ["authentication","start","logged-in"], - "4625": ["authentication","start","logon-failed"], - "4634": ["authentication","end","logged-out"], - "4647": ["authentication","end","logged-out"], - "4648": ["authentication","start","logged-in-explicit"], - 
"4672": ["iam","admin","logged-in-special"], - "4673": ["iam","admin","privileged-service-called"], - "4674": ["iam","admin","privileged-operation"], - "4688": ["process","start","created-process"], - "4689": ["process", "end", "exited-process"], - "4697": ["iam","admin","service-installed"], - "4698": ["iam","creation","scheduled-task-created"], - "4699": ["iam","deletion","scheduled-task-deleted"], - "4700": ["iam","change","scheduled-task-enabled"], - "4701": ["iam","change","scheduled-task-disabled"], - "4702": ["iam","change","scheduled-task-updated"], - "4719": ["iam","admin","changed-audit-config"], - "4720": ["iam","creation","added-user-account"], - "4722": ["iam","creation","enabled-user-account"], - "4723": ["iam","change","changed-password"], - "4724": ["iam","change","reset-password"], - "4725": ["iam","deletion","disabled-user-account"], - "4726": ["iam","deletion","deleted-user-account"], - "4727": ["iam","creation","added-group-account"], - "4728": ["iam","change","added-member-to-group"], - "4729": ["iam","change","removed-member-from-group"], - "4730": ["iam","deletion","deleted-group-account"], - "4731": ["iam","creation","added-group-account"], - "4732": ["iam","change","added-member-to-group"], - "4733": ["iam","change","removed-member-from-group"], - "4734": ["iam","deletion","deleted-group-account"], - "4735": ["iam","change","modified-group-account"], - "4737": ["iam","change","modified-group-account"], - "4738": ["iam","change","modified-user-account"], - "4740": ["iam","change","locked-out-user-account"], - "4741": ["iam","creation","added-computer-account"], - "4742": ["iam","change","changed-computer-account"], - "4743": ["iam","deletion","deleted-computer-account"], - "4744": ["iam","creation","added-distribution-group-account"], - "4745": ["iam","change","changed-distribution-group-account"], - "4746": ["iam","change","added-member-to-distribution-group"], - "4747": ["iam","change","removed-member-from-distribution-group"], - "4748": 
["iam","deletion","deleted-distribution-group-account"], - "4749": ["iam","creation","added-distribution-group-account"], - "4750": ["iam","change","changed-distribution-group-account"], - "4751": ["iam","change","added-member-to-distribution-group"], - "4752": ["iam","change","removed-member-from-distribution-group"], - "4753": ["iam","deletion","deleted-distribution-group-account"], - "4754": ["iam","creation","added-group-account"], - "4755": ["iam","change","modified-group-account"], - "4756": ["iam","change","added-member-to-group"], - "4757": ["iam","change","removed-member-from-group"], - "4758": ["iam","deletion","deleted-group-account"], - "4759": ["iam","creation","added-distribution-group-account"], - "4760": ["iam","change","changed-distribution-group-account"], - "4761": ["iam","change","added-member-to-distribution-group"], - "4762": ["iam","change","removed-member-from-distribution-group"], - "4763": ["iam","deletion","deleted-distribution-group-account"], - "4764": ["iam","change","type-changed-group-account"], - "4767": ["iam","change","unlocked-user-account"], - "4768": ["authentication","start","kerberos-authentication-ticket-requested"], - "4769": ["authentication","start","kerberos-service-ticket-requested"], - "4770": ["authentication","start","kerberos-service-ticket-renewed"], - "4771": ["authentication","start","kerberos-preauth-failed"], - "4776": ["authentication","start","credential-validated"], - "4778": ["authentication","start","session-reconnected"], - "4779": ["authentication","end","session-disconnected"], - "4781": ["iam","change","renamed-user-account","dummy"], - "4798": ["iam","info","group-membership-enumerated"], - "4799": ["iam","info","user-member-enumerated","dummy"], - "4964": ["iam","admin","logged-in-special"], - }; - // Audit Policy Changes Table - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4719 - var auditActions = { - "8448": "Success Removed", - "8450": "Failure Removed", - 
"8449": "Success Added", - "8451": "Failure Added", - }; - // Services Types - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697 - var serviceTypes = { - "0x1": "Kernel Driver", - "0x2": "File System Driver", - "0x8": "Recognizer Driver", - "0x10": "Win32 Own Process", - "0x20": "Win32 Share Process", - "0x110": "Interactive Own Process", - "0x120": "Interactive Share Process", - }; - // Audit Categories Description - // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpac/77878370-0712-47cd-997d-b07053429f6d - var auditDescription = { - "0CCE9210-69AE-11D9-BED3-505054503030":["Security State Change", "System"], - "0CCE9211-69AE-11D9-BED3-505054503030":["Security System Extension", "System"], - "0CCE9212-69AE-11D9-BED3-505054503030":["System Integrity", "System"], - "0CCE9213-69AE-11D9-BED3-505054503030":["IPsec Driver", "System"], - "0CCE9214-69AE-11D9-BED3-505054503030":["Other System Events", "System"], - "0CCE9215-69AE-11D9-BED3-505054503030":["Logon", "Logon/Logoff"], - "0CCE9216-69AE-11D9-BED3-505054503030":["Logoff","Logon/Logoff"], - "0CCE9217-69AE-11D9-BED3-505054503030":["Account Lockout","Logon/Logoff"], - "0CCE9218-69AE-11D9-BED3-505054503030":["IPsec Main Mode","Logon/Logoff"], - "0CCE9219-69AE-11D9-BED3-505054503030":["IPsec Quick Mode","Logon/Logoff"], - "0CCE921A-69AE-11D9-BED3-505054503030":["IPsec Extended Mode","Logon/Logoff"], - "0CCE921B-69AE-11D9-BED3-505054503030":["Special Logon","Logon/Logoff"], - "0CCE921C-69AE-11D9-BED3-505054503030":["Other Logon/Logoff Events","Logon/Logoff"], - "0CCE9243-69AE-11D9-BED3-505054503030":["Network Policy Server","Logon/Logoff"], - "0CCE9247-69AE-11D9-BED3-505054503030":["User / Device Claims","Logon/Logoff"], - "0CCE921D-69AE-11D9-BED3-505054503030":["File System","Object Access"], - "0CCE921E-69AE-11D9-BED3-505054503030":["Registry","Object Access"], - "0CCE921F-69AE-11D9-BED3-505054503030":["Kernel Object","Object Access"], - 
"0CCE9220-69AE-11D9-BED3-505054503030":["SAM","Object Access"], - "0CCE9221-69AE-11D9-BED3-505054503030":["Certification Services","Object Access"], - "0CCE9222-69AE-11D9-BED3-505054503030":["Application Generated","Object Access"], - "0CCE9223-69AE-11D9-BED3-505054503030":["Handle Manipulation","Object Access"], - "0CCE9224-69AE-11D9-BED3-505054503030":["File Share","Object Access"], - "0CCE9225-69AE-11D9-BED3-505054503030":["Filtering Platform Packet Drop","Object Access"], - "0CCE9226-69AE-11D9-BED3-505054503030":["Filtering Platform Connection ","Object Access"], - "0CCE9227-69AE-11D9-BED3-505054503030":["Other Object Access Events","Object Access"], - "0CCE9244-69AE-11D9-BED3-505054503030":["Detailed File Share","Object Access"], - "0CCE9245-69AE-11D9-BED3-505054503030":["Removable Storage","Object Access"], - "0CCE9246-69AE-11D9-BED3-505054503030":["Central Policy Staging","Object Access"], - "0CCE9228-69AE-11D9-BED3-505054503030":["Sensitive Privilege Use","Privilege Use"], - "0CCE9229-69AE-11D9-BED3-505054503030":["Non Sensitive Privilege Use","Privilege Use"], - "0CCE922A-69AE-11D9-BED3-505054503030":["Other Privilege Use Events","Privilege Use"], - "0CCE922B-69AE-11D9-BED3-505054503030":["Process Creation","Detailed Tracking"], - "0CCE922C-69AE-11D9-BED3-505054503030":["Process Termination","Detailed Tracking"], - "0CCE922D-69AE-11D9-BED3-505054503030":["DPAPI Activity","Detailed Tracking"], - "0CCE922E-69AE-11D9-BED3-505054503030":["RPC Events","Detailed Tracking"], - "0CCE9248-69AE-11D9-BED3-505054503030":["Plug and Play Events","Detailed Tracking"], - "0CCE922F-69AE-11D9-BED3-505054503030":["Audit Policy Change","Policy Change"], - "0CCE9230-69AE-11D9-BED3-505054503030":["Authentication Policy Change","Policy Change"], - "0CCE9231-69AE-11D9-BED3-505054503030":["Authorization Policy Change","Policy Change"], - "0CCE9232-69AE-11D9-BED3-505054503030":["MPSSVC Rule-Level Policy Change","Policy Change"], - "0CCE9233-69AE-11D9-BED3-505054503030":["Filtering 
Platform Policy Change","Policy Change"], - "0CCE9234-69AE-11D9-BED3-505054503030":["Other Policy Change Events","Policy Change"], - "0CCE9235-69AE-11D9-BED3-505054503030":["User Account Management","Account Management"], - "0CCE9236-69AE-11D9-BED3-505054503030":["Computer Account Management","Account Management"], - "0CCE9237-69AE-11D9-BED3-505054503030":["Security Group Management","Account Management"], - "0CCE9238-69AE-11D9-BED3-505054503030":["Distribution Group Management","Account Management"], - "0CCE9239-69AE-11D9-BED3-505054503030":["Application Group Management","Account Management"], - "0CCE923A-69AE-11D9-BED3-505054503030":["Other Account Management Events","Account Management"], - "0CCE923B-69AE-11D9-BED3-505054503030":["Directory Service Access","Account Management"], - "0CCE923C-69AE-11D9-BED3-505054503030":["Directory Service Changes","Account Management"], - "0CCE923D-69AE-11D9-BED3-505054503030":["Directory Service Replication","Account Management"], - "0CCE923E-69AE-11D9-BED3-505054503030":["Detailed Directory Service Replication","Account Management"], - "0CCE923F-69AE-11D9-BED3-505054503030":["Credential Validation","Account Logon"], - "0CCE9240-69AE-11D9-BED3-505054503030":["Kerberos Service Ticket Operations","Account Logon"], - "0CCE9241-69AE-11D9-BED3-505054503030":["Other Account Logon Events","Account Logon"], - "0CCE9242-69AE-11D9-BED3-505054503030":["Kerberos Authentication Service","Account Logon"], - }; - // Descriptions of failure status codes. 
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625 - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776 - var logonFailureStatus = { - "0xc000005e": "There are currently no logon servers available to service the logon request.", - "0xc0000064": "User logon with misspelled or bad user account", - "0xc000006a": "User logon with misspelled or bad password", - "0xc000006d": "This is either due to a bad username or authentication information", - "0xc000006e": "Unknown user name or bad password.", - "0xc000006f": "User logon outside authorized hours", - "0xc0000070": "User logon from unauthorized workstation", - "0xc0000071": "User logon with expired password", - "0xc0000072": "User logon to account disabled by administrator", - "0xc00000dc": "Indicates the Sam Server was in the wrong state to perform the desired operation.", - "0xc0000133": "Clocks between DC and other computer too far out of sync", - "0xc000015b": "The user has not been granted the requested logon type (aka logon right) at this machine", - "0xc000018c": "The logon request failed because the trust relationship between the primary domain and the trusted domain failed.", - "0xc0000192": "An attempt was made to logon, but the Netlogon service was not started.", - "0xc0000193": "User logon with expired account", - "0xc0000224": "User is required to change password at next logon", - "0xc0000225": "Evidently a bug in Windows and not a risk", - "0xc0000234": "User logon with account locked", - "0xc00002ee": "Failure Reason: An Error occurred during Logon", - "0xc0000413": "Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine.", - "0xc0000371": "The local account store does not contain secret material for the specified account", - "0x0": "Status OK.", - }; - // Message table extracted from msobjs.dll on Windows 2019. 
- // https://gist.github.com/andrewkroh/665dca0682bd0e4daf194ab291694012 - var msobjsMessageTable = { - "279": "Undefined Access (no effect) Bit 7", - "1536": "Unused message ID", - "1537": "DELETE", - "1538": "READ_CONTROL", - "1539": "WRITE_DAC", - "1540": "WRITE_OWNER", - "1541": "SYNCHRONIZE", - "1542": "ACCESS_SYS_SEC", - "1543": "MAX_ALLOWED", - "1552": "Unknown specific access (bit 0)", - "1553": "Unknown specific access (bit 1)", - "1554": "Unknown specific access (bit 2)", - "1555": "Unknown specific access (bit 3)", - "1556": "Unknown specific access (bit 4)", - "1557": "Unknown specific access (bit 5)", - "1558": "Unknown specific access (bit 6)", - "1559": "Unknown specific access (bit 7)", - "1560": "Unknown specific access (bit 8)", - "1561": "Unknown specific access (bit 9)", - "1562": "Unknown specific access (bit 10)", - "1563": "Unknown specific access (bit 11)", - "1564": "Unknown specific access (bit 12)", - "1565": "Unknown specific access (bit 13)", - "1566": "Unknown specific access (bit 14)", - "1567": "Unknown specific access (bit 15)", - "1601": "Not used", - "1603": "Assign Primary Token Privilege", - "1604": "Lock Memory Privilege", - "1605": "Increase Memory Quota Privilege", - "1606": "Unsolicited Input Privilege", - "1607": "Trusted Computer Base Privilege", - "1608": "Security Privilege", - "1609": "Take Ownership Privilege", - "1610": "Load/Unload Driver Privilege", - "1611": "Profile System Privilege", - "1612": "Set System Time Privilege", - "1613": "Profile Single Process Privilege", - "1614": "Increment Base Priority Privilege", - "1615": "Create Pagefile Privilege", - "1616": "Create Permanent Object Privilege", - "1617": "Backup Privilege", - "1618": "Restore From Backup Privilege", - "1619": "Shutdown System Privilege", - "1620": "Debug Privilege", - "1621": "View or Change Audit Log Privilege", - "1622": "Change Hardware Environment Privilege", - "1623": "Change Notify (and Traverse) Privilege", - "1624": "Remotely Shut 
System Down Privilege", - "1792": "", - "1794": "", - "1795": "Enabled", - "1796": "Disabled", - "1797": "All", - "1798": "None", - "1799": "Audit Policy query/set API Operation", - "1800": "", - "1801": "Granted by", - "1802": "Denied by", - "1803": "Denied by Integrity Policy check", - "1804": "Granted by Ownership", - "1805": "Not granted", - "1806": "Granted by NULL DACL", - "1807": "Denied by Empty DACL", - "1808": "Granted by NULL Security Descriptor", - "1809": "Unknown or unchecked", - "1810": "Not granted due to missing", - "1811": "Granted by ACE on parent folder", - "1812": "Denied by ACE on parent folder", - "1813": "Granted by Central Access Rule", - "1814": "NOT Granted by Central Access Rule", - "1815": "Granted by parent folder's Central Access Rule", - "1816": "NOT Granted by parent folder's Central Access Rule", - "1817": "Unknown Type", - "1818": "String", - "1819": "Unsigned 64-bit Integer", - "1820": "64-bit Integer", - "1821": "FQBN", - "1822": "Blob", - "1823": "Sid", - "1824": "Boolean", - "1825": "TRUE", - "1826": "FALSE", - "1827": "Invalid", - "1828": "an ACE too long to display", - "1829": "a Security Descriptor too long to display", - "1830": "Not granted to AppContainers", - "1831": "...", - "1832": "Identification", - "1833": "Impersonation", - "1840": "Delegation", - "1841": "Denied by Process Trust Label ACE", - "1842": "Yes", - "1843": "No", - "1844": "System", - "1845": "Not Available", - "1846": "Default", - "1847": "DisallowMmConfig", - "1848": "Off", - "1849": "Auto", - "1872": "REG_NONE", - "1873": "REG_SZ", - "1874": "REG_EXPAND_SZ", - "1875": "REG_BINARY", - "1876": "REG_DWORD", - "1877": "REG_DWORD_BIG_ENDIAN", - "1878": "REG_LINK", - "1879": "REG_MULTI_SZ (New lines are replaced with *. 
A * is replaced with **)", - "1880": "REG_RESOURCE_LIST", - "1881": "REG_FULL_RESOURCE_DESCRIPTOR", - "1882": "REG_RESOURCE_REQUIREMENTS_LIST", - "1883": "REG_QWORD", - "1904": "New registry value created", - "1905": "Existing registry value modified", - "1906": "Registry value deleted", - "1920": "Sunday", - "1921": "Monday", - "1922": "Tuesday", - "1923": "Wednesday", - "1924": "Thursday", - "1925": "Friday", - "1926": "Saturday", - "1936": "TokenElevationTypeDefault (1)", - "1937": "TokenElevationTypeFull (2)", - "1938": "TokenElevationTypeLimited (3)", - "2048": "Account Enabled", - "2049": "Home Directory Required' - Disabled", - "2050": "Password Not Required' - Disabled", - "2051": "Temp Duplicate Account' - Disabled", - "2052": "Normal Account' - Disabled", - "2053": "MNS Logon Account' - Disabled", - "2054": "Interdomain Trust Account' - Disabled", - "2055": "Workstation Trust Account' - Disabled", - "2056": "Server Trust Account' - Disabled", - "2057": "Don't Expire Password' - Disabled", - "2058": "Account Unlocked", - "2059": "Encrypted Text Password Allowed' - Disabled", - "2060": "Smartcard Required' - Disabled", - "2061": "Trusted For Delegation' - Disabled", - "2062": "Not Delegated' - Disabled", - "2063": "Use DES Key Only' - Disabled", - "2064": "Don't Require Preauth' - Disabled", - "2065": "Password Expired' - Disabled", - "2066": "Trusted To Authenticate For Delegation' - Disabled", - "2067": "Exclude Authorization Information' - Disabled", - "2068": "Undefined UserAccountControl Bit 20' - Disabled", - "2069": "Protect Kerberos Service Tickets with AES Keys' - Disabled", - "2070": "Undefined UserAccountControl Bit 22' - Disabled", - "2071": "Undefined UserAccountControl Bit 23' - Disabled", - "2072": "Undefined UserAccountControl Bit 24' - Disabled", - "2073": "Undefined UserAccountControl Bit 25' - Disabled", - "2074": "Undefined UserAccountControl Bit 26' - Disabled", - "2075": "Undefined UserAccountControl Bit 27' - Disabled", - "2076": 
"Undefined UserAccountControl Bit 28' - Disabled", - "2077": "Undefined UserAccountControl Bit 29' - Disabled", - "2078": "Undefined UserAccountControl Bit 30' - Disabled", - "2079": "Undefined UserAccountControl Bit 31' - Disabled", - "2080": "Account Disabled", - "2081": "Home Directory Required' - Enabled", - "2082": "Password Not Required' - Enabled", - "2083": "Temp Duplicate Account' - Enabled", - "2084": "Normal Account' - Enabled", - "2085": "MNS Logon Account' - Enabled", - "2086": "Interdomain Trust Account' - Enabled", - "2087": "Workstation Trust Account' - Enabled", - "2088": "Server Trust Account' - Enabled", - "2089": "Don't Expire Password' - Enabled", - "2090": "Account Locked", - "2091": "Encrypted Text Password Allowed' - Enabled", - "2092": "Smartcard Required' - Enabled", - "2093": "Trusted For Delegation' - Enabled", - "2094": "Not Delegated' - Enabled", - "2095": "Use DES Key Only' - Enabled", - "2096": "Don't Require Preauth' - Enabled", - "2097": "Password Expired' - Enabled", - "2098": "Trusted To Authenticate For Delegation' - Enabled", - "2099": "Exclude Authorization Information' - Enabled", - "2100": "Undefined UserAccountControl Bit 20' - Enabled", - "2101": "Protect Kerberos Service Tickets with AES Keys' - Enabled", - "2102": "Undefined UserAccountControl Bit 22' - Enabled", - "2103": "Undefined UserAccountControl Bit 23' - Enabled", - "2104": "Undefined UserAccountControl Bit 24' - Enabled", - "2105": "Undefined UserAccountControl Bit 25' - Enabled", - "2106": "Undefined UserAccountControl Bit 26' - Enabled", - "2107": "Undefined UserAccountControl Bit 27' - Enabled", - "2108": "Undefined UserAccountControl Bit 28' - Enabled", - "2109": "Undefined UserAccountControl Bit 29' - Enabled", - "2110": "Undefined UserAccountControl Bit 30' - Enabled", - "2111": "Undefined UserAccountControl Bit 31' - Enabled", - "2304": "An Error occured during Logon.", - "2305": "The specified user account has expired.", - "2306": "The NetLogon component 
is not active.", - "2307": "Account locked out.", - "2308": "The user has not been granted the requested logon type at this machine.", - "2309": "The specified account's password has expired.", - "2310": "Account currently disabled.", - "2311": "Account logon time restriction violation.", - "2312": "User not allowed to logon at this computer.", - "2313": "Unknown user name or bad password.", - "2314": "Domain sid inconsistent.", - "2315": "Smartcard logon is required and was not used.", - "2432": "Not Available.", - "2436": "Random number generator failure.", - "2437": "Random number generation failed FIPS-140 pre-hash check.", - "2438": "Failed to zero secret data.", - "2439": "Key failed pair wise consistency check.", - "2448": "Failed to unprotect persistent cryptographic key.", - "2449": "Key export checks failed.", - "2450": "Validation of public key failed.", - "2451": "Signature verification failed.", - "2456": "Open key file.", - "2457": "Delete key file.", - "2458": "Read persisted key from file.", - "2459": "Write persisted key to file.", - "2464": "Export of persistent cryptographic key.", - "2465": "Import of persistent cryptographic key.", - "2480": "Open Key.", - "2481": "Create Key.", - "2482": "Delete Key.", - "2483": "Encrypt.", - "2484": "Decrypt.", - "2485": "Sign hash.", - "2486": "Secret agreement.", - "2487": "Domain settings", - "2488": "Local settings", - "2489": "Add provider.", - "2490": "Remove provider.", - "2491": "Add context.", - "2492": "Remove context.", - "2493": "Add function.", - "2494": "Remove function.", - "2495": "Add function provider.", - "2496": "Remove function provider.", - "2497": "Add function property.", - "2498": "Remove function property.", - "2499": "Machine key.", - "2500": "User key.", - "2501": "Key Derivation.", - "4352": "Device Access Bit 0", - "4353": "Device Access Bit 1", - "4354": "Device Access Bit 2", - "4355": "Device Access Bit 3", - "4356": "Device Access Bit 4", - "4357": "Device Access Bit 5", - 
"4358": "Device Access Bit 6", - "4359": "Device Access Bit 7", - "4360": "Device Access Bit 8", - "4361": "Undefined Access (no effect) Bit 9", - "4362": "Undefined Access (no effect) Bit 10", - "4363": "Undefined Access (no effect) Bit 11", - "4364": "Undefined Access (no effect) Bit 12", - "4365": "Undefined Access (no effect) Bit 13", - "4366": "Undefined Access (no effect) Bit 14", - "4367": "Undefined Access (no effect) Bit 15", - "4368": "Query directory", - "4369": "Traverse", - "4370": "Create object in directory", - "4371": "Create sub-directory", - "4372": "Undefined Access (no effect) Bit 4", - "4373": "Undefined Access (no effect) Bit 5", - "4374": "Undefined Access (no effect) Bit 6", - "4375": "Undefined Access (no effect) Bit 7", - "4376": "Undefined Access (no effect) Bit 8", - "4377": "Undefined Access (no effect) Bit 9", - "4378": "Undefined Access (no effect) Bit 10", - "4379": "Undefined Access (no effect) Bit 11", - "4380": "Undefined Access (no effect) Bit 12", - "4381": "Undefined Access (no effect) Bit 13", - "4382": "Undefined Access (no effect) Bit 14", - "4383": "Undefined Access (no effect) Bit 15", - "4384": "Query event state", - "4385": "Modify event state", - "4386": "Undefined Access (no effect) Bit 2", - "4387": "Undefined Access (no effect) Bit 3", - "4388": "Undefined Access (no effect) Bit 4", - "4389": "Undefined Access (no effect) Bit 5", - "4390": "Undefined Access (no effect) Bit 6", - "4391": "Undefined Access (no effect) Bit 7", - "4392": "Undefined Access (no effect) Bit 8", - "4393": "Undefined Access (no effect) Bit 9", - "4394": "Undefined Access (no effect) Bit 10", - "4395": "Undefined Access (no effect) Bit 11", - "4396": "Undefined Access (no effect) Bit 12", - "4397": "Undefined Access (no effect) Bit 13", - "4398": "Undefined Access (no effect) Bit 14", - "4399": "Undefined Access (no effect) Bit 15", - "4416": "ReadData (or ListDirectory)", - "4417": "WriteData (or AddFile)", - "4418": "AppendData (or 
AddSubdirectory or CreatePipeInstance)", - "4419": "ReadEA", - "4420": "WriteEA", - "4421": "Execute/Traverse", - "4422": "DeleteChild", - "4423": "ReadAttributes", - "4424": "WriteAttributes", - "4425": "Undefined Access (no effect) Bit 9", - "4426": "Undefined Access (no effect) Bit 10", - "4427": "Undefined Access (no effect) Bit 11", - "4428": "Undefined Access (no effect) Bit 12", - "4429": "Undefined Access (no effect) Bit 13", - "4430": "Undefined Access (no effect) Bit 14", - "4431": "Undefined Access (no effect) Bit 15", - "4432": "Query key value", - "4433": "Set key value", - "4434": "Create sub-key", - "4435": "Enumerate sub-keys", - "4436": "Notify about changes to keys", - "4437": "Create Link", - "4438": "Undefined Access (no effect) Bit 6", - "4439": "Undefined Access (no effect) Bit 7", - "4440": "Enable 64(or 32) bit application to open 64 bit key", - "4441": "Enable 64(or 32) bit application to open 32 bit key", - "4442": "Undefined Access (no effect) Bit 10", - "4443": "Undefined Access (no effect) Bit 11", - "4444": "Undefined Access (no effect) Bit 12", - "4445": "Undefined Access (no effect) Bit 13", - "4446": "Undefined Access (no effect) Bit 14", - "4447": "Undefined Access (no effect) Bit 15", - "4448": "Query mutant state", - "4449": "Undefined Access (no effect) Bit 1", - "4450": "Undefined Access (no effect) Bit 2", - "4451": "Undefined Access (no effect) Bit 3", - "4452": "Undefined Access (no effect) Bit 4", - "4453": "Undefined Access (no effect) Bit 5", - "4454": "Undefined Access (no effect) Bit 6", - "4455": "Undefined Access (no effect) Bit 7", - "4456": "Undefined Access (no effect) Bit 8", - "4457": "Undefined Access (no effect) Bit 9", - "4458": "Undefined Access (no effect) Bit 10", - "4459": "Undefined Access (no effect) Bit 11", - "4460": "Undefined Access (no effect) Bit 12", - "4461": "Undefined Access (no effect) Bit 13", - "4462": "Undefined Access (no effect) Bit 14", - "4463": "Undefined Access (no effect) Bit 15", - 
"4464": "Communicate using port", - "4465": "Undefined Access (no effect) Bit 1", - "4466": "Undefined Access (no effect) Bit 2", - "4467": "Undefined Access (no effect) Bit 3", - "4468": "Undefined Access (no effect) Bit 4", - "4469": "Undefined Access (no effect) Bit 5", - "4470": "Undefined Access (no effect) Bit 6", - "4471": "Undefined Access (no effect) Bit 7", - "4472": "Undefined Access (no effect) Bit 8", - "4473": "Undefined Access (no effect) Bit 9", - "4474": "Undefined Access (no effect) Bit 10", - "4475": "Undefined Access (no effect) Bit 11", - "4476": "Undefined Access (no effect) Bit 12", - "4477": "Undefined Access (no effect) Bit 13", - "4478": "Undefined Access (no effect) Bit 14", - "4479": "Undefined Access (no effect) Bit 15", - "4480": "Force process termination", - "4481": "Create new thread in process", - "4482": "Set process session ID", - "4483": "Perform virtual memory operation", - "4484": "Read from process memory", - "4485": "Write to process memory", - "4486": "Duplicate handle into or out of process", - "4487": "Create a subprocess of process", - "4488": "Set process quotas", - "4489": "Set process information", - "4490": "Query process information", - "4491": "Set process termination port", - "4492": "Undefined Access (no effect) Bit 12", - "4493": "Undefined Access (no effect) Bit 13", - "4494": "Undefined Access (no effect) Bit 14", - "4495": "Undefined Access (no effect) Bit 15", - "4496": "Control profile", - "4497": "Undefined Access (no effect) Bit 1", - "4498": "Undefined Access (no effect) Bit 2", - "4499": "Undefined Access (no effect) Bit 3", - "4500": "Undefined Access (no effect) Bit 4", - "4501": "Undefined Access (no effect) Bit 5", - "4502": "Undefined Access (no effect) Bit 6", - "4503": "Undefined Access (no effect) Bit 7", - "4504": "Undefined Access (no effect) Bit 8", - "4505": "Undefined Access (no effect) Bit 9", - "4506": "Undefined Access (no effect) Bit 10", - "4507": "Undefined Access (no effect) Bit 11", 
- "4508": "Undefined Access (no effect) Bit 12", - "4509": "Undefined Access (no effect) Bit 13", - "4510": "Undefined Access (no effect) Bit 14", - "4511": "Undefined Access (no effect) Bit 15", - "4512": "Query section state", - "4513": "Map section for write", - "4514": "Map section for read", - "4515": "Map section for execute", - "4516": "Extend size", - "4517": "Undefined Access (no effect) Bit 5", - "4518": "Undefined Access (no effect) Bit 6", - "4519": "Undefined Access (no effect) Bit 7", - "4520": "Undefined Access (no effect) Bit 8", - "4521": "Undefined Access (no effect) Bit 9", - "4522": "Undefined Access (no effect) Bit 10", - "4523": "Undefined Access (no effect) Bit 11", - "4524": "Undefined Access (no effect) Bit 12", - "4525": "Undefined Access (no effect) Bit 13", - "4526": "Undefined Access (no effect) Bit 14", - "4527": "Undefined Access (no effect) Bit 15", - "4528": "Query semaphore state", - "4529": "Modify semaphore state", - "4530": "Undefined Access (no effect) Bit 2", - "4531": "Undefined Access (no effect) Bit 3", - "4532": "Undefined Access (no effect) Bit 4", - "4533": "Undefined Access (no effect) Bit 5", - "4534": "Undefined Access (no effect) Bit 6", - "4535": "Undefined Access (no effect) Bit 7", - "4536": "Undefined Access (no effect) Bit 8", - "4537": "Undefined Access (no effect) Bit 9", - "4538": "Undefined Access (no effect) Bit 10", - "4539": "Undefined Access (no effect) Bit 11", - "4540": "Undefined Access (no effect) Bit 12", - "4541": "Undefined Access (no effect) Bit 13", - "4542": "Undefined Access (no effect) Bit 14", - "4543": "Undefined Access (no effect) Bit 15", - "4544": "Use symbolic link", - "4545": "Undefined Access (no effect) Bit 1", - "4546": "Undefined Access (no effect) Bit 2", - "4547": "Undefined Access (no effect) Bit 3", - "4548": "Undefined Access (no effect) Bit 4", - "4549": "Undefined Access (no effect) Bit 5", - "4550": "Undefined Access (no effect) Bit 6", - "4551": "Undefined Access (no 
effect) Bit 7", - "4552": "Undefined Access (no effect) Bit 8", - "4553": "Undefined Access (no effect) Bit 9", - "4554": "Undefined Access (no effect) Bit 10", - "4555": "Undefined Access (no effect) Bit 11", - "4556": "Undefined Access (no effect) Bit 12", - "4557": "Undefined Access (no effect) Bit 13", - "4558": "Undefined Access (no effect) Bit 14", - "4559": "Undefined Access (no effect) Bit 15", - "4560": "Force thread termination", - "4561": "Suspend or resume thread", - "4562": "Send an alert to thread", - "4563": "Get thread context", - "4564": "Set thread context", - "4565": "Set thread information", - "4566": "Query thread information", - "4567": "Assign a token to the thread", - "4568": "Cause thread to directly impersonate another thread", - "4569": "Directly impersonate this thread", - "4570": "Undefined Access (no effect) Bit 10", - "4571": "Undefined Access (no effect) Bit 11", - "4572": "Undefined Access (no effect) Bit 12", - "4573": "Undefined Access (no effect) Bit 13", - "4574": "Undefined Access (no effect) Bit 14", - "4575": "Undefined Access (no effect) Bit 15", - "4576": "Query timer state", - "4577": "Modify timer state", - "4578": "Undefined Access (no effect) Bit 2", - "4579": "Undefined Access (no effect) Bit 3", - "4580": "Undefined Access (no effect) Bit 4", - "4581": "Undefined Access (no effect) Bit 5", - "4582": "Undefined Access (no effect) Bit 6", - "4584": "Undefined Access (no effect) Bit 8", - "4585": "Undefined Access (no effect) Bit 9", - "4586": "Undefined Access (no effect) Bit 10", - "4587": "Undefined Access (no effect) Bit 11", - "4588": "Undefined Access (no effect) Bit 12", - "4589": "Undefined Access (no effect) Bit 13", - "4590": "Undefined Access (no effect) Bit 14", - "4591": "Undefined Access (no effect) Bit 15", - "4592": "AssignAsPrimary", - "4593": "Duplicate", - "4594": "Impersonate", - "4595": "Query", - "4596": "QuerySource", - "4597": "AdjustPrivileges", - "4598": "AdjustGroups", - "4599": 
"AdjustDefaultDacl", - "4600": "AdjustSessionID", - "4601": "Undefined Access (no effect) Bit 9", - "4602": "Undefined Access (no effect) Bit 10", - "4603": "Undefined Access (no effect) Bit 11", - "4604": "Undefined Access (no effect) Bit 12", - "4605": "Undefined Access (no effect) Bit 13", - "4606": "Undefined Access (no effect) Bit 14", - "4607": "Undefined Access (no effect) Bit 15", - "4608": "Create instance of object type", - "4609": "Undefined Access (no effect) Bit 1", - "4610": "Undefined Access (no effect) Bit 2", - "4611": "Undefined Access (no effect) Bit 3", - "4612": "Undefined Access (no effect) Bit 4", - "4613": "Undefined Access (no effect) Bit 5", - "4614": "Undefined Access (no effect) Bit 6", - "4615": "Undefined Access (no effect) Bit 7", - "4616": "Undefined Access (no effect) Bit 8", - "4617": "Undefined Access (no effect) Bit 9", - "4618": "Undefined Access (no effect) Bit 10", - "4619": "Undefined Access (no effect) Bit 11", - "4620": "Undefined Access (no effect) Bit 12", - "4621": "Undefined Access (no effect) Bit 13", - "4622": "Undefined Access (no effect) Bit 14", - "4623": "Undefined Access (no effect) Bit 15", - "4864": "Query State", - "4865": "Modify State", - "5120": "Channel read message", - "5121": "Channel write message", - "5122": "Channel query information", - "5123": "Channel set information", - "5124": "Undefined Access (no effect) Bit 4", - "5125": "Undefined Access (no effect) Bit 5", - "5126": "Undefined Access (no effect) Bit 6", - "5127": "Undefined Access (no effect) Bit 7", - "5128": "Undefined Access (no effect) Bit 8", - "5129": "Undefined Access (no effect) Bit 9", - "5130": "Undefined Access (no effect) Bit 10", - "5131": "Undefined Access (no effect) Bit 11", - "5132": "Undefined Access (no effect) Bit 12", - "5133": "Undefined Access (no effect) Bit 13", - "5134": "Undefined Access (no effect) Bit 14", - "5135": "Undefined Access (no effect) Bit 15", - "5136": "Assign process", - "5137": "Set Attributes", - 
"5138": "Query Attributes", - "5139": "Terminate Job", - "5140": "Set Security Attributes", - "5141": "Undefined Access (no effect) Bit 5", - "5142": "Undefined Access (no effect) Bit 6", - "5143": "Undefined Access (no effect) Bit 7", - "5144": "Undefined Access (no effect) Bit 8", - "5145": "Undefined Access (no effect) Bit 9", - "5146": "Undefined Access (no effect) Bit 10", - "5147": "Undefined Access (no effect) Bit 11", - "5148": "Undefined Access (no effect) Bit 12", - "5149": "Undefined Access (no effect) Bit 13", - "5150": "Undefined Access (no effect) Bit 14", - "5151": "Undefined Access (no effect) Bit 15", - "5376": "ConnectToServer", - "5377": "ShutdownServer", - "5378": "InitializeServer", - "5379": "CreateDomain", - "5380": "EnumerateDomains", - "5381": "LookupDomain", - "5382": "Undefined Access (no effect) Bit 6", - "5383": "Undefined Access (no effect) Bit 7", - "5384": "Undefined Access (no effect) Bit 8", - "5385": "Undefined Access (no effect) Bit 9", - "5386": "Undefined Access (no effect) Bit 10", - "5387": "Undefined Access (no effect) Bit 11", - "5388": "Undefined Access (no effect) Bit 12", - "5389": "Undefined Access (no effect) Bit 13", - "5390": "Undefined Access (no effect) Bit 14", - "5391": "Undefined Access (no effect) Bit 15", - "5392": "ReadPasswordParameters", - "5393": "WritePasswordParameters", - "5394": "ReadOtherParameters", - "5395": "WriteOtherParameters", - "5396": "CreateUser", - "5397": "CreateGlobalGroup", - "5398": "CreateLocalGroup", - "5399": "GetLocalGroupMembership", - "5400": "ListAccounts", - "5401": "LookupIDs", - "5402": "AdministerServer", - "5403": "Undefined Access (no effect) Bit 11", - "5404": "Undefined Access (no effect) Bit 12", - "5405": "Undefined Access (no effect) Bit 13", - "5406": "Undefined Access (no effect) Bit 14", - "5407": "Undefined Access (no effect) Bit 15", - "5408": "ReadInformation", - "5409": "WriteAccount", - "5410": "AddMember", - "5411": "RemoveMember", - "5412": "ListMembers", - 
"5413": "Undefined Access (no effect) Bit 5", - "5414": "Undefined Access (no effect) Bit 6", - "5415": "Undefined Access (no effect) Bit 7", - "5416": "Undefined Access (no effect) Bit 8", - "5417": "Undefined Access (no effect) Bit 9", - "5418": "Undefined Access (no effect) Bit 10", - "5419": "Undefined Access (no effect) Bit 11", - "5420": "Undefined Access (no effect) Bit 12", - "5421": "Undefined Access (no effect) Bit 13", - "5422": "Undefined Access (no effect) Bit 14", - "5423": "Undefined Access (no effect) Bit 15", - "5424": "AddMember", - "5425": "RemoveMember", - "5426": "ListMembers", - "5427": "ReadInformation", - "5428": "WriteAccount", - "5429": "Undefined Access (no effect) Bit 5", - "5430": "Undefined Access (no effect) Bit 6", - "5431": "Undefined Access (no effect) Bit 7", - "5432": "Undefined Access (no effect) Bit 8", - "5433": "Undefined Access (no effect) Bit 9", - "5434": "Undefined Access (no effect) Bit 10", - "5435": "Undefined Access (no effect) Bit 11", - "5436": "Undefined Access (no effect) Bit 12", - "5437": "Undefined Access (no effect) Bit 13", - "5438": "Undefined Access (no effect) Bit 14", - "5439": "Undefined Access (no effect) Bit 15", - "5440": "ReadGeneralInformation", - "5441": "ReadPreferences", - "5442": "WritePreferences", - "5443": "ReadLogon", - "5444": "ReadAccount", - "5445": "WriteAccount", - "5446": "ChangePassword (with knowledge of old password)", - "5447": "SetPassword (without knowledge of old password)", - "5448": "ListGroups", - "5449": "ReadGroupMembership", - "5450": "ChangeGroupMembership", - "5451": "Undefined Access (no effect) Bit 11", - "5452": "Undefined Access (no effect) Bit 12", - "5453": "Undefined Access (no effect) Bit 13", - "5454": "Undefined Access (no effect) Bit 14", - "5455": "Undefined Access (no effect) Bit 15", - "5632": "View non-sensitive policy information", - "5633": "View system audit requirements", - "5634": "Get sensitive policy information", - "5635": "Modify domain trust 
relationships", - "5636": "Create special accounts (for assignment of user rights)", - "5637": "Create a secret object", - "5638": "Create a privilege", - "5639": "Set default quota limits", - "5640": "Change system audit requirements", - "5641": "Administer audit log attributes", - "5642": "Enable/Disable LSA", - "5643": "Lookup Names/SIDs", - "5648": "Change secret value", - "5649": "Query secret value", - "5650": "Undefined Access (no effect) Bit 2", - "5651": "Undefined Access (no effect) Bit 3", - "5652": "Undefined Access (no effect) Bit 4", - "5653": "Undefined Access (no effect) Bit 5", - "5654": "Undefined Access (no effect) Bit 6", - "5655": "Undefined Access (no effect) Bit 7", - "5656": "Undefined Access (no effect) Bit 8", - "5657": "Undefined Access (no effect) Bit 9", - "5658": "Undefined Access (no effect) Bit 10", - "5659": "Undefined Access (no effect) Bit 11", - "5660": "Undefined Access (no effect) Bit 12", - "5661": "Undefined Access (no effect) Bit 13", - "5662": "Undefined Access (no effect) Bit 14", - "5663": "Undefined Access (no effect) Bit 15", - "5664": "Query trusted domain name/SID", - "5665": "Retrieve the controllers in the trusted domain", - "5666": "Change the controllers in the trusted domain", - "5667": "Query the Posix ID offset assigned to the trusted domain", - "5668": "Change the Posix ID offset assigned to the trusted domain", - "5669": "Undefined Access (no effect) Bit 5", - "5670": "Undefined Access (no effect) Bit 6", - "5671": "Undefined Access (no effect) Bit 7", - "5672": "Undefined Access (no effect) Bit 8", - "5673": "Undefined Access (no effect) Bit 9", - "5674": "Undefined Access (no effect) Bit 10", - "5675": "Undefined Access (no effect) Bit 11", - "5676": "Undefined Access (no effect) Bit 12", - "5677": "Undefined Access (no effect) Bit 13", - "5678": "Undefined Access (no effect) Bit 14", - "5679": "Undefined Access (no effect) Bit 15", - "5680": "Query account information", - "5681": "Change privileges 
assigned to account", - "5682": "Change quotas assigned to account", - "5683": "Change logon capabilities assigned to account", - "5684": "Change the Posix ID offset assigned to the accounted domain", - "5685": "Undefined Access (no effect) Bit 5", - "5686": "Undefined Access (no effect) Bit 6", - "5687": "Undefined Access (no effect) Bit 7", - "5688": "Undefined Access (no effect) Bit 8", - "5689": "Undefined Access (no effect) Bit 9", - "5690": "Undefined Access (no effect) Bit 10", - "5691": "Undefined Access (no effect) Bit 11", - "5692": "Undefined Access (no effect) Bit 12", - "5693": "Undefined Access (no effect) Bit 13", - "5694": "Undefined Access (no effect) Bit 14", - "5695": "Undefined Access (no effect) Bit 15", - "5696": "KeyedEvent Wait", - "5697": "KeyedEvent Wake", - "5698": "Undefined Access (no effect) Bit 2", - "5699": "Undefined Access (no effect) Bit 3", - "5700": "Undefined Access (no effect) Bit 4", - "5701": "Undefined Access (no effect) Bit 5", - "5702": "Undefined Access (no effect) Bit 6", - "5703": "Undefined Access (no effect) Bit 7", - "5704": "Undefined Access (no effect) Bit 8", - "5705": "Undefined Access (no effect) Bit 9", - "5706": "Undefined Access (no effect) Bit 10", - "5707": "Undefined Access (no effect) Bit 11", - "5708": "Undefined Access (no effect) Bit 12", - "5709": "Undefined Access (no effect) Bit 13", - "5710": "Undefined Access (no effect) Bit 14", - "5711": "Undefined Access (no effect) Bit 15", - "6656": "Enumerate desktops", - "6657": "Read attributes", - "6658": "Access Clipboard", - "6659": "Create desktop", - "6660": "Write attributes", - "6661": "Access global atoms", - "6662": "Exit windows", - "6663": "Unused Access Flag", - "6664": "Include this windowstation in enumerations", - "6665": "Read screen", - "6672": "Read Objects", - "6673": "Create window", - "6674": "Create menu", - "6675": "Hook control", - "6676": "Journal (record)", - "6677": "Journal (playback)", - "6678": "Include this desktop in 
enumerations", - "6679": "Write objects", - "6680": "Switch to this desktop", - "6912": "Administer print server", - "6913": "Enumerate printers", - "6930": "Full Control", - "6931": "Print", - "6948": "Administer Document", - "7168": "Connect to service controller", - "7169": "Create a new service", - "7170": "Enumerate services", - "7171": "Lock service database for exclusive access", - "7172": "Query service database lock state", - "7173": "Set last-known-good state of service database", - "7184": "Query service configuration information", - "7185": "Set service configuration information", - "7186": "Query status of service", - "7187": "Enumerate dependencies of service", - "7188": "Start the service", - "7189": "Stop the service", - "7190": "Pause or continue the service", - "7191": "Query information from service", - "7192": "Issue service-specific control commands", - "7424": "DDE Share Read", - "7425": "DDE Share Write", - "7426": "DDE Share Initiate Static", - "7427": "DDE Share Initiate Link", - "7428": "DDE Share Request", - "7429": "DDE Share Advise", - "7430": "DDE Share Poke", - "7431": "DDE Share Execute", - "7432": "DDE Share Add Items", - "7433": "DDE Share List Items", - "7680": "Create Child", - "7681": "Delete Child", - "7682": "List Contents", - "7683": "Write Self", - "7684": "Read Property", - "7685": "Write Property", - "7686": "Delete Tree", - "7687": "List Object", - "7688": "Control Access", - "7689": "Undefined Access (no effect) Bit 9", - "7690": "Undefined Access (no effect) Bit 10", - "7691": "Undefined Access (no effect) Bit 11", - "7692": "Undefined Access (no effect) Bit 12", - "7693": "Undefined Access (no effect) Bit 13", - "7694": "Undefined Access (no effect) Bit 14", - "7695": "Undefined Access (no effect) Bit 15", - "7936": "Audit Set System Policy", - "7937": "Audit Query System Policy", - "7938": "Audit Set Per User Policy", - "7939": "Audit Query Per User Policy", - "7940": "Audit Enumerate Users", - "7941": "Audit Set 
Options", - "7942": "Audit Query Options", - "8064": "Port sharing (read)", - "8065": "Port sharing (write)", - "8096": "Default credentials", - "8097": "Credentials manager", - "8098": "Fresh credentials", - "8192": "Kerberos", - "8193": "Preshared key", - "8194": "Unknown authentication", - "8195": "DES", - "8196": "3DES", - "8197": "MD5", - "8198": "SHA1", - "8199": "Local computer", - "8200": "Remote computer", - "8201": "No state", - "8202": "Sent first (SA) payload", - "8203": "Sent second (KE) payload", - "8204": "Sent third (ID) payload", - "8205": "Initiator", - "8206": "Responder", - "8207": "No state", - "8208": "Sent first (SA) payload", - "8209": "Sent final payload", - "8210": "Complete", - "8211": "Unknown", - "8212": "Transport", - "8213": "Tunnel", - "8214": "IKE/AuthIP DoS prevention mode started", - "8215": "IKE/AuthIP DoS prevention mode stopped", - "8216": "Enabled", - "8217": "Not enabled", - "8218": "No state", - "8219": "Sent first (EM attributes) payload", - "8220": "Sent second (SSPI) payload", - "8221": "Sent third (hash) payload", - "8222": "IKEv1", - "8223": "AuthIP", - "8224": "Anonymous", - "8225": "NTLM V2", - "8226": "CGA", - "8227": "Certificate", - "8228": "SSL", - "8229": "None", - "8230": "DH group 1", - "8231": "DH group 2", - "8232": "DH group 14", - "8233": "DH group ECP 256", - "8234": "DH group ECP 384", - "8235": "AES-128", - "8236": "AES-192", - "8237": "AES-256", - "8238": "Certificate ECDSA P256", - "8239": "Certificate ECDSA P384", - "8240": "SSL ECDSA P256", - "8241": "SSL ECDSA P384", - "8242": "SHA 256", - "8243": "SHA 384", - "8244": "IKEv2", - "8245": "EAP payload sent", - "8246": "Authentication payload sent", - "8247": "EAP", - "8248": "DH group 24", - "8272": "System", - "8273": "Logon/Logoff", - "8274": "Object Access", - "8275": "Privilege Use", - "8276": "Detailed Tracking", - "8277": "Policy Change", - "8278": "Account Management", - "8279": "DS Access", - "8280": "Account Logon", - "8448": "Success 
removed", - "8449": "Success Added", - "8450": "Failure removed", - "8451": "Failure added", - "8452": "Success include removed", - "8453": "Success include added", - "8454": "Success exclude removed", - "8455": "Success exclude added", - "8456": "Failure include removed", - "8457": "Failure include added", - "8458": "Failure exclude removed", - "8459": "Failure exclude added", - "12288": "Security State Change", - "12289": "Security System Extension", - "12290": "System Integrity", - "12291": "IPsec Driver", - "12292": "Other System Events", - "12544": "Logon", - "12545": "Logoff", - "12546": "Account Lockout", - "12547": "IPsec Main Mode", - "12548": "Special Logon", - "12549": "IPsec Quick Mode", - "12550": "IPsec Extended Mode", - "12551": "Other Logon/Logoff Events", - "12552": "Network Policy Server", - "12553": "User / Device Claims", - "12554": "Group Membership", - "12800": "File System", - "12801": "Registry", - "12802": "Kernel Object", - "12803": "SAM", - "12804": "Other Object Access Events", - "12805": "Certification Services", - "12806": "Application Generated", - "12807": "Handle Manipulation", - "12808": "File Share", - "12809": "Filtering Platform Packet Drop", - "12810": "Filtering Platform Connection", - "12811": "Detailed File Share", - "12812": "Removable Storage", - "12813": "Central Policy Staging", - "13056": "Sensitive Privilege Use", - "13057": "Non Sensitive Privilege Use", - "13058": "Other Privilege Use Events", - "13312": "Process Creation", - "13313": "Process Termination", - "13314": "DPAPI Activity", - "13315": "RPC Events", - "13316": "Plug and Play Events", - "13317": "Token Right Adjusted Events", - "13568": "Audit Policy Change", - "13569": "Authentication Policy Change", - "13570": "Authorization Policy Change", - "13571": "MPSSVC Rule-Level Policy Change", - "13572": "Filtering Platform Policy Change", - "13573": "Other Policy Change Events", - "13824": "User Account Management", - "13825": "Computer Account Management", - 
"13826": "Security Group Management", - "13827": "Distribution Group Management", - "13828": "Application Group Management", - "13829": "Other Account Management Events", - "14080": "Directory Service Access", - "14081": "Directory Service Changes", - "14082": "Directory Service Replication", - "14083": "Detailed Directory Service Replication", - "14336": "Credential Validation", - "14337": "Kerberos Service Ticket Operations", - "14338": "Other Account Logon Events", - "14339": "Kerberos Authentication Service", - "14592": "Inbound", - "14593": "Outbound", - "14594": "Forward", - "14595": "Bidirectional", - "14596": "IP Packet", - "14597": "Transport", - "14598": "Forward", - "14599": "Stream", - "14600": "Datagram Data", - "14601": "ICMP Error", - "14602": "MAC 802.3", - "14603": "MAC Native", - "14604": "vSwitch", - "14608": "Resource Assignment", - "14609": "Listen", - "14610": "Receive/Accept", - "14611": "Connect", - "14612": "Flow Established", - "14614": "Resource Release", - "14615": "Endpoint Closure", - "14616": "Connect Redirect", - "14617": "Bind Redirect", - "14624": "Stream Packet", - "14640": "ICMP Echo-Request", - "14641": "vSwitch Ingress", - "14642": "vSwitch Egress", - "14672": "", - "14673": "[NULL]", - "14674": "Value Added", - "14675": "Value Deleted", - "14676": "Active Directory Domain Services", - "14677": "Active Directory Lightweight Directory Services", - "14678": "Yes", - "14679": "No", - "14680": "Value Added With Expiration Time", - "14681": "Value Deleted With Expiration Time", - "14688": "Value Auto Deleted With Expiration Time", - "16384": "Add", - "16385": "Delete", - "16386": "Boot-time", - "16387": "Persistent", - "16388": "Not persistent", - "16389": "Block", - "16390": "Permit", - "16391": "Callout", - "16392": "MD5", - "16393": "SHA-1", - "16394": "SHA-256", - "16395": "AES-GCM 128", - "16396": "AES-GCM 192", - "16397": "AES-GCM 256", - "16398": "DES", - "16399": "3DES", - "16400": "AES-128", - "16401": "AES-192", - "16402": 
"AES-256", - "16403": "Transport", - "16404": "Tunnel", - "16405": "Responder", - "16406": "Initiator", - "16407": "AES-GMAC 128", - "16408": "AES-GMAC 192", - "16409": "AES-GMAC 256", - "16416": "AuthNoEncap Transport", - "16896": "Enable WMI Account", - "16897": "Execute Method", - "16898": "Full Write", - "16899": "Partial Write", - "16900": "Provider Write", - "16901": "Remote Access", - "16902": "Subscribe", - "16903": "Publish", - }; - // lookupMessageCode returns the string associated with the code. key should - // be the name of the field in evt containing the code (e.g. %%2313). - var lookupMessageCode = function (evt, key) { - var code = evt.Get(key); - if (!code) { - return; - } - code = code.replace("%%", ""); - return msobjsMessageTable[code]; - }; - var addEventFields = function(evt){ - var code = evt.Get("event.code"); - if (!code) { - return; - } - var eventActionDescription = eventActionTypes[code][2]; - if (eventActionDescription) { - evt.AppendTo("event.category", eventActionTypes[code][0]); - evt.AppendTo("event.type", eventActionTypes[code][1]); - evt.Put("event.action", eventActionTypes[code][2]); - } - }; - var addLogonType = function(evt) { - var code = evt.Get("winlog.event_data.LogonType"); - if (!code) { - return; - } - var descriptiveLogonType = logonTypes[code]; - if (descriptiveLogonType === undefined) { - return; - } - evt.Put("winlog.logon.type", descriptiveLogonType); - }; - var addFailureCode = function(evt) { - var msg = lookupMessageCode(evt, "winlog.event_data.FailureReason"); - if (!msg) { - return; - } - evt.Put("winlog.logon.failure.reason", msg); - }; - var addFailureStatus = function(evt) { - var code = evt.Get("winlog.event_data.Status"); - if (!code) { - return; - } - var descriptiveFailureStatus = logonFailureStatus[code]; - if (descriptiveFailureStatus === undefined) { - return; - } - evt.Put("winlog.logon.failure.status", descriptiveFailureStatus); - }; - var addFailureSubStatus = function(evt) { - var code = 
evt.Get("winlog.event_data.SubStatus"); - if (!code) { - return; - } - var descriptiveFailureStatus = logonFailureStatus[code]; - if (descriptiveFailureStatus === undefined) { - return; - } - evt.Put("winlog.logon.failure.sub_status", descriptiveFailureStatus); - }; - var addUACDescription = function(evt) { - var code = evt.Get("winlog.event_data.NewUacValue"); - if (!code) { - return; - } - var uacCode = parseInt(code); - var uacResult = []; - for (var i = 0; i < uacFlags.length; i++) { - if ((uacCode | uacFlags[i][0]) === uacCode) { - uacResult.push(uacFlags[i][1]); - } - } - if (uacResult) { - evt.Put("winlog.event_data.NewUACList", uacResult); - } - var uacList = evt.Get("winlog.event_data.UserAccountControl").replace(/\s/g, '').split("%%").filter(String); - if (!uacList) { - return; - } - evt.Put("winlog.event_data.UserAccountControl", uacList); - }; - var addAuditInfo = function(evt) { - var subcategoryGuid = evt.Get("winlog.event_data.SubcategoryGuid").replace("{", '').replace("}", '').toUpperCase(); - if (!subcategoryGuid) { - return; - } - if (!auditDescription[subcategoryGuid]) { - return; - } - evt.Put("winlog.event_data.Category", auditDescription[subcategoryGuid][1]); - evt.Put("winlog.event_data.SubCategory", auditDescription[subcategoryGuid][0]); - var codedActions = evt.Get("winlog.event_data.AuditPolicyChanges").split(","); - var actionResults = []; - for (var j = 0; j < codedActions.length; j++) { - var actionCode = codedActions[j].replace("%%", '').replace(' ', ''); - actionResults.push(auditActions[actionCode]); - } - evt.Put("winlog.event_data.AuditPolicyChangesDescription", actionResults); - }; - var addTicketOptionsDescription = function(evt) { - var code = evt.Get("winlog.event_data.TicketOptions"); - if (!code) { - return; - } - var tktCode = parseInt(code, 16).toString(2); - var tktResult = []; - var tktCodeLen = tktCode.length; - for (var i = tktCodeLen; i >= 0; i--) { - if (tktCode[i] == 1) { - 
tktResult.push(ticketOptions[(32-tktCodeLen)+i]); - } - } - if (tktResult) { - evt.Put("winlog.event_data.TicketOptionsDescription", tktResult); - } - }; - var addTicketEncryptionType = function(evt) { - var code = evt.Get("winlog.event_data.TicketEncryptionType"); - if (!code) { - return; - } - var encTypeCode = code.toLowerCase(); - evt.Put("winlog.event_data.TicketEncryptionTypeDescription", ticketEncryptionTypes[encTypeCode]); - }; - var addTicketStatus = function(evt) { - var code = evt.Get("winlog.event_data.Status"); - if (!code) { - return; - } - evt.Put("winlog.event_data.StatusDescription", kerberosTktStatusCodes[code]); - }; - var addSessionData = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.AccountName", to: "user.name"}, - {from: "winlog.event_data.AccountDomain", to: "user.domain"}, - {from: "winlog.event_data.ClientAddress", to: "source.ip"}, - {from: "winlog.event_data.ClientName", to: "source.domain"}, - {from: "winlog.event_data.LogonID", to: "winlog.logon.id"}, - ], - ignore_missing: true, - }) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.AccountName"); - evt.AppendTo('related.user', user); - }) - .Build(); - var addServiceFields = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.ServiceName", to: "service.name"}, - ], - ignore_missing: true, - }) - .Add(function(evt) { - var code = evt.Get("winlog.event_data.ServiceType"); - if (!code) { - return; - } - evt.Put("service.type", serviceTypes[code]); - }) - .Build(); - var copyTargetUser = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.TargetUserSid", to: "user.id"}, - {from: "winlog.event_data.TargetUserName", to: "user.name"}, - {from: "winlog.event_data.TargetDomainName", to: "user.domain"}, - ], - ignore_missing: true, - }) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.TargetUserName"); - if (/.@*/.test(user)) { - user = user.split('@')[0]; - evt.Put('user.name', user); - } - 
evt.AppendTo('related.user', user); - }) - .Build(); - var copyTargetUserToGroup = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.TargetUserSid", to: "group.id"}, - {from: "winlog.event_data.TargetUserName", to: "group.name"}, - {from: "winlog.event_data.TargetDomainName", to: "group.domain"}, - ], - ignore_missing: true, - }) - .Build(); - var copyTargetUserToComputerObject = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.TargetSid", to: "winlog.computerObject.id"}, - {from: "winlog.event_data.TargetUserName", to: "winlog.computerObject.name"}, - {from: "winlog.event_data.TargetDomainName", to: "winlog.computerObject.domain"}, - ], - ignore_missing: true, - }) - .Build(); - var copyTargetUserLogonId = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.TargetLogonId", to: "winlog.logon.id"}, - ], - ignore_missing: true, - }) - .Build(); - var copySubjectUser = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.SubjectUserSid", to: "user.id"}, - {from: "winlog.event_data.SubjectUserName", to: "user.name"}, - {from: "winlog.event_data.SubjectDomainName", to: "user.domain"}, - ], - ignore_missing: true, - }) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.SubjectUserName"); - evt.AppendTo('related.user', user); - }) - .Build(); - var copySubjectUserFromUserData = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.user_data.SubjectUserSid", to: "user.id"}, - {from: "winlog.user_data.SubjectUserName", to: "user.name"}, - {from: "winlog.user_data.SubjectDomainName", to: "user.domain"}, - ], - ignore_missing: true, - }) - .Add(function(evt) { - var user = evt.Get("winlog.user_data.SubjectUserName"); - evt.AppendTo('related.user', user); - }) - .Build(); - var copySubjectUserLogonId = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.SubjectLogonId", to: "winlog.logon.id"}, - ], - ignore_missing: true, - }) - .Build(); 
- var copySubjectUserLogonIdFromUserData = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.user_data.SubjectLogonId", to: "winlog.logon.id"}, - ], - ignore_missing: true, - }) - .Build(); - var renameCommonAuthFields = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"}, - {from: "winlog.event_data.ProcessName", to: "process.executable"}, - {from: "winlog.event_data.IpAddress", to: "source.ip", type: "ip"}, - {from: "winlog.event_data.IpPort", to: "source.port", type: "long"}, - {from: "winlog.event_data.WorkstationName", to: "source.domain"}, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(function(evt) { - var name = evt.Get("process.name"); - if (name) { - return; - } - var exe = evt.Get("process.executable"); - if (!exe) { - return; - } - evt.Put("process.name", path.basename(exe)); - }) - .Build(); - var renameNewProcessFields = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.NewProcessId", to: "process.pid", type: "long"}, - {from: "winlog.event_data.NewProcessName", to: "process.executable"}, - {from: "winlog.event_data.ParentProcessName", to: "process.parent.executable"} - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(function(evt) { - var name = evt.Get("process.name"); - if (name) { - return; - } - var exe = evt.Get("process.executable"); - if (!exe) { - return; - } - evt.Put("process.name", path.basename(exe)); - }) - .Add(function(evt) { - var name = evt.Get("process.parent.name"); - if (name) { - return; - } - var exe = evt.Get("process.parent.executable"); - if (!exe) { - return; - } - evt.Put("process.parent.name", path.basename(exe)); - }) - .Add(function(evt) { - var cl = evt.Get("winlog.event_data.CommandLine"); - if (!cl) { - return; - } - evt.Put("process.args", windows.splitCommandLine(cl)); - evt.Put("process.command_line", cl); - }) - .Build(); - // Handles 4634 
and 4647. - var logoff = new processor.Chain() - .Add(copyTargetUser) - .Add(copyTargetUserLogonId) - .Add(addLogonType) - .Add(addEventFields) - .Build(); - // Handles both 4624 - var logonSuccess = new processor.Chain() - .Add(copyTargetUser) - .Add(copyTargetUserLogonId) - .Add(addLogonType) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.SubjectUserName"); - if (user) { - var res = /^-$/.test(user); - if (!res) { - evt.AppendTo('related.user', user); - } - } - }) - .Build(); - // Handles both 4648 - var event4648 = new processor.Chain() - .Add(copyTargetUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.SubjectUserName"); - if (user) { - var res = /^-$/.test(user); - if (!res) { - evt.AppendTo('related.user', user); - } - } - }) - .Build(); - var event4625 = new processor.Chain() - .Add(copyTargetUser) - .Add(copySubjectUserLogonId) - .Add(addLogonType) - .Add(addFailureCode) - .Add(addFailureStatus) - .Add(addFailureSubStatus) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Build(); - var event4672 = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(function(evt) { - var privs = evt.Get("winlog.event_data.PrivilegeList"); - if (!privs) { - return; - } - evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/)); - }) - .Add(addEventFields) - .Build(); - var event4688 = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameNewProcessFields) - .Add(addEventFields) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.TargetUserName"); - var res = /^-$/.test(user); - if (!res) { - evt.AppendTo('related.user', user); - } - }) - .Build(); - var event4689 = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Build(); - var 
event4697 = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addServiceFields) - .Add(addEventFields) - .Add(function(evt) { - evt.AppendTo("event.type", "change"); - }) - .Build(); - var userMgmtEvts = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addUACDescription) - .Add(addEventFields) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.TargetUserName"); - evt.AppendTo('related.user', user); - evt.AppendTo("event.type", "user"); - }) - .Build(); - var userRenamed = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(addEventFields) - .Add(function(evt) { - var userNew = evt.Get("winlog.event_data.NewTargetUserName"); - evt.AppendTo('related.user', userNew); - var userOld = evt.Get("winlog.event_data.OldTargetUserName"); - evt.AppendTo('related.user', userOld); - evt.AppendTo("event.type", "user"); - }) - .Build(); - var groupMgmtEvts = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(copyTargetUserToGroup) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Add(function(evt) { - evt.AppendTo("event.type", "group"); - var member = evt.Get("winlog.event_data.MemberName"); - if (!member) { - return; - } - evt.AppendTo("related.user", member.split(',')[0].replace('CN=', '').replace('cn=', '')); - }) - .Build(); - var auditLogCleared = new processor.Chain() - .Add(copySubjectUserFromUserData) - .Add(copySubjectUserLogonIdFromUserData) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Add(function(evt) { - evt.AppendTo("event.type", "change"); - }) - .Build(); - var auditChanged = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addAuditInfo) - .Add(addEventFields) - .Add(function(evt) { - evt.AppendTo("event.type", "change"); - }) - .Build(); - var auditLogMgmt = new 
processor.Chain() - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Build(); - var computerMgmtEvts = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(copyTargetUserToComputerObject) - .Add(renameCommonAuthFields) - .Add(addUACDescription) - .Add(addEventFields) - .Add(function(evt) { - var privs = evt.Get("winlog.event_data.PrivilegeList"); - if (!privs) { - return; - } - evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/)); - evt.AppendTo("event.type", "admin"); - }) - .Build(); - var sessionEvts = new processor.Chain() - .Add(addSessionData) - .Add(addEventFields) - .Build(); - var event4964 = new processor.Chain() - .Add(copyTargetUser) - .Add(copyTargetUserLogonId) - .Add(addEventFields) - .Add(function(evt) { - evt.AppendTo("event.type", "group"); - }) - .Build(); - var kerberosTktEvts = new processor.Chain() - .Add(copyTargetUser) - .Add(renameCommonAuthFields) - .Add(addTicketOptionsDescription) - .Add(addTicketEncryptionType) - .Add(addTicketStatus) - .Add(addEventFields) - .Add(function(evt) { - var ip = evt.Get("source.ip"); - if (/::ffff:/.test(ip)) { - evt.Put("source.ip", ip.replace("::ffff:", "")); - } - }) - .Build(); - var event4776 = new processor.Chain() - .Add(copyTargetUser) - .Add(addFailureStatus) - .Add(addEventFields) - .Build(); - var scheduledTask = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(addEventFields) - .Add(function(evt) { - evt.AppendTo("event.type", "admin"); - }) - .Build(); - var sensitivePrivilege = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Add(function(evt) { - var privs = evt.Get("winlog.event_data.PrivilegeList"); - if (!privs) { - return; - } - evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/)); - }) - .Add(function(evt){ - var maskCodes = evt.Get("winlog.event_data.AccessMask"); - if (!maskCodes) { - return; - } - var maskList = 
maskCodes.replace(/\s+/g, '').split("%%").filter(String); - evt.Put("winlog.event_data.AccessMask", maskList); - var maskResults = []; - for (var j = 0; j < maskList.length; j++) { - var description = msobjsMessageTable[maskList[j]]; - if (description === undefined) { - return; - } - maskResults.push(description); - } - evt.Put("winlog.event_data.AccessMaskDescription", maskResults); - }) - .Build(); - return { - // 1100 - The event logging service has shut down. - 1100: auditLogMgmt.Run, - // 1102 - The audit log was cleared. - 1102: auditLogCleared.Run, - // 1104 - The security log is now full. - 1104: auditLogMgmt.Run, - // 1105 - Event log automatic backup. - 1105: auditLogMgmt.Run, - // 1108 - The event logging service encountered an error while processing an incoming event published from %1 - 1108: auditLogMgmt.Run, - // 4624 - An account was successfully logged on. - 4624: logonSuccess.Run, - // 4625 - An account failed to log on. - 4625: event4625.Run, - // 4634 - An account was logged off. - 4634: logoff.Run, - // 4647 - User initiated logoff. - 4647: logoff.Run, - // 4648 - A logon was attempted using explicit credentials. - 4648: event4648.Run, - // 4672 - Special privileges assigned to new logon. - 4672: event4672.Run, - // 4673 - A privileged service was called. - 4673: sensitivePrivilege.Run, - // 4674 - An operation was attempted on a privileged object. - 4674: sensitivePrivilege.Run, - // 4688 - A new process has been created. - 4688: event4688.Run, - // 4689 - A process has exited. - 4689: event4689.Run, - // 4697 - A service was installed in the system. - 4697: event4697.Run, - // 4698 - A scheduled task was created. - 4698: scheduledTask.Run, - // 4699 - A scheduled task was deleted. - 4699: scheduledTask.Run, - // 4700 - A scheduled task was enabled. - 4700: scheduledTask.Run, - // 4701 - A scheduled task was disabled. - 4701: scheduledTask.Run, - // 4702 - A scheduled task was updated. 
- 4702: scheduledTask.Run, - // 4719 - System audit policy was changed. - 4719: auditChanged.Run, - // 4720 - A user account was created - 4720: userMgmtEvts.Run, - // 4722 - A user account was enabled - 4722: userMgmtEvts.Run, - // 4723 - An attempt was made to change an account's password - 4723: userMgmtEvts.Run, - // 4724 - An attempt was made to reset an account's password - 4724: userMgmtEvts.Run, - // 4725 - A user account was disabled. - 4725: userMgmtEvts.Run, - // 4726 - An user account was deleted. - 4726: userMgmtEvts.Run, - // 4727 - A security-enabled global group was created. - 4727: groupMgmtEvts.Run, - // 4728 - A member was added to a security-enabled global group. - 4728: groupMgmtEvts.Run, - // 4729 - A member was removed from a security-enabled global group. - 4729: groupMgmtEvts.Run, - // 4730 - A security-enabled global group was deleted. - 4730: groupMgmtEvts.Run, - // 4731 - A security-enabled local group was created. - 4731: groupMgmtEvts.Run, - // 4732 - A member was added to a security-enabled local group. - 4732: groupMgmtEvts.Run, - // 4733 - A member was removed from a security-enabled local group. - 4733: groupMgmtEvts.Run, - // 4734 - A security-enabled local group was deleted. - 4734: groupMgmtEvts.Run, - // 4735 - A security-enabled local group was changed. - 4735: groupMgmtEvts.Run, - // 4737 - A security-enabled global group was changed. - 4737: groupMgmtEvts.Run, - // 4738 - An user account was changed. - 4738: userMgmtEvts.Run, - // 4740 - An account was locked out - 4740: userMgmtEvts.Run, - // 4741 - A computer account was created. - 4741: computerMgmtEvts.Run, - // 4742 - A computer account was changed. - 4742: computerMgmtEvts.Run, - // 4743 - A computer account was deleted. - 4743: computerMgmtEvts.Run, - // 4744 - A security-disabled local group was created. - 4744: groupMgmtEvts.Run, - // 4745 - A security-disabled local group was changed. 
- 4745: groupMgmtEvts.Run, - // 4746 - A member was added to a security-disabled local group. - 4746: groupMgmtEvts.Run, - // 4747 - A member was removed from a security-disabled local group. - 4747: groupMgmtEvts.Run, - // 4748 - A security-disabled local group was deleted. - 4748: groupMgmtEvts.Run, - // 4749 - A security-disabled global group was created. - 4749: groupMgmtEvts.Run, - // 4750 - A security-disabled global group was changed. - 4750: groupMgmtEvts.Run, - // 4751 - A member was added to a security-disabled global group. - 4751: groupMgmtEvts.Run, - // 4752 - A member was removed from a security-disabled global group. - 4752: groupMgmtEvts.Run, - // 4753 - A security-disabled global group was deleted. - 4753: groupMgmtEvts.Run, - // 4754 - A security-enabled universal group was created. - 4754: groupMgmtEvts.Run, - // 4755 - A security-enabled universal group was changed. - 4755: groupMgmtEvts.Run, - // 4756 - A member was added to a security-enabled universal group. - 4756: groupMgmtEvts.Run, - // 4757 - A member was removed from a security-enabled universal group. - 4757: groupMgmtEvts.Run, - // 4758 - A security-enabled universal group was deleted. - 4758: groupMgmtEvts.Run, - // 4759 - A security-disabled universal group was created. - 4759: groupMgmtEvts.Run, - // 4760 - A security-disabled universal group was changed. - 4760: groupMgmtEvts.Run, - // 4761 - A member was added to a security-disabled universal group. - 4761: groupMgmtEvts.Run, - // 4762 - A member was removed from a security-disabled universal group. - 4762: groupMgmtEvts.Run, - // 4763 - A security-disabled global group was deleted. - 4763: groupMgmtEvts.Run, - // 4764 - A group\'s type was changed. - 4764: groupMgmtEvts.Run, - // 4767 - A user account was unlocked. - 4767: userMgmtEvts.Run, - // 4768 - A Kerberos authentication ticket TGT was requested. - 4768: kerberosTktEvts.Run, - // 4769 - A Kerberos service ticket was requested. 
- 4769: kerberosTktEvts.Run, - // 4770 - A Kerberos service ticket was renewed. - 4770: kerberosTktEvts.Run, - // 4771 - Kerberos pre-authentication failed. - 4771: kerberosTktEvts.Run, - // 4776 - The computer attempted to validate the credentials for an account. - 4776: event4776.Run, - // 4778 - A session was reconnected to a Window Station. - 4778: sessionEvts.Run, - // 4779 - A session was disconnected from a Window Station. - 4779: sessionEvts.Run, - // 4781 - The name of an account was changed. - 4781: userRenamed.Run, - // 4798 - A user's local group membership was enumerated. - 4798: userMgmtEvts.Run, - // 4799 - A security-enabled local group membership was enumerated. - 4799: groupMgmtEvts.Run, - // 4964 - Special groups have been assigned to a new logon. - 4964: event4964.Run, - process: function(evt) { - var eventId = evt.Get("winlog.event_id"); - var processor = this[eventId]; - if (processor === undefined) { - return; - } - evt.Put("event.module", "security"); - processor(evt); - }, - }; - })(); - function process(evt) { - return security.process(evt); - } \ No newline at end of file diff --git a/packages/system/0.10.5/data_stream/security/elasticsearch/ingest_pipeline/default.yml b/packages/system/0.10.5/data_stream/security/elasticsearch/ingest_pipeline/default.yml deleted file mode 100644 index 4b6fecee0d..0000000000 --- a/packages/system/0.10.5/data_stream/security/elasticsearch/ingest_pipeline/default.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -description: Pipeline for Windows Security Event Logs -processors: - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' -on_failure: - - set: - field: "error.message" - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/system/0.10.5/data_stream/security/fields/agent.yml b/packages/system/0.10.5/data_stream/security/fields/agent.yml deleted file mode 100644 index da4e652c53..0000000000 --- a/packages/system/0.10.5/data_stream/security/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.10.5/data_stream/security/fields/base-fields.yml b/packages/system/0.10.5/data_stream/security/fields/base-fields.yml deleted file mode 100644 index a9a65458fc..0000000000 --- a/packages/system/0.10.5/data_stream/security/fields/base-fields.yml +++ /dev/null @@ -1,21 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset name. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: dataset.type - type: constant_keyword - description: Dataset type. -- name: dataset.name - type: constant_keyword - description: Dataset name. -- name: dataset.namespace - type: constant_keyword - description: Dataset namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.10.5/data_stream/security/fields/ecs.yml b/packages/system/0.10.5/data_stream/security/fields/ecs.yml deleted file mode 100644 index ccf9959fcb..0000000000 --- a/packages/system/0.10.5/data_stream/security/fields/ecs.yml +++ /dev/null 
@@ -1,147 +0,0 @@ -- description: Error message. - name: error.message - type: text -- description: The action captured by the event. - example: user-password-change - ignore_above: 1024 - name: event.action - type: keyword -- description: Event category. The second categorization field in the hierarchy. - example: authentication - ignore_above: 1024 - name: event.category - type: keyword -- description: Identification code for this event. - example: 4648 - ignore_above: 1024 - name: event.code - type: keyword -- description: Time when the event was first read by an agent or by your pipeline. - example: '2016-05-23T08:05:34.857Z' - name: event.created - type: date -- description: Timestamp when an event arrived in the central data store. - example: '2016-05-23T08:05:35.101Z' - name: event.ingested - type: date -- description: Name of the module this data is coming from. - example: apache - ignore_above: 1024 - name: event.module - type: keyword -- description: Event type. The third categorization field in the hierarchy. - ignore_above: 1024 - name: event.type - type: keyword -- description: Name of the directory the group is a member of. - ignore_above: 1024 - name: group.domain - type: keyword -- description: Unique identifier for the group on the system/platform. - ignore_above: 1024 - name: group.id - type: keyword -- description: Name of the group. - ignore_above: 1024 - name: group.name - type: keyword -- description: Full command line that started the process. - example: /usr/bin/ssh -l user 10.0.0.16 - ignore_above: 1024 - multi_fields: - - flat_name: process.command_line.text - name: text - norms: false - type: text - name: process.command_line - type: keyword -- description: Absolute path to the process executable. - example: /usr/bin/ssh - ignore_above: 1024 - multi_fields: - - flat_name: process.executable.text - name: text - norms: false - type: text - name: process.executable - type: keyword -- description: Process name. 
- example: ssh - ignore_above: 1024 - multi_fields: - - flat_name: process.name.text - name: text - norms: false - type: text - name: process.name - type: keyword -- description: Absolute path to the process executable. - example: /usr/bin/ssh - ignore_above: 1024 - multi_fields: - - flat_name: process.parent.executable.text - name: text - norms: false - type: text - name: process.parent.executable - type: keyword -- description: Process id. - example: 4242 - name: process.pid - type: long -- description: All the user names seen on your event. - ignore_above: 1024 - name: related.user - type: keyword -- description: Name of the service. - example: elasticsearch-metrics - ignore_above: 1024 - name: service.name - type: keyword -- description: The type of the service. - example: elasticsearch - ignore_above: 1024 - name: service.type - type: keyword -- description: Source domain. - ignore_above: 1024 - name: source.domain - type: keyword -- description: IP address of the source. - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: Name of the directory the user is a member of. - ignore_above: 1024 - name: user.domain - type: keyword -- description: Unique identifier of the user. - ignore_above: 1024 - name: user.id - type: keyword -- description: Short name or login of the user. - example: albert - ignore_above: 1024 - multi_fields: - - flat_name: user.name.text - name: text - norms: false - type: text - name: user.name - type: keyword -- description: Identification code for this event. - example: 4648 - ignore_above: 1024 - name: event.code - type: keyword -- description: Log level of the log event. - name: log.level - type: keyword -- description: Host ip addresses. - name: host.ip - type: ip -- description: The outcome of the event. The lowest level categorization field in the hierarchy. - name: event.outcome - type: keyword 
diff --git a/packages/system/0.10.5/data_stream/security/fields/fields.yml b/packages/system/0.10.5/data_stream/security/fields/fields.yml deleted file mode 100644 index b8c2eedfc2..0000000000 --- a/packages/system/0.10.5/data_stream/security/fields/fields.yml +++ /dev/null @@ -1,26 +0,0 @@ -- name: winlog - type: group - fields: - - name: logon - type: group - fields: - - name: type - type: keyword - description: | - Logon type name. This is the descriptive version of the `winlog.event_data.LogonType` ordinal. This is an enrichment added by the Security module. - - name: id - type: keyword - description: | - Logon ID that can be used to associate this logon with other events related to the same logon session. - - name: failure.reason - type: keyword - description: | - The reason the logon failed. - - name: failure.status - type: keyword - description: | - The reason the logon failed. This is textual description based on the value of the hexadecimal `Status` field. - - name: failure.sub_status - type: keyword - description: | - Additional information about the logon failure. This is a textual description based on the value of the hexidecimal `SubStatus` field. diff --git a/packages/system/0.10.5/data_stream/security/fields/winlog.yml b/packages/system/0.10.5/data_stream/security/fields/winlog.yml deleted file mode 100644 index 1661dec6f1..0000000000 --- a/packages/system/0.10.5/data_stream/security/fields/winlog.yml +++ /dev/null 
@@ -1,365 +0,0 @@ -- name: winlog - type: group - description: > - All fields specific to the Windows Event Log are defined here. - - fields: - - name: api - required: true - type: keyword - description: > - The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. - - The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. - - - name: activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. - - - name: computer_name - type: keyword - required: true - description: > - The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. - - - name: event_data - type: object - object_type: keyword - required: false - description: > - The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. - - - name: event_data - type: group - description: > - This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs. 
- - fields: - - name: AuthenticationPackageName - type: keyword - - name: Binary - type: keyword - - name: BitlockerUserInputTime - type: keyword - - name: BootMode - type: keyword - - name: BootType - type: keyword - - name: BuildVersion - type: keyword - - name: Company - type: keyword - - name: CorruptionActionState - type: keyword - - name: CreationUtcTime - type: keyword - - name: Description - type: keyword - - name: Detail - type: keyword - - name: DeviceName - type: keyword - - name: DeviceNameLength - type: keyword - - name: DeviceTime - type: keyword - - name: DeviceVersionMajor - type: keyword - - name: DeviceVersionMinor - type: keyword - - name: DriveName - type: keyword - - name: DriverName - type: keyword - - name: DriverNameLength - type: keyword - - name: DwordVal - type: keyword - - name: EntryCount - type: keyword - - name: ExtraInfo - type: keyword - - name: FailureName - type: keyword - - name: FailureNameLength - type: keyword - - name: FileVersion - type: keyword - - name: FinalStatus - type: keyword - - name: Group - type: keyword - - name: IdleImplementation - type: keyword - - name: IdleStateCount - type: keyword - - name: ImpersonationLevel - type: keyword - - name: IntegrityLevel - type: keyword - - name: IpAddress - type: keyword - - name: IpPort - type: keyword - - name: KeyLength - type: keyword - - name: LastBootGood - type: keyword - - name: LastShutdownGood - type: keyword - - name: LmPackageName - type: keyword - - name: LogonGuid - type: keyword - - name: LogonId - type: keyword - - name: LogonProcessName - type: keyword - - name: LogonType - type: keyword - - name: MajorVersion - type: keyword - - name: MaximumPerformancePercent - type: keyword - - name: MemberName - type: keyword - - name: MemberSid - type: keyword - - name: MinimumPerformancePercent - type: keyword - - name: MinimumThrottlePercent - type: keyword - - name: MinorVersion - type: keyword - - name: NewProcessId - type: keyword - - name: NewProcessName - type: 
keyword - - name: NewSchemeGuid - type: keyword - - name: NewTime - type: keyword - - name: NominalFrequency - type: keyword - - name: Number - type: keyword - - name: OldSchemeGuid - type: keyword - - name: OldTime - type: keyword - - name: OriginalFileName - type: keyword - - name: Path - type: keyword - - name: PerformanceImplementation - type: keyword - - name: PreviousCreationUtcTime - type: keyword - - name: PreviousTime - type: keyword - - name: PrivilegeList - type: keyword - - name: ProcessId - type: keyword - - name: ProcessName - type: keyword - - name: ProcessPath - type: keyword - - name: ProcessPid - type: keyword - - name: Product - type: keyword - - name: PuaCount - type: keyword - - name: PuaPolicyId - type: keyword - - name: QfeVersion - type: keyword - - name: Reason - type: keyword - - name: SchemaVersion - type: keyword - - name: ScriptBlockText - type: keyword - - name: ServiceName - type: keyword - - name: ServiceVersion - type: keyword - - name: ShutdownActionType - type: keyword - - name: ShutdownEventCode - type: keyword - - name: ShutdownReason - type: keyword - - name: Signature - type: keyword - - name: SignatureStatus - type: keyword - - name: Signed - type: keyword - - name: StartTime - type: keyword - - name: State - type: keyword - - name: Status - type: keyword - - name: StopTime - type: keyword - - name: SubjectDomainName - type: keyword - - name: SubjectLogonId - type: keyword - - name: SubjectUserName - type: keyword - - name: SubjectUserSid - type: keyword - - name: TSId - type: keyword - - name: TargetDomainName - type: keyword - - name: TargetInfo - type: keyword - - name: TargetLogonGuid - type: keyword - - name: TargetLogonId - type: keyword - - name: TargetServerName - type: keyword - - name: TargetUserName - type: keyword - - name: NewTargetUserName - type: keyword - - name: OldTargetUserName - type: keyword - - name: TargetUserSid - type: keyword - - name: TerminalSessionId - type: keyword - - name: TokenElevationType - 
type: keyword - - name: TransmittedServices - type: keyword - - name: UserSid - type: keyword - - name: Version - type: keyword - - name: Workstation - type: keyword - - name: param1 - type: keyword - - name: param2 - type: keyword - - name: param3 - type: keyword - - name: param4 - type: keyword - - name: param5 - type: keyword - - name: param6 - type: keyword - - name: param7 - type: keyword - - name: param8 - type: keyword - - name: event_id - type: keyword - required: true - description: > - The event identifier. The value is specific to the source of the event. - - - name: keywords - type: keyword - required: false - description: > - The keywords are used to classify an event. - - - name: channel - type: keyword - required: true - description: > - The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. - - - name: record_id - type: keyword - required: true - description: > - The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. - - - name: related_activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. - - - name: opcode - type: keyword - required: false - description: > - The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. - - - name: provider_guid - type: keyword - required: false - description: > - A globally unique identifier that identifies the provider that logged the event. 
- - - name: process.pid - type: long - required: false - description: > - The process_id of the Client Server Runtime Process. - - - name: provider_name - type: keyword - required: true - description: > - The source of the event log record (the application or service that logged the record). - - - name: task - type: keyword - required: false - description: > - The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. - - - name: process.thread.id - type: long - required: false - - name: user_data - type: object - object_type: keyword - required: false - description: > - The event specific data. This field is mutually exclusive with `event_data`. - - - name: user.identifier - type: keyword - required: false - example: S-1-5-21-3541430928-2051711210-1391384369-1001 - description: > - The Windows security identifier (SID) of the account associated with this event. - - If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. - - - name: user.name - type: keyword - description: > - Name of the user associated with this event. - - - name: user.domain - type: keyword - required: false - description: > - The domain that the account associated with this event is a member of. - - - name: user.type - type: keyword - required: false - description: > - The type of account associated with this event. - - - name: version - type: long - required: false - description: The version number of the event's definition. diff --git a/packages/system/0.10.5/data_stream/security/manifest.yml b/packages/system/0.10.5/data_stream/security/manifest.yml deleted file mode 100644 index a0f8b8b08e..0000000000 
--- a/packages/system/0.10.5/data_stream/security/manifest.yml +++ /dev/null @@ -1,8 +0,0 @@ -type: logs -title: Windows security logs -release: experimental -streams: - - input: winlog - template_path: winlog.yml.hbs - title: Security - description: 'Collect Windows security logs' diff --git a/packages/system/0.10.5/data_stream/socket_summary/agent/stream/stream.yml.hbs b/packages/system/0.10.5/data_stream/socket_summary/agent/stream/stream.yml.hbs deleted file mode 100644 index bbc8e63f4a..0000000000 --- a/packages/system/0.10.5/data_stream/socket_summary/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,2 +0,0 @@ -metricsets: ["socket_summary"] -period: {{period}} \ No newline at end of file diff --git a/packages/system/0.10.5/data_stream/socket_summary/fields/agent.yml b/packages/system/0.10.5/data_stream/socket_summary/fields/agent.yml deleted file mode 100644 index da4e652c53..0000000000 --- a/packages/system/0.10.5/data_stream/socket_summary/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.10.5/data_stream/socket_summary/fields/base-fields.yml b/packages/system/0.10.5/data_stream/socket_summary/fields/base-fields.yml deleted file mode 100644 index 7c798f4534..0000000000 --- a/packages/system/0.10.5/data_stream/socket_summary/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.10.5/data_stream/socket_summary/fields/ecs.yml b/packages/system/0.10.5/data_stream/socket_summary/fields/ecs.yml deleted file mode 100644 index 9f3d04118b..0000000000 --- a/packages/system/0.10.5/data_stream/socket_summary/fields/ecs.yml +++ /dev/null 
@@ -1,128 +0,0 @@ -- name: '@timestamp' - level: core - required: true - type: date - description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. -- name: message - level: core - type: text - description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. -- name: group - title: Group - group: 2 - type: group - fields: - - name: id - level: extended - type: keyword - description: Unique identifier for the group on the system/platform. - ignore_above: 1024 - - name: name - level: extended - type: keyword - description: Name of the group. - ignore_above: 1024 -- name: host - title: Host - group: 2 - type: group - fields: - - name: hostname - level: core - type: keyword - description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - ignore_above: 1024 -- name: process - title: Process - group: 2 - type: group - fields: - - name: name - level: extended - type: keyword - description: |- - Process name. - Sometimes called program name or similar. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - - name: pid - level: core - type: long - format: string - description: Process id. -- name: source - title: Source - group: 2 - type: group - fields: - - name: geo.city_name - level: core - type: keyword - description: City name. 
- ignore_above: 1024 - - name: geo.continent_name - level: core - type: keyword - description: Name of the continent. - ignore_above: 1024 - - name: geo.country_iso_code - level: core - type: keyword - description: Country ISO code. - ignore_above: 1024 - - name: geo.location - level: core - type: geo_point - description: Longitude and latitude. - - name: geo.region_iso_code - level: core - type: keyword - description: Region ISO code. - ignore_above: 1024 - - name: geo.region_name - level: core - type: keyword - description: Region name. - ignore_above: 1024 - - name: ip - level: core - type: ip - description: IP address of the source (IPv4 or IPv6). - - name: port - level: core - type: long - format: string - description: Port of the source. -- name: user - title: User - group: 2 - type: group - fields: - - name: id - level: core - type: keyword - description: Unique identifier of the user. - ignore_above: 1024 - - name: name - level: core - type: keyword - description: Short name or login of the user. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false diff --git a/packages/system/0.10.5/data_stream/socket_summary/fields/fields.yml b/packages/system/0.10.5/data_stream/socket_summary/fields/fields.yml deleted file mode 100644 index fca58be0c8..0000000000 --- a/packages/system/0.10.5/data_stream/socket_summary/fields/fields.yml +++ /dev/null 
@@ -1,106 +0,0 @@ -- name: system.socket.summary - title: Socket summary - type: group - fields: - - name: all - type: group - fields: - - name: count - type: integer - metric_type: gauge - description: | - All open connections - - name: listening - type: integer - metric_type: gauge - description: | - All listening ports - - name: tcp - type: group - fields: - - name: memory - type: integer - format: bytes - unit: byte - metric_type: gauge - description: "Memory used by TCP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/tcp_mem. Only available on Linux. \n" - - name: all - type: group - fields: - - name: orphan - type: integer - metric_type: gauge - description: | - A count of all orphaned tcp sockets. Only available on Linux. - - name: count - type: integer - metric_type: gauge - description: | - All open TCP connections - - name: listening - type: integer - metric_type: gauge - description: | - All TCP listening ports - - name: established - type: integer - metric_type: gauge - description: | - Number of established TCP connections - - name: close_wait - type: integer - metric_type: gauge - description: | - Number of TCP connections in _close_wait_ state - - name: time_wait - type: integer - metric_type: gauge - description: | - Number of TCP connections in _time_wait_ state - - name: syn_sent - type: integer - metric_type: gauge - description: | - Number of TCP connections in _syn_sent_ state - - name: syn_recv - type: integer - metric_type: gauge - description: | - Number of TCP connections in _syn_recv_ state - - name: fin_wait1 - type: integer - metric_type: gauge - description: | - Number of TCP connections in _fin_wait1_ state - - name: fin_wait2 - type: integer - metric_type: gauge - description: | - Number of TCP connections in _fin_wait2_ state - - name: last_ack - type: integer - metric_type: gauge - description: | - Number of TCP connections in _last_ack_ state - - name: 
closing - type: integer - metric_type: gauge - description: | - Number of TCP connections in _closing_ state - - name: udp - type: group - fields: - - name: memory - type: integer - format: bytes - unit: byte - metric_type: gauge - description: "Memory used by UDP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/udp_mem. Only available on Linux. \n" - - name: all - type: group - fields: - - name: count - type: integer - metric_type: gauge - description: | - All open UDP connections diff --git a/packages/system/0.10.5/data_stream/socket_summary/manifest.yml b/packages/system/0.10.5/data_stream/socket_summary/manifest.yml deleted file mode 100644 index 119109fe70..0000000000 --- a/packages/system/0.10.5/data_stream/socket_summary/manifest.yml +++ /dev/null @@ -1,15 +0,0 @@ -title: System socket_summary metrics -release: experimental -type: metrics -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - title: System socket_summary metrics - description: Collect System socket_summary metrics diff --git a/packages/system/0.10.5/data_stream/syslog/agent/stream/log.yml.hbs b/packages/system/0.10.5/data_stream/syslog/agent/stream/log.yml.hbs deleted file mode 100644 index 58c96859c0..0000000000 --- a/packages/system/0.10.5/data_stream/syslog/agent/stream/log.yml.hbs +++ /dev/null @@ -1,14 +0,0 @@ -paths: -{{#each paths as |path i|}} - - {{path}} -{{/each}} -exclude_files: [".gz$"] -multiline: - pattern: "^\\s" - match: after -processors: - - add_locale: ~ - - add_fields: - target: '' - fields: - ecs.version: 1.5.0 \ No newline at end of file diff --git a/packages/system/0.10.5/data_stream/syslog/elasticsearch/ingest_pipeline/default.json b/packages/system/0.10.5/data_stream/syslog/elasticsearch/ingest_pipeline/default.json deleted file mode 100644 index 0c614b8a95..0000000000 
--- a/packages/system/0.10.5/data_stream/syslog/elasticsearch/ingest_pipeline/default.json +++ /dev/null @@ -1,71 +0,0 @@ -{ - "description": "Pipeline for parsing Syslog messages.", - "processors": [ - { - "grok": { - "field": "message", - "patterns": [ - "%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: %{GREEDYMULTILINE:system.syslog.message}", - "%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{GREEDYMULTILINE:system.syslog.message}", - "%{TIMESTAMP_ISO8601:system.syslog.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: %{GREEDYMULTILINE:system.syslog.message}" - ], - "pattern_definitions" : { - "GREEDYMULTILINE" : "(.|\n)*" - }, - "ignore_missing": true - } - }, - { - "remove": { - "field": "message" - } - }, - { - "rename": { - "field": "system.syslog.message", - "target_field": "message", - "ignore_missing": true - } - }, - { - "date": { - "if": "ctx.event.timezone == null", - "field": "system.syslog.timestamp", - "target_field": "@timestamp", - "formats": [ - "MMM d HH:mm:ss", - "MMM dd HH:mm:ss", - "MMM d HH:mm:ss", - "ISO8601" - ], - "on_failure": [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] - } - }, - { - "date": { - "if": "ctx.event.timezone != null", - "field": "system.syslog.timestamp", - "target_field": "@timestamp", - "formats": [ - "MMM d HH:mm:ss", - "MMM dd HH:mm:ss", - "MMM d HH:mm:ss", - "ISO8601" - ], - "timezone": "{{ event.timezone }}", - "on_failure": [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] - } - }, - { - "remove": { - "field": "system.syslog.timestamp" - } - } - ], - "on_failure" : [{ - "set" : { - "field" : "error.message", - "value" : "{{ _ingest.on_failure_message }}" - } - }] -} 
diff --git a/packages/system/0.10.5/data_stream/syslog/elasticsearch/ingest_pipeline/default.yml b/packages/system/0.10.5/data_stream/syslog/elasticsearch/ingest_pipeline/default.yml deleted file mode 100644 index 0385fc138f..0000000000 --- a/packages/system/0.10.5/data_stream/syslog/elasticsearch/ingest_pipeline/default.yml +++ /dev/null @@ -1,58 +0,0 @@ ---- -description: Pipeline for parsing Syslog messages. -processors: -- grok: - field: message - patterns: - - '%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - %{GREEDYMULTILINE:system.syslog.message}' - - '%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{GREEDYMULTILINE:system.syslog.message}' - - '%{TIMESTAMP_ISO8601:system.syslog.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - %{GREEDYMULTILINE:system.syslog.message}' - pattern_definitions: - GREEDYMULTILINE: |- - (.| - )* - ignore_missing: true -- remove: - field: message -- rename: - field: system.syslog.message - target_field: message - ignore_missing: true -- date: - if: ctx.event.timezone == null - field: system.syslog.timestamp - target_field: '@timestamp' - formats: - - MMM d HH:mm:ss - - MMM dd HH:mm:ss - - MMM d HH:mm:ss - - ISO8601 - on_failure: - - append: - field: error.message - value: '{{ _ingest.on_failure_message }}' -- date: - if: ctx.event.timezone != null - field: system.syslog.timestamp - target_field: '@timestamp' - formats: - - MMM d HH:mm:ss - - MMM dd HH:mm:ss - - MMM d HH:mm:ss - - ISO8601 - timezone: '{{ event.timezone }}' - on_failure: - - append: - field: error.message - value: '{{ _ingest.on_failure_message }}' -- remove: - field: system.syslog.timestamp -- set: - field: event.type - value: event -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' 
diff --git a/packages/system/0.10.5/data_stream/syslog/fields/agent.yml b/packages/system/0.10.5/data_stream/syslog/fields/agent.yml deleted file mode 100644 index da4e652c53..0000000000 --- a/packages/system/0.10.5/data_stream/syslog/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.10.5/data_stream/syslog/fields/base-fields.yml b/packages/system/0.10.5/data_stream/syslog/fields/base-fields.yml deleted file mode 100644 index 7c798f4534..0000000000 --- a/packages/system/0.10.5/data_stream/syslog/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.10.5/data_stream/syslog/fields/ecs.yml b/packages/system/0.10.5/data_stream/syslog/fields/ecs.yml deleted file mode 100644 index 6177e5856f..0000000000 --- a/packages/system/0.10.5/data_stream/syslog/fields/ecs.yml +++ /dev/null 
@@ -1,97 +0,0 @@ -- name: '@timestamp' - level: core - required: true - type: date - description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. -- name: message - level: core - type: text - description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. -- name: process - title: Process - group: 2 - type: group - fields: - - name: name - level: extended - type: keyword - description: |- - Process name. - Sometimes called program name or similar. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - - name: pid - level: core - type: long - format: string - description: Process id. -- description: "Operating system architecture." - ignore_above: 1024 - name: host.architecture - type: keyword -- description: "Name of the directory the group is a member of." - ignore_above: 1024 - name: host.domain - type: keyword -- description: "Hostname of the host." - ignore_above: 1024 - name: host.hostname - type: keyword -- description: "Unique host id." - ignore_above: 1024 - name: host.id - type: keyword -- description: "Host ip addresses." - name: host.ip - type: ip -- description: "Host mac addresses." - ignore_above: 1024 - name: host.mac - type: keyword -- description: "Name of the host." - ignore_above: 1024 - name: host.name - type: keyword -- description: "OS family (such as redhat, debian, freebsd, windows)." 
- ignore_above: 1024 - name: host.os.family - type: keyword -- description: "Operating system name, including the version or code name." - ignore_above: 1024 - multi_fields: - - name: text - norms: false - type: text - name: host.os.full - type: keyword -- description: "Operating system kernel version as a raw string." - ignore_above: 1024 - name: host.os.kernel - type: keyword -- description: "Operating system name, without the version." - ignore_above: 1024 - multi_fields: - - name: text - norms: false - type: text - name: host.os.name - type: keyword -- description: "Operating system platform (such centos, ubuntu, windows)." - ignore_above: 1024 - name: host.os.platform - type: keyword -- description: "Operating system version as a raw string." - ignore_above: 1024 - name: version - type: keyword diff --git a/packages/system/0.10.5/data_stream/syslog/fields/fields.yml b/packages/system/0.10.5/data_stream/syslog/fields/fields.yml deleted file mode 100644 index f933686930..0000000000 --- a/packages/system/0.10.5/data_stream/syslog/fields/fields.yml +++ /dev/null @@ -1,2 +0,0 @@ -- name: system.syslog - type: group diff --git a/packages/system/0.10.5/data_stream/syslog/manifest.yml b/packages/system/0.10.5/data_stream/syslog/manifest.yml deleted file mode 100644 index 1aa1fe9412..0000000000 --- a/packages/system/0.10.5/data_stream/syslog/manifest.yml +++ /dev/null @@ -1,18 +0,0 @@ -title: System syslog logs -release: experimental -type: logs -streams: - - input: logfile - vars: - - name: paths - type: text - title: Paths - multi: true - required: true - show_user: true - default: - - /var/log/messages* - - /var/log/syslog* - template_path: log.yml.hbs - title: System syslog logs (log) - description: Collect System syslog logs using log input diff --git a/packages/system/0.10.5/data_stream/system/agent/stream/winlog.yml.hbs b/packages/system/0.10.5/data_stream/system/agent/stream/winlog.yml.hbs deleted file mode 100644 index 47df93c51d..0000000000 
--- a/packages/system/0.10.5/data_stream/system/agent/stream/winlog.yml.hbs +++ /dev/null @@ -1,2 +0,0 @@ -name: System -condition: ${host.platform} == 'windows' \ No newline at end of file diff --git a/packages/system/0.10.5/data_stream/system/elasticsearch/ingest_pipeline/default.yml b/packages/system/0.10.5/data_stream/system/elasticsearch/ingest_pipeline/default.yml deleted file mode 100644 index 9f7e885a2f..0000000000 --- a/packages/system/0.10.5/data_stream/system/elasticsearch/ingest_pipeline/default.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -description: Pipeline for Windows System Event Logs -processors: - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' -on_failure: - - set: - field: "error.message" - value: "{{ _ingest.on_failure_message }}" \ No newline at end of file diff --git a/packages/system/0.10.5/data_stream/system/fields/agent.yml b/packages/system/0.10.5/data_stream/system/fields/agent.yml deleted file mode 100644 index da4e652c53..0000000000 --- a/packages/system/0.10.5/data_stream/system/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.10.5/data_stream/system/fields/base-fields.yml b/packages/system/0.10.5/data_stream/system/fields/base-fields.yml deleted file mode 100644 index 7c798f4534..0000000000 --- a/packages/system/0.10.5/data_stream/system/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.10.5/data_stream/system/fields/ecs.yml b/packages/system/0.10.5/data_stream/system/fields/ecs.yml deleted file mode 100644 index e1817f5ca6..0000000000 --- a/packages/system/0.10.5/data_stream/system/fields/ecs.yml +++ /dev/null @@ -1,16 +0,0 @@ -- description: Time when the event was first read by an agent or by your pipeline. - example: '2016-05-23T08:05:34.857Z' - name: event.created - type: date -- description: Timestamp when an event arrived in the central data store. - example: '2016-05-23T08:05:35.101Z' - name: event.ingested - type: date -- description: Raw text message of entire event. - example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 - ignore_above: 1024 - name: event.original - type: keyword -- description: Error message. - name: error.message - type: text diff --git a/packages/system/0.10.5/data_stream/system/fields/winlog.yml b/packages/system/0.10.5/data_stream/system/fields/winlog.yml deleted file mode 100644 index adca1bbdd0..0000000000 --- a/packages/system/0.10.5/data_stream/system/fields/winlog.yml +++ /dev/null 
@@ -1,357 +0,0 @@ -- name: winlog - type: group - description: > - All fields specific to the Windows Event Log are defined here. - - fields: - - name: api - required: true - type: keyword - description: > - The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. - - - name: activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. - - - name: computer_name - type: keyword - required: true - description: > - The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. - - - name: event_data - type: object - object_type: keyword - required: false - description: > - The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. - - - name: event_data - type: group - description: > - This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs. 
- - fields: - - name: AuthenticationPackageName - type: keyword - - name: Binary - type: keyword - - name: BitlockerUserInputTime - type: keyword - - name: BootMode - type: keyword - - name: BootType - type: keyword - - name: BuildVersion - type: keyword - - name: Company - type: keyword - - name: CorruptionActionState - type: keyword - - name: CreationUtcTime - type: keyword - - name: Description - type: keyword - - name: Detail - type: keyword - - name: DeviceName - type: keyword - - name: DeviceNameLength - type: keyword - - name: DeviceTime - type: keyword - - name: DeviceVersionMajor - type: keyword - - name: DeviceVersionMinor - type: keyword - - name: DriveName - type: keyword - - name: DriverName - type: keyword - - name: DriverNameLength - type: keyword - - name: DwordVal - type: keyword - - name: EntryCount - type: keyword - - name: ExtraInfo - type: keyword - - name: FailureName - type: keyword - - name: FailureNameLength - type: keyword - - name: FileVersion - type: keyword - - name: FinalStatus - type: keyword - - name: Group - type: keyword - - name: IdleImplementation - type: keyword - - name: IdleStateCount - type: keyword - - name: ImpersonationLevel - type: keyword - - name: IntegrityLevel - type: keyword - - name: IpAddress - type: keyword - - name: IpPort - type: keyword - - name: KeyLength - type: keyword - - name: LastBootGood - type: keyword - - name: LastShutdownGood - type: keyword - - name: LmPackageName - type: keyword - - name: LogonGuid - type: keyword - - name: LogonId - type: keyword - - name: LogonProcessName - type: keyword - - name: LogonType - type: keyword - - name: MajorVersion - type: keyword - - name: MaximumPerformancePercent - type: keyword - - name: MemberName - type: keyword - - name: MemberSid - type: keyword - - name: MinimumPerformancePercent - type: keyword - - name: MinimumThrottlePercent - type: keyword - - name: MinorVersion - type: keyword - - name: NewProcessId - type: keyword - - name: NewProcessName - type: 
keyword - - name: NewSchemeGuid - type: keyword - - name: NewTime - type: keyword - - name: NominalFrequency - type: keyword - - name: Number - type: keyword - - name: OldSchemeGuid - type: keyword - - name: OldTime - type: keyword - - name: OriginalFileName - type: keyword - - name: Path - type: keyword - - name: PerformanceImplementation - type: keyword - - name: PreviousCreationUtcTime - type: keyword - - name: PreviousTime - type: keyword - - name: PrivilegeList - type: keyword - - name: ProcessId - type: keyword - - name: ProcessName - type: keyword - - name: ProcessPath - type: keyword - - name: ProcessPid - type: keyword - - name: Product - type: keyword - - name: PuaCount - type: keyword - - name: PuaPolicyId - type: keyword - - name: QfeVersion - type: keyword - - name: Reason - type: keyword - - name: SchemaVersion - type: keyword - - name: ScriptBlockText - type: keyword - - name: ServiceName - type: keyword - - name: ServiceVersion - type: keyword - - name: ShutdownActionType - type: keyword - - name: ShutdownEventCode - type: keyword - - name: ShutdownReason - type: keyword - - name: Signature - type: keyword - - name: SignatureStatus - type: keyword - - name: Signed - type: keyword - - name: StartTime - type: keyword - - name: State - type: keyword - - name: Status - type: keyword - - name: StopTime - type: keyword - - name: SubjectDomainName - type: keyword - - name: SubjectLogonId - type: keyword - - name: SubjectUserName - type: keyword - - name: SubjectUserSid - type: keyword - - name: TSId - type: keyword - - name: TargetDomainName - type: keyword - - name: TargetInfo - type: keyword - - name: TargetLogonGuid - type: keyword - - name: TargetLogonId - type: keyword - - name: TargetServerName - type: keyword - - name: TargetUserName - type: keyword - - name: TargetUserSid - type: keyword - - name: TerminalSessionId - type: keyword - - name: TokenElevationType - type: keyword - - name: TransmittedServices - type: keyword - - name: UserSid - type: 
keyword - - name: Version - type: keyword - - name: Workstation - type: keyword - - name: param1 - type: keyword - - name: param2 - type: keyword - - name: param3 - type: keyword - - name: param4 - type: keyword - - name: param5 - type: keyword - - name: param6 - type: keyword - - name: param7 - type: keyword - - name: param8 - type: keyword - - name: event_id - type: keyword - required: true - description: > - The event identifier. The value is specific to the source of the event. - - - name: keywords - type: keyword - required: false - description: > - The keywords are used to classify an event. - - - name: channel - type: keyword - required: true - description: > - The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. - - - name: record_id - type: keyword - required: true - description: > - The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. - - - name: related_activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. - - - name: opcode - type: keyword - required: false - description: > - The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. - - - name: provider_guid - type: keyword - required: false - description: > - A globally unique identifier that identifies the provider that logged the event. - - - name: process.pid - type: long - required: false - description: > - The process_id of the Client Server Runtime Process. 
- - - name: provider_name - type: keyword - required: true - description: > - The source of the event log record (the application or service that logged the record). - - - name: task - type: keyword - required: false - description: > - The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. - - - name: process.thread.id - type: long - required: false - - name: user_data - type: object - object_type: keyword - required: false - description: > - The event specific data. This field is mutually exclusive with `event_data`. - - - name: user.identifier - type: keyword - required: false - example: S-1-5-21-3541430928-2051711210-1391384369-1001 - description: > - The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. - - - name: user.name - type: keyword - description: > - Name of the user associated with this event. - - - name: user.domain - type: keyword - required: false - description: > - The domain that the account associated with this event is a member of. - - - name: user.type - type: keyword - required: false - description: > - The type of account associated with this event. - - - name: version - type: long - required: false - description: The version number of the event's definition. diff --git a/packages/system/0.10.5/data_stream/system/manifest.yml b/packages/system/0.10.5/data_stream/system/manifest.yml deleted file mode 100644 index e9bec4fd1e..0000000000 --- a/packages/system/0.10.5/data_stream/system/manifest.yml +++ /dev/null 
@@ -1,8 +0,0 @@ -type: logs -title: Windows System Events -release: experimental -streams: - - input: winlog - template_path: winlog.yml.hbs - title: System - description: 'Collect Windows system logs' diff --git a/packages/system/0.10.5/data_stream/uptime/agent/stream/stream.yml.hbs b/packages/system/0.10.5/data_stream/uptime/agent/stream/stream.yml.hbs deleted file mode 100644 index 810f6a1f3e..0000000000 --- a/packages/system/0.10.5/data_stream/uptime/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,2 +0,0 @@ -metricsets: ["uptime"] -period: {{period}} \ No newline at end of file diff --git a/packages/system/0.10.5/data_stream/uptime/fields/agent.yml b/packages/system/0.10.5/data_stream/uptime/fields/agent.yml deleted file mode 100644 index da4e652c53..0000000000 --- a/packages/system/0.10.5/data_stream/uptime/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/system/0.10.5/data_stream/uptime/fields/base-fields.yml b/packages/system/0.10.5/data_stream/uptime/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.10.5/data_stream/uptime/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.10.5/data_stream/uptime/fields/fields.yml b/packages/system/0.10.5/data_stream/uptime/fields/fields.yml
deleted file mode 100644
index 7c61a13721..0000000000
--- a/packages/system/0.10.5/data_stream/uptime/fields/fields.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-- name: system.uptime
- type: group
- fields:
- - name: duration.ms
- type: long
- format: duration
- unit: ms
- metric_type: counter
- description: |
- The OS uptime in milliseconds.
diff --git a/packages/system/0.10.5/data_stream/uptime/manifest.yml b/packages/system/0.10.5/data_stream/uptime/manifest.yml
deleted file mode 100644
index d1fc1f1579..0000000000
--- a/packages/system/0.10.5/data_stream/uptime/manifest.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-title: System uptime metrics
-release: experimental
-type: metrics
-streams:
- - input: system/metrics
- vars:
- - name: period
- type: text
- title: Period
- multi: false
- required: true
- show_user: true
- default: 10s
- title: System uptime metrics
- description: Collect System uptime metrics
diff --git a/packages/system/0.10.5/docs/README.md b/packages/system/0.10.5/docs/README.md
deleted file mode 100644
index 088e7c9ce7..0000000000
--- a/packages/system/0.10.5/docs/README.md
+++ /dev/null
@@ -1,1500 +0,0 @@ -# System Integration - -The System integrations allows you to monitor your servers. Because the System integration -always applies to the local server, the `hosts` config option is not needed. - -The default datasets are `cpu`, `load`, `memory`, `network`, `process`, and -`process_summary`. If _all_ datasets are disabled -and the System module is still enabled, fleet uses the default datasets. - -Note that certain datasets may access `/proc` to gather process information, -and the resulting `ptrace_may_access()` call by the kernel to check for -permissions can be blocked by -[AppArmor and other LSM software](https://gitlab.com/apparmor/apparmor/wikis/TechnicalDoc_Proc_and_ptrace), even though the System module doesn't use `ptrace` directly. - -## Compatibility - -The System datasets collect different kinds of metric data, which may require dedicated permissions -to be fetched and which may vary across operating systems. - -## Metrics - -### Core - -The System `core` dataset provides usage statistics for each CPU core. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- OpenBSD -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. 
Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip address. | ip | -| host.mac | Host mac address. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. 
| keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. | keyword | -| system.core.id | CPU Core number. | keyword | -| system.core.idle.pct | The percentage of CPU time spent idle. | scaled_float | -| system.core.idle.ticks | The amount of CPU time spent idle. | long | -| system.core.iowait.pct | The percentage of CPU time spent in wait (on disk). | scaled_float | -| system.core.iowait.ticks | The amount of CPU time spent in wait (on disk). | long | -| system.core.irq.pct | The percentage of CPU time spent servicing and handling hardware interrupts. | scaled_float | -| system.core.irq.ticks | The amount of CPU time spent servicing and handling hardware interrupts. | long | -| system.core.nice.pct | The percentage of CPU time spent on low-priority processes. | scaled_float | -| system.core.nice.ticks | The amount of CPU time spent on low-priority processes. | long | -| system.core.softirq.pct | The percentage of CPU time spent servicing and handling software interrupts. | scaled_float | -| system.core.softirq.ticks | The amount of CPU time spent servicing and handling software interrupts. | long | -| system.core.steal.pct | The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | scaled_float | -| system.core.steal.ticks | The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | long | -| system.core.system.pct | The percentage of CPU time spent in kernel space. | scaled_float | -| system.core.system.ticks | The amount of CPU time spent in kernel space. | long | -| system.core.user.pct | The percentage of CPU time spent in user space. | scaled_float | -| system.core.user.ticks | The amount of CPU time spent in user space. 
| long | - - -### CPU - -The System `cpu` dataset provides CPU statistics. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- OpenBSD -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.cpu.pct | Percent CPU used. This value is normalized by the number of CPU cores and it ranges from 0 to 1. | scaled_float | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. 
For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| system.cpu.cores | The number of CPU cores present on the host. The non-normalized percentages will have a maximum value of `100% * cores`. The normalized percentages already take this value into account and have a maximum value of 100%. | long | -| system.cpu.idle.norm.pct | The percentage of CPU time spent idle. | scaled_float | -| system.cpu.idle.pct | The percentage of CPU time spent idle. | scaled_float | -| system.cpu.idle.ticks | The amount of CPU time spent idle. 
| long | -| system.cpu.iowait.norm.pct | The percentage of CPU time spent in wait (on disk). | scaled_float | -| system.cpu.iowait.pct | The percentage of CPU time spent in wait (on disk). | scaled_float | -| system.cpu.iowait.ticks | The amount of CPU time spent in wait (on disk). | long | -| system.cpu.irq.norm.pct | The percentage of CPU time spent servicing and handling hardware interrupts. | scaled_float | -| system.cpu.irq.pct | The percentage of CPU time spent servicing and handling hardware interrupts. | scaled_float | -| system.cpu.irq.ticks | The amount of CPU time spent servicing and handling hardware interrupts. | long | -| system.cpu.nice.norm.pct | The percentage of CPU time spent on low-priority processes. | scaled_float | -| system.cpu.nice.pct | The percentage of CPU time spent on low-priority processes. | scaled_float | -| system.cpu.nice.ticks | The amount of CPU time spent on low-priority processes. | long | -| system.cpu.softirq.norm.pct | The percentage of CPU time spent servicing and handling software interrupts. | scaled_float | -| system.cpu.softirq.pct | The percentage of CPU time spent servicing and handling software interrupts. | scaled_float | -| system.cpu.softirq.ticks | The amount of CPU time spent servicing and handling software interrupts. | long | -| system.cpu.steal.norm.pct | The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | scaled_float | -| system.cpu.steal.pct | The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | scaled_float | -| system.cpu.steal.ticks | The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | long | -| system.cpu.system.norm.pct | The percentage of CPU time spent in kernel space. 
| scaled_float | -| system.cpu.system.pct | The percentage of CPU time spent in kernel space. | scaled_float | -| system.cpu.system.ticks | The amount of CPU time spent in kernel space. | long | -| system.cpu.total.norm.pct | The percentage of CPU time in states other than Idle and IOWait, normalised by the number of cores. | scaled_float | -| system.cpu.total.pct | The percentage of CPU time spent in states other than Idle and IOWait. | scaled_float | -| system.cpu.user.norm.pct | The percentage of CPU time spent in user space. | scaled_float | -| system.cpu.user.pct | The percentage of CPU time spent in user space. On multi-core systems, you can have percentages that are greater than 100%. For example, if 3 cores are at 60% use, then the `system.cpu.user.pct` will be 180%. | scaled_float | -| system.cpu.user.ticks | The amount of CPU time spent in user space. | long | - - -### Disk IO - -The System `diskio` dataset provides disk IO metrics collected from the -operating system. One event is created for each disk mounted on the system. - -This dataset is available on: - -- Linux -- macOS (requires 10.10+) -- Windows -- FreeBSD (amd64) - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. 
Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.disk.read.bytes | The total number of bytes read successfully in a given period of time. | scaled_float | -| host.disk.write.bytes | The total number of bytes write successfully in a given period of time. | scaled_float | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). 
| keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. | keyword | -| system.diskio.io.time | The total number of of milliseconds spent doing I/Os. | long | -| system.diskio.iostat.await | The average time spent for requests issued to the device to be served. | float | -| system.diskio.iostat.busy | Percentage of CPU time during which I/O requests were issued to the device (bandwidth utilization for the device). Device saturation occurs when this value is close to 100%. | float | -| system.diskio.iostat.queue.avg_size | The average queue length of the requests that were issued to the device. | float | -| system.diskio.iostat.read.await | The average time spent for read requests issued to the device to be served. | float | -| system.diskio.iostat.read.per_sec.bytes | The number of Bytes read from the device per second. | float | -| system.diskio.iostat.read.request.merges_per_sec | The number of read requests merged per second that were queued to the device. | float | -| system.diskio.iostat.read.request.per_sec | The number of read requests that were issued to the device per second | float | -| system.diskio.iostat.request.avg_size | The average size (in bytes) of the requests that were issued to the device. | float | -| system.diskio.iostat.service_time | The average service time (in milliseconds) for I/O requests that were issued to the device. | float | -| system.diskio.iostat.write.await | The average time spent for write requests issued to the device to be served. 
| float | -| system.diskio.iostat.write.per_sec.bytes | The number of Bytes write from the device per second. | float | -| system.diskio.iostat.write.request.merges_per_sec | The number of write requests merged per second that were queued to the device. | float | -| system.diskio.iostat.write.request.per_sec | The number of write requests that were issued to the device per second | float | -| system.diskio.name | The disk name. | keyword | -| system.diskio.read.bytes | The total number of bytes read successfully. On Linux this is the number of sectors read multiplied by an assumed sector size of 512. | long | -| system.diskio.read.count | The total number of reads completed successfully. | long | -| system.diskio.read.time | The total number of milliseconds spent by all reads. | long | -| system.diskio.serial_number | The disk's serial number. This may not be provided by all operating systems. | keyword | -| system.diskio.write.bytes | The total number of bytes written successfully. On Linux this is the number of sectors written multiplied by an assumed sector size of 512. | long | -| system.diskio.write.count | The total number of writes completed successfully. | long | -| system.diskio.write.time | The total number of milliseconds spent by all writes. | long | - - -### Filesystem - -The System `filesystem` dataset provides file system statistics. For each file -system, one document is provided. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- OpenBSD -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. 
| keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. 
| keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| system.filesystem.available | The disk space available to an unprivileged user in bytes. | long |
-| system.filesystem.device_name | The disk name. For example: `/dev/disk1` | keyword |
-| system.filesystem.files | The total number of file nodes in the file system. | long |
-| system.filesystem.free | The disk space available in bytes. | long |
-| system.filesystem.free_files | The number of free file nodes in the file system. | long |
-| system.filesystem.mount_point | The mounting point. For example: `/` | keyword |
-| system.filesystem.total | The total disk space in bytes. | long |
-| system.filesystem.type | The disk type. For example: `ext4` | keyword |
-| system.filesystem.used.bytes | The used disk space in bytes. | long |
-| system.filesystem.used.pct | The percentage of used disk space. | scaled_float |
-
-
-### Fsstat
-
-The System `fsstat` dataset provides overall file system statistics.
-
-This dataset is available on:
-
-- FreeBSD
-- Linux
-- macOS
-- OpenBSD
-- Windows
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.full | Operating system name, including the version or code name. | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. | keyword |
-| system.fsstat.count | Number of file systems found. | long |
-| system.fsstat.total_files | Total number of files. | long |
-| system.fsstat.total_size.free | Total free space. | long |
-| system.fsstat.total_size.total | Total space (used plus free). | long |
-| system.fsstat.total_size.used | Total used space. | long |
-
-
-### Load
-
-The System `load` dataset provides load statistics.
-
-This dataset is available on:
-
-- FreeBSD
-- Linux
-- macOS
-- OpenBSD
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac address. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.full | Operating system name, including the version or code name. | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. | keyword |
-| system.load.1 | Load average for the last minute. | scaled_float |
-| system.load.15 | Load average for the last 15 minutes. | scaled_float |
-| system.load.5 | Load average for the last 5 minutes. | scaled_float |
-| system.load.cores | The number of CPU cores present on the host. | long |
-| system.load.norm.1 | Load for the last minute divided by the number of cores. | scaled_float |
-| system.load.norm.15 | Load for the last 15 minutes divided by the number of cores. | scaled_float |
-| system.load.norm.5 | Load for the last 5 minutes divided by the number of cores. | scaled_float |
-
-
-### Memory
-
-The System `memory` dataset provides memory statistics.
-
-This dataset is available on:
-
-- FreeBSD
-- Linux
-- macOS
-- OpenBSD
-- Windows
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip address. | ip |
-| host.mac | Host mac address. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.full | Operating system name, including the version or code name. | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| system.memory.actual.free | Actual free memory in bytes. It is calculated based on the OS. On Linux this value will be MemAvailable from /proc/meminfo, or calculated from free memory plus caches and buffers if /proc/meminfo is not available. On OSX it is a sum of free memory and the inactive memory. On Windows, it is equal to `system.memory.free`. | long |
-| system.memory.actual.used.bytes | Actual used memory in bytes. It represents the difference between the total and the available memory. The available memory depends on the OS. For more details, please check `system.actual.free`. | long |
-| system.memory.actual.used.pct | The percentage of actual used memory. | scaled_float |
-| system.memory.free | The total amount of free memory in bytes. This value does not include memory consumed by system caches and buffers (see system.memory.actual.free). | long |
-| system.memory.hugepages.default_size | Default size for huge pages. | long |
-| system.memory.hugepages.free | Number of available huge pages in the pool. | long |
-| system.memory.hugepages.reserved | Number of reserved but not allocated huge pages in the pool. | long |
-| system.memory.hugepages.surplus | Number of overcommited huge pages. | long |
-| system.memory.hugepages.swap.out.fallback | Count of huge pages that must be split before swapout | long |
-| system.memory.hugepages.swap.out.pages | pages swapped out | long |
-| system.memory.hugepages.total | Number of huge pages in the pool. | long |
-| system.memory.hugepages.used.bytes | Memory used in allocated huge pages. | long |
-| system.memory.hugepages.used.pct | Percentage of huge pages used. | long |
-| system.memory.page_stats.direct_efficiency.pct | direct reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory. | scaled_float |
-| system.memory.page_stats.kswapd_efficiency.pct | kswapd reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory. | scaled_float |
-| system.memory.page_stats.pgfree.pages | pages freed by the system | long |
-| system.memory.page_stats.pgscan_direct.pages | pages scanned directly | long |
-| system.memory.page_stats.pgscan_kswapd.pages | pages scanned by kswapd | long |
-| system.memory.page_stats.pgsteal_direct.pages | number of pages reclaimed directly | long |
-| system.memory.page_stats.pgsteal_kswapd.pages | number of pages reclaimed by kswapd | long |
-| system.memory.swap.free | Available swap memory. | long |
-| system.memory.swap.in.pages | count of pages swapped in | long |
-| system.memory.swap.out.pages | count of pages swapped out | long |
-| system.memory.swap.readahead.cached | swap readahead cache hits | long |
-| system.memory.swap.readahead.pages | swap readahead pages | long |
-| system.memory.swap.total | Total swap memory. | long |
-| system.memory.swap.used.bytes | Used swap memory. | long |
-| system.memory.swap.used.pct | The percentage of used swap memory. | scaled_float |
-| system.memory.total | Total memory. | long |
-| system.memory.used.bytes | Used memory. | long |
-| system.memory.used.pct | The percentage of used memory. | scaled_float |
-
-
-### Network
-
-The System `network` dataset provides network IO metrics collected from the
-operating system. One event is created for each network interface.
-
-This dataset is available on:
-
-- FreeBSD
-- Linux
-- macOS
-- Windows
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| group.id | Unique identifier for the group on the system/platform. | keyword |
-| group.name | Name of the group. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.network.in.bytes | The number of bytes received on all network interfaces by the host in a given period of time. | scaled_float |
-| host.network.in.packets | The number of packets received on all network interfaces by the host in a given period of time. | scaled_float |
-| host.network.out.bytes | The number of bytes sent out on all network interfaces by the host in a given period of time. | scaled_float |
-| host.network.out.packets | The number of packets sent out on all network interfaces by the host in a given period of time. | scaled_float |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text |
-| process.name | Process name. Sometimes called program name or similar. | keyword |
-| process.pid | Process id. | long |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| system.network.in.bytes | The number of bytes received. | long |
-| system.network.in.dropped | The number of incoming packets that were dropped. | long |
-| system.network.in.errors | The number of errors while receiving. | long |
-| system.network.in.packets | The number or packets received. | long |
-| system.network.name | The network interface name. | keyword |
-| system.network.out.bytes | The number of bytes sent. | long |
-| system.network.out.dropped | The number of outgoing packets that were dropped. This value is always 0 on Darwin and BSD because it is not reported by the operating system. | long |
-| system.network.out.errors | The number of errors while sending. | long |
-| system.network.out.packets | The number of packets sent. | long |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-
-
-### Process
-
-The System `process` dataset provides process statistics. One document is
-provided for each process.
-
-This dataset is available on:
-
-- FreeBSD
-- Linux
-- macOS
-- Windows
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.full | Operating system name, including the version or code name. | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. | keyword |
-| process.name | Process name. Sometimes called program name or similar. | keyword |
-| process.pgid | Identifier of the group of processes the process belongs to. | long |
-| process.pid | Process id. | long |
-| process.ppid | Parent process' pid. | long |
-| process.working_directory | The working directory of the process. | keyword |
-| system.process.cgroup.blkio.id | ID of the cgroup. | keyword |
-| system.process.cgroup.blkio.path | Path to the cgroup relative to the cgroup subsystems mountpoint. | keyword |
-| system.process.cgroup.blkio.total.bytes | Total number of bytes transferred to and from all block devices by processes in the cgroup. | long |
-| system.process.cgroup.blkio.total.ios | Total number of I/O operations performed on all devices by processes in the cgroup as seen by the throttling policy. | long |
-| system.process.cgroup.cpu.cfs.period.us | Period of time in microseconds for how regularly a cgroup's access to CPU resources should be reallocated. | long |
-| system.process.cgroup.cpu.cfs.quota.us | Total amount of time in microseconds for which all tasks in a cgroup can run during one period (as defined by cfs.period.us). | long |
-| system.process.cgroup.cpu.cfs.shares | An integer value that specifies a relative share of CPU time available to the tasks in a cgroup. The value specified in the cpu.shares file must be 2 or higher. | long |
-| system.process.cgroup.cpu.id | ID of the cgroup. | keyword |
-| system.process.cgroup.cpu.path | Path to the cgroup relative to the cgroup subsystem's mountpoint. | keyword |
-| system.process.cgroup.cpu.rt.period.us | Period of time in microseconds for how regularly a cgroup's access to CPU resources is reallocated. | long |
-| system.process.cgroup.cpu.rt.runtime.us | Period of time in microseconds for the longest continuous period in which the tasks in a cgroup have access to CPU resources. | long |
-| system.process.cgroup.cpu.stats.periods | Number of period intervals (as specified in cpu.cfs.period.us) that have elapsed. | long |
-| system.process.cgroup.cpu.stats.throttled.ns | The total time duration (in nanoseconds) for which tasks in a cgroup have been throttled. | long |
-| system.process.cgroup.cpu.stats.throttled.periods | Number of times tasks in a cgroup have been throttled (that is, not allowed to run because they have exhausted all of the available time as specified by their quota). | long |
-| system.process.cgroup.cpuacct.id | ID of the cgroup. | keyword |
-| system.process.cgroup.cpuacct.path | Path to the cgroup relative to the cgroup subsystem's mountpoint. | keyword |
-| system.process.cgroup.cpuacct.percpu | CPU time (in nanoseconds) consumed on each CPU by all tasks in this cgroup. | object |
-| system.process.cgroup.cpuacct.stats.system.ns | CPU time consumed by tasks in user (kernel) mode. | long |
-| system.process.cgroup.cpuacct.stats.user.ns | CPU time consumed by tasks in user mode. | long |
-| system.process.cgroup.cpuacct.total.ns | Total CPU time in nanoseconds consumed by all tasks in the cgroup. | long |
-| system.process.cgroup.id | The ID common to all cgroups associated with this task. If there isn't a common ID used by all cgroups this field will be absent. | keyword |
-| system.process.cgroup.memory.id | ID of the cgroup. | keyword |
-| system.process.cgroup.memory.kmem.failures | The number of times that the memory limit (kmem.limit.bytes) was reached. | long |
-| system.process.cgroup.memory.kmem.limit.bytes | The maximum amount of kernel memory that tasks in the cgroup are allowed to use. | long |
-| system.process.cgroup.memory.kmem.usage.bytes | Total kernel memory usage by processes in the cgroup (in bytes). | long |
-| system.process.cgroup.memory.kmem.usage.max.bytes | The maximum kernel memory used by processes in the cgroup (in bytes). | long |
-| system.process.cgroup.memory.kmem_tcp.failures | The number of times that the memory limit (kmem_tcp.limit.bytes) was reached. | long |
-| system.process.cgroup.memory.kmem_tcp.limit.bytes | The maximum amount of memory for TCP buffers that tasks in the cgroup are allowed to use. | long |
-| system.process.cgroup.memory.kmem_tcp.usage.bytes | Total memory usage for TCP buffers in bytes. | long |
-| system.process.cgroup.memory.kmem_tcp.usage.max.bytes | The maximum memory used for TCP buffers by processes in the cgroup (in bytes). | long |
-| system.process.cgroup.memory.mem.failures | The number of times that the memory limit (mem.limit.bytes) was reached. | long |
-| system.process.cgroup.memory.mem.limit.bytes | The maximum amount of user memory in bytes (including file cache) that tasks in the cgroup are allowed to use. | long |
-| system.process.cgroup.memory.mem.usage.bytes | Total memory usage by processes in the cgroup (in bytes). | long |
-| system.process.cgroup.memory.mem.usage.max.bytes | The maximum memory used by processes in the cgroup (in bytes). | long |
-| system.process.cgroup.memory.memsw.failures | The number of times that the memory plus swap space limit (memsw.limit.bytes) was reached. | long |
-| system.process.cgroup.memory.memsw.limit.bytes | The maximum amount for the sum of memory and swap usage that tasks in the cgroup are allowed to use. | long |
-| system.process.cgroup.memory.memsw.usage.bytes | The sum of current memory usage plus swap space used by processes in the cgroup (in bytes). | long |
-| system.process.cgroup.memory.memsw.usage.max.bytes | The maximum amount of memory and swap space used by processes in the cgroup (in bytes). | long |
-| system.process.cgroup.memory.path | Path to the cgroup relative to the cgroup subsystem's mountpoint. | keyword |
-| system.process.cgroup.memory.stats.active_anon.bytes | Anonymous and swap cache on active least-recently-used (LRU) list, including tmpfs (shmem), in bytes. | long |
-| system.process.cgroup.memory.stats.active_file.bytes | File-backed memory on active LRU list, in bytes. | long |
-| system.process.cgroup.memory.stats.cache.bytes | Page cache, including tmpfs (shmem), in bytes. | long |
-| system.process.cgroup.memory.stats.hierarchical_memory_limit.bytes | Memory limit for the hierarchy that contains the memory cgroup, in bytes. | long |
-| system.process.cgroup.memory.stats.hierarchical_memsw_limit.bytes | Memory plus swap limit for the hierarchy that contains the memory cgroup, in bytes. | long |
-| system.process.cgroup.memory.stats.inactive_anon.bytes | Anonymous and swap cache on inactive LRU list, including tmpfs (shmem), in bytes | long |
-| system.process.cgroup.memory.stats.inactive_file.bytes | File-backed memory on inactive LRU list, in bytes. | long |
-| system.process.cgroup.memory.stats.major_page_faults | Number of times that a process in the cgroup triggered a major fault. "Major" faults happen when the kernel actually has to read the data from disk. | long |
-| system.process.cgroup.memory.stats.mapped_file.bytes | Size of memory-mapped mapped files, including tmpfs (shmem), in bytes. | long |
-| system.process.cgroup.memory.stats.page_faults | Number of times that a process in the cgroup triggered a page fault. | long |
-| system.process.cgroup.memory.stats.pages_in | Number of pages paged into memory. This is a counter. | long |
-| system.process.cgroup.memory.stats.pages_out | Number of pages paged out of memory. This is a counter. | long |
-| system.process.cgroup.memory.stats.rss.bytes | Anonymous and swap cache (includes transparent hugepages), not including tmpfs (shmem), in bytes. | long |
-| system.process.cgroup.memory.stats.rss_huge.bytes | Number of bytes of anonymous transparent hugepages. | long |
-| system.process.cgroup.memory.stats.swap.bytes | Swap usage, in bytes. | long |
-| system.process.cgroup.memory.stats.unevictable.bytes | Memory that cannot be reclaimed, in bytes. | long |
-| system.process.cgroup.path | The path to the cgroup relative to the cgroup subsystem's mountpoint. If there isn't a common path used by all cgroups this field will be absent. | keyword |
-| system.process.cmdline | The full command-line used to start the process, including the arguments separated by space. | keyword |
-| system.process.cpu.start_time | The time when the process was started. | date |
-| system.process.cpu.system.ticks | The amount of CPU time the process spent in kernel space. | long |
-| system.process.cpu.total.norm.pct | The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 100%. | scaled_float |
-| system.process.cpu.total.pct | The percentage of CPU time spent by the process since the last update. Its value is similar to the %CPU value of the process displayed by the top command on Unix systems. | scaled_float |
-| system.process.cpu.total.ticks | The total CPU time spent by the process. | long |
-| system.process.cpu.total.value | The value of CPU usage since starting the process. | long |
-| system.process.cpu.user.ticks | The amount of CPU time the process spent in user space. | long |
-| system.process.env | The environment variables used to start the process. The data is available on FreeBSD, Linux, and OS X. | object |
-| system.process.fd.limit.hard | The hard limit on the number of file descriptors opened by the process. The hard limit can only be raised by root. | long |
-| system.process.fd.limit.soft | The soft limit on the number of file descriptors opened by the process. The soft limit can be changed by the process at any time. | long |
-| system.process.fd.open | The number of file descriptors open by the process. | long |
-| system.process.memory.rss.bytes | The Resident Set Size. The amount of memory the process occupied in main memory (RAM). On Windows this represents the current working set size, in bytes. | long |
-| system.process.memory.rss.pct | The percentage of memory the process occupied in main memory (RAM). | scaled_float |
-| system.process.memory.share | The shared memory the process uses. | long |
-| system.process.memory.size | The total virtual memory the process has. On Windows this represents the Commit Charge (the total amount of memory that the memory manager has committed for a running process) value in bytes for this process. | long |
-| system.process.state | The process state. For example: "running". | keyword |
-| user.name | Short name or login of the user. | keyword |
-
-
-### Process summary
-
-The `process_summary` dataset collects high level statistics about the running
-processes.
-
-This dataset is available on:
-
-- FreeBSD
-- Linux
-- macOS
-- Windows
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| group.id | Unique identifier for the group on the system/platform. | keyword |
-| group.name | Name of the group. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text |
-| process.name | Process name. Sometimes called program name or similar. | keyword |
-| process.pid | Process id. | long |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| system.process.summary.dead | Number of dead processes on this host. It's very unlikely that it will appear but in some special situations it may happen. | long |
-| system.process.summary.idle | Number of idle processes on this host. | long |
-| system.process.summary.running | Number of running processes on this host. | long |
-| system.process.summary.sleeping | Number of sleeping processes on this host. | long |
-| system.process.summary.stopped | Number of stopped processes on this host. | long |
-| system.process.summary.total | Total number of processes on this host. | long |
-| system.process.summary.unknown | Number of processes for which the state couldn't be retrieved or is unknown. | long |
-| system.process.summary.zombie | Number of zombie processes on this host. | long |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-
-
-### Socket summary
-
-The System `socket_summary` dataset provides the summary of open network
-sockets in the host system.
-
-It collects a summary of metrics with the count of existing TCP and UDP
-connections and the count of listening ports.
-
-This dataset is available on:
-
-- FreeBSD
-- Linux
-- macOS
-- Windows
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. 
| keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. 
| keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.pid | Process id. | long | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. 
| long | -| system.socket.summary.all.count | All open connections | integer | -| system.socket.summary.all.listening | All listening ports | integer | -| system.socket.summary.tcp.all.close_wait | Number of TCP connections in _close_wait_ state | integer | -| system.socket.summary.tcp.all.closing | Number of TCP connections in _closing_ state | integer | -| system.socket.summary.tcp.all.count | All open TCP connections | integer | -| system.socket.summary.tcp.all.established | Number of established TCP connections | integer | -| system.socket.summary.tcp.all.fin_wait1 | Number of TCP connections in _fin_wait1_ state | integer | -| system.socket.summary.tcp.all.fin_wait2 | Number of TCP connections in _fin_wait2_ state | integer | -| system.socket.summary.tcp.all.last_ack | Number of TCP connections in _last_ack_ state | integer | -| system.socket.summary.tcp.all.listening | All TCP listening ports | integer | -| system.socket.summary.tcp.all.orphan | A count of all orphaned tcp sockets. Only available on Linux. | integer | -| system.socket.summary.tcp.all.syn_recv | Number of TCP connections in _syn_recv_ state | integer | -| system.socket.summary.tcp.all.syn_sent | Number of TCP connections in _syn_sent_ state | integer | -| system.socket.summary.tcp.all.time_wait | Number of TCP connections in _time_wait_ state | integer | -| system.socket.summary.tcp.memory | Memory used by TCP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/tcp_mem. Only available on Linux. | integer | -| system.socket.summary.udp.all.count | All open UDP connections | integer | -| system.socket.summary.udp.memory | Memory used by UDP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/udp_mem. Only available on Linux. | integer | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. 
| keyword | - - -### Uptime - -The System `uptime` dataset provides the uptime of the host operating system. - -This dataset is available on: - -- Linux -- macOS -- OpenBSD -- FreeBSD -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. 
It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| system.uptime.duration.ms | The OS uptime in milliseconds. | long | - - -### Application - -The Windows `application` dataset provides events from the Windows -`Application` event log. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. 
| keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| error.message | Error message. | text | -| event.created | Time when the event was first read by an agent or by your pipeline. | date | -| event.ingested | Timestamp when an event arrived in the central data store. | date | -| event.original | Raw text message of entire event. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword | -| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword | -| winlog.channel | The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. | keyword | -| winlog.computer_name | The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. | keyword | -| winlog.event_data | The event-specific data. 
This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. | object | -| winlog.event_data.AuthenticationPackageName | | keyword | -| winlog.event_data.Binary | | keyword | -| winlog.event_data.BitlockerUserInputTime | | keyword | -| winlog.event_data.BootMode | | keyword | -| winlog.event_data.BootType | | keyword | -| winlog.event_data.BuildVersion | | keyword | -| winlog.event_data.Company | | keyword | -| winlog.event_data.CorruptionActionState | | keyword | -| winlog.event_data.CreationUtcTime | | keyword | -| winlog.event_data.Description | | keyword | -| winlog.event_data.Detail | | keyword | -| winlog.event_data.DeviceName | | keyword | -| winlog.event_data.DeviceNameLength | | keyword | -| winlog.event_data.DeviceTime | | keyword | -| winlog.event_data.DeviceVersionMajor | | keyword | -| winlog.event_data.DeviceVersionMinor | | keyword | -| winlog.event_data.DriveName | | keyword | -| winlog.event_data.DriverName | | keyword | -| winlog.event_data.DriverNameLength | | keyword | -| winlog.event_data.DwordVal | | keyword | -| winlog.event_data.EntryCount | | keyword | -| winlog.event_data.ExtraInfo | | keyword | -| winlog.event_data.FailureName | | keyword | -| winlog.event_data.FailureNameLength | | keyword | -| winlog.event_data.FileVersion | | keyword | -| winlog.event_data.FinalStatus | | keyword | -| winlog.event_data.Group | | keyword | -| winlog.event_data.IdleImplementation | | keyword | -| winlog.event_data.IdleStateCount | | keyword | -| winlog.event_data.ImpersonationLevel | | keyword | -| winlog.event_data.IntegrityLevel | | keyword | -| winlog.event_data.IpAddress | | keyword | -| winlog.event_data.IpPort | | keyword | -| winlog.event_data.KeyLength | | keyword | -| winlog.event_data.LastBootGood | | keyword | -| 
winlog.event_data.LastShutdownGood | | keyword | -| winlog.event_data.LmPackageName | | keyword | -| winlog.event_data.LogonGuid | | keyword | -| winlog.event_data.LogonId | | keyword | -| winlog.event_data.LogonProcessName | | keyword | -| winlog.event_data.LogonType | | keyword | -| winlog.event_data.MajorVersion | | keyword | -| winlog.event_data.MaximumPerformancePercent | | keyword | -| winlog.event_data.MemberName | | keyword | -| winlog.event_data.MemberSid | | keyword | -| winlog.event_data.MinimumPerformancePercent | | keyword | -| winlog.event_data.MinimumThrottlePercent | | keyword | -| winlog.event_data.MinorVersion | | keyword | -| winlog.event_data.NewProcessId | | keyword | -| winlog.event_data.NewProcessName | | keyword | -| winlog.event_data.NewSchemeGuid | | keyword | -| winlog.event_data.NewTime | | keyword | -| winlog.event_data.NominalFrequency | | keyword | -| winlog.event_data.Number | | keyword | -| winlog.event_data.OldSchemeGuid | | keyword | -| winlog.event_data.OldTime | | keyword | -| winlog.event_data.OriginalFileName | | keyword | -| winlog.event_data.Path | | keyword | -| winlog.event_data.PerformanceImplementation | | keyword | -| winlog.event_data.PreviousCreationUtcTime | | keyword | -| winlog.event_data.PreviousTime | | keyword | -| winlog.event_data.PrivilegeList | | keyword | -| winlog.event_data.ProcessId | | keyword | -| winlog.event_data.ProcessName | | keyword | -| winlog.event_data.ProcessPath | | keyword | -| winlog.event_data.ProcessPid | | keyword | -| winlog.event_data.Product | | keyword | -| winlog.event_data.PuaCount | | keyword | -| winlog.event_data.PuaPolicyId | | keyword | -| winlog.event_data.QfeVersion | | keyword | -| winlog.event_data.Reason | | keyword | -| winlog.event_data.SchemaVersion | | keyword | -| winlog.event_data.ScriptBlockText | | keyword | -| winlog.event_data.ServiceName | | keyword | -| winlog.event_data.ServiceVersion | | keyword | -| winlog.event_data.ShutdownActionType | | keyword | -| 
winlog.event_data.ShutdownEventCode | | keyword | -| winlog.event_data.ShutdownReason | | keyword | -| winlog.event_data.Signature | | keyword | -| winlog.event_data.SignatureStatus | | keyword | -| winlog.event_data.Signed | | keyword | -| winlog.event_data.StartTime | | keyword | -| winlog.event_data.State | | keyword | -| winlog.event_data.Status | | keyword | -| winlog.event_data.StopTime | | keyword | -| winlog.event_data.SubjectDomainName | | keyword | -| winlog.event_data.SubjectLogonId | | keyword | -| winlog.event_data.SubjectUserName | | keyword | -| winlog.event_data.SubjectUserSid | | keyword | -| winlog.event_data.TSId | | keyword | -| winlog.event_data.TargetDomainName | | keyword | -| winlog.event_data.TargetInfo | | keyword | -| winlog.event_data.TargetLogonGuid | | keyword | -| winlog.event_data.TargetLogonId | | keyword | -| winlog.event_data.TargetServerName | | keyword | -| winlog.event_data.TargetUserName | | keyword | -| winlog.event_data.TargetUserSid | | keyword | -| winlog.event_data.TerminalSessionId | | keyword | -| winlog.event_data.TokenElevationType | | keyword | -| winlog.event_data.TransmittedServices | | keyword | -| winlog.event_data.UserSid | | keyword | -| winlog.event_data.Version | | keyword | -| winlog.event_data.Workstation | | keyword | -| winlog.event_data.param1 | | keyword | -| winlog.event_data.param2 | | keyword | -| winlog.event_data.param3 | | keyword | -| winlog.event_data.param4 | | keyword | -| winlog.event_data.param5 | | keyword | -| winlog.event_data.param6 | | keyword | -| winlog.event_data.param7 | | keyword | -| winlog.event_data.param8 | | keyword | -| winlog.event_id | The event identifier. The value is specific to the source of the event. | keyword | -| winlog.keywords | The keywords are used to classify an event. | keyword | -| winlog.opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. 
| keyword | -| winlog.process.pid | The process_id of the Client Server Runtime Process. | long | -| winlog.process.thread.id | | long | -| winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. | keyword | -| winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword | -| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | keyword | -| winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. | keyword | -| winlog.task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. | keyword | -| winlog.user.domain | The domain that the account associated with this event is a member of. | keyword | -| winlog.user.identifier | The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. | keyword | -| winlog.user.name | Name of the user associated with this event. | keyword | -| winlog.user.type | The type of account associated with this event. | keyword | -| winlog.user_data | The event specific data. This field is mutually exclusive with `event_data`. 
| object | -| winlog.version | The version number of the event's definition. | long | - - -### System - -The Windows `system` dataset provides events from the Windows `System` -event log. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| error.message | Error message. | text | -| event.created | Time when the event was first read by an agent or by your pipeline. | date | -| event.ingested | Timestamp when an event arrived in the central data store. | date | -| event.original | Raw text message of entire event. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. 
| boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword | -| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. 
The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword | -| winlog.channel | The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. | keyword | -| winlog.computer_name | The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. | keyword | -| winlog.event_data | The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. | object | -| winlog.event_data.AuthenticationPackageName | | keyword | -| winlog.event_data.Binary | | keyword | -| winlog.event_data.BitlockerUserInputTime | | keyword | -| winlog.event_data.BootMode | | keyword | -| winlog.event_data.BootType | | keyword | -| winlog.event_data.BuildVersion | | keyword | -| winlog.event_data.Company | | keyword | -| winlog.event_data.CorruptionActionState | | keyword | -| winlog.event_data.CreationUtcTime | | keyword | -| winlog.event_data.Description | | keyword | -| winlog.event_data.Detail | | keyword | -| winlog.event_data.DeviceName | | keyword | -| winlog.event_data.DeviceNameLength | | keyword | -| winlog.event_data.DeviceTime | | keyword | -| winlog.event_data.DeviceVersionMajor | | keyword | -| winlog.event_data.DeviceVersionMinor | | keyword | -| winlog.event_data.DriveName | | keyword | -| winlog.event_data.DriverName | | keyword | -| winlog.event_data.DriverNameLength | | keyword | -| winlog.event_data.DwordVal | | keyword | -| 
winlog.event_data.EntryCount | | keyword | -| winlog.event_data.ExtraInfo | | keyword | -| winlog.event_data.FailureName | | keyword | -| winlog.event_data.FailureNameLength | | keyword | -| winlog.event_data.FileVersion | | keyword | -| winlog.event_data.FinalStatus | | keyword | -| winlog.event_data.Group | | keyword | -| winlog.event_data.IdleImplementation | | keyword | -| winlog.event_data.IdleStateCount | | keyword | -| winlog.event_data.ImpersonationLevel | | keyword | -| winlog.event_data.IntegrityLevel | | keyword | -| winlog.event_data.IpAddress | | keyword | -| winlog.event_data.IpPort | | keyword | -| winlog.event_data.KeyLength | | keyword | -| winlog.event_data.LastBootGood | | keyword | -| winlog.event_data.LastShutdownGood | | keyword | -| winlog.event_data.LmPackageName | | keyword | -| winlog.event_data.LogonGuid | | keyword | -| winlog.event_data.LogonId | | keyword | -| winlog.event_data.LogonProcessName | | keyword | -| winlog.event_data.LogonType | | keyword | -| winlog.event_data.MajorVersion | | keyword | -| winlog.event_data.MaximumPerformancePercent | | keyword | -| winlog.event_data.MemberName | | keyword | -| winlog.event_data.MemberSid | | keyword | -| winlog.event_data.MinimumPerformancePercent | | keyword | -| winlog.event_data.MinimumThrottlePercent | | keyword | -| winlog.event_data.MinorVersion | | keyword | -| winlog.event_data.NewProcessId | | keyword | -| winlog.event_data.NewProcessName | | keyword | -| winlog.event_data.NewSchemeGuid | | keyword | -| winlog.event_data.NewTime | | keyword | -| winlog.event_data.NominalFrequency | | keyword | -| winlog.event_data.Number | | keyword | -| winlog.event_data.OldSchemeGuid | | keyword | -| winlog.event_data.OldTime | | keyword | -| winlog.event_data.OriginalFileName | | keyword | -| winlog.event_data.Path | | keyword | -| winlog.event_data.PerformanceImplementation | | keyword | -| winlog.event_data.PreviousCreationUtcTime | | keyword | -| winlog.event_data.PreviousTime | | keyword | 
-| winlog.event_data.PrivilegeList | | keyword | -| winlog.event_data.ProcessId | | keyword | -| winlog.event_data.ProcessName | | keyword | -| winlog.event_data.ProcessPath | | keyword | -| winlog.event_data.ProcessPid | | keyword | -| winlog.event_data.Product | | keyword | -| winlog.event_data.PuaCount | | keyword | -| winlog.event_data.PuaPolicyId | | keyword | -| winlog.event_data.QfeVersion | | keyword | -| winlog.event_data.Reason | | keyword | -| winlog.event_data.SchemaVersion | | keyword | -| winlog.event_data.ScriptBlockText | | keyword | -| winlog.event_data.ServiceName | | keyword | -| winlog.event_data.ServiceVersion | | keyword | -| winlog.event_data.ShutdownActionType | | keyword | -| winlog.event_data.ShutdownEventCode | | keyword | -| winlog.event_data.ShutdownReason | | keyword | -| winlog.event_data.Signature | | keyword | -| winlog.event_data.SignatureStatus | | keyword | -| winlog.event_data.Signed | | keyword | -| winlog.event_data.StartTime | | keyword | -| winlog.event_data.State | | keyword | -| winlog.event_data.Status | | keyword | -| winlog.event_data.StopTime | | keyword | -| winlog.event_data.SubjectDomainName | | keyword | -| winlog.event_data.SubjectLogonId | | keyword | -| winlog.event_data.SubjectUserName | | keyword | -| winlog.event_data.SubjectUserSid | | keyword | -| winlog.event_data.TSId | | keyword | -| winlog.event_data.TargetDomainName | | keyword | -| winlog.event_data.TargetInfo | | keyword | -| winlog.event_data.TargetLogonGuid | | keyword | -| winlog.event_data.TargetLogonId | | keyword | -| winlog.event_data.TargetServerName | | keyword | -| winlog.event_data.TargetUserName | | keyword | -| winlog.event_data.TargetUserSid | | keyword | -| winlog.event_data.TerminalSessionId | | keyword | -| winlog.event_data.TokenElevationType | | keyword | -| winlog.event_data.TransmittedServices | | keyword | -| winlog.event_data.UserSid | | keyword | -| winlog.event_data.Version | | keyword | -| winlog.event_data.Workstation | | 
keyword | -| winlog.event_data.param1 | | keyword | -| winlog.event_data.param2 | | keyword | -| winlog.event_data.param3 | | keyword | -| winlog.event_data.param4 | | keyword | -| winlog.event_data.param5 | | keyword | -| winlog.event_data.param6 | | keyword | -| winlog.event_data.param7 | | keyword | -| winlog.event_data.param8 | | keyword | -| winlog.event_id | The event identifier. The value is specific to the source of the event. | keyword | -| winlog.keywords | The keywords are used to classify an event. | keyword | -| winlog.opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. | keyword | -| winlog.process.pid | The process_id of the Client Server Runtime Process. | long | -| winlog.process.thread.id | | long | -| winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. | keyword | -| winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword | -| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | keyword | -| winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. | keyword | -| winlog.task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. 
| keyword | -| winlog.user.domain | The domain that the account associated with this event is a member of. | keyword | -| winlog.user.identifier | The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. | keyword | -| winlog.user.name | Name of the user associated with this event. | keyword | -| winlog.user.type | The type of account associated with this event. | keyword | -| winlog.user_data | The event specific data. This field is mutually exclusive with `event_data`. | object | -| winlog.version | The version number of the event's definition. | long | - - - -### Security - -The Windows `security` dataset provides events from the Windows -`Security` event log. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. 
| keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset name. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| dataset.name | Dataset name. | constant_keyword | -| dataset.namespace | Dataset namespace. | constant_keyword | -| dataset.type | Dataset type. | constant_keyword | -| error.message | Error message. | text | -| event.action | The action captured by the event. | keyword | -| event.category | Event category. The second categorization field in the hierarchy. | keyword | -| event.code | Identification code for this event. | keyword | -| event.created | Time when the event was first read by an agent or by your pipeline. | date | -| event.ingested | Timestamp when an event arrived in the central data store. | date | -| event.module | Name of the module this data is coming from. | keyword | -| event.outcome | The outcome of the event. The lowest level categorization field in the hierarchy. | keyword | -| event.type | Event type. The third categorization field in the hierarchy. | keyword | -| group.domain | Name of the directory the group is a member of. | keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. 
| keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| log.level | Log level of the log event. | keyword | -| process.command_line | Full command line that started the process. | keyword | -| process.executable | Absolute path to the process executable. | keyword | -| process.name | Process name. | keyword | -| process.parent.executable | Absolute path to the process executable. | keyword | -| process.pid | Process id. | long | -| related.user | All the user names seen on your event. | keyword | -| service.name | Name of the service. | keyword | -| service.type | The type of the service. | keyword | -| source.domain | Source domain. | keyword | -| source.ip | IP address of the source. | ip | -| source.port | Port of the source. | long | -| user.domain | Name of the directory the user is a member of. 
| keyword | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword | -| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword | -| winlog.channel | The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. | keyword | -| winlog.computer_name | The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. | keyword | -| winlog.event_data | The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. 
| object | -| winlog.event_data.AuthenticationPackageName | | keyword | -| winlog.event_data.Binary | | keyword | -| winlog.event_data.BitlockerUserInputTime | | keyword | -| winlog.event_data.BootMode | | keyword | -| winlog.event_data.BootType | | keyword | -| winlog.event_data.BuildVersion | | keyword | -| winlog.event_data.Company | | keyword | -| winlog.event_data.CorruptionActionState | | keyword | -| winlog.event_data.CreationUtcTime | | keyword | -| winlog.event_data.Description | | keyword | -| winlog.event_data.Detail | | keyword | -| winlog.event_data.DeviceName | | keyword | -| winlog.event_data.DeviceNameLength | | keyword | -| winlog.event_data.DeviceTime | | keyword | -| winlog.event_data.DeviceVersionMajor | | keyword | -| winlog.event_data.DeviceVersionMinor | | keyword | -| winlog.event_data.DriveName | | keyword | -| winlog.event_data.DriverName | | keyword | -| winlog.event_data.DriverNameLength | | keyword | -| winlog.event_data.DwordVal | | keyword | -| winlog.event_data.EntryCount | | keyword | -| winlog.event_data.ExtraInfo | | keyword | -| winlog.event_data.FailureName | | keyword | -| winlog.event_data.FailureNameLength | | keyword | -| winlog.event_data.FileVersion | | keyword | -| winlog.event_data.FinalStatus | | keyword | -| winlog.event_data.Group | | keyword | -| winlog.event_data.IdleImplementation | | keyword | -| winlog.event_data.IdleStateCount | | keyword | -| winlog.event_data.ImpersonationLevel | | keyword | -| winlog.event_data.IntegrityLevel | | keyword | -| winlog.event_data.IpAddress | | keyword | -| winlog.event_data.IpPort | | keyword | -| winlog.event_data.KeyLength | | keyword | -| winlog.event_data.LastBootGood | | keyword | -| winlog.event_data.LastShutdownGood | | keyword | -| winlog.event_data.LmPackageName | | keyword | -| winlog.event_data.LogonGuid | | keyword | -| winlog.event_data.LogonId | | keyword | -| winlog.event_data.LogonProcessName | | keyword | -| winlog.event_data.LogonType | | keyword | -| 
winlog.event_data.MajorVersion | | keyword | -| winlog.event_data.MaximumPerformancePercent | | keyword | -| winlog.event_data.MemberName | | keyword | -| winlog.event_data.MemberSid | | keyword | -| winlog.event_data.MinimumPerformancePercent | | keyword | -| winlog.event_data.MinimumThrottlePercent | | keyword | -| winlog.event_data.MinorVersion | | keyword | -| winlog.event_data.NewProcessId | | keyword | -| winlog.event_data.NewProcessName | | keyword | -| winlog.event_data.NewSchemeGuid | | keyword | -| winlog.event_data.NewTargetUserName | | keyword | -| winlog.event_data.NewTime | | keyword | -| winlog.event_data.NominalFrequency | | keyword | -| winlog.event_data.Number | | keyword | -| winlog.event_data.OldSchemeGuid | | keyword | -| winlog.event_data.OldTargetUserName | | keyword | -| winlog.event_data.OldTime | | keyword | -| winlog.event_data.OriginalFileName | | keyword | -| winlog.event_data.Path | | keyword | -| winlog.event_data.PerformanceImplementation | | keyword | -| winlog.event_data.PreviousCreationUtcTime | | keyword | -| winlog.event_data.PreviousTime | | keyword | -| winlog.event_data.PrivilegeList | | keyword | -| winlog.event_data.ProcessId | | keyword | -| winlog.event_data.ProcessName | | keyword | -| winlog.event_data.ProcessPath | | keyword | -| winlog.event_data.ProcessPid | | keyword | -| winlog.event_data.Product | | keyword | -| winlog.event_data.PuaCount | | keyword | -| winlog.event_data.PuaPolicyId | | keyword | -| winlog.event_data.QfeVersion | | keyword | -| winlog.event_data.Reason | | keyword | -| winlog.event_data.SchemaVersion | | keyword | -| winlog.event_data.ScriptBlockText | | keyword | -| winlog.event_data.ServiceName | | keyword | -| winlog.event_data.ServiceVersion | | keyword | -| winlog.event_data.ShutdownActionType | | keyword | -| winlog.event_data.ShutdownEventCode | | keyword | -| winlog.event_data.ShutdownReason | | keyword | -| winlog.event_data.Signature | | keyword | -| winlog.event_data.SignatureStatus | 
| keyword | -| winlog.event_data.Signed | | keyword | -| winlog.event_data.StartTime | | keyword | -| winlog.event_data.State | | keyword | -| winlog.event_data.Status | | keyword | -| winlog.event_data.StopTime | | keyword | -| winlog.event_data.SubjectDomainName | | keyword | -| winlog.event_data.SubjectLogonId | | keyword | -| winlog.event_data.SubjectUserName | | keyword | -| winlog.event_data.SubjectUserSid | | keyword | -| winlog.event_data.TSId | | keyword | -| winlog.event_data.TargetDomainName | | keyword | -| winlog.event_data.TargetInfo | | keyword | -| winlog.event_data.TargetLogonGuid | | keyword | -| winlog.event_data.TargetLogonId | | keyword | -| winlog.event_data.TargetServerName | | keyword | -| winlog.event_data.TargetUserName | | keyword | -| winlog.event_data.TargetUserSid | | keyword | -| winlog.event_data.TerminalSessionId | | keyword | -| winlog.event_data.TokenElevationType | | keyword | -| winlog.event_data.TransmittedServices | | keyword | -| winlog.event_data.UserSid | | keyword | -| winlog.event_data.Version | | keyword | -| winlog.event_data.Workstation | | keyword | -| winlog.event_data.param1 | | keyword | -| winlog.event_data.param2 | | keyword | -| winlog.event_data.param3 | | keyword | -| winlog.event_data.param4 | | keyword | -| winlog.event_data.param5 | | keyword | -| winlog.event_data.param6 | | keyword | -| winlog.event_data.param7 | | keyword | -| winlog.event_data.param8 | | keyword | -| winlog.event_id | The event identifier. The value is specific to the source of the event. | keyword | -| winlog.keywords | The keywords are used to classify an event. | keyword | -| winlog.logon.failure.reason | The reason the logon failed. | keyword | -| winlog.logon.failure.status | The reason the logon failed. This is textual description based on the value of the hexadecimal `Status` field. | keyword | -| winlog.logon.failure.sub_status | Additional information about the logon failure. 
This is a textual description based on the value of the hexidecimal `SubStatus` field. | keyword | -| winlog.logon.id | Logon ID that can be used to associate this logon with other events related to the same logon session. | keyword | -| winlog.logon.type | Logon type name. This is the descriptive version of the `winlog.event_data.LogonType` ordinal. This is an enrichment added by the Security module. | keyword | -| winlog.opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. | keyword | -| winlog.process.pid | The process_id of the Client Server Runtime Process. | long | -| winlog.process.thread.id | | long | -| winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. | keyword | -| winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword | -| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | keyword | -| winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. | keyword | -| winlog.task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. | keyword | -| winlog.user.domain | The domain that the account associated with this event is a member of. 
| keyword |
-| winlog.user.identifier | The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. | keyword |
-| winlog.user.name | Name of the user associated with this event. | keyword |
-| winlog.user.type | The type of account associated with this event. | keyword |
-| winlog.user_data | The event specific data. This field is mutually exclusive with `event_data`. | object |
-| winlog.version | The version number of the event's definition. | long |
diff --git a/packages/system/0.10.5/img/kibana-system.png b/packages/system/0.10.5/img/kibana-system.png
deleted file mode 100644
index 8741a56624..0000000000
Binary files a/packages/system/0.10.5/img/kibana-system.png and /dev/null differ
diff --git a/packages/system/0.10.5/img/metricbeat_system_dashboard.png b/packages/system/0.10.5/img/metricbeat_system_dashboard.png
deleted file mode 100644
index 2ff6ad8bd0..0000000000
Binary files a/packages/system/0.10.5/img/metricbeat_system_dashboard.png and /dev/null differ
diff --git a/packages/system/0.10.5/img/system.svg b/packages/system/0.10.5/img/system.svg
deleted file mode 100644
index 0aba96275e..0000000000
--- a/packages/system/0.10.5/img/system.svg
+++ /dev/null
@@ -1 +0,0 @@
-
\ No newline at end of file
diff --git a/packages/system/0.10.5/kibana/dashboard/system-01c54730-fee6-11e9-8405-516218e3d268.json b/packages/system/0.10.5/kibana/dashboard/system-01c54730-fee6-11e9-8405-516218e3d268.json
deleted file mode 100644
index cfdfd09da8..0000000000
--- a/packages/system/0.10.5/kibana/dashboard/system-01c54730-fee6-11e9-8405-516218e3d268.json
+++ /dev/null
@@ -1,129 +0,0 @@ -{ - "attributes": { - "description": "Group management activity with TSVB metrics.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":8,\"i\":\"22\",\"w\":17,\"x\":0,\"y\":0},\"panelIndex\":\"22\",\"panelRefName\":\"panel_0\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Creation Summary [Windows Security]\"},\"gridData\":{\"h\":13,\"i\":\"36\",\"w\":9,\"x\":0,\"y\":59},\"panelIndex\":\"36\",\"panelRefName\":\"panel_1\",\"title\":\"Group Creation Summary [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Changes Summary [Windows Security]\"},\"gridData\":{\"h\":13,\"i\":\"37\",\"w\":9,\"x\":9,\"y\":59},\"panelIndex\":\"37\",\"panelRefName\":\"panel_2\",\"title\":\"Group Changes Summary [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Deletion Summary [Windows Security]\"},\"gridData\":{\"h\":13,\"i\":\"38\",\"w\":9,\"x\":18,\"y\":59},\"panelIndex\":\"38\",\"panelRefName\":\"panel_3\",\"title\":\"Group Deletion Summary [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Users Added to Group Summary [Windows Security]\"},\"gridData\":{\"h\":14,\"i\":\"39\",\"w\":16,\"x\":0,\"y\":81},\"panelIndex\":\"39\",\"panelRefName\":\"panel_4\",\"title\":\"Users Added to Group Summary [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Users Removed From Group Summary [Windows Security]\"},\"gridData\":{\"h\":14,\"i\":\"40\",\"w\":17,\"x\":16,\"y\":81},\"panelIndex\":\"40\",\"panelRefName\":\"panel_5\",\"title\":\"Users Removed From Group Summary [Windows 
Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Membership Enumeration Summary [Windows Security]\"},\"gridData\":{\"h\":14,\"i\":\"42\",\"w\":15,\"x\":33,\"y\":81},\"panelIndex\":\"42\",\"panelRefName\":\"panel_6\",\"title\":\"Group Membership Enumeration Summary [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Details [Windows Security]\"},\"gridData\":{\"h\":22,\"i\":\"43\",\"w\":21,\"x\":27,\"y\":50},\"panelIndex\":\"43\",\"panelRefName\":\"panel_7\",\"title\":\"Logon Details [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"44\",\"w\":16,\"x\":0,\"y\":72},\"panelIndex\":\"44\",\"panelRefName\":\"panel_8\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"45\",\"w\":9,\"x\":18,\"y\":50},\"panelIndex\":\"45\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"46\",\"w\":9,\"x\":0,\"y\":50},\"panelIndex\":\"46\",\"panelRefName\":\"panel_10\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"47\",\"w\":9,\"x\":9,\"y\":50},\"panelIndex\":\"47\",\"panelRefName\":\"panel_11\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"48\",\"w\":17,\"x\":16,\"y\":72},\"panelIndex\":\"48\",\"panelRefName\":\"panel_12\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"49\",\"w\":15,\"x\":33,\"y\":72},\"panelIndex\":\"49\",\"panelRefName\":\"panel_13\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"51\",\"w\":48,\"x\":0,\"y\":95},\"panelIndex\":\"51\",\"panelRefName\":\"panel_14\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":8,\"i\":\"45614e1c-b2bb-4243-9a74-a4bdd0124c87\",\"w\":31,\"x\":17,\"y\":0},\"panelIndex\":\"45614e1c-b2bb-4243-9a74-a4bdd0124c87\"
,\"panelRefName\":\"panel_15\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"88e75800-8125-4c9e-96b8-5c36f6e91664\",\"w\":9,\"x\":21,\"y\":8},\"panelIndex\":\"88e75800-8125-4c9e-96b8-5c36f6e91664\",\"panelRefName\":\"panel_16\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"4b793b8e-72d4-42a2-b377-1c70f0307414\",\"w\":18,\"x\":30,\"y\":8},\"panelIndex\":\"4b793b8e-72d4-42a2-b377-1c70f0307414\",\"panelRefName\":\"panel_17\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"vis\":null},\"gridData\":{\"h\":21,\"i\":\"82d229f9-44f4-4c4b-baf7-f9673a14c87f\",\"w\":26,\"x\":0,\"y\":29},\"panelIndex\":\"82d229f9-44f4-4c4b-baf7-f9673a14c87f\",\"panelRefName\":\"panel_18\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-group-account\":\"#1F78C1\",\"added-member-to-group\":\"#0A437C\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#0A50A1\",\"type-changed-group-account\":\"#82B5D8\",\"user-member-enumerated\":\"#2F575E\"},\"vis\":{\"colors\":{\"added-group-account\":\"#1F78C1\",\"added-member-to-group\":\"#0A437C\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#0A50A1\",\"removed-member-from-group\":\"#82B5D8\",\"type-changed-group-account\":\"#82B5D8\",\"user-member-enumerated\":\"#2F575E\"}}},\"gridData\":{\"h\":21,\"i\":\"f44255b0-d9a8-479f-be3f-829c1f6ed794\",\"w\":22,\"x\":26,\"y\":29},\"panelIndex\":\"f44255b0-d9a8-479f-be3f-829c1f6ed794\",\"panelRefName\":\"panel_19\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-group-account\":\"#0A50A1\",\"added-member-to-group\":\"#1F78C1\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#0A437C\",\"user-member-enumerated\":\"#052B51\"},\"vis\":{\"colors\":{\"added-group-account\":\"#0A50A1\",\"added-member-to-group\":\"#1F78C1\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#0A437C\",\"user-member-enumerated\":\"#2F575E\"}}},\"gridData\":{\"h\":21,\"i\
":\"9c42bff2-b295-4617-8d8c-455bd5948b66\",\"w\":21,\"x\":0,\"y\":8},\"panelIndex\":\"9c42bff2-b295-4617-8d8c-455bd5948b66\",\"panelRefName\":\"panel_20\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[Windows Security] Group Management Events - Simple Metrics", - "version": 1 - }, - "id": "windows-01c54730-fee6-11e9-8405-516218e3d268", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-6f0f2ea0-f414-11e9-8405-516218e3d268", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-98884120-f49d-11e9-8405-516218e3d268", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-9e534190-f49d-11e9-8405-516218e3d268", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-bb9cf7a0-f49d-11e9-8405-516218e3d268", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-ce867840-f49e-11e9-8405-516218e3d268", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-fee83900-f49f-11e9-8405-516218e3d268", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-bc165210-f4b8-11e9-8405-516218e3d268", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "windows-7e178c80-fee1-11e9-8405-516218e3d268", - "name": "panel_7", - "type": "search" - }, - { - "id": "windows-a13bf640-fee8-11e9-8405-516218e3d268", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-5eeaafd0-fee7-11e9-8405-516218e3d268", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-f42f3b20-fee6-11e9-8405-516218e3d268", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "windows-b5f38780-fee6-11e9-8405-516218e3d268", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "windows-1b5f17d0-feea-11e9-8405-516218e3d268", - "name": "panel_12", - "type": "visualization" - }, - { - "id": "windows-0f2f5280-feeb-11e9-8405-516218e3d268", - "name": "panel_13", - 
"type": "visualization" - }, - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "panel_14", - "type": "search" - }, - { - "id": "windows-d770b040-9b35-11ea-87e4-49f31ec44891", - "name": "panel_15", - "type": "visualization" - }, - { - "id": "windows-33462600-9b47-11ea-87e4-49f31ec44891", - "name": "panel_16", - "type": "visualization" - }, - { - "id": "windows-58fb9480-9b46-11ea-87e4-49f31ec44891", - "name": "panel_17", - "type": "visualization" - }, - { - "id": "windows-e20c02d0-9b48-11ea-87e4-49f31ec44891", - "name": "panel_18", - "type": "visualization" - }, - { - "id": "windows-7de2e3f0-9b4d-11ea-87e4-49f31ec44891", - "name": "panel_19", - "type": "visualization" - }, - { - "id": "windows-b89b0c90-9b41-11ea-87e4-49f31ec44891", - "name": "panel_20", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/dashboard/system-035846a0-a249-11e9-a422-d144027429da.json b/packages/system/0.10.5/kibana/dashboard/system-035846a0-a249-11e9-a422-d144027429da.json deleted file mode 100644 index 59d3bd60ad..0000000000 --- a/packages/system/0.10.5/kibana/dashboard/system-035846a0-a249-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,89 +0,0 @@ -{ - "attributes": { - "description": "User logon activity dashboard with TSVB metrics.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:windows.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"Sesiones Usuarios Admin\"},\"gridData\":{\"h\":28,\"i\":\"1\",\"w\":18,\"x\":0,\"y\":38},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"title\":\"Sesiones Usuarios Admin\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":13,\"i\":\"2\",\"w\":9,\"x\":0,\"y\":6},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Usuarios Adm\"},\"gridData\":{\"h\":19,\"i\":\"3\",\"w\":18,\"x\":0,\"y\":19},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"title\":\"Usuarios Adm\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":6,\"i\":\"4\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Network Logon Details\"},\"gridData\":{\"h\":27,\"i\":\"10\",\"w\":22,\"x\":0,\"y\":66},\"panelIndex\":\"10\",\"panelRefName\":\"panel_4\",\"title\":\"Network Logon Details\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":6,\"i\":\"08245e0c-6afe-43ea-ba5f-76c3b17301fd\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"08245e0c-6afe-43ea-ba5f-76c3b17301fd\",\"panelRefName\":\"panel_5\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":13,\"i\":\"f403fdcc-6588-4573-a949-9e661783a2b8\",\"w\":9,\"x\":9,\"y\":6},\"panelIndex\":\"f403fdcc-6588-4573-a949-9e661783a2b8\",\"panelRefName\":\"panel_6\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Events 
Timeline\"},\"gridData\":{\"h\":13,\"i\":\"51a9affa-8e96-42bd-98e9-80531bdefc53\",\"w\":30,\"x\":18,\"y\":6},\"panelIndex\":\"51a9affa-8e96-42bd-98e9-80531bdefc53\",\"panelRefName\":\"panel_7\",\"title\":\"Logon Events Timeline\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Types\"},\"gridData\":{\"h\":19,\"i\":\"bbdca4de-11c5-4957-a74c-73769416a562\",\"w\":12,\"x\":18,\"y\":19},\"panelIndex\":\"bbdca4de-11c5-4957-a74c-73769416a562\",\"panelRefName\":\"panel_8\",\"title\":\"Logon Types\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"4df66ae6-e047-47c7-b1a9-b15221eb9d90\",\"w\":18,\"x\":30,\"y\":19},\"panelIndex\":\"4df66ae6-e047-47c7-b1a9-b15221eb9d90\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"RDP Reconnections and Desconnections\"},\"gridData\":{\"h\":28,\"i\":\"454bb008-9720-455e-8ab9-b2f47d25aa4f\",\"w\":19,\"x\":18,\"y\":38},\"panelIndex\":\"454bb008-9720-455e-8ab9-b2f47d25aa4f\",\"panelRefName\":\"panel_10\",\"title\":\"RDP Reconnections and Desconnections\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":28,\"i\":\"baec73e7-7166-4577-9483-1252bdd8773c\",\"w\":11,\"x\":37,\"y\":38},\"panelIndex\":\"baec73e7-7166-4577-9483-1252bdd8773c\",\"panelRefName\":\"panel_11\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logout Details\"},\"gridData\":{\"h\":27,\"i\":\"28115147-8399-4fcd-95ce-ed0a4f4239e3\",\"w\":26,\"x\":22,\"y\":66},\"panelIndex\":\"28115147-8399-4fcd-95ce-ed0a4f4239e3\",\"panelRefName\":\"panel_12\",\"title\":\"Logout Details\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[Windows Security] User Logons - Simple Metrics", - "version": 1 - }, - "id": "windows-035846a0-a249-11e9-a422-d144027429da", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-804dd400-a248-11e9-a422-d144027429da", - "name": "panel_0", - "type": "visualization" - 
}, - { - "id": "windows-5bb93ed0-a249-11e9-a422-d144027429da", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-e2516c10-a249-11e9-a422-d144027429da", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-18348f30-a24d-11e9-a422-d144027429da", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-ce71c9a0-a25e-11e9-a422-d144027429da", - "name": "panel_4", - "type": "search" - }, - { - "id": "windows-d770b040-9b35-11ea-87e4-49f31ec44891", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-2c71e0f0-9c0d-11ea-87e4-49f31ec44891", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "windows-abd44840-9c0f-11ea-87e4-49f31ec44891", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "windows-006d75f0-9c03-11ea-87e4-49f31ec44891", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-21aadac0-9c0b-11ea-87e4-49f31ec44891", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3", - "name": "panel_10", - "type": "search" - }, - { - "id": "windows-25f31ee0-9c23-11ea-87e4-49f31ec44891", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "windows-06b6b060-7a80-11ea-bc9a-0baf2ca323a3", - "name": "panel_12", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab.json b/packages/system/0.10.5/kibana/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab.json deleted file mode 100644 index 8814d936cf..0000000000 --- a/packages/system/0.10.5/kibana/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab.json +++ /dev/null 
@@ -1,53 +0,0 @@ -{ - "attributes": { - "description": "New users and groups dashboard for the System integration in Logs", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":12,\"i\":\"1\",\"w\":24,\"x\":0,\"y\":4},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"2\",\"w\":24,\"x\":24,\"y\":4},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":16},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"4\",\"w\":24,\"x\":24,\"y\":16},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":12,\"i\":\"5\",\"w\":24,\"x\":0,\"y\":28},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"6\",\"w\":24,\"x\":24,\"y\":28},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"7\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Logs System] New users and groups", - "version": 1 - }, - "id": "system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab", - "references": [ - { - "id": "system-f398d2f0-fa77-11e6-ae9b-81e5311e8cab", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-5dd15c00-fa78-11e6-ae9b-81e5311e8cab", - "name": "panel_1", - "type": 
"visualization" - }, - { - "id": "system-e121b140-fa78-11e6-a1df-a78bd7504d38", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "system-d56ee420-fa79-11e6-a1df-a78bd7504d38", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "system-12667040-fa80-11e6-a1df-a78bd7504d38", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "system-346bb290-fa80-11e6-a1df-a78bd7504d38", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "system-327417e0-8462-11e7-bab8-bd2f0fb42c54", - "name": "panel_6", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a.json b/packages/system/0.10.5/kibana/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a.json deleted file mode 100644 index 7c1b819642..0000000000 --- a/packages/system/0.10.5/kibana/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "description": "Sudo commands dashboard from the Logs System integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"2\",\"w\":48,\"x\":0,\"y\":36},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":16,\"i\":\"3\",\"w\":48,\"x\":0,\"y\":4},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"4\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Logs System] Sudo commands", - "version": 1 - }, - "id": "system-277876d0-fa2c-11e6-bbd3-29c986c96e5a", - "references": [ - { - "id": "system-5c7af030-fa2a-11e6-bbd3-29c986c96e5a", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-51164310-fa2b-11e6-bbd3-29c986c96e5a", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "system-dc589770-fa2b-11e6-bbd3-29c986c96e5a", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "system-327417e0-8462-11e7-bab8-bd2f0fb42c54", - "name": "panel_3", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a.json b/packages/system/0.10.5/kibana/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a.json deleted file mode 100644 index 34f78d0da6..0000000000 
--- a/packages/system/0.10.5/kibana/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a.json +++ /dev/null 
@@ -1,48 +0,0 @@ -{ - "attributes": { - "description": "SSH dashboard for the System integration in Logs", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":16},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"2\",\"w\":48,\"x\":0,\"y\":4},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":28},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"mapBounds\":{\"bottom_right\":{\"lat\":10.31491928581316,\"lon\":74.53125},\"top_left\":{\"lat\":60.50052541051131,\"lon\":-27.94921875}},\"mapCenter\":[39.774769485295465,23.203125],\"mapCollar\":{\"bottom_right\":{\"lat\":-14.777884999999998,\"lon\":125.771485},\"top_left\":{\"lat\":85.593335,\"lon\":-79.189455},\"zoom\":3},\"mapZoom\":3},\"gridData\":{\"h\":16,\"i\":\"4\",\"w\":24,\"x\":24,\"y\":28},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"columns\":[\"system.auth.ssh.event\",\"system.auth.ssh.method\",\"user.name\",\"source.ip\",\"source.geo.country_iso_code\"],\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"h\":12,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":44},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"6\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Logs System] SSH login attempts", - "version": 1 - }, - "id": "system-5517a150-f9ce-11e6-8115-a7c18106d86a", - "references": [ - { - "id": 
"system-d16bb400-f9cc-11e6-8115-a7c18106d86a", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-78b74f30-f9cd-11e6-8115-a7c18106d86a", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "system-341ffe70-f9ce-11e6-8115-a7c18106d86a", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "system-3cec3eb0-f9d3-11e6-8a3e-2b904044ea1d", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "system-62439dc0-f9c9-11e6-a747-6121780e0414", - "name": "panel_4", - "type": "search" - }, - { - "id": "system-327417e0-8462-11e7-bab8-bd2f0fb42c54", - "name": "panel_5", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/dashboard/system-71f720f0-ff18-11e9-8405-516218e3d268.json b/packages/system/0.10.5/kibana/dashboard/system-71f720f0-ff18-11e9-8405-516218e3d268.json deleted file mode 100644 index ade89f5b1b..0000000000 --- a/packages/system/0.10.5/kibana/dashboard/system-71f720f0-ff18-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,159 +0,0 @@ -{ - "attributes": { - "description": "User management activity.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":8,\"i\":\"1\",\"w\":17,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Created Users [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"3\",\"w\":9,\"x\":0,\"y\":56},\"panelIndex\":\"3\",\"panelRefName\":\"panel_1\",\"title\":\"Created Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Enabled Users [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"5\",\"w\":9,\"x\":9,\"y\":56},\"panelIndex\":\"5\",\"panelRefName\":\"panel_2\",\"title\":\"Enabled Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Disabled Users [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"6\",\"w\":9,\"x\":0,\"y\":79},\"panelIndex\":\"6\",\"panelRefName\":\"panel_3\",\"title\":\"Disabled Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Deleted Users [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"7\",\"w\":9,\"x\":18,\"y\":56},\"panelIndex\":\"7\",\"panelRefName\":\"panel_4\",\"title\":\"Deleted Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Passwords Changes [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"9\",\"w\":9,\"x\":18,\"y\":79},\"panelIndex\":\"9\",\"panelRefName\":\"panel_5\",\"title\":\"Passwords Changes [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Unlocked Users [Windows 
Security]\"},\"gridData\":{\"h\":16,\"i\":\"15\",\"w\":9,\"x\":9,\"y\":79},\"panelIndex\":\"15\",\"panelRefName\":\"panel_6\",\"title\":\"Unlocked Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Users Changes [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"16\",\"w\":9,\"x\":18,\"y\":102},\"panelIndex\":\"16\",\"panelRefName\":\"panel_7\",\"title\":\"Users Changes [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Locked-out Users [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"20\",\"w\":9,\"x\":0,\"y\":102},\"panelIndex\":\"20\",\"panelRefName\":\"panel_8\",\"title\":\"Locked-out Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":46,\"i\":\"22\",\"w\":21,\"x\":27,\"y\":72},\"panelIndex\":\"22\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"23\",\"w\":48,\"x\":0,\"y\":118},\"panelIndex\":\"23\",\"panelRefName\":\"panel_10\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"24\",\"w\":9,\"x\":0,\"y\":72},\"panelIndex\":\"24\",\"panelRefName\":\"panel_11\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"25\",\"w\":9,\"x\":9,\"y\":49},\"panelIndex\":\"25\",\"panelRefName\":\"panel_12\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"26\",\"w\":9,\"x\":18,\"y\":49},\"panelIndex\":\"26\",\"panelRefName\":\"panel_13\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"27\",\"w\":9,\"x\":0,\"y\":49},\"panelIndex\":\"27\",\"panelRefName\":\"panel_14\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"28\",\"w\":9,\"x\":9,\"y\":72},\"panelIndex\":\"28\",\"panelRefName\":\"panel_15\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"29\",\"w\":9,\
"x\":18,\"y\":72},\"panelIndex\":\"29\",\"panelRefName\":\"panel_16\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"30\",\"w\":9,\"x\":0,\"y\":95},\"panelIndex\":\"30\",\"panelRefName\":\"panel_17\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"31\",\"w\":9,\"x\":18,\"y\":95},\"panelIndex\":\"31\",\"panelRefName\":\"panel_18\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"32\",\"w\":9,\"x\":9,\"y\":95},\"panelIndex\":\"32\",\"panelRefName\":\"panel_19\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"33\",\"w\":9,\"x\":9,\"y\":102},\"panelIndex\":\"33\",\"panelRefName\":\"panel_20\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":8,\"i\":\"cf0adfac-7cf2-479d-8ddb-1edeee62d37c\",\"w\":31,\"x\":17,\"y\":0},\"panelIndex\":\"cf0adfac-7cf2-479d-8ddb-1edeee62d37c\",\"panelRefName\":\"panel_21\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-user-account\":\"#447EBC\",\"deleted-user-account\":\"#82B5D8\",\"disabled-user-account\":\"#82B5D8\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#2F575E\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\"},\"vis\":{\"colors\":{\"added-user-account\":\"#447EBC\",\"deleted-user-account\":\"#82B5D8\",\"disabled-user-account\":\"#82B5D8\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#2F575E\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\",\"unlocked-user-account\":\"#64B0C8\"}}},\"gridData\":{\"h\":16,\"i\":\"a2871661-98a8-489b-b615-e66ebe3b971a\",\"w\":17,\"x\":0,\"y\":8},\"panelIndex\":\"a2871661-98a8-489b-b615-e66ebe3b971a\",\"panelRefName\":\"panel_22\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"e80fae4a-6087-41e1-b4b9-31802cb1e4bf\",\"w\":18,\"x\":30,\"y\":8},\"panelIndex\":\"e80fae4a-6087-41e1-b4b9-31
802cb1e4bf\",\"panelRefName\":\"panel_23\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"dd3e12e6-0d3c-448e-b0c4-91f7dc8742b6\",\"w\":13,\"x\":17,\"y\":8},\"panelIndex\":\"dd3e12e6-0d3c-448e-b0c4-91f7dc8742b6\",\"panelRefName\":\"panel_24\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Actions performed over Users [Windows Security]\",\"vis\":null},\"gridData\":{\"h\":25,\"i\":\"29f54335-78db-4c49-a3e0-a641fd0099f6\",\"w\":48,\"x\":0,\"y\":24},\"panelIndex\":\"29f54335-78db-4c49-a3e0-a641fd0099f6\",\"panelRefName\":\"panel_25\",\"title\":\"Actions performed over Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-user-account\":\"#0A437C\",\"deleted-user-account\":\"#5195CE\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#052B51\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\"},\"vis\":{\"colors\":{\"added-user-account\":\"#0A437C\",\"deleted-user-account\":\"#5195CE\",\"disabled-user-account\":\"#82B5D8\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#052B51\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\"}}},\"gridData\":{\"h\":23,\"i\":\"1ec8b993-9ac1-4c7f-b7f7-5136f2e310aa\",\"w\":21,\"x\":27,\"y\":49},\"panelIndex\":\"1ec8b993-9ac1-4c7f-b7f7-5136f2e310aa\",\"panelRefName\":\"panel_26\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[Windows Security] User Management Events", - "version": 1 - }, - "id": "windows-71f720f0-ff18-11e9-8405-516218e3d268", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf", - "name": "panel_2", - "type": "visualization" - }, 
- { - "id": "windows-8f20c950-bcd4-11e9-b6a2-c9b4015c4baf", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-da2110c0-bcea-11e9-b6a2-c9b4015c4baf", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "windows-abf96c10-bcea-11e9-b6a2-c9b4015c4baf", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "windows-4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-7e178c80-fee1-11e9-8405-516218e3d268", - "name": "panel_9", - "type": "search" - }, - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "panel_10", - "type": "search" - }, - { - "id": "windows-97c70300-ff1c-11e9-8405-516218e3d268", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "windows-bf45dc50-ff1a-11e9-8405-516218e3d268", - "name": "panel_12", - "type": "visualization" - }, - { - "id": "windows-7322f9f0-ff1c-11e9-8405-516218e3d268", - "name": "panel_13", - "type": "visualization" - }, - { - "id": "windows-d3a5fec0-ff18-11e9-8405-516218e3d268", - "name": "panel_14", - "type": "visualization" - }, - { - "id": "windows-1b6725f0-ff1d-11e9-8405-516218e3d268", - "name": "panel_15", - "type": "visualization" - }, - { - "id": "windows-60301890-ff1d-11e9-8405-516218e3d268", - "name": "panel_16", - "type": "visualization" - }, - { - "id": "windows-9dd22440-ff1d-11e9-8405-516218e3d268", - "name": "panel_17", - "type": "visualization" - }, - { - "id": "windows-c9d959f0-ff1d-11e9-8405-516218e3d268", - "name": "panel_18", - "type": "visualization" - }, - { - "id": "windows-1f271bc0-231a-11ea-8405-516218e3d268", - "name": "panel_19", - "type": "visualization" - }, - { - "id": "windows-fa876300-231a-11ea-8405-516218e3d268", - "name": "panel_20", - "type": 
"visualization" - }, - { - "id": "windows-a3c3f350-9b6d-11ea-87e4-49f31ec44891", - "name": "panel_21", - "type": "visualization" - }, - { - "id": "windows-26877510-9b72-11ea-87e4-49f31ec44891", - "name": "panel_22", - "type": "visualization" - }, - { - "id": "windows-117f5a30-9b71-11ea-87e4-49f31ec44891", - "name": "panel_23", - "type": "visualization" - }, - { - "id": "windows-5c9ee410-9b74-11ea-87e4-49f31ec44891", - "name": "panel_24", - "type": "visualization" - }, - { - "id": "windows-aa31c9d0-9b75-11ea-87e4-49f31ec44891", - "name": "panel_25", - "type": "visualization" - }, - { - "id": "windows-caf4d2b0-9b76-11ea-87e4-49f31ec44891", - "name": "panel_26", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8.json b/packages/system/0.10.5/kibana/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8.json deleted file mode 100644 index 4dba98af12..0000000000 --- a/packages/system/0.10.5/kibana/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8.json +++ /dev/null 
@@ -1,133 +0,0 @@ -{ - "attributes": { - "description": "Overview of host metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"1\",\"w\":24,\"x\":0,\"y\":55},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"2\",\"w\":24,\"x\":24,\"y\":25},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"3\",\"w\":24,\"x\":24,\"y\":55},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"4\",\"w\":24,\"x\":0,\"y\":40},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":70},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":24,\"x\":0,\"y\":70},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"7\",\"w\":24,\"x\":0,\"y\":25},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"8\",\"w\":24,\"x\":24,\"y\":40},\"panelIndex\":\"8\",\"panelRefName\":\"panel_7\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"9\",\"w\":8,\"x\":16,\"y\":5},\"panelIndex\":\"9\",\"panelRefName\":\"panel_8\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"10\",\"w\":8,\"x\":0,\"y\":5},\"panelIndex\":\"10\",\"panelRefName\":\"panel_9\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"11\",\"w\":8,\"x\":8,
\"y\":5},\"panelIndex\":\"11\",\"panelRefName\":\"panel_10\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"12\",\"w\":8,\"x\":24,\"y\":5},\"panelIndex\":\"12\",\"panelRefName\":\"panel_11\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"13\",\"w\":8,\"x\":32,\"y\":5},\"panelIndex\":\"13\",\"panelRefName\":\"panel_12\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"14\",\"w\":16,\"x\":32,\"y\":15},\"panelIndex\":\"14\",\"panelRefName\":\"panel_13\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":5,\"i\":\"16\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"16\",\"panelRefName\":\"panel_14\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"21\",\"w\":8,\"x\":0,\"y\":15},\"panelIndex\":\"21\",\"panelRefName\":\"panel_15\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"22\",\"w\":8,\"x\":8,\"y\":15},\"panelIndex\":\"22\",\"panelRefName\":\"panel_16\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"23\",\"w\":8,\"x\":24,\"y\":15},\"panelIndex\":\"23\",\"panelRefName\":\"panel_17\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"25\",\"w\":8,\"x\":40,\"y\":5},\"panelIndex\":\"25\",\"panelRefName\":\"panel_18\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"27\",\"w\":24,\"x\":0,\"y\":85},\"panelIndex\":\"27\",\"panelRefName\":\"panel_19\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"28\",\"w\":24,\"x\":24,\"y\":85},\"panelIndex\":\"28\",\"panelRefName\":\"panel_20\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":10,\"i\":\"29\",\"w\":8,\"x\":16,\"y\":15},\"panelIndex\":\"29\",\"panelRefName\":\"panel_21\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":5,\"i\":\"30\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"30\",\"panelRefName\":\"panel_22\",\"version\":\"7.6.0\"}]", - "timeRestore": false, - "title": "[Metrics System] Host overview", - "version": 1 - }, - "id": "system-79ffd6e0-faa0-11e6-947f-177f697178b8", - "references": [ - { - "id": "system-6b7b9a40-faa1-11e6-86b1-cd7735ff7e23", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-4d546850-1b15-11e7-b09e-037021c4f8df", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "system-089b85d0-1b16-11e7-b09e-037021c4f8df", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "system-bfa5e400-1b16-11e7-b09e-037021c4f8df", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "system-e0f001c0-1b18-11e7-b09e-037021c4f8df", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "system-2e224660-1b19-11e7-b09e-037021c4f8df", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "system-ab2d1e90-1b1a-11e7-b09e-037021c4f8df", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "system-4e4bb1e0-1b1b-11e7-b09e-037021c4f8df", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "system-26732e20-1b91-11e7-bec4-a5e9ec5cab8b", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "system-1aae9140-1b93-11e7-8ada-3df93aab833e", - "name": "panel_12", - "type": "visualization" - }, - { - "id": "system-34f97ee0-1b96-11e7-8ada-3df93aab833e", - 
"name": "panel_13", - "type": "visualization" - }, - { - "id": "system-Navigation", - "name": "panel_14", - "type": "visualization" - }, - { - "id": "system-19e123b0-4d5a-11e7-aee5-fdc812cc3bec", - "name": "panel_15", - "type": "visualization" - }, - { - "id": "system-d2e80340-4d5c-11e7-aa29-87a97a796de6", - "name": "panel_16", - "type": "visualization" - }, - { - "id": "system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32", - "name": "panel_17", - "type": "visualization" - }, - { - "id": "system-96976150-4d5d-11e7-aa29-87a97a796de6", - "name": "panel_18", - "type": "visualization" - }, - { - "id": "system-99381c80-4d60-11e7-9a4c-ed99bbcaa42b", - "name": "panel_19", - "type": "visualization" - }, - { - "id": "system-c5e3cf90-4d60-11e7-9a4c-ed99bbcaa42b", - "name": "panel_20", - "type": "visualization" - }, - { - "id": "system-590a60f0-5d87-11e7-8884-1bb4c3b890e4", - "name": "panel_21", - "type": "visualization" - }, - { - "id": "system-3d65d450-a9c3-11e7-af20-67db8aecb295", - "name": "panel_22", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/dashboard/system-8223bed0-b9e9-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.5/kibana/dashboard/system-8223bed0-b9e9-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 66ca04e54e..0000000000 --- a/packages/system/0.10.5/kibana/dashboard/system-8223bed0-b9e9-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,159 +0,0 @@ -{ - "attributes": { - "description": "User management activity with TSVB metrics.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"1\",\"w\":17,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Created Users [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"3\",\"w\":9,\"x\":0,\"y\":55},\"panelIndex\":\"3\",\"panelRefName\":\"panel_1\",\"title\":\"Created Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Enabled Users [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"5\",\"w\":9,\"x\":9,\"y\":55},\"panelIndex\":\"5\",\"panelRefName\":\"panel_2\",\"title\":\"Enabled Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Disabled Users [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"6\",\"w\":9,\"x\":0,\"y\":80},\"panelIndex\":\"6\",\"panelRefName\":\"panel_3\",\"title\":\"Disabled Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Deleted Users [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"7\",\"w\":9,\"x\":18,\"y\":55},\"panelIndex\":\"7\",\"panelRefName\":\"panel_4\",\"title\":\"Deleted Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Passwords Changes [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"9\",\"w\":9,\"x\":18,\"y\":80},\"panelIndex\":\"9\",\"panelRefName\":\"panel_5\",\"title\":\"Passwords Changes [Windows 
Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"10\",\"w\":9,\"x\":0,\"y\":46},\"panelIndex\":\"10\",\"panelRefName\":\"panel_6\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"11\",\"w\":9,\"x\":9,\"y\":46},\"panelIndex\":\"11\",\"panelRefName\":\"panel_7\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"12\",\"w\":9,\"x\":18,\"y\":46},\"panelIndex\":\"12\",\"panelRefName\":\"panel_8\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"13\",\"w\":9,\"x\":0,\"y\":71},\"panelIndex\":\"13\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"14\",\"w\":9,\"x\":18,\"y\":71},\"panelIndex\":\"14\",\"panelRefName\":\"panel_10\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Unlocked Users [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"15\",\"w\":9,\"x\":9,\"y\":80},\"panelIndex\":\"15\",\"panelRefName\":\"panel_11\",\"title\":\"Unlocked Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Users Changes [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"16\",\"w\":9,\"x\":18,\"y\":105},\"panelIndex\":\"16\",\"panelRefName\":\"panel_12\",\"title\":\"Users Changes [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"17\",\"w\":9,\"x\":0,\"y\":96},\"panelIndex\":\"17\",\"panelRefName\":\"panel_13\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"18\",\"w\":9,\"x\":9,\"y\":71},\"panelIndex\":\"18\",\"panelRefName\":\"panel_14\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"19\",\"w\":9,\"x\":18,\"y\":96},\"panelIndex\":\"19\",\"panelRefName\":\"panel_15\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Locked-out Users 
[Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"20\",\"w\":9,\"x\":0,\"y\":105},\"panelIndex\":\"20\",\"panelRefName\":\"panel_16\",\"title\":\"Locked-out Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":48,\"i\":\"22\",\"w\":21,\"x\":27,\"y\":73},\"panelIndex\":\"22\",\"panelRefName\":\"panel_17\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"23\",\"w\":48,\"x\":0,\"y\":121},\"panelIndex\":\"23\",\"panelRefName\":\"panel_18\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"24\",\"w\":9,\"x\":9,\"y\":96},\"panelIndex\":\"24\",\"panelRefName\":\"panel_19\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"25\",\"w\":9,\"x\":9,\"y\":105},\"panelIndex\":\"25\",\"panelRefName\":\"panel_20\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"20adcb1b-cebf-4a75-9bc4-eaeeee626c5e\",\"w\":31,\"x\":17,\"y\":0},\"panelIndex\":\"20adcb1b-cebf-4a75-9bc4-eaeeee626c5e\",\"panelRefName\":\"panel_21\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-user-account\":\"#0A437C\",\"deleted-user-account\":\"#82B5D8\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#052B51\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\"},\"vis\":{\"colors\":{\"added-user-account\":\"#0A437C\",\"deleted-user-account\":\"#82B5D8\",\"disabled-user-account\":\"#BADFF4\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#052B51\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\"}}},\"gridData\":{\"h\":19,\"i\":\"8aad73ff-37b1-487a-a3f1-b80b93618ac4\",\"w\":18,\"x\":0,\"y\":7},\"panelIndex\":\"8aad73ff-37b1-487a-a3f1-b80b93618ac4\",\"panelRefName\":\"panel_22\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"18cc78ac-3f77-4f54-b351-cb94873cae3f\",\"w\":14,\"x\":18,\"y\":7},\"panelIndex\":\"18cc78ac
-3f77-4f54-b351-cb94873cae3f\",\"panelRefName\":\"panel_23\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"75f5f1fc-bc7c-4f8f-8e5b-0a52d525aa7d\",\"w\":16,\"x\":32,\"y\":7},\"panelIndex\":\"75f5f1fc-bc7c-4f8f-8e5b-0a52d525aa7d\",\"panelRefName\":\"panel_24\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Actions performed over Users [Windows Security]\",\"vis\":null},\"gridData\":{\"h\":20,\"i\":\"f443b5b0-ada7-426f-ae2f-46573f94f24f\",\"w\":48,\"x\":0,\"y\":26},\"panelIndex\":\"f443b5b0-ada7-426f-ae2f-46573f94f24f\",\"panelRefName\":\"panel_25\",\"title\":\"Actions performed over Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-user-account\":\"#0A437C\",\"deleted-user-account\":\"#82B5D8\",\"disabled-user-account\":\"#BADFF4\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#2F575E\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\"},\"vis\":{\"colors\":{\"added-user-account\":\"#0A437C\",\"deleted-user-account\":\"#82B5D8\",\"disabled-user-account\":\"#BADFF4\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#2F575E\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\",\"unlocked-user-account\":\"#0A437C\"}}},\"gridData\":{\"h\":27,\"i\":\"820c0311-d378-49dc-a614-e0fed2254603\",\"w\":21,\"x\":27,\"y\":46},\"panelIndex\":\"820c0311-d378-49dc-a614-e0fed2254603\",\"panelRefName\":\"panel_26\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[Windows Security] User Management Events - Simple Metric", - "version": 1 - }, - "id": "windows-8223bed0-b9e9-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf", - "name": "panel_1", - "type": "visualization" - }, - 
{ - "id": "windows-0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-8f20c950-bcd4-11e9-b6a2-c9b4015c4baf", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-102efd20-bcdd-11e9-b6a2-c9b4015c4baf", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "windows-855957d0-bcdd-11e9-b6a2-c9b4015c4baf", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "windows-c359b020-bcdd-11e9-b6a2-c9b4015c4baf", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-0cb2d940-bcde-11e9-b6a2-c9b4015c4baf", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-568a8130-bcde-11e9-b6a2-c9b4015c4baf", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "windows-da2110c0-bcea-11e9-b6a2-c9b4015c4baf", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "windows-abf96c10-bcea-11e9-b6a2-c9b4015c4baf", - "name": "panel_12", - "type": "visualization" - }, - { - "id": "windows-84502430-bce8-11e9-b6a2-c9b4015c4baf", - "name": "panel_13", - "type": "visualization" - }, - { - "id": "windows-ab6f8d80-bce8-11e9-b6a2-c9b4015c4baf", - "name": "panel_14", - "type": "visualization" - }, - { - "id": "windows-5d92b100-bce8-11e9-b6a2-c9b4015c4baf", - "name": "panel_15", - "type": "visualization" - }, - { - "id": "windows-4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf", - "name": "panel_16", - "type": "visualization" - }, - { - "id": "windows-7e178c80-fee1-11e9-8405-516218e3d268", - "name": "panel_17", - "type": "search" - }, - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "panel_18", - "type": "search" - }, - { - "id": "windows-5e19ff80-231c-11ea-8405-516218e3d268", - "name": "panel_19", - "type": 
"visualization" - }, - { - "id": "windows-fa876300-231a-11ea-8405-516218e3d268", - "name": "panel_20", - "type": "visualization" - }, - { - "id": "windows-d770b040-9b35-11ea-87e4-49f31ec44891", - "name": "panel_21", - "type": "visualization" - }, - { - "id": "windows-26877510-9b72-11ea-87e4-49f31ec44891", - "name": "panel_22", - "type": "visualization" - }, - { - "id": "windows-5c9ee410-9b74-11ea-87e4-49f31ec44891", - "name": "panel_23", - "type": "visualization" - }, - { - "id": "windows-117f5a30-9b71-11ea-87e4-49f31ec44891", - "name": "panel_24", - "type": "visualization" - }, - { - "id": "windows-aa31c9d0-9b75-11ea-87e4-49f31ec44891", - "name": "panel_25", - "type": "visualization" - }, - { - "id": "windows-caf4d2b0-9b76-11ea-87e4-49f31ec44891", - "name": "panel_26", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/dashboard/system-Filebeat-syslog-dashboard.json b/packages/system/0.10.5/kibana/dashboard/system-Filebeat-syslog-dashboard.json deleted file mode 100644 index e853fd4613..0000000000 --- a/packages/system/0.10.5/kibana/dashboard/system-Filebeat-syslog-dashboard.json +++ /dev/null 
@@ -1,38 +0,0 @@
-{
- "attributes": {
- "description": "Syslog dashboard from the Logs System integration",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}"
- },
- "optionsJSON": "{\"darkTheme\":false}",
- "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"1\",\"w\":32,\"x\":0,\"y\":4},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"2\",\"w\":16,\"x\":32,\"y\":4},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"columns\":[\"host.hostname\",\"process.name\",\"message\"],\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"h\":28,\"i\":\"3\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"4\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\"}]",
- "timeRestore": false,
- "title": "[Logs System] Syslog dashboard",
- "version": 1
- },
- "id": "system-Filebeat-syslog-dashboard",
- "references": [
- {
- "id": "system-Syslog-events-by-hostname",
- "name": "panel_0",
- "type": "visualization"
- },
- {
- "id": "system-Syslog-hostnames-and-processes",
- "name": "panel_1",
- "type": "visualization"
- },
- {
- "id": "system-Syslog-system-logs",
- "name": "panel_2",
- "type": "search"
- },
- {
- "id": "system-327417e0-8462-11e7-bab8-bd2f0fb42c54",
- "name": "panel_3",
- "type": "visualization"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.5/kibana/dashboard/system-Metricbeat-system-overview.json b/packages/system/0.10.5/kibana/dashboard/system-Metricbeat-system-overview.json
deleted file mode 100644
index 286c979eb2..0000000000
--- a/packages/system/0.10.5/kibana/dashboard/system-Metricbeat-system-overview.json
+++ /dev/null
@@ -1,68 +0,0 @@
-{
- "attributes": {
- "description": "Overview of system metrics",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}"
- },
- "optionsJSON": "{\"darkTheme\":false}",
- "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"9\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"9\",\"panelRefName\":\"panel_0\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"11\",\"w\":8,\"x\":0,\"y\":4},\"panelIndex\":\"11\",\"panelRefName\":\"panel_1\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":20,\"i\":\"12\",\"w\":24,\"x\":24,\"y\":12},\"panelIndex\":\"12\",\"panelRefName\":\"panel_2\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"13\",\"w\":24,\"x\":0,\"y\":12},\"panelIndex\":\"13\",\"panelRefName\":\"panel_3\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0% - 15%\":\"rgb(247,252,245)\",\"15% - 30%\":\"rgb(199,233,192)\",\"30% - 45%\":\"rgb(116,196,118)\",\"45% - 60%\":\"rgb(35,139,69)\"}}},\"gridData\":{\"h\":24,\"i\":\"14\",\"w\":48,\"x\":0,\"y\":32},\"panelIndex\":\"14\",\"panelRefName\":\"panel_4\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"16\",\"w\":8,\"x\":32,\"y\":4},\"panelIndex\":\"16\",\"panelRefName\":\"panel_5\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"17\",\"w\":8,\"x\":40,\"y\":4},\"panelIndex\":\"17\",\"panelRefName\":\"panel_6\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"18\",\"w\":8,\"x\":24,\"y\":4},\"panelIndex\":\"18\",\"panelRefName\":\"panel_7\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"19\",\"w\":8,\"x\":16,\"y\":4},\"panelIndex\":\"19\",\"panelRefName\":\"panel_8\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"20\",\"w\":8,\"x\":8,\"y\":4},\"panelIndex\":\"20\",\"panelRefName\":\"panel_9\",\"version\":\"7.6.0\"}]",
- "timeRestore": false,
- "title": "[Metrics System] Overview",
- "version": 1
- },
- "id": "system-Metrics-system-overview",
- "references": [
- {
- "id": "system-Navigation",
- "name": "panel_0",
- "type": "visualization"
- },
- {
- "id": "system-c6f2ffd0-4d17-11e7-a196-69b9a7a020a9",
- "name": "panel_1",
- "type": "visualization"
- },
- {
- "id": "system-fe064790-1b1f-11e7-bec4-a5e9ec5cab8b",
- "name": "panel_2",
- "type": "visualization"
- },
- {
- "id": "system-855899e0-1b1c-11e7-b09e-037021c4f8df",
- "name": "panel_3",
- "type": "visualization"
- },
- {
- "id": "system-7cdb1330-4d1a-11e7-a196-69b9a7a020a9",
- "name": "panel_4",
- "type": "visualization"
- },
- {
- "id": "system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b",
- "name": "panel_5",
- "type": "visualization"
- },
- {
- "id": "system-1aae9140-1b93-11e7-8ada-3df93aab833e",
- "name": "panel_6",
- "type": "visualization"
- },
- {
- "id": "system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32",
- "name": "panel_7",
- "type": "visualization"
- },
- {
- "id": "system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b",
- "name": "panel_8",
- "type": "visualization"
- },
- {
- "id": "system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b",
- "name": "panel_9",
- "type": "visualization"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.5/kibana/dashboard/system-Winlogbeat-Dashboard.json b/packages/system/0.10.5/kibana/dashboard/system-Winlogbeat-Dashboard.json
deleted file mode 100644
index 84aad582de..0000000000
--- a/packages/system/0.10.5/kibana/dashboard/system-Winlogbeat-Dashboard.json
+++ /dev/null
@@ -1,49 +0,0 @@
-{
- "attributes": {
- "description": "Overview of all Windows Event Logs.",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:system.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:system.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system OR data_stream.dataset:system.system)\"}}"
- },
- "optionsJSON": "{\"darkTheme\":false}",
- "panelsJSON": "[{\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"gridData\":{\"h\":20,\"i\":\"3\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"4\",\"w\":16,\"x\":16,\"y\":20},\"panelIndex\":\"4\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"gridData\":{\"h\":20,\"i\":\"5\",\"w\":16,\"x\":32,\"y\":20},\"panelIndex\":\"5\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"gridData\":{\"h\":20,\"i\":\"6\",\"w\":16,\"x\":0,\"y\":20},\"panelIndex\":\"6\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"}]",
- "timeRestore": false,
- "title": "[Windows] Overview",
- "version": 1
- },
- "id": "Windows-Dashboard",
- "migrationVersion": {
- "dashboard": "7.3.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "windows-Number-of-Events-Over-Time-By-Event-Log",
- "name": "panel_0",
- "type": "visualization"
- },
- {
- "id": "windows-Number-of-Events",
- "name": "panel_1",
- "type": "visualization"
- },
- {
- "id": "windows-Top-Event-IDs",
- "name": "panel_2",
- "type": "visualization"
- },
- {
- "id": "windows-Event-Levels",
- "name": "panel_3",
- "type": "visualization"
- },
- {
- "id": "windows-Sources",
- "name": "panel_4",
- "type": "visualization"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.5/kibana/dashboard/system-bae11b00-9bfc-11ea-87e4-49f31ec44891.json b/packages/system/0.10.5/kibana/dashboard/system-bae11b00-9bfc-11ea-87e4-49f31ec44891.json
deleted file mode 100644
index 5ab48a3062..0000000000
--- a/packages/system/0.10.5/kibana/dashboard/system-bae11b00-9bfc-11ea-87e4-49f31ec44891.json
+++ /dev/null
@@ -1,89 +0,0 @@ -{ - "attributes": { - "description": "User logon activity dashboard.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"Admin Users Sessions\"},\"gridData\":{\"h\":28,\"i\":\"1\",\"w\":18,\"x\":0,\"y\":34},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"title\":\"Admin Users Sessions\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"AdminLocalSta\":\"#890F02\",\"SERVICIO LOCAL\":\"#508642\"},\"legendOpen\":true,\"title\":\"Administrators Logged On\",\"vis\":{\"colors\":{\"AdminLocalSta\":\"#890F02\",\"NETWORK SERVICE\":\"#1F78C1\",\"SERVICIO LOCAL\":\"#508642\"},\"legendOpen\":true}},\"gridData\":{\"h\":18,\"i\":\"3\",\"w\":18,\"x\":0,\"y\":16},\"panelIndex\":\"3\",\"panelRefName\":\"panel_1\",\"title\":\"Administrators Logged On\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":6,\"i\":\"4\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_2\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Details\"},\"gridData\":{\"h\":47,\"i\":\"10\",\"w\":23,\"x\":0,\"y\":62},\"panelIndex\":\"10\",\"panelRefName\":\"panel_3\",\"title\":\"Logon 
Details\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":6,\"i\":\"34fc9633-8a7c-444d-8d19-06095b55fb43\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"34fc9633-8a7c-444d-8d19-06095b55fb43\",\"panelRefName\":\"panel_4\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":10,\"i\":\"67d2409d-3e51-45d5-972f-32a36537e622\",\"w\":9,\"x\":0,\"y\":6},\"panelIndex\":\"67d2409d-3e51-45d5-972f-32a36537e622\",\"panelRefName\":\"panel_5\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":10,\"i\":\"33d05ce3-f60d-4a31-a668-aa6fab0cc800\",\"w\":9,\"x\":9,\"y\":6},\"panelIndex\":\"33d05ce3-f60d-4a31-a668-aa6fab0cc800\",\"panelRefName\":\"panel_6\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Events Timeline\"},\"gridData\":{\"h\":13,\"i\":\"7b3906e6-3a81-450c-bb31-ca0d670440b7\",\"w\":30,\"x\":18,\"y\":6},\"panelIndex\":\"7b3906e6-3a81-450c-bb31-ca0d670440b7\",\"panelRefName\":\"panel_7\",\"title\":\"Logon Events Timeline\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"CachedInteractive\":\"#6ED0E0\",\"Interactive\":\"#2F575E\",\"Network\":\"#447EBC\",\"RemoteInteractive\":\"#64B0C8\",\"Service\":\"#6ED0E0\",\"Unlock\":\"#BADFF4\"},\"legendOpen\":true,\"title\":\"Logon Types\",\"vis\":{\"colors\":{\"CachedInteractive\":\"#6ED0E0\",\"Interactive\":\"#2F575E\",\"Network\":\"#447EBC\",\"RemoteInteractive\":\"#64B0C8\",\"Service\":\"#65C5DB\",\"Unlock\":\"#BADFF4\"},\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"cf50b48e-453c-46fb-ad35-7ccfb7b03de0\",\"w\":15,\"x\":18,\"y\":19},\"panelIndex\":\"cf50b48e-453c-46fb-ad35-7ccfb7b03de0\",\"panelRefName\":\"panel_8\",\"title\":\"Logon 
Types\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"a743ffe5-a2ac-4c0b-9b6f-a81563140c42\",\"w\":15,\"x\":33,\"y\":19},\"panelIndex\":\"a743ffe5-a2ac-4c0b-9b6f-a81563140c42\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"RDP Reconnections and Desconnections\"},\"gridData\":{\"h\":28,\"i\":\"454bb008-9720-455e-8ab9-b2f47d25aa4f\",\"w\":18,\"x\":18,\"y\":34},\"panelIndex\":\"454bb008-9720-455e-8ab9-b2f47d25aa4f\",\"panelRefName\":\"panel_10\",\"title\":\"RDP Reconnections and Desconnections\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":28,\"i\":\"29a0e70a-ab23-4d48-8d4e-9a39c5af47ad\",\"w\":12,\"x\":36,\"y\":34},\"panelIndex\":\"29a0e70a-ab23-4d48-8d4e-9a39c5af47ad\",\"panelRefName\":\"panel_11\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logout Details\"},\"gridData\":{\"h\":46,\"i\":\"28115147-8399-4fcd-95ce-ed0a4f4239e3\",\"w\":25,\"x\":23,\"y\":62},\"panelIndex\":\"28115147-8399-4fcd-95ce-ed0a4f4239e3\",\"panelRefName\":\"panel_12\",\"title\":\"Logout Details\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[Windows Security] User Logons", - "version": 1 - }, - "id": "windows-bae11b00-9bfc-11ea-87e4-49f31ec44891", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-804dd400-a248-11e9-a422-d144027429da", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-e2516c10-a249-11e9-a422-d144027429da", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-18348f30-a24d-11e9-a422-d144027429da", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-ce71c9a0-a25e-11e9-a422-d144027429da", - "name": "panel_3", - "type": "search" - }, - { - "id": "windows-a3c3f350-9b6d-11ea-87e4-49f31ec44891", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-0622da40-9bfd-11ea-87e4-49f31ec44891", - "name": 
"panel_5", - "type": "visualization" - }, - { - "id": "windows-860706a0-9bfd-11ea-87e4-49f31ec44891", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "windows-a909b930-685f-11ea-896f-0d70f7ec3956", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "windows-006d75f0-9c03-11ea-87e4-49f31ec44891", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-21aadac0-9c0b-11ea-87e4-49f31ec44891", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3", - "name": "panel_10", - "type": "search" - }, - { - "id": "windows-25f31ee0-9c23-11ea-87e4-49f31ec44891", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "windows-06b6b060-7a80-11ea-bc9a-0baf2ca323a3", - "name": "panel_12", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/dashboard/system-bb858830-f412-11e9-8405-516218e3d268.json b/packages/system/0.10.5/kibana/dashboard/system-bb858830-f412-11e9-8405-516218e3d268.json deleted file mode 100644 index b379eea763..0000000000 --- a/packages/system/0.10.5/kibana/dashboard/system-bb858830-f412-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,129 +0,0 @@ -{ - "attributes": { - "description": "Group management activity.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"22\",\"w\":16,\"x\":0,\"y\":0},\"panelIndex\":\"22\",\"panelRefName\":\"panel_0\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"29\",\"w\":16,\"x\":0,\"y\":68},\"panelIndex\":\"29\",\"panelRefName\":\"panel_1\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"30\",\"w\":9,\"x\":18,\"y\":48},\"panelIndex\":\"30\",\"panelRefName\":\"panel_2\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"31\",\"w\":9,\"x\":0,\"y\":48},\"panelIndex\":\"31\",\"panelRefName\":\"panel_3\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"32\",\"w\":9,\"x\":9,\"y\":48},\"panelIndex\":\"32\",\"panelRefName\":\"panel_4\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"33\",\"w\":17,\"x\":16,\"y\":68},\"panelIndex\":\"33\",\"panelRefName\":\"panel_5\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"34\",\"w\":15,\"x\":33,\"y\":68},\"panelIndex\":\"34\",\"panelRefName\":\"panel_6\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Creation Summary [Windows Security]\"},\"gridData\":{\"h\":13,\"i\":\"36\",\"w\":9,\"x\":0,\"y\":55},\"panelIndex\":\"36\",\"panelRefName\":\"panel_7\",\"title\":\"Group Creation Summary [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Changes Summary [Windows 
Security]\"},\"gridData\":{\"h\":13,\"i\":\"37\",\"w\":9,\"x\":9,\"y\":55},\"panelIndex\":\"37\",\"panelRefName\":\"panel_8\",\"title\":\"Group Changes Summary [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Deletion Summary [Windows Security]\"},\"gridData\":{\"h\":13,\"i\":\"38\",\"w\":9,\"x\":18,\"y\":55},\"panelIndex\":\"38\",\"panelRefName\":\"panel_9\",\"title\":\"Group Deletion Summary [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Users Added to Group Summary [Windows Security]\"},\"gridData\":{\"h\":14,\"i\":\"39\",\"w\":16,\"x\":0,\"y\":75},\"panelIndex\":\"39\",\"panelRefName\":\"panel_10\",\"title\":\"Users Added to Group Summary [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Users Removed From Group Summary [Windows Security]\"},\"gridData\":{\"h\":14,\"i\":\"40\",\"w\":17,\"x\":16,\"y\":75},\"panelIndex\":\"40\",\"panelRefName\":\"panel_11\",\"title\":\"Users Removed From Group Summary [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Enumeration - Table [Windows Security]\"},\"gridData\":{\"h\":14,\"i\":\"42\",\"w\":15,\"x\":33,\"y\":75},\"panelIndex\":\"42\",\"panelRefName\":\"panel_12\",\"title\":\"Group Enumeration - Table [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Details [Windows Security]\"},\"gridData\":{\"h\":20,\"i\":\"43\",\"w\":21,\"x\":27,\"y\":48},\"panelIndex\":\"43\",\"panelRefName\":\"panel_13\",\"title\":\"Logon Details [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Management Operations Details [Windows Security]\"},\"gridData\":{\"h\":22,\"i\":\"45\",\"w\":48,\"x\":0,\"y\":89},\"panelIndex\":\"45\",\"panelRefName\":\"panel_14\",\"title\":\"Group Management Operations Details [Windows 
Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-group-account\":\"#0A437C\",\"added-member-to-group\":\"#1F78C1\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#052B51\",\"user-member-enumerated\":\"#447EBC\"},\"vis\":{\"colors\":{\"added-group-account\":\"#0A437C\",\"added-member-to-group\":\"#1F78C1\",\"deleted-group-account\":\"#82B5D8\",\"modified-group-account\":\"#052B51\",\"user-member-enumerated\":\"#447EBC\"}}},\"gridData\":{\"h\":20,\"i\":\"3f7e277d-09d1-4a79-bc17-bc5da5a7e290\",\"w\":20,\"x\":0,\"y\":7},\"panelIndex\":\"3f7e277d-09d1-4a79-bc17-bc5da5a7e290\",\"panelRefName\":\"panel_15\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"8cda9d6a-096f-41a5-86e6-09dd1f6b9c98\",\"w\":16,\"x\":32,\"y\":7},\"panelIndex\":\"8cda9d6a-096f-41a5-86e6-09dd1f6b9c98\",\"panelRefName\":\"panel_16\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Management Events - Event Actions - Table [Windows Security]\"},\"gridData\":{\"h\":20,\"i\":\"74edddd5-2dc5-41b8-b4f2-bf9c95218f1b\",\"w\":12,\"x\":20,\"y\":7},\"panelIndex\":\"74edddd5-2dc5-41b8-b4f2-bf9c95218f1b\",\"panelRefName\":\"panel_17\",\"title\":\"Group Management Events - Event Actions - Table [Windows 
Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"vis\":null},\"gridData\":{\"h\":21,\"i\":\"33cef054-615a-49cb-bb2e-eb55fab96ae5\",\"w\":27,\"x\":0,\"y\":27},\"panelIndex\":\"33cef054-615a-49cb-bb2e-eb55fab96ae5\",\"panelRefName\":\"panel_18\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-group-account\":\"#1F78C1\",\"added-member-to-group\":\"#0A437C\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#0A50A1\",\"type-changed-group-account\":\"#82B5D8\",\"user-member-enumerated\":\"#447EBC\"},\"vis\":{\"colors\":{\"added-group-account\":\"#1F78C1\",\"added-member-to-group\":\"#0A437C\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#0A50A1\",\"removed-member-from-group\":\"#BADFF4\",\"type-changed-group-account\":\"#82B5D8\",\"user-member-enumerated\":\"#447EBC\"}}},\"gridData\":{\"h\":21,\"i\":\"e0d495aa-f897-403f-815b-6116fae330b7\",\"w\":21,\"x\":27,\"y\":27},\"panelIndex\":\"e0d495aa-f897-403f-815b-6116fae330b7\",\"panelRefName\":\"panel_19\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"663e0493-2070-407b-9d00-079915cce7e7\",\"w\":32,\"x\":16,\"y\":0},\"panelIndex\":\"663e0493-2070-407b-9d00-079915cce7e7\",\"panelRefName\":\"panel_20\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[Windows Security] Group Management Events", - "version": 1 - }, - "id": "windows-bb858830-f412-11e9-8405-516218e3d268", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-6f0f2ea0-f414-11e9-8405-516218e3d268", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-ffebe440-f419-11e9-8405-516218e3d268", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-e22c6f40-f498-11e9-8405-516218e3d268", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-ee292bc0-f499-11e9-8405-516218e3d268", - "name": "panel_3", - "type": 
"visualization" - }, - { - "id": "windows-400b63e0-f49a-11e9-8405-516218e3d268", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-a5f664c0-f49a-11e9-8405-516218e3d268", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-546febc0-f49b-11e9-8405-516218e3d268", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "windows-98884120-f49d-11e9-8405-516218e3d268", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "windows-9e534190-f49d-11e9-8405-516218e3d268", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-bb9cf7a0-f49d-11e9-8405-516218e3d268", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-ce867840-f49e-11e9-8405-516218e3d268", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "windows-fee83900-f49f-11e9-8405-516218e3d268", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "windows-bc165210-f4b8-11e9-8405-516218e3d268", - "name": "panel_12", - "type": "visualization" - }, - { - "id": "windows-7e178c80-fee1-11e9-8405-516218e3d268", - "name": "panel_13", - "type": "search" - }, - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "panel_14", - "type": "search" - }, - { - "id": "windows-b89b0c90-9b41-11ea-87e4-49f31ec44891", - "name": "panel_15", - "type": "visualization" - }, - { - "id": "windows-58fb9480-9b46-11ea-87e4-49f31ec44891", - "name": "panel_16", - "type": "visualization" - }, - { - "id": "windows-33462600-9b47-11ea-87e4-49f31ec44891", - "name": "panel_17", - "type": "visualization" - }, - { - "id": "windows-e20c02d0-9b48-11ea-87e4-49f31ec44891", - "name": "panel_18", - "type": "visualization" - }, - { - "id": "windows-7de2e3f0-9b4d-11ea-87e4-49f31ec44891", - "name": "panel_19", - "type": "visualization" - }, - { - "id": "windows-a3c3f350-9b6d-11ea-87e4-49f31ec44891", - "name": "panel_20", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file 
diff --git a/packages/system/0.10.5/kibana/dashboard/system-d401ef40-a7d5-11e9-a422-d144027429da.json b/packages/system/0.10.5/kibana/dashboard/system-d401ef40-a7d5-11e9-a422-d144027429da.json
deleted file mode 100644
index 3936b5ec35..0000000000
--- a/packages/system/0.10.5/kibana/dashboard/system-d401ef40-a7d5-11e9-a422-d144027429da.json
+++ /dev/null
@@ -1,84 +0,0 @@
-{
- "attributes": {
- "description": "Failed and blocked accounts with TSVB metrics.",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}"
- },
- "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}",
- "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"1\",\"w\":14,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"Failed Logins\":\"#EF843C\",\"Failed Logons\":\"#E24D42\",\"Successful Login\":\"#B7DBAB\",\"Successful Logon\":\"#9AC48A\"},\"legendOpen\":true,\"title\":\"Login Successful vs Failed\",\"vis\":{\"colors\":{\"Failed Logins\":\"#EF843C\",\"Failed Logons\":\"#BF1B00\",\"Successful Login\":\"#B7DBAB\",\"Successful Logon\":\"#9AC48A\"},\"legendOpen\":true}},\"gridData\":{\"h\":18,\"i\":\"2\",\"w\":12,\"x\":0,\"y\":7},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"title\":\"Login Successful vs Failed\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Blocked Acoounts\"},\"gridData\":{\"h\":21,\"i\":\"3\",\"w\":11,\"x\":12,\"y\":35},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"title\":\"Blocked Acoounts\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"Login Failed\":\"#F9934E\",\"Login OK\":\"#9AC48A\",\"Logon Failed\":\"#E24D42\",\"Logon Successful\":\"#9AC48A\"},\"legendOpen\":true,\"title\":\"Logon Successful and Failed Over time\",\"vis\":{\"colors\":{\"Login Failed\":\"#F9934E\",\"Login OK\":\"#9AC48A\",\"Logon Failed\":\"#BF1B00\",\"Logon Successful\":\"#9AC48A\"},\"legendOpen\":true}},\"gridData\":{\"h\":18,\"i\":\"4\",\"w\":23,\"x\":12,\"y\":7},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"title\":\"Logon Successful and Failed Over 
time\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"5\",\"w\":12,\"x\":0,\"y\":35},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Failed (Time Mosaic View)\",\"vis\":{\"defaultColors\":{\"0 - 5\":\"rgb(255,245,240)\",\"10 - 15\":\"rgb(252,138,106)\",\"15 - 20\":\"rgb(241,68,50)\",\"20 - 24\":\"rgb(188,20,26)\",\"5 - 10\":\"rgb(253,202,181)\"},\"legendOpen\":false}},\"gridData\":{\"h\":30,\"i\":\"6\",\"w\":48,\"x\":0,\"y\":56},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"title\":\"Logon Failed (Time Mosaic View)\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Failed and Account Lockouts\"},\"gridData\":{\"h\":20,\"i\":\"8\",\"w\":48,\"x\":0,\"y\":86},\"panelIndex\":\"8\",\"panelRefName\":\"panel_6\",\"title\":\"Logon Failed and Account Lockouts\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Failed Source IPs\"},\"gridData\":{\"h\":18,\"i\":\"10\",\"w\":13,\"x\":35,\"y\":7},\"panelIndex\":\"10\",\"panelRefName\":\"panel_7\",\"title\":\"Logon Failed Source IPs\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Failed Logins Table\"},\"gridData\":{\"h\":31,\"i\":\"11\",\"w\":25,\"x\":23,\"y\":25},\"panelIndex\":\"11\",\"panelRefName\":\"panel_8\",\"title\":\"Failed Logins 
Table\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"628de26f-7b7b-457c-b811-e06161e4e7b4\",\"w\":34,\"x\":14,\"y\":0},\"panelIndex\":\"628de26f-7b7b-457c-b811-e06161e4e7b4\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":10,\"i\":\"01a624c2-7a86-4fa9-89d3-e2ae84e94ec9\",\"w\":12,\"x\":0,\"y\":25},\"panelIndex\":\"01a624c2-7a86-4fa9-89d3-e2ae84e94ec9\",\"panelRefName\":\"panel_10\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":10,\"i\":\"e3046900-1ffc-4efa-9dab-613d685c617b\",\"w\":11,\"x\":12,\"y\":25},\"panelIndex\":\"e3046900-1ffc-4efa-9dab-613d685c617b\",\"panelRefName\":\"panel_11\",\"version\":\"7.7.0\"}]",
- "timeRestore": false,
- "title": "[Windows Security] Failed and Blocked Accounts",
- "version": 1
- },
- "id": "windows-d401ef40-a7d5-11e9-a422-d144027429da",
- "migrationVersion": {
- "dashboard": "7.3.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "windows-c2ea73f0-a4bd-11e9-a422-d144027429da",
- "name": "panel_0",
- "type": "visualization"
- },
- {
- "id": "windows-175a5760-a7d5-11e9-a422-d144027429da",
- "name": "panel_1",
- "type": "visualization"
- },
- {
- "id": "windows-7a329a00-a7d5-11e9-a422-d144027429da",
- "name": "panel_2",
- "type": "visualization"
- },
- {
- "id": "windows-162d7ab0-a7d6-11e9-a422-d144027429da",
- "name": "panel_3",
- "type": "visualization"
- },
- {
- "id": "windows-729443b0-a7d6-11e9-a422-d144027429da",
- "name": "panel_4",
- "type": "visualization"
- },
- {
- "id": "windows-4b683ac0-a7d7-11e9-a422-d144027429da",
- "name": "panel_5",
- "type": "visualization"
- },
- {
- "id": "windows-757510b0-a87f-11e9-a422-d144027429da",
- "name": "panel_6",
- "type": "search"
- },
- {
- "id": "windows-2084e300-a884-11e9-a422-d144027429da",
- "name": "panel_7",
- "type": "visualization"
- },
- {
- "id": "windows-421f0610-af98-11e9-a422-d144027429da",
- "name": 
"panel_8",
- "type": "visualization"
- },
- {
- "id": "windows-a3c3f350-9b6d-11ea-87e4-49f31ec44891",
- "name": "panel_9",
- "type": "visualization"
- },
- {
- "id": "windows-8ef59f90-6ab8-11ea-896f-0d70f7ec3956",
- "name": "panel_10",
- "type": "visualization"
- },
- {
- "id": "windows-a79395f0-6aba-11ea-896f-0d70f7ec3956",
- "name": "panel_11",
- "type": "visualization"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.5/kibana/dashboard/system-f49f3170-9ffc-11ea-87e4-49f31ec44891.json b/packages/system/0.10.5/kibana/dashboard/system-f49f3170-9ffc-11ea-87e4-49f31ec44891.json
deleted file mode 100644
index 1cff15d29f..0000000000
--- a/packages/system/0.10.5/kibana/dashboard/system-f49f3170-9ffc-11ea-87e4-49f31ec44891.json
+++ /dev/null
@@ -1,84 +0,0 @@
-{
- "attributes": {
- "description": "Failed and blocked accounts.",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}"
- },
- "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}",
- "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"1\",\"w\":14,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"Failed Logins\":\"#EF843C\",\"Failed Logons\":\"#E24D42\",\"Successful Login\":\"#B7DBAB\",\"Successful Logon\":\"#9AC48A\"},\"legendOpen\":true,\"title\":\"Login Successful vs Failed\",\"vis\":{\"colors\":{\"Failed Logins\":\"#EF843C\",\"Failed Logons\":\"#BF1B00\",\"Successful Login\":\"#B7DBAB\",\"Successful Logon\":\"#9AC48A\"},\"legendOpen\":true}},\"gridData\":{\"h\":18,\"i\":\"2\",\"w\":12,\"x\":0,\"y\":7},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"title\":\"Login Successful vs Failed\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Blocked Acoounts\"},\"gridData\":{\"h\":21,\"i\":\"3\",\"w\":11,\"x\":12,\"y\":35},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"title\":\"Blocked Acoounts\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"Login Failed\":\"#F9934E\",\"Login OK\":\"#9AC48A\",\"Logon Failed\":\"#E24D42\",\"Logon Successful\":\"#9AC48A\"},\"legendOpen\":true,\"title\":\"Logon Successful and Failed Over time\",\"vis\":{\"colors\":{\"Login Failed\":\"#F9934E\",\"Login OK\":\"#9AC48A\",\"Logon Failed\":\"#BF1B00\",\"Logon Successful\":\"#9AC48A\"},\"legendOpen\":true}},\"gridData\":{\"h\":18,\"i\":\"4\",\"w\":23,\"x\":12,\"y\":7},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"title\":\"Logon Successful and Failed Over 
time\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"5\",\"w\":12,\"x\":0,\"y\":35},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Failed (Time Mosaic View)\",\"vis\":{\"defaultColors\":{\"0 - 5\":\"rgb(255,245,240)\",\"10 - 15\":\"rgb(252,138,106)\",\"15 - 20\":\"rgb(241,68,50)\",\"20 - 24\":\"rgb(188,20,26)\",\"5 - 10\":\"rgb(253,202,181)\"},\"legendOpen\":false}},\"gridData\":{\"h\":30,\"i\":\"6\",\"w\":48,\"x\":0,\"y\":56},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"title\":\"Logon Failed (Time Mosaic View)\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Failed and Account Lockouts\"},\"gridData\":{\"h\":20,\"i\":\"8\",\"w\":48,\"x\":0,\"y\":86},\"panelIndex\":\"8\",\"panelRefName\":\"panel_6\",\"title\":\"Logon Failed and Account Lockouts\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Failed Source IPs\"},\"gridData\":{\"h\":18,\"i\":\"10\",\"w\":13,\"x\":35,\"y\":7},\"panelIndex\":\"10\",\"panelRefName\":\"panel_7\",\"title\":\"Logon Failed Source IPs\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Failed Logins Table\"},\"gridData\":{\"h\":31,\"i\":\"11\",\"w\":25,\"x\":23,\"y\":25},\"panelIndex\":\"11\",\"panelRefName\":\"panel_8\",\"title\":\"Failed Logins 
Table\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"a79ee89f-ff45-486c-9788-9446d39456c2\",\"w\":34,\"x\":14,\"y\":0},\"panelIndex\":\"a79ee89f-ff45-486c-9788-9446d39456c2\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":10,\"i\":\"7765df59-11c4-476d-898f-9ebf98c369e2\",\"w\":11,\"x\":12,\"y\":25},\"panelIndex\":\"7765df59-11c4-476d-898f-9ebf98c369e2\",\"panelRefName\":\"panel_10\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":10,\"i\":\"b47c91d3-58c4-4b5b-b302-444b048efdfa\",\"w\":12,\"x\":0,\"y\":25},\"panelIndex\":\"b47c91d3-58c4-4b5b-b302-444b048efdfa\",\"panelRefName\":\"panel_11\",\"version\":\"7.7.0\"}]",
- "timeRestore": false,
- "title": "[Windows Security] Failed and Blocked Accounts - Simple Metrics",
- "version": 1
- },
- "id": "windows-f49f3170-9ffc-11ea-87e4-49f31ec44891",
- "migrationVersion": {
- "dashboard": "7.3.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "windows-c2ea73f0-a4bd-11e9-a422-d144027429da",
- "name": "panel_0",
- "type": "visualization"
- },
- {
- "id": "windows-175a5760-a7d5-11e9-a422-d144027429da",
- "name": "panel_1",
- "type": "visualization"
- },
- {
- "id": "windows-7a329a00-a7d5-11e9-a422-d144027429da",
- "name": "panel_2",
- "type": "visualization"
- },
- {
- "id": "windows-162d7ab0-a7d6-11e9-a422-d144027429da",
- "name": "panel_3",
- "type": "visualization"
- },
- {
- "id": "windows-729443b0-a7d6-11e9-a422-d144027429da",
- "name": "panel_4",
- "type": "visualization"
- },
- {
- "id": "windows-4b683ac0-a7d7-11e9-a422-d144027429da",
- "name": "panel_5",
- "type": "visualization"
- },
- {
- "id": "windows-757510b0-a87f-11e9-a422-d144027429da",
- "name": "panel_6",
- "type": "search"
- },
- {
- "id": "windows-2084e300-a884-11e9-a422-d144027429da",
- "name": "panel_7",
- "type": "visualization"
- },
- {
- "id": "windows-421f0610-af98-11e9-a422-d144027429da",
- "name": "panel_8",
- "type": "visualization"
- },
- {
- "id": "windows-d770b040-9b35-11ea-87e4-49f31ec44891",
- "name": "panel_9",
- "type": "visualization"
- },
- {
- "id": "windows-5d117970-9ffd-11ea-87e4-49f31ec44891",
- "name": "panel_10",
- "type": "visualization"
- },
- {
- "id": "windows-4bedf650-9ffd-11ea-87e4-49f31ec44891",
- "name": "panel_11",
- "type": "visualization"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.5/kibana/search/system-06b6b060-7a80-11ea-bc9a-0baf2ca323a3.json b/packages/system/0.10.5/kibana/search/system-06b6b060-7a80-11ea-bc9a-0baf2ca323a3.json
deleted file mode 100644
index 0b73c97bde..0000000000
--- a/packages/system/0.10.5/kibana/search/system-06b6b060-7a80-11ea-bc9a-0baf2ca323a3.json
+++ /dev/null
@@ -1,50 +0,0 @@
-{
- "attributes": {
- "columns": [
- "user.name",
- "user.domain",
- "winlog.logon.id",
- "event.action",
- "winlog.logon.type",
- "winlog.event_data.SubjectUserName"
- ],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4625\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"4625\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"},\"version\":true}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "User Logouts [Windows Security]",
- "version": 1
- },
- "id": "windows-06b6b060-7a80-11ea-bc9a-0baf2ca323a3",
- "migrationVersion": {
- "search": "7.4.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.5/kibana/search/system-324686c0-fefb-11e9-8405-516218e3d268.json b/packages/system/0.10.5/kibana/search/system-324686c0-fefb-11e9-8405-516218e3d268.json
deleted file mode 100644
index 2f987e17c9..0000000000
--- a/packages/system/0.10.5/kibana/search/system-324686c0-fefb-11e9-8405-516218e3d268.json
+++ /dev/null
@@ -1,46 +0,0 @@
-{
- "attributes": {
- "columns": [
- "event.action",
- "winlog.event_data.TargetUserName",
- "user.domain",
- "user.name",
- "winlog.event_data.SubjectDomainName",
- "winlog.logon.id",
- "related.user"
- ],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4720\",\"4722\",\"4723\",\"4724\",\"4725\",\"4726\",\"4738\",\"4740\",\"4767\",\"4781\",\"4798\"],\"type\":\"phrases\",\"value\":\"4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740, 4767, 4781, 4798\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4720\"}},{\"match_phrase\":{\"event.code\":\"4722\"}},{\"match_phrase\":{\"event.code\":\"4723\"}},{\"match_phrase\":{\"event.code\":\"4724\"}},{\"match_phrase\":{\"event.code\":\"4725\"}},{\"match_phrase\":{\"event.code\":\"4726\"}},{\"match_phrase\":{\"event.code\":\"4738\"}},{\"match_phrase\":{\"event.code\":\"4740\"}},{\"match_phrase\":{\"event.code\":\"4767\"}},{\"match_phrase\":{\"event.code\":\"4781\"}},{\"match_phrase\":{\"event.code\":\"4798\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"},\"version\":true}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "User management Details - Search [Windows Security]",
- "version": 1
- },
- "id": "windows-324686c0-fefb-11e9-8405-516218e3d268",
- "migrationVersion": {
- "search": "7.4.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- 
"type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.5/kibana/search/system-62439dc0-f9c9-11e6-a747-6121780e0414.json b/packages/system/0.10.5/kibana/search/system-62439dc0-f9c9-11e6-a747-6121780e0414.json
deleted file mode 100644
index abdd218801..0000000000
--- a/packages/system/0.10.5/kibana/search/system-62439dc0-f9c9-11e6-a747-6121780e0414.json
+++ /dev/null
@@ -1,33 +0,0 @@
-{
- "attributes": {
- "columns": [
- "system.auth.ssh.event",
- "system.auth.ssh.method",
- "user.name",
- "source.ip",
- "source.geo.country_iso_code"
- ],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:system.auth AND system.auth.ssh.event:*\"}}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "SSH login attempts [Logs System]",
- "version": 1
- },
- "id": "system-62439dc0-f9c9-11e6-a747-6121780e0414",
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.5/kibana/search/system-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3.json b/packages/system/0.10.5/kibana/search/system-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3.json
deleted file mode 100644
index f1f985f535..0000000000
--- a/packages/system/0.10.5/kibana/search/system-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3.json
+++ /dev/null
@@ -1,44 +0,0 @@
-{
- "attributes": {
- "columns": [
- "user.name",
- "source.domain",
- "source.ip",
- "winlog.logon.id",
- "event.action"
- ],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4778\",\"4779\"],\"type\":\"phrases\",\"value\":\"4778, 4779\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4778\"}},{\"match_phrase\":{\"event.code\":\"4779\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"},\"version\":true}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "Remote Interactive Connections and Disconnections [Windows Security]",
- "version": 1
- },
- "id": "windows-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3",
- "migrationVersion": {
- "search": "7.4.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.5/kibana/search/system-757510b0-a87f-11e9-a422-d144027429da.json b/packages/system/0.10.5/kibana/search/system-757510b0-a87f-11e9-a422-d144027429da.json
deleted file mode 100644
index 5507975b23..0000000000
--- a/packages/system/0.10.5/kibana/search/system-757510b0-a87f-11e9-a422-d144027429da.json
+++ /dev/null
@@ -1,51 +0,0 @@
-{
- "attributes": {
- "columns": [
- "event.action",
- "user.name",
- "related.user",
- "user.domain",
- "source.domain",
- "source.ip",
- "winlog.event_data.SubjectUserName"
- ],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4625\",\"4740\"],\"type\":\"phrases\",\"value\":\"4625, 4740\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4625\"}},{\"match_phrase\":{\"event.code\":\"4740\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"},\"version\":true}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "3. 
Login Failed Details",
- "version": 1
- },
- "id": "windows-757510b0-a87f-11e9-a422-d144027429da",
- "migrationVersion": {
- "search": "7.4.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.5/kibana/search/system-7e178c80-fee1-11e9-8405-516218e3d268.json b/packages/system/0.10.5/kibana/search/system-7e178c80-fee1-11e9-8405-516218e3d268.json
deleted file mode 100644
index 3c91e58e3d..0000000000
--- a/packages/system/0.10.5/kibana/search/system-7e178c80-fee1-11e9-8405-516218e3d268.json
+++ /dev/null
@@ -1,44 +0,0 @@
-{
- "attributes": {
- "columns": [
- "user.name",
- "source.domain",
- "source.ip",
- "winlog.logon.id",
- "winlog.logon.type"
- ],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4624\"],\"type\":\"phrases\",\"value\":\"4624\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4624\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"},\"version\":true}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "Logon Details [Windows Security]",
- "version": 1
- },
- "id": "windows-7e178c80-fee1-11e9-8405-516218e3d268",
- "migrationVersion": {
- "search": "7.4.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.5/kibana/search/system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab.json b/packages/system/0.10.5/kibana/search/system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab.json
deleted file mode 100644
index ae1484339a..0000000000
--- a/packages/system/0.10.5/kibana/search/system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab.json
+++ /dev/null
@@ -1,33 +0,0 @@
-{
- "attributes": {
- "columns": [
- "user.name",
- "user.id",
- "group.id",
- "system.auth.useradd.home",
- "system.auth.useradd.shell"
- ],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.useradd:*\"}}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "useradd logs [Logs System]",
- "version": 1
- },
- "id": "system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab",
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.5/kibana/search/system-9066d5b0-fef2-11e9-8405-516218e3d268.json b/packages/system/0.10.5/kibana/search/system-9066d5b0-fef2-11e9-8405-516218e3d268.json
deleted file mode 100644
index 075cb8a083..0000000000
--- a/packages/system/0.10.5/kibana/search/system-9066d5b0-fef2-11e9-8405-516218e3d268.json
+++ /dev/null
@@ -1,45 +0,0 @@
-{
- "attributes": {
- "columns": [
- "event.action",
- "group.name",
- "group.domain",
- "user.name",
- "user.domain",
- "host.name"
- ],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4731\",\"4732\",\"4733\",\"4734\",\"4735\",\"4737\",\"4764\",\"4727\",\"4728\",\"4729\",\"4730\",\"4754\",\"4755\",\"4756\",\"4757\",\"4758\",\"4799\",\"4749\",\"4750\",\"4751\",\"4752\",\"4753\",\"4759\",\"4760\",\"4761\",\"4762\",\"4763\",\"4744\",\"4745\",\"4746\",\"4748\"],\"type\":\"phrases\",\"value\":\"4731, 4732, 4733, 4734, 4735, 4737, 4764, 4727, 4728, 4729, 4730, 4754, 4755, 4756, 4757, 4758, 4799, 4749, 4750, 4751, 4752, 4753, 4759, 4760, 4761, 4762, 4763, 4744, 4745, 4746, 4748\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4731\"}},{\"match_phrase\":{\"event.code\":\"4732\"}},{\"match_phrase\":{\"event.code\":\"4733\"}},{\"match_phrase\":{\"event.code\":\"4734\"}},{\"match_phrase\":{\"event.code\":\"4735\"}},{\"match_phrase\":{\"event.code\":\"4737\"}},{\"match_phrase\":{\"event.code\":\"4764\"}},{\"match_phrase\":{\"event.code\":\"4727\"}},{\"match_phrase\":{\"event.code\":\"4728\"}},{\"match_phrase\":{\"event.code\":\"4729\"}},{\"match_phrase\":{\"event.code\":\"4730\"}},{\"match_phrase\":{\"event.code\":\"4754\"}},{\"match_phrase\":{\"event.code\":\"4755\"}},{\"match_phrase\":{\"event.code\":\"4756\"}},{\"match_phrase\":{\"event.code\":\"4757\"}},{\"match_phrase\":{\"event.code\":\"4758\"}},{\"match_phrase\":{\"event.code\":\"4799\"}},{\"match_phrase\":{\"event.code\":\"4749\"}},{\"match_phrase\":{\"event.code\":\"4750\"}},{\"match_phrase\":{\"event.code\":\"4751\"}},{\"match_phrase\":{\"event.code\":\"4752\"}},{\"match_phrase\":{\"even
t.code\":\"4753\"}},{\"match_phrase\":{\"event.code\":\"4759\"}},{\"match_phrase\":{\"event.code\":\"4760\"}},{\"match_phrase\":{\"event.code\":\"4761\"}},{\"match_phrase\":{\"event.code\":\"4762\"}},{\"match_phrase\":{\"event.code\":\"4763\"}},{\"match_phrase\":{\"event.code\":\"4744\"}},{\"match_phrase\":{\"event.code\":\"4745\"}},{\"match_phrase\":{\"event.code\":\"4746\"}},{\"match_phrase\":{\"event.code\":\"4748\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"},\"version\":true}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "Group Management Details - Search View [Windows Security]",
- "version": 1
- },
- "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268",
- "migrationVersion": {
- "search": "7.4.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.5/kibana/search/system-Syslog-system-logs.json b/packages/system/0.10.5/kibana/search/system-Syslog-system-logs.json
deleted file mode 100644
index 6a2ef982d2..0000000000
--- a/packages/system/0.10.5/kibana/search/system-Syslog-system-logs.json
+++ /dev/null
@@ -1,31 +0,0 @@
-{
- "attributes": {
- "columns": [
- "host.hostname",
- "process.name",
- "message"
- ],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:system.syslog\"}}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "Syslog logs [Logs System]",
- "version": 1
- },
- "id": "system-Syslog-system-logs",
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.5/kibana/search/system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a.json b/packages/system/0.10.5/kibana/search/system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a.json
deleted file mode 100644
index e64a483853..0000000000
--- a/packages/system/0.10.5/kibana/search/system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a.json
+++ /dev/null
@@ -1,32 +0,0 @@
-{
- "attributes": {
- "columns": [
- "user.name",
- "system.auth.sudo.user",
- "system.auth.sudo.pwd",
- "system.auth.sudo.command"
- ],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.sudo:*\"}}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "Sudo commands [Logs System]",
- "version": 1
- },
- "id": "system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a",
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.5/kibana/search/system-ce71c9a0-a25e-11e9-a422-d144027429da.json b/packages/system/0.10.5/kibana/search/system-ce71c9a0-a25e-11e9-a422-d144027429da.json
deleted file mode 100644
index b7a3f89050..0000000000
--- a/packages/system/0.10.5/kibana/search/system-ce71c9a0-a25e-11e9-a422-d144027429da.json
+++ /dev/null
@@ -1,44 +0,0 @@
-{
- "attributes": {
- "columns": [
- "user.name",
- "winlog.logon.type",
- "source.domain",
- "source.ip",
- "winlog.logon.id"
- ],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4624\"},\"type\":\"phrase\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4624\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"},\"version\":true}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "User Logons [Windows Security]",
- "version": 1
- },
- "id": "windows-ce71c9a0-a25e-11e9-a422-d144027429da",
- "migrationVersion": {
- "search": "7.4.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.5/kibana/search/system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38.json b/packages/system/0.10.5/kibana/search/system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38.json
deleted file mode 100644
index e05ac92d9b..0000000000
--- a/packages/system/0.10.5/kibana/search/system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38.json
+++ /dev/null
@@ -1,30 +0,0 @@
-{
- "attributes": {
- "columns": [
- "group.name",
- "group.id"
- ],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.groupadd:*\"}}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "groupadd logs [Logs System]",
- "version": 1
- },
- "id": "system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38",
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.5/kibana/visualization/system-006d75f0-9c03-11ea-87e4-49f31ec44891.json b/packages/system/0.10.5/kibana/visualization/system-006d75f0-9c03-11ea-87e4-49f31ec44891.json
deleted file mode 100644
index 6e0b3e1461..0000000000
--- a/packages/system/0.10.5/kibana/visualization/system-006d75f0-9c03-11ea-87e4-49f31ec44891.json
+++ /dev/null
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4624\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"4624\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Logon Types [Windows Security]", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"winlog.logon.id\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"winlog.logon.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"label\":\"user.name: Descending\",\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"cardinality\",\"format\":{\"id\":\"number\"},\"label\":\"Unique count of winlog.logon.id\",\"params\":{}}},\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Logon Types [Windows Security]\",\"type\":\"pie\"}" - }, - "id": "windows-006d75f0-9c03-11ea-87e4-49f31ec44891", - "migrationVersion": { - 
"visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.5/kibana/visualization/system-0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 5385f1ebf7..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4722\"},\"type\":\"phrase\",\"value\":\"4722\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4722\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Enabled - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Enabled User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Enabled - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-0622da40-9bfd-11ea-87e4-49f31ec44891.json b/packages/system/0.10.5/kibana/visualization/system-0622da40-9bfd-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 9cccbc53a6..0000000000 
--- a/packages/system/0.10.5/kibana/visualization/system-0622da40-9bfd-11ea-87e4-49f31ec44891.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Administrator Logons [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"d5bcde50-9bfc-11ea-aaa3-618beeff2d9c\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(181,49,0,1)\",\"id\":\"16018150-9bfd-11ea-aaa3-618beeff2d9c\",\"operator\":\"gte\",\"value\":0}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"filter\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.security AND event.code: \\\"4672\\\")\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Administrator Logons\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Administrator Logons [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-0622da40-9bfd-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.5/kibana/visualization/system-089b85d0-1b16-11e7-b09e-037021c4f8df.json b/packages/system/0.10.5/kibana/visualization/system-089b85d0-1b16-11e7-b09e-037021c4f8df.json
deleted file mode 100644
index 40175102f6..0000000000
--- a/packages/system/0.10.5/kibana/visualization/system-089b85d0-1b16-11e7-b09e-037021c4f8df.json
+++ /dev/null
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Network Traffic (Bytes) [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"lucene\",\"query\":\"-system.network.name:l*\"},\"id\":\"da1046f0-faa0-11e6-86b1-cd7735ff7e23\",\"index_pattern\":\"*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"da1046f1-faa0-11e6-86b1-cd7735ff7e23\",\"label\":\"Inbound \",\"line_width\":\"0\",\"metrics\":[{\"field\":\"system.network.in.bytes\",\"id\":\"da1046f2-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"max\"},{\"field\":\"da1046f2-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"f41f9280-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"field\":\"f41f9280-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"a87398e0-1b93-11e7-8ada-3df93aab833e\",\"type\":\"positive_only\",\"unit\":\"\"},{\"function\":\"sum\",\"id\":\"2d533df0-2c2d-11e7-be71-3162da85303f\",\"type\":\"series_agg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(250,40,255,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"fbbd5720-faa0-11e6-86b1-cd7735ff7e23\",\"label\":\"Outbound 
\",\"line_width\":\"0\",\"metrics\":[{\"field\":\"system.network.out.bytes\",\"id\":\"fbbd7e30-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"max\"},{\"field\":\"fbbd7e30-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"fbbd7e31-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"id\":\"17e597a0-faa1-11e6-86b1-cd7735ff7e23\",\"script\":\"params.rate != null \\u0026\\u0026 params.rate \\u003e 0 ? params.rate * -1 : null\",\"type\":\"calculation\",\"variables\":[{\"field\":\"fbbd7e31-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"1940bad0-faa1-11e6-86b1-cd7735ff7e23\",\"name\":\"rate\"}]},{\"function\":\"sum\",\"id\":\"533da9b0-2c2d-11e7-be71-3162da85303f\",\"type\":\"series_agg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"Mericbeat: Network Traffic (Bytes)\",\"type\":\"metrics\"}" - }, - "id": "system-089b85d0-1b16-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-0cb2d940-bcde-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.5/kibana/visualization/system-0cb2d940-bcde-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index aa62566ae2..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-0cb2d940-bcde-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4725\"},\"type\":\"phrase\",\"value\":\"4725\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4725\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Disabled - Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Disabled Users\",\"field\":\"user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Disabled - Simple Metric [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-0cb2d940-bcde-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of 
file diff --git a/packages/system/0.10.5/kibana/visualization/system-0f2f5280-feeb-11e9-8405-516218e3d268.json b/packages/system/0.10.5/kibana/visualization/system-0f2f5280-feeb-11e9-8405-516218e3d268.json deleted file mode 100644 index a01efe4b67..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-0f2f5280-feeb-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4799\"},\"type\":\"phrase\",\"value\":\"4799\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4799\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Group Membership Enumeration - Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Group Membership Enumerated\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Blues\",\"colorsRange\":[{\"from\":0,\"to\":500,\"type\":\"range\"},{\"from\":500,\"to\":20000},{\"from\":20000,\"to\":30000},{\"from\":30000,\"to\":40000}],\"invertColors\":true,\"labels\":{\"show\":true},\"metricColorMode\":\"Labels\",\"percentageMode\":false,\"style\":{\"bgColor\":true,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Group Membership Enumeration - Simple Metric [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-0f2f5280-feeb-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-102efd20-bcdd-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.5/kibana/visualization/system-102efd20-bcdd-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 478633bdbd..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-102efd20-bcdd-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4720\"},\"type\":\"phrase\",\"value\":\"4720\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4720\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Created - Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Users Created\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Created - Simple Metric [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-102efd20-bcdd-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.5/kibana/visualization/system-117f5a30-9b71-11ea-87e4-49f31ec44891.json b/packages/system/0.10.5/kibana/visualization/system-117f5a30-9b71-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 3f10e8d002..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-117f5a30-9b71-11ea-87e4-49f31ec44891.json +++ /dev/null @@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Target Users [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Target Users [Windows Security]\",\"type\":\"tagcloud\"}" - }, - "id": "windows-117f5a30-9b71-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-12667040-fa80-11e6-a1df-a78bd7504d38.json b/packages/system/0.10.5/kibana/visualization/system-12667040-fa80-11e6-a1df-a78bd7504d38.json deleted file mode 100644 index 8c5d8b0366..0000000000 
--- a/packages/system/0.10.5/kibana/visualization/system-12667040-fa80-11e6-a1df-a78bd7504d38.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New groups [Logs System]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"group.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"group.id\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"New groups\",\"type\":\"table\"}" - }, - "id": "system-12667040-fa80-11e6-a1df-a78bd7504d38", - "references": [ - { - "id": "system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-162d7ab0-a7d6-11e9-a422-d144027429da.json b/packages/system/0.10.5/kibana/visualization/system-162d7ab0-a7d6-11e9-a422-d144027429da.json deleted file mode 100644 index 749503b56b..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-162d7ab0-a7d6-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Logon Successful - Logon Failed Timeline [Windows Security]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Login Failed\":\"#F9934E\",\"Login OK\":\"#9AC48A\",\"Logon Failed\":\"#EF843C\",\"Logon Successful\":\"#9AC48A\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"2020-05-17T09:37:55.995Z\",\"to\":\"2020-05-22T03:09:27.260Z\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"filters\":[{\"input\":{\"language\":\"lucene\",\"query\":\"event.code: 4624\"},\"label\":\"Logon Successful\"},{\"input\":{\"language\":\"lucene\",\"query\":\"event.code: 4625\"},\"label\":\"Logon 
Failed\"}]},\"schema\":\"group\",\"type\":\"filters\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"dimensions\":{\"series\":[{\"accessor\":1,\"aggType\":\"filters\",\"format\":{},\"params\":{}}],\"x\":{\"accessor\":0,\"aggType\":\"date_histogram\",\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"HH:mm\"}},\"params\":{\"bounds\":{\"max\":\"2019-07-16T14:30:11.515Z\",\"min\":\"2019-07-16T12:30:11.514Z\"},\"date\":true,\"format\":\"HH:mm\",\"interval\":\"PT1M\"}},\"y\":[{\"accessor\":2,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"bottom\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Logon Successful - Logon Failed Timeline [Windows Security]\",\"type\":\"histogram\"}" - }, - "id": "windows-162d7ab0-a7d6-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-175a5760-a7d5-11e9-a422-d144027429da.json b/packages/system/0.10.5/kibana/visualization/system-175a5760-a7d5-11e9-a422-d144027429da.json deleted file mode 100644 index 86075806f2..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-175a5760-a7d5-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Logon Successful vs Failed [Windows Security]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Failed Logins\":\"#EF843C\",\"Failed Logons\":\"#EA6460\",\"Successful Login\":\"#B7DBAB\",\"Successful Logon\":\"#B7DBAB\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"filters\":[{\"input\":{\"language\":\"lucene\",\"query\":\"event.code: 4624\"},\"label\":\"Successful Logon\"},{\"input\":{\"language\":\"lucene\",\"query\":\"event.code: 4625\"},\"label\":\"Failed Logons\"}]},\"schema\":\"segment\",\"type\":\"filters\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"filters\",\"format\":{},\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}},\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"bottom\",\"type\":\"pie\"},\"title\":\"Logon Successful vs Failed [Windows Security]\",\"type\":\"pie\"}" - }, - "id": "windows-175a5760-a7d5-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": 
"logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-18348f30-a24d-11e9-a422-d144027429da.json b/packages/system/0.10.5/kibana/visualization/system-18348f30-a24d-11e9-a422-d144027429da.json deleted file mode 100644 index 4c2305d126..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-18348f30-a24d-11e9-a422-d144027429da.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "User Logon Dashboard [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":10,\"markdown\":\"## **Logon Information Dashboard**\",\"openLinksInNewTab\":false},\"title\":\"User Logon Dashboard [Windows Security]\",\"type\":\"markdown\"}" - }, - "id": "windows-18348f30-a24d-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-19e123b0-4d5a-11e7-aee5-fdc812cc3bec.json b/packages/system/0.10.5/kibana/visualization/system-19e123b0-4d5a-11e7-aee5-fdc812cc3bec.json deleted file mode 100644 index dfaa630e4a..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-19e123b0-4d5a-11e7-aee5-fdc812cc3bec.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Swap usage [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.memory\\\"\"},\"gauge_color_rules\":[{\"gauge\":\"rgba(104,188,0,1)\",\"id\":\"d17c1e90-4d59-11e7-aee5-fdc812cc3bec\",\"operator\":\"gte\",\"value\":0},{\"gauge\":\"rgba(251,158,0,1)\",\"id\":\"fc1d3490-4d59-11e7-aee5-fdc812cc3bec\",\"operator\":\"gte\",\"value\":0.7},{\"gauge\":\"rgba(211,49,21,1)\",\"id\":\"0e204240-4d5a-11e7-aee5-fdc812cc3bec\",\"operator\":\"gte\",\"value\":0.85}],\"gauge_inner_width\":10,\"gauge_max\":\"\",\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"cee2fd20-4d59-11e7-aee5-fdc812cc3bec\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"cee2fd21-4d59-11e7-aee5-fdc812cc3bec\",\"label\":\"Swap usage\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.swap.used.pct\",\"id\":\"cee2fd22-4d59-11e7-aee5-fdc812cc3bec\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\"},\"title\":\"Swap usage [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-19e123b0-4d5a-11e7-aee5-fdc812cc3bec", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.5/kibana/visualization/system-1aae9140-1b93-11e7-8ada-3df93aab833e.json b/packages/system/0.10.5/kibana/visualization/system-1aae9140-1b93-11e7-8ada-3df93aab833e.json deleted file mode 100644 index 1c420ec4c8..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-1aae9140-1b93-11e7-8ada-3df93aab833e.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Outbound Traffic [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"0e346760-1b92-11e7-bec4-a5e9ec5cab8b\"}],\"filter\":{\"language\":\"lucene\",\"query\":\"-system.network.name:l*\"},\"id\":\"0c761590-1b92-11e7-bec4-a5e9ec5cab8b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"0c761591-1b92-11e7-bec4-a5e9ec5cab8b\",\"label\":\"Outbound Traffic\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.out.bytes\",\"id\":\"0c761592-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"max\"},{\"field\":\"0c761592-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"1d659060-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"field\":\"1d659060-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"f2074f70-1b92-11e7-a416-41f5ccdba2e6\",\"type\":\"positive_only\",\"unit\":\"\"},{\"function\":\"sum\",\"id\":\"a1737470-2c55-11e7-a0ad-277ce466684d\",\"type\":\"series_agg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"37f70440-1b92-11e7-bec4-a5e9ec5cab8b\",\"label\":\"Total 
Transferred\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.out.bytes\",\"id\":\"37f72b50-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"max\"},{\"field\":\"37f72b50-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"37f72b51-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"derivative\",\"unit\":\"\"},{\"field\":\"37f72b51-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"f9da2dd0-1b92-11e7-a416-41f5ccdba2e6\",\"type\":\"positive_only\",\"unit\":\"\"},{\"field\":\"f9da2dd0-1b92-11e7-a416-41f5ccdba2e6\",\"function\":\"overall_sum\",\"id\":\"3e63c2f0-1b92-11e7-bec4-a5e9ec5cab8b\",\"sigma\":\"\",\"type\":\"series_agg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"metric\"},\"title\":\"Outbound Traffic [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-1aae9140-1b93-11e7-8ada-3df93aab833e", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-1b5f17d0-feea-11e9-8405-516218e3d268.json b/packages/system/0.10.5/kibana/visualization/system-1b5f17d0-feea-11e9-8405-516218e3d268.json deleted file mode 100644 index e26a53b02e..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-1b5f17d0-feea-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4733\",\"4729\",\"4757\",\"4786\",\"4788\",\"4752\",\"4762\",\"4747\"],\"type\":\"phrases\",\"value\":\"4733, 4729, 4757, 4786, 4788, 4752, 4762, 4747\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4733\"}},{\"match_phrase\":{\"event.code\":\"4729\"}},{\"match_phrase\":{\"event.code\":\"4757\"}},{\"match_phrase\":{\"event.code\":\"4786\"}},{\"match_phrase\":{\"event.code\":\"4788\"}},{\"match_phrase\":{\"event.code\":\"4752\"}},{\"match_phrase\":{\"event.code\":\"4762\"}},{\"match_phrase\":{\"event.code\":\"4747\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Removed from Group - Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Users Removed from 
Groups\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Greens\",\"colorsRange\":[{\"from\":0,\"to\":1,\"type\":\"range\"},{\"from\":1,\"to\":5},{\"from\":5,\"to\":9},{\"from\":9,\"to\":13},{\"from\":13,\"to\":17},{\"from\":17,\"to\":20000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"Labels\",\"percentageMode\":false,\"style\":{\"bgColor\":true,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Removed from Group - Simple Metric [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-1b5f17d0-feea-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-1b6725f0-ff1d-11e9-8405-516218e3d268.json b/packages/system/0.10.5/kibana/visualization/system-1b6725f0-ff1d-11e9-8405-516218e3d268.json deleted file mode 100644 index d295f417c9..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-1b6725f0-ff1d-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Unlocks - TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(116,167,167,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4767\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Unlocks\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Unlocks - TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-1b6725f0-ff1d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.5/kibana/visualization/system-1f271bc0-231a-11ea-8405-516218e3d268.json b/packages/system/0.10.5/kibana/visualization/system-1f271bc0-231a-11ea-8405-516218e3d268.json deleted file mode 100644 index ff552a8f5c..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-1f271bc0-231a-11ea-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Renamed TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(110,139,162,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4781\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Renamed\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Renamed TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-1f271bc0-231a-11ea-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.5/kibana/visualization/system-2084e300-a884-11e9-a422-d144027429da.json b/packages/system/0.10.5/kibana/visualization/system-2084e300-a884-11e9-a422-d144027429da.json deleted file mode 100644 index 753f48cee4..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-2084e300-a884-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4625\"},\"type\":\"phrase\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4625\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Logon Failed Source IP [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"type\":\"vis_dimension\"},\"maxFontSize\":38,\"metric\":{\"accessor\":1,\"format\":{\"id\":\"string\",\"params\":{}},\"type\":\"vis_dimension\"},\"minFontSize\":10,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Logon Failed Source IP [Windows Security]\",\"type\":\"tagcloud\"}" - }, - "id": "windows-2084e300-a884-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-21aadac0-9c0b-11ea-87e4-49f31ec44891.json b/packages/system/0.10.5/kibana/visualization/system-21aadac0-9c0b-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 16842dce87..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-21aadac0-9c0b-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Logon Sources [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Logon Sources [Windows Security]\",\"type\":\"tagcloud\"}" - }, - "id": "windows-21aadac0-9c0b-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-7e178c80-fee1-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-25f31ee0-9c23-11ea-87e4-49f31ec44891.json b/packages/system/0.10.5/kibana/visualization/system-25f31ee0-9c23-11ea-87e4-49f31ec44891.json deleted file mode 100644 index f2c4c313fa..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-25f31ee0-9c23-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4648\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"4648\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Logon with Explicit Credentials [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"user.name\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":200},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"subjectUserName\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"source.ip\",\"field\":\"source.ip\",\"json\":\"{\\\"missing\\\": 
\\\"::\\\"}\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Logon with Explicit Credentials [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-25f31ee0-9c23-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-26732e20-1b91-11e7-bec4-a5e9ec5cab8b.json b/packages/system/0.10.5/kibana/visualization/system-26732e20-1b91-11e7-bec4-a5e9ec5cab8b.json deleted file mode 100644 index 2ca5154a30..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-26732e20-1b91-11e7-bec4-a5e9ec5cab8b.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Load Gauge [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"feefabd0-1b90-11e7-bec4-a5e9ec5cab8b\"}],\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.load\\\" \"},\"gauge_color_rules\":[{\"id\":\"ffd94880-1b90-11e7-bec4-a5e9ec5cab8b\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"fdcc6180-1b90-11e7-bec4-a5e9ec5cab8b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"fdcc6181-1b90-11e7-bec4-a5e9ec5cab8b\",\"label\":\"5m Load\",\"line_width\":1,\"metrics\":[{\"field\":\"system.load.5\",\"id\":\"fdcc6182-1b90-11e7-bec4-a5e9ec5cab8b\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\"},\"title\":\"Load Gauge [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-26732e20-1b91-11e7-bec4-a5e9ec5cab8b", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-26877510-9b72-11ea-87e4-49f31ec44891.json b/packages/system/0.10.5/kibana/visualization/system-26877510-9b72-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 633e074066..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-26877510-9b72-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "User Management Actions [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"User Management Actions [Windows Security]\",\"type\":\"pie\"}" - }, - "id": "windows-26877510-9b72-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-2c71e0f0-9c0d-11ea-87e4-49f31ec44891.json b/packages/system/0.10.5/kibana/visualization/system-2c71e0f0-9c0d-11ea-87e4-49f31ec44891.json deleted file mode 100644 index fc2fd470e9..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-2c71e0f0-9c0d-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4624\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"4624\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Logons Simple [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Logons\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"aggType\":\"cardinality\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Logons Simple [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-2c71e0f0-9c0d-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.5/kibana/visualization/system-2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.5/kibana/visualization/system-2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 0844a15684..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "User Management Events - Description [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":10,\"markdown\":\"# **User Management Events**\\n\\n#### This dashboard shows information about User Management Events collected by winlogbeat\\n\",\"openLinksInNewTab\":false},\"title\":\"User Management Events - Description [Windows Security]\",\"type\":\"markdown\"}" - }, - "id": "windows-2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-2e224660-1b19-11e7-b09e-037021c4f8df.json b/packages/system/0.10.5/kibana/visualization/system-2e224660-1b19-11e7-b09e-037021c4f8df.json deleted file mode 100644 index 75186de954..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-2e224660-1b19-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Processes By Memory [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"bar_color\":\"rgba(104,188,0,1)\",\"id\":\"efb9b660-1b18-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0},{\"bar_color\":\"rgba(254,146,0,1)\",\"id\":\"17fcb820-1b19-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.7},{\"bar_color\":\"rgba(211,49,21,1)\",\"id\":\"1dd61070-1b19-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.85}],\"drilldown_url\":\"\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.process\\\" \"},\"id\":\"edfceb30-1b18-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"edfceb31-1b18-11e7-b09e-037021c4f8df\",\"line_width\":1,\"metrics\":[{\"field\":\"system.process.memory.rss.pct\",\"id\":\"edfceb32-1b18-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"process.name\",\"terms_order_by\":\"edfceb32-1b18-11e7-b09e-037021c4f8df\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Processes By Memory [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-2e224660-1b19-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.5/kibana/visualization/system-327417e0-8462-11e7-bab8-bd2f0fb42c54.json b/packages/system/0.10.5/kibana/visualization/system-327417e0-8462-11e7-bab8-bd2f0fb42c54.json deleted file mode 100644 index 464f6c729c..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-327417e0-8462-11e7-bab8-bd2f0fb42c54.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Dashboards [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"[Syslog](#/dashboard/system-Filebeat-syslog-dashboard) | [Sudo commands](#/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a) | [SSH logins](#/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a) | [New users and groups](#/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab)\"},\"title\":\"Dashboards [Logs System]\",\"type\":\"markdown\"}" - }, - "id": "system-327417e0-8462-11e7-bab8-bd2f0fb42c54", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-33462600-9b47-11ea-87e4-49f31ec44891.json b/packages/system/0.10.5/kibana/visualization/system-33462600-9b47-11ea-87e4-49f31ec44891.json deleted file mode 100644 index db2aa3d667..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-33462600-9b47-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Group Management Events - Event Actions - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"event.action\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"event.code\",\"field\":\"event.code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Group Management Events - Event Actions - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-33462600-9b47-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.5/kibana/visualization/system-341ffe70-f9ce-11e6-8115-a7c18106d86a.json b/packages/system/0.10.5/kibana/visualization/system-341ffe70-f9ce-11e6-8115-a7c18106d86a.json deleted file mode 100644 index f155739938..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-341ffe70-f9ce-11e6-8115-a7c18106d86a.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.ssh.event:Failed OR system.auth.ssh.event:Invalid\"}}" - }, - "title": "SSH users of failed login attempts [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"scale\":\"linear\"},\"title\":\"SSH users of failed login attempts\",\"type\":\"tagcloud\"}" - }, - "id": "system-341ffe70-f9ce-11e6-8115-a7c18106d86a", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-346bb290-fa80-11e6-a1df-a78bd7504d38.json b/packages/system/0.10.5/kibana/visualization/system-346bb290-fa80-11e6-a1df-a78bd7504d38.json deleted file mode 100644 index 0ad2f78f65..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-346bb290-fa80-11e6-a1df-a78bd7504d38.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New groups over time [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"group.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"bottom\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"New groups over time\",\"type\":\"histogram\"}" - }, - "id": "system-346bb290-fa80-11e6-a1df-a78bd7504d38", - "references": [ - { - "id": "system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-34f97ee0-1b96-11e7-8ada-3df93aab833e.json b/packages/system/0.10.5/kibana/visualization/system-34f97ee0-1b96-11e7-8ada-3df93aab833e.json deleted file mode 100644 index 89d9b0fae2..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-34f97ee0-1b96-11e7-8ada-3df93aab833e.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Disk Usage [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"bar_color_rules\":[{\"bar_color\":\"rgba(104,188,0,1)\",\"id\":\"bf525310-1b95-11e7-8ada-3df93aab833e\",\"operator\":\"gte\",\"value\":0},{\"bar_color\":\"rgba(254,146,0,1)\",\"id\":\"125fc4c0-1b96-11e7-8ada-3df93aab833e\",\"operator\":\"gte\",\"value\":0.7},{\"bar_color\":\"rgba(211,49,21,1)\",\"id\":\"1a5c7240-1b96-11e7-8ada-3df93aab833e\",\"operator\":\"gte\",\"value\":0.85}],\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"drilldown_url\":\"\",\"filter\":{\"language\":\"lucene\",\"query\":\"-system.filesystem.mount_point:\\\\/run* AND -system.filesystem.mount_point:\\\\/sys* AND -system.filesystem.mount_point:\\\\/dev* AND -system.filesystem.mount_point:\\\\/proc* AND -system.filesystem.mount_point:\\\\/var* AND 
-system.filesystem.mount_point:\\\\/boot\"},\"id\":\"9f7e48a0-1b95-11e7-8ada-3df93aab833e\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"9f7e48a1-1b95-11e7-8ada-3df93aab833e\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"system.filesystem.used.pct\",\"id\":\"9f7e48a2-1b95-11e7-8ada-3df93aab833e\",\"order\":\"desc\",\"order_by\":\"@timestamp\",\"size\":1,\"type\":\"top_hit\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.filesystem.mount_point\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"top_n\"},\"title\":\"Disk Usage [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-34f97ee0-1b96-11e7-8ada-3df93aab833e", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-3cec3eb0-f9d3-11e6-8a3e-2b904044ea1d.json b/packages/system/0.10.5/kibana/visualization/system-3cec3eb0-f9d3-11e6-8a3e-2b904044ea1d.json deleted file mode 100644 index c9e1455d68..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-3cec3eb0-f9d3-11e6-8a3e-2b904044ea1d.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.ssh.event:Failed OR system.auth.ssh.event:Invalid\"}}" - }, - "title": "SSH failed login attempts source locations [Logs System]", - "uiStateJSON": "{\"mapCenter\":[17.602139123350838,69.697265625],\"mapZoom\":2}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"autoPrecision\":true,\"field\":\"source.geo.location\",\"precision\":2},\"schema\":\"segment\",\"type\":\"geohash_grid\"}],\"listeners\":{},\"params\":{\"addTooltip\":true,\"heatBlur\":15,\"heatMaxZoom\":16,\"heatMinOpacity\":0.1,\"heatNormalizeData\":true,\"heatRadius\":25,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[15,5],\"mapType\":\"Shaded Circle Markers\",\"mapZoom\":2,\"wms\":{\"enabled\":false,\"options\":{\"attribution\":\"Maps provided by USGS\",\"format\":\"image/png\",\"layers\":\"0\",\"styles\":\"\",\"transparent\":true,\"version\":\"1.3.0\"},\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\"}},\"title\":\"SSH failed login attempts source locations\",\"type\":\"tile_map\"}" - }, - "id": "system-3cec3eb0-f9d3-11e6-8a3e-2b904044ea1d", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-3d65d450-a9c3-11e7-af20-67db8aecb295.json b/packages/system/0.10.5/kibana/visualization/system-3d65d450-a9c3-11e7-af20-67db8aecb295.json deleted file mode 100644 index 467738abc7..0000000000 
--- a/packages/system/0.10.5/kibana/visualization/system-3d65d450-a9c3-11e7-af20-67db8aecb295.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Tip [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"**TIP:** To select another host, go to the [System Overview](#/dashboard/system-Metrics-system-overview) dashboard and double-click a host name.\"},\"title\":\"Tip [Metrics System]\",\"type\":\"markdown\"}" - }, - "id": "system-3d65d450-a9c3-11e7-af20-67db8aecb295", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-400b63e0-f49a-11e9-8405-516218e3d268.json b/packages/system/0.10.5/kibana/visualization/system-400b63e0-f49a-11e9-8405-516218e3d268.json deleted file mode 100644 index 6a74b71833..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-400b63e0-f49a-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Groups Changed TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(200,201,197,1)\",\"id\":\"bfcaced0-f419-11e9-928e-8f5fd2b6c66e\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(221,186,64,1)\",\"id\":\"a7d935e0-f497-11e9-928e-8f5fd2b6c66e\",\"operator\":\"gt\",\"value\":0}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code:4735 OR event.code:4737 OR event.code:\\\"4755\\\" OR event.code:\\\"4764\\\" OR event.code:\\\"4750\\\" OR event.code:\\\"4760\\\" OR event.code:\\\"4745\\\" OR event.code:\\\"4784\\\" OR event.code:\\\"4791\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"60d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Groups Changed\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Groups Changed TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-400b63e0-f49a-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.5/kibana/visualization/system-421f0610-af98-11e9-a422-d144027429da.json b/packages/system/0.10.5/kibana/visualization/system-421f0610-af98-11e9-a422-d144027429da.json deleted file mode 100644 index d39a6141ab..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-421f0610-af98-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4625\"},\"type\":\"phrase\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4625\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Logon Failed Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Time 
Bucket\",\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"h\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"2020-05-17T09:37:55.995Z\",\"to\":\"2020-05-22T03:09:27.260Z\"},\"useNormalizedEsInterval\":true},\"schema\":\"bucket\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"user.name\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"source workstation\",\"field\":\"source.domain\",\"json\":\"{\\\"missing\\\": \\\"N/A\\\"}\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"source.ip\",\"field\":\"source.ip\",\"json\":\"{\\\"missing\\\": 
\\\"::\\\"}\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"event.action\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"winlog.logon.type\",\"field\":\"winlog.logon.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"8\",\"params\":{\"customLabel\":\"winlog.event_data.SubjectUserName\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"date_histogram\",\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD 
HH:mm\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":4,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":5,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":15,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Logon Failed Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-421f0610-af98-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.5/kibana/visualization/system-4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index ed7b83e131..0000000000 
--- a/packages/system/0.10.5/kibana/visualization/system-4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4740\"},\"type\":\"phrase\",\"value\":\"4740\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4740\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Locked Out - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Locked User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Locked Out - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-4b683ac0-a7d7-11e9-a422-d144027429da.json b/packages/system/0.10.5/kibana/visualization/system-4b683ac0-a7d7-11e9-a422-d144027429da.json deleted file mode 100644 index 6f92dc8999..0000000000 
--- a/packages/system/0.10.5/kibana/visualization/system-4b683ac0-a7d7-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4625\"],\"type\":\"phrases\",\"value\":\"4625\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4625\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Failed Logon HeatMap [Windows Security]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 4\":\"rgb(255,255,204)\",\"12 - 16\":\"rgb(252,91,46)\",\"16 - 20\":\"rgb(212,16,32)\",\"4 - 8\":\"rgb(254,225,135)\",\"8 - 12\":\"rgb(254,171,73)\"}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"drop_partials\":true,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"h\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"2020-05-17T09:37:55.995Z\",\"to\":\"2020-05-22T03:09:27.260Z\"},\"useNormalizedEsInterval\":true},\"schema\":\"group\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTooltip\":false,\"colorSchema\":\"Yellow to Red\",\"colorsNumber\":5,\"colorsRange\":[],\"dimensions\":{\"series\":[{\"accessor\":1,\"aggType\":\"date_histogram\",\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD HH:mm\"}},\"label\":\"@timestamp per hour\",\"params\":{}}],\"x\":{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"label\":\"user.name: Descending\",\"params\":{}},\"y\":[{\"accessor\":2,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}}]},\"enableHover\":true,\"invertColors\":false,\"legendPosition\":\"bottom\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"type\":\"heatmap\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"black\",\"overwriteColor\":false,\"rotate\":0,\"show\":true},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Failed Logon HeatMap [Windows Security]\",\"type\":\"heatmap\"}" - }, - "id": 
"windows-4b683ac0-a7d7-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-4bedf650-9ffd-11ea-87e4-49f31ec44891.json b/packages/system/0.10.5/kibana/visualization/system-4bedf650-9ffd-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 91ec1afb81..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-4bedf650-9ffd-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4625\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"4625\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": " Failed Logons [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Failed Logons\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\" Failed Logons [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-4bedf650-9ffd-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-4d546850-1b15-11e7-b09e-037021c4f8df.json b/packages/system/0.10.5/kibana/visualization/system-4d546850-1b15-11e7-b09e-037021c4f8df.json deleted file mode 100644 index cd04472792..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-4d546850-1b15-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "System Load [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.load\\\"\"},\"id\":\"f6264ad0-1b14-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(115,216,255,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"f62671e0-1b14-11e7-b09e-037021c4f8df\",\"label\":\"1m\",\"line_width\":\"3\",\"metrics\":[{\"field\":\"system.load.1\",\"id\":\"f62671e1-1b14-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"1c324850-1b15-11e7-b09e-037021c4f8df\",\"label\":\"5m\",\"line_width\":\"3\",\"metrics\":[{\"field\":\"system.load.5\",\"id\":\"1c324851-1b15-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,98,177,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"3287e740-1b15-11e7-b09e-037021c4f8df\",\"label\":\"15m\",\"line_width\":\"3\",\"metrics\":[{\"field\":\"system.load.15\",\"id\":\"32880e50-1b15-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"
title\":\"System Load [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-4d546850-1b15-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-4e4bb1e0-1b1b-11e7-b09e-037021c4f8df.json b/packages/system/0.10.5/kibana/visualization/system-4e4bb1e0-1b1b-11e7-b09e-037021c4f8df.json deleted file mode 100644 index 4bdb84e270..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-4e4bb1e0-1b1b-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Disk IO (Bytes) [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.diskio\\\"\"},\"id\":\"d3c67db0-1b1a-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(22,165,165,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"d3c67db1-1b1a-11e7-b09e-037021c4f8df\",\"label\":\"reads\",\"line_width\":1,\"metrics\":[{\"field\":\"system.diskio.read.bytes\",\"id\":\"d3c67db2-1b1a-11e7-b09e-037021c4f8df\",\"type\":\"max\"},{\"field\":\"d3c67db2-1b1a-11e7-b09e-037021c4f8df\",\"id\":\"f55b9910-1b1a-11e7-b09e-037021c4f8df\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"field\":\"f55b9910-1b1a-11e7-b09e-037021c4f8df\",\"id\":\"dcbbb100-1b93-11e7-8ada-3df93aab833e\",\"type\":\"positive_only\",\"unit\":\"\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"value_template\":\"{{value}}/s\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(251,158,0,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"144124d0-1b1b-11e7-b09e-037021c4f8df\",\"label\":\"writes\",\"line_width\":1,\"metrics\":[{\"field\":\"system.diskio.write.bytes\",\"id\":\"144124d1-1b1b-11e7-b09e-037021c4f8df\",\"type\":\"max\"},{\"field\":\"144124d1-1b1b-11e7-b09e-037021c4f8df\",\"id\":\"144124d2-1b1b-11e7-b09e-037021c4f8df\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"id\":\"144124d4-1b1b-11e7-b09e-037021c4f8df\",\"script\":\"params.rate \\u003e 0 ? 
params.rate * -1 : 0\",\"type\":\"calculation\",\"variables\":[{\"field\":\"144124d2-1b1b-11e7-b09e-037021c4f8df\",\"id\":\"144124d3-1b1b-11e7-b09e-037021c4f8df\",\"name\":\"rate\"}]}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"value_template\":\"{{value}}/s\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"Disk IO (Bytes) [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-4e4bb1e0-1b1b-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-51164310-fa2b-11e6-bbd3-29c986c96e5a.json b/packages/system/0.10.5/kibana/visualization/system-51164310-fa2b-11e6-bbd3-29c986c96e5a.json deleted file mode 100644 index efa1f752dd..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-51164310-fa2b-11e6-bbd3-29c986c96e5a.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.sudo.error:*\"}}" - }, - "title": "Sudo errors [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"system.auth.sudo.error\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"Sudo errors\",\"type\":\"histogram\"}" - }, - "id": "system-51164310-fa2b-11e6-bbd3-29c986c96e5a", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b.json b/packages/system/0.10.5/kibana/visualization/system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b.json deleted file mode 100644 index bd07f29ec0..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Inbound Traffic [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"0e346760-1b92-11e7-bec4-a5e9ec5cab8b\"}],\"filter\":{\"language\":\"lucene\",\"query\":\"-system.network.name:l*\"},\"id\":\"0c761590-1b92-11e7-bec4-a5e9ec5cab8b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"0c761591-1b92-11e7-bec4-a5e9ec5cab8b\",\"label\":\"Inbound Traffic\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.in.bytes\",\"id\":\"0c761592-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"max\"},{\"field\":\"0c761592-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"1d659060-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"field\":\"1d659060-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"f2074f70-1b92-11e7-a416-41f5ccdba2e6\",\"type\":\"positive_only\",\"unit\":\"\"},{\"function\":\"sum\",\"id\":\"c40e18f0-2c55-11e7-a0ad-277ce466684d\",\"type\":\"series_agg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"37f70440-1b92-11e7-bec4-a5e9ec5cab8b\",\"label\":\"Total 
Transferred\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.in.bytes\",\"id\":\"37f72b50-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"max\"},{\"field\":\"37f72b50-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"37f72b51-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"derivative\",\"unit\":\"\"},{\"field\":\"37f72b51-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"f9da2dd0-1b92-11e7-a416-41f5ccdba2e6\",\"type\":\"positive_only\",\"unit\":\"\"},{\"field\":\"f9da2dd0-1b92-11e7-a416-41f5ccdba2e6\",\"function\":\"overall_sum\",\"id\":\"3e63c2f0-1b92-11e7-bec4-a5e9ec5cab8b\",\"sigma\":\"\",\"type\":\"series_agg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"metric\"},\"title\":\"Inbound Traffic [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-546febc0-f49b-11e9-8405-516218e3d268.json b/packages/system/0.10.5/kibana/visualization/system-546febc0-f49b-11e9-8405-516218e3d268.json deleted file mode 100644 index 2a4dc48ec0..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-546febc0-f49b-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Groups Enumeration - TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(128,128,128,1)\",\"color\":\"rgba(179,179,179,1)\",\"id\":\"bfcaced0-f419-11e9-928e-8f5fd2b6c66e\",\"operator\":\"gt\",\"value\":0},{\"background_color\":\"rgba(179,179,179,1)\",\"id\":\"8d3f3ed0-9b51-11ea-99a1-e5b989979a59\",\"operator\":\"lte\",\"value\":0}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code:4799\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Group Membership Enumeration\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Groups Enumeration - TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-546febc0-f49b-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.5/kibana/visualization/system-568a8130-bcde-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.5/kibana/visualization/system-568a8130-bcde-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 933f67bf45..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-568a8130-bcde-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4723\",\"4724\"],\"type\":\"phrases\",\"value\":\"4723, 4724\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4723\"}},{\"match_phrase\":{\"event.code\":\"4724\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Password Reset / Changes [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Password Changes\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Password Reset / Changes [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-568a8130-bcde-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], 
- "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-58fb9480-9b46-11ea-87e4-49f31ec44891.json b/packages/system/0.10.5/kibana/visualization/system-58fb9480-9b46-11ea-87e4-49f31ec44891.json deleted file mode 100644 index ff437ba2d3..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-58fb9480-9b46-11ea-87e4-49f31ec44891.json +++ /dev/null @@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Group Management Events - Target Groups - Tag Cloud [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"maxFontSize\":58,\"minFontSize\":18,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Group Management Events - Target Groups - Tag Cloud [Windows Security]\",\"type\":\"tagcloud\"}" - }, - "id": "windows-58fb9480-9b46-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.5/kibana/visualization/system-590a60f0-5d87-11e7-8884-1bb4c3b890e4.json b/packages/system/0.10.5/kibana/visualization/system-590a60f0-5d87-11e7-8884-1bb4c3b890e4.json deleted file mode 100644 index e5419418c6..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-590a60f0-5d87-11e7-8884-1bb4c3b890e4.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Number of processes [Metrics System]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Processes\",\"field\":\"process.pid\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.process\\\"\"},\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"type\":\"gauge\"},\"title\":\"Number of processes\",\"type\":\"metric\"}" - }, - "id": "system-590a60f0-5d87-11e7-8884-1bb4c3b890e4", - "references": [ - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-5bb93ed0-a249-11e9-a422-d144027429da.json b/packages/system/0.10.5/kibana/visualization/system-5bb93ed0-a249-11e9-a422-d144027429da.json deleted file mode 100644 index 9742f4a43f..0000000000 
--- a/packages/system/0.10.5/kibana/visualization/system-5bb93ed0-a249-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4672\"},\"type\":\"phrase\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4672\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Admin Logons Simple [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Admin Logons\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"aggType\":\"cardinality\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Admin Logons Simple [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-5bb93ed0-a249-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.5/kibana/visualization/system-5c7af030-fa2a-11e6-bbd3-29c986c96e5a.json b/packages/system/0.10.5/kibana/visualization/system-5c7af030-fa2a-11e6-bbd3-29c986c96e5a.json deleted file mode 100644 index 112d3d6530..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-5c7af030-fa2a-11e6-bbd3-29c986c96e5a.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Sudo commands by user [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"Sudo commands by user\",\"type\":\"histogram\"}" - }, - "id": "system-5c7af030-fa2a-11e6-bbd3-29c986c96e5a", - "references": [ - { - "id": "system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-5c9ee410-9b74-11ea-87e4-49f31ec44891.json b/packages/system/0.10.5/kibana/visualization/system-5c9ee410-9b74-11ea-87e4-49f31ec44891.json deleted file mode 100644 index dca0f9262f..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-5c9ee410-9b74-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "User Event Actions - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"event.action\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":25},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"event.code\",\"field\":\"event.code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"User Event Actions - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-5c9ee410-9b74-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.5/kibana/visualization/system-5d117970-9ffd-11ea-87e4-49f31ec44891.json b/packages/system/0.10.5/kibana/visualization/system-5d117970-9ffd-11ea-87e4-49f31ec44891.json deleted file mode 100644 index fa00481119..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-5d117970-9ffd-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4740\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"4740\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Blocked Accounts [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Blocked Accounts\",\"field\":\"user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Blocked Accounts [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-5d117970-9ffd-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.5/kibana/visualization/system-5d92b100-bce8-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.5/kibana/visualization/system-5d92b100-bce8-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 51ea966488..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-5d92b100-bce8-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4738\"],\"type\":\"phrases\",\"value\":\"4738\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4738\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Changes - Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Changes in Users\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Changes - Simple Metric [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-5d92b100-bce8-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.5/kibana/visualization/system-5dd15c00-fa78-11e6-ae9b-81e5311e8cab.json b/packages/system/0.10.5/kibana/visualization/system-5dd15c00-fa78-11e6-ae9b-81e5311e8cab.json deleted file mode 100644 index bc04c92dd4..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-5dd15c00-fa78-11e6-ae9b-81e5311e8cab.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New users over time [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"bottom\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"New users over time\",\"type\":\"histogram\"}" - }, - "id": "system-5dd15c00-fa78-11e6-ae9b-81e5311e8cab", - "references": [ - { - "id": "system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-5e19ff80-231c-11ea-8405-516218e3d268.json b/packages/system/0.10.5/kibana/visualization/system-5e19ff80-231c-11ea-8405-516218e3d268.json deleted file mode 100644 index a48866082b..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-5e19ff80-231c-11ea-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4781\"],\"type\":\"phrases\",\"value\":\"4781\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4781\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Renamed - Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Renamed Users\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Renamed - Simple Metric [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-5e19ff80-231c-11ea-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.5/kibana/visualization/system-5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.5/kibana/visualization/system-5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 4af6ebd0b6..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4720\"},\"type\":\"phrase\",\"value\":\"4720\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4720\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Created - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Created User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Created - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-5eeaafd0-fee7-11e9-8405-516218e3d268.json b/packages/system/0.10.5/kibana/visualization/system-5eeaafd0-fee7-11e9-8405-516218e3d268.json deleted file mode 100644 index 14a99c93c0..0000000000 
--- a/packages/system/0.10.5/kibana/visualization/system-5eeaafd0-fee7-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4734\",\"4730\",\"4758\",\"4748\",\"4763\",\"4753\",\"4792\",\"4789\"],\"type\":\"phrases\",\"value\":\"4734, 4730, 4758, 4748, 4763, 4753, 4792, 4789\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4734\"}},{\"match_phrase\":{\"event.code\":\"4730\"}},{\"match_phrase\":{\"event.code\":\"4758\"}},{\"match_phrase\":{\"event.code\":\"4748\"}},{\"match_phrase\":{\"event.code\":\"4763\"}},{\"match_phrase\":{\"event.code\":\"4753\"}},{\"match_phrase\":{\"event.code\":\"4792\"}},{\"match_phrase\":{\"event.code\":\"4789\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"lucene\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Groups Deleted- Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Groups Deleted\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Greens\",\"colorsRange\":[{\"from\":0,\"to\":1,\"type\":\"range\"},{\"from\":1,\"to\":5},{\"from\":5,\"to\":10},{\"from\":10,\"to\":15},{\"from\":15,\"to\":20},{\"from\":20,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"Labels\",\"percentageMode\":false,\"style\":{\"bgColor\":true,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Groups Deleted- 
Simple Metric [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-5eeaafd0-fee7-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-60301890-ff1d-11e9-8405-516218e3d268.json b/packages/system/0.10.5/kibana/visualization/system-60301890-ff1d-11e9-8405-516218e3d268.json deleted file mode 100644 index 52f84418d2..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-60301890-ff1d-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Password Changes - TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(154,196,198,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4723\\\" OR event.code: \\\"4724\\\"\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Password Changes/Reset\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Password Changes - TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-60301890-ff1d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.5/kibana/visualization/system-6b7b9a40-faa1-11e6-86b1-cd7735ff7e23.json b/packages/system/0.10.5/kibana/visualization/system-6b7b9a40-faa1-11e6-86b1-cd7735ff7e23.json deleted file mode 100644 index 22a26c29d4..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-6b7b9a40-faa1-11e6-86b1-cd7735ff7e23.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Network Traffic (Packets) [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"lucene\",\"query\":\"-system.network.name:l*\"},\"id\":\"da1046f0-faa0-11e6-86b1-cd7735ff7e23\",\"index_pattern\":\"*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":\"1\",\"formatter\":\"0.[00]a\",\"id\":\"da1046f1-faa0-11e6-86b1-cd7735ff7e23\",\"label\":\"Inbound\",\"line_width\":\"0\",\"metrics\":[{\"field\":\"system.network.in.packets\",\"id\":\"da1046f2-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"max\"},{\"field\":\"da1046f2-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"f41f9280-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"field\":\"f41f9280-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"c0da3d80-1b93-11e7-8ada-3df93aab833e\",\"type\":\"positive_only\",\"unit\":\"\"},{\"function\":\"sum\",\"id\":\"ecaad010-2c2c-11e7-be71-3162da85303f\",\"type\":\"series_agg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(250,40,255,1)\",\"fill\":\"1\",\"formatter\":\"0.[00]a\",\"id\":\"fbbd5720-faa0-11e6-86b1-cd7735ff7e23\",\"label\":\"Outbound\",\"line_width\":\"0\",\"metrics\":[{\"field\":\"system.network.out.packets\",\"id\":\"fbbd7e30-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"max\"},{\"field\":\"fbbd7e30-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"fbbd7e31-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"id\":\"17e597a0-faa1-11e6-86b
1-cd7735ff7e23\",\"script\":\"params.rate != null \\u0026\\u0026 params.rate \\u003e 0 ? params.rate * -1 : null\",\"type\":\"calculation\",\"variables\":[{\"field\":\"fbbd7e31-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"1940bad0-faa1-11e6-86b1-cd7735ff7e23\",\"name\":\"rate\"}]},{\"function\":\"sum\",\"id\":\"fe5fbdc0-2c2c-11e7-be71-3162da85303f\",\"type\":\"series_agg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"Mericbeat: Network Traffic (Packets)\",\"type\":\"metrics\"}" - }, - "id": "system-6b7b9a40-faa1-11e6-86b1-cd7735ff7e23", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-6f0f2ea0-f414-11e9-8405-516218e3d268.json b/packages/system/0.10.5/kibana/visualization/system-6f0f2ea0-f414-11e9-8405-516218e3d268.json deleted file mode 100644 index 4da7034431..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-6f0f2ea0-f414-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Group Management Events - Description [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":10,\"markdown\":\"# **Group Management Events**\\n\\n#### This dashboard shows information about Group Management Events collected by winlogbeat\\n\",\"openLinksInNewTab\":false},\"title\":\"Group Management Events - Description [Windows Security]\",\"type\":\"markdown\"}" - }, - "id": "windows-6f0f2ea0-f414-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-729443b0-a7d6-11e9-a422-d144027429da.json b/packages/system/0.10.5/kibana/visualization/system-729443b0-a7d6-11e9-a422-d144027429da.json deleted file mode 100644 index 67e90b9ee1..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-729443b0-a7d6-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4625\",\"4771\"],\"type\":\"phrases\",\"value\":\"4625, 4771\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4625\"}},{\"match_phrase\":{\"event.code\":\"4771\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Logon Failed Acconts [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"type\":\"vis_dimension\"},\"maxFontSize\":37,\"metric\":{\"accessor\":1,\"format\":{\"id\":\"string\",\"params\":{}},\"type\":\"vis_dimension\"},\"minFontSize\":15,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Logon Failed Acconts [Windows Security]\",\"type\":\"tagcloud\"}" - }, - "id": "windows-729443b0-a7d6-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-7322f9f0-ff1c-11e9-8405-516218e3d268.json b/packages/system/0.10.5/kibana/visualization/system-7322f9f0-ff1c-11e9-8405-516218e3d268.json deleted file mode 100644 index e59b87fe2e..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-7322f9f0-ff1c-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Deleted - TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(228,155,75,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4726\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Deleted\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Deleted - TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-7322f9f0-ff1c-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.5/kibana/visualization/system-78b74f30-f9cd-11e6-8115-a7c18106d86a.json b/packages/system/0.10.5/kibana/visualization/system-78b74f30-f9cd-11e6-8115-a7c18106d86a.json deleted file mode 100644 index c119c156ea..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-78b74f30-f9cd-11e6-8115-a7c18106d86a.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - }, - "title": "SSH login attempts [Logs System]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Accepted\":\"#3F6833\",\"Failed\":\"#F9934E\",\"Invalid\":\"#447EBC\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"system.auth.ssh.event\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"SSH login attempts\",\"type\":\"histogram\"}" - }, - "id": "system-78b74f30-f9cd-11e6-8115-a7c18106d86a", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.5/kibana/visualization/system-7a329a00-a7d5-11e9-a422-d144027429da.json b/packages/system/0.10.5/kibana/visualization/system-7a329a00-a7d5-11e9-a422-d144027429da.json deleted file mode 100644 index 0156cd0ffc..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-7a329a00-a7d5-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4740\"},\"type\":\"phrase\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4740\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Blocked Accounts Tag [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"type\":\"vis_dimension\"},\"maxFontSize\":53,\"metric\":{\"accessor\":1,\"format\":{\"id\":\"string\",\"params\":{}},\"type\":\"vis_dimension\"},\"minFontSize\":18,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Blocked Accounts Tag [Windows Security]\",\"type\":\"tagcloud\"}" - }, - "id": "windows-7a329a00-a7d5-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - 
}, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-7cdb1330-4d1a-11e7-a196-69b9a7a020a9.json b/packages/system/0.10.5/kibana/visualization/system-7cdb1330-4d1a-11e7-a196-69b9a7a020a9.json deleted file mode 100644 index e89f3a3690..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-7cdb1330-4d1a-11e7-a196-69b9a7a020a9.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Hosts histogram by CPU usage [Metrics System]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0% - 5%\":\"rgb(247,252,245)\",\"10% - 15%\":\"rgb(116,196,118)\",\"15% - 20%\":\"rgb(35,139,69)\",\"5% - 10%\":\"rgb(199,233,192)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"CPU usage\",\"field\":\"system.cpu.user.pct\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Hosts\",\"field\":\"host.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Greens\",\"colorsNumber\":4,\"colorsRange\":[],\"enableHover\":false,\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.cpu\\\" \"},\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"type\":\"heatmap\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"#555\",\"rotate\":0,\"show\":false},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Hosts histogram by CPU usage [Metrics System]\",\"type\":\"heatmap\"}" - }, - "id": "system-7cdb1330-4d1a-11e7-a196-69b9a7a020a9", - "references": [ - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.5/kibana/visualization/system-7de2e3f0-9b4d-11ea-87e4-49f31ec44891.json b/packages/system/0.10.5/kibana/visualization/system-7de2e3f0-9b4d-11ea-87e4-49f31ec44891.json deleted file mode 100644 index ac901db56f..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-7de2e3f0-9b4d-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Group Management Action Distribution over Time [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-30d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":25},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false,\"valueAxis\":\"\"},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"positio
n\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Group Management Action Distribution over Time [Windows Security]\",\"type\":\"histogram\"}" - }, - "id": "windows-7de2e3f0-9b4d-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-804dd400-a248-11e9-a422-d144027429da.json b/packages/system/0.10.5/kibana/visualization/system-804dd400-a248-11e9-a422-d144027429da.json deleted file mode 100644 index 81fea16fcd..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-804dd400-a248-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4672\"],\"type\":\"phrases\",\"value\":\"4672\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4672\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Logged on Administrators [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Date\",\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"2020-05-20T07:35:27.496Z\",\"to\":\"2020-05-22T00:01:10.239Z\"},\"useNormalizedEsInterval\":true},\"schema\":\"bucket\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"user.name\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"8\",\"params\":{\"customLabel\":\"# 
Thread\",\"field\":\"winlog.process.thread.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"9\",\"params\":{\"customLabel\":\"LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"date_histogram\",\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD HH:mm\"}},\"label\":\"Fecha - Hora \",\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"label\":\"Usuario\",\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"label\":\"# Thread\",\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"label\":\"winlog.logon.id: Descending\",\"params\":{}}],\"metrics\":[{\"accessor\":4,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Cantidad Eventos 
\",\"params\":{}}]},\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Logged on Administrators [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-804dd400-a248-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32.json b/packages/system/0.10.5/kibana/visualization/system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32.json deleted file mode 100644 index 172b24f43c..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Disk Used [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.fsstat\\\"\"},\"gauge_color_rules\":[{\"gauge\":\"rgba(104,188,0,1)\",\"id\":\"51921d10-4d1d-11e7-b5f2-2b7c1895bf32\",\"operator\":\"gte\",\"value\":0},{\"gauge\":\"rgba(251,158,0,1)\",\"id\":\"f26de750-4d54-11e7-b5f2-2b7c1895bf32\",\"operator\":\"gte\",\"value\":0.7},{\"gauge\":\"rgba(211,49,21,1)\",\"id\":\"fa31d190-4d54-11e7-b5f2-2b7c1895bf32\",\"operator\":\"gte\",\"value\":0.85}],\"gauge_inner_width\":10,\"gauge_max\":\"1\",\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"4e4dc780-4d1d-11e7-b5f2-2b7c1895bf32\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"4e4dee90-4d1d-11e7-b5f2-2b7c1895bf32\",\"label\":\"Disk used\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"system.fsstat.total_size.used\",\"id\":\"4e4dee91-4d1d-11e7-b5f2-2b7c1895bf32\",\"order\":\"desc\",\"order_by\":\"@timestamp\",\"size\":1,\"type\":\"top_hit\"},{\"agg_with\":\"avg\",\"field\":\"system.fsstat.total_size.total\",\"id\":\"57c96ee0-4d54-11e7-b5f2-2b7c1895bf32\",\"order\":\"desc\",\"order_by\":\"@timestamp\",\"size\":1,\"type\":\"top_hit\"},{\"id\":\"6304cca0-4d54-11e7-b5f2-2b7c1895bf32\",\"script\":\"params.used/params.total 
\",\"type\":\"math\",\"variables\":[{\"field\":\"4e4dee91-4d1d-11e7-b5f2-2b7c1895bf32\",\"id\":\"6da10430-4d54-11e7-b5f2-2b7c1895bf32\",\"name\":\"used\"},{\"field\":\"57c96ee0-4d54-11e7-b5f2-2b7c1895bf32\",\"id\":\"73b8c510-4d54-11e7-b5f2-2b7c1895bf32\",\"name\":\"total\"}]}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"gauge\"},\"title\":\"Disk used [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b.json b/packages/system/0.10.5/kibana/visualization/system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b.json deleted file mode 100644 index dc7c7ab1d6..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "CPU Usage Gauge [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.cpu\\\"\"},\"gauge_color_rules\":[{\"gauge\":\"rgba(104,188,0,1)\",\"id\":\"4ef2c3b0-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0},{\"gauge\":\"rgba(254,146,0,1)\",\"id\":\"e6561ae0-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0.7},{\"gauge\":\"rgba(211,49,21,1)\",\"id\":\"ec655040-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0.85}],\"gauge_inner_width\":10,\"gauge_max\":\"1\",\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"4c9e2550-1b91-11e7-bec4-a5e9ec5cab8b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"4c9e2551-1b91-11e7-bec4-a5e9ec5cab8b\",\"label\":\"CPU Usage\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.user.pct\",\"id\":\"4c9e2552-1b91-11e7-bec4-a5e9ec5cab8b\",\"type\":\"avg\"},{\"field\":\"system.cpu.system.pct\",\"id\":\"225c2140-5fd7-11e7-a63a-a937b7c1a7e1\",\"type\":\"avg\"},{\"field\":\"system.cpu.cores\",\"id\":\"837a30c0-5fd7-11e7-a63a-a937b7c1a7e1\",\"type\":\"avg\"},{\"id\":\"587aa510-1b91-11e7-bec4-a5e9ec5cab8b\",\"script\":\"params.n \\u003e 0 ? 
(params.user+params.system)/params.n : null\",\"type\":\"calculation\",\"variables\":[{\"field\":\"4c9e2552-1b91-11e7-bec4-a5e9ec5cab8b\",\"id\":\"5a19af10-1b91-11e7-bec4-a5e9ec5cab8b\",\"name\":\"user\"},{\"field\":\"225c2140-5fd7-11e7-a63a-a937b7c1a7e1\",\"id\":\"32b54f80-5fd7-11e7-a63a-a937b7c1a7e1\",\"name\":\"system\"},{\"field\":\"837a30c0-5fd7-11e7-a63a-a937b7c1a7e1\",\"id\":\"8ba6eef0-5fd7-11e7-a63a-a937b7c1a7e1\",\"name\":\"n\"}]}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\"},\"title\":\"CPU Usage Gauge [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-84502430-bce8-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.5/kibana/visualization/system-84502430-bce8-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 83e05f5442..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-84502430-bce8-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4740\"],\"type\":\"phrases\",\"value\":\"4740\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4740\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Unlocks - Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Users Locked Out\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Unlocks - Simple Metric [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-84502430-bce8-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.5/kibana/visualization/system-855899e0-1b1c-11e7-b09e-037021c4f8df.json b/packages/system/0.10.5/kibana/visualization/system-855899e0-1b1c-11e7-b09e-037021c4f8df.json deleted file mode 100644 index ae48f968a3..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-855899e0-1b1c-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Top Hosts By CPU (Realtime) [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"bar_color\":\"rgba(104,188,0,1)\",\"id\":\"33349dd0-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0},{\"bar_color\":\"rgba(254,146,0,1)\",\"id\":\"997dc440-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.6},{\"bar_color\":\"rgba(211,49,21,1)\",\"id\":\"a10d7f20-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.85}],\"drilldown_url\":\"../app/kibana#/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8?_a=(query:(language:kuery,query:'host.name:\\\"{{key}}\\\"'))\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.cpu\\\"\"},\"id\":\"31e5afa0-1b1c-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"31e5afa1-1b1c-11e7-b09e-037021c4f8df\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.user.pct\",\"id\":\"31e5afa2-1b1c-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"host.name\",\"terms_order_by\":\"31e5afa2-1b1c-11e7-b09e-037021c4f8df\",\"terms_size\":\"10\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Top Hosts By CPU (Realtime) [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-855899e0-1b1c-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.5/kibana/visualization/system-855957d0-bcdd-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.5/kibana/visualization/system-855957d0-bcdd-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 1056243f5c..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-855957d0-bcdd-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4722\"},\"type\":\"phrase\",\"value\":\"4722\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4722\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Enabled - Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Users Enabled\",\"field\":\"user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Enabled - Simple Metric [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-855957d0-bcdd-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of 
file diff --git a/packages/system/0.10.5/kibana/visualization/system-860706a0-9bfd-11ea-87e4-49f31ec44891.json b/packages/system/0.10.5/kibana/visualization/system-860706a0-9bfd-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 6e2cbe81b4..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-860706a0-9bfd-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "User Logons [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"d5bcde50-9bfc-11ea-aaa3-618beeff2d9c\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(7,139,141,1)\",\"id\":\"16018150-9bfd-11ea-aaa3-618beeff2d9c\",\"operator\":\"gte\",\"value\":0}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"filter\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.security AND event.code: \\\"4624\\\")\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Logons \",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"User Logons [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-860706a0-9bfd-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.5/kibana/visualization/system-8ef59f90-6ab8-11ea-896f-0d70f7ec3956.json b/packages/system/0.10.5/kibana/visualization/system-8ef59f90-6ab8-11ea-896f-0d70f7ec3956.json deleted file mode 100644 index 044b3f7e20..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-8ef59f90-6ab8-11ea-896f-0d70f7ec3956.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Failed Logons TSVB [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(181,99,93,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.security AND event.code: \\\"4625\\\")\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Failed Logon\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Failed Logons TSVB [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-8ef59f90-6ab8-11ea-896f-0d70f7ec3956", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.5/kibana/visualization/system-8f20c950-bcd4-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.5/kibana/visualization/system-8f20c950-bcd4-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 8d37e6840b..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-8f20c950-bcd4-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4725\"},\"type\":\"phrase\",\"value\":\"4725\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4725\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Disabled - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Disabled User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Disabled - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-8f20c950-bcd4-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-96976150-4d5d-11e7-aa29-87a97a796de6.json b/packages/system/0.10.5/kibana/visualization/system-96976150-4d5d-11e7-aa29-87a97a796de6.json deleted file mode 100644 index 172bcb8f2c..0000000000 
--- a/packages/system/0.10.5/kibana/visualization/system-96976150-4d5d-11e7-aa29-87a97a796de6.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Packetloss [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"6ba9b1f0-4d5d-11e7-aa29-87a97a796de6\"}],\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.network\\\"\"},\"id\":\"6984af10-4d5d-11e7-aa29-87a97a796de6\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"6984af11-4d5d-11e7-aa29-87a97a796de6\",\"label\":\"In Packetloss\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.in.dropped\",\"id\":\"6984af12-4d5d-11e7-aa29-87a97a796de6\",\"type\":\"max\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"ac2e6b30-4d5d-11e7-aa29-87a97a796de6\",\"label\":\"Out Packetloss\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.out.dropped\",\"id\":\"ac2e6b31-4d5d-11e7-aa29-87a97a796de6\",\"type\":\"max\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"metric\"},\"title\":\"Packetloss [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-96976150-4d5d-11e7-aa29-87a97a796de6", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.5/kibana/visualization/system-97c70300-ff1c-11e9-8405-516218e3d268.json b/packages/system/0.10.5/kibana/visualization/system-97c70300-ff1c-11e9-8405-516218e3d268.json deleted file mode 100644 index bef426486b..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-97c70300-ff1c-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Disabled - TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(79,147,150,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.security AND event.code: \\\"4725\\\")\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Disabled\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Disabled - TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-97c70300-ff1c-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.5/kibana/visualization/system-98884120-f49d-11e9-8405-516218e3d268.json b/packages/system/0.10.5/kibana/visualization/system-98884120-f49d-11e9-8405-516218e3d268.json deleted file mode 100644 index 768e5a7c1c..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-98884120-f49d-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4731\",\"4727\",\"4754\",\"4744\",\"4759\",\"4779\",\"4790\",\"4783\"],\"type\":\"phrases\",\"value\":\"4731, 4727, 4754, 4744, 4759, 4779, 4790, 4783\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4731\"}},{\"match_phrase\":{\"event.code\":\"4727\"}},{\"match_phrase\":{\"event.code\":\"4754\"}},{\"match_phrase\":{\"event.code\":\"4744\"}},{\"match_phrase\":{\"event.code\":\"4759\"}},{\"match_phrase\":{\"event.code\":\"4779\"}},{\"match_phrase\":{\"event.code\":\"4790\"}},{\"match_phrase\":{\"event.code\":\"4783\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Groups Created - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Group\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"group.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Performer 
LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":4,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":5,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Groups Created - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-98884120-f49d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.5/kibana/visualization/system-99381c80-4d60-11e7-9a4c-ed99bbcaa42b.json b/packages/system/0.10.5/kibana/visualization/system-99381c80-4d60-11e7-9a4c-ed99bbcaa42b.json deleted file mode 100644 index 66e166e22e..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-99381c80-4d60-11e7-9a4c-ed99bbcaa42b.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Interfaces by Incoming traffic [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"id\":\"44596d40-4d60-11e7-9a4c-ed99bbcaa42b\"}],\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.network\\\"\"},\"id\":\"42ceae90-4d60-11e7-9a4c-ed99bbcaa42b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"42ced5a0-4d60-11e7-9a4c-ed99bbcaa42b\",\"label\":\"Interfaces by Incoming traffic\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.in.bytes\",\"id\":\"42ced5a1-4d60-11e7-9a4c-ed99bbcaa42b\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"terms_order_by\":\"42ced5a1-4d60-11e7-9a4c-ed99bbcaa42b\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Interfaces by Incoming traffic [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-99381c80-4d60-11e7-9a4c-ed99bbcaa42b", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.5/kibana/visualization/system-9dd22440-ff1d-11e9-8405-516218e3d268.json b/packages/system/0.10.5/kibana/visualization/system-9dd22440-ff1d-11e9-8405-516218e3d268.json deleted file mode 100644 index 3d479d8d36..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-9dd22440-ff1d-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users locked Out - TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(102,102,102,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.security AND event.code: \\\"4740\\\")\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Locked Out\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users locked Out - TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-9dd22440-ff1d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.5/kibana/visualization/system-9e534190-f49d-11e9-8405-516218e3d268.json b/packages/system/0.10.5/kibana/visualization/system-9e534190-f49d-11e9-8405-516218e3d268.json deleted file mode 100644 index 80de558be8..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-9e534190-f49d-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4735\",\"4737\",\"4755\",\"4750\",\"4760\",\"4745\",\"4791\",\"4784\",\"4764\"],\"type\":\"phrases\",\"value\":\"4735, 4737, 4755, 4750, 4760, 4745, 4791, 4784, 4764\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4735\"}},{\"match_phrase\":{\"event.code\":\"4737\"}},{\"match_phrase\":{\"event.code\":\"4755\"}},{\"match_phrase\":{\"event.code\":\"4750\"}},{\"match_phrase\":{\"event.code\":\"4760\"}},{\"match_phrase\":{\"event.code\":\"4745\"}},{\"match_phrase\":{\"event.code\":\"4791\"}},{\"match_phrase\":{\"event.code\":\"4784\"}},{\"match_phrase\":{\"event.code\":\"4764\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Group Changes - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Group\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"group.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Performer 
LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":4,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":5,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Group Changes - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-9e534190-f49d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.5/kibana/visualization/system-Event-Levels.json b/packages/system/0.10.5/kibana/visualization/system-Event-Levels.json deleted file mode 100644 index aad708a11c..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-Event-Levels.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system)\"}}" - }, - "title": "Event Levels [Windows Overview]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Log Levels\",\"field\":\"log.level\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Event Levels [Windows Overview]\",\"type\":\"table\"}" - }, - "id": "windows-Event-Levels", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of 
file diff --git a/packages/system/0.10.5/kibana/visualization/system-Navigation.json b/packages/system/0.10.5/kibana/visualization/system-Navigation.json deleted file mode 100644 index d996678974..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-Navigation.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "System Navigation [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"[System Overview](#/dashboard/system-Metrics-system-overview) | [Host Overview](#/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8)\"},\"title\":\"System Navigation [Metrics System]\",\"type\":\"markdown\"}" - }, - "id": "system-Navigation", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-Number-of-Events-Over-Time-By-Event-Log.json b/packages/system/0.10.5/kibana/visualization/system-Number-of-Events-Over-Time-By-Event-Log.json deleted file mode 100644 index f37198a2af..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-Number-of-Events-Over-Time-By-Event-Log.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system)\"}}" - }, - "title": "Number of Events Over Time By Channel [Windows Overview]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"timeRange\":{\"from\":\"now-15d\",\"mode\":\"relative\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Channel\",\"field\":\"winlog.channel\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":6},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"dimensions\":{\"series\":[{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"x\":{\"accessor\":0,\"aggType\":\"date_histogram\",\"format\":{\"id\":\"date\",\"
params\":{\"pattern\":\"YYYY-MM-DD HH:mm\"}},\"params\":{\"bounds\":{\"max\":\"2019-02-05T04:30:25.961Z\",\"min\":\"2019-01-21T04:30:25.961Z\"},\"date\":true,\"format\":\"YYYY-MM-DD HH:mm\",\"interval\":43200000}},\"y\":[{\"accessor\":2,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"Number of Events Over Time By Channel [Windows Overview]\",\"type\":\"histogram\"}" - }, - "id": "windows-Number-of-Events-Over-Time-By-Event-Log", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-Number-of-Events.json b/packages/system/0.10.5/kibana/visualization/system-Number-of-Events.json deleted file mode 100644 index ec58494bab..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-Number-of-Events.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system)\"}}" - }, - "title": "Number of Events [Windows Overview]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"fontSize\":60},\"type\":\"metric\"}" - }, - "id": "windows-Number-of-Events", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-Sources.json b/packages/system/0.10.5/kibana/visualization/system-Sources.json deleted file mode 100644 index d0b0997dc1..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-Sources.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system)\"}}" - }, - "title": "Sources (Provider Names) [Windows Overview]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"winlog.provider_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":7},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"shareYAxis\":true,\"type\":\"pie\"},\"title\":\"Sources (Provider Names) [Windows Overview]\",\"type\":\"pie\"}" - }, - "id": "windows-Sources", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-Syslog-events-by-hostname.json b/packages/system/0.10.5/kibana/visualization/system-Syslog-events-by-hostname.json deleted file mode 100644 index 97fdb33425..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-Syslog-events-by-hostname.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Syslog events by hostname [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"host.hostname\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"Syslog events by hostname\",\"type\":\"histogram\"}" - }, - "id": "system-Syslog-events-by-hostname", - "references": [ - { - "id": "system-Syslog-system-logs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-Syslog-hostnames-and-processes.json b/packages/system/0.10.5/kibana/visualization/system-Syslog-hostnames-and-processes.json deleted file mode 100644 index 3fe992e28b..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-Syslog-hostnames-and-processes.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Syslog hostnames and processes [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"host.hostname\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"process.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"legendPosition\":\"bottom\",\"shareYAxis\":true},\"title\":\"Syslog hostnames and processes\",\"type\":\"pie\"}" - }, - "id": "system-Syslog-hostnames-and-processes", - "references": [ - { - "id": "system-Syslog-system-logs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-Top-Event-IDs.json b/packages/system/0.10.5/kibana/visualization/system-Top-Event-IDs.json deleted file mode 100644 index 4896468949..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-Top-Event-IDs.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system)\"}}" - }, - "title": "Top Event IDs [Windows Overview]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event IDs\",\"field\":\"winlog.event_id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Event IDs [Windows Overview]\",\"type\":\"table\"}" - }, - "id": "windows-Top-Event-IDs", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at 
end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-a13bf640-fee8-11e9-8405-516218e3d268.json b/packages/system/0.10.5/kibana/visualization/system-a13bf640-fee8-11e9-8405-516218e3d268.json deleted file mode 100644 index 7e96d25870..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-a13bf640-fee8-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4732\",\"4728\",\"4756\",\"4751\",\"4761\",\"4746\",\"4785\",\"4787\"],\"type\":\"phrases\",\"value\":\"4732, 4728, 4756, 4751, 4761, 4746, 4785, 4787\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4732\"}},{\"match_phrase\":{\"event.code\":\"4728\"}},{\"match_phrase\":{\"event.code\":\"4756\"}},{\"match_phrase\":{\"event.code\":\"4751\"}},{\"match_phrase\":{\"event.code\":\"4761\"}},{\"match_phrase\":{\"event.code\":\"4746\"}},{\"match_phrase\":{\"event.code\":\"4785\"}},{\"match_phrase\":{\"event.code\":\"4787\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Added - Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Users Added to Groups\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Reds\",\"colorsRange\":[{\"from\":0,\"to\":1,\"type\":\"range\"},{\"from\":1,\"to\":5},{\"from\":5,\"to\":10},{\"from\":10,\"to\":15},{\"from\":15,\"to\":20},{\"from\":20,\"to\":9999}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"Labels\",\"percentageMode\":false,\"style\":{\"bgColor\":true,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Added - 
Simple Metric [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-a13bf640-fee8-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-a3c3f350-9b6d-11ea-87e4-49f31ec44891.json b/packages/system/0.10.5/kibana/visualization/system-a3c3f350-9b6d-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 9d3bf16ab1..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-a3c3f350-9b6d-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Dashboard links [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"[Windows Overview](#/dashboard/Windows-Dashboard) | [User Logon Information](#/dashboard/windows-bae11b00-9bfc-11ea-87e4-49f31ec44891) | [Logon Failed and Account Lockout](#/dashboard/windows-d401ef40-a7d5-11e9-a422-d144027429da) | [User Management Events](#/dashboard/windows-71f720f0-ff18-11e9-8405-516218e3d268) | [Group Management Events](#/dashboard/windows-bb858830-f412-11e9-8405-516218e3d268)\",\"openLinksInNewTab\":false},\"title\":\"Dashboard links [Windows Security]\",\"type\":\"markdown\"}" - }, - "id": "windows-a3c3f350-9b6d-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-a5f664c0-f49a-11e9-8405-516218e3d268.json b/packages/system/0.10.5/kibana/visualization/system-a5f664c0-f49a-11e9-8405-516218e3d268.json deleted file mode 100644 index 4b46c3ba04..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-a5f664c0-f49a-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Removed - TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"bfcaced0-f419-11e9-928e-8f5fd2b6c66e\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(228,155,75,1)\",\"id\":\"11604700-9b51-11ea-99a1-e5b989979a59\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code:4733 OR event.code:4729 OR event.code:4788 OR event.code:4786 OR event.code:4752 OR event.code:4762 OR event.code:4747\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Removed from Group\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Removed - TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-a5f664c0-f49a-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.5/kibana/visualization/system-a79395f0-6aba-11ea-896f-0d70f7ec3956.json b/packages/system/0.10.5/kibana/visualization/system-a79395f0-6aba-11ea-896f-0d70f7ec3956.json deleted file mode 100644 index d044a29c62..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-a79395f0-6aba-11ea-896f-0d70f7ec3956.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Blocked Accounts TSVB [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"color\":\"rgba(51,51,51,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(102,102,102,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4740\\\"\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Blocked Accounts\",\"line_width\":1,\"metrics\":[{\"field\":\"user.name\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"cardinality\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Blocked Accounts TSVB [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-a79395f0-6aba-11ea-896f-0d70f7ec3956", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.5/kibana/visualization/system-a909b930-685f-11ea-896f-0d70f7ec3956.json b/packages/system/0.10.5/kibana/visualization/system-a909b930-685f-11ea-896f-0d70f7ec3956.json deleted file mode 100644 index e4c612104a..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-a909b930-685f-11ea-896f-0d70f7ec3956.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Logon Events Timeline [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4672\\\" or event.code: \\\"4624\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(226,115,0,1)\",\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4672\\\"\"},\"id\":\"7560ee50-685f-11ea-8d46-c19e41702dd4\",\"label\":\"Admin logons\"},{\"color\":\"rgba(164,221,243,1)\",\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4624\\\"\"},\"id\":\"80e7fb10-685f-11ea-8d46-c19e41702dd4\",\"label\":\"Logon Events\"}],\"split_mode\":\"filters\",\"stacked\":\"none\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"Logon Events Timeline [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-a909b930-685f-11ea-896f-0d70f7ec3956", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.5/kibana/visualization/system-aa31c9d0-9b75-11ea-87e4-49f31ec44891.json b/packages/system/0.10.5/kibana/visualization/system-aa31c9d0-9b75-11ea-87e4-49f31ec44891.json deleted file mode 100644 index cba7e9d873..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-aa31c9d0-9b75-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "User Management Events - Affected Users vs Actions - Heatmap [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Target User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Blues\",\"colorsNumber\":4,\"colorsRange\":[],\"enableHover\":false,\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"type\":\"heatmap\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"black\",\"overwriteColor\":false,\"rotate\":0,\"show\":true},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"User Management Events - Affected Users vs Actions - Heatmap [Windows Security]\",\"type\":\"heatmap\"}" - }, - "id": "windows-aa31c9d0-9b75-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - 
"type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-ab2d1e90-1b1a-11e7-b09e-037021c4f8df.json b/packages/system/0.10.5/kibana/visualization/system-ab2d1e90-1b1a-11e7-b09e-037021c4f8df.json deleted file mode 100644 index 2dd21f0794..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-ab2d1e90-1b1a-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "CPU Usage [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.cpu\\\"\"},\"id\":\"80a04950-1b19-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"80a04951-1b19-11e7-b09e-037021c4f8df\",\"label\":\"user\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.user.pct\",\"id\":\"80a04952-1b19-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(211,49,21,1)\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"993acf30-1b19-11e7-b09e-037021c4f8df\",\"label\":\"system\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.system.pct\",\"id\":\"993acf31-1b19-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(123,100,255,1)\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"65ca35e0-1b1a-11e7-b09e-037021c4f8df\",\"label\":\"nice\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.nice.pct\",\"id\":\"65ca5cf0-1b1a-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(226,
115,0,1)\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"741b5f20-1b1a-11e7-b09e-037021c4f8df\",\"label\":\"irq\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.irq.pct\",\"id\":\"741b5f21-1b1a-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(176,188,0,1)\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"2efc5d40-1b1a-11e7-b09e-037021c4f8df\",\"label\":\"softirq\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.softirq.pct\",\"id\":\"2efc5d41-1b1a-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(15,20,25,1)\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"ae644a30-1b19-11e7-b09e-037021c4f8df\",\"label\":\"iowait\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.iowait.pct\",\"id\":\"ae644a31-1b19-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"CPU Usage [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-ab2d1e90-1b1a-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-ab6f8d80-bce8-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.5/kibana/visualization/system-ab6f8d80-bce8-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 1524776c84..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-ab6f8d80-bce8-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4767\"],\"type\":\"phrases\",\"value\":\"4767\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4767\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Unlocked Users - Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Users Unlocks\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Unlocked Users - Simple Metric [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-ab6f8d80-bce8-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.5/kibana/visualization/system-abd44840-9c0f-11ea-87e4-49f31ec44891.json b/packages/system/0.10.5/kibana/visualization/system-abd44840-9c0f-11ea-87e4-49f31ec44891.json deleted file mode 100644 index b80521880d..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-abd44840-9c0f-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4624\",\"4672\"],\"type\":\"phrases\",\"value\":\"4624, 4672\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4624\"}},{\"match_phrase\":{\"event.code\":\"4672\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Logon Events in Time - Simple [Windows Security]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Admin Logons\":\"#E24D42\",\"Logon Events\":\"#447EBC\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"2020-05-20T07:35:27.496Z\",\"to\":\"2020-05-22T00:01:10.239Z\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"filters\":[{\"input\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4624\\\" \"},\"label\":\"Logon Events\"},{\"input\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4672\\\" \"},\"label\":\"Admin 
Logons\"}]},\"schema\":\"group\",\"type\":\"filters\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Logon Events in Time - Simple [Windows Security]\",\"type\":\"line\"}" - }, - "id": "windows-abd44840-9c0f-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-abf96c10-bcea-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.5/kibana/visualization/system-abf96c10-bcea-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 10df083da9..0000000000 
--- a/packages/system/0.10.5/kibana/visualization/system-abf96c10-bcea-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4738\"},\"type\":\"phrase\",\"value\":\"4738\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4738\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Changes Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Changed User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Changes Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-abf96c10-bcea-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-b5f38780-fee6-11e9-8405-516218e3d268.json b/packages/system/0.10.5/kibana/visualization/system-b5f38780-fee6-11e9-8405-516218e3d268.json deleted file mode 100644 index 01f9b4f63c..0000000000 
--- a/packages/system/0.10.5/kibana/visualization/system-b5f38780-fee6-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4735\",\"4737\",\"4755\",\"4750\",\"4760\",\"4745\",\"4791\",\"4784\",\"4764\"],\"type\":\"phrases\",\"value\":\"4735, 4737, 4755, 4750, 4760, 4745, 4791, 4784, 4764\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4735\"}},{\"match_phrase\":{\"event.code\":\"4737\"}},{\"match_phrase\":{\"event.code\":\"4755\"}},{\"match_phrase\":{\"event.code\":\"4750\"}},{\"match_phrase\":{\"event.code\":\"4760\"}},{\"match_phrase\":{\"event.code\":\"4745\"}},{\"match_phrase\":{\"event.code\":\"4791\"}},{\"match_phrase\":{\"event.code\":\"4784\"}},{\"match_phrase\":{\"event.code\":\"4764\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Groups Changes - Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Groups Changed\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Yellow to 
Red\",\"colorsRange\":[{\"from\":0,\"to\":1,\"type\":\"range\"},{\"from\":1,\"to\":5},{\"from\":5,\"to\":10},{\"from\":10,\"to\":15},{\"from\":15,\"to\":20},{\"from\":20,\"to\":100000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"Labels\",\"percentageMode\":false,\"style\":{\"bgColor\":true,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Groups Changes - Simple Metric [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-b5f38780-fee6-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-b89b0c90-9b41-11ea-87e4-49f31ec44891.json b/packages/system/0.10.5/kibana/visualization/system-b89b0c90-9b41-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 69a39e96ac..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-b89b0c90-9b41-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Group Management Events - Event Actions [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Group Management Events - Event Actions [Windows Security]\",\"type\":\"pie\"}" - }, - "id": "windows-b89b0c90-9b41-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-bb9cf7a0-f49d-11e9-8405-516218e3d268.json b/packages/system/0.10.5/kibana/visualization/system-bb9cf7a0-f49d-11e9-8405-516218e3d268.json deleted file mode 100644 index a41d9a8945..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-bb9cf7a0-f49d-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4734\",\"4730\",\"4758\",\"4748\",\"4763\",\"4753\",\"4792\",\"4789\"],\"type\":\"phrases\",\"value\":\"4734, 4730, 4758, 4748, 4763, 4753, 4792, 4789\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4734\"}},{\"match_phrase\":{\"event.code\":\"4730\"}},{\"match_phrase\":{\"event.code\":\"4758\"}},{\"match_phrase\":{\"event.code\":\"4748\"}},{\"match_phrase\":{\"event.code\":\"4763\"}},{\"match_phrase\":{\"event.code\":\"4753\"}},{\"match_phrase\":{\"event.code\":\"4792\"}},{\"match_phrase\":{\"event.code\":\"4789\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Groups Deleted - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Group\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"group.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Performer 
LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":4,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":5,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Groups Deleted - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-bb9cf7a0-f49d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.5/kibana/visualization/system-bc165210-f4b8-11e9-8405-516218e3d268.json b/packages/system/0.10.5/kibana/visualization/system-bc165210-f4b8-11e9-8405-516218e3d268.json deleted file mode 100644 index 1d06fa3d06..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-bc165210-f4b8-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4799\"],\"type\":\"phrases\",\"value\":\"4799\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4799\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Group Enumeration - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Group\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"group.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Creator\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Creator 
LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":4,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":5,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Group Enumeration - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-bc165210-f4b8-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.5/kibana/visualization/system-bf45dc50-ff1a-11e9-8405-516218e3d268.json b/packages/system/0.10.5/kibana/visualization/system-bf45dc50-ff1a-11e9-8405-516218e3d268.json deleted file mode 100644 index fcd8124618..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-bf45dc50-ff1a-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Enabled - TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(203,142,136,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4722\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Enabled\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Enabled - TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-bf45dc50-ff1a-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.5/kibana/visualization/system-bfa5e400-1b16-11e7-b09e-037021c4f8df.json b/packages/system/0.10.5/kibana/visualization/system-bfa5e400-1b16-11e7-b09e-037021c4f8df.json deleted file mode 100644 index 50aa47d6d7..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-bfa5e400-1b16-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Memory Usage [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.memory\\\"\"},\"id\":\"32f46f40-1b16-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(211,49,21,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"4ff61fd0-1b16-11e7-b09e-037021c4f8df\",\"label\":\"Used\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.actual.used.bytes\",\"id\":\"4ff61fd1-1b16-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"753a6080-1b16-11e7-b09e-037021c4f8df\",\"label\":\"Cache\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.actual.used.bytes\",\"id\":\"753a6081-1b16-11e7-b09e-037021c4f8df\",\"type\":\"avg\"},{\"field\":\"system.memory.used.bytes\",\"id\":\"7c9d3f00-1b16-11e7-b09e-037021c4f8df\",\"type\":\"avg\"},{\"id\":\"869cc160-1b16-11e7-b09e-037021c4f8df\",\"script\":\"params.actual != null \\u0026\\u0026 params.used != null ? 
params.used - params.actual : null\",\"type\":\"calculation\",\"variables\":[{\"field\":\"753a6081-1b16-11e7-b09e-037021c4f8df\",\"id\":\"890f9620-1b16-11e7-b09e-037021c4f8df\",\"name\":\"actual\"},{\"field\":\"7c9d3f00-1b16-11e7-b09e-037021c4f8df\",\"id\":\"8f3ab7f0-1b16-11e7-b09e-037021c4f8df\",\"name\":\"used\"}]}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"32f46f41-1b16-11e7-b09e-037021c4f8df\",\"label\":\"Free\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.free\",\"id\":\"32f46f42-1b16-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"Memory Usage [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-bfa5e400-1b16-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-c2ea73f0-a4bd-11e9-a422-d144027429da.json b/packages/system/0.10.5/kibana/visualization/system-c2ea73f0-a4bd-11e9-a422-d144027429da.json deleted file mode 100644 index 0693d6a8fc..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-c2ea73f0-a4bd-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Failed Logon and Account Lockout [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":10,\"markdown\":\"### **Failed Logons and Account Lockouts**\",\"openLinksInNewTab\":false},\"title\":\"Failed Logon and Account Lockout [Windows Security]\",\"type\":\"markdown\"}" - }, - "id": "windows-c2ea73f0-a4bd-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-c359b020-bcdd-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.5/kibana/visualization/system-c359b020-bcdd-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index c63ede5997..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-c359b020-bcdd-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4726\"},\"type\":\"phrase\",\"value\":\"4726\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4726\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Deleted - Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Deleted Users\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Deleted - Simple Metric [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-c359b020-bcdd-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.5/kibana/visualization/system-c5e3cf90-4d60-11e7-9a4c-ed99bbcaa42b.json b/packages/system/0.10.5/kibana/visualization/system-c5e3cf90-4d60-11e7-9a4c-ed99bbcaa42b.json deleted file mode 100644 index bbdd02df29..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-c5e3cf90-4d60-11e7-9a4c-ed99bbcaa42b.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Interfaces by Outgoing traffic [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"id\":\"9db20be0-4d60-11e7-9a4c-ed99bbcaa42b\"}],\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.network\\\"\"},\"id\":\"9cdba910-4d60-11e7-9a4c-ed99bbcaa42b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"9cdba911-4d60-11e7-9a4c-ed99bbcaa42b\",\"label\":\"Interfaces by Outgoing traffic\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.out.bytes\",\"id\":\"9cdba912-4d60-11e7-9a4c-ed99bbcaa42b\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"terms_order_by\":\"9cdba912-4d60-11e7-9a4c-ed99bbcaa42b\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Interfaces by Outgoing traffic [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-c5e3cf90-4d60-11e7-9a4c-ed99bbcaa42b", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.5/kibana/visualization/system-c6f2ffd0-4d17-11e7-a196-69b9a7a020a9.json b/packages/system/0.10.5/kibana/visualization/system-c6f2ffd0-4d17-11e7-a196-69b9a7a020a9.json deleted file mode 100644 index a781526538..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-c6f2ffd0-4d17-11e7-a196-69b9a7a020a9.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Number of hosts [Metrics System]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Number of hosts\",\"field\":\"host.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":false},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"63\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"type\":\"gauge\"},\"title\":\"Number of hosts [Metrics System]\",\"type\":\"metric\"}" - }, - "id": "system-c6f2ffd0-4d17-11e7-a196-69b9a7a020a9", - "references": [ - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.5/kibana/visualization/system-c9d959f0-ff1d-11e9-8405-516218e3d268.json b/packages/system/0.10.5/kibana/visualization/system-c9d959f0-ff1d-11e9-8405-516218e3d268.json deleted file mode 100644 index e99dc25f2d..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-c9d959f0-ff1d-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Changes TS VB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(221,186,64,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4738\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Changes\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Changes TS VB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-c9d959f0-ff1d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.5/kibana/visualization/system-caf4d2b0-9b76-11ea-87e4-49f31ec44891.json b/packages/system/0.10.5/kibana/visualization/system-caf4d2b0-9b76-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 929d24092b..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-caf4d2b0-9b76-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Event Distribution in time [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-7d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"norma
l\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Event Distribution in time [Windows Security]\",\"type\":\"histogram\"}" - }, - "id": "windows-caf4d2b0-9b76-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-ce867840-f49e-11e9-8405-516218e3d268.json b/packages/system/0.10.5/kibana/visualization/system-ce867840-f49e-11e9-8405-516218e3d268.json deleted file mode 100644 index e6a5114cd8..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-ce867840-f49e-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4732\",\"4728\",\"4756\",\"4751\",\"4761\",\"4746\",\"4785\",\"4787\"],\"type\":\"phrases\",\"value\":\"4732, 4728, 4756, 4751, 4761, 4746, 4785, 4787\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4732\"}},{\"match_phrase\":{\"event.code\":\"4728\"}},{\"match_phrase\":{\"event.code\":\"4756\"}},{\"match_phrase\":{\"event.code\":\"4751\"}},{\"match_phrase\":{\"event.code\":\"4761\"}},{\"match_phrase\":{\"event.code\":\"4746\"}},{\"match_phrase\":{\"event.code\":\"4785\"}},{\"match_phrase\":{\"event.code\":\"4787\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Added - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"User\",\"field\":\"winlog.event_data.MemberName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Group\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"group.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Performed by Logon 
ID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":4,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":5,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":5,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Added - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-ce867840-f49e-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline 
at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-d16bb400-f9cc-11e6-8115-a7c18106d86a.json b/packages/system/0.10.5/kibana/visualization/system-d16bb400-f9cc-11e6-8115-a7c18106d86a.json deleted file mode 100644 index 7d3a140c7b..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-d16bb400-f9cc-11e6-8115-a7c18106d86a.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.ssh.event:Accepted\"}}" - }, - "title": "Successful SSH logins [Logs System]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Accepted\":\"#3F6833\",\"Failed\":\"#F9934E\",\"Invalid\":\"#447EBC\",\"password\":\"#BF1B00\",\"publickey\":\"#629E51\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"system.auth.ssh.method\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"Successful SSH logins\",\"type\":\"histogram\"}" - }, - "id": "system-d16bb400-f9cc-11e6-8115-a7c18106d86a", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.5/kibana/visualization/system-d2e80340-4d5c-11e7-aa29-87a97a796de6.json b/packages/system/0.10.5/kibana/visualization/system-d2e80340-4d5c-11e7-aa29-87a97a796de6.json deleted file mode 100644 index 409529a0d5..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-d2e80340-4d5c-11e7-aa29-87a97a796de6.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Memory usage vs total [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"6f7618b0-4d5c-11e7-aa29-87a97a796de6\"}],\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.memory\\\"\"},\"id\":\"6bc65720-4d5c-11e7-aa29-87a97a796de6\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"6bc65721-4d5c-11e7-aa29-87a97a796de6\",\"label\":\"Memory usage\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.actual.used.bytes\",\"id\":\"6bc65722-4d5c-11e7-aa29-87a97a796de6\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"b8fe6820-4d5c-11e7-aa29-87a97a796de6\",\"label\":\"Total Memory\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.total\",\"id\":\"b8fe6821-4d5c-11e7-aa29-87a97a796de6\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"metric\"},\"title\":\"Memory usage vs total\",\"type\":\"metrics\"}" - }, - "id": "system-d2e80340-4d5c-11e7-aa29-87a97a796de6", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.5/kibana/visualization/system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b.json b/packages/system/0.10.5/kibana/visualization/system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b.json deleted file mode 100644 index bc6234f906..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Memory Usage Gauge [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.memory\\\"\"},\"gauge_color_rules\":[{\"gauge\":\"rgba(104,188,0,1)\",\"id\":\"a0d522e0-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0},{\"gauge\":\"rgba(254,146,0,1)\",\"id\":\"b45ad8f0-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0.7},{\"gauge\":\"rgba(211,49,21,1)\",\"id\":\"c06e9550-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0.85}],\"gauge_inner_width\":10,\"gauge_max\":\"1\",\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"9f51b730-1b91-11e7-bec4-a5e9ec5cab8b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"9f51b731-1b91-11e7-bec4-a5e9ec5cab8b\",\"label\":\"Memory Usage\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.actual.used.pct\",\"id\":\"9f51b732-1b91-11e7-bec4-a5e9ec5cab8b\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\"},\"title\":\"Memory Usage Gauge [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.5/kibana/visualization/system-d3a5fec0-ff18-11e9-8405-516218e3d268.json b/packages/system/0.10.5/kibana/visualization/system-d3a5fec0-ff18-11e9-8405-516218e3d268.json deleted file mode 100644 index cfc0f94fdb..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-d3a5fec0-ff18-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Created - TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(181,99,93,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4720\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Created\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Created - TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-d3a5fec0-ff18-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.5/kibana/visualization/system-d56ee420-fa79-11e6-a1df-a78bd7504d38.json b/packages/system/0.10.5/kibana/visualization/system-d56ee420-fa79-11e6-a1df-a78bd7504d38.json deleted file mode 100644 index 4a1a669662..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-d56ee420-fa79-11e6-a1df-a78bd7504d38.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New users by home directory [Logs System]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"/bin/bash\":\"#E24D42\",\"/bin/false\":\"#508642\",\"/nonexistent\":\"#629E51\",\"/sbin/nologin\":\"#7EB26D\"},\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"system.auth.useradd.home\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":false,\"legendPosition\":\"right\"},\"title\":\"New users by home directory\",\"type\":\"pie\"}" - }, - "id": "system-d56ee420-fa79-11e6-a1df-a78bd7504d38", - "references": [ - { - "id": "system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-d770b040-9b35-11ea-87e4-49f31ec44891.json b/packages/system/0.10.5/kibana/visualization/system-d770b040-9b35-11ea-87e4-49f31ec44891.json deleted file mode 100644 index f305904a39..0000000000 
--- a/packages/system/0.10.5/kibana/visualization/system-d770b040-9b35-11ea-87e4-49f31ec44891.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system)\"}}" - }, - "title": "Dashboard links - Simple [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"[Windows General Dashboard](#/dashboard/Windows-Dashboard) | [User Logon Information](#/dashboard/windows-035846a0-a249-11e9-a422-d144027429da?) | [Logon failed and Account Lockout](#/dashboard/windows-f49f3170-9ffc-11ea-87e4-49f31ec44891) | [User Management Events](#/dashboard/windows-8223bed0-b9e9-11e9-b6a2-c9b4015c4baf) | [Group Management Events](#/dashboard/windows-01c54730-fee6-11e9-8405-516218e3d268)\",\"openLinksInNewTab\":false},\"title\":\"Dashboard links - Simple [Windows Security]\",\"type\":\"markdown\"}" - }, - "id": "windows-d770b040-9b35-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-da2110c0-bcea-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.5/kibana/visualization/system-da2110c0-bcea-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 353d90c6e3..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-da2110c0-bcea-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4767\"},\"type\":\"phrase\",\"value\":\"4767\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4767\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Unlocked Users - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Unlocked User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
Logonid\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Unlocked Users - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-da2110c0-bcea-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.5/kibana/visualization/system-da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index ff1ee322e1..0000000000 
--- a/packages/system/0.10.5/kibana/visualization/system-da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4723\",\"4724\"],\"type\":\"phrases\",\"value\":\"4723, 4724\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4723\"}},{\"match_phrase\":{\"event.code\":\"4724\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Password Changes - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Password Change to\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Password Changes - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-dc589770-fa2b-11e6-bbd3-29c986c96e5a.json b/packages/system/0.10.5/kibana/visualization/system-dc589770-fa2b-11e6-bbd3-29c986c96e5a.json deleted file mode 100644 index 16dd4ec2e5..0000000000 
--- a/packages/system/0.10.5/kibana/visualization/system-dc589770-fa2b-11e6-bbd3-29c986c96e5a.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top sudo commands [Logs System]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"system.auth.sudo.command\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.auth\\\"\"},\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top sudo commands\",\"type\":\"table\"}" - }, - "id": "system-dc589770-fa2b-11e6-bbd3-29c986c96e5a", - "references": [ - { - "id": "system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-e0f001c0-1b18-11e7-b09e-037021c4f8df.json b/packages/system/0.10.5/kibana/visualization/system-e0f001c0-1b18-11e7-b09e-037021c4f8df.json deleted file mode 100644 index 0de4eae928..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-e0f001c0-1b18-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Top Processes By CPU [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"bar_color\":\"rgba(104,188,0,1)\",\"id\":\"60e11be0-1b18-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0}],\"drilldown_url\":\"\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.process\\\"\"},\"id\":\"5f5b8d50-1b18-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"5f5b8d51-1b18-11e7-b09e-037021c4f8df\",\"line_width\":1,\"metrics\":[{\"field\":\"system.process.cpu.total.pct\",\"id\":\"5f5b8d52-1b18-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"process.name\",\"terms_order_by\":\"5f5b8d52-1b18-11e7-b09e-037021c4f8df\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Top Processes By CPU [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-e0f001c0-1b18-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-e121b140-fa78-11e6-a1df-a78bd7504d38.json b/packages/system/0.10.5/kibana/visualization/system-e121b140-fa78-11e6-a1df-a78bd7504d38.json deleted file mode 100644 index 8bc2dd67ee..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-e121b140-fa78-11e6-a1df-a78bd7504d38.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New users by shell [Logs System]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"/bin/bash\":\"#E24D42\",\"/bin/false\":\"#508642\",\"/sbin/nologin\":\"#7EB26D\"},\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"system.auth.useradd.shell\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.auth\\\"\"},\"isDonut\":false,\"legendPosition\":\"right\"},\"title\":\"New users by shell\",\"type\":\"pie\"}" - }, - "id": "system-e121b140-fa78-11e6-a1df-a78bd7504d38", - "references": [ - { - "id": "system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-e20c02d0-9b48-11ea-87e4-49f31ec44891.json b/packages/system/0.10.5/kibana/visualization/system-e20c02d0-9b48-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 1c91323555..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-e20c02d0-9b48-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Group Management Events - Groups vs Actions - Heatmap [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Target Groups\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Actions\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Blues\",\"colorsNumber\":4,\"colorsRange\":[],\"enableHover\":false,\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"type\":\"heatmap\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"black\",\"overwriteColor\":false,\"rotate\":0,\"show\":true},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Group Management Events - Groups vs Actions - Heatmap [Windows Security]\",\"type\":\"heatmap\"}" - }, - "id": "windows-e20c02d0-9b48-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": 
"visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-e22c6f40-f498-11e9-8405-516218e3d268.json b/packages/system/0.10.5/kibana/visualization/system-e22c6f40-f498-11e9-8405-516218e3d268.json deleted file mode 100644 index 3a7002cb8f..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-e22c6f40-f498-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Groups Deleted TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(200,201,197,1)\",\"id\":\"bfcaced0-f419-11e9-928e-8f5fd2b6c66e\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(228,155,75,1)\",\"id\":\"a7d935e0-f497-11e9-928e-8f5fd2b6c66e\",\"operator\":\"gt\",\"value\":0}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code:4734 OR event.code:4730 OR event.code:4758 OR event.code:4753 OR event.code:4763 OR event.code:4748 OR event.code:4789 OR event.code:4792\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Groups Deleted\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Groups Deleted TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-e22c6f40-f498-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.5/kibana/visualization/system-e2516c10-a249-11e9-a422-d144027429da.json b/packages/system/0.10.5/kibana/visualization/system-e2516c10-a249-11e9-a422-d144027429da.json deleted file mode 100644 index 1ab8694c7d..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-e2516c10-a249-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4672\"},\"type\":\"phrase\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4672\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Administrator Users [Windows Security]", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"winlog.logon.id\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"label\":\"user.name: Descending\",\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"cardinality\",\"format\":{\"id\":\"number\"},\"label\":\"Unique count of winlog.logon.id\",\"params\":{}}},\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"bottom\",\"type\":\"pie\"},\"title\":\"Administrator Users [Windows Security]\",\"type\":\"pie\"}" - }, - "id": 
"windows-e2516c10-a249-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.5/kibana/visualization/system-ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 3f849c9c25..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4726\"},\"type\":\"phrase\",\"value\":\"4726\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4726\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Deleted - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Deleted User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performed 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Deleted - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-ee292bc0-f499-11e9-8405-516218e3d268.json b/packages/system/0.10.5/kibana/visualization/system-ee292bc0-f499-11e9-8405-516218e3d268.json deleted file mode 100644 index 73b82c4743..0000000000 
--- a/packages/system/0.10.5/kibana/visualization/system-ee292bc0-f499-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Groups Created TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(200,201,197,1)\",\"id\":\"bfcaced0-f419-11e9-928e-8f5fd2b6c66e\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(181,99,93,1)\",\"id\":\"a7d935e0-f497-11e9-928e-8f5fd2b6c66e\",\"operator\":\"gt\",\"value\":0}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code:4731 OR event.code:4727 OR event.code:\\\"4754\\\" OR event.code:\\\"4749\\\" OR event.code:\\\"4759\\\" OR event.code:\\\"4744\\\" OR event.code:\\\"4783\\\" OR event.code:\\\"4790\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Groups Created\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Groups Created TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-ee292bc0-f499-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.5/kibana/visualization/system-f398d2f0-fa77-11e6-ae9b-81e5311e8cab.json b/packages/system/0.10.5/kibana/visualization/system-f398d2f0-fa77-11e6-ae9b-81e5311e8cab.json deleted file mode 100644 index 485b755000..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-f398d2f0-fa77-11e6-ae9b-81e5311e8cab.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New users [Logs System]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Host\",\"field\":\"host.hostname\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"User\",\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"UID\",\"field\":\"user.id\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"GID\",\"field\":\"group.id\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Home\",\"field\":\"system.auth.useradd.home\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"Shell\",\"field\":\"system.auth.useradd.shell\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.auth\\\"\"},\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"New users\",\"type\":\"table\"}" - }, - "id": "system-f398d2f0-fa77-11e6-ae9b-81e5311e8cab", - "references": [ - { - "id": 
"system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-f42f3b20-fee6-11e9-8405-516218e3d268.json b/packages/system/0.10.5/kibana/visualization/system-f42f3b20-fee6-11e9-8405-516218e3d268.json deleted file mode 100644 index 30d1efae49..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-f42f3b20-fee6-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4731\",\"4727\",\"4754\",\"4744\",\"4759\",\"4779\",\"4790\",\"4783\"],\"type\":\"phrases\",\"value\":\"4731, 4727, 4754, 4744, 4759, 4779, 4790, 4783\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4731\"}},{\"match_phrase\":{\"event.code\":\"4727\"}},{\"match_phrase\":{\"event.code\":\"4754\"}},{\"match_phrase\":{\"event.code\":\"4744\"}},{\"match_phrase\":{\"event.code\":\"4759\"}},{\"match_phrase\":{\"event.code\":\"4779\"}},{\"match_phrase\":{\"event.code\":\"4790\"}},{\"match_phrase\":{\"event.code\":\"4783\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Groups Created - Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Groups Created\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Reds\",\"colorsRange\":[{\"from\":0,\"to\":1,\"type\":\"range\"},{\"from\":1,\"to\":10},{\"from\":10,\"to\":20},{\"from\":20,\"to\":9999}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"Labels\",\"percentageMode\":false,\"style\":{\"bgColor\":true,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Groups Created - Simple Metric [Windows 
Security]\",\"type\":\"metric\"}" - }, - "id": "windows-f42f3b20-fee6-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-fa876300-231a-11ea-8405-516218e3d268.json b/packages/system/0.10.5/kibana/visualization/system-fa876300-231a-11ea-8405-516218e3d268.json deleted file mode 100644 index ad21d0ef81..0000000000 --- a/packages/system/0.10.5/kibana/visualization/system-fa876300-231a-11ea-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4781\"},\"type\":\"phrase\",\"value\":\"4781\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4781\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Renamed - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Old User Name\",\"field\":\"winlog.event_data.OldTargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Renamed - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-fa876300-231a-11ea-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.5/kibana/visualization/system-fe064790-1b1f-11e7-bec4-a5e9ec5cab8b.json b/packages/system/0.10.5/kibana/visualization/system-fe064790-1b1f-11e7-bec4-a5e9ec5cab8b.json deleted file mode 100644 index 86576781aa..0000000000 
--- a/packages/system/0.10.5/kibana/visualization/system-fe064790-1b1f-11e7-bec4-a5e9ec5cab8b.json
+++ /dev/null
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Top Hosts By Memory (Realtime) [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"bar_color\":\"rgba(104,188,0,1)\",\"id\":\"33349dd0-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0},{\"bar_color\":\"rgba(254,146,0,1)\",\"id\":\"997dc440-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.6},{\"bar_color\":\"rgba(211,49,21,1)\",\"id\":\"a10d7f20-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.85}],\"drilldown_url\":\"../app/kibana#/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8?_a=(query:(language:kuery,query:'host.name:\\\"{{key}}\\\"'))\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.memory\\\"\"},\"id\":\"31e5afa0-1b1c-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"31e5afa1-1b1c-11e7-b09e-037021c4f8df\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.actual.used.pct\",\"id\":\"31e5afa2-1b1c-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"host.name\",\"terms_order_by\":\"31e5afa2-1b1c-11e7-b09e-037021c4f8df\",\"terms_size\":\"10\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Top Hosts By Memory (Realtime) [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-fe064790-1b1f-11e7-bec4-a5e9ec5cab8b", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.5/kibana/visualization/system-fee83900-f49f-11e9-8405-516218e3d268.json b/packages/system/0.10.5/kibana/visualization/system-fee83900-f49f-11e9-8405-516218e3d268.json
deleted file mode 100644
index 2de9d27e4d..0000000000
--- a/packages/system/0.10.5/kibana/visualization/system-fee83900-f49f-11e9-8405-516218e3d268.json
+++ /dev/null
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4733\",\"4729\",\"4757\",\"4786\",\"4788\",\"4752\",\"4762\",\"4747\"],\"type\":\"phrases\",\"value\":\"4733, 4729, 4757, 4786, 4788, 4752, 4762, 4747\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4733\"}},{\"match_phrase\":{\"event.code\":\"4729\"}},{\"match_phrase\":{\"event.code\":\"4757\"}},{\"match_phrase\":{\"event.code\":\"4786\"}},{\"match_phrase\":{\"event.code\":\"4788\"}},{\"match_phrase\":{\"event.code\":\"4752\"}},{\"match_phrase\":{\"event.code\":\"4762\"}},{\"match_phrase\":{\"event.code\":\"4747\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Removed from Group - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"User\",\"field\":\"winlog.event_data.MemberName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Group\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"group.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Performed by Logon 
ID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":4,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":5,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":5,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Removed from Group - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-fee83900-f49f-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ 
No newline at end of file
diff --git a/packages/system/0.10.5/kibana/visualization/system-ffebe440-f419-11e9-8405-516218e3d268.json b/packages/system/0.10.5/kibana/visualization/system-ffebe440-f419-11e9-8405-516218e3d268.json
deleted file mode 100644
index bc21df1e0a..0000000000
--- a/packages/system/0.10.5/kibana/visualization/system-ffebe440-f419-11e9-8405-516218e3d268.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Added - Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"bfcaced0-f419-11e9-928e-8f5fd2b6c66e\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(181,99,93,1)\",\"id\":\"a7d935e0-f497-11e9-928e-8f5fd2b6c66e\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code:4732 OR event.code:4728 OR event.code:4756 OR event.code:4751 OR event.code:4761 OR event.code:4746 OR event.code:4785 OR event.code:4787\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Added to Group\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Added - Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-ffebe440-f419-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.5/manifest.yml b/packages/system/0.10.5/manifest.yml
deleted file mode 100644
index d959f865c1..0000000000
--- a/packages/system/0.10.5/manifest.yml
+++ /dev/null
@@ -1,43 +0,0 @@
-format_version: 1.0.0
-name: system
-title: System
-version: 0.10.5
-license: basic
-description: System Integration
-type: integration
-categories:
- - os_system
- - security
-release: beta
-conditions:
- kibana.version: '^7.11.0'
-screenshots:
- - src: /img/kibana-system.png
- title: kibana system
- size: 1220x852
- type: image/png
- - src: /img/metricbeat_system_dashboard.png
- title: metricbeat system dashboard
- size: 2097x1933
- type: image/png
-icons:
- - src: /img/system.svg
- title: system
- size: 1000x1000
- type: image/svg+xml
-policy_templates:
- - name: system
- title: System logs and metrics
- description: Collect logs and metrics from System instances
- inputs:
- - type: logfile
- title: Collect logs from System instances
- description: Collecting System auth and syslog logs
- - type: winlog
- title: 'Collect events from the Windows event log'
- description: 'Collecting events from Windows event log'
- - type: system/metrics
- title: Collect metrics from System instances
- description: Collecting System core, CPU, diskio, entropy, filesystem, fsstat, load, memory, network, Network Summary, process, Process Summary, raid, service, socket, Socket Summary, uptime and users metrics
-owner:
- github: elastic/integrations-services
diff --git a/packages/system/0.10.6/data_stream/application/agent/stream/winlog.yml.hbs b/packages/system/0.10.6/data_stream/application/agent/stream/winlog.yml.hbs
deleted file mode 100644
index e207b9ffd6..0000000000
--- a/packages/system/0.10.6/data_stream/application/agent/stream/winlog.yml.hbs
+++ /dev/null
@@ -1,3 +0,0 @@
-name: Application
-condition: ${host.platform} == 'windows'
-ignore_older: 72h
\ No newline at end of file
diff --git a/packages/system/0.10.6/data_stream/application/elasticsearch/ingest_pipeline/default.yml b/packages/system/0.10.6/data_stream/application/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100644
index d239ad095f..0000000000
--- a/packages/system/0.10.6/data_stream/application/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,10 +0,0 @@
----
- description: Pipeline for Windows Application Event Logs
- processors:
- - set:
- field: event.ingested
- value: '{{_ingest.timestamp}}'
- on_failure:
- - set:
- field: "error.message"
- value: "{{ _ingest.on_failure_message }}"
\ No newline at end of file
diff --git a/packages/system/0.10.6/data_stream/application/fields/agent.yml b/packages/system/0.10.6/data_stream/application/fields/agent.yml
deleted file mode 100644
index da4e652c53..0000000000
--- a/packages/system/0.10.6/data_stream/application/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.10.6/data_stream/application/fields/base-fields.yml b/packages/system/0.10.6/data_stream/application/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.10.6/data_stream/application/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.10.6/data_stream/application/fields/ecs.yml b/packages/system/0.10.6/data_stream/application/fields/ecs.yml
deleted file mode 100644
index e1817f5ca6..0000000000
--- a/packages/system/0.10.6/data_stream/application/fields/ecs.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-- description: Time when the event was first read by an agent or by your pipeline.
- example: '2016-05-23T08:05:34.857Z'
- name: event.created
- type: date
-- description: Timestamp when an event arrived in the central data store.
- example: '2016-05-23T08:05:35.101Z'
- name: event.ingested
- type: date
-- description: Raw text message of entire event.
- example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232
- ignore_above: 1024
- name: event.original
- type: keyword
-- description: Error message.
- name: error.message
- type: text
diff --git a/packages/system/0.10.6/data_stream/application/fields/winlog.yml b/packages/system/0.10.6/data_stream/application/fields/winlog.yml
deleted file mode 100644
index adca1bbdd0..0000000000
--- a/packages/system/0.10.6/data_stream/application/fields/winlog.yml
+++ /dev/null
@@ -1,357 +0,0 @@ -- name: winlog - type: group - description: > - All fields specific to the Windows Event Log are defined here. - - fields: - - name: api - required: true - type: keyword - description: > - The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. - - - name: activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. - - - name: computer_name - type: keyword - required: true - description: > - The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. - - - name: event_data - type: object - object_type: keyword - required: false - description: > - The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. - - - name: event_data - type: group - description: > - This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs. 
- - fields: - - name: AuthenticationPackageName - type: keyword - - name: Binary - type: keyword - - name: BitlockerUserInputTime - type: keyword - - name: BootMode - type: keyword - - name: BootType - type: keyword - - name: BuildVersion - type: keyword - - name: Company - type: keyword - - name: CorruptionActionState - type: keyword - - name: CreationUtcTime - type: keyword - - name: Description - type: keyword - - name: Detail - type: keyword - - name: DeviceName - type: keyword - - name: DeviceNameLength - type: keyword - - name: DeviceTime - type: keyword - - name: DeviceVersionMajor - type: keyword - - name: DeviceVersionMinor - type: keyword - - name: DriveName - type: keyword - - name: DriverName - type: keyword - - name: DriverNameLength - type: keyword - - name: DwordVal - type: keyword - - name: EntryCount - type: keyword - - name: ExtraInfo - type: keyword - - name: FailureName - type: keyword - - name: FailureNameLength - type: keyword - - name: FileVersion - type: keyword - - name: FinalStatus - type: keyword - - name: Group - type: keyword - - name: IdleImplementation - type: keyword - - name: IdleStateCount - type: keyword - - name: ImpersonationLevel - type: keyword - - name: IntegrityLevel - type: keyword - - name: IpAddress - type: keyword - - name: IpPort - type: keyword - - name: KeyLength - type: keyword - - name: LastBootGood - type: keyword - - name: LastShutdownGood - type: keyword - - name: LmPackageName - type: keyword - - name: LogonGuid - type: keyword - - name: LogonId - type: keyword - - name: LogonProcessName - type: keyword - - name: LogonType - type: keyword - - name: MajorVersion - type: keyword - - name: MaximumPerformancePercent - type: keyword - - name: MemberName - type: keyword - - name: MemberSid - type: keyword - - name: MinimumPerformancePercent - type: keyword - - name: MinimumThrottlePercent - type: keyword - - name: MinorVersion - type: keyword - - name: NewProcessId - type: keyword - - name: NewProcessName - type: 
keyword - - name: NewSchemeGuid - type: keyword - - name: NewTime - type: keyword - - name: NominalFrequency - type: keyword - - name: Number - type: keyword - - name: OldSchemeGuid - type: keyword - - name: OldTime - type: keyword - - name: OriginalFileName - type: keyword - - name: Path - type: keyword - - name: PerformanceImplementation - type: keyword - - name: PreviousCreationUtcTime - type: keyword - - name: PreviousTime - type: keyword - - name: PrivilegeList - type: keyword - - name: ProcessId - type: keyword - - name: ProcessName - type: keyword - - name: ProcessPath - type: keyword - - name: ProcessPid - type: keyword - - name: Product - type: keyword - - name: PuaCount - type: keyword - - name: PuaPolicyId - type: keyword - - name: QfeVersion - type: keyword - - name: Reason - type: keyword - - name: SchemaVersion - type: keyword - - name: ScriptBlockText - type: keyword - - name: ServiceName - type: keyword - - name: ServiceVersion - type: keyword - - name: ShutdownActionType - type: keyword - - name: ShutdownEventCode - type: keyword - - name: ShutdownReason - type: keyword - - name: Signature - type: keyword - - name: SignatureStatus - type: keyword - - name: Signed - type: keyword - - name: StartTime - type: keyword - - name: State - type: keyword - - name: Status - type: keyword - - name: StopTime - type: keyword - - name: SubjectDomainName - type: keyword - - name: SubjectLogonId - type: keyword - - name: SubjectUserName - type: keyword - - name: SubjectUserSid - type: keyword - - name: TSId - type: keyword - - name: TargetDomainName - type: keyword - - name: TargetInfo - type: keyword - - name: TargetLogonGuid - type: keyword - - name: TargetLogonId - type: keyword - - name: TargetServerName - type: keyword - - name: TargetUserName - type: keyword - - name: TargetUserSid - type: keyword - - name: TerminalSessionId - type: keyword - - name: TokenElevationType - type: keyword - - name: TransmittedServices - type: keyword - - name: UserSid - type: 
keyword - - name: Version - type: keyword - - name: Workstation - type: keyword - - name: param1 - type: keyword - - name: param2 - type: keyword - - name: param3 - type: keyword - - name: param4 - type: keyword - - name: param5 - type: keyword - - name: param6 - type: keyword - - name: param7 - type: keyword - - name: param8 - type: keyword - - name: event_id - type: keyword - required: true - description: > - The event identifier. The value is specific to the source of the event. - - - name: keywords - type: keyword - required: false - description: > - The keywords are used to classify an event. - - - name: channel - type: keyword - required: true - description: > - The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. - - - name: record_id - type: keyword - required: true - description: > - The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. - - - name: related_activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. - - - name: opcode - type: keyword - required: false - description: > - The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. - - - name: provider_guid - type: keyword - required: false - description: > - A globally unique identifier that identifies the provider that logged the event. - - - name: process.pid - type: long - required: false - description: > - The process_id of the Client Server Runtime Process. 
- - - name: provider_name - type: keyword - required: true - description: > - The source of the event log record (the application or service that logged the record). - - - name: task - type: keyword - required: false - description: > - The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. - - - name: process.thread.id - type: long - required: false - - name: user_data - type: object - object_type: keyword - required: false - description: > - The event specific data. This field is mutually exclusive with `event_data`. - - - name: user.identifier - type: keyword - required: false - example: S-1-5-21-3541430928-2051711210-1391384369-1001 - description: > - The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. - - - name: user.name - type: keyword - description: > - Name of the user associated with this event. - - - name: user.domain - type: keyword - required: false - description: > - The domain that the account associated with this event is a member of. - - - name: user.type - type: keyword - required: false - description: > - The type of account associated with this event. - - - name: version - type: long - required: false - description: The version number of the event's definition. diff --git a/packages/system/0.10.6/data_stream/application/manifest.yml b/packages/system/0.10.6/data_stream/application/manifest.yml deleted file mode 100644 index 4fab87c07c..0000000000 --- a/packages/system/0.10.6/data_stream/application/manifest.yml +++ /dev/null 
@@ -1,8 +0,0 @@ -type: logs -title: Windows Application Events -release: experimental -streams: - - input: winlog - template_path: winlog.yml.hbs - title: Application - description: 'Collect Windows application logs' diff --git a/packages/system/0.10.6/data_stream/auth/agent/stream/log.yml.hbs b/packages/system/0.10.6/data_stream/auth/agent/stream/log.yml.hbs deleted file mode 100644 index 58c96859c0..0000000000 --- a/packages/system/0.10.6/data_stream/auth/agent/stream/log.yml.hbs +++ /dev/null @@ -1,14 +0,0 @@ -paths: -{{#each paths as |path i|}} - - {{path}} -{{/each}} -exclude_files: [".gz$"] -multiline: - pattern: "^\\s" - match: after -processors: - - add_locale: ~ - - add_fields: - target: '' - fields: - ecs.version: 1.5.0 \ No newline at end of file diff --git a/packages/system/0.10.6/data_stream/auth/elasticsearch/ingest_pipeline/default.json b/packages/system/0.10.6/data_stream/auth/elasticsearch/ingest_pipeline/default.json deleted file mode 100644 index 8df0a77e58..0000000000 --- a/packages/system/0.10.6/data_stream/auth/elasticsearch/ingest_pipeline/default.json +++ /dev/null 
@@ -1,121 +0,0 @@ -{ - "description": "Pipeline for parsing system authorisation/secure logs", - "processors": [ - { - "grok": { - "field": "message", - "ignore_missing": true, - "pattern_definitions" : { - "GREEDYMULTILINE" : "(.|\n)*", - "TIMESTAMP": "(?:%{TIMESTAMP_ISO8601}|%{SYSLOGTIMESTAMP})" - }, - "patterns": [ - "%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: %{DATA:system.auth.ssh.event} %{DATA:system.auth.ssh.method} for (invalid user )?%{DATA:user.name} from %{IPORHOST:source.ip} port %{NUMBER:source.port:long} ssh2(: %{GREEDYDATA:system.auth.ssh.signature})?", - "%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: %{DATA:system.auth.ssh.event} user %{DATA:user.name} from %{IPORHOST:source.ip}", - "%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: Did not receive identification string from %{IPORHOST:system.auth.ssh.dropped_ip}", - "%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: \\s*%{DATA:user.name} :( %{DATA:system.auth.sudo.error} ;)? TTY=%{DATA:system.auth.sudo.tty} ; PWD=%{DATA:system.auth.sudo.pwd} ; USER=%{DATA:system.auth.sudo.user} ; COMMAND=%{GREEDYDATA:system.auth.sudo.command}", - "%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: new group: name=%{DATA:group.name}, GID=%{NUMBER:group.id}", - "%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: new user: name=%{DATA:user.name}, UID=%{NUMBER:user.id}, GID=%{NUMBER:group.id}, home=%{DATA:system.auth.useradd.home}, shell=%{DATA:system.auth.useradd.shell}$", - "%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname}? 
%{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: %{GREEDYMULTILINE:system.auth.message}" - ] - } - }, - { - "remove": { - "field": "message" - } - }, - { - "rename": { - "field": "system.auth.message", - "target_field": "message", - "ignore_missing": true - } - }, - { - "set": { - "field": "source.ip", - "value": "{{system.auth.ssh.dropped_ip}}", - "if": "ctx.containsKey('system') && ctx.system.containsKey('auth') && ctx.system.auth.containsKey('ssh') && ctx.system.auth.ssh.containsKey('dropped_ip')" - } - }, - { - "date": { - "if": "ctx.event.timezone == null", - "field": "system.auth.timestamp", - "target_field": "@timestamp", - "formats": [ - "MMM d HH:mm:ss", - "MMM dd HH:mm:ss", - "ISO8601" - ], - "on_failure": [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] - } - }, - { - "date": { - "if": "ctx.event.timezone != null", - "field": "system.auth.timestamp", - "target_field": "@timestamp", - "formats": [ - "MMM d HH:mm:ss", - "MMM dd HH:mm:ss", - "ISO8601" - ], - "timezone": "{{ event.timezone }}", - "on_failure": [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] - } - }, - { - "remove": { - "field": "system.auth.timestamp" - } - }, - { - "geoip": { - "field": "source.ip", - "target_field": "source.geo", - "ignore_failure": true - } - }, - { - "geoip": { - "database_file": "GeoLite2-ASN.mmdb", - "field": "source.ip", - "target_field": "source.as", - "properties": [ - "asn", - "organization_name" - ], - "ignore_missing": true - } - }, - { - "rename": { - "field": "source.as.asn", - "target_field": "source.as.number", - "ignore_missing": true - } - }, - { - "rename": { - "field": "source.as.organization_name", - "target_field": "source.as.organization.name", - "ignore_missing": true - } - }, - { - "script": { - "lang": "painless", - "ignore_failure": true, - "source": "if (ctx.system.auth.ssh.event == \"Accepted\") { if (!ctx.containsKey(\"event\")) { ctx.event = [:]; } 
ctx.event.type = \"authentication_success\"; ctx.event.category = \"authentication\"; ctx.event.action = \"ssh_login\"; ctx.event.outcome = \"success\"; } else if (ctx.system.auth.ssh.event == \"Invalid\" || ctx.system.auth.ssh.event == \"Failed\") { if (!ctx.containsKey(\"event\")) { ctx.event = [:]; } ctx.event.type = \"authentication_failure\"; ctx.event.category = \"authentication\"; ctx.event.action = \"ssh_login\"; ctx.event.outcome = \"failure\"; }" - } - } - ], - "on_failure" : [{ - "set" : { - "field" : "error.message", - "value" : "{{ _ingest.on_failure_message }}" - } - }] -} diff --git a/packages/system/0.10.6/data_stream/auth/elasticsearch/ingest_pipeline/default.yml b/packages/system/0.10.6/data_stream/auth/elasticsearch/ingest_pipeline/default.yml deleted file mode 100644 index 9f7c43959d..0000000000 --- a/packages/system/0.10.6/data_stream/auth/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,146 +0,0 @@ ---- -description: Pipeline for parsing system authorisation/secure logs -processors: -- grok: - field: message - ignore_missing: true - pattern_definitions: - GREEDYMULTILINE: |- - (.| - )* - TIMESTAMP: (?:%{TIMESTAMP_ISO8601}|%{SYSLOGTIMESTAMP}) - patterns: - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - %{DATA:system.auth.ssh.event} %{DATA:system.auth.ssh.method} for (invalid user - )?%{DATA:user.name} from %{IPORHOST:source.ip} port %{NUMBER:source.port:long} - ssh2(: %{GREEDYDATA:system.auth.ssh.signature})?' - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - %{DATA:system.auth.ssh.event} user %{DATA:user.name} from %{IPORHOST:source.ip}' - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - Did not receive identification string from %{IPORHOST:system.auth.ssh.dropped_ip}' - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - \s*%{DATA:user.name} :( %{DATA:system.auth.sudo.error} ;)? TTY=%{DATA:system.auth.sudo.tty} - ; PWD=%{DATA:system.auth.sudo.pwd} ; USER=%{DATA:system.auth.sudo.user} ; COMMAND=%{GREEDYDATA:system.auth.sudo.command}' - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - new group: name=%{DATA:group.name}, GID=%{NUMBER:group.id}' - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - new user: name=%{DATA:user.name}, UID=%{NUMBER:user.id}, GID=%{NUMBER:group.id}, - home=%{DATA:system.auth.useradd.home}, shell=%{DATA:system.auth.useradd.shell}$' - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname}? 
%{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - %{GREEDYMULTILINE:system.auth.message}' -- remove: - field: message -- rename: - field: system.auth.message - target_field: message - ignore_missing: true -- set: - field: source.ip - value: '{{system.auth.ssh.dropped_ip}}' - if: "ctx?.system?.auth?.ssh?.dropped_ip != null" -- date: - if: ctx.event.timezone == null - field: system.auth.timestamp - target_field: '@timestamp' - formats: - - MMM d HH:mm:ss - - MMM dd HH:mm:ss - - ISO8601 - on_failure: - - append: - field: error.message - value: '{{ _ingest.on_failure_message }}' -- date: - if: ctx.event.timezone != null - field: system.auth.timestamp - target_field: '@timestamp' - formats: - - MMM d HH:mm:ss - - MMM dd HH:mm:ss - - ISO8601 - timezone: '{{ event.timezone }}' - on_failure: - - append: - field: error.message - value: '{{ _ingest.on_failure_message }}' -- remove: - field: system.auth.timestamp -- geoip: - field: source.ip - target_field: source.geo - ignore_failure: true -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true -- rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true -- rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true -- set: - field: event.kind - value: event -- script: - lang: painless - ignore_failure: true - source: >- - if (ctx.system.auth.ssh.event == "Accepted") { - ctx.event.type = ["authentication_success", "info"]; - ctx.event.category = ["authentication"]; - ctx.event.action = "ssh_login"; - ctx.event.outcome = "success"; - } else if (ctx.system.auth.ssh.event == "Invalid" || ctx.system.auth.ssh.event == "Failed") { - ctx.event.type = ["authentication_failure", "info"]; - ctx.event.category = ["authentication"]; - ctx.event.action = "ssh_login"; - ctx.event.outcome = "failure"; - } - -- append: - field: event.category - value: 
iam - if: "ctx?.process?.name != null && ['groupadd', 'groupdel', 'groupmod', 'useradd', 'userdel', 'usermod'].contains(ctx.process.name)" -- set: - field: event.outcome - value: success - if: "ctx?.process?.name != null && ['groupadd', 'groupdel', 'groupmod', 'useradd', 'userdel', 'usermod'].contains(ctx.process.name)" -- append: - field: event.type - value: user - if: "ctx?.process?.name != null && ['useradd', 'userdel', 'usermod'].contains(ctx.process.name)" -- append: - field: event.type - value: group - if: "ctx?.process?.name != null && ['groupadd', 'groupdel', 'groupmod'].contains(ctx.process.name)" -- append: - field: event.type - value: creation - if: "ctx?.process?.name != null && ['useradd', 'groupadd'].contains(ctx.process.name)" -- append: - field: event.type - value: deletion - if: "ctx?.process?.name != null && ['userdel', 'groupdel'].contains(ctx.process.name)" -- append: - field: event.type - value: change - if: "ctx?.process?.name != null && ['usermod', 'groupmod'].contains(ctx.process.name)" -- append: - field: related.user - value: "{{user.name}}" - if: "ctx?.user?.name != null" -- append: - field: related.ip - value: "{{source.ip}}" - if: "ctx?.source?.ip != null" -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/system/0.10.6/data_stream/auth/fields/agent.yml b/packages/system/0.10.6/data_stream/auth/fields/agent.yml deleted file mode 100644 index da4e652c53..0000000000 --- a/packages/system/0.10.6/data_stream/auth/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.10.6/data_stream/auth/fields/base-fields.yml b/packages/system/0.10.6/data_stream/auth/fields/base-fields.yml deleted file mode 100644 index 7c798f4534..0000000000 --- a/packages/system/0.10.6/data_stream/auth/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.10.6/data_stream/auth/fields/ecs.yml b/packages/system/0.10.6/data_stream/auth/fields/ecs.yml deleted file mode 100644 index 3bf40ac7d1..0000000000 --- a/packages/system/0.10.6/data_stream/auth/fields/ecs.yml +++ /dev/null 
@@ -1,205 +0,0 @@ -- name: '@timestamp' - level: core - required: true - type: date - description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. -- name: message - level: core - type: text - description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. -- name: group - title: Group - group: 2 - type: group - fields: - - name: id - level: extended - type: keyword - description: Unique identifier for the group on the system/platform. - ignore_above: 1024 - - name: name - level: extended - type: keyword - description: Name of the group. - ignore_above: 1024 -- name: host - title: Host - group: 2 - type: group - fields: - - name: hostname - level: core - type: keyword - description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - ignore_above: 1024 -- name: process - title: Process - group: 2 - type: group - fields: - - name: name - level: extended - type: keyword - description: |- - Process name. - Sometimes called program name or similar. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - - name: pid - level: core - type: long - format: string - description: Process id. -- name: source - title: Source - group: 2 - type: group - fields: - - name: geo.city_name - level: core - type: keyword - description: City name. 
- ignore_above: 1024 - - name: geo.continent_name - level: core - type: keyword - description: Name of the continent. - ignore_above: 1024 - - name: geo.country_iso_code - level: core - type: keyword - description: Country ISO code. - ignore_above: 1024 - - name: geo.location - level: core - type: geo_point - description: Longitude and latitude. - - name: geo.region_iso_code - level: core - type: keyword - description: Region ISO code. - ignore_above: 1024 - - name: geo.region_name - level: core - type: keyword - description: Region name. - ignore_above: 1024 - - name: ip - level: core - type: ip - description: IP address of the source (IPv4 or IPv6). - - name: port - level: core - type: long - format: string - description: Port of the source. -- name: user - title: User - group: 2 - type: group - fields: - - name: id - level: core - type: keyword - description: Unique identifier of the user. - ignore_above: 1024 - - name: name - level: core - type: keyword - description: Short name or login of the user. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false -- description: "Operating system architecture." - ignore_above: 1024 - name: host.architecture - type: keyword -- description: "Name of the directory the group is a member of." - ignore_above: 1024 - name: host.domain - type: keyword -- description: "Hostname of the host." - ignore_above: 1024 - name: host.hostname - type: keyword -- description: "Unique host id." - ignore_above: 1024 - name: host.id - type: keyword -- description: "Host ip addresses." - name: host.ip - type: ip -- description: "Host mac addresses." - ignore_above: 1024 - name: host.mac - type: keyword -- description: "Name of the host." - ignore_above: 1024 - name: host.name - type: keyword -- description: "OS family (such as redhat, debian, freebsd, windows)." - ignore_above: 1024 - name: host.os.family - type: keyword -- description: "Operating system name, including the version or code name." 
- ignore_above: 1024 - multi_fields: - - name: text - norms: false - type: text - name: host.os.full - type: keyword -- description: "Operating system kernel version as a raw string." - ignore_above: 1024 - name: host.os.kernel - type: keyword -- description: "Operating system name, without the version." - ignore_above: 1024 - multi_fields: - - name: text - norms: false - type: text - name: host.os.name - type: keyword -- description: "Operating system platform (such centos, ubuntu, windows)." - ignore_above: 1024 - name: host.os.platform - type: keyword -- description: "Operating system version as a raw string." - ignore_above: 1024 - name: version - type: keyword -- name: error.message - type: text - description: Error message. -- name: related.ip - type: ip - description: All of the IPs seen on your event. -- name: related.user - type: keyword - description: All the user names seen on your event. -- name: source.as.number - type: long - description: Unique number allocated to the autonomous system. -- name: source.as.organization.name - type: keyword - description: Organization name. -- name: source.geo.country_name - type: keyword - description: Country name. diff --git a/packages/system/0.10.6/data_stream/auth/fields/fields.yml b/packages/system/0.10.6/data_stream/auth/fields/fields.yml deleted file mode 100644 index 1e7b044f02..0000000000 --- a/packages/system/0.10.6/data_stream/auth/fields/fields.yml +++ /dev/null 
@@ -1,58 +0,0 @@ -- name: system.auth - type: group - fields: - - name: ssh - type: group - fields: - - name: method - type: keyword - description: | - The SSH authentication method. Can be one of "password" or "publickey". - - name: signature - type: keyword - description: | - The signature of the client public key. - - name: dropped_ip - type: ip - description: | - The client IP from SSH connections that are open and immediately dropped. - - name: event - type: keyword - description: | - The SSH event as found in the logs (Accepted, Invalid, Failed, etc.) - - name: geoip - type: group - - name: sudo - type: group - fields: - - name: error - type: keyword - description: | - The error message in case the sudo command failed. - - name: tty - type: keyword - description: | - The TTY where the sudo command is executed. - - name: pwd - type: keyword - description: | - The current directory where the sudo command is executed. - - name: user - type: keyword - description: | - The target user to which the sudo command is switching. - - name: command - type: keyword - description: | - The command executed via sudo. - - name: useradd - type: group - fields: - - name: home - type: keyword - description: The home folder for the new user. - - name: shell - type: keyword - description: The default shell for the new user. - - name: groupadd - type: group diff --git a/packages/system/0.10.6/data_stream/auth/manifest.yml b/packages/system/0.10.6/data_stream/auth/manifest.yml deleted file mode 100644 index 428764ece1..0000000000 --- a/packages/system/0.10.6/data_stream/auth/manifest.yml +++ /dev/null @@ -1,18 +0,0 @@ -title: System auth logs -release: experimental -type: logs -streams: - - input: logfile - vars: - - name: paths - type: text - title: Paths - multi: true - required: true - show_user: true - default: - - /var/log/auth.log* - - /var/log/secure* - template_path: log.yml.hbs - title: System auth logs (log) - description: Collect System auth logs using log input 
diff --git a/packages/system/0.10.6/data_stream/core/agent/stream/stream.yml.hbs b/packages/system/0.10.6/data_stream/core/agent/stream/stream.yml.hbs deleted file mode 100644 index 38d25572bd..0000000000 --- a/packages/system/0.10.6/data_stream/core/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,5 +0,0 @@ -metricsets: ["core"] -core.metrics: -{{#each core.metrics}} - - {{this}} -{{/each}} diff --git a/packages/system/0.10.6/data_stream/core/fields/agent.yml b/packages/system/0.10.6/data_stream/core/fields/agent.yml deleted file mode 100644 index da4e652c53..0000000000 --- a/packages/system/0.10.6/data_stream/core/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.10.6/data_stream/core/fields/base-fields.yml b/packages/system/0.10.6/data_stream/core/fields/base-fields.yml deleted file mode 100644 index 7c798f4534..0000000000 --- a/packages/system/0.10.6/data_stream/core/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.10.6/data_stream/core/fields/ecs.yml b/packages/system/0.10.6/data_stream/core/fields/ecs.yml deleted file mode 100644 index e76a78fa1d..0000000000 --- a/packages/system/0.10.6/data_stream/core/fields/ecs.yml +++ /dev/null 
@@ -1,71 +0,0 @@ -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. 
- example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: Type of host. diff --git a/packages/system/0.10.6/data_stream/core/fields/fields.yml b/packages/system/0.10.6/data_stream/core/fields/fields.yml deleted file mode 100644 index dab186321f..0000000000 --- a/packages/system/0.10.6/data_stream/core/fields/fields.yml +++ /dev/null 
@@ -1,103 +0,0 @@ -- name: system.core - type: group - fields: - - name: id - type: keyword - description: | - CPU Core number. - - name: user.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in user space. - - name: user.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent in user space. - - name: system.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in kernel space. - - name: system.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent in kernel space. - - name: nice.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent on low-priority processes. - - name: nice.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent on low-priority processes. - - name: idle.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent idle. - - name: idle.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent idle. - - name: iowait.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in wait (on disk). - - name: iowait.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent in wait (on disk). - - name: irq.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent servicing and handling hardware interrupts. - - name: irq.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent servicing and handling hardware interrupts. 
- - name: softirq.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent servicing and handling software interrupts. - - name: softirq.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent servicing and handling software interrupts. - - name: steal.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. - - name: steal.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. diff --git a/packages/system/0.10.6/data_stream/core/manifest.yml b/packages/system/0.10.6/data_stream/core/manifest.yml deleted file mode 100644 index f7e0e5a825..0000000000 --- a/packages/system/0.10.6/data_stream/core/manifest.yml +++ /dev/null @@ -1,27 +0,0 @@ -title: System core metrics -release: experimental -type: metrics -streams: - - input: system/metrics - enabled: false - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - - name: core.metrics - type: text - title: Core Metrics - multi: true - required: true - show_user: true - description: > - How to report core metrics. Can be "percentages" or "ticks" - - default: - - percentages - title: System core metrics - description: Collect System core metrics diff --git a/packages/system/0.10.6/data_stream/cpu/agent/stream/stream.yml.hbs b/packages/system/0.10.6/data_stream/cpu/agent/stream/stream.yml.hbs deleted file mode 100644 index cd0de8d3d9..0000000000 --- a/packages/system/0.10.6/data_stream/cpu/agent/stream/stream.yml.hbs +++ /dev/null 
@@ -1,6 +0,0 @@ -metricsets: ["cpu"] -cpu.metrics: -{{#each cpu.metrics}} - - {{this}} -{{/each}} -period: {{period}} \ No newline at end of file diff --git a/packages/system/0.10.6/data_stream/cpu/fields/agent.yml b/packages/system/0.10.6/data_stream/cpu/fields/agent.yml deleted file mode 100644 index 3643534982..0000000000 --- a/packages/system/0.10.6/data_stream/cpu/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - - - name: cpu.pct - type: scaled_float - format: percent - description: > - Percent CPU used. 
This value is normalized by the number of CPU cores and it ranges from 0 to 1. - diff --git a/packages/system/0.10.6/data_stream/cpu/fields/base-fields.yml b/packages/system/0.10.6/data_stream/cpu/fields/base-fields.yml deleted file mode 100644 index 7c798f4534..0000000000 --- a/packages/system/0.10.6/data_stream/cpu/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.10.6/data_stream/cpu/fields/ecs.yml b/packages/system/0.10.6/data_stream/cpu/fields/ecs.yml deleted file mode 100644 index e76a78fa1d..0000000000 --- a/packages/system/0.10.6/data_stream/cpu/fields/ecs.yml +++ /dev/null 
@@ -1,71 +0,0 @@ -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. 
- example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: Type of host. diff --git a/packages/system/0.10.6/data_stream/cpu/fields/fields.yml b/packages/system/0.10.6/data_stream/cpu/fields/fields.yml deleted file mode 100644 index 9efed64c2d..0000000000 --- a/packages/system/0.10.6/data_stream/cpu/fields/fields.yml +++ /dev/null 
@@ -1,182 +0,0 @@ -- name: system.cpu - type: group - fields: - - name: cores - type: long - metric_type: gauge - description: | - The number of CPU cores present on the host. The non-normalized percentages will have a maximum value of `100% * cores`. The normalized percentages already take this value into account and have a maximum value of 100%. - - name: user.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in user space. On multi-core systems, you can have percentages that are greater than 100%. For example, if 3 cores are at 60% use, then the `system.cpu.user.pct` will be 180%. - - name: system.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in kernel space. - - name: nice.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent on low-priority processes. - - name: idle.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent idle. - - name: iowait.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in wait (on disk). - - name: irq.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent servicing and handling hardware interrupts. - - name: softirq.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent servicing and handling software interrupts. - - name: steal.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. 
- - name: total.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in states other than Idle and IOWait. - - name: user.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in user space. - - name: system.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in kernel space. - - name: nice.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent on low-priority processes. - - name: idle.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent idle. - - name: iowait.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in wait (on disk). - - name: irq.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent servicing and handling hardware interrupts. - - name: softirq.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent servicing and handling software interrupts. - - name: steal.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. - - name: total.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time in states other than Idle and IOWait, normalised by the number of cores. 
- - name: user.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent in user space. - - name: system.ticks - type: long - description: | - The amount of CPU time spent in kernel space. - - name: nice.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent on low-priority processes. - - name: idle.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent idle. - - name: iowait.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent in wait (on disk). - - name: irq.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent servicing and handling hardware interrupts. - - name: softirq.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent servicing and handling software interrupts. - - name: steal.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. -- name: host - type: group - fields: - - name: cpu.pct - type: scaled_float - unit: percent - metric_type: gauge - description: | - Percent CPU used. This value is normalized by the number of CPU cores and it ranges from 0 to 1. diff --git a/packages/system/0.10.6/data_stream/cpu/manifest.yml b/packages/system/0.10.6/data_stream/cpu/manifest.yml deleted file mode 100644 index 0388136d11..0000000000 --- a/packages/system/0.10.6/data_stream/cpu/manifest.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -title: System cpu metrics -release: experimental -type: metrics -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - - name: cpu.metrics - type: text - title: Cpu Metrics - multi: true - required: true - show_user: true - description: > - How to report CPU metrics. Can be "percentages", "normalized_percentages", or "ticks" - - default: - - percentages - - normalized_percentages - title: System cpu metrics - description: Collect System cpu metrics diff --git a/packages/system/0.10.6/data_stream/diskio/agent/stream/stream.yml.hbs b/packages/system/0.10.6/data_stream/diskio/agent/stream/stream.yml.hbs deleted file mode 100644 index 689369ee25..0000000000 --- a/packages/system/0.10.6/data_stream/diskio/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,6 +0,0 @@ -metricsets: ["diskio"] -diskio.include_devices: -{{#each diskio.include_devices}} - - {{this}} -{{/each}} -period: {{period}} \ No newline at end of file diff --git a/packages/system/0.10.6/data_stream/diskio/fields/agent.yml b/packages/system/0.10.6/data_stream/diskio/fields/agent.yml deleted file mode 100644 index 54d97ab701..0000000000 --- a/packages/system/0.10.6/data_stream/diskio/fields/agent.yml +++ /dev/null 
@@ -1,209 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- - - name: disk.read.bytes - type: long - format: bytes - description: > - The total number of bytes read successfully in a given period of time. - - - name: disk.write.bytes - type: long - format: bytes - description: >- - The total number of bytes write successfully in a given period of time. diff --git a/packages/system/0.10.6/data_stream/diskio/fields/base-fields.yml b/packages/system/0.10.6/data_stream/diskio/fields/base-fields.yml deleted file mode 100644 index 7c798f4534..0000000000 --- a/packages/system/0.10.6/data_stream/diskio/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.10.6/data_stream/diskio/fields/ecs.yml b/packages/system/0.10.6/data_stream/diskio/fields/ecs.yml deleted file mode 100644 index 9a7eeefc56..0000000000 --- a/packages/system/0.10.6/data_stream/diskio/fields/ecs.yml +++ /dev/null 
@@ -1,78 +0,0 @@ -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: hostname - level: core - type: keyword - description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - ignore_above: 1024 - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). 
- example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: Type of host. diff --git a/packages/system/0.10.6/data_stream/diskio/fields/fields.yml b/packages/system/0.10.6/data_stream/diskio/fields/fields.yml deleted file mode 100644 index 01a5762c60..0000000000 --- a/packages/system/0.10.6/data_stream/diskio/fields/fields.yml +++ /dev/null 
@@ -1,136 +0,0 @@ -- name: system.diskio - type: group - fields: - - name: name - type: keyword - description: | - The disk name. - - name: serial_number - type: keyword - description: | - The disk's serial number. This may not be provided by all operating systems. - - name: read.count - type: long - metric_type: counter - description: | - The total number of reads completed successfully. - - name: write.count - type: long - metric_type: counter - description: | - The total number of writes completed successfully. - - name: read.bytes - type: long - format: bytes - unit: byte - metric_type: counter - description: | - The total number of bytes read successfully. On Linux this is the number of sectors read multiplied by an assumed sector size of 512. - - name: write.bytes - type: long - format: bytes - unit: byte - metric_type: counter - description: | - The total number of bytes written successfully. On Linux this is the number of sectors written multiplied by an assumed sector size of 512. - - name: read.time - type: long - metric_type: counter - description: | - The total number of milliseconds spent by all reads. - - name: write.time - type: long - metric_type: counter - description: | - The total number of milliseconds spent by all writes. - - name: io.time - type: long - metric_type: counter - description: | - The total number of of milliseconds spent doing I/Os. - - name: iostat.read.request.merges_per_sec - type: float - metric_type: gauge - description: | - The number of read requests merged per second that were queued to the device. - - name: iostat.write.request.merges_per_sec - type: float - metric_type: gauge - description: | - The number of write requests merged per second that were queued to the device. 
- - name: iostat.read.request.per_sec - type: float - metric_type: gauge - description: | - The number of read requests that were issued to the device per second - - name: iostat.write.request.per_sec - type: float - metric_type: gauge - description: | - The number of write requests that were issued to the device per second - - name: iostat.read.per_sec.bytes - type: float - format: bytes - metric_type: gauge - description: | - The number of Bytes read from the device per second. - - name: iostat.read.await - type: float - metric_type: gauge - description: | - The average time spent for read requests issued to the device to be served. - - name: iostat.write.per_sec.bytes - type: float - format: bytes - metric_type: gauge - description: | - The number of Bytes write from the device per second. - - name: iostat.write.await - type: float - metric_type: gauge - description: | - The average time spent for write requests issued to the device to be served. - - name: iostat.request.avg_size - type: float - format: bytes - unit: byte - metric_type: gauge - description: | - The average size (in bytes) of the requests that were issued to the device. - - name: iostat.queue.avg_size - type: float - unit: byte - metric_type: gauge - description: | - The average queue length of the requests that were issued to the device. - - name: iostat.await - type: float - metric_type: gauge - description: | - The average time spent for requests issued to the device to be served. - - name: iostat.service_time - type: float - unit: ms - metric_type: gauge - description: | - The average service time (in milliseconds) for I/O requests that were issued to the device. - - name: iostat.busy - type: float - metric_type: gauge - description: | - Percentage of CPU time during which I/O requests were issued to the device (bandwidth utilization for the device). Device saturation occurs when this value is close to 100%. 
-- name: host - type: group - fields: - - name: disk.read.bytes - type: scaled_float - unit: byte - metric_type: gauge - description: | - The total number of bytes read successfully in a given period of time. - - name: disk.write.bytes - type: scaled_float - unit: byte - metric_type: gauge - description: | - The total number of bytes write successfully in a given period of time. diff --git a/packages/system/0.10.6/data_stream/diskio/manifest.yml b/packages/system/0.10.6/data_stream/diskio/manifest.yml deleted file mode 100644 index 320f708bef..0000000000 --- a/packages/system/0.10.6/data_stream/diskio/manifest.yml +++ /dev/null @@ -1,24 +0,0 @@ -title: System diskio metrics -release: experimental -type: metrics -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - - name: diskio.include_devices - type: text - title: Include Devices - multi: true - required: false - show_user: true - description: > - Provide a specific list of devices to monitor. By default, all devices are monitored. - - title: System diskio metrics - description: Collect System diskio metrics diff --git a/packages/system/0.10.6/data_stream/filesystem/agent/stream/stream.yml.hbs b/packages/system/0.10.6/data_stream/filesystem/agent/stream/stream.yml.hbs deleted file mode 100644 index d21fbd9919..0000000000 --- a/packages/system/0.10.6/data_stream/filesystem/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,3 +0,0 @@ -metricsets: ["filesystem"] -period: {{period}} -processors: {{processors}} diff --git a/packages/system/0.10.6/data_stream/filesystem/fields/agent.yml b/packages/system/0.10.6/data_stream/filesystem/fields/agent.yml deleted file mode 100644 index da4e652c53..0000000000 --- a/packages/system/0.10.6/data_stream/filesystem/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.10.6/data_stream/filesystem/fields/base-fields.yml b/packages/system/0.10.6/data_stream/filesystem/fields/base-fields.yml deleted file mode 100644 index 7c798f4534..0000000000 --- a/packages/system/0.10.6/data_stream/filesystem/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.10.6/data_stream/filesystem/fields/fields.yml b/packages/system/0.10.6/data_stream/filesystem/fields/fields.yml deleted file mode 100644 index d7b44199a8..0000000000 --- a/packages/system/0.10.6/data_stream/filesystem/fields/fields.yml +++ /dev/null 
@@ -1,60 +0,0 @@ -- name: system.filesystem - type: group - fields: - - name: available - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The disk space available to an unprivileged user in bytes. - - name: device_name - type: keyword - description: | - The disk name. For example: `/dev/disk1` - - name: type - type: keyword - description: | - The disk type. For example: `ext4` - - name: mount_point - type: keyword - description: | - The mounting point. For example: `/` - - name: files - type: long - metric_type: gauge - description: | - The total number of file nodes in the file system. - - name: free - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The disk space available in bytes. - - name: free_files - type: long - metric_type: gauge - description: | - The number of free file nodes in the file system. - - name: total - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The total disk space in bytes. - - name: used.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The used disk space in bytes. - - name: used.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of used disk space. diff --git a/packages/system/0.10.6/data_stream/filesystem/manifest.yml b/packages/system/0.10.6/data_stream/filesystem/manifest.yml deleted file mode 100644 index 2cc3f159a7..0000000000 --- a/packages/system/0.10.6/data_stream/filesystem/manifest.yml +++ /dev/null 
@@ -1,28 +0,0 @@ -title: System filesystem metrics -release: experimental -type: metrics -streams: - - input: system/metrics - enabled: true - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 1m - - name: processors - type: yaml - title: Processors - multi: false - required: true - show_user: true - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with external metadata. - - default: | - - drop_event.when.regexp: - system.filesystem.mount_point: ^/(sys|cgroup|proc|dev|etc|host|lib|snap)($|/) - title: System filesystem metrics - description: Collect System filesystem metrics diff --git a/packages/system/0.10.6/data_stream/fsstat/agent/stream/stream.yml.hbs b/packages/system/0.10.6/data_stream/fsstat/agent/stream/stream.yml.hbs deleted file mode 100644 index fc5ebe911d..0000000000 --- a/packages/system/0.10.6/data_stream/fsstat/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,3 +0,0 @@ -metricsets: ["fsstat"] -period: {{period}} -processors: {{processors}} diff --git a/packages/system/0.10.6/data_stream/fsstat/fields/agent.yml b/packages/system/0.10.6/data_stream/fsstat/fields/agent.yml deleted file mode 100644 index da4e652c53..0000000000 --- a/packages/system/0.10.6/data_stream/fsstat/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.10.6/data_stream/fsstat/fields/base-fields.yml b/packages/system/0.10.6/data_stream/fsstat/fields/base-fields.yml deleted file mode 100644 index 7c798f4534..0000000000 --- a/packages/system/0.10.6/data_stream/fsstat/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.10.6/data_stream/fsstat/fields/ecs.yml b/packages/system/0.10.6/data_stream/fsstat/fields/ecs.yml deleted file mode 100644 index e76a78fa1d..0000000000 --- a/packages/system/0.10.6/data_stream/fsstat/fields/ecs.yml +++ /dev/null 
@@ -1,71 +0,0 @@ -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. 
- example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: Type of host. diff --git a/packages/system/0.10.6/data_stream/fsstat/fields/fields.yml b/packages/system/0.10.6/data_stream/fsstat/fields/fields.yml deleted file mode 100644 index aab998a85d..0000000000 --- a/packages/system/0.10.6/data_stream/fsstat/fields/fields.yml +++ /dev/null @@ -1,38 +0,0 @@ -- name: system.fsstat - type: group - fields: - - name: count - type: long - metric_type: gauge - description: Number of file systems found. - - name: total_files - type: long - metric_type: gauge - description: Total number of files. - - name: total_size - type: group - format: bytes - unit: byte - metric_type: gauge - fields: - - name: free - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total free space. - - name: used - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total used space. - - name: total - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total space (used plus free). diff --git a/packages/system/0.10.6/data_stream/fsstat/manifest.yml b/packages/system/0.10.6/data_stream/fsstat/manifest.yml deleted file mode 100644 index 8e63d20df1..0000000000 --- a/packages/system/0.10.6/data_stream/fsstat/manifest.yml +++ /dev/null 
@@ -1,28 +0,0 @@ -title: System fsstat metrics -release: experimental -type: metrics -streams: - - input: system/metrics - enabled: true - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 1m - - name: processors - type: yaml - title: Processors - multi: false - required: true - show_user: true - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with external metadata. - - default: | - - drop_event.when.regexp: - system.fsstat.mount_point: ^/(sys|cgroup|proc|dev|etc|host|lib|snap)($|/) - title: System fsstat metrics - description: Collect System fsstat metrics diff --git a/packages/system/0.10.6/data_stream/load/agent/stream/stream.yml.hbs b/packages/system/0.10.6/data_stream/load/agent/stream/stream.yml.hbs deleted file mode 100644 index b1403687c4..0000000000 --- a/packages/system/0.10.6/data_stream/load/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,3 +0,0 @@ -metricsets: ["load"] -condition: ${host.platform} != 'windows' -period: {{period}} \ No newline at end of file diff --git a/packages/system/0.10.6/data_stream/load/fields/agent.yml b/packages/system/0.10.6/data_stream/load/fields/agent.yml deleted file mode 100644 index da4e652c53..0000000000 --- a/packages/system/0.10.6/data_stream/load/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.10.6/data_stream/load/fields/base-fields.yml b/packages/system/0.10.6/data_stream/load/fields/base-fields.yml deleted file mode 100644 index 7c798f4534..0000000000 --- a/packages/system/0.10.6/data_stream/load/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.10.6/data_stream/load/fields/ecs.yml b/packages/system/0.10.6/data_stream/load/fields/ecs.yml deleted file mode 100644 index e76a78fa1d..0000000000 --- a/packages/system/0.10.6/data_stream/load/fields/ecs.yml +++ /dev/null 
@@ -1,71 +0,0 @@ -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. 
- example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: Type of host. diff --git a/packages/system/0.10.6/data_stream/load/fields/fields.yml b/packages/system/0.10.6/data_stream/load/fields/fields.yml deleted file mode 100644 index ae0130faef..0000000000 --- a/packages/system/0.10.6/data_stream/load/fields/fields.yml +++ /dev/null @@ -1,38 +0,0 @@ -- name: system.load - type: group - fields: - - name: "1" - type: scaled_float - metric_type: gauge - description: | - Load average for the last minute. - - name: "5" - type: scaled_float - metric_type: gauge - description: | - Load average for the last 5 minutes. - - name: "15" - type: scaled_float - metric_type: gauge - description: | - Load average for the last 15 minutes. - - name: norm.1 - type: scaled_float - metric_type: gauge - description: | - Load for the last minute divided by the number of cores. - - name: norm.5 - type: scaled_float - metric_type: gauge - description: | - Load for the last 5 minutes divided by the number of cores. - - name: norm.15 - type: scaled_float - metric_type: gauge - description: | - Load for the last 15 minutes divided by the number of cores. - - name: cores - type: long - metric_type: gauge - description: | - The number of CPU cores present on the host. diff --git a/packages/system/0.10.6/data_stream/load/manifest.yml b/packages/system/0.10.6/data_stream/load/manifest.yml deleted file mode 100644 index 486e57b779..0000000000 --- a/packages/system/0.10.6/data_stream/load/manifest.yml +++ /dev/null @@ -1,15 +0,0 @@ -title: System load metrics -release: experimental -type: metrics -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - title: System load metrics - description: Collect System load metrics 
diff --git a/packages/system/0.10.6/data_stream/memory/agent/stream/stream.yml.hbs b/packages/system/0.10.6/data_stream/memory/agent/stream/stream.yml.hbs deleted file mode 100644 index 0d49de061f..0000000000 --- a/packages/system/0.10.6/data_stream/memory/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,2 +0,0 @@ -metricsets: ["memory"] -period: {{period}} \ No newline at end of file diff --git a/packages/system/0.10.6/data_stream/memory/fields/agent.yml b/packages/system/0.10.6/data_stream/memory/fields/agent.yml deleted file mode 100644 index da4e652c53..0000000000 --- a/packages/system/0.10.6/data_stream/memory/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.10.6/data_stream/memory/fields/base-fields.yml b/packages/system/0.10.6/data_stream/memory/fields/base-fields.yml deleted file mode 100644 index 7c798f4534..0000000000 --- a/packages/system/0.10.6/data_stream/memory/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.10.6/data_stream/memory/fields/ecs.yml b/packages/system/0.10.6/data_stream/memory/fields/ecs.yml deleted file mode 100644 index e76a78fa1d..0000000000 --- a/packages/system/0.10.6/data_stream/memory/fields/ecs.yml +++ /dev/null 
@@ -1,71 +0,0 @@ -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. 
- example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: Type of host. diff --git a/packages/system/0.10.6/data_stream/memory/fields/fields.yml b/packages/system/0.10.6/data_stream/memory/fields/fields.yml deleted file mode 100644 index 55488d61eb..0000000000 --- a/packages/system/0.10.6/data_stream/memory/fields/fields.yml +++ /dev/null 
@@ -1,199 +0,0 @@ -- name: system.memory - type: group - fields: - - name: total - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total memory. - - name: used.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Used memory. - - name: free - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The total amount of free memory in bytes. This value does not include memory consumed by system caches and buffers (see system.memory.actual.free). - - name: used.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of used memory. - - name: actual - type: group - fields: - - name: used.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Actual used memory in bytes. It represents the difference between the total and the available memory. The available memory depends on the OS. For more details, please check `system.actual.free`. - - name: free - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Actual free memory in bytes. It is calculated based on the OS. On Linux this value will be MemAvailable from /proc/meminfo, or calculated from free memory plus caches and buffers if /proc/meminfo is not available. On OSX it is a sum of free memory and the inactive memory. On Windows, it is equal to `system.memory.free`. - - name: used.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of actual used memory. - - name: swap - type: group - fields: - - name: total - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total swap memory. - - name: used.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Used swap memory. - - name: free - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Available swap memory. 
- - name: out.pages - type: long - metric_type: counter - description: count of pages swapped out - - name: in.pages - type: long - metric_type: gauge - description: count of pages swapped in - - name: readahead.pages - type: long - metric_type: counter - description: swap readahead pages - - name: readahead.cached - type: long - description: swap readahead cache hits - - name: used.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of used swap memory. - - name: page_stats - type: group - fields: - - name: pgscan_kswapd.pages - type: long - format: number - metric_type: counter - description: pages scanned by kswapd - - name: pgscan_direct.pages - type: long - format: number - metric_type: counter - description: pages scanned directly - - name: pgfree.pages - type: long - format: number - metric_type: counter - description: pages freed by the system - - name: pgsteal_kswapd.pages - type: long - format: number - metric_type: counter - description: number of pages reclaimed by kswapd - - name: pgsteal_direct.pages - type: long - format: number - metric_type: counter - description: number of pages reclaimed directly - - name: direct_efficiency.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: direct reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory. - - name: kswapd_efficiency.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: kswapd reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory. - - name: hugepages - type: group - fields: - - name: total - type: long - format: number - metric_type: gauge - description: | - Number of huge pages in the pool. - - name: used.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Memory used in allocated huge pages. 
- - name: used.pct - type: long - format: percent - unit: percent - metric_type: gauge - description: | - Percentage of huge pages used. - - name: free - type: long - format: number - metric_type: gauge - description: | - Number of available huge pages in the pool. - - name: reserved - type: long - format: number - metric_type: gauge - description: | - Number of reserved but not allocated huge pages in the pool. - - name: surplus - type: long - format: number - metric_type: gauge - description: | - Number of overcommited huge pages. - - name: default_size - type: long - format: bytes - metric_type: gauge - description: | - Default size for huge pages. - - name: swap.out - type: group - fields: - - name: pages - type: long - metric_type: gauge - description: pages swapped out - - name: fallback - type: long - metric_type: gauge - description: Count of huge pages that must be split before swapout diff --git a/packages/system/0.10.6/data_stream/memory/manifest.yml b/packages/system/0.10.6/data_stream/memory/manifest.yml deleted file mode 100644 index aeb17b0bd0..0000000000 --- a/packages/system/0.10.6/data_stream/memory/manifest.yml +++ /dev/null @@ -1,15 +0,0 @@ -title: System memory metrics -release: experimental -type: metrics -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - title: System memory metrics - description: Collect System memory metrics diff --git a/packages/system/0.10.6/data_stream/network/agent/stream/stream.yml.hbs b/packages/system/0.10.6/data_stream/network/agent/stream/stream.yml.hbs deleted file mode 100644 index a3aeb928ae..0000000000 --- a/packages/system/0.10.6/data_stream/network/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,6 +0,0 @@ -metricsets: ["network"] -period: {{period}} -network.interfaces: -{{#each network.interfaces}} - - {{this}} -{{/each}} 
diff --git a/packages/system/0.10.6/data_stream/network/fields/agent.yml b/packages/system/0.10.6/data_stream/network/fields/agent.yml deleted file mode 100644 index e5afe01139..0000000000 --- a/packages/system/0.10.6/data_stream/network/fields/agent.yml +++ /dev/null 
@@ -1,220 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- - - name: network.in.bytes - type: long - format: bytes - description: > - The number of bytes received on all network interfaces by the host in a given period of time. - - - name: network.in.packets - type: long - description: > - The number of packets received on all network interfaces by the host in a given period of time. - - - name: network.out.bytes - type: long - format: bytes - description: > - The number of bytes sent out on all network interfaces by the host in a given period of time. - - - name: network.out.packets - type: long - description: > - The number of packets sent out on all network interfaces by the host in a given period of time. - diff --git a/packages/system/0.10.6/data_stream/network/fields/base-fields.yml b/packages/system/0.10.6/data_stream/network/fields/base-fields.yml deleted file mode 100644 index 7c798f4534..0000000000 --- a/packages/system/0.10.6/data_stream/network/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.10.6/data_stream/network/fields/ecs.yml b/packages/system/0.10.6/data_stream/network/fields/ecs.yml deleted file mode 100644 index 9f3d04118b..0000000000 --- a/packages/system/0.10.6/data_stream/network/fields/ecs.yml +++ /dev/null 
@@ -1,128 +0,0 @@ -- name: '@timestamp' - level: core - required: true - type: date - description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. -- name: message - level: core - type: text - description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. -- name: group - title: Group - group: 2 - type: group - fields: - - name: id - level: extended - type: keyword - description: Unique identifier for the group on the system/platform. - ignore_above: 1024 - - name: name - level: extended - type: keyword - description: Name of the group. - ignore_above: 1024 -- name: host - title: Host - group: 2 - type: group - fields: - - name: hostname - level: core - type: keyword - description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - ignore_above: 1024 -- name: process - title: Process - group: 2 - type: group - fields: - - name: name - level: extended - type: keyword - description: |- - Process name. - Sometimes called program name or similar. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - - name: pid - level: core - type: long - format: string - description: Process id. -- name: source - title: Source - group: 2 - type: group - fields: - - name: geo.city_name - level: core - type: keyword - description: City name. 
- ignore_above: 1024 - - name: geo.continent_name - level: core - type: keyword - description: Name of the continent. - ignore_above: 1024 - - name: geo.country_iso_code - level: core - type: keyword - description: Country ISO code. - ignore_above: 1024 - - name: geo.location - level: core - type: geo_point - description: Longitude and latitude. - - name: geo.region_iso_code - level: core - type: keyword - description: Region ISO code. - ignore_above: 1024 - - name: geo.region_name - level: core - type: keyword - description: Region name. - ignore_above: 1024 - - name: ip - level: core - type: ip - description: IP address of the source (IPv4 or IPv6). - - name: port - level: core - type: long - format: string - description: Port of the source. -- name: user - title: User - group: 2 - type: group - fields: - - name: id - level: core - type: keyword - description: Unique identifier of the user. - ignore_above: 1024 - - name: name - level: core - type: keyword - description: Short name or login of the user. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false diff --git a/packages/system/0.10.6/data_stream/network/fields/fields.yml b/packages/system/0.10.6/data_stream/network/fields/fields.yml deleted file mode 100644 index a309d88ba0..0000000000 --- a/packages/system/0.10.6/data_stream/network/fields/fields.yml +++ /dev/null 
@@ -1,77 +0,0 @@ -- name: system.network - type: group - fields: - - name: name - type: keyword - description: | - The network interface name. - - name: out.bytes - type: long - format: bytes - unit: byte - metric_type: counter - description: | - The number of bytes sent. - - name: in.bytes - type: long - format: bytes - unit: byte - metric_type: counter - description: | - The number of bytes received. - - name: out.packets - type: long - metric_type: counter - description: | - The number of packets sent. - - name: in.packets - type: long - metric_type: counter - description: | - The number or packets received. - - name: in.errors - type: long - metric_type: counter - description: | - The number of errors while receiving. - - name: out.errors - type: long - metric_type: counter - description: | - The number of errors while sending. - - name: in.dropped - type: long - metric_type: counter - description: | - The number of incoming packets that were dropped. - - name: out.dropped - type: long - metric_type: counter - description: | - The number of outgoing packets that were dropped. This value is always 0 on Darwin and BSD because it is not reported by the operating system. -- name: host - type: group - fields: - - name: network.in.bytes - type: scaled_float - format: bytes - unit: byte - metric_type: counter - description: | - The number of bytes received on all network interfaces by the host in a given period of time. - - name: network.out.bytes - type: scaled_float - unit: byte - metric_type: counter - description: | - The number of bytes sent out on all network interfaces by the host in a given period of time. - - name: network.in.packets - type: scaled_float - metric_type: counter - description: | - The number of packets received on all network interfaces by the host in a given period of time. 
- - name: network.out.packets - type: scaled_float - metric_type: counter - description: | - The number of packets sent out on all network interfaces by the host in a given period of time. diff --git a/packages/system/0.10.6/data_stream/network/manifest.yml b/packages/system/0.10.6/data_stream/network/manifest.yml deleted file mode 100644 index b9878b3e64..0000000000 --- a/packages/system/0.10.6/data_stream/network/manifest.yml +++ /dev/null @@ -1,24 +0,0 @@ -title: System network metrics -release: experimental -type: metrics -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - - name: network.interfaces - type: text - title: Interfaces - multi: true - required: false - show_user: true - description: > - List of interfaces to monitor. Will monitor all by default. - - title: System network metrics - description: Collect System network metrics diff --git a/packages/system/0.10.6/data_stream/process/agent/stream/stream.yml.hbs b/packages/system/0.10.6/data_stream/process/agent/stream/stream.yml.hbs deleted file mode 100644 index c28d9dd78a..0000000000 --- a/packages/system/0.10.6/data_stream/process/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,16 +0,0 @@ -metricsets: ["process"] -period: {{period}} -process.include_top_n.by_cpu: {{process.include_top_n.by_cpu}} -process.include_top_n.by_memory: {{process.include_top_n.by_memory}} -process.cmdline.cache.enabled: {{process.cmdline.cache.enabled}} -process.cgroups.enabled: {{process.cgroups.enabled}} -process.include_cpu_ticks: {{process.include_cpu_ticks}} -{{#if process.env.whitelist}} -{{#each process.env.whitelist}} - - {{this}} -{{/each}} -{{/if}} -processes: -{{#each processes}} - - {{this}} -{{/each}} \ No newline at end of file 
diff --git a/packages/system/0.10.6/data_stream/process/fields/agent.yml b/packages/system/0.10.6/data_stream/process/fields/agent.yml deleted file mode 100644 index d5df59895a..0000000000 --- a/packages/system/0.10.6/data_stream/process/fields/agent.yml +++ /dev/null 
@@ -1,226 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: process - title: Process - group: 2 - description: Process metrics. 
- type: group - fields: - - name: state - type: keyword - description: > - The process state. For example: "running". - - - name: cpu.pct - type: scaled_float - format: percent - description: > - The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 1. - - - name: cpu.start_time - type: date - description: > - The time when the process was started. - - - name: memory.pct - type: scaled_float - format: percent - description: > - The percentage of memory the process occupied in main memory (RAM). - diff --git a/packages/system/0.10.6/data_stream/process/fields/base-fields.yml b/packages/system/0.10.6/data_stream/process/fields/base-fields.yml deleted file mode 100644 index 7c798f4534..0000000000 --- a/packages/system/0.10.6/data_stream/process/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.10.6/data_stream/process/fields/ecs.yml b/packages/system/0.10.6/data_stream/process/fields/ecs.yml deleted file mode 100644 index 7e409c1793..0000000000 --- a/packages/system/0.10.6/data_stream/process/fields/ecs.yml +++ /dev/null 
@@ -1,128 +0,0 @@ -- name: process - title: Process - group: 2 - type: group - fields: - - name: name - level: extended - type: keyword - description: |- - Process name. - Sometimes called program name or similar. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - - name: pgid - level: extended - type: long - format: string - description: Identifier of the group of processes the process belongs to. - - name: pid - level: core - type: long - format: string - description: Process id. - - name: ppid - level: extended - type: long - format: string - description: Parent process' pid. - - name: working_directory - level: extended - type: keyword - description: The working directory of the process. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false -- name: user - title: User - group: 2 - type: group - fields: - - name: name - level: core - type: keyword - description: Short name or login of the user. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. 
- - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: Type of host. diff --git a/packages/system/0.10.6/data_stream/process/fields/fields.yml b/packages/system/0.10.6/data_stream/process/fields/fields.yml deleted file mode 100644 index 4dc7b1aab2..0000000000 --- a/packages/system/0.10.6/data_stream/process/fields/fields.yml +++ /dev/null 
@@ -1,434 +0,0 @@ -- name: system.process - type: group - fields: - - name: state - type: keyword - description: | - The process state. For example: "running". - - name: cmdline - type: keyword - description: | - The full command-line used to start the process, including the arguments separated by space. - ignore_above: 2048 - - name: env - type: object - description: | - The environment variables used to start the process. The data is available on FreeBSD, Linux, and OS X. - - name: cpu - type: group - fields: - - name: user.ticks - type: long - metric_type: counter - description: | - The amount of CPU time the process spent in user space. - - name: total.value - type: long - metric_type: counter - description: | - The value of CPU usage since starting the process. - - name: total.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent by the process since the last update. Its value is similar to the %CPU value of the process displayed by the top command on Unix systems. - - name: total.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 100%. - - name: system.ticks - type: long - metric_type: counter - description: | - The amount of CPU time the process spent in kernel space. - - name: total.ticks - type: long - metric_type: counter - description: | - The total CPU time spent by the process. - - name: start_time - type: date - description: | - The time when the process was started. - - name: memory - type: group - fields: - - name: size - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The total virtual memory the process has. 
On Windows this represents the Commit Charge (the total amount of memory that the memory manager has committed for a running process) value in bytes for this process. - - name: rss.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The Resident Set Size. The amount of memory the process occupied in main memory (RAM). On Windows this represents the current working set size, in bytes. - - name: rss.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of memory the process occupied in main memory (RAM). - - name: share - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The shared memory the process uses. - - name: fd - type: group - fields: - - name: open - type: long - metric_type: gauge - description: The number of file descriptors open by the process. - - name: limit.soft - type: long - metric_type: gauge - description: | - The soft limit on the number of file descriptors opened by the process. The soft limit can be changed by the process at any time. - - name: limit.hard - type: long - metric_type: gauge - description: | - The hard limit on the number of file descriptors opened by the process. The hard limit can only be raised by root. - - name: cgroup - type: group - fields: - - name: id - type: keyword - description: | - The ID common to all cgroups associated with this task. If there isn't a common ID used by all cgroups this field will be absent. - - name: path - type: keyword - description: | - The path to the cgroup relative to the cgroup subsystem's mountpoint. If there isn't a common path used by all cgroups this field will be absent. - - name: cpu - type: group - fields: - - name: id - type: keyword - description: ID of the cgroup. - - name: path - type: keyword - description: | - Path to the cgroup relative to the cgroup subsystem's mountpoint. 
- - name: cfs.period.us - type: long - unit: micros - description: | - Period of time in microseconds for how regularly a cgroup's access to CPU resources should be reallocated. - - name: cfs.quota.us - type: long - unit: micros - description: | - Total amount of time in microseconds for which all tasks in a cgroup can run during one period (as defined by cfs.period.us). - - name: cfs.shares - type: long - description: | - An integer value that specifies a relative share of CPU time available to the tasks in a cgroup. The value specified in the cpu.shares file must be 2 or higher. - - name: rt.period.us - type: long - unit: micros - description: | - Period of time in microseconds for how regularly a cgroup's access to CPU resources is reallocated. - - name: rt.runtime.us - type: long - unit: micros - description: | - Period of time in microseconds for the longest continuous period in which the tasks in a cgroup have access to CPU resources. - - name: stats.periods - type: long - metric_type: counter - description: | - Number of period intervals (as specified in cpu.cfs.period.us) that have elapsed. - - name: stats.throttled.periods - type: long - metric_type: counter - description: | - Number of times tasks in a cgroup have been throttled (that is, not allowed to run because they have exhausted all of the available time as specified by their quota). - - name: stats.throttled.ns - type: long - metric_type: counter - unit: nanos - description: | - The total time duration (in nanoseconds) for which tasks in a cgroup have been throttled. - - name: cpuacct - type: group - fields: - - name: id - type: keyword - description: ID of the cgroup. - - name: path - type: keyword - description: | - Path to the cgroup relative to the cgroup subsystem's mountpoint. - - name: total.ns - type: long - metric_type: counter - unit: nanos - description: | - Total CPU time in nanoseconds consumed by all tasks in the cgroup. 
- - name: stats.user.ns - type: long - metric_type: counter - unit: nanos - description: CPU time consumed by tasks in user mode. - - name: stats.system.ns - type: long - metric_type: counter - unit: nanos - description: CPU time consumed by tasks in user (kernel) mode. - - name: percpu - type: object - description: | - CPU time (in nanoseconds) consumed on each CPU by all tasks in this cgroup. - - name: memory - type: group - fields: - - name: id - type: keyword - description: ID of the cgroup. - - name: path - type: keyword - description: | - Path to the cgroup relative to the cgroup subsystem's mountpoint. - - name: mem.usage.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total memory usage by processes in the cgroup (in bytes). - - name: mem.usage.max.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum memory used by processes in the cgroup (in bytes). - - name: mem.limit.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum amount of user memory in bytes (including file cache) that tasks in the cgroup are allowed to use. - - name: mem.failures - type: long - description: | - The number of times that the memory limit (mem.limit.bytes) was reached. - - name: memsw.usage.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The sum of current memory usage plus swap space used by processes in the cgroup (in bytes). - - name: memsw.usage.max.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum amount of memory and swap space used by processes in the cgroup (in bytes). - - name: memsw.limit.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum amount for the sum of memory and swap usage that tasks in the cgroup are allowed to use. 
- - name: memsw.failures - type: long - unit: byte - metric_type: gauge - description: | - The number of times that the memory plus swap space limit (memsw.limit.bytes) was reached. - - name: kmem.usage.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total kernel memory usage by processes in the cgroup (in bytes). - - name: kmem.usage.max.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum kernel memory used by processes in the cgroup (in bytes). - - name: kmem.limit.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum amount of kernel memory that tasks in the cgroup are allowed to use. - - name: kmem.failures - type: long - metric_type: counter - description: | - The number of times that the memory limit (kmem.limit.bytes) was reached. - - name: kmem_tcp.usage.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total memory usage for TCP buffers in bytes. - - name: kmem_tcp.usage.max.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum memory used for TCP buffers by processes in the cgroup (in bytes). - - name: kmem_tcp.limit.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum amount of memory for TCP buffers that tasks in the cgroup are allowed to use. - - name: kmem_tcp.failures - type: long - metric_type: counter - description: | - The number of times that the memory limit (kmem_tcp.limit.bytes) was reached. - - name: stats.active_anon.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Anonymous and swap cache on active least-recently-used (LRU) list, including tmpfs (shmem), in bytes. - - name: stats.active_file.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: File-backed memory on active LRU list, in bytes. 
- - name: stats.cache.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: Page cache, including tmpfs (shmem), in bytes. - - name: stats.hierarchical_memory_limit.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Memory limit for the hierarchy that contains the memory cgroup, in bytes. - - name: stats.hierarchical_memsw_limit.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Memory plus swap limit for the hierarchy that contains the memory cgroup, in bytes. - - name: stats.inactive_anon.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Anonymous and swap cache on inactive LRU list, including tmpfs (shmem), in bytes - - name: stats.inactive_file.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - File-backed memory on inactive LRU list, in bytes. - - name: stats.mapped_file.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Size of memory-mapped mapped files, including tmpfs (shmem), in bytes. - - name: stats.page_faults - type: long - metric_type: counter - description: | - Number of times that a process in the cgroup triggered a page fault. - - name: stats.major_page_faults - type: long - metric_type: counter - description: | - Number of times that a process in the cgroup triggered a major fault. "Major" faults happen when the kernel actually has to read the data from disk. - - name: stats.pages_in - type: long - metric_type: counter - description: | - Number of pages paged into memory. This is a counter. - - name: stats.pages_out - type: long - metric_type: counter - description: | - Number of pages paged out of memory. This is a counter. - - name: stats.rss.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Anonymous and swap cache (includes transparent hugepages), not including tmpfs (shmem), in bytes. 
- - name: stats.rss_huge.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Number of bytes of anonymous transparent hugepages. - - name: stats.swap.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Swap usage, in bytes. - - name: stats.unevictable.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Memory that cannot be reclaimed, in bytes. - - name: blkio - type: group - fields: - - name: id - type: keyword - description: ID of the cgroup. - - name: path - type: keyword - description: | - Path to the cgroup relative to the cgroup subsystems mountpoint. - - name: total.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total number of bytes transferred to and from all block devices by processes in the cgroup. - - name: total.ios - type: long - metric_type: counter - description: | - Total number of I/O operations performed on all devices by processes in the cgroup as seen by the throttling policy. diff --git a/packages/system/0.10.6/data_stream/process/manifest.yml b/packages/system/0.10.6/data_stream/process/manifest.yml deleted file mode 100644 index fd982eb931..0000000000 --- a/packages/system/0.10.6/data_stream/process/manifest.yml +++ /dev/null 
@@ -1,85 +0,0 @@ -title: System process metrics -release: experimental -type: metrics -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - - name: process.include_top_n.by_cpu - type: integer - title: Process Include Top N By Cpu - multi: false - required: true - show_user: true - default: 5 - description: > - Include the top N processes by CPU usage. - - - name: process.include_top_n.by_memory - type: integer - title: Process Include Top N By Memory - multi: false - required: true - show_user: true - default: 5 - description: > - Include the top N processes by memory usage. - - - name: process.cmdline.cache.enabled - type: bool - title: Enable cmdline cache - multi: false - required: false - show_user: true - default: true - description: > - If false, cmdline of a process is not cached. - - - name: process.cgroups.enabled - type: bool - title: Enable cgroup reporting - multi: false - required: false - show_user: true - default: false - description: > - Enable collection of cgroup metrics from processes on Linux. - - - name: process.env.whitelist - type: text - title: Env whitelist - multi: true - required: false - show_user: true - description: > - A list of regular expressions used to whitelist environment variables reported with the process metricset's events. Defaults to empty. - - - name: process.include_cpu_ticks - type: bool - title: Include CPU Ticks - multi: false - required: false - show_user: true - default: false - description: > - Include the cumulative CPU tick values with the process metrics. - - - name: processes - type: text - title: Processes - multi: true - required: true - show_user: true - description: > - A glob to match reported processes. By default all processes are reported. - - default: - - .* - title: System process metrics - description: Collect System process metrics 
diff --git a/packages/system/0.10.6/data_stream/process_summary/agent/stream/stream.yml.hbs b/packages/system/0.10.6/data_stream/process_summary/agent/stream/stream.yml.hbs deleted file mode 100644 index 9c7cfe4dc8..0000000000 --- a/packages/system/0.10.6/data_stream/process_summary/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,2 +0,0 @@ -metricsets: ["process_summary"] -period: {{period}} \ No newline at end of file diff --git a/packages/system/0.10.6/data_stream/process_summary/fields/agent.yml b/packages/system/0.10.6/data_stream/process_summary/fields/agent.yml deleted file mode 100644 index da4e652c53..0000000000 --- a/packages/system/0.10.6/data_stream/process_summary/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.10.6/data_stream/process_summary/fields/base-fields.yml b/packages/system/0.10.6/data_stream/process_summary/fields/base-fields.yml deleted file mode 100644 index 7c798f4534..0000000000 --- a/packages/system/0.10.6/data_stream/process_summary/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.10.6/data_stream/process_summary/fields/ecs.yml b/packages/system/0.10.6/data_stream/process_summary/fields/ecs.yml deleted file mode 100644 index 9f3d04118b..0000000000 --- a/packages/system/0.10.6/data_stream/process_summary/fields/ecs.yml +++ /dev/null 
@@ -1,128 +0,0 @@
-- name: '@timestamp'
- level: core
- required: true
- type: date
- description: |-
- Date/time when the event originated.
- This is the date/time extracted from the event, typically representing when the event was generated by the source.
- If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline.
- Required field for all events.
-- name: message
- level: core
- type: text
- description: |-
- For log events the message field contains the log message, optimized for viewing in a log viewer.
- For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
- If multiple messages exist, they can be combined into one message.
-- name: group
- title: Group
- group: 2
- type: group
- fields:
- - name: id
- level: extended
- type: keyword
- description: Unique identifier for the group on the system/platform.
- ignore_above: 1024
- - name: name
- level: extended
- type: keyword
- description: Name of the group.
- ignore_above: 1024
-- name: host
- title: Host
- group: 2
- type: group
- fields:
- - name: hostname
- level: core
- type: keyword
- description: |-
- Hostname of the host.
- It normally contains what the `hostname` command returns on the host machine.
- ignore_above: 1024
-- name: process
- title: Process
- group: 2
- type: group
- fields:
- - name: name
- level: extended
- type: keyword
- description: |-
- Process name.
- Sometimes called program name or similar.
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- - name: pid
- level: core
- type: long
- format: string
- description: Process id.
-- name: source
- title: Source
- group: 2
- type: group
- fields:
- - name: geo.city_name
- level: core
- type: keyword
- description: City name.
- ignore_above: 1024
- - name: geo.continent_name
- level: core
- type: keyword
- description: Name of the continent.
- ignore_above: 1024
- - name: geo.country_iso_code
- level: core
- type: keyword
- description: Country ISO code.
- ignore_above: 1024
- - name: geo.location
- level: core
- type: geo_point
- description: Longitude and latitude.
- - name: geo.region_iso_code
- level: core
- type: keyword
- description: Region ISO code.
- ignore_above: 1024
- - name: geo.region_name
- level: core
- type: keyword
- description: Region name.
- ignore_above: 1024
- - name: ip
- level: core
- type: ip
- description: IP address of the source (IPv4 or IPv6).
- - name: port
- level: core
- type: long
- format: string
- description: Port of the source.
-- name: user
- title: User
- group: 2
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- description: Unique identifier of the user.
- ignore_above: 1024
- - name: name
- level: core
- type: keyword
- description: Short name or login of the user.
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
diff --git a/packages/system/0.10.6/data_stream/process_summary/fields/fields.yml b/packages/system/0.10.6/data_stream/process_summary/fields/fields.yml
deleted file mode 100644
index bc9254a2ae..0000000000
--- a/packages/system/0.10.6/data_stream/process_summary/fields/fields.yml
+++ /dev/null
@@ -1,44 +0,0 @@
-- name: system.process.summary
- title: Process Summary
- type: group
- fields:
- - name: total
- type: long
- metric_type: gauge
- description: |
- Total number of processes on this host.
- - name: running
- type: long
- metric_type: gauge
- description: |
- Number of running processes on this host.
- - name: idle
- type: long
- metric_type: gauge
- description: |
- Number of idle processes on this host.
- - name: sleeping
- type: long
- metric_type: gauge
- description: |
- Number of sleeping processes on this host.
- - name: stopped
- type: long
- metric_type: gauge
- description: |
- Number of stopped processes on this host.
- - name: zombie
- type: long
- metric_type: gauge
- description: |
- Number of zombie processes on this host.
- - name: dead
- type: long
- metric_type: gauge
- description: |
- Number of dead processes on this host. It's very unlikely that it will appear but in some special situations it may happen.
- - name: unknown
- type: long
- metric_type: gauge
- description: |
- Number of processes for which the state couldn't be retrieved or is unknown.
diff --git a/packages/system/0.10.6/data_stream/process_summary/manifest.yml b/packages/system/0.10.6/data_stream/process_summary/manifest.yml
deleted file mode 100644
index cd89d30b94..0000000000
--- a/packages/system/0.10.6/data_stream/process_summary/manifest.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-title: System process_summary metrics
-release: experimental
-type: metrics
-streams:
- - input: system/metrics
- vars:
- - name: period
- type: text
- title: Period
- multi: false
- required: true
- show_user: true
- default: 10s
- title: System process_summary metrics
- description: Collect System process_summary metrics
diff --git a/packages/system/0.10.6/data_stream/security/agent/stream/winlog.yml.hbs b/packages/system/0.10.6/data_stream/security/agent/stream/winlog.yml.hbs
deleted file mode 100644
index ea60e77baf..0000000000
--- a/packages/system/0.10.6/data_stream/security/agent/stream/winlog.yml.hbs
+++ /dev/null
@@ -1,2053 +0,0 @@
-name: Security
-condition: ${host.platform} == 'windows'
-processors:
- - add_fields:
- target: ''
- fields:
- ecs.version: 1.6.0
- - script:
- lang: javascript
- id: security
- source: |-
- // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- // or more contributor license agreements. Licensed under the Elastic License;
- // you may not use this file except in compliance with the Elastic License.
- var security = (function () {
- var path = require("path");
- var processor = require("processor");
- var windows = require("windows");
- // Logon Types
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events
- var logonTypes = {
- "2": "Interactive",
- "3": "Network",
- "4": "Batch",
- "5": "Service",
- "7": "Unlock",
- "8": "NetworkCleartext",
- "9": "NewCredentials",
- "10": "RemoteInteractive",
- "11": "CachedInteractive",
- };
- // User Account Control Attributes Table
- // https://support.microsoft.com/es-us/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties
- var uacFlags = [
- [0x0001, 'SCRIPT'],
- [0x0002, 'ACCOUNTDISABLE'],
- [0x0008, 'HOMEDIR_REQUIRED'],
- [0x0010, 'LOCKOUT'],
- [0x0020, 'PASSWD_NOTREQD'],
- [0x0040, 'PASSWD_CANT_CHANGE'],
- [0x0080, 'ENCRYPTED_TEXT_PWD_ALLOWED'],
- [0x0100, 'TEMP_DUPLICATE_ACCOUNT'],
- [0x0200, 'NORMAL_ACCOUNT'],
- [0x0800, 'INTERDOMAIN_TRUST_ACCOUNT'],
- [0x1000, 'WORKSTATION_TRUST_ACCOUNT'],
- [0x2000, 'SERVER_TRUST_ACCOUNT'],
- [0x10000, 'DONT_EXPIRE_PASSWORD'],
- [0x20000, 'MNS_LOGON_ACCOUNT'],
- [0x40000, 'SMARTCARD_REQUIRED'],
- [0x80000, 'TRUSTED_FOR_DELEGATION'],
- [0x100000, 'NOT_DELEGATED'],
- [0x200000, 'USE_DES_KEY_ONLY'],
- [0x400000, 'DONT_REQ_PREAUTH'],
- [0x800000, 'PASSWORD_EXPIRED'],
- [0x1000000, 'TRUSTED_TO_AUTH_FOR_DELEGATION'],
- [0x04000000, 'PARTIAL_SECRETS_ACCOUNT'],
- ];
- // Kerberos TGT and TGS Ticket Options
- // 
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769
- var ticketOptions = [
- "Reserved",
- "Forwardable",
- "Forwarded",
- "Proxiable",
- "Proxy",
- "Allow-postdate",
- "Postdated",
- "Invalid",
- "Renewable",
- "Initial",
- "Pre-authent",
- "Opt-hardware-auth",
- "Transited-policy-checked",
- "Ok-as-delegate",
- "Request-anonymous",
- "Name-canonicalize",
- "Unused",
- "Unused",
- "Unused",
- "Unused",
- "Unused",
- "Unused",
- "Unused",
- "Unused",
- "Unused",
- "Unused",
- "Disable-transited-check",
- "Renewable-ok",
- "Enc-tkt-in-skey",
- "Unused",
- "Renew",
- "Validate"];
- // Kerberos Encryption Types
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
- var ticketEncryptionTypes = {
- "0x1": "DES-CBC-CRC",
- "0x3": "DES-CBC-MD5",
- "0x11": "AES128-CTS-HMAC-SHA1-96",
- "0x12": "AES256-CTS-HMAC-SHA1-96",
- "0x17": "RC4-HMAC",
- "0x18": "RC4-HMAC-EXP",
- "0xffffffff": "FAIL",
- };
- // Kerberos Result Status Codes
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
- var kerberosTktStatusCodes = {
- "0x0": "KDC_ERR_NONE",
- "0x1": "KDC_ERR_NAME_EXP",
- "0x2": "KDC_ERR_SERVICE_EXP",
- "0x3": "KDC_ERR_BAD_PVNO",
- "0x4": "KDC_ERR_C_OLD_MAST_KVNO",
- "0x5": "KDC_ERR_S_OLD_MAST_KVNO",
- "0x6": "KDC_ERR_C_PRINCIPAL_UNKNOWN",
- "0x7": "KDC_ERR_S_PRINCIPAL_UNKNOWN",
- "0x8": "KDC_ERR_PRINCIPAL_NOT_UNIQUE",
- "0x9": "KDC_ERR_NULL_KEY",
- "0xA": "KDC_ERR_CANNOT_POSTDATE",
- "0xB": "KDC_ERR_NEVER_VALID",
- "0xC": "KDC_ERR_POLICY",
- "0xD": "KDC_ERR_BADOPTION",
- "0xE": "KDC_ERR_ETYPE_NOTSUPP",
- "0xF": "KDC_ERR_SUMTYPE_NOSUPP",
- "0x10": "KDC_ERR_PADATA_TYPE_NOSUPP",
- "0x11": 
"KDC_ERR_TRTYPE_NO_SUPP",
- "0x12": "KDC_ERR_CLIENT_REVOKED",
- "0x13": "KDC_ERR_SERVICE_REVOKED",
- "0x14": "KDC_ERR_TGT_REVOKED",
- "0x15": "KDC_ERR_CLIENT_NOTYET",
- "0x16": "KDC_ERR_SERVICE_NOTYET",
- "0x17": "KDC_ERR_KEY_EXPIRED",
- "0x18": "KDC_ERR_PREAUTH_FAILED",
- "0x19": "KDC_ERR_PREAUTH_REQUIRED",
- "0x1A": "KDC_ERR_SERVER_NOMATCH",
- "0x1B": "KDC_ERR_MUST_USE_USER2USER",
- "0x1F": "KRB_AP_ERR_BAD_INTEGRITY",
- "0x20": "KRB_AP_ERR_TKT_EXPIRED",
- "0x21": "KRB_AP_ERR_TKT_NYV",
- "0x22": "KRB_AP_ERR_REPEAT",
- "0x23": "KRB_AP_ERR_NOT_US",
- "0x24": "KRB_AP_ERR_BADMATCH",
- "0x25": "KRB_AP_ERR_SKEW",
- "0x26": "KRB_AP_ERR_BADADDR",
- "0x27": "KRB_AP_ERR_BADVERSION",
- "0x28": "KRB_AP_ERR_MSG_TYPE",
- "0x29": "KRB_AP_ERR_MODIFIED",
- "0x2A": "KRB_AP_ERR_BADORDER",
- "0x2C": "KRB_AP_ERR_BADKEYVER",
- "0x2D": "KRB_AP_ERR_NOKEY",
- "0x2E": "KRB_AP_ERR_MUT_FAIL",
- "0x2F": "KRB_AP_ERR_BADDIRECTION",
- "0x30": "KRB_AP_ERR_METHOD",
- "0x31": "KRB_AP_ERR_BADSEQ",
- "0x32": "KRB_AP_ERR_INAPP_CKSUM",
- "0x33": "KRB_AP_PATH_NOT_ACCEPTED",
- "0x34": "KRB_ERR_RESPONSE_TOO_BIG",
- "0x3C": "KRB_ERR_GENERIC",
- "0x3D": "KRB_ERR_FIELD_TOOLONG",
- "0x3E": "KDC_ERR_CLIENT_NOT_TRUSTED",
- "0x3F": "KDC_ERR_KDC_NOT_TRUSTED",
- "0x40": "KDC_ERR_INVALID_SIG",
- "0x41": "KDC_ERR_KEY_TOO_WEAK",
- "0x42": "KRB_AP_ERR_USER_TO_USER_REQUIRED",
- "0x43": "KRB_AP_ERR_NO_TGT",
- "0x44": "KDC_ERR_WRONG_REALM",
- };
- // event.category, event.type, event.action
- var eventActionTypes = {
- "1100": ["process","end","logging-service-shutdown"],
- "1102": ["iam", "admin", "audit-log-cleared"],
- "1104": ["iam","admin","logging-full"],
- "1105": ["iam","admin","auditlog-archieved"],
- "1108": ["iam","admin","logging-processing-error"],
- "4624": ["authentication","start","logged-in"],
- "4625": ["authentication","start","logon-failed"],
- "4634": ["authentication","end","logged-out"],
- "4647": ["authentication","end","logged-out"],
- "4648": ["authentication","start","logged-in-explicit"],
- 
"4672": ["iam","admin","logged-in-special"],
- "4673": ["iam","admin","privileged-service-called"],
- "4674": ["iam","admin","privileged-operation"],
- "4688": ["process","start","created-process"],
- "4689": ["process", "end", "exited-process"],
- "4697": ["iam","admin","service-installed"],
- "4698": ["iam","creation","scheduled-task-created"],
- "4699": ["iam","deletion","scheduled-task-deleted"],
- "4700": ["iam","change","scheduled-task-enabled"],
- "4701": ["iam","change","scheduled-task-disabled"],
- "4702": ["iam","change","scheduled-task-updated"],
- "4719": ["iam","admin","changed-audit-config"],
- "4720": ["iam","creation","added-user-account"],
- "4722": ["iam","creation","enabled-user-account"],
- "4723": ["iam","change","changed-password"],
- "4724": ["iam","change","reset-password"],
- "4725": ["iam","deletion","disabled-user-account"],
- "4726": ["iam","deletion","deleted-user-account"],
- "4727": ["iam","creation","added-group-account"],
- "4728": ["iam","change","added-member-to-group"],
- "4729": ["iam","change","removed-member-from-group"],
- "4730": ["iam","deletion","deleted-group-account"],
- "4731": ["iam","creation","added-group-account"],
- "4732": ["iam","change","added-member-to-group"],
- "4733": ["iam","change","removed-member-from-group"],
- "4734": ["iam","deletion","deleted-group-account"],
- "4735": ["iam","change","modified-group-account"],
- "4737": ["iam","change","modified-group-account"],
- "4738": ["iam","change","modified-user-account"],
- "4740": ["iam","change","locked-out-user-account"],
- "4741": ["iam","creation","added-computer-account"],
- "4742": ["iam","change","changed-computer-account"],
- "4743": ["iam","deletion","deleted-computer-account"],
- "4744": ["iam","creation","added-distribution-group-account"],
- "4745": ["iam","change","changed-distribution-group-account"],
- "4746": ["iam","change","added-member-to-distribution-group"],
- "4747": ["iam","change","removed-member-from-distribution-group"],
- "4748": 
["iam","deletion","deleted-distribution-group-account"],
- "4749": ["iam","creation","added-distribution-group-account"],
- "4750": ["iam","change","changed-distribution-group-account"],
- "4751": ["iam","change","added-member-to-distribution-group"],
- "4752": ["iam","change","removed-member-from-distribution-group"],
- "4753": ["iam","deletion","deleted-distribution-group-account"],
- "4754": ["iam","creation","added-group-account"],
- "4755": ["iam","change","modified-group-account"],
- "4756": ["iam","change","added-member-to-group"],
- "4757": ["iam","change","removed-member-from-group"],
- "4758": ["iam","deletion","deleted-group-account"],
- "4759": ["iam","creation","added-distribution-group-account"],
- "4760": ["iam","change","changed-distribution-group-account"],
- "4761": ["iam","change","added-member-to-distribution-group"],
- "4762": ["iam","change","removed-member-from-distribution-group"],
- "4763": ["iam","deletion","deleted-distribution-group-account"],
- "4764": ["iam","change","type-changed-group-account"],
- "4767": ["iam","change","unlocked-user-account"],
- "4768": ["authentication","start","kerberos-authentication-ticket-requested"],
- "4769": ["authentication","start","kerberos-service-ticket-requested"],
- "4770": ["authentication","start","kerberos-service-ticket-renewed"],
- "4771": ["authentication","start","kerberos-preauth-failed"],
- "4776": ["authentication","start","credential-validated"],
- "4778": ["authentication","start","session-reconnected"],
- "4779": ["authentication","end","session-disconnected"],
- "4781": ["iam","change","renamed-user-account","dummy"],
- "4798": ["iam","info","group-membership-enumerated"],
- "4799": ["iam","info","user-member-enumerated","dummy"],
- "4964": ["iam","admin","logged-in-special"],
- };
- // Audit Policy Changes Table
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4719
- var auditActions = {
- "8448": "Success Removed",
- "8450": "Failure Removed",
- 
"8449": "Success Added",
- "8451": "Failure Added",
- };
- // Services Types
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697
- var serviceTypes = {
- "0x1": "Kernel Driver",
- "0x2": "File System Driver",
- "0x8": "Recognizer Driver",
- "0x10": "Win32 Own Process",
- "0x20": "Win32 Share Process",
- "0x110": "Interactive Own Process",
- "0x120": "Interactive Share Process",
- };
- // Audit Categories Description
- // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpac/77878370-0712-47cd-997d-b07053429f6d
- var auditDescription = {
- "0CCE9210-69AE-11D9-BED3-505054503030":["Security State Change", "System"],
- "0CCE9211-69AE-11D9-BED3-505054503030":["Security System Extension", "System"],
- "0CCE9212-69AE-11D9-BED3-505054503030":["System Integrity", "System"],
- "0CCE9213-69AE-11D9-BED3-505054503030":["IPsec Driver", "System"],
- "0CCE9214-69AE-11D9-BED3-505054503030":["Other System Events", "System"],
- "0CCE9215-69AE-11D9-BED3-505054503030":["Logon", "Logon/Logoff"],
- "0CCE9216-69AE-11D9-BED3-505054503030":["Logoff","Logon/Logoff"],
- "0CCE9217-69AE-11D9-BED3-505054503030":["Account Lockout","Logon/Logoff"],
- "0CCE9218-69AE-11D9-BED3-505054503030":["IPsec Main Mode","Logon/Logoff"],
- "0CCE9219-69AE-11D9-BED3-505054503030":["IPsec Quick Mode","Logon/Logoff"],
- "0CCE921A-69AE-11D9-BED3-505054503030":["IPsec Extended Mode","Logon/Logoff"],
- "0CCE921B-69AE-11D9-BED3-505054503030":["Special Logon","Logon/Logoff"],
- "0CCE921C-69AE-11D9-BED3-505054503030":["Other Logon/Logoff Events","Logon/Logoff"],
- "0CCE9243-69AE-11D9-BED3-505054503030":["Network Policy Server","Logon/Logoff"],
- "0CCE9247-69AE-11D9-BED3-505054503030":["User / Device Claims","Logon/Logoff"],
- "0CCE921D-69AE-11D9-BED3-505054503030":["File System","Object Access"],
- "0CCE921E-69AE-11D9-BED3-505054503030":["Registry","Object Access"],
- "0CCE921F-69AE-11D9-BED3-505054503030":["Kernel Object","Object Access"],
- 
"0CCE9220-69AE-11D9-BED3-505054503030":["SAM","Object Access"],
- "0CCE9221-69AE-11D9-BED3-505054503030":["Certification Services","Object Access"],
- "0CCE9222-69AE-11D9-BED3-505054503030":["Application Generated","Object Access"],
- "0CCE9223-69AE-11D9-BED3-505054503030":["Handle Manipulation","Object Access"],
- "0CCE9224-69AE-11D9-BED3-505054503030":["File Share","Object Access"],
- "0CCE9225-69AE-11D9-BED3-505054503030":["Filtering Platform Packet Drop","Object Access"],
- "0CCE9226-69AE-11D9-BED3-505054503030":["Filtering Platform Connection ","Object Access"],
- "0CCE9227-69AE-11D9-BED3-505054503030":["Other Object Access Events","Object Access"],
- "0CCE9244-69AE-11D9-BED3-505054503030":["Detailed File Share","Object Access"],
- "0CCE9245-69AE-11D9-BED3-505054503030":["Removable Storage","Object Access"],
- "0CCE9246-69AE-11D9-BED3-505054503030":["Central Policy Staging","Object Access"],
- "0CCE9228-69AE-11D9-BED3-505054503030":["Sensitive Privilege Use","Privilege Use"],
- "0CCE9229-69AE-11D9-BED3-505054503030":["Non Sensitive Privilege Use","Privilege Use"],
- "0CCE922A-69AE-11D9-BED3-505054503030":["Other Privilege Use Events","Privilege Use"],
- "0CCE922B-69AE-11D9-BED3-505054503030":["Process Creation","Detailed Tracking"],
- "0CCE922C-69AE-11D9-BED3-505054503030":["Process Termination","Detailed Tracking"],
- "0CCE922D-69AE-11D9-BED3-505054503030":["DPAPI Activity","Detailed Tracking"],
- "0CCE922E-69AE-11D9-BED3-505054503030":["RPC Events","Detailed Tracking"],
- "0CCE9248-69AE-11D9-BED3-505054503030":["Plug and Play Events","Detailed Tracking"],
- "0CCE922F-69AE-11D9-BED3-505054503030":["Audit Policy Change","Policy Change"],
- "0CCE9230-69AE-11D9-BED3-505054503030":["Authentication Policy Change","Policy Change"],
- "0CCE9231-69AE-11D9-BED3-505054503030":["Authorization Policy Change","Policy Change"],
- "0CCE9232-69AE-11D9-BED3-505054503030":["MPSSVC Rule-Level Policy Change","Policy Change"],
- "0CCE9233-69AE-11D9-BED3-505054503030":["Filtering 
Platform Policy Change","Policy Change"],
- "0CCE9234-69AE-11D9-BED3-505054503030":["Other Policy Change Events","Policy Change"],
- "0CCE9235-69AE-11D9-BED3-505054503030":["User Account Management","Account Management"],
- "0CCE9236-69AE-11D9-BED3-505054503030":["Computer Account Management","Account Management"],
- "0CCE9237-69AE-11D9-BED3-505054503030":["Security Group Management","Account Management"],
- "0CCE9238-69AE-11D9-BED3-505054503030":["Distribution Group Management","Account Management"],
- "0CCE9239-69AE-11D9-BED3-505054503030":["Application Group Management","Account Management"],
- "0CCE923A-69AE-11D9-BED3-505054503030":["Other Account Management Events","Account Management"],
- "0CCE923B-69AE-11D9-BED3-505054503030":["Directory Service Access","Account Management"],
- "0CCE923C-69AE-11D9-BED3-505054503030":["Directory Service Changes","Account Management"],
- "0CCE923D-69AE-11D9-BED3-505054503030":["Directory Service Replication","Account Management"],
- "0CCE923E-69AE-11D9-BED3-505054503030":["Detailed Directory Service Replication","Account Management"],
- "0CCE923F-69AE-11D9-BED3-505054503030":["Credential Validation","Account Logon"],
- "0CCE9240-69AE-11D9-BED3-505054503030":["Kerberos Service Ticket Operations","Account Logon"],
- "0CCE9241-69AE-11D9-BED3-505054503030":["Other Account Logon Events","Account Logon"],
- "0CCE9242-69AE-11D9-BED3-505054503030":["Kerberos Authentication Service","Account Logon"],
- };
- // Descriptions of failure status codes. 
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776
- var logonFailureStatus = {
- "0xc000005e": "There are currently no logon servers available to service the logon request.",
- "0xc0000064": "User logon with misspelled or bad user account",
- "0xc000006a": "User logon with misspelled or bad password",
- "0xc000006d": "This is either due to a bad username or authentication information",
- "0xc000006e": "Unknown user name or bad password.",
- "0xc000006f": "User logon outside authorized hours",
- "0xc0000070": "User logon from unauthorized workstation",
- "0xc0000071": "User logon with expired password",
- "0xc0000072": "User logon to account disabled by administrator",
- "0xc00000dc": "Indicates the Sam Server was in the wrong state to perform the desired operation.",
- "0xc0000133": "Clocks between DC and other computer too far out of sync",
- "0xc000015b": "The user has not been granted the requested logon type (aka logon right) at this machine",
- "0xc000018c": "The logon request failed because the trust relationship between the primary domain and the trusted domain failed.",
- "0xc0000192": "An attempt was made to logon, but the Netlogon service was not started.",
- "0xc0000193": "User logon with expired account",
- "0xc0000224": "User is required to change password at next logon",
- "0xc0000225": "Evidently a bug in Windows and not a risk",
- "0xc0000234": "User logon with account locked",
- "0xc00002ee": "Failure Reason: An Error occurred during Logon",
- "0xc0000413": "Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine.",
- "0xc0000371": "The local account store does not contain secret material for the specified account",
- "0x0": "Status OK.",
- };
- // Message table extracted from msobjs.dll on Windows 2019. 
- // https://gist.github.com/andrewkroh/665dca0682bd0e4daf194ab291694012
- var msobjsMessageTable = {
- "279": "Undefined Access (no effect) Bit 7",
- "1536": "Unused message ID",
- "1537": "DELETE",
- "1538": "READ_CONTROL",
- "1539": "WRITE_DAC",
- "1540": "WRITE_OWNER",
- "1541": "SYNCHRONIZE",
- "1542": "ACCESS_SYS_SEC",
- "1543": "MAX_ALLOWED",
- "1552": "Unknown specific access (bit 0)",
- "1553": "Unknown specific access (bit 1)",
- "1554": "Unknown specific access (bit 2)",
- "1555": "Unknown specific access (bit 3)",
- "1556": "Unknown specific access (bit 4)",
- "1557": "Unknown specific access (bit 5)",
- "1558": "Unknown specific access (bit 6)",
- "1559": "Unknown specific access (bit 7)",
- "1560": "Unknown specific access (bit 8)",
- "1561": "Unknown specific access (bit 9)",
- "1562": "Unknown specific access (bit 10)",
- "1563": "Unknown specific access (bit 11)",
- "1564": "Unknown specific access (bit 12)",
- "1565": "Unknown specific access (bit 13)",
- "1566": "Unknown specific access (bit 14)",
- "1567": "Unknown specific access (bit 15)",
- "1601": "Not used",
- "1603": "Assign Primary Token Privilege",
- "1604": "Lock Memory Privilege",
- "1605": "Increase Memory Quota Privilege",
- "1606": "Unsolicited Input Privilege",
- "1607": "Trusted Computer Base Privilege",
- "1608": "Security Privilege",
- "1609": "Take Ownership Privilege",
- "1610": "Load/Unload Driver Privilege",
- "1611": "Profile System Privilege",
- "1612": "Set System Time Privilege",
- "1613": "Profile Single Process Privilege",
- "1614": "Increment Base Priority Privilege",
- "1615": "Create Pagefile Privilege",
- "1616": "Create Permanent Object Privilege",
- "1617": "Backup Privilege",
- "1618": "Restore From Backup Privilege",
- "1619": "Shutdown System Privilege",
- "1620": "Debug Privilege",
- "1621": "View or Change Audit Log Privilege",
- "1622": "Change Hardware Environment Privilege",
- "1623": "Change Notify (and Traverse) Privilege",
- "1624": "Remotely Shut 
System Down Privilege",
- "1792": "",
- "1794": "",
- "1795": "Enabled",
- "1796": "Disabled",
- "1797": "All",
- "1798": "None",
- "1799": "Audit Policy query/set API Operation",
- "1800": "",
- "1801": "Granted by",
- "1802": "Denied by",
- "1803": "Denied by Integrity Policy check",
- "1804": "Granted by Ownership",
- "1805": "Not granted",
- "1806": "Granted by NULL DACL",
- "1807": "Denied by Empty DACL",
- "1808": "Granted by NULL Security Descriptor",
- "1809": "Unknown or unchecked",
- "1810": "Not granted due to missing",
- "1811": "Granted by ACE on parent folder",
- "1812": "Denied by ACE on parent folder",
- "1813": "Granted by Central Access Rule",
- "1814": "NOT Granted by Central Access Rule",
- "1815": "Granted by parent folder's Central Access Rule",
- "1816": "NOT Granted by parent folder's Central Access Rule",
- "1817": "Unknown Type",
- "1818": "String",
- "1819": "Unsigned 64-bit Integer",
- "1820": "64-bit Integer",
- "1821": "FQBN",
- "1822": "Blob",
- "1823": "Sid",
- "1824": "Boolean",
- "1825": "TRUE",
- "1826": "FALSE",
- "1827": "Invalid",
- "1828": "an ACE too long to display",
- "1829": "a Security Descriptor too long to display",
- "1830": "Not granted to AppContainers",
- "1831": "...",
- "1832": "Identification",
- "1833": "Impersonation",
- "1840": "Delegation",
- "1841": "Denied by Process Trust Label ACE",
- "1842": "Yes",
- "1843": "No",
- "1844": "System",
- "1845": "Not Available",
- "1846": "Default",
- "1847": "DisallowMmConfig",
- "1848": "Off",
- "1849": "Auto",
- "1872": "REG_NONE",
- "1873": "REG_SZ",
- "1874": "REG_EXPAND_SZ",
- "1875": "REG_BINARY",
- "1876": "REG_DWORD",
- "1877": "REG_DWORD_BIG_ENDIAN",
- "1878": "REG_LINK",
- "1879": "REG_MULTI_SZ (New lines are replaced with *. 
A * is replaced with **)",
- "1880": "REG_RESOURCE_LIST",
- "1881": "REG_FULL_RESOURCE_DESCRIPTOR",
- "1882": "REG_RESOURCE_REQUIREMENTS_LIST",
- "1883": "REG_QWORD",
- "1904": "New registry value created",
- "1905": "Existing registry value modified",
- "1906": "Registry value deleted",
- "1920": "Sunday",
- "1921": "Monday",
- "1922": "Tuesday",
- "1923": "Wednesday",
- "1924": "Thursday",
- "1925": "Friday",
- "1926": "Saturday",
- "1936": "TokenElevationTypeDefault (1)",
- "1937": "TokenElevationTypeFull (2)",
- "1938": "TokenElevationTypeLimited (3)",
- "2048": "Account Enabled",
- "2049": "Home Directory Required' - Disabled",
- "2050": "Password Not Required' - Disabled",
- "2051": "Temp Duplicate Account' - Disabled",
- "2052": "Normal Account' - Disabled",
- "2053": "MNS Logon Account' - Disabled",
- "2054": "Interdomain Trust Account' - Disabled",
- "2055": "Workstation Trust Account' - Disabled",
- "2056": "Server Trust Account' - Disabled",
- "2057": "Don't Expire Password' - Disabled",
- "2058": "Account Unlocked",
- "2059": "Encrypted Text Password Allowed' - Disabled",
- "2060": "Smartcard Required' - Disabled",
- "2061": "Trusted For Delegation' - Disabled",
- "2062": "Not Delegated' - Disabled",
- "2063": "Use DES Key Only' - Disabled",
- "2064": "Don't Require Preauth' - Disabled",
- "2065": "Password Expired' - Disabled",
- "2066": "Trusted To Authenticate For Delegation' - Disabled",
- "2067": "Exclude Authorization Information' - Disabled",
- "2068": "Undefined UserAccountControl Bit 20' - Disabled",
- "2069": "Protect Kerberos Service Tickets with AES Keys' - Disabled",
- "2070": "Undefined UserAccountControl Bit 22' - Disabled",
- "2071": "Undefined UserAccountControl Bit 23' - Disabled",
- "2072": "Undefined UserAccountControl Bit 24' - Disabled",
- "2073": "Undefined UserAccountControl Bit 25' - Disabled",
- "2074": "Undefined UserAccountControl Bit 26' - Disabled",
- "2075": "Undefined UserAccountControl Bit 27' - Disabled",
- "2076": 
"Undefined UserAccountControl Bit 28' - Disabled",
- "2077": "Undefined UserAccountControl Bit 29' - Disabled",
- "2078": "Undefined UserAccountControl Bit 30' - Disabled",
- "2079": "Undefined UserAccountControl Bit 31' - Disabled",
- "2080": "Account Disabled",
- "2081": "Home Directory Required' - Enabled",
- "2082": "Password Not Required' - Enabled",
- "2083": "Temp Duplicate Account' - Enabled",
- "2084": "Normal Account' - Enabled",
- "2085": "MNS Logon Account' - Enabled",
- "2086": "Interdomain Trust Account' - Enabled",
- "2087": "Workstation Trust Account' - Enabled",
- "2088": "Server Trust Account' - Enabled",
- "2089": "Don't Expire Password' - Enabled",
- "2090": "Account Locked",
- "2091": "Encrypted Text Password Allowed' - Enabled",
- "2092": "Smartcard Required' - Enabled",
- "2093": "Trusted For Delegation' - Enabled",
- "2094": "Not Delegated' - Enabled",
- "2095": "Use DES Key Only' - Enabled",
- "2096": "Don't Require Preauth' - Enabled",
- "2097": "Password Expired' - Enabled",
- "2098": "Trusted To Authenticate For Delegation' - Enabled",
- "2099": "Exclude Authorization Information' - Enabled",
- "2100": "Undefined UserAccountControl Bit 20' - Enabled",
- "2101": "Protect Kerberos Service Tickets with AES Keys' - Enabled",
- "2102": "Undefined UserAccountControl Bit 22' - Enabled",
- "2103": "Undefined UserAccountControl Bit 23' - Enabled",
- "2104": "Undefined UserAccountControl Bit 24' - Enabled",
- "2105": "Undefined UserAccountControl Bit 25' - Enabled",
- "2106": "Undefined UserAccountControl Bit 26' - Enabled",
- "2107": "Undefined UserAccountControl Bit 27' - Enabled",
- "2108": "Undefined UserAccountControl Bit 28' - Enabled",
- "2109": "Undefined UserAccountControl Bit 29' - Enabled",
- "2110": "Undefined UserAccountControl Bit 30' - Enabled",
- "2111": "Undefined UserAccountControl Bit 31' - Enabled",
- "2304": "An Error occured during Logon.",
- "2305": "The specified user account has expired.",
- "2306": "The NetLogon component 
is not active.",
- "2307": "Account locked out.",
- "2308": "The user has not been granted the requested logon type at this machine.",
- "2309": "The specified account's password has expired.",
- "2310": "Account currently disabled.",
- "2311": "Account logon time restriction violation.",
- "2312": "User not allowed to logon at this computer.",
- "2313": "Unknown user name or bad password.",
- "2314": "Domain sid inconsistent.",
- "2315": "Smartcard logon is required and was not used.",
- "2432": "Not Available.",
- "2436": "Random number generator failure.",
- "2437": "Random number generation failed FIPS-140 pre-hash check.",
- "2438": "Failed to zero secret data.",
- "2439": "Key failed pair wise consistency check.",
- "2448": "Failed to unprotect persistent cryptographic key.",
- "2449": "Key export checks failed.",
- "2450": "Validation of public key failed.",
- "2451": "Signature verification failed.",
- "2456": "Open key file.",
- "2457": "Delete key file.",
- "2458": "Read persisted key from file.",
- "2459": "Write persisted key to file.",
- "2464": "Export of persistent cryptographic key.",
- "2465": "Import of persistent cryptographic key.",
- "2480": "Open Key.",
- "2481": "Create Key.",
- "2482": "Delete Key.",
- "2483": "Encrypt.",
- "2484": "Decrypt.",
- "2485": "Sign hash.",
- "2486": "Secret agreement.",
- "2487": "Domain settings",
- "2488": "Local settings",
- "2489": "Add provider.",
- "2490": "Remove provider.",
- "2491": "Add context.",
- "2492": "Remove context.",
- "2493": "Add function.",
- "2494": "Remove function.",
- "2495": "Add function provider.",
- "2496": "Remove function provider.",
- "2497": "Add function property.",
- "2498": "Remove function property.",
- "2499": "Machine key.",
- "2500": "User key.",
- "2501": "Key Derivation.",
- "4352": "Device Access Bit 0",
- "4353": "Device Access Bit 1",
- "4354": "Device Access Bit 2",
- "4355": "Device Access Bit 3",
- "4356": "Device Access Bit 4",
- "4357": "Device Access Bit 5",
- 
"4358": "Device Access Bit 6", - "4359": "Device Access Bit 7", - "4360": "Device Access Bit 8", - "4361": "Undefined Access (no effect) Bit 9", - "4362": "Undefined Access (no effect) Bit 10", - "4363": "Undefined Access (no effect) Bit 11", - "4364": "Undefined Access (no effect) Bit 12", - "4365": "Undefined Access (no effect) Bit 13", - "4366": "Undefined Access (no effect) Bit 14", - "4367": "Undefined Access (no effect) Bit 15", - "4368": "Query directory", - "4369": "Traverse", - "4370": "Create object in directory", - "4371": "Create sub-directory", - "4372": "Undefined Access (no effect) Bit 4", - "4373": "Undefined Access (no effect) Bit 5", - "4374": "Undefined Access (no effect) Bit 6", - "4375": "Undefined Access (no effect) Bit 7", - "4376": "Undefined Access (no effect) Bit 8", - "4377": "Undefined Access (no effect) Bit 9", - "4378": "Undefined Access (no effect) Bit 10", - "4379": "Undefined Access (no effect) Bit 11", - "4380": "Undefined Access (no effect) Bit 12", - "4381": "Undefined Access (no effect) Bit 13", - "4382": "Undefined Access (no effect) Bit 14", - "4383": "Undefined Access (no effect) Bit 15", - "4384": "Query event state", - "4385": "Modify event state", - "4386": "Undefined Access (no effect) Bit 2", - "4387": "Undefined Access (no effect) Bit 3", - "4388": "Undefined Access (no effect) Bit 4", - "4389": "Undefined Access (no effect) Bit 5", - "4390": "Undefined Access (no effect) Bit 6", - "4391": "Undefined Access (no effect) Bit 7", - "4392": "Undefined Access (no effect) Bit 8", - "4393": "Undefined Access (no effect) Bit 9", - "4394": "Undefined Access (no effect) Bit 10", - "4395": "Undefined Access (no effect) Bit 11", - "4396": "Undefined Access (no effect) Bit 12", - "4397": "Undefined Access (no effect) Bit 13", - "4398": "Undefined Access (no effect) Bit 14", - "4399": "Undefined Access (no effect) Bit 15", - "4416": "ReadData (or ListDirectory)", - "4417": "WriteData (or AddFile)", - "4418": "AppendData (or 
AddSubdirectory or CreatePipeInstance)", - "4419": "ReadEA", - "4420": "WriteEA", - "4421": "Execute/Traverse", - "4422": "DeleteChild", - "4423": "ReadAttributes", - "4424": "WriteAttributes", - "4425": "Undefined Access (no effect) Bit 9", - "4426": "Undefined Access (no effect) Bit 10", - "4427": "Undefined Access (no effect) Bit 11", - "4428": "Undefined Access (no effect) Bit 12", - "4429": "Undefined Access (no effect) Bit 13", - "4430": "Undefined Access (no effect) Bit 14", - "4431": "Undefined Access (no effect) Bit 15", - "4432": "Query key value", - "4433": "Set key value", - "4434": "Create sub-key", - "4435": "Enumerate sub-keys", - "4436": "Notify about changes to keys", - "4437": "Create Link", - "4438": "Undefined Access (no effect) Bit 6", - "4439": "Undefined Access (no effect) Bit 7", - "4440": "Enable 64(or 32) bit application to open 64 bit key", - "4441": "Enable 64(or 32) bit application to open 32 bit key", - "4442": "Undefined Access (no effect) Bit 10", - "4443": "Undefined Access (no effect) Bit 11", - "4444": "Undefined Access (no effect) Bit 12", - "4445": "Undefined Access (no effect) Bit 13", - "4446": "Undefined Access (no effect) Bit 14", - "4447": "Undefined Access (no effect) Bit 15", - "4448": "Query mutant state", - "4449": "Undefined Access (no effect) Bit 1", - "4450": "Undefined Access (no effect) Bit 2", - "4451": "Undefined Access (no effect) Bit 3", - "4452": "Undefined Access (no effect) Bit 4", - "4453": "Undefined Access (no effect) Bit 5", - "4454": "Undefined Access (no effect) Bit 6", - "4455": "Undefined Access (no effect) Bit 7", - "4456": "Undefined Access (no effect) Bit 8", - "4457": "Undefined Access (no effect) Bit 9", - "4458": "Undefined Access (no effect) Bit 10", - "4459": "Undefined Access (no effect) Bit 11", - "4460": "Undefined Access (no effect) Bit 12", - "4461": "Undefined Access (no effect) Bit 13", - "4462": "Undefined Access (no effect) Bit 14", - "4463": "Undefined Access (no effect) Bit 15", - 
"4464": "Communicate using port", - "4465": "Undefined Access (no effect) Bit 1", - "4466": "Undefined Access (no effect) Bit 2", - "4467": "Undefined Access (no effect) Bit 3", - "4468": "Undefined Access (no effect) Bit 4", - "4469": "Undefined Access (no effect) Bit 5", - "4470": "Undefined Access (no effect) Bit 6", - "4471": "Undefined Access (no effect) Bit 7", - "4472": "Undefined Access (no effect) Bit 8", - "4473": "Undefined Access (no effect) Bit 9", - "4474": "Undefined Access (no effect) Bit 10", - "4475": "Undefined Access (no effect) Bit 11", - "4476": "Undefined Access (no effect) Bit 12", - "4477": "Undefined Access (no effect) Bit 13", - "4478": "Undefined Access (no effect) Bit 14", - "4479": "Undefined Access (no effect) Bit 15", - "4480": "Force process termination", - "4481": "Create new thread in process", - "4482": "Set process session ID", - "4483": "Perform virtual memory operation", - "4484": "Read from process memory", - "4485": "Write to process memory", - "4486": "Duplicate handle into or out of process", - "4487": "Create a subprocess of process", - "4488": "Set process quotas", - "4489": "Set process information", - "4490": "Query process information", - "4491": "Set process termination port", - "4492": "Undefined Access (no effect) Bit 12", - "4493": "Undefined Access (no effect) Bit 13", - "4494": "Undefined Access (no effect) Bit 14", - "4495": "Undefined Access (no effect) Bit 15", - "4496": "Control profile", - "4497": "Undefined Access (no effect) Bit 1", - "4498": "Undefined Access (no effect) Bit 2", - "4499": "Undefined Access (no effect) Bit 3", - "4500": "Undefined Access (no effect) Bit 4", - "4501": "Undefined Access (no effect) Bit 5", - "4502": "Undefined Access (no effect) Bit 6", - "4503": "Undefined Access (no effect) Bit 7", - "4504": "Undefined Access (no effect) Bit 8", - "4505": "Undefined Access (no effect) Bit 9", - "4506": "Undefined Access (no effect) Bit 10", - "4507": "Undefined Access (no effect) Bit 11", 
- "4508": "Undefined Access (no effect) Bit 12", - "4509": "Undefined Access (no effect) Bit 13", - "4510": "Undefined Access (no effect) Bit 14", - "4511": "Undefined Access (no effect) Bit 15", - "4512": "Query section state", - "4513": "Map section for write", - "4514": "Map section for read", - "4515": "Map section for execute", - "4516": "Extend size", - "4517": "Undefined Access (no effect) Bit 5", - "4518": "Undefined Access (no effect) Bit 6", - "4519": "Undefined Access (no effect) Bit 7", - "4520": "Undefined Access (no effect) Bit 8", - "4521": "Undefined Access (no effect) Bit 9", - "4522": "Undefined Access (no effect) Bit 10", - "4523": "Undefined Access (no effect) Bit 11", - "4524": "Undefined Access (no effect) Bit 12", - "4525": "Undefined Access (no effect) Bit 13", - "4526": "Undefined Access (no effect) Bit 14", - "4527": "Undefined Access (no effect) Bit 15", - "4528": "Query semaphore state", - "4529": "Modify semaphore state", - "4530": "Undefined Access (no effect) Bit 2", - "4531": "Undefined Access (no effect) Bit 3", - "4532": "Undefined Access (no effect) Bit 4", - "4533": "Undefined Access (no effect) Bit 5", - "4534": "Undefined Access (no effect) Bit 6", - "4535": "Undefined Access (no effect) Bit 7", - "4536": "Undefined Access (no effect) Bit 8", - "4537": "Undefined Access (no effect) Bit 9", - "4538": "Undefined Access (no effect) Bit 10", - "4539": "Undefined Access (no effect) Bit 11", - "4540": "Undefined Access (no effect) Bit 12", - "4541": "Undefined Access (no effect) Bit 13", - "4542": "Undefined Access (no effect) Bit 14", - "4543": "Undefined Access (no effect) Bit 15", - "4544": "Use symbolic link", - "4545": "Undefined Access (no effect) Bit 1", - "4546": "Undefined Access (no effect) Bit 2", - "4547": "Undefined Access (no effect) Bit 3", - "4548": "Undefined Access (no effect) Bit 4", - "4549": "Undefined Access (no effect) Bit 5", - "4550": "Undefined Access (no effect) Bit 6", - "4551": "Undefined Access (no 
effect) Bit 7", - "4552": "Undefined Access (no effect) Bit 8", - "4553": "Undefined Access (no effect) Bit 9", - "4554": "Undefined Access (no effect) Bit 10", - "4555": "Undefined Access (no effect) Bit 11", - "4556": "Undefined Access (no effect) Bit 12", - "4557": "Undefined Access (no effect) Bit 13", - "4558": "Undefined Access (no effect) Bit 14", - "4559": "Undefined Access (no effect) Bit 15", - "4560": "Force thread termination", - "4561": "Suspend or resume thread", - "4562": "Send an alert to thread", - "4563": "Get thread context", - "4564": "Set thread context", - "4565": "Set thread information", - "4566": "Query thread information", - "4567": "Assign a token to the thread", - "4568": "Cause thread to directly impersonate another thread", - "4569": "Directly impersonate this thread", - "4570": "Undefined Access (no effect) Bit 10", - "4571": "Undefined Access (no effect) Bit 11", - "4572": "Undefined Access (no effect) Bit 12", - "4573": "Undefined Access (no effect) Bit 13", - "4574": "Undefined Access (no effect) Bit 14", - "4575": "Undefined Access (no effect) Bit 15", - "4576": "Query timer state", - "4577": "Modify timer state", - "4578": "Undefined Access (no effect) Bit 2", - "4579": "Undefined Access (no effect) Bit 3", - "4580": "Undefined Access (no effect) Bit 4", - "4581": "Undefined Access (no effect) Bit 5", - "4582": "Undefined Access (no effect) Bit 6", - "4584": "Undefined Access (no effect) Bit 8", - "4585": "Undefined Access (no effect) Bit 9", - "4586": "Undefined Access (no effect) Bit 10", - "4587": "Undefined Access (no effect) Bit 11", - "4588": "Undefined Access (no effect) Bit 12", - "4589": "Undefined Access (no effect) Bit 13", - "4590": "Undefined Access (no effect) Bit 14", - "4591": "Undefined Access (no effect) Bit 15", - "4592": "AssignAsPrimary", - "4593": "Duplicate", - "4594": "Impersonate", - "4595": "Query", - "4596": "QuerySource", - "4597": "AdjustPrivileges", - "4598": "AdjustGroups", - "4599": 
"AdjustDefaultDacl", - "4600": "AdjustSessionID", - "4601": "Undefined Access (no effect) Bit 9", - "4602": "Undefined Access (no effect) Bit 10", - "4603": "Undefined Access (no effect) Bit 11", - "4604": "Undefined Access (no effect) Bit 12", - "4605": "Undefined Access (no effect) Bit 13", - "4606": "Undefined Access (no effect) Bit 14", - "4607": "Undefined Access (no effect) Bit 15", - "4608": "Create instance of object type", - "4609": "Undefined Access (no effect) Bit 1", - "4610": "Undefined Access (no effect) Bit 2", - "4611": "Undefined Access (no effect) Bit 3", - "4612": "Undefined Access (no effect) Bit 4", - "4613": "Undefined Access (no effect) Bit 5", - "4614": "Undefined Access (no effect) Bit 6", - "4615": "Undefined Access (no effect) Bit 7", - "4616": "Undefined Access (no effect) Bit 8", - "4617": "Undefined Access (no effect) Bit 9", - "4618": "Undefined Access (no effect) Bit 10", - "4619": "Undefined Access (no effect) Bit 11", - "4620": "Undefined Access (no effect) Bit 12", - "4621": "Undefined Access (no effect) Bit 13", - "4622": "Undefined Access (no effect) Bit 14", - "4623": "Undefined Access (no effect) Bit 15", - "4864": "Query State", - "4865": "Modify State", - "5120": "Channel read message", - "5121": "Channel write message", - "5122": "Channel query information", - "5123": "Channel set information", - "5124": "Undefined Access (no effect) Bit 4", - "5125": "Undefined Access (no effect) Bit 5", - "5126": "Undefined Access (no effect) Bit 6", - "5127": "Undefined Access (no effect) Bit 7", - "5128": "Undefined Access (no effect) Bit 8", - "5129": "Undefined Access (no effect) Bit 9", - "5130": "Undefined Access (no effect) Bit 10", - "5131": "Undefined Access (no effect) Bit 11", - "5132": "Undefined Access (no effect) Bit 12", - "5133": "Undefined Access (no effect) Bit 13", - "5134": "Undefined Access (no effect) Bit 14", - "5135": "Undefined Access (no effect) Bit 15", - "5136": "Assign process", - "5137": "Set Attributes", - 
"5138": "Query Attributes", - "5139": "Terminate Job", - "5140": "Set Security Attributes", - "5141": "Undefined Access (no effect) Bit 5", - "5142": "Undefined Access (no effect) Bit 6", - "5143": "Undefined Access (no effect) Bit 7", - "5144": "Undefined Access (no effect) Bit 8", - "5145": "Undefined Access (no effect) Bit 9", - "5146": "Undefined Access (no effect) Bit 10", - "5147": "Undefined Access (no effect) Bit 11", - "5148": "Undefined Access (no effect) Bit 12", - "5149": "Undefined Access (no effect) Bit 13", - "5150": "Undefined Access (no effect) Bit 14", - "5151": "Undefined Access (no effect) Bit 15", - "5376": "ConnectToServer", - "5377": "ShutdownServer", - "5378": "InitializeServer", - "5379": "CreateDomain", - "5380": "EnumerateDomains", - "5381": "LookupDomain", - "5382": "Undefined Access (no effect) Bit 6", - "5383": "Undefined Access (no effect) Bit 7", - "5384": "Undefined Access (no effect) Bit 8", - "5385": "Undefined Access (no effect) Bit 9", - "5386": "Undefined Access (no effect) Bit 10", - "5387": "Undefined Access (no effect) Bit 11", - "5388": "Undefined Access (no effect) Bit 12", - "5389": "Undefined Access (no effect) Bit 13", - "5390": "Undefined Access (no effect) Bit 14", - "5391": "Undefined Access (no effect) Bit 15", - "5392": "ReadPasswordParameters", - "5393": "WritePasswordParameters", - "5394": "ReadOtherParameters", - "5395": "WriteOtherParameters", - "5396": "CreateUser", - "5397": "CreateGlobalGroup", - "5398": "CreateLocalGroup", - "5399": "GetLocalGroupMembership", - "5400": "ListAccounts", - "5401": "LookupIDs", - "5402": "AdministerServer", - "5403": "Undefined Access (no effect) Bit 11", - "5404": "Undefined Access (no effect) Bit 12", - "5405": "Undefined Access (no effect) Bit 13", - "5406": "Undefined Access (no effect) Bit 14", - "5407": "Undefined Access (no effect) Bit 15", - "5408": "ReadInformation", - "5409": "WriteAccount", - "5410": "AddMember", - "5411": "RemoveMember", - "5412": "ListMembers", - 
"5413": "Undefined Access (no effect) Bit 5", - "5414": "Undefined Access (no effect) Bit 6", - "5415": "Undefined Access (no effect) Bit 7", - "5416": "Undefined Access (no effect) Bit 8", - "5417": "Undefined Access (no effect) Bit 9", - "5418": "Undefined Access (no effect) Bit 10", - "5419": "Undefined Access (no effect) Bit 11", - "5420": "Undefined Access (no effect) Bit 12", - "5421": "Undefined Access (no effect) Bit 13", - "5422": "Undefined Access (no effect) Bit 14", - "5423": "Undefined Access (no effect) Bit 15", - "5424": "AddMember", - "5425": "RemoveMember", - "5426": "ListMembers", - "5427": "ReadInformation", - "5428": "WriteAccount", - "5429": "Undefined Access (no effect) Bit 5", - "5430": "Undefined Access (no effect) Bit 6", - "5431": "Undefined Access (no effect) Bit 7", - "5432": "Undefined Access (no effect) Bit 8", - "5433": "Undefined Access (no effect) Bit 9", - "5434": "Undefined Access (no effect) Bit 10", - "5435": "Undefined Access (no effect) Bit 11", - "5436": "Undefined Access (no effect) Bit 12", - "5437": "Undefined Access (no effect) Bit 13", - "5438": "Undefined Access (no effect) Bit 14", - "5439": "Undefined Access (no effect) Bit 15", - "5440": "ReadGeneralInformation", - "5441": "ReadPreferences", - "5442": "WritePreferences", - "5443": "ReadLogon", - "5444": "ReadAccount", - "5445": "WriteAccount", - "5446": "ChangePassword (with knowledge of old password)", - "5447": "SetPassword (without knowledge of old password)", - "5448": "ListGroups", - "5449": "ReadGroupMembership", - "5450": "ChangeGroupMembership", - "5451": "Undefined Access (no effect) Bit 11", - "5452": "Undefined Access (no effect) Bit 12", - "5453": "Undefined Access (no effect) Bit 13", - "5454": "Undefined Access (no effect) Bit 14", - "5455": "Undefined Access (no effect) Bit 15", - "5632": "View non-sensitive policy information", - "5633": "View system audit requirements", - "5634": "Get sensitive policy information", - "5635": "Modify domain trust 
relationships", - "5636": "Create special accounts (for assignment of user rights)", - "5637": "Create a secret object", - "5638": "Create a privilege", - "5639": "Set default quota limits", - "5640": "Change system audit requirements", - "5641": "Administer audit log attributes", - "5642": "Enable/Disable LSA", - "5643": "Lookup Names/SIDs", - "5648": "Change secret value", - "5649": "Query secret value", - "5650": "Undefined Access (no effect) Bit 2", - "5651": "Undefined Access (no effect) Bit 3", - "5652": "Undefined Access (no effect) Bit 4", - "5653": "Undefined Access (no effect) Bit 5", - "5654": "Undefined Access (no effect) Bit 6", - "5655": "Undefined Access (no effect) Bit 7", - "5656": "Undefined Access (no effect) Bit 8", - "5657": "Undefined Access (no effect) Bit 9", - "5658": "Undefined Access (no effect) Bit 10", - "5659": "Undefined Access (no effect) Bit 11", - "5660": "Undefined Access (no effect) Bit 12", - "5661": "Undefined Access (no effect) Bit 13", - "5662": "Undefined Access (no effect) Bit 14", - "5663": "Undefined Access (no effect) Bit 15", - "5664": "Query trusted domain name/SID", - "5665": "Retrieve the controllers in the trusted domain", - "5666": "Change the controllers in the trusted domain", - "5667": "Query the Posix ID offset assigned to the trusted domain", - "5668": "Change the Posix ID offset assigned to the trusted domain", - "5669": "Undefined Access (no effect) Bit 5", - "5670": "Undefined Access (no effect) Bit 6", - "5671": "Undefined Access (no effect) Bit 7", - "5672": "Undefined Access (no effect) Bit 8", - "5673": "Undefined Access (no effect) Bit 9", - "5674": "Undefined Access (no effect) Bit 10", - "5675": "Undefined Access (no effect) Bit 11", - "5676": "Undefined Access (no effect) Bit 12", - "5677": "Undefined Access (no effect) Bit 13", - "5678": "Undefined Access (no effect) Bit 14", - "5679": "Undefined Access (no effect) Bit 15", - "5680": "Query account information", - "5681": "Change privileges 
assigned to account", - "5682": "Change quotas assigned to account", - "5683": "Change logon capabilities assigned to account", - "5684": "Change the Posix ID offset assigned to the accounted domain", - "5685": "Undefined Access (no effect) Bit 5", - "5686": "Undefined Access (no effect) Bit 6", - "5687": "Undefined Access (no effect) Bit 7", - "5688": "Undefined Access (no effect) Bit 8", - "5689": "Undefined Access (no effect) Bit 9", - "5690": "Undefined Access (no effect) Bit 10", - "5691": "Undefined Access (no effect) Bit 11", - "5692": "Undefined Access (no effect) Bit 12", - "5693": "Undefined Access (no effect) Bit 13", - "5694": "Undefined Access (no effect) Bit 14", - "5695": "Undefined Access (no effect) Bit 15", - "5696": "KeyedEvent Wait", - "5697": "KeyedEvent Wake", - "5698": "Undefined Access (no effect) Bit 2", - "5699": "Undefined Access (no effect) Bit 3", - "5700": "Undefined Access (no effect) Bit 4", - "5701": "Undefined Access (no effect) Bit 5", - "5702": "Undefined Access (no effect) Bit 6", - "5703": "Undefined Access (no effect) Bit 7", - "5704": "Undefined Access (no effect) Bit 8", - "5705": "Undefined Access (no effect) Bit 9", - "5706": "Undefined Access (no effect) Bit 10", - "5707": "Undefined Access (no effect) Bit 11", - "5708": "Undefined Access (no effect) Bit 12", - "5709": "Undefined Access (no effect) Bit 13", - "5710": "Undefined Access (no effect) Bit 14", - "5711": "Undefined Access (no effect) Bit 15", - "6656": "Enumerate desktops", - "6657": "Read attributes", - "6658": "Access Clipboard", - "6659": "Create desktop", - "6660": "Write attributes", - "6661": "Access global atoms", - "6662": "Exit windows", - "6663": "Unused Access Flag", - "6664": "Include this windowstation in enumerations", - "6665": "Read screen", - "6672": "Read Objects", - "6673": "Create window", - "6674": "Create menu", - "6675": "Hook control", - "6676": "Journal (record)", - "6677": "Journal (playback)", - "6678": "Include this desktop in 
enumerations", - "6679": "Write objects", - "6680": "Switch to this desktop", - "6912": "Administer print server", - "6913": "Enumerate printers", - "6930": "Full Control", - "6931": "Print", - "6948": "Administer Document", - "7168": "Connect to service controller", - "7169": "Create a new service", - "7170": "Enumerate services", - "7171": "Lock service database for exclusive access", - "7172": "Query service database lock state", - "7173": "Set last-known-good state of service database", - "7184": "Query service configuration information", - "7185": "Set service configuration information", - "7186": "Query status of service", - "7187": "Enumerate dependencies of service", - "7188": "Start the service", - "7189": "Stop the service", - "7190": "Pause or continue the service", - "7191": "Query information from service", - "7192": "Issue service-specific control commands", - "7424": "DDE Share Read", - "7425": "DDE Share Write", - "7426": "DDE Share Initiate Static", - "7427": "DDE Share Initiate Link", - "7428": "DDE Share Request", - "7429": "DDE Share Advise", - "7430": "DDE Share Poke", - "7431": "DDE Share Execute", - "7432": "DDE Share Add Items", - "7433": "DDE Share List Items", - "7680": "Create Child", - "7681": "Delete Child", - "7682": "List Contents", - "7683": "Write Self", - "7684": "Read Property", - "7685": "Write Property", - "7686": "Delete Tree", - "7687": "List Object", - "7688": "Control Access", - "7689": "Undefined Access (no effect) Bit 9", - "7690": "Undefined Access (no effect) Bit 10", - "7691": "Undefined Access (no effect) Bit 11", - "7692": "Undefined Access (no effect) Bit 12", - "7693": "Undefined Access (no effect) Bit 13", - "7694": "Undefined Access (no effect) Bit 14", - "7695": "Undefined Access (no effect) Bit 15", - "7936": "Audit Set System Policy", - "7937": "Audit Query System Policy", - "7938": "Audit Set Per User Policy", - "7939": "Audit Query Per User Policy", - "7940": "Audit Enumerate Users", - "7941": "Audit Set 
Options", - "7942": "Audit Query Options", - "8064": "Port sharing (read)", - "8065": "Port sharing (write)", - "8096": "Default credentials", - "8097": "Credentials manager", - "8098": "Fresh credentials", - "8192": "Kerberos", - "8193": "Preshared key", - "8194": "Unknown authentication", - "8195": "DES", - "8196": "3DES", - "8197": "MD5", - "8198": "SHA1", - "8199": "Local computer", - "8200": "Remote computer", - "8201": "No state", - "8202": "Sent first (SA) payload", - "8203": "Sent second (KE) payload", - "8204": "Sent third (ID) payload", - "8205": "Initiator", - "8206": "Responder", - "8207": "No state", - "8208": "Sent first (SA) payload", - "8209": "Sent final payload", - "8210": "Complete", - "8211": "Unknown", - "8212": "Transport", - "8213": "Tunnel", - "8214": "IKE/AuthIP DoS prevention mode started", - "8215": "IKE/AuthIP DoS prevention mode stopped", - "8216": "Enabled", - "8217": "Not enabled", - "8218": "No state", - "8219": "Sent first (EM attributes) payload", - "8220": "Sent second (SSPI) payload", - "8221": "Sent third (hash) payload", - "8222": "IKEv1", - "8223": "AuthIP", - "8224": "Anonymous", - "8225": "NTLM V2", - "8226": "CGA", - "8227": "Certificate", - "8228": "SSL", - "8229": "None", - "8230": "DH group 1", - "8231": "DH group 2", - "8232": "DH group 14", - "8233": "DH group ECP 256", - "8234": "DH group ECP 384", - "8235": "AES-128", - "8236": "AES-192", - "8237": "AES-256", - "8238": "Certificate ECDSA P256", - "8239": "Certificate ECDSA P384", - "8240": "SSL ECDSA P256", - "8241": "SSL ECDSA P384", - "8242": "SHA 256", - "8243": "SHA 384", - "8244": "IKEv2", - "8245": "EAP payload sent", - "8246": "Authentication payload sent", - "8247": "EAP", - "8248": "DH group 24", - "8272": "System", - "8273": "Logon/Logoff", - "8274": "Object Access", - "8275": "Privilege Use", - "8276": "Detailed Tracking", - "8277": "Policy Change", - "8278": "Account Management", - "8279": "DS Access", - "8280": "Account Logon", - "8448": "Success 
removed", - "8449": "Success Added", - "8450": "Failure removed", - "8451": "Failure added", - "8452": "Success include removed", - "8453": "Success include added", - "8454": "Success exclude removed", - "8455": "Success exclude added", - "8456": "Failure include removed", - "8457": "Failure include added", - "8458": "Failure exclude removed", - "8459": "Failure exclude added", - "12288": "Security State Change", - "12289": "Security System Extension", - "12290": "System Integrity", - "12291": "IPsec Driver", - "12292": "Other System Events", - "12544": "Logon", - "12545": "Logoff", - "12546": "Account Lockout", - "12547": "IPsec Main Mode", - "12548": "Special Logon", - "12549": "IPsec Quick Mode", - "12550": "IPsec Extended Mode", - "12551": "Other Logon/Logoff Events", - "12552": "Network Policy Server", - "12553": "User / Device Claims", - "12554": "Group Membership", - "12800": "File System", - "12801": "Registry", - "12802": "Kernel Object", - "12803": "SAM", - "12804": "Other Object Access Events", - "12805": "Certification Services", - "12806": "Application Generated", - "12807": "Handle Manipulation", - "12808": "File Share", - "12809": "Filtering Platform Packet Drop", - "12810": "Filtering Platform Connection", - "12811": "Detailed File Share", - "12812": "Removable Storage", - "12813": "Central Policy Staging", - "13056": "Sensitive Privilege Use", - "13057": "Non Sensitive Privilege Use", - "13058": "Other Privilege Use Events", - "13312": "Process Creation", - "13313": "Process Termination", - "13314": "DPAPI Activity", - "13315": "RPC Events", - "13316": "Plug and Play Events", - "13317": "Token Right Adjusted Events", - "13568": "Audit Policy Change", - "13569": "Authentication Policy Change", - "13570": "Authorization Policy Change", - "13571": "MPSSVC Rule-Level Policy Change", - "13572": "Filtering Platform Policy Change", - "13573": "Other Policy Change Events", - "13824": "User Account Management", - "13825": "Computer Account Management", - 
"13826": "Security Group Management", - "13827": "Distribution Group Management", - "13828": "Application Group Management", - "13829": "Other Account Management Events", - "14080": "Directory Service Access", - "14081": "Directory Service Changes", - "14082": "Directory Service Replication", - "14083": "Detailed Directory Service Replication", - "14336": "Credential Validation", - "14337": "Kerberos Service Ticket Operations", - "14338": "Other Account Logon Events", - "14339": "Kerberos Authentication Service", - "14592": "Inbound", - "14593": "Outbound", - "14594": "Forward", - "14595": "Bidirectional", - "14596": "IP Packet", - "14597": "Transport", - "14598": "Forward", - "14599": "Stream", - "14600": "Datagram Data", - "14601": "ICMP Error", - "14602": "MAC 802.3", - "14603": "MAC Native", - "14604": "vSwitch", - "14608": "Resource Assignment", - "14609": "Listen", - "14610": "Receive/Accept", - "14611": "Connect", - "14612": "Flow Established", - "14614": "Resource Release", - "14615": "Endpoint Closure", - "14616": "Connect Redirect", - "14617": "Bind Redirect", - "14624": "Stream Packet", - "14640": "ICMP Echo-Request", - "14641": "vSwitch Ingress", - "14642": "vSwitch Egress", - "14672": "", - "14673": "[NULL]", - "14674": "Value Added", - "14675": "Value Deleted", - "14676": "Active Directory Domain Services", - "14677": "Active Directory Lightweight Directory Services", - "14678": "Yes", - "14679": "No", - "14680": "Value Added With Expiration Time", - "14681": "Value Deleted With Expiration Time", - "14688": "Value Auto Deleted With Expiration Time", - "16384": "Add", - "16385": "Delete", - "16386": "Boot-time", - "16387": "Persistent", - "16388": "Not persistent", - "16389": "Block", - "16390": "Permit", - "16391": "Callout", - "16392": "MD5", - "16393": "SHA-1", - "16394": "SHA-256", - "16395": "AES-GCM 128", - "16396": "AES-GCM 192", - "16397": "AES-GCM 256", - "16398": "DES", - "16399": "3DES", - "16400": "AES-128", - "16401": "AES-192", - "16402": 
"AES-256",
- "16403": "Transport",
- "16404": "Tunnel",
- "16405": "Responder",
- "16406": "Initiator",
- "16407": "AES-GMAC 128",
- "16408": "AES-GMAC 192",
- "16409": "AES-GMAC 256",
- "16416": "AuthNoEncap Transport",
- "16896": "Enable WMI Account",
- "16897": "Execute Method",
- "16898": "Full Write",
- "16899": "Partial Write",
- "16900": "Provider Write",
- "16901": "Remote Access",
- "16902": "Subscribe",
- "16903": "Publish",
- };
- // lookupMessageCode returns the string associated with the code. key should
- // be the name of the field in evt containing the code (e.g. %%2313).
- var lookupMessageCode = function (evt, key) {
- var code = evt.Get(key);
- if (!code) {
- return;
- }
- code = code.replace("%%", "");
- return msobjsMessageTable[code];
- };
- var addEventFields = function(evt){
- var code = evt.Get("event.code");
- if (!code) {
- return;
- }
- var eventActionDescription = eventActionTypes[code][2];
- if (eventActionDescription) {
- evt.AppendTo("event.category", eventActionTypes[code][0]);
- evt.AppendTo("event.type", eventActionTypes[code][1]);
- evt.Put("event.action", eventActionTypes[code][2]);
- }
- };
- var addLogonType = function(evt) {
- var code = evt.Get("winlog.event_data.LogonType");
- if (!code) {
- return;
- }
- var descriptiveLogonType = logonTypes[code];
- if (descriptiveLogonType === undefined) {
- return;
- }
- evt.Put("winlog.logon.type", descriptiveLogonType);
- };
- var addFailureCode = function(evt) {
- var msg = lookupMessageCode(evt, "winlog.event_data.FailureReason");
- if (!msg) {
- return;
- }
- evt.Put("winlog.logon.failure.reason", msg);
- };
- var addFailureStatus = function(evt) {
- var code = evt.Get("winlog.event_data.Status");
- if (!code) {
- return;
- }
- var descriptiveFailureStatus = logonFailureStatus[code];
- if (descriptiveFailureStatus === undefined) {
- return;
- }
- evt.Put("winlog.logon.failure.status", descriptiveFailureStatus);
- };
- var addFailureSubStatus = function(evt) {
- var code =
evt.Get("winlog.event_data.SubStatus");
- if (!code) {
- return;
- }
- var descriptiveFailureStatus = logonFailureStatus[code];
- if (descriptiveFailureStatus === undefined) {
- return;
- }
- evt.Put("winlog.logon.failure.sub_status", descriptiveFailureStatus);
- };
- var addUACDescription = function(evt) {
- var code = evt.Get("winlog.event_data.NewUacValue");
- if (!code) {
- return;
- }
- var uacCode = parseInt(code);
- var uacResult = [];
- for (var i = 0; i < uacFlags.length; i++) {
- if ((uacCode | uacFlags[i][0]) === uacCode) {
- uacResult.push(uacFlags[i][1]);
- }
- }
- if (uacResult) {
- evt.Put("winlog.event_data.NewUACList", uacResult);
- }
- var uacList = evt.Get("winlog.event_data.UserAccountControl").replace(/\s/g, '').split("%%").filter(String);
- if (!uacList) {
- return;
- }
- evt.Put("winlog.event_data.UserAccountControl", uacList);
- };
- var addAuditInfo = function(evt) {
- var subcategoryGuid = evt.Get("winlog.event_data.SubcategoryGuid").replace("{", '').replace("}", '').toUpperCase();
- if (!subcategoryGuid) {
- return;
- }
- if (!auditDescription[subcategoryGuid]) {
- return;
- }
- evt.Put("winlog.event_data.Category", auditDescription[subcategoryGuid][1]);
- evt.Put("winlog.event_data.SubCategory", auditDescription[subcategoryGuid][0]);
- var codedActions = evt.Get("winlog.event_data.AuditPolicyChanges").split(",");
- var actionResults = [];
- for (var j = 0; j < codedActions.length; j++) {
- var actionCode = codedActions[j].replace("%%", '').replace(' ', '');
- actionResults.push(auditActions[actionCode]);
- }
- evt.Put("winlog.event_data.AuditPolicyChangesDescription", actionResults);
- };
- var addTicketOptionsDescription = function(evt) {
- var code = evt.Get("winlog.event_data.TicketOptions");
- if (!code) {
- return;
- }
- var tktCode = parseInt(code, 16).toString(2);
- var tktResult = [];
- var tktCodeLen = tktCode.length;
- for (var i = tktCodeLen; i >= 0; i--) {
- if (tktCode[i] == 1) {
-
tktResult.push(ticketOptions[(32-tktCodeLen)+i]);
- }
- }
- if (tktResult) {
- evt.Put("winlog.event_data.TicketOptionsDescription", tktResult);
- }
- };
- var addTicketEncryptionType = function(evt) {
- var code = evt.Get("winlog.event_data.TicketEncryptionType");
- if (!code) {
- return;
- }
- var encTypeCode = code.toLowerCase();
- evt.Put("winlog.event_data.TicketEncryptionTypeDescription", ticketEncryptionTypes[encTypeCode]);
- };
- var addTicketStatus = function(evt) {
- var code = evt.Get("winlog.event_data.Status");
- if (!code) {
- return;
- }
- evt.Put("winlog.event_data.StatusDescription", kerberosTktStatusCodes[code]);
- };
- var addSessionData = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.AccountName", to: "user.name"},
- {from: "winlog.event_data.AccountDomain", to: "user.domain"},
- {from: "winlog.event_data.ClientAddress", to: "source.ip"},
- {from: "winlog.event_data.ClientName", to: "source.domain"},
- {from: "winlog.event_data.LogonID", to: "winlog.logon.id"},
- ],
- ignore_missing: true,
- })
- .Add(function(evt) {
- var user = evt.Get("winlog.event_data.AccountName");
- evt.AppendTo('related.user', user);
- })
- .Build();
- var addServiceFields = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.ServiceName", to: "service.name"},
- ],
- ignore_missing: true,
- })
- .Add(function(evt) {
- var code = evt.Get("winlog.event_data.ServiceType");
- if (!code) {
- return;
- }
- evt.Put("service.type", serviceTypes[code]);
- })
- .Build();
- var copyTargetUser = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.TargetUserSid", to: "user.id"},
- {from: "winlog.event_data.TargetUserName", to: "user.name"},
- {from: "winlog.event_data.TargetDomainName", to: "user.domain"},
- ],
- ignore_missing: true,
- })
- .Add(function(evt) {
- var user = evt.Get("winlog.event_data.TargetUserName");
- if (/.@*/.test(user)) {
- user = user.split('@')[0];
- evt.Put('user.name', user);
- }
-
evt.AppendTo('related.user', user);
- })
- .Build();
- var copyTargetUserToGroup = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.TargetUserSid", to: "group.id"},
- {from: "winlog.event_data.TargetUserName", to: "group.name"},
- {from: "winlog.event_data.TargetDomainName", to: "group.domain"},
- ],
- ignore_missing: true,
- })
- .Build();
- var copyTargetUserToComputerObject = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.TargetSid", to: "winlog.computerObject.id"},
- {from: "winlog.event_data.TargetUserName", to: "winlog.computerObject.name"},
- {from: "winlog.event_data.TargetDomainName", to: "winlog.computerObject.domain"},
- ],
- ignore_missing: true,
- })
- .Build();
- var copyTargetUserLogonId = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.TargetLogonId", to: "winlog.logon.id"},
- ],
- ignore_missing: true,
- })
- .Build();
- var copySubjectUser = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.SubjectUserSid", to: "user.id"},
- {from: "winlog.event_data.SubjectUserName", to: "user.name"},
- {from: "winlog.event_data.SubjectDomainName", to: "user.domain"},
- ],
- ignore_missing: true,
- })
- .Add(function(evt) {
- var user = evt.Get("winlog.event_data.SubjectUserName");
- evt.AppendTo('related.user', user);
- })
- .Build();
- var copySubjectUserFromUserData = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.user_data.SubjectUserSid", to: "user.id"},
- {from: "winlog.user_data.SubjectUserName", to: "user.name"},
- {from: "winlog.user_data.SubjectDomainName", to: "user.domain"},
- ],
- ignore_missing: true,
- })
- .Add(function(evt) {
- var user = evt.Get("winlog.user_data.SubjectUserName");
- evt.AppendTo('related.user', user);
- })
- .Build();
- var copySubjectUserLogonId = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.SubjectLogonId", to: "winlog.logon.id"},
- ],
- ignore_missing: true,
- })
- .Build();
- var copySubjectUserLogonIdFromUserData = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.user_data.SubjectLogonId", to: "winlog.logon.id"}, - ], - ignore_missing: true, - }) - .Build(); - var renameCommonAuthFields = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"}, - {from: "winlog.event_data.ProcessName", to: "process.executable"}, - {from: "winlog.event_data.IpAddress", to: "source.ip", type: "ip"}, - {from: "winlog.event_data.IpPort", to: "source.port", type: "long"}, - {from: "winlog.event_data.WorkstationName", to: "source.domain"}, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(function(evt) { - var name = evt.Get("process.name"); - if (name) { - return; - } - var exe = evt.Get("process.executable"); - if (!exe) { - return; - } - evt.Put("process.name", path.basename(exe)); - }) - .Build(); - var renameNewProcessFields = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.NewProcessId", to: "process.pid", type: "long"}, - {from: "winlog.event_data.NewProcessName", to: "process.executable"}, - {from: "winlog.event_data.ParentProcessName", to: "process.parent.executable"} - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(function(evt) { - var name = evt.Get("process.name"); - if (name) { - return; - } - var exe = evt.Get("process.executable"); - if (!exe) { - return; - } - evt.Put("process.name", path.basename(exe)); - }) - .Add(function(evt) { - var name = evt.Get("process.parent.name"); - if (name) { - return; - } - var exe = evt.Get("process.parent.executable"); - if (!exe) { - return; - } - evt.Put("process.parent.name", path.basename(exe)); - }) - .Add(function(evt) { - var cl = evt.Get("winlog.event_data.CommandLine"); - if (!cl) { - return; - } - evt.Put("process.args", windows.splitCommandLine(cl)); - evt.Put("process.command_line", cl); - }) - .Build(); - // Handles 4634 
and 4647. - var logoff = new processor.Chain() - .Add(copyTargetUser) - .Add(copyTargetUserLogonId) - .Add(addLogonType) - .Add(addEventFields) - .Build(); - // Handles both 4624 - var logonSuccess = new processor.Chain() - .Add(copyTargetUser) - .Add(copyTargetUserLogonId) - .Add(addLogonType) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.SubjectUserName"); - if (user) { - var res = /^-$/.test(user); - if (!res) { - evt.AppendTo('related.user', user); - } - } - }) - .Build(); - // Handles both 4648 - var event4648 = new processor.Chain() - .Add(copyTargetUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.SubjectUserName"); - if (user) { - var res = /^-$/.test(user); - if (!res) { - evt.AppendTo('related.user', user); - } - } - }) - .Build(); - var event4625 = new processor.Chain() - .Add(copyTargetUser) - .Add(copySubjectUserLogonId) - .Add(addLogonType) - .Add(addFailureCode) - .Add(addFailureStatus) - .Add(addFailureSubStatus) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Build(); - var event4672 = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(function(evt) { - var privs = evt.Get("winlog.event_data.PrivilegeList"); - if (!privs) { - return; - } - evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/)); - }) - .Add(addEventFields) - .Build(); - var event4688 = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameNewProcessFields) - .Add(addEventFields) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.TargetUserName"); - var res = /^-$/.test(user); - if (!res) { - evt.AppendTo('related.user', user); - } - }) - .Build(); - var event4689 = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Build(); - var 
event4697 = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addServiceFields) - .Add(addEventFields) - .Add(function(evt) { - evt.AppendTo("event.type", "change"); - }) - .Build(); - var userMgmtEvts = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addUACDescription) - .Add(addEventFields) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.TargetUserName"); - evt.AppendTo('related.user', user); - evt.AppendTo("event.type", "user"); - }) - .Build(); - var userRenamed = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(addEventFields) - .Add(function(evt) { - var userNew = evt.Get("winlog.event_data.NewTargetUserName"); - evt.AppendTo('related.user', userNew); - var userOld = evt.Get("winlog.event_data.OldTargetUserName"); - evt.AppendTo('related.user', userOld); - evt.AppendTo("event.type", "user"); - }) - .Build(); - var groupMgmtEvts = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(copyTargetUserToGroup) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Add(function(evt) { - evt.AppendTo("event.type", "group"); - var member = evt.Get("winlog.event_data.MemberName"); - if (!member) { - return; - } - evt.AppendTo("related.user", member.split(',')[0].replace('CN=', '').replace('cn=', '')); - }) - .Build(); - var auditLogCleared = new processor.Chain() - .Add(copySubjectUserFromUserData) - .Add(copySubjectUserLogonIdFromUserData) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Add(function(evt) { - evt.AppendTo("event.type", "change"); - }) - .Build(); - var auditChanged = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addAuditInfo) - .Add(addEventFields) - .Add(function(evt) { - evt.AppendTo("event.type", "change"); - }) - .Build(); - var auditLogMgmt = new 
processor.Chain() - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Build(); - var computerMgmtEvts = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(copyTargetUserToComputerObject) - .Add(renameCommonAuthFields) - .Add(addUACDescription) - .Add(addEventFields) - .Add(function(evt) { - var privs = evt.Get("winlog.event_data.PrivilegeList"); - if (!privs) { - return; - } - evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/)); - evt.AppendTo("event.type", "admin"); - }) - .Build(); - var sessionEvts = new processor.Chain() - .Add(addSessionData) - .Add(addEventFields) - .Build(); - var event4964 = new processor.Chain() - .Add(copyTargetUser) - .Add(copyTargetUserLogonId) - .Add(addEventFields) - .Add(function(evt) { - evt.AppendTo("event.type", "group"); - }) - .Build(); - var kerberosTktEvts = new processor.Chain() - .Add(copyTargetUser) - .Add(renameCommonAuthFields) - .Add(addTicketOptionsDescription) - .Add(addTicketEncryptionType) - .Add(addTicketStatus) - .Add(addEventFields) - .Add(function(evt) { - var ip = evt.Get("source.ip"); - if (/::ffff:/.test(ip)) { - evt.Put("source.ip", ip.replace("::ffff:", "")); - } - }) - .Build(); - var event4776 = new processor.Chain() - .Add(copyTargetUser) - .Add(addFailureStatus) - .Add(addEventFields) - .Build(); - var scheduledTask = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(addEventFields) - .Add(function(evt) { - evt.AppendTo("event.type", "admin"); - }) - .Build(); - var sensitivePrivilege = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Add(function(evt) { - var privs = evt.Get("winlog.event_data.PrivilegeList"); - if (!privs) { - return; - } - evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/)); - }) - .Add(function(evt){ - var maskCodes = evt.Get("winlog.event_data.AccessMask"); - if (!maskCodes) { - return; - } - var maskList = 
maskCodes.replace(/\s+/g, '').split("%%").filter(String); - evt.Put("winlog.event_data.AccessMask", maskList); - var maskResults = []; - for (var j = 0; j < maskList.length; j++) { - var description = msobjsMessageTable[maskList[j]]; - if (description === undefined) { - return; - } - maskResults.push(description); - } - evt.Put("winlog.event_data.AccessMaskDescription", maskResults); - }) - .Build(); - return { - // 1100 - The event logging service has shut down. - 1100: auditLogMgmt.Run, - // 1102 - The audit log was cleared. - 1102: auditLogCleared.Run, - // 1104 - The security log is now full. - 1104: auditLogMgmt.Run, - // 1105 - Event log automatic backup. - 1105: auditLogMgmt.Run, - // 1108 - The event logging service encountered an error while processing an incoming event published from %1 - 1108: auditLogMgmt.Run, - // 4624 - An account was successfully logged on. - 4624: logonSuccess.Run, - // 4625 - An account failed to log on. - 4625: event4625.Run, - // 4634 - An account was logged off. - 4634: logoff.Run, - // 4647 - User initiated logoff. - 4647: logoff.Run, - // 4648 - A logon was attempted using explicit credentials. - 4648: event4648.Run, - // 4672 - Special privileges assigned to new logon. - 4672: event4672.Run, - // 4673 - A privileged service was called. - 4673: sensitivePrivilege.Run, - // 4674 - An operation was attempted on a privileged object. - 4674: sensitivePrivilege.Run, - // 4688 - A new process has been created. - 4688: event4688.Run, - // 4689 - A process has exited. - 4689: event4689.Run, - // 4697 - A service was installed in the system. - 4697: event4697.Run, - // 4698 - A scheduled task was created. - 4698: scheduledTask.Run, - // 4699 - A scheduled task was deleted. - 4699: scheduledTask.Run, - // 4700 - A scheduled task was enabled. - 4700: scheduledTask.Run, - // 4701 - A scheduled task was disabled. - 4701: scheduledTask.Run, - // 4702 - A scheduled task was updated. 
- 4702: scheduledTask.Run, - // 4719 - System audit policy was changed. - 4719: auditChanged.Run, - // 4720 - A user account was created - 4720: userMgmtEvts.Run, - // 4722 - A user account was enabled - 4722: userMgmtEvts.Run, - // 4723 - An attempt was made to change an account's password - 4723: userMgmtEvts.Run, - // 4724 - An attempt was made to reset an account's password - 4724: userMgmtEvts.Run, - // 4725 - A user account was disabled. - 4725: userMgmtEvts.Run, - // 4726 - An user account was deleted. - 4726: userMgmtEvts.Run, - // 4727 - A security-enabled global group was created. - 4727: groupMgmtEvts.Run, - // 4728 - A member was added to a security-enabled global group. - 4728: groupMgmtEvts.Run, - // 4729 - A member was removed from a security-enabled global group. - 4729: groupMgmtEvts.Run, - // 4730 - A security-enabled global group was deleted. - 4730: groupMgmtEvts.Run, - // 4731 - A security-enabled local group was created. - 4731: groupMgmtEvts.Run, - // 4732 - A member was added to a security-enabled local group. - 4732: groupMgmtEvts.Run, - // 4733 - A member was removed from a security-enabled local group. - 4733: groupMgmtEvts.Run, - // 4734 - A security-enabled local group was deleted. - 4734: groupMgmtEvts.Run, - // 4735 - A security-enabled local group was changed. - 4735: groupMgmtEvts.Run, - // 4737 - A security-enabled global group was changed. - 4737: groupMgmtEvts.Run, - // 4738 - An user account was changed. - 4738: userMgmtEvts.Run, - // 4740 - An account was locked out - 4740: userMgmtEvts.Run, - // 4741 - A computer account was created. - 4741: computerMgmtEvts.Run, - // 4742 - A computer account was changed. - 4742: computerMgmtEvts.Run, - // 4743 - A computer account was deleted. - 4743: computerMgmtEvts.Run, - // 4744 - A security-disabled local group was created. - 4744: groupMgmtEvts.Run, - // 4745 - A security-disabled local group was changed. 
- 4745: groupMgmtEvts.Run, - // 4746 - A member was added to a security-disabled local group. - 4746: groupMgmtEvts.Run, - // 4747 - A member was removed from a security-disabled local group. - 4747: groupMgmtEvts.Run, - // 4748 - A security-disabled local group was deleted. - 4748: groupMgmtEvts.Run, - // 4749 - A security-disabled global group was created. - 4749: groupMgmtEvts.Run, - // 4750 - A security-disabled global group was changed. - 4750: groupMgmtEvts.Run, - // 4751 - A member was added to a security-disabled global group. - 4751: groupMgmtEvts.Run, - // 4752 - A member was removed from a security-disabled global group. - 4752: groupMgmtEvts.Run, - // 4753 - A security-disabled global group was deleted. - 4753: groupMgmtEvts.Run, - // 4754 - A security-enabled universal group was created. - 4754: groupMgmtEvts.Run, - // 4755 - A security-enabled universal group was changed. - 4755: groupMgmtEvts.Run, - // 4756 - A member was added to a security-enabled universal group. - 4756: groupMgmtEvts.Run, - // 4757 - A member was removed from a security-enabled universal group. - 4757: groupMgmtEvts.Run, - // 4758 - A security-enabled universal group was deleted. - 4758: groupMgmtEvts.Run, - // 4759 - A security-disabled universal group was created. - 4759: groupMgmtEvts.Run, - // 4760 - A security-disabled universal group was changed. - 4760: groupMgmtEvts.Run, - // 4761 - A member was added to a security-disabled universal group. - 4761: groupMgmtEvts.Run, - // 4762 - A member was removed from a security-disabled universal group. - 4762: groupMgmtEvts.Run, - // 4763 - A security-disabled global group was deleted. - 4763: groupMgmtEvts.Run, - // 4764 - A group\'s type was changed. - 4764: groupMgmtEvts.Run, - // 4767 - A user account was unlocked. - 4767: userMgmtEvts.Run, - // 4768 - A Kerberos authentication ticket TGT was requested. - 4768: kerberosTktEvts.Run, - // 4769 - A Kerberos service ticket was requested. 
- 4769: kerberosTktEvts.Run, - // 4770 - A Kerberos service ticket was renewed. - 4770: kerberosTktEvts.Run, - // 4771 - Kerberos pre-authentication failed. - 4771: kerberosTktEvts.Run, - // 4776 - The computer attempted to validate the credentials for an account. - 4776: event4776.Run, - // 4778 - A session was reconnected to a Window Station. - 4778: sessionEvts.Run, - // 4779 - A session was disconnected from a Window Station. - 4779: sessionEvts.Run, - // 4781 - The name of an account was changed. - 4781: userRenamed.Run, - // 4798 - A user's local group membership was enumerated. - 4798: userMgmtEvts.Run, - // 4799 - A security-enabled local group membership was enumerated. - 4799: groupMgmtEvts.Run, - // 4964 - Special groups have been assigned to a new logon. - 4964: event4964.Run, - process: function(evt) { - var eventId = evt.Get("winlog.event_id"); - var processor = this[eventId]; - if (processor === undefined) { - return; - } - evt.Put("event.module", "security"); - processor(evt); - }, - }; - })(); - function process(evt) { - return security.process(evt); - } \ No newline at end of file diff --git a/packages/system/0.10.6/data_stream/security/elasticsearch/ingest_pipeline/default.yml b/packages/system/0.10.6/data_stream/security/elasticsearch/ingest_pipeline/default.yml deleted file mode 100644 index 4b6fecee0d..0000000000 --- a/packages/system/0.10.6/data_stream/security/elasticsearch/ingest_pipeline/default.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -description: Pipeline for Windows Security Event Logs -processors: - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' -on_failure: - - set: - field: "error.message" - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/system/0.10.6/data_stream/security/fields/agent.yml b/packages/system/0.10.6/data_stream/security/fields/agent.yml deleted file mode 100644 index da4e652c53..0000000000 --- a/packages/system/0.10.6/data_stream/security/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.10.6/data_stream/security/fields/base-fields.yml b/packages/system/0.10.6/data_stream/security/fields/base-fields.yml deleted file mode 100644 index a9a65458fc..0000000000 --- a/packages/system/0.10.6/data_stream/security/fields/base-fields.yml +++ /dev/null @@ -1,21 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset name. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: dataset.type - type: constant_keyword - description: Dataset type. -- name: dataset.name - type: constant_keyword - description: Dataset name. -- name: dataset.namespace - type: constant_keyword - description: Dataset namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.10.6/data_stream/security/fields/ecs.yml b/packages/system/0.10.6/data_stream/security/fields/ecs.yml deleted file mode 100644 index ccf9959fcb..0000000000 --- a/packages/system/0.10.6/data_stream/security/fields/ecs.yml +++ /dev/null 
@@ -1,147 +0,0 @@ -- description: Error message. - name: error.message - type: text -- description: The action captured by the event. - example: user-password-change - ignore_above: 1024 - name: event.action - type: keyword -- description: Event category. The second categorization field in the hierarchy. - example: authentication - ignore_above: 1024 - name: event.category - type: keyword -- description: Identification code for this event. - example: 4648 - ignore_above: 1024 - name: event.code - type: keyword -- description: Time when the event was first read by an agent or by your pipeline. - example: '2016-05-23T08:05:34.857Z' - name: event.created - type: date -- description: Timestamp when an event arrived in the central data store. - example: '2016-05-23T08:05:35.101Z' - name: event.ingested - type: date -- description: Name of the module this data is coming from. - example: apache - ignore_above: 1024 - name: event.module - type: keyword -- description: Event type. The third categorization field in the hierarchy. - ignore_above: 1024 - name: event.type - type: keyword -- description: Name of the directory the group is a member of. - ignore_above: 1024 - name: group.domain - type: keyword -- description: Unique identifier for the group on the system/platform. - ignore_above: 1024 - name: group.id - type: keyword -- description: Name of the group. - ignore_above: 1024 - name: group.name - type: keyword -- description: Full command line that started the process. - example: /usr/bin/ssh -l user 10.0.0.16 - ignore_above: 1024 - multi_fields: - - flat_name: process.command_line.text - name: text - norms: false - type: text - name: process.command_line - type: keyword -- description: Absolute path to the process executable. - example: /usr/bin/ssh - ignore_above: 1024 - multi_fields: - - flat_name: process.executable.text - name: text - norms: false - type: text - name: process.executable - type: keyword -- description: Process name. 
- example: ssh - ignore_above: 1024 - multi_fields: - - flat_name: process.name.text - name: text - norms: false - type: text - name: process.name - type: keyword -- description: Absolute path to the process executable. - example: /usr/bin/ssh - ignore_above: 1024 - multi_fields: - - flat_name: process.parent.executable.text - name: text - norms: false - type: text - name: process.parent.executable - type: keyword -- description: Process id. - example: 4242 - name: process.pid - type: long -- description: All the user names seen on your event. - ignore_above: 1024 - name: related.user - type: keyword -- description: Name of the service. - example: elasticsearch-metrics - ignore_above: 1024 - name: service.name - type: keyword -- description: The type of the service. - example: elasticsearch - ignore_above: 1024 - name: service.type - type: keyword -- description: Source domain. - ignore_above: 1024 - name: source.domain - type: keyword -- description: IP address of the source. - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: Name of the directory the user is a member of. - ignore_above: 1024 - name: user.domain - type: keyword -- description: Unique identifier of the user. - ignore_above: 1024 - name: user.id - type: keyword -- description: Short name or login of the user. - example: albert - ignore_above: 1024 - multi_fields: - - flat_name: user.name.text - name: text - norms: false - type: text - name: user.name - type: keyword -- description: Identification code for this event. - example: 4648 - ignore_above: 1024 - name: event.code - type: keyword -- description: Log level of the log event. - name: log.level - type: keyword -- description: Host ip addresses. - name: host.ip - type: ip -- description: The outcome of the event. The lowest level categorization field in the hierarchy. - name: event.outcome - type: keyword 
diff --git a/packages/system/0.10.6/data_stream/security/fields/fields.yml b/packages/system/0.10.6/data_stream/security/fields/fields.yml deleted file mode 100644 index b8c2eedfc2..0000000000 --- a/packages/system/0.10.6/data_stream/security/fields/fields.yml +++ /dev/null @@ -1,26 +0,0 @@ -- name: winlog - type: group - fields: - - name: logon - type: group - fields: - - name: type - type: keyword - description: | - Logon type name. This is the descriptive version of the `winlog.event_data.LogonType` ordinal. This is an enrichment added by the Security module. - - name: id - type: keyword - description: | - Logon ID that can be used to associate this logon with other events related to the same logon session. - - name: failure.reason - type: keyword - description: | - The reason the logon failed. - - name: failure.status - type: keyword - description: | - The reason the logon failed. This is textual description based on the value of the hexadecimal `Status` field. - - name: failure.sub_status - type: keyword - description: | - Additional information about the logon failure. This is a textual description based on the value of the hexidecimal `SubStatus` field. diff --git a/packages/system/0.10.6/data_stream/security/fields/winlog.yml b/packages/system/0.10.6/data_stream/security/fields/winlog.yml deleted file mode 100644 index 1661dec6f1..0000000000 --- a/packages/system/0.10.6/data_stream/security/fields/winlog.yml +++ /dev/null 
@@ -1,365 +0,0 @@ -- name: winlog - type: group - description: > - All fields specific to the Windows Event Log are defined here. - - fields: - - name: api - required: true - type: keyword - description: > - The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. - - The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. - - - name: activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. - - - name: computer_name - type: keyword - required: true - description: > - The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. - - - name: event_data - type: object - object_type: keyword - required: false - description: > - The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. - - - name: event_data - type: group - description: > - This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs. 
- - fields: - - name: AuthenticationPackageName - type: keyword - - name: Binary - type: keyword - - name: BitlockerUserInputTime - type: keyword - - name: BootMode - type: keyword - - name: BootType - type: keyword - - name: BuildVersion - type: keyword - - name: Company - type: keyword - - name: CorruptionActionState - type: keyword - - name: CreationUtcTime - type: keyword - - name: Description - type: keyword - - name: Detail - type: keyword - - name: DeviceName - type: keyword - - name: DeviceNameLength - type: keyword - - name: DeviceTime - type: keyword - - name: DeviceVersionMajor - type: keyword - - name: DeviceVersionMinor - type: keyword - - name: DriveName - type: keyword - - name: DriverName - type: keyword - - name: DriverNameLength - type: keyword - - name: DwordVal - type: keyword - - name: EntryCount - type: keyword - - name: ExtraInfo - type: keyword - - name: FailureName - type: keyword - - name: FailureNameLength - type: keyword - - name: FileVersion - type: keyword - - name: FinalStatus - type: keyword - - name: Group - type: keyword - - name: IdleImplementation - type: keyword - - name: IdleStateCount - type: keyword - - name: ImpersonationLevel - type: keyword - - name: IntegrityLevel - type: keyword - - name: IpAddress - type: keyword - - name: IpPort - type: keyword - - name: KeyLength - type: keyword - - name: LastBootGood - type: keyword - - name: LastShutdownGood - type: keyword - - name: LmPackageName - type: keyword - - name: LogonGuid - type: keyword - - name: LogonId - type: keyword - - name: LogonProcessName - type: keyword - - name: LogonType - type: keyword - - name: MajorVersion - type: keyword - - name: MaximumPerformancePercent - type: keyword - - name: MemberName - type: keyword - - name: MemberSid - type: keyword - - name: MinimumPerformancePercent - type: keyword - - name: MinimumThrottlePercent - type: keyword - - name: MinorVersion - type: keyword - - name: NewProcessId - type: keyword - - name: NewProcessName - type: 
keyword - - name: NewSchemeGuid - type: keyword - - name: NewTime - type: keyword - - name: NominalFrequency - type: keyword - - name: Number - type: keyword - - name: OldSchemeGuid - type: keyword - - name: OldTime - type: keyword - - name: OriginalFileName - type: keyword - - name: Path - type: keyword - - name: PerformanceImplementation - type: keyword - - name: PreviousCreationUtcTime - type: keyword - - name: PreviousTime - type: keyword - - name: PrivilegeList - type: keyword - - name: ProcessId - type: keyword - - name: ProcessName - type: keyword - - name: ProcessPath - type: keyword - - name: ProcessPid - type: keyword - - name: Product - type: keyword - - name: PuaCount - type: keyword - - name: PuaPolicyId - type: keyword - - name: QfeVersion - type: keyword - - name: Reason - type: keyword - - name: SchemaVersion - type: keyword - - name: ScriptBlockText - type: keyword - - name: ServiceName - type: keyword - - name: ServiceVersion - type: keyword - - name: ShutdownActionType - type: keyword - - name: ShutdownEventCode - type: keyword - - name: ShutdownReason - type: keyword - - name: Signature - type: keyword - - name: SignatureStatus - type: keyword - - name: Signed - type: keyword - - name: StartTime - type: keyword - - name: State - type: keyword - - name: Status - type: keyword - - name: StopTime - type: keyword - - name: SubjectDomainName - type: keyword - - name: SubjectLogonId - type: keyword - - name: SubjectUserName - type: keyword - - name: SubjectUserSid - type: keyword - - name: TSId - type: keyword - - name: TargetDomainName - type: keyword - - name: TargetInfo - type: keyword - - name: TargetLogonGuid - type: keyword - - name: TargetLogonId - type: keyword - - name: TargetServerName - type: keyword - - name: TargetUserName - type: keyword - - name: NewTargetUserName - type: keyword - - name: OldTargetUserName - type: keyword - - name: TargetUserSid - type: keyword - - name: TerminalSessionId - type: keyword - - name: TokenElevationType - 
type: keyword - - name: TransmittedServices - type: keyword - - name: UserSid - type: keyword - - name: Version - type: keyword - - name: Workstation - type: keyword - - name: param1 - type: keyword - - name: param2 - type: keyword - - name: param3 - type: keyword - - name: param4 - type: keyword - - name: param5 - type: keyword - - name: param6 - type: keyword - - name: param7 - type: keyword - - name: param8 - type: keyword - - name: event_id - type: keyword - required: true - description: > - The event identifier. The value is specific to the source of the event. - - - name: keywords - type: keyword - required: false - description: > - The keywords are used to classify an event. - - - name: channel - type: keyword - required: true - description: > - The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. - - - name: record_id - type: keyword - required: true - description: > - The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. - - - name: related_activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. - - - name: opcode - type: keyword - required: false - description: > - The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. - - - name: provider_guid - type: keyword - required: false - description: > - A globally unique identifier that identifies the provider that logged the event. 
- - - name: process.pid - type: long - required: false - description: > - The process_id of the Client Server Runtime Process. - - - name: provider_name - type: keyword - required: true - description: > - The source of the event log record (the application or service that logged the record). - - - name: task - type: keyword - required: false - description: > - The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. - - - name: process.thread.id - type: long - required: false - - name: user_data - type: object - object_type: keyword - required: false - description: > - The event specific data. This field is mutually exclusive with `event_data`. - - - name: user.identifier - type: keyword - required: false - example: S-1-5-21-3541430928-2051711210-1391384369-1001 - description: > - The Windows security identifier (SID) of the account associated with this event. - - If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. - - - name: user.name - type: keyword - description: > - Name of the user associated with this event. - - - name: user.domain - type: keyword - required: false - description: > - The domain that the account associated with this event is a member of. - - - name: user.type - type: keyword - required: false - description: > - The type of account associated with this event. - - - name: version - type: long - required: false - description: The version number of the event's definition. diff --git a/packages/system/0.10.6/data_stream/security/manifest.yml b/packages/system/0.10.6/data_stream/security/manifest.yml deleted file mode 100644 index a0f8b8b08e..0000000000 
--- a/packages/system/0.10.6/data_stream/security/manifest.yml
+++ /dev/null
@@ -1,8 +0,0 @@
-type: logs
-title: Windows security logs
-release: experimental
-streams:
- - input: winlog
- template_path: winlog.yml.hbs
- title: Security
- description: 'Collect Windows security logs'
diff --git a/packages/system/0.10.6/data_stream/socket_summary/agent/stream/stream.yml.hbs b/packages/system/0.10.6/data_stream/socket_summary/agent/stream/stream.yml.hbs
deleted file mode 100644
index bbc8e63f4a..0000000000
--- a/packages/system/0.10.6/data_stream/socket_summary/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,2 +0,0 @@
-metricsets: ["socket_summary"]
-period: {{period}}
\ No newline at end of file
diff --git a/packages/system/0.10.6/data_stream/socket_summary/fields/agent.yml b/packages/system/0.10.6/data_stream/socket_summary/fields/agent.yml
deleted file mode 100644
index da4e652c53..0000000000
--- a/packages/system/0.10.6/data_stream/socket_summary/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.10.6/data_stream/socket_summary/fields/base-fields.yml b/packages/system/0.10.6/data_stream/socket_summary/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.10.6/data_stream/socket_summary/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.10.6/data_stream/socket_summary/fields/ecs.yml b/packages/system/0.10.6/data_stream/socket_summary/fields/ecs.yml
deleted file mode 100644
index 9f3d04118b..0000000000
--- a/packages/system/0.10.6/data_stream/socket_summary/fields/ecs.yml
+++ /dev/null
@@ -1,128 +0,0 @@ -- name: '@timestamp' - level: core - required: true - type: date - description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. -- name: message - level: core - type: text - description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. -- name: group - title: Group - group: 2 - type: group - fields: - - name: id - level: extended - type: keyword - description: Unique identifier for the group on the system/platform. - ignore_above: 1024 - - name: name - level: extended - type: keyword - description: Name of the group. - ignore_above: 1024 -- name: host - title: Host - group: 2 - type: group - fields: - - name: hostname - level: core - type: keyword - description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - ignore_above: 1024 -- name: process - title: Process - group: 2 - type: group - fields: - - name: name - level: extended - type: keyword - description: |- - Process name. - Sometimes called program name or similar. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - - name: pid - level: core - type: long - format: string - description: Process id. -- name: source - title: Source - group: 2 - type: group - fields: - - name: geo.city_name - level: core - type: keyword - description: City name. 
- ignore_above: 1024 - - name: geo.continent_name - level: core - type: keyword - description: Name of the continent. - ignore_above: 1024 - - name: geo.country_iso_code - level: core - type: keyword - description: Country ISO code. - ignore_above: 1024 - - name: geo.location - level: core - type: geo_point - description: Longitude and latitude. - - name: geo.region_iso_code - level: core - type: keyword - description: Region ISO code. - ignore_above: 1024 - - name: geo.region_name - level: core - type: keyword - description: Region name. - ignore_above: 1024 - - name: ip - level: core - type: ip - description: IP address of the source (IPv4 or IPv6). - - name: port - level: core - type: long - format: string - description: Port of the source. -- name: user - title: User - group: 2 - type: group - fields: - - name: id - level: core - type: keyword - description: Unique identifier of the user. - ignore_above: 1024 - - name: name - level: core - type: keyword - description: Short name or login of the user. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false diff --git a/packages/system/0.10.6/data_stream/socket_summary/fields/fields.yml b/packages/system/0.10.6/data_stream/socket_summary/fields/fields.yml deleted file mode 100644 index fca58be0c8..0000000000 --- a/packages/system/0.10.6/data_stream/socket_summary/fields/fields.yml +++ /dev/null 
@@ -1,106 +0,0 @@
-- name: system.socket.summary
- title: Socket summary
- type: group
- fields:
- - name: all
- type: group
- fields:
- - name: count
- type: integer
- metric_type: gauge
- description: |
- All open connections
- - name: listening
- type: integer
- metric_type: gauge
- description: |
- All listening ports
- - name: tcp
- type: group
- fields:
- - name: memory
- type: integer
- format: bytes
- unit: byte
- metric_type: gauge
- description: "Memory used by TCP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/tcp_mem. Only available on Linux. \n"
- - name: all
- type: group
- fields:
- - name: orphan
- type: integer
- metric_type: gauge
- description: |
- A count of all orphaned tcp sockets. Only available on Linux.
- - name: count
- type: integer
- metric_type: gauge
- description: |
- All open TCP connections
- - name: listening
- type: integer
- metric_type: gauge
- description: |
- All TCP listening ports
- - name: established
- type: integer
- metric_type: gauge
- description: |
- Number of established TCP connections
- - name: close_wait
- type: integer
- metric_type: gauge
- description: |
- Number of TCP connections in _close_wait_ state
- - name: time_wait
- type: integer
- metric_type: gauge
- description: |
- Number of TCP connections in _time_wait_ state
- - name: syn_sent
- type: integer
- metric_type: gauge
- description: |
- Number of TCP connections in _syn_sent_ state
- - name: syn_recv
- type: integer
- metric_type: gauge
- description: |
- Number of TCP connections in _syn_recv_ state
- - name: fin_wait1
- type: integer
- metric_type: gauge
- description: |
- Number of TCP connections in _fin_wait1_ state
- - name: fin_wait2
- type: integer
- metric_type: gauge
- description: |
- Number of TCP connections in _fin_wait2_ state
- - name: last_ack
- type: integer
- metric_type: gauge
- description: |
- Number of TCP connections in _last_ack_ state
- - name: closing
- type: integer
- metric_type: gauge
- description: |
- Number of TCP connections in _closing_ state
- - name: udp
- type: group
- fields:
- - name: memory
- type: integer
- format: bytes
- unit: byte
- metric_type: gauge
- description: "Memory used by UDP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/udp_mem. Only available on Linux. \n"
- - name: all
- type: group
- fields:
- - name: count
- type: integer
- metric_type: gauge
- description: |
- All open UDP connections
diff --git a/packages/system/0.10.6/data_stream/socket_summary/manifest.yml b/packages/system/0.10.6/data_stream/socket_summary/manifest.yml
deleted file mode 100644
index 119109fe70..0000000000
--- a/packages/system/0.10.6/data_stream/socket_summary/manifest.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-title: System socket_summary metrics
-release: experimental
-type: metrics
-streams:
- - input: system/metrics
- vars:
- - name: period
- type: text
- title: Period
- multi: false
- required: true
- show_user: true
- default: 10s
- title: System socket_summary metrics
- description: Collect System socket_summary metrics
diff --git a/packages/system/0.10.6/data_stream/syslog/agent/stream/log.yml.hbs b/packages/system/0.10.6/data_stream/syslog/agent/stream/log.yml.hbs
deleted file mode 100644
index 58c96859c0..0000000000
--- a/packages/system/0.10.6/data_stream/syslog/agent/stream/log.yml.hbs
+++ /dev/null
@@ -1,14 +0,0 @@
-paths:
-{{#each paths as |path i|}}
- - {{path}}
-{{/each}}
-exclude_files: [".gz$"]
-multiline:
- pattern: "^\\s"
- match: after
-processors:
- - add_locale: ~
- - add_fields:
- target: ''
- fields:
- ecs.version: 1.5.0
\ No newline at end of file
diff --git a/packages/system/0.10.6/data_stream/syslog/elasticsearch/ingest_pipeline/default.json b/packages/system/0.10.6/data_stream/syslog/elasticsearch/ingest_pipeline/default.json
deleted file mode 100644
index 0c614b8a95..0000000000
--- a/packages/system/0.10.6/data_stream/syslog/elasticsearch/ingest_pipeline/default.json
+++ /dev/null
@@ -1,71 +0,0 @@
-{
- "description": "Pipeline for parsing Syslog messages.",
- "processors": [
- {
- "grok": {
- "field": "message",
- "patterns": [
- "%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: %{GREEDYMULTILINE:system.syslog.message}",
- "%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{GREEDYMULTILINE:system.syslog.message}",
- "%{TIMESTAMP_ISO8601:system.syslog.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: %{GREEDYMULTILINE:system.syslog.message}"
- ],
- "pattern_definitions" : {
- "GREEDYMULTILINE" : "(.|\n)*"
- },
- "ignore_missing": true
- }
- },
- {
- "remove": {
- "field": "message"
- }
- },
- {
- "rename": {
- "field": "system.syslog.message",
- "target_field": "message",
- "ignore_missing": true
- }
- },
- {
- "date": {
- "if": "ctx.event.timezone == null",
- "field": "system.syslog.timestamp",
- "target_field": "@timestamp",
- "formats": [
- "MMM d HH:mm:ss",
- "MMM dd HH:mm:ss",
- "MMM d HH:mm:ss",
- "ISO8601"
- ],
- "on_failure": [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]
- }
- },
- {
- "date": {
- "if": "ctx.event.timezone != null",
- "field": "system.syslog.timestamp",
- "target_field": "@timestamp",
- "formats": [
- "MMM d HH:mm:ss",
- "MMM dd HH:mm:ss",
- "MMM d HH:mm:ss",
- "ISO8601"
- ],
- "timezone": "{{ event.timezone }}",
- "on_failure": [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]
- }
- },
- {
- "remove": {
- "field": "system.syslog.timestamp"
- }
- }
- ],
- "on_failure" : [{
- "set" : {
- "field" : "error.message",
- "value" : "{{ _ingest.on_failure_message }}"
- }
- }]
-}
diff --git a/packages/system/0.10.6/data_stream/syslog/elasticsearch/ingest_pipeline/default.yml b/packages/system/0.10.6/data_stream/syslog/elasticsearch/ingest_pipeline/default.yml deleted file mode 100644 index 0385fc138f..0000000000 --- a/packages/system/0.10.6/data_stream/syslog/elasticsearch/ingest_pipeline/default.yml +++ /dev/null @@ -1,58 +0,0 @@ ---- -description: Pipeline for parsing Syslog messages. -processors: -- grok: - field: message - patterns: - - '%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - %{GREEDYMULTILINE:system.syslog.message}' - - '%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{GREEDYMULTILINE:system.syslog.message}' - - '%{TIMESTAMP_ISO8601:system.syslog.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - %{GREEDYMULTILINE:system.syslog.message}' - pattern_definitions: - GREEDYMULTILINE: |- - (.| - )* - ignore_missing: true -- remove: - field: message -- rename: - field: system.syslog.message - target_field: message - ignore_missing: true -- date: - if: ctx.event.timezone == null - field: system.syslog.timestamp - target_field: '@timestamp' - formats: - - MMM d HH:mm:ss - - MMM dd HH:mm:ss - - MMM d HH:mm:ss - - ISO8601 - on_failure: - - append: - field: error.message - value: '{{ _ingest.on_failure_message }}' -- date: - if: ctx.event.timezone != null - field: system.syslog.timestamp - target_field: '@timestamp' - formats: - - MMM d HH:mm:ss - - MMM dd HH:mm:ss - - MMM d HH:mm:ss - - ISO8601 - timezone: '{{ event.timezone }}' - on_failure: - - append: - field: error.message - value: '{{ _ingest.on_failure_message }}' -- remove: - field: system.syslog.timestamp -- set: - field: event.type - value: event -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' 
diff --git a/packages/system/0.10.6/data_stream/syslog/fields/agent.yml b/packages/system/0.10.6/data_stream/syslog/fields/agent.yml
deleted file mode 100644
index da4e652c53..0000000000
--- a/packages/system/0.10.6/data_stream/syslog/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.10.6/data_stream/syslog/fields/base-fields.yml b/packages/system/0.10.6/data_stream/syslog/fields/base-fields.yml deleted file mode 100644 index 7c798f4534..0000000000 --- a/packages/system/0.10.6/data_stream/syslog/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.10.6/data_stream/syslog/fields/ecs.yml b/packages/system/0.10.6/data_stream/syslog/fields/ecs.yml deleted file mode 100644 index 6177e5856f..0000000000 --- a/packages/system/0.10.6/data_stream/syslog/fields/ecs.yml +++ /dev/null 
@@ -1,97 +0,0 @@ -- name: '@timestamp' - level: core - required: true - type: date - description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. -- name: message - level: core - type: text - description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. -- name: process - title: Process - group: 2 - type: group - fields: - - name: name - level: extended - type: keyword - description: |- - Process name. - Sometimes called program name or similar. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - - name: pid - level: core - type: long - format: string - description: Process id. -- description: "Operating system architecture." - ignore_above: 1024 - name: host.architecture - type: keyword -- description: "Name of the directory the group is a member of." - ignore_above: 1024 - name: host.domain - type: keyword -- description: "Hostname of the host." - ignore_above: 1024 - name: host.hostname - type: keyword -- description: "Unique host id." - ignore_above: 1024 - name: host.id - type: keyword -- description: "Host ip addresses." - name: host.ip - type: ip -- description: "Host mac addresses." - ignore_above: 1024 - name: host.mac - type: keyword -- description: "Name of the host." - ignore_above: 1024 - name: host.name - type: keyword -- description: "OS family (such as redhat, debian, freebsd, windows)." 
- ignore_above: 1024 - name: host.os.family - type: keyword -- description: "Operating system name, including the version or code name." - ignore_above: 1024 - multi_fields: - - name: text - norms: false - type: text - name: host.os.full - type: keyword -- description: "Operating system kernel version as a raw string." - ignore_above: 1024 - name: host.os.kernel - type: keyword -- description: "Operating system name, without the version." - ignore_above: 1024 - multi_fields: - - name: text - norms: false - type: text - name: host.os.name - type: keyword -- description: "Operating system platform (such centos, ubuntu, windows)." - ignore_above: 1024 - name: host.os.platform - type: keyword -- description: "Operating system version as a raw string." - ignore_above: 1024 - name: version - type: keyword diff --git a/packages/system/0.10.6/data_stream/syslog/fields/fields.yml b/packages/system/0.10.6/data_stream/syslog/fields/fields.yml deleted file mode 100644 index f933686930..0000000000 --- a/packages/system/0.10.6/data_stream/syslog/fields/fields.yml +++ /dev/null @@ -1,2 +0,0 @@ -- name: system.syslog - type: group diff --git a/packages/system/0.10.6/data_stream/syslog/manifest.yml b/packages/system/0.10.6/data_stream/syslog/manifest.yml deleted file mode 100644 index 1aa1fe9412..0000000000 --- a/packages/system/0.10.6/data_stream/syslog/manifest.yml +++ /dev/null @@ -1,18 +0,0 @@ -title: System syslog logs -release: experimental -type: logs -streams: - - input: logfile - vars: - - name: paths - type: text - title: Paths - multi: true - required: true - show_user: true - default: - - /var/log/messages* - - /var/log/syslog* - template_path: log.yml.hbs - title: System syslog logs (log) - description: Collect System syslog logs using log input diff --git a/packages/system/0.10.6/data_stream/system/agent/stream/winlog.yml.hbs b/packages/system/0.10.6/data_stream/system/agent/stream/winlog.yml.hbs deleted file mode 100644 index 47df93c51d..0000000000 
--- a/packages/system/0.10.6/data_stream/system/agent/stream/winlog.yml.hbs +++ /dev/null @@ -1,2 +0,0 @@ -name: System -condition: ${host.platform} == 'windows' \ No newline at end of file diff --git a/packages/system/0.10.6/data_stream/system/elasticsearch/ingest_pipeline/default.yml b/packages/system/0.10.6/data_stream/system/elasticsearch/ingest_pipeline/default.yml deleted file mode 100644 index 9f7e885a2f..0000000000 --- a/packages/system/0.10.6/data_stream/system/elasticsearch/ingest_pipeline/default.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -description: Pipeline for Windows System Event Logs -processors: - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' -on_failure: - - set: - field: "error.message" - value: "{{ _ingest.on_failure_message }}" \ No newline at end of file diff --git a/packages/system/0.10.6/data_stream/system/fields/agent.yml b/packages/system/0.10.6/data_stream/system/fields/agent.yml deleted file mode 100644 index da4e652c53..0000000000 --- a/packages/system/0.10.6/data_stream/system/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.10.6/data_stream/system/fields/base-fields.yml b/packages/system/0.10.6/data_stream/system/fields/base-fields.yml deleted file mode 100644 index 7c798f4534..0000000000 --- a/packages/system/0.10.6/data_stream/system/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.10.6/data_stream/system/fields/ecs.yml b/packages/system/0.10.6/data_stream/system/fields/ecs.yml deleted file mode 100644 index e1817f5ca6..0000000000 --- a/packages/system/0.10.6/data_stream/system/fields/ecs.yml +++ /dev/null @@ -1,16 +0,0 @@ -- description: Time when the event was first read by an agent or by your pipeline. - example: '2016-05-23T08:05:34.857Z' - name: event.created - type: date -- description: Timestamp when an event arrived in the central data store. - example: '2016-05-23T08:05:35.101Z' - name: event.ingested - type: date -- description: Raw text message of entire event. - example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 - ignore_above: 1024 - name: event.original - type: keyword -- description: Error message. - name: error.message - type: text diff --git a/packages/system/0.10.6/data_stream/system/fields/winlog.yml b/packages/system/0.10.6/data_stream/system/fields/winlog.yml deleted file mode 100644 index adca1bbdd0..0000000000 --- a/packages/system/0.10.6/data_stream/system/fields/winlog.yml +++ /dev/null 
@@ -1,357 +0,0 @@ -- name: winlog - type: group - description: > - All fields specific to the Windows Event Log are defined here. - - fields: - - name: api - required: true - type: keyword - description: > - The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. - - - name: activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. - - - name: computer_name - type: keyword - required: true - description: > - The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. - - - name: event_data - type: object - object_type: keyword - required: false - description: > - The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. - - - name: event_data - type: group - description: > - This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs. 
- - fields: - - name: AuthenticationPackageName - type: keyword - - name: Binary - type: keyword - - name: BitlockerUserInputTime - type: keyword - - name: BootMode - type: keyword - - name: BootType - type: keyword - - name: BuildVersion - type: keyword - - name: Company - type: keyword - - name: CorruptionActionState - type: keyword - - name: CreationUtcTime - type: keyword - - name: Description - type: keyword - - name: Detail - type: keyword - - name: DeviceName - type: keyword - - name: DeviceNameLength - type: keyword - - name: DeviceTime - type: keyword - - name: DeviceVersionMajor - type: keyword - - name: DeviceVersionMinor - type: keyword - - name: DriveName - type: keyword - - name: DriverName - type: keyword - - name: DriverNameLength - type: keyword - - name: DwordVal - type: keyword - - name: EntryCount - type: keyword - - name: ExtraInfo - type: keyword - - name: FailureName - type: keyword - - name: FailureNameLength - type: keyword - - name: FileVersion - type: keyword - - name: FinalStatus - type: keyword - - name: Group - type: keyword - - name: IdleImplementation - type: keyword - - name: IdleStateCount - type: keyword - - name: ImpersonationLevel - type: keyword - - name: IntegrityLevel - type: keyword - - name: IpAddress - type: keyword - - name: IpPort - type: keyword - - name: KeyLength - type: keyword - - name: LastBootGood - type: keyword - - name: LastShutdownGood - type: keyword - - name: LmPackageName - type: keyword - - name: LogonGuid - type: keyword - - name: LogonId - type: keyword - - name: LogonProcessName - type: keyword - - name: LogonType - type: keyword - - name: MajorVersion - type: keyword - - name: MaximumPerformancePercent - type: keyword - - name: MemberName - type: keyword - - name: MemberSid - type: keyword - - name: MinimumPerformancePercent - type: keyword - - name: MinimumThrottlePercent - type: keyword - - name: MinorVersion - type: keyword - - name: NewProcessId - type: keyword - - name: NewProcessName - type: 
keyword - - name: NewSchemeGuid - type: keyword - - name: NewTime - type: keyword - - name: NominalFrequency - type: keyword - - name: Number - type: keyword - - name: OldSchemeGuid - type: keyword - - name: OldTime - type: keyword - - name: OriginalFileName - type: keyword - - name: Path - type: keyword - - name: PerformanceImplementation - type: keyword - - name: PreviousCreationUtcTime - type: keyword - - name: PreviousTime - type: keyword - - name: PrivilegeList - type: keyword - - name: ProcessId - type: keyword - - name: ProcessName - type: keyword - - name: ProcessPath - type: keyword - - name: ProcessPid - type: keyword - - name: Product - type: keyword - - name: PuaCount - type: keyword - - name: PuaPolicyId - type: keyword - - name: QfeVersion - type: keyword - - name: Reason - type: keyword - - name: SchemaVersion - type: keyword - - name: ScriptBlockText - type: keyword - - name: ServiceName - type: keyword - - name: ServiceVersion - type: keyword - - name: ShutdownActionType - type: keyword - - name: ShutdownEventCode - type: keyword - - name: ShutdownReason - type: keyword - - name: Signature - type: keyword - - name: SignatureStatus - type: keyword - - name: Signed - type: keyword - - name: StartTime - type: keyword - - name: State - type: keyword - - name: Status - type: keyword - - name: StopTime - type: keyword - - name: SubjectDomainName - type: keyword - - name: SubjectLogonId - type: keyword - - name: SubjectUserName - type: keyword - - name: SubjectUserSid - type: keyword - - name: TSId - type: keyword - - name: TargetDomainName - type: keyword - - name: TargetInfo - type: keyword - - name: TargetLogonGuid - type: keyword - - name: TargetLogonId - type: keyword - - name: TargetServerName - type: keyword - - name: TargetUserName - type: keyword - - name: TargetUserSid - type: keyword - - name: TerminalSessionId - type: keyword - - name: TokenElevationType - type: keyword - - name: TransmittedServices - type: keyword - - name: UserSid - type: 
keyword - - name: Version - type: keyword - - name: Workstation - type: keyword - - name: param1 - type: keyword - - name: param2 - type: keyword - - name: param3 - type: keyword - - name: param4 - type: keyword - - name: param5 - type: keyword - - name: param6 - type: keyword - - name: param7 - type: keyword - - name: param8 - type: keyword - - name: event_id - type: keyword - required: true - description: > - The event identifier. The value is specific to the source of the event. - - - name: keywords - type: keyword - required: false - description: > - The keywords are used to classify an event. - - - name: channel - type: keyword - required: true - description: > - The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. - - - name: record_id - type: keyword - required: true - description: > - The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. - - - name: related_activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. - - - name: opcode - type: keyword - required: false - description: > - The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. - - - name: provider_guid - type: keyword - required: false - description: > - A globally unique identifier that identifies the provider that logged the event. - - - name: process.pid - type: long - required: false - description: > - The process_id of the Client Server Runtime Process. 
- - - name: provider_name - type: keyword - required: true - description: > - The source of the event log record (the application or service that logged the record). - - - name: task - type: keyword - required: false - description: > - The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. - - - name: process.thread.id - type: long - required: false - - name: user_data - type: object - object_type: keyword - required: false - description: > - The event specific data. This field is mutually exclusive with `event_data`. - - - name: user.identifier - type: keyword - required: false - example: S-1-5-21-3541430928-2051711210-1391384369-1001 - description: > - The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. - - - name: user.name - type: keyword - description: > - Name of the user associated with this event. - - - name: user.domain - type: keyword - required: false - description: > - The domain that the account associated with this event is a member of. - - - name: user.type - type: keyword - required: false - description: > - The type of account associated with this event. - - - name: version - type: long - required: false - description: The version number of the event's definition. diff --git a/packages/system/0.10.6/data_stream/system/manifest.yml b/packages/system/0.10.6/data_stream/system/manifest.yml deleted file mode 100644 index e9bec4fd1e..0000000000 --- a/packages/system/0.10.6/data_stream/system/manifest.yml +++ /dev/null 
@@ -1,8 +0,0 @@ -type: logs -title: Windows System Events -release: experimental -streams: - - input: winlog - template_path: winlog.yml.hbs - title: System - description: 'Collect Windows system logs' diff --git a/packages/system/0.10.6/data_stream/uptime/agent/stream/stream.yml.hbs b/packages/system/0.10.6/data_stream/uptime/agent/stream/stream.yml.hbs deleted file mode 100644 index 810f6a1f3e..0000000000 --- a/packages/system/0.10.6/data_stream/uptime/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,2 +0,0 @@ -metricsets: ["uptime"] -period: {{period}} \ No newline at end of file diff --git a/packages/system/0.10.6/data_stream/uptime/fields/agent.yml b/packages/system/0.10.6/data_stream/uptime/fields/agent.yml deleted file mode 100644 index da4e652c53..0000000000 --- a/packages/system/0.10.6/data_stream/uptime/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.10.6/data_stream/uptime/fields/base-fields.yml b/packages/system/0.10.6/data_stream/uptime/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.10.6/data_stream/uptime/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.10.6/data_stream/uptime/fields/fields.yml b/packages/system/0.10.6/data_stream/uptime/fields/fields.yml
deleted file mode 100644
index 7c61a13721..0000000000
--- a/packages/system/0.10.6/data_stream/uptime/fields/fields.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-- name: system.uptime
- type: group
- fields:
- - name: duration.ms
- type: long
- format: duration
- unit: ms
- metric_type: counter
- description: |
- The OS uptime in milliseconds.
diff --git a/packages/system/0.10.6/data_stream/uptime/manifest.yml b/packages/system/0.10.6/data_stream/uptime/manifest.yml
deleted file mode 100644
index d1fc1f1579..0000000000
--- a/packages/system/0.10.6/data_stream/uptime/manifest.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-title: System uptime metrics
-release: experimental
-type: metrics
-streams:
- - input: system/metrics
- vars:
- - name: period
- type: text
- title: Period
- multi: false
- required: true
- show_user: true
- default: 10s
- title: System uptime metrics
- description: Collect System uptime metrics
diff --git a/packages/system/0.10.6/docs/README.md b/packages/system/0.10.6/docs/README.md
deleted file mode 100644
index 5684155aa6..0000000000
--- a/packages/system/0.10.6/docs/README.md
+++ /dev/null
@@ -1,1504 +0,0 @@ -# System Integration - -The System integrations allows you to monitor your servers. Because the System integration -always applies to the local server, the `hosts` config option is not needed. - -The default datasets are `cpu`, `load`, `memory`, `network`, `process`, and -`process_summary`. If _all_ datasets are disabled -and the System module is still enabled, fleet uses the default datasets. - -Note that certain datasets may access `/proc` to gather process information, -and the resulting `ptrace_may_access()` call by the kernel to check for -permissions can be blocked by -[AppArmor and other LSM software](https://gitlab.com/apparmor/apparmor/wikis/TechnicalDoc_Proc_and_ptrace), even though the System module doesn't use `ptrace` directly. - -## Compatibility - -The System datasets collect different kinds of metric data, which may require dedicated permissions -to be fetched and which may vary across operating systems. - -## Metrics - -### Core - -The System `core` dataset provides usage statistics for each CPU core. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- OpenBSD -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. 
Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip address. | ip | -| host.mac | Host mac address. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. 
| keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. | keyword | -| system.core.id | CPU Core number. | keyword | -| system.core.idle.pct | The percentage of CPU time spent idle. | scaled_float | -| system.core.idle.ticks | The amount of CPU time spent idle. | long | -| system.core.iowait.pct | The percentage of CPU time spent in wait (on disk). | scaled_float | -| system.core.iowait.ticks | The amount of CPU time spent in wait (on disk). | long | -| system.core.irq.pct | The percentage of CPU time spent servicing and handling hardware interrupts. | scaled_float | -| system.core.irq.ticks | The amount of CPU time spent servicing and handling hardware interrupts. | long | -| system.core.nice.pct | The percentage of CPU time spent on low-priority processes. | scaled_float | -| system.core.nice.ticks | The amount of CPU time spent on low-priority processes. | long | -| system.core.softirq.pct | The percentage of CPU time spent servicing and handling software interrupts. | scaled_float | -| system.core.softirq.ticks | The amount of CPU time spent servicing and handling software interrupts. | long | -| system.core.steal.pct | The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | scaled_float | -| system.core.steal.ticks | The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | long | -| system.core.system.pct | The percentage of CPU time spent in kernel space. | scaled_float | -| system.core.system.ticks | The amount of CPU time spent in kernel space. | long | -| system.core.user.pct | The percentage of CPU time spent in user space. | scaled_float | -| system.core.user.ticks | The amount of CPU time spent in user space. 
| long | - - -### CPU - -The System `cpu` dataset provides CPU statistics. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- OpenBSD -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.cpu.pct | Percent CPU used. This value is normalized by the number of CPU cores and it ranges from 0 to 1. | scaled_float | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. 
For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip address. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| system.cpu.cores | The number of CPU cores present on the host. The non-normalized percentages will have a maximum value of `100% * cores`. The normalized percentages already take this value into account and have a maximum value of 100%. | long | -| system.cpu.idle.norm.pct | The percentage of CPU time spent idle. | scaled_float | -| system.cpu.idle.pct | The percentage of CPU time spent idle. | scaled_float | -| system.cpu.idle.ticks | The amount of CPU time spent idle. 
| long | -| system.cpu.iowait.norm.pct | The percentage of CPU time spent in wait (on disk). | scaled_float | -| system.cpu.iowait.pct | The percentage of CPU time spent in wait (on disk). | scaled_float | -| system.cpu.iowait.ticks | The amount of CPU time spent in wait (on disk). | long | -| system.cpu.irq.norm.pct | The percentage of CPU time spent servicing and handling hardware interrupts. | scaled_float | -| system.cpu.irq.pct | The percentage of CPU time spent servicing and handling hardware interrupts. | scaled_float | -| system.cpu.irq.ticks | The amount of CPU time spent servicing and handling hardware interrupts. | long | -| system.cpu.nice.norm.pct | The percentage of CPU time spent on low-priority processes. | scaled_float | -| system.cpu.nice.pct | The percentage of CPU time spent on low-priority processes. | scaled_float | -| system.cpu.nice.ticks | The amount of CPU time spent on low-priority processes. | long | -| system.cpu.softirq.norm.pct | The percentage of CPU time spent servicing and handling software interrupts. | scaled_float | -| system.cpu.softirq.pct | The percentage of CPU time spent servicing and handling software interrupts. | scaled_float | -| system.cpu.softirq.ticks | The amount of CPU time spent servicing and handling software interrupts. | long | -| system.cpu.steal.norm.pct | The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | scaled_float | -| system.cpu.steal.pct | The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | scaled_float | -| system.cpu.steal.ticks | The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | long | -| system.cpu.system.norm.pct | The percentage of CPU time spent in kernel space. 
| scaled_float | -| system.cpu.system.pct | The percentage of CPU time spent in kernel space. | scaled_float | -| system.cpu.system.ticks | The amount of CPU time spent in kernel space. | long | -| system.cpu.total.norm.pct | The percentage of CPU time in states other than Idle and IOWait, normalised by the number of cores. | scaled_float | -| system.cpu.total.pct | The percentage of CPU time spent in states other than Idle and IOWait. | scaled_float | -| system.cpu.user.norm.pct | The percentage of CPU time spent in user space. | scaled_float | -| system.cpu.user.pct | The percentage of CPU time spent in user space. On multi-core systems, you can have percentages that are greater than 100%. For example, if 3 cores are at 60% use, then the `system.cpu.user.pct` will be 180%. | scaled_float | -| system.cpu.user.ticks | The amount of CPU time spent in user space. | long | - - -### Disk IO - -The System `diskio` dataset provides disk IO metrics collected from the -operating system. One event is created for each disk mounted on the system. - -This dataset is available on: - -- Linux -- macOS (requires 10.10+) -- Windows -- FreeBSD (amd64) - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. 
Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.disk.read.bytes | The total number of bytes read successfully in a given period of time. | scaled_float | -| host.disk.write.bytes | The total number of bytes write successfully in a given period of time. | scaled_float | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). 
| keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| system.diskio.io.time | The total number of of milliseconds spent doing I/Os. | long | -| system.diskio.iostat.await | The average time spent for requests issued to the device to be served. | float | -| system.diskio.iostat.busy | Percentage of CPU time during which I/O requests were issued to the device (bandwidth utilization for the device). Device saturation occurs when this value is close to 100%. | float | -| system.diskio.iostat.queue.avg_size | The average queue length of the requests that were issued to the device. | float | -| system.diskio.iostat.read.await | The average time spent for read requests issued to the device to be served. | float | -| system.diskio.iostat.read.per_sec.bytes | The number of Bytes read from the device per second. | float | -| system.diskio.iostat.read.request.merges_per_sec | The number of read requests merged per second that were queued to the device. | float | -| system.diskio.iostat.read.request.per_sec | The number of read requests that were issued to the device per second | float | -| system.diskio.iostat.request.avg_size | The average size (in bytes) of the requests that were issued to the device. | float | -| system.diskio.iostat.service_time | The average service time (in milliseconds) for I/O requests that were issued to the device. 
| float | -| system.diskio.iostat.write.await | The average time spent for write requests issued to the device to be served. | float | -| system.diskio.iostat.write.per_sec.bytes | The number of Bytes write from the device per second. | float | -| system.diskio.iostat.write.request.merges_per_sec | The number of write requests merged per second that were queued to the device. | float | -| system.diskio.iostat.write.request.per_sec | The number of write requests that were issued to the device per second | float | -| system.diskio.name | The disk name. | keyword | -| system.diskio.read.bytes | The total number of bytes read successfully. On Linux this is the number of sectors read multiplied by an assumed sector size of 512. | long | -| system.diskio.read.count | The total number of reads completed successfully. | long | -| system.diskio.read.time | The total number of milliseconds spent by all reads. | long | -| system.diskio.serial_number | The disk's serial number. This may not be provided by all operating systems. | keyword | -| system.diskio.write.bytes | The total number of bytes written successfully. On Linux this is the number of sectors written multiplied by an assumed sector size of 512. | long | -| system.diskio.write.count | The total number of writes completed successfully. | long | -| system.diskio.write.time | The total number of milliseconds spent by all writes. | long | - - -### Filesystem - -The System `filesystem` dataset provides file system statistics. For each file -system, one document is provided. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- OpenBSD -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. 
The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| system.filesystem.available | The disk space available to an unprivileged user in bytes. | long | -| system.filesystem.device_name | The disk name. For example: `/dev/disk1` | keyword | -| system.filesystem.files | The total number of file nodes in the file system. | long | -| system.filesystem.free | The disk space available in bytes. | long | -| system.filesystem.free_files | The number of free file nodes in the file system. | long | -| system.filesystem.mount_point | The mounting point. For example: `/` | keyword | -| system.filesystem.total | The total disk space in bytes. | long | -| system.filesystem.type | The disk type. For example: `ext4` | keyword | -| system.filesystem.used.bytes | The used disk space in bytes. | long | -| system.filesystem.used.pct | The percentage of used disk space. | scaled_float | - - -### Fsstat - -The System `fsstat` dataset provides overall file system statistics. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- OpenBSD -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. 
| date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. 
| ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. | keyword | -| system.fsstat.count | Number of file systems found. | long | -| system.fsstat.total_files | Total number of files. | long | -| system.fsstat.total_size.free | Total free space. | long | -| system.fsstat.total_size.total | Total space (used plus free). | long | -| system.fsstat.total_size.used | Total used space. | long | - - -### Load - -The System `load` dataset provides load statistics. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- OpenBSD - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. 
| keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac address. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.full | Operating system name, including the version or code name. 
| keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. | keyword | -| system.load.1 | Load average for the last minute. | scaled_float | -| system.load.15 | Load average for the last 15 minutes. | scaled_float | -| system.load.5 | Load average for the last 5 minutes. | scaled_float | -| system.load.cores | The number of CPU cores present on the host. | long | -| system.load.norm.1 | Load for the last minute divided by the number of cores. | scaled_float | -| system.load.norm.15 | Load for the last 15 minutes divided by the number of cores. | scaled_float | -| system.load.norm.5 | Load for the last 5 minutes divided by the number of cores. | scaled_float | - - -### Memory - -The System `memory` dataset provides memory statistics. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- OpenBSD -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. 
| keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip address. | ip | -| host.mac | Host mac address. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). 
| keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| system.memory.actual.free | Actual free memory in bytes. It is calculated based on the OS. On Linux this value will be MemAvailable from /proc/meminfo, or calculated from free memory plus caches and buffers if /proc/meminfo is not available. On OSX it is a sum of free memory and the inactive memory. On Windows, it is equal to `system.memory.free`. | long | -| system.memory.actual.used.bytes | Actual used memory in bytes. It represents the difference between the total and the available memory. The available memory depends on the OS. For more details, please check `system.actual.free`. | long | -| system.memory.actual.used.pct | The percentage of actual used memory. | scaled_float | -| system.memory.free | The total amount of free memory in bytes. This value does not include memory consumed by system caches and buffers (see system.memory.actual.free). | long | -| system.memory.hugepages.default_size | Default size for huge pages. | long | -| system.memory.hugepages.free | Number of available huge pages in the pool. | long | -| system.memory.hugepages.reserved | Number of reserved but not allocated huge pages in the pool. | long | -| system.memory.hugepages.surplus | Number of overcommited huge pages. | long | -| system.memory.hugepages.swap.out.fallback | Count of huge pages that must be split before swapout | long | -| system.memory.hugepages.swap.out.pages | pages swapped out | long | -| system.memory.hugepages.total | Number of huge pages in the pool. | long | -| system.memory.hugepages.used.bytes | Memory used in allocated huge pages. | long | -| system.memory.hugepages.used.pct | Percentage of huge pages used. 
| long | -| system.memory.page_stats.direct_efficiency.pct | direct reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory. | scaled_float | -| system.memory.page_stats.kswapd_efficiency.pct | kswapd reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory. | scaled_float | -| system.memory.page_stats.pgfree.pages | pages freed by the system | long | -| system.memory.page_stats.pgscan_direct.pages | pages scanned directly | long | -| system.memory.page_stats.pgscan_kswapd.pages | pages scanned by kswapd | long | -| system.memory.page_stats.pgsteal_direct.pages | number of pages reclaimed directly | long | -| system.memory.page_stats.pgsteal_kswapd.pages | number of pages reclaimed by kswapd | long | -| system.memory.swap.free | Available swap memory. | long | -| system.memory.swap.in.pages | count of pages swapped in | long | -| system.memory.swap.out.pages | count of pages swapped out | long | -| system.memory.swap.readahead.cached | swap readahead cache hits | long | -| system.memory.swap.readahead.pages | swap readahead pages | long | -| system.memory.swap.total | Total swap memory. | long | -| system.memory.swap.used.bytes | Used swap memory. | long | -| system.memory.swap.used.pct | The percentage of used swap memory. | scaled_float | -| system.memory.total | Total memory. | long | -| system.memory.used.bytes | Used memory. | long | -| system.memory.used.pct | The percentage of used memory. | scaled_float | - - -### Network - -The System `network` dataset provides network IO metrics collected from the -operating system. One event is created for each network interface. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Date/time when the event originated. 
This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. 
For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.network.in.bytes | The number of bytes received on all network interfaces by the host in a given period of time. | scaled_float | -| host.network.in.packets | The number of packets received on all network interfaces by the host in a given period of time. | long | -| host.network.out.bytes | The number of bytes sent out on all network interfaces by the host in a given period of time. | scaled_float | -| host.network.out.packets | The number of packets sent out on all network interfaces by the host in a given period of time. | long | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.pid | Process id. | long | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| system.network.in.bytes | The number of bytes received. | long | -| system.network.in.dropped | The number of incoming packets that were dropped. | long | -| system.network.in.errors | The number of errors while receiving. | long | -| system.network.in.packets | The number or packets received. | long | -| system.network.name | The network interface name. | keyword | -| system.network.out.bytes | The number of bytes sent. | long | -| system.network.out.dropped | The number of outgoing packets that were dropped. This value is always 0 on Darwin and BSD because it is not reported by the operating system. | long | -| system.network.out.errors | The number of errors while sending. | long | -| system.network.out.packets | The number of packets sent. | long | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | - - -### Process - -The System `process` dataset provides process statistics. One document is -provided for each process. 
- -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. 
As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip address. | ip | -| host.mac | Host mac address. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| process.cpu.pct | The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 1. | scaled_float | -| process.cpu.start_time | The time when the process was started. | date | -| process.memory.pct | The percentage of memory the process occupied in main memory (RAM). | scaled_float | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.pgid | Identifier of the group of processes the process belongs to. | long | -| process.pid | Process id. | long | -| process.ppid | Parent process' pid. | long | -| process.state | The process state. For example: "running". 
| keyword | -| process.working_directory | The working directory of the process. | keyword | -| system.process.cgroup.blkio.id | ID of the cgroup. | keyword | -| system.process.cgroup.blkio.path | Path to the cgroup relative to the cgroup subsystems mountpoint. | keyword | -| system.process.cgroup.blkio.total.bytes | Total number of bytes transferred to and from all block devices by processes in the cgroup. | long | -| system.process.cgroup.blkio.total.ios | Total number of I/O operations performed on all devices by processes in the cgroup as seen by the throttling policy. | long | -| system.process.cgroup.cpu.cfs.period.us | Period of time in microseconds for how regularly a cgroup's access to CPU resources should be reallocated. | long | -| system.process.cgroup.cpu.cfs.quota.us | Total amount of time in microseconds for which all tasks in a cgroup can run during one period (as defined by cfs.period.us). | long | -| system.process.cgroup.cpu.cfs.shares | An integer value that specifies a relative share of CPU time available to the tasks in a cgroup. The value specified in the cpu.shares file must be 2 or higher. | long | -| system.process.cgroup.cpu.id | ID of the cgroup. | keyword | -| system.process.cgroup.cpu.path | Path to the cgroup relative to the cgroup subsystem's mountpoint. | keyword | -| system.process.cgroup.cpu.rt.period.us | Period of time in microseconds for how regularly a cgroup's access to CPU resources is reallocated. | long | -| system.process.cgroup.cpu.rt.runtime.us | Period of time in microseconds for the longest continuous period in which the tasks in a cgroup have access to CPU resources. | long | -| system.process.cgroup.cpu.stats.periods | Number of period intervals (as specified in cpu.cfs.period.us) that have elapsed. | long | -| system.process.cgroup.cpu.stats.throttled.ns | The total time duration (in nanoseconds) for which tasks in a cgroup have been throttled. 
| long | -| system.process.cgroup.cpu.stats.throttled.periods | Number of times tasks in a cgroup have been throttled (that is, not allowed to run because they have exhausted all of the available time as specified by their quota). | long | -| system.process.cgroup.cpuacct.id | ID of the cgroup. | keyword | -| system.process.cgroup.cpuacct.path | Path to the cgroup relative to the cgroup subsystem's mountpoint. | keyword | -| system.process.cgroup.cpuacct.percpu | CPU time (in nanoseconds) consumed on each CPU by all tasks in this cgroup. | object | -| system.process.cgroup.cpuacct.stats.system.ns | CPU time consumed by tasks in user (kernel) mode. | long | -| system.process.cgroup.cpuacct.stats.user.ns | CPU time consumed by tasks in user mode. | long | -| system.process.cgroup.cpuacct.total.ns | Total CPU time in nanoseconds consumed by all tasks in the cgroup. | long | -| system.process.cgroup.id | The ID common to all cgroups associated with this task. If there isn't a common ID used by all cgroups this field will be absent. | keyword | -| system.process.cgroup.memory.id | ID of the cgroup. | keyword | -| system.process.cgroup.memory.kmem.failures | The number of times that the memory limit (kmem.limit.bytes) was reached. | long | -| system.process.cgroup.memory.kmem.limit.bytes | The maximum amount of kernel memory that tasks in the cgroup are allowed to use. | long | -| system.process.cgroup.memory.kmem.usage.bytes | Total kernel memory usage by processes in the cgroup (in bytes). | long | -| system.process.cgroup.memory.kmem.usage.max.bytes | The maximum kernel memory used by processes in the cgroup (in bytes). | long | -| system.process.cgroup.memory.kmem_tcp.failures | The number of times that the memory limit (kmem_tcp.limit.bytes) was reached. | long | -| system.process.cgroup.memory.kmem_tcp.limit.bytes | The maximum amount of memory for TCP buffers that tasks in the cgroup are allowed to use. 
| long | -| system.process.cgroup.memory.kmem_tcp.usage.bytes | Total memory usage for TCP buffers in bytes. | long | -| system.process.cgroup.memory.kmem_tcp.usage.max.bytes | The maximum memory used for TCP buffers by processes in the cgroup (in bytes). | long | -| system.process.cgroup.memory.mem.failures | The number of times that the memory limit (mem.limit.bytes) was reached. | long | -| system.process.cgroup.memory.mem.limit.bytes | The maximum amount of user memory in bytes (including file cache) that tasks in the cgroup are allowed to use. | long | -| system.process.cgroup.memory.mem.usage.bytes | Total memory usage by processes in the cgroup (in bytes). | long | -| system.process.cgroup.memory.mem.usage.max.bytes | The maximum memory used by processes in the cgroup (in bytes). | long | -| system.process.cgroup.memory.memsw.failures | The number of times that the memory plus swap space limit (memsw.limit.bytes) was reached. | long | -| system.process.cgroup.memory.memsw.limit.bytes | The maximum amount for the sum of memory and swap usage that tasks in the cgroup are allowed to use. | long | -| system.process.cgroup.memory.memsw.usage.bytes | The sum of current memory usage plus swap space used by processes in the cgroup (in bytes). | long | -| system.process.cgroup.memory.memsw.usage.max.bytes | The maximum amount of memory and swap space used by processes in the cgroup (in bytes). | long | -| system.process.cgroup.memory.path | Path to the cgroup relative to the cgroup subsystem's mountpoint. | keyword | -| system.process.cgroup.memory.stats.active_anon.bytes | Anonymous and swap cache on active least-recently-used (LRU) list, including tmpfs (shmem), in bytes. | long | -| system.process.cgroup.memory.stats.active_file.bytes | File-backed memory on active LRU list, in bytes. | long | -| system.process.cgroup.memory.stats.cache.bytes | Page cache, including tmpfs (shmem), in bytes. 
| long | -| system.process.cgroup.memory.stats.hierarchical_memory_limit.bytes | Memory limit for the hierarchy that contains the memory cgroup, in bytes. | long | -| system.process.cgroup.memory.stats.hierarchical_memsw_limit.bytes | Memory plus swap limit for the hierarchy that contains the memory cgroup, in bytes. | long | -| system.process.cgroup.memory.stats.inactive_anon.bytes | Anonymous and swap cache on inactive LRU list, including tmpfs (shmem), in bytes | long | -| system.process.cgroup.memory.stats.inactive_file.bytes | File-backed memory on inactive LRU list, in bytes. | long | -| system.process.cgroup.memory.stats.major_page_faults | Number of times that a process in the cgroup triggered a major fault. "Major" faults happen when the kernel actually has to read the data from disk. | long | -| system.process.cgroup.memory.stats.mapped_file.bytes | Size of memory-mapped mapped files, including tmpfs (shmem), in bytes. | long | -| system.process.cgroup.memory.stats.page_faults | Number of times that a process in the cgroup triggered a page fault. | long | -| system.process.cgroup.memory.stats.pages_in | Number of pages paged into memory. This is a counter. | long | -| system.process.cgroup.memory.stats.pages_out | Number of pages paged out of memory. This is a counter. | long | -| system.process.cgroup.memory.stats.rss.bytes | Anonymous and swap cache (includes transparent hugepages), not including tmpfs (shmem), in bytes. | long | -| system.process.cgroup.memory.stats.rss_huge.bytes | Number of bytes of anonymous transparent hugepages. | long | -| system.process.cgroup.memory.stats.swap.bytes | Swap usage, in bytes. | long | -| system.process.cgroup.memory.stats.unevictable.bytes | Memory that cannot be reclaimed, in bytes. | long | -| system.process.cgroup.path | The path to the cgroup relative to the cgroup subsystem's mountpoint. If there isn't a common path used by all cgroups this field will be absent. 
| keyword | -| system.process.cmdline | The full command-line used to start the process, including the arguments separated by space. | keyword | -| system.process.cpu.start_time | The time when the process was started. | date | -| system.process.cpu.system.ticks | The amount of CPU time the process spent in kernel space. | long | -| system.process.cpu.total.norm.pct | The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 100%. | scaled_float | -| system.process.cpu.total.pct | The percentage of CPU time spent by the process since the last update. Its value is similar to the %CPU value of the process displayed by the top command on Unix systems. | scaled_float | -| system.process.cpu.total.ticks | The total CPU time spent by the process. | long | -| system.process.cpu.total.value | The value of CPU usage since starting the process. | long | -| system.process.cpu.user.ticks | The amount of CPU time the process spent in user space. | long | -| system.process.env | The environment variables used to start the process. The data is available on FreeBSD, Linux, and OS X. | object | -| system.process.fd.limit.hard | The hard limit on the number of file descriptors opened by the process. The hard limit can only be raised by root. | long | -| system.process.fd.limit.soft | The soft limit on the number of file descriptors opened by the process. The soft limit can be changed by the process at any time. | long | -| system.process.fd.open | The number of file descriptors open by the process. | long | -| system.process.memory.rss.bytes | The Resident Set Size. The amount of memory the process occupied in main memory (RAM). On Windows this represents the current working set size, in bytes. | long | -| system.process.memory.rss.pct | The percentage of memory the process occupied in main memory (RAM). | scaled_float | -| system.process.memory.share | The shared memory the process uses. 
| long | -| system.process.memory.size | The total virtual memory the process has. On Windows this represents the Commit Charge (the total amount of memory that the memory manager has committed for a running process) value in bytes for this process. | long | -| system.process.state | The process state. For example: "running". | keyword | -| user.name | Short name or login of the user. | keyword | - - -### Process summary - -The `process_summary` dataset collects high level statistics about the running -processes. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. 
| constant_keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. 
For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.pid | Process id. | long | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| system.process.summary.dead | Number of dead processes on this host. It's very unlikely that it will appear but in some special situations it may happen. | long | -| system.process.summary.idle | Number of idle processes on this host. | long | -| system.process.summary.running | Number of running processes on this host. | long | -| system.process.summary.sleeping | Number of sleeping processes on this host. | long | -| system.process.summary.stopped | Number of stopped processes on this host. | long | -| system.process.summary.total | Total number of processes on this host. | long | -| system.process.summary.unknown | Number of processes for which the state couldn't be retrieved or is unknown. | long | -| system.process.summary.zombie | Number of zombie processes on this host. | long | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | - - -### Socket summary - -The System `socket_summary` dataset provides the summary of open network -sockets in the host system. - -It collects a summary of metrics with the count of existing TCP and UDP -connections and the count of listening ports. 
- -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. 
It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.pid | Process id. | long | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.location | Longitude and latitude. 
| geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| system.socket.summary.all.count | All open connections | integer | -| system.socket.summary.all.listening | All listening ports | integer | -| system.socket.summary.tcp.all.close_wait | Number of TCP connections in _close_wait_ state | integer | -| system.socket.summary.tcp.all.closing | Number of TCP connections in _closing_ state | integer | -| system.socket.summary.tcp.all.count | All open TCP connections | integer | -| system.socket.summary.tcp.all.established | Number of established TCP connections | integer | -| system.socket.summary.tcp.all.fin_wait1 | Number of TCP connections in _fin_wait1_ state | integer | -| system.socket.summary.tcp.all.fin_wait2 | Number of TCP connections in _fin_wait2_ state | integer | -| system.socket.summary.tcp.all.last_ack | Number of TCP connections in _last_ack_ state | integer | -| system.socket.summary.tcp.all.listening | All TCP listening ports | integer | -| system.socket.summary.tcp.all.orphan | A count of all orphaned tcp sockets. Only available on Linux. | integer | -| system.socket.summary.tcp.all.syn_recv | Number of TCP connections in _syn_recv_ state | integer | -| system.socket.summary.tcp.all.syn_sent | Number of TCP connections in _syn_sent_ state | integer | -| system.socket.summary.tcp.all.time_wait | Number of TCP connections in _time_wait_ state | integer | -| system.socket.summary.tcp.memory | Memory used by TCP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/tcp_mem. Only available on Linux. 
| integer | -| system.socket.summary.udp.all.count | All open UDP connections | integer | -| system.socket.summary.udp.memory | Memory used by UDP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/udp_mem. Only available on Linux. | integer | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | - - -### Uptime - -The System `uptime` dataset provides the uptime of the host operating system. - -This dataset is available on: - -- Linux -- macOS -- OpenBSD -- FreeBSD -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. 
| constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| system.uptime.duration.ms | The OS uptime in milliseconds. | long | - - -### Application - -The Windows `application` dataset provides events from the Windows -`Application` event log. 
- -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| error.message | Error message. | text | -| event.created | Time when the event was first read by an agent or by your pipeline. | date | -| event.ingested | Timestamp when an event arrived in the central data store. | date | -| event.original | Raw text message of entire event. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. 
For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword | -| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. 
Winlogbeat automatically detects which API to use for reading event logs. | keyword | -| winlog.channel | The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. | keyword | -| winlog.computer_name | The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. | keyword | -| winlog.event_data | The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. | object | -| winlog.event_data.AuthenticationPackageName | | keyword | -| winlog.event_data.Binary | | keyword | -| winlog.event_data.BitlockerUserInputTime | | keyword | -| winlog.event_data.BootMode | | keyword | -| winlog.event_data.BootType | | keyword | -| winlog.event_data.BuildVersion | | keyword | -| winlog.event_data.Company | | keyword | -| winlog.event_data.CorruptionActionState | | keyword | -| winlog.event_data.CreationUtcTime | | keyword | -| winlog.event_data.Description | | keyword | -| winlog.event_data.Detail | | keyword | -| winlog.event_data.DeviceName | | keyword | -| winlog.event_data.DeviceNameLength | | keyword | -| winlog.event_data.DeviceTime | | keyword | -| winlog.event_data.DeviceVersionMajor | | keyword | -| winlog.event_data.DeviceVersionMinor | | keyword | -| winlog.event_data.DriveName | | keyword | -| winlog.event_data.DriverName | | keyword | -| winlog.event_data.DriverNameLength | | keyword | -| winlog.event_data.DwordVal | | keyword | -| winlog.event_data.EntryCount | | keyword | -| winlog.event_data.ExtraInfo | | keyword | -| winlog.event_data.FailureName | | keyword | -| winlog.event_data.FailureNameLength | | keyword | -| winlog.event_data.FileVersion | | keyword | -| 
winlog.event_data.FinalStatus | | keyword | -| winlog.event_data.Group | | keyword | -| winlog.event_data.IdleImplementation | | keyword | -| winlog.event_data.IdleStateCount | | keyword | -| winlog.event_data.ImpersonationLevel | | keyword | -| winlog.event_data.IntegrityLevel | | keyword | -| winlog.event_data.IpAddress | | keyword | -| winlog.event_data.IpPort | | keyword | -| winlog.event_data.KeyLength | | keyword | -| winlog.event_data.LastBootGood | | keyword | -| winlog.event_data.LastShutdownGood | | keyword | -| winlog.event_data.LmPackageName | | keyword | -| winlog.event_data.LogonGuid | | keyword | -| winlog.event_data.LogonId | | keyword | -| winlog.event_data.LogonProcessName | | keyword | -| winlog.event_data.LogonType | | keyword | -| winlog.event_data.MajorVersion | | keyword | -| winlog.event_data.MaximumPerformancePercent | | keyword | -| winlog.event_data.MemberName | | keyword | -| winlog.event_data.MemberSid | | keyword | -| winlog.event_data.MinimumPerformancePercent | | keyword | -| winlog.event_data.MinimumThrottlePercent | | keyword | -| winlog.event_data.MinorVersion | | keyword | -| winlog.event_data.NewProcessId | | keyword | -| winlog.event_data.NewProcessName | | keyword | -| winlog.event_data.NewSchemeGuid | | keyword | -| winlog.event_data.NewTime | | keyword | -| winlog.event_data.NominalFrequency | | keyword | -| winlog.event_data.Number | | keyword | -| winlog.event_data.OldSchemeGuid | | keyword | -| winlog.event_data.OldTime | | keyword | -| winlog.event_data.OriginalFileName | | keyword | -| winlog.event_data.Path | | keyword | -| winlog.event_data.PerformanceImplementation | | keyword | -| winlog.event_data.PreviousCreationUtcTime | | keyword | -| winlog.event_data.PreviousTime | | keyword | -| winlog.event_data.PrivilegeList | | keyword | -| winlog.event_data.ProcessId | | keyword | -| winlog.event_data.ProcessName | | keyword | -| winlog.event_data.ProcessPath | | keyword | -| winlog.event_data.ProcessPid | | keyword | -| 
winlog.event_data.Product | | keyword | -| winlog.event_data.PuaCount | | keyword | -| winlog.event_data.PuaPolicyId | | keyword | -| winlog.event_data.QfeVersion | | keyword | -| winlog.event_data.Reason | | keyword | -| winlog.event_data.SchemaVersion | | keyword | -| winlog.event_data.ScriptBlockText | | keyword | -| winlog.event_data.ServiceName | | keyword | -| winlog.event_data.ServiceVersion | | keyword | -| winlog.event_data.ShutdownActionType | | keyword | -| winlog.event_data.ShutdownEventCode | | keyword | -| winlog.event_data.ShutdownReason | | keyword | -| winlog.event_data.Signature | | keyword | -| winlog.event_data.SignatureStatus | | keyword | -| winlog.event_data.Signed | | keyword | -| winlog.event_data.StartTime | | keyword | -| winlog.event_data.State | | keyword | -| winlog.event_data.Status | | keyword | -| winlog.event_data.StopTime | | keyword | -| winlog.event_data.SubjectDomainName | | keyword | -| winlog.event_data.SubjectLogonId | | keyword | -| winlog.event_data.SubjectUserName | | keyword | -| winlog.event_data.SubjectUserSid | | keyword | -| winlog.event_data.TSId | | keyword | -| winlog.event_data.TargetDomainName | | keyword | -| winlog.event_data.TargetInfo | | keyword | -| winlog.event_data.TargetLogonGuid | | keyword | -| winlog.event_data.TargetLogonId | | keyword | -| winlog.event_data.TargetServerName | | keyword | -| winlog.event_data.TargetUserName | | keyword | -| winlog.event_data.TargetUserSid | | keyword | -| winlog.event_data.TerminalSessionId | | keyword | -| winlog.event_data.TokenElevationType | | keyword | -| winlog.event_data.TransmittedServices | | keyword | -| winlog.event_data.UserSid | | keyword | -| winlog.event_data.Version | | keyword | -| winlog.event_data.Workstation | | keyword | -| winlog.event_data.param1 | | keyword | -| winlog.event_data.param2 | | keyword | -| winlog.event_data.param3 | | keyword | -| winlog.event_data.param4 | | keyword | -| winlog.event_data.param5 | | keyword | -| 
winlog.event_data.param6 | | keyword | -| winlog.event_data.param7 | | keyword | -| winlog.event_data.param8 | | keyword | -| winlog.event_id | The event identifier. The value is specific to the source of the event. | keyword | -| winlog.keywords | The keywords are used to classify an event. | keyword | -| winlog.opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. | keyword | -| winlog.process.pid | The process_id of the Client Server Runtime Process. | long | -| winlog.process.thread.id | | long | -| winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. | keyword | -| winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword | -| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | keyword | -| winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. | keyword | -| winlog.task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. | keyword | -| winlog.user.domain | The domain that the account associated with this event is a member of. | keyword | -| winlog.user.identifier | The Windows security identifier (SID) of the account associated with this event. 
If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. | keyword | -| winlog.user.name | Name of the user associated with this event. | keyword | -| winlog.user.type | The type of account associated with this event. | keyword | -| winlog.user_data | The event specific data. This field is mutually exclusive with `event_data`. | object | -| winlog.version | The version number of the event's definition. | long | - - -### System - -The Windows `system` dataset provides events from the Windows `System` -event log. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. 
| constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| error.message | Error message. | text | -| event.created | Time when the event was first read by an agent or by your pipeline. | date | -| event.ingested | Timestamp when an event arrived in the central data store. | date | -| event.original | Raw text message of entire event. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword | -| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword | -| winlog.channel | The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. | keyword | -| winlog.computer_name | The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. | keyword | -| winlog.event_data | The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. 
| object | -| winlog.event_data.AuthenticationPackageName | | keyword | -| winlog.event_data.Binary | | keyword | -| winlog.event_data.BitlockerUserInputTime | | keyword | -| winlog.event_data.BootMode | | keyword | -| winlog.event_data.BootType | | keyword | -| winlog.event_data.BuildVersion | | keyword | -| winlog.event_data.Company | | keyword | -| winlog.event_data.CorruptionActionState | | keyword | -| winlog.event_data.CreationUtcTime | | keyword | -| winlog.event_data.Description | | keyword | -| winlog.event_data.Detail | | keyword | -| winlog.event_data.DeviceName | | keyword | -| winlog.event_data.DeviceNameLength | | keyword | -| winlog.event_data.DeviceTime | | keyword | -| winlog.event_data.DeviceVersionMajor | | keyword | -| winlog.event_data.DeviceVersionMinor | | keyword | -| winlog.event_data.DriveName | | keyword | -| winlog.event_data.DriverName | | keyword | -| winlog.event_data.DriverNameLength | | keyword | -| winlog.event_data.DwordVal | | keyword | -| winlog.event_data.EntryCount | | keyword | -| winlog.event_data.ExtraInfo | | keyword | -| winlog.event_data.FailureName | | keyword | -| winlog.event_data.FailureNameLength | | keyword | -| winlog.event_data.FileVersion | | keyword | -| winlog.event_data.FinalStatus | | keyword | -| winlog.event_data.Group | | keyword | -| winlog.event_data.IdleImplementation | | keyword | -| winlog.event_data.IdleStateCount | | keyword | -| winlog.event_data.ImpersonationLevel | | keyword | -| winlog.event_data.IntegrityLevel | | keyword | -| winlog.event_data.IpAddress | | keyword | -| winlog.event_data.IpPort | | keyword | -| winlog.event_data.KeyLength | | keyword | -| winlog.event_data.LastBootGood | | keyword | -| winlog.event_data.LastShutdownGood | | keyword | -| winlog.event_data.LmPackageName | | keyword | -| winlog.event_data.LogonGuid | | keyword | -| winlog.event_data.LogonId | | keyword | -| winlog.event_data.LogonProcessName | | keyword | -| winlog.event_data.LogonType | | keyword | -| 
winlog.event_data.MajorVersion | | keyword | -| winlog.event_data.MaximumPerformancePercent | | keyword | -| winlog.event_data.MemberName | | keyword | -| winlog.event_data.MemberSid | | keyword | -| winlog.event_data.MinimumPerformancePercent | | keyword | -| winlog.event_data.MinimumThrottlePercent | | keyword | -| winlog.event_data.MinorVersion | | keyword | -| winlog.event_data.NewProcessId | | keyword | -| winlog.event_data.NewProcessName | | keyword | -| winlog.event_data.NewSchemeGuid | | keyword | -| winlog.event_data.NewTime | | keyword | -| winlog.event_data.NominalFrequency | | keyword | -| winlog.event_data.Number | | keyword | -| winlog.event_data.OldSchemeGuid | | keyword | -| winlog.event_data.OldTime | | keyword | -| winlog.event_data.OriginalFileName | | keyword | -| winlog.event_data.Path | | keyword | -| winlog.event_data.PerformanceImplementation | | keyword | -| winlog.event_data.PreviousCreationUtcTime | | keyword | -| winlog.event_data.PreviousTime | | keyword | -| winlog.event_data.PrivilegeList | | keyword | -| winlog.event_data.ProcessId | | keyword | -| winlog.event_data.ProcessName | | keyword | -| winlog.event_data.ProcessPath | | keyword | -| winlog.event_data.ProcessPid | | keyword | -| winlog.event_data.Product | | keyword | -| winlog.event_data.PuaCount | | keyword | -| winlog.event_data.PuaPolicyId | | keyword | -| winlog.event_data.QfeVersion | | keyword | -| winlog.event_data.Reason | | keyword | -| winlog.event_data.SchemaVersion | | keyword | -| winlog.event_data.ScriptBlockText | | keyword | -| winlog.event_data.ServiceName | | keyword | -| winlog.event_data.ServiceVersion | | keyword | -| winlog.event_data.ShutdownActionType | | keyword | -| winlog.event_data.ShutdownEventCode | | keyword | -| winlog.event_data.ShutdownReason | | keyword | -| winlog.event_data.Signature | | keyword | -| winlog.event_data.SignatureStatus | | keyword | -| winlog.event_data.Signed | | keyword | -| winlog.event_data.StartTime | | keyword | -| 
winlog.event_data.State | | keyword | -| winlog.event_data.Status | | keyword | -| winlog.event_data.StopTime | | keyword | -| winlog.event_data.SubjectDomainName | | keyword | -| winlog.event_data.SubjectLogonId | | keyword | -| winlog.event_data.SubjectUserName | | keyword | -| winlog.event_data.SubjectUserSid | | keyword | -| winlog.event_data.TSId | | keyword | -| winlog.event_data.TargetDomainName | | keyword | -| winlog.event_data.TargetInfo | | keyword | -| winlog.event_data.TargetLogonGuid | | keyword | -| winlog.event_data.TargetLogonId | | keyword | -| winlog.event_data.TargetServerName | | keyword | -| winlog.event_data.TargetUserName | | keyword | -| winlog.event_data.TargetUserSid | | keyword | -| winlog.event_data.TerminalSessionId | | keyword | -| winlog.event_data.TokenElevationType | | keyword | -| winlog.event_data.TransmittedServices | | keyword | -| winlog.event_data.UserSid | | keyword | -| winlog.event_data.Version | | keyword | -| winlog.event_data.Workstation | | keyword | -| winlog.event_data.param1 | | keyword | -| winlog.event_data.param2 | | keyword | -| winlog.event_data.param3 | | keyword | -| winlog.event_data.param4 | | keyword | -| winlog.event_data.param5 | | keyword | -| winlog.event_data.param6 | | keyword | -| winlog.event_data.param7 | | keyword | -| winlog.event_data.param8 | | keyword | -| winlog.event_id | The event identifier. The value is specific to the source of the event. | keyword | -| winlog.keywords | The keywords are used to classify an event. | keyword | -| winlog.opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. | keyword | -| winlog.process.pid | The process_id of the Client Server Runtime Process. | long | -| winlog.process.thread.id | | long | -| winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. 
| keyword | -| winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword | -| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | keyword | -| winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. | keyword | -| winlog.task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. | keyword | -| winlog.user.domain | The domain that the account associated with this event is a member of. | keyword | -| winlog.user.identifier | The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. | keyword | -| winlog.user.name | Name of the user associated with this event. | keyword | -| winlog.user.type | The type of account associated with this event. | keyword | -| winlog.user_data | The event specific data. This field is mutually exclusive with `event_data`. | object | -| winlog.version | The version number of the event's definition. | long | - - - -### Security - -The Windows `security` dataset provides events from the Windows -`Security` event log. 
- -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset name. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| dataset.name | Dataset name. | constant_keyword | -| dataset.namespace | Dataset namespace. | constant_keyword | -| dataset.type | Dataset type. | constant_keyword | -| error.message | Error message. | text | -| event.action | The action captured by the event. | keyword | -| event.category | Event category. The second categorization field in the hierarchy. | keyword | -| event.code | Identification code for this event. | keyword | -| event.created | Time when the event was first read by an agent or by your pipeline. | date | -| event.ingested | Timestamp when an event arrived in the central data store. 
| date | -| event.module | Name of the module this data is coming from. | keyword | -| event.outcome | The outcome of the event. The lowest level categorization field in the hierarchy. | keyword | -| event.type | Event type. The third categorization field in the hierarchy. | keyword | -| group.domain | Name of the directory the group is a member of. | keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. 
For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| log.level | Log level of the log event. | keyword | -| process.command_line | Full command line that started the process. | keyword | -| process.executable | Absolute path to the process executable. | keyword | -| process.name | Process name. | keyword | -| process.parent.executable | Absolute path to the process executable. | keyword | -| process.pid | Process id. | long | -| related.user | All the user names seen on your event. | keyword | -| service.name | Name of the service. | keyword | -| service.type | The type of the service. | keyword | -| source.domain | Source domain. | keyword | -| source.ip | IP address of the source. | ip | -| source.port | Port of the source. | long | -| user.domain | Name of the directory the user is a member of. | keyword | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword | -| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword | -| winlog.channel | The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. 
| keyword | -| winlog.computer_name | The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. | keyword | -| winlog.event_data | The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. | object | -| winlog.event_data.AuthenticationPackageName | | keyword | -| winlog.event_data.Binary | | keyword | -| winlog.event_data.BitlockerUserInputTime | | keyword | -| winlog.event_data.BootMode | | keyword | -| winlog.event_data.BootType | | keyword | -| winlog.event_data.BuildVersion | | keyword | -| winlog.event_data.Company | | keyword | -| winlog.event_data.CorruptionActionState | | keyword | -| winlog.event_data.CreationUtcTime | | keyword | -| winlog.event_data.Description | | keyword | -| winlog.event_data.Detail | | keyword | -| winlog.event_data.DeviceName | | keyword | -| winlog.event_data.DeviceNameLength | | keyword | -| winlog.event_data.DeviceTime | | keyword | -| winlog.event_data.DeviceVersionMajor | | keyword | -| winlog.event_data.DeviceVersionMinor | | keyword | -| winlog.event_data.DriveName | | keyword | -| winlog.event_data.DriverName | | keyword | -| winlog.event_data.DriverNameLength | | keyword | -| winlog.event_data.DwordVal | | keyword | -| winlog.event_data.EntryCount | | keyword | -| winlog.event_data.ExtraInfo | | keyword | -| winlog.event_data.FailureName | | keyword | -| winlog.event_data.FailureNameLength | | keyword | -| winlog.event_data.FileVersion | | keyword | -| winlog.event_data.FinalStatus | | keyword | -| winlog.event_data.Group | | keyword | -| winlog.event_data.IdleImplementation | | keyword | -| winlog.event_data.IdleStateCount | | keyword | -| winlog.event_data.ImpersonationLevel | | keyword | -| 
winlog.event_data.IntegrityLevel | | keyword | -| winlog.event_data.IpAddress | | keyword | -| winlog.event_data.IpPort | | keyword | -| winlog.event_data.KeyLength | | keyword | -| winlog.event_data.LastBootGood | | keyword | -| winlog.event_data.LastShutdownGood | | keyword | -| winlog.event_data.LmPackageName | | keyword | -| winlog.event_data.LogonGuid | | keyword | -| winlog.event_data.LogonId | | keyword | -| winlog.event_data.LogonProcessName | | keyword | -| winlog.event_data.LogonType | | keyword | -| winlog.event_data.MajorVersion | | keyword | -| winlog.event_data.MaximumPerformancePercent | | keyword | -| winlog.event_data.MemberName | | keyword | -| winlog.event_data.MemberSid | | keyword | -| winlog.event_data.MinimumPerformancePercent | | keyword | -| winlog.event_data.MinimumThrottlePercent | | keyword | -| winlog.event_data.MinorVersion | | keyword | -| winlog.event_data.NewProcessId | | keyword | -| winlog.event_data.NewProcessName | | keyword | -| winlog.event_data.NewSchemeGuid | | keyword | -| winlog.event_data.NewTargetUserName | | keyword | -| winlog.event_data.NewTime | | keyword | -| winlog.event_data.NominalFrequency | | keyword | -| winlog.event_data.Number | | keyword | -| winlog.event_data.OldSchemeGuid | | keyword | -| winlog.event_data.OldTargetUserName | | keyword | -| winlog.event_data.OldTime | | keyword | -| winlog.event_data.OriginalFileName | | keyword | -| winlog.event_data.Path | | keyword | -| winlog.event_data.PerformanceImplementation | | keyword | -| winlog.event_data.PreviousCreationUtcTime | | keyword | -| winlog.event_data.PreviousTime | | keyword | -| winlog.event_data.PrivilegeList | | keyword | -| winlog.event_data.ProcessId | | keyword | -| winlog.event_data.ProcessName | | keyword | -| winlog.event_data.ProcessPath | | keyword | -| winlog.event_data.ProcessPid | | keyword | -| winlog.event_data.Product | | keyword | -| winlog.event_data.PuaCount | | keyword | -| winlog.event_data.PuaPolicyId | | keyword | -| 
winlog.event_data.QfeVersion | | keyword | -| winlog.event_data.Reason | | keyword | -| winlog.event_data.SchemaVersion | | keyword | -| winlog.event_data.ScriptBlockText | | keyword | -| winlog.event_data.ServiceName | | keyword | -| winlog.event_data.ServiceVersion | | keyword | -| winlog.event_data.ShutdownActionType | | keyword | -| winlog.event_data.ShutdownEventCode | | keyword | -| winlog.event_data.ShutdownReason | | keyword | -| winlog.event_data.Signature | | keyword | -| winlog.event_data.SignatureStatus | | keyword | -| winlog.event_data.Signed | | keyword | -| winlog.event_data.StartTime | | keyword | -| winlog.event_data.State | | keyword | -| winlog.event_data.Status | | keyword | -| winlog.event_data.StopTime | | keyword | -| winlog.event_data.SubjectDomainName | | keyword | -| winlog.event_data.SubjectLogonId | | keyword | -| winlog.event_data.SubjectUserName | | keyword | -| winlog.event_data.SubjectUserSid | | keyword | -| winlog.event_data.TSId | | keyword | -| winlog.event_data.TargetDomainName | | keyword | -| winlog.event_data.TargetInfo | | keyword | -| winlog.event_data.TargetLogonGuid | | keyword | -| winlog.event_data.TargetLogonId | | keyword | -| winlog.event_data.TargetServerName | | keyword | -| winlog.event_data.TargetUserName | | keyword | -| winlog.event_data.TargetUserSid | | keyword | -| winlog.event_data.TerminalSessionId | | keyword | -| winlog.event_data.TokenElevationType | | keyword | -| winlog.event_data.TransmittedServices | | keyword | -| winlog.event_data.UserSid | | keyword | -| winlog.event_data.Version | | keyword | -| winlog.event_data.Workstation | | keyword | -| winlog.event_data.param1 | | keyword | -| winlog.event_data.param2 | | keyword | -| winlog.event_data.param3 | | keyword | -| winlog.event_data.param4 | | keyword | -| winlog.event_data.param5 | | keyword | -| winlog.event_data.param6 | | keyword | -| winlog.event_data.param7 | | keyword | -| winlog.event_data.param8 | | keyword | -| winlog.event_id | The 
event identifier. The value is specific to the source of the event. | keyword | -| winlog.keywords | The keywords are used to classify an event. | keyword | -| winlog.logon.failure.reason | The reason the logon failed. | keyword | -| winlog.logon.failure.status | The reason the logon failed. This is textual description based on the value of the hexadecimal `Status` field. | keyword | -| winlog.logon.failure.sub_status | Additional information about the logon failure. This is a textual description based on the value of the hexidecimal `SubStatus` field. | keyword | -| winlog.logon.id | Logon ID that can be used to associate this logon with other events related to the same logon session. | keyword | -| winlog.logon.type | Logon type name. This is the descriptive version of the `winlog.event_data.LogonType` ordinal. This is an enrichment added by the Security module. | keyword | -| winlog.opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. | keyword | -| winlog.process.pid | The process_id of the Client Server Runtime Process. | long | -| winlog.process.thread.id | | long | -| winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. | keyword | -| winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword | -| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | keyword | -| winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. 
| keyword |
-| winlog.task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. | keyword |
-| winlog.user.domain | The domain that the account associated with this event is a member of. | keyword |
-| winlog.user.identifier | The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. | keyword |
-| winlog.user.name | Name of the user associated with this event. | keyword |
-| winlog.user.type | The type of account associated with this event. | keyword |
-| winlog.user_data | The event specific data. This field is mutually exclusive with `event_data`. | object |
-| winlog.version | The version number of the event's definition. | long |
diff --git a/packages/system/0.10.6/img/kibana-system.png b/packages/system/0.10.6/img/kibana-system.png
deleted file mode 100644
index 8741a56624..0000000000
Binary files a/packages/system/0.10.6/img/kibana-system.png and /dev/null differ
diff --git a/packages/system/0.10.6/img/metricbeat_system_dashboard.png b/packages/system/0.10.6/img/metricbeat_system_dashboard.png
deleted file mode 100644
index 2ff6ad8bd0..0000000000
Binary files a/packages/system/0.10.6/img/metricbeat_system_dashboard.png and /dev/null differ
diff --git a/packages/system/0.10.6/img/system.svg b/packages/system/0.10.6/img/system.svg
deleted file mode 100644
index 0aba96275e..0000000000
--- a/packages/system/0.10.6/img/system.svg
+++ /dev/null
@@ -1 +0,0 @@
-
\ No newline at end of file
diff --git a/packages/system/0.10.6/kibana/dashboard/system-01c54730-fee6-11e9-8405-516218e3d268.json b/packages/system/0.10.6/kibana/dashboard/system-01c54730-fee6-11e9-8405-516218e3d268.json
deleted file mode 100644
index cfdfd09da8..0000000000
--- a/packages/system/0.10.6/kibana/dashboard/system-01c54730-fee6-11e9-8405-516218e3d268.json
+++ /dev/null
@@ -1,129 +0,0 @@ -{ - "attributes": { - "description": "Group management activity with TSVB metrics.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":8,\"i\":\"22\",\"w\":17,\"x\":0,\"y\":0},\"panelIndex\":\"22\",\"panelRefName\":\"panel_0\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Creation Summary [Windows Security]\"},\"gridData\":{\"h\":13,\"i\":\"36\",\"w\":9,\"x\":0,\"y\":59},\"panelIndex\":\"36\",\"panelRefName\":\"panel_1\",\"title\":\"Group Creation Summary [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Changes Summary [Windows Security]\"},\"gridData\":{\"h\":13,\"i\":\"37\",\"w\":9,\"x\":9,\"y\":59},\"panelIndex\":\"37\",\"panelRefName\":\"panel_2\",\"title\":\"Group Changes Summary [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Deletion Summary [Windows Security]\"},\"gridData\":{\"h\":13,\"i\":\"38\",\"w\":9,\"x\":18,\"y\":59},\"panelIndex\":\"38\",\"panelRefName\":\"panel_3\",\"title\":\"Group Deletion Summary [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Users Added to Group Summary [Windows Security]\"},\"gridData\":{\"h\":14,\"i\":\"39\",\"w\":16,\"x\":0,\"y\":81},\"panelIndex\":\"39\",\"panelRefName\":\"panel_4\",\"title\":\"Users Added to Group Summary [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Users Removed From Group Summary [Windows Security]\"},\"gridData\":{\"h\":14,\"i\":\"40\",\"w\":17,\"x\":16,\"y\":81},\"panelIndex\":\"40\",\"panelRefName\":\"panel_5\",\"title\":\"Users Removed From Group Summary [Windows 
Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Membership Enumeration Summary [Windows Security]\"},\"gridData\":{\"h\":14,\"i\":\"42\",\"w\":15,\"x\":33,\"y\":81},\"panelIndex\":\"42\",\"panelRefName\":\"panel_6\",\"title\":\"Group Membership Enumeration Summary [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Details [Windows Security]\"},\"gridData\":{\"h\":22,\"i\":\"43\",\"w\":21,\"x\":27,\"y\":50},\"panelIndex\":\"43\",\"panelRefName\":\"panel_7\",\"title\":\"Logon Details [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"44\",\"w\":16,\"x\":0,\"y\":72},\"panelIndex\":\"44\",\"panelRefName\":\"panel_8\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"45\",\"w\":9,\"x\":18,\"y\":50},\"panelIndex\":\"45\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"46\",\"w\":9,\"x\":0,\"y\":50},\"panelIndex\":\"46\",\"panelRefName\":\"panel_10\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"47\",\"w\":9,\"x\":9,\"y\":50},\"panelIndex\":\"47\",\"panelRefName\":\"panel_11\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"48\",\"w\":17,\"x\":16,\"y\":72},\"panelIndex\":\"48\",\"panelRefName\":\"panel_12\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"49\",\"w\":15,\"x\":33,\"y\":72},\"panelIndex\":\"49\",\"panelRefName\":\"panel_13\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"51\",\"w\":48,\"x\":0,\"y\":95},\"panelIndex\":\"51\",\"panelRefName\":\"panel_14\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":8,\"i\":\"45614e1c-b2bb-4243-9a74-a4bdd0124c87\",\"w\":31,\"x\":17,\"y\":0},\"panelIndex\":\"45614e1c-b2bb-4243-9a74-a4bdd0124c87\"
,\"panelRefName\":\"panel_15\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"88e75800-8125-4c9e-96b8-5c36f6e91664\",\"w\":9,\"x\":21,\"y\":8},\"panelIndex\":\"88e75800-8125-4c9e-96b8-5c36f6e91664\",\"panelRefName\":\"panel_16\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"4b793b8e-72d4-42a2-b377-1c70f0307414\",\"w\":18,\"x\":30,\"y\":8},\"panelIndex\":\"4b793b8e-72d4-42a2-b377-1c70f0307414\",\"panelRefName\":\"panel_17\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"vis\":null},\"gridData\":{\"h\":21,\"i\":\"82d229f9-44f4-4c4b-baf7-f9673a14c87f\",\"w\":26,\"x\":0,\"y\":29},\"panelIndex\":\"82d229f9-44f4-4c4b-baf7-f9673a14c87f\",\"panelRefName\":\"panel_18\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-group-account\":\"#1F78C1\",\"added-member-to-group\":\"#0A437C\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#0A50A1\",\"type-changed-group-account\":\"#82B5D8\",\"user-member-enumerated\":\"#2F575E\"},\"vis\":{\"colors\":{\"added-group-account\":\"#1F78C1\",\"added-member-to-group\":\"#0A437C\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#0A50A1\",\"removed-member-from-group\":\"#82B5D8\",\"type-changed-group-account\":\"#82B5D8\",\"user-member-enumerated\":\"#2F575E\"}}},\"gridData\":{\"h\":21,\"i\":\"f44255b0-d9a8-479f-be3f-829c1f6ed794\",\"w\":22,\"x\":26,\"y\":29},\"panelIndex\":\"f44255b0-d9a8-479f-be3f-829c1f6ed794\",\"panelRefName\":\"panel_19\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-group-account\":\"#0A50A1\",\"added-member-to-group\":\"#1F78C1\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#0A437C\",\"user-member-enumerated\":\"#052B51\"},\"vis\":{\"colors\":{\"added-group-account\":\"#0A50A1\",\"added-member-to-group\":\"#1F78C1\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#0A437C\",\"user-member-enumerated\":\"#2F575E\"}}},\"gridData\":{\"h\":21,\"i\
":\"9c42bff2-b295-4617-8d8c-455bd5948b66\",\"w\":21,\"x\":0,\"y\":8},\"panelIndex\":\"9c42bff2-b295-4617-8d8c-455bd5948b66\",\"panelRefName\":\"panel_20\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[Windows Security] Group Management Events - Simple Metrics", - "version": 1 - }, - "id": "windows-01c54730-fee6-11e9-8405-516218e3d268", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-6f0f2ea0-f414-11e9-8405-516218e3d268", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-98884120-f49d-11e9-8405-516218e3d268", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-9e534190-f49d-11e9-8405-516218e3d268", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-bb9cf7a0-f49d-11e9-8405-516218e3d268", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-ce867840-f49e-11e9-8405-516218e3d268", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-fee83900-f49f-11e9-8405-516218e3d268", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-bc165210-f4b8-11e9-8405-516218e3d268", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "windows-7e178c80-fee1-11e9-8405-516218e3d268", - "name": "panel_7", - "type": "search" - }, - { - "id": "windows-a13bf640-fee8-11e9-8405-516218e3d268", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-5eeaafd0-fee7-11e9-8405-516218e3d268", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-f42f3b20-fee6-11e9-8405-516218e3d268", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "windows-b5f38780-fee6-11e9-8405-516218e3d268", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "windows-1b5f17d0-feea-11e9-8405-516218e3d268", - "name": "panel_12", - "type": "visualization" - }, - { - "id": "windows-0f2f5280-feeb-11e9-8405-516218e3d268", - "name": "panel_13", - 
"type": "visualization" - }, - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "panel_14", - "type": "search" - }, - { - "id": "windows-d770b040-9b35-11ea-87e4-49f31ec44891", - "name": "panel_15", - "type": "visualization" - }, - { - "id": "windows-33462600-9b47-11ea-87e4-49f31ec44891", - "name": "panel_16", - "type": "visualization" - }, - { - "id": "windows-58fb9480-9b46-11ea-87e4-49f31ec44891", - "name": "panel_17", - "type": "visualization" - }, - { - "id": "windows-e20c02d0-9b48-11ea-87e4-49f31ec44891", - "name": "panel_18", - "type": "visualization" - }, - { - "id": "windows-7de2e3f0-9b4d-11ea-87e4-49f31ec44891", - "name": "panel_19", - "type": "visualization" - }, - { - "id": "windows-b89b0c90-9b41-11ea-87e4-49f31ec44891", - "name": "panel_20", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/dashboard/system-035846a0-a249-11e9-a422-d144027429da.json b/packages/system/0.10.6/kibana/dashboard/system-035846a0-a249-11e9-a422-d144027429da.json deleted file mode 100644 index 59d3bd60ad..0000000000 --- a/packages/system/0.10.6/kibana/dashboard/system-035846a0-a249-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,89 +0,0 @@ -{ - "attributes": { - "description": "User logon activity dashboard with TSVB metrics.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:windows.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"Sesiones Usuarios Admin\"},\"gridData\":{\"h\":28,\"i\":\"1\",\"w\":18,\"x\":0,\"y\":38},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"title\":\"Sesiones Usuarios Admin\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":13,\"i\":\"2\",\"w\":9,\"x\":0,\"y\":6},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Usuarios Adm\"},\"gridData\":{\"h\":19,\"i\":\"3\",\"w\":18,\"x\":0,\"y\":19},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"title\":\"Usuarios Adm\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":6,\"i\":\"4\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Network Logon Details\"},\"gridData\":{\"h\":27,\"i\":\"10\",\"w\":22,\"x\":0,\"y\":66},\"panelIndex\":\"10\",\"panelRefName\":\"panel_4\",\"title\":\"Network Logon Details\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":6,\"i\":\"08245e0c-6afe-43ea-ba5f-76c3b17301fd\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"08245e0c-6afe-43ea-ba5f-76c3b17301fd\",\"panelRefName\":\"panel_5\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":13,\"i\":\"f403fdcc-6588-4573-a949-9e661783a2b8\",\"w\":9,\"x\":9,\"y\":6},\"panelIndex\":\"f403fdcc-6588-4573-a949-9e661783a2b8\",\"panelRefName\":\"panel_6\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Events 
Timeline\"},\"gridData\":{\"h\":13,\"i\":\"51a9affa-8e96-42bd-98e9-80531bdefc53\",\"w\":30,\"x\":18,\"y\":6},\"panelIndex\":\"51a9affa-8e96-42bd-98e9-80531bdefc53\",\"panelRefName\":\"panel_7\",\"title\":\"Logon Events Timeline\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Types\"},\"gridData\":{\"h\":19,\"i\":\"bbdca4de-11c5-4957-a74c-73769416a562\",\"w\":12,\"x\":18,\"y\":19},\"panelIndex\":\"bbdca4de-11c5-4957-a74c-73769416a562\",\"panelRefName\":\"panel_8\",\"title\":\"Logon Types\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"4df66ae6-e047-47c7-b1a9-b15221eb9d90\",\"w\":18,\"x\":30,\"y\":19},\"panelIndex\":\"4df66ae6-e047-47c7-b1a9-b15221eb9d90\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"RDP Reconnections and Desconnections\"},\"gridData\":{\"h\":28,\"i\":\"454bb008-9720-455e-8ab9-b2f47d25aa4f\",\"w\":19,\"x\":18,\"y\":38},\"panelIndex\":\"454bb008-9720-455e-8ab9-b2f47d25aa4f\",\"panelRefName\":\"panel_10\",\"title\":\"RDP Reconnections and Desconnections\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":28,\"i\":\"baec73e7-7166-4577-9483-1252bdd8773c\",\"w\":11,\"x\":37,\"y\":38},\"panelIndex\":\"baec73e7-7166-4577-9483-1252bdd8773c\",\"panelRefName\":\"panel_11\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logout Details\"},\"gridData\":{\"h\":27,\"i\":\"28115147-8399-4fcd-95ce-ed0a4f4239e3\",\"w\":26,\"x\":22,\"y\":66},\"panelIndex\":\"28115147-8399-4fcd-95ce-ed0a4f4239e3\",\"panelRefName\":\"panel_12\",\"title\":\"Logout Details\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[Windows Security] User Logons - Simple Metrics", - "version": 1 - }, - "id": "windows-035846a0-a249-11e9-a422-d144027429da", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-804dd400-a248-11e9-a422-d144027429da", - "name": "panel_0", - "type": "visualization" - 
}, - { - "id": "windows-5bb93ed0-a249-11e9-a422-d144027429da", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-e2516c10-a249-11e9-a422-d144027429da", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-18348f30-a24d-11e9-a422-d144027429da", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-ce71c9a0-a25e-11e9-a422-d144027429da", - "name": "panel_4", - "type": "search" - }, - { - "id": "windows-d770b040-9b35-11ea-87e4-49f31ec44891", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-2c71e0f0-9c0d-11ea-87e4-49f31ec44891", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "windows-abd44840-9c0f-11ea-87e4-49f31ec44891", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "windows-006d75f0-9c03-11ea-87e4-49f31ec44891", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-21aadac0-9c0b-11ea-87e4-49f31ec44891", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3", - "name": "panel_10", - "type": "search" - }, - { - "id": "windows-25f31ee0-9c23-11ea-87e4-49f31ec44891", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "windows-06b6b060-7a80-11ea-bc9a-0baf2ca323a3", - "name": "panel_12", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab.json b/packages/system/0.10.6/kibana/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab.json deleted file mode 100644 index 8814d936cf..0000000000 --- a/packages/system/0.10.6/kibana/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab.json +++ /dev/null 
@@ -1,53 +0,0 @@ -{ - "attributes": { - "description": "New users and groups dashboard for the System integration in Logs", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":12,\"i\":\"1\",\"w\":24,\"x\":0,\"y\":4},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"2\",\"w\":24,\"x\":24,\"y\":4},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":16},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"4\",\"w\":24,\"x\":24,\"y\":16},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":12,\"i\":\"5\",\"w\":24,\"x\":0,\"y\":28},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"6\",\"w\":24,\"x\":24,\"y\":28},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"7\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Logs System] New users and groups", - "version": 1 - }, - "id": "system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab", - "references": [ - { - "id": "system-f398d2f0-fa77-11e6-ae9b-81e5311e8cab", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-5dd15c00-fa78-11e6-ae9b-81e5311e8cab", - "name": "panel_1", - "type": 
"visualization" - }, - { - "id": "system-e121b140-fa78-11e6-a1df-a78bd7504d38", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "system-d56ee420-fa79-11e6-a1df-a78bd7504d38", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "system-12667040-fa80-11e6-a1df-a78bd7504d38", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "system-346bb290-fa80-11e6-a1df-a78bd7504d38", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "system-327417e0-8462-11e7-bab8-bd2f0fb42c54", - "name": "panel_6", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a.json b/packages/system/0.10.6/kibana/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a.json deleted file mode 100644 index 7c1b819642..0000000000 --- a/packages/system/0.10.6/kibana/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "description": "Sudo commands dashboard from the Logs System integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"2\",\"w\":48,\"x\":0,\"y\":36},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":16,\"i\":\"3\",\"w\":48,\"x\":0,\"y\":4},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"4\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Logs System] Sudo commands", - "version": 1 - }, - "id": "system-277876d0-fa2c-11e6-bbd3-29c986c96e5a", - "references": [ - { - "id": "system-5c7af030-fa2a-11e6-bbd3-29c986c96e5a", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-51164310-fa2b-11e6-bbd3-29c986c96e5a", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "system-dc589770-fa2b-11e6-bbd3-29c986c96e5a", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "system-327417e0-8462-11e7-bab8-bd2f0fb42c54", - "name": "panel_3", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a.json b/packages/system/0.10.6/kibana/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a.json deleted file mode 100644 index 34f78d0da6..0000000000 
--- a/packages/system/0.10.6/kibana/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a.json +++ /dev/null 
@@ -1,48 +0,0 @@ -{ - "attributes": { - "description": "SSH dashboard for the System integration in Logs", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":16},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"2\",\"w\":48,\"x\":0,\"y\":4},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":28},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"mapBounds\":{\"bottom_right\":{\"lat\":10.31491928581316,\"lon\":74.53125},\"top_left\":{\"lat\":60.50052541051131,\"lon\":-27.94921875}},\"mapCenter\":[39.774769485295465,23.203125],\"mapCollar\":{\"bottom_right\":{\"lat\":-14.777884999999998,\"lon\":125.771485},\"top_left\":{\"lat\":85.593335,\"lon\":-79.189455},\"zoom\":3},\"mapZoom\":3},\"gridData\":{\"h\":16,\"i\":\"4\",\"w\":24,\"x\":24,\"y\":28},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"columns\":[\"system.auth.ssh.event\",\"system.auth.ssh.method\",\"user.name\",\"source.ip\",\"source.geo.country_iso_code\"],\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"h\":12,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":44},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"6\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Logs System] SSH login attempts", - "version": 1 - }, - "id": "system-5517a150-f9ce-11e6-8115-a7c18106d86a", - "references": [ - { - "id": 
"system-d16bb400-f9cc-11e6-8115-a7c18106d86a", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-78b74f30-f9cd-11e6-8115-a7c18106d86a", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "system-341ffe70-f9ce-11e6-8115-a7c18106d86a", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "system-3cec3eb0-f9d3-11e6-8a3e-2b904044ea1d", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "system-62439dc0-f9c9-11e6-a747-6121780e0414", - "name": "panel_4", - "type": "search" - }, - { - "id": "system-327417e0-8462-11e7-bab8-bd2f0fb42c54", - "name": "panel_5", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/dashboard/system-71f720f0-ff18-11e9-8405-516218e3d268.json b/packages/system/0.10.6/kibana/dashboard/system-71f720f0-ff18-11e9-8405-516218e3d268.json deleted file mode 100644 index ade89f5b1b..0000000000 --- a/packages/system/0.10.6/kibana/dashboard/system-71f720f0-ff18-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,159 +0,0 @@ -{ - "attributes": { - "description": "User management activity.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":8,\"i\":\"1\",\"w\":17,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Created Users [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"3\",\"w\":9,\"x\":0,\"y\":56},\"panelIndex\":\"3\",\"panelRefName\":\"panel_1\",\"title\":\"Created Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Enabled Users [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"5\",\"w\":9,\"x\":9,\"y\":56},\"panelIndex\":\"5\",\"panelRefName\":\"panel_2\",\"title\":\"Enabled Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Disabled Users [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"6\",\"w\":9,\"x\":0,\"y\":79},\"panelIndex\":\"6\",\"panelRefName\":\"panel_3\",\"title\":\"Disabled Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Deleted Users [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"7\",\"w\":9,\"x\":18,\"y\":56},\"panelIndex\":\"7\",\"panelRefName\":\"panel_4\",\"title\":\"Deleted Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Passwords Changes [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"9\",\"w\":9,\"x\":18,\"y\":79},\"panelIndex\":\"9\",\"panelRefName\":\"panel_5\",\"title\":\"Passwords Changes [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Unlocked Users [Windows 
Security]\"},\"gridData\":{\"h\":16,\"i\":\"15\",\"w\":9,\"x\":9,\"y\":79},\"panelIndex\":\"15\",\"panelRefName\":\"panel_6\",\"title\":\"Unlocked Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Users Changes [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"16\",\"w\":9,\"x\":18,\"y\":102},\"panelIndex\":\"16\",\"panelRefName\":\"panel_7\",\"title\":\"Users Changes [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Locked-out Users [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"20\",\"w\":9,\"x\":0,\"y\":102},\"panelIndex\":\"20\",\"panelRefName\":\"panel_8\",\"title\":\"Locked-out Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":46,\"i\":\"22\",\"w\":21,\"x\":27,\"y\":72},\"panelIndex\":\"22\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"23\",\"w\":48,\"x\":0,\"y\":118},\"panelIndex\":\"23\",\"panelRefName\":\"panel_10\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"24\",\"w\":9,\"x\":0,\"y\":72},\"panelIndex\":\"24\",\"panelRefName\":\"panel_11\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"25\",\"w\":9,\"x\":9,\"y\":49},\"panelIndex\":\"25\",\"panelRefName\":\"panel_12\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"26\",\"w\":9,\"x\":18,\"y\":49},\"panelIndex\":\"26\",\"panelRefName\":\"panel_13\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"27\",\"w\":9,\"x\":0,\"y\":49},\"panelIndex\":\"27\",\"panelRefName\":\"panel_14\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"28\",\"w\":9,\"x\":9,\"y\":72},\"panelIndex\":\"28\",\"panelRefName\":\"panel_15\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"29\",\"w\":9,\
"x\":18,\"y\":72},\"panelIndex\":\"29\",\"panelRefName\":\"panel_16\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"30\",\"w\":9,\"x\":0,\"y\":95},\"panelIndex\":\"30\",\"panelRefName\":\"panel_17\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"31\",\"w\":9,\"x\":18,\"y\":95},\"panelIndex\":\"31\",\"panelRefName\":\"panel_18\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"32\",\"w\":9,\"x\":9,\"y\":95},\"panelIndex\":\"32\",\"panelRefName\":\"panel_19\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"33\",\"w\":9,\"x\":9,\"y\":102},\"panelIndex\":\"33\",\"panelRefName\":\"panel_20\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":8,\"i\":\"cf0adfac-7cf2-479d-8ddb-1edeee62d37c\",\"w\":31,\"x\":17,\"y\":0},\"panelIndex\":\"cf0adfac-7cf2-479d-8ddb-1edeee62d37c\",\"panelRefName\":\"panel_21\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-user-account\":\"#447EBC\",\"deleted-user-account\":\"#82B5D8\",\"disabled-user-account\":\"#82B5D8\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#2F575E\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\"},\"vis\":{\"colors\":{\"added-user-account\":\"#447EBC\",\"deleted-user-account\":\"#82B5D8\",\"disabled-user-account\":\"#82B5D8\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#2F575E\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\",\"unlocked-user-account\":\"#64B0C8\"}}},\"gridData\":{\"h\":16,\"i\":\"a2871661-98a8-489b-b615-e66ebe3b971a\",\"w\":17,\"x\":0,\"y\":8},\"panelIndex\":\"a2871661-98a8-489b-b615-e66ebe3b971a\",\"panelRefName\":\"panel_22\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"e80fae4a-6087-41e1-b4b9-31802cb1e4bf\",\"w\":18,\"x\":30,\"y\":8},\"panelIndex\":\"e80fae4a-6087-41e1-b4b9-31
802cb1e4bf\",\"panelRefName\":\"panel_23\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"dd3e12e6-0d3c-448e-b0c4-91f7dc8742b6\",\"w\":13,\"x\":17,\"y\":8},\"panelIndex\":\"dd3e12e6-0d3c-448e-b0c4-91f7dc8742b6\",\"panelRefName\":\"panel_24\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Actions performed over Users [Windows Security]\",\"vis\":null},\"gridData\":{\"h\":25,\"i\":\"29f54335-78db-4c49-a3e0-a641fd0099f6\",\"w\":48,\"x\":0,\"y\":24},\"panelIndex\":\"29f54335-78db-4c49-a3e0-a641fd0099f6\",\"panelRefName\":\"panel_25\",\"title\":\"Actions performed over Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-user-account\":\"#0A437C\",\"deleted-user-account\":\"#5195CE\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#052B51\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\"},\"vis\":{\"colors\":{\"added-user-account\":\"#0A437C\",\"deleted-user-account\":\"#5195CE\",\"disabled-user-account\":\"#82B5D8\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#052B51\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\"}}},\"gridData\":{\"h\":23,\"i\":\"1ec8b993-9ac1-4c7f-b7f7-5136f2e310aa\",\"w\":21,\"x\":27,\"y\":49},\"panelIndex\":\"1ec8b993-9ac1-4c7f-b7f7-5136f2e310aa\",\"panelRefName\":\"panel_26\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[Windows Security] User Management Events", - "version": 1 - }, - "id": "windows-71f720f0-ff18-11e9-8405-516218e3d268", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf", - "name": "panel_2", - "type": "visualization" - }, 
- { - "id": "windows-8f20c950-bcd4-11e9-b6a2-c9b4015c4baf", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-da2110c0-bcea-11e9-b6a2-c9b4015c4baf", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "windows-abf96c10-bcea-11e9-b6a2-c9b4015c4baf", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "windows-4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-7e178c80-fee1-11e9-8405-516218e3d268", - "name": "panel_9", - "type": "search" - }, - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "panel_10", - "type": "search" - }, - { - "id": "windows-97c70300-ff1c-11e9-8405-516218e3d268", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "windows-bf45dc50-ff1a-11e9-8405-516218e3d268", - "name": "panel_12", - "type": "visualization" - }, - { - "id": "windows-7322f9f0-ff1c-11e9-8405-516218e3d268", - "name": "panel_13", - "type": "visualization" - }, - { - "id": "windows-d3a5fec0-ff18-11e9-8405-516218e3d268", - "name": "panel_14", - "type": "visualization" - }, - { - "id": "windows-1b6725f0-ff1d-11e9-8405-516218e3d268", - "name": "panel_15", - "type": "visualization" - }, - { - "id": "windows-60301890-ff1d-11e9-8405-516218e3d268", - "name": "panel_16", - "type": "visualization" - }, - { - "id": "windows-9dd22440-ff1d-11e9-8405-516218e3d268", - "name": "panel_17", - "type": "visualization" - }, - { - "id": "windows-c9d959f0-ff1d-11e9-8405-516218e3d268", - "name": "panel_18", - "type": "visualization" - }, - { - "id": "windows-1f271bc0-231a-11ea-8405-516218e3d268", - "name": "panel_19", - "type": "visualization" - }, - { - "id": "windows-fa876300-231a-11ea-8405-516218e3d268", - "name": "panel_20", - "type": 
"visualization" - }, - { - "id": "windows-a3c3f350-9b6d-11ea-87e4-49f31ec44891", - "name": "panel_21", - "type": "visualization" - }, - { - "id": "windows-26877510-9b72-11ea-87e4-49f31ec44891", - "name": "panel_22", - "type": "visualization" - }, - { - "id": "windows-117f5a30-9b71-11ea-87e4-49f31ec44891", - "name": "panel_23", - "type": "visualization" - }, - { - "id": "windows-5c9ee410-9b74-11ea-87e4-49f31ec44891", - "name": "panel_24", - "type": "visualization" - }, - { - "id": "windows-aa31c9d0-9b75-11ea-87e4-49f31ec44891", - "name": "panel_25", - "type": "visualization" - }, - { - "id": "windows-caf4d2b0-9b76-11ea-87e4-49f31ec44891", - "name": "panel_26", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8.json b/packages/system/0.10.6/kibana/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8.json deleted file mode 100644 index 4dba98af12..0000000000 --- a/packages/system/0.10.6/kibana/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8.json +++ /dev/null 
@@ -1,133 +0,0 @@ -{ - "attributes": { - "description": "Overview of host metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"1\",\"w\":24,\"x\":0,\"y\":55},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"2\",\"w\":24,\"x\":24,\"y\":25},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"3\",\"w\":24,\"x\":24,\"y\":55},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"4\",\"w\":24,\"x\":0,\"y\":40},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":70},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":24,\"x\":0,\"y\":70},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"7\",\"w\":24,\"x\":0,\"y\":25},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"8\",\"w\":24,\"x\":24,\"y\":40},\"panelIndex\":\"8\",\"panelRefName\":\"panel_7\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"9\",\"w\":8,\"x\":16,\"y\":5},\"panelIndex\":\"9\",\"panelRefName\":\"panel_8\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"10\",\"w\":8,\"x\":0,\"y\":5},\"panelIndex\":\"10\",\"panelRefName\":\"panel_9\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"11\",\"w\":8,\"x\":8,
\"y\":5},\"panelIndex\":\"11\",\"panelRefName\":\"panel_10\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"12\",\"w\":8,\"x\":24,\"y\":5},\"panelIndex\":\"12\",\"panelRefName\":\"panel_11\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"13\",\"w\":8,\"x\":32,\"y\":5},\"panelIndex\":\"13\",\"panelRefName\":\"panel_12\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"14\",\"w\":16,\"x\":32,\"y\":15},\"panelIndex\":\"14\",\"panelRefName\":\"panel_13\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":5,\"i\":\"16\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"16\",\"panelRefName\":\"panel_14\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"21\",\"w\":8,\"x\":0,\"y\":15},\"panelIndex\":\"21\",\"panelRefName\":\"panel_15\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"22\",\"w\":8,\"x\":8,\"y\":15},\"panelIndex\":\"22\",\"panelRefName\":\"panel_16\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"23\",\"w\":8,\"x\":24,\"y\":15},\"panelIndex\":\"23\",\"panelRefName\":\"panel_17\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"25\",\"w\":8,\"x\":40,\"y\":5},\"panelIndex\":\"25\",\"panelRefName\":\"panel_18\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"27\",\"w\":24,\"x\":0,\"y\":85},\"panelIndex\":\"27\",\"panelRefName\":\"panel_19\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"28\",\"w\":24,\"x\":24,\"y\":85},\"panelIndex\":\"28\",\"panelRefName\":\"panel_20\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":10,\"i\":\"29\",\"w\":8,\"x\":16,\"y\":15},\"panelIndex\":\"29\",\"panelRefName\":\"panel_21\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":5,\"i\":\"30\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"30\",\"panelRefName\":\"panel_22\",\"version\":\"7.6.0\"}]", - "timeRestore": false, - "title": "[Metrics System] Host overview", - "version": 1 - }, - "id": "system-79ffd6e0-faa0-11e6-947f-177f697178b8", - "references": [ - { - "id": "system-6b7b9a40-faa1-11e6-86b1-cd7735ff7e23", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-4d546850-1b15-11e7-b09e-037021c4f8df", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "system-089b85d0-1b16-11e7-b09e-037021c4f8df", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "system-bfa5e400-1b16-11e7-b09e-037021c4f8df", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "system-e0f001c0-1b18-11e7-b09e-037021c4f8df", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "system-2e224660-1b19-11e7-b09e-037021c4f8df", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "system-ab2d1e90-1b1a-11e7-b09e-037021c4f8df", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "system-4e4bb1e0-1b1b-11e7-b09e-037021c4f8df", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "system-26732e20-1b91-11e7-bec4-a5e9ec5cab8b", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "system-1aae9140-1b93-11e7-8ada-3df93aab833e", - "name": "panel_12", - "type": "visualization" - }, - { - "id": "system-34f97ee0-1b96-11e7-8ada-3df93aab833e", - 
"name": "panel_13", - "type": "visualization" - }, - { - "id": "system-Navigation", - "name": "panel_14", - "type": "visualization" - }, - { - "id": "system-19e123b0-4d5a-11e7-aee5-fdc812cc3bec", - "name": "panel_15", - "type": "visualization" - }, - { - "id": "system-d2e80340-4d5c-11e7-aa29-87a97a796de6", - "name": "panel_16", - "type": "visualization" - }, - { - "id": "system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32", - "name": "panel_17", - "type": "visualization" - }, - { - "id": "system-96976150-4d5d-11e7-aa29-87a97a796de6", - "name": "panel_18", - "type": "visualization" - }, - { - "id": "system-99381c80-4d60-11e7-9a4c-ed99bbcaa42b", - "name": "panel_19", - "type": "visualization" - }, - { - "id": "system-c5e3cf90-4d60-11e7-9a4c-ed99bbcaa42b", - "name": "panel_20", - "type": "visualization" - }, - { - "id": "system-590a60f0-5d87-11e7-8884-1bb4c3b890e4", - "name": "panel_21", - "type": "visualization" - }, - { - "id": "system-3d65d450-a9c3-11e7-af20-67db8aecb295", - "name": "panel_22", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/dashboard/system-8223bed0-b9e9-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.6/kibana/dashboard/system-8223bed0-b9e9-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 66ca04e54e..0000000000 --- a/packages/system/0.10.6/kibana/dashboard/system-8223bed0-b9e9-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,159 +0,0 @@ -{ - "attributes": { - "description": "User management activity with TSVB metrics.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"1\",\"w\":17,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Created Users [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"3\",\"w\":9,\"x\":0,\"y\":55},\"panelIndex\":\"3\",\"panelRefName\":\"panel_1\",\"title\":\"Created Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Enabled Users [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"5\",\"w\":9,\"x\":9,\"y\":55},\"panelIndex\":\"5\",\"panelRefName\":\"panel_2\",\"title\":\"Enabled Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Disabled Users [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"6\",\"w\":9,\"x\":0,\"y\":80},\"panelIndex\":\"6\",\"panelRefName\":\"panel_3\",\"title\":\"Disabled Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Deleted Users [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"7\",\"w\":9,\"x\":18,\"y\":55},\"panelIndex\":\"7\",\"panelRefName\":\"panel_4\",\"title\":\"Deleted Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Passwords Changes [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"9\",\"w\":9,\"x\":18,\"y\":80},\"panelIndex\":\"9\",\"panelRefName\":\"panel_5\",\"title\":\"Passwords Changes [Windows 
Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"10\",\"w\":9,\"x\":0,\"y\":46},\"panelIndex\":\"10\",\"panelRefName\":\"panel_6\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"11\",\"w\":9,\"x\":9,\"y\":46},\"panelIndex\":\"11\",\"panelRefName\":\"panel_7\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"12\",\"w\":9,\"x\":18,\"y\":46},\"panelIndex\":\"12\",\"panelRefName\":\"panel_8\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"13\",\"w\":9,\"x\":0,\"y\":71},\"panelIndex\":\"13\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"14\",\"w\":9,\"x\":18,\"y\":71},\"panelIndex\":\"14\",\"panelRefName\":\"panel_10\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Unlocked Users [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"15\",\"w\":9,\"x\":9,\"y\":80},\"panelIndex\":\"15\",\"panelRefName\":\"panel_11\",\"title\":\"Unlocked Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Users Changes [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"16\",\"w\":9,\"x\":18,\"y\":105},\"panelIndex\":\"16\",\"panelRefName\":\"panel_12\",\"title\":\"Users Changes [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"17\",\"w\":9,\"x\":0,\"y\":96},\"panelIndex\":\"17\",\"panelRefName\":\"panel_13\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"18\",\"w\":9,\"x\":9,\"y\":71},\"panelIndex\":\"18\",\"panelRefName\":\"panel_14\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"19\",\"w\":9,\"x\":18,\"y\":96},\"panelIndex\":\"19\",\"panelRefName\":\"panel_15\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Locked-out Users 
[Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"20\",\"w\":9,\"x\":0,\"y\":105},\"panelIndex\":\"20\",\"panelRefName\":\"panel_16\",\"title\":\"Locked-out Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":48,\"i\":\"22\",\"w\":21,\"x\":27,\"y\":73},\"panelIndex\":\"22\",\"panelRefName\":\"panel_17\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"23\",\"w\":48,\"x\":0,\"y\":121},\"panelIndex\":\"23\",\"panelRefName\":\"panel_18\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"24\",\"w\":9,\"x\":9,\"y\":96},\"panelIndex\":\"24\",\"panelRefName\":\"panel_19\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"25\",\"w\":9,\"x\":9,\"y\":105},\"panelIndex\":\"25\",\"panelRefName\":\"panel_20\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"20adcb1b-cebf-4a75-9bc4-eaeeee626c5e\",\"w\":31,\"x\":17,\"y\":0},\"panelIndex\":\"20adcb1b-cebf-4a75-9bc4-eaeeee626c5e\",\"panelRefName\":\"panel_21\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-user-account\":\"#0A437C\",\"deleted-user-account\":\"#82B5D8\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#052B51\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\"},\"vis\":{\"colors\":{\"added-user-account\":\"#0A437C\",\"deleted-user-account\":\"#82B5D8\",\"disabled-user-account\":\"#BADFF4\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#052B51\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\"}}},\"gridData\":{\"h\":19,\"i\":\"8aad73ff-37b1-487a-a3f1-b80b93618ac4\",\"w\":18,\"x\":0,\"y\":7},\"panelIndex\":\"8aad73ff-37b1-487a-a3f1-b80b93618ac4\",\"panelRefName\":\"panel_22\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"18cc78ac-3f77-4f54-b351-cb94873cae3f\",\"w\":14,\"x\":18,\"y\":7},\"panelIndex\":\"18cc78ac
-3f77-4f54-b351-cb94873cae3f\",\"panelRefName\":\"panel_23\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"75f5f1fc-bc7c-4f8f-8e5b-0a52d525aa7d\",\"w\":16,\"x\":32,\"y\":7},\"panelIndex\":\"75f5f1fc-bc7c-4f8f-8e5b-0a52d525aa7d\",\"panelRefName\":\"panel_24\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Actions performed over Users [Windows Security]\",\"vis\":null},\"gridData\":{\"h\":20,\"i\":\"f443b5b0-ada7-426f-ae2f-46573f94f24f\",\"w\":48,\"x\":0,\"y\":26},\"panelIndex\":\"f443b5b0-ada7-426f-ae2f-46573f94f24f\",\"panelRefName\":\"panel_25\",\"title\":\"Actions performed over Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-user-account\":\"#0A437C\",\"deleted-user-account\":\"#82B5D8\",\"disabled-user-account\":\"#BADFF4\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#2F575E\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\"},\"vis\":{\"colors\":{\"added-user-account\":\"#0A437C\",\"deleted-user-account\":\"#82B5D8\",\"disabled-user-account\":\"#BADFF4\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#2F575E\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\",\"unlocked-user-account\":\"#0A437C\"}}},\"gridData\":{\"h\":27,\"i\":\"820c0311-d378-49dc-a614-e0fed2254603\",\"w\":21,\"x\":27,\"y\":46},\"panelIndex\":\"820c0311-d378-49dc-a614-e0fed2254603\",\"panelRefName\":\"panel_26\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[Windows Security] User Management Events - Simple Metric", - "version": 1 - }, - "id": "windows-8223bed0-b9e9-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf", - "name": "panel_1", - "type": "visualization" - }, - 
{ - "id": "windows-0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-8f20c950-bcd4-11e9-b6a2-c9b4015c4baf", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-102efd20-bcdd-11e9-b6a2-c9b4015c4baf", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "windows-855957d0-bcdd-11e9-b6a2-c9b4015c4baf", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "windows-c359b020-bcdd-11e9-b6a2-c9b4015c4baf", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-0cb2d940-bcde-11e9-b6a2-c9b4015c4baf", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-568a8130-bcde-11e9-b6a2-c9b4015c4baf", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "windows-da2110c0-bcea-11e9-b6a2-c9b4015c4baf", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "windows-abf96c10-bcea-11e9-b6a2-c9b4015c4baf", - "name": "panel_12", - "type": "visualization" - }, - { - "id": "windows-84502430-bce8-11e9-b6a2-c9b4015c4baf", - "name": "panel_13", - "type": "visualization" - }, - { - "id": "windows-ab6f8d80-bce8-11e9-b6a2-c9b4015c4baf", - "name": "panel_14", - "type": "visualization" - }, - { - "id": "windows-5d92b100-bce8-11e9-b6a2-c9b4015c4baf", - "name": "panel_15", - "type": "visualization" - }, - { - "id": "windows-4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf", - "name": "panel_16", - "type": "visualization" - }, - { - "id": "windows-7e178c80-fee1-11e9-8405-516218e3d268", - "name": "panel_17", - "type": "search" - }, - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "panel_18", - "type": "search" - }, - { - "id": "windows-5e19ff80-231c-11ea-8405-516218e3d268", - "name": "panel_19", - "type": 
"visualization" - }, - { - "id": "windows-fa876300-231a-11ea-8405-516218e3d268", - "name": "panel_20", - "type": "visualization" - }, - { - "id": "windows-d770b040-9b35-11ea-87e4-49f31ec44891", - "name": "panel_21", - "type": "visualization" - }, - { - "id": "windows-26877510-9b72-11ea-87e4-49f31ec44891", - "name": "panel_22", - "type": "visualization" - }, - { - "id": "windows-5c9ee410-9b74-11ea-87e4-49f31ec44891", - "name": "panel_23", - "type": "visualization" - }, - { - "id": "windows-117f5a30-9b71-11ea-87e4-49f31ec44891", - "name": "panel_24", - "type": "visualization" - }, - { - "id": "windows-aa31c9d0-9b75-11ea-87e4-49f31ec44891", - "name": "panel_25", - "type": "visualization" - }, - { - "id": "windows-caf4d2b0-9b76-11ea-87e4-49f31ec44891", - "name": "panel_26", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/dashboard/system-Filebeat-syslog-dashboard.json b/packages/system/0.10.6/kibana/dashboard/system-Filebeat-syslog-dashboard.json deleted file mode 100644 index e853fd4613..0000000000 --- a/packages/system/0.10.6/kibana/dashboard/system-Filebeat-syslog-dashboard.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "description": "Syslog dashboard from the Logs System integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"1\",\"w\":32,\"x\":0,\"y\":4},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"2\",\"w\":16,\"x\":32,\"y\":4},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"columns\":[\"host.hostname\",\"process.name\",\"message\"],\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"h\":28,\"i\":\"3\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"4\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Logs System] Syslog dashboard", - "version": 1 - }, - "id": "system-Filebeat-syslog-dashboard", - "references": [ - { - "id": "system-Syslog-events-by-hostname", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-Syslog-hostnames-and-processes", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "system-Syslog-system-logs", - "name": "panel_2", - "type": "search" - }, - { - "id": "system-327417e0-8462-11e7-bab8-bd2f0fb42c54", - "name": "panel_3", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/dashboard/system-Metricbeat-system-overview.json b/packages/system/0.10.6/kibana/dashboard/system-Metricbeat-system-overview.json deleted file mode 100644 index 286c979eb2..0000000000 
--- a/packages/system/0.10.6/kibana/dashboard/system-Metricbeat-system-overview.json
+++ /dev/null
@@ -1,68 +0,0 @@ -{ - "attributes": { - "description": "Overview of system metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"9\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"9\",\"panelRefName\":\"panel_0\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"11\",\"w\":8,\"x\":0,\"y\":4},\"panelIndex\":\"11\",\"panelRefName\":\"panel_1\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":20,\"i\":\"12\",\"w\":24,\"x\":24,\"y\":12},\"panelIndex\":\"12\",\"panelRefName\":\"panel_2\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"13\",\"w\":24,\"x\":0,\"y\":12},\"panelIndex\":\"13\",\"panelRefName\":\"panel_3\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0% - 15%\":\"rgb(247,252,245)\",\"15% - 30%\":\"rgb(199,233,192)\",\"30% - 45%\":\"rgb(116,196,118)\",\"45% - 60%\":\"rgb(35,139,69)\"}}},\"gridData\":{\"h\":24,\"i\":\"14\",\"w\":48,\"x\":0,\"y\":32},\"panelIndex\":\"14\",\"panelRefName\":\"panel_4\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"16\",\"w\":8,\"x\":32,\"y\":4},\"panelIndex\":\"16\",\"panelRefName\":\"panel_5\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"17\",\"w\":8,\"x\":40,\"y\":4},\"panelIndex\":\"17\",\"panelRefName\":\"panel_6\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"18\",\"w\":8,\"x\":24,\"y\":4},\"panelIndex\":\"18\",\"panelRefName\":\"panel_7\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"19\",\"w\":8,\"x\":16,\"y\":4},\"panelIndex\":\"19\",\"panelRefName\":\"panel_8\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"20\",\"w\":8,\"x\":8,\"y\":4},\"panelIndex\":\"20\",\"panelRefName\":\"panel_9\",\"version\":\"7.6.0\"}]", - "timeRestore": false, - "title": "[Metrics System] Overview", - "version": 1 - }, - "id": "system-Metrics-system-overview", - "references": [ - { - "id": "system-Navigation", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-c6f2ffd0-4d17-11e7-a196-69b9a7a020a9", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "system-fe064790-1b1f-11e7-bec4-a5e9ec5cab8b", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "system-855899e0-1b1c-11e7-b09e-037021c4f8df", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "system-7cdb1330-4d1a-11e7-a196-69b9a7a020a9", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "system-1aae9140-1b93-11e7-8ada-3df93aab833e", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b", - "name": 
"panel_9", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/dashboard/system-Winlogbeat-Dashboard.json b/packages/system/0.10.6/kibana/dashboard/system-Winlogbeat-Dashboard.json deleted file mode 100644 index 84aad582de..0000000000 --- a/packages/system/0.10.6/kibana/dashboard/system-Winlogbeat-Dashboard.json +++ /dev/null 
@@ -1,49 +0,0 @@ -{ - "attributes": { - "description": "Overview of all Windows Event Logs.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:system.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:system.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system OR data_stream.dataset:system.system)\"}}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"gridData\":{\"h\":20,\"i\":\"3\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"4\",\"w\":16,\"x\":16,\"y\":20},\"panelIndex\":\"4\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"gridData\":{\"h\":20,\"i\":\"5\",\"w\":16,\"x\":32,\"y\":20},\"panelIndex\":\"5\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"gridData\":{\"h\":20,\"i\":\"6\",\"w\":16,\"x\":0,\"y\":20},\"panelIndex\":\"6\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Windows] Overview", - "version": 1 - }, - "id": "Windows-Dashboard", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-Number-of-Events-Over-Time-By-Event-Log", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-Number-of-Events", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-Top-Event-IDs", - 
"name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-Event-Levels", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-Sources", - "name": "panel_4", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/dashboard/system-bae11b00-9bfc-11ea-87e4-49f31ec44891.json b/packages/system/0.10.6/kibana/dashboard/system-bae11b00-9bfc-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 5ab48a3062..0000000000 --- a/packages/system/0.10.6/kibana/dashboard/system-bae11b00-9bfc-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,89 +0,0 @@ -{ - "attributes": { - "description": "User logon activity dashboard.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"Admin Users Sessions\"},\"gridData\":{\"h\":28,\"i\":\"1\",\"w\":18,\"x\":0,\"y\":34},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"title\":\"Admin Users Sessions\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"AdminLocalSta\":\"#890F02\",\"SERVICIO LOCAL\":\"#508642\"},\"legendOpen\":true,\"title\":\"Administrators Logged On\",\"vis\":{\"colors\":{\"AdminLocalSta\":\"#890F02\",\"NETWORK SERVICE\":\"#1F78C1\",\"SERVICIO LOCAL\":\"#508642\"},\"legendOpen\":true}},\"gridData\":{\"h\":18,\"i\":\"3\",\"w\":18,\"x\":0,\"y\":16},\"panelIndex\":\"3\",\"panelRefName\":\"panel_1\",\"title\":\"Administrators Logged On\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":6,\"i\":\"4\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_2\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Details\"},\"gridData\":{\"h\":47,\"i\":\"10\",\"w\":23,\"x\":0,\"y\":62},\"panelIndex\":\"10\",\"panelRefName\":\"panel_3\",\"title\":\"Logon 
Details\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":6,\"i\":\"34fc9633-8a7c-444d-8d19-06095b55fb43\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"34fc9633-8a7c-444d-8d19-06095b55fb43\",\"panelRefName\":\"panel_4\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":10,\"i\":\"67d2409d-3e51-45d5-972f-32a36537e622\",\"w\":9,\"x\":0,\"y\":6},\"panelIndex\":\"67d2409d-3e51-45d5-972f-32a36537e622\",\"panelRefName\":\"panel_5\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":10,\"i\":\"33d05ce3-f60d-4a31-a668-aa6fab0cc800\",\"w\":9,\"x\":9,\"y\":6},\"panelIndex\":\"33d05ce3-f60d-4a31-a668-aa6fab0cc800\",\"panelRefName\":\"panel_6\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Events Timeline\"},\"gridData\":{\"h\":13,\"i\":\"7b3906e6-3a81-450c-bb31-ca0d670440b7\",\"w\":30,\"x\":18,\"y\":6},\"panelIndex\":\"7b3906e6-3a81-450c-bb31-ca0d670440b7\",\"panelRefName\":\"panel_7\",\"title\":\"Logon Events Timeline\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"CachedInteractive\":\"#6ED0E0\",\"Interactive\":\"#2F575E\",\"Network\":\"#447EBC\",\"RemoteInteractive\":\"#64B0C8\",\"Service\":\"#6ED0E0\",\"Unlock\":\"#BADFF4\"},\"legendOpen\":true,\"title\":\"Logon Types\",\"vis\":{\"colors\":{\"CachedInteractive\":\"#6ED0E0\",\"Interactive\":\"#2F575E\",\"Network\":\"#447EBC\",\"RemoteInteractive\":\"#64B0C8\",\"Service\":\"#65C5DB\",\"Unlock\":\"#BADFF4\"},\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"cf50b48e-453c-46fb-ad35-7ccfb7b03de0\",\"w\":15,\"x\":18,\"y\":19},\"panelIndex\":\"cf50b48e-453c-46fb-ad35-7ccfb7b03de0\",\"panelRefName\":\"panel_8\",\"title\":\"Logon 
Types\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"a743ffe5-a2ac-4c0b-9b6f-a81563140c42\",\"w\":15,\"x\":33,\"y\":19},\"panelIndex\":\"a743ffe5-a2ac-4c0b-9b6f-a81563140c42\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"RDP Reconnections and Desconnections\"},\"gridData\":{\"h\":28,\"i\":\"454bb008-9720-455e-8ab9-b2f47d25aa4f\",\"w\":18,\"x\":18,\"y\":34},\"panelIndex\":\"454bb008-9720-455e-8ab9-b2f47d25aa4f\",\"panelRefName\":\"panel_10\",\"title\":\"RDP Reconnections and Desconnections\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":28,\"i\":\"29a0e70a-ab23-4d48-8d4e-9a39c5af47ad\",\"w\":12,\"x\":36,\"y\":34},\"panelIndex\":\"29a0e70a-ab23-4d48-8d4e-9a39c5af47ad\",\"panelRefName\":\"panel_11\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logout Details\"},\"gridData\":{\"h\":46,\"i\":\"28115147-8399-4fcd-95ce-ed0a4f4239e3\",\"w\":25,\"x\":23,\"y\":62},\"panelIndex\":\"28115147-8399-4fcd-95ce-ed0a4f4239e3\",\"panelRefName\":\"panel_12\",\"title\":\"Logout Details\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[Windows Security] User Logons", - "version": 1 - }, - "id": "windows-bae11b00-9bfc-11ea-87e4-49f31ec44891", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-804dd400-a248-11e9-a422-d144027429da", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-e2516c10-a249-11e9-a422-d144027429da", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-18348f30-a24d-11e9-a422-d144027429da", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-ce71c9a0-a25e-11e9-a422-d144027429da", - "name": "panel_3", - "type": "search" - }, - { - "id": "windows-a3c3f350-9b6d-11ea-87e4-49f31ec44891", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-0622da40-9bfd-11ea-87e4-49f31ec44891", - "name": 
"panel_5", - "type": "visualization" - }, - { - "id": "windows-860706a0-9bfd-11ea-87e4-49f31ec44891", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "windows-a909b930-685f-11ea-896f-0d70f7ec3956", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "windows-006d75f0-9c03-11ea-87e4-49f31ec44891", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-21aadac0-9c0b-11ea-87e4-49f31ec44891", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3", - "name": "panel_10", - "type": "search" - }, - { - "id": "windows-25f31ee0-9c23-11ea-87e4-49f31ec44891", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "windows-06b6b060-7a80-11ea-bc9a-0baf2ca323a3", - "name": "panel_12", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/dashboard/system-bb858830-f412-11e9-8405-516218e3d268.json b/packages/system/0.10.6/kibana/dashboard/system-bb858830-f412-11e9-8405-516218e3d268.json deleted file mode 100644 index b379eea763..0000000000 --- a/packages/system/0.10.6/kibana/dashboard/system-bb858830-f412-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,129 +0,0 @@ -{ - "attributes": { - "description": "Group management activity.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"22\",\"w\":16,\"x\":0,\"y\":0},\"panelIndex\":\"22\",\"panelRefName\":\"panel_0\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"29\",\"w\":16,\"x\":0,\"y\":68},\"panelIndex\":\"29\",\"panelRefName\":\"panel_1\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"30\",\"w\":9,\"x\":18,\"y\":48},\"panelIndex\":\"30\",\"panelRefName\":\"panel_2\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"31\",\"w\":9,\"x\":0,\"y\":48},\"panelIndex\":\"31\",\"panelRefName\":\"panel_3\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"32\",\"w\":9,\"x\":9,\"y\":48},\"panelIndex\":\"32\",\"panelRefName\":\"panel_4\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"33\",\"w\":17,\"x\":16,\"y\":68},\"panelIndex\":\"33\",\"panelRefName\":\"panel_5\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"34\",\"w\":15,\"x\":33,\"y\":68},\"panelIndex\":\"34\",\"panelRefName\":\"panel_6\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Creation Summary [Windows Security]\"},\"gridData\":{\"h\":13,\"i\":\"36\",\"w\":9,\"x\":0,\"y\":55},\"panelIndex\":\"36\",\"panelRefName\":\"panel_7\",\"title\":\"Group Creation Summary [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Changes Summary [Windows 
Security]\"},\"gridData\":{\"h\":13,\"i\":\"37\",\"w\":9,\"x\":9,\"y\":55},\"panelIndex\":\"37\",\"panelRefName\":\"panel_8\",\"title\":\"Group Changes Summary [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Deletion Summary [Windows Security]\"},\"gridData\":{\"h\":13,\"i\":\"38\",\"w\":9,\"x\":18,\"y\":55},\"panelIndex\":\"38\",\"panelRefName\":\"panel_9\",\"title\":\"Group Deletion Summary [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Users Added to Group Summary [Windows Security]\"},\"gridData\":{\"h\":14,\"i\":\"39\",\"w\":16,\"x\":0,\"y\":75},\"panelIndex\":\"39\",\"panelRefName\":\"panel_10\",\"title\":\"Users Added to Group Summary [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Users Removed From Group Summary [Windows Security]\"},\"gridData\":{\"h\":14,\"i\":\"40\",\"w\":17,\"x\":16,\"y\":75},\"panelIndex\":\"40\",\"panelRefName\":\"panel_11\",\"title\":\"Users Removed From Group Summary [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Enumeration - Table [Windows Security]\"},\"gridData\":{\"h\":14,\"i\":\"42\",\"w\":15,\"x\":33,\"y\":75},\"panelIndex\":\"42\",\"panelRefName\":\"panel_12\",\"title\":\"Group Enumeration - Table [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Details [Windows Security]\"},\"gridData\":{\"h\":20,\"i\":\"43\",\"w\":21,\"x\":27,\"y\":48},\"panelIndex\":\"43\",\"panelRefName\":\"panel_13\",\"title\":\"Logon Details [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Management Operations Details [Windows Security]\"},\"gridData\":{\"h\":22,\"i\":\"45\",\"w\":48,\"x\":0,\"y\":89},\"panelIndex\":\"45\",\"panelRefName\":\"panel_14\",\"title\":\"Group Management Operations Details [Windows 
Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-group-account\":\"#0A437C\",\"added-member-to-group\":\"#1F78C1\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#052B51\",\"user-member-enumerated\":\"#447EBC\"},\"vis\":{\"colors\":{\"added-group-account\":\"#0A437C\",\"added-member-to-group\":\"#1F78C1\",\"deleted-group-account\":\"#82B5D8\",\"modified-group-account\":\"#052B51\",\"user-member-enumerated\":\"#447EBC\"}}},\"gridData\":{\"h\":20,\"i\":\"3f7e277d-09d1-4a79-bc17-bc5da5a7e290\",\"w\":20,\"x\":0,\"y\":7},\"panelIndex\":\"3f7e277d-09d1-4a79-bc17-bc5da5a7e290\",\"panelRefName\":\"panel_15\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"8cda9d6a-096f-41a5-86e6-09dd1f6b9c98\",\"w\":16,\"x\":32,\"y\":7},\"panelIndex\":\"8cda9d6a-096f-41a5-86e6-09dd1f6b9c98\",\"panelRefName\":\"panel_16\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Management Events - Event Actions - Table [Windows Security]\"},\"gridData\":{\"h\":20,\"i\":\"74edddd5-2dc5-41b8-b4f2-bf9c95218f1b\",\"w\":12,\"x\":20,\"y\":7},\"panelIndex\":\"74edddd5-2dc5-41b8-b4f2-bf9c95218f1b\",\"panelRefName\":\"panel_17\",\"title\":\"Group Management Events - Event Actions - Table [Windows 
Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"vis\":null},\"gridData\":{\"h\":21,\"i\":\"33cef054-615a-49cb-bb2e-eb55fab96ae5\",\"w\":27,\"x\":0,\"y\":27},\"panelIndex\":\"33cef054-615a-49cb-bb2e-eb55fab96ae5\",\"panelRefName\":\"panel_18\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-group-account\":\"#1F78C1\",\"added-member-to-group\":\"#0A437C\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#0A50A1\",\"type-changed-group-account\":\"#82B5D8\",\"user-member-enumerated\":\"#447EBC\"},\"vis\":{\"colors\":{\"added-group-account\":\"#1F78C1\",\"added-member-to-group\":\"#0A437C\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#0A50A1\",\"removed-member-from-group\":\"#BADFF4\",\"type-changed-group-account\":\"#82B5D8\",\"user-member-enumerated\":\"#447EBC\"}}},\"gridData\":{\"h\":21,\"i\":\"e0d495aa-f897-403f-815b-6116fae330b7\",\"w\":21,\"x\":27,\"y\":27},\"panelIndex\":\"e0d495aa-f897-403f-815b-6116fae330b7\",\"panelRefName\":\"panel_19\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"663e0493-2070-407b-9d00-079915cce7e7\",\"w\":32,\"x\":16,\"y\":0},\"panelIndex\":\"663e0493-2070-407b-9d00-079915cce7e7\",\"panelRefName\":\"panel_20\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[Windows Security] Group Management Events", - "version": 1 - }, - "id": "windows-bb858830-f412-11e9-8405-516218e3d268", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-6f0f2ea0-f414-11e9-8405-516218e3d268", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-ffebe440-f419-11e9-8405-516218e3d268", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-e22c6f40-f498-11e9-8405-516218e3d268", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-ee292bc0-f499-11e9-8405-516218e3d268", - "name": "panel_3", - "type": 
"visualization" - }, - { - "id": "windows-400b63e0-f49a-11e9-8405-516218e3d268", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-a5f664c0-f49a-11e9-8405-516218e3d268", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-546febc0-f49b-11e9-8405-516218e3d268", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "windows-98884120-f49d-11e9-8405-516218e3d268", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "windows-9e534190-f49d-11e9-8405-516218e3d268", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-bb9cf7a0-f49d-11e9-8405-516218e3d268", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-ce867840-f49e-11e9-8405-516218e3d268", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "windows-fee83900-f49f-11e9-8405-516218e3d268", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "windows-bc165210-f4b8-11e9-8405-516218e3d268", - "name": "panel_12", - "type": "visualization" - }, - { - "id": "windows-7e178c80-fee1-11e9-8405-516218e3d268", - "name": "panel_13", - "type": "search" - }, - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "panel_14", - "type": "search" - }, - { - "id": "windows-b89b0c90-9b41-11ea-87e4-49f31ec44891", - "name": "panel_15", - "type": "visualization" - }, - { - "id": "windows-58fb9480-9b46-11ea-87e4-49f31ec44891", - "name": "panel_16", - "type": "visualization" - }, - { - "id": "windows-33462600-9b47-11ea-87e4-49f31ec44891", - "name": "panel_17", - "type": "visualization" - }, - { - "id": "windows-e20c02d0-9b48-11ea-87e4-49f31ec44891", - "name": "panel_18", - "type": "visualization" - }, - { - "id": "windows-7de2e3f0-9b4d-11ea-87e4-49f31ec44891", - "name": "panel_19", - "type": "visualization" - }, - { - "id": "windows-a3c3f350-9b6d-11ea-87e4-49f31ec44891", - "name": "panel_20", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file 
diff --git a/packages/system/0.10.6/kibana/dashboard/system-d401ef40-a7d5-11e9-a422-d144027429da.json b/packages/system/0.10.6/kibana/dashboard/system-d401ef40-a7d5-11e9-a422-d144027429da.json
deleted file mode 100644
index 3936b5ec35..0000000000
--- a/packages/system/0.10.6/kibana/dashboard/system-d401ef40-a7d5-11e9-a422-d144027429da.json
+++ /dev/null
@@ -1,84 +0,0 @@ -{ - "attributes": { - "description": "Failed and blocked accounts with TSVB metrics.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"1\",\"w\":14,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"Failed Logins\":\"#EF843C\",\"Failed Logons\":\"#E24D42\",\"Successful Login\":\"#B7DBAB\",\"Successful Logon\":\"#9AC48A\"},\"legendOpen\":true,\"title\":\"Login Successful vs Failed\",\"vis\":{\"colors\":{\"Failed Logins\":\"#EF843C\",\"Failed Logons\":\"#BF1B00\",\"Successful Login\":\"#B7DBAB\",\"Successful Logon\":\"#9AC48A\"},\"legendOpen\":true}},\"gridData\":{\"h\":18,\"i\":\"2\",\"w\":12,\"x\":0,\"y\":7},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"title\":\"Login Successful vs Failed\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Blocked Acoounts\"},\"gridData\":{\"h\":21,\"i\":\"3\",\"w\":11,\"x\":12,\"y\":35},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"title\":\"Blocked Acoounts\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"Login Failed\":\"#F9934E\",\"Login OK\":\"#9AC48A\",\"Logon Failed\":\"#E24D42\",\"Logon Successful\":\"#9AC48A\"},\"legendOpen\":true,\"title\":\"Logon Successful and Failed Over time\",\"vis\":{\"colors\":{\"Login Failed\":\"#F9934E\",\"Login OK\":\"#9AC48A\",\"Logon Failed\":\"#BF1B00\",\"Logon Successful\":\"#9AC48A\"},\"legendOpen\":true}},\"gridData\":{\"h\":18,\"i\":\"4\",\"w\":23,\"x\":12,\"y\":7},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"title\":\"Logon Successful and Failed Over 
time\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"5\",\"w\":12,\"x\":0,\"y\":35},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Failed (Time Mosaic View)\",\"vis\":{\"defaultColors\":{\"0 - 5\":\"rgb(255,245,240)\",\"10 - 15\":\"rgb(252,138,106)\",\"15 - 20\":\"rgb(241,68,50)\",\"20 - 24\":\"rgb(188,20,26)\",\"5 - 10\":\"rgb(253,202,181)\"},\"legendOpen\":false}},\"gridData\":{\"h\":30,\"i\":\"6\",\"w\":48,\"x\":0,\"y\":56},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"title\":\"Logon Failed (Time Mosaic View)\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Failed and Account Lockouts\"},\"gridData\":{\"h\":20,\"i\":\"8\",\"w\":48,\"x\":0,\"y\":86},\"panelIndex\":\"8\",\"panelRefName\":\"panel_6\",\"title\":\"Logon Failed and Account Lockouts\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Failed Source IPs\"},\"gridData\":{\"h\":18,\"i\":\"10\",\"w\":13,\"x\":35,\"y\":7},\"panelIndex\":\"10\",\"panelRefName\":\"panel_7\",\"title\":\"Logon Failed Source IPs\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Failed Logins Table\"},\"gridData\":{\"h\":31,\"i\":\"11\",\"w\":25,\"x\":23,\"y\":25},\"panelIndex\":\"11\",\"panelRefName\":\"panel_8\",\"title\":\"Failed Logins 
Table\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"628de26f-7b7b-457c-b811-e06161e4e7b4\",\"w\":34,\"x\":14,\"y\":0},\"panelIndex\":\"628de26f-7b7b-457c-b811-e06161e4e7b4\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":10,\"i\":\"01a624c2-7a86-4fa9-89d3-e2ae84e94ec9\",\"w\":12,\"x\":0,\"y\":25},\"panelIndex\":\"01a624c2-7a86-4fa9-89d3-e2ae84e94ec9\",\"panelRefName\":\"panel_10\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":10,\"i\":\"e3046900-1ffc-4efa-9dab-613d685c617b\",\"w\":11,\"x\":12,\"y\":25},\"panelIndex\":\"e3046900-1ffc-4efa-9dab-613d685c617b\",\"panelRefName\":\"panel_11\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[Windows Security] Failed and Blocked Accounts", - "version": 1 - }, - "id": "windows-d401ef40-a7d5-11e9-a422-d144027429da", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-c2ea73f0-a4bd-11e9-a422-d144027429da", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-175a5760-a7d5-11e9-a422-d144027429da", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-7a329a00-a7d5-11e9-a422-d144027429da", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-162d7ab0-a7d6-11e9-a422-d144027429da", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-729443b0-a7d6-11e9-a422-d144027429da", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-4b683ac0-a7d7-11e9-a422-d144027429da", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-757510b0-a87f-11e9-a422-d144027429da", - "name": "panel_6", - "type": "search" - }, - { - "id": "windows-2084e300-a884-11e9-a422-d144027429da", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "windows-421f0610-af98-11e9-a422-d144027429da", - "name": 
"panel_8", - "type": "visualization" - }, - { - "id": "windows-a3c3f350-9b6d-11ea-87e4-49f31ec44891", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-8ef59f90-6ab8-11ea-896f-0d70f7ec3956", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "windows-a79395f0-6aba-11ea-896f-0d70f7ec3956", - "name": "panel_11", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/dashboard/system-f49f3170-9ffc-11ea-87e4-49f31ec44891.json b/packages/system/0.10.6/kibana/dashboard/system-f49f3170-9ffc-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 1cff15d29f..0000000000 --- a/packages/system/0.10.6/kibana/dashboard/system-f49f3170-9ffc-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,84 +0,0 @@ -{ - "attributes": { - "description": "Failed and blocked accounts.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"1\",\"w\":14,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"Failed Logins\":\"#EF843C\",\"Failed Logons\":\"#E24D42\",\"Successful Login\":\"#B7DBAB\",\"Successful Logon\":\"#9AC48A\"},\"legendOpen\":true,\"title\":\"Login Successful vs Failed\",\"vis\":{\"colors\":{\"Failed Logins\":\"#EF843C\",\"Failed Logons\":\"#BF1B00\",\"Successful Login\":\"#B7DBAB\",\"Successful Logon\":\"#9AC48A\"},\"legendOpen\":true}},\"gridData\":{\"h\":18,\"i\":\"2\",\"w\":12,\"x\":0,\"y\":7},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"title\":\"Login Successful vs Failed\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Blocked Acoounts\"},\"gridData\":{\"h\":21,\"i\":\"3\",\"w\":11,\"x\":12,\"y\":35},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"title\":\"Blocked Acoounts\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"Login Failed\":\"#F9934E\",\"Login OK\":\"#9AC48A\",\"Logon Failed\":\"#E24D42\",\"Logon Successful\":\"#9AC48A\"},\"legendOpen\":true,\"title\":\"Logon Successful and Failed Over time\",\"vis\":{\"colors\":{\"Login Failed\":\"#F9934E\",\"Login OK\":\"#9AC48A\",\"Logon Failed\":\"#BF1B00\",\"Logon Successful\":\"#9AC48A\"},\"legendOpen\":true}},\"gridData\":{\"h\":18,\"i\":\"4\",\"w\":23,\"x\":12,\"y\":7},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"title\":\"Logon Successful and Failed Over 
time\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"5\",\"w\":12,\"x\":0,\"y\":35},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Failed (Time Mosaic View)\",\"vis\":{\"defaultColors\":{\"0 - 5\":\"rgb(255,245,240)\",\"10 - 15\":\"rgb(252,138,106)\",\"15 - 20\":\"rgb(241,68,50)\",\"20 - 24\":\"rgb(188,20,26)\",\"5 - 10\":\"rgb(253,202,181)\"},\"legendOpen\":false}},\"gridData\":{\"h\":30,\"i\":\"6\",\"w\":48,\"x\":0,\"y\":56},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"title\":\"Logon Failed (Time Mosaic View)\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Failed and Account Lockouts\"},\"gridData\":{\"h\":20,\"i\":\"8\",\"w\":48,\"x\":0,\"y\":86},\"panelIndex\":\"8\",\"panelRefName\":\"panel_6\",\"title\":\"Logon Failed and Account Lockouts\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Failed Source IPs\"},\"gridData\":{\"h\":18,\"i\":\"10\",\"w\":13,\"x\":35,\"y\":7},\"panelIndex\":\"10\",\"panelRefName\":\"panel_7\",\"title\":\"Logon Failed Source IPs\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Failed Logins Table\"},\"gridData\":{\"h\":31,\"i\":\"11\",\"w\":25,\"x\":23,\"y\":25},\"panelIndex\":\"11\",\"panelRefName\":\"panel_8\",\"title\":\"Failed Logins 
Table\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"a79ee89f-ff45-486c-9788-9446d39456c2\",\"w\":34,\"x\":14,\"y\":0},\"panelIndex\":\"a79ee89f-ff45-486c-9788-9446d39456c2\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":10,\"i\":\"7765df59-11c4-476d-898f-9ebf98c369e2\",\"w\":11,\"x\":12,\"y\":25},\"panelIndex\":\"7765df59-11c4-476d-898f-9ebf98c369e2\",\"panelRefName\":\"panel_10\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":10,\"i\":\"b47c91d3-58c4-4b5b-b302-444b048efdfa\",\"w\":12,\"x\":0,\"y\":25},\"panelIndex\":\"b47c91d3-58c4-4b5b-b302-444b048efdfa\",\"panelRefName\":\"panel_11\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[Windows Security] Failed and Blocked Accounts - Simple Metrics", - "version": 1 - }, - "id": "windows-f49f3170-9ffc-11ea-87e4-49f31ec44891", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-c2ea73f0-a4bd-11e9-a422-d144027429da", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-175a5760-a7d5-11e9-a422-d144027429da", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-7a329a00-a7d5-11e9-a422-d144027429da", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-162d7ab0-a7d6-11e9-a422-d144027429da", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-729443b0-a7d6-11e9-a422-d144027429da", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-4b683ac0-a7d7-11e9-a422-d144027429da", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-757510b0-a87f-11e9-a422-d144027429da", - "name": "panel_6", - "type": "search" - }, - { - "id": "windows-2084e300-a884-11e9-a422-d144027429da", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "windows-421f0610-af98-11e9-a422-d144027429da", 
- "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-d770b040-9b35-11ea-87e4-49f31ec44891", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-5d117970-9ffd-11ea-87e4-49f31ec44891", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "windows-4bedf650-9ffd-11ea-87e4-49f31ec44891", - "name": "panel_11", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/search/system-06b6b060-7a80-11ea-bc9a-0baf2ca323a3.json b/packages/system/0.10.6/kibana/search/system-06b6b060-7a80-11ea-bc9a-0baf2ca323a3.json deleted file mode 100644 index 0b73c97bde..0000000000 --- a/packages/system/0.10.6/kibana/search/system-06b6b060-7a80-11ea-bc9a-0baf2ca323a3.json +++ /dev/null 
@@ -1,50 +0,0 @@
-{
- "attributes": {
- "columns": [
- "user.name",
- "user.domain",
- "winlog.logon.id",
- "event.action",
- "winlog.logon.type",
- "winlog.event_data.SubjectUserName"
- ],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4625\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"4625\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"},\"version\":true}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "User Logouts [Windows Security]",
- "version": 1
- },
- "id": "windows-06b6b060-7a80-11ea-bc9a-0baf2ca323a3",
- "migrationVersion": {
- "search": "7.4.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.6/kibana/search/system-324686c0-fefb-11e9-8405-516218e3d268.json b/packages/system/0.10.6/kibana/search/system-324686c0-fefb-11e9-8405-516218e3d268.json
deleted file mode 100644
index 2f987e17c9..0000000000
--- a/packages/system/0.10.6/kibana/search/system-324686c0-fefb-11e9-8405-516218e3d268.json
+++ /dev/null
@@ -1,46 +0,0 @@ -{ - "attributes": { - "columns": [ - "event.action", - "winlog.event_data.TargetUserName", - "user.domain", - "user.name", - "winlog.event_data.SubjectDomainName", - "winlog.logon.id", - "related.user" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4720\",\"4722\",\"4723\",\"4724\",\"4725\",\"4726\",\"4738\",\"4740\",\"4767\",\"4781\",\"4798\"],\"type\":\"phrases\",\"value\":\"4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740, 4767, 4781, 4798\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4720\"}},{\"match_phrase\":{\"event.code\":\"4722\"}},{\"match_phrase\":{\"event.code\":\"4723\"}},{\"match_phrase\":{\"event.code\":\"4724\"}},{\"match_phrase\":{\"event.code\":\"4725\"}},{\"match_phrase\":{\"event.code\":\"4726\"}},{\"match_phrase\":{\"event.code\":\"4738\"}},{\"match_phrase\":{\"event.code\":\"4740\"}},{\"match_phrase\":{\"event.code\":\"4767\"}},{\"match_phrase\":{\"event.code\":\"4781\"}},{\"match_phrase\":{\"event.code\":\"4798\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "User management Details - Search [Windows Security]", - "version": 1 - }, - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - 
"type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.6/kibana/search/system-62439dc0-f9c9-11e6-a747-6121780e0414.json b/packages/system/0.10.6/kibana/search/system-62439dc0-f9c9-11e6-a747-6121780e0414.json
deleted file mode 100644
index abdd218801..0000000000
--- a/packages/system/0.10.6/kibana/search/system-62439dc0-f9c9-11e6-a747-6121780e0414.json
+++ /dev/null
@@ -1,33 +0,0 @@
-{
- "attributes": {
- "columns": [
- "system.auth.ssh.event",
- "system.auth.ssh.method",
- "user.name",
- "source.ip",
- "source.geo.country_iso_code"
- ],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:system.auth AND system.auth.ssh.event:*\"}}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "SSH login attempts [Logs System]",
- "version": 1
- },
- "id": "system-62439dc0-f9c9-11e6-a747-6121780e0414",
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.6/kibana/search/system-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3.json b/packages/system/0.10.6/kibana/search/system-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3.json
deleted file mode 100644
index f1f985f535..0000000000
--- a/packages/system/0.10.6/kibana/search/system-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3.json
+++ /dev/null
@@ -1,44 +0,0 @@
-{
- "attributes": {
- "columns": [
- "user.name",
- "source.domain",
- "source.ip",
- "winlog.logon.id",
- "event.action"
- ],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4778\",\"4779\"],\"type\":\"phrases\",\"value\":\"4778, 4779\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4778\"}},{\"match_phrase\":{\"event.code\":\"4779\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"},\"version\":true}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "Remote Interactive Connections and Disconnections [Windows Security]",
- "version": 1
- },
- "id": "windows-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3",
- "migrationVersion": {
- "search": "7.4.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.6/kibana/search/system-757510b0-a87f-11e9-a422-d144027429da.json b/packages/system/0.10.6/kibana/search/system-757510b0-a87f-11e9-a422-d144027429da.json
deleted file mode 100644
index 5507975b23..0000000000
--- a/packages/system/0.10.6/kibana/search/system-757510b0-a87f-11e9-a422-d144027429da.json
+++ /dev/null
@@ -1,51 +0,0 @@ -{ - "attributes": { - "columns": [ - "event.action", - "user.name", - "related.user", - "user.domain", - "source.domain", - "source.ip", - "winlog.event_data.SubjectUserName" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4625\",\"4740\"],\"type\":\"phrases\",\"value\":\"4625, 4740\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4625\"}},{\"match_phrase\":{\"event.code\":\"4740\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "3. 
Login Failed Details", - "version": 1 - }, - "id": "windows-757510b0-a87f-11e9-a422-d144027429da", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/search/system-7e178c80-fee1-11e9-8405-516218e3d268.json b/packages/system/0.10.6/kibana/search/system-7e178c80-fee1-11e9-8405-516218e3d268.json deleted file mode 100644 index 3c91e58e3d..0000000000 --- a/packages/system/0.10.6/kibana/search/system-7e178c80-fee1-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,44 +0,0 @@
-{
- "attributes": {
- "columns": [
- "user.name",
- "source.domain",
- "source.ip",
- "winlog.logon.id",
- "winlog.logon.type"
- ],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4624\"],\"type\":\"phrases\",\"value\":\"4624\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4624\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"},\"version\":true}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "Logon Details [Windows Security]",
- "version": 1
- },
- "id": "windows-7e178c80-fee1-11e9-8405-516218e3d268",
- "migrationVersion": {
- "search": "7.4.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.6/kibana/search/system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab.json b/packages/system/0.10.6/kibana/search/system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab.json
deleted file mode 100644
index ae1484339a..0000000000
--- a/packages/system/0.10.6/kibana/search/system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab.json
+++ /dev/null
@@ -1,33 +0,0 @@
-{
- "attributes": {
- "columns": [
- "user.name",
- "user.id",
- "group.id",
- "system.auth.useradd.home",
- "system.auth.useradd.shell"
- ],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.useradd:*\"}}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "useradd logs [Logs System]",
- "version": 1
- },
- "id": "system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab",
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.6/kibana/search/system-9066d5b0-fef2-11e9-8405-516218e3d268.json b/packages/system/0.10.6/kibana/search/system-9066d5b0-fef2-11e9-8405-516218e3d268.json
deleted file mode 100644
index 075cb8a083..0000000000
--- a/packages/system/0.10.6/kibana/search/system-9066d5b0-fef2-11e9-8405-516218e3d268.json
+++ /dev/null
@@ -1,45 +0,0 @@ -{ - "attributes": { - "columns": [ - "event.action", - "group.name", - "group.domain", - "user.name", - "user.domain", - "host.name" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4731\",\"4732\",\"4733\",\"4734\",\"4735\",\"4737\",\"4764\",\"4727\",\"4728\",\"4729\",\"4730\",\"4754\",\"4755\",\"4756\",\"4757\",\"4758\",\"4799\",\"4749\",\"4750\",\"4751\",\"4752\",\"4753\",\"4759\",\"4760\",\"4761\",\"4762\",\"4763\",\"4744\",\"4745\",\"4746\",\"4748\"],\"type\":\"phrases\",\"value\":\"4731, 4732, 4733, 4734, 4735, 4737, 4764, 4727, 4728, 4729, 4730, 4754, 4755, 4756, 4757, 4758, 4799, 4749, 4750, 4751, 4752, 4753, 4759, 4760, 4761, 4762, 4763, 4744, 4745, 4746, 4748\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4731\"}},{\"match_phrase\":{\"event.code\":\"4732\"}},{\"match_phrase\":{\"event.code\":\"4733\"}},{\"match_phrase\":{\"event.code\":\"4734\"}},{\"match_phrase\":{\"event.code\":\"4735\"}},{\"match_phrase\":{\"event.code\":\"4737\"}},{\"match_phrase\":{\"event.code\":\"4764\"}},{\"match_phrase\":{\"event.code\":\"4727\"}},{\"match_phrase\":{\"event.code\":\"4728\"}},{\"match_phrase\":{\"event.code\":\"4729\"}},{\"match_phrase\":{\"event.code\":\"4730\"}},{\"match_phrase\":{\"event.code\":\"4754\"}},{\"match_phrase\":{\"event.code\":\"4755\"}},{\"match_phrase\":{\"event.code\":\"4756\"}},{\"match_phrase\":{\"event.code\":\"4757\"}},{\"match_phrase\":{\"event.code\":\"4758\"}},{\"match_phrase\":{\"event.code\":\"4799\"}},{\"match_phrase\":{\"event.code\":\"4749\"}},{\"match_phrase\":{\"event.code\":\"4750\"}},{\"match_phrase\":{\"event.code\":\"4751\"}},{\"match_phrase\":{\"event.code\":\"4752\"}},{\"match_phrase\":{\"even
t.code\":\"4753\"}},{\"match_phrase\":{\"event.code\":\"4759\"}},{\"match_phrase\":{\"event.code\":\"4760\"}},{\"match_phrase\":{\"event.code\":\"4761\"}},{\"match_phrase\":{\"event.code\":\"4762\"}},{\"match_phrase\":{\"event.code\":\"4763\"}},{\"match_phrase\":{\"event.code\":\"4744\"}},{\"match_phrase\":{\"event.code\":\"4745\"}},{\"match_phrase\":{\"event.code\":\"4746\"}},{\"match_phrase\":{\"event.code\":\"4748\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Group Management Details - Search View [Windows Security]", - "version": 1 - }, - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/search/system-Syslog-system-logs.json b/packages/system/0.10.6/kibana/search/system-Syslog-system-logs.json deleted file mode 100644 index 6a2ef982d2..0000000000 --- a/packages/system/0.10.6/kibana/search/system-Syslog-system-logs.json +++ /dev/null 
@@ -1,31 +0,0 @@
-{
- "attributes": {
- "columns": [
- "host.hostname",
- "process.name",
- "message"
- ],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:system.syslog\"}}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "Syslog logs [Logs System]",
- "version": 1
- },
- "id": "system-Syslog-system-logs",
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.6/kibana/search/system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a.json b/packages/system/0.10.6/kibana/search/system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a.json
deleted file mode 100644
index e64a483853..0000000000
--- a/packages/system/0.10.6/kibana/search/system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a.json
+++ /dev/null
@@ -1,32 +0,0 @@
-{
- "attributes": {
- "columns": [
- "user.name",
- "system.auth.sudo.user",
- "system.auth.sudo.pwd",
- "system.auth.sudo.command"
- ],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.sudo:*\"}}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "Sudo commands [Logs System]",
- "version": 1
- },
- "id": "system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a",
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.6/kibana/search/system-ce71c9a0-a25e-11e9-a422-d144027429da.json b/packages/system/0.10.6/kibana/search/system-ce71c9a0-a25e-11e9-a422-d144027429da.json
deleted file mode 100644
index b7a3f89050..0000000000
--- a/packages/system/0.10.6/kibana/search/system-ce71c9a0-a25e-11e9-a422-d144027429da.json
+++ /dev/null
@@ -1,44 +0,0 @@
-{
- "attributes": {
- "columns": [
- "user.name",
- "winlog.logon.type",
- "source.domain",
- "source.ip",
- "winlog.logon.id"
- ],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4624\"},\"type\":\"phrase\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4624\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"},\"version\":true}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "User Logons [Windows Security]",
- "version": 1
- },
- "id": "windows-ce71c9a0-a25e-11e9-a422-d144027429da",
- "migrationVersion": {
- "search": "7.4.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.6/kibana/search/system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38.json b/packages/system/0.10.6/kibana/search/system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38.json
deleted file mode 100644
index e05ac92d9b..0000000000
--- a/packages/system/0.10.6/kibana/search/system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38.json
+++ /dev/null
@@ -1,30 +0,0 @@ -{ - "attributes": { - "columns": [ - "group.name", - "group.id" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.groupadd:*\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "groupadd logs [Logs System]", - "version": 1 - }, - "id": "system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-006d75f0-9c03-11ea-87e4-49f31ec44891.json b/packages/system/0.10.6/kibana/visualization/system-006d75f0-9c03-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 6e0b3e1461..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-006d75f0-9c03-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4624\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"4624\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Logon Types [Windows Security]", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"winlog.logon.id\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"winlog.logon.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"label\":\"user.name: Descending\",\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"cardinality\",\"format\":{\"id\":\"number\"},\"label\":\"Unique count of winlog.logon.id\",\"params\":{}}},\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Logon Types [Windows Security]\",\"type\":\"pie\"}" - }, - "id": "windows-006d75f0-9c03-11ea-87e4-49f31ec44891", - "migrationVersion": { - 
"visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.6/kibana/visualization/system-0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 5385f1ebf7..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4722\"},\"type\":\"phrase\",\"value\":\"4722\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4722\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Enabled - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Enabled User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Enabled - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-0622da40-9bfd-11ea-87e4-49f31ec44891.json b/packages/system/0.10.6/kibana/visualization/system-0622da40-9bfd-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 9cccbc53a6..0000000000 
--- a/packages/system/0.10.6/kibana/visualization/system-0622da40-9bfd-11ea-87e4-49f31ec44891.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Administrator Logons [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"d5bcde50-9bfc-11ea-aaa3-618beeff2d9c\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(181,49,0,1)\",\"id\":\"16018150-9bfd-11ea-aaa3-618beeff2d9c\",\"operator\":\"gte\",\"value\":0}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"filter\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.security AND event.code: \\\"4672\\\")\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Administrator Logons\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Administrator Logons [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-0622da40-9bfd-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.6/kibana/visualization/system-089b85d0-1b16-11e7-b09e-037021c4f8df.json b/packages/system/0.10.6/kibana/visualization/system-089b85d0-1b16-11e7-b09e-037021c4f8df.json deleted file mode 100644 index 40175102f6..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-089b85d0-1b16-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Network Traffic (Bytes) [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"lucene\",\"query\":\"-system.network.name:l*\"},\"id\":\"da1046f0-faa0-11e6-86b1-cd7735ff7e23\",\"index_pattern\":\"*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"da1046f1-faa0-11e6-86b1-cd7735ff7e23\",\"label\":\"Inbound \",\"line_width\":\"0\",\"metrics\":[{\"field\":\"system.network.in.bytes\",\"id\":\"da1046f2-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"max\"},{\"field\":\"da1046f2-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"f41f9280-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"field\":\"f41f9280-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"a87398e0-1b93-11e7-8ada-3df93aab833e\",\"type\":\"positive_only\",\"unit\":\"\"},{\"function\":\"sum\",\"id\":\"2d533df0-2c2d-11e7-be71-3162da85303f\",\"type\":\"series_agg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(250,40,255,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"fbbd5720-faa0-11e6-86b1-cd7735ff7e23\",\"label\":\"Outbound 
\",\"line_width\":\"0\",\"metrics\":[{\"field\":\"system.network.out.bytes\",\"id\":\"fbbd7e30-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"max\"},{\"field\":\"fbbd7e30-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"fbbd7e31-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"id\":\"17e597a0-faa1-11e6-86b1-cd7735ff7e23\",\"script\":\"params.rate != null \\u0026\\u0026 params.rate \\u003e 0 ? params.rate * -1 : null\",\"type\":\"calculation\",\"variables\":[{\"field\":\"fbbd7e31-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"1940bad0-faa1-11e6-86b1-cd7735ff7e23\",\"name\":\"rate\"}]},{\"function\":\"sum\",\"id\":\"533da9b0-2c2d-11e7-be71-3162da85303f\",\"type\":\"series_agg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"Mericbeat: Network Traffic (Bytes)\",\"type\":\"metrics\"}" - }, - "id": "system-089b85d0-1b16-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-0cb2d940-bcde-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.6/kibana/visualization/system-0cb2d940-bcde-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index aa62566ae2..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-0cb2d940-bcde-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4725\"},\"type\":\"phrase\",\"value\":\"4725\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4725\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Disabled - Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Disabled Users\",\"field\":\"user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Disabled - Simple Metric [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-0cb2d940-bcde-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of 
file diff --git a/packages/system/0.10.6/kibana/visualization/system-0f2f5280-feeb-11e9-8405-516218e3d268.json b/packages/system/0.10.6/kibana/visualization/system-0f2f5280-feeb-11e9-8405-516218e3d268.json deleted file mode 100644 index a01efe4b67..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-0f2f5280-feeb-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4799\"},\"type\":\"phrase\",\"value\":\"4799\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4799\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Group Membership Enumeration - Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Group Membership Enumerated\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Blues\",\"colorsRange\":[{\"from\":0,\"to\":500,\"type\":\"range\"},{\"from\":500,\"to\":20000},{\"from\":20000,\"to\":30000},{\"from\":30000,\"to\":40000}],\"invertColors\":true,\"labels\":{\"show\":true},\"metricColorMode\":\"Labels\",\"percentageMode\":false,\"style\":{\"bgColor\":true,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Group Membership Enumeration - Simple Metric [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-0f2f5280-feeb-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-102efd20-bcdd-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.6/kibana/visualization/system-102efd20-bcdd-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 478633bdbd..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-102efd20-bcdd-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4720\"},\"type\":\"phrase\",\"value\":\"4720\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4720\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Created - Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Users Created\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Created - Simple Metric [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-102efd20-bcdd-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.6/kibana/visualization/system-117f5a30-9b71-11ea-87e4-49f31ec44891.json b/packages/system/0.10.6/kibana/visualization/system-117f5a30-9b71-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 3f10e8d002..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-117f5a30-9b71-11ea-87e4-49f31ec44891.json +++ /dev/null @@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Target Users [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Target Users [Windows Security]\",\"type\":\"tagcloud\"}" - }, - "id": "windows-117f5a30-9b71-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-12667040-fa80-11e6-a1df-a78bd7504d38.json b/packages/system/0.10.6/kibana/visualization/system-12667040-fa80-11e6-a1df-a78bd7504d38.json deleted file mode 100644 index 8c5d8b0366..0000000000 
--- a/packages/system/0.10.6/kibana/visualization/system-12667040-fa80-11e6-a1df-a78bd7504d38.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New groups [Logs System]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"group.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"group.id\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"New groups\",\"type\":\"table\"}" - }, - "id": "system-12667040-fa80-11e6-a1df-a78bd7504d38", - "references": [ - { - "id": "system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-162d7ab0-a7d6-11e9-a422-d144027429da.json b/packages/system/0.10.6/kibana/visualization/system-162d7ab0-a7d6-11e9-a422-d144027429da.json deleted file mode 100644 index 749503b56b..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-162d7ab0-a7d6-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Logon Successful - Logon Failed Timeline [Windows Security]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Login Failed\":\"#F9934E\",\"Login OK\":\"#9AC48A\",\"Logon Failed\":\"#EF843C\",\"Logon Successful\":\"#9AC48A\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"2020-05-17T09:37:55.995Z\",\"to\":\"2020-05-22T03:09:27.260Z\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"filters\":[{\"input\":{\"language\":\"lucene\",\"query\":\"event.code: 4624\"},\"label\":\"Logon Successful\"},{\"input\":{\"language\":\"lucene\",\"query\":\"event.code: 4625\"},\"label\":\"Logon 
Failed\"}]},\"schema\":\"group\",\"type\":\"filters\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"dimensions\":{\"series\":[{\"accessor\":1,\"aggType\":\"filters\",\"format\":{},\"params\":{}}],\"x\":{\"accessor\":0,\"aggType\":\"date_histogram\",\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"HH:mm\"}},\"params\":{\"bounds\":{\"max\":\"2019-07-16T14:30:11.515Z\",\"min\":\"2019-07-16T12:30:11.514Z\"},\"date\":true,\"format\":\"HH:mm\",\"interval\":\"PT1M\"}},\"y\":[{\"accessor\":2,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"bottom\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Logon Successful - Logon Failed Timeline [Windows Security]\",\"type\":\"histogram\"}" - }, - "id": "windows-162d7ab0-a7d6-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-175a5760-a7d5-11e9-a422-d144027429da.json b/packages/system/0.10.6/kibana/visualization/system-175a5760-a7d5-11e9-a422-d144027429da.json deleted file mode 100644 index 86075806f2..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-175a5760-a7d5-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Logon Successful vs Failed [Windows Security]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Failed Logins\":\"#EF843C\",\"Failed Logons\":\"#EA6460\",\"Successful Login\":\"#B7DBAB\",\"Successful Logon\":\"#B7DBAB\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"filters\":[{\"input\":{\"language\":\"lucene\",\"query\":\"event.code: 4624\"},\"label\":\"Successful Logon\"},{\"input\":{\"language\":\"lucene\",\"query\":\"event.code: 4625\"},\"label\":\"Failed Logons\"}]},\"schema\":\"segment\",\"type\":\"filters\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"filters\",\"format\":{},\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}},\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"bottom\",\"type\":\"pie\"},\"title\":\"Logon Successful vs Failed [Windows Security]\",\"type\":\"pie\"}" - }, - "id": "windows-175a5760-a7d5-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": 
"logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-18348f30-a24d-11e9-a422-d144027429da.json b/packages/system/0.10.6/kibana/visualization/system-18348f30-a24d-11e9-a422-d144027429da.json deleted file mode 100644 index 4c2305d126..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-18348f30-a24d-11e9-a422-d144027429da.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "User Logon Dashboard [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":10,\"markdown\":\"## **Logon Information Dashboard**\",\"openLinksInNewTab\":false},\"title\":\"User Logon Dashboard [Windows Security]\",\"type\":\"markdown\"}" - }, - "id": "windows-18348f30-a24d-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-19e123b0-4d5a-11e7-aee5-fdc812cc3bec.json b/packages/system/0.10.6/kibana/visualization/system-19e123b0-4d5a-11e7-aee5-fdc812cc3bec.json deleted file mode 100644 index dfaa630e4a..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-19e123b0-4d5a-11e7-aee5-fdc812cc3bec.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Swap usage [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.memory\\\"\"},\"gauge_color_rules\":[{\"gauge\":\"rgba(104,188,0,1)\",\"id\":\"d17c1e90-4d59-11e7-aee5-fdc812cc3bec\",\"operator\":\"gte\",\"value\":0},{\"gauge\":\"rgba(251,158,0,1)\",\"id\":\"fc1d3490-4d59-11e7-aee5-fdc812cc3bec\",\"operator\":\"gte\",\"value\":0.7},{\"gauge\":\"rgba(211,49,21,1)\",\"id\":\"0e204240-4d5a-11e7-aee5-fdc812cc3bec\",\"operator\":\"gte\",\"value\":0.85}],\"gauge_inner_width\":10,\"gauge_max\":\"\",\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"cee2fd20-4d59-11e7-aee5-fdc812cc3bec\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"cee2fd21-4d59-11e7-aee5-fdc812cc3bec\",\"label\":\"Swap usage\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.swap.used.pct\",\"id\":\"cee2fd22-4d59-11e7-aee5-fdc812cc3bec\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\"},\"title\":\"Swap usage [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-19e123b0-4d5a-11e7-aee5-fdc812cc3bec", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.6/kibana/visualization/system-1aae9140-1b93-11e7-8ada-3df93aab833e.json b/packages/system/0.10.6/kibana/visualization/system-1aae9140-1b93-11e7-8ada-3df93aab833e.json deleted file mode 100644 index 1c420ec4c8..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-1aae9140-1b93-11e7-8ada-3df93aab833e.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Outbound Traffic [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"0e346760-1b92-11e7-bec4-a5e9ec5cab8b\"}],\"filter\":{\"language\":\"lucene\",\"query\":\"-system.network.name:l*\"},\"id\":\"0c761590-1b92-11e7-bec4-a5e9ec5cab8b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"0c761591-1b92-11e7-bec4-a5e9ec5cab8b\",\"label\":\"Outbound Traffic\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.out.bytes\",\"id\":\"0c761592-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"max\"},{\"field\":\"0c761592-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"1d659060-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"field\":\"1d659060-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"f2074f70-1b92-11e7-a416-41f5ccdba2e6\",\"type\":\"positive_only\",\"unit\":\"\"},{\"function\":\"sum\",\"id\":\"a1737470-2c55-11e7-a0ad-277ce466684d\",\"type\":\"series_agg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"37f70440-1b92-11e7-bec4-a5e9ec5cab8b\",\"label\":\"Total 
Transferred\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.out.bytes\",\"id\":\"37f72b50-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"max\"},{\"field\":\"37f72b50-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"37f72b51-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"derivative\",\"unit\":\"\"},{\"field\":\"37f72b51-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"f9da2dd0-1b92-11e7-a416-41f5ccdba2e6\",\"type\":\"positive_only\",\"unit\":\"\"},{\"field\":\"f9da2dd0-1b92-11e7-a416-41f5ccdba2e6\",\"function\":\"overall_sum\",\"id\":\"3e63c2f0-1b92-11e7-bec4-a5e9ec5cab8b\",\"sigma\":\"\",\"type\":\"series_agg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"metric\"},\"title\":\"Outbound Traffic [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-1aae9140-1b93-11e7-8ada-3df93aab833e", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-1b5f17d0-feea-11e9-8405-516218e3d268.json b/packages/system/0.10.6/kibana/visualization/system-1b5f17d0-feea-11e9-8405-516218e3d268.json deleted file mode 100644 index e26a53b02e..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-1b5f17d0-feea-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4733\",\"4729\",\"4757\",\"4786\",\"4788\",\"4752\",\"4762\",\"4747\"],\"type\":\"phrases\",\"value\":\"4733, 4729, 4757, 4786, 4788, 4752, 4762, 4747\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4733\"}},{\"match_phrase\":{\"event.code\":\"4729\"}},{\"match_phrase\":{\"event.code\":\"4757\"}},{\"match_phrase\":{\"event.code\":\"4786\"}},{\"match_phrase\":{\"event.code\":\"4788\"}},{\"match_phrase\":{\"event.code\":\"4752\"}},{\"match_phrase\":{\"event.code\":\"4762\"}},{\"match_phrase\":{\"event.code\":\"4747\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Removed from Group - Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Users Removed from 
Groups\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Greens\",\"colorsRange\":[{\"from\":0,\"to\":1,\"type\":\"range\"},{\"from\":1,\"to\":5},{\"from\":5,\"to\":9},{\"from\":9,\"to\":13},{\"from\":13,\"to\":17},{\"from\":17,\"to\":20000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"Labels\",\"percentageMode\":false,\"style\":{\"bgColor\":true,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Removed from Group - Simple Metric [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-1b5f17d0-feea-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-1b6725f0-ff1d-11e9-8405-516218e3d268.json b/packages/system/0.10.6/kibana/visualization/system-1b6725f0-ff1d-11e9-8405-516218e3d268.json deleted file mode 100644 index d295f417c9..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-1b6725f0-ff1d-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Unlocks - TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(116,167,167,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4767\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Unlocks\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Unlocks - TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-1b6725f0-ff1d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.6/kibana/visualization/system-1f271bc0-231a-11ea-8405-516218e3d268.json b/packages/system/0.10.6/kibana/visualization/system-1f271bc0-231a-11ea-8405-516218e3d268.json deleted file mode 100644 index ff552a8f5c..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-1f271bc0-231a-11ea-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Renamed TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(110,139,162,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4781\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Renamed\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Renamed TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-1f271bc0-231a-11ea-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.6/kibana/visualization/system-2084e300-a884-11e9-a422-d144027429da.json b/packages/system/0.10.6/kibana/visualization/system-2084e300-a884-11e9-a422-d144027429da.json deleted file mode 100644 index 753f48cee4..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-2084e300-a884-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4625\"},\"type\":\"phrase\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4625\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Logon Failed Source IP [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"type\":\"vis_dimension\"},\"maxFontSize\":38,\"metric\":{\"accessor\":1,\"format\":{\"id\":\"string\",\"params\":{}},\"type\":\"vis_dimension\"},\"minFontSize\":10,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Logon Failed Source IP [Windows Security]\",\"type\":\"tagcloud\"}" - }, - "id": "windows-2084e300-a884-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-21aadac0-9c0b-11ea-87e4-49f31ec44891.json b/packages/system/0.10.6/kibana/visualization/system-21aadac0-9c0b-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 16842dce87..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-21aadac0-9c0b-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Logon Sources [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Logon Sources [Windows Security]\",\"type\":\"tagcloud\"}" - }, - "id": "windows-21aadac0-9c0b-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-7e178c80-fee1-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-25f31ee0-9c23-11ea-87e4-49f31ec44891.json b/packages/system/0.10.6/kibana/visualization/system-25f31ee0-9c23-11ea-87e4-49f31ec44891.json deleted file mode 100644 index f2c4c313fa..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-25f31ee0-9c23-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4648\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"4648\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Logon with Explicit Credentials [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"user.name\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":200},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"subjectUserName\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"source.ip\",\"field\":\"source.ip\",\"json\":\"{\\\"missing\\\": 
\\\"::\\\"}\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Logon with Explicit Credentials [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-25f31ee0-9c23-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-26732e20-1b91-11e7-bec4-a5e9ec5cab8b.json b/packages/system/0.10.6/kibana/visualization/system-26732e20-1b91-11e7-bec4-a5e9ec5cab8b.json deleted file mode 100644 index 2ca5154a30..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-26732e20-1b91-11e7-bec4-a5e9ec5cab8b.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Load Gauge [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"feefabd0-1b90-11e7-bec4-a5e9ec5cab8b\"}],\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.load\\\" \"},\"gauge_color_rules\":[{\"id\":\"ffd94880-1b90-11e7-bec4-a5e9ec5cab8b\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"fdcc6180-1b90-11e7-bec4-a5e9ec5cab8b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"fdcc6181-1b90-11e7-bec4-a5e9ec5cab8b\",\"label\":\"5m Load\",\"line_width\":1,\"metrics\":[{\"field\":\"system.load.5\",\"id\":\"fdcc6182-1b90-11e7-bec4-a5e9ec5cab8b\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\"},\"title\":\"Load Gauge [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-26732e20-1b91-11e7-bec4-a5e9ec5cab8b", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-26877510-9b72-11ea-87e4-49f31ec44891.json b/packages/system/0.10.6/kibana/visualization/system-26877510-9b72-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 633e074066..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-26877510-9b72-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "User Management Actions [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"User Management Actions [Windows Security]\",\"type\":\"pie\"}" - }, - "id": "windows-26877510-9b72-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-2c71e0f0-9c0d-11ea-87e4-49f31ec44891.json b/packages/system/0.10.6/kibana/visualization/system-2c71e0f0-9c0d-11ea-87e4-49f31ec44891.json deleted file mode 100644 index fc2fd470e9..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-2c71e0f0-9c0d-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4624\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"4624\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Logons Simple [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Logons\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"aggType\":\"cardinality\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Logons Simple [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-2c71e0f0-9c0d-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.6/kibana/visualization/system-2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.6/kibana/visualization/system-2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 0844a15684..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "User Management Events - Description [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":10,\"markdown\":\"# **User Management Events**\\n\\n#### This dashboard shows information about User Management Events collected by winlogbeat\\n\",\"openLinksInNewTab\":false},\"title\":\"User Management Events - Description [Windows Security]\",\"type\":\"markdown\"}" - }, - "id": "windows-2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-2e224660-1b19-11e7-b09e-037021c4f8df.json b/packages/system/0.10.6/kibana/visualization/system-2e224660-1b19-11e7-b09e-037021c4f8df.json deleted file mode 100644 index 75186de954..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-2e224660-1b19-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Processes By Memory [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"bar_color\":\"rgba(104,188,0,1)\",\"id\":\"efb9b660-1b18-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0},{\"bar_color\":\"rgba(254,146,0,1)\",\"id\":\"17fcb820-1b19-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.7},{\"bar_color\":\"rgba(211,49,21,1)\",\"id\":\"1dd61070-1b19-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.85}],\"drilldown_url\":\"\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.process\\\" \"},\"id\":\"edfceb30-1b18-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"edfceb31-1b18-11e7-b09e-037021c4f8df\",\"line_width\":1,\"metrics\":[{\"field\":\"system.process.memory.rss.pct\",\"id\":\"edfceb32-1b18-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"process.name\",\"terms_order_by\":\"edfceb32-1b18-11e7-b09e-037021c4f8df\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Processes By Memory [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-2e224660-1b19-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.6/kibana/visualization/system-327417e0-8462-11e7-bab8-bd2f0fb42c54.json b/packages/system/0.10.6/kibana/visualization/system-327417e0-8462-11e7-bab8-bd2f0fb42c54.json deleted file mode 100644 index 464f6c729c..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-327417e0-8462-11e7-bab8-bd2f0fb42c54.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Dashboards [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"[Syslog](#/dashboard/system-Filebeat-syslog-dashboard) | [Sudo commands](#/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a) | [SSH logins](#/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a) | [New users and groups](#/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab)\"},\"title\":\"Dashboards [Logs System]\",\"type\":\"markdown\"}" - }, - "id": "system-327417e0-8462-11e7-bab8-bd2f0fb42c54", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-33462600-9b47-11ea-87e4-49f31ec44891.json b/packages/system/0.10.6/kibana/visualization/system-33462600-9b47-11ea-87e4-49f31ec44891.json deleted file mode 100644 index db2aa3d667..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-33462600-9b47-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Group Management Events - Event Actions - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"event.action\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"event.code\",\"field\":\"event.code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Group Management Events - Event Actions - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-33462600-9b47-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.6/kibana/visualization/system-341ffe70-f9ce-11e6-8115-a7c18106d86a.json b/packages/system/0.10.6/kibana/visualization/system-341ffe70-f9ce-11e6-8115-a7c18106d86a.json deleted file mode 100644 index f155739938..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-341ffe70-f9ce-11e6-8115-a7c18106d86a.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.ssh.event:Failed OR system.auth.ssh.event:Invalid\"}}" - }, - "title": "SSH users of failed login attempts [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"scale\":\"linear\"},\"title\":\"SSH users of failed login attempts\",\"type\":\"tagcloud\"}" - }, - "id": "system-341ffe70-f9ce-11e6-8115-a7c18106d86a", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-346bb290-fa80-11e6-a1df-a78bd7504d38.json b/packages/system/0.10.6/kibana/visualization/system-346bb290-fa80-11e6-a1df-a78bd7504d38.json deleted file mode 100644 index 0ad2f78f65..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-346bb290-fa80-11e6-a1df-a78bd7504d38.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New groups over time [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"group.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"bottom\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"New groups over time\",\"type\":\"histogram\"}" - }, - "id": "system-346bb290-fa80-11e6-a1df-a78bd7504d38", - "references": [ - { - "id": "system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-34f97ee0-1b96-11e7-8ada-3df93aab833e.json b/packages/system/0.10.6/kibana/visualization/system-34f97ee0-1b96-11e7-8ada-3df93aab833e.json deleted file mode 100644 index 89d9b0fae2..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-34f97ee0-1b96-11e7-8ada-3df93aab833e.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Disk Usage [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"bar_color_rules\":[{\"bar_color\":\"rgba(104,188,0,1)\",\"id\":\"bf525310-1b95-11e7-8ada-3df93aab833e\",\"operator\":\"gte\",\"value\":0},{\"bar_color\":\"rgba(254,146,0,1)\",\"id\":\"125fc4c0-1b96-11e7-8ada-3df93aab833e\",\"operator\":\"gte\",\"value\":0.7},{\"bar_color\":\"rgba(211,49,21,1)\",\"id\":\"1a5c7240-1b96-11e7-8ada-3df93aab833e\",\"operator\":\"gte\",\"value\":0.85}],\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"drilldown_url\":\"\",\"filter\":{\"language\":\"lucene\",\"query\":\"-system.filesystem.mount_point:\\\\/run* AND -system.filesystem.mount_point:\\\\/sys* AND -system.filesystem.mount_point:\\\\/dev* AND -system.filesystem.mount_point:\\\\/proc* AND -system.filesystem.mount_point:\\\\/var* AND 
-system.filesystem.mount_point:\\\\/boot\"},\"id\":\"9f7e48a0-1b95-11e7-8ada-3df93aab833e\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"9f7e48a1-1b95-11e7-8ada-3df93aab833e\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"system.filesystem.used.pct\",\"id\":\"9f7e48a2-1b95-11e7-8ada-3df93aab833e\",\"order\":\"desc\",\"order_by\":\"@timestamp\",\"size\":1,\"type\":\"top_hit\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.filesystem.mount_point\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"top_n\"},\"title\":\"Disk Usage [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-34f97ee0-1b96-11e7-8ada-3df93aab833e", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-3cec3eb0-f9d3-11e6-8a3e-2b904044ea1d.json b/packages/system/0.10.6/kibana/visualization/system-3cec3eb0-f9d3-11e6-8a3e-2b904044ea1d.json deleted file mode 100644 index c9e1455d68..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-3cec3eb0-f9d3-11e6-8a3e-2b904044ea1d.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.ssh.event:Failed OR system.auth.ssh.event:Invalid\"}}" - }, - "title": "SSH failed login attempts source locations [Logs System]", - "uiStateJSON": "{\"mapCenter\":[17.602139123350838,69.697265625],\"mapZoom\":2}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"autoPrecision\":true,\"field\":\"source.geo.location\",\"precision\":2},\"schema\":\"segment\",\"type\":\"geohash_grid\"}],\"listeners\":{},\"params\":{\"addTooltip\":true,\"heatBlur\":15,\"heatMaxZoom\":16,\"heatMinOpacity\":0.1,\"heatNormalizeData\":true,\"heatRadius\":25,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[15,5],\"mapType\":\"Shaded Circle Markers\",\"mapZoom\":2,\"wms\":{\"enabled\":false,\"options\":{\"attribution\":\"Maps provided by USGS\",\"format\":\"image/png\",\"layers\":\"0\",\"styles\":\"\",\"transparent\":true,\"version\":\"1.3.0\"},\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\"}},\"title\":\"SSH failed login attempts source locations\",\"type\":\"tile_map\"}" - }, - "id": "system-3cec3eb0-f9d3-11e6-8a3e-2b904044ea1d", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-3d65d450-a9c3-11e7-af20-67db8aecb295.json b/packages/system/0.10.6/kibana/visualization/system-3d65d450-a9c3-11e7-af20-67db8aecb295.json deleted file mode 100644 index 467738abc7..0000000000 
--- a/packages/system/0.10.6/kibana/visualization/system-3d65d450-a9c3-11e7-af20-67db8aecb295.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Tip [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"**TIP:** To select another host, go to the [System Overview](#/dashboard/system-Metrics-system-overview) dashboard and double-click a host name.\"},\"title\":\"Tip [Metrics System]\",\"type\":\"markdown\"}" - }, - "id": "system-3d65d450-a9c3-11e7-af20-67db8aecb295", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-400b63e0-f49a-11e9-8405-516218e3d268.json b/packages/system/0.10.6/kibana/visualization/system-400b63e0-f49a-11e9-8405-516218e3d268.json deleted file mode 100644 index 6a74b71833..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-400b63e0-f49a-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Groups Changed TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(200,201,197,1)\",\"id\":\"bfcaced0-f419-11e9-928e-8f5fd2b6c66e\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(221,186,64,1)\",\"id\":\"a7d935e0-f497-11e9-928e-8f5fd2b6c66e\",\"operator\":\"gt\",\"value\":0}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code:4735 OR event.code:4737 OR event.code:\\\"4755\\\" OR event.code:\\\"4764\\\" OR event.code:\\\"4750\\\" OR event.code:\\\"4760\\\" OR event.code:\\\"4745\\\" OR event.code:\\\"4784\\\" OR event.code:\\\"4791\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"60d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Groups Changed\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Groups Changed TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-400b63e0-f49a-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.6/kibana/visualization/system-421f0610-af98-11e9-a422-d144027429da.json b/packages/system/0.10.6/kibana/visualization/system-421f0610-af98-11e9-a422-d144027429da.json deleted file mode 100644 index d39a6141ab..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-421f0610-af98-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4625\"},\"type\":\"phrase\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4625\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Logon Failed Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Time 
Bucket\",\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"h\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"2020-05-17T09:37:55.995Z\",\"to\":\"2020-05-22T03:09:27.260Z\"},\"useNormalizedEsInterval\":true},\"schema\":\"bucket\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"user.name\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"source workstation\",\"field\":\"source.domain\",\"json\":\"{\\\"missing\\\": \\\"N/A\\\"}\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"source.ip\",\"field\":\"source.ip\",\"json\":\"{\\\"missing\\\": 
\\\"::\\\"}\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"event.action\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"winlog.logon.type\",\"field\":\"winlog.logon.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"8\",\"params\":{\"customLabel\":\"winlog.event_data.SubjectUserName\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"date_histogram\",\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD 
HH:mm\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":4,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":5,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":15,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Logon Failed Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-421f0610-af98-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.6/kibana/visualization/system-4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index ed7b83e131..0000000000 
--- a/packages/system/0.10.6/kibana/visualization/system-4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4740\"},\"type\":\"phrase\",\"value\":\"4740\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4740\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Locked Out - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Locked User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Locked Out - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-4b683ac0-a7d7-11e9-a422-d144027429da.json b/packages/system/0.10.6/kibana/visualization/system-4b683ac0-a7d7-11e9-a422-d144027429da.json deleted file mode 100644 index 6f92dc8999..0000000000 
--- a/packages/system/0.10.6/kibana/visualization/system-4b683ac0-a7d7-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4625\"],\"type\":\"phrases\",\"value\":\"4625\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4625\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Failed Logon HeatMap [Windows Security]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 4\":\"rgb(255,255,204)\",\"12 - 16\":\"rgb(252,91,46)\",\"16 - 20\":\"rgb(212,16,32)\",\"4 - 8\":\"rgb(254,225,135)\",\"8 - 12\":\"rgb(254,171,73)\"}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"drop_partials\":true,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"h\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"2020-05-17T09:37:55.995Z\",\"to\":\"2020-05-22T03:09:27.260Z\"},\"useNormalizedEsInterval\":true},\"schema\":\"group\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTooltip\":false,\"colorSchema\":\"Yellow to Red\",\"colorsNumber\":5,\"colorsRange\":[],\"dimensions\":{\"series\":[{\"accessor\":1,\"aggType\":\"date_histogram\",\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD HH:mm\"}},\"label\":\"@timestamp per hour\",\"params\":{}}],\"x\":{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"label\":\"user.name: Descending\",\"params\":{}},\"y\":[{\"accessor\":2,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}}]},\"enableHover\":true,\"invertColors\":false,\"legendPosition\":\"bottom\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"type\":\"heatmap\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"black\",\"overwriteColor\":false,\"rotate\":0,\"show\":true},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Failed Logon HeatMap [Windows Security]\",\"type\":\"heatmap\"}" - }, - "id": 
"windows-4b683ac0-a7d7-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-4bedf650-9ffd-11ea-87e4-49f31ec44891.json b/packages/system/0.10.6/kibana/visualization/system-4bedf650-9ffd-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 91ec1afb81..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-4bedf650-9ffd-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4625\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"4625\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": " Failed Logons [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Failed Logons\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\" Failed Logons [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-4bedf650-9ffd-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-4d546850-1b15-11e7-b09e-037021c4f8df.json b/packages/system/0.10.6/kibana/visualization/system-4d546850-1b15-11e7-b09e-037021c4f8df.json deleted file mode 100644 index cd04472792..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-4d546850-1b15-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "System Load [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.load\\\"\"},\"id\":\"f6264ad0-1b14-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(115,216,255,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"f62671e0-1b14-11e7-b09e-037021c4f8df\",\"label\":\"1m\",\"line_width\":\"3\",\"metrics\":[{\"field\":\"system.load.1\",\"id\":\"f62671e1-1b14-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"1c324850-1b15-11e7-b09e-037021c4f8df\",\"label\":\"5m\",\"line_width\":\"3\",\"metrics\":[{\"field\":\"system.load.5\",\"id\":\"1c324851-1b15-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,98,177,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"3287e740-1b15-11e7-b09e-037021c4f8df\",\"label\":\"15m\",\"line_width\":\"3\",\"metrics\":[{\"field\":\"system.load.15\",\"id\":\"32880e50-1b15-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"
title\":\"System Load [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-4d546850-1b15-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-4e4bb1e0-1b1b-11e7-b09e-037021c4f8df.json b/packages/system/0.10.6/kibana/visualization/system-4e4bb1e0-1b1b-11e7-b09e-037021c4f8df.json deleted file mode 100644 index 4bdb84e270..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-4e4bb1e0-1b1b-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Disk IO (Bytes) [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.diskio\\\"\"},\"id\":\"d3c67db0-1b1a-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(22,165,165,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"d3c67db1-1b1a-11e7-b09e-037021c4f8df\",\"label\":\"reads\",\"line_width\":1,\"metrics\":[{\"field\":\"system.diskio.read.bytes\",\"id\":\"d3c67db2-1b1a-11e7-b09e-037021c4f8df\",\"type\":\"max\"},{\"field\":\"d3c67db2-1b1a-11e7-b09e-037021c4f8df\",\"id\":\"f55b9910-1b1a-11e7-b09e-037021c4f8df\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"field\":\"f55b9910-1b1a-11e7-b09e-037021c4f8df\",\"id\":\"dcbbb100-1b93-11e7-8ada-3df93aab833e\",\"type\":\"positive_only\",\"unit\":\"\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"value_template\":\"{{value}}/s\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(251,158,0,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"144124d0-1b1b-11e7-b09e-037021c4f8df\",\"label\":\"writes\",\"line_width\":1,\"metrics\":[{\"field\":\"system.diskio.write.bytes\",\"id\":\"144124d1-1b1b-11e7-b09e-037021c4f8df\",\"type\":\"max\"},{\"field\":\"144124d1-1b1b-11e7-b09e-037021c4f8df\",\"id\":\"144124d2-1b1b-11e7-b09e-037021c4f8df\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"id\":\"144124d4-1b1b-11e7-b09e-037021c4f8df\",\"script\":\"params.rate \\u003e 0 ? 
params.rate * -1 : 0\",\"type\":\"calculation\",\"variables\":[{\"field\":\"144124d2-1b1b-11e7-b09e-037021c4f8df\",\"id\":\"144124d3-1b1b-11e7-b09e-037021c4f8df\",\"name\":\"rate\"}]}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"value_template\":\"{{value}}/s\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"Disk IO (Bytes) [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-4e4bb1e0-1b1b-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-51164310-fa2b-11e6-bbd3-29c986c96e5a.json b/packages/system/0.10.6/kibana/visualization/system-51164310-fa2b-11e6-bbd3-29c986c96e5a.json deleted file mode 100644 index efa1f752dd..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-51164310-fa2b-11e6-bbd3-29c986c96e5a.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.sudo.error:*\"}}" - }, - "title": "Sudo errors [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"system.auth.sudo.error\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"Sudo errors\",\"type\":\"histogram\"}" - }, - "id": "system-51164310-fa2b-11e6-bbd3-29c986c96e5a", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b.json b/packages/system/0.10.6/kibana/visualization/system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b.json deleted file mode 100644 index bd07f29ec0..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Inbound Traffic [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"0e346760-1b92-11e7-bec4-a5e9ec5cab8b\"}],\"filter\":{\"language\":\"lucene\",\"query\":\"-system.network.name:l*\"},\"id\":\"0c761590-1b92-11e7-bec4-a5e9ec5cab8b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"0c761591-1b92-11e7-bec4-a5e9ec5cab8b\",\"label\":\"Inbound Traffic\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.in.bytes\",\"id\":\"0c761592-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"max\"},{\"field\":\"0c761592-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"1d659060-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"field\":\"1d659060-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"f2074f70-1b92-11e7-a416-41f5ccdba2e6\",\"type\":\"positive_only\",\"unit\":\"\"},{\"function\":\"sum\",\"id\":\"c40e18f0-2c55-11e7-a0ad-277ce466684d\",\"type\":\"series_agg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"37f70440-1b92-11e7-bec4-a5e9ec5cab8b\",\"label\":\"Total 
Transferred\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.in.bytes\",\"id\":\"37f72b50-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"max\"},{\"field\":\"37f72b50-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"37f72b51-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"derivative\",\"unit\":\"\"},{\"field\":\"37f72b51-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"f9da2dd0-1b92-11e7-a416-41f5ccdba2e6\",\"type\":\"positive_only\",\"unit\":\"\"},{\"field\":\"f9da2dd0-1b92-11e7-a416-41f5ccdba2e6\",\"function\":\"overall_sum\",\"id\":\"3e63c2f0-1b92-11e7-bec4-a5e9ec5cab8b\",\"sigma\":\"\",\"type\":\"series_agg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"metric\"},\"title\":\"Inbound Traffic [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-546febc0-f49b-11e9-8405-516218e3d268.json b/packages/system/0.10.6/kibana/visualization/system-546febc0-f49b-11e9-8405-516218e3d268.json deleted file mode 100644 index 2a4dc48ec0..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-546febc0-f49b-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Groups Enumeration - TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(128,128,128,1)\",\"color\":\"rgba(179,179,179,1)\",\"id\":\"bfcaced0-f419-11e9-928e-8f5fd2b6c66e\",\"operator\":\"gt\",\"value\":0},{\"background_color\":\"rgba(179,179,179,1)\",\"id\":\"8d3f3ed0-9b51-11ea-99a1-e5b989979a59\",\"operator\":\"lte\",\"value\":0}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code:4799\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Group Membership Enumeration\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Groups Enumeration - TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-546febc0-f49b-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.6/kibana/visualization/system-568a8130-bcde-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.6/kibana/visualization/system-568a8130-bcde-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 933f67bf45..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-568a8130-bcde-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4723\",\"4724\"],\"type\":\"phrases\",\"value\":\"4723, 4724\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4723\"}},{\"match_phrase\":{\"event.code\":\"4724\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Password Reset / Changes [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Password Changes\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Password Reset / Changes [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-568a8130-bcde-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], 
- "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-58fb9480-9b46-11ea-87e4-49f31ec44891.json b/packages/system/0.10.6/kibana/visualization/system-58fb9480-9b46-11ea-87e4-49f31ec44891.json deleted file mode 100644 index ff437ba2d3..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-58fb9480-9b46-11ea-87e4-49f31ec44891.json +++ /dev/null @@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Group Management Events - Target Groups - Tag Cloud [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"maxFontSize\":58,\"minFontSize\":18,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Group Management Events - Target Groups - Tag Cloud [Windows Security]\",\"type\":\"tagcloud\"}" - }, - "id": "windows-58fb9480-9b46-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.6/kibana/visualization/system-590a60f0-5d87-11e7-8884-1bb4c3b890e4.json b/packages/system/0.10.6/kibana/visualization/system-590a60f0-5d87-11e7-8884-1bb4c3b890e4.json deleted file mode 100644 index e5419418c6..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-590a60f0-5d87-11e7-8884-1bb4c3b890e4.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Number of processes [Metrics System]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Processes\",\"field\":\"process.pid\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.process\\\"\"},\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"type\":\"gauge\"},\"title\":\"Number of processes\",\"type\":\"metric\"}" - }, - "id": "system-590a60f0-5d87-11e7-8884-1bb4c3b890e4", - "references": [ - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-5bb93ed0-a249-11e9-a422-d144027429da.json b/packages/system/0.10.6/kibana/visualization/system-5bb93ed0-a249-11e9-a422-d144027429da.json deleted file mode 100644 index 9742f4a43f..0000000000 
--- a/packages/system/0.10.6/kibana/visualization/system-5bb93ed0-a249-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4672\"},\"type\":\"phrase\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4672\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Admin Logons Simple [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Admin Logons\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"aggType\":\"cardinality\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Admin Logons Simple [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-5bb93ed0-a249-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.6/kibana/visualization/system-5c7af030-fa2a-11e6-bbd3-29c986c96e5a.json b/packages/system/0.10.6/kibana/visualization/system-5c7af030-fa2a-11e6-bbd3-29c986c96e5a.json deleted file mode 100644 index 112d3d6530..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-5c7af030-fa2a-11e6-bbd3-29c986c96e5a.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Sudo commands by user [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"Sudo commands by user\",\"type\":\"histogram\"}" - }, - "id": "system-5c7af030-fa2a-11e6-bbd3-29c986c96e5a", - "references": [ - { - "id": "system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-5c9ee410-9b74-11ea-87e4-49f31ec44891.json b/packages/system/0.10.6/kibana/visualization/system-5c9ee410-9b74-11ea-87e4-49f31ec44891.json deleted file mode 100644 index dca0f9262f..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-5c9ee410-9b74-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "User Event Actions - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"event.action\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":25},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"event.code\",\"field\":\"event.code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"User Event Actions - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-5c9ee410-9b74-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.6/kibana/visualization/system-5d117970-9ffd-11ea-87e4-49f31ec44891.json b/packages/system/0.10.6/kibana/visualization/system-5d117970-9ffd-11ea-87e4-49f31ec44891.json deleted file mode 100644 index fa00481119..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-5d117970-9ffd-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4740\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"4740\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Blocked Accounts [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Blocked Accounts\",\"field\":\"user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Blocked Accounts [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-5d117970-9ffd-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.6/kibana/visualization/system-5d92b100-bce8-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.6/kibana/visualization/system-5d92b100-bce8-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 51ea966488..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-5d92b100-bce8-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4738\"],\"type\":\"phrases\",\"value\":\"4738\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4738\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Changes - Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Changes in Users\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Changes - Simple Metric [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-5d92b100-bce8-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.6/kibana/visualization/system-5dd15c00-fa78-11e6-ae9b-81e5311e8cab.json b/packages/system/0.10.6/kibana/visualization/system-5dd15c00-fa78-11e6-ae9b-81e5311e8cab.json deleted file mode 100644 index bc04c92dd4..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-5dd15c00-fa78-11e6-ae9b-81e5311e8cab.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New users over time [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"bottom\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"New users over time\",\"type\":\"histogram\"}" - }, - "id": "system-5dd15c00-fa78-11e6-ae9b-81e5311e8cab", - "references": [ - { - "id": "system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-5e19ff80-231c-11ea-8405-516218e3d268.json b/packages/system/0.10.6/kibana/visualization/system-5e19ff80-231c-11ea-8405-516218e3d268.json deleted file mode 100644 index a48866082b..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-5e19ff80-231c-11ea-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4781\"],\"type\":\"phrases\",\"value\":\"4781\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4781\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Renamed - Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Renamed Users\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Renamed - Simple Metric [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-5e19ff80-231c-11ea-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.6/kibana/visualization/system-5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.6/kibana/visualization/system-5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 4af6ebd0b6..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4720\"},\"type\":\"phrase\",\"value\":\"4720\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4720\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Created - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Created User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Created - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-5eeaafd0-fee7-11e9-8405-516218e3d268.json b/packages/system/0.10.6/kibana/visualization/system-5eeaafd0-fee7-11e9-8405-516218e3d268.json deleted file mode 100644 index 14a99c93c0..0000000000 
--- a/packages/system/0.10.6/kibana/visualization/system-5eeaafd0-fee7-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4734\",\"4730\",\"4758\",\"4748\",\"4763\",\"4753\",\"4792\",\"4789\"],\"type\":\"phrases\",\"value\":\"4734, 4730, 4758, 4748, 4763, 4753, 4792, 4789\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4734\"}},{\"match_phrase\":{\"event.code\":\"4730\"}},{\"match_phrase\":{\"event.code\":\"4758\"}},{\"match_phrase\":{\"event.code\":\"4748\"}},{\"match_phrase\":{\"event.code\":\"4763\"}},{\"match_phrase\":{\"event.code\":\"4753\"}},{\"match_phrase\":{\"event.code\":\"4792\"}},{\"match_phrase\":{\"event.code\":\"4789\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"lucene\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Groups Deleted- Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Groups Deleted\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Greens\",\"colorsRange\":[{\"from\":0,\"to\":1,\"type\":\"range\"},{\"from\":1,\"to\":5},{\"from\":5,\"to\":10},{\"from\":10,\"to\":15},{\"from\":15,\"to\":20},{\"from\":20,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"Labels\",\"percentageMode\":false,\"style\":{\"bgColor\":true,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Groups Deleted- 
Simple Metric [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-5eeaafd0-fee7-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-60301890-ff1d-11e9-8405-516218e3d268.json b/packages/system/0.10.6/kibana/visualization/system-60301890-ff1d-11e9-8405-516218e3d268.json deleted file mode 100644 index 52f84418d2..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-60301890-ff1d-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Password Changes - TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(154,196,198,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4723\\\" OR event.code: \\\"4724\\\"\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Password Changes/Reset\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Password Changes - TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-60301890-ff1d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.6/kibana/visualization/system-6b7b9a40-faa1-11e6-86b1-cd7735ff7e23.json b/packages/system/0.10.6/kibana/visualization/system-6b7b9a40-faa1-11e6-86b1-cd7735ff7e23.json deleted file mode 100644 index 22a26c29d4..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-6b7b9a40-faa1-11e6-86b1-cd7735ff7e23.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Network Traffic (Packets) [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"lucene\",\"query\":\"-system.network.name:l*\"},\"id\":\"da1046f0-faa0-11e6-86b1-cd7735ff7e23\",\"index_pattern\":\"*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":\"1\",\"formatter\":\"0.[00]a\",\"id\":\"da1046f1-faa0-11e6-86b1-cd7735ff7e23\",\"label\":\"Inbound\",\"line_width\":\"0\",\"metrics\":[{\"field\":\"system.network.in.packets\",\"id\":\"da1046f2-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"max\"},{\"field\":\"da1046f2-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"f41f9280-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"field\":\"f41f9280-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"c0da3d80-1b93-11e7-8ada-3df93aab833e\",\"type\":\"positive_only\",\"unit\":\"\"},{\"function\":\"sum\",\"id\":\"ecaad010-2c2c-11e7-be71-3162da85303f\",\"type\":\"series_agg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(250,40,255,1)\",\"fill\":\"1\",\"formatter\":\"0.[00]a\",\"id\":\"fbbd5720-faa0-11e6-86b1-cd7735ff7e23\",\"label\":\"Outbound\",\"line_width\":\"0\",\"metrics\":[{\"field\":\"system.network.out.packets\",\"id\":\"fbbd7e30-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"max\"},{\"field\":\"fbbd7e30-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"fbbd7e31-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"id\":\"17e597a0-faa1-11e6-86b
1-cd7735ff7e23\",\"script\":\"params.rate != null \\u0026\\u0026 params.rate \\u003e 0 ? params.rate * -1 : null\",\"type\":\"calculation\",\"variables\":[{\"field\":\"fbbd7e31-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"1940bad0-faa1-11e6-86b1-cd7735ff7e23\",\"name\":\"rate\"}]},{\"function\":\"sum\",\"id\":\"fe5fbdc0-2c2c-11e7-be71-3162da85303f\",\"type\":\"series_agg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"Mericbeat: Network Traffic (Packets)\",\"type\":\"metrics\"}" - }, - "id": "system-6b7b9a40-faa1-11e6-86b1-cd7735ff7e23", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-6f0f2ea0-f414-11e9-8405-516218e3d268.json b/packages/system/0.10.6/kibana/visualization/system-6f0f2ea0-f414-11e9-8405-516218e3d268.json deleted file mode 100644 index 4da7034431..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-6f0f2ea0-f414-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Group Management Events - Description [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":10,\"markdown\":\"# **Group Management Events**\\n\\n#### This dashboard shows information about Group Management Events collected by winlogbeat\\n\",\"openLinksInNewTab\":false},\"title\":\"Group Management Events - Description [Windows Security]\",\"type\":\"markdown\"}" - }, - "id": "windows-6f0f2ea0-f414-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-729443b0-a7d6-11e9-a422-d144027429da.json b/packages/system/0.10.6/kibana/visualization/system-729443b0-a7d6-11e9-a422-d144027429da.json deleted file mode 100644 index 67e90b9ee1..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-729443b0-a7d6-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4625\",\"4771\"],\"type\":\"phrases\",\"value\":\"4625, 4771\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4625\"}},{\"match_phrase\":{\"event.code\":\"4771\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Logon Failed Acconts [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"type\":\"vis_dimension\"},\"maxFontSize\":37,\"metric\":{\"accessor\":1,\"format\":{\"id\":\"string\",\"params\":{}},\"type\":\"vis_dimension\"},\"minFontSize\":15,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Logon Failed Acconts [Windows Security]\",\"type\":\"tagcloud\"}" - }, - "id": "windows-729443b0-a7d6-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-7322f9f0-ff1c-11e9-8405-516218e3d268.json b/packages/system/0.10.6/kibana/visualization/system-7322f9f0-ff1c-11e9-8405-516218e3d268.json deleted file mode 100644 index e59b87fe2e..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-7322f9f0-ff1c-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Deleted - TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(228,155,75,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4726\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Deleted\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Deleted - TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-7322f9f0-ff1c-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.6/kibana/visualization/system-78b74f30-f9cd-11e6-8115-a7c18106d86a.json b/packages/system/0.10.6/kibana/visualization/system-78b74f30-f9cd-11e6-8115-a7c18106d86a.json deleted file mode 100644 index c119c156ea..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-78b74f30-f9cd-11e6-8115-a7c18106d86a.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - }, - "title": "SSH login attempts [Logs System]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Accepted\":\"#3F6833\",\"Failed\":\"#F9934E\",\"Invalid\":\"#447EBC\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"system.auth.ssh.event\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"SSH login attempts\",\"type\":\"histogram\"}" - }, - "id": "system-78b74f30-f9cd-11e6-8115-a7c18106d86a", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.6/kibana/visualization/system-7a329a00-a7d5-11e9-a422-d144027429da.json b/packages/system/0.10.6/kibana/visualization/system-7a329a00-a7d5-11e9-a422-d144027429da.json deleted file mode 100644 index 0156cd0ffc..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-7a329a00-a7d5-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4740\"},\"type\":\"phrase\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4740\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Blocked Accounts Tag [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"type\":\"vis_dimension\"},\"maxFontSize\":53,\"metric\":{\"accessor\":1,\"format\":{\"id\":\"string\",\"params\":{}},\"type\":\"vis_dimension\"},\"minFontSize\":18,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Blocked Accounts Tag [Windows Security]\",\"type\":\"tagcloud\"}" - }, - "id": "windows-7a329a00-a7d5-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - 
}, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-7cdb1330-4d1a-11e7-a196-69b9a7a020a9.json b/packages/system/0.10.6/kibana/visualization/system-7cdb1330-4d1a-11e7-a196-69b9a7a020a9.json deleted file mode 100644 index e89f3a3690..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-7cdb1330-4d1a-11e7-a196-69b9a7a020a9.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Hosts histogram by CPU usage [Metrics System]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0% - 5%\":\"rgb(247,252,245)\",\"10% - 15%\":\"rgb(116,196,118)\",\"15% - 20%\":\"rgb(35,139,69)\",\"5% - 10%\":\"rgb(199,233,192)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"CPU usage\",\"field\":\"system.cpu.user.pct\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Hosts\",\"field\":\"host.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Greens\",\"colorsNumber\":4,\"colorsRange\":[],\"enableHover\":false,\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.cpu\\\" \"},\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"type\":\"heatmap\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"#555\",\"rotate\":0,\"show\":false},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Hosts histogram by CPU usage [Metrics System]\",\"type\":\"heatmap\"}" - }, - "id": "system-7cdb1330-4d1a-11e7-a196-69b9a7a020a9", - "references": [ - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.6/kibana/visualization/system-7de2e3f0-9b4d-11ea-87e4-49f31ec44891.json b/packages/system/0.10.6/kibana/visualization/system-7de2e3f0-9b4d-11ea-87e4-49f31ec44891.json deleted file mode 100644 index ac901db56f..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-7de2e3f0-9b4d-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Group Management Action Distribution over Time [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-30d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":25},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false,\"valueAxis\":\"\"},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"positio
n\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Group Management Action Distribution over Time [Windows Security]\",\"type\":\"histogram\"}" - }, - "id": "windows-7de2e3f0-9b4d-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-804dd400-a248-11e9-a422-d144027429da.json b/packages/system/0.10.6/kibana/visualization/system-804dd400-a248-11e9-a422-d144027429da.json deleted file mode 100644 index 81fea16fcd..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-804dd400-a248-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4672\"],\"type\":\"phrases\",\"value\":\"4672\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4672\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Logged on Administrators [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Date\",\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"2020-05-20T07:35:27.496Z\",\"to\":\"2020-05-22T00:01:10.239Z\"},\"useNormalizedEsInterval\":true},\"schema\":\"bucket\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"user.name\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"8\",\"params\":{\"customLabel\":\"# 
Thread\",\"field\":\"winlog.process.thread.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"9\",\"params\":{\"customLabel\":\"LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"date_histogram\",\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD HH:mm\"}},\"label\":\"Fecha - Hora \",\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"label\":\"Usuario\",\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"label\":\"# Thread\",\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"label\":\"winlog.logon.id: Descending\",\"params\":{}}],\"metrics\":[{\"accessor\":4,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Cantidad Eventos 
\",\"params\":{}}]},\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Logged on Administrators [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-804dd400-a248-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32.json b/packages/system/0.10.6/kibana/visualization/system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32.json deleted file mode 100644 index 172b24f43c..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Disk Used [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.fsstat\\\"\"},\"gauge_color_rules\":[{\"gauge\":\"rgba(104,188,0,1)\",\"id\":\"51921d10-4d1d-11e7-b5f2-2b7c1895bf32\",\"operator\":\"gte\",\"value\":0},{\"gauge\":\"rgba(251,158,0,1)\",\"id\":\"f26de750-4d54-11e7-b5f2-2b7c1895bf32\",\"operator\":\"gte\",\"value\":0.7},{\"gauge\":\"rgba(211,49,21,1)\",\"id\":\"fa31d190-4d54-11e7-b5f2-2b7c1895bf32\",\"operator\":\"gte\",\"value\":0.85}],\"gauge_inner_width\":10,\"gauge_max\":\"1\",\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"4e4dc780-4d1d-11e7-b5f2-2b7c1895bf32\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"4e4dee90-4d1d-11e7-b5f2-2b7c1895bf32\",\"label\":\"Disk used\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"system.fsstat.total_size.used\",\"id\":\"4e4dee91-4d1d-11e7-b5f2-2b7c1895bf32\",\"order\":\"desc\",\"order_by\":\"@timestamp\",\"size\":1,\"type\":\"top_hit\"},{\"agg_with\":\"avg\",\"field\":\"system.fsstat.total_size.total\",\"id\":\"57c96ee0-4d54-11e7-b5f2-2b7c1895bf32\",\"order\":\"desc\",\"order_by\":\"@timestamp\",\"size\":1,\"type\":\"top_hit\"},{\"id\":\"6304cca0-4d54-11e7-b5f2-2b7c1895bf32\",\"script\":\"params.used/params.total 
\",\"type\":\"math\",\"variables\":[{\"field\":\"4e4dee91-4d1d-11e7-b5f2-2b7c1895bf32\",\"id\":\"6da10430-4d54-11e7-b5f2-2b7c1895bf32\",\"name\":\"used\"},{\"field\":\"57c96ee0-4d54-11e7-b5f2-2b7c1895bf32\",\"id\":\"73b8c510-4d54-11e7-b5f2-2b7c1895bf32\",\"name\":\"total\"}]}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"gauge\"},\"title\":\"Disk used [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b.json b/packages/system/0.10.6/kibana/visualization/system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b.json deleted file mode 100644 index dc7c7ab1d6..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "CPU Usage Gauge [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.cpu\\\"\"},\"gauge_color_rules\":[{\"gauge\":\"rgba(104,188,0,1)\",\"id\":\"4ef2c3b0-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0},{\"gauge\":\"rgba(254,146,0,1)\",\"id\":\"e6561ae0-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0.7},{\"gauge\":\"rgba(211,49,21,1)\",\"id\":\"ec655040-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0.85}],\"gauge_inner_width\":10,\"gauge_max\":\"1\",\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"4c9e2550-1b91-11e7-bec4-a5e9ec5cab8b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"4c9e2551-1b91-11e7-bec4-a5e9ec5cab8b\",\"label\":\"CPU Usage\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.user.pct\",\"id\":\"4c9e2552-1b91-11e7-bec4-a5e9ec5cab8b\",\"type\":\"avg\"},{\"field\":\"system.cpu.system.pct\",\"id\":\"225c2140-5fd7-11e7-a63a-a937b7c1a7e1\",\"type\":\"avg\"},{\"field\":\"system.cpu.cores\",\"id\":\"837a30c0-5fd7-11e7-a63a-a937b7c1a7e1\",\"type\":\"avg\"},{\"id\":\"587aa510-1b91-11e7-bec4-a5e9ec5cab8b\",\"script\":\"params.n \\u003e 0 ? 
(params.user+params.system)/params.n : null\",\"type\":\"calculation\",\"variables\":[{\"field\":\"4c9e2552-1b91-11e7-bec4-a5e9ec5cab8b\",\"id\":\"5a19af10-1b91-11e7-bec4-a5e9ec5cab8b\",\"name\":\"user\"},{\"field\":\"225c2140-5fd7-11e7-a63a-a937b7c1a7e1\",\"id\":\"32b54f80-5fd7-11e7-a63a-a937b7c1a7e1\",\"name\":\"system\"},{\"field\":\"837a30c0-5fd7-11e7-a63a-a937b7c1a7e1\",\"id\":\"8ba6eef0-5fd7-11e7-a63a-a937b7c1a7e1\",\"name\":\"n\"}]}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\"},\"title\":\"CPU Usage Gauge [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-84502430-bce8-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.6/kibana/visualization/system-84502430-bce8-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 83e05f5442..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-84502430-bce8-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4740\"],\"type\":\"phrases\",\"value\":\"4740\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4740\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Unlocks - Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Users Locked Out\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Unlocks - Simple Metric [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-84502430-bce8-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.6/kibana/visualization/system-855899e0-1b1c-11e7-b09e-037021c4f8df.json b/packages/system/0.10.6/kibana/visualization/system-855899e0-1b1c-11e7-b09e-037021c4f8df.json deleted file mode 100644 index ae48f968a3..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-855899e0-1b1c-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Top Hosts By CPU (Realtime) [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"bar_color\":\"rgba(104,188,0,1)\",\"id\":\"33349dd0-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0},{\"bar_color\":\"rgba(254,146,0,1)\",\"id\":\"997dc440-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.6},{\"bar_color\":\"rgba(211,49,21,1)\",\"id\":\"a10d7f20-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.85}],\"drilldown_url\":\"../app/kibana#/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8?_a=(query:(language:kuery,query:'host.name:\\\"{{key}}\\\"'))\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.cpu\\\"\"},\"id\":\"31e5afa0-1b1c-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"31e5afa1-1b1c-11e7-b09e-037021c4f8df\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.user.pct\",\"id\":\"31e5afa2-1b1c-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"host.name\",\"terms_order_by\":\"31e5afa2-1b1c-11e7-b09e-037021c4f8df\",\"terms_size\":\"10\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Top Hosts By CPU (Realtime) [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-855899e0-1b1c-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.6/kibana/visualization/system-855957d0-bcdd-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.6/kibana/visualization/system-855957d0-bcdd-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 1056243f5c..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-855957d0-bcdd-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4722\"},\"type\":\"phrase\",\"value\":\"4722\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4722\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Enabled - Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Users Enabled\",\"field\":\"user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Enabled - Simple Metric [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-855957d0-bcdd-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of 
file diff --git a/packages/system/0.10.6/kibana/visualization/system-860706a0-9bfd-11ea-87e4-49f31ec44891.json b/packages/system/0.10.6/kibana/visualization/system-860706a0-9bfd-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 6e2cbe81b4..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-860706a0-9bfd-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "User Logons [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"d5bcde50-9bfc-11ea-aaa3-618beeff2d9c\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(7,139,141,1)\",\"id\":\"16018150-9bfd-11ea-aaa3-618beeff2d9c\",\"operator\":\"gte\",\"value\":0}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"filter\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.security AND event.code: \\\"4624\\\")\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Logons \",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"User Logons [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-860706a0-9bfd-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.6/kibana/visualization/system-8ef59f90-6ab8-11ea-896f-0d70f7ec3956.json b/packages/system/0.10.6/kibana/visualization/system-8ef59f90-6ab8-11ea-896f-0d70f7ec3956.json deleted file mode 100644 index 044b3f7e20..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-8ef59f90-6ab8-11ea-896f-0d70f7ec3956.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Failed Logons TSVB [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(181,99,93,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.security AND event.code: \\\"4625\\\")\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Failed Logon\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Failed Logons TSVB [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-8ef59f90-6ab8-11ea-896f-0d70f7ec3956", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.6/kibana/visualization/system-8f20c950-bcd4-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.6/kibana/visualization/system-8f20c950-bcd4-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 8d37e6840b..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-8f20c950-bcd4-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4725\"},\"type\":\"phrase\",\"value\":\"4725\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4725\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Disabled - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Disabled User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Disabled - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-8f20c950-bcd4-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-96976150-4d5d-11e7-aa29-87a97a796de6.json b/packages/system/0.10.6/kibana/visualization/system-96976150-4d5d-11e7-aa29-87a97a796de6.json deleted file mode 100644 index 172bcb8f2c..0000000000 
--- a/packages/system/0.10.6/kibana/visualization/system-96976150-4d5d-11e7-aa29-87a97a796de6.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Packetloss [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"6ba9b1f0-4d5d-11e7-aa29-87a97a796de6\"}],\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.network\\\"\"},\"id\":\"6984af10-4d5d-11e7-aa29-87a97a796de6\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"6984af11-4d5d-11e7-aa29-87a97a796de6\",\"label\":\"In Packetloss\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.in.dropped\",\"id\":\"6984af12-4d5d-11e7-aa29-87a97a796de6\",\"type\":\"max\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"ac2e6b30-4d5d-11e7-aa29-87a97a796de6\",\"label\":\"Out Packetloss\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.out.dropped\",\"id\":\"ac2e6b31-4d5d-11e7-aa29-87a97a796de6\",\"type\":\"max\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"metric\"},\"title\":\"Packetloss [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-96976150-4d5d-11e7-aa29-87a97a796de6", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.6/kibana/visualization/system-97c70300-ff1c-11e9-8405-516218e3d268.json b/packages/system/0.10.6/kibana/visualization/system-97c70300-ff1c-11e9-8405-516218e3d268.json deleted file mode 100644 index bef426486b..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-97c70300-ff1c-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Disabled - TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(79,147,150,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.security AND event.code: \\\"4725\\\")\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Disabled\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Disabled - TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-97c70300-ff1c-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.6/kibana/visualization/system-98884120-f49d-11e9-8405-516218e3d268.json b/packages/system/0.10.6/kibana/visualization/system-98884120-f49d-11e9-8405-516218e3d268.json deleted file mode 100644 index 768e5a7c1c..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-98884120-f49d-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4731\",\"4727\",\"4754\",\"4744\",\"4759\",\"4779\",\"4790\",\"4783\"],\"type\":\"phrases\",\"value\":\"4731, 4727, 4754, 4744, 4759, 4779, 4790, 4783\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4731\"}},{\"match_phrase\":{\"event.code\":\"4727\"}},{\"match_phrase\":{\"event.code\":\"4754\"}},{\"match_phrase\":{\"event.code\":\"4744\"}},{\"match_phrase\":{\"event.code\":\"4759\"}},{\"match_phrase\":{\"event.code\":\"4779\"}},{\"match_phrase\":{\"event.code\":\"4790\"}},{\"match_phrase\":{\"event.code\":\"4783\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Groups Created - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Group\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"group.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Performer 
LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":4,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":5,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Groups Created - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-98884120-f49d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.6/kibana/visualization/system-99381c80-4d60-11e7-9a4c-ed99bbcaa42b.json b/packages/system/0.10.6/kibana/visualization/system-99381c80-4d60-11e7-9a4c-ed99bbcaa42b.json deleted file mode 100644 index 66e166e22e..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-99381c80-4d60-11e7-9a4c-ed99bbcaa42b.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Interfaces by Incoming traffic [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"id\":\"44596d40-4d60-11e7-9a4c-ed99bbcaa42b\"}],\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.network\\\"\"},\"id\":\"42ceae90-4d60-11e7-9a4c-ed99bbcaa42b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"42ced5a0-4d60-11e7-9a4c-ed99bbcaa42b\",\"label\":\"Interfaces by Incoming traffic\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.in.bytes\",\"id\":\"42ced5a1-4d60-11e7-9a4c-ed99bbcaa42b\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"terms_order_by\":\"42ced5a1-4d60-11e7-9a4c-ed99bbcaa42b\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Interfaces by Incoming traffic [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-99381c80-4d60-11e7-9a4c-ed99bbcaa42b", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.6/kibana/visualization/system-9dd22440-ff1d-11e9-8405-516218e3d268.json b/packages/system/0.10.6/kibana/visualization/system-9dd22440-ff1d-11e9-8405-516218e3d268.json deleted file mode 100644 index 3d479d8d36..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-9dd22440-ff1d-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users locked Out - TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(102,102,102,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.security AND event.code: \\\"4740\\\")\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Locked Out\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users locked Out - TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-9dd22440-ff1d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.6/kibana/visualization/system-9e534190-f49d-11e9-8405-516218e3d268.json b/packages/system/0.10.6/kibana/visualization/system-9e534190-f49d-11e9-8405-516218e3d268.json deleted file mode 100644 index 80de558be8..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-9e534190-f49d-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4735\",\"4737\",\"4755\",\"4750\",\"4760\",\"4745\",\"4791\",\"4784\",\"4764\"],\"type\":\"phrases\",\"value\":\"4735, 4737, 4755, 4750, 4760, 4745, 4791, 4784, 4764\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4735\"}},{\"match_phrase\":{\"event.code\":\"4737\"}},{\"match_phrase\":{\"event.code\":\"4755\"}},{\"match_phrase\":{\"event.code\":\"4750\"}},{\"match_phrase\":{\"event.code\":\"4760\"}},{\"match_phrase\":{\"event.code\":\"4745\"}},{\"match_phrase\":{\"event.code\":\"4791\"}},{\"match_phrase\":{\"event.code\":\"4784\"}},{\"match_phrase\":{\"event.code\":\"4764\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Group Changes - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Group\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"group.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Performer 
LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":4,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":5,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Group Changes - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-9e534190-f49d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.6/kibana/visualization/system-Event-Levels.json b/packages/system/0.10.6/kibana/visualization/system-Event-Levels.json deleted file mode 100644 index aad708a11c..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-Event-Levels.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system)\"}}" - }, - "title": "Event Levels [Windows Overview]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Log Levels\",\"field\":\"log.level\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Event Levels [Windows Overview]\",\"type\":\"table\"}" - }, - "id": "windows-Event-Levels", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of 
file diff --git a/packages/system/0.10.6/kibana/visualization/system-Navigation.json b/packages/system/0.10.6/kibana/visualization/system-Navigation.json deleted file mode 100644 index d996678974..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-Navigation.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "System Navigation [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"[System Overview](#/dashboard/system-Metrics-system-overview) | [Host Overview](#/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8)\"},\"title\":\"System Navigation [Metrics System]\",\"type\":\"markdown\"}" - }, - "id": "system-Navigation", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-Number-of-Events-Over-Time-By-Event-Log.json b/packages/system/0.10.6/kibana/visualization/system-Number-of-Events-Over-Time-By-Event-Log.json deleted file mode 100644 index f37198a2af..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-Number-of-Events-Over-Time-By-Event-Log.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system)\"}}" - }, - "title": "Number of Events Over Time By Channel [Windows Overview]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"timeRange\":{\"from\":\"now-15d\",\"mode\":\"relative\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Channel\",\"field\":\"winlog.channel\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":6},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"dimensions\":{\"series\":[{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"x\":{\"accessor\":0,\"aggType\":\"date_histogram\",\"format\":{\"id\":\"date\",\"
params\":{\"pattern\":\"YYYY-MM-DD HH:mm\"}},\"params\":{\"bounds\":{\"max\":\"2019-02-05T04:30:25.961Z\",\"min\":\"2019-01-21T04:30:25.961Z\"},\"date\":true,\"format\":\"YYYY-MM-DD HH:mm\",\"interval\":43200000}},\"y\":[{\"accessor\":2,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"Number of Events Over Time By Channel [Windows Overview]\",\"type\":\"histogram\"}" - }, - "id": "windows-Number-of-Events-Over-Time-By-Event-Log", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-Number-of-Events.json b/packages/system/0.10.6/kibana/visualization/system-Number-of-Events.json deleted file mode 100644 index ec58494bab..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-Number-of-Events.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system)\"}}" - }, - "title": "Number of Events [Windows Overview]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"fontSize\":60},\"type\":\"metric\"}" - }, - "id": "windows-Number-of-Events", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-Sources.json b/packages/system/0.10.6/kibana/visualization/system-Sources.json deleted file mode 100644 index d0b0997dc1..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-Sources.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system)\"}}" - }, - "title": "Sources (Provider Names) [Windows Overview]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"winlog.provider_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":7},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"shareYAxis\":true,\"type\":\"pie\"},\"title\":\"Sources (Provider Names) [Windows Overview]\",\"type\":\"pie\"}" - }, - "id": "windows-Sources", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-Syslog-events-by-hostname.json b/packages/system/0.10.6/kibana/visualization/system-Syslog-events-by-hostname.json deleted file mode 100644 index 97fdb33425..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-Syslog-events-by-hostname.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Syslog events by hostname [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"host.hostname\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"Syslog events by hostname\",\"type\":\"histogram\"}" - }, - "id": "system-Syslog-events-by-hostname", - "references": [ - { - "id": "system-Syslog-system-logs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-Syslog-hostnames-and-processes.json b/packages/system/0.10.6/kibana/visualization/system-Syslog-hostnames-and-processes.json deleted file mode 100644 index 3fe992e28b..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-Syslog-hostnames-and-processes.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Syslog hostnames and processes [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"host.hostname\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"process.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"legendPosition\":\"bottom\",\"shareYAxis\":true},\"title\":\"Syslog hostnames and processes\",\"type\":\"pie\"}" - }, - "id": "system-Syslog-hostnames-and-processes", - "references": [ - { - "id": "system-Syslog-system-logs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-Top-Event-IDs.json b/packages/system/0.10.6/kibana/visualization/system-Top-Event-IDs.json deleted file mode 100644 index 4896468949..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-Top-Event-IDs.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system)\"}}" - }, - "title": "Top Event IDs [Windows Overview]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event IDs\",\"field\":\"winlog.event_id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Event IDs [Windows Overview]\",\"type\":\"table\"}" - }, - "id": "windows-Top-Event-IDs", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at 
end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-a13bf640-fee8-11e9-8405-516218e3d268.json b/packages/system/0.10.6/kibana/visualization/system-a13bf640-fee8-11e9-8405-516218e3d268.json deleted file mode 100644 index 7e96d25870..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-a13bf640-fee8-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4732\",\"4728\",\"4756\",\"4751\",\"4761\",\"4746\",\"4785\",\"4787\"],\"type\":\"phrases\",\"value\":\"4732, 4728, 4756, 4751, 4761, 4746, 4785, 4787\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4732\"}},{\"match_phrase\":{\"event.code\":\"4728\"}},{\"match_phrase\":{\"event.code\":\"4756\"}},{\"match_phrase\":{\"event.code\":\"4751\"}},{\"match_phrase\":{\"event.code\":\"4761\"}},{\"match_phrase\":{\"event.code\":\"4746\"}},{\"match_phrase\":{\"event.code\":\"4785\"}},{\"match_phrase\":{\"event.code\":\"4787\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Added - Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Users Added to Groups\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Reds\",\"colorsRange\":[{\"from\":0,\"to\":1,\"type\":\"range\"},{\"from\":1,\"to\":5},{\"from\":5,\"to\":10},{\"from\":10,\"to\":15},{\"from\":15,\"to\":20},{\"from\":20,\"to\":9999}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"Labels\",\"percentageMode\":false,\"style\":{\"bgColor\":true,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Added - 
Simple Metric [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-a13bf640-fee8-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-a3c3f350-9b6d-11ea-87e4-49f31ec44891.json b/packages/system/0.10.6/kibana/visualization/system-a3c3f350-9b6d-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 9d3bf16ab1..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-a3c3f350-9b6d-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Dashboard links [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"[Windows Overview](#/dashboard/Windows-Dashboard) | [User Logon Information](#/dashboard/windows-bae11b00-9bfc-11ea-87e4-49f31ec44891) | [Logon Failed and Account Lockout](#/dashboard/windows-d401ef40-a7d5-11e9-a422-d144027429da) | [User Management Events](#/dashboard/windows-71f720f0-ff18-11e9-8405-516218e3d268) | [Group Management Events](#/dashboard/windows-bb858830-f412-11e9-8405-516218e3d268)\",\"openLinksInNewTab\":false},\"title\":\"Dashboard links [Windows Security]\",\"type\":\"markdown\"}" - }, - "id": "windows-a3c3f350-9b6d-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-a5f664c0-f49a-11e9-8405-516218e3d268.json b/packages/system/0.10.6/kibana/visualization/system-a5f664c0-f49a-11e9-8405-516218e3d268.json deleted file mode 100644 index 4b46c3ba04..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-a5f664c0-f49a-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Removed - TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"bfcaced0-f419-11e9-928e-8f5fd2b6c66e\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(228,155,75,1)\",\"id\":\"11604700-9b51-11ea-99a1-e5b989979a59\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code:4733 OR event.code:4729 OR event.code:4788 OR event.code:4786 OR event.code:4752 OR event.code:4762 OR event.code:4747\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Removed from Group\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Removed - TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-a5f664c0-f49a-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.6/kibana/visualization/system-a79395f0-6aba-11ea-896f-0d70f7ec3956.json b/packages/system/0.10.6/kibana/visualization/system-a79395f0-6aba-11ea-896f-0d70f7ec3956.json deleted file mode 100644 index d044a29c62..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-a79395f0-6aba-11ea-896f-0d70f7ec3956.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Blocked Accounts TSVB [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"color\":\"rgba(51,51,51,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(102,102,102,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4740\\\"\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Blocked Accounts\",\"line_width\":1,\"metrics\":[{\"field\":\"user.name\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"cardinality\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Blocked Accounts TSVB [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-a79395f0-6aba-11ea-896f-0d70f7ec3956", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.6/kibana/visualization/system-a909b930-685f-11ea-896f-0d70f7ec3956.json b/packages/system/0.10.6/kibana/visualization/system-a909b930-685f-11ea-896f-0d70f7ec3956.json deleted file mode 100644 index e4c612104a..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-a909b930-685f-11ea-896f-0d70f7ec3956.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Logon Events Timeline [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4672\\\" or event.code: \\\"4624\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(226,115,0,1)\",\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4672\\\"\"},\"id\":\"7560ee50-685f-11ea-8d46-c19e41702dd4\",\"label\":\"Admin logons\"},{\"color\":\"rgba(164,221,243,1)\",\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4624\\\"\"},\"id\":\"80e7fb10-685f-11ea-8d46-c19e41702dd4\",\"label\":\"Logon Events\"}],\"split_mode\":\"filters\",\"stacked\":\"none\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"Logon Events Timeline [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-a909b930-685f-11ea-896f-0d70f7ec3956", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.6/kibana/visualization/system-aa31c9d0-9b75-11ea-87e4-49f31ec44891.json b/packages/system/0.10.6/kibana/visualization/system-aa31c9d0-9b75-11ea-87e4-49f31ec44891.json deleted file mode 100644 index cba7e9d873..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-aa31c9d0-9b75-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "User Management Events - Affected Users vs Actions - Heatmap [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Target User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Blues\",\"colorsNumber\":4,\"colorsRange\":[],\"enableHover\":false,\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"type\":\"heatmap\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"black\",\"overwriteColor\":false,\"rotate\":0,\"show\":true},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"User Management Events - Affected Users vs Actions - Heatmap [Windows Security]\",\"type\":\"heatmap\"}" - }, - "id": "windows-aa31c9d0-9b75-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - 
"type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-ab2d1e90-1b1a-11e7-b09e-037021c4f8df.json b/packages/system/0.10.6/kibana/visualization/system-ab2d1e90-1b1a-11e7-b09e-037021c4f8df.json deleted file mode 100644 index 2dd21f0794..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-ab2d1e90-1b1a-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "CPU Usage [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.cpu\\\"\"},\"id\":\"80a04950-1b19-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"80a04951-1b19-11e7-b09e-037021c4f8df\",\"label\":\"user\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.user.pct\",\"id\":\"80a04952-1b19-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(211,49,21,1)\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"993acf30-1b19-11e7-b09e-037021c4f8df\",\"label\":\"system\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.system.pct\",\"id\":\"993acf31-1b19-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(123,100,255,1)\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"65ca35e0-1b1a-11e7-b09e-037021c4f8df\",\"label\":\"nice\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.nice.pct\",\"id\":\"65ca5cf0-1b1a-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(226,
115,0,1)\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"741b5f20-1b1a-11e7-b09e-037021c4f8df\",\"label\":\"irq\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.irq.pct\",\"id\":\"741b5f21-1b1a-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(176,188,0,1)\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"2efc5d40-1b1a-11e7-b09e-037021c4f8df\",\"label\":\"softirq\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.softirq.pct\",\"id\":\"2efc5d41-1b1a-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(15,20,25,1)\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"ae644a30-1b19-11e7-b09e-037021c4f8df\",\"label\":\"iowait\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.iowait.pct\",\"id\":\"ae644a31-1b19-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"CPU Usage [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-ab2d1e90-1b1a-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-ab6f8d80-bce8-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.6/kibana/visualization/system-ab6f8d80-bce8-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 1524776c84..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-ab6f8d80-bce8-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4767\"],\"type\":\"phrases\",\"value\":\"4767\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4767\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Unlocked Users - Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Users Unlocks\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Unlocked Users - Simple Metric [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-ab6f8d80-bce8-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.6/kibana/visualization/system-abd44840-9c0f-11ea-87e4-49f31ec44891.json b/packages/system/0.10.6/kibana/visualization/system-abd44840-9c0f-11ea-87e4-49f31ec44891.json deleted file mode 100644 index b80521880d..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-abd44840-9c0f-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4624\",\"4672\"],\"type\":\"phrases\",\"value\":\"4624, 4672\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4624\"}},{\"match_phrase\":{\"event.code\":\"4672\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Logon Events in Time - Simple [Windows Security]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Admin Logons\":\"#E24D42\",\"Logon Events\":\"#447EBC\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"2020-05-20T07:35:27.496Z\",\"to\":\"2020-05-22T00:01:10.239Z\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"filters\":[{\"input\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4624\\\" \"},\"label\":\"Logon Events\"},{\"input\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4672\\\" \"},\"label\":\"Admin 
Logons\"}]},\"schema\":\"group\",\"type\":\"filters\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Logon Events in Time - Simple [Windows Security]\",\"type\":\"line\"}" - }, - "id": "windows-abd44840-9c0f-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-abf96c10-bcea-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.6/kibana/visualization/system-abf96c10-bcea-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 10df083da9..0000000000 
--- a/packages/system/0.10.6/kibana/visualization/system-abf96c10-bcea-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4738\"},\"type\":\"phrase\",\"value\":\"4738\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4738\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Changes Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Changed User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Changes Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-abf96c10-bcea-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-b5f38780-fee6-11e9-8405-516218e3d268.json b/packages/system/0.10.6/kibana/visualization/system-b5f38780-fee6-11e9-8405-516218e3d268.json deleted file mode 100644 index 01f9b4f63c..0000000000 
--- a/packages/system/0.10.6/kibana/visualization/system-b5f38780-fee6-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4735\",\"4737\",\"4755\",\"4750\",\"4760\",\"4745\",\"4791\",\"4784\",\"4764\"],\"type\":\"phrases\",\"value\":\"4735, 4737, 4755, 4750, 4760, 4745, 4791, 4784, 4764\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4735\"}},{\"match_phrase\":{\"event.code\":\"4737\"}},{\"match_phrase\":{\"event.code\":\"4755\"}},{\"match_phrase\":{\"event.code\":\"4750\"}},{\"match_phrase\":{\"event.code\":\"4760\"}},{\"match_phrase\":{\"event.code\":\"4745\"}},{\"match_phrase\":{\"event.code\":\"4791\"}},{\"match_phrase\":{\"event.code\":\"4784\"}},{\"match_phrase\":{\"event.code\":\"4764\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Groups Changes - Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Groups Changed\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Yellow to 
Red\",\"colorsRange\":[{\"from\":0,\"to\":1,\"type\":\"range\"},{\"from\":1,\"to\":5},{\"from\":5,\"to\":10},{\"from\":10,\"to\":15},{\"from\":15,\"to\":20},{\"from\":20,\"to\":100000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"Labels\",\"percentageMode\":false,\"style\":{\"bgColor\":true,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Groups Changes - Simple Metric [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-b5f38780-fee6-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-b89b0c90-9b41-11ea-87e4-49f31ec44891.json b/packages/system/0.10.6/kibana/visualization/system-b89b0c90-9b41-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 69a39e96ac..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-b89b0c90-9b41-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Group Management Events - Event Actions [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Group Management Events - Event Actions [Windows Security]\",\"type\":\"pie\"}" - }, - "id": "windows-b89b0c90-9b41-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-bb9cf7a0-f49d-11e9-8405-516218e3d268.json b/packages/system/0.10.6/kibana/visualization/system-bb9cf7a0-f49d-11e9-8405-516218e3d268.json deleted file mode 100644 index a41d9a8945..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-bb9cf7a0-f49d-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4734\",\"4730\",\"4758\",\"4748\",\"4763\",\"4753\",\"4792\",\"4789\"],\"type\":\"phrases\",\"value\":\"4734, 4730, 4758, 4748, 4763, 4753, 4792, 4789\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4734\"}},{\"match_phrase\":{\"event.code\":\"4730\"}},{\"match_phrase\":{\"event.code\":\"4758\"}},{\"match_phrase\":{\"event.code\":\"4748\"}},{\"match_phrase\":{\"event.code\":\"4763\"}},{\"match_phrase\":{\"event.code\":\"4753\"}},{\"match_phrase\":{\"event.code\":\"4792\"}},{\"match_phrase\":{\"event.code\":\"4789\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Groups Deleted - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Group\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"group.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Performer 
LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":4,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":5,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Groups Deleted - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-bb9cf7a0-f49d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.6/kibana/visualization/system-bc165210-f4b8-11e9-8405-516218e3d268.json b/packages/system/0.10.6/kibana/visualization/system-bc165210-f4b8-11e9-8405-516218e3d268.json deleted file mode 100644 index 1d06fa3d06..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-bc165210-f4b8-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4799\"],\"type\":\"phrases\",\"value\":\"4799\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4799\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Group Enumeration - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Group\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"group.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Creator\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Creator 
LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":4,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":5,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Group Enumeration - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-bc165210-f4b8-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.6/kibana/visualization/system-bf45dc50-ff1a-11e9-8405-516218e3d268.json b/packages/system/0.10.6/kibana/visualization/system-bf45dc50-ff1a-11e9-8405-516218e3d268.json deleted file mode 100644 index fcd8124618..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-bf45dc50-ff1a-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Enabled - TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(203,142,136,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4722\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Enabled\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Enabled - TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-bf45dc50-ff1a-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.6/kibana/visualization/system-bfa5e400-1b16-11e7-b09e-037021c4f8df.json b/packages/system/0.10.6/kibana/visualization/system-bfa5e400-1b16-11e7-b09e-037021c4f8df.json deleted file mode 100644 index 50aa47d6d7..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-bfa5e400-1b16-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Memory Usage [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.memory\\\"\"},\"id\":\"32f46f40-1b16-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(211,49,21,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"4ff61fd0-1b16-11e7-b09e-037021c4f8df\",\"label\":\"Used\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.actual.used.bytes\",\"id\":\"4ff61fd1-1b16-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"753a6080-1b16-11e7-b09e-037021c4f8df\",\"label\":\"Cache\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.actual.used.bytes\",\"id\":\"753a6081-1b16-11e7-b09e-037021c4f8df\",\"type\":\"avg\"},{\"field\":\"system.memory.used.bytes\",\"id\":\"7c9d3f00-1b16-11e7-b09e-037021c4f8df\",\"type\":\"avg\"},{\"id\":\"869cc160-1b16-11e7-b09e-037021c4f8df\",\"script\":\"params.actual != null \\u0026\\u0026 params.used != null ? 
params.used - params.actual : null\",\"type\":\"calculation\",\"variables\":[{\"field\":\"753a6081-1b16-11e7-b09e-037021c4f8df\",\"id\":\"890f9620-1b16-11e7-b09e-037021c4f8df\",\"name\":\"actual\"},{\"field\":\"7c9d3f00-1b16-11e7-b09e-037021c4f8df\",\"id\":\"8f3ab7f0-1b16-11e7-b09e-037021c4f8df\",\"name\":\"used\"}]}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"32f46f41-1b16-11e7-b09e-037021c4f8df\",\"label\":\"Free\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.free\",\"id\":\"32f46f42-1b16-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"Memory Usage [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-bfa5e400-1b16-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-c2ea73f0-a4bd-11e9-a422-d144027429da.json b/packages/system/0.10.6/kibana/visualization/system-c2ea73f0-a4bd-11e9-a422-d144027429da.json deleted file mode 100644 index 0693d6a8fc..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-c2ea73f0-a4bd-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Failed Logon and Account Lockout [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":10,\"markdown\":\"### **Failed Logons and Account Lockouts**\",\"openLinksInNewTab\":false},\"title\":\"Failed Logon and Account Lockout [Windows Security]\",\"type\":\"markdown\"}" - }, - "id": "windows-c2ea73f0-a4bd-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-c359b020-bcdd-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.6/kibana/visualization/system-c359b020-bcdd-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index c63ede5997..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-c359b020-bcdd-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4726\"},\"type\":\"phrase\",\"value\":\"4726\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4726\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Deleted - Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Deleted Users\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Deleted - Simple Metric [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-c359b020-bcdd-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.6/kibana/visualization/system-c5e3cf90-4d60-11e7-9a4c-ed99bbcaa42b.json b/packages/system/0.10.6/kibana/visualization/system-c5e3cf90-4d60-11e7-9a4c-ed99bbcaa42b.json deleted file mode 100644 index bbdd02df29..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-c5e3cf90-4d60-11e7-9a4c-ed99bbcaa42b.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Interfaces by Outgoing traffic [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"id\":\"9db20be0-4d60-11e7-9a4c-ed99bbcaa42b\"}],\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.network\\\"\"},\"id\":\"9cdba910-4d60-11e7-9a4c-ed99bbcaa42b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"9cdba911-4d60-11e7-9a4c-ed99bbcaa42b\",\"label\":\"Interfaces by Outgoing traffic\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.out.bytes\",\"id\":\"9cdba912-4d60-11e7-9a4c-ed99bbcaa42b\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"terms_order_by\":\"9cdba912-4d60-11e7-9a4c-ed99bbcaa42b\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Interfaces by Outgoing traffic [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-c5e3cf90-4d60-11e7-9a4c-ed99bbcaa42b", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.6/kibana/visualization/system-c6f2ffd0-4d17-11e7-a196-69b9a7a020a9.json b/packages/system/0.10.6/kibana/visualization/system-c6f2ffd0-4d17-11e7-a196-69b9a7a020a9.json deleted file mode 100644 index a781526538..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-c6f2ffd0-4d17-11e7-a196-69b9a7a020a9.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Number of hosts [Metrics System]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Number of hosts\",\"field\":\"host.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":false},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"63\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"type\":\"gauge\"},\"title\":\"Number of hosts [Metrics System]\",\"type\":\"metric\"}" - }, - "id": "system-c6f2ffd0-4d17-11e7-a196-69b9a7a020a9", - "references": [ - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.6/kibana/visualization/system-c9d959f0-ff1d-11e9-8405-516218e3d268.json b/packages/system/0.10.6/kibana/visualization/system-c9d959f0-ff1d-11e9-8405-516218e3d268.json deleted file mode 100644 index e99dc25f2d..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-c9d959f0-ff1d-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Changes TS VB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(221,186,64,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4738\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Changes\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Changes TS VB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-c9d959f0-ff1d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.6/kibana/visualization/system-caf4d2b0-9b76-11ea-87e4-49f31ec44891.json b/packages/system/0.10.6/kibana/visualization/system-caf4d2b0-9b76-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 929d24092b..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-caf4d2b0-9b76-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Event Distribution in time [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-7d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"norma
l\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Event Distribution in time [Windows Security]\",\"type\":\"histogram\"}" - }, - "id": "windows-caf4d2b0-9b76-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-ce867840-f49e-11e9-8405-516218e3d268.json b/packages/system/0.10.6/kibana/visualization/system-ce867840-f49e-11e9-8405-516218e3d268.json deleted file mode 100644 index e6a5114cd8..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-ce867840-f49e-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4732\",\"4728\",\"4756\",\"4751\",\"4761\",\"4746\",\"4785\",\"4787\"],\"type\":\"phrases\",\"value\":\"4732, 4728, 4756, 4751, 4761, 4746, 4785, 4787\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4732\"}},{\"match_phrase\":{\"event.code\":\"4728\"}},{\"match_phrase\":{\"event.code\":\"4756\"}},{\"match_phrase\":{\"event.code\":\"4751\"}},{\"match_phrase\":{\"event.code\":\"4761\"}},{\"match_phrase\":{\"event.code\":\"4746\"}},{\"match_phrase\":{\"event.code\":\"4785\"}},{\"match_phrase\":{\"event.code\":\"4787\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Added - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"User\",\"field\":\"winlog.event_data.MemberName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Group\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"group.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Performed by Logon 
ID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":4,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":5,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":5,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Added - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-ce867840-f49e-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline 
at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-d16bb400-f9cc-11e6-8115-a7c18106d86a.json b/packages/system/0.10.6/kibana/visualization/system-d16bb400-f9cc-11e6-8115-a7c18106d86a.json deleted file mode 100644 index 7d3a140c7b..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-d16bb400-f9cc-11e6-8115-a7c18106d86a.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.ssh.event:Accepted\"}}" - }, - "title": "Successful SSH logins [Logs System]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Accepted\":\"#3F6833\",\"Failed\":\"#F9934E\",\"Invalid\":\"#447EBC\",\"password\":\"#BF1B00\",\"publickey\":\"#629E51\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"system.auth.ssh.method\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"Successful SSH logins\",\"type\":\"histogram\"}" - }, - "id": "system-d16bb400-f9cc-11e6-8115-a7c18106d86a", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.6/kibana/visualization/system-d2e80340-4d5c-11e7-aa29-87a97a796de6.json b/packages/system/0.10.6/kibana/visualization/system-d2e80340-4d5c-11e7-aa29-87a97a796de6.json deleted file mode 100644 index 409529a0d5..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-d2e80340-4d5c-11e7-aa29-87a97a796de6.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Memory usage vs total [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"6f7618b0-4d5c-11e7-aa29-87a97a796de6\"}],\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.memory\\\"\"},\"id\":\"6bc65720-4d5c-11e7-aa29-87a97a796de6\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"6bc65721-4d5c-11e7-aa29-87a97a796de6\",\"label\":\"Memory usage\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.actual.used.bytes\",\"id\":\"6bc65722-4d5c-11e7-aa29-87a97a796de6\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"b8fe6820-4d5c-11e7-aa29-87a97a796de6\",\"label\":\"Total Memory\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.total\",\"id\":\"b8fe6821-4d5c-11e7-aa29-87a97a796de6\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"metric\"},\"title\":\"Memory usage vs total\",\"type\":\"metrics\"}" - }, - "id": "system-d2e80340-4d5c-11e7-aa29-87a97a796de6", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.6/kibana/visualization/system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b.json b/packages/system/0.10.6/kibana/visualization/system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b.json deleted file mode 100644 index bc6234f906..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Memory Usage Gauge [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.memory\\\"\"},\"gauge_color_rules\":[{\"gauge\":\"rgba(104,188,0,1)\",\"id\":\"a0d522e0-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0},{\"gauge\":\"rgba(254,146,0,1)\",\"id\":\"b45ad8f0-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0.7},{\"gauge\":\"rgba(211,49,21,1)\",\"id\":\"c06e9550-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0.85}],\"gauge_inner_width\":10,\"gauge_max\":\"1\",\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"9f51b730-1b91-11e7-bec4-a5e9ec5cab8b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"9f51b731-1b91-11e7-bec4-a5e9ec5cab8b\",\"label\":\"Memory Usage\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.actual.used.pct\",\"id\":\"9f51b732-1b91-11e7-bec4-a5e9ec5cab8b\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\"},\"title\":\"Memory Usage Gauge [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.6/kibana/visualization/system-d3a5fec0-ff18-11e9-8405-516218e3d268.json b/packages/system/0.10.6/kibana/visualization/system-d3a5fec0-ff18-11e9-8405-516218e3d268.json deleted file mode 100644 index cfc0f94fdb..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-d3a5fec0-ff18-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Created - TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(181,99,93,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4720\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Created\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Created - TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-d3a5fec0-ff18-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.6/kibana/visualization/system-d56ee420-fa79-11e6-a1df-a78bd7504d38.json b/packages/system/0.10.6/kibana/visualization/system-d56ee420-fa79-11e6-a1df-a78bd7504d38.json deleted file mode 100644 index 4a1a669662..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-d56ee420-fa79-11e6-a1df-a78bd7504d38.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New users by home directory [Logs System]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"/bin/bash\":\"#E24D42\",\"/bin/false\":\"#508642\",\"/nonexistent\":\"#629E51\",\"/sbin/nologin\":\"#7EB26D\"},\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"system.auth.useradd.home\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":false,\"legendPosition\":\"right\"},\"title\":\"New users by home directory\",\"type\":\"pie\"}" - }, - "id": "system-d56ee420-fa79-11e6-a1df-a78bd7504d38", - "references": [ - { - "id": "system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-d770b040-9b35-11ea-87e4-49f31ec44891.json b/packages/system/0.10.6/kibana/visualization/system-d770b040-9b35-11ea-87e4-49f31ec44891.json deleted file mode 100644 index f305904a39..0000000000 
--- a/packages/system/0.10.6/kibana/visualization/system-d770b040-9b35-11ea-87e4-49f31ec44891.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system)\"}}" - }, - "title": "Dashboard links - Simple [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"[Windows General Dashboard](#/dashboard/Windows-Dashboard) | [User Logon Information](#/dashboard/windows-035846a0-a249-11e9-a422-d144027429da?) | [Logon failed and Account Lockout](#/dashboard/windows-f49f3170-9ffc-11ea-87e4-49f31ec44891) | [User Management Events](#/dashboard/windows-8223bed0-b9e9-11e9-b6a2-c9b4015c4baf) | [Group Management Events](#/dashboard/windows-01c54730-fee6-11e9-8405-516218e3d268)\",\"openLinksInNewTab\":false},\"title\":\"Dashboard links - Simple [Windows Security]\",\"type\":\"markdown\"}" - }, - "id": "windows-d770b040-9b35-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-da2110c0-bcea-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.6/kibana/visualization/system-da2110c0-bcea-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 353d90c6e3..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-da2110c0-bcea-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4767\"},\"type\":\"phrase\",\"value\":\"4767\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4767\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Unlocked Users - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Unlocked User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
Logonid\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Unlocked Users - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-da2110c0-bcea-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.6/kibana/visualization/system-da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index ff1ee322e1..0000000000 
--- a/packages/system/0.10.6/kibana/visualization/system-da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4723\",\"4724\"],\"type\":\"phrases\",\"value\":\"4723, 4724\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4723\"}},{\"match_phrase\":{\"event.code\":\"4724\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Password Changes - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Password Change to\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Password Changes - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-dc589770-fa2b-11e6-bbd3-29c986c96e5a.json b/packages/system/0.10.6/kibana/visualization/system-dc589770-fa2b-11e6-bbd3-29c986c96e5a.json deleted file mode 100644 index 16dd4ec2e5..0000000000 
--- a/packages/system/0.10.6/kibana/visualization/system-dc589770-fa2b-11e6-bbd3-29c986c96e5a.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top sudo commands [Logs System]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"system.auth.sudo.command\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.auth\\\"\"},\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top sudo commands\",\"type\":\"table\"}" - }, - "id": "system-dc589770-fa2b-11e6-bbd3-29c986c96e5a", - "references": [ - { - "id": "system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-e0f001c0-1b18-11e7-b09e-037021c4f8df.json b/packages/system/0.10.6/kibana/visualization/system-e0f001c0-1b18-11e7-b09e-037021c4f8df.json deleted file mode 100644 index 0de4eae928..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-e0f001c0-1b18-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Top Processes By CPU [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"bar_color\":\"rgba(104,188,0,1)\",\"id\":\"60e11be0-1b18-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0}],\"drilldown_url\":\"\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.process\\\"\"},\"id\":\"5f5b8d50-1b18-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"5f5b8d51-1b18-11e7-b09e-037021c4f8df\",\"line_width\":1,\"metrics\":[{\"field\":\"system.process.cpu.total.pct\",\"id\":\"5f5b8d52-1b18-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"process.name\",\"terms_order_by\":\"5f5b8d52-1b18-11e7-b09e-037021c4f8df\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Top Processes By CPU [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-e0f001c0-1b18-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-e121b140-fa78-11e6-a1df-a78bd7504d38.json b/packages/system/0.10.6/kibana/visualization/system-e121b140-fa78-11e6-a1df-a78bd7504d38.json deleted file mode 100644 index 8bc2dd67ee..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-e121b140-fa78-11e6-a1df-a78bd7504d38.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New users by shell [Logs System]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"/bin/bash\":\"#E24D42\",\"/bin/false\":\"#508642\",\"/sbin/nologin\":\"#7EB26D\"},\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"system.auth.useradd.shell\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.auth\\\"\"},\"isDonut\":false,\"legendPosition\":\"right\"},\"title\":\"New users by shell\",\"type\":\"pie\"}" - }, - "id": "system-e121b140-fa78-11e6-a1df-a78bd7504d38", - "references": [ - { - "id": "system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-e20c02d0-9b48-11ea-87e4-49f31ec44891.json b/packages/system/0.10.6/kibana/visualization/system-e20c02d0-9b48-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 1c91323555..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-e20c02d0-9b48-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Group Management Events - Groups vs Actions - Heatmap [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Target Groups\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Actions\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Blues\",\"colorsNumber\":4,\"colorsRange\":[],\"enableHover\":false,\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"type\":\"heatmap\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"black\",\"overwriteColor\":false,\"rotate\":0,\"show\":true},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Group Management Events - Groups vs Actions - Heatmap [Windows Security]\",\"type\":\"heatmap\"}" - }, - "id": "windows-e20c02d0-9b48-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": 
"visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-e22c6f40-f498-11e9-8405-516218e3d268.json b/packages/system/0.10.6/kibana/visualization/system-e22c6f40-f498-11e9-8405-516218e3d268.json deleted file mode 100644 index 3a7002cb8f..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-e22c6f40-f498-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Groups Deleted TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(200,201,197,1)\",\"id\":\"bfcaced0-f419-11e9-928e-8f5fd2b6c66e\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(228,155,75,1)\",\"id\":\"a7d935e0-f497-11e9-928e-8f5fd2b6c66e\",\"operator\":\"gt\",\"value\":0}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code:4734 OR event.code:4730 OR event.code:4758 OR event.code:4753 OR event.code:4763 OR event.code:4748 OR event.code:4789 OR event.code:4792\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Groups Deleted\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Groups Deleted TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-e22c6f40-f498-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.6/kibana/visualization/system-e2516c10-a249-11e9-a422-d144027429da.json b/packages/system/0.10.6/kibana/visualization/system-e2516c10-a249-11e9-a422-d144027429da.json deleted file mode 100644 index 1ab8694c7d..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-e2516c10-a249-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4672\"},\"type\":\"phrase\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4672\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Administrator Users [Windows Security]", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"winlog.logon.id\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"label\":\"user.name: Descending\",\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"cardinality\",\"format\":{\"id\":\"number\"},\"label\":\"Unique count of winlog.logon.id\",\"params\":{}}},\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"bottom\",\"type\":\"pie\"},\"title\":\"Administrator Users [Windows Security]\",\"type\":\"pie\"}" - }, - "id": 
"windows-e2516c10-a249-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.6/kibana/visualization/system-ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 3f849c9c25..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4726\"},\"type\":\"phrase\",\"value\":\"4726\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4726\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Deleted - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Deleted User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performed 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Deleted - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-ee292bc0-f499-11e9-8405-516218e3d268.json b/packages/system/0.10.6/kibana/visualization/system-ee292bc0-f499-11e9-8405-516218e3d268.json deleted file mode 100644 index 73b82c4743..0000000000 
--- a/packages/system/0.10.6/kibana/visualization/system-ee292bc0-f499-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Groups Created TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(200,201,197,1)\",\"id\":\"bfcaced0-f419-11e9-928e-8f5fd2b6c66e\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(181,99,93,1)\",\"id\":\"a7d935e0-f497-11e9-928e-8f5fd2b6c66e\",\"operator\":\"gt\",\"value\":0}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code:4731 OR event.code:4727 OR event.code:\\\"4754\\\" OR event.code:\\\"4749\\\" OR event.code:\\\"4759\\\" OR event.code:\\\"4744\\\" OR event.code:\\\"4783\\\" OR event.code:\\\"4790\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Groups Created\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Groups Created TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-ee292bc0-f499-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.6/kibana/visualization/system-f398d2f0-fa77-11e6-ae9b-81e5311e8cab.json b/packages/system/0.10.6/kibana/visualization/system-f398d2f0-fa77-11e6-ae9b-81e5311e8cab.json deleted file mode 100644 index 485b755000..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-f398d2f0-fa77-11e6-ae9b-81e5311e8cab.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New users [Logs System]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Host\",\"field\":\"host.hostname\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"User\",\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"UID\",\"field\":\"user.id\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"GID\",\"field\":\"group.id\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Home\",\"field\":\"system.auth.useradd.home\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"Shell\",\"field\":\"system.auth.useradd.shell\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.auth\\\"\"},\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"New users\",\"type\":\"table\"}" - }, - "id": "system-f398d2f0-fa77-11e6-ae9b-81e5311e8cab", - "references": [ - { - "id": 
"system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-f42f3b20-fee6-11e9-8405-516218e3d268.json b/packages/system/0.10.6/kibana/visualization/system-f42f3b20-fee6-11e9-8405-516218e3d268.json deleted file mode 100644 index 30d1efae49..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-f42f3b20-fee6-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4731\",\"4727\",\"4754\",\"4744\",\"4759\",\"4779\",\"4790\",\"4783\"],\"type\":\"phrases\",\"value\":\"4731, 4727, 4754, 4744, 4759, 4779, 4790, 4783\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4731\"}},{\"match_phrase\":{\"event.code\":\"4727\"}},{\"match_phrase\":{\"event.code\":\"4754\"}},{\"match_phrase\":{\"event.code\":\"4744\"}},{\"match_phrase\":{\"event.code\":\"4759\"}},{\"match_phrase\":{\"event.code\":\"4779\"}},{\"match_phrase\":{\"event.code\":\"4790\"}},{\"match_phrase\":{\"event.code\":\"4783\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Groups Created - Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Groups Created\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Reds\",\"colorsRange\":[{\"from\":0,\"to\":1,\"type\":\"range\"},{\"from\":1,\"to\":10},{\"from\":10,\"to\":20},{\"from\":20,\"to\":9999}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"Labels\",\"percentageMode\":false,\"style\":{\"bgColor\":true,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Groups Created - Simple Metric [Windows 
Security]\",\"type\":\"metric\"}" - }, - "id": "windows-f42f3b20-fee6-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-fa876300-231a-11ea-8405-516218e3d268.json b/packages/system/0.10.6/kibana/visualization/system-fa876300-231a-11ea-8405-516218e3d268.json deleted file mode 100644 index ad21d0ef81..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-fa876300-231a-11ea-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4781\"},\"type\":\"phrase\",\"value\":\"4781\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4781\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Renamed - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Old User Name\",\"field\":\"winlog.event_data.OldTargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Renamed - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-fa876300-231a-11ea-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-fe064790-1b1f-11e7-bec4-a5e9ec5cab8b.json b/packages/system/0.10.6/kibana/visualization/system-fe064790-1b1f-11e7-bec4-a5e9ec5cab8b.json deleted file mode 100644 index 86576781aa..0000000000 
--- a/packages/system/0.10.6/kibana/visualization/system-fe064790-1b1f-11e7-bec4-a5e9ec5cab8b.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Top Hosts By Memory (Realtime) [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"bar_color\":\"rgba(104,188,0,1)\",\"id\":\"33349dd0-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0},{\"bar_color\":\"rgba(254,146,0,1)\",\"id\":\"997dc440-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.6},{\"bar_color\":\"rgba(211,49,21,1)\",\"id\":\"a10d7f20-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.85}],\"drilldown_url\":\"../app/kibana#/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8?_a=(query:(language:kuery,query:'host.name:\\\"{{key}}\\\"'))\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.memory\\\"\"},\"id\":\"31e5afa0-1b1c-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"31e5afa1-1b1c-11e7-b09e-037021c4f8df\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.actual.used.pct\",\"id\":\"31e5afa2-1b1c-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"host.name\",\"terms_order_by\":\"31e5afa2-1b1c-11e7-b09e-037021c4f8df\",\"terms_size\":\"10\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Top Hosts By Memory (Realtime) [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-fe064790-1b1f-11e7-bec4-a5e9ec5cab8b", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.6/kibana/visualization/system-fee83900-f49f-11e9-8405-516218e3d268.json b/packages/system/0.10.6/kibana/visualization/system-fee83900-f49f-11e9-8405-516218e3d268.json deleted file mode 100644 index 2de9d27e4d..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-fee83900-f49f-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4733\",\"4729\",\"4757\",\"4786\",\"4788\",\"4752\",\"4762\",\"4747\"],\"type\":\"phrases\",\"value\":\"4733, 4729, 4757, 4786, 4788, 4752, 4762, 4747\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4733\"}},{\"match_phrase\":{\"event.code\":\"4729\"}},{\"match_phrase\":{\"event.code\":\"4757\"}},{\"match_phrase\":{\"event.code\":\"4786\"}},{\"match_phrase\":{\"event.code\":\"4788\"}},{\"match_phrase\":{\"event.code\":\"4752\"}},{\"match_phrase\":{\"event.code\":\"4762\"}},{\"match_phrase\":{\"event.code\":\"4747\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security\"}}" - }, - "title": "Users Removed from Group - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"User\",\"field\":\"winlog.event_data.MemberName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Group\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"group.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Performed by Logon 
ID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":4,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":5,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":5,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Removed from Group - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-fee83900-f49f-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ 
No newline at end of file diff --git a/packages/system/0.10.6/kibana/visualization/system-ffebe440-f419-11e9-8405-516218e3d268.json b/packages/system/0.10.6/kibana/visualization/system-ffebe440-f419-11e9-8405-516218e3d268.json deleted file mode 100644 index bc21df1e0a..0000000000 --- a/packages/system/0.10.6/kibana/visualization/system-ffebe440-f419-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Added - Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"bfcaced0-f419-11e9-928e-8f5fd2b6c66e\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(181,99,93,1)\",\"id\":\"a7d935e0-f497-11e9-928e-8f5fd2b6c66e\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code:4732 OR event.code:4728 OR event.code:4756 OR event.code:4751 OR event.code:4761 OR event.code:4746 OR event.code:4785 OR event.code:4787\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Added to Group\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Added - Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-ffebe440-f419-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.6/manifest.yml b/packages/system/0.10.6/manifest.yml deleted file mode 100644 index aa49ff0baa..0000000000 --- a/packages/system/0.10.6/manifest.yml +++ /dev/null @@ -1,43 +0,0 @@ -format_version: 1.0.0 -name: system -title: System -version: 0.10.6 -license: basic -description: System Integration -type: integration -categories: - - os_system - - security -release: beta -conditions: - kibana.version: '^7.11.0' -screenshots: - - src: /img/kibana-system.png - title: kibana system - size: 1220x852 - type: image/png - - src: /img/metricbeat_system_dashboard.png - title: metricbeat system dashboard - size: 2097x1933 - type: image/png -icons: - - src: /img/system.svg - title: system - size: 1000x1000 - type: image/svg+xml -policy_templates: - - name: system - title: System logs and metrics - description: Collect logs and metrics from System instances - inputs: - - type: logfile - title: Collect logs from System instances - description: Collecting System auth and syslog logs - - type: winlog - title: 'Collect events from the Windows event log' - description: 'Collecting events from Windows event log' - - type: system/metrics - title: Collect metrics from System instances - description: Collecting System core, CPU, diskio, entropy, filesystem, fsstat, load, memory, network, Network Summary, process, Process Summary, raid, service, socket, Socket Summary, uptime and users metrics -owner: - github: elastic/integrations-services diff --git a/packages/system/0.10.7/data_stream/application/agent/stream/winlog.yml.hbs b/packages/system/0.10.7/data_stream/application/agent/stream/winlog.yml.hbs deleted file mode 100644 index e207b9ffd6..0000000000 --- a/packages/system/0.10.7/data_stream/application/agent/stream/winlog.yml.hbs +++ /dev/null @@ -1,3 +0,0 @@ -name: Application -condition: ${host.platform} == 'windows' -ignore_older: 72h \ No newline at end of file 
diff --git a/packages/system/0.10.7/data_stream/application/elasticsearch/ingest_pipeline/default.yml b/packages/system/0.10.7/data_stream/application/elasticsearch/ingest_pipeline/default.yml deleted file mode 100644 index d239ad095f..0000000000 --- a/packages/system/0.10.7/data_stream/application/elasticsearch/ingest_pipeline/default.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- - description: Pipeline for Windows Application Event Logs - processors: - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' - on_failure: - - set: - field: "error.message" - value: "{{ _ingest.on_failure_message }}" \ No newline at end of file diff --git a/packages/system/0.10.7/data_stream/application/fields/agent.yml b/packages/system/0.10.7/data_stream/application/fields/agent.yml deleted file mode 100644 index da4e652c53..0000000000 --- a/packages/system/0.10.7/data_stream/application/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.10.7/data_stream/application/fields/base-fields.yml b/packages/system/0.10.7/data_stream/application/fields/base-fields.yml deleted file mode 100644 index 7c798f4534..0000000000 --- a/packages/system/0.10.7/data_stream/application/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.10.7/data_stream/application/fields/ecs.yml b/packages/system/0.10.7/data_stream/application/fields/ecs.yml deleted file mode 100644 index f283f085b0..0000000000 --- a/packages/system/0.10.7/data_stream/application/fields/ecs.yml +++ /dev/null @@ -1,21 +0,0 @@ -- description: Time when the event was first read by an agent or by your pipeline. - example: '2016-05-23T08:05:34.857Z' - name: event.created - type: date -- description: Timestamp when an event arrived in the central data store. - example: '2016-05-23T08:05:35.101Z' - name: event.ingested - type: date -- description: Raw text message of entire event. - example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 - ignore_above: 1024 - name: event.original - type: keyword -- description: Error message. - name: error.message - type: text -- description: Identification code for this event. - example: 4648 - ignore_above: 1024 - name: event.code - type: keyword diff --git a/packages/system/0.10.7/data_stream/application/fields/winlog.yml b/packages/system/0.10.7/data_stream/application/fields/winlog.yml deleted file mode 100644 index adca1bbdd0..0000000000 --- a/packages/system/0.10.7/data_stream/application/fields/winlog.yml +++ /dev/null 
@@ -1,357 +0,0 @@ -- name: winlog - type: group - description: > - All fields specific to the Windows Event Log are defined here. - - fields: - - name: api - required: true - type: keyword - description: > - The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. - - - name: activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. - - - name: computer_name - type: keyword - required: true - description: > - The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. - - - name: event_data - type: object - object_type: keyword - required: false - description: > - The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. - - - name: event_data - type: group - description: > - This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs. 
- - fields: - - name: AuthenticationPackageName - type: keyword - - name: Binary - type: keyword - - name: BitlockerUserInputTime - type: keyword - - name: BootMode - type: keyword - - name: BootType - type: keyword - - name: BuildVersion - type: keyword - - name: Company - type: keyword - - name: CorruptionActionState - type: keyword - - name: CreationUtcTime - type: keyword - - name: Description - type: keyword - - name: Detail - type: keyword - - name: DeviceName - type: keyword - - name: DeviceNameLength - type: keyword - - name: DeviceTime - type: keyword - - name: DeviceVersionMajor - type: keyword - - name: DeviceVersionMinor - type: keyword - - name: DriveName - type: keyword - - name: DriverName - type: keyword - - name: DriverNameLength - type: keyword - - name: DwordVal - type: keyword - - name: EntryCount - type: keyword - - name: ExtraInfo - type: keyword - - name: FailureName - type: keyword - - name: FailureNameLength - type: keyword - - name: FileVersion - type: keyword - - name: FinalStatus - type: keyword - - name: Group - type: keyword - - name: IdleImplementation - type: keyword - - name: IdleStateCount - type: keyword - - name: ImpersonationLevel - type: keyword - - name: IntegrityLevel - type: keyword - - name: IpAddress - type: keyword - - name: IpPort - type: keyword - - name: KeyLength - type: keyword - - name: LastBootGood - type: keyword - - name: LastShutdownGood - type: keyword - - name: LmPackageName - type: keyword - - name: LogonGuid - type: keyword - - name: LogonId - type: keyword - - name: LogonProcessName - type: keyword - - name: LogonType - type: keyword - - name: MajorVersion - type: keyword - - name: MaximumPerformancePercent - type: keyword - - name: MemberName - type: keyword - - name: MemberSid - type: keyword - - name: MinimumPerformancePercent - type: keyword - - name: MinimumThrottlePercent - type: keyword - - name: MinorVersion - type: keyword - - name: NewProcessId - type: keyword - - name: NewProcessName - type: 
keyword - - name: NewSchemeGuid - type: keyword - - name: NewTime - type: keyword - - name: NominalFrequency - type: keyword - - name: Number - type: keyword - - name: OldSchemeGuid - type: keyword - - name: OldTime - type: keyword - - name: OriginalFileName - type: keyword - - name: Path - type: keyword - - name: PerformanceImplementation - type: keyword - - name: PreviousCreationUtcTime - type: keyword - - name: PreviousTime - type: keyword - - name: PrivilegeList - type: keyword - - name: ProcessId - type: keyword - - name: ProcessName - type: keyword - - name: ProcessPath - type: keyword - - name: ProcessPid - type: keyword - - name: Product - type: keyword - - name: PuaCount - type: keyword - - name: PuaPolicyId - type: keyword - - name: QfeVersion - type: keyword - - name: Reason - type: keyword - - name: SchemaVersion - type: keyword - - name: ScriptBlockText - type: keyword - - name: ServiceName - type: keyword - - name: ServiceVersion - type: keyword - - name: ShutdownActionType - type: keyword - - name: ShutdownEventCode - type: keyword - - name: ShutdownReason - type: keyword - - name: Signature - type: keyword - - name: SignatureStatus - type: keyword - - name: Signed - type: keyword - - name: StartTime - type: keyword - - name: State - type: keyword - - name: Status - type: keyword - - name: StopTime - type: keyword - - name: SubjectDomainName - type: keyword - - name: SubjectLogonId - type: keyword - - name: SubjectUserName - type: keyword - - name: SubjectUserSid - type: keyword - - name: TSId - type: keyword - - name: TargetDomainName - type: keyword - - name: TargetInfo - type: keyword - - name: TargetLogonGuid - type: keyword - - name: TargetLogonId - type: keyword - - name: TargetServerName - type: keyword - - name: TargetUserName - type: keyword - - name: TargetUserSid - type: keyword - - name: TerminalSessionId - type: keyword - - name: TokenElevationType - type: keyword - - name: TransmittedServices - type: keyword - - name: UserSid - type: 
keyword - - name: Version - type: keyword - - name: Workstation - type: keyword - - name: param1 - type: keyword - - name: param2 - type: keyword - - name: param3 - type: keyword - - name: param4 - type: keyword - - name: param5 - type: keyword - - name: param6 - type: keyword - - name: param7 - type: keyword - - name: param8 - type: keyword - - name: event_id - type: keyword - required: true - description: > - The event identifier. The value is specific to the source of the event. - - - name: keywords - type: keyword - required: false - description: > - The keywords are used to classify an event. - - - name: channel - type: keyword - required: true - description: > - The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. - - - name: record_id - type: keyword - required: true - description: > - The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. - - - name: related_activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. - - - name: opcode - type: keyword - required: false - description: > - The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. - - - name: provider_guid - type: keyword - required: false - description: > - A globally unique identifier that identifies the provider that logged the event. - - - name: process.pid - type: long - required: false - description: > - The process_id of the Client Server Runtime Process. 
- - - name: provider_name - type: keyword - required: true - description: > - The source of the event log record (the application or service that logged the record). - - - name: task - type: keyword - required: false - description: > - The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. - - - name: process.thread.id - type: long - required: false - - name: user_data - type: object - object_type: keyword - required: false - description: > - The event specific data. This field is mutually exclusive with `event_data`. - - - name: user.identifier - type: keyword - required: false - example: S-1-5-21-3541430928-2051711210-1391384369-1001 - description: > - The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. - - - name: user.name - type: keyword - description: > - Name of the user associated with this event. - - - name: user.domain - type: keyword - required: false - description: > - The domain that the account associated with this event is a member of. - - - name: user.type - type: keyword - required: false - description: > - The type of account associated with this event. - - - name: version - type: long - required: false - description: The version number of the event's definition. diff --git a/packages/system/0.10.7/data_stream/application/manifest.yml b/packages/system/0.10.7/data_stream/application/manifest.yml deleted file mode 100644 index 4fab87c07c..0000000000 --- a/packages/system/0.10.7/data_stream/application/manifest.yml +++ /dev/null 
@@ -1,8 +0,0 @@
-type: logs
-title: Windows Application Events
-release: experimental
-streams:
- - input: winlog
- template_path: winlog.yml.hbs
- title: Application
- description: 'Collect Windows application logs'
diff --git a/packages/system/0.10.7/data_stream/auth/agent/stream/log.yml.hbs b/packages/system/0.10.7/data_stream/auth/agent/stream/log.yml.hbs
deleted file mode 100644
index 58c96859c0..0000000000
--- a/packages/system/0.10.7/data_stream/auth/agent/stream/log.yml.hbs
+++ /dev/null
@@ -1,14 +0,0 @@
-paths:
-{{#each paths as |path i|}}
- - {{path}}
-{{/each}}
-exclude_files: [".gz$"]
-multiline:
- pattern: "^\\s"
- match: after
-processors:
- - add_locale: ~
- - add_fields:
- target: ''
- fields:
- ecs.version: 1.5.0
\ No newline at end of file
diff --git a/packages/system/0.10.7/data_stream/auth/elasticsearch/ingest_pipeline/default.json b/packages/system/0.10.7/data_stream/auth/elasticsearch/ingest_pipeline/default.json
deleted file mode 100644
index 8df0a77e58..0000000000
--- a/packages/system/0.10.7/data_stream/auth/elasticsearch/ingest_pipeline/default.json
+++ /dev/null
@@ -1,121 +0,0 @@
-{
- "description": "Pipeline for parsing system authorisation/secure logs",
- "processors": [
- {
- "grok": {
- "field": "message",
- "ignore_missing": true,
- "pattern_definitions" : {
- "GREEDYMULTILINE" : "(.|\n)*",
- "TIMESTAMP": "(?:%{TIMESTAMP_ISO8601}|%{SYSLOGTIMESTAMP})"
- },
- "patterns": [
- "%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: %{DATA:system.auth.ssh.event} %{DATA:system.auth.ssh.method} for (invalid user )?%{DATA:user.name} from %{IPORHOST:source.ip} port %{NUMBER:source.port:long} ssh2(: %{GREEDYDATA:system.auth.ssh.signature})?",
- "%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: %{DATA:system.auth.ssh.event} user %{DATA:user.name} from %{IPORHOST:source.ip}",
- "%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: Did not receive identification string from %{IPORHOST:system.auth.ssh.dropped_ip}",
- "%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: \\s*%{DATA:user.name} :( %{DATA:system.auth.sudo.error} ;)? TTY=%{DATA:system.auth.sudo.tty} ; PWD=%{DATA:system.auth.sudo.pwd} ; USER=%{DATA:system.auth.sudo.user} ; COMMAND=%{GREEDYDATA:system.auth.sudo.command}",
- "%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: new group: name=%{DATA:group.name}, GID=%{NUMBER:group.id}",
- "%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: new user: name=%{DATA:user.name}, UID=%{NUMBER:user.id}, GID=%{NUMBER:group.id}, home=%{DATA:system.auth.useradd.home}, shell=%{DATA:system.auth.useradd.shell}$",
- "%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname}? %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: %{GREEDYMULTILINE:system.auth.message}"
- ]
- }
- },
- {
- "remove": {
- "field": "message"
- }
- },
- {
- "rename": {
- "field": "system.auth.message",
- "target_field": "message",
- "ignore_missing": true
- }
- },
- {
- "set": {
- "field": "source.ip",
- "value": "{{system.auth.ssh.dropped_ip}}",
- "if": "ctx.containsKey('system') && ctx.system.containsKey('auth') && ctx.system.auth.containsKey('ssh') && ctx.system.auth.ssh.containsKey('dropped_ip')"
- }
- },
- {
- "date": {
- "if": "ctx.event.timezone == null",
- "field": "system.auth.timestamp",
- "target_field": "@timestamp",
- "formats": [
- "MMM d HH:mm:ss",
- "MMM dd HH:mm:ss",
- "ISO8601"
- ],
- "on_failure": [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]
- }
- },
- {
- "date": {
- "if": "ctx.event.timezone != null",
- "field": "system.auth.timestamp",
- "target_field": "@timestamp",
- "formats": [
- "MMM d HH:mm:ss",
- "MMM dd HH:mm:ss",
- "ISO8601"
- ],
- "timezone": "{{ event.timezone }}",
- "on_failure": [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]
- }
- },
- {
- "remove": {
- "field": "system.auth.timestamp"
- }
- },
- {
- "geoip": {
- "field": "source.ip",
- "target_field": "source.geo",
- "ignore_failure": true
- }
- },
- {
- "geoip": {
- "database_file": "GeoLite2-ASN.mmdb",
- "field": "source.ip",
- "target_field": "source.as",
- "properties": [
- "asn",
- "organization_name"
- ],
- "ignore_missing": true
- }
- },
- {
- "rename": {
- "field": "source.as.asn",
- "target_field": "source.as.number",
- "ignore_missing": true
- }
- },
- {
- "rename": {
- "field": "source.as.organization_name",
- "target_field": "source.as.organization.name",
- "ignore_missing": true
- }
- },
- {
- "script": {
- "lang": "painless",
- "ignore_failure": true,
- "source": "if (ctx.system.auth.ssh.event == \"Accepted\") { if (!ctx.containsKey(\"event\")) { ctx.event = [:]; } ctx.event.type = \"authentication_success\"; ctx.event.category = \"authentication\"; ctx.event.action = \"ssh_login\"; ctx.event.outcome = \"success\"; } else if (ctx.system.auth.ssh.event == \"Invalid\" || ctx.system.auth.ssh.event == \"Failed\") { if (!ctx.containsKey(\"event\")) { ctx.event = [:]; } ctx.event.type = \"authentication_failure\"; ctx.event.category = \"authentication\"; ctx.event.action = \"ssh_login\"; ctx.event.outcome = \"failure\"; }"
- }
- }
- ],
- "on_failure" : [{
- "set" : {
- "field" : "error.message",
- "value" : "{{ _ingest.on_failure_message }}"
- }
- }]
-}
diff --git a/packages/system/0.10.7/data_stream/auth/elasticsearch/ingest_pipeline/default.yml b/packages/system/0.10.7/data_stream/auth/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100644
index 9f7c43959d..0000000000
--- a/packages/system/0.10.7/data_stream/auth/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,146 +0,0 @@
----
-description: Pipeline for parsing system authorisation/secure logs
-processors:
-- grok:
- field: message
- ignore_missing: true
- pattern_definitions:
- GREEDYMULTILINE: |-
- (.|
- )*
- TIMESTAMP: (?:%{TIMESTAMP_ISO8601}|%{SYSLOGTIMESTAMP})
- patterns:
- - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?:
- %{DATA:system.auth.ssh.event} %{DATA:system.auth.ssh.method} for (invalid user
- )?%{DATA:user.name} from %{IPORHOST:source.ip} port %{NUMBER:source.port:long}
- ssh2(: %{GREEDYDATA:system.auth.ssh.signature})?'
- - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?:
- %{DATA:system.auth.ssh.event} user %{DATA:user.name} from %{IPORHOST:source.ip}'
- - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?:
- Did not receive identification string from %{IPORHOST:system.auth.ssh.dropped_ip}'
- - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?:
- \s*%{DATA:user.name} :( %{DATA:system.auth.sudo.error} ;)? TTY=%{DATA:system.auth.sudo.tty}
- ; PWD=%{DATA:system.auth.sudo.pwd} ; USER=%{DATA:system.auth.sudo.user} ; COMMAND=%{GREEDYDATA:system.auth.sudo.command}'
- - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?:
- new group: name=%{DATA:group.name}, GID=%{NUMBER:group.id}'
- - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?:
- new user: name=%{DATA:user.name}, UID=%{NUMBER:user.id}, GID=%{NUMBER:group.id},
- home=%{DATA:system.auth.useradd.home}, shell=%{DATA:system.auth.useradd.shell}$'
- - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname}? %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?:
- %{GREEDYMULTILINE:system.auth.message}'
-- remove:
- field: message
-- rename:
- field: system.auth.message
- target_field: message
- ignore_missing: true
-- set:
- field: source.ip
- value: '{{system.auth.ssh.dropped_ip}}'
- if: "ctx?.system?.auth?.ssh?.dropped_ip != null"
-- date:
- if: ctx.event.timezone == null
- field: system.auth.timestamp
- target_field: '@timestamp'
- formats:
- - MMM d HH:mm:ss
- - MMM dd HH:mm:ss
- - ISO8601
- on_failure:
- - append:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
-- date:
- if: ctx.event.timezone != null
- field: system.auth.timestamp
- target_field: '@timestamp'
- formats:
- - MMM d HH:mm:ss
- - MMM dd HH:mm:ss
- - ISO8601
- timezone: '{{ event.timezone }}'
- on_failure:
- - append:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
-- remove:
- field: system.auth.timestamp
-- geoip:
- field: source.ip
- target_field: source.geo
- ignore_failure: true
-- geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
-- rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
-- rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
-- set:
- field: event.kind
- value: event
-- script:
- lang: painless
- ignore_failure: true
- source: >-
- if (ctx.system.auth.ssh.event == "Accepted") {
- ctx.event.type = ["authentication_success", "info"];
- ctx.event.category = ["authentication"];
- ctx.event.action = "ssh_login";
- ctx.event.outcome = "success";
- } else if (ctx.system.auth.ssh.event == "Invalid" || ctx.system.auth.ssh.event == "Failed") {
- ctx.event.type = ["authentication_failure", "info"];
- ctx.event.category = ["authentication"];
- ctx.event.action = "ssh_login";
- ctx.event.outcome = "failure";
- }
-
-- append:
- field: event.category
- value: iam
- if: "ctx?.process?.name != null && ['groupadd', 'groupdel', 'groupmod', 'useradd', 'userdel', 'usermod'].contains(ctx.process.name)"
-- set:
- field: event.outcome
- value: success
- if: "ctx?.process?.name != null && ['groupadd', 'groupdel', 'groupmod', 'useradd', 'userdel', 'usermod'].contains(ctx.process.name)"
-- append:
- field: event.type
- value: user
- if: "ctx?.process?.name != null && ['useradd', 'userdel', 'usermod'].contains(ctx.process.name)"
-- append:
- field: event.type
- value: group
- if: "ctx?.process?.name != null && ['groupadd', 'groupdel', 'groupmod'].contains(ctx.process.name)"
-- append:
- field: event.type
- value: creation
- if: "ctx?.process?.name != null && ['useradd', 'groupadd'].contains(ctx.process.name)"
-- append:
- field: event.type
- value: deletion
- if: "ctx?.process?.name != null && ['userdel', 'groupdel'].contains(ctx.process.name)"
-- append:
- field: event.type
- value: change
- if: "ctx?.process?.name != null && ['usermod', 'groupmod'].contains(ctx.process.name)"
-- append:
- field: related.user
- value: "{{user.name}}"
- if: "ctx?.user?.name != null"
-- append:
- field: related.ip
- value: "{{source.ip}}"
- if: "ctx?.source?.ip != null"
-on_failure:
-- set:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
diff --git a/packages/system/0.10.7/data_stream/auth/fields/agent.yml b/packages/system/0.10.7/data_stream/auth/fields/agent.yml
deleted file mode 100644
index da4e652c53..0000000000
--- a/packages/system/0.10.7/data_stream/auth/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.10.7/data_stream/auth/fields/base-fields.yml b/packages/system/0.10.7/data_stream/auth/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.10.7/data_stream/auth/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.10.7/data_stream/auth/fields/ecs.yml b/packages/system/0.10.7/data_stream/auth/fields/ecs.yml
deleted file mode 100644
index 3bf40ac7d1..0000000000
--- a/packages/system/0.10.7/data_stream/auth/fields/ecs.yml
+++ /dev/null
@@ -1,205 +0,0 @@ -- name: '@timestamp' - level: core - required: true - type: date - description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. -- name: message - level: core - type: text - description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. -- name: group - title: Group - group: 2 - type: group - fields: - - name: id - level: extended - type: keyword - description: Unique identifier for the group on the system/platform. - ignore_above: 1024 - - name: name - level: extended - type: keyword - description: Name of the group. - ignore_above: 1024 -- name: host - title: Host - group: 2 - type: group - fields: - - name: hostname - level: core - type: keyword - description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - ignore_above: 1024 -- name: process - title: Process - group: 2 - type: group - fields: - - name: name - level: extended - type: keyword - description: |- - Process name. - Sometimes called program name or similar. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - - name: pid - level: core - type: long - format: string - description: Process id. -- name: source - title: Source - group: 2 - type: group - fields: - - name: geo.city_name - level: core - type: keyword - description: City name. 
- ignore_above: 1024 - - name: geo.continent_name - level: core - type: keyword - description: Name of the continent. - ignore_above: 1024 - - name: geo.country_iso_code - level: core - type: keyword - description: Country ISO code. - ignore_above: 1024 - - name: geo.location - level: core - type: geo_point - description: Longitude and latitude. - - name: geo.region_iso_code - level: core - type: keyword - description: Region ISO code. - ignore_above: 1024 - - name: geo.region_name - level: core - type: keyword - description: Region name. - ignore_above: 1024 - - name: ip - level: core - type: ip - description: IP address of the source (IPv4 or IPv6). - - name: port - level: core - type: long - format: string - description: Port of the source. -- name: user - title: User - group: 2 - type: group - fields: - - name: id - level: core - type: keyword - description: Unique identifier of the user. - ignore_above: 1024 - - name: name - level: core - type: keyword - description: Short name or login of the user. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false -- description: "Operating system architecture." - ignore_above: 1024 - name: host.architecture - type: keyword -- description: "Name of the directory the group is a member of." - ignore_above: 1024 - name: host.domain - type: keyword -- description: "Hostname of the host." - ignore_above: 1024 - name: host.hostname - type: keyword -- description: "Unique host id." - ignore_above: 1024 - name: host.id - type: keyword -- description: "Host ip addresses." - name: host.ip - type: ip -- description: "Host mac addresses." - ignore_above: 1024 - name: host.mac - type: keyword -- description: "Name of the host." - ignore_above: 1024 - name: host.name - type: keyword -- description: "OS family (such as redhat, debian, freebsd, windows)." - ignore_above: 1024 - name: host.os.family - type: keyword -- description: "Operating system name, including the version or code name." 
- ignore_above: 1024 - multi_fields: - - name: text - norms: false - type: text - name: host.os.full - type: keyword -- description: "Operating system kernel version as a raw string." - ignore_above: 1024 - name: host.os.kernel - type: keyword -- description: "Operating system name, without the version." - ignore_above: 1024 - multi_fields: - - name: text - norms: false - type: text - name: host.os.name - type: keyword -- description: "Operating system platform (such centos, ubuntu, windows)." - ignore_above: 1024 - name: host.os.platform - type: keyword -- description: "Operating system version as a raw string." - ignore_above: 1024 - name: version - type: keyword -- name: error.message - type: text - description: Error message. -- name: related.ip - type: ip - description: All of the IPs seen on your event. -- name: related.user - type: keyword - description: All the user names seen on your event. -- name: source.as.number - type: long - description: Unique number allocated to the autonomous system. -- name: source.as.organization.name - type: keyword - description: Organization name. -- name: source.geo.country_name - type: keyword - description: Country name. diff --git a/packages/system/0.10.7/data_stream/auth/fields/fields.yml b/packages/system/0.10.7/data_stream/auth/fields/fields.yml deleted file mode 100644 index 1e7b044f02..0000000000 --- a/packages/system/0.10.7/data_stream/auth/fields/fields.yml +++ /dev/null 
@@ -1,58 +0,0 @@
-- name: system.auth
- type: group
- fields:
- - name: ssh
- type: group
- fields:
- - name: method
- type: keyword
- description: |
- The SSH authentication method. Can be one of "password" or "publickey".
- - name: signature
- type: keyword
- description: |
- The signature of the client public key.
- - name: dropped_ip
- type: ip
- description: |
- The client IP from SSH connections that are open and immediately dropped.
- - name: event
- type: keyword
- description: |
- The SSH event as found in the logs (Accepted, Invalid, Failed, etc.)
- - name: geoip
- type: group
- - name: sudo
- type: group
- fields:
- - name: error
- type: keyword
- description: |
- The error message in case the sudo command failed.
- - name: tty
- type: keyword
- description: |
- The TTY where the sudo command is executed.
- - name: pwd
- type: keyword
- description: |
- The current directory where the sudo command is executed.
- - name: user
- type: keyword
- description: |
- The target user to which the sudo command is switching.
- - name: command
- type: keyword
- description: |
- The command executed via sudo.
- - name: useradd
- type: group
- fields:
- - name: home
- type: keyword
- description: The home folder for the new user.
- - name: shell
- type: keyword
- description: The default shell for the new user.
- - name: groupadd
- type: group
diff --git a/packages/system/0.10.7/data_stream/auth/manifest.yml b/packages/system/0.10.7/data_stream/auth/manifest.yml
deleted file mode 100644
index 428764ece1..0000000000
--- a/packages/system/0.10.7/data_stream/auth/manifest.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-title: System auth logs
-release: experimental
-type: logs
-streams:
- - input: logfile
- vars:
- - name: paths
- type: text
- title: Paths
- multi: true
- required: true
- show_user: true
- default:
- - /var/log/auth.log*
- - /var/log/secure*
- template_path: log.yml.hbs
- title: System auth logs (log)
- description: Collect System auth logs using log input
diff --git a/packages/system/0.10.7/data_stream/core/agent/stream/stream.yml.hbs b/packages/system/0.10.7/data_stream/core/agent/stream/stream.yml.hbs
deleted file mode 100644
index 38d25572bd..0000000000
--- a/packages/system/0.10.7/data_stream/core/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,5 +0,0 @@
-metricsets: ["core"]
-core.metrics:
-{{#each core.metrics}}
- - {{this}}
-{{/each}}
diff --git a/packages/system/0.10.7/data_stream/core/fields/agent.yml b/packages/system/0.10.7/data_stream/core/fields/agent.yml
deleted file mode 100644
index da4e652c53..0000000000
--- a/packages/system/0.10.7/data_stream/core/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.10.7/data_stream/core/fields/base-fields.yml b/packages/system/0.10.7/data_stream/core/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.10.7/data_stream/core/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.10.7/data_stream/core/fields/ecs.yml b/packages/system/0.10.7/data_stream/core/fields/ecs.yml
deleted file mode 100644
index e76a78fa1d..0000000000
--- a/packages/system/0.10.7/data_stream/core/fields/ecs.yml
+++ /dev/null
@@ -1,71 +0,0 @@
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: ip
- level: core
- type: ip
- description: Host ip address.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac address.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.full
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system name, including the version or code name.
- example: Mac OS Mojave
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: Type of host.
diff --git a/packages/system/0.10.7/data_stream/core/fields/fields.yml b/packages/system/0.10.7/data_stream/core/fields/fields.yml
deleted file mode 100644
index dab186321f..0000000000
--- a/packages/system/0.10.7/data_stream/core/fields/fields.yml
+++ /dev/null
@@ -1,103 +0,0 @@
-- name: system.core
- type: group
- fields:
- - name: id
- type: keyword
- description: |
- CPU Core number.
- - name: user.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in user space.
- - name: user.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent in user space.
- - name: system.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in kernel space.
- - name: system.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent in kernel space.
- - name: nice.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent on low-priority processes.
- - name: nice.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent on low-priority processes.
- - name: idle.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent idle.
- - name: idle.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent idle.
- - name: iowait.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in wait (on disk).
- - name: iowait.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent in wait (on disk).
- - name: irq.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent servicing and handling hardware interrupts.
- - name: irq.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent servicing and handling hardware interrupts.
- - name: softirq.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent servicing and handling software interrupts.
- - name: softirq.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent servicing and handling software interrupts.
- - name: steal.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.
- - name: steal.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.
diff --git a/packages/system/0.10.7/data_stream/core/manifest.yml b/packages/system/0.10.7/data_stream/core/manifest.yml
deleted file mode 100644
index f7e0e5a825..0000000000
--- a/packages/system/0.10.7/data_stream/core/manifest.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-title: System core metrics
-release: experimental
-type: metrics
-streams:
- - input: system/metrics
- enabled: false
- vars:
- - name: period
- type: text
- title: Period
- multi: false
- required: true
- show_user: true
- default: 10s
- - name: core.metrics
- type: text
- title: Core Metrics
- multi: true
- required: true
- show_user: true
- description: >
- How to report core metrics. Can be "percentages" or "ticks"
-
- default:
- - percentages
-title: System core metrics
-description: Collect System core metrics
diff --git a/packages/system/0.10.7/data_stream/cpu/agent/stream/stream.yml.hbs b/packages/system/0.10.7/data_stream/cpu/agent/stream/stream.yml.hbs
deleted file mode 100644
index cd0de8d3d9..0000000000
--- a/packages/system/0.10.7/data_stream/cpu/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,6 +0,0 @@
-metricsets: ["cpu"]
-cpu.metrics:
-{{#each cpu.metrics}}
- - {{this}}
-{{/each}}
-period: {{period}}
\ No newline at end of file
diff --git a/packages/system/0.10.7/data_stream/cpu/fields/agent.yml b/packages/system/0.10.7/data_stream/cpu/fields/agent.yml
deleted file mode 100644
index 3643534982..0000000000
--- a/packages/system/0.10.7/data_stream/cpu/fields/agent.yml
+++ /dev/null
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - - - name: cpu.pct - type: scaled_float - format: percent - description: > - Percent CPU used. 
This value is normalized by the number of CPU cores and it ranges from 0 to 1.
-
diff --git a/packages/system/0.10.7/data_stream/cpu/fields/base-fields.yml b/packages/system/0.10.7/data_stream/cpu/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.10.7/data_stream/cpu/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.10.7/data_stream/cpu/fields/ecs.yml b/packages/system/0.10.7/data_stream/cpu/fields/ecs.yml
deleted file mode 100644
index e76a78fa1d..0000000000
--- a/packages/system/0.10.7/data_stream/cpu/fields/ecs.yml
+++ /dev/null
@@ -1,71 +0,0 @@
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: ip
- level: core
- type: ip
- description: Host ip address.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac address.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.full
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system name, including the version or code name.
- example: Mac OS Mojave
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: Type of host.
diff --git a/packages/system/0.10.7/data_stream/cpu/fields/fields.yml b/packages/system/0.10.7/data_stream/cpu/fields/fields.yml
deleted file mode 100644
index 9efed64c2d..0000000000
--- a/packages/system/0.10.7/data_stream/cpu/fields/fields.yml
+++ /dev/null
@@ -1,182 +0,0 @@
-- name: system.cpu
- type: group
- fields:
- - name: cores
- type: long
- metric_type: gauge
- description: |
- The number of CPU cores present on the host. The non-normalized percentages will have a maximum value of `100% * cores`. The normalized percentages already take this value into account and have a maximum value of 100%.
- - name: user.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in user space. On multi-core systems, you can have percentages that are greater than 100%. For example, if 3 cores are at 60% use, then the `system.cpu.user.pct` will be 180%.
- - name: system.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in kernel space.
- - name: nice.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent on low-priority processes.
- - name: idle.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent idle.
- - name: iowait.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in wait (on disk).
- - name: irq.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent servicing and handling hardware interrupts.
- - name: softirq.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent servicing and handling software interrupts.
- - name: steal.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.
- - name: total.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in states other than Idle and IOWait.
- - name: user.norm.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in user space.
- - name: system.norm.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in kernel space.
- - name: nice.norm.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent on low-priority processes.
- - name: idle.norm.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent idle.
- - name: iowait.norm.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in wait (on disk).
- - name: irq.norm.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent servicing and handling hardware interrupts.
- - name: softirq.norm.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent servicing and handling software interrupts.
- - name: steal.norm.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.
- - name: total.norm.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time in states other than Idle and IOWait, normalised by the number of cores.
- - name: user.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent in user space.
- - name: system.ticks
- type: long
- description: |
- The amount of CPU time spent in kernel space.
- - name: nice.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent on low-priority processes.
- - name: idle.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent idle.
- - name: iowait.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent in wait (on disk).
- - name: irq.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent servicing and handling hardware interrupts.
- - name: softirq.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent servicing and handling software interrupts.
- - name: steal.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.
-- name: host
- type: group
- fields:
- - name: cpu.pct
- type: scaled_float
- unit: percent
- metric_type: gauge
- description: |
- Percent CPU used. This value is normalized by the number of CPU cores and it ranges from 0 to 1.
diff --git a/packages/system/0.10.7/data_stream/cpu/manifest.yml b/packages/system/0.10.7/data_stream/cpu/manifest.yml
deleted file mode 100644
index 0388136d11..0000000000
--- a/packages/system/0.10.7/data_stream/cpu/manifest.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-title: System cpu metrics
-release: experimental
-type: metrics
-streams:
- - input: system/metrics
- vars:
- - name: period
- type: text
- title: Period
- multi: false
- required: true
- show_user: true
- default: 10s
- - name: cpu.metrics
- type: text
- title: Cpu Metrics
- multi: true
- required: true
- show_user: true
- description: >
- How to report CPU metrics. Can be "percentages", "normalized_percentages", or "ticks"
-
- default:
- - percentages
- - normalized_percentages
-title: System cpu metrics
-description: Collect System cpu metrics
diff --git a/packages/system/0.10.7/data_stream/diskio/agent/stream/stream.yml.hbs b/packages/system/0.10.7/data_stream/diskio/agent/stream/stream.yml.hbs
deleted file mode 100644
index 689369ee25..0000000000
--- a/packages/system/0.10.7/data_stream/diskio/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,6 +0,0 @@
-metricsets: ["diskio"]
-diskio.include_devices:
-{{#each diskio.include_devices}}
- - {{this}}
-{{/each}}
-period: {{period}}
\ No newline at end of file
diff --git a/packages/system/0.10.7/data_stream/diskio/fields/agent.yml b/packages/system/0.10.7/data_stream/diskio/fields/agent.yml
deleted file mode 100644
index 54d97ab701..0000000000
--- a/packages/system/0.10.7/data_stream/diskio/fields/agent.yml
+++ /dev/null
@@ -1,209 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
-
- - name: disk.read.bytes
- type: long
- format: bytes
- description: >
- The total number of bytes read successfully in a given period of time.
-
- - name: disk.write.bytes
- type: long
- format: bytes
- description: >-
- The total number of bytes write successfully in a given period of time.
diff --git a/packages/system/0.10.7/data_stream/diskio/fields/base-fields.yml b/packages/system/0.10.7/data_stream/diskio/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.10.7/data_stream/diskio/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.10.7/data_stream/diskio/fields/ecs.yml b/packages/system/0.10.7/data_stream/diskio/fields/ecs.yml
deleted file mode 100644
index 9a7eeefc56..0000000000
--- a/packages/system/0.10.7/data_stream/diskio/fields/ecs.yml
+++ /dev/null
@@ -1,78 +0,0 @@
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: ip
- level: core
- type: ip
- description: Host ip address.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac address.
- - name: hostname
- level: core
- type: keyword
- description: |-
- Hostname of the host.
- It normally contains what the `hostname` command returns on the host machine.
- ignore_above: 1024
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.full
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system name, including the version or code name.
- example: Mac OS Mojave
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: Type of host.
diff --git a/packages/system/0.10.7/data_stream/diskio/fields/fields.yml b/packages/system/0.10.7/data_stream/diskio/fields/fields.yml
deleted file mode 100644
index 01a5762c60..0000000000
--- a/packages/system/0.10.7/data_stream/diskio/fields/fields.yml
+++ /dev/null
@@ -1,136 +0,0 @@ -- name: system.diskio - type: group - fields: - - name: name - type: keyword - description: | - The disk name. - - name: serial_number - type: keyword - description: | - The disk's serial number. This may not be provided by all operating systems. - - name: read.count - type: long - metric_type: counter - description: | - The total number of reads completed successfully. - - name: write.count - type: long - metric_type: counter - description: | - The total number of writes completed successfully. - - name: read.bytes - type: long - format: bytes - unit: byte - metric_type: counter - description: | - The total number of bytes read successfully. On Linux this is the number of sectors read multiplied by an assumed sector size of 512. - - name: write.bytes - type: long - format: bytes - unit: byte - metric_type: counter - description: | - The total number of bytes written successfully. On Linux this is the number of sectors written multiplied by an assumed sector size of 512. - - name: read.time - type: long - metric_type: counter - description: | - The total number of milliseconds spent by all reads. - - name: write.time - type: long - metric_type: counter - description: | - The total number of milliseconds spent by all writes. - - name: io.time - type: long - metric_type: counter - description: | - The total number of of milliseconds spent doing I/Os. - - name: iostat.read.request.merges_per_sec - type: float - metric_type: gauge - description: | - The number of read requests merged per second that were queued to the device. - - name: iostat.write.request.merges_per_sec - type: float - metric_type: gauge - description: | - The number of write requests merged per second that were queued to the device. 
- - name: iostat.read.request.per_sec - type: float - metric_type: gauge - description: | - The number of read requests that were issued to the device per second - - name: iostat.write.request.per_sec - type: float - metric_type: gauge - description: | - The number of write requests that were issued to the device per second - - name: iostat.read.per_sec.bytes - type: float - format: bytes - metric_type: gauge - description: | - The number of Bytes read from the device per second. - - name: iostat.read.await - type: float - metric_type: gauge - description: | - The average time spent for read requests issued to the device to be served. - - name: iostat.write.per_sec.bytes - type: float - format: bytes - metric_type: gauge - description: | - The number of Bytes write from the device per second. - - name: iostat.write.await - type: float - metric_type: gauge - description: | - The average time spent for write requests issued to the device to be served. - - name: iostat.request.avg_size - type: float - format: bytes - unit: byte - metric_type: gauge - description: | - The average size (in bytes) of the requests that were issued to the device. - - name: iostat.queue.avg_size - type: float - unit: byte - metric_type: gauge - description: | - The average queue length of the requests that were issued to the device. - - name: iostat.await - type: float - metric_type: gauge - description: | - The average time spent for requests issued to the device to be served. - - name: iostat.service_time - type: float - unit: ms - metric_type: gauge - description: | - The average service time (in milliseconds) for I/O requests that were issued to the device. - - name: iostat.busy - type: float - metric_type: gauge - description: | - Percentage of CPU time during which I/O requests were issued to the device (bandwidth utilization for the device). Device saturation occurs when this value is close to 100%. 
-- name: host - type: group - fields: - - name: disk.read.bytes - type: scaled_float - unit: byte - metric_type: gauge - description: | - The total number of bytes read successfully in a given period of time. - - name: disk.write.bytes - type: scaled_float - unit: byte - metric_type: gauge - description: | - The total number of bytes write successfully in a given period of time. diff --git a/packages/system/0.10.7/data_stream/diskio/manifest.yml b/packages/system/0.10.7/data_stream/diskio/manifest.yml deleted file mode 100644 index 320f708bef..0000000000 --- a/packages/system/0.10.7/data_stream/diskio/manifest.yml +++ /dev/null @@ -1,24 +0,0 @@ -title: System diskio metrics -release: experimental -type: metrics -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - - name: diskio.include_devices - type: text - title: Include Devices - multi: true - required: false - show_user: true - description: > - Provide a specific list of devices to monitor. By default, all devices are monitored. - - title: System diskio metrics - description: Collect System diskio metrics diff --git a/packages/system/0.10.7/data_stream/filesystem/agent/stream/stream.yml.hbs b/packages/system/0.10.7/data_stream/filesystem/agent/stream/stream.yml.hbs deleted file mode 100644 index d21fbd9919..0000000000 --- a/packages/system/0.10.7/data_stream/filesystem/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,3 +0,0 @@ -metricsets: ["filesystem"] -period: {{period}} -processors: {{processors}} diff --git a/packages/system/0.10.7/data_stream/filesystem/fields/agent.yml b/packages/system/0.10.7/data_stream/filesystem/fields/agent.yml deleted file mode 100644 index da4e652c53..0000000000 --- a/packages/system/0.10.7/data_stream/filesystem/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.10.7/data_stream/filesystem/fields/base-fields.yml b/packages/system/0.10.7/data_stream/filesystem/fields/base-fields.yml deleted file mode 100644 index 7c798f4534..0000000000 --- a/packages/system/0.10.7/data_stream/filesystem/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.10.7/data_stream/filesystem/fields/fields.yml b/packages/system/0.10.7/data_stream/filesystem/fields/fields.yml deleted file mode 100644 index d7b44199a8..0000000000 --- a/packages/system/0.10.7/data_stream/filesystem/fields/fields.yml +++ /dev/null 
@@ -1,60 +0,0 @@ -- name: system.filesystem - type: group - fields: - - name: available - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The disk space available to an unprivileged user in bytes. - - name: device_name - type: keyword - description: | - The disk name. For example: `/dev/disk1` - - name: type - type: keyword - description: | - The disk type. For example: `ext4` - - name: mount_point - type: keyword - description: | - The mounting point. For example: `/` - - name: files - type: long - metric_type: gauge - description: | - The total number of file nodes in the file system. - - name: free - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The disk space available in bytes. - - name: free_files - type: long - metric_type: gauge - description: | - The number of free file nodes in the file system. - - name: total - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The total disk space in bytes. - - name: used.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The used disk space in bytes. - - name: used.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of used disk space. diff --git a/packages/system/0.10.7/data_stream/filesystem/manifest.yml b/packages/system/0.10.7/data_stream/filesystem/manifest.yml deleted file mode 100644 index 2cc3f159a7..0000000000 --- a/packages/system/0.10.7/data_stream/filesystem/manifest.yml +++ /dev/null 
@@ -1,28 +0,0 @@ -title: System filesystem metrics -release: experimental -type: metrics -streams: - - input: system/metrics - enabled: true - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 1m - - name: processors - type: yaml - title: Processors - multi: false - required: true - show_user: true - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with external metadata. - - default: | - - drop_event.when.regexp: - system.filesystem.mount_point: ^/(sys|cgroup|proc|dev|etc|host|lib|snap)($|/) - title: System filesystem metrics - description: Collect System filesystem metrics diff --git a/packages/system/0.10.7/data_stream/fsstat/agent/stream/stream.yml.hbs b/packages/system/0.10.7/data_stream/fsstat/agent/stream/stream.yml.hbs deleted file mode 100644 index fc5ebe911d..0000000000 --- a/packages/system/0.10.7/data_stream/fsstat/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,3 +0,0 @@ -metricsets: ["fsstat"] -period: {{period}} -processors: {{processors}} diff --git a/packages/system/0.10.7/data_stream/fsstat/fields/agent.yml b/packages/system/0.10.7/data_stream/fsstat/fields/agent.yml deleted file mode 100644 index da4e652c53..0000000000 --- a/packages/system/0.10.7/data_stream/fsstat/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.10.7/data_stream/fsstat/fields/base-fields.yml b/packages/system/0.10.7/data_stream/fsstat/fields/base-fields.yml deleted file mode 100644 index 7c798f4534..0000000000 --- a/packages/system/0.10.7/data_stream/fsstat/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.10.7/data_stream/fsstat/fields/ecs.yml b/packages/system/0.10.7/data_stream/fsstat/fields/ecs.yml deleted file mode 100644 index e76a78fa1d..0000000000 --- a/packages/system/0.10.7/data_stream/fsstat/fields/ecs.yml +++ /dev/null 
@@ -1,71 +0,0 @@ -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. 
- example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: Type of host. diff --git a/packages/system/0.10.7/data_stream/fsstat/fields/fields.yml b/packages/system/0.10.7/data_stream/fsstat/fields/fields.yml deleted file mode 100644 index aab998a85d..0000000000 --- a/packages/system/0.10.7/data_stream/fsstat/fields/fields.yml +++ /dev/null @@ -1,38 +0,0 @@ -- name: system.fsstat - type: group - fields: - - name: count - type: long - metric_type: gauge - description: Number of file systems found. - - name: total_files - type: long - metric_type: gauge - description: Total number of files. - - name: total_size - type: group - format: bytes - unit: byte - metric_type: gauge - fields: - - name: free - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total free space. - - name: used - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total used space. - - name: total - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total space (used plus free). diff --git a/packages/system/0.10.7/data_stream/fsstat/manifest.yml b/packages/system/0.10.7/data_stream/fsstat/manifest.yml deleted file mode 100644 index 8e63d20df1..0000000000 --- a/packages/system/0.10.7/data_stream/fsstat/manifest.yml +++ /dev/null 
@@ -1,28 +0,0 @@ -title: System fsstat metrics -release: experimental -type: metrics -streams: - - input: system/metrics - enabled: true - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 1m - - name: processors - type: yaml - title: Processors - multi: false - required: true - show_user: true - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with external metadata. - - default: | - - drop_event.when.regexp: - system.fsstat.mount_point: ^/(sys|cgroup|proc|dev|etc|host|lib|snap)($|/) - title: System fsstat metrics - description: Collect System fsstat metrics diff --git a/packages/system/0.10.7/data_stream/load/agent/stream/stream.yml.hbs b/packages/system/0.10.7/data_stream/load/agent/stream/stream.yml.hbs deleted file mode 100644 index b1403687c4..0000000000 --- a/packages/system/0.10.7/data_stream/load/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,3 +0,0 @@ -metricsets: ["load"] -condition: ${host.platform} != 'windows' -period: {{period}} \ No newline at end of file diff --git a/packages/system/0.10.7/data_stream/load/fields/agent.yml b/packages/system/0.10.7/data_stream/load/fields/agent.yml deleted file mode 100644 index da4e652c53..0000000000 --- a/packages/system/0.10.7/data_stream/load/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.10.7/data_stream/load/fields/base-fields.yml b/packages/system/0.10.7/data_stream/load/fields/base-fields.yml deleted file mode 100644 index 7c798f4534..0000000000 --- a/packages/system/0.10.7/data_stream/load/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.10.7/data_stream/load/fields/ecs.yml b/packages/system/0.10.7/data_stream/load/fields/ecs.yml deleted file mode 100644 index e76a78fa1d..0000000000 --- a/packages/system/0.10.7/data_stream/load/fields/ecs.yml +++ /dev/null 
@@ -1,71 +0,0 @@ -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. 
- example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: Type of host. diff --git a/packages/system/0.10.7/data_stream/load/fields/fields.yml b/packages/system/0.10.7/data_stream/load/fields/fields.yml deleted file mode 100644 index ae0130faef..0000000000 --- a/packages/system/0.10.7/data_stream/load/fields/fields.yml +++ /dev/null @@ -1,38 +0,0 @@ -- name: system.load - type: group - fields: - - name: "1" - type: scaled_float - metric_type: gauge - description: | - Load average for the last minute. - - name: "5" - type: scaled_float - metric_type: gauge - description: | - Load average for the last 5 minutes. - - name: "15" - type: scaled_float - metric_type: gauge - description: | - Load average for the last 15 minutes. - - name: norm.1 - type: scaled_float - metric_type: gauge - description: | - Load for the last minute divided by the number of cores. - - name: norm.5 - type: scaled_float - metric_type: gauge - description: | - Load for the last 5 minutes divided by the number of cores. - - name: norm.15 - type: scaled_float - metric_type: gauge - description: | - Load for the last 15 minutes divided by the number of cores. - - name: cores - type: long - metric_type: gauge - description: | - The number of CPU cores present on the host. diff --git a/packages/system/0.10.7/data_stream/load/manifest.yml b/packages/system/0.10.7/data_stream/load/manifest.yml deleted file mode 100644 index 486e57b779..0000000000 --- a/packages/system/0.10.7/data_stream/load/manifest.yml +++ /dev/null @@ -1,15 +0,0 @@ -title: System load metrics -release: experimental -type: metrics -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - title: System load metrics - description: Collect System load metrics 
diff --git a/packages/system/0.10.7/data_stream/memory/agent/stream/stream.yml.hbs b/packages/system/0.10.7/data_stream/memory/agent/stream/stream.yml.hbs deleted file mode 100644 index 0d49de061f..0000000000 --- a/packages/system/0.10.7/data_stream/memory/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,2 +0,0 @@ -metricsets: ["memory"] -period: {{period}} \ No newline at end of file diff --git a/packages/system/0.10.7/data_stream/memory/fields/agent.yml b/packages/system/0.10.7/data_stream/memory/fields/agent.yml deleted file mode 100644 index da4e652c53..0000000000 --- a/packages/system/0.10.7/data_stream/memory/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.10.7/data_stream/memory/fields/base-fields.yml b/packages/system/0.10.7/data_stream/memory/fields/base-fields.yml deleted file mode 100644 index 7c798f4534..0000000000 --- a/packages/system/0.10.7/data_stream/memory/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.10.7/data_stream/memory/fields/ecs.yml b/packages/system/0.10.7/data_stream/memory/fields/ecs.yml deleted file mode 100644 index e76a78fa1d..0000000000 --- a/packages/system/0.10.7/data_stream/memory/fields/ecs.yml +++ /dev/null 
@@ -1,71 +0,0 @@ -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. 
- example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: Type of host. diff --git a/packages/system/0.10.7/data_stream/memory/fields/fields.yml b/packages/system/0.10.7/data_stream/memory/fields/fields.yml deleted file mode 100644 index 55488d61eb..0000000000 --- a/packages/system/0.10.7/data_stream/memory/fields/fields.yml +++ /dev/null 
@@ -1,199 +0,0 @@ -- name: system.memory - type: group - fields: - - name: total - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total memory. - - name: used.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Used memory. - - name: free - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The total amount of free memory in bytes. This value does not include memory consumed by system caches and buffers (see system.memory.actual.free). - - name: used.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of used memory. - - name: actual - type: group - fields: - - name: used.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Actual used memory in bytes. It represents the difference between the total and the available memory. The available memory depends on the OS. For more details, please check `system.actual.free`. - - name: free - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Actual free memory in bytes. It is calculated based on the OS. On Linux this value will be MemAvailable from /proc/meminfo, or calculated from free memory plus caches and buffers if /proc/meminfo is not available. On OSX it is a sum of free memory and the inactive memory. On Windows, it is equal to `system.memory.free`. - - name: used.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of actual used memory. - - name: swap - type: group - fields: - - name: total - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total swap memory. - - name: used.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Used swap memory. - - name: free - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Available swap memory. 
- - name: out.pages - type: long - metric_type: counter - description: count of pages swapped out - - name: in.pages - type: long - metric_type: gauge - description: count of pages swapped in - - name: readahead.pages - type: long - metric_type: counter - description: swap readahead pages - - name: readahead.cached - type: long - description: swap readahead cache hits - - name: used.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of used swap memory. - - name: page_stats - type: group - fields: - - name: pgscan_kswapd.pages - type: long - format: number - metric_type: counter - description: pages scanned by kswapd - - name: pgscan_direct.pages - type: long - format: number - metric_type: counter - description: pages scanned directly - - name: pgfree.pages - type: long - format: number - metric_type: counter - description: pages freed by the system - - name: pgsteal_kswapd.pages - type: long - format: number - metric_type: counter - description: number of pages reclaimed by kswapd - - name: pgsteal_direct.pages - type: long - format: number - metric_type: counter - description: number of pages reclaimed directly - - name: direct_efficiency.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: direct reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory. - - name: kswapd_efficiency.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: kswapd reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory. - - name: hugepages - type: group - fields: - - name: total - type: long - format: number - metric_type: gauge - description: | - Number of huge pages in the pool. - - name: used.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Memory used in allocated huge pages. 
- - name: used.pct - type: long - format: percent - unit: percent - metric_type: gauge - description: | - Percentage of huge pages used. - - name: free - type: long - format: number - metric_type: gauge - description: | - Number of available huge pages in the pool. - - name: reserved - type: long - format: number - metric_type: gauge - description: | - Number of reserved but not allocated huge pages in the pool. - - name: surplus - type: long - format: number - metric_type: gauge - description: | - Number of overcommited huge pages. - - name: default_size - type: long - format: bytes - metric_type: gauge - description: | - Default size for huge pages. - - name: swap.out - type: group - fields: - - name: pages - type: long - metric_type: gauge - description: pages swapped out - - name: fallback - type: long - metric_type: gauge - description: Count of huge pages that must be split before swapout diff --git a/packages/system/0.10.7/data_stream/memory/manifest.yml b/packages/system/0.10.7/data_stream/memory/manifest.yml deleted file mode 100644 index aeb17b0bd0..0000000000 --- a/packages/system/0.10.7/data_stream/memory/manifest.yml +++ /dev/null @@ -1,15 +0,0 @@ -title: System memory metrics -release: experimental -type: metrics -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - title: System memory metrics - description: Collect System memory metrics diff --git a/packages/system/0.10.7/data_stream/network/agent/stream/stream.yml.hbs b/packages/system/0.10.7/data_stream/network/agent/stream/stream.yml.hbs deleted file mode 100644 index a3aeb928ae..0000000000 --- a/packages/system/0.10.7/data_stream/network/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,6 +0,0 @@ -metricsets: ["network"] -period: {{period}} -network.interfaces: -{{#each network.interfaces}} - - {{this}} -{{/each}} 
diff --git a/packages/system/0.10.7/data_stream/network/fields/agent.yml b/packages/system/0.10.7/data_stream/network/fields/agent.yml deleted file mode 100644 index e5afe01139..0000000000 --- a/packages/system/0.10.7/data_stream/network/fields/agent.yml +++ /dev/null 
@@ -1,220 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- - - name: network.in.bytes - type: long - format: bytes - description: > - The number of bytes received on all network interfaces by the host in a given period of time. - - - name: network.in.packets - type: long - description: > - The number of packets received on all network interfaces by the host in a given period of time. - - - name: network.out.bytes - type: long - format: bytes - description: > - The number of bytes sent out on all network interfaces by the host in a given period of time. - - - name: network.out.packets - type: long - description: > - The number of packets sent out on all network interfaces by the host in a given period of time. - diff --git a/packages/system/0.10.7/data_stream/network/fields/base-fields.yml b/packages/system/0.10.7/data_stream/network/fields/base-fields.yml deleted file mode 100644 index 7c798f4534..0000000000 --- a/packages/system/0.10.7/data_stream/network/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.10.7/data_stream/network/fields/ecs.yml b/packages/system/0.10.7/data_stream/network/fields/ecs.yml deleted file mode 100644 index 9f3d04118b..0000000000 --- a/packages/system/0.10.7/data_stream/network/fields/ecs.yml +++ /dev/null 
@@ -1,128 +0,0 @@ -- name: '@timestamp' - level: core - required: true - type: date - description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. -- name: message - level: core - type: text - description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. -- name: group - title: Group - group: 2 - type: group - fields: - - name: id - level: extended - type: keyword - description: Unique identifier for the group on the system/platform. - ignore_above: 1024 - - name: name - level: extended - type: keyword - description: Name of the group. - ignore_above: 1024 -- name: host - title: Host - group: 2 - type: group - fields: - - name: hostname - level: core - type: keyword - description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - ignore_above: 1024 -- name: process - title: Process - group: 2 - type: group - fields: - - name: name - level: extended - type: keyword - description: |- - Process name. - Sometimes called program name or similar. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - - name: pid - level: core - type: long - format: string - description: Process id. -- name: source - title: Source - group: 2 - type: group - fields: - - name: geo.city_name - level: core - type: keyword - description: City name. 
- ignore_above: 1024 - - name: geo.continent_name - level: core - type: keyword - description: Name of the continent. - ignore_above: 1024 - - name: geo.country_iso_code - level: core - type: keyword - description: Country ISO code. - ignore_above: 1024 - - name: geo.location - level: core - type: geo_point - description: Longitude and latitude. - - name: geo.region_iso_code - level: core - type: keyword - description: Region ISO code. - ignore_above: 1024 - - name: geo.region_name - level: core - type: keyword - description: Region name. - ignore_above: 1024 - - name: ip - level: core - type: ip - description: IP address of the source (IPv4 or IPv6). - - name: port - level: core - type: long - format: string - description: Port of the source. -- name: user - title: User - group: 2 - type: group - fields: - - name: id - level: core - type: keyword - description: Unique identifier of the user. - ignore_above: 1024 - - name: name - level: core - type: keyword - description: Short name or login of the user. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false diff --git a/packages/system/0.10.7/data_stream/network/fields/fields.yml b/packages/system/0.10.7/data_stream/network/fields/fields.yml deleted file mode 100644 index a309d88ba0..0000000000 --- a/packages/system/0.10.7/data_stream/network/fields/fields.yml +++ /dev/null 
@@ -1,77 +0,0 @@ -- name: system.network - type: group - fields: - - name: name - type: keyword - description: | - The network interface name. - - name: out.bytes - type: long - format: bytes - unit: byte - metric_type: counter - description: | - The number of bytes sent. - - name: in.bytes - type: long - format: bytes - unit: byte - metric_type: counter - description: | - The number of bytes received. - - name: out.packets - type: long - metric_type: counter - description: | - The number of packets sent. - - name: in.packets - type: long - metric_type: counter - description: | - The number or packets received. - - name: in.errors - type: long - metric_type: counter - description: | - The number of errors while receiving. - - name: out.errors - type: long - metric_type: counter - description: | - The number of errors while sending. - - name: in.dropped - type: long - metric_type: counter - description: | - The number of incoming packets that were dropped. - - name: out.dropped - type: long - metric_type: counter - description: | - The number of outgoing packets that were dropped. This value is always 0 on Darwin and BSD because it is not reported by the operating system. -- name: host - type: group - fields: - - name: network.in.bytes - type: scaled_float - format: bytes - unit: byte - metric_type: counter - description: | - The number of bytes received on all network interfaces by the host in a given period of time. - - name: network.out.bytes - type: scaled_float - unit: byte - metric_type: counter - description: | - The number of bytes sent out on all network interfaces by the host in a given period of time. - - name: network.in.packets - type: scaled_float - metric_type: counter - description: | - The number of packets received on all network interfaces by the host in a given period of time. 
- - name: network.out.packets - type: scaled_float - metric_type: counter - description: | - The number of packets sent out on all network interfaces by the host in a given period of time. diff --git a/packages/system/0.10.7/data_stream/network/manifest.yml b/packages/system/0.10.7/data_stream/network/manifest.yml deleted file mode 100644 index b9878b3e64..0000000000 --- a/packages/system/0.10.7/data_stream/network/manifest.yml +++ /dev/null @@ -1,24 +0,0 @@ -title: System network metrics -release: experimental -type: metrics -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - - name: network.interfaces - type: text - title: Interfaces - multi: true - required: false - show_user: true - description: > - List of interfaces to monitor. Will monitor all by default. - - title: System network metrics - description: Collect System network metrics diff --git a/packages/system/0.10.7/data_stream/process/agent/stream/stream.yml.hbs b/packages/system/0.10.7/data_stream/process/agent/stream/stream.yml.hbs deleted file mode 100644 index c28d9dd78a..0000000000 --- a/packages/system/0.10.7/data_stream/process/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,16 +0,0 @@ -metricsets: ["process"] -period: {{period}} -process.include_top_n.by_cpu: {{process.include_top_n.by_cpu}} -process.include_top_n.by_memory: {{process.include_top_n.by_memory}} -process.cmdline.cache.enabled: {{process.cmdline.cache.enabled}} -process.cgroups.enabled: {{process.cgroups.enabled}} -process.include_cpu_ticks: {{process.include_cpu_ticks}} -{{#if process.env.whitelist}} -{{#each process.env.whitelist}} - - {{this}} -{{/each}} -{{/if}} -processes: -{{#each processes}} - - {{this}} -{{/each}} \ No newline at end of file 
diff --git a/packages/system/0.10.7/data_stream/process/fields/agent.yml b/packages/system/0.10.7/data_stream/process/fields/agent.yml deleted file mode 100644 index d5df59895a..0000000000 --- a/packages/system/0.10.7/data_stream/process/fields/agent.yml +++ /dev/null 
@@ -1,226 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
-- name: process
- title: Process
- group: 2
- description: Process metrics.
- type: group
- fields:
- - name: state
- type: keyword
- description: >
- The process state. For example: "running".
-
- - name: cpu.pct
- type: scaled_float
- format: percent
- description: >
- The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 1.
-
- - name: cpu.start_time
- type: date
- description: >
- The time when the process was started.
-
- - name: memory.pct
- type: scaled_float
- format: percent
- description: >
- The percentage of memory the process occupied in main memory (RAM).
-
diff --git a/packages/system/0.10.7/data_stream/process/fields/base-fields.yml b/packages/system/0.10.7/data_stream/process/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.10.7/data_stream/process/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.10.7/data_stream/process/fields/ecs.yml b/packages/system/0.10.7/data_stream/process/fields/ecs.yml
deleted file mode 100644
index 7e409c1793..0000000000
--- a/packages/system/0.10.7/data_stream/process/fields/ecs.yml
+++ /dev/null
@@ -1,128 +0,0 @@
-- name: process
- title: Process
- group: 2
- type: group
- fields:
- - name: name
- level: extended
- type: keyword
- description: |-
- Process name.
- Sometimes called program name or similar.
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- - name: pgid
- level: extended
- type: long
- format: string
- description: Identifier of the group of processes the process belongs to.
- - name: pid
- level: core
- type: long
- format: string
- description: Process id.
- - name: ppid
- level: extended
- type: long
- format: string
- description: Parent process' pid.
- - name: working_directory
- level: extended
- type: keyword
- description: The working directory of the process.
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
-- name: user
- title: User
- group: 2
- type: group
- fields:
- - name: name
- level: core
- type: keyword
- description: Short name or login of the user.
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: ip
- level: core
- type: ip
- description: Host ip address.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac address.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.full
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system name, including the version or code name.
- example: Mac OS Mojave
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: Type of host.
diff --git a/packages/system/0.10.7/data_stream/process/fields/fields.yml b/packages/system/0.10.7/data_stream/process/fields/fields.yml
deleted file mode 100644
index 4dc7b1aab2..0000000000
--- a/packages/system/0.10.7/data_stream/process/fields/fields.yml
+++ /dev/null
@@ -1,434 +0,0 @@
-- name: system.process
- type: group
- fields:
- - name: state
- type: keyword
- description: |
- The process state. For example: "running".
- - name: cmdline
- type: keyword
- description: |
- The full command-line used to start the process, including the arguments separated by space.
- ignore_above: 2048
- - name: env
- type: object
- description: |
- The environment variables used to start the process. The data is available on FreeBSD, Linux, and OS X.
- - name: cpu
- type: group
- fields:
- - name: user.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time the process spent in user space.
- - name: total.value
- type: long
- metric_type: counter
- description: |
- The value of CPU usage since starting the process.
- - name: total.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent by the process since the last update. Its value is similar to the %CPU value of the process displayed by the top command on Unix systems.
- - name: total.norm.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 100%.
- - name: system.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time the process spent in kernel space.
- - name: total.ticks
- type: long
- metric_type: counter
- description: |
- The total CPU time spent by the process.
- - name: start_time
- type: date
- description: |
- The time when the process was started.
- - name: memory
- type: group
- fields:
- - name: size
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- The total virtual memory the process has. 
On Windows this represents the Commit Charge (the total amount of memory that the memory manager has committed for a running process) value in bytes for this process.
- - name: rss.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- The Resident Set Size. The amount of memory the process occupied in main memory (RAM). On Windows this represents the current working set size, in bytes.
- - name: rss.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of memory the process occupied in main memory (RAM).
- - name: share
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- The shared memory the process uses.
- - name: fd
- type: group
- fields:
- - name: open
- type: long
- metric_type: gauge
- description: The number of file descriptors open by the process.
- - name: limit.soft
- type: long
- metric_type: gauge
- description: |
- The soft limit on the number of file descriptors opened by the process. The soft limit can be changed by the process at any time.
- - name: limit.hard
- type: long
- metric_type: gauge
- description: |
- The hard limit on the number of file descriptors opened by the process. The hard limit can only be raised by root.
- - name: cgroup
- type: group
- fields:
- - name: id
- type: keyword
- description: |
- The ID common to all cgroups associated with this task. If there isn't a common ID used by all cgroups this field will be absent.
- - name: path
- type: keyword
- description: |
- The path to the cgroup relative to the cgroup subsystem's mountpoint. If there isn't a common path used by all cgroups this field will be absent.
- - name: cpu
- type: group
- fields:
- - name: id
- type: keyword
- description: ID of the cgroup.
- - name: path
- type: keyword
- description: |
- Path to the cgroup relative to the cgroup subsystem's mountpoint.
- - name: cfs.period.us
- type: long
- unit: micros
- description: |
- Period of time in microseconds for how regularly a cgroup's access to CPU resources should be reallocated.
- - name: cfs.quota.us
- type: long
- unit: micros
- description: |
- Total amount of time in microseconds for which all tasks in a cgroup can run during one period (as defined by cfs.period.us).
- - name: cfs.shares
- type: long
- description: |
- An integer value that specifies a relative share of CPU time available to the tasks in a cgroup. The value specified in the cpu.shares file must be 2 or higher.
- - name: rt.period.us
- type: long
- unit: micros
- description: |
- Period of time in microseconds for how regularly a cgroup's access to CPU resources is reallocated.
- - name: rt.runtime.us
- type: long
- unit: micros
- description: |
- Period of time in microseconds for the longest continuous period in which the tasks in a cgroup have access to CPU resources.
- - name: stats.periods
- type: long
- metric_type: counter
- description: |
- Number of period intervals (as specified in cpu.cfs.period.us) that have elapsed.
- - name: stats.throttled.periods
- type: long
- metric_type: counter
- description: |
- Number of times tasks in a cgroup have been throttled (that is, not allowed to run because they have exhausted all of the available time as specified by their quota).
- - name: stats.throttled.ns
- type: long
- metric_type: counter
- unit: nanos
- description: |
- The total time duration (in nanoseconds) for which tasks in a cgroup have been throttled.
- - name: cpuacct
- type: group
- fields:
- - name: id
- type: keyword
- description: ID of the cgroup.
- - name: path
- type: keyword
- description: |
- Path to the cgroup relative to the cgroup subsystem's mountpoint.
- - name: total.ns
- type: long
- metric_type: counter
- unit: nanos
- description: |
- Total CPU time in nanoseconds consumed by all tasks in the cgroup.
- - name: stats.user.ns
- type: long
- metric_type: counter
- unit: nanos
- description: CPU time consumed by tasks in user mode.
- - name: stats.system.ns
- type: long
- metric_type: counter
- unit: nanos
- description: CPU time consumed by tasks in user (kernel) mode.
- - name: percpu
- type: object
- description: |
- CPU time (in nanoseconds) consumed on each CPU by all tasks in this cgroup.
- - name: memory
- type: group
- fields:
- - name: id
- type: keyword
- description: ID of the cgroup.
- - name: path
- type: keyword
- description: |
- Path to the cgroup relative to the cgroup subsystem's mountpoint.
- - name: mem.usage.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Total memory usage by processes in the cgroup (in bytes).
- - name: mem.usage.max.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- The maximum memory used by processes in the cgroup (in bytes).
- - name: mem.limit.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- The maximum amount of user memory in bytes (including file cache) that tasks in the cgroup are allowed to use.
- - name: mem.failures
- type: long
- description: |
- The number of times that the memory limit (mem.limit.bytes) was reached.
- - name: memsw.usage.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- The sum of current memory usage plus swap space used by processes in the cgroup (in bytes).
- - name: memsw.usage.max.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- The maximum amount of memory and swap space used by processes in the cgroup (in bytes).
- - name: memsw.limit.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- The maximum amount for the sum of memory and swap usage that tasks in the cgroup are allowed to use.
- - name: memsw.failures
- type: long
- unit: byte
- metric_type: gauge
- description: |
- The number of times that the memory plus swap space limit (memsw.limit.bytes) was reached.
- - name: kmem.usage.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Total kernel memory usage by processes in the cgroup (in bytes).
- - name: kmem.usage.max.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- The maximum kernel memory used by processes in the cgroup (in bytes).
- - name: kmem.limit.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- The maximum amount of kernel memory that tasks in the cgroup are allowed to use.
- - name: kmem.failures
- type: long
- metric_type: counter
- description: |
- The number of times that the memory limit (kmem.limit.bytes) was reached.
- - name: kmem_tcp.usage.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Total memory usage for TCP buffers in bytes.
- - name: kmem_tcp.usage.max.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- The maximum memory used for TCP buffers by processes in the cgroup (in bytes).
- - name: kmem_tcp.limit.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- The maximum amount of memory for TCP buffers that tasks in the cgroup are allowed to use.
- - name: kmem_tcp.failures
- type: long
- metric_type: counter
- description: |
- The number of times that the memory limit (kmem_tcp.limit.bytes) was reached.
- - name: stats.active_anon.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Anonymous and swap cache on active least-recently-used (LRU) list, including tmpfs (shmem), in bytes.
- - name: stats.active_file.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: File-backed memory on active LRU list, in bytes.
- - name: stats.cache.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: Page cache, including tmpfs (shmem), in bytes.
- - name: stats.hierarchical_memory_limit.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Memory limit for the hierarchy that contains the memory cgroup, in bytes.
- - name: stats.hierarchical_memsw_limit.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Memory plus swap limit for the hierarchy that contains the memory cgroup, in bytes.
- - name: stats.inactive_anon.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Anonymous and swap cache on inactive LRU list, including tmpfs (shmem), in bytes
- - name: stats.inactive_file.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- File-backed memory on inactive LRU list, in bytes.
- - name: stats.mapped_file.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Size of memory-mapped mapped files, including tmpfs (shmem), in bytes.
- - name: stats.page_faults
- type: long
- metric_type: counter
- description: |
- Number of times that a process in the cgroup triggered a page fault.
- - name: stats.major_page_faults
- type: long
- metric_type: counter
- description: |
- Number of times that a process in the cgroup triggered a major fault. "Major" faults happen when the kernel actually has to read the data from disk.
- - name: stats.pages_in
- type: long
- metric_type: counter
- description: |
- Number of pages paged into memory. This is a counter.
- - name: stats.pages_out
- type: long
- metric_type: counter
- description: |
- Number of pages paged out of memory. This is a counter.
- - name: stats.rss.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Anonymous and swap cache (includes transparent hugepages), not including tmpfs (shmem), in bytes.
- - name: stats.rss_huge.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Number of bytes of anonymous transparent hugepages.
- - name: stats.swap.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Swap usage, in bytes.
- - name: stats.unevictable.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Memory that cannot be reclaimed, in bytes.
- - name: blkio
- type: group
- fields:
- - name: id
- type: keyword
- description: ID of the cgroup.
- - name: path
- type: keyword
- description: |
- Path to the cgroup relative to the cgroup subsystems mountpoint.
- - name: total.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Total number of bytes transferred to and from all block devices by processes in the cgroup.
- - name: total.ios
- type: long
- metric_type: counter
- description: |
- Total number of I/O operations performed on all devices by processes in the cgroup as seen by the throttling policy.
diff --git a/packages/system/0.10.7/data_stream/process/manifest.yml b/packages/system/0.10.7/data_stream/process/manifest.yml
deleted file mode 100644
index fd982eb931..0000000000
--- a/packages/system/0.10.7/data_stream/process/manifest.yml
+++ /dev/null
@@ -1,85 +0,0 @@
-title: System process metrics
-release: experimental
-type: metrics
-streams:
- - input: system/metrics
- vars:
- - name: period
- type: text
- title: Period
- multi: false
- required: true
- show_user: true
- default: 10s
- - name: process.include_top_n.by_cpu
- type: integer
- title: Process Include Top N By Cpu
- multi: false
- required: true
- show_user: true
- default: 5
- description: >
- Include the top N processes by CPU usage.
-
- - name: process.include_top_n.by_memory
- type: integer
- title: Process Include Top N By Memory
- multi: false
- required: true
- show_user: true
- default: 5
- description: >
- Include the top N processes by memory usage.
-
- - name: process.cmdline.cache.enabled
- type: bool
- title: Enable cmdline cache
- multi: false
- required: false
- show_user: true
- default: true
- description: >
- If false, cmdline of a process is not cached.
-
- - name: process.cgroups.enabled
- type: bool
- title: Enable cgroup reporting
- multi: false
- required: false
- show_user: true
- default: false
- description: >
- Enable collection of cgroup metrics from processes on Linux.
-
- - name: process.env.whitelist
- type: text
- title: Env whitelist
- multi: true
- required: false
- show_user: true
- description: >
- A list of regular expressions used to whitelist environment variables reported with the process metricset's events. Defaults to empty.
-
- - name: process.include_cpu_ticks
- type: bool
- title: Include CPU Ticks
- multi: false
- required: false
- show_user: true
- default: false
- description: >
- Include the cumulative CPU tick values with the process metrics.
-
- - name: processes
- type: text
- title: Processes
- multi: true
- required: true
- show_user: true
- description: >
- A glob to match reported processes. By default all processes are reported.
-
- default:
- - .*
- title: System process metrics
- description: Collect System process metrics
diff --git a/packages/system/0.10.7/data_stream/process_summary/agent/stream/stream.yml.hbs b/packages/system/0.10.7/data_stream/process_summary/agent/stream/stream.yml.hbs
deleted file mode 100644
index 9c7cfe4dc8..0000000000
--- a/packages/system/0.10.7/data_stream/process_summary/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,2 +0,0 @@
-metricsets: ["process_summary"]
-period: {{period}}
\ No newline at end of file
diff --git a/packages/system/0.10.7/data_stream/process_summary/fields/agent.yml b/packages/system/0.10.7/data_stream/process_summary/fields/agent.yml
deleted file mode 100644
index da4e652c53..0000000000
--- a/packages/system/0.10.7/data_stream/process_summary/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/system/0.10.7/data_stream/process_summary/fields/base-fields.yml b/packages/system/0.10.7/data_stream/process_summary/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.10.7/data_stream/process_summary/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.10.7/data_stream/process_summary/fields/ecs.yml b/packages/system/0.10.7/data_stream/process_summary/fields/ecs.yml
deleted file mode 100644
index 9f3d04118b..0000000000
--- a/packages/system/0.10.7/data_stream/process_summary/fields/ecs.yml
+++ /dev/null
@@ -1,128 +0,0 @@ -- name: '@timestamp' - level: core - required: true - type: date - description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. -- name: message - level: core - type: text - description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. -- name: group - title: Group - group: 2 - type: group - fields: - - name: id - level: extended - type: keyword - description: Unique identifier for the group on the system/platform. - ignore_above: 1024 - - name: name - level: extended - type: keyword - description: Name of the group. - ignore_above: 1024 -- name: host - title: Host - group: 2 - type: group - fields: - - name: hostname - level: core - type: keyword - description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - ignore_above: 1024 -- name: process - title: Process - group: 2 - type: group - fields: - - name: name - level: extended - type: keyword - description: |- - Process name. - Sometimes called program name or similar. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - - name: pid - level: core - type: long - format: string - description: Process id. -- name: source - title: Source - group: 2 - type: group - fields: - - name: geo.city_name - level: core - type: keyword - description: City name. 
- ignore_above: 1024 - - name: geo.continent_name - level: core - type: keyword - description: Name of the continent. - ignore_above: 1024 - - name: geo.country_iso_code - level: core - type: keyword - description: Country ISO code. - ignore_above: 1024 - - name: geo.location - level: core - type: geo_point - description: Longitude and latitude. - - name: geo.region_iso_code - level: core - type: keyword - description: Region ISO code. - ignore_above: 1024 - - name: geo.region_name - level: core - type: keyword - description: Region name. - ignore_above: 1024 - - name: ip - level: core - type: ip - description: IP address of the source (IPv4 or IPv6). - - name: port - level: core - type: long - format: string - description: Port of the source. -- name: user - title: User - group: 2 - type: group - fields: - - name: id - level: core - type: keyword - description: Unique identifier of the user. - ignore_above: 1024 - - name: name - level: core - type: keyword - description: Short name or login of the user. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false diff --git a/packages/system/0.10.7/data_stream/process_summary/fields/fields.yml b/packages/system/0.10.7/data_stream/process_summary/fields/fields.yml deleted file mode 100644 index bc9254a2ae..0000000000 --- a/packages/system/0.10.7/data_stream/process_summary/fields/fields.yml +++ /dev/null 
@@ -1,44 +0,0 @@ -- name: system.process.summary - title: Process Summary - type: group - fields: - - name: total - type: long - metric_type: gauge - description: | - Total number of processes on this host. - - name: running - type: long - metric_type: gauge - description: | - Number of running processes on this host. - - name: idle - type: long - metric_type: gauge - description: | - Number of idle processes on this host. - - name: sleeping - type: long - metric_type: gauge - description: | - Number of sleeping processes on this host. - - name: stopped - type: long - metric_type: gauge - description: | - Number of stopped processes on this host. - - name: zombie - type: long - metric_type: gauge - description: | - Number of zombie processes on this host. - - name: dead - type: long - metric_type: gauge - description: | - Number of dead processes on this host. It's very unlikely that it will appear but in some special situations it may happen. - - name: unknown - type: long - metric_type: gauge - description: | - Number of processes for which the state couldn't be retrieved or is unknown. diff --git a/packages/system/0.10.7/data_stream/process_summary/manifest.yml b/packages/system/0.10.7/data_stream/process_summary/manifest.yml deleted file mode 100644 index cd89d30b94..0000000000 --- a/packages/system/0.10.7/data_stream/process_summary/manifest.yml +++ /dev/null @@ -1,15 +0,0 @@ -title: System process_summary metrics -release: experimental -type: metrics -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - title: System process_summary metrics - description: Collect System process_summary metrics diff --git a/packages/system/0.10.7/data_stream/security/agent/stream/winlog.yml.hbs b/packages/system/0.10.7/data_stream/security/agent/stream/winlog.yml.hbs deleted file mode 100644 index ea60e77baf..0000000000 
--- a/packages/system/0.10.7/data_stream/security/agent/stream/winlog.yml.hbs +++ /dev/null 
@@ -1,2053 +0,0 @@ -name: Security -condition: ${host.platform} == 'windows' -processors: - - add_fields: - target: '' - fields: - ecs.version: 1.6.0 - - script: - lang: javascript - id: security - source: |- - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - var security = (function () { - var path = require("path"); - var processor = require("processor"); - var windows = require("windows"); - // Logon Types - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events - var logonTypes = { - "2": "Interactive", - "3": "Network", - "4": "Batch", - "5": "Service", - "7": "Unlock", - "8": "NetworkCleartext", - "9": "NewCredentials", - "10": "RemoteInteractive", - "11": "CachedInteractive", - }; - // User Account Control Attributes Table - // https://support.microsoft.com/es-us/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties - var uacFlags = [ - [0x0001, 'SCRIPT'], - [0x0002, 'ACCOUNTDISABLE'], - [0x0008, 'HOMEDIR_REQUIRED'], - [0x0010, 'LOCKOUT'], - [0x0020, 'PASSWD_NOTREQD'], - [0x0040, 'PASSWD_CANT_CHANGE'], - [0x0080, 'ENCRYPTED_TEXT_PWD_ALLOWED'], - [0x0100, 'TEMP_DUPLICATE_ACCOUNT'], - [0x0200, 'NORMAL_ACCOUNT'], - [0x0800, 'INTERDOMAIN_TRUST_ACCOUNT'], - [0x1000, 'WORKSTATION_TRUST_ACCOUNT'], - [0x2000, 'SERVER_TRUST_ACCOUNT'], - [0x10000, 'DONT_EXPIRE_PASSWORD'], - [0x20000, 'MNS_LOGON_ACCOUNT'], - [0x40000, 'SMARTCARD_REQUIRED'], - [0x80000, 'TRUSTED_FOR_DELEGATION'], - [0x100000, 'NOT_DELEGATED'], - [0x200000, 'USE_DES_KEY_ONLY'], - [0x400000, 'DONT_REQ_PREAUTH'], - [0x800000, 'PASSWORD_EXPIRED'], - [0x1000000, 'TRUSTED_TO_AUTH_FOR_DELEGATION'], - [0x04000000, 'PARTIAL_SECRETS_ACCOUNT'], - ]; - // Kerberos TGT and TGS Ticket Options - // 
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769 - var ticketOptions = [ - "Reserved", - "Forwardable", - "Forwarded", - "Proxiable", - "Proxy", - "Allow-postdate", - "Postdated", - "Invalid", - "Renewable", - "Initial", - "Pre-authent", - "Opt-hardware-auth", - "Transited-policy-checked", - "Ok-as-delegate", - "Request-anonymous", - "Name-canonicalize", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Disable-transited-check", - "Renewable-ok", - "Enc-tkt-in-skey", - "Unused", - "Renew", - "Validate"]; - // Kerberos Encryption Types - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - var ticketEncryptionTypes = { - "0x1": "DES-CBC-CRC", - "0x3": "DES-CBC-MD5", - "0x11": "AES128-CTS-HMAC-SHA1-96", - "0x12": "AES256-CTS-HMAC-SHA1-96", - "0x17": "RC4-HMAC", - "0x18": "RC4-HMAC-EXP", - "0xffffffff": "FAIL", - }; - // Kerberos Result Status Codes - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - var kerberosTktStatusCodes = { - "0x0": "KDC_ERR_NONE", - "0x1": "KDC_ERR_NAME_EXP", - "0x2": "KDC_ERR_SERVICE_EXP", - "0x3": "KDC_ERR_BAD_PVNO", - "0x4": "KDC_ERR_C_OLD_MAST_KVNO", - "0x5": "KDC_ERR_S_OLD_MAST_KVNO", - "0x6": "KDC_ERR_C_PRINCIPAL_UNKNOWN", - "0x7": "KDC_ERR_S_PRINCIPAL_UNKNOWN", - "0x8": "KDC_ERR_PRINCIPAL_NOT_UNIQUE", - "0x9": "KDC_ERR_NULL_KEY", - "0xA": "KDC_ERR_CANNOT_POSTDATE", - "0xB": "KDC_ERR_NEVER_VALID", - "0xC": "KDC_ERR_POLICY", - "0xD": "KDC_ERR_BADOPTION", - "0xE": "KDC_ERR_ETYPE_NOTSUPP", - "0xF": "KDC_ERR_SUMTYPE_NOSUPP", - "0x10": "KDC_ERR_PADATA_TYPE_NOSUPP", - "0x11": 
"KDC_ERR_TRTYPE_NO_SUPP", - "0x12": "KDC_ERR_CLIENT_REVOKED", - "0x13": "KDC_ERR_SERVICE_REVOKED", - "0x14": "KDC_ERR_TGT_REVOKED", - "0x15": "KDC_ERR_CLIENT_NOTYET", - "0x16": "KDC_ERR_SERVICE_NOTYET", - "0x17": "KDC_ERR_KEY_EXPIRED", - "0x18": "KDC_ERR_PREAUTH_FAILED", - "0x19": "KDC_ERR_PREAUTH_REQUIRED", - "0x1A": "KDC_ERR_SERVER_NOMATCH", - "0x1B": "KDC_ERR_MUST_USE_USER2USER", - "0x1F": "KRB_AP_ERR_BAD_INTEGRITY", - "0x20": "KRB_AP_ERR_TKT_EXPIRED", - "0x21": "KRB_AP_ERR_TKT_NYV", - "0x22": "KRB_AP_ERR_REPEAT", - "0x23": "KRB_AP_ERR_NOT_US", - "0x24": "KRB_AP_ERR_BADMATCH", - "0x25": "KRB_AP_ERR_SKEW", - "0x26": "KRB_AP_ERR_BADADDR", - "0x27": "KRB_AP_ERR_BADVERSION", - "0x28": "KRB_AP_ERR_MSG_TYPE", - "0x29": "KRB_AP_ERR_MODIFIED", - "0x2A": "KRB_AP_ERR_BADORDER", - "0x2C": "KRB_AP_ERR_BADKEYVER", - "0x2D": "KRB_AP_ERR_NOKEY", - "0x2E": "KRB_AP_ERR_MUT_FAIL", - "0x2F": "KRB_AP_ERR_BADDIRECTION", - "0x30": "KRB_AP_ERR_METHOD", - "0x31": "KRB_AP_ERR_BADSEQ", - "0x32": "KRB_AP_ERR_INAPP_CKSUM", - "0x33": "KRB_AP_PATH_NOT_ACCEPTED", - "0x34": "KRB_ERR_RESPONSE_TOO_BIG", - "0x3C": "KRB_ERR_GENERIC", - "0x3D": "KRB_ERR_FIELD_TOOLONG", - "0x3E": "KDC_ERR_CLIENT_NOT_TRUSTED", - "0x3F": "KDC_ERR_KDC_NOT_TRUSTED", - "0x40": "KDC_ERR_INVALID_SIG", - "0x41": "KDC_ERR_KEY_TOO_WEAK", - "0x42": "KRB_AP_ERR_USER_TO_USER_REQUIRED", - "0x43": "KRB_AP_ERR_NO_TGT", - "0x44": "KDC_ERR_WRONG_REALM", - }; - // event.category, event.type, event.action - var eventActionTypes = { - "1100": ["process","end","logging-service-shutdown"], - "1102": ["iam", "admin", "audit-log-cleared"], - "1104": ["iam","admin","logging-full"], - "1105": ["iam","admin","auditlog-archieved"], - "1108": ["iam","admin","logging-processing-error"], - "4624": ["authentication","start","logged-in"], - "4625": ["authentication","start","logon-failed"], - "4634": ["authentication","end","logged-out"], - "4647": ["authentication","end","logged-out"], - "4648": ["authentication","start","logged-in-explicit"], - 
"4672": ["iam","admin","logged-in-special"], - "4673": ["iam","admin","privileged-service-called"], - "4674": ["iam","admin","privileged-operation"], - "4688": ["process","start","created-process"], - "4689": ["process", "end", "exited-process"], - "4697": ["iam","admin","service-installed"], - "4698": ["iam","creation","scheduled-task-created"], - "4699": ["iam","deletion","scheduled-task-deleted"], - "4700": ["iam","change","scheduled-task-enabled"], - "4701": ["iam","change","scheduled-task-disabled"], - "4702": ["iam","change","scheduled-task-updated"], - "4719": ["iam","admin","changed-audit-config"], - "4720": ["iam","creation","added-user-account"], - "4722": ["iam","creation","enabled-user-account"], - "4723": ["iam","change","changed-password"], - "4724": ["iam","change","reset-password"], - "4725": ["iam","deletion","disabled-user-account"], - "4726": ["iam","deletion","deleted-user-account"], - "4727": ["iam","creation","added-group-account"], - "4728": ["iam","change","added-member-to-group"], - "4729": ["iam","change","removed-member-from-group"], - "4730": ["iam","deletion","deleted-group-account"], - "4731": ["iam","creation","added-group-account"], - "4732": ["iam","change","added-member-to-group"], - "4733": ["iam","change","removed-member-from-group"], - "4734": ["iam","deletion","deleted-group-account"], - "4735": ["iam","change","modified-group-account"], - "4737": ["iam","change","modified-group-account"], - "4738": ["iam","change","modified-user-account"], - "4740": ["iam","change","locked-out-user-account"], - "4741": ["iam","creation","added-computer-account"], - "4742": ["iam","change","changed-computer-account"], - "4743": ["iam","deletion","deleted-computer-account"], - "4744": ["iam","creation","added-distribution-group-account"], - "4745": ["iam","change","changed-distribution-group-account"], - "4746": ["iam","change","added-member-to-distribution-group"], - "4747": ["iam","change","removed-member-from-distribution-group"], - "4748": 
["iam","deletion","deleted-distribution-group-account"], - "4749": ["iam","creation","added-distribution-group-account"], - "4750": ["iam","change","changed-distribution-group-account"], - "4751": ["iam","change","added-member-to-distribution-group"], - "4752": ["iam","change","removed-member-from-distribution-group"], - "4753": ["iam","deletion","deleted-distribution-group-account"], - "4754": ["iam","creation","added-group-account"], - "4755": ["iam","change","modified-group-account"], - "4756": ["iam","change","added-member-to-group"], - "4757": ["iam","change","removed-member-from-group"], - "4758": ["iam","deletion","deleted-group-account"], - "4759": ["iam","creation","added-distribution-group-account"], - "4760": ["iam","change","changed-distribution-group-account"], - "4761": ["iam","change","added-member-to-distribution-group"], - "4762": ["iam","change","removed-member-from-distribution-group"], - "4763": ["iam","deletion","deleted-distribution-group-account"], - "4764": ["iam","change","type-changed-group-account"], - "4767": ["iam","change","unlocked-user-account"], - "4768": ["authentication","start","kerberos-authentication-ticket-requested"], - "4769": ["authentication","start","kerberos-service-ticket-requested"], - "4770": ["authentication","start","kerberos-service-ticket-renewed"], - "4771": ["authentication","start","kerberos-preauth-failed"], - "4776": ["authentication","start","credential-validated"], - "4778": ["authentication","start","session-reconnected"], - "4779": ["authentication","end","session-disconnected"], - "4781": ["iam","change","renamed-user-account","dummy"], - "4798": ["iam","info","group-membership-enumerated"], - "4799": ["iam","info","user-member-enumerated","dummy"], - "4964": ["iam","admin","logged-in-special"], - }; - // Audit Policy Changes Table - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4719 - var auditActions = { - "8448": "Success Removed", - "8450": "Failure Removed", - 
"8449": "Success Added", - "8451": "Failure Added", - }; - // Services Types - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697 - var serviceTypes = { - "0x1": "Kernel Driver", - "0x2": "File System Driver", - "0x8": "Recognizer Driver", - "0x10": "Win32 Own Process", - "0x20": "Win32 Share Process", - "0x110": "Interactive Own Process", - "0x120": "Interactive Share Process", - }; - // Audit Categories Description - // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpac/77878370-0712-47cd-997d-b07053429f6d - var auditDescription = { - "0CCE9210-69AE-11D9-BED3-505054503030":["Security State Change", "System"], - "0CCE9211-69AE-11D9-BED3-505054503030":["Security System Extension", "System"], - "0CCE9212-69AE-11D9-BED3-505054503030":["System Integrity", "System"], - "0CCE9213-69AE-11D9-BED3-505054503030":["IPsec Driver", "System"], - "0CCE9214-69AE-11D9-BED3-505054503030":["Other System Events", "System"], - "0CCE9215-69AE-11D9-BED3-505054503030":["Logon", "Logon/Logoff"], - "0CCE9216-69AE-11D9-BED3-505054503030":["Logoff","Logon/Logoff"], - "0CCE9217-69AE-11D9-BED3-505054503030":["Account Lockout","Logon/Logoff"], - "0CCE9218-69AE-11D9-BED3-505054503030":["IPsec Main Mode","Logon/Logoff"], - "0CCE9219-69AE-11D9-BED3-505054503030":["IPsec Quick Mode","Logon/Logoff"], - "0CCE921A-69AE-11D9-BED3-505054503030":["IPsec Extended Mode","Logon/Logoff"], - "0CCE921B-69AE-11D9-BED3-505054503030":["Special Logon","Logon/Logoff"], - "0CCE921C-69AE-11D9-BED3-505054503030":["Other Logon/Logoff Events","Logon/Logoff"], - "0CCE9243-69AE-11D9-BED3-505054503030":["Network Policy Server","Logon/Logoff"], - "0CCE9247-69AE-11D9-BED3-505054503030":["User / Device Claims","Logon/Logoff"], - "0CCE921D-69AE-11D9-BED3-505054503030":["File System","Object Access"], - "0CCE921E-69AE-11D9-BED3-505054503030":["Registry","Object Access"], - "0CCE921F-69AE-11D9-BED3-505054503030":["Kernel Object","Object Access"], - 
"0CCE9220-69AE-11D9-BED3-505054503030":["SAM","Object Access"], - "0CCE9221-69AE-11D9-BED3-505054503030":["Certification Services","Object Access"], - "0CCE9222-69AE-11D9-BED3-505054503030":["Application Generated","Object Access"], - "0CCE9223-69AE-11D9-BED3-505054503030":["Handle Manipulation","Object Access"], - "0CCE9224-69AE-11D9-BED3-505054503030":["File Share","Object Access"], - "0CCE9225-69AE-11D9-BED3-505054503030":["Filtering Platform Packet Drop","Object Access"], - "0CCE9226-69AE-11D9-BED3-505054503030":["Filtering Platform Connection ","Object Access"], - "0CCE9227-69AE-11D9-BED3-505054503030":["Other Object Access Events","Object Access"], - "0CCE9244-69AE-11D9-BED3-505054503030":["Detailed File Share","Object Access"], - "0CCE9245-69AE-11D9-BED3-505054503030":["Removable Storage","Object Access"], - "0CCE9246-69AE-11D9-BED3-505054503030":["Central Policy Staging","Object Access"], - "0CCE9228-69AE-11D9-BED3-505054503030":["Sensitive Privilege Use","Privilege Use"], - "0CCE9229-69AE-11D9-BED3-505054503030":["Non Sensitive Privilege Use","Privilege Use"], - "0CCE922A-69AE-11D9-BED3-505054503030":["Other Privilege Use Events","Privilege Use"], - "0CCE922B-69AE-11D9-BED3-505054503030":["Process Creation","Detailed Tracking"], - "0CCE922C-69AE-11D9-BED3-505054503030":["Process Termination","Detailed Tracking"], - "0CCE922D-69AE-11D9-BED3-505054503030":["DPAPI Activity","Detailed Tracking"], - "0CCE922E-69AE-11D9-BED3-505054503030":["RPC Events","Detailed Tracking"], - "0CCE9248-69AE-11D9-BED3-505054503030":["Plug and Play Events","Detailed Tracking"], - "0CCE922F-69AE-11D9-BED3-505054503030":["Audit Policy Change","Policy Change"], - "0CCE9230-69AE-11D9-BED3-505054503030":["Authentication Policy Change","Policy Change"], - "0CCE9231-69AE-11D9-BED3-505054503030":["Authorization Policy Change","Policy Change"], - "0CCE9232-69AE-11D9-BED3-505054503030":["MPSSVC Rule-Level Policy Change","Policy Change"], - "0CCE9233-69AE-11D9-BED3-505054503030":["Filtering 
Platform Policy Change","Policy Change"], - "0CCE9234-69AE-11D9-BED3-505054503030":["Other Policy Change Events","Policy Change"], - "0CCE9235-69AE-11D9-BED3-505054503030":["User Account Management","Account Management"], - "0CCE9236-69AE-11D9-BED3-505054503030":["Computer Account Management","Account Management"], - "0CCE9237-69AE-11D9-BED3-505054503030":["Security Group Management","Account Management"], - "0CCE9238-69AE-11D9-BED3-505054503030":["Distribution Group Management","Account Management"], - "0CCE9239-69AE-11D9-BED3-505054503030":["Application Group Management","Account Management"], - "0CCE923A-69AE-11D9-BED3-505054503030":["Other Account Management Events","Account Management"], - "0CCE923B-69AE-11D9-BED3-505054503030":["Directory Service Access","Account Management"], - "0CCE923C-69AE-11D9-BED3-505054503030":["Directory Service Changes","Account Management"], - "0CCE923D-69AE-11D9-BED3-505054503030":["Directory Service Replication","Account Management"], - "0CCE923E-69AE-11D9-BED3-505054503030":["Detailed Directory Service Replication","Account Management"], - "0CCE923F-69AE-11D9-BED3-505054503030":["Credential Validation","Account Logon"], - "0CCE9240-69AE-11D9-BED3-505054503030":["Kerberos Service Ticket Operations","Account Logon"], - "0CCE9241-69AE-11D9-BED3-505054503030":["Other Account Logon Events","Account Logon"], - "0CCE9242-69AE-11D9-BED3-505054503030":["Kerberos Authentication Service","Account Logon"], - }; - // Descriptions of failure status codes. 
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625 - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776 - var logonFailureStatus = { - "0xc000005e": "There are currently no logon servers available to service the logon request.", - "0xc0000064": "User logon with misspelled or bad user account", - "0xc000006a": "User logon with misspelled or bad password", - "0xc000006d": "This is either due to a bad username or authentication information", - "0xc000006e": "Unknown user name or bad password.", - "0xc000006f": "User logon outside authorized hours", - "0xc0000070": "User logon from unauthorized workstation", - "0xc0000071": "User logon with expired password", - "0xc0000072": "User logon to account disabled by administrator", - "0xc00000dc": "Indicates the Sam Server was in the wrong state to perform the desired operation.", - "0xc0000133": "Clocks between DC and other computer too far out of sync", - "0xc000015b": "The user has not been granted the requested logon type (aka logon right) at this machine", - "0xc000018c": "The logon request failed because the trust relationship between the primary domain and the trusted domain failed.", - "0xc0000192": "An attempt was made to logon, but the Netlogon service was not started.", - "0xc0000193": "User logon with expired account", - "0xc0000224": "User is required to change password at next logon", - "0xc0000225": "Evidently a bug in Windows and not a risk", - "0xc0000234": "User logon with account locked", - "0xc00002ee": "Failure Reason: An Error occurred during Logon", - "0xc0000413": "Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine.", - "0xc0000371": "The local account store does not contain secret material for the specified account", - "0x0": "Status OK.", - }; - // Message table extracted from msobjs.dll on Windows 2019. 
- // https://gist.github.com/andrewkroh/665dca0682bd0e4daf194ab291694012 - var msobjsMessageTable = { - "279": "Undefined Access (no effect) Bit 7", - "1536": "Unused message ID", - "1537": "DELETE", - "1538": "READ_CONTROL", - "1539": "WRITE_DAC", - "1540": "WRITE_OWNER", - "1541": "SYNCHRONIZE", - "1542": "ACCESS_SYS_SEC", - "1543": "MAX_ALLOWED", - "1552": "Unknown specific access (bit 0)", - "1553": "Unknown specific access (bit 1)", - "1554": "Unknown specific access (bit 2)", - "1555": "Unknown specific access (bit 3)", - "1556": "Unknown specific access (bit 4)", - "1557": "Unknown specific access (bit 5)", - "1558": "Unknown specific access (bit 6)", - "1559": "Unknown specific access (bit 7)", - "1560": "Unknown specific access (bit 8)", - "1561": "Unknown specific access (bit 9)", - "1562": "Unknown specific access (bit 10)", - "1563": "Unknown specific access (bit 11)", - "1564": "Unknown specific access (bit 12)", - "1565": "Unknown specific access (bit 13)", - "1566": "Unknown specific access (bit 14)", - "1567": "Unknown specific access (bit 15)", - "1601": "Not used", - "1603": "Assign Primary Token Privilege", - "1604": "Lock Memory Privilege", - "1605": "Increase Memory Quota Privilege", - "1606": "Unsolicited Input Privilege", - "1607": "Trusted Computer Base Privilege", - "1608": "Security Privilege", - "1609": "Take Ownership Privilege", - "1610": "Load/Unload Driver Privilege", - "1611": "Profile System Privilege", - "1612": "Set System Time Privilege", - "1613": "Profile Single Process Privilege", - "1614": "Increment Base Priority Privilege", - "1615": "Create Pagefile Privilege", - "1616": "Create Permanent Object Privilege", - "1617": "Backup Privilege", - "1618": "Restore From Backup Privilege", - "1619": "Shutdown System Privilege", - "1620": "Debug Privilege", - "1621": "View or Change Audit Log Privilege", - "1622": "Change Hardware Environment Privilege", - "1623": "Change Notify (and Traverse) Privilege", - "1624": "Remotely Shut 
System Down Privilege", - "1792": "", - "1794": "", - "1795": "Enabled", - "1796": "Disabled", - "1797": "All", - "1798": "None", - "1799": "Audit Policy query/set API Operation", - "1800": "", - "1801": "Granted by", - "1802": "Denied by", - "1803": "Denied by Integrity Policy check", - "1804": "Granted by Ownership", - "1805": "Not granted", - "1806": "Granted by NULL DACL", - "1807": "Denied by Empty DACL", - "1808": "Granted by NULL Security Descriptor", - "1809": "Unknown or unchecked", - "1810": "Not granted due to missing", - "1811": "Granted by ACE on parent folder", - "1812": "Denied by ACE on parent folder", - "1813": "Granted by Central Access Rule", - "1814": "NOT Granted by Central Access Rule", - "1815": "Granted by parent folder's Central Access Rule", - "1816": "NOT Granted by parent folder's Central Access Rule", - "1817": "Unknown Type", - "1818": "String", - "1819": "Unsigned 64-bit Integer", - "1820": "64-bit Integer", - "1821": "FQBN", - "1822": "Blob", - "1823": "Sid", - "1824": "Boolean", - "1825": "TRUE", - "1826": "FALSE", - "1827": "Invalid", - "1828": "an ACE too long to display", - "1829": "a Security Descriptor too long to display", - "1830": "Not granted to AppContainers", - "1831": "...", - "1832": "Identification", - "1833": "Impersonation", - "1840": "Delegation", - "1841": "Denied by Process Trust Label ACE", - "1842": "Yes", - "1843": "No", - "1844": "System", - "1845": "Not Available", - "1846": "Default", - "1847": "DisallowMmConfig", - "1848": "Off", - "1849": "Auto", - "1872": "REG_NONE", - "1873": "REG_SZ", - "1874": "REG_EXPAND_SZ", - "1875": "REG_BINARY", - "1876": "REG_DWORD", - "1877": "REG_DWORD_BIG_ENDIAN", - "1878": "REG_LINK", - "1879": "REG_MULTI_SZ (New lines are replaced with *. 
A * is replaced with **)", - "1880": "REG_RESOURCE_LIST", - "1881": "REG_FULL_RESOURCE_DESCRIPTOR", - "1882": "REG_RESOURCE_REQUIREMENTS_LIST", - "1883": "REG_QWORD", - "1904": "New registry value created", - "1905": "Existing registry value modified", - "1906": "Registry value deleted", - "1920": "Sunday", - "1921": "Monday", - "1922": "Tuesday", - "1923": "Wednesday", - "1924": "Thursday", - "1925": "Friday", - "1926": "Saturday", - "1936": "TokenElevationTypeDefault (1)", - "1937": "TokenElevationTypeFull (2)", - "1938": "TokenElevationTypeLimited (3)", - "2048": "Account Enabled", - "2049": "Home Directory Required' - Disabled", - "2050": "Password Not Required' - Disabled", - "2051": "Temp Duplicate Account' - Disabled", - "2052": "Normal Account' - Disabled", - "2053": "MNS Logon Account' - Disabled", - "2054": "Interdomain Trust Account' - Disabled", - "2055": "Workstation Trust Account' - Disabled", - "2056": "Server Trust Account' - Disabled", - "2057": "Don't Expire Password' - Disabled", - "2058": "Account Unlocked", - "2059": "Encrypted Text Password Allowed' - Disabled", - "2060": "Smartcard Required' - Disabled", - "2061": "Trusted For Delegation' - Disabled", - "2062": "Not Delegated' - Disabled", - "2063": "Use DES Key Only' - Disabled", - "2064": "Don't Require Preauth' - Disabled", - "2065": "Password Expired' - Disabled", - "2066": "Trusted To Authenticate For Delegation' - Disabled", - "2067": "Exclude Authorization Information' - Disabled", - "2068": "Undefined UserAccountControl Bit 20' - Disabled", - "2069": "Protect Kerberos Service Tickets with AES Keys' - Disabled", - "2070": "Undefined UserAccountControl Bit 22' - Disabled", - "2071": "Undefined UserAccountControl Bit 23' - Disabled", - "2072": "Undefined UserAccountControl Bit 24' - Disabled", - "2073": "Undefined UserAccountControl Bit 25' - Disabled", - "2074": "Undefined UserAccountControl Bit 26' - Disabled", - "2075": "Undefined UserAccountControl Bit 27' - Disabled", - "2076": 
"Undefined UserAccountControl Bit 28' - Disabled", - "2077": "Undefined UserAccountControl Bit 29' - Disabled", - "2078": "Undefined UserAccountControl Bit 30' - Disabled", - "2079": "Undefined UserAccountControl Bit 31' - Disabled", - "2080": "Account Disabled", - "2081": "Home Directory Required' - Enabled", - "2082": "Password Not Required' - Enabled", - "2083": "Temp Duplicate Account' - Enabled", - "2084": "Normal Account' - Enabled", - "2085": "MNS Logon Account' - Enabled", - "2086": "Interdomain Trust Account' - Enabled", - "2087": "Workstation Trust Account' - Enabled", - "2088": "Server Trust Account' - Enabled", - "2089": "Don't Expire Password' - Enabled", - "2090": "Account Locked", - "2091": "Encrypted Text Password Allowed' - Enabled", - "2092": "Smartcard Required' - Enabled", - "2093": "Trusted For Delegation' - Enabled", - "2094": "Not Delegated' - Enabled", - "2095": "Use DES Key Only' - Enabled", - "2096": "Don't Require Preauth' - Enabled", - "2097": "Password Expired' - Enabled", - "2098": "Trusted To Authenticate For Delegation' - Enabled", - "2099": "Exclude Authorization Information' - Enabled", - "2100": "Undefined UserAccountControl Bit 20' - Enabled", - "2101": "Protect Kerberos Service Tickets with AES Keys' - Enabled", - "2102": "Undefined UserAccountControl Bit 22' - Enabled", - "2103": "Undefined UserAccountControl Bit 23' - Enabled", - "2104": "Undefined UserAccountControl Bit 24' - Enabled", - "2105": "Undefined UserAccountControl Bit 25' - Enabled", - "2106": "Undefined UserAccountControl Bit 26' - Enabled", - "2107": "Undefined UserAccountControl Bit 27' - Enabled", - "2108": "Undefined UserAccountControl Bit 28' - Enabled", - "2109": "Undefined UserAccountControl Bit 29' - Enabled", - "2110": "Undefined UserAccountControl Bit 30' - Enabled", - "2111": "Undefined UserAccountControl Bit 31' - Enabled", - "2304": "An Error occured during Logon.", - "2305": "The specified user account has expired.", - "2306": "The NetLogon component 
is not active.", - "2307": "Account locked out.", - "2308": "The user has not been granted the requested logon type at this machine.", - "2309": "The specified account's password has expired.", - "2310": "Account currently disabled.", - "2311": "Account logon time restriction violation.", - "2312": "User not allowed to logon at this computer.", - "2313": "Unknown user name or bad password.", - "2314": "Domain sid inconsistent.", - "2315": "Smartcard logon is required and was not used.", - "2432": "Not Available.", - "2436": "Random number generator failure.", - "2437": "Random number generation failed FIPS-140 pre-hash check.", - "2438": "Failed to zero secret data.", - "2439": "Key failed pair wise consistency check.", - "2448": "Failed to unprotect persistent cryptographic key.", - "2449": "Key export checks failed.", - "2450": "Validation of public key failed.", - "2451": "Signature verification failed.", - "2456": "Open key file.", - "2457": "Delete key file.", - "2458": "Read persisted key from file.", - "2459": "Write persisted key to file.", - "2464": "Export of persistent cryptographic key.", - "2465": "Import of persistent cryptographic key.", - "2480": "Open Key.", - "2481": "Create Key.", - "2482": "Delete Key.", - "2483": "Encrypt.", - "2484": "Decrypt.", - "2485": "Sign hash.", - "2486": "Secret agreement.", - "2487": "Domain settings", - "2488": "Local settings", - "2489": "Add provider.", - "2490": "Remove provider.", - "2491": "Add context.", - "2492": "Remove context.", - "2493": "Add function.", - "2494": "Remove function.", - "2495": "Add function provider.", - "2496": "Remove function provider.", - "2497": "Add function property.", - "2498": "Remove function property.", - "2499": "Machine key.", - "2500": "User key.", - "2501": "Key Derivation.", - "4352": "Device Access Bit 0", - "4353": "Device Access Bit 1", - "4354": "Device Access Bit 2", - "4355": "Device Access Bit 3", - "4356": "Device Access Bit 4", - "4357": "Device Access Bit 5", - 
"4358": "Device Access Bit 6", - "4359": "Device Access Bit 7", - "4360": "Device Access Bit 8", - "4361": "Undefined Access (no effect) Bit 9", - "4362": "Undefined Access (no effect) Bit 10", - "4363": "Undefined Access (no effect) Bit 11", - "4364": "Undefined Access (no effect) Bit 12", - "4365": "Undefined Access (no effect) Bit 13", - "4366": "Undefined Access (no effect) Bit 14", - "4367": "Undefined Access (no effect) Bit 15", - "4368": "Query directory", - "4369": "Traverse", - "4370": "Create object in directory", - "4371": "Create sub-directory", - "4372": "Undefined Access (no effect) Bit 4", - "4373": "Undefined Access (no effect) Bit 5", - "4374": "Undefined Access (no effect) Bit 6", - "4375": "Undefined Access (no effect) Bit 7", - "4376": "Undefined Access (no effect) Bit 8", - "4377": "Undefined Access (no effect) Bit 9", - "4378": "Undefined Access (no effect) Bit 10", - "4379": "Undefined Access (no effect) Bit 11", - "4380": "Undefined Access (no effect) Bit 12", - "4381": "Undefined Access (no effect) Bit 13", - "4382": "Undefined Access (no effect) Bit 14", - "4383": "Undefined Access (no effect) Bit 15", - "4384": "Query event state", - "4385": "Modify event state", - "4386": "Undefined Access (no effect) Bit 2", - "4387": "Undefined Access (no effect) Bit 3", - "4388": "Undefined Access (no effect) Bit 4", - "4389": "Undefined Access (no effect) Bit 5", - "4390": "Undefined Access (no effect) Bit 6", - "4391": "Undefined Access (no effect) Bit 7", - "4392": "Undefined Access (no effect) Bit 8", - "4393": "Undefined Access (no effect) Bit 9", - "4394": "Undefined Access (no effect) Bit 10", - "4395": "Undefined Access (no effect) Bit 11", - "4396": "Undefined Access (no effect) Bit 12", - "4397": "Undefined Access (no effect) Bit 13", - "4398": "Undefined Access (no effect) Bit 14", - "4399": "Undefined Access (no effect) Bit 15", - "4416": "ReadData (or ListDirectory)", - "4417": "WriteData (or AddFile)", - "4418": "AppendData (or 
AddSubdirectory or CreatePipeInstance)", - "4419": "ReadEA", - "4420": "WriteEA", - "4421": "Execute/Traverse", - "4422": "DeleteChild", - "4423": "ReadAttributes", - "4424": "WriteAttributes", - "4425": "Undefined Access (no effect) Bit 9", - "4426": "Undefined Access (no effect) Bit 10", - "4427": "Undefined Access (no effect) Bit 11", - "4428": "Undefined Access (no effect) Bit 12", - "4429": "Undefined Access (no effect) Bit 13", - "4430": "Undefined Access (no effect) Bit 14", - "4431": "Undefined Access (no effect) Bit 15", - "4432": "Query key value", - "4433": "Set key value", - "4434": "Create sub-key", - "4435": "Enumerate sub-keys", - "4436": "Notify about changes to keys", - "4437": "Create Link", - "4438": "Undefined Access (no effect) Bit 6", - "4439": "Undefined Access (no effect) Bit 7", - "4440": "Enable 64(or 32) bit application to open 64 bit key", - "4441": "Enable 64(or 32) bit application to open 32 bit key", - "4442": "Undefined Access (no effect) Bit 10", - "4443": "Undefined Access (no effect) Bit 11", - "4444": "Undefined Access (no effect) Bit 12", - "4445": "Undefined Access (no effect) Bit 13", - "4446": "Undefined Access (no effect) Bit 14", - "4447": "Undefined Access (no effect) Bit 15", - "4448": "Query mutant state", - "4449": "Undefined Access (no effect) Bit 1", - "4450": "Undefined Access (no effect) Bit 2", - "4451": "Undefined Access (no effect) Bit 3", - "4452": "Undefined Access (no effect) Bit 4", - "4453": "Undefined Access (no effect) Bit 5", - "4454": "Undefined Access (no effect) Bit 6", - "4455": "Undefined Access (no effect) Bit 7", - "4456": "Undefined Access (no effect) Bit 8", - "4457": "Undefined Access (no effect) Bit 9", - "4458": "Undefined Access (no effect) Bit 10", - "4459": "Undefined Access (no effect) Bit 11", - "4460": "Undefined Access (no effect) Bit 12", - "4461": "Undefined Access (no effect) Bit 13", - "4462": "Undefined Access (no effect) Bit 14", - "4463": "Undefined Access (no effect) Bit 15", - 
"4464": "Communicate using port", - "4465": "Undefined Access (no effect) Bit 1", - "4466": "Undefined Access (no effect) Bit 2", - "4467": "Undefined Access (no effect) Bit 3", - "4468": "Undefined Access (no effect) Bit 4", - "4469": "Undefined Access (no effect) Bit 5", - "4470": "Undefined Access (no effect) Bit 6", - "4471": "Undefined Access (no effect) Bit 7", - "4472": "Undefined Access (no effect) Bit 8", - "4473": "Undefined Access (no effect) Bit 9", - "4474": "Undefined Access (no effect) Bit 10", - "4475": "Undefined Access (no effect) Bit 11", - "4476": "Undefined Access (no effect) Bit 12", - "4477": "Undefined Access (no effect) Bit 13", - "4478": "Undefined Access (no effect) Bit 14", - "4479": "Undefined Access (no effect) Bit 15", - "4480": "Force process termination", - "4481": "Create new thread in process", - "4482": "Set process session ID", - "4483": "Perform virtual memory operation", - "4484": "Read from process memory", - "4485": "Write to process memory", - "4486": "Duplicate handle into or out of process", - "4487": "Create a subprocess of process", - "4488": "Set process quotas", - "4489": "Set process information", - "4490": "Query process information", - "4491": "Set process termination port", - "4492": "Undefined Access (no effect) Bit 12", - "4493": "Undefined Access (no effect) Bit 13", - "4494": "Undefined Access (no effect) Bit 14", - "4495": "Undefined Access (no effect) Bit 15", - "4496": "Control profile", - "4497": "Undefined Access (no effect) Bit 1", - "4498": "Undefined Access (no effect) Bit 2", - "4499": "Undefined Access (no effect) Bit 3", - "4500": "Undefined Access (no effect) Bit 4", - "4501": "Undefined Access (no effect) Bit 5", - "4502": "Undefined Access (no effect) Bit 6", - "4503": "Undefined Access (no effect) Bit 7", - "4504": "Undefined Access (no effect) Bit 8", - "4505": "Undefined Access (no effect) Bit 9", - "4506": "Undefined Access (no effect) Bit 10", - "4507": "Undefined Access (no effect) Bit 11", 
- "4508": "Undefined Access (no effect) Bit 12", - "4509": "Undefined Access (no effect) Bit 13", - "4510": "Undefined Access (no effect) Bit 14", - "4511": "Undefined Access (no effect) Bit 15", - "4512": "Query section state", - "4513": "Map section for write", - "4514": "Map section for read", - "4515": "Map section for execute", - "4516": "Extend size", - "4517": "Undefined Access (no effect) Bit 5", - "4518": "Undefined Access (no effect) Bit 6", - "4519": "Undefined Access (no effect) Bit 7", - "4520": "Undefined Access (no effect) Bit 8", - "4521": "Undefined Access (no effect) Bit 9", - "4522": "Undefined Access (no effect) Bit 10", - "4523": "Undefined Access (no effect) Bit 11", - "4524": "Undefined Access (no effect) Bit 12", - "4525": "Undefined Access (no effect) Bit 13", - "4526": "Undefined Access (no effect) Bit 14", - "4527": "Undefined Access (no effect) Bit 15", - "4528": "Query semaphore state", - "4529": "Modify semaphore state", - "4530": "Undefined Access (no effect) Bit 2", - "4531": "Undefined Access (no effect) Bit 3", - "4532": "Undefined Access (no effect) Bit 4", - "4533": "Undefined Access (no effect) Bit 5", - "4534": "Undefined Access (no effect) Bit 6", - "4535": "Undefined Access (no effect) Bit 7", - "4536": "Undefined Access (no effect) Bit 8", - "4537": "Undefined Access (no effect) Bit 9", - "4538": "Undefined Access (no effect) Bit 10", - "4539": "Undefined Access (no effect) Bit 11", - "4540": "Undefined Access (no effect) Bit 12", - "4541": "Undefined Access (no effect) Bit 13", - "4542": "Undefined Access (no effect) Bit 14", - "4543": "Undefined Access (no effect) Bit 15", - "4544": "Use symbolic link", - "4545": "Undefined Access (no effect) Bit 1", - "4546": "Undefined Access (no effect) Bit 2", - "4547": "Undefined Access (no effect) Bit 3", - "4548": "Undefined Access (no effect) Bit 4", - "4549": "Undefined Access (no effect) Bit 5", - "4550": "Undefined Access (no effect) Bit 6", - "4551": "Undefined Access (no 
effect) Bit 7", - "4552": "Undefined Access (no effect) Bit 8", - "4553": "Undefined Access (no effect) Bit 9", - "4554": "Undefined Access (no effect) Bit 10", - "4555": "Undefined Access (no effect) Bit 11", - "4556": "Undefined Access (no effect) Bit 12", - "4557": "Undefined Access (no effect) Bit 13", - "4558": "Undefined Access (no effect) Bit 14", - "4559": "Undefined Access (no effect) Bit 15", - "4560": "Force thread termination", - "4561": "Suspend or resume thread", - "4562": "Send an alert to thread", - "4563": "Get thread context", - "4564": "Set thread context", - "4565": "Set thread information", - "4566": "Query thread information", - "4567": "Assign a token to the thread", - "4568": "Cause thread to directly impersonate another thread", - "4569": "Directly impersonate this thread", - "4570": "Undefined Access (no effect) Bit 10", - "4571": "Undefined Access (no effect) Bit 11", - "4572": "Undefined Access (no effect) Bit 12", - "4573": "Undefined Access (no effect) Bit 13", - "4574": "Undefined Access (no effect) Bit 14", - "4575": "Undefined Access (no effect) Bit 15", - "4576": "Query timer state", - "4577": "Modify timer state", - "4578": "Undefined Access (no effect) Bit 2", - "4579": "Undefined Access (no effect) Bit 3", - "4580": "Undefined Access (no effect) Bit 4", - "4581": "Undefined Access (no effect) Bit 5", - "4582": "Undefined Access (no effect) Bit 6", - "4584": "Undefined Access (no effect) Bit 8", - "4585": "Undefined Access (no effect) Bit 9", - "4586": "Undefined Access (no effect) Bit 10", - "4587": "Undefined Access (no effect) Bit 11", - "4588": "Undefined Access (no effect) Bit 12", - "4589": "Undefined Access (no effect) Bit 13", - "4590": "Undefined Access (no effect) Bit 14", - "4591": "Undefined Access (no effect) Bit 15", - "4592": "AssignAsPrimary", - "4593": "Duplicate", - "4594": "Impersonate", - "4595": "Query", - "4596": "QuerySource", - "4597": "AdjustPrivileges", - "4598": "AdjustGroups", - "4599": 
"AdjustDefaultDacl", - "4600": "AdjustSessionID", - "4601": "Undefined Access (no effect) Bit 9", - "4602": "Undefined Access (no effect) Bit 10", - "4603": "Undefined Access (no effect) Bit 11", - "4604": "Undefined Access (no effect) Bit 12", - "4605": "Undefined Access (no effect) Bit 13", - "4606": "Undefined Access (no effect) Bit 14", - "4607": "Undefined Access (no effect) Bit 15", - "4608": "Create instance of object type", - "4609": "Undefined Access (no effect) Bit 1", - "4610": "Undefined Access (no effect) Bit 2", - "4611": "Undefined Access (no effect) Bit 3", - "4612": "Undefined Access (no effect) Bit 4", - "4613": "Undefined Access (no effect) Bit 5", - "4614": "Undefined Access (no effect) Bit 6", - "4615": "Undefined Access (no effect) Bit 7", - "4616": "Undefined Access (no effect) Bit 8", - "4617": "Undefined Access (no effect) Bit 9", - "4618": "Undefined Access (no effect) Bit 10", - "4619": "Undefined Access (no effect) Bit 11", - "4620": "Undefined Access (no effect) Bit 12", - "4621": "Undefined Access (no effect) Bit 13", - "4622": "Undefined Access (no effect) Bit 14", - "4623": "Undefined Access (no effect) Bit 15", - "4864": "Query State", - "4865": "Modify State", - "5120": "Channel read message", - "5121": "Channel write message", - "5122": "Channel query information", - "5123": "Channel set information", - "5124": "Undefined Access (no effect) Bit 4", - "5125": "Undefined Access (no effect) Bit 5", - "5126": "Undefined Access (no effect) Bit 6", - "5127": "Undefined Access (no effect) Bit 7", - "5128": "Undefined Access (no effect) Bit 8", - "5129": "Undefined Access (no effect) Bit 9", - "5130": "Undefined Access (no effect) Bit 10", - "5131": "Undefined Access (no effect) Bit 11", - "5132": "Undefined Access (no effect) Bit 12", - "5133": "Undefined Access (no effect) Bit 13", - "5134": "Undefined Access (no effect) Bit 14", - "5135": "Undefined Access (no effect) Bit 15", - "5136": "Assign process", - "5137": "Set Attributes", - 
"5138": "Query Attributes", - "5139": "Terminate Job", - "5140": "Set Security Attributes", - "5141": "Undefined Access (no effect) Bit 5", - "5142": "Undefined Access (no effect) Bit 6", - "5143": "Undefined Access (no effect) Bit 7", - "5144": "Undefined Access (no effect) Bit 8", - "5145": "Undefined Access (no effect) Bit 9", - "5146": "Undefined Access (no effect) Bit 10", - "5147": "Undefined Access (no effect) Bit 11", - "5148": "Undefined Access (no effect) Bit 12", - "5149": "Undefined Access (no effect) Bit 13", - "5150": "Undefined Access (no effect) Bit 14", - "5151": "Undefined Access (no effect) Bit 15", - "5376": "ConnectToServer", - "5377": "ShutdownServer", - "5378": "InitializeServer", - "5379": "CreateDomain", - "5380": "EnumerateDomains", - "5381": "LookupDomain", - "5382": "Undefined Access (no effect) Bit 6", - "5383": "Undefined Access (no effect) Bit 7", - "5384": "Undefined Access (no effect) Bit 8", - "5385": "Undefined Access (no effect) Bit 9", - "5386": "Undefined Access (no effect) Bit 10", - "5387": "Undefined Access (no effect) Bit 11", - "5388": "Undefined Access (no effect) Bit 12", - "5389": "Undefined Access (no effect) Bit 13", - "5390": "Undefined Access (no effect) Bit 14", - "5391": "Undefined Access (no effect) Bit 15", - "5392": "ReadPasswordParameters", - "5393": "WritePasswordParameters", - "5394": "ReadOtherParameters", - "5395": "WriteOtherParameters", - "5396": "CreateUser", - "5397": "CreateGlobalGroup", - "5398": "CreateLocalGroup", - "5399": "GetLocalGroupMembership", - "5400": "ListAccounts", - "5401": "LookupIDs", - "5402": "AdministerServer", - "5403": "Undefined Access (no effect) Bit 11", - "5404": "Undefined Access (no effect) Bit 12", - "5405": "Undefined Access (no effect) Bit 13", - "5406": "Undefined Access (no effect) Bit 14", - "5407": "Undefined Access (no effect) Bit 15", - "5408": "ReadInformation", - "5409": "WriteAccount", - "5410": "AddMember", - "5411": "RemoveMember", - "5412": "ListMembers", - 
"5413": "Undefined Access (no effect) Bit 5", - "5414": "Undefined Access (no effect) Bit 6", - "5415": "Undefined Access (no effect) Bit 7", - "5416": "Undefined Access (no effect) Bit 8", - "5417": "Undefined Access (no effect) Bit 9", - "5418": "Undefined Access (no effect) Bit 10", - "5419": "Undefined Access (no effect) Bit 11", - "5420": "Undefined Access (no effect) Bit 12", - "5421": "Undefined Access (no effect) Bit 13", - "5422": "Undefined Access (no effect) Bit 14", - "5423": "Undefined Access (no effect) Bit 15", - "5424": "AddMember", - "5425": "RemoveMember", - "5426": "ListMembers", - "5427": "ReadInformation", - "5428": "WriteAccount", - "5429": "Undefined Access (no effect) Bit 5", - "5430": "Undefined Access (no effect) Bit 6", - "5431": "Undefined Access (no effect) Bit 7", - "5432": "Undefined Access (no effect) Bit 8", - "5433": "Undefined Access (no effect) Bit 9", - "5434": "Undefined Access (no effect) Bit 10", - "5435": "Undefined Access (no effect) Bit 11", - "5436": "Undefined Access (no effect) Bit 12", - "5437": "Undefined Access (no effect) Bit 13", - "5438": "Undefined Access (no effect) Bit 14", - "5439": "Undefined Access (no effect) Bit 15", - "5440": "ReadGeneralInformation", - "5441": "ReadPreferences", - "5442": "WritePreferences", - "5443": "ReadLogon", - "5444": "ReadAccount", - "5445": "WriteAccount", - "5446": "ChangePassword (with knowledge of old password)", - "5447": "SetPassword (without knowledge of old password)", - "5448": "ListGroups", - "5449": "ReadGroupMembership", - "5450": "ChangeGroupMembership", - "5451": "Undefined Access (no effect) Bit 11", - "5452": "Undefined Access (no effect) Bit 12", - "5453": "Undefined Access (no effect) Bit 13", - "5454": "Undefined Access (no effect) Bit 14", - "5455": "Undefined Access (no effect) Bit 15", - "5632": "View non-sensitive policy information", - "5633": "View system audit requirements", - "5634": "Get sensitive policy information", - "5635": "Modify domain trust 
relationships", - "5636": "Create special accounts (for assignment of user rights)", - "5637": "Create a secret object", - "5638": "Create a privilege", - "5639": "Set default quota limits", - "5640": "Change system audit requirements", - "5641": "Administer audit log attributes", - "5642": "Enable/Disable LSA", - "5643": "Lookup Names/SIDs", - "5648": "Change secret value", - "5649": "Query secret value", - "5650": "Undefined Access (no effect) Bit 2", - "5651": "Undefined Access (no effect) Bit 3", - "5652": "Undefined Access (no effect) Bit 4", - "5653": "Undefined Access (no effect) Bit 5", - "5654": "Undefined Access (no effect) Bit 6", - "5655": "Undefined Access (no effect) Bit 7", - "5656": "Undefined Access (no effect) Bit 8", - "5657": "Undefined Access (no effect) Bit 9", - "5658": "Undefined Access (no effect) Bit 10", - "5659": "Undefined Access (no effect) Bit 11", - "5660": "Undefined Access (no effect) Bit 12", - "5661": "Undefined Access (no effect) Bit 13", - "5662": "Undefined Access (no effect) Bit 14", - "5663": "Undefined Access (no effect) Bit 15", - "5664": "Query trusted domain name/SID", - "5665": "Retrieve the controllers in the trusted domain", - "5666": "Change the controllers in the trusted domain", - "5667": "Query the Posix ID offset assigned to the trusted domain", - "5668": "Change the Posix ID offset assigned to the trusted domain", - "5669": "Undefined Access (no effect) Bit 5", - "5670": "Undefined Access (no effect) Bit 6", - "5671": "Undefined Access (no effect) Bit 7", - "5672": "Undefined Access (no effect) Bit 8", - "5673": "Undefined Access (no effect) Bit 9", - "5674": "Undefined Access (no effect) Bit 10", - "5675": "Undefined Access (no effect) Bit 11", - "5676": "Undefined Access (no effect) Bit 12", - "5677": "Undefined Access (no effect) Bit 13", - "5678": "Undefined Access (no effect) Bit 14", - "5679": "Undefined Access (no effect) Bit 15", - "5680": "Query account information", - "5681": "Change privileges 
assigned to account", - "5682": "Change quotas assigned to account", - "5683": "Change logon capabilities assigned to account", - "5684": "Change the Posix ID offset assigned to the accounted domain", - "5685": "Undefined Access (no effect) Bit 5", - "5686": "Undefined Access (no effect) Bit 6", - "5687": "Undefined Access (no effect) Bit 7", - "5688": "Undefined Access (no effect) Bit 8", - "5689": "Undefined Access (no effect) Bit 9", - "5690": "Undefined Access (no effect) Bit 10", - "5691": "Undefined Access (no effect) Bit 11", - "5692": "Undefined Access (no effect) Bit 12", - "5693": "Undefined Access (no effect) Bit 13", - "5694": "Undefined Access (no effect) Bit 14", - "5695": "Undefined Access (no effect) Bit 15", - "5696": "KeyedEvent Wait", - "5697": "KeyedEvent Wake", - "5698": "Undefined Access (no effect) Bit 2", - "5699": "Undefined Access (no effect) Bit 3", - "5700": "Undefined Access (no effect) Bit 4", - "5701": "Undefined Access (no effect) Bit 5", - "5702": "Undefined Access (no effect) Bit 6", - "5703": "Undefined Access (no effect) Bit 7", - "5704": "Undefined Access (no effect) Bit 8", - "5705": "Undefined Access (no effect) Bit 9", - "5706": "Undefined Access (no effect) Bit 10", - "5707": "Undefined Access (no effect) Bit 11", - "5708": "Undefined Access (no effect) Bit 12", - "5709": "Undefined Access (no effect) Bit 13", - "5710": "Undefined Access (no effect) Bit 14", - "5711": "Undefined Access (no effect) Bit 15", - "6656": "Enumerate desktops", - "6657": "Read attributes", - "6658": "Access Clipboard", - "6659": "Create desktop", - "6660": "Write attributes", - "6661": "Access global atoms", - "6662": "Exit windows", - "6663": "Unused Access Flag", - "6664": "Include this windowstation in enumerations", - "6665": "Read screen", - "6672": "Read Objects", - "6673": "Create window", - "6674": "Create menu", - "6675": "Hook control", - "6676": "Journal (record)", - "6677": "Journal (playback)", - "6678": "Include this desktop in 
enumerations", - "6679": "Write objects", - "6680": "Switch to this desktop", - "6912": "Administer print server", - "6913": "Enumerate printers", - "6930": "Full Control", - "6931": "Print", - "6948": "Administer Document", - "7168": "Connect to service controller", - "7169": "Create a new service", - "7170": "Enumerate services", - "7171": "Lock service database for exclusive access", - "7172": "Query service database lock state", - "7173": "Set last-known-good state of service database", - "7184": "Query service configuration information", - "7185": "Set service configuration information", - "7186": "Query status of service", - "7187": "Enumerate dependencies of service", - "7188": "Start the service", - "7189": "Stop the service", - "7190": "Pause or continue the service", - "7191": "Query information from service", - "7192": "Issue service-specific control commands", - "7424": "DDE Share Read", - "7425": "DDE Share Write", - "7426": "DDE Share Initiate Static", - "7427": "DDE Share Initiate Link", - "7428": "DDE Share Request", - "7429": "DDE Share Advise", - "7430": "DDE Share Poke", - "7431": "DDE Share Execute", - "7432": "DDE Share Add Items", - "7433": "DDE Share List Items", - "7680": "Create Child", - "7681": "Delete Child", - "7682": "List Contents", - "7683": "Write Self", - "7684": "Read Property", - "7685": "Write Property", - "7686": "Delete Tree", - "7687": "List Object", - "7688": "Control Access", - "7689": "Undefined Access (no effect) Bit 9", - "7690": "Undefined Access (no effect) Bit 10", - "7691": "Undefined Access (no effect) Bit 11", - "7692": "Undefined Access (no effect) Bit 12", - "7693": "Undefined Access (no effect) Bit 13", - "7694": "Undefined Access (no effect) Bit 14", - "7695": "Undefined Access (no effect) Bit 15", - "7936": "Audit Set System Policy", - "7937": "Audit Query System Policy", - "7938": "Audit Set Per User Policy", - "7939": "Audit Query Per User Policy", - "7940": "Audit Enumerate Users", - "7941": "Audit Set 
Options", - "7942": "Audit Query Options", - "8064": "Port sharing (read)", - "8065": "Port sharing (write)", - "8096": "Default credentials", - "8097": "Credentials manager", - "8098": "Fresh credentials", - "8192": "Kerberos", - "8193": "Preshared key", - "8194": "Unknown authentication", - "8195": "DES", - "8196": "3DES", - "8197": "MD5", - "8198": "SHA1", - "8199": "Local computer", - "8200": "Remote computer", - "8201": "No state", - "8202": "Sent first (SA) payload", - "8203": "Sent second (KE) payload", - "8204": "Sent third (ID) payload", - "8205": "Initiator", - "8206": "Responder", - "8207": "No state", - "8208": "Sent first (SA) payload", - "8209": "Sent final payload", - "8210": "Complete", - "8211": "Unknown", - "8212": "Transport", - "8213": "Tunnel", - "8214": "IKE/AuthIP DoS prevention mode started", - "8215": "IKE/AuthIP DoS prevention mode stopped", - "8216": "Enabled", - "8217": "Not enabled", - "8218": "No state", - "8219": "Sent first (EM attributes) payload", - "8220": "Sent second (SSPI) payload", - "8221": "Sent third (hash) payload", - "8222": "IKEv1", - "8223": "AuthIP", - "8224": "Anonymous", - "8225": "NTLM V2", - "8226": "CGA", - "8227": "Certificate", - "8228": "SSL", - "8229": "None", - "8230": "DH group 1", - "8231": "DH group 2", - "8232": "DH group 14", - "8233": "DH group ECP 256", - "8234": "DH group ECP 384", - "8235": "AES-128", - "8236": "AES-192", - "8237": "AES-256", - "8238": "Certificate ECDSA P256", - "8239": "Certificate ECDSA P384", - "8240": "SSL ECDSA P256", - "8241": "SSL ECDSA P384", - "8242": "SHA 256", - "8243": "SHA 384", - "8244": "IKEv2", - "8245": "EAP payload sent", - "8246": "Authentication payload sent", - "8247": "EAP", - "8248": "DH group 24", - "8272": "System", - "8273": "Logon/Logoff", - "8274": "Object Access", - "8275": "Privilege Use", - "8276": "Detailed Tracking", - "8277": "Policy Change", - "8278": "Account Management", - "8279": "DS Access", - "8280": "Account Logon", - "8448": "Success 
removed", - "8449": "Success Added", - "8450": "Failure removed", - "8451": "Failure added", - "8452": "Success include removed", - "8453": "Success include added", - "8454": "Success exclude removed", - "8455": "Success exclude added", - "8456": "Failure include removed", - "8457": "Failure include added", - "8458": "Failure exclude removed", - "8459": "Failure exclude added", - "12288": "Security State Change", - "12289": "Security System Extension", - "12290": "System Integrity", - "12291": "IPsec Driver", - "12292": "Other System Events", - "12544": "Logon", - "12545": "Logoff", - "12546": "Account Lockout", - "12547": "IPsec Main Mode", - "12548": "Special Logon", - "12549": "IPsec Quick Mode", - "12550": "IPsec Extended Mode", - "12551": "Other Logon/Logoff Events", - "12552": "Network Policy Server", - "12553": "User / Device Claims", - "12554": "Group Membership", - "12800": "File System", - "12801": "Registry", - "12802": "Kernel Object", - "12803": "SAM", - "12804": "Other Object Access Events", - "12805": "Certification Services", - "12806": "Application Generated", - "12807": "Handle Manipulation", - "12808": "File Share", - "12809": "Filtering Platform Packet Drop", - "12810": "Filtering Platform Connection", - "12811": "Detailed File Share", - "12812": "Removable Storage", - "12813": "Central Policy Staging", - "13056": "Sensitive Privilege Use", - "13057": "Non Sensitive Privilege Use", - "13058": "Other Privilege Use Events", - "13312": "Process Creation", - "13313": "Process Termination", - "13314": "DPAPI Activity", - "13315": "RPC Events", - "13316": "Plug and Play Events", - "13317": "Token Right Adjusted Events", - "13568": "Audit Policy Change", - "13569": "Authentication Policy Change", - "13570": "Authorization Policy Change", - "13571": "MPSSVC Rule-Level Policy Change", - "13572": "Filtering Platform Policy Change", - "13573": "Other Policy Change Events", - "13824": "User Account Management", - "13825": "Computer Account Management", - 
"13826": "Security Group Management", - "13827": "Distribution Group Management", - "13828": "Application Group Management", - "13829": "Other Account Management Events", - "14080": "Directory Service Access", - "14081": "Directory Service Changes", - "14082": "Directory Service Replication", - "14083": "Detailed Directory Service Replication", - "14336": "Credential Validation", - "14337": "Kerberos Service Ticket Operations", - "14338": "Other Account Logon Events", - "14339": "Kerberos Authentication Service", - "14592": "Inbound", - "14593": "Outbound", - "14594": "Forward", - "14595": "Bidirectional", - "14596": "IP Packet", - "14597": "Transport", - "14598": "Forward", - "14599": "Stream", - "14600": "Datagram Data", - "14601": "ICMP Error", - "14602": "MAC 802.3", - "14603": "MAC Native", - "14604": "vSwitch", - "14608": "Resource Assignment", - "14609": "Listen", - "14610": "Receive/Accept", - "14611": "Connect", - "14612": "Flow Established", - "14614": "Resource Release", - "14615": "Endpoint Closure", - "14616": "Connect Redirect", - "14617": "Bind Redirect", - "14624": "Stream Packet", - "14640": "ICMP Echo-Request", - "14641": "vSwitch Ingress", - "14642": "vSwitch Egress", - "14672": "", - "14673": "[NULL]", - "14674": "Value Added", - "14675": "Value Deleted", - "14676": "Active Directory Domain Services", - "14677": "Active Directory Lightweight Directory Services", - "14678": "Yes", - "14679": "No", - "14680": "Value Added With Expiration Time", - "14681": "Value Deleted With Expiration Time", - "14688": "Value Auto Deleted With Expiration Time", - "16384": "Add", - "16385": "Delete", - "16386": "Boot-time", - "16387": "Persistent", - "16388": "Not persistent", - "16389": "Block", - "16390": "Permit", - "16391": "Callout", - "16392": "MD5", - "16393": "SHA-1", - "16394": "SHA-256", - "16395": "AES-GCM 128", - "16396": "AES-GCM 192", - "16397": "AES-GCM 256", - "16398": "DES", - "16399": "3DES", - "16400": "AES-128", - "16401": "AES-192", - "16402": 
"AES-256", - "16403": "Transport", - "16404": "Tunnel", - "16405": "Responder", - "16406": "Initiator", - "16407": "AES-GMAC 128", - "16408": "AES-GMAC 192", - "16409": "AES-GMAC 256", - "16416": "AuthNoEncap Transport", - "16896": "Enable WMI Account", - "16897": "Execute Method", - "16898": "Full Write", - "16899": "Partial Write", - "16900": "Provider Write", - "16901": "Remote Access", - "16902": "Subscribe", - "16903": "Publish", - }; - // lookupMessageCode returns the string associated with the code. key should - // be the name of the field in evt containing the code (e.g. %%2313). - var lookupMessageCode = function (evt, key) { - var code = evt.Get(key); - if (!code) { - return; - } - code = code.replace("%%", ""); - return msobjsMessageTable[code]; - }; - var addEventFields = function(evt){ - var code = evt.Get("event.code"); - if (!code) { - return; - } - var eventActionDescription = eventActionTypes[code][2]; - if (eventActionDescription) { - evt.AppendTo("event.category", eventActionTypes[code][0]); - evt.AppendTo("event.type", eventActionTypes[code][1]); - evt.Put("event.action", eventActionTypes[code][2]); - } - }; - var addLogonType = function(evt) { - var code = evt.Get("winlog.event_data.LogonType"); - if (!code) { - return; - } - var descriptiveLogonType = logonTypes[code]; - if (descriptiveLogonType === undefined) { - return; - } - evt.Put("winlog.logon.type", descriptiveLogonType); - }; - var addFailureCode = function(evt) { - var msg = lookupMessageCode(evt, "winlog.event_data.FailureReason"); - if (!msg) { - return; - } - evt.Put("winlog.logon.failure.reason", msg); - }; - var addFailureStatus = function(evt) { - var code = evt.Get("winlog.event_data.Status"); - if (!code) { - return; - } - var descriptiveFailureStatus = logonFailureStatus[code]; - if (descriptiveFailureStatus === undefined) { - return; - } - evt.Put("winlog.logon.failure.status", descriptiveFailureStatus); - }; - var addFailureSubStatus = function(evt) { - var code = 
evt.Get("winlog.event_data.SubStatus"); - if (!code) { - return; - } - var descriptiveFailureStatus = logonFailureStatus[code]; - if (descriptiveFailureStatus === undefined) { - return; - } - evt.Put("winlog.logon.failure.sub_status", descriptiveFailureStatus); - }; - var addUACDescription = function(evt) { - var code = evt.Get("winlog.event_data.NewUacValue"); - if (!code) { - return; - } - var uacCode = parseInt(code); - var uacResult = []; - for (var i = 0; i < uacFlags.length; i++) { - if ((uacCode | uacFlags[i][0]) === uacCode) { - uacResult.push(uacFlags[i][1]); - } - } - if (uacResult) { - evt.Put("winlog.event_data.NewUACList", uacResult); - } - var uacList = evt.Get("winlog.event_data.UserAccountControl").replace(/\s/g, '').split("%%").filter(String); - if (!uacList) { - return; - } - evt.Put("winlog.event_data.UserAccountControl", uacList); - }; - var addAuditInfo = function(evt) { - var subcategoryGuid = evt.Get("winlog.event_data.SubcategoryGuid").replace("{", '').replace("}", '').toUpperCase(); - if (!subcategoryGuid) { - return; - } - if (!auditDescription[subcategoryGuid]) { - return; - } - evt.Put("winlog.event_data.Category", auditDescription[subcategoryGuid][1]); - evt.Put("winlog.event_data.SubCategory", auditDescription[subcategoryGuid][0]); - var codedActions = evt.Get("winlog.event_data.AuditPolicyChanges").split(","); - var actionResults = []; - for (var j = 0; j < codedActions.length; j++) { - var actionCode = codedActions[j].replace("%%", '').replace(' ', ''); - actionResults.push(auditActions[actionCode]); - } - evt.Put("winlog.event_data.AuditPolicyChangesDescription", actionResults); - }; - var addTicketOptionsDescription = function(evt) { - var code = evt.Get("winlog.event_data.TicketOptions"); - if (!code) { - return; - } - var tktCode = parseInt(code, 16).toString(2); - var tktResult = []; - var tktCodeLen = tktCode.length; - for (var i = tktCodeLen; i >= 0; i--) { - if (tktCode[i] == 1) { - 
tktResult.push(ticketOptions[(32-tktCodeLen)+i]); - } - } - if (tktResult) { - evt.Put("winlog.event_data.TicketOptionsDescription", tktResult); - } - }; - var addTicketEncryptionType = function(evt) { - var code = evt.Get("winlog.event_data.TicketEncryptionType"); - if (!code) { - return; - } - var encTypeCode = code.toLowerCase(); - evt.Put("winlog.event_data.TicketEncryptionTypeDescription", ticketEncryptionTypes[encTypeCode]); - }; - var addTicketStatus = function(evt) { - var code = evt.Get("winlog.event_data.Status"); - if (!code) { - return; - } - evt.Put("winlog.event_data.StatusDescription", kerberosTktStatusCodes[code]); - }; - var addSessionData = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.AccountName", to: "user.name"}, - {from: "winlog.event_data.AccountDomain", to: "user.domain"}, - {from: "winlog.event_data.ClientAddress", to: "source.ip"}, - {from: "winlog.event_data.ClientName", to: "source.domain"}, - {from: "winlog.event_data.LogonID", to: "winlog.logon.id"}, - ], - ignore_missing: true, - }) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.AccountName"); - evt.AppendTo('related.user', user); - }) - .Build(); - var addServiceFields = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.ServiceName", to: "service.name"}, - ], - ignore_missing: true, - }) - .Add(function(evt) { - var code = evt.Get("winlog.event_data.ServiceType"); - if (!code) { - return; - } - evt.Put("service.type", serviceTypes[code]); - }) - .Build(); - var copyTargetUser = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.TargetUserSid", to: "user.id"}, - {from: "winlog.event_data.TargetUserName", to: "user.name"}, - {from: "winlog.event_data.TargetDomainName", to: "user.domain"}, - ], - ignore_missing: true, - }) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.TargetUserName"); - if (/.@*/.test(user)) { - user = user.split('@')[0]; - evt.Put('user.name', user); - } - 
evt.AppendTo('related.user', user);
- })
- .Build();
- var copyTargetUserToGroup = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.TargetUserSid", to: "group.id"},
- {from: "winlog.event_data.TargetUserName", to: "group.name"},
- {from: "winlog.event_data.TargetDomainName", to: "group.domain"},
- ],
- ignore_missing: true,
- })
- .Build();
- var copyTargetUserToComputerObject = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.TargetSid", to: "winlog.computerObject.id"},
- {from: "winlog.event_data.TargetUserName", to: "winlog.computerObject.name"},
- {from: "winlog.event_data.TargetDomainName", to: "winlog.computerObject.domain"},
- ],
- ignore_missing: true,
- })
- .Build();
- var copyTargetUserLogonId = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.TargetLogonId", to: "winlog.logon.id"},
- ],
- ignore_missing: true,
- })
- .Build();
- var copySubjectUser = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.SubjectUserSid", to: "user.id"},
- {from: "winlog.event_data.SubjectUserName", to: "user.name"},
- {from: "winlog.event_data.SubjectDomainName", to: "user.domain"},
- ],
- ignore_missing: true,
- })
- .Add(function(evt) {
- var user = evt.Get("winlog.event_data.SubjectUserName");
- evt.AppendTo('related.user', user);
- })
- .Build();
- var copySubjectUserFromUserData = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.user_data.SubjectUserSid", to: "user.id"},
- {from: "winlog.user_data.SubjectUserName", to: "user.name"},
- {from: "winlog.user_data.SubjectDomainName", to: "user.domain"},
- ],
- ignore_missing: true,
- })
- .Add(function(evt) {
- var user = evt.Get("winlog.user_data.SubjectUserName");
- evt.AppendTo('related.user', user);
- })
- .Build();
- var copySubjectUserLogonId = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.SubjectLogonId", to: "winlog.logon.id"},
- ],
- ignore_missing: true,
- })
- .Build();
- var copySubjectUserLogonIdFromUserData = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.user_data.SubjectLogonId", to: "winlog.logon.id"},
- ],
- ignore_missing: true,
- })
- .Build();
- var renameCommonAuthFields = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"},
- {from: "winlog.event_data.ProcessName", to: "process.executable"},
- {from: "winlog.event_data.IpAddress", to: "source.ip", type: "ip"},
- {from: "winlog.event_data.IpPort", to: "source.port", type: "long"},
- {from: "winlog.event_data.WorkstationName", to: "source.domain"},
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(function(evt) {
- var name = evt.Get("process.name");
- if (name) {
- return;
- }
- var exe = evt.Get("process.executable");
- if (!exe) {
- return;
- }
- evt.Put("process.name", path.basename(exe));
- })
- .Build();
- var renameNewProcessFields = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.NewProcessId", to: "process.pid", type: "long"},
- {from: "winlog.event_data.NewProcessName", to: "process.executable"},
- {from: "winlog.event_data.ParentProcessName", to: "process.parent.executable"}
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(function(evt) {
- var name = evt.Get("process.name");
- if (name) {
- return;
- }
- var exe = evt.Get("process.executable");
- if (!exe) {
- return;
- }
- evt.Put("process.name", path.basename(exe));
- })
- .Add(function(evt) {
- var name = evt.Get("process.parent.name");
- if (name) {
- return;
- }
- var exe = evt.Get("process.parent.executable");
- if (!exe) {
- return;
- }
- evt.Put("process.parent.name", path.basename(exe));
- })
- .Add(function(evt) {
- var cl = evt.Get("winlog.event_data.CommandLine");
- if (!cl) {
- return;
- }
- evt.Put("process.args", windows.splitCommandLine(cl));
- evt.Put("process.command_line", cl);
- })
- .Build();
- // Handles 4634
and 4647.
- var logoff = new processor.Chain()
- .Add(copyTargetUser)
- .Add(copyTargetUserLogonId)
- .Add(addLogonType)
- .Add(addEventFields)
- .Build();
- // Handles both 4624
- var logonSuccess = new processor.Chain()
- .Add(copyTargetUser)
- .Add(copyTargetUserLogonId)
- .Add(addLogonType)
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Add(function(evt) {
- var user = evt.Get("winlog.event_data.SubjectUserName");
- if (user) {
- var res = /^-$/.test(user);
- if (!res) {
- evt.AppendTo('related.user', user);
- }
- }
- })
- .Build();
- // Handles both 4648
- var event4648 = new processor.Chain()
- .Add(copyTargetUser)
- .Add(copySubjectUserLogonId)
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Add(function(evt) {
- var user = evt.Get("winlog.event_data.SubjectUserName");
- if (user) {
- var res = /^-$/.test(user);
- if (!res) {
- evt.AppendTo('related.user', user);
- }
- }
- })
- .Build();
- var event4625 = new processor.Chain()
- .Add(copyTargetUser)
- .Add(copySubjectUserLogonId)
- .Add(addLogonType)
- .Add(addFailureCode)
- .Add(addFailureStatus)
- .Add(addFailureSubStatus)
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Build();
- var event4672 = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(function(evt) {
- var privs = evt.Get("winlog.event_data.PrivilegeList");
- if (!privs) {
- return;
- }
- evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/));
- })
- .Add(addEventFields)
- .Build();
- var event4688 = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(renameNewProcessFields)
- .Add(addEventFields)
- .Add(function(evt) {
- var user = evt.Get("winlog.event_data.TargetUserName");
- var res = /^-$/.test(user);
- if (!res) {
- evt.AppendTo('related.user', user);
- }
- })
- .Build();
- var event4689 = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Build();
- var
event4697 = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(renameCommonAuthFields)
- .Add(addServiceFields)
- .Add(addEventFields)
- .Add(function(evt) {
- evt.AppendTo("event.type", "change");
- })
- .Build();
- var userMgmtEvts = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(renameCommonAuthFields)
- .Add(addUACDescription)
- .Add(addEventFields)
- .Add(function(evt) {
- var user = evt.Get("winlog.event_data.TargetUserName");
- evt.AppendTo('related.user', user);
- evt.AppendTo("event.type", "user");
- })
- .Build();
- var userRenamed = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(addEventFields)
- .Add(function(evt) {
- var userNew = evt.Get("winlog.event_data.NewTargetUserName");
- evt.AppendTo('related.user', userNew);
- var userOld = evt.Get("winlog.event_data.OldTargetUserName");
- evt.AppendTo('related.user', userOld);
- evt.AppendTo("event.type", "user");
- })
- .Build();
- var groupMgmtEvts = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(copyTargetUserToGroup)
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Add(function(evt) {
- evt.AppendTo("event.type", "group");
- var member = evt.Get("winlog.event_data.MemberName");
- if (!member) {
- return;
- }
- evt.AppendTo("related.user", member.split(',')[0].replace('CN=', '').replace('cn=', ''));
- })
- .Build();
- var auditLogCleared = new processor.Chain()
- .Add(copySubjectUserFromUserData)
- .Add(copySubjectUserLogonIdFromUserData)
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Add(function(evt) {
- evt.AppendTo("event.type", "change");
- })
- .Build();
- var auditChanged = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(renameCommonAuthFields)
- .Add(addAuditInfo)
- .Add(addEventFields)
- .Add(function(evt) {
- evt.AppendTo("event.type", "change");
- })
- .Build();
- var auditLogMgmt = new
processor.Chain()
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Build();
- var computerMgmtEvts = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(copyTargetUserToComputerObject)
- .Add(renameCommonAuthFields)
- .Add(addUACDescription)
- .Add(addEventFields)
- .Add(function(evt) {
- var privs = evt.Get("winlog.event_data.PrivilegeList");
- if (!privs) {
- return;
- }
- evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/));
- evt.AppendTo("event.type", "admin");
- })
- .Build();
- var sessionEvts = new processor.Chain()
- .Add(addSessionData)
- .Add(addEventFields)
- .Build();
- var event4964 = new processor.Chain()
- .Add(copyTargetUser)
- .Add(copyTargetUserLogonId)
- .Add(addEventFields)
- .Add(function(evt) {
- evt.AppendTo("event.type", "group");
- })
- .Build();
- var kerberosTktEvts = new processor.Chain()
- .Add(copyTargetUser)
- .Add(renameCommonAuthFields)
- .Add(addTicketOptionsDescription)
- .Add(addTicketEncryptionType)
- .Add(addTicketStatus)
- .Add(addEventFields)
- .Add(function(evt) {
- var ip = evt.Get("source.ip");
- if (/::ffff:/.test(ip)) {
- evt.Put("source.ip", ip.replace("::ffff:", ""));
- }
- })
- .Build();
- var event4776 = new processor.Chain()
- .Add(copyTargetUser)
- .Add(addFailureStatus)
- .Add(addEventFields)
- .Build();
- var scheduledTask = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(addEventFields)
- .Add(function(evt) {
- evt.AppendTo("event.type", "admin");
- })
- .Build();
- var sensitivePrivilege = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Add(function(evt) {
- var privs = evt.Get("winlog.event_data.PrivilegeList");
- if (!privs) {
- return;
- }
- evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/));
- })
- .Add(function(evt){
- var maskCodes = evt.Get("winlog.event_data.AccessMask");
- if (!maskCodes) {
- return;
- }
- var maskList =
maskCodes.replace(/\s+/g, '').split("%%").filter(String);
- evt.Put("winlog.event_data.AccessMask", maskList);
- var maskResults = [];
- for (var j = 0; j < maskList.length; j++) {
- var description = msobjsMessageTable[maskList[j]];
- if (description === undefined) {
- return;
- }
- maskResults.push(description);
- }
- evt.Put("winlog.event_data.AccessMaskDescription", maskResults);
- })
- .Build();
- return {
- // 1100 - The event logging service has shut down.
- 1100: auditLogMgmt.Run,
- // 1102 - The audit log was cleared.
- 1102: auditLogCleared.Run,
- // 1104 - The security log is now full.
- 1104: auditLogMgmt.Run,
- // 1105 - Event log automatic backup.
- 1105: auditLogMgmt.Run,
- // 1108 - The event logging service encountered an error while processing an incoming event published from %1
- 1108: auditLogMgmt.Run,
- // 4624 - An account was successfully logged on.
- 4624: logonSuccess.Run,
- // 4625 - An account failed to log on.
- 4625: event4625.Run,
- // 4634 - An account was logged off.
- 4634: logoff.Run,
- // 4647 - User initiated logoff.
- 4647: logoff.Run,
- // 4648 - A logon was attempted using explicit credentials.
- 4648: event4648.Run,
- // 4672 - Special privileges assigned to new logon.
- 4672: event4672.Run,
- // 4673 - A privileged service was called.
- 4673: sensitivePrivilege.Run,
- // 4674 - An operation was attempted on a privileged object.
- 4674: sensitivePrivilege.Run,
- // 4688 - A new process has been created.
- 4688: event4688.Run,
- // 4689 - A process has exited.
- 4689: event4689.Run,
- // 4697 - A service was installed in the system.
- 4697: event4697.Run,
- // 4698 - A scheduled task was created.
- 4698: scheduledTask.Run,
- // 4699 - A scheduled task was deleted.
- 4699: scheduledTask.Run,
- // 4700 - A scheduled task was enabled.
- 4700: scheduledTask.Run,
- // 4701 - A scheduled task was disabled.
- 4701: scheduledTask.Run,
- // 4702 - A scheduled task was updated.
- 4702: scheduledTask.Run,
- // 4719 - System audit policy was changed.
- 4719: auditChanged.Run,
- // 4720 - A user account was created
- 4720: userMgmtEvts.Run,
- // 4722 - A user account was enabled
- 4722: userMgmtEvts.Run,
- // 4723 - An attempt was made to change an account's password
- 4723: userMgmtEvts.Run,
- // 4724 - An attempt was made to reset an account's password
- 4724: userMgmtEvts.Run,
- // 4725 - A user account was disabled.
- 4725: userMgmtEvts.Run,
- // 4726 - An user account was deleted.
- 4726: userMgmtEvts.Run,
- // 4727 - A security-enabled global group was created.
- 4727: groupMgmtEvts.Run,
- // 4728 - A member was added to a security-enabled global group.
- 4728: groupMgmtEvts.Run,
- // 4729 - A member was removed from a security-enabled global group.
- 4729: groupMgmtEvts.Run,
- // 4730 - A security-enabled global group was deleted.
- 4730: groupMgmtEvts.Run,
- // 4731 - A security-enabled local group was created.
- 4731: groupMgmtEvts.Run,
- // 4732 - A member was added to a security-enabled local group.
- 4732: groupMgmtEvts.Run,
- // 4733 - A member was removed from a security-enabled local group.
- 4733: groupMgmtEvts.Run,
- // 4734 - A security-enabled local group was deleted.
- 4734: groupMgmtEvts.Run,
- // 4735 - A security-enabled local group was changed.
- 4735: groupMgmtEvts.Run,
- // 4737 - A security-enabled global group was changed.
- 4737: groupMgmtEvts.Run,
- // 4738 - An user account was changed.
- 4738: userMgmtEvts.Run,
- // 4740 - An account was locked out
- 4740: userMgmtEvts.Run,
- // 4741 - A computer account was created.
- 4741: computerMgmtEvts.Run,
- // 4742 - A computer account was changed.
- 4742: computerMgmtEvts.Run,
- // 4743 - A computer account was deleted.
- 4743: computerMgmtEvts.Run,
- // 4744 - A security-disabled local group was created.
- 4744: groupMgmtEvts.Run,
- // 4745 - A security-disabled local group was changed.
- 4745: groupMgmtEvts.Run,
- // 4746 - A member was added to a security-disabled local group.
- 4746: groupMgmtEvts.Run,
- // 4747 - A member was removed from a security-disabled local group.
- 4747: groupMgmtEvts.Run,
- // 4748 - A security-disabled local group was deleted.
- 4748: groupMgmtEvts.Run,
- // 4749 - A security-disabled global group was created.
- 4749: groupMgmtEvts.Run,
- // 4750 - A security-disabled global group was changed.
- 4750: groupMgmtEvts.Run,
- // 4751 - A member was added to a security-disabled global group.
- 4751: groupMgmtEvts.Run,
- // 4752 - A member was removed from a security-disabled global group.
- 4752: groupMgmtEvts.Run,
- // 4753 - A security-disabled global group was deleted.
- 4753: groupMgmtEvts.Run,
- // 4754 - A security-enabled universal group was created.
- 4754: groupMgmtEvts.Run,
- // 4755 - A security-enabled universal group was changed.
- 4755: groupMgmtEvts.Run,
- // 4756 - A member was added to a security-enabled universal group.
- 4756: groupMgmtEvts.Run,
- // 4757 - A member was removed from a security-enabled universal group.
- 4757: groupMgmtEvts.Run,
- // 4758 - A security-enabled universal group was deleted.
- 4758: groupMgmtEvts.Run,
- // 4759 - A security-disabled universal group was created.
- 4759: groupMgmtEvts.Run,
- // 4760 - A security-disabled universal group was changed.
- 4760: groupMgmtEvts.Run,
- // 4761 - A member was added to a security-disabled universal group.
- 4761: groupMgmtEvts.Run,
- // 4762 - A member was removed from a security-disabled universal group.
- 4762: groupMgmtEvts.Run,
- // 4763 - A security-disabled global group was deleted.
- 4763: groupMgmtEvts.Run,
- // 4764 - A group\'s type was changed.
- 4764: groupMgmtEvts.Run,
- // 4767 - A user account was unlocked.
- 4767: userMgmtEvts.Run,
- // 4768 - A Kerberos authentication ticket TGT was requested.
- 4768: kerberosTktEvts.Run,
- // 4769 - A Kerberos service ticket was requested.
- 4769: kerberosTktEvts.Run,
- // 4770 - A Kerberos service ticket was renewed.
- 4770: kerberosTktEvts.Run,
- // 4771 - Kerberos pre-authentication failed.
- 4771: kerberosTktEvts.Run,
- // 4776 - The computer attempted to validate the credentials for an account.
- 4776: event4776.Run,
- // 4778 - A session was reconnected to a Window Station.
- 4778: sessionEvts.Run,
- // 4779 - A session was disconnected from a Window Station.
- 4779: sessionEvts.Run,
- // 4781 - The name of an account was changed.
- 4781: userRenamed.Run,
- // 4798 - A user's local group membership was enumerated.
- 4798: userMgmtEvts.Run,
- // 4799 - A security-enabled local group membership was enumerated.
- 4799: groupMgmtEvts.Run,
- // 4964 - Special groups have been assigned to a new logon.
- 4964: event4964.Run,
- process: function(evt) {
- var eventId = evt.Get("winlog.event_id");
- var processor = this[eventId];
- if (processor === undefined) {
- return;
- }
- evt.Put("event.module", "security");
- processor(evt);
- },
- };
- })();
- function process(evt) {
- return security.process(evt);
- }
\ No newline at end of file
diff --git a/packages/system/0.10.7/data_stream/security/elasticsearch/ingest_pipeline/default.yml b/packages/system/0.10.7/data_stream/security/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100644
index 4b6fecee0d..0000000000
--- a/packages/system/0.10.7/data_stream/security/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-description: Pipeline for Windows Security Event Logs
-processors:
- - set:
- field: event.ingested
- value: '{{_ingest.timestamp}}'
-on_failure:
- - set:
- field: "error.message"
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/system/0.10.7/data_stream/security/fields/agent.yml b/packages/system/0.10.7/data_stream/security/fields/agent.yml
deleted file mode 100644
index da4e652c53..0000000000
--- a/packages/system/0.10.7/data_stream/security/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/system/0.10.7/data_stream/security/fields/base-fields.yml b/packages/system/0.10.7/data_stream/security/fields/base-fields.yml
deleted file mode 100644
index a9a65458fc..0000000000
--- a/packages/system/0.10.7/data_stream/security/fields/base-fields.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset name.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: dataset.type
- type: constant_keyword
- description: Dataset type.
-- name: dataset.name
- type: constant_keyword
- description: Dataset name.
-- name: dataset.namespace
- type: constant_keyword
- description: Dataset namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.10.7/data_stream/security/fields/ecs.yml b/packages/system/0.10.7/data_stream/security/fields/ecs.yml
deleted file mode 100644
index ccf9959fcb..0000000000
--- a/packages/system/0.10.7/data_stream/security/fields/ecs.yml
+++ /dev/null
@@ -1,147 +0,0 @@
-- description: Error message.
- name: error.message
- type: text
-- description: The action captured by the event.
- example: user-password-change
- ignore_above: 1024
- name: event.action
- type: keyword
-- description: Event category. The second categorization field in the hierarchy.
- example: authentication
- ignore_above: 1024
- name: event.category
- type: keyword
-- description: Identification code for this event.
- example: 4648
- ignore_above: 1024
- name: event.code
- type: keyword
-- description: Time when the event was first read by an agent or by your pipeline.
- example: '2016-05-23T08:05:34.857Z'
- name: event.created
- type: date
-- description: Timestamp when an event arrived in the central data store.
- example: '2016-05-23T08:05:35.101Z'
- name: event.ingested
- type: date
-- description: Name of the module this data is coming from.
- example: apache
- ignore_above: 1024
- name: event.module
- type: keyword
-- description: Event type. The third categorization field in the hierarchy.
- ignore_above: 1024
- name: event.type
- type: keyword
-- description: Name of the directory the group is a member of.
- ignore_above: 1024
- name: group.domain
- type: keyword
-- description: Unique identifier for the group on the system/platform.
- ignore_above: 1024
- name: group.id
- type: keyword
-- description: Name of the group.
- ignore_above: 1024
- name: group.name
- type: keyword
-- description: Full command line that started the process.
- example: /usr/bin/ssh -l user 10.0.0.16
- ignore_above: 1024
- multi_fields:
- - flat_name: process.command_line.text
- name: text
- norms: false
- type: text
- name: process.command_line
- type: keyword
-- description: Absolute path to the process executable.
- example: /usr/bin/ssh
- ignore_above: 1024
- multi_fields:
- - flat_name: process.executable.text
- name: text
- norms: false
- type: text
- name: process.executable
- type: keyword
-- description: Process name.
- example: ssh
- ignore_above: 1024
- multi_fields:
- - flat_name: process.name.text
- name: text
- norms: false
- type: text
- name: process.name
- type: keyword
-- description: Absolute path to the process executable.
- example: /usr/bin/ssh
- ignore_above: 1024
- multi_fields:
- - flat_name: process.parent.executable.text
- name: text
- norms: false
- type: text
- name: process.parent.executable
- type: keyword
-- description: Process id.
- example: 4242
- name: process.pid
- type: long
-- description: All the user names seen on your event.
- ignore_above: 1024
- name: related.user
- type: keyword
-- description: Name of the service.
- example: elasticsearch-metrics
- ignore_above: 1024
- name: service.name
- type: keyword
-- description: The type of the service.
- example: elasticsearch
- ignore_above: 1024
- name: service.type
- type: keyword
-- description: Source domain.
- ignore_above: 1024
- name: source.domain
- type: keyword
-- description: IP address of the source.
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
-- description: Name of the directory the user is a member of.
- ignore_above: 1024
- name: user.domain
- type: keyword
-- description: Unique identifier of the user.
- ignore_above: 1024
- name: user.id
- type: keyword
-- description: Short name or login of the user.
- example: albert
- ignore_above: 1024
- multi_fields:
- - flat_name: user.name.text
- name: text
- norms: false
- type: text
- name: user.name
- type: keyword
-- description: Identification code for this event.
- example: 4648
- ignore_above: 1024
- name: event.code
- type: keyword
-- description: Log level of the log event.
- name: log.level
- type: keyword
-- description: Host ip addresses.
- name: host.ip
- type: ip
-- description: The outcome of the event. The lowest level categorization field in the hierarchy.
- name: event.outcome
- type: keyword
diff --git a/packages/system/0.10.7/data_stream/security/fields/fields.yml b/packages/system/0.10.7/data_stream/security/fields/fields.yml
deleted file mode 100644
index b8c2eedfc2..0000000000
--- a/packages/system/0.10.7/data_stream/security/fields/fields.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-- name: winlog
- type: group
- fields:
- - name: logon
- type: group
- fields:
- - name: type
- type: keyword
- description: |
- Logon type name. This is the descriptive version of the `winlog.event_data.LogonType` ordinal. This is an enrichment added by the Security module.
- - name: id
- type: keyword
- description: |
- Logon ID that can be used to associate this logon with other events related to the same logon session.
- - name: failure.reason
- type: keyword
- description: |
- The reason the logon failed.
- - name: failure.status
- type: keyword
- description: |
- The reason the logon failed. This is textual description based on the value of the hexadecimal `Status` field.
- - name: failure.sub_status
- type: keyword
- description: |
- Additional information about the logon failure. This is a textual description based on the value of the hexidecimal `SubStatus` field.
diff --git a/packages/system/0.10.7/data_stream/security/fields/winlog.yml b/packages/system/0.10.7/data_stream/security/fields/winlog.yml
deleted file mode 100644
index 1661dec6f1..0000000000
--- a/packages/system/0.10.7/data_stream/security/fields/winlog.yml
+++ /dev/null
@@ -1,365 +0,0 @@ -- name: winlog - type: group - description: > - All fields specific to the Windows Event Log are defined here. - - fields: - - name: api - required: true - type: keyword - description: > - The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. - - The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. - - - name: activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. - - - name: computer_name - type: keyword - required: true - description: > - The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. - - - name: event_data - type: object - object_type: keyword - required: false - description: > - The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. - - - name: event_data - type: group - description: > - This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs. 
- - fields: - - name: AuthenticationPackageName - type: keyword - - name: Binary - type: keyword - - name: BitlockerUserInputTime - type: keyword - - name: BootMode - type: keyword - - name: BootType - type: keyword - - name: BuildVersion - type: keyword - - name: Company - type: keyword - - name: CorruptionActionState - type: keyword - - name: CreationUtcTime - type: keyword - - name: Description - type: keyword - - name: Detail - type: keyword - - name: DeviceName - type: keyword - - name: DeviceNameLength - type: keyword - - name: DeviceTime - type: keyword - - name: DeviceVersionMajor - type: keyword - - name: DeviceVersionMinor - type: keyword - - name: DriveName - type: keyword - - name: DriverName - type: keyword - - name: DriverNameLength - type: keyword - - name: DwordVal - type: keyword - - name: EntryCount - type: keyword - - name: ExtraInfo - type: keyword - - name: FailureName - type: keyword - - name: FailureNameLength - type: keyword - - name: FileVersion - type: keyword - - name: FinalStatus - type: keyword - - name: Group - type: keyword - - name: IdleImplementation - type: keyword - - name: IdleStateCount - type: keyword - - name: ImpersonationLevel - type: keyword - - name: IntegrityLevel - type: keyword - - name: IpAddress - type: keyword - - name: IpPort - type: keyword - - name: KeyLength - type: keyword - - name: LastBootGood - type: keyword - - name: LastShutdownGood - type: keyword - - name: LmPackageName - type: keyword - - name: LogonGuid - type: keyword - - name: LogonId - type: keyword - - name: LogonProcessName - type: keyword - - name: LogonType - type: keyword - - name: MajorVersion - type: keyword - - name: MaximumPerformancePercent - type: keyword - - name: MemberName - type: keyword - - name: MemberSid - type: keyword - - name: MinimumPerformancePercent - type: keyword - - name: MinimumThrottlePercent - type: keyword - - name: MinorVersion - type: keyword - - name: NewProcessId - type: keyword - - name: NewProcessName - type: 
keyword - - name: NewSchemeGuid - type: keyword - - name: NewTime - type: keyword - - name: NominalFrequency - type: keyword - - name: Number - type: keyword - - name: OldSchemeGuid - type: keyword - - name: OldTime - type: keyword - - name: OriginalFileName - type: keyword - - name: Path - type: keyword - - name: PerformanceImplementation - type: keyword - - name: PreviousCreationUtcTime - type: keyword - - name: PreviousTime - type: keyword - - name: PrivilegeList - type: keyword - - name: ProcessId - type: keyword - - name: ProcessName - type: keyword - - name: ProcessPath - type: keyword - - name: ProcessPid - type: keyword - - name: Product - type: keyword - - name: PuaCount - type: keyword - - name: PuaPolicyId - type: keyword - - name: QfeVersion - type: keyword - - name: Reason - type: keyword - - name: SchemaVersion - type: keyword - - name: ScriptBlockText - type: keyword - - name: ServiceName - type: keyword - - name: ServiceVersion - type: keyword - - name: ShutdownActionType - type: keyword - - name: ShutdownEventCode - type: keyword - - name: ShutdownReason - type: keyword - - name: Signature - type: keyword - - name: SignatureStatus - type: keyword - - name: Signed - type: keyword - - name: StartTime - type: keyword - - name: State - type: keyword - - name: Status - type: keyword - - name: StopTime - type: keyword - - name: SubjectDomainName - type: keyword - - name: SubjectLogonId - type: keyword - - name: SubjectUserName - type: keyword - - name: SubjectUserSid - type: keyword - - name: TSId - type: keyword - - name: TargetDomainName - type: keyword - - name: TargetInfo - type: keyword - - name: TargetLogonGuid - type: keyword - - name: TargetLogonId - type: keyword - - name: TargetServerName - type: keyword - - name: TargetUserName - type: keyword - - name: NewTargetUserName - type: keyword - - name: OldTargetUserName - type: keyword - - name: TargetUserSid - type: keyword - - name: TerminalSessionId - type: keyword - - name: TokenElevationType - 
type: keyword - - name: TransmittedServices - type: keyword - - name: UserSid - type: keyword - - name: Version - type: keyword - - name: Workstation - type: keyword - - name: param1 - type: keyword - - name: param2 - type: keyword - - name: param3 - type: keyword - - name: param4 - type: keyword - - name: param5 - type: keyword - - name: param6 - type: keyword - - name: param7 - type: keyword - - name: param8 - type: keyword - - name: event_id - type: keyword - required: true - description: > - The event identifier. The value is specific to the source of the event. - - - name: keywords - type: keyword - required: false - description: > - The keywords are used to classify an event. - - - name: channel - type: keyword - required: true - description: > - The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. - - - name: record_id - type: keyword - required: true - description: > - The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. - - - name: related_activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. - - - name: opcode - type: keyword - required: false - description: > - The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. - - - name: provider_guid - type: keyword - required: false - description: > - A globally unique identifier that identifies the provider that logged the event. 
- - - name: process.pid - type: long - required: false - description: > - The process_id of the Client Server Runtime Process. - - - name: provider_name - type: keyword - required: true - description: > - The source of the event log record (the application or service that logged the record). - - - name: task - type: keyword - required: false - description: > - The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. - - - name: process.thread.id - type: long - required: false - - name: user_data - type: object - object_type: keyword - required: false - description: > - The event specific data. This field is mutually exclusive with `event_data`. - - - name: user.identifier - type: keyword - required: false - example: S-1-5-21-3541430928-2051711210-1391384369-1001 - description: > - The Windows security identifier (SID) of the account associated with this event. - - If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. - - - name: user.name - type: keyword - description: > - Name of the user associated with this event. - - - name: user.domain - type: keyword - required: false - description: > - The domain that the account associated with this event is a member of. - - - name: user.type - type: keyword - required: false - description: > - The type of account associated with this event. - - - name: version - type: long - required: false - description: The version number of the event's definition. diff --git a/packages/system/0.10.7/data_stream/security/manifest.yml b/packages/system/0.10.7/data_stream/security/manifest.yml deleted file mode 100644 index a0f8b8b08e..0000000000 
--- a/packages/system/0.10.7/data_stream/security/manifest.yml
+++ /dev/null
@@ -1,8 +0,0 @@
-type: logs
-title: Windows security logs
-release: experimental
-streams:
- - input: winlog
- template_path: winlog.yml.hbs
- title: Security
- description: 'Collect Windows security logs'
diff --git a/packages/system/0.10.7/data_stream/socket_summary/agent/stream/stream.yml.hbs b/packages/system/0.10.7/data_stream/socket_summary/agent/stream/stream.yml.hbs
deleted file mode 100644
index bbc8e63f4a..0000000000
--- a/packages/system/0.10.7/data_stream/socket_summary/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,2 +0,0 @@
-metricsets: ["socket_summary"]
-period: {{period}}
\ No newline at end of file
diff --git a/packages/system/0.10.7/data_stream/socket_summary/fields/agent.yml b/packages/system/0.10.7/data_stream/socket_summary/fields/agent.yml
deleted file mode 100644
index da4e652c53..0000000000
--- a/packages/system/0.10.7/data_stream/socket_summary/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.10.7/data_stream/socket_summary/fields/base-fields.yml b/packages/system/0.10.7/data_stream/socket_summary/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.10.7/data_stream/socket_summary/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.10.7/data_stream/socket_summary/fields/ecs.yml b/packages/system/0.10.7/data_stream/socket_summary/fields/ecs.yml
deleted file mode 100644
index 9f3d04118b..0000000000
--- a/packages/system/0.10.7/data_stream/socket_summary/fields/ecs.yml
+++ /dev/null
@@ -1,128 +0,0 @@ -- name: '@timestamp' - level: core - required: true - type: date - description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. -- name: message - level: core - type: text - description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. -- name: group - title: Group - group: 2 - type: group - fields: - - name: id - level: extended - type: keyword - description: Unique identifier for the group on the system/platform. - ignore_above: 1024 - - name: name - level: extended - type: keyword - description: Name of the group. - ignore_above: 1024 -- name: host - title: Host - group: 2 - type: group - fields: - - name: hostname - level: core - type: keyword - description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - ignore_above: 1024 -- name: process - title: Process - group: 2 - type: group - fields: - - name: name - level: extended - type: keyword - description: |- - Process name. - Sometimes called program name or similar. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - - name: pid - level: core - type: long - format: string - description: Process id. -- name: source - title: Source - group: 2 - type: group - fields: - - name: geo.city_name - level: core - type: keyword - description: City name. 
- ignore_above: 1024 - - name: geo.continent_name - level: core - type: keyword - description: Name of the continent. - ignore_above: 1024 - - name: geo.country_iso_code - level: core - type: keyword - description: Country ISO code. - ignore_above: 1024 - - name: geo.location - level: core - type: geo_point - description: Longitude and latitude. - - name: geo.region_iso_code - level: core - type: keyword - description: Region ISO code. - ignore_above: 1024 - - name: geo.region_name - level: core - type: keyword - description: Region name. - ignore_above: 1024 - - name: ip - level: core - type: ip - description: IP address of the source (IPv4 or IPv6). - - name: port - level: core - type: long - format: string - description: Port of the source. -- name: user - title: User - group: 2 - type: group - fields: - - name: id - level: core - type: keyword - description: Unique identifier of the user. - ignore_above: 1024 - - name: name - level: core - type: keyword - description: Short name or login of the user. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false diff --git a/packages/system/0.10.7/data_stream/socket_summary/fields/fields.yml b/packages/system/0.10.7/data_stream/socket_summary/fields/fields.yml deleted file mode 100644 index fca58be0c8..0000000000 --- a/packages/system/0.10.7/data_stream/socket_summary/fields/fields.yml +++ /dev/null 
@@ -1,106 +0,0 @@ -- name: system.socket.summary - title: Socket summary - type: group - fields: - - name: all - type: group - fields: - - name: count - type: integer - metric_type: gauge - description: | - All open connections - - name: listening - type: integer - metric_type: gauge - description: | - All listening ports - - name: tcp - type: group - fields: - - name: memory - type: integer - format: bytes - unit: byte - metric_type: gauge - description: "Memory used by TCP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/tcp_mem. Only available on Linux. \n" - - name: all - type: group - fields: - - name: orphan - type: integer - metric_type: gauge - description: | - A count of all orphaned tcp sockets. Only available on Linux. - - name: count - type: integer - metric_type: gauge - description: | - All open TCP connections - - name: listening - type: integer - metric_type: gauge - description: | - All TCP listening ports - - name: established - type: integer - metric_type: gauge - description: | - Number of established TCP connections - - name: close_wait - type: integer - metric_type: gauge - description: | - Number of TCP connections in _close_wait_ state - - name: time_wait - type: integer - metric_type: gauge - description: | - Number of TCP connections in _time_wait_ state - - name: syn_sent - type: integer - metric_type: gauge - description: | - Number of TCP connections in _syn_sent_ state - - name: syn_recv - type: integer - metric_type: gauge - description: | - Number of TCP connections in _syn_recv_ state - - name: fin_wait1 - type: integer - metric_type: gauge - description: | - Number of TCP connections in _fin_wait1_ state - - name: fin_wait2 - type: integer - metric_type: gauge - description: | - Number of TCP connections in _fin_wait2_ state - - name: last_ack - type: integer - metric_type: gauge - description: | - Number of TCP connections in _last_ack_ state - - name: 
closing
- type: integer
- metric_type: gauge
- description: |
- Number of TCP connections in _closing_ state
- - name: udp
- type: group
- fields:
- - name: memory
- type: integer
- format: bytes
- unit: byte
- metric_type: gauge
- description: "Memory used by UDP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/udp_mem. Only available on Linux. \n"
- - name: all
- type: group
- fields:
- - name: count
- type: integer
- metric_type: gauge
- description: |
- All open UDP connections
diff --git a/packages/system/0.10.7/data_stream/socket_summary/manifest.yml b/packages/system/0.10.7/data_stream/socket_summary/manifest.yml
deleted file mode 100644
index 119109fe70..0000000000
--- a/packages/system/0.10.7/data_stream/socket_summary/manifest.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-title: System socket_summary metrics
-release: experimental
-type: metrics
-streams:
- - input: system/metrics
- vars:
- - name: period
- type: text
- title: Period
- multi: false
- required: true
- show_user: true
- default: 10s
- title: System socket_summary metrics
- description: Collect System socket_summary metrics
diff --git a/packages/system/0.10.7/data_stream/syslog/agent/stream/log.yml.hbs b/packages/system/0.10.7/data_stream/syslog/agent/stream/log.yml.hbs
deleted file mode 100644
index 58c96859c0..0000000000
--- a/packages/system/0.10.7/data_stream/syslog/agent/stream/log.yml.hbs
+++ /dev/null
@@ -1,14 +0,0 @@
-paths:
-{{#each paths as |path i|}}
- - {{path}}
-{{/each}}
-exclude_files: [".gz$"]
-multiline:
- pattern: "^\\s"
- match: after
-processors:
- - add_locale: ~
- - add_fields:
- target: ''
- fields:
- ecs.version: 1.5.0
\ No newline at end of file
diff --git a/packages/system/0.10.7/data_stream/syslog/elasticsearch/ingest_pipeline/default.json b/packages/system/0.10.7/data_stream/syslog/elasticsearch/ingest_pipeline/default.json
deleted file mode 100644
index 0c614b8a95..0000000000
--- a/packages/system/0.10.7/data_stream/syslog/elasticsearch/ingest_pipeline/default.json
+++ /dev/null
@@ -1,71 +0,0 @@
-{
- "description": "Pipeline for parsing Syslog messages.",
- "processors": [
- {
- "grok": {
- "field": "message",
- "patterns": [
- "%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: %{GREEDYMULTILINE:system.syslog.message}",
- "%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{GREEDYMULTILINE:system.syslog.message}",
- "%{TIMESTAMP_ISO8601:system.syslog.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: %{GREEDYMULTILINE:system.syslog.message}"
- ],
- "pattern_definitions" : {
- "GREEDYMULTILINE" : "(.|\n)*"
- },
- "ignore_missing": true
- }
- },
- {
- "remove": {
- "field": "message"
- }
- },
- {
- "rename": {
- "field": "system.syslog.message",
- "target_field": "message",
- "ignore_missing": true
- }
- },
- {
- "date": {
- "if": "ctx.event.timezone == null",
- "field": "system.syslog.timestamp",
- "target_field": "@timestamp",
- "formats": [
- "MMM d HH:mm:ss",
- "MMM dd HH:mm:ss",
- "MMM d HH:mm:ss",
- "ISO8601"
- ],
- "on_failure": [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]
- }
- },
- {
- "date": {
- "if": "ctx.event.timezone != null",
- "field": "system.syslog.timestamp",
- "target_field": "@timestamp",
- "formats": [
- "MMM d HH:mm:ss",
- "MMM dd HH:mm:ss",
- "MMM d HH:mm:ss",
- "ISO8601"
- ],
- "timezone": "{{ event.timezone }}",
- "on_failure": [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]
- }
- },
- {
- "remove": {
- "field": "system.syslog.timestamp"
- }
- }
- ],
- "on_failure" : [{
- "set" : {
- "field" : "error.message",
- "value" : "{{ _ingest.on_failure_message }}"
- }
- }]
-}
diff --git a/packages/system/0.10.7/data_stream/syslog/elasticsearch/ingest_pipeline/default.yml b/packages/system/0.10.7/data_stream/syslog/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100644
index 0385fc138f..0000000000
--- a/packages/system/0.10.7/data_stream/syslog/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,58 +0,0 @@
----
-description: Pipeline for parsing Syslog messages.
-processors:
-- grok:
- field: message
- patterns:
- - '%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?:
- %{GREEDYMULTILINE:system.syslog.message}'
- - '%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{GREEDYMULTILINE:system.syslog.message}'
- - '%{TIMESTAMP_ISO8601:system.syslog.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?:
- %{GREEDYMULTILINE:system.syslog.message}'
- pattern_definitions:
- GREEDYMULTILINE: |-
- (.|
- )*
- ignore_missing: true
-- remove:
- field: message
-- rename:
- field: system.syslog.message
- target_field: message
- ignore_missing: true
-- date:
- if: ctx.event.timezone == null
- field: system.syslog.timestamp
- target_field: '@timestamp'
- formats:
- - MMM d HH:mm:ss
- - MMM dd HH:mm:ss
- - MMM d HH:mm:ss
- - ISO8601
- on_failure:
- - append:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
-- date:
- if: ctx.event.timezone != null
- field: system.syslog.timestamp
- target_field: '@timestamp'
- formats:
- - MMM d HH:mm:ss
- - MMM dd HH:mm:ss
- - MMM d HH:mm:ss
- - ISO8601
- timezone: '{{ event.timezone }}'
- on_failure:
- - append:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
-- remove:
- field: system.syslog.timestamp
-- set:
- field: event.type
- value: event
-on_failure:
-- set:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
diff --git a/packages/system/0.10.7/data_stream/syslog/fields/agent.yml b/packages/system/0.10.7/data_stream/syslog/fields/agent.yml
deleted file mode 100644
index da4e652c53..0000000000
--- a/packages/system/0.10.7/data_stream/syslog/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.10.7/data_stream/syslog/fields/base-fields.yml b/packages/system/0.10.7/data_stream/syslog/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.10.7/data_stream/syslog/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.10.7/data_stream/syslog/fields/ecs.yml b/packages/system/0.10.7/data_stream/syslog/fields/ecs.yml
deleted file mode 100644
index 6177e5856f..0000000000
--- a/packages/system/0.10.7/data_stream/syslog/fields/ecs.yml
+++ /dev/null
@@ -1,97 +0,0 @@
-- name: '@timestamp'
- level: core
- required: true
- type: date
- description: |-
- Date/time when the event originated.
- This is the date/time extracted from the event, typically representing when the event was generated by the source.
- If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline.
- Required field for all events.
-- name: message
- level: core
- type: text
- description: |-
- For log events the message field contains the log message, optimized for viewing in a log viewer.
- For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
- If multiple messages exist, they can be combined into one message.
-- name: process
- title: Process
- group: 2
- type: group
- fields:
- - name: name
- level: extended
- type: keyword
- description: |-
- Process name.
- Sometimes called program name or similar.
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- - name: pid
- level: core
- type: long
- format: string
- description: Process id.
-- description: "Operating system architecture."
- ignore_above: 1024
- name: host.architecture
- type: keyword
-- description: "Name of the directory the group is a member of."
- ignore_above: 1024
- name: host.domain
- type: keyword
-- description: "Hostname of the host."
- ignore_above: 1024
- name: host.hostname
- type: keyword
-- description: "Unique host id."
- ignore_above: 1024
- name: host.id
- type: keyword
-- description: "Host ip addresses."
- name: host.ip
- type: ip
-- description: "Host mac addresses."
- ignore_above: 1024
- name: host.mac
- type: keyword
-- description: "Name of the host."
- ignore_above: 1024
- name: host.name
- type: keyword
-- description: "OS family (such as redhat, debian, freebsd, windows)."
- ignore_above: 1024
- name: host.os.family
- type: keyword
-- description: "Operating system name, including the version or code name."
- ignore_above: 1024
- multi_fields:
- - name: text
- norms: false
- type: text
- name: host.os.full
- type: keyword
-- description: "Operating system kernel version as a raw string."
- ignore_above: 1024
- name: host.os.kernel
- type: keyword
-- description: "Operating system name, without the version."
- ignore_above: 1024
- multi_fields:
- - name: text
- norms: false
- type: text
- name: host.os.name
- type: keyword
-- description: "Operating system platform (such centos, ubuntu, windows)."
- ignore_above: 1024
- name: host.os.platform
- type: keyword
-- description: "Operating system version as a raw string."
- ignore_above: 1024
- name: version
- type: keyword
diff --git a/packages/system/0.10.7/data_stream/syslog/fields/fields.yml b/packages/system/0.10.7/data_stream/syslog/fields/fields.yml
deleted file mode 100644
index f933686930..0000000000
--- a/packages/system/0.10.7/data_stream/syslog/fields/fields.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-- name: system.syslog
- type: group
diff --git a/packages/system/0.10.7/data_stream/syslog/manifest.yml b/packages/system/0.10.7/data_stream/syslog/manifest.yml
deleted file mode 100644
index 1aa1fe9412..0000000000
--- a/packages/system/0.10.7/data_stream/syslog/manifest.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-title: System syslog logs
-release: experimental
-type: logs
-streams:
- - input: logfile
- vars:
- - name: paths
- type: text
- title: Paths
- multi: true
- required: true
- show_user: true
- default:
- - /var/log/messages*
- - /var/log/syslog*
- template_path: log.yml.hbs
- title: System syslog logs (log)
- description: Collect System syslog logs using log input
diff --git a/packages/system/0.10.7/data_stream/system/agent/stream/winlog.yml.hbs b/packages/system/0.10.7/data_stream/system/agent/stream/winlog.yml.hbs
deleted file mode 100644
index 47df93c51d..0000000000
--- a/packages/system/0.10.7/data_stream/system/agent/stream/winlog.yml.hbs
+++ /dev/null
@@ -1,2 +0,0 @@
-name: System
-condition: ${host.platform} == 'windows'
\ No newline at end of file
diff --git a/packages/system/0.10.7/data_stream/system/elasticsearch/ingest_pipeline/default.yml b/packages/system/0.10.7/data_stream/system/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100644
index 9f7e885a2f..0000000000
--- a/packages/system/0.10.7/data_stream/system/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-description: Pipeline for Windows System Event Logs
-processors:
- - set:
- field: event.ingested
- value: '{{_ingest.timestamp}}'
-on_failure:
- - set:
- field: "error.message"
- value: "{{ _ingest.on_failure_message }}"
\ No newline at end of file
diff --git a/packages/system/0.10.7/data_stream/system/fields/agent.yml b/packages/system/0.10.7/data_stream/system/fields/agent.yml
deleted file mode 100644
index da4e652c53..0000000000
--- a/packages/system/0.10.7/data_stream/system/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.10.7/data_stream/system/fields/base-fields.yml b/packages/system/0.10.7/data_stream/system/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.10.7/data_stream/system/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.10.7/data_stream/system/fields/ecs.yml b/packages/system/0.10.7/data_stream/system/fields/ecs.yml
deleted file mode 100644
index e1817f5ca6..0000000000
--- a/packages/system/0.10.7/data_stream/system/fields/ecs.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-- description: Time when the event was first read by an agent or by your pipeline.
- example: '2016-05-23T08:05:34.857Z'
- name: event.created
- type: date
-- description: Timestamp when an event arrived in the central data store.
- example: '2016-05-23T08:05:35.101Z'
- name: event.ingested
- type: date
-- description: Raw text message of entire event.
- example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232
- ignore_above: 1024
- name: event.original
- type: keyword
-- description: Error message.
- name: error.message
- type: text
diff --git a/packages/system/0.10.7/data_stream/system/fields/winlog.yml b/packages/system/0.10.7/data_stream/system/fields/winlog.yml
deleted file mode 100644
index adca1bbdd0..0000000000
--- a/packages/system/0.10.7/data_stream/system/fields/winlog.yml
+++ /dev/null
@@ -1,357 +0,0 @@ -- name: winlog - type: group - description: > - All fields specific to the Windows Event Log are defined here. - - fields: - - name: api - required: true - type: keyword - description: > - The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. - - - name: activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. - - - name: computer_name - type: keyword - required: true - description: > - The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. - - - name: event_data - type: object - object_type: keyword - required: false - description: > - The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. - - - name: event_data - type: group - description: > - This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs. 
- - fields: - - name: AuthenticationPackageName - type: keyword - - name: Binary - type: keyword - - name: BitlockerUserInputTime - type: keyword - - name: BootMode - type: keyword - - name: BootType - type: keyword - - name: BuildVersion - type: keyword - - name: Company - type: keyword - - name: CorruptionActionState - type: keyword - - name: CreationUtcTime - type: keyword - - name: Description - type: keyword - - name: Detail - type: keyword - - name: DeviceName - type: keyword - - name: DeviceNameLength - type: keyword - - name: DeviceTime - type: keyword - - name: DeviceVersionMajor - type: keyword - - name: DeviceVersionMinor - type: keyword - - name: DriveName - type: keyword - - name: DriverName - type: keyword - - name: DriverNameLength - type: keyword - - name: DwordVal - type: keyword - - name: EntryCount - type: keyword - - name: ExtraInfo - type: keyword - - name: FailureName - type: keyword - - name: FailureNameLength - type: keyword - - name: FileVersion - type: keyword - - name: FinalStatus - type: keyword - - name: Group - type: keyword - - name: IdleImplementation - type: keyword - - name: IdleStateCount - type: keyword - - name: ImpersonationLevel - type: keyword - - name: IntegrityLevel - type: keyword - - name: IpAddress - type: keyword - - name: IpPort - type: keyword - - name: KeyLength - type: keyword - - name: LastBootGood - type: keyword - - name: LastShutdownGood - type: keyword - - name: LmPackageName - type: keyword - - name: LogonGuid - type: keyword - - name: LogonId - type: keyword - - name: LogonProcessName - type: keyword - - name: LogonType - type: keyword - - name: MajorVersion - type: keyword - - name: MaximumPerformancePercent - type: keyword - - name: MemberName - type: keyword - - name: MemberSid - type: keyword - - name: MinimumPerformancePercent - type: keyword - - name: MinimumThrottlePercent - type: keyword - - name: MinorVersion - type: keyword - - name: NewProcessId - type: keyword - - name: NewProcessName - type: 
keyword - - name: NewSchemeGuid - type: keyword - - name: NewTime - type: keyword - - name: NominalFrequency - type: keyword - - name: Number - type: keyword - - name: OldSchemeGuid - type: keyword - - name: OldTime - type: keyword - - name: OriginalFileName - type: keyword - - name: Path - type: keyword - - name: PerformanceImplementation - type: keyword - - name: PreviousCreationUtcTime - type: keyword - - name: PreviousTime - type: keyword - - name: PrivilegeList - type: keyword - - name: ProcessId - type: keyword - - name: ProcessName - type: keyword - - name: ProcessPath - type: keyword - - name: ProcessPid - type: keyword - - name: Product - type: keyword - - name: PuaCount - type: keyword - - name: PuaPolicyId - type: keyword - - name: QfeVersion - type: keyword - - name: Reason - type: keyword - - name: SchemaVersion - type: keyword - - name: ScriptBlockText - type: keyword - - name: ServiceName - type: keyword - - name: ServiceVersion - type: keyword - - name: ShutdownActionType - type: keyword - - name: ShutdownEventCode - type: keyword - - name: ShutdownReason - type: keyword - - name: Signature - type: keyword - - name: SignatureStatus - type: keyword - - name: Signed - type: keyword - - name: StartTime - type: keyword - - name: State - type: keyword - - name: Status - type: keyword - - name: StopTime - type: keyword - - name: SubjectDomainName - type: keyword - - name: SubjectLogonId - type: keyword - - name: SubjectUserName - type: keyword - - name: SubjectUserSid - type: keyword - - name: TSId - type: keyword - - name: TargetDomainName - type: keyword - - name: TargetInfo - type: keyword - - name: TargetLogonGuid - type: keyword - - name: TargetLogonId - type: keyword - - name: TargetServerName - type: keyword - - name: TargetUserName - type: keyword - - name: TargetUserSid - type: keyword - - name: TerminalSessionId - type: keyword - - name: TokenElevationType - type: keyword - - name: TransmittedServices - type: keyword - - name: UserSid - type: 
keyword - - name: Version - type: keyword - - name: Workstation - type: keyword - - name: param1 - type: keyword - - name: param2 - type: keyword - - name: param3 - type: keyword - - name: param4 - type: keyword - - name: param5 - type: keyword - - name: param6 - type: keyword - - name: param7 - type: keyword - - name: param8 - type: keyword - - name: event_id - type: keyword - required: true - description: > - The event identifier. The value is specific to the source of the event. - - - name: keywords - type: keyword - required: false - description: > - The keywords are used to classify an event. - - - name: channel - type: keyword - required: true - description: > - The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. - - - name: record_id - type: keyword - required: true - description: > - The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. - - - name: related_activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. - - - name: opcode - type: keyword - required: false - description: > - The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. - - - name: provider_guid - type: keyword - required: false - description: > - A globally unique identifier that identifies the provider that logged the event. - - - name: process.pid - type: long - required: false - description: > - The process_id of the Client Server Runtime Process. 
- - - name: provider_name - type: keyword - required: true - description: > - The source of the event log record (the application or service that logged the record). - - - name: task - type: keyword - required: false - description: > - The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. - - - name: process.thread.id - type: long - required: false - - name: user_data - type: object - object_type: keyword - required: false - description: > - The event specific data. This field is mutually exclusive with `event_data`. - - - name: user.identifier - type: keyword - required: false - example: S-1-5-21-3541430928-2051711210-1391384369-1001 - description: > - The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. - - - name: user.name - type: keyword - description: > - Name of the user associated with this event. - - - name: user.domain - type: keyword - required: false - description: > - The domain that the account associated with this event is a member of. - - - name: user.type - type: keyword - required: false - description: > - The type of account associated with this event. - - - name: version - type: long - required: false - description: The version number of the event's definition.
diff --git a/packages/system/0.10.7/data_stream/system/manifest.yml b/packages/system/0.10.7/data_stream/system/manifest.yml
deleted file mode 100644
index e9bec4fd1e..0000000000
--- a/packages/system/0.10.7/data_stream/system/manifest.yml
+++ /dev/null
@@ -1,8 +0,0 @@
-type: logs
-title: Windows System Events
-release: experimental
-streams:
- - input: winlog
- template_path: winlog.yml.hbs
- title: System
- description: 'Collect Windows system logs'
diff --git a/packages/system/0.10.7/data_stream/uptime/agent/stream/stream.yml.hbs b/packages/system/0.10.7/data_stream/uptime/agent/stream/stream.yml.hbs
deleted file mode 100644
index 810f6a1f3e..0000000000
--- a/packages/system/0.10.7/data_stream/uptime/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,2 +0,0 @@
-metricsets: ["uptime"]
-period: {{period}}
\ No newline at end of file
diff --git a/packages/system/0.10.7/data_stream/uptime/fields/agent.yml b/packages/system/0.10.7/data_stream/uptime/fields/agent.yml
deleted file mode 100644
index da4e652c53..0000000000
--- a/packages/system/0.10.7/data_stream/uptime/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.10.7/data_stream/uptime/fields/base-fields.yml b/packages/system/0.10.7/data_stream/uptime/fields/base-fields.yml deleted file mode 100644 index 7c798f4534..0000000000 --- a/packages/system/0.10.7/data_stream/uptime/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.10.7/data_stream/uptime/fields/fields.yml b/packages/system/0.10.7/data_stream/uptime/fields/fields.yml deleted file mode 100644 index 7c61a13721..0000000000 --- a/packages/system/0.10.7/data_stream/uptime/fields/fields.yml +++ /dev/null @@ -1,10 +0,0 @@ -- name: system.uptime - type: group - fields: - - name: duration.ms - type: long - format: duration - unit: ms - metric_type: counter - description: | - The OS uptime in milliseconds. diff --git a/packages/system/0.10.7/data_stream/uptime/manifest.yml b/packages/system/0.10.7/data_stream/uptime/manifest.yml deleted file mode 100644 index d1fc1f1579..0000000000 --- a/packages/system/0.10.7/data_stream/uptime/manifest.yml +++ /dev/null @@ -1,15 +0,0 @@ -title: System uptime metrics -release: experimental -type: metrics -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - title: System uptime metrics - description: Collect System uptime metrics diff --git a/packages/system/0.10.7/docs/README.md b/packages/system/0.10.7/docs/README.md deleted file mode 100644 index 1eda41bdc7..0000000000 --- a/packages/system/0.10.7/docs/README.md +++ /dev/null 
@@ -1,1505 +0,0 @@ -# System Integration - -The System integrations allows you to monitor your servers. Because the System integration -always applies to the local server, the `hosts` config option is not needed. - -The default datasets are `cpu`, `load`, `memory`, `network`, `process`, and -`process_summary`. If _all_ datasets are disabled -and the System module is still enabled, fleet uses the default datasets. - -Note that certain datasets may access `/proc` to gather process information, -and the resulting `ptrace_may_access()` call by the kernel to check for -permissions can be blocked by -[AppArmor and other LSM software](https://gitlab.com/apparmor/apparmor/wikis/TechnicalDoc_Proc_and_ptrace), even though the System module doesn't use `ptrace` directly. - -## Compatibility - -The System datasets collect different kinds of metric data, which may require dedicated permissions -to be fetched and which may vary across operating systems. - -## Metrics - -### Core - -The System `core` dataset provides usage statistics for each CPU core. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- OpenBSD -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. 
Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip address. | ip | -| host.mac | Host mac address. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. 
| keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. | keyword | -| system.core.id | CPU Core number. | keyword | -| system.core.idle.pct | The percentage of CPU time spent idle. | scaled_float | -| system.core.idle.ticks | The amount of CPU time spent idle. | long | -| system.core.iowait.pct | The percentage of CPU time spent in wait (on disk). | scaled_float | -| system.core.iowait.ticks | The amount of CPU time spent in wait (on disk). | long | -| system.core.irq.pct | The percentage of CPU time spent servicing and handling hardware interrupts. | scaled_float | -| system.core.irq.ticks | The amount of CPU time spent servicing and handling hardware interrupts. | long | -| system.core.nice.pct | The percentage of CPU time spent on low-priority processes. | scaled_float | -| system.core.nice.ticks | The amount of CPU time spent on low-priority processes. | long | -| system.core.softirq.pct | The percentage of CPU time spent servicing and handling software interrupts. | scaled_float | -| system.core.softirq.ticks | The amount of CPU time spent servicing and handling software interrupts. | long | -| system.core.steal.pct | The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | scaled_float | -| system.core.steal.ticks | The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | long | -| system.core.system.pct | The percentage of CPU time spent in kernel space. | scaled_float | -| system.core.system.ticks | The amount of CPU time spent in kernel space. | long | -| system.core.user.pct | The percentage of CPU time spent in user space. | scaled_float | -| system.core.user.ticks | The amount of CPU time spent in user space. 
| long | - - -### CPU - -The System `cpu` dataset provides CPU statistics. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- OpenBSD -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.cpu.pct | Percent CPU used. This value is normalized by the number of CPU cores and it ranges from 0 to 1. | scaled_float | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. 
For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip address. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| system.cpu.cores | The number of CPU cores present on the host. The non-normalized percentages will have a maximum value of `100% * cores`. The normalized percentages already take this value into account and have a maximum value of 100%. | long | -| system.cpu.idle.norm.pct | The percentage of CPU time spent idle. | scaled_float | -| system.cpu.idle.pct | The percentage of CPU time spent idle. | scaled_float | -| system.cpu.idle.ticks | The amount of CPU time spent idle. 
| long | -| system.cpu.iowait.norm.pct | The percentage of CPU time spent in wait (on disk). | scaled_float | -| system.cpu.iowait.pct | The percentage of CPU time spent in wait (on disk). | scaled_float | -| system.cpu.iowait.ticks | The amount of CPU time spent in wait (on disk). | long | -| system.cpu.irq.norm.pct | The percentage of CPU time spent servicing and handling hardware interrupts. | scaled_float | -| system.cpu.irq.pct | The percentage of CPU time spent servicing and handling hardware interrupts. | scaled_float | -| system.cpu.irq.ticks | The amount of CPU time spent servicing and handling hardware interrupts. | long | -| system.cpu.nice.norm.pct | The percentage of CPU time spent on low-priority processes. | scaled_float | -| system.cpu.nice.pct | The percentage of CPU time spent on low-priority processes. | scaled_float | -| system.cpu.nice.ticks | The amount of CPU time spent on low-priority processes. | long | -| system.cpu.softirq.norm.pct | The percentage of CPU time spent servicing and handling software interrupts. | scaled_float | -| system.cpu.softirq.pct | The percentage of CPU time spent servicing and handling software interrupts. | scaled_float | -| system.cpu.softirq.ticks | The amount of CPU time spent servicing and handling software interrupts. | long | -| system.cpu.steal.norm.pct | The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | scaled_float | -| system.cpu.steal.pct | The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | scaled_float | -| system.cpu.steal.ticks | The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | long | -| system.cpu.system.norm.pct | The percentage of CPU time spent in kernel space. 
| scaled_float | -| system.cpu.system.pct | The percentage of CPU time spent in kernel space. | scaled_float | -| system.cpu.system.ticks | The amount of CPU time spent in kernel space. | long | -| system.cpu.total.norm.pct | The percentage of CPU time in states other than Idle and IOWait, normalised by the number of cores. | scaled_float | -| system.cpu.total.pct | The percentage of CPU time spent in states other than Idle and IOWait. | scaled_float | -| system.cpu.user.norm.pct | The percentage of CPU time spent in user space. | scaled_float | -| system.cpu.user.pct | The percentage of CPU time spent in user space. On multi-core systems, you can have percentages that are greater than 100%. For example, if 3 cores are at 60% use, then the `system.cpu.user.pct` will be 180%. | scaled_float | -| system.cpu.user.ticks | The amount of CPU time spent in user space. | long | - - -### Disk IO - -The System `diskio` dataset provides disk IO metrics collected from the -operating system. One event is created for each disk mounted on the system. - -This dataset is available on: - -- Linux -- macOS (requires 10.10+) -- Windows -- FreeBSD (amd64) - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. 
Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.disk.read.bytes | The total number of bytes read successfully in a given period of time. | scaled_float | -| host.disk.write.bytes | The total number of bytes write successfully in a given period of time. | scaled_float | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). 
| keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| system.diskio.io.time | The total number of of milliseconds spent doing I/Os. | long | -| system.diskio.iostat.await | The average time spent for requests issued to the device to be served. | float | -| system.diskio.iostat.busy | Percentage of CPU time during which I/O requests were issued to the device (bandwidth utilization for the device). Device saturation occurs when this value is close to 100%. | float | -| system.diskio.iostat.queue.avg_size | The average queue length of the requests that were issued to the device. | float | -| system.diskio.iostat.read.await | The average time spent for read requests issued to the device to be served. | float | -| system.diskio.iostat.read.per_sec.bytes | The number of Bytes read from the device per second. | float | -| system.diskio.iostat.read.request.merges_per_sec | The number of read requests merged per second that were queued to the device. | float | -| system.diskio.iostat.read.request.per_sec | The number of read requests that were issued to the device per second | float | -| system.diskio.iostat.request.avg_size | The average size (in bytes) of the requests that were issued to the device. | float | -| system.diskio.iostat.service_time | The average service time (in milliseconds) for I/O requests that were issued to the device. 
| float | -| system.diskio.iostat.write.await | The average time spent for write requests issued to the device to be served. | float | -| system.diskio.iostat.write.per_sec.bytes | The number of Bytes write from the device per second. | float | -| system.diskio.iostat.write.request.merges_per_sec | The number of write requests merged per second that were queued to the device. | float | -| system.diskio.iostat.write.request.per_sec | The number of write requests that were issued to the device per second | float | -| system.diskio.name | The disk name. | keyword | -| system.diskio.read.bytes | The total number of bytes read successfully. On Linux this is the number of sectors read multiplied by an assumed sector size of 512. | long | -| system.diskio.read.count | The total number of reads completed successfully. | long | -| system.diskio.read.time | The total number of milliseconds spent by all reads. | long | -| system.diskio.serial_number | The disk's serial number. This may not be provided by all operating systems. | keyword | -| system.diskio.write.bytes | The total number of bytes written successfully. On Linux this is the number of sectors written multiplied by an assumed sector size of 512. | long | -| system.diskio.write.count | The total number of writes completed successfully. | long | -| system.diskio.write.time | The total number of milliseconds spent by all writes. | long | - - -### Filesystem - -The System `filesystem` dataset provides file system statistics. For each file -system, one document is provided. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- OpenBSD -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. 
The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| system.filesystem.available | The disk space available to an unprivileged user in bytes. | long | -| system.filesystem.device_name | The disk name. For example: `/dev/disk1` | keyword | -| system.filesystem.files | The total number of file nodes in the file system. | long | -| system.filesystem.free | The disk space available in bytes. | long | -| system.filesystem.free_files | The number of free file nodes in the file system. | long | -| system.filesystem.mount_point | The mounting point. For example: `/` | keyword | -| system.filesystem.total | The total disk space in bytes. | long | -| system.filesystem.type | The disk type. For example: `ext4` | keyword | -| system.filesystem.used.bytes | The used disk space in bytes. | long | -| system.filesystem.used.pct | The percentage of used disk space. | scaled_float | - - -### Fsstat - -The System `fsstat` dataset provides overall file system statistics. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- OpenBSD -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. 
| date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. 
| ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. | keyword | -| system.fsstat.count | Number of file systems found. | long | -| system.fsstat.total_files | Total number of files. | long | -| system.fsstat.total_size.free | Total free space. | long | -| system.fsstat.total_size.total | Total space (used plus free). | long | -| system.fsstat.total_size.used | Total used space. | long | - - -### Load - -The System `load` dataset provides load statistics. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- OpenBSD - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. 
| keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac address. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.full | Operating system name, including the version or code name. 
| keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. | keyword | -| system.load.1 | Load average for the last minute. | scaled_float | -| system.load.15 | Load average for the last 15 minutes. | scaled_float | -| system.load.5 | Load average for the last 5 minutes. | scaled_float | -| system.load.cores | The number of CPU cores present on the host. | long | -| system.load.norm.1 | Load for the last minute divided by the number of cores. | scaled_float | -| system.load.norm.15 | Load for the last 15 minutes divided by the number of cores. | scaled_float | -| system.load.norm.5 | Load for the last 5 minutes divided by the number of cores. | scaled_float | - - -### Memory - -The System `memory` dataset provides memory statistics. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- OpenBSD -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. 
| keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip address. | ip | -| host.mac | Host mac address. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). 
| keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| system.memory.actual.free | Actual free memory in bytes. It is calculated based on the OS. On Linux this value will be MemAvailable from /proc/meminfo, or calculated from free memory plus caches and buffers if /proc/meminfo is not available. On OSX it is a sum of free memory and the inactive memory. On Windows, it is equal to `system.memory.free`. | long | -| system.memory.actual.used.bytes | Actual used memory in bytes. It represents the difference between the total and the available memory. The available memory depends on the OS. For more details, please check `system.actual.free`. | long | -| system.memory.actual.used.pct | The percentage of actual used memory. | scaled_float | -| system.memory.free | The total amount of free memory in bytes. This value does not include memory consumed by system caches and buffers (see system.memory.actual.free). | long | -| system.memory.hugepages.default_size | Default size for huge pages. | long | -| system.memory.hugepages.free | Number of available huge pages in the pool. | long | -| system.memory.hugepages.reserved | Number of reserved but not allocated huge pages in the pool. | long | -| system.memory.hugepages.surplus | Number of overcommited huge pages. | long | -| system.memory.hugepages.swap.out.fallback | Count of huge pages that must be split before swapout | long | -| system.memory.hugepages.swap.out.pages | pages swapped out | long | -| system.memory.hugepages.total | Number of huge pages in the pool. | long | -| system.memory.hugepages.used.bytes | Memory used in allocated huge pages. | long | -| system.memory.hugepages.used.pct | Percentage of huge pages used. 
| long | -| system.memory.page_stats.direct_efficiency.pct | direct reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory. | scaled_float | -| system.memory.page_stats.kswapd_efficiency.pct | kswapd reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory. | scaled_float | -| system.memory.page_stats.pgfree.pages | pages freed by the system | long | -| system.memory.page_stats.pgscan_direct.pages | pages scanned directly | long | -| system.memory.page_stats.pgscan_kswapd.pages | pages scanned by kswapd | long | -| system.memory.page_stats.pgsteal_direct.pages | number of pages reclaimed directly | long | -| system.memory.page_stats.pgsteal_kswapd.pages | number of pages reclaimed by kswapd | long | -| system.memory.swap.free | Available swap memory. | long | -| system.memory.swap.in.pages | count of pages swapped in | long | -| system.memory.swap.out.pages | count of pages swapped out | long | -| system.memory.swap.readahead.cached | swap readahead cache hits | long | -| system.memory.swap.readahead.pages | swap readahead pages | long | -| system.memory.swap.total | Total swap memory. | long | -| system.memory.swap.used.bytes | Used swap memory. | long | -| system.memory.swap.used.pct | The percentage of used swap memory. | scaled_float | -| system.memory.total | Total memory. | long | -| system.memory.used.bytes | Used memory. | long | -| system.memory.used.pct | The percentage of used memory. | scaled_float | - - -### Network - -The System `network` dataset provides network IO metrics collected from the -operating system. One event is created for each network interface. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Date/time when the event originated. 
This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. 
For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.network.in.bytes | The number of bytes received on all network interfaces by the host in a given period of time. | scaled_float | -| host.network.in.packets | The number of packets received on all network interfaces by the host in a given period of time. | long | -| host.network.out.bytes | The number of bytes sent out on all network interfaces by the host in a given period of time. | scaled_float | -| host.network.out.packets | The number of packets sent out on all network interfaces by the host in a given period of time. | long | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.pid | Process id. | long | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| system.network.in.bytes | The number of bytes received. | long | -| system.network.in.dropped | The number of incoming packets that were dropped. | long | -| system.network.in.errors | The number of errors while receiving. | long | -| system.network.in.packets | The number or packets received. | long | -| system.network.name | The network interface name. | keyword | -| system.network.out.bytes | The number of bytes sent. | long | -| system.network.out.dropped | The number of outgoing packets that were dropped. This value is always 0 on Darwin and BSD because it is not reported by the operating system. | long | -| system.network.out.errors | The number of errors while sending. | long | -| system.network.out.packets | The number of packets sent. | long | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | - - -### Process - -The System `process` dataset provides process statistics. One document is -provided for each process. 
- -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. 
As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip address. | ip | -| host.mac | Host mac address. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| process.cpu.pct | The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 1. | scaled_float | -| process.cpu.start_time | The time when the process was started. | date | -| process.memory.pct | The percentage of memory the process occupied in main memory (RAM). | scaled_float | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.pgid | Identifier of the group of processes the process belongs to. | long | -| process.pid | Process id. | long | -| process.ppid | Parent process' pid. | long | -| process.state | The process state. For example: "running". 
| keyword | -| process.working_directory | The working directory of the process. | keyword | -| system.process.cgroup.blkio.id | ID of the cgroup. | keyword | -| system.process.cgroup.blkio.path | Path to the cgroup relative to the cgroup subsystems mountpoint. | keyword | -| system.process.cgroup.blkio.total.bytes | Total number of bytes transferred to and from all block devices by processes in the cgroup. | long | -| system.process.cgroup.blkio.total.ios | Total number of I/O operations performed on all devices by processes in the cgroup as seen by the throttling policy. | long | -| system.process.cgroup.cpu.cfs.period.us | Period of time in microseconds for how regularly a cgroup's access to CPU resources should be reallocated. | long | -| system.process.cgroup.cpu.cfs.quota.us | Total amount of time in microseconds for which all tasks in a cgroup can run during one period (as defined by cfs.period.us). | long | -| system.process.cgroup.cpu.cfs.shares | An integer value that specifies a relative share of CPU time available to the tasks in a cgroup. The value specified in the cpu.shares file must be 2 or higher. | long | -| system.process.cgroup.cpu.id | ID of the cgroup. | keyword | -| system.process.cgroup.cpu.path | Path to the cgroup relative to the cgroup subsystem's mountpoint. | keyword | -| system.process.cgroup.cpu.rt.period.us | Period of time in microseconds for how regularly a cgroup's access to CPU resources is reallocated. | long | -| system.process.cgroup.cpu.rt.runtime.us | Period of time in microseconds for the longest continuous period in which the tasks in a cgroup have access to CPU resources. | long | -| system.process.cgroup.cpu.stats.periods | Number of period intervals (as specified in cpu.cfs.period.us) that have elapsed. | long | -| system.process.cgroup.cpu.stats.throttled.ns | The total time duration (in nanoseconds) for which tasks in a cgroup have been throttled. 
| long | -| system.process.cgroup.cpu.stats.throttled.periods | Number of times tasks in a cgroup have been throttled (that is, not allowed to run because they have exhausted all of the available time as specified by their quota). | long | -| system.process.cgroup.cpuacct.id | ID of the cgroup. | keyword | -| system.process.cgroup.cpuacct.path | Path to the cgroup relative to the cgroup subsystem's mountpoint. | keyword | -| system.process.cgroup.cpuacct.percpu | CPU time (in nanoseconds) consumed on each CPU by all tasks in this cgroup. | object | -| system.process.cgroup.cpuacct.stats.system.ns | CPU time consumed by tasks in user (kernel) mode. | long | -| system.process.cgroup.cpuacct.stats.user.ns | CPU time consumed by tasks in user mode. | long | -| system.process.cgroup.cpuacct.total.ns | Total CPU time in nanoseconds consumed by all tasks in the cgroup. | long | -| system.process.cgroup.id | The ID common to all cgroups associated with this task. If there isn't a common ID used by all cgroups this field will be absent. | keyword | -| system.process.cgroup.memory.id | ID of the cgroup. | keyword | -| system.process.cgroup.memory.kmem.failures | The number of times that the memory limit (kmem.limit.bytes) was reached. | long | -| system.process.cgroup.memory.kmem.limit.bytes | The maximum amount of kernel memory that tasks in the cgroup are allowed to use. | long | -| system.process.cgroup.memory.kmem.usage.bytes | Total kernel memory usage by processes in the cgroup (in bytes). | long | -| system.process.cgroup.memory.kmem.usage.max.bytes | The maximum kernel memory used by processes in the cgroup (in bytes). | long | -| system.process.cgroup.memory.kmem_tcp.failures | The number of times that the memory limit (kmem_tcp.limit.bytes) was reached. | long | -| system.process.cgroup.memory.kmem_tcp.limit.bytes | The maximum amount of memory for TCP buffers that tasks in the cgroup are allowed to use. 
| long | -| system.process.cgroup.memory.kmem_tcp.usage.bytes | Total memory usage for TCP buffers in bytes. | long | -| system.process.cgroup.memory.kmem_tcp.usage.max.bytes | The maximum memory used for TCP buffers by processes in the cgroup (in bytes). | long | -| system.process.cgroup.memory.mem.failures | The number of times that the memory limit (mem.limit.bytes) was reached. | long | -| system.process.cgroup.memory.mem.limit.bytes | The maximum amount of user memory in bytes (including file cache) that tasks in the cgroup are allowed to use. | long | -| system.process.cgroup.memory.mem.usage.bytes | Total memory usage by processes in the cgroup (in bytes). | long | -| system.process.cgroup.memory.mem.usage.max.bytes | The maximum memory used by processes in the cgroup (in bytes). | long | -| system.process.cgroup.memory.memsw.failures | The number of times that the memory plus swap space limit (memsw.limit.bytes) was reached. | long | -| system.process.cgroup.memory.memsw.limit.bytes | The maximum amount for the sum of memory and swap usage that tasks in the cgroup are allowed to use. | long | -| system.process.cgroup.memory.memsw.usage.bytes | The sum of current memory usage plus swap space used by processes in the cgroup (in bytes). | long | -| system.process.cgroup.memory.memsw.usage.max.bytes | The maximum amount of memory and swap space used by processes in the cgroup (in bytes). | long | -| system.process.cgroup.memory.path | Path to the cgroup relative to the cgroup subsystem's mountpoint. | keyword | -| system.process.cgroup.memory.stats.active_anon.bytes | Anonymous and swap cache on active least-recently-used (LRU) list, including tmpfs (shmem), in bytes. | long | -| system.process.cgroup.memory.stats.active_file.bytes | File-backed memory on active LRU list, in bytes. | long | -| system.process.cgroup.memory.stats.cache.bytes | Page cache, including tmpfs (shmem), in bytes. 
| long | -| system.process.cgroup.memory.stats.hierarchical_memory_limit.bytes | Memory limit for the hierarchy that contains the memory cgroup, in bytes. | long | -| system.process.cgroup.memory.stats.hierarchical_memsw_limit.bytes | Memory plus swap limit for the hierarchy that contains the memory cgroup, in bytes. | long | -| system.process.cgroup.memory.stats.inactive_anon.bytes | Anonymous and swap cache on inactive LRU list, including tmpfs (shmem), in bytes | long | -| system.process.cgroup.memory.stats.inactive_file.bytes | File-backed memory on inactive LRU list, in bytes. | long | -| system.process.cgroup.memory.stats.major_page_faults | Number of times that a process in the cgroup triggered a major fault. "Major" faults happen when the kernel actually has to read the data from disk. | long | -| system.process.cgroup.memory.stats.mapped_file.bytes | Size of memory-mapped mapped files, including tmpfs (shmem), in bytes. | long | -| system.process.cgroup.memory.stats.page_faults | Number of times that a process in the cgroup triggered a page fault. | long | -| system.process.cgroup.memory.stats.pages_in | Number of pages paged into memory. This is a counter. | long | -| system.process.cgroup.memory.stats.pages_out | Number of pages paged out of memory. This is a counter. | long | -| system.process.cgroup.memory.stats.rss.bytes | Anonymous and swap cache (includes transparent hugepages), not including tmpfs (shmem), in bytes. | long | -| system.process.cgroup.memory.stats.rss_huge.bytes | Number of bytes of anonymous transparent hugepages. | long | -| system.process.cgroup.memory.stats.swap.bytes | Swap usage, in bytes. | long | -| system.process.cgroup.memory.stats.unevictable.bytes | Memory that cannot be reclaimed, in bytes. | long | -| system.process.cgroup.path | The path to the cgroup relative to the cgroup subsystem's mountpoint. If there isn't a common path used by all cgroups this field will be absent. 
| keyword | -| system.process.cmdline | The full command-line used to start the process, including the arguments separated by space. | keyword | -| system.process.cpu.start_time | The time when the process was started. | date | -| system.process.cpu.system.ticks | The amount of CPU time the process spent in kernel space. | long | -| system.process.cpu.total.norm.pct | The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 100%. | scaled_float | -| system.process.cpu.total.pct | The percentage of CPU time spent by the process since the last update. Its value is similar to the %CPU value of the process displayed by the top command on Unix systems. | scaled_float | -| system.process.cpu.total.ticks | The total CPU time spent by the process. | long | -| system.process.cpu.total.value | The value of CPU usage since starting the process. | long | -| system.process.cpu.user.ticks | The amount of CPU time the process spent in user space. | long | -| system.process.env | The environment variables used to start the process. The data is available on FreeBSD, Linux, and OS X. | object | -| system.process.fd.limit.hard | The hard limit on the number of file descriptors opened by the process. The hard limit can only be raised by root. | long | -| system.process.fd.limit.soft | The soft limit on the number of file descriptors opened by the process. The soft limit can be changed by the process at any time. | long | -| system.process.fd.open | The number of file descriptors open by the process. | long | -| system.process.memory.rss.bytes | The Resident Set Size. The amount of memory the process occupied in main memory (RAM). On Windows this represents the current working set size, in bytes. | long | -| system.process.memory.rss.pct | The percentage of memory the process occupied in main memory (RAM). | scaled_float | -| system.process.memory.share | The shared memory the process uses. 
| long | -| system.process.memory.size | The total virtual memory the process has. On Windows this represents the Commit Charge (the total amount of memory that the memory manager has committed for a running process) value in bytes for this process. | long | -| system.process.state | The process state. For example: "running". | keyword | -| user.name | Short name or login of the user. | keyword | - - -### Process summary - -The `process_summary` dataset collects high level statistics about the running -processes. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. 
| constant_keyword |
-| group.id | Unique identifier for the group on the system/platform. | keyword |
-| group.name | Name of the group. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. 
For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text |
-| process.name | Process name. Sometimes called program name or similar. | keyword |
-| process.pid | Process id. | long |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| system.process.summary.dead | Number of dead processes on this host. It's very unlikely that it will appear but in some special situations it may happen. | long |
-| system.process.summary.idle | Number of idle processes on this host. | long |
-| system.process.summary.running | Number of running processes on this host. | long |
-| system.process.summary.sleeping | Number of sleeping processes on this host. | long |
-| system.process.summary.stopped | Number of stopped processes on this host. | long |
-| system.process.summary.total | Total number of processes on this host. | long |
-| system.process.summary.unknown | Number of processes for which the state couldn't be retrieved or is unknown. | long |
-| system.process.summary.zombie | Number of zombie processes on this host. | long |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-
-
-### Socket summary
-
-The System `socket_summary` dataset provides the summary of open network
-sockets in the host system.
-
-It collects a summary of metrics with the count of existing TCP and UDP
-connections and the count of listening ports. 
-
-This dataset is available on:
-
-- FreeBSD
-- Linux
-- macOS
-- Windows
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| group.id | Unique identifier for the group on the system/platform. | keyword |
-| group.name | Name of the group. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. 
It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text |
-| process.name | Process name. Sometimes called program name or similar. | keyword |
-| process.pid | Process id. | long |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.location | Longitude and latitude. 
| geo_point |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| system.socket.summary.all.count | All open connections | integer |
-| system.socket.summary.all.listening | All listening ports | integer |
-| system.socket.summary.tcp.all.close_wait | Number of TCP connections in _close_wait_ state | integer |
-| system.socket.summary.tcp.all.closing | Number of TCP connections in _closing_ state | integer |
-| system.socket.summary.tcp.all.count | All open TCP connections | integer |
-| system.socket.summary.tcp.all.established | Number of established TCP connections | integer |
-| system.socket.summary.tcp.all.fin_wait1 | Number of TCP connections in _fin_wait1_ state | integer |
-| system.socket.summary.tcp.all.fin_wait2 | Number of TCP connections in _fin_wait2_ state | integer |
-| system.socket.summary.tcp.all.last_ack | Number of TCP connections in _last_ack_ state | integer |
-| system.socket.summary.tcp.all.listening | All TCP listening ports | integer |
-| system.socket.summary.tcp.all.orphan | A count of all orphaned tcp sockets. Only available on Linux. | integer |
-| system.socket.summary.tcp.all.syn_recv | Number of TCP connections in _syn_recv_ state | integer |
-| system.socket.summary.tcp.all.syn_sent | Number of TCP connections in _syn_sent_ state | integer |
-| system.socket.summary.tcp.all.time_wait | Number of TCP connections in _time_wait_ state | integer |
-| system.socket.summary.tcp.memory | Memory used by TCP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/tcp_mem. Only available on Linux. 
| integer |
-| system.socket.summary.udp.all.count | All open UDP connections | integer |
-| system.socket.summary.udp.memory | Memory used by UDP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/udp_mem. Only available on Linux. | integer |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-
-
-### Uptime
-
-The System `uptime` dataset provides the uptime of the host operating system.
-
-This dataset is available on:
-
-- Linux
-- macOS
-- OpenBSD
-- FreeBSD
-- Windows
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. 
| constant_keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| system.uptime.duration.ms | The OS uptime in milliseconds. | long |
-
-
-### Application
-
-The Windows `application` dataset provides events from the Windows
-`Application` event log. 
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| error.message | Error message. | text |
-| event.code | Identification code for this event. | keyword |
-| event.created | Time when the event was first read by an agent or by your pipeline. | date |
-| event.ingested | Timestamp when an event arrived in the central data store. | date |
-| event.original | Raw text message of entire event. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword |
-| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. 
In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword |
-| winlog.channel | The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. | keyword |
-| winlog.computer_name | The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. | keyword |
-| winlog.event_data | The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. | object |
-| winlog.event_data.AuthenticationPackageName | | keyword |
-| winlog.event_data.Binary | | keyword |
-| winlog.event_data.BitlockerUserInputTime | | keyword |
-| winlog.event_data.BootMode | | keyword |
-| winlog.event_data.BootType | | keyword |
-| winlog.event_data.BuildVersion | | keyword |
-| winlog.event_data.Company | | keyword |
-| winlog.event_data.CorruptionActionState | | keyword |
-| winlog.event_data.CreationUtcTime | | keyword |
-| winlog.event_data.Description | | keyword |
-| winlog.event_data.Detail | | keyword |
-| winlog.event_data.DeviceName | | keyword |
-| winlog.event_data.DeviceNameLength | | keyword |
-| winlog.event_data.DeviceTime | | keyword |
-| winlog.event_data.DeviceVersionMajor | | keyword |
-| winlog.event_data.DeviceVersionMinor | | keyword |
-| winlog.event_data.DriveName | | keyword |
-| winlog.event_data.DriverName | | keyword |
-| winlog.event_data.DriverNameLength | | keyword |
-| winlog.event_data.DwordVal | | keyword |
-| winlog.event_data.EntryCount | | keyword |
-| winlog.event_data.ExtraInfo | | keyword |
-| 
winlog.event_data.FailureName | | keyword |
-| winlog.event_data.FailureNameLength | | keyword |
-| winlog.event_data.FileVersion | | keyword |
-| winlog.event_data.FinalStatus | | keyword |
-| winlog.event_data.Group | | keyword |
-| winlog.event_data.IdleImplementation | | keyword |
-| winlog.event_data.IdleStateCount | | keyword |
-| winlog.event_data.ImpersonationLevel | | keyword |
-| winlog.event_data.IntegrityLevel | | keyword |
-| winlog.event_data.IpAddress | | keyword |
-| winlog.event_data.IpPort | | keyword |
-| winlog.event_data.KeyLength | | keyword |
-| winlog.event_data.LastBootGood | | keyword |
-| winlog.event_data.LastShutdownGood | | keyword |
-| winlog.event_data.LmPackageName | | keyword |
-| winlog.event_data.LogonGuid | | keyword |
-| winlog.event_data.LogonId | | keyword |
-| winlog.event_data.LogonProcessName | | keyword |
-| winlog.event_data.LogonType | | keyword |
-| winlog.event_data.MajorVersion | | keyword |
-| winlog.event_data.MaximumPerformancePercent | | keyword |
-| winlog.event_data.MemberName | | keyword |
-| winlog.event_data.MemberSid | | keyword |
-| winlog.event_data.MinimumPerformancePercent | | keyword |
-| winlog.event_data.MinimumThrottlePercent | | keyword |
-| winlog.event_data.MinorVersion | | keyword |
-| winlog.event_data.NewProcessId | | keyword |
-| winlog.event_data.NewProcessName | | keyword |
-| winlog.event_data.NewSchemeGuid | | keyword |
-| winlog.event_data.NewTime | | keyword |
-| winlog.event_data.NominalFrequency | | keyword |
-| winlog.event_data.Number | | keyword |
-| winlog.event_data.OldSchemeGuid | | keyword |
-| winlog.event_data.OldTime | | keyword |
-| winlog.event_data.OriginalFileName | | keyword |
-| winlog.event_data.Path | | keyword |
-| winlog.event_data.PerformanceImplementation | | keyword |
-| winlog.event_data.PreviousCreationUtcTime | | keyword |
-| winlog.event_data.PreviousTime | | keyword |
-| winlog.event_data.PrivilegeList | | keyword |
-| winlog.event_data.ProcessId | | 
keyword |
-| winlog.event_data.ProcessName | | keyword |
-| winlog.event_data.ProcessPath | | keyword |
-| winlog.event_data.ProcessPid | | keyword |
-| winlog.event_data.Product | | keyword |
-| winlog.event_data.PuaCount | | keyword |
-| winlog.event_data.PuaPolicyId | | keyword |
-| winlog.event_data.QfeVersion | | keyword |
-| winlog.event_data.Reason | | keyword |
-| winlog.event_data.SchemaVersion | | keyword |
-| winlog.event_data.ScriptBlockText | | keyword |
-| winlog.event_data.ServiceName | | keyword |
-| winlog.event_data.ServiceVersion | | keyword |
-| winlog.event_data.ShutdownActionType | | keyword |
-| winlog.event_data.ShutdownEventCode | | keyword |
-| winlog.event_data.ShutdownReason | | keyword |
-| winlog.event_data.Signature | | keyword |
-| winlog.event_data.SignatureStatus | | keyword |
-| winlog.event_data.Signed | | keyword |
-| winlog.event_data.StartTime | | keyword |
-| winlog.event_data.State | | keyword |
-| winlog.event_data.Status | | keyword |
-| winlog.event_data.StopTime | | keyword |
-| winlog.event_data.SubjectDomainName | | keyword |
-| winlog.event_data.SubjectLogonId | | keyword |
-| winlog.event_data.SubjectUserName | | keyword |
-| winlog.event_data.SubjectUserSid | | keyword |
-| winlog.event_data.TSId | | keyword |
-| winlog.event_data.TargetDomainName | | keyword |
-| winlog.event_data.TargetInfo | | keyword |
-| winlog.event_data.TargetLogonGuid | | keyword |
-| winlog.event_data.TargetLogonId | | keyword |
-| winlog.event_data.TargetServerName | | keyword |
-| winlog.event_data.TargetUserName | | keyword |
-| winlog.event_data.TargetUserSid | | keyword |
-| winlog.event_data.TerminalSessionId | | keyword |
-| winlog.event_data.TokenElevationType | | keyword |
-| winlog.event_data.TransmittedServices | | keyword |
-| winlog.event_data.UserSid | | keyword |
-| winlog.event_data.Version | | keyword |
-| winlog.event_data.Workstation | | keyword |
-| winlog.event_data.param1 | | keyword |
-| winlog.event_data.param2 | | 
keyword |
-| winlog.event_data.param3 | | keyword |
-| winlog.event_data.param4 | | keyword |
-| winlog.event_data.param5 | | keyword |
-| winlog.event_data.param6 | | keyword |
-| winlog.event_data.param7 | | keyword |
-| winlog.event_data.param8 | | keyword |
-| winlog.event_id | The event identifier. The value is specific to the source of the event. | keyword |
-| winlog.keywords | The keywords are used to classify an event. | keyword |
-| winlog.opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. | keyword |
-| winlog.process.pid | The process_id of the Client Server Runtime Process. | long |
-| winlog.process.thread.id | | long |
-| winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. | keyword |
-| winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword |
-| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | keyword |
-| winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. | keyword |
-| winlog.task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. | keyword |
-| winlog.user.domain | The domain that the account associated with this event is a member of. 
| keyword |
-| winlog.user.identifier | The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. | keyword |
-| winlog.user.name | Name of the user associated with this event. | keyword |
-| winlog.user.type | The type of account associated with this event. | keyword |
-| winlog.user_data | The event specific data. This field is mutually exclusive with `event_data`. | object |
-| winlog.version | The version number of the event's definition. | long |
-
-
-### System
-
-The Windows `system` dataset provides events from the Windows `System`
-event log.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. 
| keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| error.message | Error message. | text |
-| event.created | Time when the event was first read by an agent or by your pipeline. | date |
-| event.ingested | Timestamp when an event arrived in the central data store. | date |
-| event.original | Raw text message of entire event. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. 
| keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword |
-| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword |
-| winlog.channel | The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. | keyword |
-| winlog.computer_name | The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. | keyword |
-| winlog.event_data | The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. 
| object |
-| winlog.event_data.AuthenticationPackageName | | keyword |
-| winlog.event_data.Binary | | keyword |
-| winlog.event_data.BitlockerUserInputTime | | keyword |
-| winlog.event_data.BootMode | | keyword |
-| winlog.event_data.BootType | | keyword |
-| winlog.event_data.BuildVersion | | keyword |
-| winlog.event_data.Company | | keyword |
-| winlog.event_data.CorruptionActionState | | keyword |
-| winlog.event_data.CreationUtcTime | | keyword |
-| winlog.event_data.Description | | keyword |
-| winlog.event_data.Detail | | keyword |
-| winlog.event_data.DeviceName | | keyword |
-| winlog.event_data.DeviceNameLength | | keyword |
-| winlog.event_data.DeviceTime | | keyword |
-| winlog.event_data.DeviceVersionMajor | | keyword |
-| winlog.event_data.DeviceVersionMinor | | keyword |
-| winlog.event_data.DriveName | | keyword |
-| winlog.event_data.DriverName | | keyword |
-| winlog.event_data.DriverNameLength | | keyword |
-| winlog.event_data.DwordVal | | keyword |
-| winlog.event_data.EntryCount | | keyword |
-| winlog.event_data.ExtraInfo | | keyword |
-| winlog.event_data.FailureName | | keyword |
-| winlog.event_data.FailureNameLength | | keyword |
-| winlog.event_data.FileVersion | | keyword |
-| winlog.event_data.FinalStatus | | keyword |
-| winlog.event_data.Group | | keyword |
-| winlog.event_data.IdleImplementation | | keyword |
-| winlog.event_data.IdleStateCount | | keyword |
-| winlog.event_data.ImpersonationLevel | | keyword |
-| winlog.event_data.IntegrityLevel | | keyword |
-| winlog.event_data.IpAddress | | keyword |
-| winlog.event_data.IpPort | | keyword |
-| winlog.event_data.KeyLength | | keyword |
-| winlog.event_data.LastBootGood | | keyword |
-| winlog.event_data.LastShutdownGood | | keyword |
-| winlog.event_data.LmPackageName | | keyword |
-| winlog.event_data.LogonGuid | | keyword |
-| winlog.event_data.LogonId | | keyword |
-| winlog.event_data.LogonProcessName | | keyword |
-| winlog.event_data.LogonType | | keyword |
-| 
winlog.event_data.MajorVersion | | keyword | -| winlog.event_data.MaximumPerformancePercent | | keyword | -| winlog.event_data.MemberName | | keyword | -| winlog.event_data.MemberSid | | keyword | -| winlog.event_data.MinimumPerformancePercent | | keyword | -| winlog.event_data.MinimumThrottlePercent | | keyword | -| winlog.event_data.MinorVersion | | keyword | -| winlog.event_data.NewProcessId | | keyword | -| winlog.event_data.NewProcessName | | keyword | -| winlog.event_data.NewSchemeGuid | | keyword | -| winlog.event_data.NewTime | | keyword | -| winlog.event_data.NominalFrequency | | keyword | -| winlog.event_data.Number | | keyword | -| winlog.event_data.OldSchemeGuid | | keyword | -| winlog.event_data.OldTime | | keyword | -| winlog.event_data.OriginalFileName | | keyword | -| winlog.event_data.Path | | keyword | -| winlog.event_data.PerformanceImplementation | | keyword | -| winlog.event_data.PreviousCreationUtcTime | | keyword | -| winlog.event_data.PreviousTime | | keyword | -| winlog.event_data.PrivilegeList | | keyword | -| winlog.event_data.ProcessId | | keyword | -| winlog.event_data.ProcessName | | keyword | -| winlog.event_data.ProcessPath | | keyword | -| winlog.event_data.ProcessPid | | keyword | -| winlog.event_data.Product | | keyword | -| winlog.event_data.PuaCount | | keyword | -| winlog.event_data.PuaPolicyId | | keyword | -| winlog.event_data.QfeVersion | | keyword | -| winlog.event_data.Reason | | keyword | -| winlog.event_data.SchemaVersion | | keyword | -| winlog.event_data.ScriptBlockText | | keyword | -| winlog.event_data.ServiceName | | keyword | -| winlog.event_data.ServiceVersion | | keyword | -| winlog.event_data.ShutdownActionType | | keyword | -| winlog.event_data.ShutdownEventCode | | keyword | -| winlog.event_data.ShutdownReason | | keyword | -| winlog.event_data.Signature | | keyword | -| winlog.event_data.SignatureStatus | | keyword | -| winlog.event_data.Signed | | keyword | -| winlog.event_data.StartTime | | keyword | -| 
winlog.event_data.State | | keyword | -| winlog.event_data.Status | | keyword | -| winlog.event_data.StopTime | | keyword | -| winlog.event_data.SubjectDomainName | | keyword | -| winlog.event_data.SubjectLogonId | | keyword | -| winlog.event_data.SubjectUserName | | keyword | -| winlog.event_data.SubjectUserSid | | keyword | -| winlog.event_data.TSId | | keyword | -| winlog.event_data.TargetDomainName | | keyword | -| winlog.event_data.TargetInfo | | keyword | -| winlog.event_data.TargetLogonGuid | | keyword | -| winlog.event_data.TargetLogonId | | keyword | -| winlog.event_data.TargetServerName | | keyword | -| winlog.event_data.TargetUserName | | keyword | -| winlog.event_data.TargetUserSid | | keyword | -| winlog.event_data.TerminalSessionId | | keyword | -| winlog.event_data.TokenElevationType | | keyword | -| winlog.event_data.TransmittedServices | | keyword | -| winlog.event_data.UserSid | | keyword | -| winlog.event_data.Version | | keyword | -| winlog.event_data.Workstation | | keyword | -| winlog.event_data.param1 | | keyword | -| winlog.event_data.param2 | | keyword | -| winlog.event_data.param3 | | keyword | -| winlog.event_data.param4 | | keyword | -| winlog.event_data.param5 | | keyword | -| winlog.event_data.param6 | | keyword | -| winlog.event_data.param7 | | keyword | -| winlog.event_data.param8 | | keyword | -| winlog.event_id | The event identifier. The value is specific to the source of the event. | keyword | -| winlog.keywords | The keywords are used to classify an event. | keyword | -| winlog.opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. | keyword | -| winlog.process.pid | The process_id of the Client Server Runtime Process. | long | -| winlog.process.thread.id | | long | -| winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. 
| keyword | -| winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword | -| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | keyword | -| winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. | keyword | -| winlog.task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. | keyword | -| winlog.user.domain | The domain that the account associated with this event is a member of. | keyword | -| winlog.user.identifier | The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. | keyword | -| winlog.user.name | Name of the user associated with this event. | keyword | -| winlog.user.type | The type of account associated with this event. | keyword | -| winlog.user_data | The event specific data. This field is mutually exclusive with `event_data`. | object | -| winlog.version | The version number of the event's definition. | long | - - - -### Security - -The Windows `security` dataset provides events from the Windows -`Security` event log. 
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset name. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| dataset.name | Dataset name. | constant_keyword |
-| dataset.namespace | Dataset namespace. | constant_keyword |
-| dataset.type | Dataset type. | constant_keyword |
-| error.message | Error message. | text |
-| event.action | The action captured by the event. | keyword |
-| event.category | Event category. The second categorization field in the hierarchy. | keyword |
-| event.code | Identification code for this event. | keyword |
-| event.created | Time when the event was first read by an agent or by your pipeline. | date |
-| event.ingested | Timestamp when an event arrived in the central data store. | date |
-| event.module | Name of the module this data is coming from. | keyword |
-| event.outcome | The outcome of the event. The lowest level categorization field in the hierarchy. | keyword |
-| event.type | Event type. The third categorization field in the hierarchy. | keyword |
-| group.domain | Name of the directory the group is a member of. | keyword |
-| group.id | Unique identifier for the group on the system/platform. | keyword |
-| group.name | Name of the group. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| log.level | Log level of the log event. | keyword |
-| process.command_line | Full command line that started the process. | keyword |
-| process.executable | Absolute path to the process executable. | keyword |
-| process.name | Process name. | keyword |
-| process.parent.executable | Absolute path to the process executable. | keyword |
-| process.pid | Process id. | long |
-| related.user | All the user names seen on your event. | keyword |
-| service.name | Name of the service. | keyword |
-| service.type | The type of the service. | keyword |
-| source.domain | Source domain. | keyword |
-| source.ip | IP address of the source. | ip |
-| source.port | Port of the source. | long |
-| user.domain | Name of the directory the user is a member of. | keyword |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword |
-| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword |
-| winlog.channel | The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. | keyword |
-| winlog.computer_name | The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. | keyword |
-| winlog.event_data | The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. | object |
-| winlog.event_data.AuthenticationPackageName | | keyword |
-| winlog.event_data.Binary | | keyword |
-| winlog.event_data.BitlockerUserInputTime | | keyword |
-| winlog.event_data.BootMode | | keyword |
-| winlog.event_data.BootType | | keyword |
-| winlog.event_data.BuildVersion | | keyword |
-| winlog.event_data.Company | | keyword |
-| winlog.event_data.CorruptionActionState | | keyword |
-| winlog.event_data.CreationUtcTime | | keyword |
-| winlog.event_data.Description | | keyword |
-| winlog.event_data.Detail | | keyword |
-| winlog.event_data.DeviceName | | keyword |
-| winlog.event_data.DeviceNameLength | | keyword |
-| winlog.event_data.DeviceTime | | keyword |
-| winlog.event_data.DeviceVersionMajor | | keyword |
-| winlog.event_data.DeviceVersionMinor | | keyword |
-| winlog.event_data.DriveName | | keyword |
-| winlog.event_data.DriverName | | keyword |
-| winlog.event_data.DriverNameLength | | keyword |
-| winlog.event_data.DwordVal | | keyword |
-| winlog.event_data.EntryCount | | keyword |
-| winlog.event_data.ExtraInfo | | keyword |
-| winlog.event_data.FailureName | | keyword |
-| winlog.event_data.FailureNameLength | | keyword |
-| winlog.event_data.FileVersion | | keyword |
-| winlog.event_data.FinalStatus | | keyword |
-| winlog.event_data.Group | | keyword |
-| winlog.event_data.IdleImplementation | | keyword |
-| winlog.event_data.IdleStateCount | | keyword |
-| winlog.event_data.ImpersonationLevel | | keyword |
-| winlog.event_data.IntegrityLevel | | keyword |
-| winlog.event_data.IpAddress | | keyword |
-| winlog.event_data.IpPort | | keyword |
-| winlog.event_data.KeyLength | | keyword |
-| winlog.event_data.LastBootGood | | keyword |
-| winlog.event_data.LastShutdownGood | | keyword |
-| winlog.event_data.LmPackageName | | keyword |
-| winlog.event_data.LogonGuid | | keyword |
-| winlog.event_data.LogonId | | keyword |
-| winlog.event_data.LogonProcessName | | keyword |
-| winlog.event_data.LogonType | | keyword |
-| winlog.event_data.MajorVersion | | keyword |
-| winlog.event_data.MaximumPerformancePercent | | keyword |
-| winlog.event_data.MemberName | | keyword |
-| winlog.event_data.MemberSid | | keyword |
-| winlog.event_data.MinimumPerformancePercent | | keyword |
-| winlog.event_data.MinimumThrottlePercent | | keyword |
-| winlog.event_data.MinorVersion | | keyword |
-| winlog.event_data.NewProcessId | | keyword |
-| winlog.event_data.NewProcessName | | keyword |
-| winlog.event_data.NewSchemeGuid | | keyword |
-| winlog.event_data.NewTargetUserName | | keyword |
-| winlog.event_data.NewTime | | keyword |
-| winlog.event_data.NominalFrequency | | keyword |
-| winlog.event_data.Number | | keyword |
-| winlog.event_data.OldSchemeGuid | | keyword |
-| winlog.event_data.OldTargetUserName | | keyword |
-| winlog.event_data.OldTime | | keyword |
-| winlog.event_data.OriginalFileName | | keyword |
-| winlog.event_data.Path | | keyword |
-| winlog.event_data.PerformanceImplementation | | keyword |
-| winlog.event_data.PreviousCreationUtcTime | | keyword |
-| winlog.event_data.PreviousTime | | keyword |
-| winlog.event_data.PrivilegeList | | keyword |
-| winlog.event_data.ProcessId | | keyword |
-| winlog.event_data.ProcessName | | keyword |
-| winlog.event_data.ProcessPath | | keyword |
-| winlog.event_data.ProcessPid | | keyword |
-| winlog.event_data.Product | | keyword |
-| winlog.event_data.PuaCount | | keyword |
-| winlog.event_data.PuaPolicyId | | keyword |
-| winlog.event_data.QfeVersion | | keyword |
-| winlog.event_data.Reason | | keyword |
-| winlog.event_data.SchemaVersion | | keyword |
-| winlog.event_data.ScriptBlockText | | keyword |
-| winlog.event_data.ServiceName | | keyword |
-| winlog.event_data.ServiceVersion | | keyword |
-| winlog.event_data.ShutdownActionType | | keyword |
-| winlog.event_data.ShutdownEventCode | | keyword |
-| winlog.event_data.ShutdownReason | | keyword |
-| winlog.event_data.Signature | | keyword |
-| winlog.event_data.SignatureStatus | | keyword |
-| winlog.event_data.Signed | | keyword |
-| winlog.event_data.StartTime | | keyword |
-| winlog.event_data.State | | keyword |
-| winlog.event_data.Status | | keyword |
-| winlog.event_data.StopTime | | keyword |
-| winlog.event_data.SubjectDomainName | | keyword |
-| winlog.event_data.SubjectLogonId | | keyword |
-| winlog.event_data.SubjectUserName | | keyword |
-| winlog.event_data.SubjectUserSid | | keyword |
-| winlog.event_data.TSId | | keyword |
-| winlog.event_data.TargetDomainName | | keyword |
-| winlog.event_data.TargetInfo | | keyword |
-| winlog.event_data.TargetLogonGuid | | keyword |
-| winlog.event_data.TargetLogonId | | keyword |
-| winlog.event_data.TargetServerName | | keyword |
-| winlog.event_data.TargetUserName | | keyword |
-| winlog.event_data.TargetUserSid | | keyword |
-| winlog.event_data.TerminalSessionId | | keyword |
-| winlog.event_data.TokenElevationType | | keyword |
-| winlog.event_data.TransmittedServices | | keyword |
-| winlog.event_data.UserSid | | keyword |
-| winlog.event_data.Version | | keyword |
-| winlog.event_data.Workstation | | keyword |
-| winlog.event_data.param1 | | keyword |
-| winlog.event_data.param2 | | keyword |
-| winlog.event_data.param3 | | keyword |
-| winlog.event_data.param4 | | keyword |
-| winlog.event_data.param5 | | keyword |
-| winlog.event_data.param6 | | keyword |
-| winlog.event_data.param7 | | keyword |
-| winlog.event_data.param8 | | keyword |
-| winlog.event_id | The event identifier. The value is specific to the source of the event. | keyword |
-| winlog.keywords | The keywords are used to classify an event. | keyword |
-| winlog.logon.failure.reason | The reason the logon failed. | keyword |
-| winlog.logon.failure.status | The reason the logon failed. This is textual description based on the value of the hexadecimal `Status` field. | keyword |
-| winlog.logon.failure.sub_status | Additional information about the logon failure. This is a textual description based on the value of the hexidecimal `SubStatus` field. | keyword |
-| winlog.logon.id | Logon ID that can be used to associate this logon with other events related to the same logon session. | keyword |
-| winlog.logon.type | Logon type name. This is the descriptive version of the `winlog.event_data.LogonType` ordinal. This is an enrichment added by the Security module. | keyword |
-| winlog.opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. | keyword |
-| winlog.process.pid | The process_id of the Client Server Runtime Process. | long |
-| winlog.process.thread.id | | long |
-| winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. | keyword |
-| winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword |
-| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | keyword |
-| winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. | keyword |
-| winlog.task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. | keyword |
-| winlog.user.domain | The domain that the account associated with this event is a member of. | keyword |
-| winlog.user.identifier | The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. | keyword |
-| winlog.user.name | Name of the user associated with this event. | keyword |
-| winlog.user.type | The type of account associated with this event. | keyword |
-| winlog.user_data | The event specific data. This field is mutually exclusive with `event_data`. | object |
-| winlog.version | The version number of the event's definition. | long |
diff --git a/packages/system/0.10.7/img/kibana-system.png b/packages/system/0.10.7/img/kibana-system.png
deleted file mode 100644
index 8741a56624..0000000000
Binary files a/packages/system/0.10.7/img/kibana-system.png and /dev/null differ
diff --git a/packages/system/0.10.7/img/metricbeat_system_dashboard.png b/packages/system/0.10.7/img/metricbeat_system_dashboard.png
deleted file mode 100644
index 2ff6ad8bd0..0000000000
Binary files a/packages/system/0.10.7/img/metricbeat_system_dashboard.png and /dev/null differ
diff --git a/packages/system/0.10.7/img/system.svg b/packages/system/0.10.7/img/system.svg
deleted file mode 100644
index 0aba96275e..0000000000
--- a/packages/system/0.10.7/img/system.svg
+++ /dev/null
@@ -1 +0,0 @@
-
\ No newline at end of file
diff --git a/packages/system/0.10.7/kibana/dashboard/system-01c54730-fee6-11e9-8405-516218e3d268.json b/packages/system/0.10.7/kibana/dashboard/system-01c54730-fee6-11e9-8405-516218e3d268.json
deleted file mode 100644
index 9d68b58632..0000000000
--- a/packages/system/0.10.7/kibana/dashboard/system-01c54730-fee6-11e9-8405-516218e3d268.json
+++ /dev/null
@@ -1,129 +0,0 @@ -{ - "attributes": { - "description": "Group management activity with TSVB metrics.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":8,\"i\":\"22\",\"w\":17,\"x\":0,\"y\":0},\"panelIndex\":\"22\",\"panelRefName\":\"panel_0\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Creation Summary [Windows Security]\"},\"gridData\":{\"h\":13,\"i\":\"36\",\"w\":9,\"x\":0,\"y\":59},\"panelIndex\":\"36\",\"panelRefName\":\"panel_1\",\"title\":\"Group Creation Summary [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Changes Summary [Windows Security]\"},\"gridData\":{\"h\":13,\"i\":\"37\",\"w\":9,\"x\":9,\"y\":59},\"panelIndex\":\"37\",\"panelRefName\":\"panel_2\",\"title\":\"Group Changes Summary [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Deletion Summary [Windows Security]\"},\"gridData\":{\"h\":13,\"i\":\"38\",\"w\":9,\"x\":18,\"y\":59},\"panelIndex\":\"38\",\"panelRefName\":\"panel_3\",\"title\":\"Group Deletion Summary [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Users Added to Group Summary [Windows Security]\"},\"gridData\":{\"h\":14,\"i\":\"39\",\"w\":16,\"x\":0,\"y\":81},\"panelIndex\":\"39\",\"panelRefName\":\"panel_4\",\"title\":\"Users Added to Group Summary [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Users Removed From Group Summary [Windows Security]\"},\"gridData\":{\"h\":14,\"i\":\"40\",\"w\":17,\"x\":16,\"y\":81},\"panelIndex\":\"40\",\"panelRefName\":\"panel_5\",\"title\":\"Users Removed From Group Summary [Windows 
Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Membership Enumeration Summary [Windows Security]\"},\"gridData\":{\"h\":14,\"i\":\"42\",\"w\":15,\"x\":33,\"y\":81},\"panelIndex\":\"42\",\"panelRefName\":\"panel_6\",\"title\":\"Group Membership Enumeration Summary [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Details [Windows Security]\"},\"gridData\":{\"h\":22,\"i\":\"43\",\"w\":21,\"x\":27,\"y\":50},\"panelIndex\":\"43\",\"panelRefName\":\"panel_7\",\"title\":\"Logon Details [System Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"44\",\"w\":16,\"x\":0,\"y\":72},\"panelIndex\":\"44\",\"panelRefName\":\"panel_8\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"45\",\"w\":9,\"x\":18,\"y\":50},\"panelIndex\":\"45\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"46\",\"w\":9,\"x\":0,\"y\":50},\"panelIndex\":\"46\",\"panelRefName\":\"panel_10\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"47\",\"w\":9,\"x\":9,\"y\":50},\"panelIndex\":\"47\",\"panelRefName\":\"panel_11\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"48\",\"w\":17,\"x\":16,\"y\":72},\"panelIndex\":\"48\",\"panelRefName\":\"panel_12\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"49\",\"w\":15,\"x\":33,\"y\":72},\"panelIndex\":\"49\",\"panelRefName\":\"panel_13\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"51\",\"w\":48,\"x\":0,\"y\":95},\"panelIndex\":\"51\",\"panelRefName\":\"panel_14\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":8,\"i\":\"45614e1c-b2bb-4243-9a74-a4bdd0124c87\",\"w\":31,\"x\":17,\"y\":0},\"panelIndex\":\"45614e1c-b2bb-4243-9a74-a4bdd01
24c87\",\"panelRefName\":\"panel_15\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"88e75800-8125-4c9e-96b8-5c36f6e91664\",\"w\":9,\"x\":21,\"y\":8},\"panelIndex\":\"88e75800-8125-4c9e-96b8-5c36f6e91664\",\"panelRefName\":\"panel_16\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"4b793b8e-72d4-42a2-b377-1c70f0307414\",\"w\":18,\"x\":30,\"y\":8},\"panelIndex\":\"4b793b8e-72d4-42a2-b377-1c70f0307414\",\"panelRefName\":\"panel_17\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"vis\":null},\"gridData\":{\"h\":21,\"i\":\"82d229f9-44f4-4c4b-baf7-f9673a14c87f\",\"w\":26,\"x\":0,\"y\":29},\"panelIndex\":\"82d229f9-44f4-4c4b-baf7-f9673a14c87f\",\"panelRefName\":\"panel_18\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-group-account\":\"#1F78C1\",\"added-member-to-group\":\"#0A437C\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#0A50A1\",\"type-changed-group-account\":\"#82B5D8\",\"user-member-enumerated\":\"#2F575E\"},\"vis\":{\"colors\":{\"added-group-account\":\"#1F78C1\",\"added-member-to-group\":\"#0A437C\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#0A50A1\",\"removed-member-from-group\":\"#82B5D8\",\"type-changed-group-account\":\"#82B5D8\",\"user-member-enumerated\":\"#2F575E\"}}},\"gridData\":{\"h\":21,\"i\":\"f44255b0-d9a8-479f-be3f-829c1f6ed794\",\"w\":22,\"x\":26,\"y\":29},\"panelIndex\":\"f44255b0-d9a8-479f-be3f-829c1f6ed794\",\"panelRefName\":\"panel_19\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-group-account\":\"#0A50A1\",\"added-member-to-group\":\"#1F78C1\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#0A437C\",\"user-member-enumerated\":\"#052B51\"},\"vis\":{\"colors\":{\"added-group-account\":\"#0A50A1\",\"added-member-to-group\":\"#1F78C1\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#0A437C\",\"user-member-enumerated\":\"#2F575E\"}}},\"gridData\":{\"h\":
21,\"i\":\"9c42bff2-b295-4617-8d8c-455bd5948b66\",\"w\":21,\"x\":0,\"y\":8},\"panelIndex\":\"9c42bff2-b295-4617-8d8c-455bd5948b66\",\"panelRefName\":\"panel_20\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[System Windows Security] Group Management Events - Simple Metrics", - "version": 1 - }, - "id": "windows-01c54730-fee6-11e9-8405-516218e3d268", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-6f0f2ea0-f414-11e9-8405-516218e3d268", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-98884120-f49d-11e9-8405-516218e3d268", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-9e534190-f49d-11e9-8405-516218e3d268", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-bb9cf7a0-f49d-11e9-8405-516218e3d268", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-ce867840-f49e-11e9-8405-516218e3d268", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-fee83900-f49f-11e9-8405-516218e3d268", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-bc165210-f4b8-11e9-8405-516218e3d268", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "windows-7e178c80-fee1-11e9-8405-516218e3d268", - "name": "panel_7", - "type": "search" - }, - { - "id": "windows-a13bf640-fee8-11e9-8405-516218e3d268", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-5eeaafd0-fee7-11e9-8405-516218e3d268", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-f42f3b20-fee6-11e9-8405-516218e3d268", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "windows-b5f38780-fee6-11e9-8405-516218e3d268", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "windows-1b5f17d0-feea-11e9-8405-516218e3d268", - "name": "panel_12", - "type": "visualization" - }, - { - "id": "windows-0f2f5280-feeb-11e9-8405-516218e3d268", - "name": 
"panel_13",
- "type": "visualization"
- },
- {
- "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268",
- "name": "panel_14",
- "type": "search"
- },
- {
- "id": "windows-d770b040-9b35-11ea-87e4-49f31ec44891",
- "name": "panel_15",
- "type": "visualization"
- },
- {
- "id": "windows-33462600-9b47-11ea-87e4-49f31ec44891",
- "name": "panel_16",
- "type": "visualization"
- },
- {
- "id": "windows-58fb9480-9b46-11ea-87e4-49f31ec44891",
- "name": "panel_17",
- "type": "visualization"
- },
- {
- "id": "windows-e20c02d0-9b48-11ea-87e4-49f31ec44891",
- "name": "panel_18",
- "type": "visualization"
- },
- {
- "id": "windows-7de2e3f0-9b4d-11ea-87e4-49f31ec44891",
- "name": "panel_19",
- "type": "visualization"
- },
- {
- "id": "windows-b89b0c90-9b41-11ea-87e4-49f31ec44891",
- "name": "panel_20",
- "type": "visualization"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.7/kibana/dashboard/system-035846a0-a249-11e9-a422-d144027429da.json b/packages/system/0.10.7/kibana/dashboard/system-035846a0-a249-11e9-a422-d144027429da.json
deleted file mode 100644
index 7da98e0bb3..0000000000
--- a/packages/system/0.10.7/kibana/dashboard/system-035846a0-a249-11e9-a422-d144027429da.json
+++ /dev/null
@@ -1,89 +0,0 @@ -{ - "attributes": { - "description": "User logon activity dashboard with TSVB metrics.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"Sesiones Usuarios Admin\"},\"gridData\":{\"h\":28,\"i\":\"1\",\"w\":18,\"x\":0,\"y\":38},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"title\":\"Sesiones Usuarios Admin\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":13,\"i\":\"2\",\"w\":9,\"x\":0,\"y\":6},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Usuarios Adm\"},\"gridData\":{\"h\":19,\"i\":\"3\",\"w\":18,\"x\":0,\"y\":19},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"title\":\"Usuarios Adm\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":6,\"i\":\"4\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Network Logon Details\"},\"gridData\":{\"h\":27,\"i\":\"10\",\"w\":22,\"x\":0,\"y\":66},\"panelIndex\":\"10\",\"panelRefName\":\"panel_4\",\"title\":\"Network Logon Details\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":6,\"i\":\"08245e0c-6afe-43ea-ba5f-76c3b17301fd\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"08245e0c-6afe-43ea-ba5f-76c3b17301fd\",\"panelRefName\":\"panel_5\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":13,\"i\":\"f403fdcc-6588-4573-a949-9e661783a2b8\",\"w\":9,\"x\":9,\"y\":6},\"panelIndex\":\"f403fdcc-6588-4573-a949-9e661783a2b8\",\"panelRefName\":\"panel_6\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Events 
Timeline\"},\"gridData\":{\"h\":13,\"i\":\"51a9affa-8e96-42bd-98e9-80531bdefc53\",\"w\":30,\"x\":18,\"y\":6},\"panelIndex\":\"51a9affa-8e96-42bd-98e9-80531bdefc53\",\"panelRefName\":\"panel_7\",\"title\":\"Logon Events Timeline\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Types\"},\"gridData\":{\"h\":19,\"i\":\"bbdca4de-11c5-4957-a74c-73769416a562\",\"w\":12,\"x\":18,\"y\":19},\"panelIndex\":\"bbdca4de-11c5-4957-a74c-73769416a562\",\"panelRefName\":\"panel_8\",\"title\":\"Logon Types\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"4df66ae6-e047-47c7-b1a9-b15221eb9d90\",\"w\":18,\"x\":30,\"y\":19},\"panelIndex\":\"4df66ae6-e047-47c7-b1a9-b15221eb9d90\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"RDP Reconnections and Desconnections\"},\"gridData\":{\"h\":28,\"i\":\"454bb008-9720-455e-8ab9-b2f47d25aa4f\",\"w\":19,\"x\":18,\"y\":38},\"panelIndex\":\"454bb008-9720-455e-8ab9-b2f47d25aa4f\",\"panelRefName\":\"panel_10\",\"title\":\"RDP Reconnections and Desconnections\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":28,\"i\":\"baec73e7-7166-4577-9483-1252bdd8773c\",\"w\":11,\"x\":37,\"y\":38},\"panelIndex\":\"baec73e7-7166-4577-9483-1252bdd8773c\",\"panelRefName\":\"panel_11\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logout Details\"},\"gridData\":{\"h\":27,\"i\":\"28115147-8399-4fcd-95ce-ed0a4f4239e3\",\"w\":26,\"x\":22,\"y\":66},\"panelIndex\":\"28115147-8399-4fcd-95ce-ed0a4f4239e3\",\"panelRefName\":\"panel_12\",\"title\":\"Logout Details\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[System Windows Security] User Logons - Simple Metrics", - "version": 1 - }, - "id": "windows-035846a0-a249-11e9-a422-d144027429da", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-804dd400-a248-11e9-a422-d144027429da", - "name": "panel_0", - "type": 
"visualization" - }, - { - "id": "windows-5bb93ed0-a249-11e9-a422-d144027429da", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-e2516c10-a249-11e9-a422-d144027429da", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-18348f30-a24d-11e9-a422-d144027429da", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-ce71c9a0-a25e-11e9-a422-d144027429da", - "name": "panel_4", - "type": "search" - }, - { - "id": "windows-d770b040-9b35-11ea-87e4-49f31ec44891", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-2c71e0f0-9c0d-11ea-87e4-49f31ec44891", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "windows-abd44840-9c0f-11ea-87e4-49f31ec44891", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "windows-006d75f0-9c03-11ea-87e4-49f31ec44891", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-21aadac0-9c0b-11ea-87e4-49f31ec44891", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3", - "name": "panel_10", - "type": "search" - }, - { - "id": "windows-25f31ee0-9c23-11ea-87e4-49f31ec44891", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "windows-06b6b060-7a80-11ea-bc9a-0baf2ca323a3", - "name": "panel_12", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab.json b/packages/system/0.10.7/kibana/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab.json deleted file mode 100644 index 8814d936cf..0000000000 --- a/packages/system/0.10.7/kibana/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab.json +++ /dev/null 
@@ -1,53 +0,0 @@ -{ - "attributes": { - "description": "New users and groups dashboard for the System integration in Logs", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":12,\"i\":\"1\",\"w\":24,\"x\":0,\"y\":4},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"2\",\"w\":24,\"x\":24,\"y\":4},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":16},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"4\",\"w\":24,\"x\":24,\"y\":16},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":12,\"i\":\"5\",\"w\":24,\"x\":0,\"y\":28},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"6\",\"w\":24,\"x\":24,\"y\":28},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"7\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Logs System] New users and groups", - "version": 1 - }, - "id": "system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab", - "references": [ - { - "id": "system-f398d2f0-fa77-11e6-ae9b-81e5311e8cab", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-5dd15c00-fa78-11e6-ae9b-81e5311e8cab", - "name": "panel_1", - "type": 
"visualization" - }, - { - "id": "system-e121b140-fa78-11e6-a1df-a78bd7504d38", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "system-d56ee420-fa79-11e6-a1df-a78bd7504d38", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "system-12667040-fa80-11e6-a1df-a78bd7504d38", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "system-346bb290-fa80-11e6-a1df-a78bd7504d38", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "system-327417e0-8462-11e7-bab8-bd2f0fb42c54", - "name": "panel_6", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a.json b/packages/system/0.10.7/kibana/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a.json deleted file mode 100644 index 7c1b819642..0000000000 --- a/packages/system/0.10.7/kibana/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "description": "Sudo commands dashboard from the Logs System integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"2\",\"w\":48,\"x\":0,\"y\":36},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":16,\"i\":\"3\",\"w\":48,\"x\":0,\"y\":4},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"4\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Logs System] Sudo commands", - "version": 1 - }, - "id": "system-277876d0-fa2c-11e6-bbd3-29c986c96e5a", - "references": [ - { - "id": "system-5c7af030-fa2a-11e6-bbd3-29c986c96e5a", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-51164310-fa2b-11e6-bbd3-29c986c96e5a", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "system-dc589770-fa2b-11e6-bbd3-29c986c96e5a", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "system-327417e0-8462-11e7-bab8-bd2f0fb42c54", - "name": "panel_3", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a.json b/packages/system/0.10.7/kibana/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a.json deleted file mode 100644 index 34f78d0da6..0000000000 
--- a/packages/system/0.10.7/kibana/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a.json +++ /dev/null 
@@ -1,48 +0,0 @@ -{ - "attributes": { - "description": "SSH dashboard for the System integration in Logs", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":16},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"2\",\"w\":48,\"x\":0,\"y\":4},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":28},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"mapBounds\":{\"bottom_right\":{\"lat\":10.31491928581316,\"lon\":74.53125},\"top_left\":{\"lat\":60.50052541051131,\"lon\":-27.94921875}},\"mapCenter\":[39.774769485295465,23.203125],\"mapCollar\":{\"bottom_right\":{\"lat\":-14.777884999999998,\"lon\":125.771485},\"top_left\":{\"lat\":85.593335,\"lon\":-79.189455},\"zoom\":3},\"mapZoom\":3},\"gridData\":{\"h\":16,\"i\":\"4\",\"w\":24,\"x\":24,\"y\":28},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"columns\":[\"system.auth.ssh.event\",\"system.auth.ssh.method\",\"user.name\",\"source.ip\",\"source.geo.country_iso_code\"],\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"h\":12,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":44},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"6\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Logs System] SSH login attempts", - "version": 1 - }, - "id": "system-5517a150-f9ce-11e6-8115-a7c18106d86a", - "references": [ - { - "id": 
"system-d16bb400-f9cc-11e6-8115-a7c18106d86a", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-78b74f30-f9cd-11e6-8115-a7c18106d86a", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "system-341ffe70-f9ce-11e6-8115-a7c18106d86a", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "system-3cec3eb0-f9d3-11e6-8a3e-2b904044ea1d", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "system-62439dc0-f9c9-11e6-a747-6121780e0414", - "name": "panel_4", - "type": "search" - }, - { - "id": "system-327417e0-8462-11e7-bab8-bd2f0fb42c54", - "name": "panel_5", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/dashboard/system-71f720f0-ff18-11e9-8405-516218e3d268.json b/packages/system/0.10.7/kibana/dashboard/system-71f720f0-ff18-11e9-8405-516218e3d268.json deleted file mode 100644 index 540e92afa8..0000000000 --- a/packages/system/0.10.7/kibana/dashboard/system-71f720f0-ff18-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,159 +0,0 @@ -{ - "attributes": { - "description": "User management activity.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":8,\"i\":\"1\",\"w\":17,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Created Users [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"3\",\"w\":9,\"x\":0,\"y\":56},\"panelIndex\":\"3\",\"panelRefName\":\"panel_1\",\"title\":\"Created Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Enabled Users [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"5\",\"w\":9,\"x\":9,\"y\":56},\"panelIndex\":\"5\",\"panelRefName\":\"panel_2\",\"title\":\"Enabled Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Disabled Users [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"6\",\"w\":9,\"x\":0,\"y\":79},\"panelIndex\":\"6\",\"panelRefName\":\"panel_3\",\"title\":\"Disabled Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Deleted Users [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"7\",\"w\":9,\"x\":18,\"y\":56},\"panelIndex\":\"7\",\"panelRefName\":\"panel_4\",\"title\":\"Deleted Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Passwords Changes [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"9\",\"w\":9,\"x\":18,\"y\":79},\"panelIndex\":\"9\",\"panelRefName\":\"panel_5\",\"title\":\"Passwords Changes [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Unlocked Users [Windows 
Security]\"},\"gridData\":{\"h\":16,\"i\":\"15\",\"w\":9,\"x\":9,\"y\":79},\"panelIndex\":\"15\",\"panelRefName\":\"panel_6\",\"title\":\"Unlocked Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Users Changes [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"16\",\"w\":9,\"x\":18,\"y\":102},\"panelIndex\":\"16\",\"panelRefName\":\"panel_7\",\"title\":\"Users Changes [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Locked-out Users [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"20\",\"w\":9,\"x\":0,\"y\":102},\"panelIndex\":\"20\",\"panelRefName\":\"panel_8\",\"title\":\"Locked-out Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":46,\"i\":\"22\",\"w\":21,\"x\":27,\"y\":72},\"panelIndex\":\"22\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"23\",\"w\":48,\"x\":0,\"y\":118},\"panelIndex\":\"23\",\"panelRefName\":\"panel_10\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"24\",\"w\":9,\"x\":0,\"y\":72},\"panelIndex\":\"24\",\"panelRefName\":\"panel_11\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"25\",\"w\":9,\"x\":9,\"y\":49},\"panelIndex\":\"25\",\"panelRefName\":\"panel_12\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"26\",\"w\":9,\"x\":18,\"y\":49},\"panelIndex\":\"26\",\"panelRefName\":\"panel_13\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"27\",\"w\":9,\"x\":0,\"y\":49},\"panelIndex\":\"27\",\"panelRefName\":\"panel_14\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"28\",\"w\":9,\"x\":9,\"y\":72},\"panelIndex\":\"28\",\"panelRefName\":\"panel_15\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"29\",\"w\":9,\
"x\":18,\"y\":72},\"panelIndex\":\"29\",\"panelRefName\":\"panel_16\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"30\",\"w\":9,\"x\":0,\"y\":95},\"panelIndex\":\"30\",\"panelRefName\":\"panel_17\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"31\",\"w\":9,\"x\":18,\"y\":95},\"panelIndex\":\"31\",\"panelRefName\":\"panel_18\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"32\",\"w\":9,\"x\":9,\"y\":95},\"panelIndex\":\"32\",\"panelRefName\":\"panel_19\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"33\",\"w\":9,\"x\":9,\"y\":102},\"panelIndex\":\"33\",\"panelRefName\":\"panel_20\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":8,\"i\":\"cf0adfac-7cf2-479d-8ddb-1edeee62d37c\",\"w\":31,\"x\":17,\"y\":0},\"panelIndex\":\"cf0adfac-7cf2-479d-8ddb-1edeee62d37c\",\"panelRefName\":\"panel_21\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-user-account\":\"#447EBC\",\"deleted-user-account\":\"#82B5D8\",\"disabled-user-account\":\"#82B5D8\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#2F575E\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\"},\"vis\":{\"colors\":{\"added-user-account\":\"#447EBC\",\"deleted-user-account\":\"#82B5D8\",\"disabled-user-account\":\"#82B5D8\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#2F575E\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\",\"unlocked-user-account\":\"#64B0C8\"}}},\"gridData\":{\"h\":16,\"i\":\"a2871661-98a8-489b-b615-e66ebe3b971a\",\"w\":17,\"x\":0,\"y\":8},\"panelIndex\":\"a2871661-98a8-489b-b615-e66ebe3b971a\",\"panelRefName\":\"panel_22\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"e80fae4a-6087-41e1-b4b9-31802cb1e4bf\",\"w\":18,\"x\":30,\"y\":8},\"panelIndex\":\"e80fae4a-6087-41e1-b4b9-31
802cb1e4bf\",\"panelRefName\":\"panel_23\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"dd3e12e6-0d3c-448e-b0c4-91f7dc8742b6\",\"w\":13,\"x\":17,\"y\":8},\"panelIndex\":\"dd3e12e6-0d3c-448e-b0c4-91f7dc8742b6\",\"panelRefName\":\"panel_24\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Actions performed over Users [Windows Security]\",\"vis\":null},\"gridData\":{\"h\":25,\"i\":\"29f54335-78db-4c49-a3e0-a641fd0099f6\",\"w\":48,\"x\":0,\"y\":24},\"panelIndex\":\"29f54335-78db-4c49-a3e0-a641fd0099f6\",\"panelRefName\":\"panel_25\",\"title\":\"Actions performed over Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-user-account\":\"#0A437C\",\"deleted-user-account\":\"#5195CE\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#052B51\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\"},\"vis\":{\"colors\":{\"added-user-account\":\"#0A437C\",\"deleted-user-account\":\"#5195CE\",\"disabled-user-account\":\"#82B5D8\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#052B51\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\"}}},\"gridData\":{\"h\":23,\"i\":\"1ec8b993-9ac1-4c7f-b7f7-5136f2e310aa\",\"w\":21,\"x\":27,\"y\":49},\"panelIndex\":\"1ec8b993-9ac1-4c7f-b7f7-5136f2e310aa\",\"panelRefName\":\"panel_26\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[System Windows Security] User Management Events", - "version": 1 - }, - "id": "windows-71f720f0-ff18-11e9-8405-516218e3d268", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf", - "name": "panel_2", - "type": 
"visualization" - }, - { - "id": "windows-8f20c950-bcd4-11e9-b6a2-c9b4015c4baf", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-da2110c0-bcea-11e9-b6a2-c9b4015c4baf", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "windows-abf96c10-bcea-11e9-b6a2-c9b4015c4baf", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "windows-4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-7e178c80-fee1-11e9-8405-516218e3d268", - "name": "panel_9", - "type": "search" - }, - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "panel_10", - "type": "search" - }, - { - "id": "windows-97c70300-ff1c-11e9-8405-516218e3d268", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "windows-bf45dc50-ff1a-11e9-8405-516218e3d268", - "name": "panel_12", - "type": "visualization" - }, - { - "id": "windows-7322f9f0-ff1c-11e9-8405-516218e3d268", - "name": "panel_13", - "type": "visualization" - }, - { - "id": "windows-d3a5fec0-ff18-11e9-8405-516218e3d268", - "name": "panel_14", - "type": "visualization" - }, - { - "id": "windows-1b6725f0-ff1d-11e9-8405-516218e3d268", - "name": "panel_15", - "type": "visualization" - }, - { - "id": "windows-60301890-ff1d-11e9-8405-516218e3d268", - "name": "panel_16", - "type": "visualization" - }, - { - "id": "windows-9dd22440-ff1d-11e9-8405-516218e3d268", - "name": "panel_17", - "type": "visualization" - }, - { - "id": "windows-c9d959f0-ff1d-11e9-8405-516218e3d268", - "name": "panel_18", - "type": "visualization" - }, - { - "id": "windows-1f271bc0-231a-11ea-8405-516218e3d268", - "name": "panel_19", - "type": "visualization" - }, - { - "id": "windows-fa876300-231a-11ea-8405-516218e3d268", - "name": 
"panel_20", - "type": "visualization" - }, - { - "id": "windows-a3c3f350-9b6d-11ea-87e4-49f31ec44891", - "name": "panel_21", - "type": "visualization" - }, - { - "id": "windows-26877510-9b72-11ea-87e4-49f31ec44891", - "name": "panel_22", - "type": "visualization" - }, - { - "id": "windows-117f5a30-9b71-11ea-87e4-49f31ec44891", - "name": "panel_23", - "type": "visualization" - }, - { - "id": "windows-5c9ee410-9b74-11ea-87e4-49f31ec44891", - "name": "panel_24", - "type": "visualization" - }, - { - "id": "windows-aa31c9d0-9b75-11ea-87e4-49f31ec44891", - "name": "panel_25", - "type": "visualization" - }, - { - "id": "windows-caf4d2b0-9b76-11ea-87e4-49f31ec44891", - "name": "panel_26", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8.json b/packages/system/0.10.7/kibana/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8.json deleted file mode 100644 index 4dba98af12..0000000000 --- a/packages/system/0.10.7/kibana/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8.json +++ /dev/null 
@@ -1,133 +0,0 @@ -{ - "attributes": { - "description": "Overview of host metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"1\",\"w\":24,\"x\":0,\"y\":55},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"2\",\"w\":24,\"x\":24,\"y\":25},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"3\",\"w\":24,\"x\":24,\"y\":55},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"4\",\"w\":24,\"x\":0,\"y\":40},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":70},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":24,\"x\":0,\"y\":70},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"7\",\"w\":24,\"x\":0,\"y\":25},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"8\",\"w\":24,\"x\":24,\"y\":40},\"panelIndex\":\"8\",\"panelRefName\":\"panel_7\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"9\",\"w\":8,\"x\":16,\"y\":5},\"panelIndex\":\"9\",\"panelRefName\":\"panel_8\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"10\",\"w\":8,\"x\":0,\"y\":5},\"panelIndex\":\"10\",\"panelRefName\":\"panel_9\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"11\",\"w\":8,\"x\":8,
\"y\":5},\"panelIndex\":\"11\",\"panelRefName\":\"panel_10\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"12\",\"w\":8,\"x\":24,\"y\":5},\"panelIndex\":\"12\",\"panelRefName\":\"panel_11\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"13\",\"w\":8,\"x\":32,\"y\":5},\"panelIndex\":\"13\",\"panelRefName\":\"panel_12\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"14\",\"w\":16,\"x\":32,\"y\":15},\"panelIndex\":\"14\",\"panelRefName\":\"panel_13\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":5,\"i\":\"16\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"16\",\"panelRefName\":\"panel_14\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"21\",\"w\":8,\"x\":0,\"y\":15},\"panelIndex\":\"21\",\"panelRefName\":\"panel_15\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"22\",\"w\":8,\"x\":8,\"y\":15},\"panelIndex\":\"22\",\"panelRefName\":\"panel_16\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"23\",\"w\":8,\"x\":24,\"y\":15},\"panelIndex\":\"23\",\"panelRefName\":\"panel_17\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"25\",\"w\":8,\"x\":40,\"y\":5},\"panelIndex\":\"25\",\"panelRefName\":\"panel_18\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"27\",\"w\":24,\"x\":0,\"y\":85},\"panelIndex\":\"27\",\"panelRefName\":\"panel_19\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"28\",\"w\":24,\"x\":24,\"y\":85},\"panelIndex\":\"28\",\"panelRefName\":\"panel_20\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":10,\"i\":\"29\",\"w\":8,\"x\":16,\"y\":15},\"panelIndex\":\"29\",\"panelRefName\":\"panel_21\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":5,\"i\":\"30\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"30\",\"panelRefName\":\"panel_22\",\"version\":\"7.6.0\"}]", - "timeRestore": false, - "title": "[Metrics System] Host overview", - "version": 1 - }, - "id": "system-79ffd6e0-faa0-11e6-947f-177f697178b8", - "references": [ - { - "id": "system-6b7b9a40-faa1-11e6-86b1-cd7735ff7e23", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-4d546850-1b15-11e7-b09e-037021c4f8df", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "system-089b85d0-1b16-11e7-b09e-037021c4f8df", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "system-bfa5e400-1b16-11e7-b09e-037021c4f8df", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "system-e0f001c0-1b18-11e7-b09e-037021c4f8df", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "system-2e224660-1b19-11e7-b09e-037021c4f8df", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "system-ab2d1e90-1b1a-11e7-b09e-037021c4f8df", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "system-4e4bb1e0-1b1b-11e7-b09e-037021c4f8df", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "system-26732e20-1b91-11e7-bec4-a5e9ec5cab8b", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "system-1aae9140-1b93-11e7-8ada-3df93aab833e", - "name": "panel_12", - "type": "visualization" - }, - { - "id": "system-34f97ee0-1b96-11e7-8ada-3df93aab833e", - 
"name": "panel_13", - "type": "visualization" - }, - { - "id": "system-Navigation", - "name": "panel_14", - "type": "visualization" - }, - { - "id": "system-19e123b0-4d5a-11e7-aee5-fdc812cc3bec", - "name": "panel_15", - "type": "visualization" - }, - { - "id": "system-d2e80340-4d5c-11e7-aa29-87a97a796de6", - "name": "panel_16", - "type": "visualization" - }, - { - "id": "system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32", - "name": "panel_17", - "type": "visualization" - }, - { - "id": "system-96976150-4d5d-11e7-aa29-87a97a796de6", - "name": "panel_18", - "type": "visualization" - }, - { - "id": "system-99381c80-4d60-11e7-9a4c-ed99bbcaa42b", - "name": "panel_19", - "type": "visualization" - }, - { - "id": "system-c5e3cf90-4d60-11e7-9a4c-ed99bbcaa42b", - "name": "panel_20", - "type": "visualization" - }, - { - "id": "system-590a60f0-5d87-11e7-8884-1bb4c3b890e4", - "name": "panel_21", - "type": "visualization" - }, - { - "id": "system-3d65d450-a9c3-11e7-af20-67db8aecb295", - "name": "panel_22", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/dashboard/system-8223bed0-b9e9-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.7/kibana/dashboard/system-8223bed0-b9e9-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 3b84253869..0000000000 --- a/packages/system/0.10.7/kibana/dashboard/system-8223bed0-b9e9-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,159 +0,0 @@ -{ - "attributes": { - "description": "User management activity with TSVB metrics.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"1\",\"w\":17,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Created Users [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"3\",\"w\":9,\"x\":0,\"y\":55},\"panelIndex\":\"3\",\"panelRefName\":\"panel_1\",\"title\":\"Created Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Enabled Users [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"5\",\"w\":9,\"x\":9,\"y\":55},\"panelIndex\":\"5\",\"panelRefName\":\"panel_2\",\"title\":\"Enabled Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Disabled Users [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"6\",\"w\":9,\"x\":0,\"y\":80},\"panelIndex\":\"6\",\"panelRefName\":\"panel_3\",\"title\":\"Disabled Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Deleted Users [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"7\",\"w\":9,\"x\":18,\"y\":55},\"panelIndex\":\"7\",\"panelRefName\":\"panel_4\",\"title\":\"Deleted Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Passwords Changes [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"9\",\"w\":9,\"x\":18,\"y\":80},\"panelIndex\":\"9\",\"panelRefName\":\"panel_5\",\"title\":\"Passwords Changes [Windows 
Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"10\",\"w\":9,\"x\":0,\"y\":46},\"panelIndex\":\"10\",\"panelRefName\":\"panel_6\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"11\",\"w\":9,\"x\":9,\"y\":46},\"panelIndex\":\"11\",\"panelRefName\":\"panel_7\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"12\",\"w\":9,\"x\":18,\"y\":46},\"panelIndex\":\"12\",\"panelRefName\":\"panel_8\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"13\",\"w\":9,\"x\":0,\"y\":71},\"panelIndex\":\"13\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"14\",\"w\":9,\"x\":18,\"y\":71},\"panelIndex\":\"14\",\"panelRefName\":\"panel_10\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Unlocked Users [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"15\",\"w\":9,\"x\":9,\"y\":80},\"panelIndex\":\"15\",\"panelRefName\":\"panel_11\",\"title\":\"Unlocked Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Users Changes [Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"16\",\"w\":9,\"x\":18,\"y\":105},\"panelIndex\":\"16\",\"panelRefName\":\"panel_12\",\"title\":\"Users Changes [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"17\",\"w\":9,\"x\":0,\"y\":96},\"panelIndex\":\"17\",\"panelRefName\":\"panel_13\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"18\",\"w\":9,\"x\":9,\"y\":71},\"panelIndex\":\"18\",\"panelRefName\":\"panel_14\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"19\",\"w\":9,\"x\":18,\"y\":96},\"panelIndex\":\"19\",\"panelRefName\":\"panel_15\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Locked-out Users 
[Windows Security]\"},\"gridData\":{\"h\":16,\"i\":\"20\",\"w\":9,\"x\":0,\"y\":105},\"panelIndex\":\"20\",\"panelRefName\":\"panel_16\",\"title\":\"Locked-out Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":48,\"i\":\"22\",\"w\":21,\"x\":27,\"y\":73},\"panelIndex\":\"22\",\"panelRefName\":\"panel_17\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"23\",\"w\":48,\"x\":0,\"y\":121},\"panelIndex\":\"23\",\"panelRefName\":\"panel_18\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"24\",\"w\":9,\"x\":9,\"y\":96},\"panelIndex\":\"24\",\"panelRefName\":\"panel_19\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"25\",\"w\":9,\"x\":9,\"y\":105},\"panelIndex\":\"25\",\"panelRefName\":\"panel_20\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"20adcb1b-cebf-4a75-9bc4-eaeeee626c5e\",\"w\":31,\"x\":17,\"y\":0},\"panelIndex\":\"20adcb1b-cebf-4a75-9bc4-eaeeee626c5e\",\"panelRefName\":\"panel_21\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-user-account\":\"#0A437C\",\"deleted-user-account\":\"#82B5D8\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#052B51\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\"},\"vis\":{\"colors\":{\"added-user-account\":\"#0A437C\",\"deleted-user-account\":\"#82B5D8\",\"disabled-user-account\":\"#BADFF4\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#052B51\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\"}}},\"gridData\":{\"h\":19,\"i\":\"8aad73ff-37b1-487a-a3f1-b80b93618ac4\",\"w\":18,\"x\":0,\"y\":7},\"panelIndex\":\"8aad73ff-37b1-487a-a3f1-b80b93618ac4\",\"panelRefName\":\"panel_22\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"18cc78ac-3f77-4f54-b351-cb94873cae3f\",\"w\":14,\"x\":18,\"y\":7},\"panelIndex\":\"18cc78ac
-3f77-4f54-b351-cb94873cae3f\",\"panelRefName\":\"panel_23\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"75f5f1fc-bc7c-4f8f-8e5b-0a52d525aa7d\",\"w\":16,\"x\":32,\"y\":7},\"panelIndex\":\"75f5f1fc-bc7c-4f8f-8e5b-0a52d525aa7d\",\"panelRefName\":\"panel_24\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Actions performed over Users [Windows Security]\",\"vis\":null},\"gridData\":{\"h\":20,\"i\":\"f443b5b0-ada7-426f-ae2f-46573f94f24f\",\"w\":48,\"x\":0,\"y\":26},\"panelIndex\":\"f443b5b0-ada7-426f-ae2f-46573f94f24f\",\"panelRefName\":\"panel_25\",\"title\":\"Actions performed over Users [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-user-account\":\"#0A437C\",\"deleted-user-account\":\"#82B5D8\",\"disabled-user-account\":\"#BADFF4\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#2F575E\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\"},\"vis\":{\"colors\":{\"added-user-account\":\"#0A437C\",\"deleted-user-account\":\"#82B5D8\",\"disabled-user-account\":\"#BADFF4\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#2F575E\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\",\"unlocked-user-account\":\"#0A437C\"}}},\"gridData\":{\"h\":27,\"i\":\"820c0311-d378-49dc-a614-e0fed2254603\",\"w\":21,\"x\":27,\"y\":46},\"panelIndex\":\"820c0311-d378-49dc-a614-e0fed2254603\",\"panelRefName\":\"panel_26\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[System Windows Security] User Management Events - Simple Metric", - "version": 1 - }, - "id": "windows-8223bed0-b9e9-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf", - "name": "panel_1", - "type": "visualization" 
- }, - { - "id": "windows-0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-8f20c950-bcd4-11e9-b6a2-c9b4015c4baf", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-102efd20-bcdd-11e9-b6a2-c9b4015c4baf", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "windows-855957d0-bcdd-11e9-b6a2-c9b4015c4baf", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "windows-c359b020-bcdd-11e9-b6a2-c9b4015c4baf", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-0cb2d940-bcde-11e9-b6a2-c9b4015c4baf", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-568a8130-bcde-11e9-b6a2-c9b4015c4baf", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "windows-da2110c0-bcea-11e9-b6a2-c9b4015c4baf", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "windows-abf96c10-bcea-11e9-b6a2-c9b4015c4baf", - "name": "panel_12", - "type": "visualization" - }, - { - "id": "windows-84502430-bce8-11e9-b6a2-c9b4015c4baf", - "name": "panel_13", - "type": "visualization" - }, - { - "id": "windows-ab6f8d80-bce8-11e9-b6a2-c9b4015c4baf", - "name": "panel_14", - "type": "visualization" - }, - { - "id": "windows-5d92b100-bce8-11e9-b6a2-c9b4015c4baf", - "name": "panel_15", - "type": "visualization" - }, - { - "id": "windows-4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf", - "name": "panel_16", - "type": "visualization" - }, - { - "id": "windows-7e178c80-fee1-11e9-8405-516218e3d268", - "name": "panel_17", - "type": "search" - }, - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "panel_18", - "type": "search" - }, - { - "id": "windows-5e19ff80-231c-11ea-8405-516218e3d268", - "name": "panel_19", - "type": 
"visualization" - }, - { - "id": "windows-fa876300-231a-11ea-8405-516218e3d268", - "name": "panel_20", - "type": "visualization" - }, - { - "id": "windows-d770b040-9b35-11ea-87e4-49f31ec44891", - "name": "panel_21", - "type": "visualization" - }, - { - "id": "windows-26877510-9b72-11ea-87e4-49f31ec44891", - "name": "panel_22", - "type": "visualization" - }, - { - "id": "windows-5c9ee410-9b74-11ea-87e4-49f31ec44891", - "name": "panel_23", - "type": "visualization" - }, - { - "id": "windows-117f5a30-9b71-11ea-87e4-49f31ec44891", - "name": "panel_24", - "type": "visualization" - }, - { - "id": "windows-aa31c9d0-9b75-11ea-87e4-49f31ec44891", - "name": "panel_25", - "type": "visualization" - }, - { - "id": "windows-caf4d2b0-9b76-11ea-87e4-49f31ec44891", - "name": "panel_26", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/dashboard/system-Filebeat-syslog-dashboard.json b/packages/system/0.10.7/kibana/dashboard/system-Filebeat-syslog-dashboard.json deleted file mode 100644 index e853fd4613..0000000000 --- a/packages/system/0.10.7/kibana/dashboard/system-Filebeat-syslog-dashboard.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "description": "Syslog dashboard from the Logs System integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"1\",\"w\":32,\"x\":0,\"y\":4},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"2\",\"w\":16,\"x\":32,\"y\":4},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"columns\":[\"host.hostname\",\"process.name\",\"message\"],\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"h\":28,\"i\":\"3\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"4\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Logs System] Syslog dashboard", - "version": 1 - }, - "id": "system-Filebeat-syslog-dashboard", - "references": [ - { - "id": "system-Syslog-events-by-hostname", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-Syslog-hostnames-and-processes", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "system-Syslog-system-logs", - "name": "panel_2", - "type": "search" - }, - { - "id": "system-327417e0-8462-11e7-bab8-bd2f0fb42c54", - "name": "panel_3", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/dashboard/system-Metricbeat-system-overview.json b/packages/system/0.10.7/kibana/dashboard/system-Metricbeat-system-overview.json deleted file mode 100644 index 286c979eb2..0000000000 
--- a/packages/system/0.10.7/kibana/dashboard/system-Metricbeat-system-overview.json
+++ /dev/null
@@ -1,68 +0,0 @@ -{ - "attributes": { - "description": "Overview of system metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"9\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"9\",\"panelRefName\":\"panel_0\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"11\",\"w\":8,\"x\":0,\"y\":4},\"panelIndex\":\"11\",\"panelRefName\":\"panel_1\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":20,\"i\":\"12\",\"w\":24,\"x\":24,\"y\":12},\"panelIndex\":\"12\",\"panelRefName\":\"panel_2\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"13\",\"w\":24,\"x\":0,\"y\":12},\"panelIndex\":\"13\",\"panelRefName\":\"panel_3\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0% - 15%\":\"rgb(247,252,245)\",\"15% - 30%\":\"rgb(199,233,192)\",\"30% - 45%\":\"rgb(116,196,118)\",\"45% - 60%\":\"rgb(35,139,69)\"}}},\"gridData\":{\"h\":24,\"i\":\"14\",\"w\":48,\"x\":0,\"y\":32},\"panelIndex\":\"14\",\"panelRefName\":\"panel_4\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"16\",\"w\":8,\"x\":32,\"y\":4},\"panelIndex\":\"16\",\"panelRefName\":\"panel_5\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"17\",\"w\":8,\"x\":40,\"y\":4},\"panelIndex\":\"17\",\"panelRefName\":\"panel_6\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"18\",\"w\":8,\"x\":24,\"y\":4},\"panelIndex\":\"18\",\"panelRefName\":\"panel_7\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"19\",\"w\":8,\"x\":16,\"y\":4},\"panelIndex\":\"19\",\"panelRefName\":\"panel_8\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"20\",\"w\":8,\"x\":8,\"y\":4},\"panelIndex\":\"20\",\"panelRefName\":\"panel_9\",\"version\":\"7.6.0\"}]", - "timeRestore": false, - "title": "[Metrics System] Overview", - "version": 1 - }, - "id": "system-Metrics-system-overview", - "references": [ - { - "id": "system-Navigation", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-c6f2ffd0-4d17-11e7-a196-69b9a7a020a9", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "system-fe064790-1b1f-11e7-bec4-a5e9ec5cab8b", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "system-855899e0-1b1c-11e7-b09e-037021c4f8df", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "system-7cdb1330-4d1a-11e7-a196-69b9a7a020a9", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "system-1aae9140-1b93-11e7-8ada-3df93aab833e", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b", - "name": 
"panel_9", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/dashboard/system-Winlogbeat-Dashboard.json b/packages/system/0.10.7/kibana/dashboard/system-Winlogbeat-Dashboard.json deleted file mode 100644 index 84aad582de..0000000000 --- a/packages/system/0.10.7/kibana/dashboard/system-Winlogbeat-Dashboard.json +++ /dev/null 
@@ -1,49 +0,0 @@ -{ - "attributes": { - "description": "Overview of all Windows Event Logs.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:system.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:system.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system OR data_stream.dataset:system.system)\"}}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"gridData\":{\"h\":20,\"i\":\"3\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"4\",\"w\":16,\"x\":16,\"y\":20},\"panelIndex\":\"4\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"gridData\":{\"h\":20,\"i\":\"5\",\"w\":16,\"x\":32,\"y\":20},\"panelIndex\":\"5\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"gridData\":{\"h\":20,\"i\":\"6\",\"w\":16,\"x\":0,\"y\":20},\"panelIndex\":\"6\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Windows] Overview", - "version": 1 - }, - "id": "Windows-Dashboard", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-Number-of-Events-Over-Time-By-Event-Log", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-Number-of-Events", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-Top-Event-IDs", - 
"name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-Event-Levels", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-Sources", - "name": "panel_4", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/dashboard/system-bae11b00-9bfc-11ea-87e4-49f31ec44891.json b/packages/system/0.10.7/kibana/dashboard/system-bae11b00-9bfc-11ea-87e4-49f31ec44891.json deleted file mode 100644 index a07696c194..0000000000 --- a/packages/system/0.10.7/kibana/dashboard/system-bae11b00-9bfc-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,89 +0,0 @@ -{ - "attributes": { - "description": "User logon activity dashboard.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"Admin Users Sessions\"},\"gridData\":{\"h\":28,\"i\":\"1\",\"w\":18,\"x\":0,\"y\":34},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"title\":\"Admin Users Sessions\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"AdminLocalSta\":\"#890F02\",\"SERVICIO LOCAL\":\"#508642\"},\"legendOpen\":true,\"title\":\"Administrators Logged On\",\"vis\":{\"colors\":{\"AdminLocalSta\":\"#890F02\",\"NETWORK SERVICE\":\"#1F78C1\",\"SERVICIO LOCAL\":\"#508642\"},\"legendOpen\":true}},\"gridData\":{\"h\":18,\"i\":\"3\",\"w\":18,\"x\":0,\"y\":16},\"panelIndex\":\"3\",\"panelRefName\":\"panel_1\",\"title\":\"Administrators Logged On\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":6,\"i\":\"4\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_2\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Details\"},\"gridData\":{\"h\":47,\"i\":\"10\",\"w\":23,\"x\":0,\"y\":62},\"panelIndex\":\"10\",\"panelRefName\":\"panel_3\",\"title\":\"Logon 
Details\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":6,\"i\":\"34fc9633-8a7c-444d-8d19-06095b55fb43\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"34fc9633-8a7c-444d-8d19-06095b55fb43\",\"panelRefName\":\"panel_4\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":10,\"i\":\"67d2409d-3e51-45d5-972f-32a36537e622\",\"w\":9,\"x\":0,\"y\":6},\"panelIndex\":\"67d2409d-3e51-45d5-972f-32a36537e622\",\"panelRefName\":\"panel_5\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":10,\"i\":\"33d05ce3-f60d-4a31-a668-aa6fab0cc800\",\"w\":9,\"x\":9,\"y\":6},\"panelIndex\":\"33d05ce3-f60d-4a31-a668-aa6fab0cc800\",\"panelRefName\":\"panel_6\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Events Timeline\"},\"gridData\":{\"h\":13,\"i\":\"7b3906e6-3a81-450c-bb31-ca0d670440b7\",\"w\":30,\"x\":18,\"y\":6},\"panelIndex\":\"7b3906e6-3a81-450c-bb31-ca0d670440b7\",\"panelRefName\":\"panel_7\",\"title\":\"Logon Events Timeline\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"CachedInteractive\":\"#6ED0E0\",\"Interactive\":\"#2F575E\",\"Network\":\"#447EBC\",\"RemoteInteractive\":\"#64B0C8\",\"Service\":\"#6ED0E0\",\"Unlock\":\"#BADFF4\"},\"legendOpen\":true,\"title\":\"Logon Types\",\"vis\":{\"colors\":{\"CachedInteractive\":\"#6ED0E0\",\"Interactive\":\"#2F575E\",\"Network\":\"#447EBC\",\"RemoteInteractive\":\"#64B0C8\",\"Service\":\"#65C5DB\",\"Unlock\":\"#BADFF4\"},\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"cf50b48e-453c-46fb-ad35-7ccfb7b03de0\",\"w\":15,\"x\":18,\"y\":19},\"panelIndex\":\"cf50b48e-453c-46fb-ad35-7ccfb7b03de0\",\"panelRefName\":\"panel_8\",\"title\":\"Logon 
Types\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"a743ffe5-a2ac-4c0b-9b6f-a81563140c42\",\"w\":15,\"x\":33,\"y\":19},\"panelIndex\":\"a743ffe5-a2ac-4c0b-9b6f-a81563140c42\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"RDP Reconnections and Desconnections\"},\"gridData\":{\"h\":28,\"i\":\"454bb008-9720-455e-8ab9-b2f47d25aa4f\",\"w\":18,\"x\":18,\"y\":34},\"panelIndex\":\"454bb008-9720-455e-8ab9-b2f47d25aa4f\",\"panelRefName\":\"panel_10\",\"title\":\"RDP Reconnections and Desconnections\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":28,\"i\":\"29a0e70a-ab23-4d48-8d4e-9a39c5af47ad\",\"w\":12,\"x\":36,\"y\":34},\"panelIndex\":\"29a0e70a-ab23-4d48-8d4e-9a39c5af47ad\",\"panelRefName\":\"panel_11\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logout Details\"},\"gridData\":{\"h\":46,\"i\":\"28115147-8399-4fcd-95ce-ed0a4f4239e3\",\"w\":25,\"x\":23,\"y\":62},\"panelIndex\":\"28115147-8399-4fcd-95ce-ed0a4f4239e3\",\"panelRefName\":\"panel_12\",\"title\":\"Logout Details\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[System Windows Security] User Logons", - "version": 1 - }, - "id": "windows-bae11b00-9bfc-11ea-87e4-49f31ec44891", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-804dd400-a248-11e9-a422-d144027429da", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-e2516c10-a249-11e9-a422-d144027429da", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-18348f30-a24d-11e9-a422-d144027429da", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-ce71c9a0-a25e-11e9-a422-d144027429da", - "name": "panel_3", - "type": "search" - }, - { - "id": "windows-a3c3f350-9b6d-11ea-87e4-49f31ec44891", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-0622da40-9bfd-11ea-87e4-49f31ec44891", - "name": 
"panel_5", - "type": "visualization" - }, - { - "id": "windows-860706a0-9bfd-11ea-87e4-49f31ec44891", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "windows-a909b930-685f-11ea-896f-0d70f7ec3956", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "windows-006d75f0-9c03-11ea-87e4-49f31ec44891", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-21aadac0-9c0b-11ea-87e4-49f31ec44891", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3", - "name": "panel_10", - "type": "search" - }, - { - "id": "windows-25f31ee0-9c23-11ea-87e4-49f31ec44891", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "windows-06b6b060-7a80-11ea-bc9a-0baf2ca323a3", - "name": "panel_12", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/dashboard/system-bb858830-f412-11e9-8405-516218e3d268.json b/packages/system/0.10.7/kibana/dashboard/system-bb858830-f412-11e9-8405-516218e3d268.json deleted file mode 100644 index 6c4f14a5dc..0000000000 --- a/packages/system/0.10.7/kibana/dashboard/system-bb858830-f412-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,129 +0,0 @@ -{ - "attributes": { - "description": "Group management activity.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"22\",\"w\":16,\"x\":0,\"y\":0},\"panelIndex\":\"22\",\"panelRefName\":\"panel_0\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"29\",\"w\":16,\"x\":0,\"y\":68},\"panelIndex\":\"29\",\"panelRefName\":\"panel_1\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"30\",\"w\":9,\"x\":18,\"y\":48},\"panelIndex\":\"30\",\"panelRefName\":\"panel_2\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"31\",\"w\":9,\"x\":0,\"y\":48},\"panelIndex\":\"31\",\"panelRefName\":\"panel_3\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"32\",\"w\":9,\"x\":9,\"y\":48},\"panelIndex\":\"32\",\"panelRefName\":\"panel_4\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"33\",\"w\":17,\"x\":16,\"y\":68},\"panelIndex\":\"33\",\"panelRefName\":\"panel_5\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"34\",\"w\":15,\"x\":33,\"y\":68},\"panelIndex\":\"34\",\"panelRefName\":\"panel_6\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Creation Summary [Windows Security]\"},\"gridData\":{\"h\":13,\"i\":\"36\",\"w\":9,\"x\":0,\"y\":55},\"panelIndex\":\"36\",\"panelRefName\":\"panel_7\",\"title\":\"Group Creation Summary [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Changes Summary [Windows 
Security]\"},\"gridData\":{\"h\":13,\"i\":\"37\",\"w\":9,\"x\":9,\"y\":55},\"panelIndex\":\"37\",\"panelRefName\":\"panel_8\",\"title\":\"Group Changes Summary [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Deletion Summary [Windows Security]\"},\"gridData\":{\"h\":13,\"i\":\"38\",\"w\":9,\"x\":18,\"y\":55},\"panelIndex\":\"38\",\"panelRefName\":\"panel_9\",\"title\":\"Group Deletion Summary [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Users Added to Group Summary [Windows Security]\"},\"gridData\":{\"h\":14,\"i\":\"39\",\"w\":16,\"x\":0,\"y\":75},\"panelIndex\":\"39\",\"panelRefName\":\"panel_10\",\"title\":\"Users Added to Group Summary [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Users Removed From Group Summary [Windows Security]\"},\"gridData\":{\"h\":14,\"i\":\"40\",\"w\":17,\"x\":16,\"y\":75},\"panelIndex\":\"40\",\"panelRefName\":\"panel_11\",\"title\":\"Users Removed From Group Summary [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Enumeration - Table [Windows Security]\"},\"gridData\":{\"h\":14,\"i\":\"42\",\"w\":15,\"x\":33,\"y\":75},\"panelIndex\":\"42\",\"panelRefName\":\"panel_12\",\"title\":\"Group Enumeration - Table [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Details [Windows Security]\"},\"gridData\":{\"h\":20,\"i\":\"43\",\"w\":21,\"x\":27,\"y\":48},\"panelIndex\":\"43\",\"panelRefName\":\"panel_13\",\"title\":\"Logon Details [Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Management Operations Details [Windows Security]\"},\"gridData\":{\"h\":22,\"i\":\"45\",\"w\":48,\"x\":0,\"y\":89},\"panelIndex\":\"45\",\"panelRefName\":\"panel_14\",\"title\":\"Group Management Operations Details [Windows 
Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-group-account\":\"#0A437C\",\"added-member-to-group\":\"#1F78C1\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#052B51\",\"user-member-enumerated\":\"#447EBC\"},\"vis\":{\"colors\":{\"added-group-account\":\"#0A437C\",\"added-member-to-group\":\"#1F78C1\",\"deleted-group-account\":\"#82B5D8\",\"modified-group-account\":\"#052B51\",\"user-member-enumerated\":\"#447EBC\"}}},\"gridData\":{\"h\":20,\"i\":\"3f7e277d-09d1-4a79-bc17-bc5da5a7e290\",\"w\":20,\"x\":0,\"y\":7},\"panelIndex\":\"3f7e277d-09d1-4a79-bc17-bc5da5a7e290\",\"panelRefName\":\"panel_15\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"8cda9d6a-096f-41a5-86e6-09dd1f6b9c98\",\"w\":16,\"x\":32,\"y\":7},\"panelIndex\":\"8cda9d6a-096f-41a5-86e6-09dd1f6b9c98\",\"panelRefName\":\"panel_16\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Management Events - Event Actions - Table [Windows Security]\"},\"gridData\":{\"h\":20,\"i\":\"74edddd5-2dc5-41b8-b4f2-bf9c95218f1b\",\"w\":12,\"x\":20,\"y\":7},\"panelIndex\":\"74edddd5-2dc5-41b8-b4f2-bf9c95218f1b\",\"panelRefName\":\"panel_17\",\"title\":\"Group Management Events - Event Actions - Table [Windows 
Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"vis\":null},\"gridData\":{\"h\":21,\"i\":\"33cef054-615a-49cb-bb2e-eb55fab96ae5\",\"w\":27,\"x\":0,\"y\":27},\"panelIndex\":\"33cef054-615a-49cb-bb2e-eb55fab96ae5\",\"panelRefName\":\"panel_18\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-group-account\":\"#1F78C1\",\"added-member-to-group\":\"#0A437C\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#0A50A1\",\"type-changed-group-account\":\"#82B5D8\",\"user-member-enumerated\":\"#447EBC\"},\"vis\":{\"colors\":{\"added-group-account\":\"#1F78C1\",\"added-member-to-group\":\"#0A437C\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#0A50A1\",\"removed-member-from-group\":\"#BADFF4\",\"type-changed-group-account\":\"#82B5D8\",\"user-member-enumerated\":\"#447EBC\"}}},\"gridData\":{\"h\":21,\"i\":\"e0d495aa-f897-403f-815b-6116fae330b7\",\"w\":21,\"x\":27,\"y\":27},\"panelIndex\":\"e0d495aa-f897-403f-815b-6116fae330b7\",\"panelRefName\":\"panel_19\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"663e0493-2070-407b-9d00-079915cce7e7\",\"w\":32,\"x\":16,\"y\":0},\"panelIndex\":\"663e0493-2070-407b-9d00-079915cce7e7\",\"panelRefName\":\"panel_20\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[System Windows Security] Group Management Events", - "version": 1 - }, - "id": "windows-bb858830-f412-11e9-8405-516218e3d268", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-6f0f2ea0-f414-11e9-8405-516218e3d268", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-ffebe440-f419-11e9-8405-516218e3d268", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-e22c6f40-f498-11e9-8405-516218e3d268", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-ee292bc0-f499-11e9-8405-516218e3d268", - "name": "panel_3", - "type": 
"visualization" - }, - { - "id": "windows-400b63e0-f49a-11e9-8405-516218e3d268", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-a5f664c0-f49a-11e9-8405-516218e3d268", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-546febc0-f49b-11e9-8405-516218e3d268", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "windows-98884120-f49d-11e9-8405-516218e3d268", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "windows-9e534190-f49d-11e9-8405-516218e3d268", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-bb9cf7a0-f49d-11e9-8405-516218e3d268", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-ce867840-f49e-11e9-8405-516218e3d268", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "windows-fee83900-f49f-11e9-8405-516218e3d268", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "windows-bc165210-f4b8-11e9-8405-516218e3d268", - "name": "panel_12", - "type": "visualization" - }, - { - "id": "windows-7e178c80-fee1-11e9-8405-516218e3d268", - "name": "panel_13", - "type": "search" - }, - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "panel_14", - "type": "search" - }, - { - "id": "windows-b89b0c90-9b41-11ea-87e4-49f31ec44891", - "name": "panel_15", - "type": "visualization" - }, - { - "id": "windows-58fb9480-9b46-11ea-87e4-49f31ec44891", - "name": "panel_16", - "type": "visualization" - }, - { - "id": "windows-33462600-9b47-11ea-87e4-49f31ec44891", - "name": "panel_17", - "type": "visualization" - }, - { - "id": "windows-e20c02d0-9b48-11ea-87e4-49f31ec44891", - "name": "panel_18", - "type": "visualization" - }, - { - "id": "windows-7de2e3f0-9b4d-11ea-87e4-49f31ec44891", - "name": "panel_19", - "type": "visualization" - }, - { - "id": "windows-a3c3f350-9b6d-11ea-87e4-49f31ec44891", - "name": "panel_20", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file 
diff --git a/packages/system/0.10.7/kibana/dashboard/system-d401ef40-a7d5-11e9-a422-d144027429da.json b/packages/system/0.10.7/kibana/dashboard/system-d401ef40-a7d5-11e9-a422-d144027429da.json
deleted file mode 100644
index b5991808e8..0000000000
--- a/packages/system/0.10.7/kibana/dashboard/system-d401ef40-a7d5-11e9-a422-d144027429da.json
+++ /dev/null
@@ -1,84 +0,0 @@ -{ - "attributes": { - "description": "Failed and blocked accounts with TSVB metrics.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"1\",\"w\":14,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"Failed Logins\":\"#EF843C\",\"Failed Logons\":\"#E24D42\",\"Successful Login\":\"#B7DBAB\",\"Successful Logon\":\"#9AC48A\"},\"legendOpen\":true,\"title\":\"Login Successful vs Failed\",\"vis\":{\"colors\":{\"Failed Logins\":\"#EF843C\",\"Failed Logons\":\"#BF1B00\",\"Successful Login\":\"#B7DBAB\",\"Successful Logon\":\"#9AC48A\"},\"legendOpen\":true}},\"gridData\":{\"h\":18,\"i\":\"2\",\"w\":12,\"x\":0,\"y\":7},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"title\":\"Login Successful vs Failed\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Blocked Acoounts\"},\"gridData\":{\"h\":21,\"i\":\"3\",\"w\":11,\"x\":12,\"y\":35},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"title\":\"Blocked Acoounts\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"Login Failed\":\"#F9934E\",\"Login OK\":\"#9AC48A\",\"Logon Failed\":\"#E24D42\",\"Logon Successful\":\"#9AC48A\"},\"legendOpen\":true,\"title\":\"Logon Successful and Failed Over time\",\"vis\":{\"colors\":{\"Login Failed\":\"#F9934E\",\"Login OK\":\"#9AC48A\",\"Logon Failed\":\"#BF1B00\",\"Logon Successful\":\"#9AC48A\"},\"legendOpen\":true}},\"gridData\":{\"h\":18,\"i\":\"4\",\"w\":23,\"x\":12,\"y\":7},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"title\":\"Logon Successful and Failed Over 
time\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"5\",\"w\":12,\"x\":0,\"y\":35},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Failed (Time Mosaic View)\",\"vis\":{\"defaultColors\":{\"0 - 5\":\"rgb(255,245,240)\",\"10 - 15\":\"rgb(252,138,106)\",\"15 - 20\":\"rgb(241,68,50)\",\"20 - 24\":\"rgb(188,20,26)\",\"5 - 10\":\"rgb(253,202,181)\"},\"legendOpen\":false}},\"gridData\":{\"h\":30,\"i\":\"6\",\"w\":48,\"x\":0,\"y\":56},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"title\":\"Logon Failed (Time Mosaic View)\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Failed and Account Lockouts\"},\"gridData\":{\"h\":20,\"i\":\"8\",\"w\":48,\"x\":0,\"y\":86},\"panelIndex\":\"8\",\"panelRefName\":\"panel_6\",\"title\":\"Logon Failed and Account Lockouts\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Failed Source IPs\"},\"gridData\":{\"h\":18,\"i\":\"10\",\"w\":13,\"x\":35,\"y\":7},\"panelIndex\":\"10\",\"panelRefName\":\"panel_7\",\"title\":\"Logon Failed Source IPs\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Failed Logins Table\"},\"gridData\":{\"h\":31,\"i\":\"11\",\"w\":25,\"x\":23,\"y\":25},\"panelIndex\":\"11\",\"panelRefName\":\"panel_8\",\"title\":\"Failed Logins 
Table\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"628de26f-7b7b-457c-b811-e06161e4e7b4\",\"w\":34,\"x\":14,\"y\":0},\"panelIndex\":\"628de26f-7b7b-457c-b811-e06161e4e7b4\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":10,\"i\":\"01a624c2-7a86-4fa9-89d3-e2ae84e94ec9\",\"w\":12,\"x\":0,\"y\":25},\"panelIndex\":\"01a624c2-7a86-4fa9-89d3-e2ae84e94ec9\",\"panelRefName\":\"panel_10\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":10,\"i\":\"e3046900-1ffc-4efa-9dab-613d685c617b\",\"w\":11,\"x\":12,\"y\":25},\"panelIndex\":\"e3046900-1ffc-4efa-9dab-613d685c617b\",\"panelRefName\":\"panel_11\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[System Windows Security] Failed and Blocked Accounts", - "version": 1 - }, - "id": "windows-d401ef40-a7d5-11e9-a422-d144027429da", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-c2ea73f0-a4bd-11e9-a422-d144027429da", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-175a5760-a7d5-11e9-a422-d144027429da", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-7a329a00-a7d5-11e9-a422-d144027429da", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-162d7ab0-a7d6-11e9-a422-d144027429da", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-729443b0-a7d6-11e9-a422-d144027429da", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-4b683ac0-a7d7-11e9-a422-d144027429da", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-757510b0-a87f-11e9-a422-d144027429da", - "name": "panel_6", - "type": "search" - }, - { - "id": "windows-2084e300-a884-11e9-a422-d144027429da", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "windows-421f0610-af98-11e9-a422-d144027429da", - "name": 
"panel_8", - "type": "visualization" - }, - { - "id": "windows-a3c3f350-9b6d-11ea-87e4-49f31ec44891", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-8ef59f90-6ab8-11ea-896f-0d70f7ec3956", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "windows-a79395f0-6aba-11ea-896f-0d70f7ec3956", - "name": "panel_11", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/dashboard/system-f49f3170-9ffc-11ea-87e4-49f31ec44891.json b/packages/system/0.10.7/kibana/dashboard/system-f49f3170-9ffc-11ea-87e4-49f31ec44891.json deleted file mode 100644 index b53893ec0b..0000000000 --- a/packages/system/0.10.7/kibana/dashboard/system-f49f3170-9ffc-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,84 +0,0 @@ -{ - "attributes": { - "description": "Failed and blocked accounts.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"1\",\"w\":14,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"Failed Logins\":\"#EF843C\",\"Failed Logons\":\"#E24D42\",\"Successful Login\":\"#B7DBAB\",\"Successful Logon\":\"#9AC48A\"},\"legendOpen\":true,\"title\":\"Login Successful vs Failed\",\"vis\":{\"colors\":{\"Failed Logins\":\"#EF843C\",\"Failed Logons\":\"#BF1B00\",\"Successful Login\":\"#B7DBAB\",\"Successful Logon\":\"#9AC48A\"},\"legendOpen\":true}},\"gridData\":{\"h\":18,\"i\":\"2\",\"w\":12,\"x\":0,\"y\":7},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"title\":\"Login Successful vs Failed\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Blocked Acoounts\"},\"gridData\":{\"h\":21,\"i\":\"3\",\"w\":11,\"x\":12,\"y\":35},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"title\":\"Blocked Acoounts\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"Login Failed\":\"#F9934E\",\"Login OK\":\"#9AC48A\",\"Logon Failed\":\"#E24D42\",\"Logon Successful\":\"#9AC48A\"},\"legendOpen\":true,\"title\":\"Logon Successful and Failed Over time\",\"vis\":{\"colors\":{\"Login Failed\":\"#F9934E\",\"Login OK\":\"#9AC48A\",\"Logon Failed\":\"#BF1B00\",\"Logon Successful\":\"#9AC48A\"},\"legendOpen\":true}},\"gridData\":{\"h\":18,\"i\":\"4\",\"w\":23,\"x\":12,\"y\":7},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"title\":\"Logon Successful and Failed Over 
time\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"5\",\"w\":12,\"x\":0,\"y\":35},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Failed (Time Mosaic View)\",\"vis\":{\"defaultColors\":{\"0 - 5\":\"rgb(255,245,240)\",\"10 - 15\":\"rgb(252,138,106)\",\"15 - 20\":\"rgb(241,68,50)\",\"20 - 24\":\"rgb(188,20,26)\",\"5 - 10\":\"rgb(253,202,181)\"},\"legendOpen\":false}},\"gridData\":{\"h\":30,\"i\":\"6\",\"w\":48,\"x\":0,\"y\":56},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"title\":\"Logon Failed (Time Mosaic View)\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Failed and Account Lockouts\"},\"gridData\":{\"h\":20,\"i\":\"8\",\"w\":48,\"x\":0,\"y\":86},\"panelIndex\":\"8\",\"panelRefName\":\"panel_6\",\"title\":\"Logon Failed and Account Lockouts\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Failed Source IPs\"},\"gridData\":{\"h\":18,\"i\":\"10\",\"w\":13,\"x\":35,\"y\":7},\"panelIndex\":\"10\",\"panelRefName\":\"panel_7\",\"title\":\"Logon Failed Source IPs\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Failed Logins Table\"},\"gridData\":{\"h\":31,\"i\":\"11\",\"w\":25,\"x\":23,\"y\":25},\"panelIndex\":\"11\",\"panelRefName\":\"panel_8\",\"title\":\"Failed Logins 
Table\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"a79ee89f-ff45-486c-9788-9446d39456c2\",\"w\":34,\"x\":14,\"y\":0},\"panelIndex\":\"a79ee89f-ff45-486c-9788-9446d39456c2\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":10,\"i\":\"7765df59-11c4-476d-898f-9ebf98c369e2\",\"w\":11,\"x\":12,\"y\":25},\"panelIndex\":\"7765df59-11c4-476d-898f-9ebf98c369e2\",\"panelRefName\":\"panel_10\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":10,\"i\":\"b47c91d3-58c4-4b5b-b302-444b048efdfa\",\"w\":12,\"x\":0,\"y\":25},\"panelIndex\":\"b47c91d3-58c4-4b5b-b302-444b048efdfa\",\"panelRefName\":\"panel_11\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[System Windows Security] Failed and Blocked Accounts - Simple Metrics", - "version": 1 - }, - "id": "windows-f49f3170-9ffc-11ea-87e4-49f31ec44891", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-c2ea73f0-a4bd-11e9-a422-d144027429da", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-175a5760-a7d5-11e9-a422-d144027429da", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-7a329a00-a7d5-11e9-a422-d144027429da", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-162d7ab0-a7d6-11e9-a422-d144027429da", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-729443b0-a7d6-11e9-a422-d144027429da", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-4b683ac0-a7d7-11e9-a422-d144027429da", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-757510b0-a87f-11e9-a422-d144027429da", - "name": "panel_6", - "type": "search" - }, - { - "id": "windows-2084e300-a884-11e9-a422-d144027429da", - "name": "panel_7", - "type": "visualization" - }, - { - "id": 
"windows-421f0610-af98-11e9-a422-d144027429da", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-d770b040-9b35-11ea-87e4-49f31ec44891", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-5d117970-9ffd-11ea-87e4-49f31ec44891", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "windows-4bedf650-9ffd-11ea-87e4-49f31ec44891", - "name": "panel_11", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/search/system-06b6b060-7a80-11ea-bc9a-0baf2ca323a3.json b/packages/system/0.10.7/kibana/search/system-06b6b060-7a80-11ea-bc9a-0baf2ca323a3.json deleted file mode 100644 index 10d5ce715b..0000000000 --- a/packages/system/0.10.7/kibana/search/system-06b6b060-7a80-11ea-bc9a-0baf2ca323a3.json +++ /dev/null 
@@ -1,50 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.name", - "user.domain", - "winlog.logon.id", - "event.action", - "winlog.logon.type", - "winlog.event_data.SubjectUserName" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4625\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"4625\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "User Logouts [Windows Security]", - "version": 1 - }, - "id": "windows-06b6b060-7a80-11ea-bc9a-0baf2ca323a3", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file 
diff --git a/packages/system/0.10.7/kibana/search/system-324686c0-fefb-11e9-8405-516218e3d268.json b/packages/system/0.10.7/kibana/search/system-324686c0-fefb-11e9-8405-516218e3d268.json deleted file mode 100644 index ec69ccebaa..0000000000 --- a/packages/system/0.10.7/kibana/search/system-324686c0-fefb-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "attributes": { - "columns": [ - "event.action", - "winlog.event_data.TargetUserName", - "user.domain", - "user.name", - "winlog.event_data.SubjectDomainName", - "winlog.logon.id", - "related.user" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4720\",\"4722\",\"4723\",\"4724\",\"4725\",\"4726\",\"4738\",\"4740\",\"4767\",\"4781\",\"4798\"],\"type\":\"phrases\",\"value\":\"4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740, 4767, 4781, 4798\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4720\"}},{\"match_phrase\":{\"event.code\":\"4722\"}},{\"match_phrase\":{\"event.code\":\"4723\"}},{\"match_phrase\":{\"event.code\":\"4724\"}},{\"match_phrase\":{\"event.code\":\"4725\"}},{\"match_phrase\":{\"event.code\":\"4726\"}},{\"match_phrase\":{\"event.code\":\"4738\"}},{\"match_phrase\":{\"event.code\":\"4740\"}},{\"match_phrase\":{\"event.code\":\"4767\"}},{\"match_phrase\":{\"event.code\":\"4781\"}},{\"match_phrase\":{\"event.code\":\"4798\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "User management Details - Search [Windows Security]", - "version": 1 - }, - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/search/system-62439dc0-f9c9-11e6-a747-6121780e0414.json b/packages/system/0.10.7/kibana/search/system-62439dc0-f9c9-11e6-a747-6121780e0414.json deleted file mode 100644 index abdd218801..0000000000 --- a/packages/system/0.10.7/kibana/search/system-62439dc0-f9c9-11e6-a747-6121780e0414.json +++ /dev/null @@ -1,33 +0,0 @@ -{ - "attributes": { - "columns": [ - "system.auth.ssh.event", - "system.auth.ssh.method", - "user.name", - "source.ip", - "source.geo.country_iso_code" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:system.auth AND system.auth.ssh.event:*\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "SSH login attempts [Logs System]", - "version": 1 - }, - "id": "system-62439dc0-f9c9-11e6-a747-6121780e0414", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/search/system-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3.json b/packages/system/0.10.7/kibana/search/system-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3.json deleted file mode 100644 index 91d45bab3c..0000000000 --- a/packages/system/0.10.7/kibana/search/system-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3.json +++ /dev/null 
@@ -1,44 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.name", - "source.domain", - "source.ip", - "winlog.logon.id", - "event.action" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4778\",\"4779\"],\"type\":\"phrases\",\"value\":\"4778, 4779\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4778\"}},{\"match_phrase\":{\"event.code\":\"4779\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Remote Interactive Connections and Disconnections [Windows Security]", - "version": 1 - }, - "id": "windows-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/search/system-757510b0-a87f-11e9-a422-d144027429da.json b/packages/system/0.10.7/kibana/search/system-757510b0-a87f-11e9-a422-d144027429da.json deleted file mode 100644 index 1bd6621baa..0000000000 --- a/packages/system/0.10.7/kibana/search/system-757510b0-a87f-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,51 +0,0 @@ -{ - "attributes": { - "columns": [ - "event.action", - "user.name", - "related.user", - "user.domain", - "source.domain", - "source.ip", - "winlog.event_data.SubjectUserName" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4625\",\"4740\"],\"type\":\"phrases\",\"value\":\"4625, 4740\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4625\"}},{\"match_phrase\":{\"event.code\":\"4740\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "3. 
Login Failed Details", - "version": 1 - }, - "id": "windows-757510b0-a87f-11e9-a422-d144027429da", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/search/system-7e178c80-fee1-11e9-8405-516218e3d268.json b/packages/system/0.10.7/kibana/search/system-7e178c80-fee1-11e9-8405-516218e3d268.json deleted file mode 100644 index 4c9ed9a936..0000000000 --- a/packages/system/0.10.7/kibana/search/system-7e178c80-fee1-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,44 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.name", - "source.domain", - "source.ip", - "winlog.logon.id", - "winlog.logon.type" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4624\"],\"type\":\"phrases\",\"value\":\"4624\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4624\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Logon Details [Windows Security]", - "version": 1 - }, - "id": "windows-7e178c80-fee1-11e9-8405-516218e3d268", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/search/system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab.json b/packages/system/0.10.7/kibana/search/system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab.json deleted file mode 100644 index ae1484339a..0000000000 --- a/packages/system/0.10.7/kibana/search/system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.name", - "user.id", - "group.id", - "system.auth.useradd.home", - "system.auth.useradd.shell" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.useradd:*\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "useradd logs [Logs System]", - "version": 1 - }, - "id": "system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/search/system-9066d5b0-fef2-11e9-8405-516218e3d268.json b/packages/system/0.10.7/kibana/search/system-9066d5b0-fef2-11e9-8405-516218e3d268.json deleted file mode 100644 index b3f1a739c2..0000000000 --- a/packages/system/0.10.7/kibana/search/system-9066d5b0-fef2-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,45 +0,0 @@ -{ - "attributes": { - "columns": [ - "event.action", - "group.name", - "group.domain", - "user.name", - "user.domain", - "host.name" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4731\",\"4732\",\"4733\",\"4734\",\"4735\",\"4737\",\"4764\",\"4727\",\"4728\",\"4729\",\"4730\",\"4754\",\"4755\",\"4756\",\"4757\",\"4758\",\"4799\",\"4749\",\"4750\",\"4751\",\"4752\",\"4753\",\"4759\",\"4760\",\"4761\",\"4762\",\"4763\",\"4744\",\"4745\",\"4746\",\"4748\"],\"type\":\"phrases\",\"value\":\"4731, 4732, 4733, 4734, 4735, 4737, 4764, 4727, 4728, 4729, 4730, 4754, 4755, 4756, 4757, 4758, 4799, 4749, 4750, 4751, 4752, 4753, 4759, 4760, 4761, 4762, 4763, 4744, 4745, 4746, 4748\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4731\"}},{\"match_phrase\":{\"event.code\":\"4732\"}},{\"match_phrase\":{\"event.code\":\"4733\"}},{\"match_phrase\":{\"event.code\":\"4734\"}},{\"match_phrase\":{\"event.code\":\"4735\"}},{\"match_phrase\":{\"event.code\":\"4737\"}},{\"match_phrase\":{\"event.code\":\"4764\"}},{\"match_phrase\":{\"event.code\":\"4727\"}},{\"match_phrase\":{\"event.code\":\"4728\"}},{\"match_phrase\":{\"event.code\":\"4729\"}},{\"match_phrase\":{\"event.code\":\"4730\"}},{\"match_phrase\":{\"event.code\":\"4754\"}},{\"match_phrase\":{\"event.code\":\"4755\"}},{\"match_phrase\":{\"event.code\":\"4756\"}},{\"match_phrase\":{\"event.code\":\"4757\"}},{\"match_phrase\":{\"event.code\":\"4758\"}},{\"match_phrase\":{\"event.code\":\"4799\"}},{\"match_phrase\":{\"event.code\":\"4749\"}},{\"match_phrase\":{\"event.code\":\"4750\"}},{\"match_phrase\":{\"event.code\":\"4751\"}},{\"match_phrase\":{\"event.code\":\"4752\"}},{\"match_phrase\":{\"even
t.code\":\"4753\"}},{\"match_phrase\":{\"event.code\":\"4759\"}},{\"match_phrase\":{\"event.code\":\"4760\"}},{\"match_phrase\":{\"event.code\":\"4761\"}},{\"match_phrase\":{\"event.code\":\"4762\"}},{\"match_phrase\":{\"event.code\":\"4763\"}},{\"match_phrase\":{\"event.code\":\"4744\"}},{\"match_phrase\":{\"event.code\":\"4745\"}},{\"match_phrase\":{\"event.code\":\"4746\"}},{\"match_phrase\":{\"event.code\":\"4748\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Group Management Details - Search View [Windows Security]", - "version": 1 - }, - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/search/system-Syslog-system-logs.json b/packages/system/0.10.7/kibana/search/system-Syslog-system-logs.json deleted file mode 100644 index 6a2ef982d2..0000000000 --- a/packages/system/0.10.7/kibana/search/system-Syslog-system-logs.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "columns": [ - "host.hostname", - "process.name", - "message" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:system.syslog\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Syslog logs [Logs System]", - "version": 1 - }, - "id": "system-Syslog-system-logs", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/search/system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a.json b/packages/system/0.10.7/kibana/search/system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a.json deleted file mode 100644 index e64a483853..0000000000 --- a/packages/system/0.10.7/kibana/search/system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.name", - "system.auth.sudo.user", - "system.auth.sudo.pwd", - "system.auth.sudo.command" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.sudo:*\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Sudo commands [Logs System]", - "version": 1 - }, - "id": "system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/search/system-ce71c9a0-a25e-11e9-a422-d144027429da.json b/packages/system/0.10.7/kibana/search/system-ce71c9a0-a25e-11e9-a422-d144027429da.json deleted file mode 100644 index 5b5be57d8a..0000000000 --- a/packages/system/0.10.7/kibana/search/system-ce71c9a0-a25e-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,44 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.name", - "winlog.logon.type", - "source.domain", - "source.ip", - "winlog.logon.id" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4624\"},\"type\":\"phrase\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4624\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "User Logons [Windows Security]", - "version": 1 - }, - "id": "windows-ce71c9a0-a25e-11e9-a422-d144027429da", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/search/system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38.json b/packages/system/0.10.7/kibana/search/system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38.json deleted file mode 100644 index e05ac92d9b..0000000000 --- a/packages/system/0.10.7/kibana/search/system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "columns": [ - "group.name", - "group.id" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.groupadd:*\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "groupadd logs [Logs System]", - "version": 1 - }, - "id": "system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-006d75f0-9c03-11ea-87e4-49f31ec44891.json b/packages/system/0.10.7/kibana/visualization/system-006d75f0-9c03-11ea-87e4-49f31ec44891.json deleted file mode 100644 index db20a1b618..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-006d75f0-9c03-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4624\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"4624\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Logon Types [Windows Security]", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"winlog.logon.id\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"winlog.logon.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"label\":\"user.name: Descending\",\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"cardinality\",\"format\":{\"id\":\"number\"},\"label\":\"Unique count of winlog.logon.id\",\"params\":{}}},\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Logon Types [Windows Security]\",\"type\":\"pie\"}" - }, - "id": 
"windows-006d75f0-9c03-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.7/kibana/visualization/system-0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index b7fbd088c9..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4722\"},\"type\":\"phrase\",\"value\":\"4722\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4722\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security \"}}" - }, - "title": "Users Enabled - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Enabled User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Enabled - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-0622da40-9bfd-11ea-87e4-49f31ec44891.json b/packages/system/0.10.7/kibana/visualization/system-0622da40-9bfd-11ea-87e4-49f31ec44891.json deleted file mode 100644 index f32dea29c7..0000000000 
--- a/packages/system/0.10.7/kibana/visualization/system-0622da40-9bfd-11ea-87e4-49f31ec44891.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Administrator Logons [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"d5bcde50-9bfc-11ea-aaa3-618beeff2d9c\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(181,49,0,1)\",\"id\":\"16018150-9bfd-11ea-aaa3-618beeff2d9c\",\"operator\":\"gte\",\"value\":0}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"filter\":{\"language\":\"kuery\",\"query\":\"((data_stream.dataset:windows.security OR data_stream.dataset:system.security) AND event.code: \\\"4672\\\")\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Administrator Logons\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Administrator Logons [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-0622da40-9bfd-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.7/kibana/visualization/system-089b85d0-1b16-11e7-b09e-037021c4f8df.json b/packages/system/0.10.7/kibana/visualization/system-089b85d0-1b16-11e7-b09e-037021c4f8df.json deleted file mode 100644 index 40175102f6..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-089b85d0-1b16-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Network Traffic (Bytes) [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"lucene\",\"query\":\"-system.network.name:l*\"},\"id\":\"da1046f0-faa0-11e6-86b1-cd7735ff7e23\",\"index_pattern\":\"*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"da1046f1-faa0-11e6-86b1-cd7735ff7e23\",\"label\":\"Inbound \",\"line_width\":\"0\",\"metrics\":[{\"field\":\"system.network.in.bytes\",\"id\":\"da1046f2-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"max\"},{\"field\":\"da1046f2-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"f41f9280-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"field\":\"f41f9280-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"a87398e0-1b93-11e7-8ada-3df93aab833e\",\"type\":\"positive_only\",\"unit\":\"\"},{\"function\":\"sum\",\"id\":\"2d533df0-2c2d-11e7-be71-3162da85303f\",\"type\":\"series_agg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(250,40,255,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"fbbd5720-faa0-11e6-86b1-cd7735ff7e23\",\"label\":\"Outbound 
\",\"line_width\":\"0\",\"metrics\":[{\"field\":\"system.network.out.bytes\",\"id\":\"fbbd7e30-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"max\"},{\"field\":\"fbbd7e30-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"fbbd7e31-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"id\":\"17e597a0-faa1-11e6-86b1-cd7735ff7e23\",\"script\":\"params.rate != null \\u0026\\u0026 params.rate \\u003e 0 ? params.rate * -1 : null\",\"type\":\"calculation\",\"variables\":[{\"field\":\"fbbd7e31-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"1940bad0-faa1-11e6-86b1-cd7735ff7e23\",\"name\":\"rate\"}]},{\"function\":\"sum\",\"id\":\"533da9b0-2c2d-11e7-be71-3162da85303f\",\"type\":\"series_agg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"Mericbeat: Network Traffic (Bytes)\",\"type\":\"metrics\"}" - }, - "id": "system-089b85d0-1b16-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-0cb2d940-bcde-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.7/kibana/visualization/system-0cb2d940-bcde-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index d721026177..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-0cb2d940-bcde-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4725\"},\"type\":\"phrase\",\"value\":\"4725\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4725\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Disabled - Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Disabled Users\",\"field\":\"user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Disabled - Simple Metric [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-0cb2d940-bcde-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": 
"visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-0f2f5280-feeb-11e9-8405-516218e3d268.json b/packages/system/0.10.7/kibana/visualization/system-0f2f5280-feeb-11e9-8405-516218e3d268.json deleted file mode 100644 index 2607f8fd31..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-0f2f5280-feeb-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4799\"},\"type\":\"phrase\",\"value\":\"4799\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4799\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Group Membership Enumeration - Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Group Membership Enumerated\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Blues\",\"colorsRange\":[{\"from\":0,\"to\":500,\"type\":\"range\"},{\"from\":500,\"to\":20000},{\"from\":20000,\"to\":30000},{\"from\":30000,\"to\":40000}],\"invertColors\":true,\"labels\":{\"show\":true},\"metricColorMode\":\"Labels\",\"percentageMode\":false,\"style\":{\"bgColor\":true,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Group Membership Enumeration - Simple Metric [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-0f2f5280-feeb-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-102efd20-bcdd-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.7/kibana/visualization/system-102efd20-bcdd-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index d4b26791e8..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-102efd20-bcdd-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4720\"},\"type\":\"phrase\",\"value\":\"4720\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4720\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Created - Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Users Created\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Created - Simple Metric [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-102efd20-bcdd-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at 
end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-117f5a30-9b71-11ea-87e4-49f31ec44891.json b/packages/system/0.10.7/kibana/visualization/system-117f5a30-9b71-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 1ac0ee1d9e..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-117f5a30-9b71-11ea-87e4-49f31ec44891.json +++ /dev/null @@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Target Users [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Target Users [Windows Security]\",\"type\":\"tagcloud\"}" - }, - "id": "windows-117f5a30-9b71-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-12667040-fa80-11e6-a1df-a78bd7504d38.json b/packages/system/0.10.7/kibana/visualization/system-12667040-fa80-11e6-a1df-a78bd7504d38.json deleted file mode 100644 index 8c5d8b0366..0000000000 
--- a/packages/system/0.10.7/kibana/visualization/system-12667040-fa80-11e6-a1df-a78bd7504d38.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New groups [Logs System]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"group.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"group.id\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"New groups\",\"type\":\"table\"}" - }, - "id": "system-12667040-fa80-11e6-a1df-a78bd7504d38", - "references": [ - { - "id": "system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-162d7ab0-a7d6-11e9-a422-d144027429da.json b/packages/system/0.10.7/kibana/visualization/system-162d7ab0-a7d6-11e9-a422-d144027429da.json deleted file mode 100644 index b83be92e3b..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-162d7ab0-a7d6-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Logon Successful - Logon Failed Timeline [Windows Security]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Login Failed\":\"#F9934E\",\"Login OK\":\"#9AC48A\",\"Logon Failed\":\"#EF843C\",\"Logon Successful\":\"#9AC48A\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"2020-05-17T09:37:55.995Z\",\"to\":\"2020-05-22T03:09:27.260Z\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"filters\":[{\"input\":{\"language\":\"lucene\",\"query\":\"event.code: 4624\"},\"label\":\"Logon Successful\"},{\"input\":{\"language\":\"lucene\",\"query\":\"event.code: 4625\"},\"label\":\"Logon 
Failed\"}]},\"schema\":\"group\",\"type\":\"filters\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"dimensions\":{\"series\":[{\"accessor\":1,\"aggType\":\"filters\",\"format\":{},\"params\":{}}],\"x\":{\"accessor\":0,\"aggType\":\"date_histogram\",\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"HH:mm\"}},\"params\":{\"bounds\":{\"max\":\"2019-07-16T14:30:11.515Z\",\"min\":\"2019-07-16T12:30:11.514Z\"},\"date\":true,\"format\":\"HH:mm\",\"interval\":\"PT1M\"}},\"y\":[{\"accessor\":2,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"bottom\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Logon Successful - Logon Failed Timeline [Windows Security]\",\"type\":\"histogram\"}" - }, - "id": "windows-162d7ab0-a7d6-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-175a5760-a7d5-11e9-a422-d144027429da.json b/packages/system/0.10.7/kibana/visualization/system-175a5760-a7d5-11e9-a422-d144027429da.json deleted file mode 100644 index 7c02fda777..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-175a5760-a7d5-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Logon Successful vs Failed [Windows Security]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Failed Logins\":\"#EF843C\",\"Failed Logons\":\"#EA6460\",\"Successful Login\":\"#B7DBAB\",\"Successful Logon\":\"#B7DBAB\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"filters\":[{\"input\":{\"language\":\"lucene\",\"query\":\"event.code: 4624\"},\"label\":\"Successful Logon\"},{\"input\":{\"language\":\"lucene\",\"query\":\"event.code: 4625\"},\"label\":\"Failed Logons\"}]},\"schema\":\"segment\",\"type\":\"filters\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"filters\",\"format\":{},\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}},\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"bottom\",\"type\":\"pie\"},\"title\":\"Logon Successful vs Failed [Windows Security]\",\"type\":\"pie\"}" - }, - "id": "windows-175a5760-a7d5-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - 
], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-18348f30-a24d-11e9-a422-d144027429da.json b/packages/system/0.10.7/kibana/visualization/system-18348f30-a24d-11e9-a422-d144027429da.json deleted file mode 100644 index cbb90ccefd..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-18348f30-a24d-11e9-a422-d144027429da.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "User Logon Dashboard [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":10,\"markdown\":\"## **Logon Information Dashboard**\",\"openLinksInNewTab\":false},\"title\":\"User Logon Dashboard [Windows Security]\",\"type\":\"markdown\"}" - }, - "id": "windows-18348f30-a24d-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-19e123b0-4d5a-11e7-aee5-fdc812cc3bec.json b/packages/system/0.10.7/kibana/visualization/system-19e123b0-4d5a-11e7-aee5-fdc812cc3bec.json deleted file mode 100644 index dfaa630e4a..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-19e123b0-4d5a-11e7-aee5-fdc812cc3bec.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Swap usage [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.memory\\\"\"},\"gauge_color_rules\":[{\"gauge\":\"rgba(104,188,0,1)\",\"id\":\"d17c1e90-4d59-11e7-aee5-fdc812cc3bec\",\"operator\":\"gte\",\"value\":0},{\"gauge\":\"rgba(251,158,0,1)\",\"id\":\"fc1d3490-4d59-11e7-aee5-fdc812cc3bec\",\"operator\":\"gte\",\"value\":0.7},{\"gauge\":\"rgba(211,49,21,1)\",\"id\":\"0e204240-4d5a-11e7-aee5-fdc812cc3bec\",\"operator\":\"gte\",\"value\":0.85}],\"gauge_inner_width\":10,\"gauge_max\":\"\",\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"cee2fd20-4d59-11e7-aee5-fdc812cc3bec\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"cee2fd21-4d59-11e7-aee5-fdc812cc3bec\",\"label\":\"Swap usage\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.swap.used.pct\",\"id\":\"cee2fd22-4d59-11e7-aee5-fdc812cc3bec\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\"},\"title\":\"Swap usage [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-19e123b0-4d5a-11e7-aee5-fdc812cc3bec", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.7/kibana/visualization/system-1aae9140-1b93-11e7-8ada-3df93aab833e.json b/packages/system/0.10.7/kibana/visualization/system-1aae9140-1b93-11e7-8ada-3df93aab833e.json deleted file mode 100644 index 1c420ec4c8..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-1aae9140-1b93-11e7-8ada-3df93aab833e.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Outbound Traffic [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"0e346760-1b92-11e7-bec4-a5e9ec5cab8b\"}],\"filter\":{\"language\":\"lucene\",\"query\":\"-system.network.name:l*\"},\"id\":\"0c761590-1b92-11e7-bec4-a5e9ec5cab8b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"0c761591-1b92-11e7-bec4-a5e9ec5cab8b\",\"label\":\"Outbound Traffic\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.out.bytes\",\"id\":\"0c761592-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"max\"},{\"field\":\"0c761592-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"1d659060-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"field\":\"1d659060-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"f2074f70-1b92-11e7-a416-41f5ccdba2e6\",\"type\":\"positive_only\",\"unit\":\"\"},{\"function\":\"sum\",\"id\":\"a1737470-2c55-11e7-a0ad-277ce466684d\",\"type\":\"series_agg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"37f70440-1b92-11e7-bec4-a5e9ec5cab8b\",\"label\":\"Total 
Transferred\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.out.bytes\",\"id\":\"37f72b50-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"max\"},{\"field\":\"37f72b50-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"37f72b51-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"derivative\",\"unit\":\"\"},{\"field\":\"37f72b51-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"f9da2dd0-1b92-11e7-a416-41f5ccdba2e6\",\"type\":\"positive_only\",\"unit\":\"\"},{\"field\":\"f9da2dd0-1b92-11e7-a416-41f5ccdba2e6\",\"function\":\"overall_sum\",\"id\":\"3e63c2f0-1b92-11e7-bec4-a5e9ec5cab8b\",\"sigma\":\"\",\"type\":\"series_agg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"metric\"},\"title\":\"Outbound Traffic [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-1aae9140-1b93-11e7-8ada-3df93aab833e", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-1b5f17d0-feea-11e9-8405-516218e3d268.json b/packages/system/0.10.7/kibana/visualization/system-1b5f17d0-feea-11e9-8405-516218e3d268.json deleted file mode 100644 index d575a008f4..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-1b5f17d0-feea-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4733\",\"4729\",\"4757\",\"4786\",\"4788\",\"4752\",\"4762\",\"4747\"],\"type\":\"phrases\",\"value\":\"4733, 4729, 4757, 4786, 4788, 4752, 4762, 4747\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4733\"}},{\"match_phrase\":{\"event.code\":\"4729\"}},{\"match_phrase\":{\"event.code\":\"4757\"}},{\"match_phrase\":{\"event.code\":\"4786\"}},{\"match_phrase\":{\"event.code\":\"4788\"}},{\"match_phrase\":{\"event.code\":\"4752\"}},{\"match_phrase\":{\"event.code\":\"4762\"}},{\"match_phrase\":{\"event.code\":\"4747\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Removed from Group - Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Users Removed from 
Groups\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Greens\",\"colorsRange\":[{\"from\":0,\"to\":1,\"type\":\"range\"},{\"from\":1,\"to\":5},{\"from\":5,\"to\":9},{\"from\":9,\"to\":13},{\"from\":13,\"to\":17},{\"from\":17,\"to\":20000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"Labels\",\"percentageMode\":false,\"style\":{\"bgColor\":true,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Removed from Group - Simple Metric [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-1b5f17d0-feea-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-1b6725f0-ff1d-11e9-8405-516218e3d268.json b/packages/system/0.10.7/kibana/visualization/system-1b6725f0-ff1d-11e9-8405-516218e3d268.json deleted file mode 100644 index d295f417c9..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-1b6725f0-ff1d-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Unlocks - TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(116,167,167,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4767\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Unlocks\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Unlocks - TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-1b6725f0-ff1d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.7/kibana/visualization/system-1f271bc0-231a-11ea-8405-516218e3d268.json b/packages/system/0.10.7/kibana/visualization/system-1f271bc0-231a-11ea-8405-516218e3d268.json deleted file mode 100644 index ff552a8f5c..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-1f271bc0-231a-11ea-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Renamed TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(110,139,162,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4781\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Renamed\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Renamed TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-1f271bc0-231a-11ea-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.7/kibana/visualization/system-2084e300-a884-11e9-a422-d144027429da.json b/packages/system/0.10.7/kibana/visualization/system-2084e300-a884-11e9-a422-d144027429da.json deleted file mode 100644 index 230afd3533..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-2084e300-a884-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4625\"},\"type\":\"phrase\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4625\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Logon Failed Source IP [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"type\":\"vis_dimension\"},\"maxFontSize\":38,\"metric\":{\"accessor\":1,\"format\":{\"id\":\"string\",\"params\":{}},\"type\":\"vis_dimension\"},\"minFontSize\":10,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Logon Failed Source IP [Windows Security]\",\"type\":\"tagcloud\"}" - }, - "id": "windows-2084e300-a884-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-21aadac0-9c0b-11ea-87e4-49f31ec44891.json b/packages/system/0.10.7/kibana/visualization/system-21aadac0-9c0b-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 1e26540902..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-21aadac0-9c0b-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security \"}}" - }, - "savedSearchRefName": "search_0", - "title": "Logon Sources [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Logon Sources [Windows Security]\",\"type\":\"tagcloud\"}" - }, - "id": "windows-21aadac0-9c0b-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-7e178c80-fee1-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-25f31ee0-9c23-11ea-87e4-49f31ec44891.json b/packages/system/0.10.7/kibana/visualization/system-25f31ee0-9c23-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 53261fc01c..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-25f31ee0-9c23-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4648\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"4648\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Logon with Explicit Credentials [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"user.name\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":200},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"subjectUserName\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"source.ip\",\"field\":\"source.ip\",\"json\":\"{\\\"missing\\\": 
\\\"::\\\"}\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Logon with Explicit Credentials [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-25f31ee0-9c23-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-26732e20-1b91-11e7-bec4-a5e9ec5cab8b.json b/packages/system/0.10.7/kibana/visualization/system-26732e20-1b91-11e7-bec4-a5e9ec5cab8b.json deleted file mode 100644 index 2ca5154a30..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-26732e20-1b91-11e7-bec4-a5e9ec5cab8b.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Load Gauge [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"feefabd0-1b90-11e7-bec4-a5e9ec5cab8b\"}],\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.load\\\" \"},\"gauge_color_rules\":[{\"id\":\"ffd94880-1b90-11e7-bec4-a5e9ec5cab8b\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"fdcc6180-1b90-11e7-bec4-a5e9ec5cab8b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"fdcc6181-1b90-11e7-bec4-a5e9ec5cab8b\",\"label\":\"5m Load\",\"line_width\":1,\"metrics\":[{\"field\":\"system.load.5\",\"id\":\"fdcc6182-1b90-11e7-bec4-a5e9ec5cab8b\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\"},\"title\":\"Load Gauge [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-26732e20-1b91-11e7-bec4-a5e9ec5cab8b", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-26877510-9b72-11ea-87e4-49f31ec44891.json b/packages/system/0.10.7/kibana/visualization/system-26877510-9b72-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 8068877b7c..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-26877510-9b72-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "User Management Actions [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"User Management Actions [Windows Security]\",\"type\":\"pie\"}" - }, - "id": "windows-26877510-9b72-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-2c71e0f0-9c0d-11ea-87e4-49f31ec44891.json b/packages/system/0.10.7/kibana/visualization/system-2c71e0f0-9c0d-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 49a69c673c..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-2c71e0f0-9c0d-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4624\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"4624\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Logons Simple [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Logons\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"aggType\":\"cardinality\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Logons Simple [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-2c71e0f0-9c0d-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.7/kibana/visualization/system-2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.7/kibana/visualization/system-2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 8811d2fcc5..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "User Management Events - Description [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":10,\"markdown\":\"# **User Management Events**\\n\\n#### This dashboard shows information about User Management Events collected by winlogbeat\\n\",\"openLinksInNewTab\":false},\"title\":\"User Management Events - Description [Windows Security]\",\"type\":\"markdown\"}" - }, - "id": "windows-2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-2e224660-1b19-11e7-b09e-037021c4f8df.json b/packages/system/0.10.7/kibana/visualization/system-2e224660-1b19-11e7-b09e-037021c4f8df.json deleted file mode 100644 index 75186de954..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-2e224660-1b19-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Processes By Memory [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"bar_color\":\"rgba(104,188,0,1)\",\"id\":\"efb9b660-1b18-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0},{\"bar_color\":\"rgba(254,146,0,1)\",\"id\":\"17fcb820-1b19-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.7},{\"bar_color\":\"rgba(211,49,21,1)\",\"id\":\"1dd61070-1b19-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.85}],\"drilldown_url\":\"\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.process\\\" \"},\"id\":\"edfceb30-1b18-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"edfceb31-1b18-11e7-b09e-037021c4f8df\",\"line_width\":1,\"metrics\":[{\"field\":\"system.process.memory.rss.pct\",\"id\":\"edfceb32-1b18-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"process.name\",\"terms_order_by\":\"edfceb32-1b18-11e7-b09e-037021c4f8df\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Processes By Memory [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-2e224660-1b19-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.7/kibana/visualization/system-327417e0-8462-11e7-bab8-bd2f0fb42c54.json b/packages/system/0.10.7/kibana/visualization/system-327417e0-8462-11e7-bab8-bd2f0fb42c54.json deleted file mode 100644 index 464f6c729c..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-327417e0-8462-11e7-bab8-bd2f0fb42c54.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Dashboards [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"[Syslog](#/dashboard/system-Filebeat-syslog-dashboard) | [Sudo commands](#/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a) | [SSH logins](#/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a) | [New users and groups](#/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab)\"},\"title\":\"Dashboards [Logs System]\",\"type\":\"markdown\"}" - }, - "id": "system-327417e0-8462-11e7-bab8-bd2f0fb42c54", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-33462600-9b47-11ea-87e4-49f31ec44891.json b/packages/system/0.10.7/kibana/visualization/system-33462600-9b47-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 05c35d70aa..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-33462600-9b47-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Group Management Events - Event Actions - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"event.action\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"event.code\",\"field\":\"event.code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Group Management Events - Event Actions - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-33462600-9b47-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.7/kibana/visualization/system-341ffe70-f9ce-11e6-8115-a7c18106d86a.json b/packages/system/0.10.7/kibana/visualization/system-341ffe70-f9ce-11e6-8115-a7c18106d86a.json deleted file mode 100644 index f155739938..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-341ffe70-f9ce-11e6-8115-a7c18106d86a.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.ssh.event:Failed OR system.auth.ssh.event:Invalid\"}}" - }, - "title": "SSH users of failed login attempts [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"scale\":\"linear\"},\"title\":\"SSH users of failed login attempts\",\"type\":\"tagcloud\"}" - }, - "id": "system-341ffe70-f9ce-11e6-8115-a7c18106d86a", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-346bb290-fa80-11e6-a1df-a78bd7504d38.json b/packages/system/0.10.7/kibana/visualization/system-346bb290-fa80-11e6-a1df-a78bd7504d38.json deleted file mode 100644 index 0ad2f78f65..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-346bb290-fa80-11e6-a1df-a78bd7504d38.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New groups over time [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"group.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"bottom\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"New groups over time\",\"type\":\"histogram\"}" - }, - "id": "system-346bb290-fa80-11e6-a1df-a78bd7504d38", - "references": [ - { - "id": "system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-34f97ee0-1b96-11e7-8ada-3df93aab833e.json b/packages/system/0.10.7/kibana/visualization/system-34f97ee0-1b96-11e7-8ada-3df93aab833e.json deleted file mode 100644 index 89d9b0fae2..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-34f97ee0-1b96-11e7-8ada-3df93aab833e.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Disk Usage [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"bar_color_rules\":[{\"bar_color\":\"rgba(104,188,0,1)\",\"id\":\"bf525310-1b95-11e7-8ada-3df93aab833e\",\"operator\":\"gte\",\"value\":0},{\"bar_color\":\"rgba(254,146,0,1)\",\"id\":\"125fc4c0-1b96-11e7-8ada-3df93aab833e\",\"operator\":\"gte\",\"value\":0.7},{\"bar_color\":\"rgba(211,49,21,1)\",\"id\":\"1a5c7240-1b96-11e7-8ada-3df93aab833e\",\"operator\":\"gte\",\"value\":0.85}],\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"drilldown_url\":\"\",\"filter\":{\"language\":\"lucene\",\"query\":\"-system.filesystem.mount_point:\\\\/run* AND -system.filesystem.mount_point:\\\\/sys* AND -system.filesystem.mount_point:\\\\/dev* AND -system.filesystem.mount_point:\\\\/proc* AND -system.filesystem.mount_point:\\\\/var* AND 
-system.filesystem.mount_point:\\\\/boot\"},\"id\":\"9f7e48a0-1b95-11e7-8ada-3df93aab833e\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"9f7e48a1-1b95-11e7-8ada-3df93aab833e\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"system.filesystem.used.pct\",\"id\":\"9f7e48a2-1b95-11e7-8ada-3df93aab833e\",\"order\":\"desc\",\"order_by\":\"@timestamp\",\"size\":1,\"type\":\"top_hit\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.filesystem.mount_point\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"top_n\"},\"title\":\"Disk Usage [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-34f97ee0-1b96-11e7-8ada-3df93aab833e", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-3cec3eb0-f9d3-11e6-8a3e-2b904044ea1d.json b/packages/system/0.10.7/kibana/visualization/system-3cec3eb0-f9d3-11e6-8a3e-2b904044ea1d.json deleted file mode 100644 index c9e1455d68..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-3cec3eb0-f9d3-11e6-8a3e-2b904044ea1d.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.ssh.event:Failed OR system.auth.ssh.event:Invalid\"}}" - }, - "title": "SSH failed login attempts source locations [Logs System]", - "uiStateJSON": "{\"mapCenter\":[17.602139123350838,69.697265625],\"mapZoom\":2}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"autoPrecision\":true,\"field\":\"source.geo.location\",\"precision\":2},\"schema\":\"segment\",\"type\":\"geohash_grid\"}],\"listeners\":{},\"params\":{\"addTooltip\":true,\"heatBlur\":15,\"heatMaxZoom\":16,\"heatMinOpacity\":0.1,\"heatNormalizeData\":true,\"heatRadius\":25,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[15,5],\"mapType\":\"Shaded Circle Markers\",\"mapZoom\":2,\"wms\":{\"enabled\":false,\"options\":{\"attribution\":\"Maps provided by USGS\",\"format\":\"image/png\",\"layers\":\"0\",\"styles\":\"\",\"transparent\":true,\"version\":\"1.3.0\"},\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\"}},\"title\":\"SSH failed login attempts source locations\",\"type\":\"tile_map\"}" - }, - "id": "system-3cec3eb0-f9d3-11e6-8a3e-2b904044ea1d", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-3d65d450-a9c3-11e7-af20-67db8aecb295.json b/packages/system/0.10.7/kibana/visualization/system-3d65d450-a9c3-11e7-af20-67db8aecb295.json deleted file mode 100644 index 467738abc7..0000000000 
--- a/packages/system/0.10.7/kibana/visualization/system-3d65d450-a9c3-11e7-af20-67db8aecb295.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Tip [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"**TIP:** To select another host, go to the [System Overview](#/dashboard/system-Metrics-system-overview) dashboard and double-click a host name.\"},\"title\":\"Tip [Metrics System]\",\"type\":\"markdown\"}" - }, - "id": "system-3d65d450-a9c3-11e7-af20-67db8aecb295", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-400b63e0-f49a-11e9-8405-516218e3d268.json b/packages/system/0.10.7/kibana/visualization/system-400b63e0-f49a-11e9-8405-516218e3d268.json deleted file mode 100644 index 6a74b71833..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-400b63e0-f49a-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Groups Changed TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(200,201,197,1)\",\"id\":\"bfcaced0-f419-11e9-928e-8f5fd2b6c66e\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(221,186,64,1)\",\"id\":\"a7d935e0-f497-11e9-928e-8f5fd2b6c66e\",\"operator\":\"gt\",\"value\":0}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code:4735 OR event.code:4737 OR event.code:\\\"4755\\\" OR event.code:\\\"4764\\\" OR event.code:\\\"4750\\\" OR event.code:\\\"4760\\\" OR event.code:\\\"4745\\\" OR event.code:\\\"4784\\\" OR event.code:\\\"4791\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"60d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Groups Changed\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Groups Changed TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-400b63e0-f49a-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.7/kibana/visualization/system-421f0610-af98-11e9-a422-d144027429da.json b/packages/system/0.10.7/kibana/visualization/system-421f0610-af98-11e9-a422-d144027429da.json deleted file mode 100644 index fe60146231..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-421f0610-af98-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4625\"},\"type\":\"phrase\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4625\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Logon Failed Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Time 
Bucket\",\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"h\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"2020-05-17T09:37:55.995Z\",\"to\":\"2020-05-22T03:09:27.260Z\"},\"useNormalizedEsInterval\":true},\"schema\":\"bucket\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"user.name\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"source workstation\",\"field\":\"source.domain\",\"json\":\"{\\\"missing\\\": \\\"N/A\\\"}\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"source.ip\",\"field\":\"source.ip\",\"json\":\"{\\\"missing\\\": 
\\\"::\\\"}\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"event.action\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"winlog.logon.type\",\"field\":\"winlog.logon.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"8\",\"params\":{\"customLabel\":\"winlog.event_data.SubjectUserName\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"date_histogram\",\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD 
HH:mm\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":4,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":5,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":15,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Logon Failed Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-421f0610-af98-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.7/kibana/visualization/system-4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 06b309b087..0000000000 
--- a/packages/system/0.10.7/kibana/visualization/system-4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4740\"},\"type\":\"phrase\",\"value\":\"4740\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4740\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Locked Out - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Locked User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Locked Out - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-4b683ac0-a7d7-11e9-a422-d144027429da.json b/packages/system/0.10.7/kibana/visualization/system-4b683ac0-a7d7-11e9-a422-d144027429da.json deleted file mode 100644 index 50bafd8ae0..0000000000 
--- a/packages/system/0.10.7/kibana/visualization/system-4b683ac0-a7d7-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4625\"],\"type\":\"phrases\",\"value\":\"4625\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4625\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Failed Logon HeatMap [Windows Security]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 4\":\"rgb(255,255,204)\",\"12 - 16\":\"rgb(252,91,46)\",\"16 - 20\":\"rgb(212,16,32)\",\"4 - 8\":\"rgb(254,225,135)\",\"8 - 12\":\"rgb(254,171,73)\"}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"drop_partials\":true,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"h\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"2020-05-17T09:37:55.995Z\",\"to\":\"2020-05-22T03:09:27.260Z\"},\"useNormalizedEsInterval\":true},\"schema\":\"group\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTooltip\":false,\"colorSchema\":\"Yellow to Red\",\"colorsNumber\":5,\"colorsRange\":[],\"dimensions\":{\"series\":[{\"accessor\":1,\"aggType\":\"date_histogram\",\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD HH:mm\"}},\"label\":\"@timestamp per hour\",\"params\":{}}],\"x\":{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"label\":\"user.name: Descending\",\"params\":{}},\"y\":[{\"accessor\":2,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}}]},\"enableHover\":true,\"invertColors\":false,\"legendPosition\":\"bottom\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"type\":\"heatmap\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"black\",\"overwriteColor\":false,\"rotate\":0,\"show\":true},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Failed Logon HeatMap [Windows Security]\",\"type\":\"heatmap\"}" - }, - "id": 
"windows-4b683ac0-a7d7-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-4bedf650-9ffd-11ea-87e4-49f31ec44891.json b/packages/system/0.10.7/kibana/visualization/system-4bedf650-9ffd-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 0ac18784c2..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-4bedf650-9ffd-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4625\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"4625\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": " Failed Logons [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Failed Logons\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\" Failed Logons [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-4bedf650-9ffd-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" 
- }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-4d546850-1b15-11e7-b09e-037021c4f8df.json b/packages/system/0.10.7/kibana/visualization/system-4d546850-1b15-11e7-b09e-037021c4f8df.json deleted file mode 100644 index cd04472792..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-4d546850-1b15-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "System Load [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.load\\\"\"},\"id\":\"f6264ad0-1b14-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(115,216,255,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"f62671e0-1b14-11e7-b09e-037021c4f8df\",\"label\":\"1m\",\"line_width\":\"3\",\"metrics\":[{\"field\":\"system.load.1\",\"id\":\"f62671e1-1b14-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"1c324850-1b15-11e7-b09e-037021c4f8df\",\"label\":\"5m\",\"line_width\":\"3\",\"metrics\":[{\"field\":\"system.load.5\",\"id\":\"1c324851-1b15-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,98,177,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"3287e740-1b15-11e7-b09e-037021c4f8df\",\"label\":\"15m\",\"line_width\":\"3\",\"metrics\":[{\"field\":\"system.load.15\",\"id\":\"32880e50-1b15-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"
title\":\"System Load [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-4d546850-1b15-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-4e4bb1e0-1b1b-11e7-b09e-037021c4f8df.json b/packages/system/0.10.7/kibana/visualization/system-4e4bb1e0-1b1b-11e7-b09e-037021c4f8df.json deleted file mode 100644 index 4bdb84e270..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-4e4bb1e0-1b1b-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Disk IO (Bytes) [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.diskio\\\"\"},\"id\":\"d3c67db0-1b1a-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(22,165,165,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"d3c67db1-1b1a-11e7-b09e-037021c4f8df\",\"label\":\"reads\",\"line_width\":1,\"metrics\":[{\"field\":\"system.diskio.read.bytes\",\"id\":\"d3c67db2-1b1a-11e7-b09e-037021c4f8df\",\"type\":\"max\"},{\"field\":\"d3c67db2-1b1a-11e7-b09e-037021c4f8df\",\"id\":\"f55b9910-1b1a-11e7-b09e-037021c4f8df\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"field\":\"f55b9910-1b1a-11e7-b09e-037021c4f8df\",\"id\":\"dcbbb100-1b93-11e7-8ada-3df93aab833e\",\"type\":\"positive_only\",\"unit\":\"\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"value_template\":\"{{value}}/s\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(251,158,0,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"144124d0-1b1b-11e7-b09e-037021c4f8df\",\"label\":\"writes\",\"line_width\":1,\"metrics\":[{\"field\":\"system.diskio.write.bytes\",\"id\":\"144124d1-1b1b-11e7-b09e-037021c4f8df\",\"type\":\"max\"},{\"field\":\"144124d1-1b1b-11e7-b09e-037021c4f8df\",\"id\":\"144124d2-1b1b-11e7-b09e-037021c4f8df\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"id\":\"144124d4-1b1b-11e7-b09e-037021c4f8df\",\"script\":\"params.rate \\u003e 0 ? 
params.rate * -1 : 0\",\"type\":\"calculation\",\"variables\":[{\"field\":\"144124d2-1b1b-11e7-b09e-037021c4f8df\",\"id\":\"144124d3-1b1b-11e7-b09e-037021c4f8df\",\"name\":\"rate\"}]}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"value_template\":\"{{value}}/s\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"Disk IO (Bytes) [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-4e4bb1e0-1b1b-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-51164310-fa2b-11e6-bbd3-29c986c96e5a.json b/packages/system/0.10.7/kibana/visualization/system-51164310-fa2b-11e6-bbd3-29c986c96e5a.json deleted file mode 100644 index efa1f752dd..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-51164310-fa2b-11e6-bbd3-29c986c96e5a.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.sudo.error:*\"}}" - }, - "title": "Sudo errors [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"system.auth.sudo.error\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"Sudo errors\",\"type\":\"histogram\"}" - }, - "id": "system-51164310-fa2b-11e6-bbd3-29c986c96e5a", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b.json b/packages/system/0.10.7/kibana/visualization/system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b.json deleted file mode 100644 index bd07f29ec0..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Inbound Traffic [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"0e346760-1b92-11e7-bec4-a5e9ec5cab8b\"}],\"filter\":{\"language\":\"lucene\",\"query\":\"-system.network.name:l*\"},\"id\":\"0c761590-1b92-11e7-bec4-a5e9ec5cab8b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"0c761591-1b92-11e7-bec4-a5e9ec5cab8b\",\"label\":\"Inbound Traffic\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.in.bytes\",\"id\":\"0c761592-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"max\"},{\"field\":\"0c761592-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"1d659060-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"field\":\"1d659060-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"f2074f70-1b92-11e7-a416-41f5ccdba2e6\",\"type\":\"positive_only\",\"unit\":\"\"},{\"function\":\"sum\",\"id\":\"c40e18f0-2c55-11e7-a0ad-277ce466684d\",\"type\":\"series_agg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"37f70440-1b92-11e7-bec4-a5e9ec5cab8b\",\"label\":\"Total 
Transferred\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.in.bytes\",\"id\":\"37f72b50-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"max\"},{\"field\":\"37f72b50-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"37f72b51-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"derivative\",\"unit\":\"\"},{\"field\":\"37f72b51-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"f9da2dd0-1b92-11e7-a416-41f5ccdba2e6\",\"type\":\"positive_only\",\"unit\":\"\"},{\"field\":\"f9da2dd0-1b92-11e7-a416-41f5ccdba2e6\",\"function\":\"overall_sum\",\"id\":\"3e63c2f0-1b92-11e7-bec4-a5e9ec5cab8b\",\"sigma\":\"\",\"type\":\"series_agg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"metric\"},\"title\":\"Inbound Traffic [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-546febc0-f49b-11e9-8405-516218e3d268.json b/packages/system/0.10.7/kibana/visualization/system-546febc0-f49b-11e9-8405-516218e3d268.json deleted file mode 100644 index 2a4dc48ec0..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-546febc0-f49b-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Groups Enumeration - TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(128,128,128,1)\",\"color\":\"rgba(179,179,179,1)\",\"id\":\"bfcaced0-f419-11e9-928e-8f5fd2b6c66e\",\"operator\":\"gt\",\"value\":0},{\"background_color\":\"rgba(179,179,179,1)\",\"id\":\"8d3f3ed0-9b51-11ea-99a1-e5b989979a59\",\"operator\":\"lte\",\"value\":0}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code:4799\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Group Membership Enumeration\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Groups Enumeration - TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-546febc0-f49b-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.7/kibana/visualization/system-568a8130-bcde-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.7/kibana/visualization/system-568a8130-bcde-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 3498928704..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-568a8130-bcde-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4723\",\"4724\"],\"type\":\"phrases\",\"value\":\"4723, 4724\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4723\"}},{\"match_phrase\":{\"event.code\":\"4724\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Password Reset / Changes [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Password Changes\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Password Reset / Changes [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-568a8130-bcde-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-58fb9480-9b46-11ea-87e4-49f31ec44891.json b/packages/system/0.10.7/kibana/visualization/system-58fb9480-9b46-11ea-87e4-49f31ec44891.json deleted file mode 100644 index b1739398cc..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-58fb9480-9b46-11ea-87e4-49f31ec44891.json +++ /dev/null @@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Group Management Events - Target Groups - Tag Cloud [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"maxFontSize\":58,\"minFontSize\":18,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Group Management Events - Target Groups - Tag Cloud [Windows Security]\",\"type\":\"tagcloud\"}" - }, - "id": "windows-58fb9480-9b46-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.7/kibana/visualization/system-590a60f0-5d87-11e7-8884-1bb4c3b890e4.json b/packages/system/0.10.7/kibana/visualization/system-590a60f0-5d87-11e7-8884-1bb4c3b890e4.json deleted file mode 100644 index e5419418c6..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-590a60f0-5d87-11e7-8884-1bb4c3b890e4.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Number of processes [Metrics System]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Processes\",\"field\":\"process.pid\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.process\\\"\"},\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"type\":\"gauge\"},\"title\":\"Number of processes\",\"type\":\"metric\"}" - }, - "id": "system-590a60f0-5d87-11e7-8884-1bb4c3b890e4", - "references": [ - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-5bb93ed0-a249-11e9-a422-d144027429da.json b/packages/system/0.10.7/kibana/visualization/system-5bb93ed0-a249-11e9-a422-d144027429da.json deleted file mode 100644 index 2b09b957d8..0000000000 
--- a/packages/system/0.10.7/kibana/visualization/system-5bb93ed0-a249-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4672\"},\"type\":\"phrase\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4672\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Admin Logons Simple [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Admin Logons\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"aggType\":\"cardinality\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Admin Logons Simple [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-5bb93ed0-a249-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.7/kibana/visualization/system-5c7af030-fa2a-11e6-bbd3-29c986c96e5a.json b/packages/system/0.10.7/kibana/visualization/system-5c7af030-fa2a-11e6-bbd3-29c986c96e5a.json deleted file mode 100644 index 112d3d6530..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-5c7af030-fa2a-11e6-bbd3-29c986c96e5a.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Sudo commands by user [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"Sudo commands by user\",\"type\":\"histogram\"}" - }, - "id": "system-5c7af030-fa2a-11e6-bbd3-29c986c96e5a", - "references": [ - { - "id": "system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-5c9ee410-9b74-11ea-87e4-49f31ec44891.json b/packages/system/0.10.7/kibana/visualization/system-5c9ee410-9b74-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 1b31f70efd..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-5c9ee410-9b74-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "User Event Actions - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"event.action\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":25},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"event.code\",\"field\":\"event.code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"User Event Actions - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-5c9ee410-9b74-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.7/kibana/visualization/system-5d117970-9ffd-11ea-87e4-49f31ec44891.json b/packages/system/0.10.7/kibana/visualization/system-5d117970-9ffd-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 22ace52597..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-5d117970-9ffd-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4740\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"4740\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Blocked Accounts [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Blocked Accounts\",\"field\":\"user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Blocked Accounts [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-5d117970-9ffd-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.7/kibana/visualization/system-5d92b100-bce8-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.7/kibana/visualization/system-5d92b100-bce8-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index e51a4f6c2d..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-5d92b100-bce8-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4738\"],\"type\":\"phrases\",\"value\":\"4738\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4738\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Changes - Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Changes in Users\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Changes - Simple Metric [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-5d92b100-bce8-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": 
"visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-5dd15c00-fa78-11e6-ae9b-81e5311e8cab.json b/packages/system/0.10.7/kibana/visualization/system-5dd15c00-fa78-11e6-ae9b-81e5311e8cab.json deleted file mode 100644 index bc04c92dd4..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-5dd15c00-fa78-11e6-ae9b-81e5311e8cab.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New users over time [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"bottom\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"New users over time\",\"type\":\"histogram\"}" - }, - "id": "system-5dd15c00-fa78-11e6-ae9b-81e5311e8cab", - "references": [ - { - "id": "system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-5e19ff80-231c-11ea-8405-516218e3d268.json b/packages/system/0.10.7/kibana/visualization/system-5e19ff80-231c-11ea-8405-516218e3d268.json deleted file mode 100644 index d661b47ed5..0000000000 
--- a/packages/system/0.10.7/kibana/visualization/system-5e19ff80-231c-11ea-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4781\"],\"type\":\"phrases\",\"value\":\"4781\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4781\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Renamed - Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Renamed Users\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Renamed - Simple Metric [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-5e19ff80-231c-11ea-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" 
-} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.7/kibana/visualization/system-5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 038460f8d8..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4720\"},\"type\":\"phrase\",\"value\":\"4720\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4720\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Created - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Created User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Created - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-5eeaafd0-fee7-11e9-8405-516218e3d268.json b/packages/system/0.10.7/kibana/visualization/system-5eeaafd0-fee7-11e9-8405-516218e3d268.json deleted file mode 100644 index e922a79d5a..0000000000 
--- a/packages/system/0.10.7/kibana/visualization/system-5eeaafd0-fee7-11e9-8405-516218e3d268.json
+++ /dev/null
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4734\",\"4730\",\"4758\",\"4748\",\"4763\",\"4753\",\"4792\",\"4789\"],\"type\":\"phrases\",\"value\":\"4734, 4730, 4758, 4748, 4763, 4753, 4792, 4789\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4734\"}},{\"match_phrase\":{\"event.code\":\"4730\"}},{\"match_phrase\":{\"event.code\":\"4758\"}},{\"match_phrase\":{\"event.code\":\"4748\"}},{\"match_phrase\":{\"event.code\":\"4763\"}},{\"match_phrase\":{\"event.code\":\"4753\"}},{\"match_phrase\":{\"event.code\":\"4792\"}},{\"match_phrase\":{\"event.code\":\"4789\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"lucene\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Groups Deleted- Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Groups 
Deleted\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Greens\",\"colorsRange\":[{\"from\":0,\"to\":1,\"type\":\"range\"},{\"from\":1,\"to\":5},{\"from\":5,\"to\":10},{\"from\":10,\"to\":15},{\"from\":15,\"to\":20},{\"from\":20,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"Labels\",\"percentageMode\":false,\"style\":{\"bgColor\":true,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Groups Deleted- Simple Metric [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-5eeaafd0-fee7-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-60301890-ff1d-11e9-8405-516218e3d268.json b/packages/system/0.10.7/kibana/visualization/system-60301890-ff1d-11e9-8405-516218e3d268.json deleted file mode 100644 index 52f84418d2..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-60301890-ff1d-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Password Changes - TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(154,196,198,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4723\\\" OR event.code: \\\"4724\\\"\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Password Changes/Reset\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Password Changes - TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-60301890-ff1d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.7/kibana/visualization/system-6b7b9a40-faa1-11e6-86b1-cd7735ff7e23.json b/packages/system/0.10.7/kibana/visualization/system-6b7b9a40-faa1-11e6-86b1-cd7735ff7e23.json
deleted file mode 100644
index 22a26c29d4..0000000000
--- a/packages/system/0.10.7/kibana/visualization/system-6b7b9a40-faa1-11e6-86b1-cd7735ff7e23.json
+++ /dev/null
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Network Traffic (Packets) [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"lucene\",\"query\":\"-system.network.name:l*\"},\"id\":\"da1046f0-faa0-11e6-86b1-cd7735ff7e23\",\"index_pattern\":\"*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":\"1\",\"formatter\":\"0.[00]a\",\"id\":\"da1046f1-faa0-11e6-86b1-cd7735ff7e23\",\"label\":\"Inbound\",\"line_width\":\"0\",\"metrics\":[{\"field\":\"system.network.in.packets\",\"id\":\"da1046f2-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"max\"},{\"field\":\"da1046f2-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"f41f9280-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"field\":\"f41f9280-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"c0da3d80-1b93-11e7-8ada-3df93aab833e\",\"type\":\"positive_only\",\"unit\":\"\"},{\"function\":\"sum\",\"id\":\"ecaad010-2c2c-11e7-be71-3162da85303f\",\"type\":\"series_agg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(250,40,255,1)\",\"fill\":\"1\",\"formatter\":\"0.[00]a\",\"id\":\"fbbd5720-faa0-11e6-86b1-cd7735ff7e23\",\"label\":\"Outbound\",\"line_width\":\"0\",\"metrics\":[{\"field\":\"system.network.out.packets\",\"id\":\"fbbd7e30-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"max\"},{\"field\":\"fbbd7e30-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"fbbd7e31-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"id\":\"17e597a0-faa1-11e6-86b
1-cd7735ff7e23\",\"script\":\"params.rate != null \\u0026\\u0026 params.rate \\u003e 0 ? params.rate * -1 : null\",\"type\":\"calculation\",\"variables\":[{\"field\":\"fbbd7e31-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"1940bad0-faa1-11e6-86b1-cd7735ff7e23\",\"name\":\"rate\"}]},{\"function\":\"sum\",\"id\":\"fe5fbdc0-2c2c-11e7-be71-3162da85303f\",\"type\":\"series_agg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"Mericbeat: Network Traffic (Packets)\",\"type\":\"metrics\"}" - }, - "id": "system-6b7b9a40-faa1-11e6-86b1-cd7735ff7e23", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-6f0f2ea0-f414-11e9-8405-516218e3d268.json b/packages/system/0.10.7/kibana/visualization/system-6f0f2ea0-f414-11e9-8405-516218e3d268.json deleted file mode 100644 index 477b1f68dc..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-6f0f2ea0-f414-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Group Management Events - Description [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":10,\"markdown\":\"# **Group Management Events**\\n\\n#### This dashboard shows information about Group Management Events collected by winlogbeat\\n\",\"openLinksInNewTab\":false},\"title\":\"Group Management Events - Description [Windows Security]\",\"type\":\"markdown\"}" - }, - "id": "windows-6f0f2ea0-f414-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-729443b0-a7d6-11e9-a422-d144027429da.json b/packages/system/0.10.7/kibana/visualization/system-729443b0-a7d6-11e9-a422-d144027429da.json deleted file mode 100644 index f6b4c60558..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-729443b0-a7d6-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4625\",\"4771\"],\"type\":\"phrases\",\"value\":\"4625, 4771\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4625\"}},{\"match_phrase\":{\"event.code\":\"4771\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Logon Failed Acconts [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"type\":\"vis_dimension\"},\"maxFontSize\":37,\"metric\":{\"accessor\":1,\"format\":{\"id\":\"string\",\"params\":{}},\"type\":\"vis_dimension\"},\"minFontSize\":15,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Logon Failed Acconts [Windows Security]\",\"type\":\"tagcloud\"}" - }, - "id": "windows-729443b0-a7d6-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - 
"references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-7322f9f0-ff1c-11e9-8405-516218e3d268.json b/packages/system/0.10.7/kibana/visualization/system-7322f9f0-ff1c-11e9-8405-516218e3d268.json deleted file mode 100644 index e59b87fe2e..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-7322f9f0-ff1c-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Deleted - TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(228,155,75,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4726\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Deleted\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Deleted - TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-7322f9f0-ff1c-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.7/kibana/visualization/system-78b74f30-f9cd-11e6-8115-a7c18106d86a.json b/packages/system/0.10.7/kibana/visualization/system-78b74f30-f9cd-11e6-8115-a7c18106d86a.json
deleted file mode 100644
index c119c156ea..0000000000
--- a/packages/system/0.10.7/kibana/visualization/system-78b74f30-f9cd-11e6-8115-a7c18106d86a.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
- },
- "title": "SSH login attempts [Logs System]",
- "uiStateJSON": "{\"vis\":{\"colors\":{\"Accepted\":\"#3F6833\",\"Failed\":\"#F9934E\",\"Invalid\":\"#447EBC\"}}}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"system.auth.ssh.event\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"SSH login attempts\",\"type\":\"histogram\"}"
- },
- "id": "system-78b74f30-f9cd-11e6-8115-a7c18106d86a",
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.7/kibana/visualization/system-7a329a00-a7d5-11e9-a422-d144027429da.json b/packages/system/0.10.7/kibana/visualization/system-7a329a00-a7d5-11e9-a422-d144027429da.json
deleted file mode 100644
index 518d5a3d29..0000000000
--- a/packages/system/0.10.7/kibana/visualization/system-7a329a00-a7d5-11e9-a422-d144027429da.json
+++ /dev/null
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4740\"},\"type\":\"phrase\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4740\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security \"}}" - }, - "title": "Blocked Accounts Tag [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"type\":\"vis_dimension\"},\"maxFontSize\":53,\"metric\":{\"accessor\":1,\"format\":{\"id\":\"string\",\"params\":{}},\"type\":\"vis_dimension\"},\"minFontSize\":18,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Blocked Accounts Tag [Windows Security]\",\"type\":\"tagcloud\"}" - }, - "id": "windows-7a329a00-a7d5-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-7cdb1330-4d1a-11e7-a196-69b9a7a020a9.json b/packages/system/0.10.7/kibana/visualization/system-7cdb1330-4d1a-11e7-a196-69b9a7a020a9.json deleted file mode 100644 index e89f3a3690..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-7cdb1330-4d1a-11e7-a196-69b9a7a020a9.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Hosts histogram by CPU usage [Metrics System]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0% - 5%\":\"rgb(247,252,245)\",\"10% - 15%\":\"rgb(116,196,118)\",\"15% - 20%\":\"rgb(35,139,69)\",\"5% - 10%\":\"rgb(199,233,192)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"CPU usage\",\"field\":\"system.cpu.user.pct\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Hosts\",\"field\":\"host.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Greens\",\"colorsNumber\":4,\"colorsRange\":[],\"enableHover\":false,\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.cpu\\\" \"},\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"type\":\"heatmap\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"#555\",\"rotate\":0,\"show\":false},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Hosts histogram by CPU usage [Metrics System]\",\"type\":\"heatmap\"}" - }, - "id": "system-7cdb1330-4d1a-11e7-a196-69b9a7a020a9", - "references": [ - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.7/kibana/visualization/system-7de2e3f0-9b4d-11ea-87e4-49f31ec44891.json b/packages/system/0.10.7/kibana/visualization/system-7de2e3f0-9b4d-11ea-87e4-49f31ec44891.json
deleted file mode 100644
index 3f67d0f479..0000000000
--- a/packages/system/0.10.7/kibana/visualization/system-7de2e3f0-9b4d-11ea-87e4-49f31ec44891.json
+++ /dev/null
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Group Management Action Distribution over Time [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-30d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":25},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false,\"valueAxis\":\"\"},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\"
:100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Group Management Action Distribution over Time [Windows Security]\",\"type\":\"histogram\"}" - }, - "id": "windows-7de2e3f0-9b4d-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-804dd400-a248-11e9-a422-d144027429da.json b/packages/system/0.10.7/kibana/visualization/system-804dd400-a248-11e9-a422-d144027429da.json deleted file mode 100644 index c6609a3868..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-804dd400-a248-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4672\"],\"type\":\"phrases\",\"value\":\"4672\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4672\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Logged on Administrators [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Date\",\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"2020-05-20T07:35:27.496Z\",\"to\":\"2020-05-22T00:01:10.239Z\"},\"useNormalizedEsInterval\":true},\"schema\":\"bucket\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"user.name\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"8\",\"params\":{\"customLabel\":\"# 
Thread\",\"field\":\"winlog.process.thread.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"9\",\"params\":{\"customLabel\":\"LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"date_histogram\",\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD HH:mm\"}},\"label\":\"Fecha - Hora \",\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"label\":\"Usuario\",\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"label\":\"# Thread\",\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"label\":\"winlog.logon.id: Descending\",\"params\":{}}],\"metrics\":[{\"accessor\":4,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Cantidad Eventos 
\",\"params\":{}}]},\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Logged on Administrators [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-804dd400-a248-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32.json b/packages/system/0.10.7/kibana/visualization/system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32.json deleted file mode 100644 index 172b24f43c..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Disk Used [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.fsstat\\\"\"},\"gauge_color_rules\":[{\"gauge\":\"rgba(104,188,0,1)\",\"id\":\"51921d10-4d1d-11e7-b5f2-2b7c1895bf32\",\"operator\":\"gte\",\"value\":0},{\"gauge\":\"rgba(251,158,0,1)\",\"id\":\"f26de750-4d54-11e7-b5f2-2b7c1895bf32\",\"operator\":\"gte\",\"value\":0.7},{\"gauge\":\"rgba(211,49,21,1)\",\"id\":\"fa31d190-4d54-11e7-b5f2-2b7c1895bf32\",\"operator\":\"gte\",\"value\":0.85}],\"gauge_inner_width\":10,\"gauge_max\":\"1\",\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"4e4dc780-4d1d-11e7-b5f2-2b7c1895bf32\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"4e4dee90-4d1d-11e7-b5f2-2b7c1895bf32\",\"label\":\"Disk used\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"system.fsstat.total_size.used\",\"id\":\"4e4dee91-4d1d-11e7-b5f2-2b7c1895bf32\",\"order\":\"desc\",\"order_by\":\"@timestamp\",\"size\":1,\"type\":\"top_hit\"},{\"agg_with\":\"avg\",\"field\":\"system.fsstat.total_size.total\",\"id\":\"57c96ee0-4d54-11e7-b5f2-2b7c1895bf32\",\"order\":\"desc\",\"order_by\":\"@timestamp\",\"size\":1,\"type\":\"top_hit\"},{\"id\":\"6304cca0-4d54-11e7-b5f2-2b7c1895bf32\",\"script\":\"params.used/params.total 
\",\"type\":\"math\",\"variables\":[{\"field\":\"4e4dee91-4d1d-11e7-b5f2-2b7c1895bf32\",\"id\":\"6da10430-4d54-11e7-b5f2-2b7c1895bf32\",\"name\":\"used\"},{\"field\":\"57c96ee0-4d54-11e7-b5f2-2b7c1895bf32\",\"id\":\"73b8c510-4d54-11e7-b5f2-2b7c1895bf32\",\"name\":\"total\"}]}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"gauge\"},\"title\":\"Disk used [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b.json b/packages/system/0.10.7/kibana/visualization/system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b.json deleted file mode 100644 index dc7c7ab1d6..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "CPU Usage Gauge [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.cpu\\\"\"},\"gauge_color_rules\":[{\"gauge\":\"rgba(104,188,0,1)\",\"id\":\"4ef2c3b0-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0},{\"gauge\":\"rgba(254,146,0,1)\",\"id\":\"e6561ae0-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0.7},{\"gauge\":\"rgba(211,49,21,1)\",\"id\":\"ec655040-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0.85}],\"gauge_inner_width\":10,\"gauge_max\":\"1\",\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"4c9e2550-1b91-11e7-bec4-a5e9ec5cab8b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"4c9e2551-1b91-11e7-bec4-a5e9ec5cab8b\",\"label\":\"CPU Usage\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.user.pct\",\"id\":\"4c9e2552-1b91-11e7-bec4-a5e9ec5cab8b\",\"type\":\"avg\"},{\"field\":\"system.cpu.system.pct\",\"id\":\"225c2140-5fd7-11e7-a63a-a937b7c1a7e1\",\"type\":\"avg\"},{\"field\":\"system.cpu.cores\",\"id\":\"837a30c0-5fd7-11e7-a63a-a937b7c1a7e1\",\"type\":\"avg\"},{\"id\":\"587aa510-1b91-11e7-bec4-a5e9ec5cab8b\",\"script\":\"params.n \\u003e 0 ? 
(params.user+params.system)/params.n : null\",\"type\":\"calculation\",\"variables\":[{\"field\":\"4c9e2552-1b91-11e7-bec4-a5e9ec5cab8b\",\"id\":\"5a19af10-1b91-11e7-bec4-a5e9ec5cab8b\",\"name\":\"user\"},{\"field\":\"225c2140-5fd7-11e7-a63a-a937b7c1a7e1\",\"id\":\"32b54f80-5fd7-11e7-a63a-a937b7c1a7e1\",\"name\":\"system\"},{\"field\":\"837a30c0-5fd7-11e7-a63a-a937b7c1a7e1\",\"id\":\"8ba6eef0-5fd7-11e7-a63a-a937b7c1a7e1\",\"name\":\"n\"}]}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\"},\"title\":\"CPU Usage Gauge [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-84502430-bce8-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.7/kibana/visualization/system-84502430-bce8-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index c72f8e5153..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-84502430-bce8-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4740\"],\"type\":\"phrases\",\"value\":\"4740\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4740\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Unlocks - Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Users Locked Out\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Unlocks - Simple Metric [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-84502430-bce8-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": 
"visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-855899e0-1b1c-11e7-b09e-037021c4f8df.json b/packages/system/0.10.7/kibana/visualization/system-855899e0-1b1c-11e7-b09e-037021c4f8df.json deleted file mode 100644 index ae48f968a3..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-855899e0-1b1c-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Top Hosts By CPU (Realtime) [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"bar_color\":\"rgba(104,188,0,1)\",\"id\":\"33349dd0-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0},{\"bar_color\":\"rgba(254,146,0,1)\",\"id\":\"997dc440-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.6},{\"bar_color\":\"rgba(211,49,21,1)\",\"id\":\"a10d7f20-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.85}],\"drilldown_url\":\"../app/kibana#/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8?_a=(query:(language:kuery,query:'host.name:\\\"{{key}}\\\"'))\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.cpu\\\"\"},\"id\":\"31e5afa0-1b1c-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"31e5afa1-1b1c-11e7-b09e-037021c4f8df\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.user.pct\",\"id\":\"31e5afa2-1b1c-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"host.name\",\"terms_order_by\":\"31e5afa2-1b1c-11e7-b09e-037021c4f8df\",\"terms_size\":\"10\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Top Hosts By CPU (Realtime) [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-855899e0-1b1c-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.7/kibana/visualization/system-855957d0-bcdd-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.7/kibana/visualization/system-855957d0-bcdd-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index e3a4bff0ab..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-855957d0-bcdd-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4722\"},\"type\":\"phrase\",\"value\":\"4722\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4722\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Enabled - Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Users Enabled\",\"field\":\"user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Enabled - Simple Metric [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-855957d0-bcdd-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": 
"visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-860706a0-9bfd-11ea-87e4-49f31ec44891.json b/packages/system/0.10.7/kibana/visualization/system-860706a0-9bfd-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 75a6d2bd66..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-860706a0-9bfd-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "User Logons [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"d5bcde50-9bfc-11ea-aaa3-618beeff2d9c\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(7,139,141,1)\",\"id\":\"16018150-9bfd-11ea-aaa3-618beeff2d9c\",\"operator\":\"gte\",\"value\":0}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"filter\":{\"language\":\"kuery\",\"query\":\"((data_stream.dataset:windows.security OR data_stream.dataset:system.security) AND event.code: \\\"4624\\\")\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Logons \",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"User Logons [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-860706a0-9bfd-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.7/kibana/visualization/system-8ef59f90-6ab8-11ea-896f-0d70f7ec3956.json b/packages/system/0.10.7/kibana/visualization/system-8ef59f90-6ab8-11ea-896f-0d70f7ec3956.json deleted file mode 100644 index 144c9f5939..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-8ef59f90-6ab8-11ea-896f-0d70f7ec3956.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Failed Logons TSVB [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(181,99,93,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"((data_stream.dataset:windows.security OR data_stream.dataset:system.security) AND event.code: \\\"4625\\\")\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Failed Logon\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Failed Logons TSVB [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-8ef59f90-6ab8-11ea-896f-0d70f7ec3956", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.7/kibana/visualization/system-8f20c950-bcd4-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.7/kibana/visualization/system-8f20c950-bcd4-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index c21da9bfaa..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-8f20c950-bcd4-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4725\"},\"type\":\"phrase\",\"value\":\"4725\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4725\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Disabled - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Disabled User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Disabled - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-8f20c950-bcd4-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-96976150-4d5d-11e7-aa29-87a97a796de6.json b/packages/system/0.10.7/kibana/visualization/system-96976150-4d5d-11e7-aa29-87a97a796de6.json deleted file mode 100644 index 172bcb8f2c..0000000000 
--- a/packages/system/0.10.7/kibana/visualization/system-96976150-4d5d-11e7-aa29-87a97a796de6.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Packetloss [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"6ba9b1f0-4d5d-11e7-aa29-87a97a796de6\"}],\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.network\\\"\"},\"id\":\"6984af10-4d5d-11e7-aa29-87a97a796de6\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"6984af11-4d5d-11e7-aa29-87a97a796de6\",\"label\":\"In Packetloss\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.in.dropped\",\"id\":\"6984af12-4d5d-11e7-aa29-87a97a796de6\",\"type\":\"max\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"ac2e6b30-4d5d-11e7-aa29-87a97a796de6\",\"label\":\"Out Packetloss\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.out.dropped\",\"id\":\"ac2e6b31-4d5d-11e7-aa29-87a97a796de6\",\"type\":\"max\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"metric\"},\"title\":\"Packetloss [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-96976150-4d5d-11e7-aa29-87a97a796de6", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.7/kibana/visualization/system-97c70300-ff1c-11e9-8405-516218e3d268.json b/packages/system/0.10.7/kibana/visualization/system-97c70300-ff1c-11e9-8405-516218e3d268.json deleted file mode 100644 index d3a0614741..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-97c70300-ff1c-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Disabled - TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(79,147,150,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"((data_stream.dataset:windows.security OR data_stream.dataset:system.security) AND event.code: \\\"4725\\\")\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Disabled\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Disabled - TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-97c70300-ff1c-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.7/kibana/visualization/system-98884120-f49d-11e9-8405-516218e3d268.json b/packages/system/0.10.7/kibana/visualization/system-98884120-f49d-11e9-8405-516218e3d268.json deleted file mode 100644 index 7a0ff70e3a..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-98884120-f49d-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4731\",\"4727\",\"4754\",\"4744\",\"4759\",\"4779\",\"4790\",\"4783\"],\"type\":\"phrases\",\"value\":\"4731, 4727, 4754, 4744, 4759, 4779, 4790, 4783\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4731\"}},{\"match_phrase\":{\"event.code\":\"4727\"}},{\"match_phrase\":{\"event.code\":\"4754\"}},{\"match_phrase\":{\"event.code\":\"4744\"}},{\"match_phrase\":{\"event.code\":\"4759\"}},{\"match_phrase\":{\"event.code\":\"4779\"}},{\"match_phrase\":{\"event.code\":\"4790\"}},{\"match_phrase\":{\"event.code\":\"4783\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Groups Created - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Group\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"group.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Performer 
LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":4,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":5,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Groups Created - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-98884120-f49d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.7/kibana/visualization/system-99381c80-4d60-11e7-9a4c-ed99bbcaa42b.json b/packages/system/0.10.7/kibana/visualization/system-99381c80-4d60-11e7-9a4c-ed99bbcaa42b.json deleted file mode 100644 index 66e166e22e..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-99381c80-4d60-11e7-9a4c-ed99bbcaa42b.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Interfaces by Incoming traffic [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"id\":\"44596d40-4d60-11e7-9a4c-ed99bbcaa42b\"}],\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.network\\\"\"},\"id\":\"42ceae90-4d60-11e7-9a4c-ed99bbcaa42b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"42ced5a0-4d60-11e7-9a4c-ed99bbcaa42b\",\"label\":\"Interfaces by Incoming traffic\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.in.bytes\",\"id\":\"42ced5a1-4d60-11e7-9a4c-ed99bbcaa42b\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"terms_order_by\":\"42ced5a1-4d60-11e7-9a4c-ed99bbcaa42b\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Interfaces by Incoming traffic [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-99381c80-4d60-11e7-9a4c-ed99bbcaa42b", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.7/kibana/visualization/system-9dd22440-ff1d-11e9-8405-516218e3d268.json b/packages/system/0.10.7/kibana/visualization/system-9dd22440-ff1d-11e9-8405-516218e3d268.json deleted file mode 100644 index 8a0a024efd..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-9dd22440-ff1d-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{}"
- },
- "title": "Users locked Out - TSVB Metric [Windows Security]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(102,102,102,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"((data_stream.dataset:windows.security OR data_stream.dataset:system.security) AND event.code: \\\"4740\\\")\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Locked Out\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users locked Out - TSVB Metric [Windows Security]\",\"type\":\"metrics\"}"
- },
- "id": "windows-9dd22440-ff1d-11e9-8405-516218e3d268",
- "migrationVersion": {
- "visualization": "7.10.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.7/kibana/visualization/system-9e534190-f49d-11e9-8405-516218e3d268.json b/packages/system/0.10.7/kibana/visualization/system-9e534190-f49d-11e9-8405-516218e3d268.json
deleted file mode 100644
index ab68123774..0000000000
--- a/packages/system/0.10.7/kibana/visualization/system-9e534190-f49d-11e9-8405-516218e3d268.json
+++ /dev/null
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4735\",\"4737\",\"4755\",\"4750\",\"4760\",\"4745\",\"4791\",\"4784\",\"4764\"],\"type\":\"phrases\",\"value\":\"4735, 4737, 4755, 4750, 4760, 4745, 4791, 4784, 4764\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4735\"}},{\"match_phrase\":{\"event.code\":\"4737\"}},{\"match_phrase\":{\"event.code\":\"4755\"}},{\"match_phrase\":{\"event.code\":\"4750\"}},{\"match_phrase\":{\"event.code\":\"4760\"}},{\"match_phrase\":{\"event.code\":\"4745\"}},{\"match_phrase\":{\"event.code\":\"4791\"}},{\"match_phrase\":{\"event.code\":\"4784\"}},{\"match_phrase\":{\"event.code\":\"4764\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Group Changes - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Group\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"group.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Performer 
LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":4,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":5,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Group Changes - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-9e534190-f49d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.7/kibana/visualization/system-Event-Levels.json b/packages/system/0.10.7/kibana/visualization/system-Event-Levels.json
deleted file mode 100644
index 80ebd07044..0000000000
--- a/packages/system/0.10.7/kibana/visualization/system-Event-Levels.json
+++ /dev/null
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system OR data_stream.dataset:system.application OR data_stream.dataset:system.security OR data_stream.dataset:system.system)\"}}" - }, - "title": "Event Levels [Windows Overview]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Log Levels\",\"field\":\"log.level\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Event Levels [Windows Overview]\",\"type\":\"table\"}" - }, - "id": "windows-Event-Levels", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.7/kibana/visualization/system-Navigation.json b/packages/system/0.10.7/kibana/visualization/system-Navigation.json
deleted file mode 100644
index d996678974..0000000000
--- a/packages/system/0.10.7/kibana/visualization/system-Navigation.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "title": "System Navigation [Metrics System]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"[System Overview](#/dashboard/system-Metrics-system-overview) | [Host Overview](#/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8)\"},\"title\":\"System Navigation [Metrics System]\",\"type\":\"markdown\"}"
- },
- "id": "system-Navigation",
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.7/kibana/visualization/system-Number-of-Events-Over-Time-By-Event-Log.json b/packages/system/0.10.7/kibana/visualization/system-Number-of-Events-Over-Time-By-Event-Log.json
deleted file mode 100644
index cb42f617bc..0000000000
--- a/packages/system/0.10.7/kibana/visualization/system-Number-of-Events-Over-Time-By-Event-Log.json
+++ /dev/null
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system OR data_stream.dataset:system.application OR data_stream.dataset:system.security OR data_stream.dataset:system.system)\"}}" - }, - "title": "Number of Events Over Time By Channel [Windows Overview]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"timeRange\":{\"from\":\"now-15d\",\"mode\":\"relative\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Channel\",\"field\":\"winlog.channel\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":6},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"dimensions\":{\"series\":[{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketL
abel\":\"Other\"}},\"params\":{}}],\"x\":{\"accessor\":0,\"aggType\":\"date_histogram\",\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD HH:mm\"}},\"params\":{\"bounds\":{\"max\":\"2019-02-05T04:30:25.961Z\",\"min\":\"2019-01-21T04:30:25.961Z\"},\"date\":true,\"format\":\"YYYY-MM-DD HH:mm\",\"interval\":43200000}},\"y\":[{\"accessor\":2,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"Number of Events Over Time By Channel [Windows Overview]\",\"type\":\"histogram\"}" - }, - "id": "windows-Number-of-Events-Over-Time-By-Event-Log", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-Number-of-Events.json b/packages/system/0.10.7/kibana/visualization/system-Number-of-Events.json deleted file mode 100644 index 34ecef7340..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-Number-of-Events.json +++ /dev/null 
@@ -1,27 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system OR data_stream.dataset:system.application OR data_stream.dataset:system.security OR data_stream.dataset:system.system)\"}}"
- },
- "title": "Number of Events [Windows Overview]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"fontSize\":60},\"type\":\"metric\"}"
- },
- "id": "windows-Number-of-Events",
- "migrationVersion": {
- "visualization": "7.10.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.7/kibana/visualization/system-Sources.json b/packages/system/0.10.7/kibana/visualization/system-Sources.json
deleted file mode 100644
index b58d86fd65..0000000000
--- a/packages/system/0.10.7/kibana/visualization/system-Sources.json
+++ /dev/null
@@ -1,27 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system OR data_stream.dataset:system.application OR data_stream.dataset:system.security OR data_stream.dataset:system.system)\"}}"
- },
- "title": "Sources (Provider Names) [Windows Overview]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"winlog.provider_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":7},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"shareYAxis\":true,\"type\":\"pie\"},\"title\":\"Sources (Provider Names) [Windows Overview]\",\"type\":\"pie\"}"
- },
- "id": "windows-Sources",
- "migrationVersion": {
- "visualization": "7.10.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.7/kibana/visualization/system-Syslog-events-by-hostname.json b/packages/system/0.10.7/kibana/visualization/system-Syslog-events-by-hostname.json
deleted file mode 100644
index 97fdb33425..0000000000
--- a/packages/system/0.10.7/kibana/visualization/system-Syslog-events-by-hostname.json
+++ /dev/null
@@ -1,22 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[]}"
- },
- "savedSearchRefName": "search_0",
- "title": "Syslog events by hostname [Logs System]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"host.hostname\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"Syslog events by hostname\",\"type\":\"histogram\"}"
- },
- "id": "system-Syslog-events-by-hostname",
- "references": [
- {
- "id": "system-Syslog-system-logs",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.7/kibana/visualization/system-Syslog-hostnames-and-processes.json b/packages/system/0.10.7/kibana/visualization/system-Syslog-hostnames-and-processes.json
deleted file mode 100644
index 3fe992e28b..0000000000
--- a/packages/system/0.10.7/kibana/visualization/system-Syslog-hostnames-and-processes.json
+++ /dev/null
@@ -1,22 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[]}"
- },
- "savedSearchRefName": "search_0",
- "title": "Syslog hostnames and processes [Logs System]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"host.hostname\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"process.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"legendPosition\":\"bottom\",\"shareYAxis\":true},\"title\":\"Syslog hostnames and processes\",\"type\":\"pie\"}"
- },
- "id": "system-Syslog-hostnames-and-processes",
- "references": [
- {
- "id": "system-Syslog-system-logs",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.7/kibana/visualization/system-Top-Event-IDs.json b/packages/system/0.10.7/kibana/visualization/system-Top-Event-IDs.json
deleted file mode 100644
index 0b4d5b0b54..0000000000
--- a/packages/system/0.10.7/kibana/visualization/system-Top-Event-IDs.json
+++ /dev/null
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system OR data_stream.dataset:system.application OR data_stream.dataset:system.security OR data_stream.dataset:system.system)\"}}" - }, - "title": "Top Event IDs [Windows Overview]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event IDs\",\"field\":\"winlog.event_id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Event IDs [Windows Overview]\",\"type\":\"table\"}" - }, - "id": "windows-Top-Event-IDs", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-a13bf640-fee8-11e9-8405-516218e3d268.json b/packages/system/0.10.7/kibana/visualization/system-a13bf640-fee8-11e9-8405-516218e3d268.json deleted file mode 100644 index 518cd960e8..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-a13bf640-fee8-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4732\",\"4728\",\"4756\",\"4751\",\"4761\",\"4746\",\"4785\",\"4787\"],\"type\":\"phrases\",\"value\":\"4732, 4728, 4756, 4751, 4761, 4746, 4785, 4787\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4732\"}},{\"match_phrase\":{\"event.code\":\"4728\"}},{\"match_phrase\":{\"event.code\":\"4756\"}},{\"match_phrase\":{\"event.code\":\"4751\"}},{\"match_phrase\":{\"event.code\":\"4761\"}},{\"match_phrase\":{\"event.code\":\"4746\"}},{\"match_phrase\":{\"event.code\":\"4785\"}},{\"match_phrase\":{\"event.code\":\"4787\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Added - Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Users Added to 
Groups\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Reds\",\"colorsRange\":[{\"from\":0,\"to\":1,\"type\":\"range\"},{\"from\":1,\"to\":5},{\"from\":5,\"to\":10},{\"from\":10,\"to\":15},{\"from\":15,\"to\":20},{\"from\":20,\"to\":9999}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"Labels\",\"percentageMode\":false,\"style\":{\"bgColor\":true,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Added - Simple Metric [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-a13bf640-fee8-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-a3c3f350-9b6d-11ea-87e4-49f31ec44891.json b/packages/system/0.10.7/kibana/visualization/system-a3c3f350-9b6d-11ea-87e4-49f31ec44891.json deleted file mode 100644 index f034e738b5..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-a3c3f350-9b6d-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,21 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}"
- },
- "title": "Dashboard links [Windows Security]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"[Windows Overview](#/dashboard/Windows-Dashboard) | [User Logon Information](#/dashboard/windows-bae11b00-9bfc-11ea-87e4-49f31ec44891) | [Logon Failed and Account Lockout](#/dashboard/windows-d401ef40-a7d5-11e9-a422-d144027429da) | [User Management Events](#/dashboard/windows-71f720f0-ff18-11e9-8405-516218e3d268) | [Group Management Events](#/dashboard/windows-bb858830-f412-11e9-8405-516218e3d268)\",\"openLinksInNewTab\":false},\"title\":\"Dashboard links [Windows Security]\",\"type\":\"markdown\"}"
- },
- "id": "windows-a3c3f350-9b6d-11ea-87e4-49f31ec44891",
- "migrationVersion": {
- "visualization": "7.10.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.7/kibana/visualization/system-a5f664c0-f49a-11e9-8405-516218e3d268.json b/packages/system/0.10.7/kibana/visualization/system-a5f664c0-f49a-11e9-8405-516218e3d268.json
deleted file mode 100644
index 4b46c3ba04..0000000000
--- a/packages/system/0.10.7/kibana/visualization/system-a5f664c0-f49a-11e9-8405-516218e3d268.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{}"
- },
- "title": "Users Removed - TSVB Metric [Windows Security]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"bfcaced0-f419-11e9-928e-8f5fd2b6c66e\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(228,155,75,1)\",\"id\":\"11604700-9b51-11ea-99a1-e5b989979a59\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code:4733 OR event.code:4729 OR event.code:4788 OR event.code:4786 OR event.code:4752 OR event.code:4762 OR event.code:4747\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Removed from Group\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Removed - TSVB Metric [Windows Security]\",\"type\":\"metrics\"}"
- },
- "id": "windows-a5f664c0-f49a-11e9-8405-516218e3d268",
- "migrationVersion": {
- "visualization": "7.10.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.7/kibana/visualization/system-a79395f0-6aba-11ea-896f-0d70f7ec3956.json b/packages/system/0.10.7/kibana/visualization/system-a79395f0-6aba-11ea-896f-0d70f7ec3956.json
deleted file mode 100644
index d044a29c62..0000000000
--- a/packages/system/0.10.7/kibana/visualization/system-a79395f0-6aba-11ea-896f-0d70f7ec3956.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{}"
- },
- "title": "Blocked Accounts TSVB [Windows Security]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"color\":\"rgba(51,51,51,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(102,102,102,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4740\\\"\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Blocked Accounts\",\"line_width\":1,\"metrics\":[{\"field\":\"user.name\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"cardinality\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Blocked Accounts TSVB [Windows Security]\",\"type\":\"metrics\"}"
- },
- "id": "windows-a79395f0-6aba-11ea-896f-0d70f7ec3956",
- "migrationVersion": {
- "visualization": "7.10.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/system/0.10.7/kibana/visualization/system-a909b930-685f-11ea-896f-0d70f7ec3956.json b/packages/system/0.10.7/kibana/visualization/system-a909b930-685f-11ea-896f-0d70f7ec3956.json
deleted file mode 100644
index e4c612104a..0000000000
--- a/packages/system/0.10.7/kibana/visualization/system-a909b930-685f-11ea-896f-0d70f7ec3956.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Logon Events Timeline [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4672\\\" or event.code: \\\"4624\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(226,115,0,1)\",\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4672\\\"\"},\"id\":\"7560ee50-685f-11ea-8d46-c19e41702dd4\",\"label\":\"Admin logons\"},{\"color\":\"rgba(164,221,243,1)\",\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4624\\\"\"},\"id\":\"80e7fb10-685f-11ea-8d46-c19e41702dd4\",\"label\":\"Logon Events\"}],\"split_mode\":\"filters\",\"stacked\":\"none\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"Logon Events Timeline [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-a909b930-685f-11ea-896f-0d70f7ec3956", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.7/kibana/visualization/system-aa31c9d0-9b75-11ea-87e4-49f31ec44891.json b/packages/system/0.10.7/kibana/visualization/system-aa31c9d0-9b75-11ea-87e4-49f31ec44891.json deleted file mode 100644 index b6cc7ff318..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-aa31c9d0-9b75-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "User Management Events - Affected Users vs Actions - Heatmap [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Target User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Blues\",\"colorsNumber\":4,\"colorsRange\":[],\"enableHover\":false,\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"type\":\"heatmap\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"black\",\"overwriteColor\":false,\"rotate\":0,\"show\":true},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"User Management Events - Affected Users vs Actions - Heatmap [Windows Security]\",\"type\":\"heatmap\"}" - }, - "id": "windows-aa31c9d0-9b75-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": 
"search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-ab2d1e90-1b1a-11e7-b09e-037021c4f8df.json b/packages/system/0.10.7/kibana/visualization/system-ab2d1e90-1b1a-11e7-b09e-037021c4f8df.json deleted file mode 100644 index 2dd21f0794..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-ab2d1e90-1b1a-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "CPU Usage [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.cpu\\\"\"},\"id\":\"80a04950-1b19-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"80a04951-1b19-11e7-b09e-037021c4f8df\",\"label\":\"user\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.user.pct\",\"id\":\"80a04952-1b19-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(211,49,21,1)\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"993acf30-1b19-11e7-b09e-037021c4f8df\",\"label\":\"system\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.system.pct\",\"id\":\"993acf31-1b19-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(123,100,255,1)\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"65ca35e0-1b1a-11e7-b09e-037021c4f8df\",\"label\":\"nice\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.nice.pct\",\"id\":\"65ca5cf0-1b1a-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(226,
115,0,1)\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"741b5f20-1b1a-11e7-b09e-037021c4f8df\",\"label\":\"irq\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.irq.pct\",\"id\":\"741b5f21-1b1a-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(176,188,0,1)\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"2efc5d40-1b1a-11e7-b09e-037021c4f8df\",\"label\":\"softirq\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.softirq.pct\",\"id\":\"2efc5d41-1b1a-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(15,20,25,1)\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"ae644a30-1b19-11e7-b09e-037021c4f8df\",\"label\":\"iowait\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.iowait.pct\",\"id\":\"ae644a31-1b19-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"CPU Usage [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-ab2d1e90-1b1a-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-ab6f8d80-bce8-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.7/kibana/visualization/system-ab6f8d80-bce8-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index a700234051..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-ab6f8d80-bce8-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4767\"],\"type\":\"phrases\",\"value\":\"4767\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4767\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Unlocked Users - Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Users Unlocks\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Unlocked Users - Simple Metric [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-ab6f8d80-bce8-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": 
"visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-abd44840-9c0f-11ea-87e4-49f31ec44891.json b/packages/system/0.10.7/kibana/visualization/system-abd44840-9c0f-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 513dbaddd3..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-abd44840-9c0f-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4624\",\"4672\"],\"type\":\"phrases\",\"value\":\"4624, 4672\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4624\"}},{\"match_phrase\":{\"event.code\":\"4672\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Logon Events in Time - Simple [Windows Security]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Admin Logons\":\"#E24D42\",\"Logon Events\":\"#447EBC\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"2020-05-20T07:35:27.496Z\",\"to\":\"2020-05-22T00:01:10.239Z\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"filters\":[{\"input\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4624\\\" \"},\"label\":\"Logon Events\"},{\"input\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4672\\\" \"},\"label\":\"Admin 
Logons\"}]},\"schema\":\"group\",\"type\":\"filters\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Logon Events in Time - Simple [Windows Security]\",\"type\":\"line\"}" - }, - "id": "windows-abd44840-9c0f-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-abf96c10-bcea-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.7/kibana/visualization/system-abf96c10-bcea-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index c98d3f5e36..0000000000 
--- a/packages/system/0.10.7/kibana/visualization/system-abf96c10-bcea-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4738\"},\"type\":\"phrase\",\"value\":\"4738\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4738\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Changes Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Changed User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Changes Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-abf96c10-bcea-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-b5f38780-fee6-11e9-8405-516218e3d268.json b/packages/system/0.10.7/kibana/visualization/system-b5f38780-fee6-11e9-8405-516218e3d268.json deleted file mode 100644 index fe48e7b912..0000000000 
--- a/packages/system/0.10.7/kibana/visualization/system-b5f38780-fee6-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4735\",\"4737\",\"4755\",\"4750\",\"4760\",\"4745\",\"4791\",\"4784\",\"4764\"],\"type\":\"phrases\",\"value\":\"4735, 4737, 4755, 4750, 4760, 4745, 4791, 4784, 4764\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4735\"}},{\"match_phrase\":{\"event.code\":\"4737\"}},{\"match_phrase\":{\"event.code\":\"4755\"}},{\"match_phrase\":{\"event.code\":\"4750\"}},{\"match_phrase\":{\"event.code\":\"4760\"}},{\"match_phrase\":{\"event.code\":\"4745\"}},{\"match_phrase\":{\"event.code\":\"4791\"}},{\"match_phrase\":{\"event.code\":\"4784\"}},{\"match_phrase\":{\"event.code\":\"4764\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Groups Changes - Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Groups Changed\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Yellow to 
Red\",\"colorsRange\":[{\"from\":0,\"to\":1,\"type\":\"range\"},{\"from\":1,\"to\":5},{\"from\":5,\"to\":10},{\"from\":10,\"to\":15},{\"from\":15,\"to\":20},{\"from\":20,\"to\":100000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"Labels\",\"percentageMode\":false,\"style\":{\"bgColor\":true,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Groups Changes - Simple Metric [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-b5f38780-fee6-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-b89b0c90-9b41-11ea-87e4-49f31ec44891.json b/packages/system/0.10.7/kibana/visualization/system-b89b0c90-9b41-11ea-87e4-49f31ec44891.json deleted file mode 100644 index bb0c73a3a4..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-b89b0c90-9b41-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Group Management Events - Event Actions [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Group Management Events - Event Actions [Windows Security]\",\"type\":\"pie\"}" - }, - "id": "windows-b89b0c90-9b41-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-bb9cf7a0-f49d-11e9-8405-516218e3d268.json b/packages/system/0.10.7/kibana/visualization/system-bb9cf7a0-f49d-11e9-8405-516218e3d268.json deleted file mode 100644 index de1586f827..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-bb9cf7a0-f49d-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4734\",\"4730\",\"4758\",\"4748\",\"4763\",\"4753\",\"4792\",\"4789\"],\"type\":\"phrases\",\"value\":\"4734, 4730, 4758, 4748, 4763, 4753, 4792, 4789\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4734\"}},{\"match_phrase\":{\"event.code\":\"4730\"}},{\"match_phrase\":{\"event.code\":\"4758\"}},{\"match_phrase\":{\"event.code\":\"4748\"}},{\"match_phrase\":{\"event.code\":\"4763\"}},{\"match_phrase\":{\"event.code\":\"4753\"}},{\"match_phrase\":{\"event.code\":\"4792\"}},{\"match_phrase\":{\"event.code\":\"4789\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Groups Deleted - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Group\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"group.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Performer 
LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":4,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":5,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Groups Deleted - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-bb9cf7a0-f49d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.7/kibana/visualization/system-bc165210-f4b8-11e9-8405-516218e3d268.json b/packages/system/0.10.7/kibana/visualization/system-bc165210-f4b8-11e9-8405-516218e3d268.json deleted file mode 100644 index afda910823..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-bc165210-f4b8-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4799\"],\"type\":\"phrases\",\"value\":\"4799\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4799\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Group Enumeration - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Group\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"group.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Creator\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Creator 
LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":4,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":5,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Group Enumeration - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-bc165210-f4b8-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.7/kibana/visualization/system-bf45dc50-ff1a-11e9-8405-516218e3d268.json b/packages/system/0.10.7/kibana/visualization/system-bf45dc50-ff1a-11e9-8405-516218e3d268.json deleted file mode 100644 index fcd8124618..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-bf45dc50-ff1a-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Enabled - TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(203,142,136,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4722\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Enabled\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Enabled - TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-bf45dc50-ff1a-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.7/kibana/visualization/system-bfa5e400-1b16-11e7-b09e-037021c4f8df.json b/packages/system/0.10.7/kibana/visualization/system-bfa5e400-1b16-11e7-b09e-037021c4f8df.json deleted file mode 100644 index 50aa47d6d7..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-bfa5e400-1b16-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Memory Usage [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.memory\\\"\"},\"id\":\"32f46f40-1b16-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(211,49,21,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"4ff61fd0-1b16-11e7-b09e-037021c4f8df\",\"label\":\"Used\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.actual.used.bytes\",\"id\":\"4ff61fd1-1b16-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"753a6080-1b16-11e7-b09e-037021c4f8df\",\"label\":\"Cache\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.actual.used.bytes\",\"id\":\"753a6081-1b16-11e7-b09e-037021c4f8df\",\"type\":\"avg\"},{\"field\":\"system.memory.used.bytes\",\"id\":\"7c9d3f00-1b16-11e7-b09e-037021c4f8df\",\"type\":\"avg\"},{\"id\":\"869cc160-1b16-11e7-b09e-037021c4f8df\",\"script\":\"params.actual != null \\u0026\\u0026 params.used != null ? 
params.used - params.actual : null\",\"type\":\"calculation\",\"variables\":[{\"field\":\"753a6081-1b16-11e7-b09e-037021c4f8df\",\"id\":\"890f9620-1b16-11e7-b09e-037021c4f8df\",\"name\":\"actual\"},{\"field\":\"7c9d3f00-1b16-11e7-b09e-037021c4f8df\",\"id\":\"8f3ab7f0-1b16-11e7-b09e-037021c4f8df\",\"name\":\"used\"}]}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"32f46f41-1b16-11e7-b09e-037021c4f8df\",\"label\":\"Free\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.free\",\"id\":\"32f46f42-1b16-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"Memory Usage [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-bfa5e400-1b16-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-c2ea73f0-a4bd-11e9-a422-d144027429da.json b/packages/system/0.10.7/kibana/visualization/system-c2ea73f0-a4bd-11e9-a422-d144027429da.json deleted file mode 100644 index 41614f49bc..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-c2ea73f0-a4bd-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Failed Logon and Account Lockout [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":10,\"markdown\":\"### **Failed Logons and Account Lockouts**\",\"openLinksInNewTab\":false},\"title\":\"Failed Logon and Account Lockout [Windows Security]\",\"type\":\"markdown\"}" - }, - "id": "windows-c2ea73f0-a4bd-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-c359b020-bcdd-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.7/kibana/visualization/system-c359b020-bcdd-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index dba47dfeb5..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-c359b020-bcdd-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4726\"},\"type\":\"phrase\",\"value\":\"4726\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4726\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Deleted - Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Deleted Users\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Deleted - Simple Metric [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-c359b020-bcdd-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at 
end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-c5e3cf90-4d60-11e7-9a4c-ed99bbcaa42b.json b/packages/system/0.10.7/kibana/visualization/system-c5e3cf90-4d60-11e7-9a4c-ed99bbcaa42b.json deleted file mode 100644 index bbdd02df29..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-c5e3cf90-4d60-11e7-9a4c-ed99bbcaa42b.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Interfaces by Outgoing traffic [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"id\":\"9db20be0-4d60-11e7-9a4c-ed99bbcaa42b\"}],\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.network\\\"\"},\"id\":\"9cdba910-4d60-11e7-9a4c-ed99bbcaa42b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"9cdba911-4d60-11e7-9a4c-ed99bbcaa42b\",\"label\":\"Interfaces by Outgoing traffic\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.out.bytes\",\"id\":\"9cdba912-4d60-11e7-9a4c-ed99bbcaa42b\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"terms_order_by\":\"9cdba912-4d60-11e7-9a4c-ed99bbcaa42b\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Interfaces by Outgoing traffic [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-c5e3cf90-4d60-11e7-9a4c-ed99bbcaa42b", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.7/kibana/visualization/system-c6f2ffd0-4d17-11e7-a196-69b9a7a020a9.json b/packages/system/0.10.7/kibana/visualization/system-c6f2ffd0-4d17-11e7-a196-69b9a7a020a9.json deleted file mode 100644 index a781526538..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-c6f2ffd0-4d17-11e7-a196-69b9a7a020a9.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Number of hosts [Metrics System]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Number of hosts\",\"field\":\"host.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":false},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"63\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"type\":\"gauge\"},\"title\":\"Number of hosts [Metrics System]\",\"type\":\"metric\"}" - }, - "id": "system-c6f2ffd0-4d17-11e7-a196-69b9a7a020a9", - "references": [ - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.7/kibana/visualization/system-c9d959f0-ff1d-11e9-8405-516218e3d268.json b/packages/system/0.10.7/kibana/visualization/system-c9d959f0-ff1d-11e9-8405-516218e3d268.json deleted file mode 100644 index e99dc25f2d..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-c9d959f0-ff1d-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Changes TS VB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(221,186,64,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4738\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Changes\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Changes TS VB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-c9d959f0-ff1d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.7/kibana/visualization/system-caf4d2b0-9b76-11ea-87e4-49f31ec44891.json b/packages/system/0.10.7/kibana/visualization/system-caf4d2b0-9b76-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 7ca4e94f3a..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-caf4d2b0-9b76-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Event Distribution in time [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-7d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position
\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Event Distribution in time [Windows Security]\",\"type\":\"histogram\"}" - }, - "id": "windows-caf4d2b0-9b76-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-ce867840-f49e-11e9-8405-516218e3d268.json b/packages/system/0.10.7/kibana/visualization/system-ce867840-f49e-11e9-8405-516218e3d268.json deleted file mode 100644 index 0ee0bcdde7..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-ce867840-f49e-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4732\",\"4728\",\"4756\",\"4751\",\"4761\",\"4746\",\"4785\",\"4787\"],\"type\":\"phrases\",\"value\":\"4732, 4728, 4756, 4751, 4761, 4746, 4785, 4787\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4732\"}},{\"match_phrase\":{\"event.code\":\"4728\"}},{\"match_phrase\":{\"event.code\":\"4756\"}},{\"match_phrase\":{\"event.code\":\"4751\"}},{\"match_phrase\":{\"event.code\":\"4761\"}},{\"match_phrase\":{\"event.code\":\"4746\"}},{\"match_phrase\":{\"event.code\":\"4785\"}},{\"match_phrase\":{\"event.code\":\"4787\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Added - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"User\",\"field\":\"winlog.event_data.MemberName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Group\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"group.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Performed by Logon 
ID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":4,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":5,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":5,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Added - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-ce867840-f49e-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline 
at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-d16bb400-f9cc-11e6-8115-a7c18106d86a.json b/packages/system/0.10.7/kibana/visualization/system-d16bb400-f9cc-11e6-8115-a7c18106d86a.json deleted file mode 100644 index 7d3a140c7b..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-d16bb400-f9cc-11e6-8115-a7c18106d86a.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.ssh.event:Accepted\"}}" - }, - "title": "Successful SSH logins [Logs System]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Accepted\":\"#3F6833\",\"Failed\":\"#F9934E\",\"Invalid\":\"#447EBC\",\"password\":\"#BF1B00\",\"publickey\":\"#629E51\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"system.auth.ssh.method\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"Successful SSH logins\",\"type\":\"histogram\"}" - }, - "id": "system-d16bb400-f9cc-11e6-8115-a7c18106d86a", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.7/kibana/visualization/system-d2e80340-4d5c-11e7-aa29-87a97a796de6.json b/packages/system/0.10.7/kibana/visualization/system-d2e80340-4d5c-11e7-aa29-87a97a796de6.json deleted file mode 100644 index 409529a0d5..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-d2e80340-4d5c-11e7-aa29-87a97a796de6.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Memory usage vs total [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"6f7618b0-4d5c-11e7-aa29-87a97a796de6\"}],\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.memory\\\"\"},\"id\":\"6bc65720-4d5c-11e7-aa29-87a97a796de6\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"6bc65721-4d5c-11e7-aa29-87a97a796de6\",\"label\":\"Memory usage\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.actual.used.bytes\",\"id\":\"6bc65722-4d5c-11e7-aa29-87a97a796de6\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"b8fe6820-4d5c-11e7-aa29-87a97a796de6\",\"label\":\"Total Memory\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.total\",\"id\":\"b8fe6821-4d5c-11e7-aa29-87a97a796de6\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"metric\"},\"title\":\"Memory usage vs total\",\"type\":\"metrics\"}" - }, - "id": "system-d2e80340-4d5c-11e7-aa29-87a97a796de6", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.7/kibana/visualization/system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b.json b/packages/system/0.10.7/kibana/visualization/system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b.json deleted file mode 100644 index bc6234f906..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Memory Usage Gauge [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.memory\\\"\"},\"gauge_color_rules\":[{\"gauge\":\"rgba(104,188,0,1)\",\"id\":\"a0d522e0-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0},{\"gauge\":\"rgba(254,146,0,1)\",\"id\":\"b45ad8f0-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0.7},{\"gauge\":\"rgba(211,49,21,1)\",\"id\":\"c06e9550-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0.85}],\"gauge_inner_width\":10,\"gauge_max\":\"1\",\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"9f51b730-1b91-11e7-bec4-a5e9ec5cab8b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"9f51b731-1b91-11e7-bec4-a5e9ec5cab8b\",\"label\":\"Memory Usage\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.actual.used.pct\",\"id\":\"9f51b732-1b91-11e7-bec4-a5e9ec5cab8b\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\"},\"title\":\"Memory Usage Gauge [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.7/kibana/visualization/system-d3a5fec0-ff18-11e9-8405-516218e3d268.json b/packages/system/0.10.7/kibana/visualization/system-d3a5fec0-ff18-11e9-8405-516218e3d268.json deleted file mode 100644 index cfc0f94fdb..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-d3a5fec0-ff18-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Created - TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(181,99,93,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4720\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Created\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Created - TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-d3a5fec0-ff18-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.7/kibana/visualization/system-d56ee420-fa79-11e6-a1df-a78bd7504d38.json b/packages/system/0.10.7/kibana/visualization/system-d56ee420-fa79-11e6-a1df-a78bd7504d38.json deleted file mode 100644 index 4a1a669662..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-d56ee420-fa79-11e6-a1df-a78bd7504d38.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New users by home directory [Logs System]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"/bin/bash\":\"#E24D42\",\"/bin/false\":\"#508642\",\"/nonexistent\":\"#629E51\",\"/sbin/nologin\":\"#7EB26D\"},\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"system.auth.useradd.home\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":false,\"legendPosition\":\"right\"},\"title\":\"New users by home directory\",\"type\":\"pie\"}" - }, - "id": "system-d56ee420-fa79-11e6-a1df-a78bd7504d38", - "references": [ - { - "id": "system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-d770b040-9b35-11ea-87e4-49f31ec44891.json b/packages/system/0.10.7/kibana/visualization/system-d770b040-9b35-11ea-87e4-49f31ec44891.json deleted file mode 100644 index c7d09fcca9..0000000000 
--- a/packages/system/0.10.7/kibana/visualization/system-d770b040-9b35-11ea-87e4-49f31ec44891.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system OR data_stream.dataset:system.application OR data_stream.dataset:system.security OR data_stream.dataset:system.system)\"}}" - }, - "title": "Dashboard links - Simple [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"[Windows General Dashboard](#/dashboard/Windows-Dashboard) | [User Logon Information](#/dashboard/windows-035846a0-a249-11e9-a422-d144027429da?) | [Logon failed and Account Lockout](#/dashboard/windows-f49f3170-9ffc-11ea-87e4-49f31ec44891) | [User Management Events](#/dashboard/windows-8223bed0-b9e9-11e9-b6a2-c9b4015c4baf) | [Group Management Events](#/dashboard/windows-01c54730-fee6-11e9-8405-516218e3d268)\",\"openLinksInNewTab\":false},\"title\":\"Dashboard links - Simple [Windows Security]\",\"type\":\"markdown\"}" - }, - "id": "windows-d770b040-9b35-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-da2110c0-bcea-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.7/kibana/visualization/system-da2110c0-bcea-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index dd9e80cc9f..0000000000 
--- a/packages/system/0.10.7/kibana/visualization/system-da2110c0-bcea-11e9-b6a2-c9b4015c4baf.json
+++ /dev/null
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4767\"},\"type\":\"phrase\",\"value\":\"4767\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4767\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Unlocked Users - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Unlocked User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
Logonid\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Unlocked Users - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-da2110c0-bcea-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.7/kibana/visualization/system-da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 9d80ae6078..0000000000 
--- a/packages/system/0.10.7/kibana/visualization/system-da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf.json
+++ /dev/null
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4723\",\"4724\"],\"type\":\"phrases\",\"value\":\"4723, 4724\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4723\"}},{\"match_phrase\":{\"event.code\":\"4724\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Password Changes - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Password Change to\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Password Changes - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-dc589770-fa2b-11e6-bbd3-29c986c96e5a.json b/packages/system/0.10.7/kibana/visualization/system-dc589770-fa2b-11e6-bbd3-29c986c96e5a.json deleted file mode 100644 index 16dd4ec2e5..0000000000 
--- a/packages/system/0.10.7/kibana/visualization/system-dc589770-fa2b-11e6-bbd3-29c986c96e5a.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top sudo commands [Logs System]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"system.auth.sudo.command\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.auth\\\"\"},\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top sudo commands\",\"type\":\"table\"}" - }, - "id": "system-dc589770-fa2b-11e6-bbd3-29c986c96e5a", - "references": [ - { - "id": "system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-e0f001c0-1b18-11e7-b09e-037021c4f8df.json b/packages/system/0.10.7/kibana/visualization/system-e0f001c0-1b18-11e7-b09e-037021c4f8df.json deleted file mode 100644 index 0de4eae928..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-e0f001c0-1b18-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Top Processes By CPU [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"bar_color\":\"rgba(104,188,0,1)\",\"id\":\"60e11be0-1b18-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0}],\"drilldown_url\":\"\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.process\\\"\"},\"id\":\"5f5b8d50-1b18-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"5f5b8d51-1b18-11e7-b09e-037021c4f8df\",\"line_width\":1,\"metrics\":[{\"field\":\"system.process.cpu.total.pct\",\"id\":\"5f5b8d52-1b18-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"process.name\",\"terms_order_by\":\"5f5b8d52-1b18-11e7-b09e-037021c4f8df\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Top Processes By CPU [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-e0f001c0-1b18-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-e121b140-fa78-11e6-a1df-a78bd7504d38.json b/packages/system/0.10.7/kibana/visualization/system-e121b140-fa78-11e6-a1df-a78bd7504d38.json deleted file mode 100644 index 8bc2dd67ee..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-e121b140-fa78-11e6-a1df-a78bd7504d38.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New users by shell [Logs System]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"/bin/bash\":\"#E24D42\",\"/bin/false\":\"#508642\",\"/sbin/nologin\":\"#7EB26D\"},\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"system.auth.useradd.shell\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.auth\\\"\"},\"isDonut\":false,\"legendPosition\":\"right\"},\"title\":\"New users by shell\",\"type\":\"pie\"}" - }, - "id": "system-e121b140-fa78-11e6-a1df-a78bd7504d38", - "references": [ - { - "id": "system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-e20c02d0-9b48-11ea-87e4-49f31ec44891.json b/packages/system/0.10.7/kibana/visualization/system-e20c02d0-9b48-11ea-87e4-49f31ec44891.json deleted file mode 100644 index a7cd570015..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-e20c02d0-9b48-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Group Management Events - Groups vs Actions - Heatmap [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Target Groups\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Actions\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Blues\",\"colorsNumber\":4,\"colorsRange\":[],\"enableHover\":false,\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"type\":\"heatmap\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"black\",\"overwriteColor\":false,\"rotate\":0,\"show\":true},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Group Management Events - Groups vs Actions - Heatmap [Windows Security]\",\"type\":\"heatmap\"}" - }, - "id": "windows-e20c02d0-9b48-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "search_0", - 
"type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-e22c6f40-f498-11e9-8405-516218e3d268.json b/packages/system/0.10.7/kibana/visualization/system-e22c6f40-f498-11e9-8405-516218e3d268.json deleted file mode 100644 index 3a7002cb8f..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-e22c6f40-f498-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Groups Deleted TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(200,201,197,1)\",\"id\":\"bfcaced0-f419-11e9-928e-8f5fd2b6c66e\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(228,155,75,1)\",\"id\":\"a7d935e0-f497-11e9-928e-8f5fd2b6c66e\",\"operator\":\"gt\",\"value\":0}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code:4734 OR event.code:4730 OR event.code:4758 OR event.code:4753 OR event.code:4763 OR event.code:4748 OR event.code:4789 OR event.code:4792\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Groups Deleted\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Groups Deleted TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-e22c6f40-f498-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.7/kibana/visualization/system-e2516c10-a249-11e9-a422-d144027429da.json b/packages/system/0.10.7/kibana/visualization/system-e2516c10-a249-11e9-a422-d144027429da.json
deleted file mode 100644
index 55dc58f665..0000000000
--- a/packages/system/0.10.7/kibana/visualization/system-e2516c10-a249-11e9-a422-d144027429da.json
+++ /dev/null
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4672\"},\"type\":\"phrase\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4672\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Administrator Users [Windows Security]", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"winlog.logon.id\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"label\":\"user.name: Descending\",\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"cardinality\",\"format\":{\"id\":\"number\"},\"label\":\"Unique count of winlog.logon.id\",\"params\":{}}},\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"bottom\",\"type\":\"pie\"},\"title\":\"Administrator Users [Windows Security]\",\"type\":\"pie\"}" - }, - "id": 
"windows-e2516c10-a249-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.10.7/kibana/visualization/system-ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 4d291cebd9..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4726\"},\"type\":\"phrase\",\"value\":\"4726\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4726\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Deleted - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Deleted User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performed 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Deleted - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-ee292bc0-f499-11e9-8405-516218e3d268.json b/packages/system/0.10.7/kibana/visualization/system-ee292bc0-f499-11e9-8405-516218e3d268.json deleted file mode 100644 index 73b82c4743..0000000000 
--- a/packages/system/0.10.7/kibana/visualization/system-ee292bc0-f499-11e9-8405-516218e3d268.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Groups Created TSVB Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(200,201,197,1)\",\"id\":\"bfcaced0-f419-11e9-928e-8f5fd2b6c66e\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(181,99,93,1)\",\"id\":\"a7d935e0-f497-11e9-928e-8f5fd2b6c66e\",\"operator\":\"gt\",\"value\":0}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code:4731 OR event.code:4727 OR event.code:\\\"4754\\\" OR event.code:\\\"4749\\\" OR event.code:\\\"4759\\\" OR event.code:\\\"4744\\\" OR event.code:\\\"4783\\\" OR event.code:\\\"4790\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Groups Created\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Groups Created TSVB Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-ee292bc0-f499-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.7/kibana/visualization/system-f398d2f0-fa77-11e6-ae9b-81e5311e8cab.json b/packages/system/0.10.7/kibana/visualization/system-f398d2f0-fa77-11e6-ae9b-81e5311e8cab.json
deleted file mode 100644
index 485b755000..0000000000
--- a/packages/system/0.10.7/kibana/visualization/system-f398d2f0-fa77-11e6-ae9b-81e5311e8cab.json
+++ /dev/null
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New users [Logs System]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Host\",\"field\":\"host.hostname\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"User\",\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"UID\",\"field\":\"user.id\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"GID\",\"field\":\"group.id\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Home\",\"field\":\"system.auth.useradd.home\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"Shell\",\"field\":\"system.auth.useradd.shell\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.auth\\\"\"},\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"New users\",\"type\":\"table\"}" - }, - "id": "system-f398d2f0-fa77-11e6-ae9b-81e5311e8cab", - "references": [ - { - "id": 
"system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-f42f3b20-fee6-11e9-8405-516218e3d268.json b/packages/system/0.10.7/kibana/visualization/system-f42f3b20-fee6-11e9-8405-516218e3d268.json deleted file mode 100644 index fabadc2daa..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-f42f3b20-fee6-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4731\",\"4727\",\"4754\",\"4744\",\"4759\",\"4779\",\"4790\",\"4783\"],\"type\":\"phrases\",\"value\":\"4731, 4727, 4754, 4744, 4759, 4779, 4790, 4783\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4731\"}},{\"match_phrase\":{\"event.code\":\"4727\"}},{\"match_phrase\":{\"event.code\":\"4754\"}},{\"match_phrase\":{\"event.code\":\"4744\"}},{\"match_phrase\":{\"event.code\":\"4759\"}},{\"match_phrase\":{\"event.code\":\"4779\"}},{\"match_phrase\":{\"event.code\":\"4790\"}},{\"match_phrase\":{\"event.code\":\"4783\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Groups Created - Simple Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Groups Created\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Reds\",\"colorsRange\":[{\"from\":0,\"to\":1,\"type\":\"range\"},{\"from\":1,\"to\":10},{\"from\":10,\"to\":20},{\"from\":20,\"to\":9999}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"Labels\",\"percentageMode\":false,\"style\":{\"bgColor\":true,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Groups Created - Simple 
Metric [Windows Security]\",\"type\":\"metric\"}" - }, - "id": "windows-f42f3b20-fee6-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-fa876300-231a-11ea-8405-516218e3d268.json b/packages/system/0.10.7/kibana/visualization/system-fa876300-231a-11ea-8405-516218e3d268.json deleted file mode 100644 index 06ee29ce4d..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-fa876300-231a-11ea-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4781\"},\"type\":\"phrase\",\"value\":\"4781\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4781\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Renamed - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Old User Name\",\"field\":\"winlog.event_data.OldTargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Renamed - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-fa876300-231a-11ea-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-fe064790-1b1f-11e7-bec4-a5e9ec5cab8b.json b/packages/system/0.10.7/kibana/visualization/system-fe064790-1b1f-11e7-bec4-a5e9ec5cab8b.json deleted file mode 100644 index 86576781aa..0000000000 
--- a/packages/system/0.10.7/kibana/visualization/system-fe064790-1b1f-11e7-bec4-a5e9ec5cab8b.json
+++ /dev/null
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Top Hosts By Memory (Realtime) [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"bar_color\":\"rgba(104,188,0,1)\",\"id\":\"33349dd0-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0},{\"bar_color\":\"rgba(254,146,0,1)\",\"id\":\"997dc440-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.6},{\"bar_color\":\"rgba(211,49,21,1)\",\"id\":\"a10d7f20-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.85}],\"drilldown_url\":\"../app/kibana#/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8?_a=(query:(language:kuery,query:'host.name:\\\"{{key}}\\\"'))\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.memory\\\"\"},\"id\":\"31e5afa0-1b1c-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"31e5afa1-1b1c-11e7-b09e-037021c4f8df\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.actual.used.pct\",\"id\":\"31e5afa2-1b1c-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"host.name\",\"terms_order_by\":\"31e5afa2-1b1c-11e7-b09e-037021c4f8df\",\"terms_size\":\"10\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Top Hosts By Memory (Realtime) [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-fe064790-1b1f-11e7-bec4-a5e9ec5cab8b", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.7/kibana/visualization/system-fee83900-f49f-11e9-8405-516218e3d268.json b/packages/system/0.10.7/kibana/visualization/system-fee83900-f49f-11e9-8405-516218e3d268.json
deleted file mode 100644
index 54387b23c4..0000000000
--- a/packages/system/0.10.7/kibana/visualization/system-fee83900-f49f-11e9-8405-516218e3d268.json
+++ /dev/null
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4733\",\"4729\",\"4757\",\"4786\",\"4788\",\"4752\",\"4762\",\"4747\"],\"type\":\"phrases\",\"value\":\"4733, 4729, 4757, 4786, 4788, 4752, 4762, 4747\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4733\"}},{\"match_phrase\":{\"event.code\":\"4729\"}},{\"match_phrase\":{\"event.code\":\"4757\"}},{\"match_phrase\":{\"event.code\":\"4786\"}},{\"match_phrase\":{\"event.code\":\"4788\"}},{\"match_phrase\":{\"event.code\":\"4752\"}},{\"match_phrase\":{\"event.code\":\"4762\"}},{\"match_phrase\":{\"event.code\":\"4747\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Removed from Group - Table [Windows Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"User\",\"field\":\"winlog.event_data.MemberName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Group\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"group.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Performed by Logon 
ID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":4,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":5,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":5,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Removed from Group - Table [Windows Security]\",\"type\":\"table\"}" - }, - "id": "windows-fee83900-f49f-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ 
No newline at end of file diff --git a/packages/system/0.10.7/kibana/visualization/system-ffebe440-f419-11e9-8405-516218e3d268.json b/packages/system/0.10.7/kibana/visualization/system-ffebe440-f419-11e9-8405-516218e3d268.json deleted file mode 100644 index bc21df1e0a..0000000000 --- a/packages/system/0.10.7/kibana/visualization/system-ffebe440-f419-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Added - Metric [Windows Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"bfcaced0-f419-11e9-928e-8f5fd2b6c66e\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(181,99,93,1)\",\"id\":\"a7d935e0-f497-11e9-928e-8f5fd2b6c66e\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code:4732 OR event.code:4728 OR event.code:4756 OR event.code:4751 OR event.code:4761 OR event.code:4746 OR event.code:4785 OR event.code:4787\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Added to Group\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Added - Metric [Windows Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-ffebe440-f419-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.10.7/manifest.yml b/packages/system/0.10.7/manifest.yml
deleted file mode 100644
index 250efc01fc..0000000000
--- a/packages/system/0.10.7/manifest.yml
+++ /dev/null
@@ -1,43 +0,0 @@
-format_version: 1.0.0
-name: system
-title: System
-version: 0.10.7
-license: basic
-description: System Integration
-type: integration
-categories:
- - os_system
- - security
-release: beta
-conditions:
- kibana.version: '^7.11.0'
-screenshots:
- - src: /img/kibana-system.png
- title: kibana system
- size: 1220x852
- type: image/png
- - src: /img/metricbeat_system_dashboard.png
- title: metricbeat system dashboard
- size: 2097x1933
- type: image/png
-icons:
- - src: /img/system.svg
- title: system
- size: 1000x1000
- type: image/svg+xml
-policy_templates:
- - name: system
- title: System logs and metrics
- description: Collect logs and metrics from System instances
- inputs:
- - type: logfile
- title: Collect logs from System instances
- description: Collecting System auth and syslog logs
- - type: winlog
- title: 'Collect events from the Windows event log'
- description: 'Collecting events from Windows event log'
- - type: system/metrics
- title: Collect metrics from System instances
- description: Collecting System core, CPU, diskio, entropy, filesystem, fsstat, load, memory, network, Network Summary, process, Process Summary, raid, service, socket, Socket Summary, uptime and users metrics
-owner:
- github: elastic/integrations-services
diff --git a/packages/system/0.11.0/data_stream/application/agent/stream/winlog.yml.hbs b/packages/system/0.11.0/data_stream/application/agent/stream/winlog.yml.hbs
deleted file mode 100644
index e207b9ffd6..0000000000
--- a/packages/system/0.11.0/data_stream/application/agent/stream/winlog.yml.hbs
+++ /dev/null
@@ -1,3 +0,0 @@
-name: Application
-condition: ${host.platform} == 'windows'
-ignore_older: 72h
\ No newline at end of file
diff --git a/packages/system/0.11.0/data_stream/application/elasticsearch/ingest_pipeline/default.yml b/packages/system/0.11.0/data_stream/application/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100644
index d239ad095f..0000000000
--- a/packages/system/0.11.0/data_stream/application/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-description: Pipeline for Windows Application Event Logs
-processors:
- - set:
- field: event.ingested
- value: '{{_ingest.timestamp}}'
-on_failure:
- - set:
- field: "error.message"
- value: "{{ _ingest.on_failure_message }}"
\ No newline at end of file
diff --git a/packages/system/0.11.0/data_stream/application/fields/agent.yml b/packages/system/0.11.0/data_stream/application/fields/agent.yml
deleted file mode 100644
index da4e652c53..0000000000
--- a/packages/system/0.11.0/data_stream/application/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.11.0/data_stream/application/fields/base-fields.yml b/packages/system/0.11.0/data_stream/application/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.11.0/data_stream/application/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.11.0/data_stream/application/fields/ecs.yml b/packages/system/0.11.0/data_stream/application/fields/ecs.yml
deleted file mode 100644
index f283f085b0..0000000000
--- a/packages/system/0.11.0/data_stream/application/fields/ecs.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-- description: Time when the event was first read by an agent or by your pipeline.
- example: '2016-05-23T08:05:34.857Z'
- name: event.created
- type: date
-- description: Timestamp when an event arrived in the central data store.
- example: '2016-05-23T08:05:35.101Z'
- name: event.ingested
- type: date
-- description: Raw text message of entire event.
- example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232
- ignore_above: 1024
- name: event.original
- type: keyword
-- description: Error message.
- name: error.message
- type: text
-- description: Identification code for this event.
- example: 4648
- ignore_above: 1024
- name: event.code
- type: keyword
diff --git a/packages/system/0.11.0/data_stream/application/fields/winlog.yml b/packages/system/0.11.0/data_stream/application/fields/winlog.yml
deleted file mode 100644
index adca1bbdd0..0000000000
--- a/packages/system/0.11.0/data_stream/application/fields/winlog.yml
+++ /dev/null
@@ -1,357 +0,0 @@
-- name: winlog
- type: group
- description: >
- All fields specific to the Windows Event Log are defined here.
-
- fields:
- - name: api
- required: true
- type: keyword
- description: >
- The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs.
-
- - name: activity_id
- type: keyword
- required: false
- description: >
- A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity.
-
- - name: computer_name
- type: keyword
- required: true
- description: >
- The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`.
-
- - name: event_data
- type: object
- object_type: keyword
- required: false
- description: >
- The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows.
-
- - name: event_data
- type: group
- description: >
- This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs.
-
- fields:
- - name: AuthenticationPackageName
- type: keyword
- - name: Binary
- type: keyword
- - name: BitlockerUserInputTime
- type: keyword
- - name: BootMode
- type: keyword
- - name: BootType
- type: keyword
- - name: BuildVersion
- type: keyword
- - name: Company
- type: keyword
- - name: CorruptionActionState
- type: keyword
- - name: CreationUtcTime
- type: keyword
- - name: Description
- type: keyword
- - name: Detail
- type: keyword
- - name: DeviceName
- type: keyword
- - name: DeviceNameLength
- type: keyword
- - name: DeviceTime
- type: keyword
- - name: DeviceVersionMajor
- type: keyword
- - name: DeviceVersionMinor
- type: keyword
- - name: DriveName
- type: keyword
- - name: DriverName
- type: keyword
- - name: DriverNameLength
- type: keyword
- - name: DwordVal
- type: keyword
- - name: EntryCount
- type: keyword
- - name: ExtraInfo
- type: keyword
- - name: FailureName
- type: keyword
- - name: FailureNameLength
- type: keyword
- - name: FileVersion
- type: keyword
- - name: FinalStatus
- type: keyword
- - name: Group
- type: keyword
- - name: IdleImplementation
- type: keyword
- - name: IdleStateCount
- type: keyword
- - name: ImpersonationLevel
- type: keyword
- - name: IntegrityLevel
- type: keyword
- - name: IpAddress
- type: keyword
- - name: IpPort
- type: keyword
- - name: KeyLength
- type: keyword
- - name: LastBootGood
- type: keyword
- - name: LastShutdownGood
- type: keyword
- - name: LmPackageName
- type: keyword
- - name: LogonGuid
- type: keyword
- - name: LogonId
- type: keyword
- - name: LogonProcessName
- type: keyword
- - name: LogonType
- type: keyword
- - name: MajorVersion
- type: keyword
- - name: MaximumPerformancePercent
- type: keyword
- - name: MemberName
- type: keyword
- - name: MemberSid
- type: keyword
- - name: MinimumPerformancePercent
- type: keyword
- - name: MinimumThrottlePercent
- type: keyword
- - name: MinorVersion
- type: keyword
- - name: NewProcessId
- type: keyword
- - name: NewProcessName
- type: keyword
- - name: NewSchemeGuid
- type: keyword
- - name: NewTime
- type: keyword
- - name: NominalFrequency
- type: keyword
- - name: Number
- type: keyword
- - name: OldSchemeGuid
- type: keyword
- - name: OldTime
- type: keyword
- - name: OriginalFileName
- type: keyword
- - name: Path
- type: keyword
- - name: PerformanceImplementation
- type: keyword
- - name: PreviousCreationUtcTime
- type: keyword
- - name: PreviousTime
- type: keyword
- - name: PrivilegeList
- type: keyword
- - name: ProcessId
- type: keyword
- - name: ProcessName
- type: keyword
- - name: ProcessPath
- type: keyword
- - name: ProcessPid
- type: keyword
- - name: Product
- type: keyword
- - name: PuaCount
- type: keyword
- - name: PuaPolicyId
- type: keyword
- - name: QfeVersion
- type: keyword
- - name: Reason
- type: keyword
- - name: SchemaVersion
- type: keyword
- - name: ScriptBlockText
- type: keyword
- - name: ServiceName
- type: keyword
- - name: ServiceVersion
- type: keyword
- - name: ShutdownActionType
- type: keyword
- - name: ShutdownEventCode
- type: keyword
- - name: ShutdownReason
- type: keyword
- - name: Signature
- type: keyword
- - name: SignatureStatus
- type: keyword
- - name: Signed
- type: keyword
- - name: StartTime
- type: keyword
- - name: State
- type: keyword
- - name: Status
- type: keyword
- - name: StopTime
- type: keyword
- - name: SubjectDomainName
- type: keyword
- - name: SubjectLogonId
- type: keyword
- - name: SubjectUserName
- type: keyword
- - name: SubjectUserSid
- type: keyword
- - name: TSId
- type: keyword
- - name: TargetDomainName
- type: keyword
- - name: TargetInfo
- type: keyword
- - name: TargetLogonGuid
- type: keyword
- - name: TargetLogonId
- type: keyword
- - name: TargetServerName
- type: keyword
- - name: TargetUserName
- type: keyword
- - name: TargetUserSid
- type: keyword
- - name: TerminalSessionId
- type: keyword
- - name: TokenElevationType
- type: keyword
- - name: TransmittedServices
- type: keyword
- - name: UserSid
- type: keyword
- - name: Version
- type: keyword
- - name: Workstation
- type: keyword
- - name: param1
- type: keyword
- - name: param2
- type: keyword
- - name: param3
- type: keyword
- - name: param4
- type: keyword
- - name: param5
- type: keyword
- - name: param6
- type: keyword
- - name: param7
- type: keyword
- - name: param8
- type: keyword
- - name: event_id
- type: keyword
- required: true
- description: >
- The event identifier. The value is specific to the source of the event.
-
- - name: keywords
- type: keyword
- required: false
- description: >
- The keywords are used to classify an event.
-
- - name: channel
- type: keyword
- required: true
- description: >
- The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration.
-
- - name: record_id
- type: keyword
- required: true
- description: >
- The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0.
-
- - name: related_activity_id
- type: keyword
- required: false
- description: >
- A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier.
-
- - name: opcode
- type: keyword
- required: false
- description: >
- The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged.
-
- - name: provider_guid
- type: keyword
- required: false
- description: >
- A globally unique identifier that identifies the provider that logged the event.
-
- - name: process.pid
- type: long
- required: false
- description: >
- The process_id of the Client Server Runtime Process.
-
- - name: provider_name
- type: keyword
- required: true
- description: >
- The source of the event log record (the application or service that logged the record).
-
- - name: task
- type: keyword
- required: false
- description: >
- The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field.
-
- - name: process.thread.id
- type: long
- required: false
- - name: user_data
- type: object
- object_type: keyword
- required: false
- description: >
- The event specific data. This field is mutually exclusive with `event_data`.
-
- - name: user.identifier
- type: keyword
- required: false
- example: S-1-5-21-3541430928-2051711210-1391384369-1001
- description: >
- The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be.
-
- - name: user.name
- type: keyword
- description: >
- Name of the user associated with this event.
-
- - name: user.domain
- type: keyword
- required: false
- description: >
- The domain that the account associated with this event is a member of.
-
- - name: user.type
- type: keyword
- required: false
- description: >
- The type of account associated with this event.
-
- - name: version
- type: long
- required: false
- description: The version number of the event's definition.
diff --git a/packages/system/0.11.0/data_stream/application/manifest.yml b/packages/system/0.11.0/data_stream/application/manifest.yml
deleted file mode 100644
index 4fab87c07c..0000000000
--- a/packages/system/0.11.0/data_stream/application/manifest.yml
+++ /dev/null
@@ -1,8 +0,0 @@
-type: logs
-title: Windows Application Events
-release: experimental
-streams:
- - input: winlog
- template_path: winlog.yml.hbs
- title: Application
- description: 'Collect Windows application logs'
diff --git a/packages/system/0.11.0/data_stream/auth/agent/stream/log.yml.hbs b/packages/system/0.11.0/data_stream/auth/agent/stream/log.yml.hbs
deleted file mode 100644
index 83450e45ea..0000000000
--- a/packages/system/0.11.0/data_stream/auth/agent/stream/log.yml.hbs
+++ /dev/null
@@ -1,14 +0,0 @@
-paths:
-{{#each paths as |path i|}}
- - {{path}}
-{{/each}}
-exclude_files: [".gz$"]
-multiline:
- pattern: "^\\s"
- match: after
-processors:
- - add_locale: ~
- - add_fields:
- target: ''
- fields:
- ecs.version: 1.8.0
\ No newline at end of file
diff --git a/packages/system/0.11.0/data_stream/auth/elasticsearch/ingest_pipeline/default.yml b/packages/system/0.11.0/data_stream/auth/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100644
index 7e825c58d1..0000000000
--- a/packages/system/0.11.0/data_stream/auth/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,202 +0,0 @@
----
-description: Pipeline for parsing system authorisation/secure logs
-processors:
-- set:
- field: event.ingested
- value: '{{_ingest.timestamp}}'
-- grok:
- field: message
- ignore_missing: true
- pattern_definitions:
- GREEDYMULTILINE: |-
- (.|
- )*
- TIMESTAMP: (?:%{TIMESTAMP_ISO8601}|%{SYSLOGTIMESTAMP})
- patterns:
- - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?:
- %{DATA:system.auth.ssh.event} %{DATA:system.auth.ssh.method} for (invalid user
- )?%{DATA:user.name} from %{IPORHOST:source.ip} port %{NUMBER:source.port:long}
- ssh2(: %{GREEDYDATA:system.auth.ssh.signature})?'
- - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?:
- %{DATA:system.auth.ssh.event} user %{DATA:user.name} from %{IPORHOST:source.ip}'
- - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?:
- Did not receive identification string from %{IPORHOST:system.auth.ssh.dropped_ip}'
- - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?:
- \s*%{DATA:user.name} :( %{DATA:system.auth.sudo.error} ;)? TTY=%{DATA:system.auth.sudo.tty}
- ; PWD=%{DATA:system.auth.sudo.pwd} ; USER=%{DATA:system.auth.sudo.user} ; COMMAND=%{GREEDYDATA:system.auth.sudo.command}'
- - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?:
- new group: name=%{DATA:group.name}, GID=%{NUMBER:group.id}'
- - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?:
- new user: name=%{DATA:user.name}, UID=%{NUMBER:user.id}, GID=%{NUMBER:group.id},
- home=%{DATA:system.auth.useradd.home}, shell=%{DATA:system.auth.useradd.shell}$'
- - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname}? %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?:
- %{GREEDYMULTILINE:system.auth.message}'
-- remove:
- field: message
-- rename:
- field: system.auth.message
- target_field: message
- ignore_missing: true
- if: ctx?.system?.auth?.message != null && ctx?.system?.auth?.message != ""
-- grok:
- field: message
- ignore_missing: true
- ignore_failure: true
- patterns:
- - 'for user \"?%{DATA:_temp.foruser}\"? by \"?%{DATA:_temp.byuser}\"?(?:\(uid=%{NUMBER:_temp.byuid}\))?$'
- - 'for user \"?%{DATA:_temp.foruser}\"?$'
- - 'by user \"?%{DATA:_temp.byuser}\"?$'
- if: ctx?.message != null && ctx?.message != ""
-- rename:
- field: _temp.byuser
- target_field: user.name
- ignore_missing: true
- ignore_failure: true
-- rename:
- field: _temp.byuid
- target_field: user.id
- ignore_missing: true
- ignore_failure: true
-- rename:
- field: _temp.foruser
- target_field: user.name
- ignore_missing: true
- ignore_failure: true
- if: ctx?.user?.name == null || ctx?.user?.name == ""
-- rename:
- field: _temp.foruser
- target_field: user.effective.name
- ignore_missing: true
- ignore_failure: true
- if: ctx?.user?.name != null
-- remove:
- field: _temp
- ignore_missing: true
-- convert:
- field: system.auth.sudo.user
- target_field: user.effective.name
- type: string
- ignore_failure: true
- if: ctx?.system?.auth?.sudo?.user != null
-- set:
- field: source.ip
- value: '{{system.auth.ssh.dropped_ip}}'
- ignore_empty_value: true
-- date:
- if: ctx.event.timezone == null
- field: system.auth.timestamp
- target_field: '@timestamp'
- formats:
- - MMM d HH:mm:ss
- - MMM dd HH:mm:ss
- - ISO8601
- on_failure:
- - append:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
-- date:
- if: ctx.event.timezone != null
- field: system.auth.timestamp
- target_field: '@timestamp'
- formats:
- - MMM d HH:mm:ss
- - MMM dd HH:mm:ss
- - ISO8601
- timezone: '{{ event.timezone }}'
- on_failure:
- - append:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
-- remove:
- field: system.auth.timestamp
-- geoip:
- field: source.ip
- target_field: source.geo
- ignore_failure: true
-- geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
-- rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
-- rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
-- set:
- field: event.kind
- value: event
-- script:
- lang: painless
- ignore_failure: true
- source: >-
- if (ctx.system.auth.ssh.event == "Accepted") {
- ctx.event.type = ["authentication_success", "info"];
- ctx.event.category = ["authentication","session"];
- ctx.event.action = "ssh_login";
- ctx.event.outcome = "success";
- } else if (ctx.system.auth.ssh.event == "Invalid" || ctx.system.auth.ssh.event == "Failed") {
- ctx.event.type = ["authentication_failure", "info"];
- ctx.event.category = ["authentication"];
- ctx.event.action = "ssh_login";
- ctx.event.outcome = "failure";
- }
-
-- append:
- field: event.category
- value: iam
- if: "ctx?.process?.name != null && ['groupadd', 'groupdel', 'groupmod', 'useradd', 'userdel', 'usermod'].contains(ctx.process.name)"
-- set:
- field: event.outcome
- value: success
- if: "ctx?.process?.name != null && ['groupadd', 'groupdel', 'groupmod', 'useradd', 'userdel', 'usermod'].contains(ctx.process.name)"
-- append:
- field: event.type
- value: user
- if: "ctx?.process?.name != null && ['useradd', 'userdel', 'usermod'].contains(ctx.process.name)"
-- append:
- field: event.type
- value: group
- if: "ctx?.process?.name != null && ['groupadd', 'groupdel', 'groupmod'].contains(ctx.process.name)"
-- append:
- field: event.type
- value: creation
- if: "ctx?.process?.name != null && ['useradd', 'groupadd'].contains(ctx.process.name)"
-- append:
- field: event.type
- value: deletion
- if: "ctx?.process?.name != null && ['userdel', 'groupdel'].contains(ctx.process.name)"
-- append:
- field: event.type
- value: change
- if: "ctx?.process?.name != null && ['usermod', 'groupmod'].contains(ctx.process.name)"
-- append:
- field: related.user
- value: "{{user.name}}"
- allow_duplicates: false
- if: "ctx?.user?.name != null && ctx.user?.name != ''"
-- append:
- field: related.user
- value: "{{user.effective.name}}"
- allow_duplicates: false
- if: "ctx?.user?.effective?.name != null && ctx.user?.effective?.name != ''"
-- append:
- field: related.ip
- value: "{{source.ip}}"
- allow_duplicates: false
- if: "ctx?.source?.ip != null && ctx.source?.ip != ''"
-- append:
- field: related.hosts
- value: "{{host.hostname}}"
- allow_duplicates: false
- if: "ctx.host?.hostname != null && ctx.host?.hostname != ''"
-on_failure:
-- set:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
diff --git a/packages/system/0.11.0/data_stream/auth/fields/agent.yml b/packages/system/0.11.0/data_stream/auth/fields/agent.yml
deleted file mode 100644
index da4e652c53..0000000000
--- a/packages/system/0.11.0/data_stream/auth/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/system/0.11.0/data_stream/auth/fields/base-fields.yml b/packages/system/0.11.0/data_stream/auth/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.11.0/data_stream/auth/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.11.0/data_stream/auth/fields/ecs.yml b/packages/system/0.11.0/data_stream/auth/fields/ecs.yml
deleted file mode 100644
index 1bd77bc20c..0000000000
--- a/packages/system/0.11.0/data_stream/auth/fields/ecs.yml
+++ /dev/null
@@ -1,218 +0,0 @@
-- name: '@timestamp'
- level: core
- required: true
- type: date
- description: |-
- Date/time when the event originated.
- This is the date/time extracted from the event, typically representing when the event was generated by the source.
- If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline.
- Required field for all events.
-- name: message
- level: core
- type: text
- description: |-
- For log events the message field contains the log message, optimized for viewing in a log viewer.
- For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
- If multiple messages exist, they can be combined into one message.
-- name: group
- title: Group
- group: 2
- type: group
- fields:
- - name: id
- level: extended
- type: keyword
- description: Unique identifier for the group on the system/platform.
- ignore_above: 1024
- - name: name
- level: extended
- type: keyword
- description: Name of the group.
- ignore_above: 1024
-- name: host
- title: Host
- group: 2
- type: group
- fields:
- - name: hostname
- level: core
- type: keyword
- description: |-
- Hostname of the host.
- It normally contains what the `hostname` command returns on the host machine.
- ignore_above: 1024
-- name: process
- title: Process
- group: 2
- type: group
- fields:
- - name: name
- level: extended
- type: keyword
- description: |-
- Process name.
- Sometimes called program name or similar.
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- - name: pid
- level: core
- type: long
- format: string
- description: Process id.
-- name: source
- title: Source
- group: 2
- type: group
- fields:
- - name: geo.city_name
- level: core
- type: keyword
- description: City name.
- ignore_above: 1024
- - name: geo.continent_name
- level: core
- type: keyword
- description: Name of the continent.
- ignore_above: 1024
- - name: geo.country_iso_code
- level: core
- type: keyword
- description: Country ISO code.
- ignore_above: 1024
- - name: geo.location
- level: core
- type: geo_point
- description: Longitude and latitude.
- - name: geo.region_iso_code
- level: core
- type: keyword
- description: Region ISO code.
- ignore_above: 1024
- - name: geo.region_name
- level: core
- type: keyword
- description: Region name.
- ignore_above: 1024
- - name: ip
- level: core
- type: ip
- description: IP address of the source (IPv4 or IPv6).
- - name: port
- level: core
- type: long
- format: string
- description: Port of the source.
-- name: user
- title: User
- group: 2
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- description: Unique identifier of the user.
- ignore_above: 1024
- - name: name
- level: core
- type: keyword
- description: Short name or login of the user.
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- - name: effective.name
- level: core
- type: keyword
- description: Short name or login of the user.
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
-- description: "Operating system architecture."
- ignore_above: 1024
- name: host.architecture
- type: keyword
-- description: "Name of the directory the group is a member of."
- ignore_above: 1024
- name: host.domain
- type: keyword
-- description: "Hostname of the host."
- ignore_above: 1024
- name: host.hostname
- type: keyword
-- description: "Unique host id."
- ignore_above: 1024
- name: host.id
- type: keyword
-- description: "Host ip addresses."
- name: host.ip
- type: ip
-- description: "Host mac addresses."
- ignore_above: 1024
- name: host.mac
- type: keyword
-- description: "Name of the host."
- ignore_above: 1024
- name: host.name
- type: keyword
-- description: "OS family (such as redhat, debian, freebsd, windows)."
- ignore_above: 1024
- name: host.os.family
- type: keyword
-- description: "Operating system name, including the version or code name."
- ignore_above: 1024
- multi_fields:
- - name: text
- norms: false
- type: text
- name: host.os.full
- type: keyword
-- description: "Operating system kernel version as a raw string."
- ignore_above: 1024
- name: host.os.kernel
- type: keyword
-- description: "Operating system name, without the version."
- ignore_above: 1024
- multi_fields:
- - name: text
- norms: false
- type: text
- name: host.os.name
- type: keyword
-- description: "Operating system platform (such centos, ubuntu, windows)."
- ignore_above: 1024
- name: host.os.platform
- type: keyword
-- description: "Operating system version as a raw string."
- ignore_above: 1024
- name: version
- type: keyword
-- name: error.message
- type: text
- description: Error message.
-- name: related.ip
- type: ip
- description: All of the IPs seen on your event.
-- name: related.user
- type: keyword
- description: All the user names seen on your event.
-- name: related.hosts
- type: keyword
- description: All the host names seen on your event.
-- name: source.as.number
- type: long
- description: Unique number allocated to the autonomous system.
-- name: source.as.organization.name
- type: keyword
- description: Organization name.
-- name: source.geo.country_name
- type: keyword
- description: Country name.
diff --git a/packages/system/0.11.0/data_stream/auth/fields/fields.yml b/packages/system/0.11.0/data_stream/auth/fields/fields.yml
deleted file mode 100644
index 1e7b044f02..0000000000
--- a/packages/system/0.11.0/data_stream/auth/fields/fields.yml
+++ /dev/null
@@ -1,58 +0,0 @@ -- name: system.auth - type: group - fields: - - name: ssh - type: group - fields: - - name: method - type: keyword - description: | - The SSH authentication method. Can be one of "password" or "publickey". - - name: signature - type: keyword - description: | - The signature of the client public key. - - name: dropped_ip - type: ip - description: | - The client IP from SSH connections that are open and immediately dropped. - - name: event - type: keyword - description: | - The SSH event as found in the logs (Accepted, Invalid, Failed, etc.) - - name: geoip - type: group - - name: sudo - type: group - fields: - - name: error - type: keyword - description: | - The error message in case the sudo command failed. - - name: tty - type: keyword - description: | - The TTY where the sudo command is executed. - - name: pwd - type: keyword - description: | - The current directory where the sudo command is executed. - - name: user - type: keyword - description: | - The target user to which the sudo command is switching. - - name: command - type: keyword - description: | - The command executed via sudo. - - name: useradd - type: group - fields: - - name: home - type: keyword - description: The home folder for the new user. - - name: shell - type: keyword - description: The default shell for the new user. - - name: groupadd - type: group diff --git a/packages/system/0.11.0/data_stream/auth/manifest.yml b/packages/system/0.11.0/data_stream/auth/manifest.yml deleted file mode 100644 index 428764ece1..0000000000 --- a/packages/system/0.11.0/data_stream/auth/manifest.yml +++ /dev/null @@ -1,18 +0,0 @@ -title: System auth logs -release: experimental -type: logs -streams: - - input: logfile - vars: - - name: paths - type: text - title: Paths - multi: true - required: true - show_user: true - default: - - /var/log/auth.log* - - /var/log/secure* - template_path: log.yml.hbs - title: System auth logs (log) - description: Collect System auth logs using log input 
diff --git a/packages/system/0.11.0/data_stream/core/agent/stream/stream.yml.hbs b/packages/system/0.11.0/data_stream/core/agent/stream/stream.yml.hbs deleted file mode 100644 index 38d25572bd..0000000000 --- a/packages/system/0.11.0/data_stream/core/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,5 +0,0 @@ -metricsets: ["core"] -core.metrics: -{{#each core.metrics}} - - {{this}} -{{/each}} diff --git a/packages/system/0.11.0/data_stream/core/fields/agent.yml b/packages/system/0.11.0/data_stream/core/fields/agent.yml deleted file mode 100644 index da4e652c53..0000000000 --- a/packages/system/0.11.0/data_stream/core/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.11.0/data_stream/core/fields/base-fields.yml b/packages/system/0.11.0/data_stream/core/fields/base-fields.yml deleted file mode 100644 index 7c798f4534..0000000000 --- a/packages/system/0.11.0/data_stream/core/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.11.0/data_stream/core/fields/ecs.yml b/packages/system/0.11.0/data_stream/core/fields/ecs.yml deleted file mode 100644 index e76a78fa1d..0000000000 --- a/packages/system/0.11.0/data_stream/core/fields/ecs.yml +++ /dev/null 
@@ -1,71 +0,0 @@ -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. 
- example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: Type of host. diff --git a/packages/system/0.11.0/data_stream/core/fields/fields.yml b/packages/system/0.11.0/data_stream/core/fields/fields.yml deleted file mode 100644 index dab186321f..0000000000 --- a/packages/system/0.11.0/data_stream/core/fields/fields.yml +++ /dev/null 
@@ -1,103 +0,0 @@ -- name: system.core - type: group - fields: - - name: id - type: keyword - description: | - CPU Core number. - - name: user.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in user space. - - name: user.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent in user space. - - name: system.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in kernel space. - - name: system.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent in kernel space. - - name: nice.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent on low-priority processes. - - name: nice.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent on low-priority processes. - - name: idle.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent idle. - - name: idle.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent idle. - - name: iowait.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in wait (on disk). - - name: iowait.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent in wait (on disk). - - name: irq.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent servicing and handling hardware interrupts. - - name: irq.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent servicing and handling hardware interrupts. 
- - name: softirq.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent servicing and handling software interrupts. - - name: softirq.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent servicing and handling software interrupts. - - name: steal.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. - - name: steal.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. diff --git a/packages/system/0.11.0/data_stream/core/manifest.yml b/packages/system/0.11.0/data_stream/core/manifest.yml deleted file mode 100644 index f7e0e5a825..0000000000 --- a/packages/system/0.11.0/data_stream/core/manifest.yml +++ /dev/null @@ -1,27 +0,0 @@ -title: System core metrics -release: experimental -type: metrics -streams: - - input: system/metrics - enabled: false - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - - name: core.metrics - type: text - title: Core Metrics - multi: true - required: true - show_user: true - description: > - How to report core metrics. Can be "percentages" or "ticks" - - default: - - percentages - title: System core metrics - description: Collect System core metrics diff --git a/packages/system/0.11.0/data_stream/cpu/agent/stream/stream.yml.hbs b/packages/system/0.11.0/data_stream/cpu/agent/stream/stream.yml.hbs deleted file mode 100644 index cd0de8d3d9..0000000000 --- a/packages/system/0.11.0/data_stream/cpu/agent/stream/stream.yml.hbs +++ /dev/null 
@@ -1,6 +0,0 @@ -metricsets: ["cpu"] -cpu.metrics: -{{#each cpu.metrics}} - - {{this}} -{{/each}} -period: {{period}} \ No newline at end of file diff --git a/packages/system/0.11.0/data_stream/cpu/fields/agent.yml b/packages/system/0.11.0/data_stream/cpu/fields/agent.yml deleted file mode 100644 index 3643534982..0000000000 --- a/packages/system/0.11.0/data_stream/cpu/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - - - name: cpu.pct - type: scaled_float - format: percent - description: > - Percent CPU used. 
This value is normalized by the number of CPU cores and it ranges from 0 to 1. - diff --git a/packages/system/0.11.0/data_stream/cpu/fields/base-fields.yml b/packages/system/0.11.0/data_stream/cpu/fields/base-fields.yml deleted file mode 100644 index 7c798f4534..0000000000 --- a/packages/system/0.11.0/data_stream/cpu/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.11.0/data_stream/cpu/fields/ecs.yml b/packages/system/0.11.0/data_stream/cpu/fields/ecs.yml deleted file mode 100644 index e76a78fa1d..0000000000 --- a/packages/system/0.11.0/data_stream/cpu/fields/ecs.yml +++ /dev/null 
@@ -1,71 +0,0 @@ -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. 
- example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: Type of host. diff --git a/packages/system/0.11.0/data_stream/cpu/fields/fields.yml b/packages/system/0.11.0/data_stream/cpu/fields/fields.yml deleted file mode 100644 index 9efed64c2d..0000000000 --- a/packages/system/0.11.0/data_stream/cpu/fields/fields.yml +++ /dev/null 
@@ -1,182 +0,0 @@ -- name: system.cpu - type: group - fields: - - name: cores - type: long - metric_type: gauge - description: | - The number of CPU cores present on the host. The non-normalized percentages will have a maximum value of `100% * cores`. The normalized percentages already take this value into account and have a maximum value of 100%. - - name: user.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in user space. On multi-core systems, you can have percentages that are greater than 100%. For example, if 3 cores are at 60% use, then the `system.cpu.user.pct` will be 180%. - - name: system.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in kernel space. - - name: nice.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent on low-priority processes. - - name: idle.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent idle. - - name: iowait.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in wait (on disk). - - name: irq.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent servicing and handling hardware interrupts. - - name: softirq.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent servicing and handling software interrupts. - - name: steal.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. 
- - name: total.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in states other than Idle and IOWait. - - name: user.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in user space. - - name: system.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in kernel space. - - name: nice.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent on low-priority processes. - - name: idle.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent idle. - - name: iowait.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in wait (on disk). - - name: irq.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent servicing and handling hardware interrupts. - - name: softirq.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent servicing and handling software interrupts. - - name: steal.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. - - name: total.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time in states other than Idle and IOWait, normalised by the number of cores. 
- - name: user.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent in user space. - - name: system.ticks - type: long - description: | - The amount of CPU time spent in kernel space. - - name: nice.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent on low-priority processes. - - name: idle.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent idle. - - name: iowait.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent in wait (on disk). - - name: irq.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent servicing and handling hardware interrupts. - - name: softirq.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent servicing and handling software interrupts. - - name: steal.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. -- name: host - type: group - fields: - - name: cpu.pct - type: scaled_float - unit: percent - metric_type: gauge - description: | - Percent CPU used. This value is normalized by the number of CPU cores and it ranges from 0 to 1. diff --git a/packages/system/0.11.0/data_stream/cpu/manifest.yml b/packages/system/0.11.0/data_stream/cpu/manifest.yml deleted file mode 100644 index 0388136d11..0000000000 --- a/packages/system/0.11.0/data_stream/cpu/manifest.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -title: System cpu metrics -release: experimental -type: metrics -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - - name: cpu.metrics - type: text - title: Cpu Metrics - multi: true - required: true - show_user: true - description: > - How to report CPU metrics. Can be "percentages", "normalized_percentages", or "ticks" - - default: - - percentages - - normalized_percentages - title: System cpu metrics - description: Collect System cpu metrics diff --git a/packages/system/0.11.0/data_stream/diskio/agent/stream/stream.yml.hbs b/packages/system/0.11.0/data_stream/diskio/agent/stream/stream.yml.hbs deleted file mode 100644 index 689369ee25..0000000000 --- a/packages/system/0.11.0/data_stream/diskio/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,6 +0,0 @@ -metricsets: ["diskio"] -diskio.include_devices: -{{#each diskio.include_devices}} - - {{this}} -{{/each}} -period: {{period}} \ No newline at end of file diff --git a/packages/system/0.11.0/data_stream/diskio/fields/agent.yml b/packages/system/0.11.0/data_stream/diskio/fields/agent.yml deleted file mode 100644 index 54d97ab701..0000000000 --- a/packages/system/0.11.0/data_stream/diskio/fields/agent.yml +++ /dev/null 
@@ -1,209 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- - - name: disk.read.bytes - type: long - format: bytes - description: > - The total number of bytes read successfully in a given period of time. - - - name: disk.write.bytes - type: long - format: bytes - description: >- - The total number of bytes write successfully in a given period of time. diff --git a/packages/system/0.11.0/data_stream/diskio/fields/base-fields.yml b/packages/system/0.11.0/data_stream/diskio/fields/base-fields.yml deleted file mode 100644 index 7c798f4534..0000000000 --- a/packages/system/0.11.0/data_stream/diskio/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.11.0/data_stream/diskio/fields/ecs.yml b/packages/system/0.11.0/data_stream/diskio/fields/ecs.yml deleted file mode 100644 index 9a7eeefc56..0000000000 --- a/packages/system/0.11.0/data_stream/diskio/fields/ecs.yml +++ /dev/null 
@@ -1,78 +0,0 @@ -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: hostname - level: core - type: keyword - description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - ignore_above: 1024 - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). 
- example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: Type of host. diff --git a/packages/system/0.11.0/data_stream/diskio/fields/fields.yml b/packages/system/0.11.0/data_stream/diskio/fields/fields.yml deleted file mode 100644 index 01a5762c60..0000000000 --- a/packages/system/0.11.0/data_stream/diskio/fields/fields.yml +++ /dev/null 
@@ -1,136 +0,0 @@ -- name: system.diskio - type: group - fields: - - name: name - type: keyword - description: | - The disk name. - - name: serial_number - type: keyword - description: | - The disk's serial number. This may not be provided by all operating systems. - - name: read.count - type: long - metric_type: counter - description: | - The total number of reads completed successfully. - - name: write.count - type: long - metric_type: counter - description: | - The total number of writes completed successfully. - - name: read.bytes - type: long - format: bytes - unit: byte - metric_type: counter - description: | - The total number of bytes read successfully. On Linux this is the number of sectors read multiplied by an assumed sector size of 512. - - name: write.bytes - type: long - format: bytes - unit: byte - metric_type: counter - description: | - The total number of bytes written successfully. On Linux this is the number of sectors written multiplied by an assumed sector size of 512. - - name: read.time - type: long - metric_type: counter - description: | - The total number of milliseconds spent by all reads. - - name: write.time - type: long - metric_type: counter - description: | - The total number of milliseconds spent by all writes. - - name: io.time - type: long - metric_type: counter - description: | - The total number of of milliseconds spent doing I/Os. - - name: iostat.read.request.merges_per_sec - type: float - metric_type: gauge - description: | - The number of read requests merged per second that were queued to the device. - - name: iostat.write.request.merges_per_sec - type: float - metric_type: gauge - description: | - The number of write requests merged per second that were queued to the device. 
- - name: iostat.read.request.per_sec - type: float - metric_type: gauge - description: | - The number of read requests that were issued to the device per second - - name: iostat.write.request.per_sec - type: float - metric_type: gauge - description: | - The number of write requests that were issued to the device per second - - name: iostat.read.per_sec.bytes - type: float - format: bytes - metric_type: gauge - description: | - The number of Bytes read from the device per second. - - name: iostat.read.await - type: float - metric_type: gauge - description: | - The average time spent for read requests issued to the device to be served. - - name: iostat.write.per_sec.bytes - type: float - format: bytes - metric_type: gauge - description: | - The number of Bytes write from the device per second. - - name: iostat.write.await - type: float - metric_type: gauge - description: | - The average time spent for write requests issued to the device to be served. - - name: iostat.request.avg_size - type: float - format: bytes - unit: byte - metric_type: gauge - description: | - The average size (in bytes) of the requests that were issued to the device. - - name: iostat.queue.avg_size - type: float - unit: byte - metric_type: gauge - description: | - The average queue length of the requests that were issued to the device. - - name: iostat.await - type: float - metric_type: gauge - description: | - The average time spent for requests issued to the device to be served. - - name: iostat.service_time - type: float - unit: ms - metric_type: gauge - description: | - The average service time (in milliseconds) for I/O requests that were issued to the device. - - name: iostat.busy - type: float - metric_type: gauge - description: | - Percentage of CPU time during which I/O requests were issued to the device (bandwidth utilization for the device). Device saturation occurs when this value is close to 100%. 
-- name: host - type: group - fields: - - name: disk.read.bytes - type: scaled_float - unit: byte - metric_type: gauge - description: | - The total number of bytes read successfully in a given period of time. - - name: disk.write.bytes - type: scaled_float - unit: byte - metric_type: gauge - description: | - The total number of bytes write successfully in a given period of time. diff --git a/packages/system/0.11.0/data_stream/diskio/manifest.yml b/packages/system/0.11.0/data_stream/diskio/manifest.yml deleted file mode 100644 index 320f708bef..0000000000 --- a/packages/system/0.11.0/data_stream/diskio/manifest.yml +++ /dev/null @@ -1,24 +0,0 @@ -title: System diskio metrics -release: experimental -type: metrics -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - - name: diskio.include_devices - type: text - title: Include Devices - multi: true - required: false - show_user: true - description: > - Provide a specific list of devices to monitor. By default, all devices are monitored. - - title: System diskio metrics - description: Collect System diskio metrics diff --git a/packages/system/0.11.0/data_stream/filesystem/agent/stream/stream.yml.hbs b/packages/system/0.11.0/data_stream/filesystem/agent/stream/stream.yml.hbs deleted file mode 100644 index d21fbd9919..0000000000 --- a/packages/system/0.11.0/data_stream/filesystem/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,3 +0,0 @@ -metricsets: ["filesystem"] -period: {{period}} -processors: {{processors}} diff --git a/packages/system/0.11.0/data_stream/filesystem/fields/agent.yml b/packages/system/0.11.0/data_stream/filesystem/fields/agent.yml deleted file mode 100644 index da4e652c53..0000000000 --- a/packages/system/0.11.0/data_stream/filesystem/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.11.0/data_stream/filesystem/fields/base-fields.yml b/packages/system/0.11.0/data_stream/filesystem/fields/base-fields.yml deleted file mode 100644 index 7c798f4534..0000000000 --- a/packages/system/0.11.0/data_stream/filesystem/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.11.0/data_stream/filesystem/fields/fields.yml b/packages/system/0.11.0/data_stream/filesystem/fields/fields.yml deleted file mode 100644 index d7b44199a8..0000000000 --- a/packages/system/0.11.0/data_stream/filesystem/fields/fields.yml +++ /dev/null 
@@ -1,60 +0,0 @@ -- name: system.filesystem - type: group - fields: - - name: available - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The disk space available to an unprivileged user in bytes. - - name: device_name - type: keyword - description: | - The disk name. For example: `/dev/disk1` - - name: type - type: keyword - description: | - The disk type. For example: `ext4` - - name: mount_point - type: keyword - description: | - The mounting point. For example: `/` - - name: files - type: long - metric_type: gauge - description: | - The total number of file nodes in the file system. - - name: free - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The disk space available in bytes. - - name: free_files - type: long - metric_type: gauge - description: | - The number of free file nodes in the file system. - - name: total - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The total disk space in bytes. - - name: used.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The used disk space in bytes. - - name: used.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of used disk space. diff --git a/packages/system/0.11.0/data_stream/filesystem/manifest.yml b/packages/system/0.11.0/data_stream/filesystem/manifest.yml deleted file mode 100644 index 2cc3f159a7..0000000000 --- a/packages/system/0.11.0/data_stream/filesystem/manifest.yml +++ /dev/null 
@@ -1,28 +0,0 @@ -title: System filesystem metrics -release: experimental -type: metrics -streams: - - input: system/metrics - enabled: true - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 1m - - name: processors - type: yaml - title: Processors - multi: false - required: true - show_user: true - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with external metadata. - - default: | - - drop_event.when.regexp: - system.filesystem.mount_point: ^/(sys|cgroup|proc|dev|etc|host|lib|snap)($|/) - title: System filesystem metrics - description: Collect System filesystem metrics diff --git a/packages/system/0.11.0/data_stream/fsstat/agent/stream/stream.yml.hbs b/packages/system/0.11.0/data_stream/fsstat/agent/stream/stream.yml.hbs deleted file mode 100644 index fc5ebe911d..0000000000 --- a/packages/system/0.11.0/data_stream/fsstat/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,3 +0,0 @@ -metricsets: ["fsstat"] -period: {{period}} -processors: {{processors}} diff --git a/packages/system/0.11.0/data_stream/fsstat/fields/agent.yml b/packages/system/0.11.0/data_stream/fsstat/fields/agent.yml deleted file mode 100644 index da4e652c53..0000000000 --- a/packages/system/0.11.0/data_stream/fsstat/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.11.0/data_stream/fsstat/fields/base-fields.yml b/packages/system/0.11.0/data_stream/fsstat/fields/base-fields.yml deleted file mode 100644 index 7c798f4534..0000000000 --- a/packages/system/0.11.0/data_stream/fsstat/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.11.0/data_stream/fsstat/fields/ecs.yml b/packages/system/0.11.0/data_stream/fsstat/fields/ecs.yml deleted file mode 100644 index e76a78fa1d..0000000000 --- a/packages/system/0.11.0/data_stream/fsstat/fields/ecs.yml +++ /dev/null 
@@ -1,71 +0,0 @@ -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. 
- example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: Type of host. diff --git a/packages/system/0.11.0/data_stream/fsstat/fields/fields.yml b/packages/system/0.11.0/data_stream/fsstat/fields/fields.yml deleted file mode 100644 index aab998a85d..0000000000 --- a/packages/system/0.11.0/data_stream/fsstat/fields/fields.yml +++ /dev/null @@ -1,38 +0,0 @@ -- name: system.fsstat - type: group - fields: - - name: count - type: long - metric_type: gauge - description: Number of file systems found. - - name: total_files - type: long - metric_type: gauge - description: Total number of files. - - name: total_size - type: group - format: bytes - unit: byte - metric_type: gauge - fields: - - name: free - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total free space. - - name: used - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total used space. - - name: total - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total space (used plus free). diff --git a/packages/system/0.11.0/data_stream/fsstat/manifest.yml b/packages/system/0.11.0/data_stream/fsstat/manifest.yml deleted file mode 100644 index 8e63d20df1..0000000000 --- a/packages/system/0.11.0/data_stream/fsstat/manifest.yml +++ /dev/null 
@@ -1,28 +0,0 @@ -title: System fsstat metrics -release: experimental -type: metrics -streams: - - input: system/metrics - enabled: true - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 1m - - name: processors - type: yaml - title: Processors - multi: false - required: true - show_user: true - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with external metadata. - - default: | - - drop_event.when.regexp: - system.fsstat.mount_point: ^/(sys|cgroup|proc|dev|etc|host|lib|snap)($|/) - title: System fsstat metrics - description: Collect System fsstat metrics diff --git a/packages/system/0.11.0/data_stream/load/agent/stream/stream.yml.hbs b/packages/system/0.11.0/data_stream/load/agent/stream/stream.yml.hbs deleted file mode 100644 index b1403687c4..0000000000 --- a/packages/system/0.11.0/data_stream/load/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,3 +0,0 @@ -metricsets: ["load"] -condition: ${host.platform} != 'windows' -period: {{period}} \ No newline at end of file diff --git a/packages/system/0.11.0/data_stream/load/fields/agent.yml b/packages/system/0.11.0/data_stream/load/fields/agent.yml deleted file mode 100644 index da4e652c53..0000000000 --- a/packages/system/0.11.0/data_stream/load/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.11.0/data_stream/load/fields/base-fields.yml b/packages/system/0.11.0/data_stream/load/fields/base-fields.yml deleted file mode 100644 index 7c798f4534..0000000000 --- a/packages/system/0.11.0/data_stream/load/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.11.0/data_stream/load/fields/ecs.yml b/packages/system/0.11.0/data_stream/load/fields/ecs.yml deleted file mode 100644 index e76a78fa1d..0000000000 --- a/packages/system/0.11.0/data_stream/load/fields/ecs.yml +++ /dev/null 
@@ -1,71 +0,0 @@ -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. 
- example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: Type of host. diff --git a/packages/system/0.11.0/data_stream/load/fields/fields.yml b/packages/system/0.11.0/data_stream/load/fields/fields.yml deleted file mode 100644 index ae0130faef..0000000000 --- a/packages/system/0.11.0/data_stream/load/fields/fields.yml +++ /dev/null @@ -1,38 +0,0 @@ -- name: system.load - type: group - fields: - - name: "1" - type: scaled_float - metric_type: gauge - description: | - Load average for the last minute. - - name: "5" - type: scaled_float - metric_type: gauge - description: | - Load average for the last 5 minutes. - - name: "15" - type: scaled_float - metric_type: gauge - description: | - Load average for the last 15 minutes. - - name: norm.1 - type: scaled_float - metric_type: gauge - description: | - Load for the last minute divided by the number of cores. - - name: norm.5 - type: scaled_float - metric_type: gauge - description: | - Load for the last 5 minutes divided by the number of cores. - - name: norm.15 - type: scaled_float - metric_type: gauge - description: | - Load for the last 15 minutes divided by the number of cores. - - name: cores - type: long - metric_type: gauge - description: | - The number of CPU cores present on the host. diff --git a/packages/system/0.11.0/data_stream/load/manifest.yml b/packages/system/0.11.0/data_stream/load/manifest.yml deleted file mode 100644 index 486e57b779..0000000000 --- a/packages/system/0.11.0/data_stream/load/manifest.yml +++ /dev/null @@ -1,15 +0,0 @@ -title: System load metrics -release: experimental -type: metrics -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - title: System load metrics - description: Collect System load metrics 
diff --git a/packages/system/0.11.0/data_stream/memory/agent/stream/stream.yml.hbs b/packages/system/0.11.0/data_stream/memory/agent/stream/stream.yml.hbs deleted file mode 100644 index 0d49de061f..0000000000 --- a/packages/system/0.11.0/data_stream/memory/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,2 +0,0 @@ -metricsets: ["memory"] -period: {{period}} \ No newline at end of file diff --git a/packages/system/0.11.0/data_stream/memory/fields/agent.yml b/packages/system/0.11.0/data_stream/memory/fields/agent.yml deleted file mode 100644 index da4e652c53..0000000000 --- a/packages/system/0.11.0/data_stream/memory/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.11.0/data_stream/memory/fields/base-fields.yml b/packages/system/0.11.0/data_stream/memory/fields/base-fields.yml deleted file mode 100644 index 7c798f4534..0000000000 --- a/packages/system/0.11.0/data_stream/memory/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.11.0/data_stream/memory/fields/ecs.yml b/packages/system/0.11.0/data_stream/memory/fields/ecs.yml deleted file mode 100644 index e76a78fa1d..0000000000 --- a/packages/system/0.11.0/data_stream/memory/fields/ecs.yml +++ /dev/null 
@@ -1,71 +0,0 @@ -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. 
- example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: Type of host. diff --git a/packages/system/0.11.0/data_stream/memory/fields/fields.yml b/packages/system/0.11.0/data_stream/memory/fields/fields.yml deleted file mode 100644 index 55488d61eb..0000000000 --- a/packages/system/0.11.0/data_stream/memory/fields/fields.yml +++ /dev/null 
@@ -1,199 +0,0 @@ -- name: system.memory - type: group - fields: - - name: total - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total memory. - - name: used.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Used memory. - - name: free - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The total amount of free memory in bytes. This value does not include memory consumed by system caches and buffers (see system.memory.actual.free). - - name: used.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of used memory. - - name: actual - type: group - fields: - - name: used.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Actual used memory in bytes. It represents the difference between the total and the available memory. The available memory depends on the OS. For more details, please check `system.actual.free`. - - name: free - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Actual free memory in bytes. It is calculated based on the OS. On Linux this value will be MemAvailable from /proc/meminfo, or calculated from free memory plus caches and buffers if /proc/meminfo is not available. On OSX it is a sum of free memory and the inactive memory. On Windows, it is equal to `system.memory.free`. - - name: used.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of actual used memory. - - name: swap - type: group - fields: - - name: total - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total swap memory. - - name: used.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Used swap memory. - - name: free - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Available swap memory. 
- - name: out.pages - type: long - metric_type: counter - description: count of pages swapped out - - name: in.pages - type: long - metric_type: gauge - description: count of pages swapped in - - name: readahead.pages - type: long - metric_type: counter - description: swap readahead pages - - name: readahead.cached - type: long - description: swap readahead cache hits - - name: used.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of used swap memory. - - name: page_stats - type: group - fields: - - name: pgscan_kswapd.pages - type: long - format: number - metric_type: counter - description: pages scanned by kswapd - - name: pgscan_direct.pages - type: long - format: number - metric_type: counter - description: pages scanned directly - - name: pgfree.pages - type: long - format: number - metric_type: counter - description: pages freed by the system - - name: pgsteal_kswapd.pages - type: long - format: number - metric_type: counter - description: number of pages reclaimed by kswapd - - name: pgsteal_direct.pages - type: long - format: number - metric_type: counter - description: number of pages reclaimed directly - - name: direct_efficiency.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: direct reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory. - - name: kswapd_efficiency.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: kswapd reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory. - - name: hugepages - type: group - fields: - - name: total - type: long - format: number - metric_type: gauge - description: | - Number of huge pages in the pool. - - name: used.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Memory used in allocated huge pages. 
- - name: used.pct - type: long - format: percent - unit: percent - metric_type: gauge - description: | - Percentage of huge pages used. - - name: free - type: long - format: number - metric_type: gauge - description: | - Number of available huge pages in the pool. - - name: reserved - type: long - format: number - metric_type: gauge - description: | - Number of reserved but not allocated huge pages in the pool. - - name: surplus - type: long - format: number - metric_type: gauge - description: | - Number of overcommited huge pages. - - name: default_size - type: long - format: bytes - metric_type: gauge - description: | - Default size for huge pages. - - name: swap.out - type: group - fields: - - name: pages - type: long - metric_type: gauge - description: pages swapped out - - name: fallback - type: long - metric_type: gauge - description: Count of huge pages that must be split before swapout diff --git a/packages/system/0.11.0/data_stream/memory/manifest.yml b/packages/system/0.11.0/data_stream/memory/manifest.yml deleted file mode 100644 index aeb17b0bd0..0000000000 --- a/packages/system/0.11.0/data_stream/memory/manifest.yml +++ /dev/null @@ -1,15 +0,0 @@ -title: System memory metrics -release: experimental -type: metrics -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - title: System memory metrics - description: Collect System memory metrics diff --git a/packages/system/0.11.0/data_stream/network/agent/stream/stream.yml.hbs b/packages/system/0.11.0/data_stream/network/agent/stream/stream.yml.hbs deleted file mode 100644 index a3aeb928ae..0000000000 --- a/packages/system/0.11.0/data_stream/network/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,6 +0,0 @@ -metricsets: ["network"] -period: {{period}} -network.interfaces: -{{#each network.interfaces}} - - {{this}} -{{/each}} 
diff --git a/packages/system/0.11.0/data_stream/network/fields/agent.yml b/packages/system/0.11.0/data_stream/network/fields/agent.yml deleted file mode 100644 index e5afe01139..0000000000 --- a/packages/system/0.11.0/data_stream/network/fields/agent.yml +++ /dev/null 
@@ -1,220 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- - - name: network.in.bytes - type: long - format: bytes - description: > - The number of bytes received on all network interfaces by the host in a given period of time. - - - name: network.in.packets - type: long - description: > - The number of packets received on all network interfaces by the host in a given period of time. - - - name: network.out.bytes - type: long - format: bytes - description: > - The number of bytes sent out on all network interfaces by the host in a given period of time. - - - name: network.out.packets - type: long - description: > - The number of packets sent out on all network interfaces by the host in a given period of time. - diff --git a/packages/system/0.11.0/data_stream/network/fields/base-fields.yml b/packages/system/0.11.0/data_stream/network/fields/base-fields.yml deleted file mode 100644 index 7c798f4534..0000000000 --- a/packages/system/0.11.0/data_stream/network/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.11.0/data_stream/network/fields/ecs.yml b/packages/system/0.11.0/data_stream/network/fields/ecs.yml deleted file mode 100644 index 9f3d04118b..0000000000 --- a/packages/system/0.11.0/data_stream/network/fields/ecs.yml +++ /dev/null 
@@ -1,128 +0,0 @@ -- name: '@timestamp' - level: core - required: true - type: date - description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. -- name: message - level: core - type: text - description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. -- name: group - title: Group - group: 2 - type: group - fields: - - name: id - level: extended - type: keyword - description: Unique identifier for the group on the system/platform. - ignore_above: 1024 - - name: name - level: extended - type: keyword - description: Name of the group. - ignore_above: 1024 -- name: host - title: Host - group: 2 - type: group - fields: - - name: hostname - level: core - type: keyword - description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - ignore_above: 1024 -- name: process - title: Process - group: 2 - type: group - fields: - - name: name - level: extended - type: keyword - description: |- - Process name. - Sometimes called program name or similar. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - - name: pid - level: core - type: long - format: string - description: Process id. -- name: source - title: Source - group: 2 - type: group - fields: - - name: geo.city_name - level: core - type: keyword - description: City name. 
- ignore_above: 1024 - - name: geo.continent_name - level: core - type: keyword - description: Name of the continent. - ignore_above: 1024 - - name: geo.country_iso_code - level: core - type: keyword - description: Country ISO code. - ignore_above: 1024 - - name: geo.location - level: core - type: geo_point - description: Longitude and latitude. - - name: geo.region_iso_code - level: core - type: keyword - description: Region ISO code. - ignore_above: 1024 - - name: geo.region_name - level: core - type: keyword - description: Region name. - ignore_above: 1024 - - name: ip - level: core - type: ip - description: IP address of the source (IPv4 or IPv6). - - name: port - level: core - type: long - format: string - description: Port of the source. -- name: user - title: User - group: 2 - type: group - fields: - - name: id - level: core - type: keyword - description: Unique identifier of the user. - ignore_above: 1024 - - name: name - level: core - type: keyword - description: Short name or login of the user. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false diff --git a/packages/system/0.11.0/data_stream/network/fields/fields.yml b/packages/system/0.11.0/data_stream/network/fields/fields.yml deleted file mode 100644 index a309d88ba0..0000000000 --- a/packages/system/0.11.0/data_stream/network/fields/fields.yml +++ /dev/null 
@@ -1,77 +0,0 @@ -- name: system.network - type: group - fields: - - name: name - type: keyword - description: | - The network interface name. - - name: out.bytes - type: long - format: bytes - unit: byte - metric_type: counter - description: | - The number of bytes sent. - - name: in.bytes - type: long - format: bytes - unit: byte - metric_type: counter - description: | - The number of bytes received. - - name: out.packets - type: long - metric_type: counter - description: | - The number of packets sent. - - name: in.packets - type: long - metric_type: counter - description: | - The number or packets received. - - name: in.errors - type: long - metric_type: counter - description: | - The number of errors while receiving. - - name: out.errors - type: long - metric_type: counter - description: | - The number of errors while sending. - - name: in.dropped - type: long - metric_type: counter - description: | - The number of incoming packets that were dropped. - - name: out.dropped - type: long - metric_type: counter - description: | - The number of outgoing packets that were dropped. This value is always 0 on Darwin and BSD because it is not reported by the operating system. -- name: host - type: group - fields: - - name: network.in.bytes - type: scaled_float - format: bytes - unit: byte - metric_type: counter - description: | - The number of bytes received on all network interfaces by the host in a given period of time. - - name: network.out.bytes - type: scaled_float - unit: byte - metric_type: counter - description: | - The number of bytes sent out on all network interfaces by the host in a given period of time. - - name: network.in.packets - type: scaled_float - metric_type: counter - description: | - The number of packets received on all network interfaces by the host in a given period of time. 
- - name: network.out.packets - type: scaled_float - metric_type: counter - description: | - The number of packets sent out on all network interfaces by the host in a given period of time. diff --git a/packages/system/0.11.0/data_stream/network/manifest.yml b/packages/system/0.11.0/data_stream/network/manifest.yml deleted file mode 100644 index b9878b3e64..0000000000 --- a/packages/system/0.11.0/data_stream/network/manifest.yml +++ /dev/null @@ -1,24 +0,0 @@ -title: System network metrics -release: experimental -type: metrics -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - - name: network.interfaces - type: text - title: Interfaces - multi: true - required: false - show_user: true - description: > - List of interfaces to monitor. Will monitor all by default. - - title: System network metrics - description: Collect System network metrics diff --git a/packages/system/0.11.0/data_stream/process/agent/stream/stream.yml.hbs b/packages/system/0.11.0/data_stream/process/agent/stream/stream.yml.hbs deleted file mode 100644 index ea51aa86f4..0000000000 --- a/packages/system/0.11.0/data_stream/process/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,19 +0,0 @@ -metricsets: ["process"] -period: {{period}} -process.include_top_n.by_cpu: {{process.include_top_n.by_cpu}} -process.include_top_n.by_memory: {{process.include_top_n.by_memory}} -process.cmdline.cache.enabled: {{process.cmdline.cache.enabled}} -process.cgroups.enabled: {{process.cgroups.enabled}} -process.include_cpu_ticks: {{process.include_cpu_ticks}} -{{#if process.env.whitelist}} -{{#each process.env.whitelist}} - - {{this}} -{{/each}} -{{/if}} -processes: -{{#each processes}} - - {{this}} -{{/each}} -{{#if system.hostfs}} -system.hostfs: {{system.hostfs}} -{{/if}} \ No newline at end of file 
diff --git a/packages/system/0.11.0/data_stream/process/fields/agent.yml b/packages/system/0.11.0/data_stream/process/fields/agent.yml
deleted file mode 100644
index d5df59895a..0000000000
--- a/packages/system/0.11.0/data_stream/process/fields/agent.yml
+++ /dev/null
@@ -1,226 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: process - title: Process - group: 2 - description: Process metrics. 
- type: group - fields: - - name: state - type: keyword - description: > - The process state. For example: "running". - - - name: cpu.pct - type: scaled_float - format: percent - description: > - The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 1. - - - name: cpu.start_time - type: date - description: > - The time when the process was started. - - - name: memory.pct - type: scaled_float - format: percent - description: > - The percentage of memory the process occupied in main memory (RAM). - diff --git a/packages/system/0.11.0/data_stream/process/fields/base-fields.yml b/packages/system/0.11.0/data_stream/process/fields/base-fields.yml deleted file mode 100644 index 7c798f4534..0000000000 --- a/packages/system/0.11.0/data_stream/process/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.11.0/data_stream/process/fields/ecs.yml b/packages/system/0.11.0/data_stream/process/fields/ecs.yml deleted file mode 100644 index 7e409c1793..0000000000 --- a/packages/system/0.11.0/data_stream/process/fields/ecs.yml +++ /dev/null 
@@ -1,128 +0,0 @@ -- name: process - title: Process - group: 2 - type: group - fields: - - name: name - level: extended - type: keyword - description: |- - Process name. - Sometimes called program name or similar. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - - name: pgid - level: extended - type: long - format: string - description: Identifier of the group of processes the process belongs to. - - name: pid - level: core - type: long - format: string - description: Process id. - - name: ppid - level: extended - type: long - format: string - description: Parent process' pid. - - name: working_directory - level: extended - type: keyword - description: The working directory of the process. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false -- name: user - title: User - group: 2 - type: group - fields: - - name: name - level: core - type: keyword - description: Short name or login of the user. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. 
- - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: Type of host. diff --git a/packages/system/0.11.0/data_stream/process/fields/fields.yml b/packages/system/0.11.0/data_stream/process/fields/fields.yml deleted file mode 100644 index 4dc7b1aab2..0000000000 --- a/packages/system/0.11.0/data_stream/process/fields/fields.yml +++ /dev/null 
@@ -1,434 +0,0 @@ -- name: system.process - type: group - fields: - - name: state - type: keyword - description: | - The process state. For example: "running". - - name: cmdline - type: keyword - description: | - The full command-line used to start the process, including the arguments separated by space. - ignore_above: 2048 - - name: env - type: object - description: | - The environment variables used to start the process. The data is available on FreeBSD, Linux, and OS X. - - name: cpu - type: group - fields: - - name: user.ticks - type: long - metric_type: counter - description: | - The amount of CPU time the process spent in user space. - - name: total.value - type: long - metric_type: counter - description: | - The value of CPU usage since starting the process. - - name: total.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent by the process since the last update. Its value is similar to the %CPU value of the process displayed by the top command on Unix systems. - - name: total.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 100%. - - name: system.ticks - type: long - metric_type: counter - description: | - The amount of CPU time the process spent in kernel space. - - name: total.ticks - type: long - metric_type: counter - description: | - The total CPU time spent by the process. - - name: start_time - type: date - description: | - The time when the process was started. - - name: memory - type: group - fields: - - name: size - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The total virtual memory the process has. 
On Windows this represents the Commit Charge (the total amount of memory that the memory manager has committed for a running process) value in bytes for this process. - - name: rss.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The Resident Set Size. The amount of memory the process occupied in main memory (RAM). On Windows this represents the current working set size, in bytes. - - name: rss.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of memory the process occupied in main memory (RAM). - - name: share - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The shared memory the process uses. - - name: fd - type: group - fields: - - name: open - type: long - metric_type: gauge - description: The number of file descriptors open by the process. - - name: limit.soft - type: long - metric_type: gauge - description: | - The soft limit on the number of file descriptors opened by the process. The soft limit can be changed by the process at any time. - - name: limit.hard - type: long - metric_type: gauge - description: | - The hard limit on the number of file descriptors opened by the process. The hard limit can only be raised by root. - - name: cgroup - type: group - fields: - - name: id - type: keyword - description: | - The ID common to all cgroups associated with this task. If there isn't a common ID used by all cgroups this field will be absent. - - name: path - type: keyword - description: | - The path to the cgroup relative to the cgroup subsystem's mountpoint. If there isn't a common path used by all cgroups this field will be absent. - - name: cpu - type: group - fields: - - name: id - type: keyword - description: ID of the cgroup. - - name: path - type: keyword - description: | - Path to the cgroup relative to the cgroup subsystem's mountpoint. 
- - name: cfs.period.us - type: long - unit: micros - description: | - Period of time in microseconds for how regularly a cgroup's access to CPU resources should be reallocated. - - name: cfs.quota.us - type: long - unit: micros - description: | - Total amount of time in microseconds for which all tasks in a cgroup can run during one period (as defined by cfs.period.us). - - name: cfs.shares - type: long - description: | - An integer value that specifies a relative share of CPU time available to the tasks in a cgroup. The value specified in the cpu.shares file must be 2 or higher. - - name: rt.period.us - type: long - unit: micros - description: | - Period of time in microseconds for how regularly a cgroup's access to CPU resources is reallocated. - - name: rt.runtime.us - type: long - unit: micros - description: | - Period of time in microseconds for the longest continuous period in which the tasks in a cgroup have access to CPU resources. - - name: stats.periods - type: long - metric_type: counter - description: | - Number of period intervals (as specified in cpu.cfs.period.us) that have elapsed. - - name: stats.throttled.periods - type: long - metric_type: counter - description: | - Number of times tasks in a cgroup have been throttled (that is, not allowed to run because they have exhausted all of the available time as specified by their quota). - - name: stats.throttled.ns - type: long - metric_type: counter - unit: nanos - description: | - The total time duration (in nanoseconds) for which tasks in a cgroup have been throttled. - - name: cpuacct - type: group - fields: - - name: id - type: keyword - description: ID of the cgroup. - - name: path - type: keyword - description: | - Path to the cgroup relative to the cgroup subsystem's mountpoint. - - name: total.ns - type: long - metric_type: counter - unit: nanos - description: | - Total CPU time in nanoseconds consumed by all tasks in the cgroup. 
- - name: stats.user.ns - type: long - metric_type: counter - unit: nanos - description: CPU time consumed by tasks in user mode. - - name: stats.system.ns - type: long - metric_type: counter - unit: nanos - description: CPU time consumed by tasks in user (kernel) mode. - - name: percpu - type: object - description: | - CPU time (in nanoseconds) consumed on each CPU by all tasks in this cgroup. - - name: memory - type: group - fields: - - name: id - type: keyword - description: ID of the cgroup. - - name: path - type: keyword - description: | - Path to the cgroup relative to the cgroup subsystem's mountpoint. - - name: mem.usage.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total memory usage by processes in the cgroup (in bytes). - - name: mem.usage.max.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum memory used by processes in the cgroup (in bytes). - - name: mem.limit.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum amount of user memory in bytes (including file cache) that tasks in the cgroup are allowed to use. - - name: mem.failures - type: long - description: | - The number of times that the memory limit (mem.limit.bytes) was reached. - - name: memsw.usage.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The sum of current memory usage plus swap space used by processes in the cgroup (in bytes). - - name: memsw.usage.max.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum amount of memory and swap space used by processes in the cgroup (in bytes). - - name: memsw.limit.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum amount for the sum of memory and swap usage that tasks in the cgroup are allowed to use. 
- - name: memsw.failures
- type: long
- unit: byte
- metric_type: gauge
- description: |
- The number of times that the memory plus swap space limit (memsw.limit.bytes) was reached.
- - name: kmem.usage.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Total kernel memory usage by processes in the cgroup (in bytes).
- - name: kmem.usage.max.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- The maximum kernel memory used by processes in the cgroup (in bytes).
- - name: kmem.limit.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- The maximum amount of kernel memory that tasks in the cgroup are allowed to use.
- - name: kmem.failures
- type: long
- metric_type: counter
- description: |
- The number of times that the memory limit (kmem.limit.bytes) was reached.
- - name: kmem_tcp.usage.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Total memory usage for TCP buffers in bytes.
- - name: kmem_tcp.usage.max.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- The maximum memory used for TCP buffers by processes in the cgroup (in bytes).
- - name: kmem_tcp.limit.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- The maximum amount of memory for TCP buffers that tasks in the cgroup are allowed to use.
- - name: kmem_tcp.failures
- type: long
- metric_type: counter
- description: |
- The number of times that the memory limit (kmem_tcp.limit.bytes) was reached.
- - name: stats.active_anon.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Anonymous and swap cache on active least-recently-used (LRU) list, including tmpfs (shmem), in bytes.
- - name: stats.active_file.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: File-backed memory on active LRU list, in bytes.
- - name: stats.cache.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: Page cache, including tmpfs (shmem), in bytes.
- - name: stats.hierarchical_memory_limit.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Memory limit for the hierarchy that contains the memory cgroup, in bytes.
- - name: stats.hierarchical_memsw_limit.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Memory plus swap limit for the hierarchy that contains the memory cgroup, in bytes.
- - name: stats.inactive_anon.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Anonymous and swap cache on inactive LRU list, including tmpfs (shmem), in bytes
- - name: stats.inactive_file.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- File-backed memory on inactive LRU list, in bytes.
- - name: stats.mapped_file.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Size of memory-mapped mapped files, including tmpfs (shmem), in bytes.
- - name: stats.page_faults
- type: long
- metric_type: counter
- description: |
- Number of times that a process in the cgroup triggered a page fault.
- - name: stats.major_page_faults
- type: long
- metric_type: counter
- description: |
- Number of times that a process in the cgroup triggered a major fault. "Major" faults happen when the kernel actually has to read the data from disk.
- - name: stats.pages_in
- type: long
- metric_type: counter
- description: |
- Number of pages paged into memory. This is a counter.
- - name: stats.pages_out
- type: long
- metric_type: counter
- description: |
- Number of pages paged out of memory. This is a counter.
- - name: stats.rss.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Anonymous and swap cache (includes transparent hugepages), not including tmpfs (shmem), in bytes.
- - name: stats.rss_huge.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Number of bytes of anonymous transparent hugepages.
- - name: stats.swap.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Swap usage, in bytes.
- - name: stats.unevictable.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Memory that cannot be reclaimed, in bytes.
- - name: blkio
- type: group
- fields:
- - name: id
- type: keyword
- description: ID of the cgroup.
- - name: path
- type: keyword
- description: |
- Path to the cgroup relative to the cgroup subsystems mountpoint.
- - name: total.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Total number of bytes transferred to and from all block devices by processes in the cgroup.
- - name: total.ios
- type: long
- metric_type: counter
- description: |
- Total number of I/O operations performed on all devices by processes in the cgroup as seen by the throttling policy.
diff --git a/packages/system/0.11.0/data_stream/process/manifest.yml b/packages/system/0.11.0/data_stream/process/manifest.yml
deleted file mode 100644
index fd982eb931..0000000000
--- a/packages/system/0.11.0/data_stream/process/manifest.yml
+++ /dev/null
@@ -1,85 +0,0 @@
-title: System process metrics
-release: experimental
-type: metrics
-streams:
- - input: system/metrics
- vars:
- - name: period
- type: text
- title: Period
- multi: false
- required: true
- show_user: true
- default: 10s
- - name: process.include_top_n.by_cpu
- type: integer
- title: Process Include Top N By Cpu
- multi: false
- required: true
- show_user: true
- default: 5
- description: >
- Include the top N processes by CPU usage.
-
- - name: process.include_top_n.by_memory
- type: integer
- title: Process Include Top N By Memory
- multi: false
- required: true
- show_user: true
- default: 5
- description: >
- Include the top N processes by memory usage.
-
- - name: process.cmdline.cache.enabled
- type: bool
- title: Enable cmdline cache
- multi: false
- required: false
- show_user: true
- default: true
- description: >
- If false, cmdline of a process is not cached.
-
- - name: process.cgroups.enabled
- type: bool
- title: Enable cgroup reporting
- multi: false
- required: false
- show_user: true
- default: false
- description: >
- Enable collection of cgroup metrics from processes on Linux.
-
- - name: process.env.whitelist
- type: text
- title: Env whitelist
- multi: true
- required: false
- show_user: true
- description: >
- A list of regular expressions used to whitelist environment variables reported with the process metricset's events. Defaults to empty.
-
- - name: process.include_cpu_ticks
- type: bool
- title: Include CPU Ticks
- multi: false
- required: false
- show_user: true
- default: false
- description: >
- Include the cumulative CPU tick values with the process metrics.
-
- - name: processes
- type: text
- title: Processes
- multi: true
- required: true
- show_user: true
- description: >
- A glob to match reported processes. By default all processes are reported.
-
- default:
- - .*
- title: System process metrics
- description: Collect System process metrics
diff --git a/packages/system/0.11.0/data_stream/process_summary/agent/stream/stream.yml.hbs b/packages/system/0.11.0/data_stream/process_summary/agent/stream/stream.yml.hbs
deleted file mode 100644
index 298d89ea60..0000000000
--- a/packages/system/0.11.0/data_stream/process_summary/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,5 +0,0 @@
-metricsets: ["process_summary"]
-period: {{period}}
-{{#if system.hostfs}}
-system.hostfs: {{system.hostfs}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/system/0.11.0/data_stream/process_summary/fields/agent.yml b/packages/system/0.11.0/data_stream/process_summary/fields/agent.yml
deleted file mode 100644
index da4e652c53..0000000000
--- a/packages/system/0.11.0/data_stream/process_summary/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/system/0.11.0/data_stream/process_summary/fields/base-fields.yml b/packages/system/0.11.0/data_stream/process_summary/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.11.0/data_stream/process_summary/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.11.0/data_stream/process_summary/fields/ecs.yml b/packages/system/0.11.0/data_stream/process_summary/fields/ecs.yml
deleted file mode 100644
index 9f3d04118b..0000000000
--- a/packages/system/0.11.0/data_stream/process_summary/fields/ecs.yml
+++ /dev/null
@@ -1,128 +0,0 @@
-- name: '@timestamp'
- level: core
- required: true
- type: date
- description: |-
- Date/time when the event originated.
- This is the date/time extracted from the event, typically representing when the event was generated by the source.
- If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline.
- Required field for all events.
-- name: message
- level: core
- type: text
- description: |-
- For log events the message field contains the log message, optimized for viewing in a log viewer.
- For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
- If multiple messages exist, they can be combined into one message.
-- name: group
- title: Group
- group: 2
- type: group
- fields:
- - name: id
- level: extended
- type: keyword
- description: Unique identifier for the group on the system/platform.
- ignore_above: 1024
- - name: name
- level: extended
- type: keyword
- description: Name of the group.
- ignore_above: 1024
-- name: host
- title: Host
- group: 2
- type: group
- fields:
- - name: hostname
- level: core
- type: keyword
- description: |-
- Hostname of the host.
- It normally contains what the `hostname` command returns on the host machine.
- ignore_above: 1024
-- name: process
- title: Process
- group: 2
- type: group
- fields:
- - name: name
- level: extended
- type: keyword
- description: |-
- Process name.
- Sometimes called program name or similar.
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- - name: pid
- level: core
- type: long
- format: string
- description: Process id.
-- name: source
- title: Source
- group: 2
- type: group
- fields:
- - name: geo.city_name
- level: core
- type: keyword
- description: City name.
- ignore_above: 1024
- - name: geo.continent_name
- level: core
- type: keyword
- description: Name of the continent.
- ignore_above: 1024
- - name: geo.country_iso_code
- level: core
- type: keyword
- description: Country ISO code.
- ignore_above: 1024
- - name: geo.location
- level: core
- type: geo_point
- description: Longitude and latitude.
- - name: geo.region_iso_code
- level: core
- type: keyword
- description: Region ISO code.
- ignore_above: 1024
- - name: geo.region_name
- level: core
- type: keyword
- description: Region name.
- ignore_above: 1024
- - name: ip
- level: core
- type: ip
- description: IP address of the source (IPv4 or IPv6).
- - name: port
- level: core
- type: long
- format: string
- description: Port of the source.
-- name: user
- title: User
- group: 2
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- description: Unique identifier of the user.
- ignore_above: 1024
- - name: name
- level: core
- type: keyword
- description: Short name or login of the user.
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
diff --git a/packages/system/0.11.0/data_stream/process_summary/fields/fields.yml b/packages/system/0.11.0/data_stream/process_summary/fields/fields.yml
deleted file mode 100644
index bc9254a2ae..0000000000
--- a/packages/system/0.11.0/data_stream/process_summary/fields/fields.yml
+++ /dev/null
@@ -1,44 +0,0 @@
-- name: system.process.summary
- title: Process Summary
- type: group
- fields:
- - name: total
- type: long
- metric_type: gauge
- description: |
- Total number of processes on this host.
- - name: running
- type: long
- metric_type: gauge
- description: |
- Number of running processes on this host.
- - name: idle
- type: long
- metric_type: gauge
- description: |
- Number of idle processes on this host.
- - name: sleeping
- type: long
- metric_type: gauge
- description: |
- Number of sleeping processes on this host.
- - name: stopped
- type: long
- metric_type: gauge
- description: |
- Number of stopped processes on this host.
- - name: zombie
- type: long
- metric_type: gauge
- description: |
- Number of zombie processes on this host.
- - name: dead
- type: long
- metric_type: gauge
- description: |
- Number of dead processes on this host. It's very unlikely that it will appear but in some special situations it may happen.
- - name: unknown
- type: long
- metric_type: gauge
- description: |
- Number of processes for which the state couldn't be retrieved or is unknown.
diff --git a/packages/system/0.11.0/data_stream/process_summary/manifest.yml b/packages/system/0.11.0/data_stream/process_summary/manifest.yml
deleted file mode 100644
index cd89d30b94..0000000000
--- a/packages/system/0.11.0/data_stream/process_summary/manifest.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-title: System process_summary metrics
-release: experimental
-type: metrics
-streams:
- - input: system/metrics
- vars:
- - name: period
- type: text
- title: Period
- multi: false
- required: true
- show_user: true
- default: 10s
- title: System process_summary metrics
- description: Collect System process_summary metrics
diff --git a/packages/system/0.11.0/data_stream/security/agent/stream/winlog.yml.hbs b/packages/system/0.11.0/data_stream/security/agent/stream/winlog.yml.hbs
deleted file mode 100644
index ea60e77baf..0000000000
--- a/packages/system/0.11.0/data_stream/security/agent/stream/winlog.yml.hbs
+++ /dev/null
@@ -1,2053 +0,0 @@
-name: Security
-condition: ${host.platform} == 'windows'
-processors:
- - add_fields:
- target: ''
- fields:
- ecs.version: 1.6.0
- - script:
- lang: javascript
- id: security
- source: |-
- // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- // or more contributor license agreements. Licensed under the Elastic License;
- // you may not use this file except in compliance with the Elastic License.
- var security = (function () {
- var path = require("path");
- var processor = require("processor");
- var windows = require("windows");
- // Logon Types
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events
- var logonTypes = {
- "2": "Interactive",
- "3": "Network",
- "4": "Batch",
- "5": "Service",
- "7": "Unlock",
- "8": "NetworkCleartext",
- "9": "NewCredentials",
- "10": "RemoteInteractive",
- "11": "CachedInteractive",
- };
- // User Account Control Attributes Table
- // https://support.microsoft.com/es-us/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties
- var uacFlags = [
- [0x0001, 'SCRIPT'],
- [0x0002, 'ACCOUNTDISABLE'],
- [0x0008, 'HOMEDIR_REQUIRED'],
- [0x0010, 'LOCKOUT'],
- [0x0020, 'PASSWD_NOTREQD'],
- [0x0040, 'PASSWD_CANT_CHANGE'],
- [0x0080, 'ENCRYPTED_TEXT_PWD_ALLOWED'],
- [0x0100, 'TEMP_DUPLICATE_ACCOUNT'],
- [0x0200, 'NORMAL_ACCOUNT'],
- [0x0800, 'INTERDOMAIN_TRUST_ACCOUNT'],
- [0x1000, 'WORKSTATION_TRUST_ACCOUNT'],
- [0x2000, 'SERVER_TRUST_ACCOUNT'],
- [0x10000, 'DONT_EXPIRE_PASSWORD'],
- [0x20000, 'MNS_LOGON_ACCOUNT'],
- [0x40000, 'SMARTCARD_REQUIRED'],
- [0x80000, 'TRUSTED_FOR_DELEGATION'],
- [0x100000, 'NOT_DELEGATED'],
- [0x200000, 'USE_DES_KEY_ONLY'],
- [0x400000, 'DONT_REQ_PREAUTH'],
- [0x800000, 'PASSWORD_EXPIRED'],
- [0x1000000, 'TRUSTED_TO_AUTH_FOR_DELEGATION'],
- [0x04000000, 'PARTIAL_SECRETS_ACCOUNT'],
- ];
- // Kerberos TGT and TGS Ticket Options
- //
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769
- var ticketOptions = [
- "Reserved",
- "Forwardable",
- "Forwarded",
- "Proxiable",
- "Proxy",
- "Allow-postdate",
- "Postdated",
- "Invalid",
- "Renewable",
- "Initial",
- "Pre-authent",
- "Opt-hardware-auth",
- "Transited-policy-checked",
- "Ok-as-delegate",
- "Request-anonymous",
- "Name-canonicalize",
- "Unused",
- "Unused",
- "Unused",
- "Unused",
- "Unused",
- "Unused",
- "Unused",
- "Unused",
- "Unused",
- "Unused",
- "Disable-transited-check",
- "Renewable-ok",
- "Enc-tkt-in-skey",
- "Unused",
- "Renew",
- "Validate"];
- // Kerberos Encryption Types
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
- var ticketEncryptionTypes = {
- "0x1": "DES-CBC-CRC",
- "0x3": "DES-CBC-MD5",
- "0x11": "AES128-CTS-HMAC-SHA1-96",
- "0x12": "AES256-CTS-HMAC-SHA1-96",
- "0x17": "RC4-HMAC",
- "0x18": "RC4-HMAC-EXP",
- "0xffffffff": "FAIL",
- };
- // Kerberos Result Status Codes
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
- var kerberosTktStatusCodes = {
- "0x0": "KDC_ERR_NONE",
- "0x1": "KDC_ERR_NAME_EXP",
- "0x2": "KDC_ERR_SERVICE_EXP",
- "0x3": "KDC_ERR_BAD_PVNO",
- "0x4": "KDC_ERR_C_OLD_MAST_KVNO",
- "0x5": "KDC_ERR_S_OLD_MAST_KVNO",
- "0x6": "KDC_ERR_C_PRINCIPAL_UNKNOWN",
- "0x7": "KDC_ERR_S_PRINCIPAL_UNKNOWN",
- "0x8": "KDC_ERR_PRINCIPAL_NOT_UNIQUE",
- "0x9": "KDC_ERR_NULL_KEY",
- "0xA": "KDC_ERR_CANNOT_POSTDATE",
- "0xB": "KDC_ERR_NEVER_VALID",
- "0xC": "KDC_ERR_POLICY",
- "0xD": "KDC_ERR_BADOPTION",
- "0xE": "KDC_ERR_ETYPE_NOTSUPP",
- "0xF": "KDC_ERR_SUMTYPE_NOSUPP",
- "0x10": "KDC_ERR_PADATA_TYPE_NOSUPP",
- "0x11":
"KDC_ERR_TRTYPE_NO_SUPP", - "0x12": "KDC_ERR_CLIENT_REVOKED", - "0x13": "KDC_ERR_SERVICE_REVOKED", - "0x14": "KDC_ERR_TGT_REVOKED", - "0x15": "KDC_ERR_CLIENT_NOTYET", - "0x16": "KDC_ERR_SERVICE_NOTYET", - "0x17": "KDC_ERR_KEY_EXPIRED", - "0x18": "KDC_ERR_PREAUTH_FAILED", - "0x19": "KDC_ERR_PREAUTH_REQUIRED", - "0x1A": "KDC_ERR_SERVER_NOMATCH", - "0x1B": "KDC_ERR_MUST_USE_USER2USER", - "0x1F": "KRB_AP_ERR_BAD_INTEGRITY", - "0x20": "KRB_AP_ERR_TKT_EXPIRED", - "0x21": "KRB_AP_ERR_TKT_NYV", - "0x22": "KRB_AP_ERR_REPEAT", - "0x23": "KRB_AP_ERR_NOT_US", - "0x24": "KRB_AP_ERR_BADMATCH", - "0x25": "KRB_AP_ERR_SKEW", - "0x26": "KRB_AP_ERR_BADADDR", - "0x27": "KRB_AP_ERR_BADVERSION", - "0x28": "KRB_AP_ERR_MSG_TYPE", - "0x29": "KRB_AP_ERR_MODIFIED", - "0x2A": "KRB_AP_ERR_BADORDER", - "0x2C": "KRB_AP_ERR_BADKEYVER", - "0x2D": "KRB_AP_ERR_NOKEY", - "0x2E": "KRB_AP_ERR_MUT_FAIL", - "0x2F": "KRB_AP_ERR_BADDIRECTION", - "0x30": "KRB_AP_ERR_METHOD", - "0x31": "KRB_AP_ERR_BADSEQ", - "0x32": "KRB_AP_ERR_INAPP_CKSUM", - "0x33": "KRB_AP_PATH_NOT_ACCEPTED", - "0x34": "KRB_ERR_RESPONSE_TOO_BIG", - "0x3C": "KRB_ERR_GENERIC", - "0x3D": "KRB_ERR_FIELD_TOOLONG", - "0x3E": "KDC_ERR_CLIENT_NOT_TRUSTED", - "0x3F": "KDC_ERR_KDC_NOT_TRUSTED", - "0x40": "KDC_ERR_INVALID_SIG", - "0x41": "KDC_ERR_KEY_TOO_WEAK", - "0x42": "KRB_AP_ERR_USER_TO_USER_REQUIRED", - "0x43": "KRB_AP_ERR_NO_TGT", - "0x44": "KDC_ERR_WRONG_REALM", - }; - // event.category, event.type, event.action - var eventActionTypes = { - "1100": ["process","end","logging-service-shutdown"], - "1102": ["iam", "admin", "audit-log-cleared"], - "1104": ["iam","admin","logging-full"], - "1105": ["iam","admin","auditlog-archieved"], - "1108": ["iam","admin","logging-processing-error"], - "4624": ["authentication","start","logged-in"], - "4625": ["authentication","start","logon-failed"], - "4634": ["authentication","end","logged-out"], - "4647": ["authentication","end","logged-out"], - "4648": ["authentication","start","logged-in-explicit"], - 
"4672": ["iam","admin","logged-in-special"], - "4673": ["iam","admin","privileged-service-called"], - "4674": ["iam","admin","privileged-operation"], - "4688": ["process","start","created-process"], - "4689": ["process", "end", "exited-process"], - "4697": ["iam","admin","service-installed"], - "4698": ["iam","creation","scheduled-task-created"], - "4699": ["iam","deletion","scheduled-task-deleted"], - "4700": ["iam","change","scheduled-task-enabled"], - "4701": ["iam","change","scheduled-task-disabled"], - "4702": ["iam","change","scheduled-task-updated"], - "4719": ["iam","admin","changed-audit-config"], - "4720": ["iam","creation","added-user-account"], - "4722": ["iam","creation","enabled-user-account"], - "4723": ["iam","change","changed-password"], - "4724": ["iam","change","reset-password"], - "4725": ["iam","deletion","disabled-user-account"], - "4726": ["iam","deletion","deleted-user-account"], - "4727": ["iam","creation","added-group-account"], - "4728": ["iam","change","added-member-to-group"], - "4729": ["iam","change","removed-member-from-group"], - "4730": ["iam","deletion","deleted-group-account"], - "4731": ["iam","creation","added-group-account"], - "4732": ["iam","change","added-member-to-group"], - "4733": ["iam","change","removed-member-from-group"], - "4734": ["iam","deletion","deleted-group-account"], - "4735": ["iam","change","modified-group-account"], - "4737": ["iam","change","modified-group-account"], - "4738": ["iam","change","modified-user-account"], - "4740": ["iam","change","locked-out-user-account"], - "4741": ["iam","creation","added-computer-account"], - "4742": ["iam","change","changed-computer-account"], - "4743": ["iam","deletion","deleted-computer-account"], - "4744": ["iam","creation","added-distribution-group-account"], - "4745": ["iam","change","changed-distribution-group-account"], - "4746": ["iam","change","added-member-to-distribution-group"], - "4747": ["iam","change","removed-member-from-distribution-group"], - "4748": 
["iam","deletion","deleted-distribution-group-account"], - "4749": ["iam","creation","added-distribution-group-account"], - "4750": ["iam","change","changed-distribution-group-account"], - "4751": ["iam","change","added-member-to-distribution-group"], - "4752": ["iam","change","removed-member-from-distribution-group"], - "4753": ["iam","deletion","deleted-distribution-group-account"], - "4754": ["iam","creation","added-group-account"], - "4755": ["iam","change","modified-group-account"], - "4756": ["iam","change","added-member-to-group"], - "4757": ["iam","change","removed-member-from-group"], - "4758": ["iam","deletion","deleted-group-account"], - "4759": ["iam","creation","added-distribution-group-account"], - "4760": ["iam","change","changed-distribution-group-account"], - "4761": ["iam","change","added-member-to-distribution-group"], - "4762": ["iam","change","removed-member-from-distribution-group"], - "4763": ["iam","deletion","deleted-distribution-group-account"], - "4764": ["iam","change","type-changed-group-account"], - "4767": ["iam","change","unlocked-user-account"], - "4768": ["authentication","start","kerberos-authentication-ticket-requested"], - "4769": ["authentication","start","kerberos-service-ticket-requested"], - "4770": ["authentication","start","kerberos-service-ticket-renewed"], - "4771": ["authentication","start","kerberos-preauth-failed"], - "4776": ["authentication","start","credential-validated"], - "4778": ["authentication","start","session-reconnected"], - "4779": ["authentication","end","session-disconnected"], - "4781": ["iam","change","renamed-user-account","dummy"], - "4798": ["iam","info","group-membership-enumerated"], - "4799": ["iam","info","user-member-enumerated","dummy"], - "4964": ["iam","admin","logged-in-special"], - }; - // Audit Policy Changes Table - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4719 - var auditActions = { - "8448": "Success Removed", - "8450": "Failure Removed", - 
"8449": "Success Added", - "8451": "Failure Added", - }; - // Services Types - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697 - var serviceTypes = { - "0x1": "Kernel Driver", - "0x2": "File System Driver", - "0x8": "Recognizer Driver", - "0x10": "Win32 Own Process", - "0x20": "Win32 Share Process", - "0x110": "Interactive Own Process", - "0x120": "Interactive Share Process", - }; - // Audit Categories Description - // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpac/77878370-0712-47cd-997d-b07053429f6d - var auditDescription = { - "0CCE9210-69AE-11D9-BED3-505054503030":["Security State Change", "System"], - "0CCE9211-69AE-11D9-BED3-505054503030":["Security System Extension", "System"], - "0CCE9212-69AE-11D9-BED3-505054503030":["System Integrity", "System"], - "0CCE9213-69AE-11D9-BED3-505054503030":["IPsec Driver", "System"], - "0CCE9214-69AE-11D9-BED3-505054503030":["Other System Events", "System"], - "0CCE9215-69AE-11D9-BED3-505054503030":["Logon", "Logon/Logoff"], - "0CCE9216-69AE-11D9-BED3-505054503030":["Logoff","Logon/Logoff"], - "0CCE9217-69AE-11D9-BED3-505054503030":["Account Lockout","Logon/Logoff"], - "0CCE9218-69AE-11D9-BED3-505054503030":["IPsec Main Mode","Logon/Logoff"], - "0CCE9219-69AE-11D9-BED3-505054503030":["IPsec Quick Mode","Logon/Logoff"], - "0CCE921A-69AE-11D9-BED3-505054503030":["IPsec Extended Mode","Logon/Logoff"], - "0CCE921B-69AE-11D9-BED3-505054503030":["Special Logon","Logon/Logoff"], - "0CCE921C-69AE-11D9-BED3-505054503030":["Other Logon/Logoff Events","Logon/Logoff"], - "0CCE9243-69AE-11D9-BED3-505054503030":["Network Policy Server","Logon/Logoff"], - "0CCE9247-69AE-11D9-BED3-505054503030":["User / Device Claims","Logon/Logoff"], - "0CCE921D-69AE-11D9-BED3-505054503030":["File System","Object Access"], - "0CCE921E-69AE-11D9-BED3-505054503030":["Registry","Object Access"], - "0CCE921F-69AE-11D9-BED3-505054503030":["Kernel Object","Object Access"], - 
"0CCE9220-69AE-11D9-BED3-505054503030":["SAM","Object Access"], - "0CCE9221-69AE-11D9-BED3-505054503030":["Certification Services","Object Access"], - "0CCE9222-69AE-11D9-BED3-505054503030":["Application Generated","Object Access"], - "0CCE9223-69AE-11D9-BED3-505054503030":["Handle Manipulation","Object Access"], - "0CCE9224-69AE-11D9-BED3-505054503030":["File Share","Object Access"], - "0CCE9225-69AE-11D9-BED3-505054503030":["Filtering Platform Packet Drop","Object Access"], - "0CCE9226-69AE-11D9-BED3-505054503030":["Filtering Platform Connection ","Object Access"], - "0CCE9227-69AE-11D9-BED3-505054503030":["Other Object Access Events","Object Access"], - "0CCE9244-69AE-11D9-BED3-505054503030":["Detailed File Share","Object Access"], - "0CCE9245-69AE-11D9-BED3-505054503030":["Removable Storage","Object Access"], - "0CCE9246-69AE-11D9-BED3-505054503030":["Central Policy Staging","Object Access"], - "0CCE9228-69AE-11D9-BED3-505054503030":["Sensitive Privilege Use","Privilege Use"], - "0CCE9229-69AE-11D9-BED3-505054503030":["Non Sensitive Privilege Use","Privilege Use"], - "0CCE922A-69AE-11D9-BED3-505054503030":["Other Privilege Use Events","Privilege Use"], - "0CCE922B-69AE-11D9-BED3-505054503030":["Process Creation","Detailed Tracking"], - "0CCE922C-69AE-11D9-BED3-505054503030":["Process Termination","Detailed Tracking"], - "0CCE922D-69AE-11D9-BED3-505054503030":["DPAPI Activity","Detailed Tracking"], - "0CCE922E-69AE-11D9-BED3-505054503030":["RPC Events","Detailed Tracking"], - "0CCE9248-69AE-11D9-BED3-505054503030":["Plug and Play Events","Detailed Tracking"], - "0CCE922F-69AE-11D9-BED3-505054503030":["Audit Policy Change","Policy Change"], - "0CCE9230-69AE-11D9-BED3-505054503030":["Authentication Policy Change","Policy Change"], - "0CCE9231-69AE-11D9-BED3-505054503030":["Authorization Policy Change","Policy Change"], - "0CCE9232-69AE-11D9-BED3-505054503030":["MPSSVC Rule-Level Policy Change","Policy Change"], - "0CCE9233-69AE-11D9-BED3-505054503030":["Filtering 
Platform Policy Change","Policy Change"], - "0CCE9234-69AE-11D9-BED3-505054503030":["Other Policy Change Events","Policy Change"], - "0CCE9235-69AE-11D9-BED3-505054503030":["User Account Management","Account Management"], - "0CCE9236-69AE-11D9-BED3-505054503030":["Computer Account Management","Account Management"], - "0CCE9237-69AE-11D9-BED3-505054503030":["Security Group Management","Account Management"], - "0CCE9238-69AE-11D9-BED3-505054503030":["Distribution Group Management","Account Management"], - "0CCE9239-69AE-11D9-BED3-505054503030":["Application Group Management","Account Management"], - "0CCE923A-69AE-11D9-BED3-505054503030":["Other Account Management Events","Account Management"], - "0CCE923B-69AE-11D9-BED3-505054503030":["Directory Service Access","Account Management"], - "0CCE923C-69AE-11D9-BED3-505054503030":["Directory Service Changes","Account Management"], - "0CCE923D-69AE-11D9-BED3-505054503030":["Directory Service Replication","Account Management"], - "0CCE923E-69AE-11D9-BED3-505054503030":["Detailed Directory Service Replication","Account Management"], - "0CCE923F-69AE-11D9-BED3-505054503030":["Credential Validation","Account Logon"], - "0CCE9240-69AE-11D9-BED3-505054503030":["Kerberos Service Ticket Operations","Account Logon"], - "0CCE9241-69AE-11D9-BED3-505054503030":["Other Account Logon Events","Account Logon"], - "0CCE9242-69AE-11D9-BED3-505054503030":["Kerberos Authentication Service","Account Logon"], - }; - // Descriptions of failure status codes. 
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776
- var logonFailureStatus = {
- "0xc000005e": "There are currently no logon servers available to service the logon request.",
- "0xc0000064": "User logon with misspelled or bad user account",
- "0xc000006a": "User logon with misspelled or bad password",
- "0xc000006d": "This is either due to a bad username or authentication information",
- "0xc000006e": "Unknown user name or bad password.",
- "0xc000006f": "User logon outside authorized hours",
- "0xc0000070": "User logon from unauthorized workstation",
- "0xc0000071": "User logon with expired password",
- "0xc0000072": "User logon to account disabled by administrator",
- "0xc00000dc": "Indicates the Sam Server was in the wrong state to perform the desired operation.",
- "0xc0000133": "Clocks between DC and other computer too far out of sync",
- "0xc000015b": "The user has not been granted the requested logon type (aka logon right) at this machine",
- "0xc000018c": "The logon request failed because the trust relationship between the primary domain and the trusted domain failed.",
- "0xc0000192": "An attempt was made to logon, but the Netlogon service was not started.",
- "0xc0000193": "User logon with expired account",
- "0xc0000224": "User is required to change password at next logon",
- "0xc0000225": "Evidently a bug in Windows and not a risk",
- "0xc0000234": "User logon with account locked",
- "0xc00002ee": "Failure Reason: An Error occurred during Logon",
- "0xc0000413": "Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine.",
- "0xc0000371": "The local account store does not contain secret material for the specified account",
- "0x0": "Status OK.",
- };
- // Message table extracted from msobjs.dll on Windows 2019.
- // https://gist.github.com/andrewkroh/665dca0682bd0e4daf194ab291694012
- var msobjsMessageTable = {
- "279": "Undefined Access (no effect) Bit 7",
- "1536": "Unused message ID",
- "1537": "DELETE",
- "1538": "READ_CONTROL",
- "1539": "WRITE_DAC",
- "1540": "WRITE_OWNER",
- "1541": "SYNCHRONIZE",
- "1542": "ACCESS_SYS_SEC",
- "1543": "MAX_ALLOWED",
- "1552": "Unknown specific access (bit 0)",
- "1553": "Unknown specific access (bit 1)",
- "1554": "Unknown specific access (bit 2)",
- "1555": "Unknown specific access (bit 3)",
- "1556": "Unknown specific access (bit 4)",
- "1557": "Unknown specific access (bit 5)",
- "1558": "Unknown specific access (bit 6)",
- "1559": "Unknown specific access (bit 7)",
- "1560": "Unknown specific access (bit 8)",
- "1561": "Unknown specific access (bit 9)",
- "1562": "Unknown specific access (bit 10)",
- "1563": "Unknown specific access (bit 11)",
- "1564": "Unknown specific access (bit 12)",
- "1565": "Unknown specific access (bit 13)",
- "1566": "Unknown specific access (bit 14)",
- "1567": "Unknown specific access (bit 15)",
- "1601": "Not used",
- "1603": "Assign Primary Token Privilege",
- "1604": "Lock Memory Privilege",
- "1605": "Increase Memory Quota Privilege",
- "1606": "Unsolicited Input Privilege",
- "1607": "Trusted Computer Base Privilege",
- "1608": "Security Privilege",
- "1609": "Take Ownership Privilege",
- "1610": "Load/Unload Driver Privilege",
- "1611": "Profile System Privilege",
- "1612": "Set System Time Privilege",
- "1613": "Profile Single Process Privilege",
- "1614": "Increment Base Priority Privilege",
- "1615": "Create Pagefile Privilege",
- "1616": "Create Permanent Object Privilege",
- "1617": "Backup Privilege",
- "1618": "Restore From Backup Privilege",
- "1619": "Shutdown System Privilege",
- "1620": "Debug Privilege",
- "1621": "View or Change Audit Log Privilege",
- "1622": "Change Hardware Environment Privilege",
- "1623": "Change Notify (and Traverse) Privilege",
- "1624": "Remotely Shut System Down Privilege",
- "1792": "",
- "1794": "",
- "1795": "Enabled",
- "1796": "Disabled",
- "1797": "All",
- "1798": "None",
- "1799": "Audit Policy query/set API Operation",
- "1800": "",
- "1801": "Granted by",
- "1802": "Denied by",
- "1803": "Denied by Integrity Policy check",
- "1804": "Granted by Ownership",
- "1805": "Not granted",
- "1806": "Granted by NULL DACL",
- "1807": "Denied by Empty DACL",
- "1808": "Granted by NULL Security Descriptor",
- "1809": "Unknown or unchecked",
- "1810": "Not granted due to missing",
- "1811": "Granted by ACE on parent folder",
- "1812": "Denied by ACE on parent folder",
- "1813": "Granted by Central Access Rule",
- "1814": "NOT Granted by Central Access Rule",
- "1815": "Granted by parent folder's Central Access Rule",
- "1816": "NOT Granted by parent folder's Central Access Rule",
- "1817": "Unknown Type",
- "1818": "String",
- "1819": "Unsigned 64-bit Integer",
- "1820": "64-bit Integer",
- "1821": "FQBN",
- "1822": "Blob",
- "1823": "Sid",
- "1824": "Boolean",
- "1825": "TRUE",
- "1826": "FALSE",
- "1827": "Invalid",
- "1828": "an ACE too long to display",
- "1829": "a Security Descriptor too long to display",
- "1830": "Not granted to AppContainers",
- "1831": "...",
- "1832": "Identification",
- "1833": "Impersonation",
- "1840": "Delegation",
- "1841": "Denied by Process Trust Label ACE",
- "1842": "Yes",
- "1843": "No",
- "1844": "System",
- "1845": "Not Available",
- "1846": "Default",
- "1847": "DisallowMmConfig",
- "1848": "Off",
- "1849": "Auto",
- "1872": "REG_NONE",
- "1873": "REG_SZ",
- "1874": "REG_EXPAND_SZ",
- "1875": "REG_BINARY",
- "1876": "REG_DWORD",
- "1877": "REG_DWORD_BIG_ENDIAN",
- "1878": "REG_LINK",
- "1879": "REG_MULTI_SZ (New lines are replaced with *. A * is replaced with **)",
- "1880": "REG_RESOURCE_LIST",
- "1881": "REG_FULL_RESOURCE_DESCRIPTOR",
- "1882": "REG_RESOURCE_REQUIREMENTS_LIST",
- "1883": "REG_QWORD",
- "1904": "New registry value created",
- "1905": "Existing registry value modified",
- "1906": "Registry value deleted",
- "1920": "Sunday",
- "1921": "Monday",
- "1922": "Tuesday",
- "1923": "Wednesday",
- "1924": "Thursday",
- "1925": "Friday",
- "1926": "Saturday",
- "1936": "TokenElevationTypeDefault (1)",
- "1937": "TokenElevationTypeFull (2)",
- "1938": "TokenElevationTypeLimited (3)",
- "2048": "Account Enabled",
- "2049": "Home Directory Required' - Disabled",
- "2050": "Password Not Required' - Disabled",
- "2051": "Temp Duplicate Account' - Disabled",
- "2052": "Normal Account' - Disabled",
- "2053": "MNS Logon Account' - Disabled",
- "2054": "Interdomain Trust Account' - Disabled",
- "2055": "Workstation Trust Account' - Disabled",
- "2056": "Server Trust Account' - Disabled",
- "2057": "Don't Expire Password' - Disabled",
- "2058": "Account Unlocked",
- "2059": "Encrypted Text Password Allowed' - Disabled",
- "2060": "Smartcard Required' - Disabled",
- "2061": "Trusted For Delegation' - Disabled",
- "2062": "Not Delegated' - Disabled",
- "2063": "Use DES Key Only' - Disabled",
- "2064": "Don't Require Preauth' - Disabled",
- "2065": "Password Expired' - Disabled",
- "2066": "Trusted To Authenticate For Delegation' - Disabled",
- "2067": "Exclude Authorization Information' - Disabled",
- "2068": "Undefined UserAccountControl Bit 20' - Disabled",
- "2069": "Protect Kerberos Service Tickets with AES Keys' - Disabled",
- "2070": "Undefined UserAccountControl Bit 22' - Disabled",
- "2071": "Undefined UserAccountControl Bit 23' - Disabled",
- "2072": "Undefined UserAccountControl Bit 24' - Disabled",
- "2073": "Undefined UserAccountControl Bit 25' - Disabled",
- "2074": "Undefined UserAccountControl Bit 26' - Disabled",
- "2075": "Undefined UserAccountControl Bit 27' - Disabled",
- "2076": "Undefined UserAccountControl Bit 28' - Disabled",
- "2077": "Undefined UserAccountControl Bit 29' - Disabled",
- "2078": "Undefined UserAccountControl Bit 30' - Disabled",
- "2079": "Undefined UserAccountControl Bit 31' - Disabled",
- "2080": "Account Disabled",
- "2081": "Home Directory Required' - Enabled",
- "2082": "Password Not Required' - Enabled",
- "2083": "Temp Duplicate Account' - Enabled",
- "2084": "Normal Account' - Enabled",
- "2085": "MNS Logon Account' - Enabled",
- "2086": "Interdomain Trust Account' - Enabled",
- "2087": "Workstation Trust Account' - Enabled",
- "2088": "Server Trust Account' - Enabled",
- "2089": "Don't Expire Password' - Enabled",
- "2090": "Account Locked",
- "2091": "Encrypted Text Password Allowed' - Enabled",
- "2092": "Smartcard Required' - Enabled",
- "2093": "Trusted For Delegation' - Enabled",
- "2094": "Not Delegated' - Enabled",
- "2095": "Use DES Key Only' - Enabled",
- "2096": "Don't Require Preauth' - Enabled",
- "2097": "Password Expired' - Enabled",
- "2098": "Trusted To Authenticate For Delegation' - Enabled",
- "2099": "Exclude Authorization Information' - Enabled",
- "2100": "Undefined UserAccountControl Bit 20' - Enabled",
- "2101": "Protect Kerberos Service Tickets with AES Keys' - Enabled",
- "2102": "Undefined UserAccountControl Bit 22' - Enabled",
- "2103": "Undefined UserAccountControl Bit 23' - Enabled",
- "2104": "Undefined UserAccountControl Bit 24' - Enabled",
- "2105": "Undefined UserAccountControl Bit 25' - Enabled",
- "2106": "Undefined UserAccountControl Bit 26' - Enabled",
- "2107": "Undefined UserAccountControl Bit 27' - Enabled",
- "2108": "Undefined UserAccountControl Bit 28' - Enabled",
- "2109": "Undefined UserAccountControl Bit 29' - Enabled",
- "2110": "Undefined UserAccountControl Bit 30' - Enabled",
- "2111": "Undefined UserAccountControl Bit 31' - Enabled",
- "2304": "An Error occured during Logon.",
- "2305": "The specified user account has expired.",
- "2306": "The NetLogon component is not active.",
- "2307": "Account locked out.",
- "2308": "The user has not been granted the requested logon type at this machine.",
- "2309": "The specified account's password has expired.",
- "2310": "Account currently disabled.",
- "2311": "Account logon time restriction violation.",
- "2312": "User not allowed to logon at this computer.",
- "2313": "Unknown user name or bad password.",
- "2314": "Domain sid inconsistent.",
- "2315": "Smartcard logon is required and was not used.",
- "2432": "Not Available.",
- "2436": "Random number generator failure.",
- "2437": "Random number generation failed FIPS-140 pre-hash check.",
- "2438": "Failed to zero secret data.",
- "2439": "Key failed pair wise consistency check.",
- "2448": "Failed to unprotect persistent cryptographic key.",
- "2449": "Key export checks failed.",
- "2450": "Validation of public key failed.",
- "2451": "Signature verification failed.",
- "2456": "Open key file.",
- "2457": "Delete key file.",
- "2458": "Read persisted key from file.",
- "2459": "Write persisted key to file.",
- "2464": "Export of persistent cryptographic key.",
- "2465": "Import of persistent cryptographic key.",
- "2480": "Open Key.",
- "2481": "Create Key.",
- "2482": "Delete Key.",
- "2483": "Encrypt.",
- "2484": "Decrypt.",
- "2485": "Sign hash.",
- "2486": "Secret agreement.",
- "2487": "Domain settings",
- "2488": "Local settings",
- "2489": "Add provider.",
- "2490": "Remove provider.",
- "2491": "Add context.",
- "2492": "Remove context.",
- "2493": "Add function.",
- "2494": "Remove function.",
- "2495": "Add function provider.",
- "2496": "Remove function provider.",
- "2497": "Add function property.",
- "2498": "Remove function property.",
- "2499": "Machine key.",
- "2500": "User key.",
- "2501": "Key Derivation.",
- "4352": "Device Access Bit 0",
- "4353": "Device Access Bit 1",
- "4354": "Device Access Bit 2",
- "4355": "Device Access Bit 3",
- "4356": "Device Access Bit 4",
- "4357": "Device Access Bit 5",
- "4358": "Device Access Bit 6",
- "4359": "Device Access Bit 7",
- "4360": "Device Access Bit 8",
- "4361": "Undefined Access (no effect) Bit 9",
- "4362": "Undefined Access (no effect) Bit 10",
- "4363": "Undefined Access (no effect) Bit 11",
- "4364": "Undefined Access (no effect) Bit 12",
- "4365": "Undefined Access (no effect) Bit 13",
- "4366": "Undefined Access (no effect) Bit 14",
- "4367": "Undefined Access (no effect) Bit 15",
- "4368": "Query directory",
- "4369": "Traverse",
- "4370": "Create object in directory",
- "4371": "Create sub-directory",
- "4372": "Undefined Access (no effect) Bit 4",
- "4373": "Undefined Access (no effect) Bit 5",
- "4374": "Undefined Access (no effect) Bit 6",
- "4375": "Undefined Access (no effect) Bit 7",
- "4376": "Undefined Access (no effect) Bit 8",
- "4377": "Undefined Access (no effect) Bit 9",
- "4378": "Undefined Access (no effect) Bit 10",
- "4379": "Undefined Access (no effect) Bit 11",
- "4380": "Undefined Access (no effect) Bit 12",
- "4381": "Undefined Access (no effect) Bit 13",
- "4382": "Undefined Access (no effect) Bit 14",
- "4383": "Undefined Access (no effect) Bit 15",
- "4384": "Query event state",
- "4385": "Modify event state",
- "4386": "Undefined Access (no effect) Bit 2",
- "4387": "Undefined Access (no effect) Bit 3",
- "4388": "Undefined Access (no effect) Bit 4",
- "4389": "Undefined Access (no effect) Bit 5",
- "4390": "Undefined Access (no effect) Bit 6",
- "4391": "Undefined Access (no effect) Bit 7",
- "4392": "Undefined Access (no effect) Bit 8",
- "4393": "Undefined Access (no effect) Bit 9",
- "4394": "Undefined Access (no effect) Bit 10",
- "4395": "Undefined Access (no effect) Bit 11",
- "4396": "Undefined Access (no effect) Bit 12",
- "4397": "Undefined Access (no effect) Bit 13",
- "4398": "Undefined Access (no effect) Bit 14",
- "4399": "Undefined Access (no effect) Bit 15",
- "4416": "ReadData (or ListDirectory)",
- "4417": "WriteData (or AddFile)",
- "4418": "AppendData (or AddSubdirectory or CreatePipeInstance)",
- "4419": "ReadEA",
- "4420": "WriteEA",
- "4421": "Execute/Traverse",
- "4422": "DeleteChild",
- "4423": "ReadAttributes",
- "4424": "WriteAttributes",
- "4425": "Undefined Access (no effect) Bit 9",
- "4426": "Undefined Access (no effect) Bit 10",
- "4427": "Undefined Access (no effect) Bit 11",
- "4428": "Undefined Access (no effect) Bit 12",
- "4429": "Undefined Access (no effect) Bit 13",
- "4430": "Undefined Access (no effect) Bit 14",
- "4431": "Undefined Access (no effect) Bit 15",
- "4432": "Query key value",
- "4433": "Set key value",
- "4434": "Create sub-key",
- "4435": "Enumerate sub-keys",
- "4436": "Notify about changes to keys",
- "4437": "Create Link",
- "4438": "Undefined Access (no effect) Bit 6",
- "4439": "Undefined Access (no effect) Bit 7",
- "4440": "Enable 64(or 32) bit application to open 64 bit key",
- "4441": "Enable 64(or 32) bit application to open 32 bit key",
- "4442": "Undefined Access (no effect) Bit 10",
- "4443": "Undefined Access (no effect) Bit 11",
- "4444": "Undefined Access (no effect) Bit 12",
- "4445": "Undefined Access (no effect) Bit 13",
- "4446": "Undefined Access (no effect) Bit 14",
- "4447": "Undefined Access (no effect) Bit 15",
- "4448": "Query mutant state",
- "4449": "Undefined Access (no effect) Bit 1",
- "4450": "Undefined Access (no effect) Bit 2",
- "4451": "Undefined Access (no effect) Bit 3",
- "4452": "Undefined Access (no effect) Bit 4",
- "4453": "Undefined Access (no effect) Bit 5",
- "4454": "Undefined Access (no effect) Bit 6",
- "4455": "Undefined Access (no effect) Bit 7",
- "4456": "Undefined Access (no effect) Bit 8",
- "4457": "Undefined Access (no effect) Bit 9",
- "4458": "Undefined Access (no effect) Bit 10",
- "4459": "Undefined Access (no effect) Bit 11",
- "4460": "Undefined Access (no effect) Bit 12",
- "4461": "Undefined Access (no effect) Bit 13",
- "4462": "Undefined Access (no effect) Bit 14",
- "4463": "Undefined Access (no effect) Bit 15",
- "4464": "Communicate using port",
- "4465": "Undefined Access (no effect) Bit 1",
- "4466": "Undefined Access (no effect) Bit 2",
- "4467": "Undefined Access (no effect) Bit 3",
- "4468": "Undefined Access (no effect) Bit 4",
- "4469": "Undefined Access (no effect) Bit 5",
- "4470": "Undefined Access (no effect) Bit 6",
- "4471": "Undefined Access (no effect) Bit 7",
- "4472": "Undefined Access (no effect) Bit 8",
- "4473": "Undefined Access (no effect) Bit 9",
- "4474": "Undefined Access (no effect) Bit 10",
- "4475": "Undefined Access (no effect) Bit 11",
- "4476": "Undefined Access (no effect) Bit 12",
- "4477": "Undefined Access (no effect) Bit 13",
- "4478": "Undefined Access (no effect) Bit 14",
- "4479": "Undefined Access (no effect) Bit 15",
- "4480": "Force process termination",
- "4481": "Create new thread in process",
- "4482": "Set process session ID",
- "4483": "Perform virtual memory operation",
- "4484": "Read from process memory",
- "4485": "Write to process memory",
- "4486": "Duplicate handle into or out of process",
- "4487": "Create a subprocess of process",
- "4488": "Set process quotas",
- "4489": "Set process information",
- "4490": "Query process information",
- "4491": "Set process termination port",
- "4492": "Undefined Access (no effect) Bit 12",
- "4493": "Undefined Access (no effect) Bit 13",
- "4494": "Undefined Access (no effect) Bit 14",
- "4495": "Undefined Access (no effect) Bit 15",
- "4496": "Control profile",
- "4497": "Undefined Access (no effect) Bit 1",
- "4498": "Undefined Access (no effect) Bit 2",
- "4499": "Undefined Access (no effect) Bit 3",
- "4500": "Undefined Access (no effect) Bit 4",
- "4501": "Undefined Access (no effect) Bit 5",
- "4502": "Undefined Access (no effect) Bit 6",
- "4503": "Undefined Access (no effect) Bit 7",
- "4504": "Undefined Access (no effect) Bit 8",
- "4505": "Undefined Access (no effect) Bit 9",
- "4506": "Undefined Access (no effect) Bit 10",
- "4507": "Undefined Access (no effect) Bit 11",
- "4508": "Undefined Access (no effect) Bit 12", - "4509": "Undefined Access (no effect) Bit 13", - "4510": "Undefined Access (no effect) Bit 14", - "4511": "Undefined Access (no effect) Bit 15", - "4512": "Query section state", - "4513": "Map section for write", - "4514": "Map section for read", - "4515": "Map section for execute", - "4516": "Extend size", - "4517": "Undefined Access (no effect) Bit 5", - "4518": "Undefined Access (no effect) Bit 6", - "4519": "Undefined Access (no effect) Bit 7", - "4520": "Undefined Access (no effect) Bit 8", - "4521": "Undefined Access (no effect) Bit 9", - "4522": "Undefined Access (no effect) Bit 10", - "4523": "Undefined Access (no effect) Bit 11", - "4524": "Undefined Access (no effect) Bit 12", - "4525": "Undefined Access (no effect) Bit 13", - "4526": "Undefined Access (no effect) Bit 14", - "4527": "Undefined Access (no effect) Bit 15", - "4528": "Query semaphore state", - "4529": "Modify semaphore state", - "4530": "Undefined Access (no effect) Bit 2", - "4531": "Undefined Access (no effect) Bit 3", - "4532": "Undefined Access (no effect) Bit 4", - "4533": "Undefined Access (no effect) Bit 5", - "4534": "Undefined Access (no effect) Bit 6", - "4535": "Undefined Access (no effect) Bit 7", - "4536": "Undefined Access (no effect) Bit 8", - "4537": "Undefined Access (no effect) Bit 9", - "4538": "Undefined Access (no effect) Bit 10", - "4539": "Undefined Access (no effect) Bit 11", - "4540": "Undefined Access (no effect) Bit 12", - "4541": "Undefined Access (no effect) Bit 13", - "4542": "Undefined Access (no effect) Bit 14", - "4543": "Undefined Access (no effect) Bit 15", - "4544": "Use symbolic link", - "4545": "Undefined Access (no effect) Bit 1", - "4546": "Undefined Access (no effect) Bit 2", - "4547": "Undefined Access (no effect) Bit 3", - "4548": "Undefined Access (no effect) Bit 4", - "4549": "Undefined Access (no effect) Bit 5", - "4550": "Undefined Access (no effect) Bit 6", - "4551": "Undefined Access (no 
effect) Bit 7", - "4552": "Undefined Access (no effect) Bit 8", - "4553": "Undefined Access (no effect) Bit 9", - "4554": "Undefined Access (no effect) Bit 10", - "4555": "Undefined Access (no effect) Bit 11", - "4556": "Undefined Access (no effect) Bit 12", - "4557": "Undefined Access (no effect) Bit 13", - "4558": "Undefined Access (no effect) Bit 14", - "4559": "Undefined Access (no effect) Bit 15", - "4560": "Force thread termination", - "4561": "Suspend or resume thread", - "4562": "Send an alert to thread", - "4563": "Get thread context", - "4564": "Set thread context", - "4565": "Set thread information", - "4566": "Query thread information", - "4567": "Assign a token to the thread", - "4568": "Cause thread to directly impersonate another thread", - "4569": "Directly impersonate this thread", - "4570": "Undefined Access (no effect) Bit 10", - "4571": "Undefined Access (no effect) Bit 11", - "4572": "Undefined Access (no effect) Bit 12", - "4573": "Undefined Access (no effect) Bit 13", - "4574": "Undefined Access (no effect) Bit 14", - "4575": "Undefined Access (no effect) Bit 15", - "4576": "Query timer state", - "4577": "Modify timer state", - "4578": "Undefined Access (no effect) Bit 2", - "4579": "Undefined Access (no effect) Bit 3", - "4580": "Undefined Access (no effect) Bit 4", - "4581": "Undefined Access (no effect) Bit 5", - "4582": "Undefined Access (no effect) Bit 6", - "4584": "Undefined Access (no effect) Bit 8", - "4585": "Undefined Access (no effect) Bit 9", - "4586": "Undefined Access (no effect) Bit 10", - "4587": "Undefined Access (no effect) Bit 11", - "4588": "Undefined Access (no effect) Bit 12", - "4589": "Undefined Access (no effect) Bit 13", - "4590": "Undefined Access (no effect) Bit 14", - "4591": "Undefined Access (no effect) Bit 15", - "4592": "AssignAsPrimary", - "4593": "Duplicate", - "4594": "Impersonate", - "4595": "Query", - "4596": "QuerySource", - "4597": "AdjustPrivileges", - "4598": "AdjustGroups", - "4599": 
"AdjustDefaultDacl", - "4600": "AdjustSessionID", - "4601": "Undefined Access (no effect) Bit 9", - "4602": "Undefined Access (no effect) Bit 10", - "4603": "Undefined Access (no effect) Bit 11", - "4604": "Undefined Access (no effect) Bit 12", - "4605": "Undefined Access (no effect) Bit 13", - "4606": "Undefined Access (no effect) Bit 14", - "4607": "Undefined Access (no effect) Bit 15", - "4608": "Create instance of object type", - "4609": "Undefined Access (no effect) Bit 1", - "4610": "Undefined Access (no effect) Bit 2", - "4611": "Undefined Access (no effect) Bit 3", - "4612": "Undefined Access (no effect) Bit 4", - "4613": "Undefined Access (no effect) Bit 5", - "4614": "Undefined Access (no effect) Bit 6", - "4615": "Undefined Access (no effect) Bit 7", - "4616": "Undefined Access (no effect) Bit 8", - "4617": "Undefined Access (no effect) Bit 9", - "4618": "Undefined Access (no effect) Bit 10", - "4619": "Undefined Access (no effect) Bit 11", - "4620": "Undefined Access (no effect) Bit 12", - "4621": "Undefined Access (no effect) Bit 13", - "4622": "Undefined Access (no effect) Bit 14", - "4623": "Undefined Access (no effect) Bit 15", - "4864": "Query State", - "4865": "Modify State", - "5120": "Channel read message", - "5121": "Channel write message", - "5122": "Channel query information", - "5123": "Channel set information", - "5124": "Undefined Access (no effect) Bit 4", - "5125": "Undefined Access (no effect) Bit 5", - "5126": "Undefined Access (no effect) Bit 6", - "5127": "Undefined Access (no effect) Bit 7", - "5128": "Undefined Access (no effect) Bit 8", - "5129": "Undefined Access (no effect) Bit 9", - "5130": "Undefined Access (no effect) Bit 10", - "5131": "Undefined Access (no effect) Bit 11", - "5132": "Undefined Access (no effect) Bit 12", - "5133": "Undefined Access (no effect) Bit 13", - "5134": "Undefined Access (no effect) Bit 14", - "5135": "Undefined Access (no effect) Bit 15", - "5136": "Assign process", - "5137": "Set Attributes", - 
"5138": "Query Attributes", - "5139": "Terminate Job", - "5140": "Set Security Attributes", - "5141": "Undefined Access (no effect) Bit 5", - "5142": "Undefined Access (no effect) Bit 6", - "5143": "Undefined Access (no effect) Bit 7", - "5144": "Undefined Access (no effect) Bit 8", - "5145": "Undefined Access (no effect) Bit 9", - "5146": "Undefined Access (no effect) Bit 10", - "5147": "Undefined Access (no effect) Bit 11", - "5148": "Undefined Access (no effect) Bit 12", - "5149": "Undefined Access (no effect) Bit 13", - "5150": "Undefined Access (no effect) Bit 14", - "5151": "Undefined Access (no effect) Bit 15", - "5376": "ConnectToServer", - "5377": "ShutdownServer", - "5378": "InitializeServer", - "5379": "CreateDomain", - "5380": "EnumerateDomains", - "5381": "LookupDomain", - "5382": "Undefined Access (no effect) Bit 6", - "5383": "Undefined Access (no effect) Bit 7", - "5384": "Undefined Access (no effect) Bit 8", - "5385": "Undefined Access (no effect) Bit 9", - "5386": "Undefined Access (no effect) Bit 10", - "5387": "Undefined Access (no effect) Bit 11", - "5388": "Undefined Access (no effect) Bit 12", - "5389": "Undefined Access (no effect) Bit 13", - "5390": "Undefined Access (no effect) Bit 14", - "5391": "Undefined Access (no effect) Bit 15", - "5392": "ReadPasswordParameters", - "5393": "WritePasswordParameters", - "5394": "ReadOtherParameters", - "5395": "WriteOtherParameters", - "5396": "CreateUser", - "5397": "CreateGlobalGroup", - "5398": "CreateLocalGroup", - "5399": "GetLocalGroupMembership", - "5400": "ListAccounts", - "5401": "LookupIDs", - "5402": "AdministerServer", - "5403": "Undefined Access (no effect) Bit 11", - "5404": "Undefined Access (no effect) Bit 12", - "5405": "Undefined Access (no effect) Bit 13", - "5406": "Undefined Access (no effect) Bit 14", - "5407": "Undefined Access (no effect) Bit 15", - "5408": "ReadInformation", - "5409": "WriteAccount", - "5410": "AddMember", - "5411": "RemoveMember", - "5412": "ListMembers", - 
"5413": "Undefined Access (no effect) Bit 5", - "5414": "Undefined Access (no effect) Bit 6", - "5415": "Undefined Access (no effect) Bit 7", - "5416": "Undefined Access (no effect) Bit 8", - "5417": "Undefined Access (no effect) Bit 9", - "5418": "Undefined Access (no effect) Bit 10", - "5419": "Undefined Access (no effect) Bit 11", - "5420": "Undefined Access (no effect) Bit 12", - "5421": "Undefined Access (no effect) Bit 13", - "5422": "Undefined Access (no effect) Bit 14", - "5423": "Undefined Access (no effect) Bit 15", - "5424": "AddMember", - "5425": "RemoveMember", - "5426": "ListMembers", - "5427": "ReadInformation", - "5428": "WriteAccount", - "5429": "Undefined Access (no effect) Bit 5", - "5430": "Undefined Access (no effect) Bit 6", - "5431": "Undefined Access (no effect) Bit 7", - "5432": "Undefined Access (no effect) Bit 8", - "5433": "Undefined Access (no effect) Bit 9", - "5434": "Undefined Access (no effect) Bit 10", - "5435": "Undefined Access (no effect) Bit 11", - "5436": "Undefined Access (no effect) Bit 12", - "5437": "Undefined Access (no effect) Bit 13", - "5438": "Undefined Access (no effect) Bit 14", - "5439": "Undefined Access (no effect) Bit 15", - "5440": "ReadGeneralInformation", - "5441": "ReadPreferences", - "5442": "WritePreferences", - "5443": "ReadLogon", - "5444": "ReadAccount", - "5445": "WriteAccount", - "5446": "ChangePassword (with knowledge of old password)", - "5447": "SetPassword (without knowledge of old password)", - "5448": "ListGroups", - "5449": "ReadGroupMembership", - "5450": "ChangeGroupMembership", - "5451": "Undefined Access (no effect) Bit 11", - "5452": "Undefined Access (no effect) Bit 12", - "5453": "Undefined Access (no effect) Bit 13", - "5454": "Undefined Access (no effect) Bit 14", - "5455": "Undefined Access (no effect) Bit 15", - "5632": "View non-sensitive policy information", - "5633": "View system audit requirements", - "5634": "Get sensitive policy information", - "5635": "Modify domain trust 
relationships", - "5636": "Create special accounts (for assignment of user rights)", - "5637": "Create a secret object", - "5638": "Create a privilege", - "5639": "Set default quota limits", - "5640": "Change system audit requirements", - "5641": "Administer audit log attributes", - "5642": "Enable/Disable LSA", - "5643": "Lookup Names/SIDs", - "5648": "Change secret value", - "5649": "Query secret value", - "5650": "Undefined Access (no effect) Bit 2", - "5651": "Undefined Access (no effect) Bit 3", - "5652": "Undefined Access (no effect) Bit 4", - "5653": "Undefined Access (no effect) Bit 5", - "5654": "Undefined Access (no effect) Bit 6", - "5655": "Undefined Access (no effect) Bit 7", - "5656": "Undefined Access (no effect) Bit 8", - "5657": "Undefined Access (no effect) Bit 9", - "5658": "Undefined Access (no effect) Bit 10", - "5659": "Undefined Access (no effect) Bit 11", - "5660": "Undefined Access (no effect) Bit 12", - "5661": "Undefined Access (no effect) Bit 13", - "5662": "Undefined Access (no effect) Bit 14", - "5663": "Undefined Access (no effect) Bit 15", - "5664": "Query trusted domain name/SID", - "5665": "Retrieve the controllers in the trusted domain", - "5666": "Change the controllers in the trusted domain", - "5667": "Query the Posix ID offset assigned to the trusted domain", - "5668": "Change the Posix ID offset assigned to the trusted domain", - "5669": "Undefined Access (no effect) Bit 5", - "5670": "Undefined Access (no effect) Bit 6", - "5671": "Undefined Access (no effect) Bit 7", - "5672": "Undefined Access (no effect) Bit 8", - "5673": "Undefined Access (no effect) Bit 9", - "5674": "Undefined Access (no effect) Bit 10", - "5675": "Undefined Access (no effect) Bit 11", - "5676": "Undefined Access (no effect) Bit 12", - "5677": "Undefined Access (no effect) Bit 13", - "5678": "Undefined Access (no effect) Bit 14", - "5679": "Undefined Access (no effect) Bit 15", - "5680": "Query account information", - "5681": "Change privileges 
assigned to account", - "5682": "Change quotas assigned to account", - "5683": "Change logon capabilities assigned to account", - "5684": "Change the Posix ID offset assigned to the accounted domain", - "5685": "Undefined Access (no effect) Bit 5", - "5686": "Undefined Access (no effect) Bit 6", - "5687": "Undefined Access (no effect) Bit 7", - "5688": "Undefined Access (no effect) Bit 8", - "5689": "Undefined Access (no effect) Bit 9", - "5690": "Undefined Access (no effect) Bit 10", - "5691": "Undefined Access (no effect) Bit 11", - "5692": "Undefined Access (no effect) Bit 12", - "5693": "Undefined Access (no effect) Bit 13", - "5694": "Undefined Access (no effect) Bit 14", - "5695": "Undefined Access (no effect) Bit 15", - "5696": "KeyedEvent Wait", - "5697": "KeyedEvent Wake", - "5698": "Undefined Access (no effect) Bit 2", - "5699": "Undefined Access (no effect) Bit 3", - "5700": "Undefined Access (no effect) Bit 4", - "5701": "Undefined Access (no effect) Bit 5", - "5702": "Undefined Access (no effect) Bit 6", - "5703": "Undefined Access (no effect) Bit 7", - "5704": "Undefined Access (no effect) Bit 8", - "5705": "Undefined Access (no effect) Bit 9", - "5706": "Undefined Access (no effect) Bit 10", - "5707": "Undefined Access (no effect) Bit 11", - "5708": "Undefined Access (no effect) Bit 12", - "5709": "Undefined Access (no effect) Bit 13", - "5710": "Undefined Access (no effect) Bit 14", - "5711": "Undefined Access (no effect) Bit 15", - "6656": "Enumerate desktops", - "6657": "Read attributes", - "6658": "Access Clipboard", - "6659": "Create desktop", - "6660": "Write attributes", - "6661": "Access global atoms", - "6662": "Exit windows", - "6663": "Unused Access Flag", - "6664": "Include this windowstation in enumerations", - "6665": "Read screen", - "6672": "Read Objects", - "6673": "Create window", - "6674": "Create menu", - "6675": "Hook control", - "6676": "Journal (record)", - "6677": "Journal (playback)", - "6678": "Include this desktop in 
enumerations", - "6679": "Write objects", - "6680": "Switch to this desktop", - "6912": "Administer print server", - "6913": "Enumerate printers", - "6930": "Full Control", - "6931": "Print", - "6948": "Administer Document", - "7168": "Connect to service controller", - "7169": "Create a new service", - "7170": "Enumerate services", - "7171": "Lock service database for exclusive access", - "7172": "Query service database lock state", - "7173": "Set last-known-good state of service database", - "7184": "Query service configuration information", - "7185": "Set service configuration information", - "7186": "Query status of service", - "7187": "Enumerate dependencies of service", - "7188": "Start the service", - "7189": "Stop the service", - "7190": "Pause or continue the service", - "7191": "Query information from service", - "7192": "Issue service-specific control commands", - "7424": "DDE Share Read", - "7425": "DDE Share Write", - "7426": "DDE Share Initiate Static", - "7427": "DDE Share Initiate Link", - "7428": "DDE Share Request", - "7429": "DDE Share Advise", - "7430": "DDE Share Poke", - "7431": "DDE Share Execute", - "7432": "DDE Share Add Items", - "7433": "DDE Share List Items", - "7680": "Create Child", - "7681": "Delete Child", - "7682": "List Contents", - "7683": "Write Self", - "7684": "Read Property", - "7685": "Write Property", - "7686": "Delete Tree", - "7687": "List Object", - "7688": "Control Access", - "7689": "Undefined Access (no effect) Bit 9", - "7690": "Undefined Access (no effect) Bit 10", - "7691": "Undefined Access (no effect) Bit 11", - "7692": "Undefined Access (no effect) Bit 12", - "7693": "Undefined Access (no effect) Bit 13", - "7694": "Undefined Access (no effect) Bit 14", - "7695": "Undefined Access (no effect) Bit 15", - "7936": "Audit Set System Policy", - "7937": "Audit Query System Policy", - "7938": "Audit Set Per User Policy", - "7939": "Audit Query Per User Policy", - "7940": "Audit Enumerate Users", - "7941": "Audit Set 
Options", - "7942": "Audit Query Options", - "8064": "Port sharing (read)", - "8065": "Port sharing (write)", - "8096": "Default credentials", - "8097": "Credentials manager", - "8098": "Fresh credentials", - "8192": "Kerberos", - "8193": "Preshared key", - "8194": "Unknown authentication", - "8195": "DES", - "8196": "3DES", - "8197": "MD5", - "8198": "SHA1", - "8199": "Local computer", - "8200": "Remote computer", - "8201": "No state", - "8202": "Sent first (SA) payload", - "8203": "Sent second (KE) payload", - "8204": "Sent third (ID) payload", - "8205": "Initiator", - "8206": "Responder", - "8207": "No state", - "8208": "Sent first (SA) payload", - "8209": "Sent final payload", - "8210": "Complete", - "8211": "Unknown", - "8212": "Transport", - "8213": "Tunnel", - "8214": "IKE/AuthIP DoS prevention mode started", - "8215": "IKE/AuthIP DoS prevention mode stopped", - "8216": "Enabled", - "8217": "Not enabled", - "8218": "No state", - "8219": "Sent first (EM attributes) payload", - "8220": "Sent second (SSPI) payload", - "8221": "Sent third (hash) payload", - "8222": "IKEv1", - "8223": "AuthIP", - "8224": "Anonymous", - "8225": "NTLM V2", - "8226": "CGA", - "8227": "Certificate", - "8228": "SSL", - "8229": "None", - "8230": "DH group 1", - "8231": "DH group 2", - "8232": "DH group 14", - "8233": "DH group ECP 256", - "8234": "DH group ECP 384", - "8235": "AES-128", - "8236": "AES-192", - "8237": "AES-256", - "8238": "Certificate ECDSA P256", - "8239": "Certificate ECDSA P384", - "8240": "SSL ECDSA P256", - "8241": "SSL ECDSA P384", - "8242": "SHA 256", - "8243": "SHA 384", - "8244": "IKEv2", - "8245": "EAP payload sent", - "8246": "Authentication payload sent", - "8247": "EAP", - "8248": "DH group 24", - "8272": "System", - "8273": "Logon/Logoff", - "8274": "Object Access", - "8275": "Privilege Use", - "8276": "Detailed Tracking", - "8277": "Policy Change", - "8278": "Account Management", - "8279": "DS Access", - "8280": "Account Logon", - "8448": "Success 
removed", - "8449": "Success Added", - "8450": "Failure removed", - "8451": "Failure added", - "8452": "Success include removed", - "8453": "Success include added", - "8454": "Success exclude removed", - "8455": "Success exclude added", - "8456": "Failure include removed", - "8457": "Failure include added", - "8458": "Failure exclude removed", - "8459": "Failure exclude added", - "12288": "Security State Change", - "12289": "Security System Extension", - "12290": "System Integrity", - "12291": "IPsec Driver", - "12292": "Other System Events", - "12544": "Logon", - "12545": "Logoff", - "12546": "Account Lockout", - "12547": "IPsec Main Mode", - "12548": "Special Logon", - "12549": "IPsec Quick Mode", - "12550": "IPsec Extended Mode", - "12551": "Other Logon/Logoff Events", - "12552": "Network Policy Server", - "12553": "User / Device Claims", - "12554": "Group Membership", - "12800": "File System", - "12801": "Registry", - "12802": "Kernel Object", - "12803": "SAM", - "12804": "Other Object Access Events", - "12805": "Certification Services", - "12806": "Application Generated", - "12807": "Handle Manipulation", - "12808": "File Share", - "12809": "Filtering Platform Packet Drop", - "12810": "Filtering Platform Connection", - "12811": "Detailed File Share", - "12812": "Removable Storage", - "12813": "Central Policy Staging", - "13056": "Sensitive Privilege Use", - "13057": "Non Sensitive Privilege Use", - "13058": "Other Privilege Use Events", - "13312": "Process Creation", - "13313": "Process Termination", - "13314": "DPAPI Activity", - "13315": "RPC Events", - "13316": "Plug and Play Events", - "13317": "Token Right Adjusted Events", - "13568": "Audit Policy Change", - "13569": "Authentication Policy Change", - "13570": "Authorization Policy Change", - "13571": "MPSSVC Rule-Level Policy Change", - "13572": "Filtering Platform Policy Change", - "13573": "Other Policy Change Events", - "13824": "User Account Management", - "13825": "Computer Account Management", - 
"13826": "Security Group Management", - "13827": "Distribution Group Management", - "13828": "Application Group Management", - "13829": "Other Account Management Events", - "14080": "Directory Service Access", - "14081": "Directory Service Changes", - "14082": "Directory Service Replication", - "14083": "Detailed Directory Service Replication", - "14336": "Credential Validation", - "14337": "Kerberos Service Ticket Operations", - "14338": "Other Account Logon Events", - "14339": "Kerberos Authentication Service", - "14592": "Inbound", - "14593": "Outbound", - "14594": "Forward", - "14595": "Bidirectional", - "14596": "IP Packet", - "14597": "Transport", - "14598": "Forward", - "14599": "Stream", - "14600": "Datagram Data", - "14601": "ICMP Error", - "14602": "MAC 802.3", - "14603": "MAC Native", - "14604": "vSwitch", - "14608": "Resource Assignment", - "14609": "Listen", - "14610": "Receive/Accept", - "14611": "Connect", - "14612": "Flow Established", - "14614": "Resource Release", - "14615": "Endpoint Closure", - "14616": "Connect Redirect", - "14617": "Bind Redirect", - "14624": "Stream Packet", - "14640": "ICMP Echo-Request", - "14641": "vSwitch Ingress", - "14642": "vSwitch Egress", - "14672": "", - "14673": "[NULL]", - "14674": "Value Added", - "14675": "Value Deleted", - "14676": "Active Directory Domain Services", - "14677": "Active Directory Lightweight Directory Services", - "14678": "Yes", - "14679": "No", - "14680": "Value Added With Expiration Time", - "14681": "Value Deleted With Expiration Time", - "14688": "Value Auto Deleted With Expiration Time", - "16384": "Add", - "16385": "Delete", - "16386": "Boot-time", - "16387": "Persistent", - "16388": "Not persistent", - "16389": "Block", - "16390": "Permit", - "16391": "Callout", - "16392": "MD5", - "16393": "SHA-1", - "16394": "SHA-256", - "16395": "AES-GCM 128", - "16396": "AES-GCM 192", - "16397": "AES-GCM 256", - "16398": "DES", - "16399": "3DES", - "16400": "AES-128", - "16401": "AES-192", - "16402": 
"AES-256", - "16403": "Transport", - "16404": "Tunnel", - "16405": "Responder", - "16406": "Initiator", - "16407": "AES-GMAC 128", - "16408": "AES-GMAC 192", - "16409": "AES-GMAC 256", - "16416": "AuthNoEncap Transport", - "16896": "Enable WMI Account", - "16897": "Execute Method", - "16898": "Full Write", - "16899": "Partial Write", - "16900": "Provider Write", - "16901": "Remote Access", - "16902": "Subscribe", - "16903": "Publish", - }; - // lookupMessageCode returns the string associated with the code. key should - // be the name of the field in evt containing the code (e.g. %%2313). - var lookupMessageCode = function (evt, key) { - var code = evt.Get(key); - if (!code) { - return; - } - code = code.replace("%%", ""); - return msobjsMessageTable[code]; - }; - var addEventFields = function(evt){ - var code = evt.Get("event.code"); - if (!code) { - return; - } - var eventActionDescription = eventActionTypes[code][2]; - if (eventActionDescription) { - evt.AppendTo("event.category", eventActionTypes[code][0]); - evt.AppendTo("event.type", eventActionTypes[code][1]); - evt.Put("event.action", eventActionTypes[code][2]); - } - }; - var addLogonType = function(evt) { - var code = evt.Get("winlog.event_data.LogonType"); - if (!code) { - return; - } - var descriptiveLogonType = logonTypes[code]; - if (descriptiveLogonType === undefined) { - return; - } - evt.Put("winlog.logon.type", descriptiveLogonType); - }; - var addFailureCode = function(evt) { - var msg = lookupMessageCode(evt, "winlog.event_data.FailureReason"); - if (!msg) { - return; - } - evt.Put("winlog.logon.failure.reason", msg); - }; - var addFailureStatus = function(evt) { - var code = evt.Get("winlog.event_data.Status"); - if (!code) { - return; - } - var descriptiveFailureStatus = logonFailureStatus[code]; - if (descriptiveFailureStatus === undefined) { - return; - } - evt.Put("winlog.logon.failure.status", descriptiveFailureStatus); - }; - var addFailureSubStatus = function(evt) { - var code = 
evt.Get("winlog.event_data.SubStatus"); - if (!code) { - return; - } - var descriptiveFailureStatus = logonFailureStatus[code]; - if (descriptiveFailureStatus === undefined) { - return; - } - evt.Put("winlog.logon.failure.sub_status", descriptiveFailureStatus); - }; - var addUACDescription = function(evt) { - var code = evt.Get("winlog.event_data.NewUacValue"); - if (!code) { - return; - } - var uacCode = parseInt(code); - var uacResult = []; - for (var i = 0; i < uacFlags.length; i++) { - if ((uacCode | uacFlags[i][0]) === uacCode) { - uacResult.push(uacFlags[i][1]); - } - } - if (uacResult) { - evt.Put("winlog.event_data.NewUACList", uacResult); - } - var uacList = evt.Get("winlog.event_data.UserAccountControl").replace(/\s/g, '').split("%%").filter(String); - if (!uacList) { - return; - } - evt.Put("winlog.event_data.UserAccountControl", uacList); - }; - var addAuditInfo = function(evt) { - var subcategoryGuid = evt.Get("winlog.event_data.SubcategoryGuid").replace("{", '').replace("}", '').toUpperCase(); - if (!subcategoryGuid) { - return; - } - if (!auditDescription[subcategoryGuid]) { - return; - } - evt.Put("winlog.event_data.Category", auditDescription[subcategoryGuid][1]); - evt.Put("winlog.event_data.SubCategory", auditDescription[subcategoryGuid][0]); - var codedActions = evt.Get("winlog.event_data.AuditPolicyChanges").split(","); - var actionResults = []; - for (var j = 0; j < codedActions.length; j++) { - var actionCode = codedActions[j].replace("%%", '').replace(' ', ''); - actionResults.push(auditActions[actionCode]); - } - evt.Put("winlog.event_data.AuditPolicyChangesDescription", actionResults); - }; - var addTicketOptionsDescription = function(evt) { - var code = evt.Get("winlog.event_data.TicketOptions"); - if (!code) { - return; - } - var tktCode = parseInt(code, 16).toString(2); - var tktResult = []; - var tktCodeLen = tktCode.length; - for (var i = tktCodeLen; i >= 0; i--) { - if (tktCode[i] == 1) { - 
tktResult.push(ticketOptions[(32-tktCodeLen)+i]); - } - } - if (tktResult) { - evt.Put("winlog.event_data.TicketOptionsDescription", tktResult); - } - }; - var addTicketEncryptionType = function(evt) { - var code = evt.Get("winlog.event_data.TicketEncryptionType"); - if (!code) { - return; - } - var encTypeCode = code.toLowerCase(); - evt.Put("winlog.event_data.TicketEncryptionTypeDescription", ticketEncryptionTypes[encTypeCode]); - }; - var addTicketStatus = function(evt) { - var code = evt.Get("winlog.event_data.Status"); - if (!code) { - return; - } - evt.Put("winlog.event_data.StatusDescription", kerberosTktStatusCodes[code]); - }; - var addSessionData = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.AccountName", to: "user.name"}, - {from: "winlog.event_data.AccountDomain", to: "user.domain"}, - {from: "winlog.event_data.ClientAddress", to: "source.ip"}, - {from: "winlog.event_data.ClientName", to: "source.domain"}, - {from: "winlog.event_data.LogonID", to: "winlog.logon.id"}, - ], - ignore_missing: true, - }) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.AccountName"); - evt.AppendTo('related.user', user); - }) - .Build(); - var addServiceFields = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.ServiceName", to: "service.name"}, - ], - ignore_missing: true, - }) - .Add(function(evt) { - var code = evt.Get("winlog.event_data.ServiceType"); - if (!code) { - return; - } - evt.Put("service.type", serviceTypes[code]); - }) - .Build(); - var copyTargetUser = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.TargetUserSid", to: "user.id"}, - {from: "winlog.event_data.TargetUserName", to: "user.name"}, - {from: "winlog.event_data.TargetDomainName", to: "user.domain"}, - ], - ignore_missing: true, - }) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.TargetUserName"); - if (/.@*/.test(user)) { - user = user.split('@')[0]; - evt.Put('user.name', user); - } - 
evt.AppendTo('related.user', user); - }) - .Build(); - var copyTargetUserToGroup = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.TargetUserSid", to: "group.id"}, - {from: "winlog.event_data.TargetUserName", to: "group.name"}, - {from: "winlog.event_data.TargetDomainName", to: "group.domain"}, - ], - ignore_missing: true, - }) - .Build(); - var copyTargetUserToComputerObject = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.TargetSid", to: "winlog.computerObject.id"}, - {from: "winlog.event_data.TargetUserName", to: "winlog.computerObject.name"}, - {from: "winlog.event_data.TargetDomainName", to: "winlog.computerObject.domain"}, - ], - ignore_missing: true, - }) - .Build(); - var copyTargetUserLogonId = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.TargetLogonId", to: "winlog.logon.id"}, - ], - ignore_missing: true, - }) - .Build(); - var copySubjectUser = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.SubjectUserSid", to: "user.id"}, - {from: "winlog.event_data.SubjectUserName", to: "user.name"}, - {from: "winlog.event_data.SubjectDomainName", to: "user.domain"}, - ], - ignore_missing: true, - }) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.SubjectUserName"); - evt.AppendTo('related.user', user); - }) - .Build(); - var copySubjectUserFromUserData = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.user_data.SubjectUserSid", to: "user.id"}, - {from: "winlog.user_data.SubjectUserName", to: "user.name"}, - {from: "winlog.user_data.SubjectDomainName", to: "user.domain"}, - ], - ignore_missing: true, - }) - .Add(function(evt) { - var user = evt.Get("winlog.user_data.SubjectUserName"); - evt.AppendTo('related.user', user); - }) - .Build(); - var copySubjectUserLogonId = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.SubjectLogonId", to: "winlog.logon.id"}, - ], - ignore_missing: true, - }) - .Build(); 
- var copySubjectUserLogonIdFromUserData = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.user_data.SubjectLogonId", to: "winlog.logon.id"}, - ], - ignore_missing: true, - }) - .Build(); - var renameCommonAuthFields = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"}, - {from: "winlog.event_data.ProcessName", to: "process.executable"}, - {from: "winlog.event_data.IpAddress", to: "source.ip", type: "ip"}, - {from: "winlog.event_data.IpPort", to: "source.port", type: "long"}, - {from: "winlog.event_data.WorkstationName", to: "source.domain"}, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(function(evt) { - var name = evt.Get("process.name"); - if (name) { - return; - } - var exe = evt.Get("process.executable"); - if (!exe) { - return; - } - evt.Put("process.name", path.basename(exe)); - }) - .Build(); - var renameNewProcessFields = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.NewProcessId", to: "process.pid", type: "long"}, - {from: "winlog.event_data.NewProcessName", to: "process.executable"}, - {from: "winlog.event_data.ParentProcessName", to: "process.parent.executable"} - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(function(evt) { - var name = evt.Get("process.name"); - if (name) { - return; - } - var exe = evt.Get("process.executable"); - if (!exe) { - return; - } - evt.Put("process.name", path.basename(exe)); - }) - .Add(function(evt) { - var name = evt.Get("process.parent.name"); - if (name) { - return; - } - var exe = evt.Get("process.parent.executable"); - if (!exe) { - return; - } - evt.Put("process.parent.name", path.basename(exe)); - }) - .Add(function(evt) { - var cl = evt.Get("winlog.event_data.CommandLine"); - if (!cl) { - return; - } - evt.Put("process.args", windows.splitCommandLine(cl)); - evt.Put("process.command_line", cl); - }) - .Build(); - // Handles 4634 
and 4647. - var logoff = new processor.Chain() - .Add(copyTargetUser) - .Add(copyTargetUserLogonId) - .Add(addLogonType) - .Add(addEventFields) - .Build(); - // Handles both 4624 - var logonSuccess = new processor.Chain() - .Add(copyTargetUser) - .Add(copyTargetUserLogonId) - .Add(addLogonType) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.SubjectUserName"); - if (user) { - var res = /^-$/.test(user); - if (!res) { - evt.AppendTo('related.user', user); - } - } - }) - .Build(); - // Handles both 4648 - var event4648 = new processor.Chain() - .Add(copyTargetUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.SubjectUserName"); - if (user) { - var res = /^-$/.test(user); - if (!res) { - evt.AppendTo('related.user', user); - } - } - }) - .Build(); - var event4625 = new processor.Chain() - .Add(copyTargetUser) - .Add(copySubjectUserLogonId) - .Add(addLogonType) - .Add(addFailureCode) - .Add(addFailureStatus) - .Add(addFailureSubStatus) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Build(); - var event4672 = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(function(evt) { - var privs = evt.Get("winlog.event_data.PrivilegeList"); - if (!privs) { - return; - } - evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/)); - }) - .Add(addEventFields) - .Build(); - var event4688 = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameNewProcessFields) - .Add(addEventFields) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.TargetUserName"); - var res = /^-$/.test(user); - if (!res) { - evt.AppendTo('related.user', user); - } - }) - .Build(); - var event4689 = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Build(); - var 
event4697 = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addServiceFields) - .Add(addEventFields) - .Add(function(evt) { - evt.AppendTo("event.type", "change"); - }) - .Build(); - var userMgmtEvts = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addUACDescription) - .Add(addEventFields) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.TargetUserName"); - evt.AppendTo('related.user', user); - evt.AppendTo("event.type", "user"); - }) - .Build(); - var userRenamed = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(addEventFields) - .Add(function(evt) { - var userNew = evt.Get("winlog.event_data.NewTargetUserName"); - evt.AppendTo('related.user', userNew); - var userOld = evt.Get("winlog.event_data.OldTargetUserName"); - evt.AppendTo('related.user', userOld); - evt.AppendTo("event.type", "user"); - }) - .Build(); - var groupMgmtEvts = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(copyTargetUserToGroup) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Add(function(evt) { - evt.AppendTo("event.type", "group"); - var member = evt.Get("winlog.event_data.MemberName"); - if (!member) { - return; - } - evt.AppendTo("related.user", member.split(',')[0].replace('CN=', '').replace('cn=', '')); - }) - .Build(); - var auditLogCleared = new processor.Chain() - .Add(copySubjectUserFromUserData) - .Add(copySubjectUserLogonIdFromUserData) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Add(function(evt) { - evt.AppendTo("event.type", "change"); - }) - .Build(); - var auditChanged = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addAuditInfo) - .Add(addEventFields) - .Add(function(evt) { - evt.AppendTo("event.type", "change"); - }) - .Build(); - var auditLogMgmt = new 
processor.Chain() - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Build(); - var computerMgmtEvts = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(copyTargetUserToComputerObject) - .Add(renameCommonAuthFields) - .Add(addUACDescription) - .Add(addEventFields) - .Add(function(evt) { - var privs = evt.Get("winlog.event_data.PrivilegeList"); - if (!privs) { - return; - } - evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/)); - evt.AppendTo("event.type", "admin"); - }) - .Build(); - var sessionEvts = new processor.Chain() - .Add(addSessionData) - .Add(addEventFields) - .Build(); - var event4964 = new processor.Chain() - .Add(copyTargetUser) - .Add(copyTargetUserLogonId) - .Add(addEventFields) - .Add(function(evt) { - evt.AppendTo("event.type", "group"); - }) - .Build(); - var kerberosTktEvts = new processor.Chain() - .Add(copyTargetUser) - .Add(renameCommonAuthFields) - .Add(addTicketOptionsDescription) - .Add(addTicketEncryptionType) - .Add(addTicketStatus) - .Add(addEventFields) - .Add(function(evt) { - var ip = evt.Get("source.ip"); - if (/::ffff:/.test(ip)) { - evt.Put("source.ip", ip.replace("::ffff:", "")); - } - }) - .Build(); - var event4776 = new processor.Chain() - .Add(copyTargetUser) - .Add(addFailureStatus) - .Add(addEventFields) - .Build(); - var scheduledTask = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(addEventFields) - .Add(function(evt) { - evt.AppendTo("event.type", "admin"); - }) - .Build(); - var sensitivePrivilege = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Add(function(evt) { - var privs = evt.Get("winlog.event_data.PrivilegeList"); - if (!privs) { - return; - } - evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/)); - }) - .Add(function(evt){ - var maskCodes = evt.Get("winlog.event_data.AccessMask"); - if (!maskCodes) { - return; - } - var maskList = 
maskCodes.replace(/\s+/g, '').split("%%").filter(String); - evt.Put("winlog.event_data.AccessMask", maskList); - var maskResults = []; - for (var j = 0; j < maskList.length; j++) { - var description = msobjsMessageTable[maskList[j]]; - if (description === undefined) { - return; - } - maskResults.push(description); - } - evt.Put("winlog.event_data.AccessMaskDescription", maskResults); - }) - .Build(); - return { - // 1100 - The event logging service has shut down. - 1100: auditLogMgmt.Run, - // 1102 - The audit log was cleared. - 1102: auditLogCleared.Run, - // 1104 - The security log is now full. - 1104: auditLogMgmt.Run, - // 1105 - Event log automatic backup. - 1105: auditLogMgmt.Run, - // 1108 - The event logging service encountered an error while processing an incoming event published from %1 - 1108: auditLogMgmt.Run, - // 4624 - An account was successfully logged on. - 4624: logonSuccess.Run, - // 4625 - An account failed to log on. - 4625: event4625.Run, - // 4634 - An account was logged off. - 4634: logoff.Run, - // 4647 - User initiated logoff. - 4647: logoff.Run, - // 4648 - A logon was attempted using explicit credentials. - 4648: event4648.Run, - // 4672 - Special privileges assigned to new logon. - 4672: event4672.Run, - // 4673 - A privileged service was called. - 4673: sensitivePrivilege.Run, - // 4674 - An operation was attempted on a privileged object. - 4674: sensitivePrivilege.Run, - // 4688 - A new process has been created. - 4688: event4688.Run, - // 4689 - A process has exited. - 4689: event4689.Run, - // 4697 - A service was installed in the system. - 4697: event4697.Run, - // 4698 - A scheduled task was created. - 4698: scheduledTask.Run, - // 4699 - A scheduled task was deleted. - 4699: scheduledTask.Run, - // 4700 - A scheduled task was enabled. - 4700: scheduledTask.Run, - // 4701 - A scheduled task was disabled. - 4701: scheduledTask.Run, - // 4702 - A scheduled task was updated. 
- 4702: scheduledTask.Run, - // 4719 - System audit policy was changed. - 4719: auditChanged.Run, - // 4720 - A user account was created - 4720: userMgmtEvts.Run, - // 4722 - A user account was enabled - 4722: userMgmtEvts.Run, - // 4723 - An attempt was made to change an account's password - 4723: userMgmtEvts.Run, - // 4724 - An attempt was made to reset an account's password - 4724: userMgmtEvts.Run, - // 4725 - A user account was disabled. - 4725: userMgmtEvts.Run, - // 4726 - An user account was deleted. - 4726: userMgmtEvts.Run, - // 4727 - A security-enabled global group was created. - 4727: groupMgmtEvts.Run, - // 4728 - A member was added to a security-enabled global group. - 4728: groupMgmtEvts.Run, - // 4729 - A member was removed from a security-enabled global group. - 4729: groupMgmtEvts.Run, - // 4730 - A security-enabled global group was deleted. - 4730: groupMgmtEvts.Run, - // 4731 - A security-enabled local group was created. - 4731: groupMgmtEvts.Run, - // 4732 - A member was added to a security-enabled local group. - 4732: groupMgmtEvts.Run, - // 4733 - A member was removed from a security-enabled local group. - 4733: groupMgmtEvts.Run, - // 4734 - A security-enabled local group was deleted. - 4734: groupMgmtEvts.Run, - // 4735 - A security-enabled local group was changed. - 4735: groupMgmtEvts.Run, - // 4737 - A security-enabled global group was changed. - 4737: groupMgmtEvts.Run, - // 4738 - An user account was changed. - 4738: userMgmtEvts.Run, - // 4740 - An account was locked out - 4740: userMgmtEvts.Run, - // 4741 - A computer account was created. - 4741: computerMgmtEvts.Run, - // 4742 - A computer account was changed. - 4742: computerMgmtEvts.Run, - // 4743 - A computer account was deleted. - 4743: computerMgmtEvts.Run, - // 4744 - A security-disabled local group was created. - 4744: groupMgmtEvts.Run, - // 4745 - A security-disabled local group was changed. 
- 4745: groupMgmtEvts.Run, - // 4746 - A member was added to a security-disabled local group. - 4746: groupMgmtEvts.Run, - // 4747 - A member was removed from a security-disabled local group. - 4747: groupMgmtEvts.Run, - // 4748 - A security-disabled local group was deleted. - 4748: groupMgmtEvts.Run, - // 4749 - A security-disabled global group was created. - 4749: groupMgmtEvts.Run, - // 4750 - A security-disabled global group was changed. - 4750: groupMgmtEvts.Run, - // 4751 - A member was added to a security-disabled global group. - 4751: groupMgmtEvts.Run, - // 4752 - A member was removed from a security-disabled global group. - 4752: groupMgmtEvts.Run, - // 4753 - A security-disabled global group was deleted. - 4753: groupMgmtEvts.Run, - // 4754 - A security-enabled universal group was created. - 4754: groupMgmtEvts.Run, - // 4755 - A security-enabled universal group was changed. - 4755: groupMgmtEvts.Run, - // 4756 - A member was added to a security-enabled universal group. - 4756: groupMgmtEvts.Run, - // 4757 - A member was removed from a security-enabled universal group. - 4757: groupMgmtEvts.Run, - // 4758 - A security-enabled universal group was deleted. - 4758: groupMgmtEvts.Run, - // 4759 - A security-disabled universal group was created. - 4759: groupMgmtEvts.Run, - // 4760 - A security-disabled universal group was changed. - 4760: groupMgmtEvts.Run, - // 4761 - A member was added to a security-disabled universal group. - 4761: groupMgmtEvts.Run, - // 4762 - A member was removed from a security-disabled universal group. - 4762: groupMgmtEvts.Run, - // 4763 - A security-disabled global group was deleted. - 4763: groupMgmtEvts.Run, - // 4764 - A group\'s type was changed. - 4764: groupMgmtEvts.Run, - // 4767 - A user account was unlocked. - 4767: userMgmtEvts.Run, - // 4768 - A Kerberos authentication ticket TGT was requested. - 4768: kerberosTktEvts.Run, - // 4769 - A Kerberos service ticket was requested. 
- 4769: kerberosTktEvts.Run,
- // 4770 - A Kerberos service ticket was renewed.
- 4770: kerberosTktEvts.Run,
- // 4771 - Kerberos pre-authentication failed.
- 4771: kerberosTktEvts.Run,
- // 4776 - The computer attempted to validate the credentials for an account.
- 4776: event4776.Run,
- // 4778 - A session was reconnected to a Window Station.
- 4778: sessionEvts.Run,
- // 4779 - A session was disconnected from a Window Station.
- 4779: sessionEvts.Run,
- // 4781 - The name of an account was changed.
- 4781: userRenamed.Run,
- // 4798 - A user's local group membership was enumerated.
- 4798: userMgmtEvts.Run,
- // 4799 - A security-enabled local group membership was enumerated.
- 4799: groupMgmtEvts.Run,
- // 4964 - Special groups have been assigned to a new logon.
- 4964: event4964.Run,
- process: function(evt) {
- var eventId = evt.Get("winlog.event_id");
- var processor = this[eventId];
- if (processor === undefined) {
- return;
- }
- evt.Put("event.module", "security");
- processor(evt);
- },
- };
- })();
- function process(evt) {
- return security.process(evt);
- }
\ No newline at end of file
diff --git a/packages/system/0.11.0/data_stream/security/elasticsearch/ingest_pipeline/default.yml b/packages/system/0.11.0/data_stream/security/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100644
index 4b6fecee0d..0000000000
--- a/packages/system/0.11.0/data_stream/security/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-description: Pipeline for Windows Security Event Logs
-processors:
- - set:
- field: event.ingested
- value: '{{_ingest.timestamp}}'
-on_failure:
- - set:
- field: "error.message"
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/system/0.11.0/data_stream/security/fields/agent.yml b/packages/system/0.11.0/data_stream/security/fields/agent.yml
deleted file mode 100644
index da4e652c53..0000000000
--- a/packages/system/0.11.0/data_stream/security/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.11.0/data_stream/security/fields/base-fields.yml b/packages/system/0.11.0/data_stream/security/fields/base-fields.yml
deleted file mode 100644
index a9a65458fc..0000000000
--- a/packages/system/0.11.0/data_stream/security/fields/base-fields.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset name.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: dataset.type
- type: constant_keyword
- description: Dataset type.
-- name: dataset.name
- type: constant_keyword
- description: Dataset name.
-- name: dataset.namespace
- type: constant_keyword
- description: Dataset namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.11.0/data_stream/security/fields/ecs.yml b/packages/system/0.11.0/data_stream/security/fields/ecs.yml
deleted file mode 100644
index ccf9959fcb..0000000000
--- a/packages/system/0.11.0/data_stream/security/fields/ecs.yml
+++ /dev/null
@@ -1,147 +0,0 @@ -- description: Error message. - name: error.message - type: text -- description: The action captured by the event. - example: user-password-change - ignore_above: 1024 - name: event.action - type: keyword -- description: Event category. The second categorization field in the hierarchy. - example: authentication - ignore_above: 1024 - name: event.category - type: keyword -- description: Identification code for this event. - example: 4648 - ignore_above: 1024 - name: event.code - type: keyword -- description: Time when the event was first read by an agent or by your pipeline. - example: '2016-05-23T08:05:34.857Z' - name: event.created - type: date -- description: Timestamp when an event arrived in the central data store. - example: '2016-05-23T08:05:35.101Z' - name: event.ingested - type: date -- description: Name of the module this data is coming from. - example: apache - ignore_above: 1024 - name: event.module - type: keyword -- description: Event type. The third categorization field in the hierarchy. - ignore_above: 1024 - name: event.type - type: keyword -- description: Name of the directory the group is a member of. - ignore_above: 1024 - name: group.domain - type: keyword -- description: Unique identifier for the group on the system/platform. - ignore_above: 1024 - name: group.id - type: keyword -- description: Name of the group. - ignore_above: 1024 - name: group.name - type: keyword -- description: Full command line that started the process. - example: /usr/bin/ssh -l user 10.0.0.16 - ignore_above: 1024 - multi_fields: - - flat_name: process.command_line.text - name: text - norms: false - type: text - name: process.command_line - type: keyword -- description: Absolute path to the process executable. - example: /usr/bin/ssh - ignore_above: 1024 - multi_fields: - - flat_name: process.executable.text - name: text - norms: false - type: text - name: process.executable - type: keyword -- description: Process name. 
- example: ssh - ignore_above: 1024 - multi_fields: - - flat_name: process.name.text - name: text - norms: false - type: text - name: process.name - type: keyword -- description: Absolute path to the process executable. - example: /usr/bin/ssh - ignore_above: 1024 - multi_fields: - - flat_name: process.parent.executable.text - name: text - norms: false - type: text - name: process.parent.executable - type: keyword -- description: Process id. - example: 4242 - name: process.pid - type: long -- description: All the user names seen on your event. - ignore_above: 1024 - name: related.user - type: keyword -- description: Name of the service. - example: elasticsearch-metrics - ignore_above: 1024 - name: service.name - type: keyword -- description: The type of the service. - example: elasticsearch - ignore_above: 1024 - name: service.type - type: keyword -- description: Source domain. - ignore_above: 1024 - name: source.domain - type: keyword -- description: IP address of the source. - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: Name of the directory the user is a member of. - ignore_above: 1024 - name: user.domain - type: keyword -- description: Unique identifier of the user. - ignore_above: 1024 - name: user.id - type: keyword -- description: Short name or login of the user. - example: albert - ignore_above: 1024 - multi_fields: - - flat_name: user.name.text - name: text - norms: false - type: text - name: user.name - type: keyword -- description: Identification code for this event. - example: 4648 - ignore_above: 1024 - name: event.code - type: keyword -- description: Log level of the log event. - name: log.level - type: keyword -- description: Host ip addresses. - name: host.ip - type: ip -- description: The outcome of the event. The lowest level categorization field in the hierarchy. - name: event.outcome - type: keyword 
diff --git a/packages/system/0.11.0/data_stream/security/fields/fields.yml b/packages/system/0.11.0/data_stream/security/fields/fields.yml
deleted file mode 100644
index b8c2eedfc2..0000000000
--- a/packages/system/0.11.0/data_stream/security/fields/fields.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-- name: winlog
- type: group
- fields:
- - name: logon
- type: group
- fields:
- - name: type
- type: keyword
- description: |
- Logon type name. This is the descriptive version of the `winlog.event_data.LogonType` ordinal. This is an enrichment added by the Security module.
- - name: id
- type: keyword
- description: |
- Logon ID that can be used to associate this logon with other events related to the same logon session.
- - name: failure.reason
- type: keyword
- description: |
- The reason the logon failed.
- - name: failure.status
- type: keyword
- description: |
- The reason the logon failed. This is textual description based on the value of the hexadecimal `Status` field.
- - name: failure.sub_status
- type: keyword
- description: |
- Additional information about the logon failure. This is a textual description based on the value of the hexidecimal `SubStatus` field.
diff --git a/packages/system/0.11.0/data_stream/security/fields/winlog.yml b/packages/system/0.11.0/data_stream/security/fields/winlog.yml
deleted file mode 100644
index 1661dec6f1..0000000000
--- a/packages/system/0.11.0/data_stream/security/fields/winlog.yml
+++ /dev/null
@@ -1,365 +0,0 @@ -- name: winlog - type: group - description: > - All fields specific to the Windows Event Log are defined here. - - fields: - - name: api - required: true - type: keyword - description: > - The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. - - The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. - - - name: activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. - - - name: computer_name - type: keyword - required: true - description: > - The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. - - - name: event_data - type: object - object_type: keyword - required: false - description: > - The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. - - - name: event_data - type: group - description: > - This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs. 
- - fields: - - name: AuthenticationPackageName - type: keyword - - name: Binary - type: keyword - - name: BitlockerUserInputTime - type: keyword - - name: BootMode - type: keyword - - name: BootType - type: keyword - - name: BuildVersion - type: keyword - - name: Company - type: keyword - - name: CorruptionActionState - type: keyword - - name: CreationUtcTime - type: keyword - - name: Description - type: keyword - - name: Detail - type: keyword - - name: DeviceName - type: keyword - - name: DeviceNameLength - type: keyword - - name: DeviceTime - type: keyword - - name: DeviceVersionMajor - type: keyword - - name: DeviceVersionMinor - type: keyword - - name: DriveName - type: keyword - - name: DriverName - type: keyword - - name: DriverNameLength - type: keyword - - name: DwordVal - type: keyword - - name: EntryCount - type: keyword - - name: ExtraInfo - type: keyword - - name: FailureName - type: keyword - - name: FailureNameLength - type: keyword - - name: FileVersion - type: keyword - - name: FinalStatus - type: keyword - - name: Group - type: keyword - - name: IdleImplementation - type: keyword - - name: IdleStateCount - type: keyword - - name: ImpersonationLevel - type: keyword - - name: IntegrityLevel - type: keyword - - name: IpAddress - type: keyword - - name: IpPort - type: keyword - - name: KeyLength - type: keyword - - name: LastBootGood - type: keyword - - name: LastShutdownGood - type: keyword - - name: LmPackageName - type: keyword - - name: LogonGuid - type: keyword - - name: LogonId - type: keyword - - name: LogonProcessName - type: keyword - - name: LogonType - type: keyword - - name: MajorVersion - type: keyword - - name: MaximumPerformancePercent - type: keyword - - name: MemberName - type: keyword - - name: MemberSid - type: keyword - - name: MinimumPerformancePercent - type: keyword - - name: MinimumThrottlePercent - type: keyword - - name: MinorVersion - type: keyword - - name: NewProcessId - type: keyword - - name: NewProcessName - type: 
keyword - - name: NewSchemeGuid - type: keyword - - name: NewTime - type: keyword - - name: NominalFrequency - type: keyword - - name: Number - type: keyword - - name: OldSchemeGuid - type: keyword - - name: OldTime - type: keyword - - name: OriginalFileName - type: keyword - - name: Path - type: keyword - - name: PerformanceImplementation - type: keyword - - name: PreviousCreationUtcTime - type: keyword - - name: PreviousTime - type: keyword - - name: PrivilegeList - type: keyword - - name: ProcessId - type: keyword - - name: ProcessName - type: keyword - - name: ProcessPath - type: keyword - - name: ProcessPid - type: keyword - - name: Product - type: keyword - - name: PuaCount - type: keyword - - name: PuaPolicyId - type: keyword - - name: QfeVersion - type: keyword - - name: Reason - type: keyword - - name: SchemaVersion - type: keyword - - name: ScriptBlockText - type: keyword - - name: ServiceName - type: keyword - - name: ServiceVersion - type: keyword - - name: ShutdownActionType - type: keyword - - name: ShutdownEventCode - type: keyword - - name: ShutdownReason - type: keyword - - name: Signature - type: keyword - - name: SignatureStatus - type: keyword - - name: Signed - type: keyword - - name: StartTime - type: keyword - - name: State - type: keyword - - name: Status - type: keyword - - name: StopTime - type: keyword - - name: SubjectDomainName - type: keyword - - name: SubjectLogonId - type: keyword - - name: SubjectUserName - type: keyword - - name: SubjectUserSid - type: keyword - - name: TSId - type: keyword - - name: TargetDomainName - type: keyword - - name: TargetInfo - type: keyword - - name: TargetLogonGuid - type: keyword - - name: TargetLogonId - type: keyword - - name: TargetServerName - type: keyword - - name: TargetUserName - type: keyword - - name: NewTargetUserName - type: keyword - - name: OldTargetUserName - type: keyword - - name: TargetUserSid - type: keyword - - name: TerminalSessionId - type: keyword - - name: TokenElevationType - 
type: keyword - - name: TransmittedServices - type: keyword - - name: UserSid - type: keyword - - name: Version - type: keyword - - name: Workstation - type: keyword - - name: param1 - type: keyword - - name: param2 - type: keyword - - name: param3 - type: keyword - - name: param4 - type: keyword - - name: param5 - type: keyword - - name: param6 - type: keyword - - name: param7 - type: keyword - - name: param8 - type: keyword - - name: event_id - type: keyword - required: true - description: > - The event identifier. The value is specific to the source of the event. - - - name: keywords - type: keyword - required: false - description: > - The keywords are used to classify an event. - - - name: channel - type: keyword - required: true - description: > - The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. - - - name: record_id - type: keyword - required: true - description: > - The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. - - - name: related_activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. - - - name: opcode - type: keyword - required: false - description: > - The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. - - - name: provider_guid - type: keyword - required: false - description: > - A globally unique identifier that identifies the provider that logged the event. 
- - - name: process.pid - type: long - required: false - description: > - The process_id of the Client Server Runtime Process. - - - name: provider_name - type: keyword - required: true - description: > - The source of the event log record (the application or service that logged the record). - - - name: task - type: keyword - required: false - description: > - The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. - - - name: process.thread.id - type: long - required: false - - name: user_data - type: object - object_type: keyword - required: false - description: > - The event specific data. This field is mutually exclusive with `event_data`. - - - name: user.identifier - type: keyword - required: false - example: S-1-5-21-3541430928-2051711210-1391384369-1001 - description: > - The Windows security identifier (SID) of the account associated with this event. - - If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. - - - name: user.name - type: keyword - description: > - Name of the user associated with this event. - - - name: user.domain - type: keyword - required: false - description: > - The domain that the account associated with this event is a member of. - - - name: user.type - type: keyword - required: false - description: > - The type of account associated with this event. - - - name: version - type: long - required: false - description: The version number of the event's definition. diff --git a/packages/system/0.11.0/data_stream/security/manifest.yml b/packages/system/0.11.0/data_stream/security/manifest.yml deleted file mode 100644 index a0f8b8b08e..0000000000 
--- a/packages/system/0.11.0/data_stream/security/manifest.yml
+++ /dev/null
@@ -1,8 +0,0 @@
-type: logs
-title: Windows security logs
-release: experimental
-streams:
- - input: winlog
- template_path: winlog.yml.hbs
- title: Security
- description: 'Collect Windows security logs'
diff --git a/packages/system/0.11.0/data_stream/socket_summary/agent/stream/stream.yml.hbs b/packages/system/0.11.0/data_stream/socket_summary/agent/stream/stream.yml.hbs
deleted file mode 100644
index 98643a9111..0000000000
--- a/packages/system/0.11.0/data_stream/socket_summary/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,5 +0,0 @@
-metricsets: ["socket_summary"]
-period: {{period}}
-{{#if system.hostfs}}
-system.hostfs: {{system.hostfs}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/system/0.11.0/data_stream/socket_summary/fields/agent.yml b/packages/system/0.11.0/data_stream/socket_summary/fields/agent.yml
deleted file mode 100644
index da4e652c53..0000000000
--- a/packages/system/0.11.0/data_stream/socket_summary/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.11.0/data_stream/socket_summary/fields/base-fields.yml b/packages/system/0.11.0/data_stream/socket_summary/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.11.0/data_stream/socket_summary/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.11.0/data_stream/socket_summary/fields/ecs.yml b/packages/system/0.11.0/data_stream/socket_summary/fields/ecs.yml
deleted file mode 100644
index 9f3d04118b..0000000000
--- a/packages/system/0.11.0/data_stream/socket_summary/fields/ecs.yml
+++ /dev/null
@@ -1,128 +0,0 @@ -- name: '@timestamp' - level: core - required: true - type: date - description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. -- name: message - level: core - type: text - description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. -- name: group - title: Group - group: 2 - type: group - fields: - - name: id - level: extended - type: keyword - description: Unique identifier for the group on the system/platform. - ignore_above: 1024 - - name: name - level: extended - type: keyword - description: Name of the group. - ignore_above: 1024 -- name: host - title: Host - group: 2 - type: group - fields: - - name: hostname - level: core - type: keyword - description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - ignore_above: 1024 -- name: process - title: Process - group: 2 - type: group - fields: - - name: name - level: extended - type: keyword - description: |- - Process name. - Sometimes called program name or similar. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - - name: pid - level: core - type: long - format: string - description: Process id. -- name: source - title: Source - group: 2 - type: group - fields: - - name: geo.city_name - level: core - type: keyword - description: City name. 
- ignore_above: 1024 - - name: geo.continent_name - level: core - type: keyword - description: Name of the continent. - ignore_above: 1024 - - name: geo.country_iso_code - level: core - type: keyword - description: Country ISO code. - ignore_above: 1024 - - name: geo.location - level: core - type: geo_point - description: Longitude and latitude. - - name: geo.region_iso_code - level: core - type: keyword - description: Region ISO code. - ignore_above: 1024 - - name: geo.region_name - level: core - type: keyword - description: Region name. - ignore_above: 1024 - - name: ip - level: core - type: ip - description: IP address of the source (IPv4 or IPv6). - - name: port - level: core - type: long - format: string - description: Port of the source. -- name: user - title: User - group: 2 - type: group - fields: - - name: id - level: core - type: keyword - description: Unique identifier of the user. - ignore_above: 1024 - - name: name - level: core - type: keyword - description: Short name or login of the user. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false diff --git a/packages/system/0.11.0/data_stream/socket_summary/fields/fields.yml b/packages/system/0.11.0/data_stream/socket_summary/fields/fields.yml deleted file mode 100644 index fca58be0c8..0000000000 --- a/packages/system/0.11.0/data_stream/socket_summary/fields/fields.yml +++ /dev/null 
@@ -1,106 +0,0 @@
-- name: system.socket.summary
- title: Socket summary
- type: group
- fields:
- - name: all
- type: group
- fields:
- - name: count
- type: integer
- metric_type: gauge
- description: |
- All open connections
- - name: listening
- type: integer
- metric_type: gauge
- description: |
- All listening ports
- - name: tcp
- type: group
- fields:
- - name: memory
- type: integer
- format: bytes
- unit: byte
- metric_type: gauge
- description: "Memory used by TCP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/tcp_mem. Only available on Linux. \n"
- - name: all
- type: group
- fields:
- - name: orphan
- type: integer
- metric_type: gauge
- description: |
- A count of all orphaned tcp sockets. Only available on Linux.
- - name: count
- type: integer
- metric_type: gauge
- description: |
- All open TCP connections
- - name: listening
- type: integer
- metric_type: gauge
- description: |
- All TCP listening ports
- - name: established
- type: integer
- metric_type: gauge
- description: |
- Number of established TCP connections
- - name: close_wait
- type: integer
- metric_type: gauge
- description: |
- Number of TCP connections in _close_wait_ state
- - name: time_wait
- type: integer
- metric_type: gauge
- description: |
- Number of TCP connections in _time_wait_ state
- - name: syn_sent
- type: integer
- metric_type: gauge
- description: |
- Number of TCP connections in _syn_sent_ state
- - name: syn_recv
- type: integer
- metric_type: gauge
- description: |
- Number of TCP connections in _syn_recv_ state
- - name: fin_wait1
- type: integer
- metric_type: gauge
- description: |
- Number of TCP connections in _fin_wait1_ state
- - name: fin_wait2
- type: integer
- metric_type: gauge
- description: |
- Number of TCP connections in _fin_wait2_ state
- - name: last_ack
- type: integer
- metric_type: gauge
- description: |
- Number of TCP connections in _last_ack_ state
- - name: closing
- type: integer
- metric_type: gauge
- description: |
- Number of TCP connections in _closing_ state
- - name: udp
- type: group
- fields:
- - name: memory
- type: integer
- format: bytes
- unit: byte
- metric_type: gauge
- description: "Memory used by UDP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/udp_mem. Only available on Linux. \n"
- - name: all
- type: group
- fields:
- - name: count
- type: integer
- metric_type: gauge
- description: |
- All open UDP connections
diff --git a/packages/system/0.11.0/data_stream/socket_summary/manifest.yml b/packages/system/0.11.0/data_stream/socket_summary/manifest.yml
deleted file mode 100644
index 119109fe70..0000000000
--- a/packages/system/0.11.0/data_stream/socket_summary/manifest.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-title: System socket_summary metrics
-release: experimental
-type: metrics
-streams:
- - input: system/metrics
- vars:
- - name: period
- type: text
- title: Period
- multi: false
- required: true
- show_user: true
- default: 10s
- title: System socket_summary metrics
- description: Collect System socket_summary metrics
diff --git a/packages/system/0.11.0/data_stream/syslog/agent/stream/log.yml.hbs b/packages/system/0.11.0/data_stream/syslog/agent/stream/log.yml.hbs
deleted file mode 100644
index 58c96859c0..0000000000
--- a/packages/system/0.11.0/data_stream/syslog/agent/stream/log.yml.hbs
+++ /dev/null
@@ -1,14 +0,0 @@
-paths:
-{{#each paths as |path i|}}
- - {{path}}
-{{/each}}
-exclude_files: [".gz$"]
-multiline:
- pattern: "^\\s"
- match: after
-processors:
- - add_locale: ~
- - add_fields:
- target: ''
- fields:
- ecs.version: 1.5.0
\ No newline at end of file
diff --git a/packages/system/0.11.0/data_stream/syslog/elasticsearch/ingest_pipeline/default.json b/packages/system/0.11.0/data_stream/syslog/elasticsearch/ingest_pipeline/default.json
deleted file mode 100644
index 0c614b8a95..0000000000
--- a/packages/system/0.11.0/data_stream/syslog/elasticsearch/ingest_pipeline/default.json
+++ /dev/null
@@ -1,71 +0,0 @@
-{
- "description": "Pipeline for parsing Syslog messages.",
- "processors": [
- {
- "grok": {
- "field": "message",
- "patterns": [
- "%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: %{GREEDYMULTILINE:system.syslog.message}",
- "%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{GREEDYMULTILINE:system.syslog.message}",
- "%{TIMESTAMP_ISO8601:system.syslog.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: %{GREEDYMULTILINE:system.syslog.message}"
- ],
- "pattern_definitions" : {
- "GREEDYMULTILINE" : "(.|\n)*"
- },
- "ignore_missing": true
- }
- },
- {
- "remove": {
- "field": "message"
- }
- },
- {
- "rename": {
- "field": "system.syslog.message",
- "target_field": "message",
- "ignore_missing": true
- }
- },
- {
- "date": {
- "if": "ctx.event.timezone == null",
- "field": "system.syslog.timestamp",
- "target_field": "@timestamp",
- "formats": [
- "MMM d HH:mm:ss",
- "MMM dd HH:mm:ss",
- "MMM d HH:mm:ss",
- "ISO8601"
- ],
- "on_failure": [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]
- }
- },
- {
- "date": {
- "if": "ctx.event.timezone != null",
- "field": "system.syslog.timestamp",
- "target_field": "@timestamp",
- "formats": [
- "MMM d HH:mm:ss",
- "MMM dd HH:mm:ss",
- "MMM d HH:mm:ss",
- "ISO8601"
- ],
- "timezone": "{{ event.timezone }}",
- "on_failure": [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]
- }
- },
- {
- "remove": {
- "field": "system.syslog.timestamp"
- }
- }
- ],
- "on_failure" : [{
- "set" : {
- "field" : "error.message",
- "value" : "{{ _ingest.on_failure_message }}"
- }
- }]
-}
diff --git a/packages/system/0.11.0/data_stream/syslog/elasticsearch/ingest_pipeline/default.yml b/packages/system/0.11.0/data_stream/syslog/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100644
index 0385fc138f..0000000000
--- a/packages/system/0.11.0/data_stream/syslog/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,58 +0,0 @@
----
-description: Pipeline for parsing Syslog messages.
-processors:
-- grok:
- field: message
- patterns:
- - '%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?:
- %{GREEDYMULTILINE:system.syslog.message}'
- - '%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{GREEDYMULTILINE:system.syslog.message}'
- - '%{TIMESTAMP_ISO8601:system.syslog.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?:
- %{GREEDYMULTILINE:system.syslog.message}'
- pattern_definitions:
- GREEDYMULTILINE: |-
- (.|
- )*
- ignore_missing: true
-- remove:
- field: message
-- rename:
- field: system.syslog.message
- target_field: message
- ignore_missing: true
-- date:
- if: ctx.event.timezone == null
- field: system.syslog.timestamp
- target_field: '@timestamp'
- formats:
- - MMM d HH:mm:ss
- - MMM dd HH:mm:ss
- - MMM d HH:mm:ss
- - ISO8601
- on_failure:
- - append:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
-- date:
- if: ctx.event.timezone != null
- field: system.syslog.timestamp
- target_field: '@timestamp'
- formats:
- - MMM d HH:mm:ss
- - MMM dd HH:mm:ss
- - MMM d HH:mm:ss
- - ISO8601
- timezone: '{{ event.timezone }}'
- on_failure:
- - append:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
-- remove:
- field: system.syslog.timestamp
-- set:
- field: event.type
- value: event
-on_failure:
-- set:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
diff --git a/packages/system/0.11.0/data_stream/syslog/fields/agent.yml b/packages/system/0.11.0/data_stream/syslog/fields/agent.yml
deleted file mode 100644
index da4e652c53..0000000000
--- a/packages/system/0.11.0/data_stream/syslog/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.11.0/data_stream/syslog/fields/base-fields.yml b/packages/system/0.11.0/data_stream/syslog/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.11.0/data_stream/syslog/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.11.0/data_stream/syslog/fields/ecs.yml b/packages/system/0.11.0/data_stream/syslog/fields/ecs.yml
deleted file mode 100644
index 6177e5856f..0000000000
--- a/packages/system/0.11.0/data_stream/syslog/fields/ecs.yml
+++ /dev/null
@@ -1,97 +0,0 @@
-- name: '@timestamp'
- level: core
- required: true
- type: date
- description: |-
- Date/time when the event originated.
- This is the date/time extracted from the event, typically representing when the event was generated by the source.
- If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline.
- Required field for all events.
-- name: message
- level: core
- type: text
- description: |-
- For log events the message field contains the log message, optimized for viewing in a log viewer.
- For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
- If multiple messages exist, they can be combined into one message.
-- name: process
- title: Process
- group: 2
- type: group
- fields:
- - name: name
- level: extended
- type: keyword
- description: |-
- Process name.
- Sometimes called program name or similar.
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- - name: pid
- level: core
- type: long
- format: string
- description: Process id.
-- description: "Operating system architecture."
- ignore_above: 1024
- name: host.architecture
- type: keyword
-- description: "Name of the directory the group is a member of."
- ignore_above: 1024
- name: host.domain
- type: keyword
-- description: "Hostname of the host."
- ignore_above: 1024
- name: host.hostname
- type: keyword
-- description: "Unique host id."
- ignore_above: 1024
- name: host.id
- type: keyword
-- description: "Host ip addresses."
- name: host.ip
- type: ip
-- description: "Host mac addresses."
- ignore_above: 1024
- name: host.mac
- type: keyword
-- description: "Name of the host."
- ignore_above: 1024
- name: host.name
- type: keyword
-- description: "OS family (such as redhat, debian, freebsd, windows)."
- ignore_above: 1024
- name: host.os.family
- type: keyword
-- description: "Operating system name, including the version or code name."
- ignore_above: 1024
- multi_fields:
- - name: text
- norms: false
- type: text
- name: host.os.full
- type: keyword
-- description: "Operating system kernel version as a raw string."
- ignore_above: 1024
- name: host.os.kernel
- type: keyword
-- description: "Operating system name, without the version."
- ignore_above: 1024
- multi_fields:
- - name: text
- norms: false
- type: text
- name: host.os.name
- type: keyword
-- description: "Operating system platform (such centos, ubuntu, windows)."
- ignore_above: 1024
- name: host.os.platform
- type: keyword
-- description: "Operating system version as a raw string."
- ignore_above: 1024
- name: version
- type: keyword
diff --git a/packages/system/0.11.0/data_stream/syslog/fields/fields.yml b/packages/system/0.11.0/data_stream/syslog/fields/fields.yml
deleted file mode 100644
index f933686930..0000000000
--- a/packages/system/0.11.0/data_stream/syslog/fields/fields.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-- name: system.syslog
- type: group
diff --git a/packages/system/0.11.0/data_stream/syslog/manifest.yml b/packages/system/0.11.0/data_stream/syslog/manifest.yml
deleted file mode 100644
index 1aa1fe9412..0000000000
--- a/packages/system/0.11.0/data_stream/syslog/manifest.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-title: System syslog logs
-release: experimental
-type: logs
-streams:
- - input: logfile
- vars:
- - name: paths
- type: text
- title: Paths
- multi: true
- required: true
- show_user: true
- default:
- - /var/log/messages*
- - /var/log/syslog*
- template_path: log.yml.hbs
- title: System syslog logs (log)
- description: Collect System syslog logs using log input
diff --git a/packages/system/0.11.0/data_stream/system/agent/stream/winlog.yml.hbs b/packages/system/0.11.0/data_stream/system/agent/stream/winlog.yml.hbs
deleted file mode 100644
index 47df93c51d..0000000000
--- a/packages/system/0.11.0/data_stream/system/agent/stream/winlog.yml.hbs
+++ /dev/null
@@ -1,2 +0,0 @@
-name: System
-condition: ${host.platform} == 'windows'
\ No newline at end of file
diff --git a/packages/system/0.11.0/data_stream/system/elasticsearch/ingest_pipeline/default.yml b/packages/system/0.11.0/data_stream/system/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100644
index 9f7e885a2f..0000000000
--- a/packages/system/0.11.0/data_stream/system/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-description: Pipeline for Windows System Event Logs
-processors:
- - set:
- field: event.ingested
- value: '{{_ingest.timestamp}}'
-on_failure:
- - set:
- field: "error.message"
- value: "{{ _ingest.on_failure_message }}"
\ No newline at end of file
diff --git a/packages/system/0.11.0/data_stream/system/fields/agent.yml b/packages/system/0.11.0/data_stream/system/fields/agent.yml
deleted file mode 100644
index da4e652c53..0000000000
--- a/packages/system/0.11.0/data_stream/system/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.11.0/data_stream/system/fields/base-fields.yml b/packages/system/0.11.0/data_stream/system/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.11.0/data_stream/system/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.11.0/data_stream/system/fields/ecs.yml b/packages/system/0.11.0/data_stream/system/fields/ecs.yml
deleted file mode 100644
index e1817f5ca6..0000000000
--- a/packages/system/0.11.0/data_stream/system/fields/ecs.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-- description: Time when the event was first read by an agent or by your pipeline.
- example: '2016-05-23T08:05:34.857Z'
- name: event.created
- type: date
-- description: Timestamp when an event arrived in the central data store.
- example: '2016-05-23T08:05:35.101Z'
- name: event.ingested
- type: date
-- description: Raw text message of entire event.
- example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232
- ignore_above: 1024
- name: event.original
- type: keyword
-- description: Error message.
- name: error.message
- type: text
diff --git a/packages/system/0.11.0/data_stream/system/fields/winlog.yml b/packages/system/0.11.0/data_stream/system/fields/winlog.yml
deleted file mode 100644
index adca1bbdd0..0000000000
--- a/packages/system/0.11.0/data_stream/system/fields/winlog.yml
+++ /dev/null
@@ -1,357 +0,0 @@ -- name: winlog - type: group - description: > - All fields specific to the Windows Event Log are defined here. - - fields: - - name: api - required: true - type: keyword - description: > - The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. - - - name: activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. - - - name: computer_name - type: keyword - required: true - description: > - The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. - - - name: event_data - type: object - object_type: keyword - required: false - description: > - The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. - - - name: event_data - type: group - description: > - This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs. 
- - fields: - - name: AuthenticationPackageName - type: keyword - - name: Binary - type: keyword - - name: BitlockerUserInputTime - type: keyword - - name: BootMode - type: keyword - - name: BootType - type: keyword - - name: BuildVersion - type: keyword - - name: Company - type: keyword - - name: CorruptionActionState - type: keyword - - name: CreationUtcTime - type: keyword - - name: Description - type: keyword - - name: Detail - type: keyword - - name: DeviceName - type: keyword - - name: DeviceNameLength - type: keyword - - name: DeviceTime - type: keyword - - name: DeviceVersionMajor - type: keyword - - name: DeviceVersionMinor - type: keyword - - name: DriveName - type: keyword - - name: DriverName - type: keyword - - name: DriverNameLength - type: keyword - - name: DwordVal - type: keyword - - name: EntryCount - type: keyword - - name: ExtraInfo - type: keyword - - name: FailureName - type: keyword - - name: FailureNameLength - type: keyword - - name: FileVersion - type: keyword - - name: FinalStatus - type: keyword - - name: Group - type: keyword - - name: IdleImplementation - type: keyword - - name: IdleStateCount - type: keyword - - name: ImpersonationLevel - type: keyword - - name: IntegrityLevel - type: keyword - - name: IpAddress - type: keyword - - name: IpPort - type: keyword - - name: KeyLength - type: keyword - - name: LastBootGood - type: keyword - - name: LastShutdownGood - type: keyword - - name: LmPackageName - type: keyword - - name: LogonGuid - type: keyword - - name: LogonId - type: keyword - - name: LogonProcessName - type: keyword - - name: LogonType - type: keyword - - name: MajorVersion - type: keyword - - name: MaximumPerformancePercent - type: keyword - - name: MemberName - type: keyword - - name: MemberSid - type: keyword - - name: MinimumPerformancePercent - type: keyword - - name: MinimumThrottlePercent - type: keyword - - name: MinorVersion - type: keyword - - name: NewProcessId - type: keyword - - name: NewProcessName - type: 
keyword - - name: NewSchemeGuid - type: keyword - - name: NewTime - type: keyword - - name: NominalFrequency - type: keyword - - name: Number - type: keyword - - name: OldSchemeGuid - type: keyword - - name: OldTime - type: keyword - - name: OriginalFileName - type: keyword - - name: Path - type: keyword - - name: PerformanceImplementation - type: keyword - - name: PreviousCreationUtcTime - type: keyword - - name: PreviousTime - type: keyword - - name: PrivilegeList - type: keyword - - name: ProcessId - type: keyword - - name: ProcessName - type: keyword - - name: ProcessPath - type: keyword - - name: ProcessPid - type: keyword - - name: Product - type: keyword - - name: PuaCount - type: keyword - - name: PuaPolicyId - type: keyword - - name: QfeVersion - type: keyword - - name: Reason - type: keyword - - name: SchemaVersion - type: keyword - - name: ScriptBlockText - type: keyword - - name: ServiceName - type: keyword - - name: ServiceVersion - type: keyword - - name: ShutdownActionType - type: keyword - - name: ShutdownEventCode - type: keyword - - name: ShutdownReason - type: keyword - - name: Signature - type: keyword - - name: SignatureStatus - type: keyword - - name: Signed - type: keyword - - name: StartTime - type: keyword - - name: State - type: keyword - - name: Status - type: keyword - - name: StopTime - type: keyword - - name: SubjectDomainName - type: keyword - - name: SubjectLogonId - type: keyword - - name: SubjectUserName - type: keyword - - name: SubjectUserSid - type: keyword - - name: TSId - type: keyword - - name: TargetDomainName - type: keyword - - name: TargetInfo - type: keyword - - name: TargetLogonGuid - type: keyword - - name: TargetLogonId - type: keyword - - name: TargetServerName - type: keyword - - name: TargetUserName - type: keyword - - name: TargetUserSid - type: keyword - - name: TerminalSessionId - type: keyword - - name: TokenElevationType - type: keyword - - name: TransmittedServices - type: keyword - - name: UserSid - type: 
keyword - - name: Version - type: keyword - - name: Workstation - type: keyword - - name: param1 - type: keyword - - name: param2 - type: keyword - - name: param3 - type: keyword - - name: param4 - type: keyword - - name: param5 - type: keyword - - name: param6 - type: keyword - - name: param7 - type: keyword - - name: param8 - type: keyword - - name: event_id - type: keyword - required: true - description: > - The event identifier. The value is specific to the source of the event. - - - name: keywords - type: keyword - required: false - description: > - The keywords are used to classify an event. - - - name: channel - type: keyword - required: true - description: > - The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. - - - name: record_id - type: keyword - required: true - description: > - The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. - - - name: related_activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. - - - name: opcode - type: keyword - required: false - description: > - The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. - - - name: provider_guid - type: keyword - required: false - description: > - A globally unique identifier that identifies the provider that logged the event. - - - name: process.pid - type: long - required: false - description: > - The process_id of the Client Server Runtime Process. 
- - - name: provider_name - type: keyword - required: true - description: > - The source of the event log record (the application or service that logged the record). - - - name: task - type: keyword - required: false - description: > - The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. - - - name: process.thread.id - type: long - required: false - - name: user_data - type: object - object_type: keyword - required: false - description: > - The event specific data. This field is mutually exclusive with `event_data`. - - - name: user.identifier - type: keyword - required: false - example: S-1-5-21-3541430928-2051711210-1391384369-1001 - description: > - The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. - - - name: user.name - type: keyword - description: > - Name of the user associated with this event. - - - name: user.domain - type: keyword - required: false - description: > - The domain that the account associated with this event is a member of. - - - name: user.type - type: keyword - required: false - description: > - The type of account associated with this event. - - - name: version - type: long - required: false - description: The version number of the event's definition. diff --git a/packages/system/0.11.0/data_stream/system/manifest.yml b/packages/system/0.11.0/data_stream/system/manifest.yml deleted file mode 100644 index e9bec4fd1e..0000000000 --- a/packages/system/0.11.0/data_stream/system/manifest.yml +++ /dev/null 
@@ -1,8 +0,0 @@ -type: logs -title: Windows System Events -release: experimental -streams: - - input: winlog - template_path: winlog.yml.hbs - title: System - description: 'Collect Windows system logs' diff --git a/packages/system/0.11.0/data_stream/uptime/agent/stream/stream.yml.hbs b/packages/system/0.11.0/data_stream/uptime/agent/stream/stream.yml.hbs deleted file mode 100644 index 810f6a1f3e..0000000000 --- a/packages/system/0.11.0/data_stream/uptime/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,2 +0,0 @@ -metricsets: ["uptime"] -period: {{period}} \ No newline at end of file diff --git a/packages/system/0.11.0/data_stream/uptime/fields/agent.yml b/packages/system/0.11.0/data_stream/uptime/fields/agent.yml deleted file mode 100644 index da4e652c53..0000000000 --- a/packages/system/0.11.0/data_stream/uptime/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.11.0/data_stream/uptime/fields/base-fields.yml b/packages/system/0.11.0/data_stream/uptime/fields/base-fields.yml deleted file mode 100644 index 7c798f4534..0000000000 --- a/packages/system/0.11.0/data_stream/uptime/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.11.0/data_stream/uptime/fields/fields.yml b/packages/system/0.11.0/data_stream/uptime/fields/fields.yml deleted file mode 100644 index 7c61a13721..0000000000 --- a/packages/system/0.11.0/data_stream/uptime/fields/fields.yml +++ /dev/null @@ -1,10 +0,0 @@ -- name: system.uptime - type: group - fields: - - name: duration.ms - type: long - format: duration - unit: ms - metric_type: counter - description: | - The OS uptime in milliseconds. diff --git a/packages/system/0.11.0/data_stream/uptime/manifest.yml b/packages/system/0.11.0/data_stream/uptime/manifest.yml deleted file mode 100644 index d1fc1f1579..0000000000 --- a/packages/system/0.11.0/data_stream/uptime/manifest.yml +++ /dev/null @@ -1,15 +0,0 @@ -title: System uptime metrics -release: experimental -type: metrics -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - title: System uptime metrics - description: Collect System uptime metrics diff --git a/packages/system/0.11.0/docs/README.md b/packages/system/0.11.0/docs/README.md deleted file mode 100644 index 594a1ea8cb..0000000000 --- a/packages/system/0.11.0/docs/README.md +++ /dev/null 
@@ -1,1638 +0,0 @@ -# System Integration - -The System integrations allows you to monitor your servers. Because the System integration -always applies to the local server, the `hosts` config option is not needed. - -The default datasets are `cpu`, `load`, `memory`, `network`, `process`, and -`process_summary`. If _all_ datasets are disabled -and the System module is still enabled, fleet uses the default datasets. - -Note that certain datasets may access `/proc` to gather process information, -and the resulting `ptrace_may_access()` call by the kernel to check for -permissions can be blocked by -[AppArmor and other LSM software](https://gitlab.com/apparmor/apparmor/wikis/TechnicalDoc_Proc_and_ptrace), even though the System module doesn't use `ptrace` directly. - -In addition, when running inside a container the proc filesystem directory of the host -should be set using `system.hostfs` setting to `/hostfs`. - -## Compatibility - -The System datasets collect different kinds of metric data, which may require dedicated permissions -to be fetched and which may vary across operating systems. - -## Logs - -### Application - -The Windows `application` dataset provides events from the Windows -`Application` event log. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. 
| keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| error.message | Error message. | text | -| event.code | Identification code for this event. | keyword | -| event.created | Time when the event was first read by an agent or by your pipeline. | date | -| event.ingested | Timestamp when an event arrived in the central data store. | date | -| event.original | Raw text message of entire event. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. 
| keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword | -| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword | -| winlog.channel | The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. | keyword | -| winlog.computer_name | The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. | keyword | -| winlog.event_data | The event-specific data. This field is mutually exclusive with `user_data`. 
If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. | object | -| winlog.event_data.AuthenticationPackageName | | keyword | -| winlog.event_data.Binary | | keyword | -| winlog.event_data.BitlockerUserInputTime | | keyword | -| winlog.event_data.BootMode | | keyword | -| winlog.event_data.BootType | | keyword | -| winlog.event_data.BuildVersion | | keyword | -| winlog.event_data.Company | | keyword | -| winlog.event_data.CorruptionActionState | | keyword | -| winlog.event_data.CreationUtcTime | | keyword | -| winlog.event_data.Description | | keyword | -| winlog.event_data.Detail | | keyword | -| winlog.event_data.DeviceName | | keyword | -| winlog.event_data.DeviceNameLength | | keyword | -| winlog.event_data.DeviceTime | | keyword | -| winlog.event_data.DeviceVersionMajor | | keyword | -| winlog.event_data.DeviceVersionMinor | | keyword | -| winlog.event_data.DriveName | | keyword | -| winlog.event_data.DriverName | | keyword | -| winlog.event_data.DriverNameLength | | keyword | -| winlog.event_data.DwordVal | | keyword | -| winlog.event_data.EntryCount | | keyword | -| winlog.event_data.ExtraInfo | | keyword | -| winlog.event_data.FailureName | | keyword | -| winlog.event_data.FailureNameLength | | keyword | -| winlog.event_data.FileVersion | | keyword | -| winlog.event_data.FinalStatus | | keyword | -| winlog.event_data.Group | | keyword | -| winlog.event_data.IdleImplementation | | keyword | -| winlog.event_data.IdleStateCount | | keyword | -| winlog.event_data.ImpersonationLevel | | keyword | -| winlog.event_data.IntegrityLevel | | keyword | -| winlog.event_data.IpAddress | | keyword | -| winlog.event_data.IpPort | | keyword | -| winlog.event_data.KeyLength | | keyword | -| winlog.event_data.LastBootGood | | keyword | -| winlog.event_data.LastShutdownGood | | keyword | -| 
winlog.event_data.LmPackageName | | keyword | -| winlog.event_data.LogonGuid | | keyword | -| winlog.event_data.LogonId | | keyword | -| winlog.event_data.LogonProcessName | | keyword | -| winlog.event_data.LogonType | | keyword | -| winlog.event_data.MajorVersion | | keyword | -| winlog.event_data.MaximumPerformancePercent | | keyword | -| winlog.event_data.MemberName | | keyword | -| winlog.event_data.MemberSid | | keyword | -| winlog.event_data.MinimumPerformancePercent | | keyword | -| winlog.event_data.MinimumThrottlePercent | | keyword | -| winlog.event_data.MinorVersion | | keyword | -| winlog.event_data.NewProcessId | | keyword | -| winlog.event_data.NewProcessName | | keyword | -| winlog.event_data.NewSchemeGuid | | keyword | -| winlog.event_data.NewTime | | keyword | -| winlog.event_data.NominalFrequency | | keyword | -| winlog.event_data.Number | | keyword | -| winlog.event_data.OldSchemeGuid | | keyword | -| winlog.event_data.OldTime | | keyword | -| winlog.event_data.OriginalFileName | | keyword | -| winlog.event_data.Path | | keyword | -| winlog.event_data.PerformanceImplementation | | keyword | -| winlog.event_data.PreviousCreationUtcTime | | keyword | -| winlog.event_data.PreviousTime | | keyword | -| winlog.event_data.PrivilegeList | | keyword | -| winlog.event_data.ProcessId | | keyword | -| winlog.event_data.ProcessName | | keyword | -| winlog.event_data.ProcessPath | | keyword | -| winlog.event_data.ProcessPid | | keyword | -| winlog.event_data.Product | | keyword | -| winlog.event_data.PuaCount | | keyword | -| winlog.event_data.PuaPolicyId | | keyword | -| winlog.event_data.QfeVersion | | keyword | -| winlog.event_data.Reason | | keyword | -| winlog.event_data.SchemaVersion | | keyword | -| winlog.event_data.ScriptBlockText | | keyword | -| winlog.event_data.ServiceName | | keyword | -| winlog.event_data.ServiceVersion | | keyword | -| winlog.event_data.ShutdownActionType | | keyword | -| winlog.event_data.ShutdownEventCode | | keyword | -| 
winlog.event_data.ShutdownReason | | keyword | -| winlog.event_data.Signature | | keyword | -| winlog.event_data.SignatureStatus | | keyword | -| winlog.event_data.Signed | | keyword | -| winlog.event_data.StartTime | | keyword | -| winlog.event_data.State | | keyword | -| winlog.event_data.Status | | keyword | -| winlog.event_data.StopTime | | keyword | -| winlog.event_data.SubjectDomainName | | keyword | -| winlog.event_data.SubjectLogonId | | keyword | -| winlog.event_data.SubjectUserName | | keyword | -| winlog.event_data.SubjectUserSid | | keyword | -| winlog.event_data.TSId | | keyword | -| winlog.event_data.TargetDomainName | | keyword | -| winlog.event_data.TargetInfo | | keyword | -| winlog.event_data.TargetLogonGuid | | keyword | -| winlog.event_data.TargetLogonId | | keyword | -| winlog.event_data.TargetServerName | | keyword | -| winlog.event_data.TargetUserName | | keyword | -| winlog.event_data.TargetUserSid | | keyword | -| winlog.event_data.TerminalSessionId | | keyword | -| winlog.event_data.TokenElevationType | | keyword | -| winlog.event_data.TransmittedServices | | keyword | -| winlog.event_data.UserSid | | keyword | -| winlog.event_data.Version | | keyword | -| winlog.event_data.Workstation | | keyword | -| winlog.event_data.param1 | | keyword | -| winlog.event_data.param2 | | keyword | -| winlog.event_data.param3 | | keyword | -| winlog.event_data.param4 | | keyword | -| winlog.event_data.param5 | | keyword | -| winlog.event_data.param6 | | keyword | -| winlog.event_data.param7 | | keyword | -| winlog.event_data.param8 | | keyword | -| winlog.event_id | The event identifier. The value is specific to the source of the event. | keyword | -| winlog.keywords | The keywords are used to classify an event. | keyword | -| winlog.opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. 
| keyword | -| winlog.process.pid | The process_id of the Client Server Runtime Process. | long | -| winlog.process.thread.id | | long | -| winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. | keyword | -| winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword | -| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | keyword | -| winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. | keyword | -| winlog.task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. | keyword | -| winlog.user.domain | The domain that the account associated with this event is a member of. | keyword | -| winlog.user.identifier | The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. | keyword | -| winlog.user.name | Name of the user associated with this event. | keyword | -| winlog.user.type | The type of account associated with this event. | keyword | -| winlog.user_data | The event specific data. This field is mutually exclusive with `event_data`. 
| object | -| winlog.version | The version number of the event's definition. | long | - - -### System - -The Windows `system` dataset provides events from the Windows `System` -event log. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| error.message | Error message. | text | -| event.created | Time when the event was first read by an agent or by your pipeline. | date | -| event.ingested | Timestamp when an event arrived in the central data store. | date | -| event.original | Raw text message of entire event. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. 
| boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword | -| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. 
The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword | -| winlog.channel | The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. | keyword | -| winlog.computer_name | The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. | keyword | -| winlog.event_data | The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. | object | -| winlog.event_data.AuthenticationPackageName | | keyword | -| winlog.event_data.Binary | | keyword | -| winlog.event_data.BitlockerUserInputTime | | keyword | -| winlog.event_data.BootMode | | keyword | -| winlog.event_data.BootType | | keyword | -| winlog.event_data.BuildVersion | | keyword | -| winlog.event_data.Company | | keyword | -| winlog.event_data.CorruptionActionState | | keyword | -| winlog.event_data.CreationUtcTime | | keyword | -| winlog.event_data.Description | | keyword | -| winlog.event_data.Detail | | keyword | -| winlog.event_data.DeviceName | | keyword | -| winlog.event_data.DeviceNameLength | | keyword | -| winlog.event_data.DeviceTime | | keyword | -| winlog.event_data.DeviceVersionMajor | | keyword | -| winlog.event_data.DeviceVersionMinor | | keyword | -| winlog.event_data.DriveName | | keyword | -| winlog.event_data.DriverName | | keyword | -| winlog.event_data.DriverNameLength | | keyword | -| winlog.event_data.DwordVal | | keyword | -| 
winlog.event_data.EntryCount | | keyword | -| winlog.event_data.ExtraInfo | | keyword | -| winlog.event_data.FailureName | | keyword | -| winlog.event_data.FailureNameLength | | keyword | -| winlog.event_data.FileVersion | | keyword | -| winlog.event_data.FinalStatus | | keyword | -| winlog.event_data.Group | | keyword | -| winlog.event_data.IdleImplementation | | keyword | -| winlog.event_data.IdleStateCount | | keyword | -| winlog.event_data.ImpersonationLevel | | keyword | -| winlog.event_data.IntegrityLevel | | keyword | -| winlog.event_data.IpAddress | | keyword | -| winlog.event_data.IpPort | | keyword | -| winlog.event_data.KeyLength | | keyword | -| winlog.event_data.LastBootGood | | keyword | -| winlog.event_data.LastShutdownGood | | keyword | -| winlog.event_data.LmPackageName | | keyword | -| winlog.event_data.LogonGuid | | keyword | -| winlog.event_data.LogonId | | keyword | -| winlog.event_data.LogonProcessName | | keyword | -| winlog.event_data.LogonType | | keyword | -| winlog.event_data.MajorVersion | | keyword | -| winlog.event_data.MaximumPerformancePercent | | keyword | -| winlog.event_data.MemberName | | keyword | -| winlog.event_data.MemberSid | | keyword | -| winlog.event_data.MinimumPerformancePercent | | keyword | -| winlog.event_data.MinimumThrottlePercent | | keyword | -| winlog.event_data.MinorVersion | | keyword | -| winlog.event_data.NewProcessId | | keyword | -| winlog.event_data.NewProcessName | | keyword | -| winlog.event_data.NewSchemeGuid | | keyword | -| winlog.event_data.NewTime | | keyword | -| winlog.event_data.NominalFrequency | | keyword | -| winlog.event_data.Number | | keyword | -| winlog.event_data.OldSchemeGuid | | keyword | -| winlog.event_data.OldTime | | keyword | -| winlog.event_data.OriginalFileName | | keyword | -| winlog.event_data.Path | | keyword | -| winlog.event_data.PerformanceImplementation | | keyword | -| winlog.event_data.PreviousCreationUtcTime | | keyword | -| winlog.event_data.PreviousTime | | keyword | 
-| winlog.event_data.PrivilegeList | | keyword |
-| winlog.event_data.ProcessId | | keyword |
-| winlog.event_data.ProcessName | | keyword |
-| winlog.event_data.ProcessPath | | keyword |
-| winlog.event_data.ProcessPid | | keyword |
-| winlog.event_data.Product | | keyword |
-| winlog.event_data.PuaCount | | keyword |
-| winlog.event_data.PuaPolicyId | | keyword |
-| winlog.event_data.QfeVersion | | keyword |
-| winlog.event_data.Reason | | keyword |
-| winlog.event_data.SchemaVersion | | keyword |
-| winlog.event_data.ScriptBlockText | | keyword |
-| winlog.event_data.ServiceName | | keyword |
-| winlog.event_data.ServiceVersion | | keyword |
-| winlog.event_data.ShutdownActionType | | keyword |
-| winlog.event_data.ShutdownEventCode | | keyword |
-| winlog.event_data.ShutdownReason | | keyword |
-| winlog.event_data.Signature | | keyword |
-| winlog.event_data.SignatureStatus | | keyword |
-| winlog.event_data.Signed | | keyword |
-| winlog.event_data.StartTime | | keyword |
-| winlog.event_data.State | | keyword |
-| winlog.event_data.Status | | keyword |
-| winlog.event_data.StopTime | | keyword |
-| winlog.event_data.SubjectDomainName | | keyword |
-| winlog.event_data.SubjectLogonId | | keyword |
-| winlog.event_data.SubjectUserName | | keyword |
-| winlog.event_data.SubjectUserSid | | keyword |
-| winlog.event_data.TSId | | keyword |
-| winlog.event_data.TargetDomainName | | keyword |
-| winlog.event_data.TargetInfo | | keyword |
-| winlog.event_data.TargetLogonGuid | | keyword |
-| winlog.event_data.TargetLogonId | | keyword |
-| winlog.event_data.TargetServerName | | keyword |
-| winlog.event_data.TargetUserName | | keyword |
-| winlog.event_data.TargetUserSid | | keyword |
-| winlog.event_data.TerminalSessionId | | keyword |
-| winlog.event_data.TokenElevationType | | keyword |
-| winlog.event_data.TransmittedServices | | keyword |
-| winlog.event_data.UserSid | | keyword |
-| winlog.event_data.Version | | keyword |
-| winlog.event_data.Workstation | |
keyword |
-| winlog.event_data.param1 | | keyword |
-| winlog.event_data.param2 | | keyword |
-| winlog.event_data.param3 | | keyword |
-| winlog.event_data.param4 | | keyword |
-| winlog.event_data.param5 | | keyword |
-| winlog.event_data.param6 | | keyword |
-| winlog.event_data.param7 | | keyword |
-| winlog.event_data.param8 | | keyword |
-| winlog.event_id | The event identifier. The value is specific to the source of the event. | keyword |
-| winlog.keywords | The keywords are used to classify an event. | keyword |
-| winlog.opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. | keyword |
-| winlog.process.pid | The process_id of the Client Server Runtime Process. | long |
-| winlog.process.thread.id | | long |
-| winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. | keyword |
-| winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword |
-| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | keyword |
-| winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. | keyword |
-| winlog.task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field.
| keyword |
-| winlog.user.domain | The domain that the account associated with this event is a member of. | keyword |
-| winlog.user.identifier | The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. | keyword |
-| winlog.user.name | Name of the user associated with this event. | keyword |
-| winlog.user.type | The type of account associated with this event. | keyword |
-| winlog.user_data | The event specific data. This field is mutually exclusive with `event_data`. | object |
-| winlog.version | The version number of the event's definition. | long |
-
-
-
-### Security
-
-The Windows `security` dataset provides events from the Windows
-`Security` event log.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id.
| keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset name. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| dataset.name | Dataset name. | constant_keyword |
-| dataset.namespace | Dataset namespace. | constant_keyword |
-| dataset.type | Dataset type. | constant_keyword |
-| error.message | Error message. | text |
-| event.action | The action captured by the event. | keyword |
-| event.category | Event category. The second categorization field in the hierarchy. | keyword |
-| event.code | Identification code for this event. | keyword |
-| event.created | Time when the event was first read by an agent or by your pipeline. | date |
-| event.ingested | Timestamp when an event arrived in the central data store. | date |
-| event.module | Name of the module this data is coming from. | keyword |
-| event.outcome | The outcome of the event. The lowest level categorization field in the hierarchy. | keyword |
-| event.type | Event type. The third categorization field in the hierarchy. | keyword |
-| group.domain | Name of the directory the group is a member of. | keyword |
-| group.id | Unique identifier for the group on the system/platform. | keyword |
-| group.name | Name of the group. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine.
| keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| log.level | Log level of the log event. | keyword |
-| process.command_line | Full command line that started the process. | keyword |
-| process.executable | Absolute path to the process executable. | keyword |
-| process.name | Process name. | keyword |
-| process.parent.executable | Absolute path to the process executable. | keyword |
-| process.pid | Process id. | long |
-| related.user | All the user names seen on your event. | keyword |
-| service.name | Name of the service. | keyword |
-| service.type | The type of the service. | keyword |
-| source.domain | Source domain. | keyword |
-| source.ip | IP address of the source. | ip |
-| source.port | Port of the source. | long |
-| user.domain | Name of the directory the user is a member of.
| keyword |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword |
-| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword |
-| winlog.channel | The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. | keyword |
-| winlog.computer_name | The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. | keyword |
-| winlog.event_data | The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows.
| object |
-| winlog.event_data.AuthenticationPackageName | | keyword |
-| winlog.event_data.Binary | | keyword |
-| winlog.event_data.BitlockerUserInputTime | | keyword |
-| winlog.event_data.BootMode | | keyword |
-| winlog.event_data.BootType | | keyword |
-| winlog.event_data.BuildVersion | | keyword |
-| winlog.event_data.Company | | keyword |
-| winlog.event_data.CorruptionActionState | | keyword |
-| winlog.event_data.CreationUtcTime | | keyword |
-| winlog.event_data.Description | | keyword |
-| winlog.event_data.Detail | | keyword |
-| winlog.event_data.DeviceName | | keyword |
-| winlog.event_data.DeviceNameLength | | keyword |
-| winlog.event_data.DeviceTime | | keyword |
-| winlog.event_data.DeviceVersionMajor | | keyword |
-| winlog.event_data.DeviceVersionMinor | | keyword |
-| winlog.event_data.DriveName | | keyword |
-| winlog.event_data.DriverName | | keyword |
-| winlog.event_data.DriverNameLength | | keyword |
-| winlog.event_data.DwordVal | | keyword |
-| winlog.event_data.EntryCount | | keyword |
-| winlog.event_data.ExtraInfo | | keyword |
-| winlog.event_data.FailureName | | keyword |
-| winlog.event_data.FailureNameLength | | keyword |
-| winlog.event_data.FileVersion | | keyword |
-| winlog.event_data.FinalStatus | | keyword |
-| winlog.event_data.Group | | keyword |
-| winlog.event_data.IdleImplementation | | keyword |
-| winlog.event_data.IdleStateCount | | keyword |
-| winlog.event_data.ImpersonationLevel | | keyword |
-| winlog.event_data.IntegrityLevel | | keyword |
-| winlog.event_data.IpAddress | | keyword |
-| winlog.event_data.IpPort | | keyword |
-| winlog.event_data.KeyLength | | keyword |
-| winlog.event_data.LastBootGood | | keyword |
-| winlog.event_data.LastShutdownGood | | keyword |
-| winlog.event_data.LmPackageName | | keyword |
-| winlog.event_data.LogonGuid | | keyword |
-| winlog.event_data.LogonId | | keyword |
-| winlog.event_data.LogonProcessName | | keyword |
-| winlog.event_data.LogonType | | keyword |
-|
winlog.event_data.MajorVersion | | keyword |
-| winlog.event_data.MaximumPerformancePercent | | keyword |
-| winlog.event_data.MemberName | | keyword |
-| winlog.event_data.MemberSid | | keyword |
-| winlog.event_data.MinimumPerformancePercent | | keyword |
-| winlog.event_data.MinimumThrottlePercent | | keyword |
-| winlog.event_data.MinorVersion | | keyword |
-| winlog.event_data.NewProcessId | | keyword |
-| winlog.event_data.NewProcessName | | keyword |
-| winlog.event_data.NewSchemeGuid | | keyword |
-| winlog.event_data.NewTargetUserName | | keyword |
-| winlog.event_data.NewTime | | keyword |
-| winlog.event_data.NominalFrequency | | keyword |
-| winlog.event_data.Number | | keyword |
-| winlog.event_data.OldSchemeGuid | | keyword |
-| winlog.event_data.OldTargetUserName | | keyword |
-| winlog.event_data.OldTime | | keyword |
-| winlog.event_data.OriginalFileName | | keyword |
-| winlog.event_data.Path | | keyword |
-| winlog.event_data.PerformanceImplementation | | keyword |
-| winlog.event_data.PreviousCreationUtcTime | | keyword |
-| winlog.event_data.PreviousTime | | keyword |
-| winlog.event_data.PrivilegeList | | keyword |
-| winlog.event_data.ProcessId | | keyword |
-| winlog.event_data.ProcessName | | keyword |
-| winlog.event_data.ProcessPath | | keyword |
-| winlog.event_data.ProcessPid | | keyword |
-| winlog.event_data.Product | | keyword |
-| winlog.event_data.PuaCount | | keyword |
-| winlog.event_data.PuaPolicyId | | keyword |
-| winlog.event_data.QfeVersion | | keyword |
-| winlog.event_data.Reason | | keyword |
-| winlog.event_data.SchemaVersion | | keyword |
-| winlog.event_data.ScriptBlockText | | keyword |
-| winlog.event_data.ServiceName | | keyword |
-| winlog.event_data.ServiceVersion | | keyword |
-| winlog.event_data.ShutdownActionType | | keyword |
-| winlog.event_data.ShutdownEventCode | | keyword |
-| winlog.event_data.ShutdownReason | | keyword |
-| winlog.event_data.Signature | | keyword |
-| winlog.event_data.SignatureStatus |
| keyword |
-| winlog.event_data.Signed | | keyword |
-| winlog.event_data.StartTime | | keyword |
-| winlog.event_data.State | | keyword |
-| winlog.event_data.Status | | keyword |
-| winlog.event_data.StopTime | | keyword |
-| winlog.event_data.SubjectDomainName | | keyword |
-| winlog.event_data.SubjectLogonId | | keyword |
-| winlog.event_data.SubjectUserName | | keyword |
-| winlog.event_data.SubjectUserSid | | keyword |
-| winlog.event_data.TSId | | keyword |
-| winlog.event_data.TargetDomainName | | keyword |
-| winlog.event_data.TargetInfo | | keyword |
-| winlog.event_data.TargetLogonGuid | | keyword |
-| winlog.event_data.TargetLogonId | | keyword |
-| winlog.event_data.TargetServerName | | keyword |
-| winlog.event_data.TargetUserName | | keyword |
-| winlog.event_data.TargetUserSid | | keyword |
-| winlog.event_data.TerminalSessionId | | keyword |
-| winlog.event_data.TokenElevationType | | keyword |
-| winlog.event_data.TransmittedServices | | keyword |
-| winlog.event_data.UserSid | | keyword |
-| winlog.event_data.Version | | keyword |
-| winlog.event_data.Workstation | | keyword |
-| winlog.event_data.param1 | | keyword |
-| winlog.event_data.param2 | | keyword |
-| winlog.event_data.param3 | | keyword |
-| winlog.event_data.param4 | | keyword |
-| winlog.event_data.param5 | | keyword |
-| winlog.event_data.param6 | | keyword |
-| winlog.event_data.param7 | | keyword |
-| winlog.event_data.param8 | | keyword |
-| winlog.event_id | The event identifier. The value is specific to the source of the event. | keyword |
-| winlog.keywords | The keywords are used to classify an event. | keyword |
-| winlog.logon.failure.reason | The reason the logon failed. | keyword |
-| winlog.logon.failure.status | The reason the logon failed. This is textual description based on the value of the hexadecimal `Status` field. | keyword |
-| winlog.logon.failure.sub_status | Additional information about the logon failure.
This is a textual description based on the value of the hexidecimal `SubStatus` field. | keyword |
-| winlog.logon.id | Logon ID that can be used to associate this logon with other events related to the same logon session. | keyword |
-| winlog.logon.type | Logon type name. This is the descriptive version of the `winlog.event_data.LogonType` ordinal. This is an enrichment added by the Security module. | keyword |
-| winlog.opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. | keyword |
-| winlog.process.pid | The process_id of the Client Server Runtime Process. | long |
-| winlog.process.thread.id | | long |
-| winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. | keyword |
-| winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword |
-| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | keyword |
-| winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. | keyword |
-| winlog.task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. | keyword |
-| winlog.user.domain | The domain that the account associated with this event is a member of.
| keyword |
-| winlog.user.identifier | The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. | keyword |
-| winlog.user.name | Name of the user associated with this event. | keyword |
-| winlog.user.type | The type of account associated with this event. | keyword |
-| winlog.user_data | The event specific data. This field is mutually exclusive with `event_data`. | object |
-| winlog.version | The version number of the event's definition. | long |
-
-
-### Auth
-
-The `auth` dataset provides auth logs on linux and MacOS prior to 10.8.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name.
| keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| error.message | Error message. | text |
-| group.id | Unique identifier for the group on the system/platform. | keyword |
-| group.name | Name of the group. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the directory the group is a member of. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.full | Operating system name, including the version or code name. | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.
| keyword |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text |
-| process.name | Process name. Sometimes called program name or similar. | keyword |
-| process.pid | Process id. | long |
-| related.hosts | All the host names seen on your event. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names seen on your event. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| system.auth.ssh.dropped_ip | The client IP from SSH connections that are open and immediately dropped. | ip |
-| system.auth.ssh.event | The SSH event as found in the logs (Accepted, Invalid, Failed, etc.) | keyword |
-| system.auth.ssh.method | The SSH authentication method. Can be one of "password" or "publickey". | keyword |
-| system.auth.ssh.signature | The signature of the client public key. | keyword |
-| system.auth.sudo.command | The command executed via sudo. | keyword |
-| system.auth.sudo.error | The error message in case the sudo command failed. | keyword |
-| system.auth.sudo.pwd | The current directory where the sudo command is executed.
| keyword |
-| system.auth.sudo.tty | The TTY where the sudo command is executed. | keyword |
-| system.auth.sudo.user | The target user to which the sudo command is switching. | keyword |
-| system.auth.useradd.home | The home folder for the new user. | keyword |
-| system.auth.useradd.shell | The default shell for the new user. | keyword |
-| user.effective.name | Short name or login of the user. | keyword |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| version | Operating system version as a raw string. | keyword |
-
-
-### syslog
-
-The `syslog` dataset provides system logs on linux and MacOS.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id.
| keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.full | Operating system name, including the version or code name. | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.
| keyword |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text |
-| process.name | Process name. Sometimes called program name or similar. | keyword |
-| process.pid | Process id. | long |
-| version | Operating system version as a raw string. | keyword |
-
-
-## Metrics
-
-### Core
-
-The System `core` dataset provides usage statistics for each CPU core.
-
-This dataset is available on:
-
-- FreeBSD
-- Linux
-- macOS
-- OpenBSD
-- Windows
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset.
| constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip address. | ip |
-| host.mac | Host mac address. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.full | Operating system name, including the version or code name. | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. | keyword |
-| system.core.id | CPU Core number. | keyword |
-| system.core.idle.pct | The percentage of CPU time spent idle. | scaled_float |
-| system.core.idle.ticks | The amount of CPU time spent idle.
| long | -| system.core.iowait.pct | The percentage of CPU time spent in wait (on disk). | scaled_float | -| system.core.iowait.ticks | The amount of CPU time spent in wait (on disk). | long | -| system.core.irq.pct | The percentage of CPU time spent servicing and handling hardware interrupts. | scaled_float | -| system.core.irq.ticks | The amount of CPU time spent servicing and handling hardware interrupts. | long | -| system.core.nice.pct | The percentage of CPU time spent on low-priority processes. | scaled_float | -| system.core.nice.ticks | The amount of CPU time spent on low-priority processes. | long | -| system.core.softirq.pct | The percentage of CPU time spent servicing and handling software interrupts. | scaled_float | -| system.core.softirq.ticks | The amount of CPU time spent servicing and handling software interrupts. | long | -| system.core.steal.pct | The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | scaled_float | -| system.core.steal.ticks | The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | long | -| system.core.system.pct | The percentage of CPU time spent in kernel space. | scaled_float | -| system.core.system.ticks | The amount of CPU time spent in kernel space. | long | -| system.core.user.pct | The percentage of CPU time spent in user space. | scaled_float | -| system.core.user.ticks | The amount of CPU time spent in user space. | long | - - -### CPU - -The System `cpu` dataset provides CPU statistics. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- OpenBSD -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. 
Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.cpu.pct | Percent CPU used. This value is normalized by the number of CPU cores and it ranges from 0 to 1. | scaled_float | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip address. 
| ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| system.cpu.cores | The number of CPU cores present on the host. The non-normalized percentages will have a maximum value of `100% * cores`. The normalized percentages already take this value into account and have a maximum value of 100%. | long | -| system.cpu.idle.norm.pct | The percentage of CPU time spent idle. | scaled_float | -| system.cpu.idle.pct | The percentage of CPU time spent idle. | scaled_float | -| system.cpu.idle.ticks | The amount of CPU time spent idle. | long | -| system.cpu.iowait.norm.pct | The percentage of CPU time spent in wait (on disk). | scaled_float | -| system.cpu.iowait.pct | The percentage of CPU time spent in wait (on disk). | scaled_float | -| system.cpu.iowait.ticks | The amount of CPU time spent in wait (on disk). | long | -| system.cpu.irq.norm.pct | The percentage of CPU time spent servicing and handling hardware interrupts. 
| scaled_float | -| system.cpu.irq.pct | The percentage of CPU time spent servicing and handling hardware interrupts. | scaled_float | -| system.cpu.irq.ticks | The amount of CPU time spent servicing and handling hardware interrupts. | long | -| system.cpu.nice.norm.pct | The percentage of CPU time spent on low-priority processes. | scaled_float | -| system.cpu.nice.pct | The percentage of CPU time spent on low-priority processes. | scaled_float | -| system.cpu.nice.ticks | The amount of CPU time spent on low-priority processes. | long | -| system.cpu.softirq.norm.pct | The percentage of CPU time spent servicing and handling software interrupts. | scaled_float | -| system.cpu.softirq.pct | The percentage of CPU time spent servicing and handling software interrupts. | scaled_float | -| system.cpu.softirq.ticks | The amount of CPU time spent servicing and handling software interrupts. | long | -| system.cpu.steal.norm.pct | The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | scaled_float | -| system.cpu.steal.pct | The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | scaled_float | -| system.cpu.steal.ticks | The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | long | -| system.cpu.system.norm.pct | The percentage of CPU time spent in kernel space. | scaled_float | -| system.cpu.system.pct | The percentage of CPU time spent in kernel space. | scaled_float | -| system.cpu.system.ticks | The amount of CPU time spent in kernel space. | long | -| system.cpu.total.norm.pct | The percentage of CPU time in states other than Idle and IOWait, normalised by the number of cores. 
| scaled_float | -| system.cpu.total.pct | The percentage of CPU time spent in states other than Idle and IOWait. | scaled_float | -| system.cpu.user.norm.pct | The percentage of CPU time spent in user space. | scaled_float | -| system.cpu.user.pct | The percentage of CPU time spent in user space. On multi-core systems, you can have percentages that are greater than 100%. For example, if 3 cores are at 60% use, then the `system.cpu.user.pct` will be 180%. | scaled_float | -| system.cpu.user.ticks | The amount of CPU time spent in user space. | long | - - -### Disk IO - -The System `diskio` dataset provides disk IO metrics collected from the -operating system. One event is created for each disk mounted on the system. - -This dataset is available on: - -- Linux -- macOS (requires 10.10+) -- Windows -- FreeBSD (amd64) - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. 
| keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.disk.read.bytes | The total number of bytes read successfully in a given period of time. | scaled_float | -| host.disk.write.bytes | The total number of bytes write successfully in a given period of time. | scaled_float | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. 
| keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| system.diskio.io.time | The total number of of milliseconds spent doing I/Os. | long | -| system.diskio.iostat.await | The average time spent for requests issued to the device to be served. | float | -| system.diskio.iostat.busy | Percentage of CPU time during which I/O requests were issued to the device (bandwidth utilization for the device). Device saturation occurs when this value is close to 100%. | float | -| system.diskio.iostat.queue.avg_size | The average queue length of the requests that were issued to the device. | float | -| system.diskio.iostat.read.await | The average time spent for read requests issued to the device to be served. | float | -| system.diskio.iostat.read.per_sec.bytes | The number of Bytes read from the device per second. | float | -| system.diskio.iostat.read.request.merges_per_sec | The number of read requests merged per second that were queued to the device. | float | -| system.diskio.iostat.read.request.per_sec | The number of read requests that were issued to the device per second | float | -| system.diskio.iostat.request.avg_size | The average size (in bytes) of the requests that were issued to the device. | float | -| system.diskio.iostat.service_time | The average service time (in milliseconds) for I/O requests that were issued to the device. | float | -| system.diskio.iostat.write.await | The average time spent for write requests issued to the device to be served. | float | -| system.diskio.iostat.write.per_sec.bytes | The number of Bytes write from the device per second. | float | -| system.diskio.iostat.write.request.merges_per_sec | The number of write requests merged per second that were queued to the device. 
| float | -| system.diskio.iostat.write.request.per_sec | The number of write requests that were issued to the device per second | float | -| system.diskio.name | The disk name. | keyword | -| system.diskio.read.bytes | The total number of bytes read successfully. On Linux this is the number of sectors read multiplied by an assumed sector size of 512. | long | -| system.diskio.read.count | The total number of reads completed successfully. | long | -| system.diskio.read.time | The total number of milliseconds spent by all reads. | long | -| system.diskio.serial_number | The disk's serial number. This may not be provided by all operating systems. | keyword | -| system.diskio.write.bytes | The total number of bytes written successfully. On Linux this is the number of sectors written multiplied by an assumed sector size of 512. | long | -| system.diskio.write.count | The total number of writes completed successfully. | long | -| system.diskio.write.time | The total number of milliseconds spent by all writes. | long | - - -### Filesystem - -The System `filesystem` dataset provides file system statistics. For each file -system, one document is provided. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- OpenBSD -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. 
| keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. 
| keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| system.filesystem.available | The disk space available to an unprivileged user in bytes. | long | -| system.filesystem.device_name | The disk name. For example: `/dev/disk1` | keyword | -| system.filesystem.files | The total number of file nodes in the file system. | long | -| system.filesystem.free | The disk space available in bytes. | long | -| system.filesystem.free_files | The number of free file nodes in the file system. | long | -| system.filesystem.mount_point | The mounting point. For example: `/` | keyword | -| system.filesystem.total | The total disk space in bytes. | long | -| system.filesystem.type | The disk type. For example: `ext4` | keyword | -| system.filesystem.used.bytes | The used disk space in bytes. | long | -| system.filesystem.used.pct | The percentage of used disk space. | scaled_float | - - -### Fsstat - -The System `fsstat` dataset provides overall file system statistics. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- OpenBSD -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. 
| keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). 
| keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. | keyword | -| system.fsstat.count | Number of file systems found. | long | -| system.fsstat.total_files | Total number of files. | long | -| system.fsstat.total_size.free | Total free space. | long | -| system.fsstat.total_size.total | Total space (used plus free). | long | -| system.fsstat.total_size.used | Total used space. | long | - - -### Load - -The System `load` dataset provides load statistics. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- OpenBSD - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. 
| keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac address. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. 
| keyword | -| system.load.1 | Load average for the last minute. | scaled_float | -| system.load.15 | Load average for the last 15 minutes. | scaled_float | -| system.load.5 | Load average for the last 5 minutes. | scaled_float | -| system.load.cores | The number of CPU cores present on the host. | long | -| system.load.norm.1 | Load for the last minute divided by the number of cores. | scaled_float | -| system.load.norm.15 | Load for the last 15 minutes divided by the number of cores. | scaled_float | -| system.load.norm.5 | Load for the last 5 minutes divided by the number of cores. | scaled_float | - - -### Memory - -The System `memory` dataset provides memory statistics. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- OpenBSD -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. 
| constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip address. | ip | -| host.mac | Host mac address. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| system.memory.actual.free | Actual free memory in bytes. 
It is calculated based on the OS. On Linux this value will be MemAvailable from /proc/meminfo, or calculated from free memory plus caches and buffers if /proc/meminfo is not available. On OSX it is a sum of free memory and the inactive memory. On Windows, it is equal to `system.memory.free`. | long | -| system.memory.actual.used.bytes | Actual used memory in bytes. It represents the difference between the total and the available memory. The available memory depends on the OS. For more details, please check `system.actual.free`. | long | -| system.memory.actual.used.pct | The percentage of actual used memory. | scaled_float | -| system.memory.free | The total amount of free memory in bytes. This value does not include memory consumed by system caches and buffers (see system.memory.actual.free). | long | -| system.memory.hugepages.default_size | Default size for huge pages. | long | -| system.memory.hugepages.free | Number of available huge pages in the pool. | long | -| system.memory.hugepages.reserved | Number of reserved but not allocated huge pages in the pool. | long | -| system.memory.hugepages.surplus | Number of overcommited huge pages. | long | -| system.memory.hugepages.swap.out.fallback | Count of huge pages that must be split before swapout | long | -| system.memory.hugepages.swap.out.pages | pages swapped out | long | -| system.memory.hugepages.total | Number of huge pages in the pool. | long | -| system.memory.hugepages.used.bytes | Memory used in allocated huge pages. | long | -| system.memory.hugepages.used.pct | Percentage of huge pages used. | long | -| system.memory.page_stats.direct_efficiency.pct | direct reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory. | scaled_float | -| system.memory.page_stats.kswapd_efficiency.pct | kswapd reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory. 
| scaled_float | -| system.memory.page_stats.pgfree.pages | pages freed by the system | long | -| system.memory.page_stats.pgscan_direct.pages | pages scanned directly | long | -| system.memory.page_stats.pgscan_kswapd.pages | pages scanned by kswapd | long | -| system.memory.page_stats.pgsteal_direct.pages | number of pages reclaimed directly | long | -| system.memory.page_stats.pgsteal_kswapd.pages | number of pages reclaimed by kswapd | long | -| system.memory.swap.free | Available swap memory. | long | -| system.memory.swap.in.pages | count of pages swapped in | long | -| system.memory.swap.out.pages | count of pages swapped out | long | -| system.memory.swap.readahead.cached | swap readahead cache hits | long | -| system.memory.swap.readahead.pages | swap readahead pages | long | -| system.memory.swap.total | Total swap memory. | long | -| system.memory.swap.used.bytes | Used swap memory. | long | -| system.memory.swap.used.pct | The percentage of used swap memory. | scaled_float | -| system.memory.total | Total memory. | long | -| system.memory.used.bytes | Used memory. | long | -| system.memory.used.pct | The percentage of used memory. | scaled_float | - - -### Network - -The System `network` dataset provides network IO metrics collected from the -operating system. One event is created for each network interface. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. 
Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| group.id | Unique identifier for the group on the system/platform. | keyword |
-| group.name | Name of the group. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. 
| ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.network.in.bytes | The number of bytes received on all network interfaces by the host in a given period of time. | scaled_float |
-| host.network.in.packets | The number of packets received on all network interfaces by the host in a given period of time. | long |
-| host.network.out.bytes | The number of bytes sent out on all network interfaces by the host in a given period of time. | scaled_float |
-| host.network.out.packets | The number of packets sent out on all network interfaces by the host in a given period of time. | long |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text |
-| process.name | Process name. Sometimes called program name or similar. | keyword |
-| process.pid | Process id. 
| long |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| system.network.in.bytes | The number of bytes received. | long |
-| system.network.in.dropped | The number of incoming packets that were dropped. | long |
-| system.network.in.errors | The number of errors while receiving. | long |
-| system.network.in.packets | The number or packets received. | long |
-| system.network.name | The network interface name. | keyword |
-| system.network.out.bytes | The number of bytes sent. | long |
-| system.network.out.dropped | The number of outgoing packets that were dropped. This value is always 0 on Darwin and BSD because it is not reported by the operating system. | long |
-| system.network.out.errors | The number of errors while sending. | long |
-| system.network.out.packets | The number of packets sent. | long |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-
-
-### Process
-
-The System `process` dataset provides process statistics. One document is
-provided for each process.
-
-This dataset is available on:
-
-- FreeBSD
-- Linux
-- macOS
-- Windows
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. 
| keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip address. | ip |
-| host.mac | Host mac address. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. 
| keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.full | Operating system name, including the version or code name. | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| process.cpu.pct | The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 1. | scaled_float |
-| process.cpu.start_time | The time when the process was started. | date |
-| process.memory.pct | The percentage of memory the process occupied in main memory (RAM). | scaled_float |
-| process.name | Process name. Sometimes called program name or similar. | keyword |
-| process.pgid | Identifier of the group of processes the process belongs to. | long |
-| process.pid | Process id. | long |
-| process.ppid | Parent process' pid. | long |
-| process.state | The process state. For example: "running". | keyword |
-| process.working_directory | The working directory of the process. | keyword |
-| system.process.cgroup.blkio.id | ID of the cgroup. | keyword |
-| system.process.cgroup.blkio.path | Path to the cgroup relative to the cgroup subsystems mountpoint. | keyword |
-| system.process.cgroup.blkio.total.bytes | Total number of bytes transferred to and from all block devices by processes in the cgroup. 
| long |
-| system.process.cgroup.blkio.total.ios | Total number of I/O operations performed on all devices by processes in the cgroup as seen by the throttling policy. | long |
-| system.process.cgroup.cpu.cfs.period.us | Period of time in microseconds for how regularly a cgroup's access to CPU resources should be reallocated. | long |
-| system.process.cgroup.cpu.cfs.quota.us | Total amount of time in microseconds for which all tasks in a cgroup can run during one period (as defined by cfs.period.us). | long |
-| system.process.cgroup.cpu.cfs.shares | An integer value that specifies a relative share of CPU time available to the tasks in a cgroup. The value specified in the cpu.shares file must be 2 or higher. | long |
-| system.process.cgroup.cpu.id | ID of the cgroup. | keyword |
-| system.process.cgroup.cpu.path | Path to the cgroup relative to the cgroup subsystem's mountpoint. | keyword |
-| system.process.cgroup.cpu.rt.period.us | Period of time in microseconds for how regularly a cgroup's access to CPU resources is reallocated. | long |
-| system.process.cgroup.cpu.rt.runtime.us | Period of time in microseconds for the longest continuous period in which the tasks in a cgroup have access to CPU resources. | long |
-| system.process.cgroup.cpu.stats.periods | Number of period intervals (as specified in cpu.cfs.period.us) that have elapsed. | long |
-| system.process.cgroup.cpu.stats.throttled.ns | The total time duration (in nanoseconds) for which tasks in a cgroup have been throttled. | long |
-| system.process.cgroup.cpu.stats.throttled.periods | Number of times tasks in a cgroup have been throttled (that is, not allowed to run because they have exhausted all of the available time as specified by their quota). | long |
-| system.process.cgroup.cpuacct.id | ID of the cgroup. | keyword |
-| system.process.cgroup.cpuacct.path | Path to the cgroup relative to the cgroup subsystem's mountpoint. 
| keyword |
-| system.process.cgroup.cpuacct.percpu | CPU time (in nanoseconds) consumed on each CPU by all tasks in this cgroup. | object |
-| system.process.cgroup.cpuacct.stats.system.ns | CPU time consumed by tasks in user (kernel) mode. | long |
-| system.process.cgroup.cpuacct.stats.user.ns | CPU time consumed by tasks in user mode. | long |
-| system.process.cgroup.cpuacct.total.ns | Total CPU time in nanoseconds consumed by all tasks in the cgroup. | long |
-| system.process.cgroup.id | The ID common to all cgroups associated with this task. If there isn't a common ID used by all cgroups this field will be absent. | keyword |
-| system.process.cgroup.memory.id | ID of the cgroup. | keyword |
-| system.process.cgroup.memory.kmem.failures | The number of times that the memory limit (kmem.limit.bytes) was reached. | long |
-| system.process.cgroup.memory.kmem.limit.bytes | The maximum amount of kernel memory that tasks in the cgroup are allowed to use. | long |
-| system.process.cgroup.memory.kmem.usage.bytes | Total kernel memory usage by processes in the cgroup (in bytes). | long |
-| system.process.cgroup.memory.kmem.usage.max.bytes | The maximum kernel memory used by processes in the cgroup (in bytes). | long |
-| system.process.cgroup.memory.kmem_tcp.failures | The number of times that the memory limit (kmem_tcp.limit.bytes) was reached. | long |
-| system.process.cgroup.memory.kmem_tcp.limit.bytes | The maximum amount of memory for TCP buffers that tasks in the cgroup are allowed to use. | long |
-| system.process.cgroup.memory.kmem_tcp.usage.bytes | Total memory usage for TCP buffers in bytes. | long |
-| system.process.cgroup.memory.kmem_tcp.usage.max.bytes | The maximum memory used for TCP buffers by processes in the cgroup (in bytes). | long |
-| system.process.cgroup.memory.mem.failures | The number of times that the memory limit (mem.limit.bytes) was reached. 
| long |
-| system.process.cgroup.memory.mem.limit.bytes | The maximum amount of user memory in bytes (including file cache) that tasks in the cgroup are allowed to use. | long |
-| system.process.cgroup.memory.mem.usage.bytes | Total memory usage by processes in the cgroup (in bytes). | long |
-| system.process.cgroup.memory.mem.usage.max.bytes | The maximum memory used by processes in the cgroup (in bytes). | long |
-| system.process.cgroup.memory.memsw.failures | The number of times that the memory plus swap space limit (memsw.limit.bytes) was reached. | long |
-| system.process.cgroup.memory.memsw.limit.bytes | The maximum amount for the sum of memory and swap usage that tasks in the cgroup are allowed to use. | long |
-| system.process.cgroup.memory.memsw.usage.bytes | The sum of current memory usage plus swap space used by processes in the cgroup (in bytes). | long |
-| system.process.cgroup.memory.memsw.usage.max.bytes | The maximum amount of memory and swap space used by processes in the cgroup (in bytes). | long |
-| system.process.cgroup.memory.path | Path to the cgroup relative to the cgroup subsystem's mountpoint. | keyword |
-| system.process.cgroup.memory.stats.active_anon.bytes | Anonymous and swap cache on active least-recently-used (LRU) list, including tmpfs (shmem), in bytes. | long |
-| system.process.cgroup.memory.stats.active_file.bytes | File-backed memory on active LRU list, in bytes. | long |
-| system.process.cgroup.memory.stats.cache.bytes | Page cache, including tmpfs (shmem), in bytes. | long |
-| system.process.cgroup.memory.stats.hierarchical_memory_limit.bytes | Memory limit for the hierarchy that contains the memory cgroup, in bytes. | long |
-| system.process.cgroup.memory.stats.hierarchical_memsw_limit.bytes | Memory plus swap limit for the hierarchy that contains the memory cgroup, in bytes. 
| long |
-| system.process.cgroup.memory.stats.inactive_anon.bytes | Anonymous and swap cache on inactive LRU list, including tmpfs (shmem), in bytes | long |
-| system.process.cgroup.memory.stats.inactive_file.bytes | File-backed memory on inactive LRU list, in bytes. | long |
-| system.process.cgroup.memory.stats.major_page_faults | Number of times that a process in the cgroup triggered a major fault. "Major" faults happen when the kernel actually has to read the data from disk. | long |
-| system.process.cgroup.memory.stats.mapped_file.bytes | Size of memory-mapped mapped files, including tmpfs (shmem), in bytes. | long |
-| system.process.cgroup.memory.stats.page_faults | Number of times that a process in the cgroup triggered a page fault. | long |
-| system.process.cgroup.memory.stats.pages_in | Number of pages paged into memory. This is a counter. | long |
-| system.process.cgroup.memory.stats.pages_out | Number of pages paged out of memory. This is a counter. | long |
-| system.process.cgroup.memory.stats.rss.bytes | Anonymous and swap cache (includes transparent hugepages), not including tmpfs (shmem), in bytes. | long |
-| system.process.cgroup.memory.stats.rss_huge.bytes | Number of bytes of anonymous transparent hugepages. | long |
-| system.process.cgroup.memory.stats.swap.bytes | Swap usage, in bytes. | long |
-| system.process.cgroup.memory.stats.unevictable.bytes | Memory that cannot be reclaimed, in bytes. | long |
-| system.process.cgroup.path | The path to the cgroup relative to the cgroup subsystem's mountpoint. If there isn't a common path used by all cgroups this field will be absent. | keyword |
-| system.process.cmdline | The full command-line used to start the process, including the arguments separated by space. | keyword |
-| system.process.cpu.start_time | The time when the process was started. | date |
-| system.process.cpu.system.ticks | The amount of CPU time the process spent in kernel space. 
| long |
-| system.process.cpu.total.norm.pct | The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 100%. | scaled_float |
-| system.process.cpu.total.pct | The percentage of CPU time spent by the process since the last update. Its value is similar to the %CPU value of the process displayed by the top command on Unix systems. | scaled_float |
-| system.process.cpu.total.ticks | The total CPU time spent by the process. | long |
-| system.process.cpu.total.value | The value of CPU usage since starting the process. | long |
-| system.process.cpu.user.ticks | The amount of CPU time the process spent in user space. | long |
-| system.process.env | The environment variables used to start the process. The data is available on FreeBSD, Linux, and OS X. | object |
-| system.process.fd.limit.hard | The hard limit on the number of file descriptors opened by the process. The hard limit can only be raised by root. | long |
-| system.process.fd.limit.soft | The soft limit on the number of file descriptors opened by the process. The soft limit can be changed by the process at any time. | long |
-| system.process.fd.open | The number of file descriptors open by the process. | long |
-| system.process.memory.rss.bytes | The Resident Set Size. The amount of memory the process occupied in main memory (RAM). On Windows this represents the current working set size, in bytes. | long |
-| system.process.memory.rss.pct | The percentage of memory the process occupied in main memory (RAM). | scaled_float |
-| system.process.memory.share | The shared memory the process uses. | long |
-| system.process.memory.size | The total virtual memory the process has. On Windows this represents the Commit Charge (the total amount of memory that the memory manager has committed for a running process) value in bytes for this process. | long |
-| system.process.state | The process state. For example: "running". 
| keyword |
-| user.name | Short name or login of the user. | keyword |
-
-
-### Process summary
-
-The `process_summary` dataset collects high level statistics about the running
-processes.
-
-This dataset is available on:
-
-- FreeBSD
-- Linux
-- macOS
-- Windows
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| group.id | Unique identifier for the group on the system/platform. | keyword |
-| group.name | Name of the group. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text |
-| process.name | Process name. Sometimes called program name or similar. | keyword |
-| process.pid | Process id. | long |
-| source.geo.city_name | City name. 
| keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| system.process.summary.dead | Number of dead processes on this host. It's very unlikely that it will appear but in some special situations it may happen. | long |
-| system.process.summary.idle | Number of idle processes on this host. | long |
-| system.process.summary.running | Number of running processes on this host. | long |
-| system.process.summary.sleeping | Number of sleeping processes on this host. | long |
-| system.process.summary.stopped | Number of stopped processes on this host. | long |
-| system.process.summary.total | Total number of processes on this host. | long |
-| system.process.summary.unknown | Number of processes for which the state couldn't be retrieved or is unknown. | long |
-| system.process.summary.zombie | Number of zombie processes on this host. | long |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-
-
-### Socket summary
-
-The System `socket_summary` dataset provides the summary of open network
-sockets in the host system.
-
-It collects a summary of metrics with the count of existing TCP and UDP
-connections and the count of listening ports.
-
-This dataset is available on:
-
-- FreeBSD
-- Linux
-- macOS
-- Windows
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| group.id | Unique identifier for the group on the system/platform. | keyword |
-| group.name | Name of the group. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text |
-| process.name | Process name. Sometimes called program name or similar. | keyword |
-| process.pid | Process id. | long |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. 
| long |
-| system.socket.summary.all.count | All open connections | integer |
-| system.socket.summary.all.listening | All listening ports | integer |
-| system.socket.summary.tcp.all.close_wait | Number of TCP connections in _close_wait_ state | integer |
-| system.socket.summary.tcp.all.closing | Number of TCP connections in _closing_ state | integer |
-| system.socket.summary.tcp.all.count | All open TCP connections | integer |
-| system.socket.summary.tcp.all.established | Number of established TCP connections | integer |
-| system.socket.summary.tcp.all.fin_wait1 | Number of TCP connections in _fin_wait1_ state | integer |
-| system.socket.summary.tcp.all.fin_wait2 | Number of TCP connections in _fin_wait2_ state | integer |
-| system.socket.summary.tcp.all.last_ack | Number of TCP connections in _last_ack_ state | integer |
-| system.socket.summary.tcp.all.listening | All TCP listening ports | integer |
-| system.socket.summary.tcp.all.orphan | A count of all orphaned tcp sockets. Only available on Linux. | integer |
-| system.socket.summary.tcp.all.syn_recv | Number of TCP connections in _syn_recv_ state | integer |
-| system.socket.summary.tcp.all.syn_sent | Number of TCP connections in _syn_sent_ state | integer |
-| system.socket.summary.tcp.all.time_wait | Number of TCP connections in _time_wait_ state | integer |
-| system.socket.summary.tcp.memory | Memory used by TCP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/tcp_mem. Only available on Linux. | integer |
-| system.socket.summary.udp.all.count | All open UDP connections | integer |
-| system.socket.summary.udp.memory | Memory used by UDP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/udp_mem. Only available on Linux. | integer |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. 
| keyword |
-
-
-### Uptime
-
-The System `uptime` dataset provides the uptime of the host operating system.
-
-This dataset is available on:
-
-- Linux
-- macOS
-- OpenBSD
-- FreeBSD
-- Windows
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. 
It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| system.uptime.duration.ms | The OS uptime in milliseconds. | long |
-
diff --git a/packages/system/0.11.0/img/kibana-system.png b/packages/system/0.11.0/img/kibana-system.png
deleted file mode 100644
index 8741a56624..0000000000
Binary files a/packages/system/0.11.0/img/kibana-system.png and /dev/null differ
diff --git a/packages/system/0.11.0/img/metricbeat_system_dashboard.png b/packages/system/0.11.0/img/metricbeat_system_dashboard.png
deleted file mode 100644
index 2ff6ad8bd0..0000000000
Binary files a/packages/system/0.11.0/img/metricbeat_system_dashboard.png and /dev/null differ
diff --git a/packages/system/0.11.0/img/system.svg b/packages/system/0.11.0/img/system.svg
deleted file mode 100644
index 0aba96275e..0000000000
--- a/packages/system/0.11.0/img/system.svg
+++ /dev/null
@@ -1 +0,0 @@
-
\ No newline at end of file
diff --git a/packages/system/0.11.0/kibana/dashboard/system-01c54730-fee6-11e9-8405-516218e3d268.json b/packages/system/0.11.0/kibana/dashboard/system-01c54730-fee6-11e9-8405-516218e3d268.json
deleted file mode 100644
index 2af90db405..0000000000
--- a/packages/system/0.11.0/kibana/dashboard/system-01c54730-fee6-11e9-8405-516218e3d268.json
+++ /dev/null
@@ -1,129 +0,0 @@ -{ - "attributes": { - "description": "Group management activity with TSVB metrics.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":8,\"i\":\"22\",\"w\":17,\"x\":0,\"y\":0},\"panelIndex\":\"22\",\"panelRefName\":\"panel_0\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Creation Summary [Windows System Security]\"},\"gridData\":{\"h\":13,\"i\":\"36\",\"w\":9,\"x\":0,\"y\":59},\"panelIndex\":\"36\",\"panelRefName\":\"panel_1\",\"title\":\"Group Creation Summary [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Changes Summary [Windows System Security]\"},\"gridData\":{\"h\":13,\"i\":\"37\",\"w\":9,\"x\":9,\"y\":59},\"panelIndex\":\"37\",\"panelRefName\":\"panel_2\",\"title\":\"Group Changes Summary [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Deletion Summary [Windows System Security]\"},\"gridData\":{\"h\":13,\"i\":\"38\",\"w\":9,\"x\":18,\"y\":59},\"panelIndex\":\"38\",\"panelRefName\":\"panel_3\",\"title\":\"Group Deletion Summary [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Users Added to Group Summary [Windows System Security]\"},\"gridData\":{\"h\":14,\"i\":\"39\",\"w\":16,\"x\":0,\"y\":81},\"panelIndex\":\"39\",\"panelRefName\":\"panel_4\",\"title\":\"Users Added to Group Summary [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Users Removed From Group Summary [Windows System Security]\"},\"gridData\":{\"h\":14,\"i\":\"40\",\"w\":17,\"x\":16,\"y\":81},\"panelIndex\":\"40\",\"panelRefName\":\"panel_5\",\"title\":\"Users Removed From Group Summary [Windows 
System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Membership Enumeration Summary [Windows System Security]\"},\"gridData\":{\"h\":14,\"i\":\"42\",\"w\":15,\"x\":33,\"y\":81},\"panelIndex\":\"42\",\"panelRefName\":\"panel_6\",\"title\":\"Group Membership Enumeration Summary [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Details [Windows System Security]\"},\"gridData\":{\"h\":22,\"i\":\"43\",\"w\":21,\"x\":27,\"y\":50},\"panelIndex\":\"43\",\"panelRefName\":\"panel_7\",\"title\":\"Logon Details [System Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"44\",\"w\":16,\"x\":0,\"y\":72},\"panelIndex\":\"44\",\"panelRefName\":\"panel_8\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"45\",\"w\":9,\"x\":18,\"y\":50},\"panelIndex\":\"45\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"46\",\"w\":9,\"x\":0,\"y\":50},\"panelIndex\":\"46\",\"panelRefName\":\"panel_10\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"47\",\"w\":9,\"x\":9,\"y\":50},\"panelIndex\":\"47\",\"panelRefName\":\"panel_11\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"48\",\"w\":17,\"x\":16,\"y\":72},\"panelIndex\":\"48\",\"panelRefName\":\"panel_12\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"49\",\"w\":15,\"x\":33,\"y\":72},\"panelIndex\":\"49\",\"panelRefName\":\"panel_13\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"51\",\"w\":48,\"x\":0,\"y\":95},\"panelIndex\":\"51\",\"panelRefName\":\"panel_14\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":8,\"i\":\"45614e1c-b2bb-4243-9a74-a4bdd0124c87\",\"w\":31,\"x\":17,\"y\":0},\"panelIndex\":\"456
14e1c-b2bb-4243-9a74-a4bdd0124c87\",\"panelRefName\":\"panel_15\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"88e75800-8125-4c9e-96b8-5c36f6e91664\",\"w\":9,\"x\":21,\"y\":8},\"panelIndex\":\"88e75800-8125-4c9e-96b8-5c36f6e91664\",\"panelRefName\":\"panel_16\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"4b793b8e-72d4-42a2-b377-1c70f0307414\",\"w\":18,\"x\":30,\"y\":8},\"panelIndex\":\"4b793b8e-72d4-42a2-b377-1c70f0307414\",\"panelRefName\":\"panel_17\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"vis\":null},\"gridData\":{\"h\":21,\"i\":\"82d229f9-44f4-4c4b-baf7-f9673a14c87f\",\"w\":26,\"x\":0,\"y\":29},\"panelIndex\":\"82d229f9-44f4-4c4b-baf7-f9673a14c87f\",\"panelRefName\":\"panel_18\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-group-account\":\"#1F78C1\",\"added-member-to-group\":\"#0A437C\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#0A50A1\",\"type-changed-group-account\":\"#82B5D8\",\"user-member-enumerated\":\"#2F575E\"},\"vis\":{\"colors\":{\"added-group-account\":\"#1F78C1\",\"added-member-to-group\":\"#0A437C\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#0A50A1\",\"removed-member-from-group\":\"#82B5D8\",\"type-changed-group-account\":\"#82B5D8\",\"user-member-enumerated\":\"#2F575E\"}}},\"gridData\":{\"h\":21,\"i\":\"f44255b0-d9a8-479f-be3f-829c1f6ed794\",\"w\":22,\"x\":26,\"y\":29},\"panelIndex\":\"f44255b0-d9a8-479f-be3f-829c1f6ed794\",\"panelRefName\":\"panel_19\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-group-account\":\"#0A50A1\",\"added-member-to-group\":\"#1F78C1\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#0A437C\",\"user-member-enumerated\":\"#052B51\"},\"vis\":{\"colors\":{\"added-group-account\":\"#0A50A1\",\"added-member-to-group\":\"#1F78C1\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#0A437C\",\"user-member-enumerated\":\"#2F57
5E\"}}},\"gridData\":{\"h\":21,\"i\":\"9c42bff2-b295-4617-8d8c-455bd5948b66\",\"w\":21,\"x\":0,\"y\":8},\"panelIndex\":\"9c42bff2-b295-4617-8d8c-455bd5948b66\",\"panelRefName\":\"panel_20\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[System Windows Security] Group Management Events - Simple Metrics", - "version": 1 - }, - "id": "windows-01c54730-fee6-11e9-8405-516218e3d268", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-6f0f2ea0-f414-11e9-8405-516218e3d268", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-98884120-f49d-11e9-8405-516218e3d268", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-9e534190-f49d-11e9-8405-516218e3d268", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-bb9cf7a0-f49d-11e9-8405-516218e3d268", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-ce867840-f49e-11e9-8405-516218e3d268", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-fee83900-f49f-11e9-8405-516218e3d268", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-bc165210-f4b8-11e9-8405-516218e3d268", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "windows-7e178c80-fee1-11e9-8405-516218e3d268", - "name": "panel_7", - "type": "search" - }, - { - "id": "windows-a13bf640-fee8-11e9-8405-516218e3d268", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-5eeaafd0-fee7-11e9-8405-516218e3d268", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-f42f3b20-fee6-11e9-8405-516218e3d268", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "windows-b5f38780-fee6-11e9-8405-516218e3d268", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "windows-1b5f17d0-feea-11e9-8405-516218e3d268", - "name": "panel_12", - "type": "visualization" - }, - { - "id": 
"windows-0f2f5280-feeb-11e9-8405-516218e3d268", - "name": "panel_13", - "type": "visualization" - }, - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "panel_14", - "type": "search" - }, - { - "id": "windows-d770b040-9b35-11ea-87e4-49f31ec44891", - "name": "panel_15", - "type": "visualization" - }, - { - "id": "windows-33462600-9b47-11ea-87e4-49f31ec44891", - "name": "panel_16", - "type": "visualization" - }, - { - "id": "windows-58fb9480-9b46-11ea-87e4-49f31ec44891", - "name": "panel_17", - "type": "visualization" - }, - { - "id": "windows-e20c02d0-9b48-11ea-87e4-49f31ec44891", - "name": "panel_18", - "type": "visualization" - }, - { - "id": "windows-7de2e3f0-9b4d-11ea-87e4-49f31ec44891", - "name": "panel_19", - "type": "visualization" - }, - { - "id": "windows-b89b0c90-9b41-11ea-87e4-49f31ec44891", - "name": "panel_20", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/dashboard/system-035846a0-a249-11e9-a422-d144027429da.json b/packages/system/0.11.0/kibana/dashboard/system-035846a0-a249-11e9-a422-d144027429da.json deleted file mode 100644 index 7da98e0bb3..0000000000 --- a/packages/system/0.11.0/kibana/dashboard/system-035846a0-a249-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,89 +0,0 @@ -{ - "attributes": { - "description": "User logon activity dashboard with TSVB metrics.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"Sesiones Usuarios Admin\"},\"gridData\":{\"h\":28,\"i\":\"1\",\"w\":18,\"x\":0,\"y\":38},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"title\":\"Sesiones Usuarios Admin\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":13,\"i\":\"2\",\"w\":9,\"x\":0,\"y\":6},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Usuarios Adm\"},\"gridData\":{\"h\":19,\"i\":\"3\",\"w\":18,\"x\":0,\"y\":19},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"title\":\"Usuarios Adm\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":6,\"i\":\"4\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Network Logon Details\"},\"gridData\":{\"h\":27,\"i\":\"10\",\"w\":22,\"x\":0,\"y\":66},\"panelIndex\":\"10\",\"panelRefName\":\"panel_4\",\"title\":\"Network Logon Details\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":6,\"i\":\"08245e0c-6afe-43ea-ba5f-76c3b17301fd\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"08245e0c-6afe-43ea-ba5f-76c3b17301fd\",\"panelRefName\":\"panel_5\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":13,\"i\":\"f403fdcc-6588-4573-a949-9e661783a2b8\",\"w\":9,\"x\":9,\"y\":6},\"panelIndex\":\"f403fdcc-6588-4573-a949-9e661783a2b8\",\"panelRefName\":\"panel_6\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Events 
Timeline\"},\"gridData\":{\"h\":13,\"i\":\"51a9affa-8e96-42bd-98e9-80531bdefc53\",\"w\":30,\"x\":18,\"y\":6},\"panelIndex\":\"51a9affa-8e96-42bd-98e9-80531bdefc53\",\"panelRefName\":\"panel_7\",\"title\":\"Logon Events Timeline\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Types\"},\"gridData\":{\"h\":19,\"i\":\"bbdca4de-11c5-4957-a74c-73769416a562\",\"w\":12,\"x\":18,\"y\":19},\"panelIndex\":\"bbdca4de-11c5-4957-a74c-73769416a562\",\"panelRefName\":\"panel_8\",\"title\":\"Logon Types\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"4df66ae6-e047-47c7-b1a9-b15221eb9d90\",\"w\":18,\"x\":30,\"y\":19},\"panelIndex\":\"4df66ae6-e047-47c7-b1a9-b15221eb9d90\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"RDP Reconnections and Desconnections\"},\"gridData\":{\"h\":28,\"i\":\"454bb008-9720-455e-8ab9-b2f47d25aa4f\",\"w\":19,\"x\":18,\"y\":38},\"panelIndex\":\"454bb008-9720-455e-8ab9-b2f47d25aa4f\",\"panelRefName\":\"panel_10\",\"title\":\"RDP Reconnections and Desconnections\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":28,\"i\":\"baec73e7-7166-4577-9483-1252bdd8773c\",\"w\":11,\"x\":37,\"y\":38},\"panelIndex\":\"baec73e7-7166-4577-9483-1252bdd8773c\",\"panelRefName\":\"panel_11\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logout Details\"},\"gridData\":{\"h\":27,\"i\":\"28115147-8399-4fcd-95ce-ed0a4f4239e3\",\"w\":26,\"x\":22,\"y\":66},\"panelIndex\":\"28115147-8399-4fcd-95ce-ed0a4f4239e3\",\"panelRefName\":\"panel_12\",\"title\":\"Logout Details\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[System Windows Security] User Logons - Simple Metrics", - "version": 1 - }, - "id": "windows-035846a0-a249-11e9-a422-d144027429da", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-804dd400-a248-11e9-a422-d144027429da", - "name": "panel_0", - "type": 
"visualization" - }, - { - "id": "windows-5bb93ed0-a249-11e9-a422-d144027429da", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-e2516c10-a249-11e9-a422-d144027429da", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-18348f30-a24d-11e9-a422-d144027429da", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-ce71c9a0-a25e-11e9-a422-d144027429da", - "name": "panel_4", - "type": "search" - }, - { - "id": "windows-d770b040-9b35-11ea-87e4-49f31ec44891", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-2c71e0f0-9c0d-11ea-87e4-49f31ec44891", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "windows-abd44840-9c0f-11ea-87e4-49f31ec44891", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "windows-006d75f0-9c03-11ea-87e4-49f31ec44891", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-21aadac0-9c0b-11ea-87e4-49f31ec44891", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3", - "name": "panel_10", - "type": "search" - }, - { - "id": "windows-25f31ee0-9c23-11ea-87e4-49f31ec44891", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "windows-06b6b060-7a80-11ea-bc9a-0baf2ca323a3", - "name": "panel_12", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab.json b/packages/system/0.11.0/kibana/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab.json deleted file mode 100644 index 8814d936cf..0000000000 --- a/packages/system/0.11.0/kibana/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab.json +++ /dev/null 
@@ -1,53 +0,0 @@ -{ - "attributes": { - "description": "New users and groups dashboard for the System integration in Logs", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":12,\"i\":\"1\",\"w\":24,\"x\":0,\"y\":4},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"2\",\"w\":24,\"x\":24,\"y\":4},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":16},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"4\",\"w\":24,\"x\":24,\"y\":16},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":12,\"i\":\"5\",\"w\":24,\"x\":0,\"y\":28},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"6\",\"w\":24,\"x\":24,\"y\":28},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"7\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Logs System] New users and groups", - "version": 1 - }, - "id": "system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab", - "references": [ - { - "id": "system-f398d2f0-fa77-11e6-ae9b-81e5311e8cab", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-5dd15c00-fa78-11e6-ae9b-81e5311e8cab", - "name": "panel_1", - "type": 
"visualization" - }, - { - "id": "system-e121b140-fa78-11e6-a1df-a78bd7504d38", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "system-d56ee420-fa79-11e6-a1df-a78bd7504d38", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "system-12667040-fa80-11e6-a1df-a78bd7504d38", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "system-346bb290-fa80-11e6-a1df-a78bd7504d38", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "system-327417e0-8462-11e7-bab8-bd2f0fb42c54", - "name": "panel_6", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a.json b/packages/system/0.11.0/kibana/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a.json deleted file mode 100644 index 7c1b819642..0000000000 --- a/packages/system/0.11.0/kibana/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "description": "Sudo commands dashboard from the Logs System integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"2\",\"w\":48,\"x\":0,\"y\":36},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":16,\"i\":\"3\",\"w\":48,\"x\":0,\"y\":4},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"4\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Logs System] Sudo commands", - "version": 1 - }, - "id": "system-277876d0-fa2c-11e6-bbd3-29c986c96e5a", - "references": [ - { - "id": "system-5c7af030-fa2a-11e6-bbd3-29c986c96e5a", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-51164310-fa2b-11e6-bbd3-29c986c96e5a", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "system-dc589770-fa2b-11e6-bbd3-29c986c96e5a", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "system-327417e0-8462-11e7-bab8-bd2f0fb42c54", - "name": "panel_3", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a.json b/packages/system/0.11.0/kibana/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a.json deleted file mode 100644 index 34f78d0da6..0000000000 
--- a/packages/system/0.11.0/kibana/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a.json
+++ /dev/null
@@ -1,48 +0,0 @@ -{ - "attributes": { - "description": "SSH dashboard for the System integration in Logs", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":16},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"2\",\"w\":48,\"x\":0,\"y\":4},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":28},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"mapBounds\":{\"bottom_right\":{\"lat\":10.31491928581316,\"lon\":74.53125},\"top_left\":{\"lat\":60.50052541051131,\"lon\":-27.94921875}},\"mapCenter\":[39.774769485295465,23.203125],\"mapCollar\":{\"bottom_right\":{\"lat\":-14.777884999999998,\"lon\":125.771485},\"top_left\":{\"lat\":85.593335,\"lon\":-79.189455},\"zoom\":3},\"mapZoom\":3},\"gridData\":{\"h\":16,\"i\":\"4\",\"w\":24,\"x\":24,\"y\":28},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"columns\":[\"system.auth.ssh.event\",\"system.auth.ssh.method\",\"user.name\",\"source.ip\",\"source.geo.country_iso_code\"],\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"h\":12,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":44},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"6\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Logs System] SSH login attempts", - "version": 1 - }, - "id": "system-5517a150-f9ce-11e6-8115-a7c18106d86a", - "references": [ - { - "id": 
"system-d16bb400-f9cc-11e6-8115-a7c18106d86a", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-78b74f30-f9cd-11e6-8115-a7c18106d86a", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "system-341ffe70-f9ce-11e6-8115-a7c18106d86a", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "system-3cec3eb0-f9d3-11e6-8a3e-2b904044ea1d", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "system-62439dc0-f9c9-11e6-a747-6121780e0414", - "name": "panel_4", - "type": "search" - }, - { - "id": "system-327417e0-8462-11e7-bab8-bd2f0fb42c54", - "name": "panel_5", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/dashboard/system-71f720f0-ff18-11e9-8405-516218e3d268.json b/packages/system/0.11.0/kibana/dashboard/system-71f720f0-ff18-11e9-8405-516218e3d268.json deleted file mode 100644 index d2a5ae3be2..0000000000 --- a/packages/system/0.11.0/kibana/dashboard/system-71f720f0-ff18-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,159 +0,0 @@ -{ - "attributes": { - "description": "User management activity.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":8,\"i\":\"1\",\"w\":17,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Created Users [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"3\",\"w\":9,\"x\":0,\"y\":56},\"panelIndex\":\"3\",\"panelRefName\":\"panel_1\",\"title\":\"Created Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Enabled Users [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"5\",\"w\":9,\"x\":9,\"y\":56},\"panelIndex\":\"5\",\"panelRefName\":\"panel_2\",\"title\":\"Enabled Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Disabled Users [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"6\",\"w\":9,\"x\":0,\"y\":79},\"panelIndex\":\"6\",\"panelRefName\":\"panel_3\",\"title\":\"Disabled Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Deleted Users [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"7\",\"w\":9,\"x\":18,\"y\":56},\"panelIndex\":\"7\",\"panelRefName\":\"panel_4\",\"title\":\"Deleted Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Passwords Changes [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"9\",\"w\":9,\"x\":18,\"y\":79},\"panelIndex\":\"9\",\"panelRefName\":\"panel_5\",\"title\":\"Passwords Changes [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Unlocked Users [Windows System 
Security]\"},\"gridData\":{\"h\":16,\"i\":\"15\",\"w\":9,\"x\":9,\"y\":79},\"panelIndex\":\"15\",\"panelRefName\":\"panel_6\",\"title\":\"Unlocked Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Users Changes [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"16\",\"w\":9,\"x\":18,\"y\":102},\"panelIndex\":\"16\",\"panelRefName\":\"panel_7\",\"title\":\"Users Changes [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Locked-out Users [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"20\",\"w\":9,\"x\":0,\"y\":102},\"panelIndex\":\"20\",\"panelRefName\":\"panel_8\",\"title\":\"Locked-out Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":46,\"i\":\"22\",\"w\":21,\"x\":27,\"y\":72},\"panelIndex\":\"22\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"23\",\"w\":48,\"x\":0,\"y\":118},\"panelIndex\":\"23\",\"panelRefName\":\"panel_10\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"24\",\"w\":9,\"x\":0,\"y\":72},\"panelIndex\":\"24\",\"panelRefName\":\"panel_11\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"25\",\"w\":9,\"x\":9,\"y\":49},\"panelIndex\":\"25\",\"panelRefName\":\"panel_12\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"26\",\"w\":9,\"x\":18,\"y\":49},\"panelIndex\":\"26\",\"panelRefName\":\"panel_13\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"27\",\"w\":9,\"x\":0,\"y\":49},\"panelIndex\":\"27\",\"panelRefName\":\"panel_14\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"28\",\"w\":9,\"x\":9,\"y\":72},\"panelIndex\":\"28\",\"panelRefName\":\"panel_15\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridDat
a\":{\"h\":7,\"i\":\"29\",\"w\":9,\"x\":18,\"y\":72},\"panelIndex\":\"29\",\"panelRefName\":\"panel_16\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"30\",\"w\":9,\"x\":0,\"y\":95},\"panelIndex\":\"30\",\"panelRefName\":\"panel_17\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"31\",\"w\":9,\"x\":18,\"y\":95},\"panelIndex\":\"31\",\"panelRefName\":\"panel_18\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"32\",\"w\":9,\"x\":9,\"y\":95},\"panelIndex\":\"32\",\"panelRefName\":\"panel_19\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"33\",\"w\":9,\"x\":9,\"y\":102},\"panelIndex\":\"33\",\"panelRefName\":\"panel_20\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":8,\"i\":\"cf0adfac-7cf2-479d-8ddb-1edeee62d37c\",\"w\":31,\"x\":17,\"y\":0},\"panelIndex\":\"cf0adfac-7cf2-479d-8ddb-1edeee62d37c\",\"panelRefName\":\"panel_21\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-user-account\":\"#447EBC\",\"deleted-user-account\":\"#82B5D8\",\"disabled-user-account\":\"#82B5D8\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#2F575E\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\"},\"vis\":{\"colors\":{\"added-user-account\":\"#447EBC\",\"deleted-user-account\":\"#82B5D8\",\"disabled-user-account\":\"#82B5D8\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#2F575E\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\",\"unlocked-user-account\":\"#64B0C8\"}}},\"gridData\":{\"h\":16,\"i\":\"a2871661-98a8-489b-b615-e66ebe3b971a\",\"w\":17,\"x\":0,\"y\":8},\"panelIndex\":\"a2871661-98a8-489b-b615-e66ebe3b971a\",\"panelRefName\":\"panel_22\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"e80fae4a-6087-41e1-b4b9-31802cb1e4bf\",\"w\":18,\"x\":30,\"y\":8},\"panelI
ndex\":\"e80fae4a-6087-41e1-b4b9-31802cb1e4bf\",\"panelRefName\":\"panel_23\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"dd3e12e6-0d3c-448e-b0c4-91f7dc8742b6\",\"w\":13,\"x\":17,\"y\":8},\"panelIndex\":\"dd3e12e6-0d3c-448e-b0c4-91f7dc8742b6\",\"panelRefName\":\"panel_24\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Actions performed over Users [Windows System Security]\",\"vis\":null},\"gridData\":{\"h\":25,\"i\":\"29f54335-78db-4c49-a3e0-a641fd0099f6\",\"w\":48,\"x\":0,\"y\":24},\"panelIndex\":\"29f54335-78db-4c49-a3e0-a641fd0099f6\",\"panelRefName\":\"panel_25\",\"title\":\"Actions performed over Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-user-account\":\"#0A437C\",\"deleted-user-account\":\"#5195CE\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#052B51\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\"},\"vis\":{\"colors\":{\"added-user-account\":\"#0A437C\",\"deleted-user-account\":\"#5195CE\",\"disabled-user-account\":\"#82B5D8\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#052B51\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\"}}},\"gridData\":{\"h\":23,\"i\":\"1ec8b993-9ac1-4c7f-b7f7-5136f2e310aa\",\"w\":21,\"x\":27,\"y\":49},\"panelIndex\":\"1ec8b993-9ac1-4c7f-b7f7-5136f2e310aa\",\"panelRefName\":\"panel_26\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[System Windows Security] User Management Events", - "version": 1 - }, - "id": "windows-71f720f0-ff18-11e9-8405-516218e3d268", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf", - "name": "panel_1", - "type": "visualization" - }, - { - "id": 
"windows-0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-8f20c950-bcd4-11e9-b6a2-c9b4015c4baf", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-da2110c0-bcea-11e9-b6a2-c9b4015c4baf", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "windows-abf96c10-bcea-11e9-b6a2-c9b4015c4baf", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "windows-4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-7e178c80-fee1-11e9-8405-516218e3d268", - "name": "panel_9", - "type": "search" - }, - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "panel_10", - "type": "search" - }, - { - "id": "windows-97c70300-ff1c-11e9-8405-516218e3d268", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "windows-bf45dc50-ff1a-11e9-8405-516218e3d268", - "name": "panel_12", - "type": "visualization" - }, - { - "id": "windows-7322f9f0-ff1c-11e9-8405-516218e3d268", - "name": "panel_13", - "type": "visualization" - }, - { - "id": "windows-d3a5fec0-ff18-11e9-8405-516218e3d268", - "name": "panel_14", - "type": "visualization" - }, - { - "id": "windows-1b6725f0-ff1d-11e9-8405-516218e3d268", - "name": "panel_15", - "type": "visualization" - }, - { - "id": "windows-60301890-ff1d-11e9-8405-516218e3d268", - "name": "panel_16", - "type": "visualization" - }, - { - "id": "windows-9dd22440-ff1d-11e9-8405-516218e3d268", - "name": "panel_17", - "type": "visualization" - }, - { - "id": "windows-c9d959f0-ff1d-11e9-8405-516218e3d268", - "name": "panel_18", - "type": "visualization" - }, - { - "id": "windows-1f271bc0-231a-11ea-8405-516218e3d268", - "name": "panel_19", - "type": "visualization" - }, 
- { - "id": "windows-fa876300-231a-11ea-8405-516218e3d268", - "name": "panel_20", - "type": "visualization" - }, - { - "id": "windows-a3c3f350-9b6d-11ea-87e4-49f31ec44891", - "name": "panel_21", - "type": "visualization" - }, - { - "id": "windows-26877510-9b72-11ea-87e4-49f31ec44891", - "name": "panel_22", - "type": "visualization" - }, - { - "id": "windows-117f5a30-9b71-11ea-87e4-49f31ec44891", - "name": "panel_23", - "type": "visualization" - }, - { - "id": "windows-5c9ee410-9b74-11ea-87e4-49f31ec44891", - "name": "panel_24", - "type": "visualization" - }, - { - "id": "windows-aa31c9d0-9b75-11ea-87e4-49f31ec44891", - "name": "panel_25", - "type": "visualization" - }, - { - "id": "windows-caf4d2b0-9b76-11ea-87e4-49f31ec44891", - "name": "panel_26", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8.json b/packages/system/0.11.0/kibana/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8.json deleted file mode 100644 index 4dba98af12..0000000000 --- a/packages/system/0.11.0/kibana/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8.json +++ /dev/null 
@@ -1,133 +0,0 @@ -{ - "attributes": { - "description": "Overview of host metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"1\",\"w\":24,\"x\":0,\"y\":55},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"2\",\"w\":24,\"x\":24,\"y\":25},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"3\",\"w\":24,\"x\":24,\"y\":55},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"4\",\"w\":24,\"x\":0,\"y\":40},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":70},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":24,\"x\":0,\"y\":70},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"7\",\"w\":24,\"x\":0,\"y\":25},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"8\",\"w\":24,\"x\":24,\"y\":40},\"panelIndex\":\"8\",\"panelRefName\":\"panel_7\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"9\",\"w\":8,\"x\":16,\"y\":5},\"panelIndex\":\"9\",\"panelRefName\":\"panel_8\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"10\",\"w\":8,\"x\":0,\"y\":5},\"panelIndex\":\"10\",\"panelRefName\":\"panel_9\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"11\",\"w\":8,\"x\":8,
\"y\":5},\"panelIndex\":\"11\",\"panelRefName\":\"panel_10\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"12\",\"w\":8,\"x\":24,\"y\":5},\"panelIndex\":\"12\",\"panelRefName\":\"panel_11\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"13\",\"w\":8,\"x\":32,\"y\":5},\"panelIndex\":\"13\",\"panelRefName\":\"panel_12\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"14\",\"w\":16,\"x\":32,\"y\":15},\"panelIndex\":\"14\",\"panelRefName\":\"panel_13\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":5,\"i\":\"16\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"16\",\"panelRefName\":\"panel_14\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"21\",\"w\":8,\"x\":0,\"y\":15},\"panelIndex\":\"21\",\"panelRefName\":\"panel_15\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"22\",\"w\":8,\"x\":8,\"y\":15},\"panelIndex\":\"22\",\"panelRefName\":\"panel_16\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"23\",\"w\":8,\"x\":24,\"y\":15},\"panelIndex\":\"23\",\"panelRefName\":\"panel_17\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"25\",\"w\":8,\"x\":40,\"y\":5},\"panelIndex\":\"25\",\"panelRefName\":\"panel_18\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"27\",\"w\":24,\"x\":0,\"y\":85},\"panelIndex\":\"27\",\"panelRefName\":\"panel_19\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"28\",\"w\":24,\"x\":24,\"y\":85},\"panelIndex\":\"28\",\"panelRefName\":\"panel_20\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":10,\"i\":\"29\",\"w\":8,\"x\":16,\"y\":15},\"panelIndex\":\"29\",\"panelRefName\":\"panel_21\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":5,\"i\":\"30\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"30\",\"panelRefName\":\"panel_22\",\"version\":\"7.6.0\"}]", - "timeRestore": false, - "title": "[Metrics System] Host overview", - "version": 1 - }, - "id": "system-79ffd6e0-faa0-11e6-947f-177f697178b8", - "references": [ - { - "id": "system-6b7b9a40-faa1-11e6-86b1-cd7735ff7e23", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-4d546850-1b15-11e7-b09e-037021c4f8df", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "system-089b85d0-1b16-11e7-b09e-037021c4f8df", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "system-bfa5e400-1b16-11e7-b09e-037021c4f8df", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "system-e0f001c0-1b18-11e7-b09e-037021c4f8df", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "system-2e224660-1b19-11e7-b09e-037021c4f8df", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "system-ab2d1e90-1b1a-11e7-b09e-037021c4f8df", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "system-4e4bb1e0-1b1b-11e7-b09e-037021c4f8df", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "system-26732e20-1b91-11e7-bec4-a5e9ec5cab8b", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "system-1aae9140-1b93-11e7-8ada-3df93aab833e", - "name": "panel_12", - "type": "visualization" - }, - { - "id": "system-34f97ee0-1b96-11e7-8ada-3df93aab833e", - 
"name": "panel_13", - "type": "visualization" - }, - { - "id": "system-Navigation", - "name": "panel_14", - "type": "visualization" - }, - { - "id": "system-19e123b0-4d5a-11e7-aee5-fdc812cc3bec", - "name": "panel_15", - "type": "visualization" - }, - { - "id": "system-d2e80340-4d5c-11e7-aa29-87a97a796de6", - "name": "panel_16", - "type": "visualization" - }, - { - "id": "system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32", - "name": "panel_17", - "type": "visualization" - }, - { - "id": "system-96976150-4d5d-11e7-aa29-87a97a796de6", - "name": "panel_18", - "type": "visualization" - }, - { - "id": "system-99381c80-4d60-11e7-9a4c-ed99bbcaa42b", - "name": "panel_19", - "type": "visualization" - }, - { - "id": "system-c5e3cf90-4d60-11e7-9a4c-ed99bbcaa42b", - "name": "panel_20", - "type": "visualization" - }, - { - "id": "system-590a60f0-5d87-11e7-8884-1bb4c3b890e4", - "name": "panel_21", - "type": "visualization" - }, - { - "id": "system-3d65d450-a9c3-11e7-af20-67db8aecb295", - "name": "panel_22", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/dashboard/system-8223bed0-b9e9-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.11.0/kibana/dashboard/system-8223bed0-b9e9-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 81fed1fd24..0000000000 --- a/packages/system/0.11.0/kibana/dashboard/system-8223bed0-b9e9-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,159 +0,0 @@ -{ - "attributes": { - "description": "User management activity with TSVB metrics.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"1\",\"w\":17,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Created Users [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"3\",\"w\":9,\"x\":0,\"y\":55},\"panelIndex\":\"3\",\"panelRefName\":\"panel_1\",\"title\":\"Created Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Enabled Users [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"5\",\"w\":9,\"x\":9,\"y\":55},\"panelIndex\":\"5\",\"panelRefName\":\"panel_2\",\"title\":\"Enabled Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Disabled Users [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"6\",\"w\":9,\"x\":0,\"y\":80},\"panelIndex\":\"6\",\"panelRefName\":\"panel_3\",\"title\":\"Disabled Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Deleted Users [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"7\",\"w\":9,\"x\":18,\"y\":55},\"panelIndex\":\"7\",\"panelRefName\":\"panel_4\",\"title\":\"Deleted Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Passwords Changes [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"9\",\"w\":9,\"x\":18,\"y\":80},\"panelIndex\":\"9\",\"panelRefName\":\"panel_5\",\"title\":\"Passwords Changes [Windows System 
Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"10\",\"w\":9,\"x\":0,\"y\":46},\"panelIndex\":\"10\",\"panelRefName\":\"panel_6\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"11\",\"w\":9,\"x\":9,\"y\":46},\"panelIndex\":\"11\",\"panelRefName\":\"panel_7\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"12\",\"w\":9,\"x\":18,\"y\":46},\"panelIndex\":\"12\",\"panelRefName\":\"panel_8\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"13\",\"w\":9,\"x\":0,\"y\":71},\"panelIndex\":\"13\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"14\",\"w\":9,\"x\":18,\"y\":71},\"panelIndex\":\"14\",\"panelRefName\":\"panel_10\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Unlocked Users [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"15\",\"w\":9,\"x\":9,\"y\":80},\"panelIndex\":\"15\",\"panelRefName\":\"panel_11\",\"title\":\"Unlocked Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Users Changes [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"16\",\"w\":9,\"x\":18,\"y\":105},\"panelIndex\":\"16\",\"panelRefName\":\"panel_12\",\"title\":\"Users Changes [Windows System 
Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"17\",\"w\":9,\"x\":0,\"y\":96},\"panelIndex\":\"17\",\"panelRefName\":\"panel_13\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"18\",\"w\":9,\"x\":9,\"y\":71},\"panelIndex\":\"18\",\"panelRefName\":\"panel_14\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"19\",\"w\":9,\"x\":18,\"y\":96},\"panelIndex\":\"19\",\"panelRefName\":\"panel_15\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Locked-out Users [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"20\",\"w\":9,\"x\":0,\"y\":105},\"panelIndex\":\"20\",\"panelRefName\":\"panel_16\",\"title\":\"Locked-out Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":48,\"i\":\"22\",\"w\":21,\"x\":27,\"y\":73},\"panelIndex\":\"22\",\"panelRefName\":\"panel_17\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"23\",\"w\":48,\"x\":0,\"y\":121},\"panelIndex\":\"23\",\"panelRefName\":\"panel_18\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"24\",\"w\":9,\"x\":9,\"y\":96},\"panelIndex\":\"24\",\"panelRefName\":\"panel_19\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"25\",\"w\":9,\"x\":9,\"y\":105},\"panelIndex\":\"25\",\"panelRefName\":\"panel_20\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"20adcb1b-cebf-4a75-9bc4-eaeeee626c5e\",\"w\":31,\"x\":17,\"y\":0},\"panelIndex\":\"20adcb1b-cebf-4a75-9bc4-eaeeee626c5e\",\"panelRefName\":\"panel_21\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-user-account\":\"#0A437C\",\"deleted-user-account\":\"#82B5D8\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#052B51\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\"},\"
vis\":{\"colors\":{\"added-user-account\":\"#0A437C\",\"deleted-user-account\":\"#82B5D8\",\"disabled-user-account\":\"#BADFF4\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#052B51\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\"}}},\"gridData\":{\"h\":19,\"i\":\"8aad73ff-37b1-487a-a3f1-b80b93618ac4\",\"w\":18,\"x\":0,\"y\":7},\"panelIndex\":\"8aad73ff-37b1-487a-a3f1-b80b93618ac4\",\"panelRefName\":\"panel_22\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"18cc78ac-3f77-4f54-b351-cb94873cae3f\",\"w\":14,\"x\":18,\"y\":7},\"panelIndex\":\"18cc78ac-3f77-4f54-b351-cb94873cae3f\",\"panelRefName\":\"panel_23\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"75f5f1fc-bc7c-4f8f-8e5b-0a52d525aa7d\",\"w\":16,\"x\":32,\"y\":7},\"panelIndex\":\"75f5f1fc-bc7c-4f8f-8e5b-0a52d525aa7d\",\"panelRefName\":\"panel_24\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Actions performed over Users [Windows System Security]\",\"vis\":null},\"gridData\":{\"h\":20,\"i\":\"f443b5b0-ada7-426f-ae2f-46573f94f24f\",\"w\":48,\"x\":0,\"y\":26},\"panelIndex\":\"f443b5b0-ada7-426f-ae2f-46573f94f24f\",\"panelRefName\":\"panel_25\",\"title\":\"Actions performed over Users [Windows System 
Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-user-account\":\"#0A437C\",\"deleted-user-account\":\"#82B5D8\",\"disabled-user-account\":\"#BADFF4\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#2F575E\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\"},\"vis\":{\"colors\":{\"added-user-account\":\"#0A437C\",\"deleted-user-account\":\"#82B5D8\",\"disabled-user-account\":\"#BADFF4\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#2F575E\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\",\"unlocked-user-account\":\"#0A437C\"}}},\"gridData\":{\"h\":27,\"i\":\"820c0311-d378-49dc-a614-e0fed2254603\",\"w\":21,\"x\":27,\"y\":46},\"panelIndex\":\"820c0311-d378-49dc-a614-e0fed2254603\",\"panelRefName\":\"panel_26\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[System Windows Security] User Management Events - Simple Metric", - "version": 1 - }, - "id": "windows-8223bed0-b9e9-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-8f20c950-bcd4-11e9-b6a2-c9b4015c4baf", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-102efd20-bcdd-11e9-b6a2-c9b4015c4baf", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "windows-855957d0-bcdd-11e9-b6a2-c9b4015c4baf", - "name": "panel_7", - 
"type": "visualization" - }, - { - "id": "windows-c359b020-bcdd-11e9-b6a2-c9b4015c4baf", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-0cb2d940-bcde-11e9-b6a2-c9b4015c4baf", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-568a8130-bcde-11e9-b6a2-c9b4015c4baf", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "windows-da2110c0-bcea-11e9-b6a2-c9b4015c4baf", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "windows-abf96c10-bcea-11e9-b6a2-c9b4015c4baf", - "name": "panel_12", - "type": "visualization" - }, - { - "id": "windows-84502430-bce8-11e9-b6a2-c9b4015c4baf", - "name": "panel_13", - "type": "visualization" - }, - { - "id": "windows-ab6f8d80-bce8-11e9-b6a2-c9b4015c4baf", - "name": "panel_14", - "type": "visualization" - }, - { - "id": "windows-5d92b100-bce8-11e9-b6a2-c9b4015c4baf", - "name": "panel_15", - "type": "visualization" - }, - { - "id": "windows-4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf", - "name": "panel_16", - "type": "visualization" - }, - { - "id": "windows-7e178c80-fee1-11e9-8405-516218e3d268", - "name": "panel_17", - "type": "search" - }, - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "panel_18", - "type": "search" - }, - { - "id": "windows-5e19ff80-231c-11ea-8405-516218e3d268", - "name": "panel_19", - "type": "visualization" - }, - { - "id": "windows-fa876300-231a-11ea-8405-516218e3d268", - "name": "panel_20", - "type": "visualization" - }, - { - "id": "windows-d770b040-9b35-11ea-87e4-49f31ec44891", - "name": "panel_21", - "type": "visualization" - }, - { - "id": "windows-26877510-9b72-11ea-87e4-49f31ec44891", - "name": "panel_22", - "type": "visualization" - }, - { - "id": "windows-5c9ee410-9b74-11ea-87e4-49f31ec44891", - "name": "panel_23", - "type": "visualization" - }, - { - "id": "windows-117f5a30-9b71-11ea-87e4-49f31ec44891", - "name": "panel_24", - "type": "visualization" - }, - { - "id": "windows-aa31c9d0-9b75-11ea-87e4-49f31ec44891", - 
"name": "panel_25", - "type": "visualization" - }, - { - "id": "windows-caf4d2b0-9b76-11ea-87e4-49f31ec44891", - "name": "panel_26", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/dashboard/system-Filebeat-syslog-dashboard.json b/packages/system/0.11.0/kibana/dashboard/system-Filebeat-syslog-dashboard.json deleted file mode 100644 index e853fd4613..0000000000 --- a/packages/system/0.11.0/kibana/dashboard/system-Filebeat-syslog-dashboard.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "description": "Syslog dashboard from the Logs System integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"1\",\"w\":32,\"x\":0,\"y\":4},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"2\",\"w\":16,\"x\":32,\"y\":4},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"columns\":[\"host.hostname\",\"process.name\",\"message\"],\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"h\":28,\"i\":\"3\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"4\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Logs System] Syslog dashboard", - "version": 1 - }, - "id": "system-Filebeat-syslog-dashboard", - "references": [ - { - "id": "system-Syslog-events-by-hostname", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-Syslog-hostnames-and-processes", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "system-Syslog-system-logs", - "name": "panel_2", - "type": "search" - }, - { - "id": "system-327417e0-8462-11e7-bab8-bd2f0fb42c54", - "name": "panel_3", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/dashboard/system-Metricbeat-system-overview.json b/packages/system/0.11.0/kibana/dashboard/system-Metricbeat-system-overview.json deleted file mode 100644 index 286c979eb2..0000000000 
--- a/packages/system/0.11.0/kibana/dashboard/system-Metricbeat-system-overview.json +++ /dev/null 
@@ -1,68 +0,0 @@ -{ - "attributes": { - "description": "Overview of system metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"9\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"9\",\"panelRefName\":\"panel_0\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"11\",\"w\":8,\"x\":0,\"y\":4},\"panelIndex\":\"11\",\"panelRefName\":\"panel_1\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":20,\"i\":\"12\",\"w\":24,\"x\":24,\"y\":12},\"panelIndex\":\"12\",\"panelRefName\":\"panel_2\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"13\",\"w\":24,\"x\":0,\"y\":12},\"panelIndex\":\"13\",\"panelRefName\":\"panel_3\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0% - 15%\":\"rgb(247,252,245)\",\"15% - 30%\":\"rgb(199,233,192)\",\"30% - 45%\":\"rgb(116,196,118)\",\"45% - 60%\":\"rgb(35,139,69)\"}}},\"gridData\":{\"h\":24,\"i\":\"14\",\"w\":48,\"x\":0,\"y\":32},\"panelIndex\":\"14\",\"panelRefName\":\"panel_4\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"16\",\"w\":8,\"x\":32,\"y\":4},\"panelIndex\":\"16\",\"panelRefName\":\"panel_5\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"17\",\"w\":8,\"x\":40,\"y\":4},\"panelIndex\":\"17\",\"panelRefName\":\"panel_6\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"18\",\"w\":8,\"x\":24,\"y\":4},\"panelIndex\":\"18\",\"panelRefName\":\"panel_7\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"19\",\"w\":8,\"x\":16,\"y\":4},\"panelIndex\":\"19\",\"panelRefName\":\"panel_8\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"20\",\"w\":8,\"x\":8,\"y\":4},\"panelIndex\":\"20\",\"panelRefName\":\"panel_9\",\"version\":\"7.6.0\"}]", - "timeRestore": false, - "title": "[Metrics System] Overview", - "version": 1 - }, - "id": "system-Metrics-system-overview", - "references": [ - { - "id": "system-Navigation", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-c6f2ffd0-4d17-11e7-a196-69b9a7a020a9", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "system-fe064790-1b1f-11e7-bec4-a5e9ec5cab8b", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "system-855899e0-1b1c-11e7-b09e-037021c4f8df", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "system-7cdb1330-4d1a-11e7-a196-69b9a7a020a9", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "system-1aae9140-1b93-11e7-8ada-3df93aab833e", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b", - "name": 
"panel_9", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/dashboard/system-Winlogbeat-Dashboard.json b/packages/system/0.11.0/kibana/dashboard/system-Winlogbeat-Dashboard.json deleted file mode 100644 index 2299940474..0000000000 --- a/packages/system/0.11.0/kibana/dashboard/system-Winlogbeat-Dashboard.json +++ /dev/null 
@@ -1,49 +0,0 @@ -{ - "attributes": { - "description": "Overview of all Windows Event Logs.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:system.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:system.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system OR data_stream.dataset:system.system)\"}}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"gridData\":{\"h\":20,\"i\":\"3\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"4\",\"w\":16,\"x\":16,\"y\":20},\"panelIndex\":\"4\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"gridData\":{\"h\":20,\"i\":\"5\",\"w\":16,\"x\":32,\"y\":20},\"panelIndex\":\"5\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"gridData\":{\"h\":20,\"i\":\"6\",\"w\":16,\"x\":0,\"y\":20},\"panelIndex\":\"6\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[System] Windows Overview", - "version": 1 - }, - "id": "Windows-Dashboard", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-Number-of-Events-Over-Time-By-Event-Log", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-Number-of-Events", - "name": "panel_1", - "type": "visualization" - }, - { - "id": 
"windows-Top-Event-IDs", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-Event-Levels", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-Sources", - "name": "panel_4", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/dashboard/system-bae11b00-9bfc-11ea-87e4-49f31ec44891.json b/packages/system/0.11.0/kibana/dashboard/system-bae11b00-9bfc-11ea-87e4-49f31ec44891.json deleted file mode 100644 index a07696c194..0000000000 --- a/packages/system/0.11.0/kibana/dashboard/system-bae11b00-9bfc-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,89 +0,0 @@ -{ - "attributes": { - "description": "User logon activity dashboard.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"Admin Users Sessions\"},\"gridData\":{\"h\":28,\"i\":\"1\",\"w\":18,\"x\":0,\"y\":34},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"title\":\"Admin Users Sessions\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"AdminLocalSta\":\"#890F02\",\"SERVICIO LOCAL\":\"#508642\"},\"legendOpen\":true,\"title\":\"Administrators Logged On\",\"vis\":{\"colors\":{\"AdminLocalSta\":\"#890F02\",\"NETWORK SERVICE\":\"#1F78C1\",\"SERVICIO LOCAL\":\"#508642\"},\"legendOpen\":true}},\"gridData\":{\"h\":18,\"i\":\"3\",\"w\":18,\"x\":0,\"y\":16},\"panelIndex\":\"3\",\"panelRefName\":\"panel_1\",\"title\":\"Administrators Logged On\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":6,\"i\":\"4\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_2\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Details\"},\"gridData\":{\"h\":47,\"i\":\"10\",\"w\":23,\"x\":0,\"y\":62},\"panelIndex\":\"10\",\"panelRefName\":\"panel_3\",\"title\":\"Logon 
Details\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":6,\"i\":\"34fc9633-8a7c-444d-8d19-06095b55fb43\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"34fc9633-8a7c-444d-8d19-06095b55fb43\",\"panelRefName\":\"panel_4\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":10,\"i\":\"67d2409d-3e51-45d5-972f-32a36537e622\",\"w\":9,\"x\":0,\"y\":6},\"panelIndex\":\"67d2409d-3e51-45d5-972f-32a36537e622\",\"panelRefName\":\"panel_5\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":10,\"i\":\"33d05ce3-f60d-4a31-a668-aa6fab0cc800\",\"w\":9,\"x\":9,\"y\":6},\"panelIndex\":\"33d05ce3-f60d-4a31-a668-aa6fab0cc800\",\"panelRefName\":\"panel_6\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Events Timeline\"},\"gridData\":{\"h\":13,\"i\":\"7b3906e6-3a81-450c-bb31-ca0d670440b7\",\"w\":30,\"x\":18,\"y\":6},\"panelIndex\":\"7b3906e6-3a81-450c-bb31-ca0d670440b7\",\"panelRefName\":\"panel_7\",\"title\":\"Logon Events Timeline\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"CachedInteractive\":\"#6ED0E0\",\"Interactive\":\"#2F575E\",\"Network\":\"#447EBC\",\"RemoteInteractive\":\"#64B0C8\",\"Service\":\"#6ED0E0\",\"Unlock\":\"#BADFF4\"},\"legendOpen\":true,\"title\":\"Logon Types\",\"vis\":{\"colors\":{\"CachedInteractive\":\"#6ED0E0\",\"Interactive\":\"#2F575E\",\"Network\":\"#447EBC\",\"RemoteInteractive\":\"#64B0C8\",\"Service\":\"#65C5DB\",\"Unlock\":\"#BADFF4\"},\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"cf50b48e-453c-46fb-ad35-7ccfb7b03de0\",\"w\":15,\"x\":18,\"y\":19},\"panelIndex\":\"cf50b48e-453c-46fb-ad35-7ccfb7b03de0\",\"panelRefName\":\"panel_8\",\"title\":\"Logon 
Types\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"a743ffe5-a2ac-4c0b-9b6f-a81563140c42\",\"w\":15,\"x\":33,\"y\":19},\"panelIndex\":\"a743ffe5-a2ac-4c0b-9b6f-a81563140c42\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"RDP Reconnections and Desconnections\"},\"gridData\":{\"h\":28,\"i\":\"454bb008-9720-455e-8ab9-b2f47d25aa4f\",\"w\":18,\"x\":18,\"y\":34},\"panelIndex\":\"454bb008-9720-455e-8ab9-b2f47d25aa4f\",\"panelRefName\":\"panel_10\",\"title\":\"RDP Reconnections and Desconnections\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":28,\"i\":\"29a0e70a-ab23-4d48-8d4e-9a39c5af47ad\",\"w\":12,\"x\":36,\"y\":34},\"panelIndex\":\"29a0e70a-ab23-4d48-8d4e-9a39c5af47ad\",\"panelRefName\":\"panel_11\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logout Details\"},\"gridData\":{\"h\":46,\"i\":\"28115147-8399-4fcd-95ce-ed0a4f4239e3\",\"w\":25,\"x\":23,\"y\":62},\"panelIndex\":\"28115147-8399-4fcd-95ce-ed0a4f4239e3\",\"panelRefName\":\"panel_12\",\"title\":\"Logout Details\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[System Windows Security] User Logons", - "version": 1 - }, - "id": "windows-bae11b00-9bfc-11ea-87e4-49f31ec44891", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-804dd400-a248-11e9-a422-d144027429da", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-e2516c10-a249-11e9-a422-d144027429da", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-18348f30-a24d-11e9-a422-d144027429da", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-ce71c9a0-a25e-11e9-a422-d144027429da", - "name": "panel_3", - "type": "search" - }, - { - "id": "windows-a3c3f350-9b6d-11ea-87e4-49f31ec44891", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-0622da40-9bfd-11ea-87e4-49f31ec44891", - "name": 
"panel_5", - "type": "visualization" - }, - { - "id": "windows-860706a0-9bfd-11ea-87e4-49f31ec44891", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "windows-a909b930-685f-11ea-896f-0d70f7ec3956", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "windows-006d75f0-9c03-11ea-87e4-49f31ec44891", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-21aadac0-9c0b-11ea-87e4-49f31ec44891", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3", - "name": "panel_10", - "type": "search" - }, - { - "id": "windows-25f31ee0-9c23-11ea-87e4-49f31ec44891", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "windows-06b6b060-7a80-11ea-bc9a-0baf2ca323a3", - "name": "panel_12", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/dashboard/system-bb858830-f412-11e9-8405-516218e3d268.json b/packages/system/0.11.0/kibana/dashboard/system-bb858830-f412-11e9-8405-516218e3d268.json deleted file mode 100644 index 31718aaa5d..0000000000 --- a/packages/system/0.11.0/kibana/dashboard/system-bb858830-f412-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,129 +0,0 @@ -{ - "attributes": { - "description": "Group management activity.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"22\",\"w\":16,\"x\":0,\"y\":0},\"panelIndex\":\"22\",\"panelRefName\":\"panel_0\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"29\",\"w\":16,\"x\":0,\"y\":68},\"panelIndex\":\"29\",\"panelRefName\":\"panel_1\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"30\",\"w\":9,\"x\":18,\"y\":48},\"panelIndex\":\"30\",\"panelRefName\":\"panel_2\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"31\",\"w\":9,\"x\":0,\"y\":48},\"panelIndex\":\"31\",\"panelRefName\":\"panel_3\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"32\",\"w\":9,\"x\":9,\"y\":48},\"panelIndex\":\"32\",\"panelRefName\":\"panel_4\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"33\",\"w\":17,\"x\":16,\"y\":68},\"panelIndex\":\"33\",\"panelRefName\":\"panel_5\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"34\",\"w\":15,\"x\":33,\"y\":68},\"panelIndex\":\"34\",\"panelRefName\":\"panel_6\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Creation Summary [Windows System Security]\"},\"gridData\":{\"h\":13,\"i\":\"36\",\"w\":9,\"x\":0,\"y\":55},\"panelIndex\":\"36\",\"panelRefName\":\"panel_7\",\"title\":\"Group Creation Summary [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Changes Summary [Windows System 
Security]\"},\"gridData\":{\"h\":13,\"i\":\"37\",\"w\":9,\"x\":9,\"y\":55},\"panelIndex\":\"37\",\"panelRefName\":\"panel_8\",\"title\":\"Group Changes Summary [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Deletion Summary [Windows System Security]\"},\"gridData\":{\"h\":13,\"i\":\"38\",\"w\":9,\"x\":18,\"y\":55},\"panelIndex\":\"38\",\"panelRefName\":\"panel_9\",\"title\":\"Group Deletion Summary [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Users Added to Group Summary [Windows System Security]\"},\"gridData\":{\"h\":14,\"i\":\"39\",\"w\":16,\"x\":0,\"y\":75},\"panelIndex\":\"39\",\"panelRefName\":\"panel_10\",\"title\":\"Users Added to Group Summary [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Users Removed From Group Summary [Windows System Security]\"},\"gridData\":{\"h\":14,\"i\":\"40\",\"w\":17,\"x\":16,\"y\":75},\"panelIndex\":\"40\",\"panelRefName\":\"panel_11\",\"title\":\"Users Removed From Group Summary [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Enumeration - Table [Windows System Security]\"},\"gridData\":{\"h\":14,\"i\":\"42\",\"w\":15,\"x\":33,\"y\":75},\"panelIndex\":\"42\",\"panelRefName\":\"panel_12\",\"title\":\"Group Enumeration - Table [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Details [Windows System Security]\"},\"gridData\":{\"h\":20,\"i\":\"43\",\"w\":21,\"x\":27,\"y\":48},\"panelIndex\":\"43\",\"panelRefName\":\"panel_13\",\"title\":\"Logon Details [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Management Operations Details [Windows System Security]\"},\"gridData\":{\"h\":22,\"i\":\"45\",\"w\":48,\"x\":0,\"y\":89},\"panelIndex\":\"45\",\"panelRefName\":\"panel_14\",\"title\":\"Group Management Operations Details [Windows System 
Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-group-account\":\"#0A437C\",\"added-member-to-group\":\"#1F78C1\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#052B51\",\"user-member-enumerated\":\"#447EBC\"},\"vis\":{\"colors\":{\"added-group-account\":\"#0A437C\",\"added-member-to-group\":\"#1F78C1\",\"deleted-group-account\":\"#82B5D8\",\"modified-group-account\":\"#052B51\",\"user-member-enumerated\":\"#447EBC\"}}},\"gridData\":{\"h\":20,\"i\":\"3f7e277d-09d1-4a79-bc17-bc5da5a7e290\",\"w\":20,\"x\":0,\"y\":7},\"panelIndex\":\"3f7e277d-09d1-4a79-bc17-bc5da5a7e290\",\"panelRefName\":\"panel_15\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"8cda9d6a-096f-41a5-86e6-09dd1f6b9c98\",\"w\":16,\"x\":32,\"y\":7},\"panelIndex\":\"8cda9d6a-096f-41a5-86e6-09dd1f6b9c98\",\"panelRefName\":\"panel_16\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Management Events - Event Actions - Table [Windows System Security]\"},\"gridData\":{\"h\":20,\"i\":\"74edddd5-2dc5-41b8-b4f2-bf9c95218f1b\",\"w\":12,\"x\":20,\"y\":7},\"panelIndex\":\"74edddd5-2dc5-41b8-b4f2-bf9c95218f1b\",\"panelRefName\":\"panel_17\",\"title\":\"Group Management Events - Event Actions - Table [Windows System 
Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"vis\":null},\"gridData\":{\"h\":21,\"i\":\"33cef054-615a-49cb-bb2e-eb55fab96ae5\",\"w\":27,\"x\":0,\"y\":27},\"panelIndex\":\"33cef054-615a-49cb-bb2e-eb55fab96ae5\",\"panelRefName\":\"panel_18\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-group-account\":\"#1F78C1\",\"added-member-to-group\":\"#0A437C\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#0A50A1\",\"type-changed-group-account\":\"#82B5D8\",\"user-member-enumerated\":\"#447EBC\"},\"vis\":{\"colors\":{\"added-group-account\":\"#1F78C1\",\"added-member-to-group\":\"#0A437C\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#0A50A1\",\"removed-member-from-group\":\"#BADFF4\",\"type-changed-group-account\":\"#82B5D8\",\"user-member-enumerated\":\"#447EBC\"}}},\"gridData\":{\"h\":21,\"i\":\"e0d495aa-f897-403f-815b-6116fae330b7\",\"w\":21,\"x\":27,\"y\":27},\"panelIndex\":\"e0d495aa-f897-403f-815b-6116fae330b7\",\"panelRefName\":\"panel_19\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"663e0493-2070-407b-9d00-079915cce7e7\",\"w\":32,\"x\":16,\"y\":0},\"panelIndex\":\"663e0493-2070-407b-9d00-079915cce7e7\",\"panelRefName\":\"panel_20\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[System Windows Security] Group Management Events", - "version": 1 - }, - "id": "windows-bb858830-f412-11e9-8405-516218e3d268", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-6f0f2ea0-f414-11e9-8405-516218e3d268", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-ffebe440-f419-11e9-8405-516218e3d268", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-e22c6f40-f498-11e9-8405-516218e3d268", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-ee292bc0-f499-11e9-8405-516218e3d268", - "name": "panel_3", - "type": 
"visualization" - }, - { - "id": "windows-400b63e0-f49a-11e9-8405-516218e3d268", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-a5f664c0-f49a-11e9-8405-516218e3d268", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-546febc0-f49b-11e9-8405-516218e3d268", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "windows-98884120-f49d-11e9-8405-516218e3d268", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "windows-9e534190-f49d-11e9-8405-516218e3d268", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-bb9cf7a0-f49d-11e9-8405-516218e3d268", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-ce867840-f49e-11e9-8405-516218e3d268", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "windows-fee83900-f49f-11e9-8405-516218e3d268", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "windows-bc165210-f4b8-11e9-8405-516218e3d268", - "name": "panel_12", - "type": "visualization" - }, - { - "id": "windows-7e178c80-fee1-11e9-8405-516218e3d268", - "name": "panel_13", - "type": "search" - }, - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "panel_14", - "type": "search" - }, - { - "id": "windows-b89b0c90-9b41-11ea-87e4-49f31ec44891", - "name": "panel_15", - "type": "visualization" - }, - { - "id": "windows-58fb9480-9b46-11ea-87e4-49f31ec44891", - "name": "panel_16", - "type": "visualization" - }, - { - "id": "windows-33462600-9b47-11ea-87e4-49f31ec44891", - "name": "panel_17", - "type": "visualization" - }, - { - "id": "windows-e20c02d0-9b48-11ea-87e4-49f31ec44891", - "name": "panel_18", - "type": "visualization" - }, - { - "id": "windows-7de2e3f0-9b4d-11ea-87e4-49f31ec44891", - "name": "panel_19", - "type": "visualization" - }, - { - "id": "windows-a3c3f350-9b6d-11ea-87e4-49f31ec44891", - "name": "panel_20", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file 
diff --git a/packages/system/0.11.0/kibana/dashboard/system-d401ef40-a7d5-11e9-a422-d144027429da.json b/packages/system/0.11.0/kibana/dashboard/system-d401ef40-a7d5-11e9-a422-d144027429da.json deleted file mode 100644 index b5991808e8..0000000000 --- a/packages/system/0.11.0/kibana/dashboard/system-d401ef40-a7d5-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,84 +0,0 @@ -{ - "attributes": { - "description": "Failed and blocked accounts with TSVB metrics.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"1\",\"w\":14,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"Failed Logins\":\"#EF843C\",\"Failed Logons\":\"#E24D42\",\"Successful Login\":\"#B7DBAB\",\"Successful Logon\":\"#9AC48A\"},\"legendOpen\":true,\"title\":\"Login Successful vs Failed\",\"vis\":{\"colors\":{\"Failed Logins\":\"#EF843C\",\"Failed Logons\":\"#BF1B00\",\"Successful Login\":\"#B7DBAB\",\"Successful Logon\":\"#9AC48A\"},\"legendOpen\":true}},\"gridData\":{\"h\":18,\"i\":\"2\",\"w\":12,\"x\":0,\"y\":7},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"title\":\"Login Successful vs Failed\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Blocked Acoounts\"},\"gridData\":{\"h\":21,\"i\":\"3\",\"w\":11,\"x\":12,\"y\":35},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"title\":\"Blocked Acoounts\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"Login Failed\":\"#F9934E\",\"Login OK\":\"#9AC48A\",\"Logon Failed\":\"#E24D42\",\"Logon Successful\":\"#9AC48A\"},\"legendOpen\":true,\"title\":\"Logon Successful and Failed Over time\",\"vis\":{\"colors\":{\"Login Failed\":\"#F9934E\",\"Login OK\":\"#9AC48A\",\"Logon Failed\":\"#BF1B00\",\"Logon Successful\":\"#9AC48A\"},\"legendOpen\":true}},\"gridData\":{\"h\":18,\"i\":\"4\",\"w\":23,\"x\":12,\"y\":7},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"title\":\"Logon Successful and Failed Over 
time\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"5\",\"w\":12,\"x\":0,\"y\":35},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Failed (Time Mosaic View)\",\"vis\":{\"defaultColors\":{\"0 - 5\":\"rgb(255,245,240)\",\"10 - 15\":\"rgb(252,138,106)\",\"15 - 20\":\"rgb(241,68,50)\",\"20 - 24\":\"rgb(188,20,26)\",\"5 - 10\":\"rgb(253,202,181)\"},\"legendOpen\":false}},\"gridData\":{\"h\":30,\"i\":\"6\",\"w\":48,\"x\":0,\"y\":56},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"title\":\"Logon Failed (Time Mosaic View)\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Failed and Account Lockouts\"},\"gridData\":{\"h\":20,\"i\":\"8\",\"w\":48,\"x\":0,\"y\":86},\"panelIndex\":\"8\",\"panelRefName\":\"panel_6\",\"title\":\"Logon Failed and Account Lockouts\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Failed Source IPs\"},\"gridData\":{\"h\":18,\"i\":\"10\",\"w\":13,\"x\":35,\"y\":7},\"panelIndex\":\"10\",\"panelRefName\":\"panel_7\",\"title\":\"Logon Failed Source IPs\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Failed Logins Table\"},\"gridData\":{\"h\":31,\"i\":\"11\",\"w\":25,\"x\":23,\"y\":25},\"panelIndex\":\"11\",\"panelRefName\":\"panel_8\",\"title\":\"Failed Logins 
Table\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"628de26f-7b7b-457c-b811-e06161e4e7b4\",\"w\":34,\"x\":14,\"y\":0},\"panelIndex\":\"628de26f-7b7b-457c-b811-e06161e4e7b4\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":10,\"i\":\"01a624c2-7a86-4fa9-89d3-e2ae84e94ec9\",\"w\":12,\"x\":0,\"y\":25},\"panelIndex\":\"01a624c2-7a86-4fa9-89d3-e2ae84e94ec9\",\"panelRefName\":\"panel_10\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":10,\"i\":\"e3046900-1ffc-4efa-9dab-613d685c617b\",\"w\":11,\"x\":12,\"y\":25},\"panelIndex\":\"e3046900-1ffc-4efa-9dab-613d685c617b\",\"panelRefName\":\"panel_11\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[System Windows Security] Failed and Blocked Accounts", - "version": 1 - }, - "id": "windows-d401ef40-a7d5-11e9-a422-d144027429da", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-c2ea73f0-a4bd-11e9-a422-d144027429da", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-175a5760-a7d5-11e9-a422-d144027429da", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-7a329a00-a7d5-11e9-a422-d144027429da", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-162d7ab0-a7d6-11e9-a422-d144027429da", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-729443b0-a7d6-11e9-a422-d144027429da", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-4b683ac0-a7d7-11e9-a422-d144027429da", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-757510b0-a87f-11e9-a422-d144027429da", - "name": "panel_6", - "type": "search" - }, - { - "id": "windows-2084e300-a884-11e9-a422-d144027429da", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "windows-421f0610-af98-11e9-a422-d144027429da", - "name": 
"panel_8", - "type": "visualization" - }, - { - "id": "windows-a3c3f350-9b6d-11ea-87e4-49f31ec44891", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-8ef59f90-6ab8-11ea-896f-0d70f7ec3956", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "windows-a79395f0-6aba-11ea-896f-0d70f7ec3956", - "name": "panel_11", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/dashboard/system-f49f3170-9ffc-11ea-87e4-49f31ec44891.json b/packages/system/0.11.0/kibana/dashboard/system-f49f3170-9ffc-11ea-87e4-49f31ec44891.json deleted file mode 100644 index b53893ec0b..0000000000 --- a/packages/system/0.11.0/kibana/dashboard/system-f49f3170-9ffc-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,84 +0,0 @@ -{ - "attributes": { - "description": "Failed and blocked accounts.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"1\",\"w\":14,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"Failed Logins\":\"#EF843C\",\"Failed Logons\":\"#E24D42\",\"Successful Login\":\"#B7DBAB\",\"Successful Logon\":\"#9AC48A\"},\"legendOpen\":true,\"title\":\"Login Successful vs Failed\",\"vis\":{\"colors\":{\"Failed Logins\":\"#EF843C\",\"Failed Logons\":\"#BF1B00\",\"Successful Login\":\"#B7DBAB\",\"Successful Logon\":\"#9AC48A\"},\"legendOpen\":true}},\"gridData\":{\"h\":18,\"i\":\"2\",\"w\":12,\"x\":0,\"y\":7},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"title\":\"Login Successful vs Failed\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Blocked Acoounts\"},\"gridData\":{\"h\":21,\"i\":\"3\",\"w\":11,\"x\":12,\"y\":35},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"title\":\"Blocked Acoounts\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"Login Failed\":\"#F9934E\",\"Login OK\":\"#9AC48A\",\"Logon Failed\":\"#E24D42\",\"Logon Successful\":\"#9AC48A\"},\"legendOpen\":true,\"title\":\"Logon Successful and Failed Over time\",\"vis\":{\"colors\":{\"Login Failed\":\"#F9934E\",\"Login OK\":\"#9AC48A\",\"Logon Failed\":\"#BF1B00\",\"Logon Successful\":\"#9AC48A\"},\"legendOpen\":true}},\"gridData\":{\"h\":18,\"i\":\"4\",\"w\":23,\"x\":12,\"y\":7},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"title\":\"Logon Successful and Failed Over 
time\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"5\",\"w\":12,\"x\":0,\"y\":35},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Failed (Time Mosaic View)\",\"vis\":{\"defaultColors\":{\"0 - 5\":\"rgb(255,245,240)\",\"10 - 15\":\"rgb(252,138,106)\",\"15 - 20\":\"rgb(241,68,50)\",\"20 - 24\":\"rgb(188,20,26)\",\"5 - 10\":\"rgb(253,202,181)\"},\"legendOpen\":false}},\"gridData\":{\"h\":30,\"i\":\"6\",\"w\":48,\"x\":0,\"y\":56},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"title\":\"Logon Failed (Time Mosaic View)\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Failed and Account Lockouts\"},\"gridData\":{\"h\":20,\"i\":\"8\",\"w\":48,\"x\":0,\"y\":86},\"panelIndex\":\"8\",\"panelRefName\":\"panel_6\",\"title\":\"Logon Failed and Account Lockouts\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Failed Source IPs\"},\"gridData\":{\"h\":18,\"i\":\"10\",\"w\":13,\"x\":35,\"y\":7},\"panelIndex\":\"10\",\"panelRefName\":\"panel_7\",\"title\":\"Logon Failed Source IPs\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Failed Logins Table\"},\"gridData\":{\"h\":31,\"i\":\"11\",\"w\":25,\"x\":23,\"y\":25},\"panelIndex\":\"11\",\"panelRefName\":\"panel_8\",\"title\":\"Failed Logins 
Table\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"a79ee89f-ff45-486c-9788-9446d39456c2\",\"w\":34,\"x\":14,\"y\":0},\"panelIndex\":\"a79ee89f-ff45-486c-9788-9446d39456c2\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":10,\"i\":\"7765df59-11c4-476d-898f-9ebf98c369e2\",\"w\":11,\"x\":12,\"y\":25},\"panelIndex\":\"7765df59-11c4-476d-898f-9ebf98c369e2\",\"panelRefName\":\"panel_10\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":10,\"i\":\"b47c91d3-58c4-4b5b-b302-444b048efdfa\",\"w\":12,\"x\":0,\"y\":25},\"panelIndex\":\"b47c91d3-58c4-4b5b-b302-444b048efdfa\",\"panelRefName\":\"panel_11\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[System Windows Security] Failed and Blocked Accounts - Simple Metrics", - "version": 1 - }, - "id": "windows-f49f3170-9ffc-11ea-87e4-49f31ec44891", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-c2ea73f0-a4bd-11e9-a422-d144027429da", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-175a5760-a7d5-11e9-a422-d144027429da", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-7a329a00-a7d5-11e9-a422-d144027429da", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-162d7ab0-a7d6-11e9-a422-d144027429da", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-729443b0-a7d6-11e9-a422-d144027429da", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-4b683ac0-a7d7-11e9-a422-d144027429da", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-757510b0-a87f-11e9-a422-d144027429da", - "name": "panel_6", - "type": "search" - }, - { - "id": "windows-2084e300-a884-11e9-a422-d144027429da", - "name": "panel_7", - "type": "visualization" - }, - { - "id": 
"windows-421f0610-af98-11e9-a422-d144027429da", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-d770b040-9b35-11ea-87e4-49f31ec44891", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-5d117970-9ffd-11ea-87e4-49f31ec44891", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "windows-4bedf650-9ffd-11ea-87e4-49f31ec44891", - "name": "panel_11", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/search/system-06b6b060-7a80-11ea-bc9a-0baf2ca323a3.json b/packages/system/0.11.0/kibana/search/system-06b6b060-7a80-11ea-bc9a-0baf2ca323a3.json deleted file mode 100644 index 855283756c..0000000000 --- a/packages/system/0.11.0/kibana/search/system-06b6b060-7a80-11ea-bc9a-0baf2ca323a3.json +++ /dev/null 
@@ -1,50 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.name", - "user.domain", - "winlog.logon.id", - "event.action", - "winlog.logon.type", - "winlog.event_data.SubjectUserName" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4625\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"4625\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "User Logouts [Windows System Security]", - "version": 1 - }, - "id": "windows-06b6b060-7a80-11ea-bc9a-0baf2ca323a3", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file 
diff --git a/packages/system/0.11.0/kibana/search/system-324686c0-fefb-11e9-8405-516218e3d268.json b/packages/system/0.11.0/kibana/search/system-324686c0-fefb-11e9-8405-516218e3d268.json deleted file mode 100644 index c8b43b2e5e..0000000000 --- a/packages/system/0.11.0/kibana/search/system-324686c0-fefb-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "attributes": { - "columns": [ - "event.action", - "winlog.event_data.TargetUserName", - "user.domain", - "user.name", - "winlog.event_data.SubjectDomainName", - "winlog.logon.id", - "related.user" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4720\",\"4722\",\"4723\",\"4724\",\"4725\",\"4726\",\"4738\",\"4740\",\"4767\",\"4781\",\"4798\"],\"type\":\"phrases\",\"value\":\"4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740, 4767, 4781, 4798\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4720\"}},{\"match_phrase\":{\"event.code\":\"4722\"}},{\"match_phrase\":{\"event.code\":\"4723\"}},{\"match_phrase\":{\"event.code\":\"4724\"}},{\"match_phrase\":{\"event.code\":\"4725\"}},{\"match_phrase\":{\"event.code\":\"4726\"}},{\"match_phrase\":{\"event.code\":\"4738\"}},{\"match_phrase\":{\"event.code\":\"4740\"}},{\"match_phrase\":{\"event.code\":\"4767\"}},{\"match_phrase\":{\"event.code\":\"4781\"}},{\"match_phrase\":{\"event.code\":\"4798\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "User management Details - Search [Windows System Security]", - "version": 1 - }, - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/search/system-62439dc0-f9c9-11e6-a747-6121780e0414.json b/packages/system/0.11.0/kibana/search/system-62439dc0-f9c9-11e6-a747-6121780e0414.json deleted file mode 100644 index abdd218801..0000000000 --- a/packages/system/0.11.0/kibana/search/system-62439dc0-f9c9-11e6-a747-6121780e0414.json +++ /dev/null @@ -1,33 +0,0 @@ -{ - "attributes": { - "columns": [ - "system.auth.ssh.event", - "system.auth.ssh.method", - "user.name", - "source.ip", - "source.geo.country_iso_code" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:system.auth AND system.auth.ssh.event:*\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "SSH login attempts [Logs System]", - "version": 1 - }, - "id": "system-62439dc0-f9c9-11e6-a747-6121780e0414", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/search/system-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3.json b/packages/system/0.11.0/kibana/search/system-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3.json deleted file mode 100644 index 7da0171a43..0000000000 --- a/packages/system/0.11.0/kibana/search/system-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3.json +++ /dev/null 
@@ -1,44 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.name", - "source.domain", - "source.ip", - "winlog.logon.id", - "event.action" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4778\",\"4779\"],\"type\":\"phrases\",\"value\":\"4778, 4779\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4778\"}},{\"match_phrase\":{\"event.code\":\"4779\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Remote Interactive Connections and Disconnections [Windows System Security]", - "version": 1 - }, - "id": "windows-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/search/system-757510b0-a87f-11e9-a422-d144027429da.json b/packages/system/0.11.0/kibana/search/system-757510b0-a87f-11e9-a422-d144027429da.json deleted file mode 100644 index 1bd6621baa..0000000000 --- a/packages/system/0.11.0/kibana/search/system-757510b0-a87f-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,51 +0,0 @@ -{ - "attributes": { - "columns": [ - "event.action", - "user.name", - "related.user", - "user.domain", - "source.domain", - "source.ip", - "winlog.event_data.SubjectUserName" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4625\",\"4740\"],\"type\":\"phrases\",\"value\":\"4625, 4740\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4625\"}},{\"match_phrase\":{\"event.code\":\"4740\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "3. 
Login Failed Details", - "version": 1 - }, - "id": "windows-757510b0-a87f-11e9-a422-d144027429da", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/search/system-7e178c80-fee1-11e9-8405-516218e3d268.json b/packages/system/0.11.0/kibana/search/system-7e178c80-fee1-11e9-8405-516218e3d268.json deleted file mode 100644 index 6b0a39627c..0000000000 --- a/packages/system/0.11.0/kibana/search/system-7e178c80-fee1-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,44 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.name", - "source.domain", - "source.ip", - "winlog.logon.id", - "winlog.logon.type" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4624\"],\"type\":\"phrases\",\"value\":\"4624\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4624\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Logon Details [Windows System Security]", - "version": 1 - }, - "id": "windows-7e178c80-fee1-11e9-8405-516218e3d268", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/search/system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab.json b/packages/system/0.11.0/kibana/search/system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab.json deleted file mode 100644 index ae1484339a..0000000000 --- a/packages/system/0.11.0/kibana/search/system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.name", - "user.id", - "group.id", - "system.auth.useradd.home", - "system.auth.useradd.shell" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.useradd:*\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "useradd logs [Logs System]", - "version": 1 - }, - "id": "system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/search/system-9066d5b0-fef2-11e9-8405-516218e3d268.json b/packages/system/0.11.0/kibana/search/system-9066d5b0-fef2-11e9-8405-516218e3d268.json deleted file mode 100644 index daa2105b0b..0000000000 --- a/packages/system/0.11.0/kibana/search/system-9066d5b0-fef2-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,45 +0,0 @@ -{ - "attributes": { - "columns": [ - "event.action", - "group.name", - "group.domain", - "user.name", - "user.domain", - "host.name" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4731\",\"4732\",\"4733\",\"4734\",\"4735\",\"4737\",\"4764\",\"4727\",\"4728\",\"4729\",\"4730\",\"4754\",\"4755\",\"4756\",\"4757\",\"4758\",\"4799\",\"4749\",\"4750\",\"4751\",\"4752\",\"4753\",\"4759\",\"4760\",\"4761\",\"4762\",\"4763\",\"4744\",\"4745\",\"4746\",\"4748\"],\"type\":\"phrases\",\"value\":\"4731, 4732, 4733, 4734, 4735, 4737, 4764, 4727, 4728, 4729, 4730, 4754, 4755, 4756, 4757, 4758, 4799, 4749, 4750, 4751, 4752, 4753, 4759, 4760, 4761, 4762, 4763, 4744, 4745, 4746, 4748\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4731\"}},{\"match_phrase\":{\"event.code\":\"4732\"}},{\"match_phrase\":{\"event.code\":\"4733\"}},{\"match_phrase\":{\"event.code\":\"4734\"}},{\"match_phrase\":{\"event.code\":\"4735\"}},{\"match_phrase\":{\"event.code\":\"4737\"}},{\"match_phrase\":{\"event.code\":\"4764\"}},{\"match_phrase\":{\"event.code\":\"4727\"}},{\"match_phrase\":{\"event.code\":\"4728\"}},{\"match_phrase\":{\"event.code\":\"4729\"}},{\"match_phrase\":{\"event.code\":\"4730\"}},{\"match_phrase\":{\"event.code\":\"4754\"}},{\"match_phrase\":{\"event.code\":\"4755\"}},{\"match_phrase\":{\"event.code\":\"4756\"}},{\"match_phrase\":{\"event.code\":\"4757\"}},{\"match_phrase\":{\"event.code\":\"4758\"}},{\"match_phrase\":{\"event.code\":\"4799\"}},{\"match_phrase\":{\"event.code\":\"4749\"}},{\"match_phrase\":{\"event.code\":\"4750\"}},{\"match_phrase\":{\"event.code\":\"4751\"}},{\"match_phrase\":{\"event.code\":\"4752\"}},{\"match_phrase\":{\"even
t.code\":\"4753\"}},{\"match_phrase\":{\"event.code\":\"4759\"}},{\"match_phrase\":{\"event.code\":\"4760\"}},{\"match_phrase\":{\"event.code\":\"4761\"}},{\"match_phrase\":{\"event.code\":\"4762\"}},{\"match_phrase\":{\"event.code\":\"4763\"}},{\"match_phrase\":{\"event.code\":\"4744\"}},{\"match_phrase\":{\"event.code\":\"4745\"}},{\"match_phrase\":{\"event.code\":\"4746\"}},{\"match_phrase\":{\"event.code\":\"4748\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Group Management Details - Search View [Windows System Security]", - "version": 1 - }, - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/search/system-Syslog-system-logs.json b/packages/system/0.11.0/kibana/search/system-Syslog-system-logs.json deleted file mode 100644 index 6a2ef982d2..0000000000 --- a/packages/system/0.11.0/kibana/search/system-Syslog-system-logs.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "columns": [ - "host.hostname", - "process.name", - "message" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:system.syslog\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Syslog logs [Logs System]", - "version": 1 - }, - "id": "system-Syslog-system-logs", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/search/system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a.json b/packages/system/0.11.0/kibana/search/system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a.json deleted file mode 100644 index e64a483853..0000000000 --- a/packages/system/0.11.0/kibana/search/system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.name", - "system.auth.sudo.user", - "system.auth.sudo.pwd", - "system.auth.sudo.command" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.sudo:*\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Sudo commands [Logs System]", - "version": 1 - }, - "id": "system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/search/system-ce71c9a0-a25e-11e9-a422-d144027429da.json b/packages/system/0.11.0/kibana/search/system-ce71c9a0-a25e-11e9-a422-d144027429da.json deleted file mode 100644 index 71bb7ef90e..0000000000 --- a/packages/system/0.11.0/kibana/search/system-ce71c9a0-a25e-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,44 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.name", - "winlog.logon.type", - "source.domain", - "source.ip", - "winlog.logon.id" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4624\"},\"type\":\"phrase\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4624\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "User Logons [Windows System Security]", - "version": 1 - }, - "id": "windows-ce71c9a0-a25e-11e9-a422-d144027429da", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/search/system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38.json b/packages/system/0.11.0/kibana/search/system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38.json deleted file mode 100644 index e05ac92d9b..0000000000 --- a/packages/system/0.11.0/kibana/search/system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "columns": [ - "group.name", - "group.id" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.groupadd:*\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "groupadd logs [Logs System]", - "version": 1 - }, - "id": "system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-006d75f0-9c03-11ea-87e4-49f31ec44891.json b/packages/system/0.11.0/kibana/visualization/system-006d75f0-9c03-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 990831f624..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-006d75f0-9c03-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4624\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"4624\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Logon Types [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"winlog.logon.id\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"winlog.logon.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"label\":\"user.name: Descending\",\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"cardinality\",\"format\":{\"id\":\"number\"},\"label\":\"Unique count of winlog.logon.id\",\"params\":{}}},\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Logon Types [Windows System Security]\",\"type\":\"pie\"}" - }, - "id": 
"windows-006d75f0-9c03-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.11.0/kibana/visualization/system-0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index be217ccae6..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4722\"},\"type\":\"phrase\",\"value\":\"4722\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4722\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security \"}}" - }, - "title": "Users Enabled - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Enabled User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Enabled - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-0622da40-9bfd-11ea-87e4-49f31ec44891.json b/packages/system/0.11.0/kibana/visualization/system-0622da40-9bfd-11ea-87e4-49f31ec44891.json deleted file mode 100644 index ce6162e247..0000000000 
--- a/packages/system/0.11.0/kibana/visualization/system-0622da40-9bfd-11ea-87e4-49f31ec44891.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Administrator Logons [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"d5bcde50-9bfc-11ea-aaa3-618beeff2d9c\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(181,49,0,1)\",\"id\":\"16018150-9bfd-11ea-aaa3-618beeff2d9c\",\"operator\":\"gte\",\"value\":0}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"filter\":{\"language\":\"kuery\",\"query\":\"((data_stream.dataset:windows.security OR data_stream.dataset:system.security) AND event.code: \\\"4672\\\")\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Administrator Logons\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Administrator Logons [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-0622da40-9bfd-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.0/kibana/visualization/system-089b85d0-1b16-11e7-b09e-037021c4f8df.json b/packages/system/0.11.0/kibana/visualization/system-089b85d0-1b16-11e7-b09e-037021c4f8df.json deleted file mode 100644 index 40175102f6..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-089b85d0-1b16-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Network Traffic (Bytes) [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"lucene\",\"query\":\"-system.network.name:l*\"},\"id\":\"da1046f0-faa0-11e6-86b1-cd7735ff7e23\",\"index_pattern\":\"*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"da1046f1-faa0-11e6-86b1-cd7735ff7e23\",\"label\":\"Inbound \",\"line_width\":\"0\",\"metrics\":[{\"field\":\"system.network.in.bytes\",\"id\":\"da1046f2-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"max\"},{\"field\":\"da1046f2-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"f41f9280-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"field\":\"f41f9280-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"a87398e0-1b93-11e7-8ada-3df93aab833e\",\"type\":\"positive_only\",\"unit\":\"\"},{\"function\":\"sum\",\"id\":\"2d533df0-2c2d-11e7-be71-3162da85303f\",\"type\":\"series_agg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(250,40,255,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"fbbd5720-faa0-11e6-86b1-cd7735ff7e23\",\"label\":\"Outbound 
\",\"line_width\":\"0\",\"metrics\":[{\"field\":\"system.network.out.bytes\",\"id\":\"fbbd7e30-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"max\"},{\"field\":\"fbbd7e30-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"fbbd7e31-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"id\":\"17e597a0-faa1-11e6-86b1-cd7735ff7e23\",\"script\":\"params.rate != null \\u0026\\u0026 params.rate \\u003e 0 ? params.rate * -1 : null\",\"type\":\"calculation\",\"variables\":[{\"field\":\"fbbd7e31-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"1940bad0-faa1-11e6-86b1-cd7735ff7e23\",\"name\":\"rate\"}]},{\"function\":\"sum\",\"id\":\"533da9b0-2c2d-11e7-be71-3162da85303f\",\"type\":\"series_agg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"Mericbeat: Network Traffic (Bytes)\",\"type\":\"metrics\"}" - }, - "id": "system-089b85d0-1b16-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-0cb2d940-bcde-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.11.0/kibana/visualization/system-0cb2d940-bcde-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 5976994a0e..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-0cb2d940-bcde-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4725\"},\"type\":\"phrase\",\"value\":\"4725\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4725\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Disabled - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Disabled Users\",\"field\":\"user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Disabled - Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-0cb2d940-bcde-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - 
], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-0f2f5280-feeb-11e9-8405-516218e3d268.json b/packages/system/0.11.0/kibana/visualization/system-0f2f5280-feeb-11e9-8405-516218e3d268.json deleted file mode 100644 index 4f9e00daa9..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-0f2f5280-feeb-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4799\"},\"type\":\"phrase\",\"value\":\"4799\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4799\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Group Membership Enumeration - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Group Membership Enumerated\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Blues\",\"colorsRange\":[{\"from\":0,\"to\":500,\"type\":\"range\"},{\"from\":500,\"to\":20000},{\"from\":20000,\"to\":30000},{\"from\":30000,\"to\":40000}],\"invertColors\":true,\"labels\":{\"show\":true},\"metricColorMode\":\"Labels\",\"percentageMode\":false,\"style\":{\"bgColor\":true,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Group Membership Enumeration - Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-0f2f5280-feeb-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-102efd20-bcdd-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.11.0/kibana/visualization/system-102efd20-bcdd-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 72d6ab928a..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-102efd20-bcdd-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4720\"},\"type\":\"phrase\",\"value\":\"4720\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4720\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Created - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Users Created\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Created - Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-102efd20-bcdd-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ 
No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-117f5a30-9b71-11ea-87e4-49f31ec44891.json b/packages/system/0.11.0/kibana/visualization/system-117f5a30-9b71-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 81a2dbc572..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-117f5a30-9b71-11ea-87e4-49f31ec44891.json +++ /dev/null @@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Target Users [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Target Users [Windows System Security]\",\"type\":\"tagcloud\"}" - }, - "id": "windows-117f5a30-9b71-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-12667040-fa80-11e6-a1df-a78bd7504d38.json b/packages/system/0.11.0/kibana/visualization/system-12667040-fa80-11e6-a1df-a78bd7504d38.json deleted file mode 100644 index 8c5d8b0366..0000000000 
--- a/packages/system/0.11.0/kibana/visualization/system-12667040-fa80-11e6-a1df-a78bd7504d38.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New groups [Logs System]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"group.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"group.id\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"New groups\",\"type\":\"table\"}" - }, - "id": "system-12667040-fa80-11e6-a1df-a78bd7504d38", - "references": [ - { - "id": "system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-162d7ab0-a7d6-11e9-a422-d144027429da.json b/packages/system/0.11.0/kibana/visualization/system-162d7ab0-a7d6-11e9-a422-d144027429da.json deleted file mode 100644 index af34020d93..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-162d7ab0-a7d6-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Logon Successful - Logon Failed Timeline [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Login Failed\":\"#F9934E\",\"Login OK\":\"#9AC48A\",\"Logon Failed\":\"#EF843C\",\"Logon Successful\":\"#9AC48A\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"2020-05-17T09:37:55.995Z\",\"to\":\"2020-05-22T03:09:27.260Z\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"filters\":[{\"input\":{\"language\":\"lucene\",\"query\":\"event.code: 4624\"},\"label\":\"Logon Successful\"},{\"input\":{\"language\":\"lucene\",\"query\":\"event.code: 4625\"},\"label\":\"Logon 
Failed\"}]},\"schema\":\"group\",\"type\":\"filters\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"dimensions\":{\"series\":[{\"accessor\":1,\"aggType\":\"filters\",\"format\":{},\"params\":{}}],\"x\":{\"accessor\":0,\"aggType\":\"date_histogram\",\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"HH:mm\"}},\"params\":{\"bounds\":{\"max\":\"2019-07-16T14:30:11.515Z\",\"min\":\"2019-07-16T12:30:11.514Z\"},\"date\":true,\"format\":\"HH:mm\",\"interval\":\"PT1M\"}},\"y\":[{\"accessor\":2,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"bottom\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Logon Successful - Logon Failed Timeline [Windows System Security]\",\"type\":\"histogram\"}" - }, - "id": "windows-162d7ab0-a7d6-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-175a5760-a7d5-11e9-a422-d144027429da.json b/packages/system/0.11.0/kibana/visualization/system-175a5760-a7d5-11e9-a422-d144027429da.json deleted file mode 100644 index f297060faf..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-175a5760-a7d5-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Logon Successful vs Failed [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Failed Logins\":\"#EF843C\",\"Failed Logons\":\"#EA6460\",\"Successful Login\":\"#B7DBAB\",\"Successful Logon\":\"#B7DBAB\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"filters\":[{\"input\":{\"language\":\"lucene\",\"query\":\"event.code: 4624\"},\"label\":\"Successful Logon\"},{\"input\":{\"language\":\"lucene\",\"query\":\"event.code: 4625\"},\"label\":\"Failed Logons\"}]},\"schema\":\"segment\",\"type\":\"filters\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"filters\",\"format\":{},\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}},\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"bottom\",\"type\":\"pie\"},\"title\":\"Logon Successful vs Failed [Windows System Security]\",\"type\":\"pie\"}" - }, - "id": "windows-175a5760-a7d5-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ 
- "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-18348f30-a24d-11e9-a422-d144027429da.json b/packages/system/0.11.0/kibana/visualization/system-18348f30-a24d-11e9-a422-d144027429da.json deleted file mode 100644 index ed999cad48..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-18348f30-a24d-11e9-a422-d144027429da.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "User Logon Dashboard [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":10,\"markdown\":\"## **Logon Information Dashboard**\",\"openLinksInNewTab\":false},\"title\":\"User Logon Dashboard [Windows System Security]\",\"type\":\"markdown\"}" - }, - "id": "windows-18348f30-a24d-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-19e123b0-4d5a-11e7-aee5-fdc812cc3bec.json b/packages/system/0.11.0/kibana/visualization/system-19e123b0-4d5a-11e7-aee5-fdc812cc3bec.json deleted file mode 100644 index dfaa630e4a..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-19e123b0-4d5a-11e7-aee5-fdc812cc3bec.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Swap usage [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.memory\\\"\"},\"gauge_color_rules\":[{\"gauge\":\"rgba(104,188,0,1)\",\"id\":\"d17c1e90-4d59-11e7-aee5-fdc812cc3bec\",\"operator\":\"gte\",\"value\":0},{\"gauge\":\"rgba(251,158,0,1)\",\"id\":\"fc1d3490-4d59-11e7-aee5-fdc812cc3bec\",\"operator\":\"gte\",\"value\":0.7},{\"gauge\":\"rgba(211,49,21,1)\",\"id\":\"0e204240-4d5a-11e7-aee5-fdc812cc3bec\",\"operator\":\"gte\",\"value\":0.85}],\"gauge_inner_width\":10,\"gauge_max\":\"\",\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"cee2fd20-4d59-11e7-aee5-fdc812cc3bec\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"cee2fd21-4d59-11e7-aee5-fdc812cc3bec\",\"label\":\"Swap usage\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.swap.used.pct\",\"id\":\"cee2fd22-4d59-11e7-aee5-fdc812cc3bec\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\"},\"title\":\"Swap usage [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-19e123b0-4d5a-11e7-aee5-fdc812cc3bec", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.0/kibana/visualization/system-1aae9140-1b93-11e7-8ada-3df93aab833e.json b/packages/system/0.11.0/kibana/visualization/system-1aae9140-1b93-11e7-8ada-3df93aab833e.json deleted file mode 100644 index 1c420ec4c8..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-1aae9140-1b93-11e7-8ada-3df93aab833e.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Outbound Traffic [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"0e346760-1b92-11e7-bec4-a5e9ec5cab8b\"}],\"filter\":{\"language\":\"lucene\",\"query\":\"-system.network.name:l*\"},\"id\":\"0c761590-1b92-11e7-bec4-a5e9ec5cab8b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"0c761591-1b92-11e7-bec4-a5e9ec5cab8b\",\"label\":\"Outbound Traffic\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.out.bytes\",\"id\":\"0c761592-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"max\"},{\"field\":\"0c761592-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"1d659060-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"field\":\"1d659060-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"f2074f70-1b92-11e7-a416-41f5ccdba2e6\",\"type\":\"positive_only\",\"unit\":\"\"},{\"function\":\"sum\",\"id\":\"a1737470-2c55-11e7-a0ad-277ce466684d\",\"type\":\"series_agg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"37f70440-1b92-11e7-bec4-a5e9ec5cab8b\",\"label\":\"Total 
Transferred\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.out.bytes\",\"id\":\"37f72b50-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"max\"},{\"field\":\"37f72b50-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"37f72b51-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"derivative\",\"unit\":\"\"},{\"field\":\"37f72b51-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"f9da2dd0-1b92-11e7-a416-41f5ccdba2e6\",\"type\":\"positive_only\",\"unit\":\"\"},{\"field\":\"f9da2dd0-1b92-11e7-a416-41f5ccdba2e6\",\"function\":\"overall_sum\",\"id\":\"3e63c2f0-1b92-11e7-bec4-a5e9ec5cab8b\",\"sigma\":\"\",\"type\":\"series_agg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"metric\"},\"title\":\"Outbound Traffic [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-1aae9140-1b93-11e7-8ada-3df93aab833e", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-1b5f17d0-feea-11e9-8405-516218e3d268.json b/packages/system/0.11.0/kibana/visualization/system-1b5f17d0-feea-11e9-8405-516218e3d268.json deleted file mode 100644 index 25769759b6..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-1b5f17d0-feea-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4733\",\"4729\",\"4757\",\"4786\",\"4788\",\"4752\",\"4762\",\"4747\"],\"type\":\"phrases\",\"value\":\"4733, 4729, 4757, 4786, 4788, 4752, 4762, 4747\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4733\"}},{\"match_phrase\":{\"event.code\":\"4729\"}},{\"match_phrase\":{\"event.code\":\"4757\"}},{\"match_phrase\":{\"event.code\":\"4786\"}},{\"match_phrase\":{\"event.code\":\"4788\"}},{\"match_phrase\":{\"event.code\":\"4752\"}},{\"match_phrase\":{\"event.code\":\"4762\"}},{\"match_phrase\":{\"event.code\":\"4747\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Removed from Group - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Users Removed from 
Groups\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Greens\",\"colorsRange\":[{\"from\":0,\"to\":1,\"type\":\"range\"},{\"from\":1,\"to\":5},{\"from\":5,\"to\":9},{\"from\":9,\"to\":13},{\"from\":13,\"to\":17},{\"from\":17,\"to\":20000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"Labels\",\"percentageMode\":false,\"style\":{\"bgColor\":true,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Removed from Group - Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-1b5f17d0-feea-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-1b6725f0-ff1d-11e9-8405-516218e3d268.json b/packages/system/0.11.0/kibana/visualization/system-1b6725f0-ff1d-11e9-8405-516218e3d268.json deleted file mode 100644 index 8e66316843..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-1b6725f0-ff1d-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Unlocks - TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(116,167,167,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4767\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Unlocks\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Unlocks - TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-1b6725f0-ff1d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.0/kibana/visualization/system-1f271bc0-231a-11ea-8405-516218e3d268.json b/packages/system/0.11.0/kibana/visualization/system-1f271bc0-231a-11ea-8405-516218e3d268.json deleted file mode 100644 index 484d0a4e46..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-1f271bc0-231a-11ea-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Renamed TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(110,139,162,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4781\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Renamed\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Renamed TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-1f271bc0-231a-11ea-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.0/kibana/visualization/system-2084e300-a884-11e9-a422-d144027429da.json b/packages/system/0.11.0/kibana/visualization/system-2084e300-a884-11e9-a422-d144027429da.json deleted file mode 100644 index a9120ab5fe..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-2084e300-a884-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4625\"},\"type\":\"phrase\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4625\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Logon Failed Source IP [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"type\":\"vis_dimension\"},\"maxFontSize\":38,\"metric\":{\"accessor\":1,\"format\":{\"id\":\"string\",\"params\":{}},\"type\":\"vis_dimension\"},\"minFontSize\":10,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Logon Failed Source IP [Windows System Security]\",\"type\":\"tagcloud\"}" - }, - "id": "windows-2084e300-a884-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-21aadac0-9c0b-11ea-87e4-49f31ec44891.json b/packages/system/0.11.0/kibana/visualization/system-21aadac0-9c0b-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 856a3b952b..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-21aadac0-9c0b-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security \"}}" - }, - "savedSearchRefName": "search_0", - "title": "Logon Sources [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Logon Sources [Windows System Security]\",\"type\":\"tagcloud\"}" - }, - "id": "windows-21aadac0-9c0b-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-7e178c80-fee1-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-25f31ee0-9c23-11ea-87e4-49f31ec44891.json b/packages/system/0.11.0/kibana/visualization/system-25f31ee0-9c23-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 1a69934c0e..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-25f31ee0-9c23-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4648\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"4648\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Logon with Explicit Credentials [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"user.name\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":200},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"subjectUserName\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"source.ip\",\"field\":\"source.ip\",\"json\":\"{\\\"missing\\\": 
\\\"::\\\"}\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Logon with Explicit Credentials [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-25f31ee0-9c23-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-26732e20-1b91-11e7-bec4-a5e9ec5cab8b.json b/packages/system/0.11.0/kibana/visualization/system-26732e20-1b91-11e7-bec4-a5e9ec5cab8b.json deleted file mode 100644 index 2ca5154a30..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-26732e20-1b91-11e7-bec4-a5e9ec5cab8b.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Load Gauge [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"feefabd0-1b90-11e7-bec4-a5e9ec5cab8b\"}],\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.load\\\" \"},\"gauge_color_rules\":[{\"id\":\"ffd94880-1b90-11e7-bec4-a5e9ec5cab8b\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"fdcc6180-1b90-11e7-bec4-a5e9ec5cab8b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"fdcc6181-1b90-11e7-bec4-a5e9ec5cab8b\",\"label\":\"5m Load\",\"line_width\":1,\"metrics\":[{\"field\":\"system.load.5\",\"id\":\"fdcc6182-1b90-11e7-bec4-a5e9ec5cab8b\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\"},\"title\":\"Load Gauge [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-26732e20-1b91-11e7-bec4-a5e9ec5cab8b", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-26877510-9b72-11ea-87e4-49f31ec44891.json b/packages/system/0.11.0/kibana/visualization/system-26877510-9b72-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 5f69654d68..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-26877510-9b72-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "User Management Actions [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"User Management Actions [Windows System Security]\",\"type\":\"pie\"}" - }, - "id": "windows-26877510-9b72-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-2c71e0f0-9c0d-11ea-87e4-49f31ec44891.json b/packages/system/0.11.0/kibana/visualization/system-2c71e0f0-9c0d-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 642657604a..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-2c71e0f0-9c0d-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4624\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"4624\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Logons Simple [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Logons\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"aggType\":\"cardinality\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Logons Simple [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-2c71e0f0-9c0d-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.0/kibana/visualization/system-2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.11.0/kibana/visualization/system-2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 1665d338ef..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "User Management Events - Description [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":10,\"markdown\":\"# **User Management Events**\\n\\n#### This dashboard shows information about User Management Events collected by winlogbeat\\n\",\"openLinksInNewTab\":false},\"title\":\"User Management Events - Description [Windows System Security]\",\"type\":\"markdown\"}" - }, - "id": "windows-2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-2e224660-1b19-11e7-b09e-037021c4f8df.json b/packages/system/0.11.0/kibana/visualization/system-2e224660-1b19-11e7-b09e-037021c4f8df.json deleted file mode 100644 index 75186de954..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-2e224660-1b19-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Processes By Memory [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"bar_color\":\"rgba(104,188,0,1)\",\"id\":\"efb9b660-1b18-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0},{\"bar_color\":\"rgba(254,146,0,1)\",\"id\":\"17fcb820-1b19-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.7},{\"bar_color\":\"rgba(211,49,21,1)\",\"id\":\"1dd61070-1b19-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.85}],\"drilldown_url\":\"\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.process\\\" \"},\"id\":\"edfceb30-1b18-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"edfceb31-1b18-11e7-b09e-037021c4f8df\",\"line_width\":1,\"metrics\":[{\"field\":\"system.process.memory.rss.pct\",\"id\":\"edfceb32-1b18-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"process.name\",\"terms_order_by\":\"edfceb32-1b18-11e7-b09e-037021c4f8df\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Processes By Memory [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-2e224660-1b19-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.0/kibana/visualization/system-327417e0-8462-11e7-bab8-bd2f0fb42c54.json b/packages/system/0.11.0/kibana/visualization/system-327417e0-8462-11e7-bab8-bd2f0fb42c54.json deleted file mode 100644 index 464f6c729c..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-327417e0-8462-11e7-bab8-bd2f0fb42c54.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Dashboards [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"[Syslog](#/dashboard/system-Filebeat-syslog-dashboard) | [Sudo commands](#/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a) | [SSH logins](#/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a) | [New users and groups](#/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab)\"},\"title\":\"Dashboards [Logs System]\",\"type\":\"markdown\"}" - }, - "id": "system-327417e0-8462-11e7-bab8-bd2f0fb42c54", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-33462600-9b47-11ea-87e4-49f31ec44891.json b/packages/system/0.11.0/kibana/visualization/system-33462600-9b47-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 38ebd23ecd..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-33462600-9b47-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Group Management Events - Event Actions - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"event.action\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"event.code\",\"field\":\"event.code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Group Management Events - Event Actions - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-33462600-9b47-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.0/kibana/visualization/system-341ffe70-f9ce-11e6-8115-a7c18106d86a.json b/packages/system/0.11.0/kibana/visualization/system-341ffe70-f9ce-11e6-8115-a7c18106d86a.json deleted file mode 100644 index f155739938..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-341ffe70-f9ce-11e6-8115-a7c18106d86a.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.ssh.event:Failed OR system.auth.ssh.event:Invalid\"}}" - }, - "title": "SSH users of failed login attempts [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"scale\":\"linear\"},\"title\":\"SSH users of failed login attempts\",\"type\":\"tagcloud\"}" - }, - "id": "system-341ffe70-f9ce-11e6-8115-a7c18106d86a", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-346bb290-fa80-11e6-a1df-a78bd7504d38.json b/packages/system/0.11.0/kibana/visualization/system-346bb290-fa80-11e6-a1df-a78bd7504d38.json deleted file mode 100644 index 0ad2f78f65..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-346bb290-fa80-11e6-a1df-a78bd7504d38.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New groups over time [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"group.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"bottom\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"New groups over time\",\"type\":\"histogram\"}" - }, - "id": "system-346bb290-fa80-11e6-a1df-a78bd7504d38", - "references": [ - { - "id": "system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-34f97ee0-1b96-11e7-8ada-3df93aab833e.json b/packages/system/0.11.0/kibana/visualization/system-34f97ee0-1b96-11e7-8ada-3df93aab833e.json deleted file mode 100644 index 89d9b0fae2..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-34f97ee0-1b96-11e7-8ada-3df93aab833e.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Disk Usage [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"bar_color_rules\":[{\"bar_color\":\"rgba(104,188,0,1)\",\"id\":\"bf525310-1b95-11e7-8ada-3df93aab833e\",\"operator\":\"gte\",\"value\":0},{\"bar_color\":\"rgba(254,146,0,1)\",\"id\":\"125fc4c0-1b96-11e7-8ada-3df93aab833e\",\"operator\":\"gte\",\"value\":0.7},{\"bar_color\":\"rgba(211,49,21,1)\",\"id\":\"1a5c7240-1b96-11e7-8ada-3df93aab833e\",\"operator\":\"gte\",\"value\":0.85}],\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"drilldown_url\":\"\",\"filter\":{\"language\":\"lucene\",\"query\":\"-system.filesystem.mount_point:\\\\/run* AND -system.filesystem.mount_point:\\\\/sys* AND -system.filesystem.mount_point:\\\\/dev* AND -system.filesystem.mount_point:\\\\/proc* AND -system.filesystem.mount_point:\\\\/var* AND 
-system.filesystem.mount_point:\\\\/boot\"},\"id\":\"9f7e48a0-1b95-11e7-8ada-3df93aab833e\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"9f7e48a1-1b95-11e7-8ada-3df93aab833e\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"system.filesystem.used.pct\",\"id\":\"9f7e48a2-1b95-11e7-8ada-3df93aab833e\",\"order\":\"desc\",\"order_by\":\"@timestamp\",\"size\":1,\"type\":\"top_hit\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.filesystem.mount_point\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"top_n\"},\"title\":\"Disk Usage [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-34f97ee0-1b96-11e7-8ada-3df93aab833e", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-3cec3eb0-f9d3-11e6-8a3e-2b904044ea1d.json b/packages/system/0.11.0/kibana/visualization/system-3cec3eb0-f9d3-11e6-8a3e-2b904044ea1d.json deleted file mode 100644 index c9e1455d68..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-3cec3eb0-f9d3-11e6-8a3e-2b904044ea1d.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.ssh.event:Failed OR system.auth.ssh.event:Invalid\"}}" - }, - "title": "SSH failed login attempts source locations [Logs System]", - "uiStateJSON": "{\"mapCenter\":[17.602139123350838,69.697265625],\"mapZoom\":2}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"autoPrecision\":true,\"field\":\"source.geo.location\",\"precision\":2},\"schema\":\"segment\",\"type\":\"geohash_grid\"}],\"listeners\":{},\"params\":{\"addTooltip\":true,\"heatBlur\":15,\"heatMaxZoom\":16,\"heatMinOpacity\":0.1,\"heatNormalizeData\":true,\"heatRadius\":25,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[15,5],\"mapType\":\"Shaded Circle Markers\",\"mapZoom\":2,\"wms\":{\"enabled\":false,\"options\":{\"attribution\":\"Maps provided by USGS\",\"format\":\"image/png\",\"layers\":\"0\",\"styles\":\"\",\"transparent\":true,\"version\":\"1.3.0\"},\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\"}},\"title\":\"SSH failed login attempts source locations\",\"type\":\"tile_map\"}" - }, - "id": "system-3cec3eb0-f9d3-11e6-8a3e-2b904044ea1d", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-3d65d450-a9c3-11e7-af20-67db8aecb295.json b/packages/system/0.11.0/kibana/visualization/system-3d65d450-a9c3-11e7-af20-67db8aecb295.json deleted file mode 100644 index 467738abc7..0000000000 
--- a/packages/system/0.11.0/kibana/visualization/system-3d65d450-a9c3-11e7-af20-67db8aecb295.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Tip [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"**TIP:** To select another host, go to the [System Overview](#/dashboard/system-Metrics-system-overview) dashboard and double-click a host name.\"},\"title\":\"Tip [Metrics System]\",\"type\":\"markdown\"}" - }, - "id": "system-3d65d450-a9c3-11e7-af20-67db8aecb295", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-400b63e0-f49a-11e9-8405-516218e3d268.json b/packages/system/0.11.0/kibana/visualization/system-400b63e0-f49a-11e9-8405-516218e3d268.json deleted file mode 100644 index bb1b70ae03..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-400b63e0-f49a-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Groups Changed TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(200,201,197,1)\",\"id\":\"bfcaced0-f419-11e9-928e-8f5fd2b6c66e\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(221,186,64,1)\",\"id\":\"a7d935e0-f497-11e9-928e-8f5fd2b6c66e\",\"operator\":\"gt\",\"value\":0}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code:4735 OR event.code:4737 OR event.code:\\\"4755\\\" OR event.code:\\\"4764\\\" OR event.code:\\\"4750\\\" OR event.code:\\\"4760\\\" OR event.code:\\\"4745\\\" OR event.code:\\\"4784\\\" OR event.code:\\\"4791\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"60d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Groups Changed\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Groups Changed TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-400b63e0-f49a-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.0/kibana/visualization/system-421f0610-af98-11e9-a422-d144027429da.json b/packages/system/0.11.0/kibana/visualization/system-421f0610-af98-11e9-a422-d144027429da.json deleted file mode 100644 index 4a1aa9d3c1..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-421f0610-af98-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4625\"},\"type\":\"phrase\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4625\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Logon Failed Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Time 
Bucket\",\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"h\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"2020-05-17T09:37:55.995Z\",\"to\":\"2020-05-22T03:09:27.260Z\"},\"useNormalizedEsInterval\":true},\"schema\":\"bucket\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"user.name\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"source workstation\",\"field\":\"source.domain\",\"json\":\"{\\\"missing\\\": \\\"N/A\\\"}\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"source.ip\",\"field\":\"source.ip\",\"json\":\"{\\\"missing\\\": 
\\\"::\\\"}\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"event.action\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"winlog.logon.type\",\"field\":\"winlog.logon.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"8\",\"params\":{\"customLabel\":\"winlog.event_data.SubjectUserName\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"date_histogram\",\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD 
HH:mm\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":4,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":5,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":15,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Logon Failed Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-421f0610-af98-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.11.0/kibana/visualization/system-4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 17ebedc7ae..0000000000 
--- a/packages/system/0.11.0/kibana/visualization/system-4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4740\"},\"type\":\"phrase\",\"value\":\"4740\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4740\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Locked Out - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Locked User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Locked Out - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-4b683ac0-a7d7-11e9-a422-d144027429da.json b/packages/system/0.11.0/kibana/visualization/system-4b683ac0-a7d7-11e9-a422-d144027429da.json deleted file mode 100644 index b23bd8e0c2..0000000000 
--- a/packages/system/0.11.0/kibana/visualization/system-4b683ac0-a7d7-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4625\"],\"type\":\"phrases\",\"value\":\"4625\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4625\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Failed Logon HeatMap [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 4\":\"rgb(255,255,204)\",\"12 - 16\":\"rgb(252,91,46)\",\"16 - 20\":\"rgb(212,16,32)\",\"4 - 8\":\"rgb(254,225,135)\",\"8 - 12\":\"rgb(254,171,73)\"}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"drop_partials\":true,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"h\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"2020-05-17T09:37:55.995Z\",\"to\":\"2020-05-22T03:09:27.260Z\"},\"useNormalizedEsInterval\":true},\"schema\":\"group\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTooltip\":false,\"colorSchema\":\"Yellow to Red\",\"colorsNumber\":5,\"colorsRange\":[],\"dimensions\":{\"series\":[{\"accessor\":1,\"aggType\":\"date_histogram\",\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD HH:mm\"}},\"label\":\"@timestamp per hour\",\"params\":{}}],\"x\":{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"label\":\"user.name: Descending\",\"params\":{}},\"y\":[{\"accessor\":2,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}}]},\"enableHover\":true,\"invertColors\":false,\"legendPosition\":\"bottom\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"type\":\"heatmap\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"black\",\"overwriteColor\":false,\"rotate\":0,\"show\":true},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Failed Logon HeatMap [Windows System Security]\",\"type\":\"heatmap\"}" - }, - "id": 
"windows-4b683ac0-a7d7-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-4bedf650-9ffd-11ea-87e4-49f31ec44891.json b/packages/system/0.11.0/kibana/visualization/system-4bedf650-9ffd-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 87a436f81d..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-4bedf650-9ffd-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4625\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"4625\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": " Failed Logons [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Failed Logons\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\" Failed Logons [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-4bedf650-9ffd-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": 
"index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-4d546850-1b15-11e7-b09e-037021c4f8df.json b/packages/system/0.11.0/kibana/visualization/system-4d546850-1b15-11e7-b09e-037021c4f8df.json deleted file mode 100644 index cd04472792..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-4d546850-1b15-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "System Load [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.load\\\"\"},\"id\":\"f6264ad0-1b14-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(115,216,255,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"f62671e0-1b14-11e7-b09e-037021c4f8df\",\"label\":\"1m\",\"line_width\":\"3\",\"metrics\":[{\"field\":\"system.load.1\",\"id\":\"f62671e1-1b14-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"1c324850-1b15-11e7-b09e-037021c4f8df\",\"label\":\"5m\",\"line_width\":\"3\",\"metrics\":[{\"field\":\"system.load.5\",\"id\":\"1c324851-1b15-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,98,177,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"3287e740-1b15-11e7-b09e-037021c4f8df\",\"label\":\"15m\",\"line_width\":\"3\",\"metrics\":[{\"field\":\"system.load.15\",\"id\":\"32880e50-1b15-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"
title\":\"System Load [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-4d546850-1b15-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-4e4bb1e0-1b1b-11e7-b09e-037021c4f8df.json b/packages/system/0.11.0/kibana/visualization/system-4e4bb1e0-1b1b-11e7-b09e-037021c4f8df.json deleted file mode 100644 index 4bdb84e270..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-4e4bb1e0-1b1b-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Disk IO (Bytes) [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.diskio\\\"\"},\"id\":\"d3c67db0-1b1a-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(22,165,165,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"d3c67db1-1b1a-11e7-b09e-037021c4f8df\",\"label\":\"reads\",\"line_width\":1,\"metrics\":[{\"field\":\"system.diskio.read.bytes\",\"id\":\"d3c67db2-1b1a-11e7-b09e-037021c4f8df\",\"type\":\"max\"},{\"field\":\"d3c67db2-1b1a-11e7-b09e-037021c4f8df\",\"id\":\"f55b9910-1b1a-11e7-b09e-037021c4f8df\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"field\":\"f55b9910-1b1a-11e7-b09e-037021c4f8df\",\"id\":\"dcbbb100-1b93-11e7-8ada-3df93aab833e\",\"type\":\"positive_only\",\"unit\":\"\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"value_template\":\"{{value}}/s\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(251,158,0,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"144124d0-1b1b-11e7-b09e-037021c4f8df\",\"label\":\"writes\",\"line_width\":1,\"metrics\":[{\"field\":\"system.diskio.write.bytes\",\"id\":\"144124d1-1b1b-11e7-b09e-037021c4f8df\",\"type\":\"max\"},{\"field\":\"144124d1-1b1b-11e7-b09e-037021c4f8df\",\"id\":\"144124d2-1b1b-11e7-b09e-037021c4f8df\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"id\":\"144124d4-1b1b-11e7-b09e-037021c4f8df\",\"script\":\"params.rate \\u003e 0 ? 
params.rate * -1 : 0\",\"type\":\"calculation\",\"variables\":[{\"field\":\"144124d2-1b1b-11e7-b09e-037021c4f8df\",\"id\":\"144124d3-1b1b-11e7-b09e-037021c4f8df\",\"name\":\"rate\"}]}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"value_template\":\"{{value}}/s\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"Disk IO (Bytes) [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-4e4bb1e0-1b1b-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-51164310-fa2b-11e6-bbd3-29c986c96e5a.json b/packages/system/0.11.0/kibana/visualization/system-51164310-fa2b-11e6-bbd3-29c986c96e5a.json deleted file mode 100644 index efa1f752dd..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-51164310-fa2b-11e6-bbd3-29c986c96e5a.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.sudo.error:*\"}}" - }, - "title": "Sudo errors [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"system.auth.sudo.error\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"Sudo errors\",\"type\":\"histogram\"}" - }, - "id": "system-51164310-fa2b-11e6-bbd3-29c986c96e5a", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b.json b/packages/system/0.11.0/kibana/visualization/system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b.json deleted file mode 100644 index bd07f29ec0..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Inbound Traffic [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"0e346760-1b92-11e7-bec4-a5e9ec5cab8b\"}],\"filter\":{\"language\":\"lucene\",\"query\":\"-system.network.name:l*\"},\"id\":\"0c761590-1b92-11e7-bec4-a5e9ec5cab8b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"0c761591-1b92-11e7-bec4-a5e9ec5cab8b\",\"label\":\"Inbound Traffic\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.in.bytes\",\"id\":\"0c761592-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"max\"},{\"field\":\"0c761592-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"1d659060-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"field\":\"1d659060-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"f2074f70-1b92-11e7-a416-41f5ccdba2e6\",\"type\":\"positive_only\",\"unit\":\"\"},{\"function\":\"sum\",\"id\":\"c40e18f0-2c55-11e7-a0ad-277ce466684d\",\"type\":\"series_agg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"37f70440-1b92-11e7-bec4-a5e9ec5cab8b\",\"label\":\"Total 
Transferred\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.in.bytes\",\"id\":\"37f72b50-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"max\"},{\"field\":\"37f72b50-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"37f72b51-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"derivative\",\"unit\":\"\"},{\"field\":\"37f72b51-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"f9da2dd0-1b92-11e7-a416-41f5ccdba2e6\",\"type\":\"positive_only\",\"unit\":\"\"},{\"field\":\"f9da2dd0-1b92-11e7-a416-41f5ccdba2e6\",\"function\":\"overall_sum\",\"id\":\"3e63c2f0-1b92-11e7-bec4-a5e9ec5cab8b\",\"sigma\":\"\",\"type\":\"series_agg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"metric\"},\"title\":\"Inbound Traffic [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-546febc0-f49b-11e9-8405-516218e3d268.json b/packages/system/0.11.0/kibana/visualization/system-546febc0-f49b-11e9-8405-516218e3d268.json deleted file mode 100644 index 65591c57a4..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-546febc0-f49b-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Groups Enumeration - TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(128,128,128,1)\",\"color\":\"rgba(179,179,179,1)\",\"id\":\"bfcaced0-f419-11e9-928e-8f5fd2b6c66e\",\"operator\":\"gt\",\"value\":0},{\"background_color\":\"rgba(179,179,179,1)\",\"id\":\"8d3f3ed0-9b51-11ea-99a1-e5b989979a59\",\"operator\":\"lte\",\"value\":0}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code:4799\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Group Membership Enumeration\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Groups Enumeration - TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-546febc0-f49b-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.0/kibana/visualization/system-568a8130-bcde-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.11.0/kibana/visualization/system-568a8130-bcde-11e9-b6a2-c9b4015c4baf.json
deleted file mode 100644
index d8ddc0b1ed..0000000000
--- a/packages/system/0.11.0/kibana/visualization/system-568a8130-bcde-11e9-b6a2-c9b4015c4baf.json
+++ /dev/null
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4723\",\"4724\"],\"type\":\"phrases\",\"value\":\"4723, 4724\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4723\"}},{\"match_phrase\":{\"event.code\":\"4724\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Password Reset / Changes [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Password Changes\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Password Reset / Changes [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-568a8130-bcde-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-58fb9480-9b46-11ea-87e4-49f31ec44891.json b/packages/system/0.11.0/kibana/visualization/system-58fb9480-9b46-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 453faebe12..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-58fb9480-9b46-11ea-87e4-49f31ec44891.json +++ /dev/null @@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Group Management Events - Target Groups - Tag Cloud [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"maxFontSize\":58,\"minFontSize\":18,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Group Management Events - Target Groups - Tag Cloud [Windows System Security]\",\"type\":\"tagcloud\"}" - }, - "id": "windows-58fb9480-9b46-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.0/kibana/visualization/system-590a60f0-5d87-11e7-8884-1bb4c3b890e4.json b/packages/system/0.11.0/kibana/visualization/system-590a60f0-5d87-11e7-8884-1bb4c3b890e4.json
deleted file mode 100644
index e5419418c6..0000000000
--- a/packages/system/0.11.0/kibana/visualization/system-590a60f0-5d87-11e7-8884-1bb4c3b890e4.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Number of processes [Metrics System]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Processes\",\"field\":\"process.pid\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.process\\\"\"},\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"type\":\"gauge\"},\"title\":\"Number of processes\",\"type\":\"metric\"}" - }, - "id": "system-590a60f0-5d87-11e7-8884-1bb4c3b890e4", - "references": [ - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-5bb93ed0-a249-11e9-a422-d144027429da.json b/packages/system/0.11.0/kibana/visualization/system-5bb93ed0-a249-11e9-a422-d144027429da.json deleted file mode 100644 index 75aeb12e0d..0000000000 
--- a/packages/system/0.11.0/kibana/visualization/system-5bb93ed0-a249-11e9-a422-d144027429da.json
+++ /dev/null
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4672\"},\"type\":\"phrase\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4672\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Admin Logons Simple [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Admin Logons\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"aggType\":\"cardinality\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Admin Logons Simple [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-5bb93ed0-a249-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.0/kibana/visualization/system-5c7af030-fa2a-11e6-bbd3-29c986c96e5a.json b/packages/system/0.11.0/kibana/visualization/system-5c7af030-fa2a-11e6-bbd3-29c986c96e5a.json deleted file mode 100644 index 112d3d6530..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-5c7af030-fa2a-11e6-bbd3-29c986c96e5a.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Sudo commands by user [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"Sudo commands by user\",\"type\":\"histogram\"}" - }, - "id": "system-5c7af030-fa2a-11e6-bbd3-29c986c96e5a", - "references": [ - { - "id": "system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-5c9ee410-9b74-11ea-87e4-49f31ec44891.json b/packages/system/0.11.0/kibana/visualization/system-5c9ee410-9b74-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 6807ba0f16..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-5c9ee410-9b74-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "User Event Actions - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"event.action\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":25},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"event.code\",\"field\":\"event.code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"User Event Actions - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-5c9ee410-9b74-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.0/kibana/visualization/system-5d117970-9ffd-11ea-87e4-49f31ec44891.json b/packages/system/0.11.0/kibana/visualization/system-5d117970-9ffd-11ea-87e4-49f31ec44891.json
deleted file mode 100644
index 45c348d026..0000000000
--- a/packages/system/0.11.0/kibana/visualization/system-5d117970-9ffd-11ea-87e4-49f31ec44891.json
+++ /dev/null
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4740\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"4740\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Blocked Accounts [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Blocked Accounts\",\"field\":\"user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Blocked Accounts [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-5d117970-9ffd-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.0/kibana/visualization/system-5d92b100-bce8-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.11.0/kibana/visualization/system-5d92b100-bce8-11e9-b6a2-c9b4015c4baf.json
deleted file mode 100644
index b34bc8bc80..0000000000
--- a/packages/system/0.11.0/kibana/visualization/system-5d92b100-bce8-11e9-b6a2-c9b4015c4baf.json
+++ /dev/null
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4738\"],\"type\":\"phrases\",\"value\":\"4738\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4738\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Changes - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Changes in Users\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Changes - Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-5d92b100-bce8-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": 
"visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-5dd15c00-fa78-11e6-ae9b-81e5311e8cab.json b/packages/system/0.11.0/kibana/visualization/system-5dd15c00-fa78-11e6-ae9b-81e5311e8cab.json deleted file mode 100644 index bc04c92dd4..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-5dd15c00-fa78-11e6-ae9b-81e5311e8cab.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New users over time [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"bottom\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"New users over time\",\"type\":\"histogram\"}" - }, - "id": "system-5dd15c00-fa78-11e6-ae9b-81e5311e8cab", - "references": [ - { - "id": "system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-5e19ff80-231c-11ea-8405-516218e3d268.json b/packages/system/0.11.0/kibana/visualization/system-5e19ff80-231c-11ea-8405-516218e3d268.json deleted file mode 100644 index acd93693a8..0000000000 
--- a/packages/system/0.11.0/kibana/visualization/system-5e19ff80-231c-11ea-8405-516218e3d268.json
+++ /dev/null
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4781\"],\"type\":\"phrases\",\"value\":\"4781\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4781\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Renamed - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Renamed Users\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Renamed - Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-5e19ff80-231c-11ea-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": 
"visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.11.0/kibana/visualization/system-5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 4e4497d0a4..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4720\"},\"type\":\"phrase\",\"value\":\"4720\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4720\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Created - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Created User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Created - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-5eeaafd0-fee7-11e9-8405-516218e3d268.json b/packages/system/0.11.0/kibana/visualization/system-5eeaafd0-fee7-11e9-8405-516218e3d268.json deleted file mode 100644 index 13589095b5..0000000000 
--- a/packages/system/0.11.0/kibana/visualization/system-5eeaafd0-fee7-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4734\",\"4730\",\"4758\",\"4748\",\"4763\",\"4753\",\"4792\",\"4789\"],\"type\":\"phrases\",\"value\":\"4734, 4730, 4758, 4748, 4763, 4753, 4792, 4789\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4734\"}},{\"match_phrase\":{\"event.code\":\"4730\"}},{\"match_phrase\":{\"event.code\":\"4758\"}},{\"match_phrase\":{\"event.code\":\"4748\"}},{\"match_phrase\":{\"event.code\":\"4763\"}},{\"match_phrase\":{\"event.code\":\"4753\"}},{\"match_phrase\":{\"event.code\":\"4792\"}},{\"match_phrase\":{\"event.code\":\"4789\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"lucene\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Groups Deleted- Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Groups 
Deleted\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Greens\",\"colorsRange\":[{\"from\":0,\"to\":1,\"type\":\"range\"},{\"from\":1,\"to\":5},{\"from\":5,\"to\":10},{\"from\":10,\"to\":15},{\"from\":15,\"to\":20},{\"from\":20,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"Labels\",\"percentageMode\":false,\"style\":{\"bgColor\":true,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Groups Deleted- Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-5eeaafd0-fee7-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-60301890-ff1d-11e9-8405-516218e3d268.json b/packages/system/0.11.0/kibana/visualization/system-60301890-ff1d-11e9-8405-516218e3d268.json deleted file mode 100644 index 520406bfb6..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-60301890-ff1d-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Password Changes - TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(154,196,198,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4723\\\" OR event.code: \\\"4724\\\"\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Password Changes/Reset\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Password Changes - TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-60301890-ff1d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.0/kibana/visualization/system-6b7b9a40-faa1-11e6-86b1-cd7735ff7e23.json b/packages/system/0.11.0/kibana/visualization/system-6b7b9a40-faa1-11e6-86b1-cd7735ff7e23.json deleted file mode 100644 index 22a26c29d4..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-6b7b9a40-faa1-11e6-86b1-cd7735ff7e23.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Network Traffic (Packets) [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"lucene\",\"query\":\"-system.network.name:l*\"},\"id\":\"da1046f0-faa0-11e6-86b1-cd7735ff7e23\",\"index_pattern\":\"*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":\"1\",\"formatter\":\"0.[00]a\",\"id\":\"da1046f1-faa0-11e6-86b1-cd7735ff7e23\",\"label\":\"Inbound\",\"line_width\":\"0\",\"metrics\":[{\"field\":\"system.network.in.packets\",\"id\":\"da1046f2-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"max\"},{\"field\":\"da1046f2-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"f41f9280-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"field\":\"f41f9280-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"c0da3d80-1b93-11e7-8ada-3df93aab833e\",\"type\":\"positive_only\",\"unit\":\"\"},{\"function\":\"sum\",\"id\":\"ecaad010-2c2c-11e7-be71-3162da85303f\",\"type\":\"series_agg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(250,40,255,1)\",\"fill\":\"1\",\"formatter\":\"0.[00]a\",\"id\":\"fbbd5720-faa0-11e6-86b1-cd7735ff7e23\",\"label\":\"Outbound\",\"line_width\":\"0\",\"metrics\":[{\"field\":\"system.network.out.packets\",\"id\":\"fbbd7e30-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"max\"},{\"field\":\"fbbd7e30-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"fbbd7e31-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"id\":\"17e597a0-faa1-11e6-86b
1-cd7735ff7e23\",\"script\":\"params.rate != null \\u0026\\u0026 params.rate \\u003e 0 ? params.rate * -1 : null\",\"type\":\"calculation\",\"variables\":[{\"field\":\"fbbd7e31-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"1940bad0-faa1-11e6-86b1-cd7735ff7e23\",\"name\":\"rate\"}]},{\"function\":\"sum\",\"id\":\"fe5fbdc0-2c2c-11e7-be71-3162da85303f\",\"type\":\"series_agg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"Mericbeat: Network Traffic (Packets)\",\"type\":\"metrics\"}" - }, - "id": "system-6b7b9a40-faa1-11e6-86b1-cd7735ff7e23", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-6f0f2ea0-f414-11e9-8405-516218e3d268.json b/packages/system/0.11.0/kibana/visualization/system-6f0f2ea0-f414-11e9-8405-516218e3d268.json deleted file mode 100644 index ea065ce6e3..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-6f0f2ea0-f414-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Group Management Events - Description [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":10,\"markdown\":\"# **Group Management Events**\\n\\n#### This dashboard shows information about Group Management Events collected by winlogbeat\\n\",\"openLinksInNewTab\":false},\"title\":\"Group Management Events - Description [Windows System Security]\",\"type\":\"markdown\"}" - }, - "id": "windows-6f0f2ea0-f414-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-729443b0-a7d6-11e9-a422-d144027429da.json b/packages/system/0.11.0/kibana/visualization/system-729443b0-a7d6-11e9-a422-d144027429da.json deleted file mode 100644 index da850bf332..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-729443b0-a7d6-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4625\",\"4771\"],\"type\":\"phrases\",\"value\":\"4625, 4771\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4625\"}},{\"match_phrase\":{\"event.code\":\"4771\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Logon Failed Acconts [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"type\":\"vis_dimension\"},\"maxFontSize\":37,\"metric\":{\"accessor\":1,\"format\":{\"id\":\"string\",\"params\":{}},\"type\":\"vis_dimension\"},\"minFontSize\":15,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Logon Failed Acconts [Windows System Security]\",\"type\":\"tagcloud\"}" - }, - "id": "windows-729443b0-a7d6-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], 
- "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-7322f9f0-ff1c-11e9-8405-516218e3d268.json b/packages/system/0.11.0/kibana/visualization/system-7322f9f0-ff1c-11e9-8405-516218e3d268.json deleted file mode 100644 index 2e5508620f..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-7322f9f0-ff1c-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Deleted - TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(228,155,75,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4726\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Deleted\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Deleted - TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-7322f9f0-ff1c-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.0/kibana/visualization/system-78b74f30-f9cd-11e6-8115-a7c18106d86a.json b/packages/system/0.11.0/kibana/visualization/system-78b74f30-f9cd-11e6-8115-a7c18106d86a.json deleted file mode 100644 index c119c156ea..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-78b74f30-f9cd-11e6-8115-a7c18106d86a.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - }, - "title": "SSH login attempts [Logs System]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Accepted\":\"#3F6833\",\"Failed\":\"#F9934E\",\"Invalid\":\"#447EBC\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"system.auth.ssh.event\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"SSH login attempts\",\"type\":\"histogram\"}" - }, - "id": "system-78b74f30-f9cd-11e6-8115-a7c18106d86a", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.0/kibana/visualization/system-7a329a00-a7d5-11e9-a422-d144027429da.json b/packages/system/0.11.0/kibana/visualization/system-7a329a00-a7d5-11e9-a422-d144027429da.json deleted file mode 100644 index 9f8332e30b..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-7a329a00-a7d5-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4740\"},\"type\":\"phrase\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4740\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security \"}}" - }, - "title": "Blocked Accounts Tag [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"type\":\"vis_dimension\"},\"maxFontSize\":53,\"metric\":{\"accessor\":1,\"format\":{\"id\":\"string\",\"params\":{}},\"type\":\"vis_dimension\"},\"minFontSize\":18,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Blocked Accounts Tag [Windows System Security]\",\"type\":\"tagcloud\"}" - }, - "id": "windows-7a329a00-a7d5-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-7cdb1330-4d1a-11e7-a196-69b9a7a020a9.json b/packages/system/0.11.0/kibana/visualization/system-7cdb1330-4d1a-11e7-a196-69b9a7a020a9.json deleted file mode 100644 index e89f3a3690..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-7cdb1330-4d1a-11e7-a196-69b9a7a020a9.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Hosts histogram by CPU usage [Metrics System]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0% - 5%\":\"rgb(247,252,245)\",\"10% - 15%\":\"rgb(116,196,118)\",\"15% - 20%\":\"rgb(35,139,69)\",\"5% - 10%\":\"rgb(199,233,192)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"CPU usage\",\"field\":\"system.cpu.user.pct\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Hosts\",\"field\":\"host.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Greens\",\"colorsNumber\":4,\"colorsRange\":[],\"enableHover\":false,\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.cpu\\\" \"},\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"type\":\"heatmap\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"#555\",\"rotate\":0,\"show\":false},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Hosts histogram by CPU usage [Metrics System]\",\"type\":\"heatmap\"}" - }, - "id": "system-7cdb1330-4d1a-11e7-a196-69b9a7a020a9", - "references": [ - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.0/kibana/visualization/system-7de2e3f0-9b4d-11ea-87e4-49f31ec44891.json b/packages/system/0.11.0/kibana/visualization/system-7de2e3f0-9b4d-11ea-87e4-49f31ec44891.json deleted file mode 100644 index de0df1178e..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-7de2e3f0-9b4d-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Group Management Action Distribution over Time [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-30d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":25},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false,\"valueAxis\":\"\"},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"tru
ncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Group Management Action Distribution over Time [Windows System Security]\",\"type\":\"histogram\"}" - }, - "id": "windows-7de2e3f0-9b4d-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-804dd400-a248-11e9-a422-d144027429da.json b/packages/system/0.11.0/kibana/visualization/system-804dd400-a248-11e9-a422-d144027429da.json deleted file mode 100644 index deaa80ec24..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-804dd400-a248-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4672\"],\"type\":\"phrases\",\"value\":\"4672\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4672\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Logged on Administrators [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Date\",\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"2020-05-20T07:35:27.496Z\",\"to\":\"2020-05-22T00:01:10.239Z\"},\"useNormalizedEsInterval\":true},\"schema\":\"bucket\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"user.name\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"8\",\"params\":{\"customLabel\":\"# 
Thread\",\"field\":\"winlog.process.thread.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"9\",\"params\":{\"customLabel\":\"LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"date_histogram\",\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD HH:mm\"}},\"label\":\"Fecha - Hora \",\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"label\":\"Usuario\",\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"label\":\"# Thread\",\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"label\":\"winlog.logon.id: Descending\",\"params\":{}}],\"metrics\":[{\"accessor\":4,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Cantidad Eventos 
\",\"params\":{}}]},\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Logged on Administrators [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-804dd400-a248-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32.json b/packages/system/0.11.0/kibana/visualization/system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32.json deleted file mode 100644 index 172b24f43c..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Disk Used [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.fsstat\\\"\"},\"gauge_color_rules\":[{\"gauge\":\"rgba(104,188,0,1)\",\"id\":\"51921d10-4d1d-11e7-b5f2-2b7c1895bf32\",\"operator\":\"gte\",\"value\":0},{\"gauge\":\"rgba(251,158,0,1)\",\"id\":\"f26de750-4d54-11e7-b5f2-2b7c1895bf32\",\"operator\":\"gte\",\"value\":0.7},{\"gauge\":\"rgba(211,49,21,1)\",\"id\":\"fa31d190-4d54-11e7-b5f2-2b7c1895bf32\",\"operator\":\"gte\",\"value\":0.85}],\"gauge_inner_width\":10,\"gauge_max\":\"1\",\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"4e4dc780-4d1d-11e7-b5f2-2b7c1895bf32\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"4e4dee90-4d1d-11e7-b5f2-2b7c1895bf32\",\"label\":\"Disk used\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"system.fsstat.total_size.used\",\"id\":\"4e4dee91-4d1d-11e7-b5f2-2b7c1895bf32\",\"order\":\"desc\",\"order_by\":\"@timestamp\",\"size\":1,\"type\":\"top_hit\"},{\"agg_with\":\"avg\",\"field\":\"system.fsstat.total_size.total\",\"id\":\"57c96ee0-4d54-11e7-b5f2-2b7c1895bf32\",\"order\":\"desc\",\"order_by\":\"@timestamp\",\"size\":1,\"type\":\"top_hit\"},{\"id\":\"6304cca0-4d54-11e7-b5f2-2b7c1895bf32\",\"script\":\"params.used/params.total 
\",\"type\":\"math\",\"variables\":[{\"field\":\"4e4dee91-4d1d-11e7-b5f2-2b7c1895bf32\",\"id\":\"6da10430-4d54-11e7-b5f2-2b7c1895bf32\",\"name\":\"used\"},{\"field\":\"57c96ee0-4d54-11e7-b5f2-2b7c1895bf32\",\"id\":\"73b8c510-4d54-11e7-b5f2-2b7c1895bf32\",\"name\":\"total\"}]}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"gauge\"},\"title\":\"Disk used [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b.json b/packages/system/0.11.0/kibana/visualization/system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b.json deleted file mode 100644 index dc7c7ab1d6..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "CPU Usage Gauge [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.cpu\\\"\"},\"gauge_color_rules\":[{\"gauge\":\"rgba(104,188,0,1)\",\"id\":\"4ef2c3b0-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0},{\"gauge\":\"rgba(254,146,0,1)\",\"id\":\"e6561ae0-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0.7},{\"gauge\":\"rgba(211,49,21,1)\",\"id\":\"ec655040-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0.85}],\"gauge_inner_width\":10,\"gauge_max\":\"1\",\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"4c9e2550-1b91-11e7-bec4-a5e9ec5cab8b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"4c9e2551-1b91-11e7-bec4-a5e9ec5cab8b\",\"label\":\"CPU Usage\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.user.pct\",\"id\":\"4c9e2552-1b91-11e7-bec4-a5e9ec5cab8b\",\"type\":\"avg\"},{\"field\":\"system.cpu.system.pct\",\"id\":\"225c2140-5fd7-11e7-a63a-a937b7c1a7e1\",\"type\":\"avg\"},{\"field\":\"system.cpu.cores\",\"id\":\"837a30c0-5fd7-11e7-a63a-a937b7c1a7e1\",\"type\":\"avg\"},{\"id\":\"587aa510-1b91-11e7-bec4-a5e9ec5cab8b\",\"script\":\"params.n \\u003e 0 ? 
(params.user+params.system)/params.n : null\",\"type\":\"calculation\",\"variables\":[{\"field\":\"4c9e2552-1b91-11e7-bec4-a5e9ec5cab8b\",\"id\":\"5a19af10-1b91-11e7-bec4-a5e9ec5cab8b\",\"name\":\"user\"},{\"field\":\"225c2140-5fd7-11e7-a63a-a937b7c1a7e1\",\"id\":\"32b54f80-5fd7-11e7-a63a-a937b7c1a7e1\",\"name\":\"system\"},{\"field\":\"837a30c0-5fd7-11e7-a63a-a937b7c1a7e1\",\"id\":\"8ba6eef0-5fd7-11e7-a63a-a937b7c1a7e1\",\"name\":\"n\"}]}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\"},\"title\":\"CPU Usage Gauge [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-84502430-bce8-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.11.0/kibana/visualization/system-84502430-bce8-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 7a45abc403..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-84502430-bce8-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4740\"],\"type\":\"phrases\",\"value\":\"4740\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4740\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Unlocks - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Users Locked Out\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Unlocks - Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-84502430-bce8-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": 
"visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-855899e0-1b1c-11e7-b09e-037021c4f8df.json b/packages/system/0.11.0/kibana/visualization/system-855899e0-1b1c-11e7-b09e-037021c4f8df.json deleted file mode 100644 index ae48f968a3..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-855899e0-1b1c-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Top Hosts By CPU (Realtime) [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"bar_color\":\"rgba(104,188,0,1)\",\"id\":\"33349dd0-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0},{\"bar_color\":\"rgba(254,146,0,1)\",\"id\":\"997dc440-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.6},{\"bar_color\":\"rgba(211,49,21,1)\",\"id\":\"a10d7f20-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.85}],\"drilldown_url\":\"../app/kibana#/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8?_a=(query:(language:kuery,query:'host.name:\\\"{{key}}\\\"'))\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.cpu\\\"\"},\"id\":\"31e5afa0-1b1c-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"31e5afa1-1b1c-11e7-b09e-037021c4f8df\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.user.pct\",\"id\":\"31e5afa2-1b1c-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"host.name\",\"terms_order_by\":\"31e5afa2-1b1c-11e7-b09e-037021c4f8df\",\"terms_size\":\"10\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Top Hosts By CPU (Realtime) [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-855899e0-1b1c-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.0/kibana/visualization/system-855957d0-bcdd-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.11.0/kibana/visualization/system-855957d0-bcdd-11e9-b6a2-c9b4015c4baf.json
deleted file mode 100644
index 09e960ac14..0000000000
--- a/packages/system/0.11.0/kibana/visualization/system-855957d0-bcdd-11e9-b6a2-c9b4015c4baf.json
+++ /dev/null
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4722\"},\"type\":\"phrase\",\"value\":\"4722\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4722\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Enabled - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Users Enabled\",\"field\":\"user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Enabled - Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-855957d0-bcdd-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - 
"type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-860706a0-9bfd-11ea-87e4-49f31ec44891.json b/packages/system/0.11.0/kibana/visualization/system-860706a0-9bfd-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 0849027a3c..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-860706a0-9bfd-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "User Logons [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"d5bcde50-9bfc-11ea-aaa3-618beeff2d9c\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(7,139,141,1)\",\"id\":\"16018150-9bfd-11ea-aaa3-618beeff2d9c\",\"operator\":\"gte\",\"value\":0}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"filter\":{\"language\":\"kuery\",\"query\":\"((data_stream.dataset:windows.security OR data_stream.dataset:system.security) AND event.code: \\\"4624\\\")\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Logons \",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"User Logons [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-860706a0-9bfd-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.0/kibana/visualization/system-8ef59f90-6ab8-11ea-896f-0d70f7ec3956.json b/packages/system/0.11.0/kibana/visualization/system-8ef59f90-6ab8-11ea-896f-0d70f7ec3956.json
deleted file mode 100644
index ef50f8a93f..0000000000
--- a/packages/system/0.11.0/kibana/visualization/system-8ef59f90-6ab8-11ea-896f-0d70f7ec3956.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Failed Logons TSVB [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(181,99,93,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"((data_stream.dataset:windows.security OR data_stream.dataset:system.security) AND event.code: \\\"4625\\\")\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Failed Logon\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Failed Logons TSVB [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-8ef59f90-6ab8-11ea-896f-0d70f7ec3956", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.0/kibana/visualization/system-8f20c950-bcd4-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.11.0/kibana/visualization/system-8f20c950-bcd4-11e9-b6a2-c9b4015c4baf.json
deleted file mode 100644
index 2afa9ee825..0000000000
--- a/packages/system/0.11.0/kibana/visualization/system-8f20c950-bcd4-11e9-b6a2-c9b4015c4baf.json
+++ /dev/null
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4725\"},\"type\":\"phrase\",\"value\":\"4725\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4725\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Disabled - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Disabled User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Disabled - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-8f20c950-bcd4-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-96976150-4d5d-11e7-aa29-87a97a796de6.json b/packages/system/0.11.0/kibana/visualization/system-96976150-4d5d-11e7-aa29-87a97a796de6.json deleted file mode 100644 index 172bcb8f2c..0000000000 
--- a/packages/system/0.11.0/kibana/visualization/system-96976150-4d5d-11e7-aa29-87a97a796de6.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Packetloss [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"6ba9b1f0-4d5d-11e7-aa29-87a97a796de6\"}],\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.network\\\"\"},\"id\":\"6984af10-4d5d-11e7-aa29-87a97a796de6\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"6984af11-4d5d-11e7-aa29-87a97a796de6\",\"label\":\"In Packetloss\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.in.dropped\",\"id\":\"6984af12-4d5d-11e7-aa29-87a97a796de6\",\"type\":\"max\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"ac2e6b30-4d5d-11e7-aa29-87a97a796de6\",\"label\":\"Out Packetloss\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.out.dropped\",\"id\":\"ac2e6b31-4d5d-11e7-aa29-87a97a796de6\",\"type\":\"max\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"metric\"},\"title\":\"Packetloss [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-96976150-4d5d-11e7-aa29-87a97a796de6", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.0/kibana/visualization/system-97c70300-ff1c-11e9-8405-516218e3d268.json b/packages/system/0.11.0/kibana/visualization/system-97c70300-ff1c-11e9-8405-516218e3d268.json
deleted file mode 100644
index ac78018683..0000000000
--- a/packages/system/0.11.0/kibana/visualization/system-97c70300-ff1c-11e9-8405-516218e3d268.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Disabled - TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(79,147,150,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"((data_stream.dataset:windows.security OR data_stream.dataset:system.security) AND event.code: \\\"4725\\\")\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Disabled\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Disabled - TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-97c70300-ff1c-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.0/kibana/visualization/system-98884120-f49d-11e9-8405-516218e3d268.json b/packages/system/0.11.0/kibana/visualization/system-98884120-f49d-11e9-8405-516218e3d268.json
deleted file mode 100644
index a227b7f0c3..0000000000
--- a/packages/system/0.11.0/kibana/visualization/system-98884120-f49d-11e9-8405-516218e3d268.json
+++ /dev/null
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4731\",\"4727\",\"4754\",\"4744\",\"4759\",\"4779\",\"4790\",\"4783\"],\"type\":\"phrases\",\"value\":\"4731, 4727, 4754, 4744, 4759, 4779, 4790, 4783\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4731\"}},{\"match_phrase\":{\"event.code\":\"4727\"}},{\"match_phrase\":{\"event.code\":\"4754\"}},{\"match_phrase\":{\"event.code\":\"4744\"}},{\"match_phrase\":{\"event.code\":\"4759\"}},{\"match_phrase\":{\"event.code\":\"4779\"}},{\"match_phrase\":{\"event.code\":\"4790\"}},{\"match_phrase\":{\"event.code\":\"4783\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Groups Created - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Group\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"group.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Performer 
LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":4,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":5,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Groups Created - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-98884120-f49d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.0/kibana/visualization/system-99381c80-4d60-11e7-9a4c-ed99bbcaa42b.json b/packages/system/0.11.0/kibana/visualization/system-99381c80-4d60-11e7-9a4c-ed99bbcaa42b.json deleted file mode 100644 index 66e166e22e..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-99381c80-4d60-11e7-9a4c-ed99bbcaa42b.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Interfaces by Incoming traffic [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"id\":\"44596d40-4d60-11e7-9a4c-ed99bbcaa42b\"}],\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.network\\\"\"},\"id\":\"42ceae90-4d60-11e7-9a4c-ed99bbcaa42b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"42ced5a0-4d60-11e7-9a4c-ed99bbcaa42b\",\"label\":\"Interfaces by Incoming traffic\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.in.bytes\",\"id\":\"42ced5a1-4d60-11e7-9a4c-ed99bbcaa42b\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"terms_order_by\":\"42ced5a1-4d60-11e7-9a4c-ed99bbcaa42b\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Interfaces by Incoming traffic [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-99381c80-4d60-11e7-9a4c-ed99bbcaa42b", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.0/kibana/visualization/system-9dd22440-ff1d-11e9-8405-516218e3d268.json b/packages/system/0.11.0/kibana/visualization/system-9dd22440-ff1d-11e9-8405-516218e3d268.json deleted file mode 100644 index aa6560812c..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-9dd22440-ff1d-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users locked Out - TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(102,102,102,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"((data_stream.dataset:windows.security OR data_stream.dataset:system.security) AND event.code: \\\"4740\\\")\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Locked Out\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users locked Out - TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-9dd22440-ff1d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.0/kibana/visualization/system-9e534190-f49d-11e9-8405-516218e3d268.json b/packages/system/0.11.0/kibana/visualization/system-9e534190-f49d-11e9-8405-516218e3d268.json deleted file mode 100644 index d81092dc2b..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-9e534190-f49d-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4735\",\"4737\",\"4755\",\"4750\",\"4760\",\"4745\",\"4791\",\"4784\",\"4764\"],\"type\":\"phrases\",\"value\":\"4735, 4737, 4755, 4750, 4760, 4745, 4791, 4784, 4764\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4735\"}},{\"match_phrase\":{\"event.code\":\"4737\"}},{\"match_phrase\":{\"event.code\":\"4755\"}},{\"match_phrase\":{\"event.code\":\"4750\"}},{\"match_phrase\":{\"event.code\":\"4760\"}},{\"match_phrase\":{\"event.code\":\"4745\"}},{\"match_phrase\":{\"event.code\":\"4791\"}},{\"match_phrase\":{\"event.code\":\"4784\"}},{\"match_phrase\":{\"event.code\":\"4764\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Group Changes - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Group\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"group.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Performer 
LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":4,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":5,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Group Changes - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-9e534190-f49d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.0/kibana/visualization/system-Event-Levels.json b/packages/system/0.11.0/kibana/visualization/system-Event-Levels.json deleted file mode 100644 index 80ebd07044..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-Event-Levels.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system OR data_stream.dataset:system.application OR data_stream.dataset:system.security OR data_stream.dataset:system.system)\"}}" - }, - "title": "Event Levels [Windows Overview]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Log Levels\",\"field\":\"log.level\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Event Levels [Windows Overview]\",\"type\":\"table\"}" - }, - "id": "windows-Event-Levels", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-Navigation.json b/packages/system/0.11.0/kibana/visualization/system-Navigation.json deleted file mode 100644 index d996678974..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-Navigation.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "System Navigation [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"[System Overview](#/dashboard/system-Metrics-system-overview) | [Host Overview](#/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8)\"},\"title\":\"System Navigation [Metrics System]\",\"type\":\"markdown\"}" - }, - "id": "system-Navigation", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-Number-of-Events-Over-Time-By-Event-Log.json b/packages/system/0.11.0/kibana/visualization/system-Number-of-Events-Over-Time-By-Event-Log.json deleted file mode 100644 index cb42f617bc..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-Number-of-Events-Over-Time-By-Event-Log.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system OR data_stream.dataset:system.application OR data_stream.dataset:system.security OR data_stream.dataset:system.system)\"}}" - }, - "title": "Number of Events Over Time By Channel [Windows Overview]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"timeRange\":{\"from\":\"now-15d\",\"mode\":\"relative\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Channel\",\"field\":\"winlog.channel\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":6},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"dimensions\":{\"series\":[{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketL
abel\":\"Other\"}},\"params\":{}}],\"x\":{\"accessor\":0,\"aggType\":\"date_histogram\",\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD HH:mm\"}},\"params\":{\"bounds\":{\"max\":\"2019-02-05T04:30:25.961Z\",\"min\":\"2019-01-21T04:30:25.961Z\"},\"date\":true,\"format\":\"YYYY-MM-DD HH:mm\",\"interval\":43200000}},\"y\":[{\"accessor\":2,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"Number of Events Over Time By Channel [Windows Overview]\",\"type\":\"histogram\"}" - }, - "id": "windows-Number-of-Events-Over-Time-By-Event-Log", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-Number-of-Events.json b/packages/system/0.11.0/kibana/visualization/system-Number-of-Events.json deleted file mode 100644 index 34ecef7340..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-Number-of-Events.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system OR data_stream.dataset:system.application OR data_stream.dataset:system.security OR data_stream.dataset:system.system)\"}}" - }, - "title": "Number of Events [Windows Overview]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"fontSize\":60},\"type\":\"metric\"}" - }, - "id": "windows-Number-of-Events", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-Sources.json b/packages/system/0.11.0/kibana/visualization/system-Sources.json deleted file mode 100644 index b58d86fd65..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-Sources.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system OR data_stream.dataset:system.application OR data_stream.dataset:system.security OR data_stream.dataset:system.system)\"}}" - }, - "title": "Sources (Provider Names) [Windows Overview]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"winlog.provider_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":7},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"shareYAxis\":true,\"type\":\"pie\"},\"title\":\"Sources (Provider Names) [Windows Overview]\",\"type\":\"pie\"}" - }, - "id": "windows-Sources", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.0/kibana/visualization/system-Syslog-events-by-hostname.json b/packages/system/0.11.0/kibana/visualization/system-Syslog-events-by-hostname.json deleted file mode 100644 index 97fdb33425..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-Syslog-events-by-hostname.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Syslog events by hostname [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"host.hostname\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"Syslog events by hostname\",\"type\":\"histogram\"}" - }, - "id": "system-Syslog-events-by-hostname", - "references": [ - { - "id": "system-Syslog-system-logs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-Syslog-hostnames-and-processes.json b/packages/system/0.11.0/kibana/visualization/system-Syslog-hostnames-and-processes.json deleted file mode 100644 index 3fe992e28b..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-Syslog-hostnames-and-processes.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Syslog hostnames and processes [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"host.hostname\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"process.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"legendPosition\":\"bottom\",\"shareYAxis\":true},\"title\":\"Syslog hostnames and processes\",\"type\":\"pie\"}" - }, - "id": "system-Syslog-hostnames-and-processes", - "references": [ - { - "id": "system-Syslog-system-logs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-Top-Event-IDs.json b/packages/system/0.11.0/kibana/visualization/system-Top-Event-IDs.json deleted file mode 100644 index 0b4d5b0b54..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-Top-Event-IDs.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system OR data_stream.dataset:system.application OR data_stream.dataset:system.security OR data_stream.dataset:system.system)\"}}" - }, - "title": "Top Event IDs [Windows Overview]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event IDs\",\"field\":\"winlog.event_id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Event IDs [Windows Overview]\",\"type\":\"table\"}" - }, - "id": "windows-Top-Event-IDs", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-a13bf640-fee8-11e9-8405-516218e3d268.json b/packages/system/0.11.0/kibana/visualization/system-a13bf640-fee8-11e9-8405-516218e3d268.json deleted file mode 100644 index 8337095049..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-a13bf640-fee8-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4732\",\"4728\",\"4756\",\"4751\",\"4761\",\"4746\",\"4785\",\"4787\"],\"type\":\"phrases\",\"value\":\"4732, 4728, 4756, 4751, 4761, 4746, 4785, 4787\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4732\"}},{\"match_phrase\":{\"event.code\":\"4728\"}},{\"match_phrase\":{\"event.code\":\"4756\"}},{\"match_phrase\":{\"event.code\":\"4751\"}},{\"match_phrase\":{\"event.code\":\"4761\"}},{\"match_phrase\":{\"event.code\":\"4746\"}},{\"match_phrase\":{\"event.code\":\"4785\"}},{\"match_phrase\":{\"event.code\":\"4787\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Added - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Users Added to 
Groups\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Reds\",\"colorsRange\":[{\"from\":0,\"to\":1,\"type\":\"range\"},{\"from\":1,\"to\":5},{\"from\":5,\"to\":10},{\"from\":10,\"to\":15},{\"from\":15,\"to\":20},{\"from\":20,\"to\":9999}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"Labels\",\"percentageMode\":false,\"style\":{\"bgColor\":true,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Added - Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-a13bf640-fee8-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-a3c3f350-9b6d-11ea-87e4-49f31ec44891.json b/packages/system/0.11.0/kibana/visualization/system-a3c3f350-9b6d-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 40e5998021..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-a3c3f350-9b6d-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Dashboard links [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"[Windows Overview](#/dashboard/Windows-Dashboard) | [User Logon Information](#/dashboard/windows-bae11b00-9bfc-11ea-87e4-49f31ec44891) | [Logon Failed and Account Lockout](#/dashboard/windows-d401ef40-a7d5-11e9-a422-d144027429da) | [User Management Events](#/dashboard/windows-71f720f0-ff18-11e9-8405-516218e3d268) | [Group Management Events](#/dashboard/windows-bb858830-f412-11e9-8405-516218e3d268)\",\"openLinksInNewTab\":false},\"title\":\"Dashboard links [Windows System Security]\",\"type\":\"markdown\"}" - }, - "id": "windows-a3c3f350-9b6d-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-a5f664c0-f49a-11e9-8405-516218e3d268.json b/packages/system/0.11.0/kibana/visualization/system-a5f664c0-f49a-11e9-8405-516218e3d268.json deleted file mode 100644 index 920ea3a521..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-a5f664c0-f49a-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Removed - TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"bfcaced0-f419-11e9-928e-8f5fd2b6c66e\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(228,155,75,1)\",\"id\":\"11604700-9b51-11ea-99a1-e5b989979a59\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code:4733 OR event.code:4729 OR event.code:4788 OR event.code:4786 OR event.code:4752 OR event.code:4762 OR event.code:4747\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Removed from Group\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Removed - TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-a5f664c0-f49a-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.0/kibana/visualization/system-a79395f0-6aba-11ea-896f-0d70f7ec3956.json b/packages/system/0.11.0/kibana/visualization/system-a79395f0-6aba-11ea-896f-0d70f7ec3956.json deleted file mode 100644 index 5353bdc134..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-a79395f0-6aba-11ea-896f-0d70f7ec3956.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Blocked Accounts TSVB [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"color\":\"rgba(51,51,51,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(102,102,102,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4740\\\"\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Blocked Accounts\",\"line_width\":1,\"metrics\":[{\"field\":\"user.name\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"cardinality\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Blocked Accounts TSVB [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-a79395f0-6aba-11ea-896f-0d70f7ec3956", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.0/kibana/visualization/system-a909b930-685f-11ea-896f-0d70f7ec3956.json b/packages/system/0.11.0/kibana/visualization/system-a909b930-685f-11ea-896f-0d70f7ec3956.json deleted file mode 100644 index 4763c28e8b..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-a909b930-685f-11ea-896f-0d70f7ec3956.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Logon Events Timeline [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4672\\\" or event.code: \\\"4624\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(226,115,0,1)\",\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4672\\\"\"},\"id\":\"7560ee50-685f-11ea-8d46-c19e41702dd4\",\"label\":\"Admin logons\"},{\"color\":\"rgba(164,221,243,1)\",\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4624\\\"\"},\"id\":\"80e7fb10-685f-11ea-8d46-c19e41702dd4\",\"label\":\"Logon Events\"}],\"split_mode\":\"filters\",\"stacked\":\"none\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"Logon Events Timeline [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-a909b930-685f-11ea-896f-0d70f7ec3956", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.0/kibana/visualization/system-aa31c9d0-9b75-11ea-87e4-49f31ec44891.json b/packages/system/0.11.0/kibana/visualization/system-aa31c9d0-9b75-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 1dc4eee51a..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-aa31c9d0-9b75-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "User Management Events - Affected Users vs Actions - Heatmap [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Target User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Blues\",\"colorsNumber\":4,\"colorsRange\":[],\"enableHover\":false,\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"type\":\"heatmap\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"black\",\"overwriteColor\":false,\"rotate\":0,\"show\":true},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"User Management Events - Affected Users vs Actions - Heatmap [Windows System Security]\",\"type\":\"heatmap\"}" - }, - "id": "windows-aa31c9d0-9b75-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - 
"name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-ab2d1e90-1b1a-11e7-b09e-037021c4f8df.json b/packages/system/0.11.0/kibana/visualization/system-ab2d1e90-1b1a-11e7-b09e-037021c4f8df.json deleted file mode 100644 index 2dd21f0794..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-ab2d1e90-1b1a-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "CPU Usage [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.cpu\\\"\"},\"id\":\"80a04950-1b19-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"80a04951-1b19-11e7-b09e-037021c4f8df\",\"label\":\"user\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.user.pct\",\"id\":\"80a04952-1b19-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(211,49,21,1)\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"993acf30-1b19-11e7-b09e-037021c4f8df\",\"label\":\"system\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.system.pct\",\"id\":\"993acf31-1b19-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(123,100,255,1)\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"65ca35e0-1b1a-11e7-b09e-037021c4f8df\",\"label\":\"nice\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.nice.pct\",\"id\":\"65ca5cf0-1b1a-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(226,
115,0,1)\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"741b5f20-1b1a-11e7-b09e-037021c4f8df\",\"label\":\"irq\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.irq.pct\",\"id\":\"741b5f21-1b1a-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(176,188,0,1)\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"2efc5d40-1b1a-11e7-b09e-037021c4f8df\",\"label\":\"softirq\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.softirq.pct\",\"id\":\"2efc5d41-1b1a-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(15,20,25,1)\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"ae644a30-1b19-11e7-b09e-037021c4f8df\",\"label\":\"iowait\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.iowait.pct\",\"id\":\"ae644a31-1b19-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"CPU Usage [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-ab2d1e90-1b1a-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-ab6f8d80-bce8-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.11.0/kibana/visualization/system-ab6f8d80-bce8-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index b6cba2acef..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-ab6f8d80-bce8-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4767\"],\"type\":\"phrases\",\"value\":\"4767\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4767\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Unlocked Users - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Users Unlocks\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Unlocked Users - Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-ab6f8d80-bce8-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": 
"visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-abd44840-9c0f-11ea-87e4-49f31ec44891.json b/packages/system/0.11.0/kibana/visualization/system-abd44840-9c0f-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 054ff48881..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-abd44840-9c0f-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4624\",\"4672\"],\"type\":\"phrases\",\"value\":\"4624, 4672\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4624\"}},{\"match_phrase\":{\"event.code\":\"4672\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Logon Events in Time - Simple [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Admin Logons\":\"#E24D42\",\"Logon Events\":\"#447EBC\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"2020-05-20T07:35:27.496Z\",\"to\":\"2020-05-22T00:01:10.239Z\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"filters\":[{\"input\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4624\\\" \"},\"label\":\"Logon Events\"},{\"input\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4672\\\" \"},\"label\":\"Admin 
Logons\"}]},\"schema\":\"group\",\"type\":\"filters\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Logon Events in Time - Simple [Windows System Security]\",\"type\":\"line\"}" - }, - "id": "windows-abd44840-9c0f-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-abf96c10-bcea-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.11.0/kibana/visualization/system-abf96c10-bcea-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index a9023084a8..0000000000 
--- a/packages/system/0.11.0/kibana/visualization/system-abf96c10-bcea-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4738\"},\"type\":\"phrase\",\"value\":\"4738\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4738\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Changes Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Changed User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Changes Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-abf96c10-bcea-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-b5f38780-fee6-11e9-8405-516218e3d268.json b/packages/system/0.11.0/kibana/visualization/system-b5f38780-fee6-11e9-8405-516218e3d268.json deleted file mode 100644 index a5489335cf..0000000000 
--- a/packages/system/0.11.0/kibana/visualization/system-b5f38780-fee6-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4735\",\"4737\",\"4755\",\"4750\",\"4760\",\"4745\",\"4791\",\"4784\",\"4764\"],\"type\":\"phrases\",\"value\":\"4735, 4737, 4755, 4750, 4760, 4745, 4791, 4784, 4764\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4735\"}},{\"match_phrase\":{\"event.code\":\"4737\"}},{\"match_phrase\":{\"event.code\":\"4755\"}},{\"match_phrase\":{\"event.code\":\"4750\"}},{\"match_phrase\":{\"event.code\":\"4760\"}},{\"match_phrase\":{\"event.code\":\"4745\"}},{\"match_phrase\":{\"event.code\":\"4791\"}},{\"match_phrase\":{\"event.code\":\"4784\"}},{\"match_phrase\":{\"event.code\":\"4764\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Groups Changes - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Groups Changed\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Yellow to 
Red\",\"colorsRange\":[{\"from\":0,\"to\":1,\"type\":\"range\"},{\"from\":1,\"to\":5},{\"from\":5,\"to\":10},{\"from\":10,\"to\":15},{\"from\":15,\"to\":20},{\"from\":20,\"to\":100000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"Labels\",\"percentageMode\":false,\"style\":{\"bgColor\":true,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Groups Changes - Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-b5f38780-fee6-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-b89b0c90-9b41-11ea-87e4-49f31ec44891.json b/packages/system/0.11.0/kibana/visualization/system-b89b0c90-9b41-11ea-87e4-49f31ec44891.json deleted file mode 100644 index b3357604ea..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-b89b0c90-9b41-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Group Management Events - Event Actions [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Group Management Events - Event Actions [Windows System Security]\",\"type\":\"pie\"}" - }, - "id": "windows-b89b0c90-9b41-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-bb9cf7a0-f49d-11e9-8405-516218e3d268.json b/packages/system/0.11.0/kibana/visualization/system-bb9cf7a0-f49d-11e9-8405-516218e3d268.json deleted file mode 100644 index b3122f32a9..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-bb9cf7a0-f49d-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4734\",\"4730\",\"4758\",\"4748\",\"4763\",\"4753\",\"4792\",\"4789\"],\"type\":\"phrases\",\"value\":\"4734, 4730, 4758, 4748, 4763, 4753, 4792, 4789\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4734\"}},{\"match_phrase\":{\"event.code\":\"4730\"}},{\"match_phrase\":{\"event.code\":\"4758\"}},{\"match_phrase\":{\"event.code\":\"4748\"}},{\"match_phrase\":{\"event.code\":\"4763\"}},{\"match_phrase\":{\"event.code\":\"4753\"}},{\"match_phrase\":{\"event.code\":\"4792\"}},{\"match_phrase\":{\"event.code\":\"4789\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Groups Deleted - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Group\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"group.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Performer 
LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":4,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":5,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Groups Deleted - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-bb9cf7a0-f49d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.0/kibana/visualization/system-bc165210-f4b8-11e9-8405-516218e3d268.json b/packages/system/0.11.0/kibana/visualization/system-bc165210-f4b8-11e9-8405-516218e3d268.json deleted file mode 100644 index 04eba5572b..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-bc165210-f4b8-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4799\"],\"type\":\"phrases\",\"value\":\"4799\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4799\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Group Enumeration - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Group\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"group.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Creator\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Creator 
LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":4,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":5,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Group Enumeration - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-bc165210-f4b8-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.0/kibana/visualization/system-bf45dc50-ff1a-11e9-8405-516218e3d268.json b/packages/system/0.11.0/kibana/visualization/system-bf45dc50-ff1a-11e9-8405-516218e3d268.json deleted file mode 100644 index cfa442464c..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-bf45dc50-ff1a-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Enabled - TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(203,142,136,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4722\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Enabled\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Enabled - TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-bf45dc50-ff1a-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.0/kibana/visualization/system-bfa5e400-1b16-11e7-b09e-037021c4f8df.json b/packages/system/0.11.0/kibana/visualization/system-bfa5e400-1b16-11e7-b09e-037021c4f8df.json deleted file mode 100644 index 50aa47d6d7..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-bfa5e400-1b16-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Memory Usage [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.memory\\\"\"},\"id\":\"32f46f40-1b16-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(211,49,21,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"4ff61fd0-1b16-11e7-b09e-037021c4f8df\",\"label\":\"Used\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.actual.used.bytes\",\"id\":\"4ff61fd1-1b16-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"753a6080-1b16-11e7-b09e-037021c4f8df\",\"label\":\"Cache\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.actual.used.bytes\",\"id\":\"753a6081-1b16-11e7-b09e-037021c4f8df\",\"type\":\"avg\"},{\"field\":\"system.memory.used.bytes\",\"id\":\"7c9d3f00-1b16-11e7-b09e-037021c4f8df\",\"type\":\"avg\"},{\"id\":\"869cc160-1b16-11e7-b09e-037021c4f8df\",\"script\":\"params.actual != null \\u0026\\u0026 params.used != null ? 
params.used - params.actual : null\",\"type\":\"calculation\",\"variables\":[{\"field\":\"753a6081-1b16-11e7-b09e-037021c4f8df\",\"id\":\"890f9620-1b16-11e7-b09e-037021c4f8df\",\"name\":\"actual\"},{\"field\":\"7c9d3f00-1b16-11e7-b09e-037021c4f8df\",\"id\":\"8f3ab7f0-1b16-11e7-b09e-037021c4f8df\",\"name\":\"used\"}]}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"32f46f41-1b16-11e7-b09e-037021c4f8df\",\"label\":\"Free\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.free\",\"id\":\"32f46f42-1b16-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"Memory Usage [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-bfa5e400-1b16-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-c2ea73f0-a4bd-11e9-a422-d144027429da.json b/packages/system/0.11.0/kibana/visualization/system-c2ea73f0-a4bd-11e9-a422-d144027429da.json deleted file mode 100644 index a5502e1ded..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-c2ea73f0-a4bd-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Failed Logon and Account Lockout [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":10,\"markdown\":\"### **Failed Logons and Account Lockouts**\",\"openLinksInNewTab\":false},\"title\":\"Failed Logon and Account Lockout [Windows System Security]\",\"type\":\"markdown\"}" - }, - "id": "windows-c2ea73f0-a4bd-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-c359b020-bcdd-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.11.0/kibana/visualization/system-c359b020-bcdd-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index e3028daa19..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-c359b020-bcdd-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4726\"},\"type\":\"phrase\",\"value\":\"4726\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4726\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Deleted - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Deleted Users\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Deleted - Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-c359b020-bcdd-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ 
No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-c5e3cf90-4d60-11e7-9a4c-ed99bbcaa42b.json b/packages/system/0.11.0/kibana/visualization/system-c5e3cf90-4d60-11e7-9a4c-ed99bbcaa42b.json deleted file mode 100644 index bbdd02df29..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-c5e3cf90-4d60-11e7-9a4c-ed99bbcaa42b.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Interfaces by Outgoing traffic [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"id\":\"9db20be0-4d60-11e7-9a4c-ed99bbcaa42b\"}],\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.network\\\"\"},\"id\":\"9cdba910-4d60-11e7-9a4c-ed99bbcaa42b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"9cdba911-4d60-11e7-9a4c-ed99bbcaa42b\",\"label\":\"Interfaces by Outgoing traffic\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.out.bytes\",\"id\":\"9cdba912-4d60-11e7-9a4c-ed99bbcaa42b\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"terms_order_by\":\"9cdba912-4d60-11e7-9a4c-ed99bbcaa42b\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Interfaces by Outgoing traffic [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-c5e3cf90-4d60-11e7-9a4c-ed99bbcaa42b", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.0/kibana/visualization/system-c6f2ffd0-4d17-11e7-a196-69b9a7a020a9.json b/packages/system/0.11.0/kibana/visualization/system-c6f2ffd0-4d17-11e7-a196-69b9a7a020a9.json deleted file mode 100644 index a781526538..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-c6f2ffd0-4d17-11e7-a196-69b9a7a020a9.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Number of hosts [Metrics System]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Number of hosts\",\"field\":\"host.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":false},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"63\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"type\":\"gauge\"},\"title\":\"Number of hosts [Metrics System]\",\"type\":\"metric\"}" - }, - "id": "system-c6f2ffd0-4d17-11e7-a196-69b9a7a020a9", - "references": [ - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.0/kibana/visualization/system-c9d959f0-ff1d-11e9-8405-516218e3d268.json b/packages/system/0.11.0/kibana/visualization/system-c9d959f0-ff1d-11e9-8405-516218e3d268.json deleted file mode 100644 index 40d898c6e3..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-c9d959f0-ff1d-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Changes TS VB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(221,186,64,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4738\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Changes\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Changes TS VB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-c9d959f0-ff1d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.0/kibana/visualization/system-caf4d2b0-9b76-11ea-87e4-49f31ec44891.json b/packages/system/0.11.0/kibana/visualization/system-caf4d2b0-9b76-11ea-87e4-49f31ec44891.json deleted file mode 100644 index f179ea214d..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-caf4d2b0-9b76-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Event Distribution in time [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-7d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"p
osition\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Event Distribution in time [Windows System Security]\",\"type\":\"histogram\"}" - }, - "id": "windows-caf4d2b0-9b76-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-ce867840-f49e-11e9-8405-516218e3d268.json b/packages/system/0.11.0/kibana/visualization/system-ce867840-f49e-11e9-8405-516218e3d268.json deleted file mode 100644 index 7ff817a3ea..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-ce867840-f49e-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4732\",\"4728\",\"4756\",\"4751\",\"4761\",\"4746\",\"4785\",\"4787\"],\"type\":\"phrases\",\"value\":\"4732, 4728, 4756, 4751, 4761, 4746, 4785, 4787\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4732\"}},{\"match_phrase\":{\"event.code\":\"4728\"}},{\"match_phrase\":{\"event.code\":\"4756\"}},{\"match_phrase\":{\"event.code\":\"4751\"}},{\"match_phrase\":{\"event.code\":\"4761\"}},{\"match_phrase\":{\"event.code\":\"4746\"}},{\"match_phrase\":{\"event.code\":\"4785\"}},{\"match_phrase\":{\"event.code\":\"4787\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Added - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"User\",\"field\":\"winlog.event_data.MemberName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Group\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"group.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Performed by Logon 
ID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":4,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":5,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":5,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Added - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-ce867840-f49e-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No 
newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-d16bb400-f9cc-11e6-8115-a7c18106d86a.json b/packages/system/0.11.0/kibana/visualization/system-d16bb400-f9cc-11e6-8115-a7c18106d86a.json deleted file mode 100644 index 7d3a140c7b..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-d16bb400-f9cc-11e6-8115-a7c18106d86a.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.ssh.event:Accepted\"}}" - }, - "title": "Successful SSH logins [Logs System]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Accepted\":\"#3F6833\",\"Failed\":\"#F9934E\",\"Invalid\":\"#447EBC\",\"password\":\"#BF1B00\",\"publickey\":\"#629E51\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"system.auth.ssh.method\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"Successful SSH logins\",\"type\":\"histogram\"}" - }, - "id": "system-d16bb400-f9cc-11e6-8115-a7c18106d86a", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.0/kibana/visualization/system-d2e80340-4d5c-11e7-aa29-87a97a796de6.json b/packages/system/0.11.0/kibana/visualization/system-d2e80340-4d5c-11e7-aa29-87a97a796de6.json deleted file mode 100644 index 409529a0d5..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-d2e80340-4d5c-11e7-aa29-87a97a796de6.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Memory usage vs total [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"6f7618b0-4d5c-11e7-aa29-87a97a796de6\"}],\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.memory\\\"\"},\"id\":\"6bc65720-4d5c-11e7-aa29-87a97a796de6\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"6bc65721-4d5c-11e7-aa29-87a97a796de6\",\"label\":\"Memory usage\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.actual.used.bytes\",\"id\":\"6bc65722-4d5c-11e7-aa29-87a97a796de6\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"b8fe6820-4d5c-11e7-aa29-87a97a796de6\",\"label\":\"Total Memory\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.total\",\"id\":\"b8fe6821-4d5c-11e7-aa29-87a97a796de6\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"metric\"},\"title\":\"Memory usage vs total\",\"type\":\"metrics\"}" - }, - "id": "system-d2e80340-4d5c-11e7-aa29-87a97a796de6", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.0/kibana/visualization/system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b.json b/packages/system/0.11.0/kibana/visualization/system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b.json deleted file mode 100644 index bc6234f906..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Memory Usage Gauge [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.memory\\\"\"},\"gauge_color_rules\":[{\"gauge\":\"rgba(104,188,0,1)\",\"id\":\"a0d522e0-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0},{\"gauge\":\"rgba(254,146,0,1)\",\"id\":\"b45ad8f0-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0.7},{\"gauge\":\"rgba(211,49,21,1)\",\"id\":\"c06e9550-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0.85}],\"gauge_inner_width\":10,\"gauge_max\":\"1\",\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"9f51b730-1b91-11e7-bec4-a5e9ec5cab8b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"9f51b731-1b91-11e7-bec4-a5e9ec5cab8b\",\"label\":\"Memory Usage\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.actual.used.pct\",\"id\":\"9f51b732-1b91-11e7-bec4-a5e9ec5cab8b\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\"},\"title\":\"Memory Usage Gauge [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.0/kibana/visualization/system-d3a5fec0-ff18-11e9-8405-516218e3d268.json b/packages/system/0.11.0/kibana/visualization/system-d3a5fec0-ff18-11e9-8405-516218e3d268.json
deleted file mode 100644
index 4fbf0e757e..0000000000
--- a/packages/system/0.11.0/kibana/visualization/system-d3a5fec0-ff18-11e9-8405-516218e3d268.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Created - TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(181,99,93,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4720\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Created\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Created - TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-d3a5fec0-ff18-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.0/kibana/visualization/system-d56ee420-fa79-11e6-a1df-a78bd7504d38.json b/packages/system/0.11.0/kibana/visualization/system-d56ee420-fa79-11e6-a1df-a78bd7504d38.json deleted file mode 100644 index 4a1a669662..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-d56ee420-fa79-11e6-a1df-a78bd7504d38.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New users by home directory [Logs System]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"/bin/bash\":\"#E24D42\",\"/bin/false\":\"#508642\",\"/nonexistent\":\"#629E51\",\"/sbin/nologin\":\"#7EB26D\"},\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"system.auth.useradd.home\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":false,\"legendPosition\":\"right\"},\"title\":\"New users by home directory\",\"type\":\"pie\"}" - }, - "id": "system-d56ee420-fa79-11e6-a1df-a78bd7504d38", - "references": [ - { - "id": "system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-d770b040-9b35-11ea-87e4-49f31ec44891.json b/packages/system/0.11.0/kibana/visualization/system-d770b040-9b35-11ea-87e4-49f31ec44891.json deleted file mode 100644 index be99e9e1a7..0000000000 
--- a/packages/system/0.11.0/kibana/visualization/system-d770b040-9b35-11ea-87e4-49f31ec44891.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system OR data_stream.dataset:system.application OR data_stream.dataset:system.security OR data_stream.dataset:system.system)\"}}" - }, - "title": "Dashboard links - Simple [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"[Windows General Dashboard](#/dashboard/Windows-Dashboard) | [User Logon Information](#/dashboard/windows-035846a0-a249-11e9-a422-d144027429da?) | [Logon failed and Account Lockout](#/dashboard/windows-f49f3170-9ffc-11ea-87e4-49f31ec44891) | [User Management Events](#/dashboard/windows-8223bed0-b9e9-11e9-b6a2-c9b4015c4baf) | [Group Management Events](#/dashboard/windows-01c54730-fee6-11e9-8405-516218e3d268)\",\"openLinksInNewTab\":false},\"title\":\"Dashboard links - Simple [Windows System Security]\",\"type\":\"markdown\"}" - }, - "id": "windows-d770b040-9b35-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-da2110c0-bcea-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.11.0/kibana/visualization/system-da2110c0-bcea-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 29b2307260..0000000000 
--- a/packages/system/0.11.0/kibana/visualization/system-da2110c0-bcea-11e9-b6a2-c9b4015c4baf.json
+++ /dev/null
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4767\"},\"type\":\"phrase\",\"value\":\"4767\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4767\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Unlocked Users - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Unlocked User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
Logonid\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Unlocked Users - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-da2110c0-bcea-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.11.0/kibana/visualization/system-da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 27533dc793..0000000000 
--- a/packages/system/0.11.0/kibana/visualization/system-da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf.json
+++ /dev/null
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4723\",\"4724\"],\"type\":\"phrases\",\"value\":\"4723, 4724\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4723\"}},{\"match_phrase\":{\"event.code\":\"4724\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Password Changes - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Password Change to\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Password Changes - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-dc589770-fa2b-11e6-bbd3-29c986c96e5a.json b/packages/system/0.11.0/kibana/visualization/system-dc589770-fa2b-11e6-bbd3-29c986c96e5a.json deleted file mode 100644 index 16dd4ec2e5..0000000000 
--- a/packages/system/0.11.0/kibana/visualization/system-dc589770-fa2b-11e6-bbd3-29c986c96e5a.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top sudo commands [Logs System]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"system.auth.sudo.command\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.auth\\\"\"},\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top sudo commands\",\"type\":\"table\"}" - }, - "id": "system-dc589770-fa2b-11e6-bbd3-29c986c96e5a", - "references": [ - { - "id": "system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-e0f001c0-1b18-11e7-b09e-037021c4f8df.json b/packages/system/0.11.0/kibana/visualization/system-e0f001c0-1b18-11e7-b09e-037021c4f8df.json deleted file mode 100644 index 0de4eae928..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-e0f001c0-1b18-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Top Processes By CPU [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"bar_color\":\"rgba(104,188,0,1)\",\"id\":\"60e11be0-1b18-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0}],\"drilldown_url\":\"\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.process\\\"\"},\"id\":\"5f5b8d50-1b18-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"5f5b8d51-1b18-11e7-b09e-037021c4f8df\",\"line_width\":1,\"metrics\":[{\"field\":\"system.process.cpu.total.pct\",\"id\":\"5f5b8d52-1b18-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"process.name\",\"terms_order_by\":\"5f5b8d52-1b18-11e7-b09e-037021c4f8df\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Top Processes By CPU [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-e0f001c0-1b18-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-e121b140-fa78-11e6-a1df-a78bd7504d38.json b/packages/system/0.11.0/kibana/visualization/system-e121b140-fa78-11e6-a1df-a78bd7504d38.json deleted file mode 100644 index 8bc2dd67ee..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-e121b140-fa78-11e6-a1df-a78bd7504d38.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New users by shell [Logs System]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"/bin/bash\":\"#E24D42\",\"/bin/false\":\"#508642\",\"/sbin/nologin\":\"#7EB26D\"},\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"system.auth.useradd.shell\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.auth\\\"\"},\"isDonut\":false,\"legendPosition\":\"right\"},\"title\":\"New users by shell\",\"type\":\"pie\"}" - }, - "id": "system-e121b140-fa78-11e6-a1df-a78bd7504d38", - "references": [ - { - "id": "system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-e20c02d0-9b48-11ea-87e4-49f31ec44891.json b/packages/system/0.11.0/kibana/visualization/system-e20c02d0-9b48-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 8b24cd66d5..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-e20c02d0-9b48-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Group Management Events - Groups vs Actions - Heatmap [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Target Groups\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Actions\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Blues\",\"colorsNumber\":4,\"colorsRange\":[],\"enableHover\":false,\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"type\":\"heatmap\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"black\",\"overwriteColor\":false,\"rotate\":0,\"show\":true},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Group Management Events - Groups vs Actions - Heatmap [Windows System Security]\",\"type\":\"heatmap\"}" - }, - "id": "windows-e20c02d0-9b48-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": 
"search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-e22c6f40-f498-11e9-8405-516218e3d268.json b/packages/system/0.11.0/kibana/visualization/system-e22c6f40-f498-11e9-8405-516218e3d268.json deleted file mode 100644 index fa97c1bb70..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-e22c6f40-f498-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Groups Deleted TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(200,201,197,1)\",\"id\":\"bfcaced0-f419-11e9-928e-8f5fd2b6c66e\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(228,155,75,1)\",\"id\":\"a7d935e0-f497-11e9-928e-8f5fd2b6c66e\",\"operator\":\"gt\",\"value\":0}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code:4734 OR event.code:4730 OR event.code:4758 OR event.code:4753 OR event.code:4763 OR event.code:4748 OR event.code:4789 OR event.code:4792\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Groups Deleted\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Groups Deleted TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-e22c6f40-f498-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.0/kibana/visualization/system-e2516c10-a249-11e9-a422-d144027429da.json b/packages/system/0.11.0/kibana/visualization/system-e2516c10-a249-11e9-a422-d144027429da.json
deleted file mode 100644
index de6a2d6e79..0000000000
--- a/packages/system/0.11.0/kibana/visualization/system-e2516c10-a249-11e9-a422-d144027429da.json
+++ /dev/null
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4672\"},\"type\":\"phrase\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4672\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Administrator Users [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"winlog.logon.id\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"label\":\"user.name: Descending\",\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"cardinality\",\"format\":{\"id\":\"number\"},\"label\":\"Unique count of winlog.logon.id\",\"params\":{}}},\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"bottom\",\"type\":\"pie\"},\"title\":\"Administrator Users [Windows System Security]\",\"type\":\"pie\"}" - 
}, - "id": "windows-e2516c10-a249-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.11.0/kibana/visualization/system-ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 92704f61b4..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4726\"},\"type\":\"phrase\",\"value\":\"4726\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4726\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Deleted - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Deleted User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performed 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Deleted - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-ee292bc0-f499-11e9-8405-516218e3d268.json b/packages/system/0.11.0/kibana/visualization/system-ee292bc0-f499-11e9-8405-516218e3d268.json deleted file mode 100644 index 9fe3b6d974..0000000000 
--- a/packages/system/0.11.0/kibana/visualization/system-ee292bc0-f499-11e9-8405-516218e3d268.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Groups Created TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(200,201,197,1)\",\"id\":\"bfcaced0-f419-11e9-928e-8f5fd2b6c66e\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(181,99,93,1)\",\"id\":\"a7d935e0-f497-11e9-928e-8f5fd2b6c66e\",\"operator\":\"gt\",\"value\":0}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code:4731 OR event.code:4727 OR event.code:\\\"4754\\\" OR event.code:\\\"4749\\\" OR event.code:\\\"4759\\\" OR event.code:\\\"4744\\\" OR event.code:\\\"4783\\\" OR event.code:\\\"4790\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Groups Created\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Groups Created TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-ee292bc0-f499-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.0/kibana/visualization/system-f398d2f0-fa77-11e6-ae9b-81e5311e8cab.json b/packages/system/0.11.0/kibana/visualization/system-f398d2f0-fa77-11e6-ae9b-81e5311e8cab.json deleted file mode 100644 index 485b755000..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-f398d2f0-fa77-11e6-ae9b-81e5311e8cab.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New users [Logs System]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Host\",\"field\":\"host.hostname\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"User\",\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"UID\",\"field\":\"user.id\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"GID\",\"field\":\"group.id\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Home\",\"field\":\"system.auth.useradd.home\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"Shell\",\"field\":\"system.auth.useradd.shell\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.auth\\\"\"},\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"New users\",\"type\":\"table\"}" - }, - "id": "system-f398d2f0-fa77-11e6-ae9b-81e5311e8cab", - "references": [ - { - "id": 
"system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-f42f3b20-fee6-11e9-8405-516218e3d268.json b/packages/system/0.11.0/kibana/visualization/system-f42f3b20-fee6-11e9-8405-516218e3d268.json deleted file mode 100644 index be6236125f..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-f42f3b20-fee6-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4731\",\"4727\",\"4754\",\"4744\",\"4759\",\"4779\",\"4790\",\"4783\"],\"type\":\"phrases\",\"value\":\"4731, 4727, 4754, 4744, 4759, 4779, 4790, 4783\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4731\"}},{\"match_phrase\":{\"event.code\":\"4727\"}},{\"match_phrase\":{\"event.code\":\"4754\"}},{\"match_phrase\":{\"event.code\":\"4744\"}},{\"match_phrase\":{\"event.code\":\"4759\"}},{\"match_phrase\":{\"event.code\":\"4779\"}},{\"match_phrase\":{\"event.code\":\"4790\"}},{\"match_phrase\":{\"event.code\":\"4783\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Groups Created - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Groups Created\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Reds\",\"colorsRange\":[{\"from\":0,\"to\":1,\"type\":\"range\"},{\"from\":1,\"to\":10},{\"from\":10,\"to\":20},{\"from\":20,\"to\":9999}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"Labels\",\"percentageMode\":false,\"style\":{\"bgColor\":true,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Groups Created - 
Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-f42f3b20-fee6-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-fa876300-231a-11ea-8405-516218e3d268.json b/packages/system/0.11.0/kibana/visualization/system-fa876300-231a-11ea-8405-516218e3d268.json deleted file mode 100644 index 48a9eef8da..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-fa876300-231a-11ea-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4781\"},\"type\":\"phrase\",\"value\":\"4781\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4781\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Renamed - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Old User Name\",\"field\":\"winlog.event_data.OldTargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Renamed - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-fa876300-231a-11ea-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-fe064790-1b1f-11e7-bec4-a5e9ec5cab8b.json b/packages/system/0.11.0/kibana/visualization/system-fe064790-1b1f-11e7-bec4-a5e9ec5cab8b.json deleted file mode 100644 index 86576781aa..0000000000 
--- a/packages/system/0.11.0/kibana/visualization/system-fe064790-1b1f-11e7-bec4-a5e9ec5cab8b.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Top Hosts By Memory (Realtime) [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"bar_color\":\"rgba(104,188,0,1)\",\"id\":\"33349dd0-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0},{\"bar_color\":\"rgba(254,146,0,1)\",\"id\":\"997dc440-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.6},{\"bar_color\":\"rgba(211,49,21,1)\",\"id\":\"a10d7f20-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.85}],\"drilldown_url\":\"../app/kibana#/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8?_a=(query:(language:kuery,query:'host.name:\\\"{{key}}\\\"'))\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.memory\\\"\"},\"id\":\"31e5afa0-1b1c-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"31e5afa1-1b1c-11e7-b09e-037021c4f8df\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.actual.used.pct\",\"id\":\"31e5afa2-1b1c-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"host.name\",\"terms_order_by\":\"31e5afa2-1b1c-11e7-b09e-037021c4f8df\",\"terms_size\":\"10\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Top Hosts By Memory (Realtime) [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-fe064790-1b1f-11e7-bec4-a5e9ec5cab8b", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.0/kibana/visualization/system-fee83900-f49f-11e9-8405-516218e3d268.json b/packages/system/0.11.0/kibana/visualization/system-fee83900-f49f-11e9-8405-516218e3d268.json deleted file mode 100644 index 4ca79e5282..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-fee83900-f49f-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4733\",\"4729\",\"4757\",\"4786\",\"4788\",\"4752\",\"4762\",\"4747\"],\"type\":\"phrases\",\"value\":\"4733, 4729, 4757, 4786, 4788, 4752, 4762, 4747\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4733\"}},{\"match_phrase\":{\"event.code\":\"4729\"}},{\"match_phrase\":{\"event.code\":\"4757\"}},{\"match_phrase\":{\"event.code\":\"4786\"}},{\"match_phrase\":{\"event.code\":\"4788\"}},{\"match_phrase\":{\"event.code\":\"4752\"}},{\"match_phrase\":{\"event.code\":\"4762\"}},{\"match_phrase\":{\"event.code\":\"4747\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Removed from Group - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"User\",\"field\":\"winlog.event_data.MemberName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Group\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"group.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Performed by Logon 
ID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":4,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":5,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":5,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Removed from Group - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-fee83900-f49f-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": 
"visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.0/kibana/visualization/system-ffebe440-f419-11e9-8405-516218e3d268.json b/packages/system/0.11.0/kibana/visualization/system-ffebe440-f419-11e9-8405-516218e3d268.json deleted file mode 100644 index a4964edb78..0000000000 --- a/packages/system/0.11.0/kibana/visualization/system-ffebe440-f419-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Added - Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"bfcaced0-f419-11e9-928e-8f5fd2b6c66e\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(181,99,93,1)\",\"id\":\"a7d935e0-f497-11e9-928e-8f5fd2b6c66e\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code:4732 OR event.code:4728 OR event.code:4756 OR event.code:4751 OR event.code:4761 OR event.code:4746 OR event.code:4785 OR event.code:4787\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Added to Group\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Added - Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-ffebe440-f419-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.0/manifest.yml b/packages/system/0.11.0/manifest.yml deleted file mode 100644 index ca90ddf438..0000000000 --- a/packages/system/0.11.0/manifest.yml +++ /dev/null @@ -1,51 +0,0 @@ -format_version: 1.0.0 -name: system -title: System -version: 0.11.0 -license: basic -description: System Integration -type: integration -categories: - - os_system - - security -release: beta -conditions: - kibana.version: '^7.11.0' -screenshots: - - src: /img/kibana-system.png - title: kibana system - size: 1220x852 - type: image/png - - src: /img/metricbeat_system_dashboard.png - title: metricbeat system dashboard - size: 2097x1933 - type: image/png -icons: - - src: /img/system.svg - title: system - size: 1000x1000 - type: image/svg+xml -policy_templates: - - name: system - title: System logs and metrics - description: Collect logs and metrics from System instances - inputs: - - type: logfile - title: Collect logs from System instances - description: Collecting System auth and syslog logs - - type: winlog - title: 'Collect events from the Windows event log' - description: 'Collecting events from Windows event log' - - type: system/metrics - title: Collect metrics from System instances - description: Collecting System core, CPU, diskio, entropy, filesystem, fsstat, load, memory, network, Network Summary, process, Process Summary, raid, service, socket, Socket Summary, uptime and users metrics - vars: - - name: system.hostfs - type: text - title: Proc Filesystem Directory - multi: false - required: false - show_user: true - description: The proc filesystem base directory. -owner: - github: elastic/integrations-services diff --git a/packages/system/0.11.2/changelog.yml b/packages/system/0.11.2/changelog.yml deleted file mode 100644 index 496442d467..0000000000 --- a/packages/system/0.11.2/changelog.yml +++ /dev/null 
@@ -1,16 +0,0 @@ -# newer versions go on top -- version: "0.11.2" - changes: - - description: Update security data stream - type: bugfix # can be one of: enhancement, bugfix, breaking-change - link: https://github.com/elastic/integrations/pull/728 -- version: "0.11.1" # unreleased - changes: - - description: remove duplicate ingest pipeline for syslog data stream - type: bugfix - link: https://github.com/elastic/integrations/pull/725 -- version: "0.0.3" - changes: - - description: initial release - type: enhancement # can be one of: enhancement, bugfix, breaking-change - link: https://github.com/elastic/integrations/pull/8 diff --git a/packages/system/0.11.2/data_stream/application/agent/stream/winlog.yml.hbs b/packages/system/0.11.2/data_stream/application/agent/stream/winlog.yml.hbs deleted file mode 100644 index e207b9ffd6..0000000000 --- a/packages/system/0.11.2/data_stream/application/agent/stream/winlog.yml.hbs +++ /dev/null @@ -1,3 +0,0 @@ -name: Application -condition: ${host.platform} == 'windows' -ignore_older: 72h \ No newline at end of file diff --git a/packages/system/0.11.2/data_stream/application/elasticsearch/ingest_pipeline/default.yml b/packages/system/0.11.2/data_stream/application/elasticsearch/ingest_pipeline/default.yml deleted file mode 100644 index d239ad095f..0000000000 --- a/packages/system/0.11.2/data_stream/application/elasticsearch/ingest_pipeline/default.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- - description: Pipeline for Windows Application Event Logs - processors: - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' - on_failure: - - set: - field: "error.message" - value: "{{ _ingest.on_failure_message }}" \ No newline at end of file diff --git a/packages/system/0.11.2/data_stream/application/fields/agent.yml b/packages/system/0.11.2/data_stream/application/fields/agent.yml deleted file mode 100644 index da4e652c53..0000000000 --- a/packages/system/0.11.2/data_stream/application/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.11.2/data_stream/application/fields/base-fields.yml b/packages/system/0.11.2/data_stream/application/fields/base-fields.yml deleted file mode 100644 index 7c798f4534..0000000000 --- a/packages/system/0.11.2/data_stream/application/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.11.2/data_stream/application/fields/ecs.yml b/packages/system/0.11.2/data_stream/application/fields/ecs.yml deleted file mode 100644 index f283f085b0..0000000000 --- a/packages/system/0.11.2/data_stream/application/fields/ecs.yml +++ /dev/null @@ -1,21 +0,0 @@ -- description: Time when the event was first read by an agent or by your pipeline. - example: '2016-05-23T08:05:34.857Z' - name: event.created - type: date -- description: Timestamp when an event arrived in the central data store. - example: '2016-05-23T08:05:35.101Z' - name: event.ingested - type: date -- description: Raw text message of entire event. - example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 - ignore_above: 1024 - name: event.original - type: keyword -- description: Error message. - name: error.message - type: text -- description: Identification code for this event. - example: 4648 - ignore_above: 1024 - name: event.code - type: keyword diff --git a/packages/system/0.11.2/data_stream/application/fields/winlog.yml b/packages/system/0.11.2/data_stream/application/fields/winlog.yml deleted file mode 100644 index adca1bbdd0..0000000000 --- a/packages/system/0.11.2/data_stream/application/fields/winlog.yml +++ /dev/null 
@@ -1,357 +0,0 @@ -- name: winlog - type: group - description: > - All fields specific to the Windows Event Log are defined here. - - fields: - - name: api - required: true - type: keyword - description: > - The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. - - - name: activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. - - - name: computer_name - type: keyword - required: true - description: > - The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. - - - name: event_data - type: object - object_type: keyword - required: false - description: > - The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. - - - name: event_data - type: group - description: > - This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs. 
- - fields: - - name: AuthenticationPackageName - type: keyword - - name: Binary - type: keyword - - name: BitlockerUserInputTime - type: keyword - - name: BootMode - type: keyword - - name: BootType - type: keyword - - name: BuildVersion - type: keyword - - name: Company - type: keyword - - name: CorruptionActionState - type: keyword - - name: CreationUtcTime - type: keyword - - name: Description - type: keyword - - name: Detail - type: keyword - - name: DeviceName - type: keyword - - name: DeviceNameLength - type: keyword - - name: DeviceTime - type: keyword - - name: DeviceVersionMajor - type: keyword - - name: DeviceVersionMinor - type: keyword - - name: DriveName - type: keyword - - name: DriverName - type: keyword - - name: DriverNameLength - type: keyword - - name: DwordVal - type: keyword - - name: EntryCount - type: keyword - - name: ExtraInfo - type: keyword - - name: FailureName - type: keyword - - name: FailureNameLength - type: keyword - - name: FileVersion - type: keyword - - name: FinalStatus - type: keyword - - name: Group - type: keyword - - name: IdleImplementation - type: keyword - - name: IdleStateCount - type: keyword - - name: ImpersonationLevel - type: keyword - - name: IntegrityLevel - type: keyword - - name: IpAddress - type: keyword - - name: IpPort - type: keyword - - name: KeyLength - type: keyword - - name: LastBootGood - type: keyword - - name: LastShutdownGood - type: keyword - - name: LmPackageName - type: keyword - - name: LogonGuid - type: keyword - - name: LogonId - type: keyword - - name: LogonProcessName - type: keyword - - name: LogonType - type: keyword - - name: MajorVersion - type: keyword - - name: MaximumPerformancePercent - type: keyword - - name: MemberName - type: keyword - - name: MemberSid - type: keyword - - name: MinimumPerformancePercent - type: keyword - - name: MinimumThrottlePercent - type: keyword - - name: MinorVersion - type: keyword - - name: NewProcessId - type: keyword - - name: NewProcessName - type: 
keyword - - name: NewSchemeGuid - type: keyword - - name: NewTime - type: keyword - - name: NominalFrequency - type: keyword - - name: Number - type: keyword - - name: OldSchemeGuid - type: keyword - - name: OldTime - type: keyword - - name: OriginalFileName - type: keyword - - name: Path - type: keyword - - name: PerformanceImplementation - type: keyword - - name: PreviousCreationUtcTime - type: keyword - - name: PreviousTime - type: keyword - - name: PrivilegeList - type: keyword - - name: ProcessId - type: keyword - - name: ProcessName - type: keyword - - name: ProcessPath - type: keyword - - name: ProcessPid - type: keyword - - name: Product - type: keyword - - name: PuaCount - type: keyword - - name: PuaPolicyId - type: keyword - - name: QfeVersion - type: keyword - - name: Reason - type: keyword - - name: SchemaVersion - type: keyword - - name: ScriptBlockText - type: keyword - - name: ServiceName - type: keyword - - name: ServiceVersion - type: keyword - - name: ShutdownActionType - type: keyword - - name: ShutdownEventCode - type: keyword - - name: ShutdownReason - type: keyword - - name: Signature - type: keyword - - name: SignatureStatus - type: keyword - - name: Signed - type: keyword - - name: StartTime - type: keyword - - name: State - type: keyword - - name: Status - type: keyword - - name: StopTime - type: keyword - - name: SubjectDomainName - type: keyword - - name: SubjectLogonId - type: keyword - - name: SubjectUserName - type: keyword - - name: SubjectUserSid - type: keyword - - name: TSId - type: keyword - - name: TargetDomainName - type: keyword - - name: TargetInfo - type: keyword - - name: TargetLogonGuid - type: keyword - - name: TargetLogonId - type: keyword - - name: TargetServerName - type: keyword - - name: TargetUserName - type: keyword - - name: TargetUserSid - type: keyword - - name: TerminalSessionId - type: keyword - - name: TokenElevationType - type: keyword - - name: TransmittedServices - type: keyword - - name: UserSid - type: 
keyword - - name: Version - type: keyword - - name: Workstation - type: keyword - - name: param1 - type: keyword - - name: param2 - type: keyword - - name: param3 - type: keyword - - name: param4 - type: keyword - - name: param5 - type: keyword - - name: param6 - type: keyword - - name: param7 - type: keyword - - name: param8 - type: keyword - - name: event_id - type: keyword - required: true - description: > - The event identifier. The value is specific to the source of the event. - - - name: keywords - type: keyword - required: false - description: > - The keywords are used to classify an event. - - - name: channel - type: keyword - required: true - description: > - The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. - - - name: record_id - type: keyword - required: true - description: > - The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. - - - name: related_activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. - - - name: opcode - type: keyword - required: false - description: > - The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. - - - name: provider_guid - type: keyword - required: false - description: > - A globally unique identifier that identifies the provider that logged the event. - - - name: process.pid - type: long - required: false - description: > - The process_id of the Client Server Runtime Process. 
- - - name: provider_name - type: keyword - required: true - description: > - The source of the event log record (the application or service that logged the record). - - - name: task - type: keyword - required: false - description: > - The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. - - - name: process.thread.id - type: long - required: false - - name: user_data - type: object - object_type: keyword - required: false - description: > - The event specific data. This field is mutually exclusive with `event_data`. - - - name: user.identifier - type: keyword - required: false - example: S-1-5-21-3541430928-2051711210-1391384369-1001 - description: > - The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. - - - name: user.name - type: keyword - description: > - Name of the user associated with this event. - - - name: user.domain - type: keyword - required: false - description: > - The domain that the account associated with this event is a member of. - - - name: user.type - type: keyword - required: false - description: > - The type of account associated with this event. - - - name: version - type: long - required: false - description: The version number of the event's definition. diff --git a/packages/system/0.11.2/data_stream/application/manifest.yml b/packages/system/0.11.2/data_stream/application/manifest.yml deleted file mode 100644 index 4fab87c07c..0000000000 --- a/packages/system/0.11.2/data_stream/application/manifest.yml +++ /dev/null 
@@ -1,8 +0,0 @@ -type: logs -title: Windows Application Events -release: experimental -streams: - - input: winlog - template_path: winlog.yml.hbs - title: Application - description: 'Collect Windows application logs' diff --git a/packages/system/0.11.2/data_stream/auth/agent/stream/log.yml.hbs b/packages/system/0.11.2/data_stream/auth/agent/stream/log.yml.hbs deleted file mode 100644 index 83450e45ea..0000000000 --- a/packages/system/0.11.2/data_stream/auth/agent/stream/log.yml.hbs +++ /dev/null @@ -1,14 +0,0 @@ -paths: -{{#each paths as |path i|}} - - {{path}} -{{/each}} -exclude_files: [".gz$"] -multiline: - pattern: "^\\s" - match: after -processors: - - add_locale: ~ - - add_fields: - target: '' - fields: - ecs.version: 1.8.0 \ No newline at end of file diff --git a/packages/system/0.11.2/data_stream/auth/elasticsearch/ingest_pipeline/default.yml b/packages/system/0.11.2/data_stream/auth/elasticsearch/ingest_pipeline/default.yml deleted file mode 100644 index 7e825c58d1..0000000000 --- a/packages/system/0.11.2/data_stream/auth/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,202 +0,0 @@ ---- -description: Pipeline for parsing system authorisation/secure logs -processors: -- set: - field: event.ingested - value: '{{_ingest.timestamp}}' -- grok: - field: message - ignore_missing: true - pattern_definitions: - GREEDYMULTILINE: |- - (.| - )* - TIMESTAMP: (?:%{TIMESTAMP_ISO8601}|%{SYSLOGTIMESTAMP}) - patterns: - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - %{DATA:system.auth.ssh.event} %{DATA:system.auth.ssh.method} for (invalid user - )?%{DATA:user.name} from %{IPORHOST:source.ip} port %{NUMBER:source.port:long} - ssh2(: %{GREEDYDATA:system.auth.ssh.signature})?' - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - %{DATA:system.auth.ssh.event} user %{DATA:user.name} from %{IPORHOST:source.ip}' - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - Did not receive identification string from %{IPORHOST:system.auth.ssh.dropped_ip}' - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - \s*%{DATA:user.name} :( %{DATA:system.auth.sudo.error} ;)? TTY=%{DATA:system.auth.sudo.tty} - ; PWD=%{DATA:system.auth.sudo.pwd} ; USER=%{DATA:system.auth.sudo.user} ; COMMAND=%{GREEDYDATA:system.auth.sudo.command}' - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - new group: name=%{DATA:group.name}, GID=%{NUMBER:group.id}' - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - new user: name=%{DATA:user.name}, UID=%{NUMBER:user.id}, GID=%{NUMBER:group.id}, - home=%{DATA:system.auth.useradd.home}, shell=%{DATA:system.auth.useradd.shell}$' - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname}? 
%{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - %{GREEDYMULTILINE:system.auth.message}' -- remove: - field: message -- rename: - field: system.auth.message - target_field: message - ignore_missing: true - if: ctx?.system?.auth?.message != null && ctx?.system?.auth?.message != "" -- grok: - field: message - ignore_missing: true - ignore_failure: true - patterns: - - 'for user \"?%{DATA:_temp.foruser}\"? by \"?%{DATA:_temp.byuser}\"?(?:\(uid=%{NUMBER:_temp.byuid}\))?$' - - 'for user \"?%{DATA:_temp.foruser}\"?$' - - 'by user \"?%{DATA:_temp.byuser}\"?$' - if: ctx?.message != null && ctx?.message != "" -- rename: - field: _temp.byuser - target_field: user.name - ignore_missing: true - ignore_failure: true -- rename: - field: _temp.byuid - target_field: user.id - ignore_missing: true - ignore_failure: true -- rename: - field: _temp.foruser - target_field: user.name - ignore_missing: true - ignore_failure: true - if: ctx?.user?.name == null || ctx?.user?.name == "" -- rename: - field: _temp.foruser - target_field: user.effective.name - ignore_missing: true - ignore_failure: true - if: ctx?.user?.name != null -- remove: - field: _temp - ignore_missing: true -- convert: - field: system.auth.sudo.user - target_field: user.effective.name - type: string - ignore_failure: true - if: ctx?.system?.auth?.sudo?.user != null -- set: - field: source.ip - value: '{{system.auth.ssh.dropped_ip}}' - ignore_empty_value: true -- date: - if: ctx.event.timezone == null - field: system.auth.timestamp - target_field: '@timestamp' - formats: - - MMM d HH:mm:ss - - MMM dd HH:mm:ss - - ISO8601 - on_failure: - - append: - field: error.message - value: '{{ _ingest.on_failure_message }}' -- date: - if: ctx.event.timezone != null - field: system.auth.timestamp - target_field: '@timestamp' - formats: - - MMM d HH:mm:ss - - MMM dd HH:mm:ss - - ISO8601 - timezone: '{{ event.timezone }}' - on_failure: - - append: - field: error.message - value: '{{ _ingest.on_failure_message }}' -- remove: - 
field: system.auth.timestamp -- geoip: - field: source.ip - target_field: source.geo - ignore_failure: true -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true -- rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true -- rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true -- set: - field: event.kind - value: event -- script: - lang: painless - ignore_failure: true - source: >- - if (ctx.system.auth.ssh.event == "Accepted") { - ctx.event.type = ["authentication_success", "info"]; - ctx.event.category = ["authentication","session"]; - ctx.event.action = "ssh_login"; - ctx.event.outcome = "success"; - } else if (ctx.system.auth.ssh.event == "Invalid" || ctx.system.auth.ssh.event == "Failed") { - ctx.event.type = ["authentication_failure", "info"]; - ctx.event.category = ["authentication"]; - ctx.event.action = "ssh_login"; - ctx.event.outcome = "failure"; - } - -- append: - field: event.category - value: iam - if: "ctx?.process?.name != null && ['groupadd', 'groupdel', 'groupmod', 'useradd', 'userdel', 'usermod'].contains(ctx.process.name)" -- set: - field: event.outcome - value: success - if: "ctx?.process?.name != null && ['groupadd', 'groupdel', 'groupmod', 'useradd', 'userdel', 'usermod'].contains(ctx.process.name)" -- append: - field: event.type - value: user - if: "ctx?.process?.name != null && ['useradd', 'userdel', 'usermod'].contains(ctx.process.name)" -- append: - field: event.type - value: group - if: "ctx?.process?.name != null && ['groupadd', 'groupdel', 'groupmod'].contains(ctx.process.name)" -- append: - field: event.type - value: creation - if: "ctx?.process?.name != null && ['useradd', 'groupadd'].contains(ctx.process.name)" -- append: - field: event.type - value: deletion - if: "ctx?.process?.name != null && ['userdel', 
'groupdel'].contains(ctx.process.name)" -- append: - field: event.type - value: change - if: "ctx?.process?.name != null && ['usermod', 'groupmod'].contains(ctx.process.name)" -- append: - field: related.user - value: "{{user.name}}" - allow_duplicates: false - if: "ctx?.user?.name != null && ctx.user?.name != ''" -- append: - field: related.user - value: "{{user.effective.name}}" - allow_duplicates: false - if: "ctx?.user?.effective?.name != null && ctx.user?.effective?.name != ''" -- append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false - if: "ctx?.source?.ip != null && ctx.source?.ip != ''" -- append: - field: related.hosts - value: "{{host.hostname}}" - allow_duplicates: false - if: "ctx.host?.hostname != null && ctx.host?.hostname != ''" -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/system/0.11.2/data_stream/auth/fields/agent.yml b/packages/system/0.11.2/data_stream/auth/fields/agent.yml deleted file mode 100644 index da4e652c53..0000000000 --- a/packages/system/0.11.2/data_stream/auth/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.11.2/data_stream/auth/fields/base-fields.yml b/packages/system/0.11.2/data_stream/auth/fields/base-fields.yml deleted file mode 100644 index 7c798f4534..0000000000 --- a/packages/system/0.11.2/data_stream/auth/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.11.2/data_stream/auth/fields/ecs.yml b/packages/system/0.11.2/data_stream/auth/fields/ecs.yml deleted file mode 100644 index 1bd77bc20c..0000000000 --- a/packages/system/0.11.2/data_stream/auth/fields/ecs.yml +++ /dev/null 
@@ -1,218 +0,0 @@ -- name: '@timestamp' - level: core - required: true - type: date - description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. -- name: message - level: core - type: text - description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. -- name: group - title: Group - group: 2 - type: group - fields: - - name: id - level: extended - type: keyword - description: Unique identifier for the group on the system/platform. - ignore_above: 1024 - - name: name - level: extended - type: keyword - description: Name of the group. - ignore_above: 1024 -- name: host - title: Host - group: 2 - type: group - fields: - - name: hostname - level: core - type: keyword - description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - ignore_above: 1024 -- name: process - title: Process - group: 2 - type: group - fields: - - name: name - level: extended - type: keyword - description: |- - Process name. - Sometimes called program name or similar. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - - name: pid - level: core - type: long - format: string - description: Process id. -- name: source - title: Source - group: 2 - type: group - fields: - - name: geo.city_name - level: core - type: keyword - description: City name. 
- ignore_above: 1024 - - name: geo.continent_name - level: core - type: keyword - description: Name of the continent. - ignore_above: 1024 - - name: geo.country_iso_code - level: core - type: keyword - description: Country ISO code. - ignore_above: 1024 - - name: geo.location - level: core - type: geo_point - description: Longitude and latitude. - - name: geo.region_iso_code - level: core - type: keyword - description: Region ISO code. - ignore_above: 1024 - - name: geo.region_name - level: core - type: keyword - description: Region name. - ignore_above: 1024 - - name: ip - level: core - type: ip - description: IP address of the source (IPv4 or IPv6). - - name: port - level: core - type: long - format: string - description: Port of the source. -- name: user - title: User - group: 2 - type: group - fields: - - name: id - level: core - type: keyword - description: Unique identifier of the user. - ignore_above: 1024 - - name: name - level: core - type: keyword - description: Short name or login of the user. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - - name: effective.name - level: core - type: keyword - description: Short name or login of the user. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false -- description: "Operating system architecture." - ignore_above: 1024 - name: host.architecture - type: keyword -- description: "Name of the directory the group is a member of." - ignore_above: 1024 - name: host.domain - type: keyword -- description: "Hostname of the host." - ignore_above: 1024 - name: host.hostname - type: keyword -- description: "Unique host id." - ignore_above: 1024 - name: host.id - type: keyword -- description: "Host ip addresses." - name: host.ip - type: ip -- description: "Host mac addresses." - ignore_above: 1024 - name: host.mac - type: keyword -- description: "Name of the host." 
- ignore_above: 1024 - name: host.name - type: keyword -- description: "OS family (such as redhat, debian, freebsd, windows)." - ignore_above: 1024 - name: host.os.family - type: keyword -- description: "Operating system name, including the version or code name." - ignore_above: 1024 - multi_fields: - - name: text - norms: false - type: text - name: host.os.full - type: keyword -- description: "Operating system kernel version as a raw string." - ignore_above: 1024 - name: host.os.kernel - type: keyword -- description: "Operating system name, without the version." - ignore_above: 1024 - multi_fields: - - name: text - norms: false - type: text - name: host.os.name - type: keyword -- description: "Operating system platform (such centos, ubuntu, windows)." - ignore_above: 1024 - name: host.os.platform - type: keyword -- description: "Operating system version as a raw string." - ignore_above: 1024 - name: version - type: keyword -- name: error.message - type: text - description: Error message. -- name: related.ip - type: ip - description: All of the IPs seen on your event. -- name: related.user - type: keyword - description: All the user names seen on your event. -- name: related.hosts - type: keyword - description: All the host names seen on your event. -- name: source.as.number - type: long - description: Unique number allocated to the autonomous system. -- name: source.as.organization.name - type: keyword - description: Organization name. -- name: source.geo.country_name - type: keyword - description: Country name. diff --git a/packages/system/0.11.2/data_stream/auth/fields/fields.yml b/packages/system/0.11.2/data_stream/auth/fields/fields.yml deleted file mode 100644 index 1e7b044f02..0000000000 --- a/packages/system/0.11.2/data_stream/auth/fields/fields.yml +++ /dev/null 
@@ -1,58 +0,0 @@ -- name: system.auth - type: group - fields: - - name: ssh - type: group - fields: - - name: method - type: keyword - description: | - The SSH authentication method. Can be one of "password" or "publickey". - - name: signature - type: keyword - description: | - The signature of the client public key. - - name: dropped_ip - type: ip - description: | - The client IP from SSH connections that are open and immediately dropped. - - name: event - type: keyword - description: | - The SSH event as found in the logs (Accepted, Invalid, Failed, etc.) - - name: geoip - type: group - - name: sudo - type: group - fields: - - name: error - type: keyword - description: | - The error message in case the sudo command failed. - - name: tty - type: keyword - description: | - The TTY where the sudo command is executed. - - name: pwd - type: keyword - description: | - The current directory where the sudo command is executed. - - name: user - type: keyword - description: | - The target user to which the sudo command is switching. - - name: command - type: keyword - description: | - The command executed via sudo. - - name: useradd - type: group - fields: - - name: home - type: keyword - description: The home folder for the new user. - - name: shell - type: keyword - description: The default shell for the new user. - - name: groupadd - type: group diff --git a/packages/system/0.11.2/data_stream/auth/manifest.yml b/packages/system/0.11.2/data_stream/auth/manifest.yml deleted file mode 100644 index 428764ece1..0000000000 --- a/packages/system/0.11.2/data_stream/auth/manifest.yml +++ /dev/null @@ -1,18 +0,0 @@ -title: System auth logs -release: experimental -type: logs -streams: - - input: logfile - vars: - - name: paths - type: text - title: Paths - multi: true - required: true - show_user: true - default: - - /var/log/auth.log* - - /var/log/secure* - template_path: log.yml.hbs - title: System auth logs (log) - description: Collect System auth logs using log input 
diff --git a/packages/system/0.11.2/data_stream/core/agent/stream/stream.yml.hbs b/packages/system/0.11.2/data_stream/core/agent/stream/stream.yml.hbs deleted file mode 100644 index 38d25572bd..0000000000 --- a/packages/system/0.11.2/data_stream/core/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,5 +0,0 @@ -metricsets: ["core"] -core.metrics: -{{#each core.metrics}} - - {{this}} -{{/each}} diff --git a/packages/system/0.11.2/data_stream/core/fields/agent.yml b/packages/system/0.11.2/data_stream/core/fields/agent.yml deleted file mode 100644 index da4e652c53..0000000000 --- a/packages/system/0.11.2/data_stream/core/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.11.2/data_stream/core/fields/base-fields.yml b/packages/system/0.11.2/data_stream/core/fields/base-fields.yml deleted file mode 100644 index 7c798f4534..0000000000 --- a/packages/system/0.11.2/data_stream/core/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.11.2/data_stream/core/fields/ecs.yml b/packages/system/0.11.2/data_stream/core/fields/ecs.yml deleted file mode 100644 index e76a78fa1d..0000000000 --- a/packages/system/0.11.2/data_stream/core/fields/ecs.yml +++ /dev/null 
@@ -1,71 +0,0 @@ -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. 
- example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: Type of host. diff --git a/packages/system/0.11.2/data_stream/core/fields/fields.yml b/packages/system/0.11.2/data_stream/core/fields/fields.yml deleted file mode 100644 index dab186321f..0000000000 --- a/packages/system/0.11.2/data_stream/core/fields/fields.yml +++ /dev/null 
@@ -1,103 +0,0 @@ -- name: system.core - type: group - fields: - - name: id - type: keyword - description: | - CPU Core number. - - name: user.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in user space. - - name: user.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent in user space. - - name: system.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in kernel space. - - name: system.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent in kernel space. - - name: nice.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent on low-priority processes. - - name: nice.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent on low-priority processes. - - name: idle.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent idle. - - name: idle.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent idle. - - name: iowait.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in wait (on disk). - - name: iowait.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent in wait (on disk). - - name: irq.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent servicing and handling hardware interrupts. - - name: irq.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent servicing and handling hardware interrupts. 
- - name: softirq.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent servicing and handling software interrupts. - - name: softirq.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent servicing and handling software interrupts. - - name: steal.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. - - name: steal.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. diff --git a/packages/system/0.11.2/data_stream/core/manifest.yml b/packages/system/0.11.2/data_stream/core/manifest.yml deleted file mode 100644 index f7e0e5a825..0000000000 --- a/packages/system/0.11.2/data_stream/core/manifest.yml +++ /dev/null @@ -1,27 +0,0 @@ -title: System core metrics -release: experimental -type: metrics -streams: - - input: system/metrics - enabled: false - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - - name: core.metrics - type: text - title: Core Metrics - multi: true - required: true - show_user: true - description: > - How to report core metrics. Can be "percentages" or "ticks" - - default: - - percentages - title: System core metrics - description: Collect System core metrics diff --git a/packages/system/0.11.2/data_stream/cpu/agent/stream/stream.yml.hbs b/packages/system/0.11.2/data_stream/cpu/agent/stream/stream.yml.hbs deleted file mode 100644 index cd0de8d3d9..0000000000 --- a/packages/system/0.11.2/data_stream/cpu/agent/stream/stream.yml.hbs +++ /dev/null 
@@ -1,6 +0,0 @@ -metricsets: ["cpu"] -cpu.metrics: -{{#each cpu.metrics}} - - {{this}} -{{/each}} -period: {{period}} \ No newline at end of file diff --git a/packages/system/0.11.2/data_stream/cpu/fields/agent.yml b/packages/system/0.11.2/data_stream/cpu/fields/agent.yml deleted file mode 100644 index 3643534982..0000000000 --- a/packages/system/0.11.2/data_stream/cpu/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - - - name: cpu.pct - type: scaled_float - format: percent - description: > - Percent CPU used. 
This value is normalized by the number of CPU cores and it ranges from 0 to 1. - diff --git a/packages/system/0.11.2/data_stream/cpu/fields/base-fields.yml b/packages/system/0.11.2/data_stream/cpu/fields/base-fields.yml deleted file mode 100644 index 7c798f4534..0000000000 --- a/packages/system/0.11.2/data_stream/cpu/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.11.2/data_stream/cpu/fields/ecs.yml b/packages/system/0.11.2/data_stream/cpu/fields/ecs.yml deleted file mode 100644 index e76a78fa1d..0000000000 --- a/packages/system/0.11.2/data_stream/cpu/fields/ecs.yml +++ /dev/null 
@@ -1,71 +0,0 @@ -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. 
- example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: Type of host. diff --git a/packages/system/0.11.2/data_stream/cpu/fields/fields.yml b/packages/system/0.11.2/data_stream/cpu/fields/fields.yml deleted file mode 100644 index 9efed64c2d..0000000000 --- a/packages/system/0.11.2/data_stream/cpu/fields/fields.yml +++ /dev/null 
@@ -1,182 +0,0 @@ -- name: system.cpu - type: group - fields: - - name: cores - type: long - metric_type: gauge - description: | - The number of CPU cores present on the host. The non-normalized percentages will have a maximum value of `100% * cores`. The normalized percentages already take this value into account and have a maximum value of 100%. - - name: user.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in user space. On multi-core systems, you can have percentages that are greater than 100%. For example, if 3 cores are at 60% use, then the `system.cpu.user.pct` will be 180%. - - name: system.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in kernel space. - - name: nice.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent on low-priority processes. - - name: idle.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent idle. - - name: iowait.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in wait (on disk). - - name: irq.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent servicing and handling hardware interrupts. - - name: softirq.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent servicing and handling software interrupts. - - name: steal.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. 
- - name: total.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in states other than Idle and IOWait. - - name: user.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in user space. - - name: system.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in kernel space. - - name: nice.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent on low-priority processes. - - name: idle.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent idle. - - name: iowait.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in wait (on disk). - - name: irq.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent servicing and handling hardware interrupts. - - name: softirq.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent servicing and handling software interrupts. - - name: steal.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. - - name: total.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time in states other than Idle and IOWait, normalised by the number of cores. 
- - name: user.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent in user space. - - name: system.ticks - type: long - description: | - The amount of CPU time spent in kernel space. - - name: nice.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent on low-priority processes. - - name: idle.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent idle. - - name: iowait.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent in wait (on disk). - - name: irq.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent servicing and handling hardware interrupts. - - name: softirq.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent servicing and handling software interrupts. - - name: steal.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. -- name: host - type: group - fields: - - name: cpu.pct - type: scaled_float - unit: percent - metric_type: gauge - description: | - Percent CPU used. This value is normalized by the number of CPU cores and it ranges from 0 to 1. diff --git a/packages/system/0.11.2/data_stream/cpu/manifest.yml b/packages/system/0.11.2/data_stream/cpu/manifest.yml deleted file mode 100644 index 0388136d11..0000000000 --- a/packages/system/0.11.2/data_stream/cpu/manifest.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -title: System cpu metrics -release: experimental -type: metrics -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - - name: cpu.metrics - type: text - title: Cpu Metrics - multi: true - required: true - show_user: true - description: > - How to report CPU metrics. Can be "percentages", "normalized_percentages", or "ticks" - - default: - - percentages - - normalized_percentages - title: System cpu metrics - description: Collect System cpu metrics diff --git a/packages/system/0.11.2/data_stream/diskio/agent/stream/stream.yml.hbs b/packages/system/0.11.2/data_stream/diskio/agent/stream/stream.yml.hbs deleted file mode 100644 index 689369ee25..0000000000 --- a/packages/system/0.11.2/data_stream/diskio/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,6 +0,0 @@ -metricsets: ["diskio"] -diskio.include_devices: -{{#each diskio.include_devices}} - - {{this}} -{{/each}} -period: {{period}} \ No newline at end of file diff --git a/packages/system/0.11.2/data_stream/diskio/fields/agent.yml b/packages/system/0.11.2/data_stream/diskio/fields/agent.yml deleted file mode 100644 index 54d97ab701..0000000000 --- a/packages/system/0.11.2/data_stream/diskio/fields/agent.yml +++ /dev/null 
@@ -1,209 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- - - name: disk.read.bytes - type: long - format: bytes - description: > - The total number of bytes read successfully in a given period of time. - - - name: disk.write.bytes - type: long - format: bytes - description: >- - The total number of bytes write successfully in a given period of time. diff --git a/packages/system/0.11.2/data_stream/diskio/fields/base-fields.yml b/packages/system/0.11.2/data_stream/diskio/fields/base-fields.yml deleted file mode 100644 index 7c798f4534..0000000000 --- a/packages/system/0.11.2/data_stream/diskio/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.11.2/data_stream/diskio/fields/ecs.yml b/packages/system/0.11.2/data_stream/diskio/fields/ecs.yml deleted file mode 100644 index 9a7eeefc56..0000000000 --- a/packages/system/0.11.2/data_stream/diskio/fields/ecs.yml +++ /dev/null 
@@ -1,78 +0,0 @@ -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: hostname - level: core - type: keyword - description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - ignore_above: 1024 - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). 
- example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: Type of host. diff --git a/packages/system/0.11.2/data_stream/diskio/fields/fields.yml b/packages/system/0.11.2/data_stream/diskio/fields/fields.yml deleted file mode 100644 index 01a5762c60..0000000000 --- a/packages/system/0.11.2/data_stream/diskio/fields/fields.yml +++ /dev/null 
@@ -1,136 +0,0 @@ -- name: system.diskio - type: group - fields: - - name: name - type: keyword - description: | - The disk name. - - name: serial_number - type: keyword - description: | - The disk's serial number. This may not be provided by all operating systems. - - name: read.count - type: long - metric_type: counter - description: | - The total number of reads completed successfully. - - name: write.count - type: long - metric_type: counter - description: | - The total number of writes completed successfully. - - name: read.bytes - type: long - format: bytes - unit: byte - metric_type: counter - description: | - The total number of bytes read successfully. On Linux this is the number of sectors read multiplied by an assumed sector size of 512. - - name: write.bytes - type: long - format: bytes - unit: byte - metric_type: counter - description: | - The total number of bytes written successfully. On Linux this is the number of sectors written multiplied by an assumed sector size of 512. - - name: read.time - type: long - metric_type: counter - description: | - The total number of milliseconds spent by all reads. - - name: write.time - type: long - metric_type: counter - description: | - The total number of milliseconds spent by all writes. - - name: io.time - type: long - metric_type: counter - description: | - The total number of of milliseconds spent doing I/Os. - - name: iostat.read.request.merges_per_sec - type: float - metric_type: gauge - description: | - The number of read requests merged per second that were queued to the device. - - name: iostat.write.request.merges_per_sec - type: float - metric_type: gauge - description: | - The number of write requests merged per second that were queued to the device. 
- - name: iostat.read.request.per_sec - type: float - metric_type: gauge - description: | - The number of read requests that were issued to the device per second - - name: iostat.write.request.per_sec - type: float - metric_type: gauge - description: | - The number of write requests that were issued to the device per second - - name: iostat.read.per_sec.bytes - type: float - format: bytes - metric_type: gauge - description: | - The number of Bytes read from the device per second. - - name: iostat.read.await - type: float - metric_type: gauge - description: | - The average time spent for read requests issued to the device to be served. - - name: iostat.write.per_sec.bytes - type: float - format: bytes - metric_type: gauge - description: | - The number of Bytes write from the device per second. - - name: iostat.write.await - type: float - metric_type: gauge - description: | - The average time spent for write requests issued to the device to be served. - - name: iostat.request.avg_size - type: float - format: bytes - unit: byte - metric_type: gauge - description: | - The average size (in bytes) of the requests that were issued to the device. - - name: iostat.queue.avg_size - type: float - unit: byte - metric_type: gauge - description: | - The average queue length of the requests that were issued to the device. - - name: iostat.await - type: float - metric_type: gauge - description: | - The average time spent for requests issued to the device to be served. - - name: iostat.service_time - type: float - unit: ms - metric_type: gauge - description: | - The average service time (in milliseconds) for I/O requests that were issued to the device. - - name: iostat.busy - type: float - metric_type: gauge - description: | - Percentage of CPU time during which I/O requests were issued to the device (bandwidth utilization for the device). Device saturation occurs when this value is close to 100%. 
-- name: host - type: group - fields: - - name: disk.read.bytes - type: scaled_float - unit: byte - metric_type: gauge - description: | - The total number of bytes read successfully in a given period of time. - - name: disk.write.bytes - type: scaled_float - unit: byte - metric_type: gauge - description: | - The total number of bytes write successfully in a given period of time. diff --git a/packages/system/0.11.2/data_stream/diskio/manifest.yml b/packages/system/0.11.2/data_stream/diskio/manifest.yml deleted file mode 100644 index 320f708bef..0000000000 --- a/packages/system/0.11.2/data_stream/diskio/manifest.yml +++ /dev/null @@ -1,24 +0,0 @@ -title: System diskio metrics -release: experimental -type: metrics -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - - name: diskio.include_devices - type: text - title: Include Devices - multi: true - required: false - show_user: true - description: > - Provide a specific list of devices to monitor. By default, all devices are monitored. - - title: System diskio metrics - description: Collect System diskio metrics diff --git a/packages/system/0.11.2/data_stream/filesystem/agent/stream/stream.yml.hbs b/packages/system/0.11.2/data_stream/filesystem/agent/stream/stream.yml.hbs deleted file mode 100644 index d21fbd9919..0000000000 --- a/packages/system/0.11.2/data_stream/filesystem/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,3 +0,0 @@ -metricsets: ["filesystem"] -period: {{period}} -processors: {{processors}} diff --git a/packages/system/0.11.2/data_stream/filesystem/fields/agent.yml b/packages/system/0.11.2/data_stream/filesystem/fields/agent.yml deleted file mode 100644 index da4e652c53..0000000000 --- a/packages/system/0.11.2/data_stream/filesystem/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.11.2/data_stream/filesystem/fields/base-fields.yml b/packages/system/0.11.2/data_stream/filesystem/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.11.2/data_stream/filesystem/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.11.2/data_stream/filesystem/fields/fields.yml b/packages/system/0.11.2/data_stream/filesystem/fields/fields.yml
deleted file mode 100644
index d7b44199a8..0000000000
--- a/packages/system/0.11.2/data_stream/filesystem/fields/fields.yml
+++ /dev/null
@@ -1,60 +0,0 @@ -- name: system.filesystem - type: group - fields: - - name: available - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The disk space available to an unprivileged user in bytes. - - name: device_name - type: keyword - description: | - The disk name. For example: `/dev/disk1` - - name: type - type: keyword - description: | - The disk type. For example: `ext4` - - name: mount_point - type: keyword - description: | - The mounting point. For example: `/` - - name: files - type: long - metric_type: gauge - description: | - The total number of file nodes in the file system. - - name: free - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The disk space available in bytes. - - name: free_files - type: long - metric_type: gauge - description: | - The number of free file nodes in the file system. - - name: total - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The total disk space in bytes. - - name: used.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The used disk space in bytes. - - name: used.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of used disk space. diff --git a/packages/system/0.11.2/data_stream/filesystem/manifest.yml b/packages/system/0.11.2/data_stream/filesystem/manifest.yml deleted file mode 100644 index 2cc3f159a7..0000000000 --- a/packages/system/0.11.2/data_stream/filesystem/manifest.yml +++ /dev/null 
@@ -1,28 +0,0 @@ -title: System filesystem metrics -release: experimental -type: metrics -streams: - - input: system/metrics - enabled: true - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 1m - - name: processors - type: yaml - title: Processors - multi: false - required: true - show_user: true - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with external metadata. - - default: | - - drop_event.when.regexp: - system.filesystem.mount_point: ^/(sys|cgroup|proc|dev|etc|host|lib|snap)($|/) - title: System filesystem metrics - description: Collect System filesystem metrics diff --git a/packages/system/0.11.2/data_stream/fsstat/agent/stream/stream.yml.hbs b/packages/system/0.11.2/data_stream/fsstat/agent/stream/stream.yml.hbs deleted file mode 100644 index fc5ebe911d..0000000000 --- a/packages/system/0.11.2/data_stream/fsstat/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,3 +0,0 @@ -metricsets: ["fsstat"] -period: {{period}} -processors: {{processors}} diff --git a/packages/system/0.11.2/data_stream/fsstat/fields/agent.yml b/packages/system/0.11.2/data_stream/fsstat/fields/agent.yml deleted file mode 100644 index da4e652c53..0000000000 --- a/packages/system/0.11.2/data_stream/fsstat/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.11.2/data_stream/fsstat/fields/base-fields.yml b/packages/system/0.11.2/data_stream/fsstat/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.11.2/data_stream/fsstat/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.11.2/data_stream/fsstat/fields/ecs.yml b/packages/system/0.11.2/data_stream/fsstat/fields/ecs.yml
deleted file mode 100644
index e76a78fa1d..0000000000
--- a/packages/system/0.11.2/data_stream/fsstat/fields/ecs.yml
+++ /dev/null
@@ -1,71 +0,0 @@ -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. 
- example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: Type of host. diff --git a/packages/system/0.11.2/data_stream/fsstat/fields/fields.yml b/packages/system/0.11.2/data_stream/fsstat/fields/fields.yml deleted file mode 100644 index aab998a85d..0000000000 --- a/packages/system/0.11.2/data_stream/fsstat/fields/fields.yml +++ /dev/null @@ -1,38 +0,0 @@ -- name: system.fsstat - type: group - fields: - - name: count - type: long - metric_type: gauge - description: Number of file systems found. - - name: total_files - type: long - metric_type: gauge - description: Total number of files. - - name: total_size - type: group - format: bytes - unit: byte - metric_type: gauge - fields: - - name: free - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total free space. - - name: used - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total used space. - - name: total - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total space (used plus free). diff --git a/packages/system/0.11.2/data_stream/fsstat/manifest.yml b/packages/system/0.11.2/data_stream/fsstat/manifest.yml deleted file mode 100644 index 8e63d20df1..0000000000 --- a/packages/system/0.11.2/data_stream/fsstat/manifest.yml +++ /dev/null 
@@ -1,28 +0,0 @@ -title: System fsstat metrics -release: experimental -type: metrics -streams: - - input: system/metrics - enabled: true - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 1m - - name: processors - type: yaml - title: Processors - multi: false - required: true - show_user: true - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with external metadata. - - default: | - - drop_event.when.regexp: - system.fsstat.mount_point: ^/(sys|cgroup|proc|dev|etc|host|lib|snap)($|/) - title: System fsstat metrics - description: Collect System fsstat metrics diff --git a/packages/system/0.11.2/data_stream/load/agent/stream/stream.yml.hbs b/packages/system/0.11.2/data_stream/load/agent/stream/stream.yml.hbs deleted file mode 100644 index b1403687c4..0000000000 --- a/packages/system/0.11.2/data_stream/load/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,3 +0,0 @@ -metricsets: ["load"] -condition: ${host.platform} != 'windows' -period: {{period}} \ No newline at end of file diff --git a/packages/system/0.11.2/data_stream/load/fields/agent.yml b/packages/system/0.11.2/data_stream/load/fields/agent.yml deleted file mode 100644 index da4e652c53..0000000000 --- a/packages/system/0.11.2/data_stream/load/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.11.2/data_stream/load/fields/base-fields.yml b/packages/system/0.11.2/data_stream/load/fields/base-fields.yml deleted file mode 100644 index 7c798f4534..0000000000 --- a/packages/system/0.11.2/data_stream/load/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.11.2/data_stream/load/fields/ecs.yml b/packages/system/0.11.2/data_stream/load/fields/ecs.yml deleted file mode 100644 index e76a78fa1d..0000000000 --- a/packages/system/0.11.2/data_stream/load/fields/ecs.yml +++ /dev/null 
@@ -1,71 +0,0 @@ -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. 
- example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: Type of host. diff --git a/packages/system/0.11.2/data_stream/load/fields/fields.yml b/packages/system/0.11.2/data_stream/load/fields/fields.yml deleted file mode 100644 index ae0130faef..0000000000 --- a/packages/system/0.11.2/data_stream/load/fields/fields.yml +++ /dev/null @@ -1,38 +0,0 @@ -- name: system.load - type: group - fields: - - name: "1" - type: scaled_float - metric_type: gauge - description: | - Load average for the last minute. - - name: "5" - type: scaled_float - metric_type: gauge - description: | - Load average for the last 5 minutes. - - name: "15" - type: scaled_float - metric_type: gauge - description: | - Load average for the last 15 minutes. - - name: norm.1 - type: scaled_float - metric_type: gauge - description: | - Load for the last minute divided by the number of cores. - - name: norm.5 - type: scaled_float - metric_type: gauge - description: | - Load for the last 5 minutes divided by the number of cores. - - name: norm.15 - type: scaled_float - metric_type: gauge - description: | - Load for the last 15 minutes divided by the number of cores. - - name: cores - type: long - metric_type: gauge - description: | - The number of CPU cores present on the host. diff --git a/packages/system/0.11.2/data_stream/load/manifest.yml b/packages/system/0.11.2/data_stream/load/manifest.yml deleted file mode 100644 index 486e57b779..0000000000 --- a/packages/system/0.11.2/data_stream/load/manifest.yml +++ /dev/null @@ -1,15 +0,0 @@ -title: System load metrics -release: experimental -type: metrics -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - title: System load metrics - description: Collect System load metrics 
diff --git a/packages/system/0.11.2/data_stream/memory/agent/stream/stream.yml.hbs b/packages/system/0.11.2/data_stream/memory/agent/stream/stream.yml.hbs deleted file mode 100644 index 0d49de061f..0000000000 --- a/packages/system/0.11.2/data_stream/memory/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,2 +0,0 @@ -metricsets: ["memory"] -period: {{period}} \ No newline at end of file diff --git a/packages/system/0.11.2/data_stream/memory/fields/agent.yml b/packages/system/0.11.2/data_stream/memory/fields/agent.yml deleted file mode 100644 index da4e652c53..0000000000 --- a/packages/system/0.11.2/data_stream/memory/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.11.2/data_stream/memory/fields/base-fields.yml b/packages/system/0.11.2/data_stream/memory/fields/base-fields.yml deleted file mode 100644 index 7c798f4534..0000000000 --- a/packages/system/0.11.2/data_stream/memory/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.11.2/data_stream/memory/fields/ecs.yml b/packages/system/0.11.2/data_stream/memory/fields/ecs.yml deleted file mode 100644 index e76a78fa1d..0000000000 --- a/packages/system/0.11.2/data_stream/memory/fields/ecs.yml +++ /dev/null 
@@ -1,71 +0,0 @@ -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. 
- example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: Type of host. diff --git a/packages/system/0.11.2/data_stream/memory/fields/fields.yml b/packages/system/0.11.2/data_stream/memory/fields/fields.yml deleted file mode 100644 index 55488d61eb..0000000000 --- a/packages/system/0.11.2/data_stream/memory/fields/fields.yml +++ /dev/null 
@@ -1,199 +0,0 @@ -- name: system.memory - type: group - fields: - - name: total - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total memory. - - name: used.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Used memory. - - name: free - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The total amount of free memory in bytes. This value does not include memory consumed by system caches and buffers (see system.memory.actual.free). - - name: used.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of used memory. - - name: actual - type: group - fields: - - name: used.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Actual used memory in bytes. It represents the difference between the total and the available memory. The available memory depends on the OS. For more details, please check `system.actual.free`. - - name: free - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Actual free memory in bytes. It is calculated based on the OS. On Linux this value will be MemAvailable from /proc/meminfo, or calculated from free memory plus caches and buffers if /proc/meminfo is not available. On OSX it is a sum of free memory and the inactive memory. On Windows, it is equal to `system.memory.free`. - - name: used.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of actual used memory. - - name: swap - type: group - fields: - - name: total - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total swap memory. - - name: used.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Used swap memory. - - name: free - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Available swap memory. 
- - name: out.pages - type: long - metric_type: counter - description: count of pages swapped out - - name: in.pages - type: long - metric_type: gauge - description: count of pages swapped in - - name: readahead.pages - type: long - metric_type: counter - description: swap readahead pages - - name: readahead.cached - type: long - description: swap readahead cache hits - - name: used.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of used swap memory. - - name: page_stats - type: group - fields: - - name: pgscan_kswapd.pages - type: long - format: number - metric_type: counter - description: pages scanned by kswapd - - name: pgscan_direct.pages - type: long - format: number - metric_type: counter - description: pages scanned directly - - name: pgfree.pages - type: long - format: number - metric_type: counter - description: pages freed by the system - - name: pgsteal_kswapd.pages - type: long - format: number - metric_type: counter - description: number of pages reclaimed by kswapd - - name: pgsteal_direct.pages - type: long - format: number - metric_type: counter - description: number of pages reclaimed directly - - name: direct_efficiency.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: direct reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory. - - name: kswapd_efficiency.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: kswapd reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory. - - name: hugepages - type: group - fields: - - name: total - type: long - format: number - metric_type: gauge - description: | - Number of huge pages in the pool. - - name: used.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Memory used in allocated huge pages. 
- - name: used.pct - type: long - format: percent - unit: percent - metric_type: gauge - description: | - Percentage of huge pages used. - - name: free - type: long - format: number - metric_type: gauge - description: | - Number of available huge pages in the pool. - - name: reserved - type: long - format: number - metric_type: gauge - description: | - Number of reserved but not allocated huge pages in the pool. - - name: surplus - type: long - format: number - metric_type: gauge - description: | - Number of overcommited huge pages. - - name: default_size - type: long - format: bytes - metric_type: gauge - description: | - Default size for huge pages. - - name: swap.out - type: group - fields: - - name: pages - type: long - metric_type: gauge - description: pages swapped out - - name: fallback - type: long - metric_type: gauge - description: Count of huge pages that must be split before swapout diff --git a/packages/system/0.11.2/data_stream/memory/manifest.yml b/packages/system/0.11.2/data_stream/memory/manifest.yml deleted file mode 100644 index aeb17b0bd0..0000000000 --- a/packages/system/0.11.2/data_stream/memory/manifest.yml +++ /dev/null @@ -1,15 +0,0 @@ -title: System memory metrics -release: experimental -type: metrics -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - title: System memory metrics - description: Collect System memory metrics diff --git a/packages/system/0.11.2/data_stream/network/agent/stream/stream.yml.hbs b/packages/system/0.11.2/data_stream/network/agent/stream/stream.yml.hbs deleted file mode 100644 index a3aeb928ae..0000000000 --- a/packages/system/0.11.2/data_stream/network/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,6 +0,0 @@ -metricsets: ["network"] -period: {{period}} -network.interfaces: -{{#each network.interfaces}} - - {{this}} -{{/each}} 
diff --git a/packages/system/0.11.2/data_stream/network/fields/agent.yml b/packages/system/0.11.2/data_stream/network/fields/agent.yml deleted file mode 100644 index e5afe01139..0000000000 --- a/packages/system/0.11.2/data_stream/network/fields/agent.yml +++ /dev/null 
@@ -1,220 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- - - name: network.in.bytes - type: long - format: bytes - description: > - The number of bytes received on all network interfaces by the host in a given period of time. - - - name: network.in.packets - type: long - description: > - The number of packets received on all network interfaces by the host in a given period of time. - - - name: network.out.bytes - type: long - format: bytes - description: > - The number of bytes sent out on all network interfaces by the host in a given period of time. - - - name: network.out.packets - type: long - description: > - The number of packets sent out on all network interfaces by the host in a given period of time. - diff --git a/packages/system/0.11.2/data_stream/network/fields/base-fields.yml b/packages/system/0.11.2/data_stream/network/fields/base-fields.yml deleted file mode 100644 index 7c798f4534..0000000000 --- a/packages/system/0.11.2/data_stream/network/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.11.2/data_stream/network/fields/ecs.yml b/packages/system/0.11.2/data_stream/network/fields/ecs.yml deleted file mode 100644 index 9f3d04118b..0000000000 --- a/packages/system/0.11.2/data_stream/network/fields/ecs.yml +++ /dev/null 
@@ -1,128 +0,0 @@ -- name: '@timestamp' - level: core - required: true - type: date - description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. -- name: message - level: core - type: text - description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. -- name: group - title: Group - group: 2 - type: group - fields: - - name: id - level: extended - type: keyword - description: Unique identifier for the group on the system/platform. - ignore_above: 1024 - - name: name - level: extended - type: keyword - description: Name of the group. - ignore_above: 1024 -- name: host - title: Host - group: 2 - type: group - fields: - - name: hostname - level: core - type: keyword - description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - ignore_above: 1024 -- name: process - title: Process - group: 2 - type: group - fields: - - name: name - level: extended - type: keyword - description: |- - Process name. - Sometimes called program name or similar. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - - name: pid - level: core - type: long - format: string - description: Process id. -- name: source - title: Source - group: 2 - type: group - fields: - - name: geo.city_name - level: core - type: keyword - description: City name. 
- ignore_above: 1024 - - name: geo.continent_name - level: core - type: keyword - description: Name of the continent. - ignore_above: 1024 - - name: geo.country_iso_code - level: core - type: keyword - description: Country ISO code. - ignore_above: 1024 - - name: geo.location - level: core - type: geo_point - description: Longitude and latitude. - - name: geo.region_iso_code - level: core - type: keyword - description: Region ISO code. - ignore_above: 1024 - - name: geo.region_name - level: core - type: keyword - description: Region name. - ignore_above: 1024 - - name: ip - level: core - type: ip - description: IP address of the source (IPv4 or IPv6). - - name: port - level: core - type: long - format: string - description: Port of the source. -- name: user - title: User - group: 2 - type: group - fields: - - name: id - level: core - type: keyword - description: Unique identifier of the user. - ignore_above: 1024 - - name: name - level: core - type: keyword - description: Short name or login of the user. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false diff --git a/packages/system/0.11.2/data_stream/network/fields/fields.yml b/packages/system/0.11.2/data_stream/network/fields/fields.yml deleted file mode 100644 index a309d88ba0..0000000000 --- a/packages/system/0.11.2/data_stream/network/fields/fields.yml +++ /dev/null 
@@ -1,77 +0,0 @@ -- name: system.network - type: group - fields: - - name: name - type: keyword - description: | - The network interface name. - - name: out.bytes - type: long - format: bytes - unit: byte - metric_type: counter - description: | - The number of bytes sent. - - name: in.bytes - type: long - format: bytes - unit: byte - metric_type: counter - description: | - The number of bytes received. - - name: out.packets - type: long - metric_type: counter - description: | - The number of packets sent. - - name: in.packets - type: long - metric_type: counter - description: | - The number or packets received. - - name: in.errors - type: long - metric_type: counter - description: | - The number of errors while receiving. - - name: out.errors - type: long - metric_type: counter - description: | - The number of errors while sending. - - name: in.dropped - type: long - metric_type: counter - description: | - The number of incoming packets that were dropped. - - name: out.dropped - type: long - metric_type: counter - description: | - The number of outgoing packets that were dropped. This value is always 0 on Darwin and BSD because it is not reported by the operating system. -- name: host - type: group - fields: - - name: network.in.bytes - type: scaled_float - format: bytes - unit: byte - metric_type: counter - description: | - The number of bytes received on all network interfaces by the host in a given period of time. - - name: network.out.bytes - type: scaled_float - unit: byte - metric_type: counter - description: | - The number of bytes sent out on all network interfaces by the host in a given period of time. - - name: network.in.packets - type: scaled_float - metric_type: counter - description: | - The number of packets received on all network interfaces by the host in a given period of time. 
- - name: network.out.packets - type: scaled_float - metric_type: counter - description: | - The number of packets sent out on all network interfaces by the host in a given period of time. diff --git a/packages/system/0.11.2/data_stream/network/manifest.yml b/packages/system/0.11.2/data_stream/network/manifest.yml deleted file mode 100644 index b9878b3e64..0000000000 --- a/packages/system/0.11.2/data_stream/network/manifest.yml +++ /dev/null @@ -1,24 +0,0 @@ -title: System network metrics -release: experimental -type: metrics -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - - name: network.interfaces - type: text - title: Interfaces - multi: true - required: false - show_user: true - description: > - List of interfaces to monitor. Will monitor all by default. - - title: System network metrics - description: Collect System network metrics diff --git a/packages/system/0.11.2/data_stream/process/agent/stream/stream.yml.hbs b/packages/system/0.11.2/data_stream/process/agent/stream/stream.yml.hbs deleted file mode 100644 index ea51aa86f4..0000000000 --- a/packages/system/0.11.2/data_stream/process/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,19 +0,0 @@ -metricsets: ["process"] -period: {{period}} -process.include_top_n.by_cpu: {{process.include_top_n.by_cpu}} -process.include_top_n.by_memory: {{process.include_top_n.by_memory}} -process.cmdline.cache.enabled: {{process.cmdline.cache.enabled}} -process.cgroups.enabled: {{process.cgroups.enabled}} -process.include_cpu_ticks: {{process.include_cpu_ticks}} -{{#if process.env.whitelist}} -{{#each process.env.whitelist}} - - {{this}} -{{/each}} -{{/if}} -processes: -{{#each processes}} - - {{this}} -{{/each}} -{{#if system.hostfs}} -system.hostfs: {{system.hostfs}} -{{/if}} \ No newline at end of file 
diff --git a/packages/system/0.11.2/data_stream/process/fields/agent.yml b/packages/system/0.11.2/data_stream/process/fields/agent.yml deleted file mode 100644 index d5df59895a..0000000000 --- a/packages/system/0.11.2/data_stream/process/fields/agent.yml +++ /dev/null 
@@ -1,226 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: process - title: Process - group: 2 - description: Process metrics. 
- type: group - fields: - - name: state - type: keyword - description: > - The process state. For example: "running". - - - name: cpu.pct - type: scaled_float - format: percent - description: > - The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 1. - - - name: cpu.start_time - type: date - description: > - The time when the process was started. - - - name: memory.pct - type: scaled_float - format: percent - description: > - The percentage of memory the process occupied in main memory (RAM). - diff --git a/packages/system/0.11.2/data_stream/process/fields/base-fields.yml b/packages/system/0.11.2/data_stream/process/fields/base-fields.yml deleted file mode 100644 index 7c798f4534..0000000000 --- a/packages/system/0.11.2/data_stream/process/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.11.2/data_stream/process/fields/ecs.yml b/packages/system/0.11.2/data_stream/process/fields/ecs.yml deleted file mode 100644 index 7e409c1793..0000000000 --- a/packages/system/0.11.2/data_stream/process/fields/ecs.yml +++ /dev/null 
@@ -1,128 +0,0 @@ -- name: process - title: Process - group: 2 - type: group - fields: - - name: name - level: extended - type: keyword - description: |- - Process name. - Sometimes called program name or similar. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - - name: pgid - level: extended - type: long - format: string - description: Identifier of the group of processes the process belongs to. - - name: pid - level: core - type: long - format: string - description: Process id. - - name: ppid - level: extended - type: long - format: string - description: Parent process' pid. - - name: working_directory - level: extended - type: keyword - description: The working directory of the process. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false -- name: user - title: User - group: 2 - type: group - fields: - - name: name - level: core - type: keyword - description: Short name or login of the user. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. 
- - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: Type of host. diff --git a/packages/system/0.11.2/data_stream/process/fields/fields.yml b/packages/system/0.11.2/data_stream/process/fields/fields.yml deleted file mode 100644 index 4dc7b1aab2..0000000000 --- a/packages/system/0.11.2/data_stream/process/fields/fields.yml +++ /dev/null 
@@ -1,434 +0,0 @@ -- name: system.process - type: group - fields: - - name: state - type: keyword - description: | - The process state. For example: "running". - - name: cmdline - type: keyword - description: | - The full command-line used to start the process, including the arguments separated by space. - ignore_above: 2048 - - name: env - type: object - description: | - The environment variables used to start the process. The data is available on FreeBSD, Linux, and OS X. - - name: cpu - type: group - fields: - - name: user.ticks - type: long - metric_type: counter - description: | - The amount of CPU time the process spent in user space. - - name: total.value - type: long - metric_type: counter - description: | - The value of CPU usage since starting the process. - - name: total.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent by the process since the last update. Its value is similar to the %CPU value of the process displayed by the top command on Unix systems. - - name: total.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 100%. - - name: system.ticks - type: long - metric_type: counter - description: | - The amount of CPU time the process spent in kernel space. - - name: total.ticks - type: long - metric_type: counter - description: | - The total CPU time spent by the process. - - name: start_time - type: date - description: | - The time when the process was started. - - name: memory - type: group - fields: - - name: size - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The total virtual memory the process has. 
On Windows this represents the Commit Charge (the total amount of memory that the memory manager has committed for a running process) value in bytes for this process. - - name: rss.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The Resident Set Size. The amount of memory the process occupied in main memory (RAM). On Windows this represents the current working set size, in bytes. - - name: rss.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of memory the process occupied in main memory (RAM). - - name: share - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The shared memory the process uses. - - name: fd - type: group - fields: - - name: open - type: long - metric_type: gauge - description: The number of file descriptors open by the process. - - name: limit.soft - type: long - metric_type: gauge - description: | - The soft limit on the number of file descriptors opened by the process. The soft limit can be changed by the process at any time. - - name: limit.hard - type: long - metric_type: gauge - description: | - The hard limit on the number of file descriptors opened by the process. The hard limit can only be raised by root. - - name: cgroup - type: group - fields: - - name: id - type: keyword - description: | - The ID common to all cgroups associated with this task. If there isn't a common ID used by all cgroups this field will be absent. - - name: path - type: keyword - description: | - The path to the cgroup relative to the cgroup subsystem's mountpoint. If there isn't a common path used by all cgroups this field will be absent. - - name: cpu - type: group - fields: - - name: id - type: keyword - description: ID of the cgroup. - - name: path - type: keyword - description: | - Path to the cgroup relative to the cgroup subsystem's mountpoint. 
- - name: cfs.period.us - type: long - unit: micros - description: | - Period of time in microseconds for how regularly a cgroup's access to CPU resources should be reallocated. - - name: cfs.quota.us - type: long - unit: micros - description: | - Total amount of time in microseconds for which all tasks in a cgroup can run during one period (as defined by cfs.period.us). - - name: cfs.shares - type: long - description: | - An integer value that specifies a relative share of CPU time available to the tasks in a cgroup. The value specified in the cpu.shares file must be 2 or higher. - - name: rt.period.us - type: long - unit: micros - description: | - Period of time in microseconds for how regularly a cgroup's access to CPU resources is reallocated. - - name: rt.runtime.us - type: long - unit: micros - description: | - Period of time in microseconds for the longest continuous period in which the tasks in a cgroup have access to CPU resources. - - name: stats.periods - type: long - metric_type: counter - description: | - Number of period intervals (as specified in cpu.cfs.period.us) that have elapsed. - - name: stats.throttled.periods - type: long - metric_type: counter - description: | - Number of times tasks in a cgroup have been throttled (that is, not allowed to run because they have exhausted all of the available time as specified by their quota). - - name: stats.throttled.ns - type: long - metric_type: counter - unit: nanos - description: | - The total time duration (in nanoseconds) for which tasks in a cgroup have been throttled. - - name: cpuacct - type: group - fields: - - name: id - type: keyword - description: ID of the cgroup. - - name: path - type: keyword - description: | - Path to the cgroup relative to the cgroup subsystem's mountpoint. - - name: total.ns - type: long - metric_type: counter - unit: nanos - description: | - Total CPU time in nanoseconds consumed by all tasks in the cgroup. 
- - name: stats.user.ns - type: long - metric_type: counter - unit: nanos - description: CPU time consumed by tasks in user mode. - - name: stats.system.ns - type: long - metric_type: counter - unit: nanos - description: CPU time consumed by tasks in user (kernel) mode. - - name: percpu - type: object - description: | - CPU time (in nanoseconds) consumed on each CPU by all tasks in this cgroup. - - name: memory - type: group - fields: - - name: id - type: keyword - description: ID of the cgroup. - - name: path - type: keyword - description: | - Path to the cgroup relative to the cgroup subsystem's mountpoint. - - name: mem.usage.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total memory usage by processes in the cgroup (in bytes). - - name: mem.usage.max.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum memory used by processes in the cgroup (in bytes). - - name: mem.limit.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum amount of user memory in bytes (including file cache) that tasks in the cgroup are allowed to use. - - name: mem.failures - type: long - description: | - The number of times that the memory limit (mem.limit.bytes) was reached. - - name: memsw.usage.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The sum of current memory usage plus swap space used by processes in the cgroup (in bytes). - - name: memsw.usage.max.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum amount of memory and swap space used by processes in the cgroup (in bytes). - - name: memsw.limit.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum amount for the sum of memory and swap usage that tasks in the cgroup are allowed to use. 
- - name: memsw.failures
- type: long
- unit: byte
- metric_type: gauge
- description: |
- The number of times that the memory plus swap space limit (memsw.limit.bytes) was reached.
- - name: kmem.usage.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Total kernel memory usage by processes in the cgroup (in bytes).
- - name: kmem.usage.max.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- The maximum kernel memory used by processes in the cgroup (in bytes).
- - name: kmem.limit.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- The maximum amount of kernel memory that tasks in the cgroup are allowed to use.
- - name: kmem.failures
- type: long
- metric_type: counter
- description: |
- The number of times that the memory limit (kmem.limit.bytes) was reached.
- - name: kmem_tcp.usage.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Total memory usage for TCP buffers in bytes.
- - name: kmem_tcp.usage.max.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- The maximum memory used for TCP buffers by processes in the cgroup (in bytes).
- - name: kmem_tcp.limit.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- The maximum amount of memory for TCP buffers that tasks in the cgroup are allowed to use.
- - name: kmem_tcp.failures
- type: long
- metric_type: counter
- description: |
- The number of times that the memory limit (kmem_tcp.limit.bytes) was reached.
- - name: stats.active_anon.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Anonymous and swap cache on active least-recently-used (LRU) list, including tmpfs (shmem), in bytes.
- - name: stats.active_file.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: File-backed memory on active LRU list, in bytes.
- - name: stats.cache.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: Page cache, including tmpfs (shmem), in bytes.
- - name: stats.hierarchical_memory_limit.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Memory limit for the hierarchy that contains the memory cgroup, in bytes.
- - name: stats.hierarchical_memsw_limit.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Memory plus swap limit for the hierarchy that contains the memory cgroup, in bytes.
- - name: stats.inactive_anon.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Anonymous and swap cache on inactive LRU list, including tmpfs (shmem), in bytes
- - name: stats.inactive_file.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- File-backed memory on inactive LRU list, in bytes.
- - name: stats.mapped_file.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Size of memory-mapped mapped files, including tmpfs (shmem), in bytes.
- - name: stats.page_faults
- type: long
- metric_type: counter
- description: |
- Number of times that a process in the cgroup triggered a page fault.
- - name: stats.major_page_faults
- type: long
- metric_type: counter
- description: |
- Number of times that a process in the cgroup triggered a major fault. "Major" faults happen when the kernel actually has to read the data from disk.
- - name: stats.pages_in
- type: long
- metric_type: counter
- description: |
- Number of pages paged into memory. This is a counter.
- - name: stats.pages_out
- type: long
- metric_type: counter
- description: |
- Number of pages paged out of memory. This is a counter.
- - name: stats.rss.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Anonymous and swap cache (includes transparent hugepages), not including tmpfs (shmem), in bytes.
- - name: stats.rss_huge.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Number of bytes of anonymous transparent hugepages.
- - name: stats.swap.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Swap usage, in bytes.
- - name: stats.unevictable.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Memory that cannot be reclaimed, in bytes.
- - name: blkio
- type: group
- fields:
- - name: id
- type: keyword
- description: ID of the cgroup.
- - name: path
- type: keyword
- description: |
- Path to the cgroup relative to the cgroup subsystems mountpoint.
- - name: total.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Total number of bytes transferred to and from all block devices by processes in the cgroup.
- - name: total.ios
- type: long
- metric_type: counter
- description: |
- Total number of I/O operations performed on all devices by processes in the cgroup as seen by the throttling policy.
diff --git a/packages/system/0.11.2/data_stream/process/manifest.yml b/packages/system/0.11.2/data_stream/process/manifest.yml
deleted file mode 100644
index fd982eb931..0000000000
--- a/packages/system/0.11.2/data_stream/process/manifest.yml
+++ /dev/null
@@ -1,85 +0,0 @@
-title: System process metrics
-release: experimental
-type: metrics
-streams:
- - input: system/metrics
- vars:
- - name: period
- type: text
- title: Period
- multi: false
- required: true
- show_user: true
- default: 10s
- - name: process.include_top_n.by_cpu
- type: integer
- title: Process Include Top N By Cpu
- multi: false
- required: true
- show_user: true
- default: 5
- description: >
- Include the top N processes by CPU usage.
-
- - name: process.include_top_n.by_memory
- type: integer
- title: Process Include Top N By Memory
- multi: false
- required: true
- show_user: true
- default: 5
- description: >
- Include the top N processes by memory usage.
-
- - name: process.cmdline.cache.enabled
- type: bool
- title: Enable cmdline cache
- multi: false
- required: false
- show_user: true
- default: true
- description: >
- If false, cmdline of a process is not cached.
-
- - name: process.cgroups.enabled
- type: bool
- title: Enable cgroup reporting
- multi: false
- required: false
- show_user: true
- default: false
- description: >
- Enable collection of cgroup metrics from processes on Linux.
-
- - name: process.env.whitelist
- type: text
- title: Env whitelist
- multi: true
- required: false
- show_user: true
- description: >
- A list of regular expressions used to whitelist environment variables reported with the process metricset's events. Defaults to empty.
-
- - name: process.include_cpu_ticks
- type: bool
- title: Include CPU Ticks
- multi: false
- required: false
- show_user: true
- default: false
- description: >
- Include the cumulative CPU tick values with the process metrics.
-
- - name: processes
- type: text
- title: Processes
- multi: true
- required: true
- show_user: true
- description: >
- A glob to match reported processes. By default all processes are reported.
-
- default:
- - .*
- title: System process metrics
- description: Collect System process metrics
diff --git a/packages/system/0.11.2/data_stream/process_summary/agent/stream/stream.yml.hbs b/packages/system/0.11.2/data_stream/process_summary/agent/stream/stream.yml.hbs
deleted file mode 100644
index 298d89ea60..0000000000
--- a/packages/system/0.11.2/data_stream/process_summary/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,5 +0,0 @@
-metricsets: ["process_summary"]
-period: {{period}}
-{{#if system.hostfs}}
-system.hostfs: {{system.hostfs}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/system/0.11.2/data_stream/process_summary/fields/agent.yml b/packages/system/0.11.2/data_stream/process_summary/fields/agent.yml
deleted file mode 100644
index da4e652c53..0000000000
--- a/packages/system/0.11.2/data_stream/process_summary/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/system/0.11.2/data_stream/process_summary/fields/base-fields.yml b/packages/system/0.11.2/data_stream/process_summary/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.11.2/data_stream/process_summary/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.11.2/data_stream/process_summary/fields/ecs.yml b/packages/system/0.11.2/data_stream/process_summary/fields/ecs.yml
deleted file mode 100644
index 9f3d04118b..0000000000
--- a/packages/system/0.11.2/data_stream/process_summary/fields/ecs.yml
+++ /dev/null
@@ -1,128 +0,0 @@
-- name: '@timestamp'
- level: core
- required: true
- type: date
- description: |-
- Date/time when the event originated.
- This is the date/time extracted from the event, typically representing when the event was generated by the source.
- If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline.
- Required field for all events.
-- name: message
- level: core
- type: text
- description: |-
- For log events the message field contains the log message, optimized for viewing in a log viewer.
- For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
- If multiple messages exist, they can be combined into one message.
-- name: group
- title: Group
- group: 2
- type: group
- fields:
- - name: id
- level: extended
- type: keyword
- description: Unique identifier for the group on the system/platform.
- ignore_above: 1024
- - name: name
- level: extended
- type: keyword
- description: Name of the group.
- ignore_above: 1024
-- name: host
- title: Host
- group: 2
- type: group
- fields:
- - name: hostname
- level: core
- type: keyword
- description: |-
- Hostname of the host.
- It normally contains what the `hostname` command returns on the host machine.
- ignore_above: 1024
-- name: process
- title: Process
- group: 2
- type: group
- fields:
- - name: name
- level: extended
- type: keyword
- description: |-
- Process name.
- Sometimes called program name or similar.
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- - name: pid
- level: core
- type: long
- format: string
- description: Process id.
-- name: source
- title: Source
- group: 2
- type: group
- fields:
- - name: geo.city_name
- level: core
- type: keyword
- description: City name.
- ignore_above: 1024
- - name: geo.continent_name
- level: core
- type: keyword
- description: Name of the continent.
- ignore_above: 1024
- - name: geo.country_iso_code
- level: core
- type: keyword
- description: Country ISO code.
- ignore_above: 1024
- - name: geo.location
- level: core
- type: geo_point
- description: Longitude and latitude.
- - name: geo.region_iso_code
- level: core
- type: keyword
- description: Region ISO code.
- ignore_above: 1024
- - name: geo.region_name
- level: core
- type: keyword
- description: Region name.
- ignore_above: 1024
- - name: ip
- level: core
- type: ip
- description: IP address of the source (IPv4 or IPv6).
- - name: port
- level: core
- type: long
- format: string
- description: Port of the source.
-- name: user
- title: User
- group: 2
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- description: Unique identifier of the user.
- ignore_above: 1024
- - name: name
- level: core
- type: keyword
- description: Short name or login of the user.
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
diff --git a/packages/system/0.11.2/data_stream/process_summary/fields/fields.yml b/packages/system/0.11.2/data_stream/process_summary/fields/fields.yml
deleted file mode 100644
index bc9254a2ae..0000000000
--- a/packages/system/0.11.2/data_stream/process_summary/fields/fields.yml
+++ /dev/null
@@ -1,44 +0,0 @@
-- name: system.process.summary
- title: Process Summary
- type: group
- fields:
- - name: total
- type: long
- metric_type: gauge
- description: |
- Total number of processes on this host.
- - name: running
- type: long
- metric_type: gauge
- description: |
- Number of running processes on this host.
- - name: idle
- type: long
- metric_type: gauge
- description: |
- Number of idle processes on this host.
- - name: sleeping
- type: long
- metric_type: gauge
- description: |
- Number of sleeping processes on this host.
- - name: stopped
- type: long
- metric_type: gauge
- description: |
- Number of stopped processes on this host.
- - name: zombie
- type: long
- metric_type: gauge
- description: |
- Number of zombie processes on this host.
- - name: dead
- type: long
- metric_type: gauge
- description: |
- Number of dead processes on this host. It's very unlikely that it will appear but in some special situations it may happen.
- - name: unknown
- type: long
- metric_type: gauge
- description: |
- Number of processes for which the state couldn't be retrieved or is unknown.
diff --git a/packages/system/0.11.2/data_stream/process_summary/manifest.yml b/packages/system/0.11.2/data_stream/process_summary/manifest.yml
deleted file mode 100644
index cd89d30b94..0000000000
--- a/packages/system/0.11.2/data_stream/process_summary/manifest.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-title: System process_summary metrics
-release: experimental
-type: metrics
-streams:
- - input: system/metrics
- vars:
- - name: period
- type: text
- title: Period
- multi: false
- required: true
- show_user: true
- default: 10s
- title: System process_summary metrics
- description: Collect System process_summary metrics
diff --git a/packages/system/0.11.2/data_stream/security/agent/stream/winlog.yml.hbs b/packages/system/0.11.2/data_stream/security/agent/stream/winlog.yml.hbs
deleted file mode 100644
index d121ba9c56..0000000000
--- a/packages/system/0.11.2/data_stream/security/agent/stream/winlog.yml.hbs
+++ /dev/null
@@ -1,2537 +0,0 @@
-name: Security
-condition: ${host.platform} == 'windows'
-processors:
- - add_fields:
- target: ''
- fields:
- ecs.version: 1.8.0
- - script:
- lang: javascript
- id: security
- source: |-
- // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- // or more contributor license agreements. Licensed under the Elastic License;
- // you may not use this file except in compliance with the Elastic License.
- var security = (function () {
- var path = require("path");
- var processor = require("processor");
- var windows = require("windows");
- // Logon Types
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events
- var logonTypes = {
- "2": "Interactive",
- "3": "Network",
- "4": "Batch",
- "5": "Service",
- "7": "Unlock",
- "8": "NetworkCleartext",
- "9": "NewCredentials",
- "10": "RemoteInteractive",
- "11": "CachedInteractive",
- };
- // User Account Control Attributes Table
- // https://support.microsoft.com/es-us/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties
- var uacFlags = [
- [0x0001, 'SCRIPT'],
- [0x0002, 'ACCOUNTDISABLE'],
- [0x0008, 'HOMEDIR_REQUIRED'],
- [0x0010, 'LOCKOUT'],
- [0x0020, 'PASSWD_NOTREQD'],
- [0x0040, 'PASSWD_CANT_CHANGE'],
- [0x0080, 'ENCRYPTED_TEXT_PWD_ALLOWED'],
- [0x0100, 'TEMP_DUPLICATE_ACCOUNT'],
- [0x0200, 'NORMAL_ACCOUNT'],
- [0x0800, 'INTERDOMAIN_TRUST_ACCOUNT'],
- [0x1000, 'WORKSTATION_TRUST_ACCOUNT'],
- [0x2000, 'SERVER_TRUST_ACCOUNT'],
- [0x10000, 'DONT_EXPIRE_PASSWORD'],
- [0x20000, 'MNS_LOGON_ACCOUNT'],
- [0x40000, 'SMARTCARD_REQUIRED'],
- [0x80000, 'TRUSTED_FOR_DELEGATION'],
- [0x100000, 'NOT_DELEGATED'],
- [0x200000, 'USE_DES_KEY_ONLY'],
- [0x400000, 'DONT_REQ_PREAUTH'],
- [0x800000, 'PASSWORD_EXPIRED'],
- [0x1000000, 'TRUSTED_TO_AUTH_FOR_DELEGATION'],
- [0x04000000, 'PARTIAL_SECRETS_ACCOUNT'],
- ];
- // Kerberos TGT and TGS Ticket Options
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769
- var ticketOptions = [
- "Reserved",
- "Forwardable",
- "Forwarded",
- "Proxiable",
- "Proxy",
- "Allow-postdate",
- "Postdated",
- "Invalid",
- "Renewable",
- "Initial",
- "Pre-authent",
- "Opt-hardware-auth",
- "Transited-policy-checked",
- "Ok-as-delegate",
- "Request-anonymous",
- "Name-canonicalize",
- "Unused",
- "Unused",
- "Unused",
- "Unused",
- "Unused",
- "Unused",
- "Unused",
- "Unused",
- "Unused",
- "Unused",
- "Disable-transited-check",
- "Renewable-ok",
- "Enc-tkt-in-skey",
- "Unused",
- "Renew",
- "Validate"];
- // Kerberos Encryption Types
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
- var ticketEncryptionTypes = {
- "0x1": "DES-CBC-CRC",
- "0x3": "DES-CBC-MD5",
- "0x11": "AES128-CTS-HMAC-SHA1-96",
- "0x12": "AES256-CTS-HMAC-SHA1-96",
- "0x17": "RC4-HMAC",
- "0x18": "RC4-HMAC-EXP",
- "0xffffffff": "FAIL",
- };
- // Kerberos Result Status Codes
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
- var kerberosTktStatusCodes = {
- "0x0": "KDC_ERR_NONE",
- "0x1": "KDC_ERR_NAME_EXP",
- "0x2": "KDC_ERR_SERVICE_EXP",
- "0x3": "KDC_ERR_BAD_PVNO",
- "0x4": "KDC_ERR_C_OLD_MAST_KVNO",
- "0x5": "KDC_ERR_S_OLD_MAST_KVNO",
- "0x6": "KDC_ERR_C_PRINCIPAL_UNKNOWN",
- "0x7": "KDC_ERR_S_PRINCIPAL_UNKNOWN",
- "0x8": "KDC_ERR_PRINCIPAL_NOT_UNIQUE",
- "0x9": "KDC_ERR_NULL_KEY",
- "0xA": "KDC_ERR_CANNOT_POSTDATE",
- "0xB": "KDC_ERR_NEVER_VALID",
- "0xC": "KDC_ERR_POLICY",
- "0xD": "KDC_ERR_BADOPTION",
- "0xE": "KDC_ERR_ETYPE_NOTSUPP",
- "0xF": "KDC_ERR_SUMTYPE_NOSUPP",
- "0x10": "KDC_ERR_PADATA_TYPE_NOSUPP",
- "0x11": "KDC_ERR_TRTYPE_NO_SUPP",
- "0x12": "KDC_ERR_CLIENT_REVOKED",
- "0x13": "KDC_ERR_SERVICE_REVOKED",
- "0x14": "KDC_ERR_TGT_REVOKED",
- "0x15": "KDC_ERR_CLIENT_NOTYET",
- "0x16": "KDC_ERR_SERVICE_NOTYET",
- "0x17": "KDC_ERR_KEY_EXPIRED",
- "0x18": "KDC_ERR_PREAUTH_FAILED",
- "0x19": "KDC_ERR_PREAUTH_REQUIRED",
- "0x1A": "KDC_ERR_SERVER_NOMATCH",
- "0x1B": "KDC_ERR_MUST_USE_USER2USER",
- "0x1F": "KRB_AP_ERR_BAD_INTEGRITY",
- "0x20": "KRB_AP_ERR_TKT_EXPIRED",
- "0x21": "KRB_AP_ERR_TKT_NYV",
- "0x22": "KRB_AP_ERR_REPEAT",
- "0x23": "KRB_AP_ERR_NOT_US",
- "0x24": "KRB_AP_ERR_BADMATCH",
- "0x25": "KRB_AP_ERR_SKEW",
- "0x26": "KRB_AP_ERR_BADADDR",
- "0x27": "KRB_AP_ERR_BADVERSION",
- "0x28": "KRB_AP_ERR_MSG_TYPE",
- "0x29": "KRB_AP_ERR_MODIFIED",
- "0x2A": "KRB_AP_ERR_BADORDER",
- "0x2C": "KRB_AP_ERR_BADKEYVER",
- "0x2D": "KRB_AP_ERR_NOKEY",
- "0x2E": "KRB_AP_ERR_MUT_FAIL",
- "0x2F": "KRB_AP_ERR_BADDIRECTION",
- "0x30": "KRB_AP_ERR_METHOD",
- "0x31": "KRB_AP_ERR_BADSEQ",
- "0x32": "KRB_AP_ERR_INAPP_CKSUM",
- "0x33": "KRB_AP_PATH_NOT_ACCEPTED",
- "0x34": "KRB_ERR_RESPONSE_TOO_BIG",
- "0x3C": "KRB_ERR_GENERIC",
- "0x3D": "KRB_ERR_FIELD_TOOLONG",
- "0x3E": "KDC_ERR_CLIENT_NOT_TRUSTED",
- "0x3F": "KDC_ERR_KDC_NOT_TRUSTED",
- "0x40": "KDC_ERR_INVALID_SIG",
- "0x41": "KDC_ERR_KEY_TOO_WEAK",
- "0x42": "KRB_AP_ERR_USER_TO_USER_REQUIRED",
- "0x43": "KRB_AP_ERR_NO_TGT",
- "0x44": "KDC_ERR_WRONG_REALM",
- };
- // event.category, event.type, event.action
- var eventActionTypes = {
- "1100": [["process"], ["end"], "logging-service-shutdown"],
- "1102": [["iam"], ["admin", "change"], "audit-log-cleared"], // need to recategorize
- "1104": [["iam"], ["admin"],"logging-full"],
- "1105": [["iam"], ["admin"],"auditlog-archieved"],
- "1108": [["iam"], ["admin"],"logging-processing-error"],
- "4610": [["configuration"], ["access"], "authentication-package-loaded"],
- "4611": [["configuration"], ["change"], "trusted-logon-process-registered"],
- "4614": [["configuration"], ["access"], "notification-package-loaded"],
- "4616": [["configuration"], ["change"], "system-time-changed"],
- "4622": [["configuration"], ["access"], "security-package-loaded"],
- "4624": [["authentication"], ["start"], "logged-in"],
- "4625": [["authentication"], ["start"], "logon-failed"],
- "4634": [["authentication"], ["end"], "logged-out"],
- "4647": [["authentication"], ["end"], "logged-out"],
- "4648": [["authentication"], ["start"], "logged-in-explicit"],
- "4657": [["registry", "configuration"], ["change"], "registry-value-modified"],
- "4670": [["iam", "configuration"],["admin", "change"],"permissions-changed"],
- "4672": [["iam"], ["admin"], "logged-in-special"],
- "4673": [["iam"], ["admin"], "privileged-service-called"],
- "4674": [["iam"], ["admin"], "privileged-operation"],
- "4688": [["process"], ["start"], "created-process"],
- "4689": [["process"], ["end"], "exited-process"],
- "4697": [["iam", "configuration"], ["admin", "change"],"service-installed"], // remove iam and admin
- "4698": [["iam", "configuration"], ["creation", "admin"], "scheduled-task-created"], // remove iam and admin
- "4699": [["iam", "configuration"], ["deletion", "admin"], "scheduled-task-deleted"], // remove iam and admin
- "4700": [["iam", "configuration"], ["change", "admin"], "scheduled-task-enabled"], // remove iam and admin
- "4701": [["iam", "configuration"], ["change", "admin"], "scheduled-task-disabled"], // remove iam and admin
- "4702": [["iam", "configuration"], ["change", "admin"], "scheduled-task-updated"], // remove iam and admin
- "4706": [["configuration"], ["creation"], "domain-trust-added"],
- "4707": [["configuration"], ["deletion"], "domain-trust-removed"],
- "4713": [["configuration"], ["change"], "kerberos-policy-changed"],
- "4714": [["configuration"], ["change"], "encrypted-data-recovery-policy-changed"],
- "4715": [["configuration"], ["change"], "object-audit-policy-changed"],
- "4716": [["configuration"], ["change"], "trusted-domain-information-changed"],
- "4717": [["iam", "configuration"],["admin", "change"],"system-security-access-granted"],
- "4718": [["iam", "configuration"],["admin", "deletion"],"system-security-access-removed"],
- "4719": [["iam", "configuration"], ["admin", "change"], "changed-audit-config"], // remove iam and admin
- "4720": [["iam"], ["user", "creation"], "added-user-account"],
- "4722": [["iam"], ["user", "change"], "enabled-user-account"],
- "4723": [["iam"], ["user", "change"], "changed-password"],
- "4724": [["iam"], ["user", "change"], "reset-password"],
- "4725": [["iam"], ["user", "deletion"], "disabled-user-account"],
- "4726": [["iam"], ["user", "deletion"], "deleted-user-account"],
- "4727": [["iam"], ["group", "creation"], "added-group-account"],
- "4728": [["iam"], ["group", "change"], "added-member-to-group"],
- "4729": [["iam"], ["group", "change"], "removed-member-from-group"],
- "4730": [["iam"], ["group", "deletion"], "deleted-group-account"],
- "4731": [["iam"], ["group", "creation"], "added-group-account"],
- "4732": [["iam"], ["group", "change"], "added-member-to-group"],
- "4733": [["iam"], ["group", "change"], "removed-member-from-group"],
- "4734": [["iam"], ["group", "deletion"], "deleted-group-account"],
- "4735": [["iam"], ["group", "change"], "modified-group-account"],
- "4737": [["iam"], ["group", "change"], "modified-group-account"],
- "4738": [["iam"], ["user", "change"], "modified-user-account"],
- "4739": [["configuration"], ["change"], "domain-policy-changed"],
- "4740": [["iam"], ["user", "change"], "locked-out-user-account"],
- "4741": [["iam"], ["creation", "admin"], "added-computer-account"], // remove admin
- "4742": [["iam"], ["change", "admin"], "changed-computer-account"], // remove admin
- "4743": [["iam"], ["deletion", "admin"], "deleted-computer-account"], // remove admin
- "4744": [["iam"], ["group", "creation"], "added-distribution-group-account"],
- "4745": [["iam"], ["group", "change"], "changed-distribution-group-account"],
- "4746": [["iam"], ["group", "change"], "added-member-to-distribution-group"],
- "4747": [["iam"], ["group", "change"], "removed-member-from-distribution-group"],
- "4748": [["iam"], ["group", "deletion"], "deleted-distribution-group-account"],
- "4749": [["iam"], ["group", "creation"], "added-distribution-group-account"],
- "4750": [["iam"], ["group", "change"], "changed-distribution-group-account"],
- "4751": [["iam"], ["group", "change"], "added-member-to-distribution-group"],
- "4752": [["iam"], ["group", "change"], "removed-member-from-distribution-group"],
- "4753": [["iam"], ["group", "deletion"], "deleted-distribution-group-account"],
- "4754": [["iam"], ["group", "creation"], "added-group-account"],
- "4755": [["iam"], ["group", "change"], "modified-group-account"],
- "4756": [["iam"], ["group", "change"], "added-member-to-group"],
- "4757": [["iam"], ["group", "change"], "removed-member-from-group"],
- "4758": [["iam"], ["group", "deletion"], "deleted-group-account"],
- "4759": [["iam"], ["group", "creation"], "added-distribution-group-account"],
- "4760": [["iam"], ["group", "change"], "changed-distribution-group-account"],
- "4761": [["iam"], ["group", "change"], "added-member-to-distribution-group"],
- "4762": [["iam"], ["group", "change"], "removed-member-from-distribution-group"],
- "4763": [["iam"], ["group", "deletion"], "deleted-distribution-group-account"],
- "4764": [["iam"], ["group", "change"], "type-changed-group-account"],
- "4767": [["iam"], ["user", "change"], "unlocked-user-account"],
- "4768": [["authentication"], ["start"], "kerberos-authentication-ticket-requested"],
- "4769": [["authentication"], ["start"], "kerberos-service-ticket-requested"],
- "4770": [["authentication"], ["start"], "kerberos-service-ticket-renewed"],
- "4771": [["authentication"], ["start"], "kerberos-preauth-failed"],
- "4776": [["authentication"], ["start"], "credential-validated"],
- "4778": [["authentication", "session"], ["start"], "session-reconnected"],
- "4779": [["authentication", "session"], ["end"], "session-disconnected"],
- "4781": [["iam"], ["user", "change"], "renamed-user-account"],
- "4798": [["iam"], ["user", "info"], "group-membership-enumerated"], // process enumerates the local groups to which the specified user belongs
- "4799": [["iam"], ["group", "info"], "user-member-enumerated"], // a process enumerates the members of the specified local group
- "4817": [["iam", "configuration"], ["admin", "change"],"object-audit-changed"],
- "4902": [["iam", "configuration"], ["admin", "creation"],"user-audit-policy-created"],
- "4904": [["iam", "configuration"], ["admin", "change"],"security-event-source-added"],
- "4905": [["iam", "configuration"], ["admin", "deletion"], "security-event-source-removed"],
- "4906": [["iam", "configuration"], ["admin", "change"], "crash-on-audit-changed"],
- "4907": [["iam", "configuration"], ["admin", "change"], "audit-setting-changed"],
- "4908": [["iam", "configuration"], ["admin", "change"], "special-group-table-changed"],
- "4912": [["iam", "configuration"], ["admin", "change"], "per-user-audit-policy-changed"],
- "4950": [["configuration"], ["change"], "windows-firewall-setting-changed"],
- "4954": [["configuration"], ["change"], "windows-firewall-group-policy-changed"],
- "4964": [["iam"], ["admin", "group"], "logged-in-special"],
- "5024": [["process"], ["start"], "windows-firewall-service-started"],
- "5025": [["process"], ["end"], "windows-firewall-service-stopped"],
- "5033": [["driver"], ["start"], "windows-firewall-driver-started"],
- "5034": [["driver"], ["end"], "windows-firewall-driver-stopped"],
- "5037": [["driver"], ["end"], "windows-firewall-driver-error"],
- };
- // Services Types
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697
- var serviceTypes = {
- "0x1": "Kernel Driver",
- "0x2": "File System Driver",
- "0x8": "Recognizer Driver",
- "0x10": "Win32 Own Process",
- "0x20": "Win32 Share Process",
- "0x110": "Interactive
Own Process", - "0x120": "Interactive Share Process", - }; - // Audit Categories Description - // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpac/77878370-0712-47cd-997d-b07053429f6d - var auditDescription = { - "0CCE9210-69AE-11D9-BED3-505054503030":["Security State Change", "System"], - "0CCE9211-69AE-11D9-BED3-505054503030":["Security System Extension", "System"], - "0CCE9212-69AE-11D9-BED3-505054503030":["System Integrity", "System"], - "0CCE9213-69AE-11D9-BED3-505054503030":["IPsec Driver", "System"], - "0CCE9214-69AE-11D9-BED3-505054503030":["Other System Events", "System"], - "0CCE9215-69AE-11D9-BED3-505054503030":["Logon", "Logon/Logoff"], - "0CCE9216-69AE-11D9-BED3-505054503030":["Logoff","Logon/Logoff"], - "0CCE9217-69AE-11D9-BED3-505054503030":["Account Lockout","Logon/Logoff"], - "0CCE9218-69AE-11D9-BED3-505054503030":["IPsec Main Mode","Logon/Logoff"], - "0CCE9219-69AE-11D9-BED3-505054503030":["IPsec Quick Mode","Logon/Logoff"], - "0CCE921A-69AE-11D9-BED3-505054503030":["IPsec Extended Mode","Logon/Logoff"], - "0CCE921B-69AE-11D9-BED3-505054503030":["Special Logon","Logon/Logoff"], - "0CCE921C-69AE-11D9-BED3-505054503030":["Other Logon/Logoff Events","Logon/Logoff"], - "0CCE9243-69AE-11D9-BED3-505054503030":["Network Policy Server","Logon/Logoff"], - "0CCE9247-69AE-11D9-BED3-505054503030":["User / Device Claims","Logon/Logoff"], - "0CCE921D-69AE-11D9-BED3-505054503030":["File System","Object Access"], - "0CCE921E-69AE-11D9-BED3-505054503030":["Registry","Object Access"], - "0CCE921F-69AE-11D9-BED3-505054503030":["Kernel Object","Object Access"], - "0CCE9220-69AE-11D9-BED3-505054503030":["SAM","Object Access"], - "0CCE9221-69AE-11D9-BED3-505054503030":["Certification Services","Object Access"], - "0CCE9222-69AE-11D9-BED3-505054503030":["Application Generated","Object Access"], - "0CCE9223-69AE-11D9-BED3-505054503030":["Handle Manipulation","Object Access"], - "0CCE9224-69AE-11D9-BED3-505054503030":["File Share","Object Access"], - 
"0CCE9225-69AE-11D9-BED3-505054503030":["Filtering Platform Packet Drop","Object Access"], - "0CCE9226-69AE-11D9-BED3-505054503030":["Filtering Platform Connection ","Object Access"], - "0CCE9227-69AE-11D9-BED3-505054503030":["Other Object Access Events","Object Access"], - "0CCE9244-69AE-11D9-BED3-505054503030":["Detailed File Share","Object Access"], - "0CCE9245-69AE-11D9-BED3-505054503030":["Removable Storage","Object Access"], - "0CCE9246-69AE-11D9-BED3-505054503030":["Central Policy Staging","Object Access"], - "0CCE9228-69AE-11D9-BED3-505054503030":["Sensitive Privilege Use","Privilege Use"], - "0CCE9229-69AE-11D9-BED3-505054503030":["Non Sensitive Privilege Use","Privilege Use"], - "0CCE922A-69AE-11D9-BED3-505054503030":["Other Privilege Use Events","Privilege Use"], - "0CCE922B-69AE-11D9-BED3-505054503030":["Process Creation","Detailed Tracking"], - "0CCE922C-69AE-11D9-BED3-505054503030":["Process Termination","Detailed Tracking"], - "0CCE922D-69AE-11D9-BED3-505054503030":["DPAPI Activity","Detailed Tracking"], - "0CCE922E-69AE-11D9-BED3-505054503030":["RPC Events","Detailed Tracking"], - "0CCE9248-69AE-11D9-BED3-505054503030":["Plug and Play Events","Detailed Tracking"], - "0CCE922F-69AE-11D9-BED3-505054503030":["Audit Policy Change","Policy Change"], - "0CCE9230-69AE-11D9-BED3-505054503030":["Authentication Policy Change","Policy Change"], - "0CCE9231-69AE-11D9-BED3-505054503030":["Authorization Policy Change","Policy Change"], - "0CCE9232-69AE-11D9-BED3-505054503030":["MPSSVC Rule-Level Policy Change","Policy Change"], - "0CCE9233-69AE-11D9-BED3-505054503030":["Filtering Platform Policy Change","Policy Change"], - "0CCE9234-69AE-11D9-BED3-505054503030":["Other Policy Change Events","Policy Change"], - "0CCE9235-69AE-11D9-BED3-505054503030":["User Account Management","Account Management"], - "0CCE9236-69AE-11D9-BED3-505054503030":["Computer Account Management","Account Management"], - "0CCE9237-69AE-11D9-BED3-505054503030":["Security Group 
Management","Account Management"], - "0CCE9238-69AE-11D9-BED3-505054503030":["Distribution Group Management","Account Management"], - "0CCE9239-69AE-11D9-BED3-505054503030":["Application Group Management","Account Management"], - "0CCE923A-69AE-11D9-BED3-505054503030":["Other Account Management Events","Account Management"], - "0CCE923B-69AE-11D9-BED3-505054503030":["Directory Service Access","Account Management"], - "0CCE923C-69AE-11D9-BED3-505054503030":["Directory Service Changes","Account Management"], - "0CCE923D-69AE-11D9-BED3-505054503030":["Directory Service Replication","Account Management"], - "0CCE923E-69AE-11D9-BED3-505054503030":["Detailed Directory Service Replication","Account Management"], - "0CCE923F-69AE-11D9-BED3-505054503030":["Credential Validation","Account Logon"], - "0CCE9240-69AE-11D9-BED3-505054503030":["Kerberos Service Ticket Operations","Account Logon"], - "0CCE9241-69AE-11D9-BED3-505054503030":["Other Account Logon Events","Account Logon"], - "0CCE9242-69AE-11D9-BED3-505054503030":["Kerberos Authentication Service","Account Logon"], - }; - // Descriptions of failure status codes. 
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625 - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776 - var logonFailureStatus = { - "0xc000005e": "There are currently no logon servers available to service the logon request.", - "0xc0000064": "User logon with misspelled or bad user account", - "0xc000006a": "User logon with misspelled or bad password", - "0xc000006d": "This is either due to a bad username or authentication information", - "0xc000006e": "Unknown user name or bad password.", - "0xc000006f": "User logon outside authorized hours", - "0xc0000070": "User logon from unauthorized workstation", - "0xc0000071": "User logon with expired password", - "0xc0000072": "User logon to account disabled by administrator", - "0xc00000dc": "Indicates the Sam Server was in the wrong state to perform the desired operation.", - "0xc0000133": "Clocks between DC and other computer too far out of sync", - "0xc000015b": "The user has not been granted the requested logon type (aka logon right) at this machine", - "0xc000018c": "The logon request failed because the trust relationship between the primary domain and the trusted domain failed.", - "0xc0000192": "An attempt was made to logon, but the Netlogon service was not started.", - "0xc0000193": "User logon with expired account", - "0xc0000224": "User is required to change password at next logon", - "0xc0000225": "Evidently a bug in Windows and not a risk", - "0xc0000234": "User logon with account locked", - "0xc00002ee": "Failure Reason: An Error occurred during Logon", - "0xc0000413": "Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine.", - "0xc0000371": "The local account store does not contain secret material for the specified account", - "0x0": "Status OK.", - }; - // Message table extracted from msobjs.dll on Windows 2019. 
- // https://gist.github.com/andrewkroh/665dca0682bd0e4daf194ab291694012 - var msobjsMessageTable = { - "279": "Undefined Access (no effect) Bit 7", - "1536": "Unused message ID", - "1537": "DELETE", - "1538": "READ_CONTROL", - "1539": "WRITE_DAC", - "1540": "WRITE_OWNER", - "1541": "SYNCHRONIZE", - "1542": "ACCESS_SYS_SEC", - "1543": "MAX_ALLOWED", - "1552": "Unknown specific access (bit 0)", - "1553": "Unknown specific access (bit 1)", - "1554": "Unknown specific access (bit 2)", - "1555": "Unknown specific access (bit 3)", - "1556": "Unknown specific access (bit 4)", - "1557": "Unknown specific access (bit 5)", - "1558": "Unknown specific access (bit 6)", - "1559": "Unknown specific access (bit 7)", - "1560": "Unknown specific access (bit 8)", - "1561": "Unknown specific access (bit 9)", - "1562": "Unknown specific access (bit 10)", - "1563": "Unknown specific access (bit 11)", - "1564": "Unknown specific access (bit 12)", - "1565": "Unknown specific access (bit 13)", - "1566": "Unknown specific access (bit 14)", - "1567": "Unknown specific access (bit 15)", - "1601": "Not used", - "1603": "Assign Primary Token Privilege", - "1604": "Lock Memory Privilege", - "1605": "Increase Memory Quota Privilege", - "1606": "Unsolicited Input Privilege", - "1607": "Trusted Computer Base Privilege", - "1608": "Security Privilege", - "1609": "Take Ownership Privilege", - "1610": "Load/Unload Driver Privilege", - "1611": "Profile System Privilege", - "1612": "Set System Time Privilege", - "1613": "Profile Single Process Privilege", - "1614": "Increment Base Priority Privilege", - "1615": "Create Pagefile Privilege", - "1616": "Create Permanent Object Privilege", - "1617": "Backup Privilege", - "1618": "Restore From Backup Privilege", - "1619": "Shutdown System Privilege", - "1620": "Debug Privilege", - "1621": "View or Change Audit Log Privilege", - "1622": "Change Hardware Environment Privilege", - "1623": "Change Notify (and Traverse) Privilege", - "1624": "Remotely Shut 
System Down Privilege", - "1792": "", - "1794": "", - "1795": "Enabled", - "1796": "Disabled", - "1797": "All", - "1798": "None", - "1799": "Audit Policy query/set API Operation", - "1800": "", - "1801": "Granted by", - "1802": "Denied by", - "1803": "Denied by Integrity Policy check", - "1804": "Granted by Ownership", - "1805": "Not granted", - "1806": "Granted by NULL DACL", - "1807": "Denied by Empty DACL", - "1808": "Granted by NULL Security Descriptor", - "1809": "Unknown or unchecked", - "1810": "Not granted due to missing", - "1811": "Granted by ACE on parent folder", - "1812": "Denied by ACE on parent folder", - "1813": "Granted by Central Access Rule", - "1814": "NOT Granted by Central Access Rule", - "1815": "Granted by parent folder's Central Access Rule", - "1816": "NOT Granted by parent folder's Central Access Rule", - "1817": "Unknown Type", - "1818": "String", - "1819": "Unsigned 64-bit Integer", - "1820": "64-bit Integer", - "1821": "FQBN", - "1822": "Blob", - "1823": "Sid", - "1824": "Boolean", - "1825": "TRUE", - "1826": "FALSE", - "1827": "Invalid", - "1828": "an ACE too long to display", - "1829": "a Security Descriptor too long to display", - "1830": "Not granted to AppContainers", - "1831": "...", - "1832": "Identification", - "1833": "Impersonation", - "1840": "Delegation", - "1841": "Denied by Process Trust Label ACE", - "1842": "Yes", - "1843": "No", - "1844": "System", - "1845": "Not Available", - "1846": "Default", - "1847": "DisallowMmConfig", - "1848": "Off", - "1849": "Auto", - "1872": "REG_NONE", - "1873": "REG_SZ", - "1874": "REG_EXPAND_SZ", - "1875": "REG_BINARY", - "1876": "REG_DWORD", - "1877": "REG_DWORD_BIG_ENDIAN", - "1878": "REG_LINK", - "1879": "REG_MULTI_SZ (New lines are replaced with *. 
A * is replaced with **)", - "1880": "REG_RESOURCE_LIST", - "1881": "REG_FULL_RESOURCE_DESCRIPTOR", - "1882": "REG_RESOURCE_REQUIREMENTS_LIST", - "1883": "REG_QWORD", - "1904": "New registry value created", - "1905": "Existing registry value modified", - "1906": "Registry value deleted", - "1920": "Sunday", - "1921": "Monday", - "1922": "Tuesday", - "1923": "Wednesday", - "1924": "Thursday", - "1925": "Friday", - "1926": "Saturday", - "1936": "TokenElevationTypeDefault (1)", - "1937": "TokenElevationTypeFull (2)", - "1938": "TokenElevationTypeLimited (3)", - "2048": "Account Enabled", - "2049": "Home Directory Required' - Disabled", - "2050": "Password Not Required' - Disabled", - "2051": "Temp Duplicate Account' - Disabled", - "2052": "Normal Account' - Disabled", - "2053": "MNS Logon Account' - Disabled", - "2054": "Interdomain Trust Account' - Disabled", - "2055": "Workstation Trust Account' - Disabled", - "2056": "Server Trust Account' - Disabled", - "2057": "Don't Expire Password' - Disabled", - "2058": "Account Unlocked", - "2059": "Encrypted Text Password Allowed' - Disabled", - "2060": "Smartcard Required' - Disabled", - "2061": "Trusted For Delegation' - Disabled", - "2062": "Not Delegated' - Disabled", - "2063": "Use DES Key Only' - Disabled", - "2064": "Don't Require Preauth' - Disabled", - "2065": "Password Expired' - Disabled", - "2066": "Trusted To Authenticate For Delegation' - Disabled", - "2067": "Exclude Authorization Information' - Disabled", - "2068": "Undefined UserAccountControl Bit 20' - Disabled", - "2069": "Protect Kerberos Service Tickets with AES Keys' - Disabled", - "2070": "Undefined UserAccountControl Bit 22' - Disabled", - "2071": "Undefined UserAccountControl Bit 23' - Disabled", - "2072": "Undefined UserAccountControl Bit 24' - Disabled", - "2073": "Undefined UserAccountControl Bit 25' - Disabled", - "2074": "Undefined UserAccountControl Bit 26' - Disabled", - "2075": "Undefined UserAccountControl Bit 27' - Disabled", - "2076": 
"Undefined UserAccountControl Bit 28' - Disabled", - "2077": "Undefined UserAccountControl Bit 29' - Disabled", - "2078": "Undefined UserAccountControl Bit 30' - Disabled", - "2079": "Undefined UserAccountControl Bit 31' - Disabled", - "2080": "Account Disabled", - "2081": "Home Directory Required' - Enabled", - "2082": "Password Not Required' - Enabled", - "2083": "Temp Duplicate Account' - Enabled", - "2084": "Normal Account' - Enabled", - "2085": "MNS Logon Account' - Enabled", - "2086": "Interdomain Trust Account' - Enabled", - "2087": "Workstation Trust Account' - Enabled", - "2088": "Server Trust Account' - Enabled", - "2089": "Don't Expire Password' - Enabled", - "2090": "Account Locked", - "2091": "Encrypted Text Password Allowed' - Enabled", - "2092": "Smartcard Required' - Enabled", - "2093": "Trusted For Delegation' - Enabled", - "2094": "Not Delegated' - Enabled", - "2095": "Use DES Key Only' - Enabled", - "2096": "Don't Require Preauth' - Enabled", - "2097": "Password Expired' - Enabled", - "2098": "Trusted To Authenticate For Delegation' - Enabled", - "2099": "Exclude Authorization Information' - Enabled", - "2100": "Undefined UserAccountControl Bit 20' - Enabled", - "2101": "Protect Kerberos Service Tickets with AES Keys' - Enabled", - "2102": "Undefined UserAccountControl Bit 22' - Enabled", - "2103": "Undefined UserAccountControl Bit 23' - Enabled", - "2104": "Undefined UserAccountControl Bit 24' - Enabled", - "2105": "Undefined UserAccountControl Bit 25' - Enabled", - "2106": "Undefined UserAccountControl Bit 26' - Enabled", - "2107": "Undefined UserAccountControl Bit 27' - Enabled", - "2108": "Undefined UserAccountControl Bit 28' - Enabled", - "2109": "Undefined UserAccountControl Bit 29' - Enabled", - "2110": "Undefined UserAccountControl Bit 30' - Enabled", - "2111": "Undefined UserAccountControl Bit 31' - Enabled", - "2304": "An Error occured during Logon.", - "2305": "The specified user account has expired.", - "2306": "The NetLogon component 
is not active.", - "2307": "Account locked out.", - "2308": "The user has not been granted the requested logon type at this machine.", - "2309": "The specified account's password has expired.", - "2310": "Account currently disabled.", - "2311": "Account logon time restriction violation.", - "2312": "User not allowed to logon at this computer.", - "2313": "Unknown user name or bad password.", - "2314": "Domain sid inconsistent.", - "2315": "Smartcard logon is required and was not used.", - "2432": "Not Available.", - "2436": "Random number generator failure.", - "2437": "Random number generation failed FIPS-140 pre-hash check.", - "2438": "Failed to zero secret data.", - "2439": "Key failed pair wise consistency check.", - "2448": "Failed to unprotect persistent cryptographic key.", - "2449": "Key export checks failed.", - "2450": "Validation of public key failed.", - "2451": "Signature verification failed.", - "2456": "Open key file.", - "2457": "Delete key file.", - "2458": "Read persisted key from file.", - "2459": "Write persisted key to file.", - "2464": "Export of persistent cryptographic key.", - "2465": "Import of persistent cryptographic key.", - "2480": "Open Key.", - "2481": "Create Key.", - "2482": "Delete Key.", - "2483": "Encrypt.", - "2484": "Decrypt.", - "2485": "Sign hash.", - "2486": "Secret agreement.", - "2487": "Domain settings", - "2488": "Local settings", - "2489": "Add provider.", - "2490": "Remove provider.", - "2491": "Add context.", - "2492": "Remove context.", - "2493": "Add function.", - "2494": "Remove function.", - "2495": "Add function provider.", - "2496": "Remove function provider.", - "2497": "Add function property.", - "2498": "Remove function property.", - "2499": "Machine key.", - "2500": "User key.", - "2501": "Key Derivation.", - "4352": "Device Access Bit 0", - "4353": "Device Access Bit 1", - "4354": "Device Access Bit 2", - "4355": "Device Access Bit 3", - "4356": "Device Access Bit 4", - "4357": "Device Access Bit 5", - 
"4358": "Device Access Bit 6", - "4359": "Device Access Bit 7", - "4360": "Device Access Bit 8", - "4361": "Undefined Access (no effect) Bit 9", - "4362": "Undefined Access (no effect) Bit 10", - "4363": "Undefined Access (no effect) Bit 11", - "4364": "Undefined Access (no effect) Bit 12", - "4365": "Undefined Access (no effect) Bit 13", - "4366": "Undefined Access (no effect) Bit 14", - "4367": "Undefined Access (no effect) Bit 15", - "4368": "Query directory", - "4369": "Traverse", - "4370": "Create object in directory", - "4371": "Create sub-directory", - "4372": "Undefined Access (no effect) Bit 4", - "4373": "Undefined Access (no effect) Bit 5", - "4374": "Undefined Access (no effect) Bit 6", - "4375": "Undefined Access (no effect) Bit 7", - "4376": "Undefined Access (no effect) Bit 8", - "4377": "Undefined Access (no effect) Bit 9", - "4378": "Undefined Access (no effect) Bit 10", - "4379": "Undefined Access (no effect) Bit 11", - "4380": "Undefined Access (no effect) Bit 12", - "4381": "Undefined Access (no effect) Bit 13", - "4382": "Undefined Access (no effect) Bit 14", - "4383": "Undefined Access (no effect) Bit 15", - "4384": "Query event state", - "4385": "Modify event state", - "4386": "Undefined Access (no effect) Bit 2", - "4387": "Undefined Access (no effect) Bit 3", - "4388": "Undefined Access (no effect) Bit 4", - "4389": "Undefined Access (no effect) Bit 5", - "4390": "Undefined Access (no effect) Bit 6", - "4391": "Undefined Access (no effect) Bit 7", - "4392": "Undefined Access (no effect) Bit 8", - "4393": "Undefined Access (no effect) Bit 9", - "4394": "Undefined Access (no effect) Bit 10", - "4395": "Undefined Access (no effect) Bit 11", - "4396": "Undefined Access (no effect) Bit 12", - "4397": "Undefined Access (no effect) Bit 13", - "4398": "Undefined Access (no effect) Bit 14", - "4399": "Undefined Access (no effect) Bit 15", - "4416": "ReadData (or ListDirectory)", - "4417": "WriteData (or AddFile)", - "4418": "AppendData (or 
AddSubdirectory or CreatePipeInstance)", - "4419": "ReadEA", - "4420": "WriteEA", - "4421": "Execute/Traverse", - "4422": "DeleteChild", - "4423": "ReadAttributes", - "4424": "WriteAttributes", - "4425": "Undefined Access (no effect) Bit 9", - "4426": "Undefined Access (no effect) Bit 10", - "4427": "Undefined Access (no effect) Bit 11", - "4428": "Undefined Access (no effect) Bit 12", - "4429": "Undefined Access (no effect) Bit 13", - "4430": "Undefined Access (no effect) Bit 14", - "4431": "Undefined Access (no effect) Bit 15", - "4432": "Query key value", - "4433": "Set key value", - "4434": "Create sub-key", - "4435": "Enumerate sub-keys", - "4436": "Notify about changes to keys", - "4437": "Create Link", - "4438": "Undefined Access (no effect) Bit 6", - "4439": "Undefined Access (no effect) Bit 7", - "4440": "Enable 64(or 32) bit application to open 64 bit key", - "4441": "Enable 64(or 32) bit application to open 32 bit key", - "4442": "Undefined Access (no effect) Bit 10", - "4443": "Undefined Access (no effect) Bit 11", - "4444": "Undefined Access (no effect) Bit 12", - "4445": "Undefined Access (no effect) Bit 13", - "4446": "Undefined Access (no effect) Bit 14", - "4447": "Undefined Access (no effect) Bit 15", - "4448": "Query mutant state", - "4449": "Undefined Access (no effect) Bit 1", - "4450": "Undefined Access (no effect) Bit 2", - "4451": "Undefined Access (no effect) Bit 3", - "4452": "Undefined Access (no effect) Bit 4", - "4453": "Undefined Access (no effect) Bit 5", - "4454": "Undefined Access (no effect) Bit 6", - "4455": "Undefined Access (no effect) Bit 7", - "4456": "Undefined Access (no effect) Bit 8", - "4457": "Undefined Access (no effect) Bit 9", - "4458": "Undefined Access (no effect) Bit 10", - "4459": "Undefined Access (no effect) Bit 11", - "4460": "Undefined Access (no effect) Bit 12", - "4461": "Undefined Access (no effect) Bit 13", - "4462": "Undefined Access (no effect) Bit 14", - "4463": "Undefined Access (no effect) Bit 15", - 
"4464": "Communicate using port", - "4465": "Undefined Access (no effect) Bit 1", - "4466": "Undefined Access (no effect) Bit 2", - "4467": "Undefined Access (no effect) Bit 3", - "4468": "Undefined Access (no effect) Bit 4", - "4469": "Undefined Access (no effect) Bit 5", - "4470": "Undefined Access (no effect) Bit 6", - "4471": "Undefined Access (no effect) Bit 7", - "4472": "Undefined Access (no effect) Bit 8", - "4473": "Undefined Access (no effect) Bit 9", - "4474": "Undefined Access (no effect) Bit 10", - "4475": "Undefined Access (no effect) Bit 11", - "4476": "Undefined Access (no effect) Bit 12", - "4477": "Undefined Access (no effect) Bit 13", - "4478": "Undefined Access (no effect) Bit 14", - "4479": "Undefined Access (no effect) Bit 15", - "4480": "Force process termination", - "4481": "Create new thread in process", - "4482": "Set process session ID", - "4483": "Perform virtual memory operation", - "4484": "Read from process memory", - "4485": "Write to process memory", - "4486": "Duplicate handle into or out of process", - "4487": "Create a subprocess of process", - "4488": "Set process quotas", - "4489": "Set process information", - "4490": "Query process information", - "4491": "Set process termination port", - "4492": "Undefined Access (no effect) Bit 12", - "4493": "Undefined Access (no effect) Bit 13", - "4494": "Undefined Access (no effect) Bit 14", - "4495": "Undefined Access (no effect) Bit 15", - "4496": "Control profile", - "4497": "Undefined Access (no effect) Bit 1", - "4498": "Undefined Access (no effect) Bit 2", - "4499": "Undefined Access (no effect) Bit 3", - "4500": "Undefined Access (no effect) Bit 4", - "4501": "Undefined Access (no effect) Bit 5", - "4502": "Undefined Access (no effect) Bit 6", - "4503": "Undefined Access (no effect) Bit 7", - "4504": "Undefined Access (no effect) Bit 8", - "4505": "Undefined Access (no effect) Bit 9", - "4506": "Undefined Access (no effect) Bit 10", - "4507": "Undefined Access (no effect) Bit 11", 
- "4508": "Undefined Access (no effect) Bit 12", - "4509": "Undefined Access (no effect) Bit 13", - "4510": "Undefined Access (no effect) Bit 14", - "4511": "Undefined Access (no effect) Bit 15", - "4512": "Query section state", - "4513": "Map section for write", - "4514": "Map section for read", - "4515": "Map section for execute", - "4516": "Extend size", - "4517": "Undefined Access (no effect) Bit 5", - "4518": "Undefined Access (no effect) Bit 6", - "4519": "Undefined Access (no effect) Bit 7", - "4520": "Undefined Access (no effect) Bit 8", - "4521": "Undefined Access (no effect) Bit 9", - "4522": "Undefined Access (no effect) Bit 10", - "4523": "Undefined Access (no effect) Bit 11", - "4524": "Undefined Access (no effect) Bit 12", - "4525": "Undefined Access (no effect) Bit 13", - "4526": "Undefined Access (no effect) Bit 14", - "4527": "Undefined Access (no effect) Bit 15", - "4528": "Query semaphore state", - "4529": "Modify semaphore state", - "4530": "Undefined Access (no effect) Bit 2", - "4531": "Undefined Access (no effect) Bit 3", - "4532": "Undefined Access (no effect) Bit 4", - "4533": "Undefined Access (no effect) Bit 5", - "4534": "Undefined Access (no effect) Bit 6", - "4535": "Undefined Access (no effect) Bit 7", - "4536": "Undefined Access (no effect) Bit 8", - "4537": "Undefined Access (no effect) Bit 9", - "4538": "Undefined Access (no effect) Bit 10", - "4539": "Undefined Access (no effect) Bit 11", - "4540": "Undefined Access (no effect) Bit 12", - "4541": "Undefined Access (no effect) Bit 13", - "4542": "Undefined Access (no effect) Bit 14", - "4543": "Undefined Access (no effect) Bit 15", - "4544": "Use symbolic link", - "4545": "Undefined Access (no effect) Bit 1", - "4546": "Undefined Access (no effect) Bit 2", - "4547": "Undefined Access (no effect) Bit 3", - "4548": "Undefined Access (no effect) Bit 4", - "4549": "Undefined Access (no effect) Bit 5", - "4550": "Undefined Access (no effect) Bit 6", - "4551": "Undefined Access (no 
effect) Bit 7", - "4552": "Undefined Access (no effect) Bit 8", - "4553": "Undefined Access (no effect) Bit 9", - "4554": "Undefined Access (no effect) Bit 10", - "4555": "Undefined Access (no effect) Bit 11", - "4556": "Undefined Access (no effect) Bit 12", - "4557": "Undefined Access (no effect) Bit 13", - "4558": "Undefined Access (no effect) Bit 14", - "4559": "Undefined Access (no effect) Bit 15", - "4560": "Force thread termination", - "4561": "Suspend or resume thread", - "4562": "Send an alert to thread", - "4563": "Get thread context", - "4564": "Set thread context", - "4565": "Set thread information", - "4566": "Query thread information", - "4567": "Assign a token to the thread", - "4568": "Cause thread to directly impersonate another thread", - "4569": "Directly impersonate this thread", - "4570": "Undefined Access (no effect) Bit 10", - "4571": "Undefined Access (no effect) Bit 11", - "4572": "Undefined Access (no effect) Bit 12", - "4573": "Undefined Access (no effect) Bit 13", - "4574": "Undefined Access (no effect) Bit 14", - "4575": "Undefined Access (no effect) Bit 15", - "4576": "Query timer state", - "4577": "Modify timer state", - "4578": "Undefined Access (no effect) Bit 2", - "4579": "Undefined Access (no effect) Bit 3", - "4580": "Undefined Access (no effect) Bit 4", - "4581": "Undefined Access (no effect) Bit 5", - "4582": "Undefined Access (no effect) Bit 6", - "4584": "Undefined Access (no effect) Bit 8", - "4585": "Undefined Access (no effect) Bit 9", - "4586": "Undefined Access (no effect) Bit 10", - "4587": "Undefined Access (no effect) Bit 11", - "4588": "Undefined Access (no effect) Bit 12", - "4589": "Undefined Access (no effect) Bit 13", - "4590": "Undefined Access (no effect) Bit 14", - "4591": "Undefined Access (no effect) Bit 15", - "4592": "AssignAsPrimary", - "4593": "Duplicate", - "4594": "Impersonate", - "4595": "Query", - "4596": "QuerySource", - "4597": "AdjustPrivileges", - "4598": "AdjustGroups", - "4599": 
"AdjustDefaultDacl",
- "4600": "AdjustSessionID",
- "4601": "Undefined Access (no effect) Bit 9",
- "4602": "Undefined Access (no effect) Bit 10",
- "4603": "Undefined Access (no effect) Bit 11",
- "4604": "Undefined Access (no effect) Bit 12",
- "4605": "Undefined Access (no effect) Bit 13",
- "4606": "Undefined Access (no effect) Bit 14",
- "4607": "Undefined Access (no effect) Bit 15",
- "4608": "Create instance of object type",
- "4609": "Undefined Access (no effect) Bit 1",
- "4610": "Undefined Access (no effect) Bit 2",
- "4611": "Undefined Access (no effect) Bit 3",
- "4612": "Undefined Access (no effect) Bit 4",
- "4613": "Undefined Access (no effect) Bit 5",
- "4614": "Undefined Access (no effect) Bit 6",
- "4615": "Undefined Access (no effect) Bit 7",
- "4616": "Undefined Access (no effect) Bit 8",
- "4617": "Undefined Access (no effect) Bit 9",
- "4618": "Undefined Access (no effect) Bit 10",
- "4619": "Undefined Access (no effect) Bit 11",
- "4620": "Undefined Access (no effect) Bit 12",
- "4621": "Undefined Access (no effect) Bit 13",
- "4622": "Undefined Access (no effect) Bit 14",
- "4623": "Undefined Access (no effect) Bit 15",
- "4864": "Query State",
- "4865": "Modify State",
- "5120": "Channel read message",
- "5121": "Channel write message",
- "5122": "Channel query information",
- "5123": "Channel set information",
- "5124": "Undefined Access (no effect) Bit 4",
- "5125": "Undefined Access (no effect) Bit 5",
- "5126": "Undefined Access (no effect) Bit 6",
- "5127": "Undefined Access (no effect) Bit 7",
- "5128": "Undefined Access (no effect) Bit 8",
- "5129": "Undefined Access (no effect) Bit 9",
- "5130": "Undefined Access (no effect) Bit 10",
- "5131": "Undefined Access (no effect) Bit 11",
- "5132": "Undefined Access (no effect) Bit 12",
- "5133": "Undefined Access (no effect) Bit 13",
- "5134": "Undefined Access (no effect) Bit 14",
- "5135": "Undefined Access (no effect) Bit 15",
- "5136": "Assign process",
- "5137": "Set Attributes",
- "5138": "Query Attributes",
- "5139": "Terminate Job",
- "5140": "Set Security Attributes",
- "5141": "Undefined Access (no effect) Bit 5",
- "5142": "Undefined Access (no effect) Bit 6",
- "5143": "Undefined Access (no effect) Bit 7",
- "5144": "Undefined Access (no effect) Bit 8",
- "5145": "Undefined Access (no effect) Bit 9",
- "5146": "Undefined Access (no effect) Bit 10",
- "5147": "Undefined Access (no effect) Bit 11",
- "5148": "Undefined Access (no effect) Bit 12",
- "5149": "Undefined Access (no effect) Bit 13",
- "5150": "Undefined Access (no effect) Bit 14",
- "5151": "Undefined Access (no effect) Bit 15",
- "5376": "ConnectToServer",
- "5377": "ShutdownServer",
- "5378": "InitializeServer",
- "5379": "CreateDomain",
- "5380": "EnumerateDomains",
- "5381": "LookupDomain",
- "5382": "Undefined Access (no effect) Bit 6",
- "5383": "Undefined Access (no effect) Bit 7",
- "5384": "Undefined Access (no effect) Bit 8",
- "5385": "Undefined Access (no effect) Bit 9",
- "5386": "Undefined Access (no effect) Bit 10",
- "5387": "Undefined Access (no effect) Bit 11",
- "5388": "Undefined Access (no effect) Bit 12",
- "5389": "Undefined Access (no effect) Bit 13",
- "5390": "Undefined Access (no effect) Bit 14",
- "5391": "Undefined Access (no effect) Bit 15",
- "5392": "ReadPasswordParameters",
- "5393": "WritePasswordParameters",
- "5394": "ReadOtherParameters",
- "5395": "WriteOtherParameters",
- "5396": "CreateUser",
- "5397": "CreateGlobalGroup",
- "5398": "CreateLocalGroup",
- "5399": "GetLocalGroupMembership",
- "5400": "ListAccounts",
- "5401": "LookupIDs",
- "5402": "AdministerServer",
- "5403": "Undefined Access (no effect) Bit 11",
- "5404": "Undefined Access (no effect) Bit 12",
- "5405": "Undefined Access (no effect) Bit 13",
- "5406": "Undefined Access (no effect) Bit 14",
- "5407": "Undefined Access (no effect) Bit 15",
- "5408": "ReadInformation",
- "5409": "WriteAccount",
- "5410": "AddMember",
- "5411": "RemoveMember",
- "5412": "ListMembers",
- "5413": "Undefined Access (no effect) Bit 5",
- "5414": "Undefined Access (no effect) Bit 6",
- "5415": "Undefined Access (no effect) Bit 7",
- "5416": "Undefined Access (no effect) Bit 8",
- "5417": "Undefined Access (no effect) Bit 9",
- "5418": "Undefined Access (no effect) Bit 10",
- "5419": "Undefined Access (no effect) Bit 11",
- "5420": "Undefined Access (no effect) Bit 12",
- "5421": "Undefined Access (no effect) Bit 13",
- "5422": "Undefined Access (no effect) Bit 14",
- "5423": "Undefined Access (no effect) Bit 15",
- "5424": "AddMember",
- "5425": "RemoveMember",
- "5426": "ListMembers",
- "5427": "ReadInformation",
- "5428": "WriteAccount",
- "5429": "Undefined Access (no effect) Bit 5",
- "5430": "Undefined Access (no effect) Bit 6",
- "5431": "Undefined Access (no effect) Bit 7",
- "5432": "Undefined Access (no effect) Bit 8",
- "5433": "Undefined Access (no effect) Bit 9",
- "5434": "Undefined Access (no effect) Bit 10",
- "5435": "Undefined Access (no effect) Bit 11",
- "5436": "Undefined Access (no effect) Bit 12",
- "5437": "Undefined Access (no effect) Bit 13",
- "5438": "Undefined Access (no effect) Bit 14",
- "5439": "Undefined Access (no effect) Bit 15",
- "5440": "ReadGeneralInformation",
- "5441": "ReadPreferences",
- "5442": "WritePreferences",
- "5443": "ReadLogon",
- "5444": "ReadAccount",
- "5445": "WriteAccount",
- "5446": "ChangePassword (with knowledge of old password)",
- "5447": "SetPassword (without knowledge of old password)",
- "5448": "ListGroups",
- "5449": "ReadGroupMembership",
- "5450": "ChangeGroupMembership",
- "5451": "Undefined Access (no effect) Bit 11",
- "5452": "Undefined Access (no effect) Bit 12",
- "5453": "Undefined Access (no effect) Bit 13",
- "5454": "Undefined Access (no effect) Bit 14",
- "5455": "Undefined Access (no effect) Bit 15",
- "5632": "View non-sensitive policy information",
- "5633": "View system audit requirements",
- "5634": "Get sensitive policy information",
- "5635": "Modify domain trust relationships",
- "5636": "Create special accounts (for assignment of user rights)",
- "5637": "Create a secret object",
- "5638": "Create a privilege",
- "5639": "Set default quota limits",
- "5640": "Change system audit requirements",
- "5641": "Administer audit log attributes",
- "5642": "Enable/Disable LSA",
- "5643": "Lookup Names/SIDs",
- "5648": "Change secret value",
- "5649": "Query secret value",
- "5650": "Undefined Access (no effect) Bit 2",
- "5651": "Undefined Access (no effect) Bit 3",
- "5652": "Undefined Access (no effect) Bit 4",
- "5653": "Undefined Access (no effect) Bit 5",
- "5654": "Undefined Access (no effect) Bit 6",
- "5655": "Undefined Access (no effect) Bit 7",
- "5656": "Undefined Access (no effect) Bit 8",
- "5657": "Undefined Access (no effect) Bit 9",
- "5658": "Undefined Access (no effect) Bit 10",
- "5659": "Undefined Access (no effect) Bit 11",
- "5660": "Undefined Access (no effect) Bit 12",
- "5661": "Undefined Access (no effect) Bit 13",
- "5662": "Undefined Access (no effect) Bit 14",
- "5663": "Undefined Access (no effect) Bit 15",
- "5664": "Query trusted domain name/SID",
- "5665": "Retrieve the controllers in the trusted domain",
- "5666": "Change the controllers in the trusted domain",
- "5667": "Query the Posix ID offset assigned to the trusted domain",
- "5668": "Change the Posix ID offset assigned to the trusted domain",
- "5669": "Undefined Access (no effect) Bit 5",
- "5670": "Undefined Access (no effect) Bit 6",
- "5671": "Undefined Access (no effect) Bit 7",
- "5672": "Undefined Access (no effect) Bit 8",
- "5673": "Undefined Access (no effect) Bit 9",
- "5674": "Undefined Access (no effect) Bit 10",
- "5675": "Undefined Access (no effect) Bit 11",
- "5676": "Undefined Access (no effect) Bit 12",
- "5677": "Undefined Access (no effect) Bit 13",
- "5678": "Undefined Access (no effect) Bit 14",
- "5679": "Undefined Access (no effect) Bit 15",
- "5680": "Query account information",
- "5681": "Change privileges assigned to account",
- "5682": "Change quotas assigned to account",
- "5683": "Change logon capabilities assigned to account",
- "5684": "Change the Posix ID offset assigned to the accounted domain",
- "5685": "Undefined Access (no effect) Bit 5",
- "5686": "Undefined Access (no effect) Bit 6",
- "5687": "Undefined Access (no effect) Bit 7",
- "5688": "Undefined Access (no effect) Bit 8",
- "5689": "Undefined Access (no effect) Bit 9",
- "5690": "Undefined Access (no effect) Bit 10",
- "5691": "Undefined Access (no effect) Bit 11",
- "5692": "Undefined Access (no effect) Bit 12",
- "5693": "Undefined Access (no effect) Bit 13",
- "5694": "Undefined Access (no effect) Bit 14",
- "5695": "Undefined Access (no effect) Bit 15",
- "5696": "KeyedEvent Wait",
- "5697": "KeyedEvent Wake",
- "5698": "Undefined Access (no effect) Bit 2",
- "5699": "Undefined Access (no effect) Bit 3",
- "5700": "Undefined Access (no effect) Bit 4",
- "5701": "Undefined Access (no effect) Bit 5",
- "5702": "Undefined Access (no effect) Bit 6",
- "5703": "Undefined Access (no effect) Bit 7",
- "5704": "Undefined Access (no effect) Bit 8",
- "5705": "Undefined Access (no effect) Bit 9",
- "5706": "Undefined Access (no effect) Bit 10",
- "5707": "Undefined Access (no effect) Bit 11",
- "5708": "Undefined Access (no effect) Bit 12",
- "5709": "Undefined Access (no effect) Bit 13",
- "5710": "Undefined Access (no effect) Bit 14",
- "5711": "Undefined Access (no effect) Bit 15",
- "6656": "Enumerate desktops",
- "6657": "Read attributes",
- "6658": "Access Clipboard",
- "6659": "Create desktop",
- "6660": "Write attributes",
- "6661": "Access global atoms",
- "6662": "Exit windows",
- "6663": "Unused Access Flag",
- "6664": "Include this windowstation in enumerations",
- "6665": "Read screen",
- "6672": "Read Objects",
- "6673": "Create window",
- "6674": "Create menu",
- "6675": "Hook control",
- "6676": "Journal (record)",
- "6677": "Journal (playback)",
- "6678": "Include this desktop in enumerations",
- "6679": "Write objects",
- "6680": "Switch to this desktop",
- "6912": "Administer print server",
- "6913": "Enumerate printers",
- "6930": "Full Control",
- "6931": "Print",
- "6948": "Administer Document",
- "7168": "Connect to service controller",
- "7169": "Create a new service",
- "7170": "Enumerate services",
- "7171": "Lock service database for exclusive access",
- "7172": "Query service database lock state",
- "7173": "Set last-known-good state of service database",
- "7184": "Query service configuration information",
- "7185": "Set service configuration information",
- "7186": "Query status of service",
- "7187": "Enumerate dependencies of service",
- "7188": "Start the service",
- "7189": "Stop the service",
- "7190": "Pause or continue the service",
- "7191": "Query information from service",
- "7192": "Issue service-specific control commands",
- "7424": "DDE Share Read",
- "7425": "DDE Share Write",
- "7426": "DDE Share Initiate Static",
- "7427": "DDE Share Initiate Link",
- "7428": "DDE Share Request",
- "7429": "DDE Share Advise",
- "7430": "DDE Share Poke",
- "7431": "DDE Share Execute",
- "7432": "DDE Share Add Items",
- "7433": "DDE Share List Items",
- "7680": "Create Child",
- "7681": "Delete Child",
- "7682": "List Contents",
- "7683": "Write Self",
- "7684": "Read Property",
- "7685": "Write Property",
- "7686": "Delete Tree",
- "7687": "List Object",
- "7688": "Control Access",
- "7689": "Undefined Access (no effect) Bit 9",
- "7690": "Undefined Access (no effect) Bit 10",
- "7691": "Undefined Access (no effect) Bit 11",
- "7692": "Undefined Access (no effect) Bit 12",
- "7693": "Undefined Access (no effect) Bit 13",
- "7694": "Undefined Access (no effect) Bit 14",
- "7695": "Undefined Access (no effect) Bit 15",
- "7936": "Audit Set System Policy",
- "7937": "Audit Query System Policy",
- "7938": "Audit Set Per User Policy",
- "7939": "Audit Query Per User Policy",
- "7940": "Audit Enumerate Users",
- "7941": "Audit Set Options",
- "7942": "Audit Query Options",
- "8064": "Port sharing (read)",
- "8065": "Port sharing (write)",
- "8096": "Default credentials",
- "8097": "Credentials manager",
- "8098": "Fresh credentials",
- "8192": "Kerberos",
- "8193": "Preshared key",
- "8194": "Unknown authentication",
- "8195": "DES",
- "8196": "3DES",
- "8197": "MD5",
- "8198": "SHA1",
- "8199": "Local computer",
- "8200": "Remote computer",
- "8201": "No state",
- "8202": "Sent first (SA) payload",
- "8203": "Sent second (KE) payload",
- "8204": "Sent third (ID) payload",
- "8205": "Initiator",
- "8206": "Responder",
- "8207": "No state",
- "8208": "Sent first (SA) payload",
- "8209": "Sent final payload",
- "8210": "Complete",
- "8211": "Unknown",
- "8212": "Transport",
- "8213": "Tunnel",
- "8214": "IKE/AuthIP DoS prevention mode started",
- "8215": "IKE/AuthIP DoS prevention mode stopped",
- "8216": "Enabled",
- "8217": "Not enabled",
- "8218": "No state",
- "8219": "Sent first (EM attributes) payload",
- "8220": "Sent second (SSPI) payload",
- "8221": "Sent third (hash) payload",
- "8222": "IKEv1",
- "8223": "AuthIP",
- "8224": "Anonymous",
- "8225": "NTLM V2",
- "8226": "CGA",
- "8227": "Certificate",
- "8228": "SSL",
- "8229": "None",
- "8230": "DH group 1",
- "8231": "DH group 2",
- "8232": "DH group 14",
- "8233": "DH group ECP 256",
- "8234": "DH group ECP 384",
- "8235": "AES-128",
- "8236": "AES-192",
- "8237": "AES-256",
- "8238": "Certificate ECDSA P256",
- "8239": "Certificate ECDSA P384",
- "8240": "SSL ECDSA P256",
- "8241": "SSL ECDSA P384",
- "8242": "SHA 256",
- "8243": "SHA 384",
- "8244": "IKEv2",
- "8245": "EAP payload sent",
- "8246": "Authentication payload sent",
- "8247": "EAP",
- "8248": "DH group 24",
- "8272": "System",
- "8273": "Logon/Logoff",
- "8274": "Object Access",
- "8275": "Privilege Use",
- "8276": "Detailed Tracking",
- "8277": "Policy Change",
- "8278": "Account Management",
- "8279": "DS Access",
- "8280": "Account Logon",
- "8448": "Success removed",
- "8449": "Success Added",
- "8450": "Failure removed",
- "8451": "Failure Added",
- "8452": "Success include removed",
- "8453": "Success include added",
- "8454": "Success exclude removed",
- "8455": "Success exclude added",
- "8456": "Failure include removed",
- "8457": "Failure include added",
- "8458": "Failure exclude removed",
- "8459": "Failure exclude added",
- "12288": "Security State Change",
- "12289": "Security System Extension",
- "12290": "System Integrity",
- "12291": "IPsec Driver",
- "12292": "Other System Events",
- "12544": "Logon",
- "12545": "Logoff",
- "12546": "Account Lockout",
- "12547": "IPsec Main Mode",
- "12548": "Special Logon",
- "12549": "IPsec Quick Mode",
- "12550": "IPsec Extended Mode",
- "12551": "Other Logon/Logoff Events",
- "12552": "Network Policy Server",
- "12553": "User / Device Claims",
- "12554": "Group Membership",
- "12800": "File System",
- "12801": "Registry",
- "12802": "Kernel Object",
- "12803": "SAM",
- "12804": "Other Object Access Events",
- "12805": "Certification Services",
- "12806": "Application Generated",
- "12807": "Handle Manipulation",
- "12808": "File Share",
- "12809": "Filtering Platform Packet Drop",
- "12810": "Filtering Platform Connection",
- "12811": "Detailed File Share",
- "12812": "Removable Storage",
- "12813": "Central Policy Staging",
- "13056": "Sensitive Privilege Use",
- "13057": "Non Sensitive Privilege Use",
- "13058": "Other Privilege Use Events",
- "13312": "Process Creation",
- "13313": "Process Termination",
- "13314": "DPAPI Activity",
- "13315": "RPC Events",
- "13316": "Plug and Play Events",
- "13317": "Token Right Adjusted Events",
- "13568": "Audit Policy Change",
- "13569": "Authentication Policy Change",
- "13570": "Authorization Policy Change",
- "13571": "MPSSVC Rule-Level Policy Change",
- "13572": "Filtering Platform Policy Change",
- "13573": "Other Policy Change Events",
- "13824": "User Account Management",
- "13825": "Computer Account Management",
- "13826": "Security Group Management",
- "13827": "Distribution Group Management",
- "13828": "Application Group Management",
- "13829": "Other Account Management Events",
- "14080": "Directory Service Access",
- "14081": "Directory Service Changes",
- "14082": "Directory Service Replication",
- "14083": "Detailed Directory Service Replication",
- "14336": "Credential Validation",
- "14337": "Kerberos Service Ticket Operations",
- "14338": "Other Account Logon Events",
- "14339": "Kerberos Authentication Service",
- "14592": "Inbound",
- "14593": "Outbound",
- "14594": "Forward",
- "14595": "Bidirectional",
- "14596": "IP Packet",
- "14597": "Transport",
- "14598": "Forward",
- "14599": "Stream",
- "14600": "Datagram Data",
- "14601": "ICMP Error",
- "14602": "MAC 802.3",
- "14603": "MAC Native",
- "14604": "vSwitch",
- "14608": "Resource Assignment",
- "14609": "Listen",
- "14610": "Receive/Accept",
- "14611": "Connect",
- "14612": "Flow Established",
- "14614": "Resource Release",
- "14615": "Endpoint Closure",
- "14616": "Connect Redirect",
- "14617": "Bind Redirect",
- "14624": "Stream Packet",
- "14640": "ICMP Echo-Request",
- "14641": "vSwitch Ingress",
- "14642": "vSwitch Egress",
- "14672": "",
- "14673": "[NULL]",
- "14674": "Value Added",
- "14675": "Value Deleted",
- "14676": "Active Directory Domain Services",
- "14677": "Active Directory Lightweight Directory Services",
- "14678": "Yes",
- "14679": "No",
- "14680": "Value Added With Expiration Time",
- "14681": "Value Deleted With Expiration Time",
- "14688": "Value Auto Deleted With Expiration Time",
- "16384": "Add",
- "16385": "Delete",
- "16386": "Boot-time",
- "16387": "Persistent",
- "16388": "Not persistent",
- "16389": "Block",
- "16390": "Permit",
- "16391": "Callout",
- "16392": "MD5",
- "16393": "SHA-1",
- "16394": "SHA-256",
- "16395": "AES-GCM 128",
- "16396": "AES-GCM 192",
- "16397": "AES-GCM 256",
- "16398": "DES",
- "16399": "3DES",
- "16400": "AES-128",
- "16401": "AES-192",
- "16402": "AES-256",
- "16403": "Transport",
- "16404": "Tunnel",
- "16405": "Responder",
- "16406": "Initiator",
- "16407": "AES-GMAC 128",
- "16408": "AES-GMAC 192",
- "16409": "AES-GMAC 256",
- "16416": "AuthNoEncap Transport",
- "16896": "Enable WMI Account",
- "16897": "Execute Method",
- "16898": "Full Write",
- "16899": "Partial Write",
- "16900": "Provider Write",
- "16901": "Remote Access",
- "16902": "Subscribe",
- "16903": "Publish",
- };
- // Trust Types
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706
- var trustTypes = {
- "1": "TRUST_TYPE_DOWNLEVEL",
- "2": "TRUST_TYPE_UPLEVEL",
- "3": "TRUST_TYPE_MIT",
- "4": "TRUST_TYPE_DCE"
- }
- // Trust Direction
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706
- var trustDirection = {
- "0": "TRUST_DIRECTION_DISABLED",
- "1": "TRUST_DIRECTION_INBOUND",
- "2": "TRUST_DIRECTION_OUTBOUND",
- "3": "TRUST_DIRECTION_BIDIRECTIONAL"
- }
- // Trust Attributes
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706
- var trustAttributes = {
- "0": "UNDEFINED",
- "1": "TRUST_ATTRIBUTE_NON_TRANSITIVE",
- "2": "TRUST_ATTRIBUTE_UPLEVEL_ONLY",
- "4": "TRUST_ATTRIBUTE_QUARANTINED_DOMAIN",
- "8": "TRUST_ATTRIBUTE_FOREST_TRANSITIVE",
- "16": "TRUST_ATTRIBUTE_CROSS_ORGANIZATION",
- "32": "TRUST_ATTRIBUTE_WITHIN_FOREST",
- "64": "TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL",
- "128": "TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION",
- "512": "TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION",
- "1024": "TRUST_ATTRIBUTE_PIM_TRUST"
- }
- // SDDL Ace Types
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4715
- // https://docs.microsoft.com/en-us/windows/win32/secauthz/ace-strings
- // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/f4296d69-1c0f-491f-9587-a960b292d070
- var aceTypes = {
- "A": "Access Allowed",
- "D": "Access Denied",
- "OA": "Object Access Allowed",
- "OD": "Object Access Denied",
- "AU": "System Audit",
- "AL": "System Alarm",
- "OU": "System Object Audit",
- "OL": "System Object Alarm",
- "ML": "System Mandatory Label",
- "SP": "Central Policy ID"
- }
- // SDDL Permissions
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4715
- // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/f4296d69-1c0f-491f-9587-a960b292d070
- var permissionDescription = {
- "GA": "Generic All",
- "GR": "Generic Read",
- "GW": "Generic Write",
- "GX": "Generic Execute",
- "RC": "Read Permissions",
- "SD": "Delete",
- "WD": "Modify Permissions",
- "WO": "Modify Owner",
- "RP": "Read All Properties",
- "WP": "Write All Properties",
- "CC": "Create All Child Objects",
- "DC": "Delete All Child Objects",
- "LC": "List Contents",
- "SW": "All Validated",
- "LO": "List Object",
- "DT": "Delete Subtree",
- "CR": "All Extended Rights",
- "FA": "File All Access",
- "FR": "File Generic Read",
- "FX": "FILE GENERIC EXECUTE",
- "FW": "FILE GENERIC WRITE",
- "KA": "KEY ALL ACCESS",
- "KR": "KEY READ",
- "KW": "KEY WRITE",
- "KX": "KEY EXECUTE"
- }
- // Known SIDs
- // https://support.microsoft.com/en-au/help/243330/well-known-security-identifier"S-in-window"S-operating-systems
- // https://docs.microsoft.com/en-us/windows/win32/secauthz/sid-strings
- var accountSIDDescription = {
- "AO": "Account operators",
- "RU": "Alias to allow previous Windows 2000",
- "AN": "Anonymous logon",
- "AU": "Authenticated users",
- "BA": "Built-in administrators",
- "BG": "Built-in guests",
- "BO": "Backup operators",
- "BU": "Built-in users",
- "CA": "Certificate server administrators",
- "CG": "Creator group",
- "CO": "Creator owner",
- "DA": "Domain administrators",
- "DC": "Domain computers",
- "DD": "Domain controllers",
- "DG": "Domain guests",
- "DU": "Domain users",
- "EA": "Enterprise administrators",
- "ED": "Enterprise domain controllers",
- "WD": "Everyone",
- "PA": "Group Policy administrators",
- "IU": "Interactively logged-on user",
- "LA": "Local administrator",
- "LG": "Local guest",
- "LS": "Local service account",
- "SY": "Local system",
- "NU": "Network logon user",
- "NO": "Network configuration operators",
- "NS": "Network service account",
- "PO": "Printer operators",
- "PS": "Personal self",
- "PU": "Power users",
- "RS": "RAS servers group",
- "RD": "Terminal server users",
- "RE": "Replicator",
- "RC": "Restricted code",
- "SA": "Schema administrators",
- "SO": "Server operators",
- "SU": "Service logon user",
- "S-1-0": "Null Authority",
- "S-1-0-0": "Nobody",
- "S-1-1": "World Authority",
- "S-1-1-0": "Everyone",
- "S-1-16-0": "Untrusted Mandatory Level",
- "S-1-16-12288": "High Mandatory Level",
- "S-1-16-16384": "System Mandatory Level",
- "S-1-16-20480": "Protected Process Mandatory Level",
- "S-1-16-28672": "Secure Process Mandatory Level",
- "S-1-16-4096": "Low Mandatory Level",
- "S-1-16-8192": "Medium Mandatory Level",
- "S-1-16-8448": "Medium Plus Mandatory Level",
- "S-1-2": "Local Authority",
- "S-1-2-0": "Local",
- "S-1-2-1": "Console Logon",
- "S-1-3": "Creator Authority",
- "S-1-3-0": "Creator Owner",
- "S-1-3-1": "Creator Group",
- "S-1-3-2": "Creator Owner Server",
- "S-1-3-3": "Creator Group Server",
- "S-1-3-4": "Owner Rights",
- "S-1-4": "Non-unique Authority",
- "S-1-5": "NT Authority",
- "S-1-5-1": "Dialup",
- "S-1-5-10": "Principal Self",
- "S-1-5-11": "Authenticated Users",
- "S-1-5-12": "Restricted Code",
- "S-1-5-13": "Terminal Server Users",
- "S-1-5-14": "Remote Interactive Logon",
- "S-1-5-15": "This Organization",
- "S-1-5-17": "This Organization",
- "S-1-5-18": "Local System",
- "S-1-5-19": "NT Authority",
- "S-1-5-2": "Network",
- "S-1-5-20": "NT Authority",
- "S-1-5-3": "Batch",
- "S-1-5-32-544": "Administrators",
- "S-1-5-32-545": "Users",
- "S-1-5-32-546": "Guests",
- "S-1-5-32-547": "Power Users",
- "S-1-5-32-548": "Account Operators",
- "S-1-5-32-549": "Server Operators",
- "S-1-5-32-550": "Print Operators",
- "S-1-5-32-551": "Backup Operators",
- "S-1-5-32-552": "Replicators",
- "S-1-5-32-554": "Builtin\Pre-Windows 2000 Compatible Access",
- "S-1-5-32-555": "Builtin\Remote Desktop Users",
- "S-1-5-32-556": "Builtin\Network Configuration Operators",
- "S-1-5-32-557": "Builtin\Incoming Forest Trust Builders",
- "S-1-5-32-558": "Builtin\Performance Monitor Users",
- "S-1-5-32-559": "Builtin\Performance Log Users",
- "S-1-5-32-560": "Builtin\Windows Authorization Access Group",
- "S-1-5-32-561": "Builtin\Terminal Server License Servers",
- "S-1-5-32-562": "Builtin\Distributed COM Users",
- "S-1-5-32-569": "Builtin\Cryptographic Operators",
- "S-1-5-32-573": "Builtin\Event Log Readers",
- "S-1-5-32-574": "Builtin\Certificate Service DCOM Access",
- "S-1-5-32-575": "Builtin\RDS Remote Access Servers",
- "S-1-5-32-576": "Builtin\RDS Endpoint Servers",
- "S-1-5-32-577": "Builtin\RDS Management Servers",
- "S-1-5-32-578": "Builtin\Hyper-V Administrators",
- "S-1-5-32-579": "Builtin\Access Control Assistance Operators",
- "S-1-5-32-580": "Builtin\Remote Management Users",
- "S-1-5-32-582": "Storage Replica Administrators",
- "S-1-5-4": "Interactive",
- "S-1-5-5-X-Y": "Logon Session",
- "S-1-5-6": "Service",
- "S-1-5-64-10": "NTLM Authentication",
- "S-1-5-64-14": "SChannel Authentication",
- "S-1-5-64-21": "Digest Authentication",
- "S-1-5-7": "Anonymous",
- "S-1-5-8": "Proxy",
- "S-1-5-80": "NT Service",
- "S-1-5-80-0": "All Services",
- "S-1-5-83-0": "NT Virtual Machine\Virtual Machines",
- "S-1-5-9": "Enterprise Domain Controllers",
- "S-1-5-90-0": "Windows Manager\Windows Manager Group"
- }
- // Domain-specific SIDs
- // https://support.microsoft.com/en-au/help/243330/well-known-security-identifiers-in-windows-operating-systems
- var domainSpecificSID = {
- "498": "Enterprise Read-only Domain Controllers",
- "500": "Administrator",
- "501": "Guest",
- "502": "KRBTGT",
- "512": "Domain Admins",
- "513": "Domain Users",
- "514": "Domain Guests",
- "515": "Domain Computers",
- "516": "Domain Controllers",
- "517": "Cert Publishers",
- "518": "Schema Admins",
- "519": "Enterprise Admins",
- "520": "Group Policy Creator Owners",
- "521": "Read-only Domain Controllers",
- "522": "Cloneable Domain Controllers",
- "526": "Key Admins",
- "527": "Enterprise Key Admins",
- "553": "RAS and IAS Servers",
- "571": "Allowed RODC Password Replication Group",
- "572": "Denied RODC Password Replication Group"
- }
- // Object Permission Flags
- // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/7a53f60e-e730-4dfe-bbe9-b21b62eb790b
- var permsFlags = [
- [0x80000000, 'Generic Read'],
- [0x4000000, 'Generic Write'],
- [0x20000000, 'Generic Execute'],
- [0x10000000, 'Generic All'],
- [0x02000000, 'Maximun Allowed'],
- [0x01000000, 'Access System Security'],
- [0x00100000, 'Syncronize'],
- [0x00080000, 'Write Owner'],
- [0x00040000, 'Write DACL'],
- [0x00020000, 'Read Control'],
- [0x00010000, 'Delete']
- ];
- // lookupMessageCode returns the string associated with the code. key should - be the name of the field in evt containing the code (e.g. %%2313).
- var lookupMessageCode = function (evt, key) {
- var code = evt.Get(key);
- if (!code) {
- return;
- }
- code = code.replace("%%", "");
- return msobjsMessageTable[code];
- };
- var addEventFields = function(evt){
- var code = evt.Get("event.code");
- if (!code) {
- return;
- }
- var eventActionDescription = eventActionTypes[code][2];
- if (eventActionDescription) {
- evt.AppendTo("event.category", eventActionTypes[code][0]);
- evt.AppendTo("event.type", eventActionTypes[code][1]);
- evt.Put("event.action", eventActionTypes[code][2]);
- }
- };
- var addLogonType = function(evt) {
- var code = evt.Get("winlog.event_data.LogonType");
- if (!code) {
- return;
- }
- var descriptiveLogonType = logonTypes[code];
- if (descriptiveLogonType === undefined) {
- return;
- }
- evt.Put("winlog.logon.type", descriptiveLogonType);
- };
- var addFailureCode = function(evt) {
- var msg = lookupMessageCode(evt, "winlog.event_data.FailureReason");
- if (!msg) {
- return;
- }
- evt.Put("winlog.logon.failure.reason", msg);
- };
- var addFailureStatus = function(evt) {
- var code = evt.Get("winlog.event_data.Status");
- if (!code) {
- return;
- }
- var descriptiveFailureStatus = logonFailureStatus[code];
- if (descriptiveFailureStatus === undefined) {
- return;
- }
- evt.Put("winlog.logon.failure.status", descriptiveFailureStatus);
- };
- var addFailureSubStatus = function(evt) {
- var code = evt.Get("winlog.event_data.SubStatus");
- if (!code) {
- return;
- }
- var descriptiveFailureStatus = logonFailureStatus[code];
- if (descriptiveFailureStatus === undefined) {
- return;
- }
- evt.Put("winlog.logon.failure.sub_status", descriptiveFailureStatus);
- };
- var addUACDescription = function(evt) {
- var code = evt.Get("winlog.event_data.NewUacValue");
- if (!code) {
- return;
- }
- var uacCode = parseInt(code);
- var uacResult = [];
- for (var i = 0; i < uacFlags.length; i++) {
- if ((uacCode | uacFlags[i][0]) === uacCode) {
- uacResult.push(uacFlags[i][1]);
- }
- }
- if (uacResult) {
- evt.Put("winlog.event_data.NewUACList", uacResult);
- }
- var uacList = evt.Get("winlog.event_data.UserAccountControl").replace(/\s/g, '').split("%%").filter(String);
- if (!uacList) {
- return;
- }
- evt.Put("winlog.event_data.UserAccountControl", uacList);
- };
- var addAuditInfo = function(evt) {
- var subcategoryGuid = evt.Get("winlog.event_data.SubcategoryGuid").replace("{", '').replace("}", '').toUpperCase();
- if (!subcategoryGuid) {
- return;
- }
- if (!auditDescription[subcategoryGuid]) {
- return;
- }
- evt.Put("winlog.event_data.Category", auditDescription[subcategoryGuid][1]);
- evt.Put("winlog.event_data.SubCategory", auditDescription[subcategoryGuid][0]);
- var codedActions = evt.Get("winlog.event_data.AuditPolicyChanges").split(",");
- var actionResults = [];
- for (var j = 0; j < codedActions.length; j++) {
- var actionCode = codedActions[j].replace("%%", '').replace(' ', '');
- actionResults.push(msobjsMessageTable[actionCode]);
- }
- evt.Put("winlog.event_data.AuditPolicyChangesDescription", actionResults);
- };
- var addTicketOptionsDescription = function(evt) {
- var code = evt.Get("winlog.event_data.TicketOptions");
- if (!code) {
- return;
- }
- var tktCode = parseInt(code, 16).toString(2);
- var tktResult = [];
- var tktCodeLen = tktCode.length;
- for (var i = tktCodeLen; i >= 0; i--) {
- if (tktCode[i] == 1) {
- tktResult.push(ticketOptions[(32-tktCodeLen)+i]);
- }
- }
- if (tktResult) {
- evt.Put("winlog.event_data.TicketOptionsDescription", tktResult);
- }
- };
- var addTicketEncryptionType = function(evt) {
- var code = evt.Get("winlog.event_data.TicketEncryptionType");
- if (!code) {
- return;
- }
- var encTypeCode = code.toLowerCase();
- evt.Put("winlog.event_data.TicketEncryptionTypeDescription", ticketEncryptionTypes[encTypeCode]);
- };
- var addTicketStatus = function(evt) {
- var code = evt.Get("winlog.event_data.Status");
- if (!code) {
- return;
- }
- evt.Put("winlog.event_data.StatusDescription", kerberosTktStatusCodes[code]);
- };
- var translateSID = function(sid){
- var translatedSID = accountSIDDescription[sid];
- if (translatedSID == undefined) {
- if (/^S\-1\-5\-21/.test(sid)) {
- var uid = sid.match(/[0-9]{1,5}$/g);
- if (uid) {
- translatedSID = domainSpecificSID[uid];
- }
- }
- }
- if (translatedSID == undefined) {
- translatedSID = sid;
- }
- return translatedSID;
- }
- var translatePermissionMask = function(mask) {
- if (!mask) {
- return;
- }
- var permCode = parseInt(mask);
- var permResult = [];
- for (var i = 0; i < permsFlags.length; i++) {
- if ((permCode | permsFlags[i][0]) === permCode) {
- permResult.push(permsFlags[i][1]);
- }
- }
- if (permResult) {
- return permResult;
- } else {
- return mask;
- }
- };
- var translateACL = function(dacl) {
- var aceArray = dacl.split(";");
- var aceResult = [];
- var aceType = aceArray[0];
- var acePerm = aceArray[2];
- var aceTrustedSid = aceArray[5];
- if (aceTrustedSid) {
- aceResult['grantee'] = translateSID(aceTrustedSid);
- }
- if (aceType) {
- aceResult['type'] = aceTypes[aceType];
- }
- if (acePerm) {
- if (/^0x/.test(acePerm)) {
- var perms = translatePermissionMask(acePerm);
- }
- else {
- var perms = []
- var permPairs = acePerm.match(/.{1,2}/g);
- for ( var i = 0; i < permPairs.length; i ++) {
- perms.push(permissionDescription[permPairs[i]])
- }
- }
- aceResult['perms'] = perms;
- }
- return aceResult;
- };
- var enrichSDDL = function(evt, sddl) {
- var sddlStr = evt.Get(sddl);
- if (!sddlStr) {
- return;
- }
- var sdOwner = sddlStr.match(/^O\:[A-Z]{2}/g);
- var sdGroup = sddlStr.match(/^G\:[A-Z]{2}/g);
- var sdDacl = sddlStr.match(/(D:([A-Z]*(\(.*\))*))/g);
- var sdSacl = sddlStr.match(/(S:([A-Z]*(\(.*\))*))?$/g);
- if (sdOwner) {
- evt.Put(sddl+"Owner", translateSID(sdOwner));
- }
- if (sdGroup) {
- evt.Put(sddl+"Group", translateSID(sdGroup));
- }
- if (sdDacl) {
- // Split each entry of the DACL
- var daclList = (sdDacl[0]).match(/\([^*\)]*\)/g);
- if (daclList) {
- for (var i = 0; i < daclList.length; i++) {
- var newDacl = translateACL(daclList[i].replace("(", '').replace(")", ''));
- evt.Put(sddl+"Dacl"+i, newDacl['grantee']+" :"+newDacl['type']+" ("+newDacl['perms']+")");
- if ( newDacl['grantee'] === "Administrator" || newDacl['grantee'] === "Guest" || newDacl['grantee'] === "KRBTGT" ) {
- evt.AppendTo('related.user', newDacl['grantee']);
- }
- }
- }
- }
- if (sdSacl) {
- // Split each entry of the SACL
- var saclList = (sdSacl[0]).match(/\([^*\)]*\)/g);
- if (saclList) {
- for (var i = 0; i < saclList.length; i++) {
- var newSacl = translateACL(saclList[i].replace("(", '').replace(")", ''));
- evt.Put(sddl+"Sacl"+i, newSacl['grantee']+" :"+newSacl['type']+" ("+newSacl['perms']+")");
- if ( newSacl['grantee'] === "Administrator" || newSacl['grantee'] === "Guest" || newSacl['grantee'] === "KRBTGT" ) {
- evt.AppendTo('related.user', newSacl['grantee']);
- }
- }
- }
- }
- };
-
- var addSessionData = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.AccountName", to: "user.name"},
- {from: "winlog.event_data.AccountDomain", to: "user.domain"},
- {from: "winlog.event_data.ClientAddress", to: "source.ip", type: "ip"},
- {from: "winlog.event_data.ClientAddress", to: "related.ip", type: "ip"},
- {from: "winlog.event_data.ClientName", to: "source.domain"},
- {from: "winlog.event_data.LogonID", to: "winlog.logon.id"},
- ],
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(function(evt) {
- var user = evt.Get("winlog.event_data.AccountName");
- evt.AppendTo('related.user', user);
- })
- .Build();
- var addServiceFields = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.ServiceName", to: "service.name"},
- ],
- ignore_missing: true,
- })
- .Add(function(evt) {
- var code = evt.Get("winlog.event_data.ServiceType");
- if (!code) {
- return;
- }
- evt.Put("service.type", serviceTypes[code]);
- })
- .Build();
- var addTrustInformation = new processor.Chain()
- .Add(function(evt) {
- var code = evt.Get("winlog.event_data.TdoType");
- if (!code) {
- return;
- }
- evt.Put("winlog.trustType", trustTypes[code]);
- code = evt.Get("winlog.event_data.TdoDirection");
- if (!code) {
- return;
- }
- evt.Put("winlog.trustDirection", trustDirection[code]);
- code = evt.Get("winlog.event_data.TdoAttributes");
- if (!code) {
- return;
- }
- evt.Put("winlog.trustAttribute", trustAttributes[code]);
-
- })
- .Build();
-
- var copyTargetUser = function(evt) {
- var targetUserId = evt.Get("winlog.event_data.TargetUserSid");
- if (targetUserId) {
- if (evt.Get("user.id")) evt.Put("user.target.id", targetUserId);
- else evt.Put("user.id", targetUserId);
- }
-
- var targetUserName = evt.Get("winlog.event_data.TargetUserName");
- if (targetUserName) {
- if (/.@*/.test(targetUserName)) {
- targetUserName = targetUserName.split('@')[0];
- }
-
- evt.AppendTo("related.user", targetUserName);
- if (evt.Get("user.name")) evt.Put("user.target.name", targetUserName);
- else evt.Put("user.name", targetUserName);
- }
-
- var targetUserDomain = evt.Get("winlog.event_data.TargetDomainName");
- if (targetUserDomain) {
- if (evt.Get("user.domain")) evt.Put("user.target.domain", targetUserDomain);
- else evt.Put("user.domain", targetUserDomain);
- }
- }
-
- var copyMemberToUser = function(evt) {
- var member = evt.Get("winlog.event_data.MemberName");
- if (!member) {
- return;
- }
-
- var userName = member.split(',')[0].replace('CN=', '').replace('cn=', '');
-
- evt.AppendTo("related.user", userName);
- evt.Put("user.target.name", userName);
- }
-
- var copyTargetUserToGroup = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.TargetUserSid", to: "group.id"},
- {from: "winlog.event_data.TargetSid", to: "group.id"},
- {from: "winlog.event_data.TargetUserName", to: "group.name"},
- {from: "winlog.event_data.TargetDomainName", to: "group.domain"},
- ],
- ignore_missing: true,
- }).Add(function(evt) {
- if (!evt.Get("user.target")) return;
- evt.Put("user.target.group.id", evt.Get("group.id"));
- evt.Put("user.target.group.name", evt.Get("group.name"));
- evt.Put("user.target.group.domain", evt.Get("group.domain"));
- })
- .Build();
- var copyTargetUserToComputerObject = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.TargetSid", to: "winlog.computerObject.id"},
- {from: "winlog.event_data.TargetUserName", to: "winlog.computerObject.name"},
- {from: "winlog.event_data.TargetDomainName", to: "winlog.computerObject.domain"},
- ],
- ignore_missing: true,
- })
- .Build();
- var copyTargetUserLogonId = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.TargetLogonId", to: "winlog.logon.id"},
- ],
- ignore_missing: true,
- })
- .Build();
- var copySubjectUser = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.SubjectUserSid", to: "user.id"},
- {from: "winlog.event_data.SubjectUserName", to: "user.name"},
- {from: "winlog.event_data.SubjectDomainName", to: "user.domain"},
- ],
- ignore_missing: true,
- })
- .Add(function(evt) {
- var user = evt.Get("winlog.event_data.SubjectUserName");
- evt.AppendTo('related.user', user);
- })
- .Build();
- var copySubjectUserFromUserData = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.user_data.SubjectUserSid", to: "user.id"},
- {from: "winlog.user_data.SubjectUserName", to: "user.name"},
- {from: "winlog.user_data.SubjectDomainName", to: "user.domain"},
- ],
- ignore_missing: true,
- })
- .Add(function(evt) {
- var user = evt.Get("winlog.user_data.SubjectUserName");
- evt.AppendTo('related.user', user);
- })
- .Build();
- var copySubjectUserLogonId = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.SubjectLogonId", to: "winlog.logon.id"},
- ],
- ignore_missing: true,
- })
- .Build();
- var copySubjectUserLogonIdFromUserData = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.user_data.SubjectLogonId", to: "winlog.logon.id"},
- ],
- ignore_missing: true,
- })
- .Build();
- var renameCommonAuthFields = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"},
- {from: "winlog.event_data.ProcessName", to: "process.executable"},
- {from: "winlog.event_data.IpAddress", to: "source.ip", type: "ip"},
- {from: "winlog.event_data.ClientAddress", to: "related.ip", type: "ip"},
- {from: "winlog.event_data.IpPort", to: "source.port", type: "long"},
- {from: "winlog.event_data.WorkstationName", to: "source.domain"},
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(function(evt) {
- var name = evt.Get("process.name");
- if (name) {
- return;
- }
- var exe = evt.Get("process.executable");
- if (!exe) {
- return;
- }
- evt.Put("process.name", path.basename(exe));
- })
- .Build();
- var renameNewProcessFields = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.NewProcessId", to: "process.pid", type: "long"},
- {from: "winlog.event_data.NewProcessName", to: "process.executable"},
- {from: "winlog.event_data.ParentProcessName", to: "process.parent.executable"}
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(function(evt) {
- var name = evt.Get("process.name");
- if (name) {
- return;
- }
- var exe = evt.Get("process.executable");
- if (!exe) {
- return;
- }
- evt.Put("process.name", path.basename(exe));
- })
- .Add(function(evt) {
- var name = evt.Get("process.parent.name");
- if (name) {
- return;
- }
- var exe = evt.Get("process.parent.executable");
- if (!exe) {
- return;
- }
- evt.Put("process.parent.name", path.basename(exe));
- })
- .Add(function(evt) {
- var cl = evt.Get("winlog.event_data.CommandLine");
- if (!cl) {
- return;
- }
- evt.Put("process.args", windows.splitCommandLine(cl));
- evt.Put("process.command_line", cl);
- })
- .Build();
- // Handles 4634 and 4647.
- var logoff = new processor.Chain() - .Add(copyTargetUser) - .Add(copyTargetUserLogonId) - .Add(addLogonType) - .Add(addEventFields) - .Build(); - // Handles both 4624 - var logonSuccess = new processor.Chain() - .Add(copyTargetUser) - .Add(copyTargetUserLogonId) - .Add(addLogonType) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.SubjectUserName"); - if (user) { - var res = /^-$/.test(user); - if (!res) { - evt.AppendTo('related.user', user); - } - } - }) - .Build(); - // Handles both 4648 - var event4648 = new processor.Chain() - .Add(copyTargetUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.SubjectUserName"); - if (user) { - var res = /^-$/.test(user); - if (!res) { - evt.AppendTo('related.user', user); - } - } - }) - .Build(); - var event4625 = new processor.Chain() - .Add(copyTargetUser) - .Add(copySubjectUserLogonId) - .Add(addLogonType) - .Add(addFailureCode) - .Add(addFailureStatus) - .Add(addFailureSubStatus) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Build(); - var event4672 = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(function(evt) { - var privs = evt.Get("winlog.event_data.PrivilegeList"); - if (!privs) { - return; - } - evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/)); - }) - .Add(addEventFields) - .Build(); - var event4688 = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameNewProcessFields) - .Add(addEventFields) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.TargetUserName"); - if (user) { - var res = /^-$/.test(user); - if (!res) { - evt.AppendTo('related.user', user); - } - } - }) - .Build(); - var event4689 = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Build(); - 
var event4697 = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addServiceFields) - .Add(addEventFields) - .Build(); - var userMgmtEvts = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addUACDescription) - .Add(addEventFields) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.TargetUserName"); - evt.AppendTo('related.user', user); - }) - .Build(); - var userRenamed = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(addEventFields) - .Add(function(evt) { - var userNew = evt.Get("winlog.event_data.NewTargetUserName"); - evt.AppendTo('related.user', userNew); - var userOld = evt.Get("winlog.event_data.OldTargetUserName"); - evt.AppendTo('related.user', userOld); - }) - .Build(); - var groupMgmtEvts = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(copyMemberToUser) - .Add(copyTargetUserToGroup) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Build(); - var auditLogCleared = new processor.Chain() - .Add(copySubjectUserFromUserData) - .Add(copySubjectUserLogonIdFromUserData) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Build(); - var auditChanged = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addAuditInfo) - .Add(addEventFields) - .Build(); - var auditLogMgmt = new processor.Chain() - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Build(); - var computerMgmtEvts = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(copyTargetUserToComputerObject) - .Add(renameCommonAuthFields) - .Add(addUACDescription) - .Add(addEventFields) - .Add(function(evt) { - var privs = evt.Get("winlog.event_data.PrivilegeList"); - if (!privs) { - return; - } - evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/)); - }) - .Build(); - var 
sessionEvts = new processor.Chain() - .Add(addSessionData) - .Add(addEventFields) - .Build(); - var event4964 = new processor.Chain() - .Add(copyTargetUser) - .Add(copyTargetUserLogonId) - .Add(addEventFields) - .Build(); - var kerberosTktEvts = new processor.Chain() - .Add(copyTargetUser) - .Add(renameCommonAuthFields) - .Add(addTicketOptionsDescription) - .Add(addTicketEncryptionType) - .Add(addTicketStatus) - .Add(addEventFields) - .Add(function(evt) { - var ip = evt.Get("source.ip"); - if (ip) { - if (/::ffff:/.test(ip)) { - evt.Put("source.ip", ip.replace("::ffff:", "")); - evt.AppendTo("related.ip", ip.replace("::ffff:", "")); - } - } - }) - .Build(); - var event4776 = new processor.Chain() - .Add(copyTargetUser) - .Add(addFailureStatus) - .Add(addEventFields) - .Build(); - var scheduledTask = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(addEventFields) - .Build(); - var sensitivePrivilege = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Add(function(evt) { - var privs = evt.Get("winlog.event_data.PrivilegeList"); - if (!privs) { - return; - } - evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/)); - }) - .Add(function(evt){ - var maskCodes = evt.Get("winlog.event_data.AccessMask"); - if (!maskCodes) { - return; - } - var maskList = maskCodes.replace(/\s+/g, '').split("%%").filter(String); - evt.Put("winlog.event_data.AccessMask", maskList); - var maskResults = []; - for (var j = 0; j < maskList.length; j++) { - var description = msobjsMessageTable[maskList[j]]; - if (description === undefined) { - return; - } - maskResults.push(description); - } - evt.Put("winlog.event_data.AccessMaskDescription", maskResults); - }) - .Build(); - - var trustDomainMgmtEvts = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(addEventFields) - .Add(addTrustInformation) - .Build(); - - var policyChange = new 
processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(addEventFields) - .Build(); - - var objectPolicyChange = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Add(function(evt) { - var oldSd = evt.Get("winlog.event_data.OldSd"); - var newSd = evt.Get("winlog.event_data.NewSd"); - if (oldSd) { - enrichSDDL(evt, "winlog.event_data.OldSd"); - } - if (newSd) { - enrichSDDL(evt, "winlog.event_data.NewSd"); - } - }) - .Build(); - - var genericAuditChange = new processor.Chain() - .Add(addEventFields) - .Build(); - - var event4908 = new processor.Chain() - .Add(addEventFields) - .Add(function(evt) { - var sids = evt.Get("winlog.event_data.SidList"); - if (!sids) { - return; - } - var sidList = sids.split(/\s+/); - evt.Put("winlog.event_data.SidList", sids.split(/\s+/)); - var sidListDesc = []; - for (var i = 0; i < sidList.length; i++) { - var sidTemp = sidList[i].replace("%", "").replace("{", "").replace("}", "").replace(" ",""); - if (sidTemp) { - sidListDesc.push(translateSID(sidTemp)); - } - } - evt.Put("winlog.event_data.SidListDesc", sidListDesc); - }) - .Build(); - - var securityEventSource = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Build(); - - return { - // 1100 - The event logging service has shut down. - 1100: auditLogMgmt.Run, - // 1102 - The audit log was cleared. - 1102: auditLogCleared.Run, - // 1104 - The security log is now full. - 1104: auditLogMgmt.Run, - // 1105 - Event log automatic backup. - 1105: auditLogMgmt.Run, - // 1108 - The event logging service encountered an error while processing an incoming event published from %1 - 1108: auditLogMgmt.Run, - // 4624 - An account was successfully logged on. - 4624: logonSuccess.Run, - // 4625 - An account failed to log on. - 4625: event4625.Run, - // 4634 - An account was logged off. 
- 4634: logoff.Run, - // 4647 - User initiated logoff. - 4647: logoff.Run, - // 4648 - A logon was attempted using explicit credentials. - 4648: event4648.Run, - // 4670 - Permissions on an object were changed. - 4670: objectPolicyChange.Run, - // 4672 - Special privileges assigned to new logon. - 4672: event4672.Run, - // 4673 - A privileged service was called. - 4673: sensitivePrivilege.Run, - // 4674 - An operation was attempted on a privileged object. - 4674: sensitivePrivilege.Run, - // 4688 - A new process has been created. - 4688: event4688.Run, - // 4689 - A process has exited. - 4689: event4689.Run, - // 4697 - A service was installed in the system. - 4697: event4697.Run, - // 4698 - A scheduled task was created. - 4698: scheduledTask.Run, - // 4699 - A scheduled task was deleted. - 4699: scheduledTask.Run, - // 4700 - A scheduled task was enabled. - 4700: scheduledTask.Run, - // 4701 - A scheduled task was disabled. - 4701: scheduledTask.Run, - // 4702 - A scheduled task was updated. - 4702: scheduledTask.Run, - // 4706 - A new trust was created to a domain. - 4706: trustDomainMgmtEvts.Run, - // 4707 - A trust to a domain was removed. - 4707: trustDomainMgmtEvts.Run, - // 4713 - Kerberos policy was changed. - 4713: policyChange.Run, - // 4716 - Trusted domain information was modified. - 4716: trustDomainMgmtEvts.Run, - // 4717 - System security access was granted to an account. - 4717: policyChange.Run, - // 4718 - System security access was removed from an account. - 4718: policyChange.Run, - // 4719 - System audit policy was changed. - 4719: auditChanged.Run, - // 4720 - A user account was created - 4720: userMgmtEvts.Run, - // 4722 - A user account was enabled - 4722: userMgmtEvts.Run, - // 4723 - An attempt was made to change an account's password - 4723: userMgmtEvts.Run, - // 4724 - An attempt was made to reset an account's password - 4724: userMgmtEvts.Run, - // 4725 - A user account was disabled. 
- 4725: userMgmtEvts.Run, - // 4726 - An user account was deleted. - 4726: userMgmtEvts.Run, - // 4727 - A security-enabled global group was created. - 4727: groupMgmtEvts.Run, - // 4728 - A member was added to a security-enabled global group. - 4728: groupMgmtEvts.Run, - // 4729 - A member was removed from a security-enabled global group. - 4729: groupMgmtEvts.Run, - // 4730 - A security-enabled global group was deleted. - 4730: groupMgmtEvts.Run, - // 4731 - A security-enabled local group was created. - 4731: groupMgmtEvts.Run, - // 4732 - A member was added to a security-enabled local group. - 4732: groupMgmtEvts.Run, - // 4733 - A member was removed from a security-enabled local group. - 4733: groupMgmtEvts.Run, - // 4734 - A security-enabled local group was deleted. - 4734: groupMgmtEvts.Run, - // 4735 - A security-enabled local group was changed. - 4735: groupMgmtEvts.Run, - // 4737 - A security-enabled global group was changed. - 4737: groupMgmtEvts.Run, - // 4739 - A security-enabled global group was changed. - 4739: policyChange.Run, - // 4738 - An user account was changed. - 4738: userMgmtEvts.Run, - // 4740 - An account was locked out - 4740: userMgmtEvts.Run, - // 4741 - A computer account was created. - 4741: computerMgmtEvts.Run, - // 4742 - A computer account was changed. - 4742: computerMgmtEvts.Run, - // 4743 - A computer account was deleted. - 4743: computerMgmtEvts.Run, - // 4744 - A security-disabled local group was created. - 4744: groupMgmtEvts.Run, - // 4745 - A security-disabled local group was changed. - 4745: groupMgmtEvts.Run, - // 4746 - A member was added to a security-disabled local group. - 4746: groupMgmtEvts.Run, - // 4747 - A member was removed from a security-disabled local group. - 4747: groupMgmtEvts.Run, - // 4748 - A security-disabled local group was deleted. - 4748: groupMgmtEvts.Run, - // 4749 - A security-disabled global group was created. - 4749: groupMgmtEvts.Run, - // 4750 - A security-disabled global group was changed. 
- 4750: groupMgmtEvts.Run, - // 4751 - A member was added to a security-disabled global group. - 4751: groupMgmtEvts.Run, - // 4752 - A member was removed from a security-disabled global group. - 4752: groupMgmtEvts.Run, - // 4753 - A security-disabled global group was deleted. - 4753: groupMgmtEvts.Run, - // 4754 - A security-enabled universal group was created. - 4754: groupMgmtEvts.Run, - // 4755 - A security-enabled universal group was changed. - 4755: groupMgmtEvts.Run, - // 4756 - A member was added to a security-enabled universal group. - 4756: groupMgmtEvts.Run, - // 4757 - A member was removed from a security-enabled universal group. - 4757: groupMgmtEvts.Run, - // 4758 - A security-enabled universal group was deleted. - 4758: groupMgmtEvts.Run, - // 4759 - A security-disabled universal group was created. - 4759: groupMgmtEvts.Run, - // 4760 - A security-disabled universal group was changed. - 4760: groupMgmtEvts.Run, - // 4761 - A member was added to a security-disabled universal group. - 4761: groupMgmtEvts.Run, - // 4762 - A member was removed from a security-disabled universal group. - 4762: groupMgmtEvts.Run, - // 4763 - A security-disabled global group was deleted. - 4763: groupMgmtEvts.Run, - // 4764 - A group\'s type was changed. - 4764: groupMgmtEvts.Run, - // 4767 - A user account was unlocked. - 4767: userMgmtEvts.Run, - // 4768 - A Kerberos authentication ticket TGT was requested. - 4768: kerberosTktEvts.Run, - // 4769 - A Kerberos service ticket was requested. - 4769: kerberosTktEvts.Run, - // 4770 - A Kerberos service ticket was renewed. - 4770: kerberosTktEvts.Run, - // 4771 - Kerberos pre-authentication failed. - 4771: kerberosTktEvts.Run, - // 4776 - The computer attempted to validate the credentials for an account. - 4776: event4776.Run, - // 4778 - A session was reconnected to a Window Station. - 4778: sessionEvts.Run, - // 4779 - A session was disconnected from a Window Station. 
- 4779: sessionEvts.Run, - // 4781 - The name of an account was changed. - 4781: userRenamed.Run, - // 4798 - A user's local group membership was enumerated. - 4798: userMgmtEvts.Run, - // 4799 - A security-enabled local group membership was enumerated. - 4799: groupMgmtEvts.Run, - // 4817 - Auditing settings on object were changed. - 4817: objectPolicyChange.Run, - // 4902 - The Per-user audit policy table was created. - 4902: genericAuditChange.Run, - // 4904 - An attempt was made to register a security event source. - 4904: securityEventSource.Run, - // 4905 - An attempt was made to unregister a security event source. - 4905: securityEventSource.Run, - // 4906 - The CrashOnAuditFail value has changed. - 4906: genericAuditChange.Run, - // 4907 - Auditing settings on object were changed. - 4907: objectPolicyChange.Run, - // 4908 - Special Groups Logon table modified. - 4908: event4908.Run, - // 4912 - Per User Audit Policy was changed. - 4912: auditChanged.Run, - // 4964 - Special groups have been assigned to a new logon. - 4964: event4964.Run, - process: function(evt) { - var eventId = evt.Get("winlog.event_id"); - var processor = this[eventId]; - if (processor === undefined) { - return; - } - evt.Put("event.module", "security"); - processor(evt); - }, - }; - })(); - function process(evt) { - return security.process(evt); - } \ No newline at end of file diff --git a/packages/system/0.11.2/data_stream/security/elasticsearch/ingest_pipeline/default.yml b/packages/system/0.11.2/data_stream/security/elasticsearch/ingest_pipeline/default.yml deleted file mode 100644 index 7675142444..0000000000 --- a/packages/system/0.11.2/data_stream/security/elasticsearch/ingest_pipeline/default.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -description: Pipeline for Windows Security events -processors: - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' -on_failure: - - set: - field: "error.message" - value: "{{ _ingest.on_failure_message }}" 
diff --git a/packages/system/0.11.2/data_stream/security/fields/agent.yml b/packages/system/0.11.2/data_stream/security/fields/agent.yml
deleted file mode 100644
index da4e652c53..0000000000
--- a/packages/system/0.11.2/data_stream/security/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.11.2/data_stream/security/fields/base-fields.yml b/packages/system/0.11.2/data_stream/security/fields/base-fields.yml
deleted file mode 100644
index a9a65458fc..0000000000
--- a/packages/system/0.11.2/data_stream/security/fields/base-fields.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset name.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: dataset.type
- type: constant_keyword
- description: Dataset type.
-- name: dataset.name
- type: constant_keyword
- description: Dataset name.
-- name: dataset.namespace
- type: constant_keyword
- description: Dataset namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.11.2/data_stream/security/fields/ecs.yml b/packages/system/0.11.2/data_stream/security/fields/ecs.yml
deleted file mode 100644
index 2904a66ee3..0000000000
--- a/packages/system/0.11.2/data_stream/security/fields/ecs.yml
+++ /dev/null
@@ -1,244 +0,0 @@ -- name: event - title: Event - type: group - fields: - - name: action - type: keyword - ignore_above: 1024 - description: 'The action captured by the event.' - - name: category - type: keyword - ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.' - - name: code - type: keyword - ignore_above: 1024 - description: 'Identification code for this event, if one exists.' - - name: created - type: date - description: 'event.created contains the date/time when the event was first read by an agent, or by your pipeline.' - - name: ingested - type: date - description: 'Timestamp when an event arrived in the central data store.' - default_field: false - - name: kind - type: keyword - ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.' - - name: module - type: keyword - ignore_above: 1024 - description: 'Name of the module this data is coming from.' - - name: outcome - type: keyword - ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.' - - name: provider - type: keyword - ignore_above: 1024 - description: 'Source of the event.' - - name: sequence - type: long - format: string - description: 'Sequence number of the event.' - - name: type - type: keyword - ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.' -- name: host - title: Host - type: group - fields: - - name: name - type: keyword - ignore_above: 1024 - description: 'Name of the host.' -- name: log - title: Log - type: group - fields: - - name: level - type: keyword - ignore_above: 1024 - description: 'Original log level of the log event.' 
-- name: process - title: Process - type: group - fields: - - name: args - type: keyword - ignore_above: 1024 - description: 'Array of process arguments, starting with the absolute path to the executable.' - - name: args_count - type: long - description: 'Length of the process.args array.' - default_field: false - - name: command_line - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: 'Full command line that started the process, including the absolute path to the executable, and all arguments.' - default_field: false - - name: entity_id - type: keyword - ignore_above: 1024 - description: 'Unique identifier for the process.' - default_field: false - - name: executable - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Absolute path to the process executable. - - name: name - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: 'Process name.' - example: ssh - - name: title - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: 'Process title.' - - name: pid - type: long - description: Process PID. - - name: parent.executable - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Absolute path to the process executable. - default_field: false - - name: parent.name - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: 'Process name.' - default_field: false -- name: user - title: User - type: group - fields: - - name: domain - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of.' - - name: id - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. 
- - name: name - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Short name or login of the user. - - name: target.group.domain - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of.' - default_field: false - - name: target.group.id - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: target.group.name - type: keyword - ignore_above: 1024 - description: Name of the group. - - name: target.name - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Short name or login of the user. - default_field: false -- name: group - title: Group - type: group - fields: - - name: domain - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of.' - - name: id - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - - name: name - type: keyword - ignore_above: 1024 - description: Name of the group. -- name: service - title: Service - type: group - fields: - - name: name - type: keyword - ignore_above: 1024 - description: 'Name of the service data is collected from.' - - name: type - type: keyword - ignore_above: 1024 - description: 'The type of the service data is collected from.' -- name: source - title: Source - type: group - fields: - - name: domain - level: core - type: keyword - ignore_above: 1024 - description: Source domain. - - name: ip - type: ip - description: IP address of the source (IPv4 or IPv6). - - name: port - type: long - format: string - description: Port of the source. 
-- name: related
- title: Related
- type: group
- fields:
- - name: hash
- type: keyword
- ignore_above: 1024
- default_field: false
- - name: hosts
- type: keyword
- ignore_above: 1024
- default_field: false
- - name: ip
- type: ip
- - name: user
- type: keyword
- ignore_above: 1024
- default_field: false
diff --git a/packages/system/0.11.2/data_stream/security/fields/fields.yml b/packages/system/0.11.2/data_stream/security/fields/fields.yml
deleted file mode 100644
index 48deb4f52a..0000000000
--- a/packages/system/0.11.2/data_stream/security/fields/fields.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-- name: winlog.logon
- type: group
- description: Data related to a Windows logon.
- fields:
- - name: type
- type: keyword
- description: >
- Logon type name. This is the descriptive version of the `winlog.event_data.LogonType` ordinal. This is an enrichment added by the Security module.
-
- example: RemoteInteractive
- - name: id
- type: keyword
- description: >
- Logon ID that can be used to associate this logon with other events related to the same logon session.
-
- - name: failure.reason
- type: keyword
- description: >
- The reason the logon failed.
-
- - name: failure.status
- type: keyword
- description: >
- The reason the logon failed. This is textual description based on the value of the hexadecimal `Status` field.
-
- - name: failure.sub_status
- type: keyword
- description: >
- Additional information about the logon failure. This is a textual description based on the value of the hexidecimal `SubStatus` field.
-
diff --git a/packages/system/0.11.2/data_stream/security/fields/winlog.yml b/packages/system/0.11.2/data_stream/security/fields/winlog.yml
deleted file mode 100644
index 4ac76fdcdc..0000000000
--- a/packages/system/0.11.2/data_stream/security/fields/winlog.yml
+++ /dev/null
@@ -1,361 +0,0 @@ -- name: winlog - type: group - description: > - All fields specific to the Windows Event Log are defined here. - - fields: - - name: api - required: true - type: keyword - description: > - The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. - - The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. - - - name: activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. - - - name: computer_name - type: keyword - required: true - description: > - The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. - - - name: event_data - type: object - object_type: keyword - required: false - description: > - The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. - - - name: event_data - type: group - description: > - This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs. 
- - fields: - - name: AuthenticationPackageName - type: keyword - - name: Binary - type: keyword - - name: BitlockerUserInputTime - type: keyword - - name: BootMode - type: keyword - - name: BootType - type: keyword - - name: BuildVersion - type: keyword - - name: Company - type: keyword - - name: CorruptionActionState - type: keyword - - name: CreationUtcTime - type: keyword - - name: Description - type: keyword - - name: Detail - type: keyword - - name: DeviceName - type: keyword - - name: DeviceNameLength - type: keyword - - name: DeviceTime - type: keyword - - name: DeviceVersionMajor - type: keyword - - name: DeviceVersionMinor - type: keyword - - name: DriveName - type: keyword - - name: DriverName - type: keyword - - name: DriverNameLength - type: keyword - - name: DwordVal - type: keyword - - name: EntryCount - type: keyword - - name: ExtraInfo - type: keyword - - name: FailureName - type: keyword - - name: FailureNameLength - type: keyword - - name: FileVersion - type: keyword - - name: FinalStatus - type: keyword - - name: Group - type: keyword - - name: IdleImplementation - type: keyword - - name: IdleStateCount - type: keyword - - name: ImpersonationLevel - type: keyword - - name: IntegrityLevel - type: keyword - - name: IpAddress - type: keyword - - name: IpPort - type: keyword - - name: KeyLength - type: keyword - - name: LastBootGood - type: keyword - - name: LastShutdownGood - type: keyword - - name: LmPackageName - type: keyword - - name: LogonGuid - type: keyword - - name: LogonId - type: keyword - - name: LogonProcessName - type: keyword - - name: LogonType - type: keyword - - name: MajorVersion - type: keyword - - name: MaximumPerformancePercent - type: keyword - - name: MemberName - type: keyword - - name: MemberSid - type: keyword - - name: MinimumPerformancePercent - type: keyword - - name: MinimumThrottlePercent - type: keyword - - name: MinorVersion - type: keyword - - name: NewProcessId - type: keyword - - name: NewProcessName - type: 
keyword - - name: NewSchemeGuid - type: keyword - - name: NewTime - type: keyword - - name: NominalFrequency - type: keyword - - name: Number - type: keyword - - name: OldSchemeGuid - type: keyword - - name: OldTime - type: keyword - - name: OriginalFileName - type: keyword - - name: Path - type: keyword - - name: PerformanceImplementation - type: keyword - - name: PreviousCreationUtcTime - type: keyword - - name: PreviousTime - type: keyword - - name: PrivilegeList - type: keyword - - name: ProcessId - type: keyword - - name: ProcessName - type: keyword - - name: ProcessPath - type: keyword - - name: ProcessPid - type: keyword - - name: Product - type: keyword - - name: PuaCount - type: keyword - - name: PuaPolicyId - type: keyword - - name: QfeVersion - type: keyword - - name: Reason - type: keyword - - name: SchemaVersion - type: keyword - - name: ScriptBlockText - type: keyword - - name: ServiceName - type: keyword - - name: ServiceVersion - type: keyword - - name: ShutdownActionType - type: keyword - - name: ShutdownEventCode - type: keyword - - name: ShutdownReason - type: keyword - - name: Signature - type: keyword - - name: SignatureStatus - type: keyword - - name: Signed - type: keyword - - name: StartTime - type: keyword - - name: State - type: keyword - - name: Status - type: keyword - - name: StopTime - type: keyword - - name: SubjectDomainName - type: keyword - - name: SubjectLogonId - type: keyword - - name: SubjectUserName - type: keyword - - name: SubjectUserSid - type: keyword - - name: TSId - type: keyword - - name: TargetDomainName - type: keyword - - name: TargetInfo - type: keyword - - name: TargetLogonGuid - type: keyword - - name: TargetLogonId - type: keyword - - name: TargetServerName - type: keyword - - name: TargetUserName - type: keyword - - name: TargetUserSid - type: keyword - - name: TerminalSessionId - type: keyword - - name: TokenElevationType - type: keyword - - name: TransmittedServices - type: keyword - - name: UserSid - type: 
keyword - - name: Version - type: keyword - - name: Workstation - type: keyword - - name: param1 - type: keyword - - name: param2 - type: keyword - - name: param3 - type: keyword - - name: param4 - type: keyword - - name: param5 - type: keyword - - name: param6 - type: keyword - - name: param7 - type: keyword - - name: param8 - type: keyword - - name: event_id - type: keyword - required: true - description: > - The event identifier. The value is specific to the source of the event. - - - name: keywords - type: keyword - required: false - description: > - The keywords are used to classify an event. - - - name: channel - type: keyword - required: true - description: > - The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. - - - name: record_id - type: keyword - required: true - description: > - The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. - - - name: related_activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. - - - name: opcode - type: keyword - required: false - description: > - The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. - - - name: provider_guid - type: keyword - required: false - description: > - A globally unique identifier that identifies the provider that logged the event. - - - name: process.pid - type: long - required: false - description: > - The process_id of the Client Server Runtime Process. 
- - - name: provider_name - type: keyword - required: true - description: > - The source of the event log record (the application or service that logged the record). - - - name: task - type: keyword - required: false - description: > - The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. - - - name: process.thread.id - type: long - required: false - - name: user_data - type: object - object_type: keyword - required: false - description: > - The event specific data. This field is mutually exclusive with `event_data`. - - - name: user.identifier - type: keyword - required: false - example: S-1-5-21-3541430928-2051711210-1391384369-1001 - description: > - The Windows security identifier (SID) of the account associated with this event. - - If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. - - - name: user.name - type: keyword - description: > - Name of the user associated with this event. - - - name: user.domain - type: keyword - required: false - description: > - The domain that the account associated with this event is a member of. - - - name: user.type - type: keyword - required: false - description: > - The type of account associated with this event. - - - name: version - type: long - required: false - description: The version number of the event's definition. diff --git a/packages/system/0.11.2/data_stream/security/manifest.yml b/packages/system/0.11.2/data_stream/security/manifest.yml deleted file mode 100644 index c1251238cf..0000000000 --- a/packages/system/0.11.2/data_stream/security/manifest.yml +++ /dev/null 
@@ -1,8 +0,0 @@
-type: logs
-title: Security logs
-release: experimental
-streams:
- - input: winlog
- template_path: winlog.yml.hbs
- title: Security
- description: 'Security channel'
diff --git a/packages/system/0.11.2/data_stream/socket_summary/agent/stream/stream.yml.hbs b/packages/system/0.11.2/data_stream/socket_summary/agent/stream/stream.yml.hbs
deleted file mode 100644
index 98643a9111..0000000000
--- a/packages/system/0.11.2/data_stream/socket_summary/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,5 +0,0 @@
-metricsets: ["socket_summary"]
-period: {{period}}
-{{#if system.hostfs}}
-system.hostfs: {{system.hostfs}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/system/0.11.2/data_stream/socket_summary/fields/agent.yml b/packages/system/0.11.2/data_stream/socket_summary/fields/agent.yml
deleted file mode 100644
index da4e652c53..0000000000
--- a/packages/system/0.11.2/data_stream/socket_summary/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.11.2/data_stream/socket_summary/fields/base-fields.yml b/packages/system/0.11.2/data_stream/socket_summary/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.11.2/data_stream/socket_summary/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.11.2/data_stream/socket_summary/fields/ecs.yml b/packages/system/0.11.2/data_stream/socket_summary/fields/ecs.yml
deleted file mode 100644
index 9f3d04118b..0000000000
--- a/packages/system/0.11.2/data_stream/socket_summary/fields/ecs.yml
+++ /dev/null
@@ -1,128 +0,0 @@ -- name: '@timestamp' - level: core - required: true - type: date - description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. -- name: message - level: core - type: text - description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. -- name: group - title: Group - group: 2 - type: group - fields: - - name: id - level: extended - type: keyword - description: Unique identifier for the group on the system/platform. - ignore_above: 1024 - - name: name - level: extended - type: keyword - description: Name of the group. - ignore_above: 1024 -- name: host - title: Host - group: 2 - type: group - fields: - - name: hostname - level: core - type: keyword - description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - ignore_above: 1024 -- name: process - title: Process - group: 2 - type: group - fields: - - name: name - level: extended - type: keyword - description: |- - Process name. - Sometimes called program name or similar. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - - name: pid - level: core - type: long - format: string - description: Process id. -- name: source - title: Source - group: 2 - type: group - fields: - - name: geo.city_name - level: core - type: keyword - description: City name. 
- ignore_above: 1024 - - name: geo.continent_name - level: core - type: keyword - description: Name of the continent. - ignore_above: 1024 - - name: geo.country_iso_code - level: core - type: keyword - description: Country ISO code. - ignore_above: 1024 - - name: geo.location - level: core - type: geo_point - description: Longitude and latitude. - - name: geo.region_iso_code - level: core - type: keyword - description: Region ISO code. - ignore_above: 1024 - - name: geo.region_name - level: core - type: keyword - description: Region name. - ignore_above: 1024 - - name: ip - level: core - type: ip - description: IP address of the source (IPv4 or IPv6). - - name: port - level: core - type: long - format: string - description: Port of the source. -- name: user - title: User - group: 2 - type: group - fields: - - name: id - level: core - type: keyword - description: Unique identifier of the user. - ignore_above: 1024 - - name: name - level: core - type: keyword - description: Short name or login of the user. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false diff --git a/packages/system/0.11.2/data_stream/socket_summary/fields/fields.yml b/packages/system/0.11.2/data_stream/socket_summary/fields/fields.yml deleted file mode 100644 index fca58be0c8..0000000000 --- a/packages/system/0.11.2/data_stream/socket_summary/fields/fields.yml +++ /dev/null 
@@ -1,106 +0,0 @@ -- name: system.socket.summary - title: Socket summary - type: group - fields: - - name: all - type: group - fields: - - name: count - type: integer - metric_type: gauge - description: | - All open connections - - name: listening - type: integer - metric_type: gauge - description: | - All listening ports - - name: tcp - type: group - fields: - - name: memory - type: integer - format: bytes - unit: byte - metric_type: gauge - description: "Memory used by TCP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/tcp_mem. Only available on Linux. \n" - - name: all - type: group - fields: - - name: orphan - type: integer - metric_type: gauge - description: | - A count of all orphaned tcp sockets. Only available on Linux. - - name: count - type: integer - metric_type: gauge - description: | - All open TCP connections - - name: listening - type: integer - metric_type: gauge - description: | - All TCP listening ports - - name: established - type: integer - metric_type: gauge - description: | - Number of established TCP connections - - name: close_wait - type: integer - metric_type: gauge - description: | - Number of TCP connections in _close_wait_ state - - name: time_wait - type: integer - metric_type: gauge - description: | - Number of TCP connections in _time_wait_ state - - name: syn_sent - type: integer - metric_type: gauge - description: | - Number of TCP connections in _syn_sent_ state - - name: syn_recv - type: integer - metric_type: gauge - description: | - Number of TCP connections in _syn_recv_ state - - name: fin_wait1 - type: integer - metric_type: gauge - description: | - Number of TCP connections in _fin_wait1_ state - - name: fin_wait2 - type: integer - metric_type: gauge - description: | - Number of TCP connections in _fin_wait2_ state - - name: last_ack - type: integer - metric_type: gauge - description: | - Number of TCP connections in _last_ack_ state - - name: 
closing
- type: integer
- metric_type: gauge
- description: |
- Number of TCP connections in _closing_ state
- - name: udp
- type: group
- fields:
- - name: memory
- type: integer
- format: bytes
- unit: byte
- metric_type: gauge
- description: "Memory used by UDP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/udp_mem. Only available on Linux. \n"
- - name: all
- type: group
- fields:
- - name: count
- type: integer
- metric_type: gauge
- description: |
- All open UDP connections
diff --git a/packages/system/0.11.2/data_stream/socket_summary/manifest.yml b/packages/system/0.11.2/data_stream/socket_summary/manifest.yml
deleted file mode 100644
index 119109fe70..0000000000
--- a/packages/system/0.11.2/data_stream/socket_summary/manifest.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-title: System socket_summary metrics
-release: experimental
-type: metrics
-streams:
- - input: system/metrics
- vars:
- - name: period
- type: text
- title: Period
- multi: false
- required: true
- show_user: true
- default: 10s
- title: System socket_summary metrics
- description: Collect System socket_summary metrics
diff --git a/packages/system/0.11.2/data_stream/syslog/agent/stream/log.yml.hbs b/packages/system/0.11.2/data_stream/syslog/agent/stream/log.yml.hbs
deleted file mode 100644
index 58c96859c0..0000000000
--- a/packages/system/0.11.2/data_stream/syslog/agent/stream/log.yml.hbs
+++ /dev/null
@@ -1,14 +0,0 @@
-paths:
-{{#each paths as |path i|}}
- - {{path}}
-{{/each}}
-exclude_files: [".gz$"]
-multiline:
- pattern: "^\\s"
- match: after
-processors:
- - add_locale: ~
- - add_fields:
- target: ''
- fields:
- ecs.version: 1.5.0
\ No newline at end of file
diff --git a/packages/system/0.11.2/data_stream/syslog/elasticsearch/ingest_pipeline/default.yml b/packages/system/0.11.2/data_stream/syslog/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100644
index b71c6624a7..0000000000
--- a/packages/system/0.11.2/data_stream/syslog/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,53 +0,0 @@
----
-description: Pipeline for parsing Syslog messages.
-processors:
-- grok:
- field: message
- patterns:
- - '%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: %{GREEDYMULTILINE:system.syslog.message}'
- - '%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{GREEDYMULTILINE:system.syslog.message}'
- - '%{TIMESTAMP_ISO8601:system.syslog.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: %{GREEDYMULTILINE:system.syslog.message}'
- pattern_definitions:
- GREEDYMULTILINE: |-
- (.|
- )*
- ignore_missing: true
-- remove:
- field: message
-- rename:
- field: system.syslog.message
- target_field: message
- ignore_missing: true
-- date:
- if: ctx.event.timezone == null
- field: system.syslog.timestamp
- target_field: '@timestamp'
- formats:
- - MMM d HH:mm:ss
- - MMM dd HH:mm:ss
- - MMM d HH:mm:ss
- - ISO8601
- on_failure:
- - append:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
-- date:
- if: ctx.event.timezone != null
- field: system.syslog.timestamp
- target_field: '@timestamp'
- formats:
- - MMM d HH:mm:ss
- - MMM dd HH:mm:ss
- - MMM d HH:mm:ss
- - ISO8601
- timezone: '{{ event.timezone }}'
- on_failure:
- - append:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
-- remove:
- field: system.syslog.timestamp
-on_failure:
-- set:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
diff --git a/packages/system/0.11.2/data_stream/syslog/fields/agent.yml b/packages/system/0.11.2/data_stream/syslog/fields/agent.yml
deleted file mode 100644
index da4e652c53..0000000000
--- a/packages/system/0.11.2/data_stream/syslog/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.11.2/data_stream/syslog/fields/base-fields.yml b/packages/system/0.11.2/data_stream/syslog/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.11.2/data_stream/syslog/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.11.2/data_stream/syslog/fields/ecs.yml b/packages/system/0.11.2/data_stream/syslog/fields/ecs.yml
deleted file mode 100644
index 6177e5856f..0000000000
--- a/packages/system/0.11.2/data_stream/syslog/fields/ecs.yml
+++ /dev/null
@@ -1,97 +0,0 @@
-- name: '@timestamp'
- level: core
- required: true
- type: date
- description: |-
- Date/time when the event originated.
- This is the date/time extracted from the event, typically representing when the event was generated by the source.
- If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline.
- Required field for all events.
-- name: message
- level: core
- type: text
- description: |-
- For log events the message field contains the log message, optimized for viewing in a log viewer.
- For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
- If multiple messages exist, they can be combined into one message.
-- name: process
- title: Process
- group: 2
- type: group
- fields:
- - name: name
- level: extended
- type: keyword
- description: |-
- Process name.
- Sometimes called program name or similar.
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- - name: pid
- level: core
- type: long
- format: string
- description: Process id.
-- description: "Operating system architecture."
- ignore_above: 1024
- name: host.architecture
- type: keyword
-- description: "Name of the directory the group is a member of."
- ignore_above: 1024
- name: host.domain
- type: keyword
-- description: "Hostname of the host."
- ignore_above: 1024
- name: host.hostname
- type: keyword
-- description: "Unique host id."
- ignore_above: 1024
- name: host.id
- type: keyword
-- description: "Host ip addresses."
- name: host.ip
- type: ip
-- description: "Host mac addresses."
- ignore_above: 1024
- name: host.mac
- type: keyword
-- description: "Name of the host."
- ignore_above: 1024
- name: host.name
- type: keyword
-- description: "OS family (such as redhat, debian, freebsd, windows)."
- ignore_above: 1024
- name: host.os.family
- type: keyword
-- description: "Operating system name, including the version or code name."
- ignore_above: 1024
- multi_fields:
- - name: text
- norms: false
- type: text
- name: host.os.full
- type: keyword
-- description: "Operating system kernel version as a raw string."
- ignore_above: 1024
- name: host.os.kernel
- type: keyword
-- description: "Operating system name, without the version."
- ignore_above: 1024
- multi_fields:
- - name: text
- norms: false
- type: text
- name: host.os.name
- type: keyword
-- description: "Operating system platform (such centos, ubuntu, windows)."
- ignore_above: 1024
- name: host.os.platform
- type: keyword
-- description: "Operating system version as a raw string."
- ignore_above: 1024
- name: version
- type: keyword
diff --git a/packages/system/0.11.2/data_stream/syslog/fields/fields.yml b/packages/system/0.11.2/data_stream/syslog/fields/fields.yml
deleted file mode 100644
index f933686930..0000000000
--- a/packages/system/0.11.2/data_stream/syslog/fields/fields.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-- name: system.syslog
- type: group
diff --git a/packages/system/0.11.2/data_stream/syslog/manifest.yml b/packages/system/0.11.2/data_stream/syslog/manifest.yml
deleted file mode 100644
index 1aa1fe9412..0000000000
--- a/packages/system/0.11.2/data_stream/syslog/manifest.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-title: System syslog logs
-release: experimental
-type: logs
-streams:
- - input: logfile
- vars:
- - name: paths
- type: text
- title: Paths
- multi: true
- required: true
- show_user: true
- default:
- - /var/log/messages*
- - /var/log/syslog*
- template_path: log.yml.hbs
- title: System syslog logs (log)
- description: Collect System syslog logs using log input
diff --git a/packages/system/0.11.2/data_stream/system/agent/stream/winlog.yml.hbs b/packages/system/0.11.2/data_stream/system/agent/stream/winlog.yml.hbs
deleted file mode 100644
index 47df93c51d..0000000000
--- a/packages/system/0.11.2/data_stream/system/agent/stream/winlog.yml.hbs
+++ /dev/null
@@ -1,2 +0,0 @@
-name: System
-condition: ${host.platform} == 'windows'
\ No newline at end of file
diff --git a/packages/system/0.11.2/data_stream/system/elasticsearch/ingest_pipeline/default.yml b/packages/system/0.11.2/data_stream/system/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100644
index 9f7e885a2f..0000000000
--- a/packages/system/0.11.2/data_stream/system/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-description: Pipeline for Windows System Event Logs
-processors:
- - set:
- field: event.ingested
- value: '{{_ingest.timestamp}}'
-on_failure:
- - set:
- field: "error.message"
- value: "{{ _ingest.on_failure_message }}"
\ No newline at end of file
diff --git a/packages/system/0.11.2/data_stream/system/fields/agent.yml b/packages/system/0.11.2/data_stream/system/fields/agent.yml
deleted file mode 100644
index da4e652c53..0000000000
--- a/packages/system/0.11.2/data_stream/system/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.11.2/data_stream/system/fields/base-fields.yml b/packages/system/0.11.2/data_stream/system/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.11.2/data_stream/system/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.11.2/data_stream/system/fields/ecs.yml b/packages/system/0.11.2/data_stream/system/fields/ecs.yml
deleted file mode 100644
index e1817f5ca6..0000000000
--- a/packages/system/0.11.2/data_stream/system/fields/ecs.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-- description: Time when the event was first read by an agent or by your pipeline.
- example: '2016-05-23T08:05:34.857Z'
- name: event.created
- type: date
-- description: Timestamp when an event arrived in the central data store.
- example: '2016-05-23T08:05:35.101Z'
- name: event.ingested
- type: date
-- description: Raw text message of entire event.
- example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232
- ignore_above: 1024
- name: event.original
- type: keyword
-- description: Error message.
- name: error.message
- type: text
diff --git a/packages/system/0.11.2/data_stream/system/fields/winlog.yml b/packages/system/0.11.2/data_stream/system/fields/winlog.yml
deleted file mode 100644
index adca1bbdd0..0000000000
--- a/packages/system/0.11.2/data_stream/system/fields/winlog.yml
+++ /dev/null
@@ -1,357 +0,0 @@ -- name: winlog - type: group - description: > - All fields specific to the Windows Event Log are defined here. - - fields: - - name: api - required: true - type: keyword - description: > - The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. - - - name: activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. - - - name: computer_name - type: keyword - required: true - description: > - The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. - - - name: event_data - type: object - object_type: keyword - required: false - description: > - The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. - - - name: event_data - type: group - description: > - This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs. 
- - fields: - - name: AuthenticationPackageName - type: keyword - - name: Binary - type: keyword - - name: BitlockerUserInputTime - type: keyword - - name: BootMode - type: keyword - - name: BootType - type: keyword - - name: BuildVersion - type: keyword - - name: Company - type: keyword - - name: CorruptionActionState - type: keyword - - name: CreationUtcTime - type: keyword - - name: Description - type: keyword - - name: Detail - type: keyword - - name: DeviceName - type: keyword - - name: DeviceNameLength - type: keyword - - name: DeviceTime - type: keyword - - name: DeviceVersionMajor - type: keyword - - name: DeviceVersionMinor - type: keyword - - name: DriveName - type: keyword - - name: DriverName - type: keyword - - name: DriverNameLength - type: keyword - - name: DwordVal - type: keyword - - name: EntryCount - type: keyword - - name: ExtraInfo - type: keyword - - name: FailureName - type: keyword - - name: FailureNameLength - type: keyword - - name: FileVersion - type: keyword - - name: FinalStatus - type: keyword - - name: Group - type: keyword - - name: IdleImplementation - type: keyword - - name: IdleStateCount - type: keyword - - name: ImpersonationLevel - type: keyword - - name: IntegrityLevel - type: keyword - - name: IpAddress - type: keyword - - name: IpPort - type: keyword - - name: KeyLength - type: keyword - - name: LastBootGood - type: keyword - - name: LastShutdownGood - type: keyword - - name: LmPackageName - type: keyword - - name: LogonGuid - type: keyword - - name: LogonId - type: keyword - - name: LogonProcessName - type: keyword - - name: LogonType - type: keyword - - name: MajorVersion - type: keyword - - name: MaximumPerformancePercent - type: keyword - - name: MemberName - type: keyword - - name: MemberSid - type: keyword - - name: MinimumPerformancePercent - type: keyword - - name: MinimumThrottlePercent - type: keyword - - name: MinorVersion - type: keyword - - name: NewProcessId - type: keyword - - name: NewProcessName - type: 
keyword - - name: NewSchemeGuid - type: keyword - - name: NewTime - type: keyword - - name: NominalFrequency - type: keyword - - name: Number - type: keyword - - name: OldSchemeGuid - type: keyword - - name: OldTime - type: keyword - - name: OriginalFileName - type: keyword - - name: Path - type: keyword - - name: PerformanceImplementation - type: keyword - - name: PreviousCreationUtcTime - type: keyword - - name: PreviousTime - type: keyword - - name: PrivilegeList - type: keyword - - name: ProcessId - type: keyword - - name: ProcessName - type: keyword - - name: ProcessPath - type: keyword - - name: ProcessPid - type: keyword - - name: Product - type: keyword - - name: PuaCount - type: keyword - - name: PuaPolicyId - type: keyword - - name: QfeVersion - type: keyword - - name: Reason - type: keyword - - name: SchemaVersion - type: keyword - - name: ScriptBlockText - type: keyword - - name: ServiceName - type: keyword - - name: ServiceVersion - type: keyword - - name: ShutdownActionType - type: keyword - - name: ShutdownEventCode - type: keyword - - name: ShutdownReason - type: keyword - - name: Signature - type: keyword - - name: SignatureStatus - type: keyword - - name: Signed - type: keyword - - name: StartTime - type: keyword - - name: State - type: keyword - - name: Status - type: keyword - - name: StopTime - type: keyword - - name: SubjectDomainName - type: keyword - - name: SubjectLogonId - type: keyword - - name: SubjectUserName - type: keyword - - name: SubjectUserSid - type: keyword - - name: TSId - type: keyword - - name: TargetDomainName - type: keyword - - name: TargetInfo - type: keyword - - name: TargetLogonGuid - type: keyword - - name: TargetLogonId - type: keyword - - name: TargetServerName - type: keyword - - name: TargetUserName - type: keyword - - name: TargetUserSid - type: keyword - - name: TerminalSessionId - type: keyword - - name: TokenElevationType - type: keyword - - name: TransmittedServices - type: keyword - - name: UserSid - type: 
keyword - - name: Version - type: keyword - - name: Workstation - type: keyword - - name: param1 - type: keyword - - name: param2 - type: keyword - - name: param3 - type: keyword - - name: param4 - type: keyword - - name: param5 - type: keyword - - name: param6 - type: keyword - - name: param7 - type: keyword - - name: param8 - type: keyword - - name: event_id - type: keyword - required: true - description: > - The event identifier. The value is specific to the source of the event. - - - name: keywords - type: keyword - required: false - description: > - The keywords are used to classify an event. - - - name: channel - type: keyword - required: true - description: > - The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. - - - name: record_id - type: keyword - required: true - description: > - The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. - - - name: related_activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. - - - name: opcode - type: keyword - required: false - description: > - The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. - - - name: provider_guid - type: keyword - required: false - description: > - A globally unique identifier that identifies the provider that logged the event. - - - name: process.pid - type: long - required: false - description: > - The process_id of the Client Server Runtime Process. 
- - - name: provider_name - type: keyword - required: true - description: > - The source of the event log record (the application or service that logged the record). - - - name: task - type: keyword - required: false - description: > - The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. - - - name: process.thread.id - type: long - required: false - - name: user_data - type: object - object_type: keyword - required: false - description: > - The event specific data. This field is mutually exclusive with `event_data`. - - - name: user.identifier - type: keyword - required: false - example: S-1-5-21-3541430928-2051711210-1391384369-1001 - description: > - The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. - - - name: user.name - type: keyword - description: > - Name of the user associated with this event. - - - name: user.domain - type: keyword - required: false - description: > - The domain that the account associated with this event is a member of. - - - name: user.type - type: keyword - required: false - description: > - The type of account associated with this event. - - - name: version - type: long - required: false - description: The version number of the event's definition. diff --git a/packages/system/0.11.2/data_stream/system/manifest.yml b/packages/system/0.11.2/data_stream/system/manifest.yml deleted file mode 100644 index e9bec4fd1e..0000000000 --- a/packages/system/0.11.2/data_stream/system/manifest.yml +++ /dev/null 
@@ -1,8 +0,0 @@
-type: logs
-title: Windows System Events
-release: experimental
-streams:
- - input: winlog
- template_path: winlog.yml.hbs
- title: System
- description: 'Collect Windows system logs'
diff --git a/packages/system/0.11.2/data_stream/uptime/agent/stream/stream.yml.hbs b/packages/system/0.11.2/data_stream/uptime/agent/stream/stream.yml.hbs
deleted file mode 100644
index 810f6a1f3e..0000000000
--- a/packages/system/0.11.2/data_stream/uptime/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,2 +0,0 @@
-metricsets: ["uptime"]
-period: {{period}}
\ No newline at end of file
diff --git a/packages/system/0.11.2/data_stream/uptime/fields/agent.yml b/packages/system/0.11.2/data_stream/uptime/fields/agent.yml
deleted file mode 100644
index da4e652c53..0000000000
--- a/packages/system/0.11.2/data_stream/uptime/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.11.2/data_stream/uptime/fields/base-fields.yml b/packages/system/0.11.2/data_stream/uptime/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.11.2/data_stream/uptime/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.11.2/data_stream/uptime/fields/fields.yml b/packages/system/0.11.2/data_stream/uptime/fields/fields.yml
deleted file mode 100644
index 7c61a13721..0000000000
--- a/packages/system/0.11.2/data_stream/uptime/fields/fields.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-- name: system.uptime
- type: group
- fields:
- - name: duration.ms
- type: long
- format: duration
- unit: ms
- metric_type: counter
- description: |
- The OS uptime in milliseconds.
diff --git a/packages/system/0.11.2/data_stream/uptime/manifest.yml b/packages/system/0.11.2/data_stream/uptime/manifest.yml
deleted file mode 100644
index d1fc1f1579..0000000000
--- a/packages/system/0.11.2/data_stream/uptime/manifest.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-title: System uptime metrics
-release: experimental
-type: metrics
-streams:
- - input: system/metrics
- vars:
- - name: period
- type: text
- title: Period
- multi: false
- required: true
- show_user: true
- default: 10s
- title: System uptime metrics
- description: Collect System uptime metrics
diff --git a/packages/system/0.11.2/docs/README.md b/packages/system/0.11.2/docs/README.md
deleted file mode 100644
index b4827024bb..0000000000
--- a/packages/system/0.11.2/docs/README.md
+++ /dev/null
@@ -1,1650 +0,0 @@
-# System Integration
-
-The System integrations allows you to monitor your servers. Because the System integration
-always applies to the local server, the `hosts` config option is not needed.
-
-The default datasets are `cpu`, `load`, `memory`, `network`, `process`, and
-`process_summary`. If _all_ datasets are disabled
-and the System module is still enabled, fleet uses the default datasets.
-
-Note that certain datasets may access `/proc` to gather process information,
-and the resulting `ptrace_may_access()` call by the kernel to check for
-permissions can be blocked by
-[AppArmor and other LSM software](https://gitlab.com/apparmor/apparmor/wikis/TechnicalDoc_Proc_and_ptrace), even though the System module doesn't use `ptrace` directly.
-
-In addition, when running inside a container the proc filesystem directory of the host
-should be set using `system.hostfs` setting to `/hostfs`.
-
-## Compatibility
-
-The System datasets collect different kinds of metric data, which may require dedicated permissions
-to be fetched and which may vary across operating systems.
-
-## Logs
-
-### Application
-
-The Windows `application` dataset provides events from the Windows
-`Application` event log.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud.
| keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| error.message | Error message. | text |
-| event.code | Identification code for this event. | keyword |
-| event.created | Time when the event was first read by an agent or by your pipeline. | date |
-| event.ingested | Timestamp when an event arrived in the central data store. | date |
-| event.original | Raw text message of entire event. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information.
| keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword |
-| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword |
-| winlog.channel | The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. | keyword |
-| winlog.computer_name | The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. | keyword |
-| winlog.event_data | The event-specific data. This field is mutually exclusive with `user_data`.
If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. | object |
-| winlog.event_data.AuthenticationPackageName | | keyword |
-| winlog.event_data.Binary | | keyword |
-| winlog.event_data.BitlockerUserInputTime | | keyword |
-| winlog.event_data.BootMode | | keyword |
-| winlog.event_data.BootType | | keyword |
-| winlog.event_data.BuildVersion | | keyword |
-| winlog.event_data.Company | | keyword |
-| winlog.event_data.CorruptionActionState | | keyword |
-| winlog.event_data.CreationUtcTime | | keyword |
-| winlog.event_data.Description | | keyword |
-| winlog.event_data.Detail | | keyword |
-| winlog.event_data.DeviceName | | keyword |
-| winlog.event_data.DeviceNameLength | | keyword |
-| winlog.event_data.DeviceTime | | keyword |
-| winlog.event_data.DeviceVersionMajor | | keyword |
-| winlog.event_data.DeviceVersionMinor | | keyword |
-| winlog.event_data.DriveName | | keyword |
-| winlog.event_data.DriverName | | keyword |
-| winlog.event_data.DriverNameLength | | keyword |
-| winlog.event_data.DwordVal | | keyword |
-| winlog.event_data.EntryCount | | keyword |
-| winlog.event_data.ExtraInfo | | keyword |
-| winlog.event_data.FailureName | | keyword |
-| winlog.event_data.FailureNameLength | | keyword |
-| winlog.event_data.FileVersion | | keyword |
-| winlog.event_data.FinalStatus | | keyword |
-| winlog.event_data.Group | | keyword |
-| winlog.event_data.IdleImplementation | | keyword |
-| winlog.event_data.IdleStateCount | | keyword |
-| winlog.event_data.ImpersonationLevel | | keyword |
-| winlog.event_data.IntegrityLevel | | keyword |
-| winlog.event_data.IpAddress | | keyword |
-| winlog.event_data.IpPort | | keyword |
-| winlog.event_data.KeyLength | | keyword |
-| winlog.event_data.LastBootGood | | keyword |
-| winlog.event_data.LastShutdownGood | | keyword |
-|
winlog.event_data.LmPackageName | | keyword |
-| winlog.event_data.LogonGuid | | keyword |
-| winlog.event_data.LogonId | | keyword |
-| winlog.event_data.LogonProcessName | | keyword |
-| winlog.event_data.LogonType | | keyword |
-| winlog.event_data.MajorVersion | | keyword |
-| winlog.event_data.MaximumPerformancePercent | | keyword |
-| winlog.event_data.MemberName | | keyword |
-| winlog.event_data.MemberSid | | keyword |
-| winlog.event_data.MinimumPerformancePercent | | keyword |
-| winlog.event_data.MinimumThrottlePercent | | keyword |
-| winlog.event_data.MinorVersion | | keyword |
-| winlog.event_data.NewProcessId | | keyword |
-| winlog.event_data.NewProcessName | | keyword |
-| winlog.event_data.NewSchemeGuid | | keyword |
-| winlog.event_data.NewTime | | keyword |
-| winlog.event_data.NominalFrequency | | keyword |
-| winlog.event_data.Number | | keyword |
-| winlog.event_data.OldSchemeGuid | | keyword |
-| winlog.event_data.OldTime | | keyword |
-| winlog.event_data.OriginalFileName | | keyword |
-| winlog.event_data.Path | | keyword |
-| winlog.event_data.PerformanceImplementation | | keyword |
-| winlog.event_data.PreviousCreationUtcTime | | keyword |
-| winlog.event_data.PreviousTime | | keyword |
-| winlog.event_data.PrivilegeList | | keyword |
-| winlog.event_data.ProcessId | | keyword |
-| winlog.event_data.ProcessName | | keyword |
-| winlog.event_data.ProcessPath | | keyword |
-| winlog.event_data.ProcessPid | | keyword |
-| winlog.event_data.Product | | keyword |
-| winlog.event_data.PuaCount | | keyword |
-| winlog.event_data.PuaPolicyId | | keyword |
-| winlog.event_data.QfeVersion | | keyword |
-| winlog.event_data.Reason | | keyword |
-| winlog.event_data.SchemaVersion | | keyword |
-| winlog.event_data.ScriptBlockText | | keyword |
-| winlog.event_data.ServiceName | | keyword |
-| winlog.event_data.ServiceVersion | | keyword |
-| winlog.event_data.ShutdownActionType | | keyword |
-| winlog.event_data.ShutdownEventCode | | keyword |
-|
winlog.event_data.ShutdownReason | | keyword |
-| winlog.event_data.Signature | | keyword |
-| winlog.event_data.SignatureStatus | | keyword |
-| winlog.event_data.Signed | | keyword |
-| winlog.event_data.StartTime | | keyword |
-| winlog.event_data.State | | keyword |
-| winlog.event_data.Status | | keyword |
-| winlog.event_data.StopTime | | keyword |
-| winlog.event_data.SubjectDomainName | | keyword |
-| winlog.event_data.SubjectLogonId | | keyword |
-| winlog.event_data.SubjectUserName | | keyword |
-| winlog.event_data.SubjectUserSid | | keyword |
-| winlog.event_data.TSId | | keyword |
-| winlog.event_data.TargetDomainName | | keyword |
-| winlog.event_data.TargetInfo | | keyword |
-| winlog.event_data.TargetLogonGuid | | keyword |
-| winlog.event_data.TargetLogonId | | keyword |
-| winlog.event_data.TargetServerName | | keyword |
-| winlog.event_data.TargetUserName | | keyword |
-| winlog.event_data.TargetUserSid | | keyword |
-| winlog.event_data.TerminalSessionId | | keyword |
-| winlog.event_data.TokenElevationType | | keyword |
-| winlog.event_data.TransmittedServices | | keyword |
-| winlog.event_data.UserSid | | keyword |
-| winlog.event_data.Version | | keyword |
-| winlog.event_data.Workstation | | keyword |
-| winlog.event_data.param1 | | keyword |
-| winlog.event_data.param2 | | keyword |
-| winlog.event_data.param3 | | keyword |
-| winlog.event_data.param4 | | keyword |
-| winlog.event_data.param5 | | keyword |
-| winlog.event_data.param6 | | keyword |
-| winlog.event_data.param7 | | keyword |
-| winlog.event_data.param8 | | keyword |
-| winlog.event_id | The event identifier. The value is specific to the source of the event. | keyword |
-| winlog.keywords | The keywords are used to classify an event. | keyword |
-| winlog.opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged.
| keyword |
-| winlog.process.pid | The process_id of the Client Server Runtime Process. | long |
-| winlog.process.thread.id | | long |
-| winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. | keyword |
-| winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword |
-| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | keyword |
-| winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. | keyword |
-| winlog.task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. | keyword |
-| winlog.user.domain | The domain that the account associated with this event is a member of. | keyword |
-| winlog.user.identifier | The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. | keyword |
-| winlog.user.name | Name of the user associated with this event. | keyword |
-| winlog.user.type | The type of account associated with this event. | keyword |
-| winlog.user_data | The event specific data. This field is mutually exclusive with `event_data`.
| object |
-| winlog.version | The version number of the event's definition. | long |
-
-
-### System
-
-The Windows `system` dataset provides events from the Windows `System`
-event log.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| error.message | Error message. | text |
-| event.created | Time when the event was first read by an agent or by your pipeline. | date |
-| event.ingested | Timestamp when an event arrived in the central data store. | date |
-| event.original | Raw text message of entire event. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container.
| boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword |
-| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API.
The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword |
-| winlog.channel | The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. | keyword |
-| winlog.computer_name | The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. | keyword |
-| winlog.event_data | The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. | object |
-| winlog.event_data.AuthenticationPackageName | | keyword |
-| winlog.event_data.Binary | | keyword |
-| winlog.event_data.BitlockerUserInputTime | | keyword |
-| winlog.event_data.BootMode | | keyword |
-| winlog.event_data.BootType | | keyword |
-| winlog.event_data.BuildVersion | | keyword |
-| winlog.event_data.Company | | keyword |
-| winlog.event_data.CorruptionActionState | | keyword |
-| winlog.event_data.CreationUtcTime | | keyword |
-| winlog.event_data.Description | | keyword |
-| winlog.event_data.Detail | | keyword |
-| winlog.event_data.DeviceName | | keyword |
-| winlog.event_data.DeviceNameLength | | keyword |
-| winlog.event_data.DeviceTime | | keyword |
-| winlog.event_data.DeviceVersionMajor | | keyword |
-| winlog.event_data.DeviceVersionMinor | | keyword |
-| winlog.event_data.DriveName | | keyword |
-| winlog.event_data.DriverName | | keyword |
-| winlog.event_data.DriverNameLength | | keyword |
-| winlog.event_data.DwordVal | | keyword |
-|
winlog.event_data.EntryCount | | keyword |
-| winlog.event_data.ExtraInfo | | keyword |
-| winlog.event_data.FailureName | | keyword |
-| winlog.event_data.FailureNameLength | | keyword |
-| winlog.event_data.FileVersion | | keyword |
-| winlog.event_data.FinalStatus | | keyword |
-| winlog.event_data.Group | | keyword |
-| winlog.event_data.IdleImplementation | | keyword |
-| winlog.event_data.IdleStateCount | | keyword |
-| winlog.event_data.ImpersonationLevel | | keyword |
-| winlog.event_data.IntegrityLevel | | keyword |
-| winlog.event_data.IpAddress | | keyword |
-| winlog.event_data.IpPort | | keyword |
-| winlog.event_data.KeyLength | | keyword |
-| winlog.event_data.LastBootGood | | keyword |
-| winlog.event_data.LastShutdownGood | | keyword |
-| winlog.event_data.LmPackageName | | keyword |
-| winlog.event_data.LogonGuid | | keyword |
-| winlog.event_data.LogonId | | keyword |
-| winlog.event_data.LogonProcessName | | keyword |
-| winlog.event_data.LogonType | | keyword |
-| winlog.event_data.MajorVersion | | keyword |
-| winlog.event_data.MaximumPerformancePercent | | keyword |
-| winlog.event_data.MemberName | | keyword |
-| winlog.event_data.MemberSid | | keyword |
-| winlog.event_data.MinimumPerformancePercent | | keyword |
-| winlog.event_data.MinimumThrottlePercent | | keyword |
-| winlog.event_data.MinorVersion | | keyword |
-| winlog.event_data.NewProcessId | | keyword |
-| winlog.event_data.NewProcessName | | keyword |
-| winlog.event_data.NewSchemeGuid | | keyword |
-| winlog.event_data.NewTime | | keyword |
-| winlog.event_data.NominalFrequency | | keyword |
-| winlog.event_data.Number | | keyword |
-| winlog.event_data.OldSchemeGuid | | keyword |
-| winlog.event_data.OldTime | | keyword |
-| winlog.event_data.OriginalFileName | | keyword |
-| winlog.event_data.Path | | keyword |
-| winlog.event_data.PerformanceImplementation | | keyword |
-| winlog.event_data.PreviousCreationUtcTime | | keyword |
-| winlog.event_data.PreviousTime | | keyword |
-| winlog.event_data.PrivilegeList | | keyword |
-| winlog.event_data.ProcessId | | keyword |
-| winlog.event_data.ProcessName | | keyword |
-| winlog.event_data.ProcessPath | | keyword |
-| winlog.event_data.ProcessPid | | keyword |
-| winlog.event_data.Product | | keyword |
-| winlog.event_data.PuaCount | | keyword |
-| winlog.event_data.PuaPolicyId | | keyword |
-| winlog.event_data.QfeVersion | | keyword |
-| winlog.event_data.Reason | | keyword |
-| winlog.event_data.SchemaVersion | | keyword |
-| winlog.event_data.ScriptBlockText | | keyword |
-| winlog.event_data.ServiceName | | keyword |
-| winlog.event_data.ServiceVersion | | keyword |
-| winlog.event_data.ShutdownActionType | | keyword |
-| winlog.event_data.ShutdownEventCode | | keyword |
-| winlog.event_data.ShutdownReason | | keyword |
-| winlog.event_data.Signature | | keyword |
-| winlog.event_data.SignatureStatus | | keyword |
-| winlog.event_data.Signed | | keyword |
-| winlog.event_data.StartTime | | keyword |
-| winlog.event_data.State | | keyword |
-| winlog.event_data.Status | | keyword |
-| winlog.event_data.StopTime | | keyword |
-| winlog.event_data.SubjectDomainName | | keyword |
-| winlog.event_data.SubjectLogonId | | keyword |
-| winlog.event_data.SubjectUserName | | keyword |
-| winlog.event_data.SubjectUserSid | | keyword |
-| winlog.event_data.TSId | | keyword |
-| winlog.event_data.TargetDomainName | | keyword |
-| winlog.event_data.TargetInfo | | keyword |
-| winlog.event_data.TargetLogonGuid | | keyword |
-| winlog.event_data.TargetLogonId | | keyword |
-| winlog.event_data.TargetServerName | | keyword |
-| winlog.event_data.TargetUserName | | keyword |
-| winlog.event_data.TargetUserSid | | keyword |
-| winlog.event_data.TerminalSessionId | | keyword |
-| winlog.event_data.TokenElevationType | | keyword |
-| winlog.event_data.TransmittedServices | | keyword |
-| winlog.event_data.UserSid | | keyword |
-| winlog.event_data.Version | | keyword |
-| winlog.event_data.Workstation | |
keyword |
-| winlog.event_data.param1 | | keyword |
-| winlog.event_data.param2 | | keyword |
-| winlog.event_data.param3 | | keyword |
-| winlog.event_data.param4 | | keyword |
-| winlog.event_data.param5 | | keyword |
-| winlog.event_data.param6 | | keyword |
-| winlog.event_data.param7 | | keyword |
-| winlog.event_data.param8 | | keyword |
-| winlog.event_id | The event identifier. The value is specific to the source of the event. | keyword |
-| winlog.keywords | The keywords are used to classify an event. | keyword |
-| winlog.opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. | keyword |
-| winlog.process.pid | The process_id of the Client Server Runtime Process. | long |
-| winlog.process.thread.id | | long |
-| winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. | keyword |
-| winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword |
-| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | keyword |
-| winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. | keyword |
-| winlog.task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field.
| keyword |
-| winlog.user.domain | The domain that the account associated with this event is a member of. | keyword |
-| winlog.user.identifier | The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. | keyword |
-| winlog.user.name | Name of the user associated with this event. | keyword |
-| winlog.user.type | The type of account associated with this event. | keyword |
-| winlog.user_data | The event specific data. This field is mutually exclusive with `event_data`. | object |
-| winlog.version | The version number of the event's definition. | long |
-
-
-
-### Security
-
-The Windows `security` dataset provides events from the Windows
-`Security` event log.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id.
| keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset name. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| dataset.name | Dataset name. | constant_keyword |
-| dataset.namespace | Dataset namespace. | constant_keyword |
-| dataset.type | Dataset type. | constant_keyword |
-| event.action | The action captured by the event. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. | keyword |
-| event.code | Identification code for this event, if one exists. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. | date |
-| event.ingested | Timestamp when an event arrived in the central data store. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. | keyword |
-| event.module | Name of the module this data is coming from. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. | keyword |
-| event.provider | Source of the event. | keyword |
-| event.sequence | Sequence number of the event. | long |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. | keyword |
-| group.domain | Name of the directory the group is a member of. | keyword |
-| group.id | Unique identifier for the group on the system/platform. | keyword |
-| group.name | Name of the group. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container.
| boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| log.level | Original log level of the log event. | keyword |
-| process.args | Array of process arguments, starting with the absolute path to the executable. | keyword |
-| process.args_count | Length of the process.args array. | long |
-| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments.
| keyword |
-| process.entity_id | Unique identifier for the process. | keyword |
-| process.executable | Absolute path to the process executable. | keyword |
-| process.name | Process name. | keyword |
-| process.parent.executable | Absolute path to the process executable. | keyword |
-| process.parent.name | Process name. | keyword |
-| process.pid | Process PID. | long |
-| process.title | Process title. | keyword |
-| related.hash | | keyword |
-| related.hosts | | keyword |
-| related.ip | | ip |
-| related.user | | keyword |
-| service.name | Name of the service data is collected from. | keyword |
-| service.type | The type of the service data is collected from. | keyword |
-| source.domain | Source domain. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| user.domain | Name of the directory the user is a member of. | keyword |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.target.group.domain | Name of the directory the group is a member of. | keyword |
-| user.target.group.id | Unique identifier for the group on the system/platform. | keyword |
-| user.target.group.name | Name of the group. | keyword |
-| user.target.name | Short name or login of the user. | keyword |
-| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword |
-| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used.
Winlogbeat automatically detects which API to use for reading event logs. | keyword | -| winlog.channel | The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. | keyword | -| winlog.computer_name | The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. | keyword | -| winlog.event_data | The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. | object | -| winlog.event_data.AuthenticationPackageName | | keyword | -| winlog.event_data.Binary | | keyword | -| winlog.event_data.BitlockerUserInputTime | | keyword | -| winlog.event_data.BootMode | | keyword | -| winlog.event_data.BootType | | keyword | -| winlog.event_data.BuildVersion | | keyword | -| winlog.event_data.Company | | keyword | -| winlog.event_data.CorruptionActionState | | keyword | -| winlog.event_data.CreationUtcTime | | keyword | -| winlog.event_data.Description | | keyword | -| winlog.event_data.Detail | | keyword | -| winlog.event_data.DeviceName | | keyword | -| winlog.event_data.DeviceNameLength | | keyword | -| winlog.event_data.DeviceTime | | keyword | -| winlog.event_data.DeviceVersionMajor | | keyword | -| winlog.event_data.DeviceVersionMinor | | keyword | -| winlog.event_data.DriveName | | keyword | -| winlog.event_data.DriverName | | keyword | -| winlog.event_data.DriverNameLength | | keyword | -| winlog.event_data.DwordVal | | keyword | -| winlog.event_data.EntryCount | | keyword | -| winlog.event_data.ExtraInfo | | keyword | -| winlog.event_data.FailureName | | keyword | -| winlog.event_data.FailureNameLength | | keyword | -| winlog.event_data.FileVersion | | keyword | -| 
winlog.event_data.FinalStatus | | keyword | -| winlog.event_data.Group | | keyword | -| winlog.event_data.IdleImplementation | | keyword | -| winlog.event_data.IdleStateCount | | keyword | -| winlog.event_data.ImpersonationLevel | | keyword | -| winlog.event_data.IntegrityLevel | | keyword | -| winlog.event_data.IpAddress | | keyword | -| winlog.event_data.IpPort | | keyword | -| winlog.event_data.KeyLength | | keyword | -| winlog.event_data.LastBootGood | | keyword | -| winlog.event_data.LastShutdownGood | | keyword | -| winlog.event_data.LmPackageName | | keyword | -| winlog.event_data.LogonGuid | | keyword | -| winlog.event_data.LogonId | | keyword | -| winlog.event_data.LogonProcessName | | keyword | -| winlog.event_data.LogonType | | keyword | -| winlog.event_data.MajorVersion | | keyword | -| winlog.event_data.MaximumPerformancePercent | | keyword | -| winlog.event_data.MemberName | | keyword | -| winlog.event_data.MemberSid | | keyword | -| winlog.event_data.MinimumPerformancePercent | | keyword | -| winlog.event_data.MinimumThrottlePercent | | keyword | -| winlog.event_data.MinorVersion | | keyword | -| winlog.event_data.NewProcessId | | keyword | -| winlog.event_data.NewProcessName | | keyword | -| winlog.event_data.NewSchemeGuid | | keyword | -| winlog.event_data.NewTime | | keyword | -| winlog.event_data.NominalFrequency | | keyword | -| winlog.event_data.Number | | keyword | -| winlog.event_data.OldSchemeGuid | | keyword | -| winlog.event_data.OldTime | | keyword | -| winlog.event_data.OriginalFileName | | keyword | -| winlog.event_data.Path | | keyword | -| winlog.event_data.PerformanceImplementation | | keyword | -| winlog.event_data.PreviousCreationUtcTime | | keyword | -| winlog.event_data.PreviousTime | | keyword | -| winlog.event_data.PrivilegeList | | keyword | -| winlog.event_data.ProcessId | | keyword | -| winlog.event_data.ProcessName | | keyword | -| winlog.event_data.ProcessPath | | keyword | -| winlog.event_data.ProcessPid | | keyword | -| 
winlog.event_data.Product | | keyword | -| winlog.event_data.PuaCount | | keyword | -| winlog.event_data.PuaPolicyId | | keyword | -| winlog.event_data.QfeVersion | | keyword | -| winlog.event_data.Reason | | keyword | -| winlog.event_data.SchemaVersion | | keyword | -| winlog.event_data.ScriptBlockText | | keyword | -| winlog.event_data.ServiceName | | keyword | -| winlog.event_data.ServiceVersion | | keyword | -| winlog.event_data.ShutdownActionType | | keyword | -| winlog.event_data.ShutdownEventCode | | keyword | -| winlog.event_data.ShutdownReason | | keyword | -| winlog.event_data.Signature | | keyword | -| winlog.event_data.SignatureStatus | | keyword | -| winlog.event_data.Signed | | keyword | -| winlog.event_data.StartTime | | keyword | -| winlog.event_data.State | | keyword | -| winlog.event_data.Status | | keyword | -| winlog.event_data.StopTime | | keyword | -| winlog.event_data.SubjectDomainName | | keyword | -| winlog.event_data.SubjectLogonId | | keyword | -| winlog.event_data.SubjectUserName | | keyword | -| winlog.event_data.SubjectUserSid | | keyword | -| winlog.event_data.TSId | | keyword | -| winlog.event_data.TargetDomainName | | keyword | -| winlog.event_data.TargetInfo | | keyword | -| winlog.event_data.TargetLogonGuid | | keyword | -| winlog.event_data.TargetLogonId | | keyword | -| winlog.event_data.TargetServerName | | keyword | -| winlog.event_data.TargetUserName | | keyword | -| winlog.event_data.TargetUserSid | | keyword | -| winlog.event_data.TerminalSessionId | | keyword | -| winlog.event_data.TokenElevationType | | keyword | -| winlog.event_data.TransmittedServices | | keyword | -| winlog.event_data.UserSid | | keyword | -| winlog.event_data.Version | | keyword | -| winlog.event_data.Workstation | | keyword | -| winlog.event_data.param1 | | keyword | -| winlog.event_data.param2 | | keyword | -| winlog.event_data.param3 | | keyword | -| winlog.event_data.param4 | | keyword | -| winlog.event_data.param5 | | keyword | -| 
winlog.event_data.param6 | | keyword | -| winlog.event_data.param7 | | keyword | -| winlog.event_data.param8 | | keyword | -| winlog.event_id | The event identifier. The value is specific to the source of the event. | keyword | -| winlog.keywords | The keywords are used to classify an event. | keyword | -| winlog.logon.failure.reason | The reason the logon failed. | keyword | -| winlog.logon.failure.status | The reason the logon failed. This is textual description based on the value of the hexadecimal `Status` field. | keyword | -| winlog.logon.failure.sub_status | Additional information about the logon failure. This is a textual description based on the value of the hexidecimal `SubStatus` field. | keyword | -| winlog.logon.id | Logon ID that can be used to associate this logon with other events related to the same logon session. | keyword | -| winlog.logon.type | Logon type name. This is the descriptive version of the `winlog.event_data.LogonType` ordinal. This is an enrichment added by the Security module. | keyword | -| winlog.opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. | keyword | -| winlog.process.pid | The process_id of the Client Server Runtime Process. | long | -| winlog.process.thread.id | | long | -| winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. | keyword | -| winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword | -| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. 
| keyword | -| winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. | keyword | -| winlog.task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. | keyword | -| winlog.user.domain | The domain that the account associated with this event is a member of. | keyword | -| winlog.user.identifier | The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. | keyword | -| winlog.user.name | Name of the user associated with this event. | keyword | -| winlog.user.type | The type of account associated with this event. | keyword | -| winlog.user_data | The event specific data. This field is mutually exclusive with `event_data`. | object | -| winlog.version | The version number of the event's definition. | long | - - -### Auth - -The `auth` dataset provides auth logs on linux and MacOS prior to 10.8. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. 
| keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| error.message | Error message. | text | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the directory the group is a member of. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). 
| keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.pid | Process id. | long | -| related.hosts | All the host names seen on your event. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names seen on your event. | keyword | -| source.as.number | Unique number allocated to the autonomous system. | long | -| source.as.organization.name | Organization name. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. 
| long | -| system.auth.ssh.dropped_ip | The client IP from SSH connections that are open and immediately dropped. | ip | -| system.auth.ssh.event | The SSH event as found in the logs (Accepted, Invalid, Failed, etc.) | keyword | -| system.auth.ssh.method | The SSH authentication method. Can be one of "password" or "publickey". | keyword | -| system.auth.ssh.signature | The signature of the client public key. | keyword | -| system.auth.sudo.command | The command executed via sudo. | keyword | -| system.auth.sudo.error | The error message in case the sudo command failed. | keyword | -| system.auth.sudo.pwd | The current directory where the sudo command is executed. | keyword | -| system.auth.sudo.tty | The TTY where the sudo command is executed. | keyword | -| system.auth.sudo.user | The target user to which the sudo command is switching. | keyword | -| system.auth.useradd.home | The home folder for the new user. | keyword | -| system.auth.useradd.shell | The default shell for the new user. | keyword | -| user.effective.name | Short name or login of the user. | keyword | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| version | Operating system version as a raw string. | keyword | - - -### syslog - -The `syslog` dataset provides system logs on linux and MacOS. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). 
| keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.pid | Process id. | long | -| version | Operating system version as a raw string. | keyword | - - -## Metrics - -### Core - -The System `core` dataset provides usage statistics for each CPU core. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- OpenBSD -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. 
| keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip address. | ip | -| host.mac | Host mac address. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.full | Operating system name, including the version or code name. 
| keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. | keyword | -| system.core.id | CPU Core number. | keyword | -| system.core.idle.pct | The percentage of CPU time spent idle. | scaled_float | -| system.core.idle.ticks | The amount of CPU time spent idle. | long | -| system.core.iowait.pct | The percentage of CPU time spent in wait (on disk). | scaled_float | -| system.core.iowait.ticks | The amount of CPU time spent in wait (on disk). | long | -| system.core.irq.pct | The percentage of CPU time spent servicing and handling hardware interrupts. | scaled_float | -| system.core.irq.ticks | The amount of CPU time spent servicing and handling hardware interrupts. | long | -| system.core.nice.pct | The percentage of CPU time spent on low-priority processes. | scaled_float | -| system.core.nice.ticks | The amount of CPU time spent on low-priority processes. | long | -| system.core.softirq.pct | The percentage of CPU time spent servicing and handling software interrupts. | scaled_float | -| system.core.softirq.ticks | The amount of CPU time spent servicing and handling software interrupts. | long | -| system.core.steal.pct | The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | scaled_float | -| system.core.steal.ticks | The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | long | -| system.core.system.pct | The percentage of CPU time spent in kernel space. | scaled_float | -| system.core.system.ticks | The amount of CPU time spent in kernel space. 
| long | -| system.core.user.pct | The percentage of CPU time spent in user space. | scaled_float | -| system.core.user.ticks | The amount of CPU time spent in user space. | long | - - -### CPU - -The System `cpu` dataset provides CPU statistics. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- OpenBSD -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.cpu.pct | Percent CPU used. This value is normalized by the number of CPU cores and it ranges from 0 to 1. 
| scaled_float | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip address. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| system.cpu.cores | The number of CPU cores present on the host. The non-normalized percentages will have a maximum value of `100% * cores`. The normalized percentages already take this value into account and have a maximum value of 100%. | long | -| system.cpu.idle.norm.pct | The percentage of CPU time spent idle. 
| scaled_float | -| system.cpu.idle.pct | The percentage of CPU time spent idle. | scaled_float | -| system.cpu.idle.ticks | The amount of CPU time spent idle. | long | -| system.cpu.iowait.norm.pct | The percentage of CPU time spent in wait (on disk). | scaled_float | -| system.cpu.iowait.pct | The percentage of CPU time spent in wait (on disk). | scaled_float | -| system.cpu.iowait.ticks | The amount of CPU time spent in wait (on disk). | long | -| system.cpu.irq.norm.pct | The percentage of CPU time spent servicing and handling hardware interrupts. | scaled_float | -| system.cpu.irq.pct | The percentage of CPU time spent servicing and handling hardware interrupts. | scaled_float | -| system.cpu.irq.ticks | The amount of CPU time spent servicing and handling hardware interrupts. | long | -| system.cpu.nice.norm.pct | The percentage of CPU time spent on low-priority processes. | scaled_float | -| system.cpu.nice.pct | The percentage of CPU time spent on low-priority processes. | scaled_float | -| system.cpu.nice.ticks | The amount of CPU time spent on low-priority processes. | long | -| system.cpu.softirq.norm.pct | The percentage of CPU time spent servicing and handling software interrupts. | scaled_float | -| system.cpu.softirq.pct | The percentage of CPU time spent servicing and handling software interrupts. | scaled_float | -| system.cpu.softirq.ticks | The amount of CPU time spent servicing and handling software interrupts. | long | -| system.cpu.steal.norm.pct | The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | scaled_float | -| system.cpu.steal.pct | The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. 
| scaled_float |
-| system.cpu.steal.ticks | The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | long |
-| system.cpu.system.norm.pct | The percentage of CPU time spent in kernel space. | scaled_float |
-| system.cpu.system.pct | The percentage of CPU time spent in kernel space. | scaled_float |
-| system.cpu.system.ticks | The amount of CPU time spent in kernel space. | long |
-| system.cpu.total.norm.pct | The percentage of CPU time in states other than Idle and IOWait, normalised by the number of cores. | scaled_float |
-| system.cpu.total.pct | The percentage of CPU time spent in states other than Idle and IOWait. | scaled_float |
-| system.cpu.user.norm.pct | The percentage of CPU time spent in user space. | scaled_float |
-| system.cpu.user.pct | The percentage of CPU time spent in user space. On multi-core systems, you can have percentages that are greater than 100%. For example, if 3 cores are at 60% use, then the `system.cpu.user.pct` will be 180%. | scaled_float |
-| system.cpu.user.ticks | The amount of CPU time spent in user space. | long |
-
-
-### Disk IO
-
-The System `diskio` dataset provides disk IO metrics collected from the
-operating system. One event is created for each disk mounted on the system.
-
-This dataset is available on:
-
-- Linux
-- macOS (requires 10.10+)
-- Windows
-- FreeBSD (amd64)
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.disk.read.bytes | The total number of bytes read successfully in a given period of time. | scaled_float |
-| host.disk.write.bytes | The total number of bytes write successfully in a given period of time. | scaled_float |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.full | Operating system name, including the version or code name. | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| system.diskio.io.time | The total number of of milliseconds spent doing I/Os. | long |
-| system.diskio.iostat.await | The average time spent for requests issued to the device to be served. | float |
-| system.diskio.iostat.busy | Percentage of CPU time during which I/O requests were issued to the device (bandwidth utilization for the device). Device saturation occurs when this value is close to 100%. | float |
-| system.diskio.iostat.queue.avg_size | The average queue length of the requests that were issued to the device. | float |
-| system.diskio.iostat.read.await | The average time spent for read requests issued to the device to be served. | float |
-| system.diskio.iostat.read.per_sec.bytes | The number of Bytes read from the device per second. | float |
-| system.diskio.iostat.read.request.merges_per_sec | The number of read requests merged per second that were queued to the device. | float |
-| system.diskio.iostat.read.request.per_sec | The number of read requests that were issued to the device per second | float |
-| system.diskio.iostat.request.avg_size | The average size (in bytes) of the requests that were issued to the device. | float |
-| system.diskio.iostat.service_time | The average service time (in milliseconds) for I/O requests that were issued to the device. | float |
-| system.diskio.iostat.write.await | The average time spent for write requests issued to the device to be served. | float |
-| system.diskio.iostat.write.per_sec.bytes | The number of Bytes write from the device per second. | float |
-| system.diskio.iostat.write.request.merges_per_sec | The number of write requests merged per second that were queued to the device. | float |
-| system.diskio.iostat.write.request.per_sec | The number of write requests that were issued to the device per second | float |
-| system.diskio.name | The disk name. | keyword |
-| system.diskio.read.bytes | The total number of bytes read successfully. On Linux this is the number of sectors read multiplied by an assumed sector size of 512. | long |
-| system.diskio.read.count | The total number of reads completed successfully. | long |
-| system.diskio.read.time | The total number of milliseconds spent by all reads. | long |
-| system.diskio.serial_number | The disk's serial number. This may not be provided by all operating systems. | keyword |
-| system.diskio.write.bytes | The total number of bytes written successfully. On Linux this is the number of sectors written multiplied by an assumed sector size of 512. | long |
-| system.diskio.write.count | The total number of writes completed successfully. | long |
-| system.diskio.write.time | The total number of milliseconds spent by all writes. | long |
-
-
-### Filesystem
-
-The System `filesystem` dataset provides file system statistics. For each file
-system, one document is provided.
-
-This dataset is available on:
-
-- FreeBSD
-- Linux
-- macOS
-- OpenBSD
-- Windows
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| system.filesystem.available | The disk space available to an unprivileged user in bytes. | long |
-| system.filesystem.device_name | The disk name. For example: `/dev/disk1` | keyword |
-| system.filesystem.files | The total number of file nodes in the file system. | long |
-| system.filesystem.free | The disk space available in bytes. | long |
-| system.filesystem.free_files | The number of free file nodes in the file system. | long |
-| system.filesystem.mount_point | The mounting point. For example: `/` | keyword |
-| system.filesystem.total | The total disk space in bytes. | long |
-| system.filesystem.type | The disk type. For example: `ext4` | keyword |
-| system.filesystem.used.bytes | The used disk space in bytes. | long |
-| system.filesystem.used.pct | The percentage of used disk space. | scaled_float |
-
-
-### Fsstat
-
-The System `fsstat` dataset provides overall file system statistics.
-
-This dataset is available on:
-
-- FreeBSD
-- Linux
-- macOS
-- OpenBSD
-- Windows
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.full | Operating system name, including the version or code name. | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. | keyword |
-| system.fsstat.count | Number of file systems found. | long |
-| system.fsstat.total_files | Total number of files. | long |
-| system.fsstat.total_size.free | Total free space. | long |
-| system.fsstat.total_size.total | Total space (used plus free). | long |
-| system.fsstat.total_size.used | Total used space. | long |
-
-
-### Load
-
-The System `load` dataset provides load statistics.
-
-This dataset is available on:
-
-- FreeBSD
-- Linux
-- macOS
-- OpenBSD
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac address. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.full | Operating system name, including the version or code name. | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. | keyword |
-| system.load.1 | Load average for the last minute. | scaled_float |
-| system.load.15 | Load average for the last 15 minutes. | scaled_float |
-| system.load.5 | Load average for the last 5 minutes. | scaled_float |
-| system.load.cores | The number of CPU cores present on the host. | long |
-| system.load.norm.1 | Load for the last minute divided by the number of cores. | scaled_float |
-| system.load.norm.15 | Load for the last 15 minutes divided by the number of cores. | scaled_float |
-| system.load.norm.5 | Load for the last 5 minutes divided by the number of cores. | scaled_float |
-
-
-### Memory
-
-The System `memory` dataset provides memory statistics.
-
-This dataset is available on:
-
-- FreeBSD
-- Linux
-- macOS
-- OpenBSD
-- Windows
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip address. | ip |
-| host.mac | Host mac address. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.full | Operating system name, including the version or code name. | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| system.memory.actual.free | Actual free memory in bytes. It is calculated based on the OS. On Linux this value will be MemAvailable from /proc/meminfo, or calculated from free memory plus caches and buffers if /proc/meminfo is not available. On OSX it is a sum of free memory and the inactive memory. On Windows, it is equal to `system.memory.free`. | long |
-| system.memory.actual.used.bytes | Actual used memory in bytes. It represents the difference between the total and the available memory. The available memory depends on the OS. For more details, please check `system.actual.free`. | long |
-| system.memory.actual.used.pct | The percentage of actual used memory. | scaled_float |
-| system.memory.free | The total amount of free memory in bytes. This value does not include memory consumed by system caches and buffers (see system.memory.actual.free). | long |
-| system.memory.hugepages.default_size | Default size for huge pages. | long |
-| system.memory.hugepages.free | Number of available huge pages in the pool. | long |
-| system.memory.hugepages.reserved | Number of reserved but not allocated huge pages in the pool. | long |
-| system.memory.hugepages.surplus | Number of overcommited huge pages. | long |
-| system.memory.hugepages.swap.out.fallback | Count of huge pages that must be split before swapout | long |
-| system.memory.hugepages.swap.out.pages | pages swapped out | long |
-| system.memory.hugepages.total | Number of huge pages in the pool. | long |
-| system.memory.hugepages.used.bytes | Memory used in allocated huge pages. | long |
-| system.memory.hugepages.used.pct | Percentage of huge pages used. | long |
-| system.memory.page_stats.direct_efficiency.pct | direct reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory. | scaled_float |
-| system.memory.page_stats.kswapd_efficiency.pct | kswapd reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory. | scaled_float |
-| system.memory.page_stats.pgfree.pages | pages freed by the system | long |
-| system.memory.page_stats.pgscan_direct.pages | pages scanned directly | long |
-| system.memory.page_stats.pgscan_kswapd.pages | pages scanned by kswapd | long |
-| system.memory.page_stats.pgsteal_direct.pages | number of pages reclaimed directly | long |
-| system.memory.page_stats.pgsteal_kswapd.pages | number of pages reclaimed by kswapd | long |
-| system.memory.swap.free | Available swap memory. | long |
-| system.memory.swap.in.pages | count of pages swapped in | long |
-| system.memory.swap.out.pages | count of pages swapped out | long |
-| system.memory.swap.readahead.cached | swap readahead cache hits | long |
-| system.memory.swap.readahead.pages | swap readahead pages | long |
-| system.memory.swap.total | Total swap memory. | long |
-| system.memory.swap.used.bytes | Used swap memory. | long |
-| system.memory.swap.used.pct | The percentage of used swap memory. | scaled_float |
-| system.memory.total | Total memory. | long |
-| system.memory.used.bytes | Used memory. | long |
-| system.memory.used.pct | The percentage of used memory. | scaled_float |
-
-
-### Network
-
-The System `network` dataset provides network IO metrics collected from the
-operating system. One event is created for each network interface.
-
-This dataset is available on:
-
-- FreeBSD
-- Linux
-- macOS
-- Windows
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| group.id | Unique identifier for the group on the system/platform. | keyword |
-| group.name | Name of the group. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.network.in.bytes | The number of bytes received on all network interfaces by the host in a given period of time. | scaled_float |
-| host.network.in.packets | The number of packets received on all network interfaces by the host in a given period of time. | long |
-| host.network.out.bytes | The number of bytes sent out on all network interfaces by the host in a given period of time. | scaled_float |
-| host.network.out.packets | The number of packets sent out on all network interfaces by the host in a given period of time. | long |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text |
-| process.name | Process name. Sometimes called program name or similar. | keyword |
-| process.pid | Process id. | long |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| system.network.in.bytes | The number of bytes received. | long |
-| system.network.in.dropped | The number of incoming packets that were dropped. | long |
-| system.network.in.errors | The number of errors while receiving. | long |
-| system.network.in.packets | The number or packets received. | long |
-| system.network.name | The network interface name. | keyword |
-| system.network.out.bytes | The number of bytes sent. | long |
-| system.network.out.dropped | The number of outgoing packets that were dropped. This value is always 0 on Darwin and BSD because it is not reported by the operating system. | long |
-| system.network.out.errors | The number of errors while sending. | long |
-| system.network.out.packets | The number of packets sent. | long |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-
-
-### Process
-
-The System `process` dataset provides process statistics. One document is
-provided for each process.
-
-This dataset is available on:
-
-- FreeBSD
-- Linux
-- macOS
-- Windows
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip address. | ip |
-| host.mac | Host mac address. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.full | Operating system name, including the version or code name. | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| process.cpu.pct | The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 1. | scaled_float |
-| process.cpu.start_time | The time when the process was started. | date |
-| process.memory.pct | The percentage of memory the process occupied in main memory (RAM). | scaled_float |
-| process.name | Process name. Sometimes called program name or similar. | keyword |
-| process.pgid | Identifier of the group of processes the process belongs to. | long |
-| process.pid | Process id. | long |
-| process.ppid | Parent process' pid. | long |
-| process.state | The process state. For example: "running". | keyword |
-| process.working_directory | The working directory of the process. | keyword |
-| system.process.cgroup.blkio.id | ID of the cgroup. | keyword |
-| system.process.cgroup.blkio.path | Path to the cgroup relative to the cgroup subsystems mountpoint. | keyword |
-| system.process.cgroup.blkio.total.bytes | Total number of bytes transferred to and from all block devices by processes in the cgroup. | long |
-| system.process.cgroup.blkio.total.ios | Total number of I/O operations performed on all devices by processes in the cgroup as seen by the throttling policy. | long |
-| system.process.cgroup.cpu.cfs.period.us | Period of time in microseconds for how regularly a cgroup's access to CPU resources should be reallocated. | long |
-| system.process.cgroup.cpu.cfs.quota.us | Total amount of time in microseconds for which all tasks in a cgroup can run during one period (as defined by cfs.period.us). | long |
-| system.process.cgroup.cpu.cfs.shares | An integer value that specifies a relative share of CPU time available to the tasks in a cgroup. The value specified in the cpu.shares file must be 2 or higher. | long |
-| system.process.cgroup.cpu.id | ID of the cgroup. | keyword |
-| system.process.cgroup.cpu.path | Path to the cgroup relative to the cgroup subsystem's mountpoint. | keyword |
-| system.process.cgroup.cpu.rt.period.us | Period of time in microseconds for how regularly a cgroup's access to CPU resources is reallocated. | long |
-| system.process.cgroup.cpu.rt.runtime.us | Period of time in microseconds for the longest continuous period in which the tasks in a cgroup have access to CPU resources. | long |
-| system.process.cgroup.cpu.stats.periods | Number of period intervals (as specified in cpu.cfs.period.us) that have elapsed. | long |
-| system.process.cgroup.cpu.stats.throttled.ns | The total time duration (in nanoseconds) for which tasks in a cgroup have been throttled. | long |
-| system.process.cgroup.cpu.stats.throttled.periods | Number of times tasks in a cgroup have been throttled (that is, not allowed to run because they have exhausted all of the available time as specified by their quota). | long |
-| system.process.cgroup.cpuacct.id | ID of the cgroup. | keyword |
-| system.process.cgroup.cpuacct.path | Path to the cgroup relative to the cgroup subsystem's mountpoint. | keyword |
-| system.process.cgroup.cpuacct.percpu | CPU time (in nanoseconds) consumed on each CPU by all tasks in this cgroup. | object |
-| system.process.cgroup.cpuacct.stats.system.ns | CPU time consumed by tasks in user (kernel) mode. | long |
-| system.process.cgroup.cpuacct.stats.user.ns | CPU time consumed by tasks in user mode. | long |
-| system.process.cgroup.cpuacct.total.ns | Total CPU time in nanoseconds consumed by all tasks in the cgroup. | long |
-| system.process.cgroup.id | The ID common to all cgroups associated with this task. If there isn't a common ID used by all cgroups this field will be absent. | keyword |
-| system.process.cgroup.memory.id | ID of the cgroup. | keyword |
-| system.process.cgroup.memory.kmem.failures | The number of times that the memory limit (kmem.limit.bytes) was reached. | long |
-| system.process.cgroup.memory.kmem.limit.bytes | The maximum amount of kernel memory that tasks in the cgroup are allowed to use. | long |
-| system.process.cgroup.memory.kmem.usage.bytes | Total kernel memory usage by processes in the cgroup (in bytes). | long |
-| system.process.cgroup.memory.kmem.usage.max.bytes | The maximum kernel memory used by processes in the cgroup (in bytes). | long |
-| system.process.cgroup.memory.kmem_tcp.failures | The number of times that the memory limit (kmem_tcp.limit.bytes) was reached. | long |
-| system.process.cgroup.memory.kmem_tcp.limit.bytes | The maximum amount of memory for TCP buffers that tasks in the cgroup are allowed to use. | long |
-| system.process.cgroup.memory.kmem_tcp.usage.bytes | Total memory usage for TCP buffers in bytes. | long |
-| system.process.cgroup.memory.kmem_tcp.usage.max.bytes | The maximum memory used for TCP buffers by processes in the cgroup (in bytes). | long |
-| system.process.cgroup.memory.mem.failures | The number of times that the memory limit (mem.limit.bytes) was reached. | long |
-| system.process.cgroup.memory.mem.limit.bytes | The maximum amount of user memory in bytes (including file cache) that tasks in the cgroup are allowed to use. | long |
-| system.process.cgroup.memory.mem.usage.bytes | Total memory usage by processes in the cgroup (in bytes). | long |
-| system.process.cgroup.memory.mem.usage.max.bytes | The maximum memory used by processes in the cgroup (in bytes). | long |
-| system.process.cgroup.memory.memsw.failures | The number of times that the memory plus swap space limit (memsw.limit.bytes) was reached. | long |
-| system.process.cgroup.memory.memsw.limit.bytes | The maximum amount for the sum of memory and swap usage that tasks in the cgroup are allowed to use. | long |
-| system.process.cgroup.memory.memsw.usage.bytes | The sum of current memory usage plus swap space used by processes in the cgroup (in bytes). | long |
-| system.process.cgroup.memory.memsw.usage.max.bytes | The maximum amount of memory and swap space used by processes in the cgroup (in bytes). | long |
-| system.process.cgroup.memory.path | Path to the cgroup relative to the cgroup subsystem's mountpoint. | keyword |
-| system.process.cgroup.memory.stats.active_anon.bytes | Anonymous and swap cache on active least-recently-used (LRU) list, including tmpfs (shmem), in bytes. 
| long | -| system.process.cgroup.memory.stats.active_file.bytes | File-backed memory on active LRU list, in bytes. | long | -| system.process.cgroup.memory.stats.cache.bytes | Page cache, including tmpfs (shmem), in bytes. | long | -| system.process.cgroup.memory.stats.hierarchical_memory_limit.bytes | Memory limit for the hierarchy that contains the memory cgroup, in bytes. | long | -| system.process.cgroup.memory.stats.hierarchical_memsw_limit.bytes | Memory plus swap limit for the hierarchy that contains the memory cgroup, in bytes. | long | -| system.process.cgroup.memory.stats.inactive_anon.bytes | Anonymous and swap cache on inactive LRU list, including tmpfs (shmem), in bytes | long | -| system.process.cgroup.memory.stats.inactive_file.bytes | File-backed memory on inactive LRU list, in bytes. | long | -| system.process.cgroup.memory.stats.major_page_faults | Number of times that a process in the cgroup triggered a major fault. "Major" faults happen when the kernel actually has to read the data from disk. | long | -| system.process.cgroup.memory.stats.mapped_file.bytes | Size of memory-mapped mapped files, including tmpfs (shmem), in bytes. | long | -| system.process.cgroup.memory.stats.page_faults | Number of times that a process in the cgroup triggered a page fault. | long | -| system.process.cgroup.memory.stats.pages_in | Number of pages paged into memory. This is a counter. | long | -| system.process.cgroup.memory.stats.pages_out | Number of pages paged out of memory. This is a counter. | long | -| system.process.cgroup.memory.stats.rss.bytes | Anonymous and swap cache (includes transparent hugepages), not including tmpfs (shmem), in bytes. | long | -| system.process.cgroup.memory.stats.rss_huge.bytes | Number of bytes of anonymous transparent hugepages. | long | -| system.process.cgroup.memory.stats.swap.bytes | Swap usage, in bytes. | long | -| system.process.cgroup.memory.stats.unevictable.bytes | Memory that cannot be reclaimed, in bytes. 
| long | -| system.process.cgroup.path | The path to the cgroup relative to the cgroup subsystem's mountpoint. If there isn't a common path used by all cgroups this field will be absent. | keyword | -| system.process.cmdline | The full command-line used to start the process, including the arguments separated by space. | keyword | -| system.process.cpu.start_time | The time when the process was started. | date | -| system.process.cpu.system.ticks | The amount of CPU time the process spent in kernel space. | long | -| system.process.cpu.total.norm.pct | The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 100%. | scaled_float | -| system.process.cpu.total.pct | The percentage of CPU time spent by the process since the last update. Its value is similar to the %CPU value of the process displayed by the top command on Unix systems. | scaled_float | -| system.process.cpu.total.ticks | The total CPU time spent by the process. | long | -| system.process.cpu.total.value | The value of CPU usage since starting the process. | long | -| system.process.cpu.user.ticks | The amount of CPU time the process spent in user space. | long | -| system.process.env | The environment variables used to start the process. The data is available on FreeBSD, Linux, and OS X. | object | -| system.process.fd.limit.hard | The hard limit on the number of file descriptors opened by the process. The hard limit can only be raised by root. | long | -| system.process.fd.limit.soft | The soft limit on the number of file descriptors opened by the process. The soft limit can be changed by the process at any time. | long | -| system.process.fd.open | The number of file descriptors open by the process. | long | -| system.process.memory.rss.bytes | The Resident Set Size. The amount of memory the process occupied in main memory (RAM). On Windows this represents the current working set size, in bytes. 
| long | -| system.process.memory.rss.pct | The percentage of memory the process occupied in main memory (RAM). | scaled_float | -| system.process.memory.share | The shared memory the process uses. | long | -| system.process.memory.size | The total virtual memory the process has. On Windows this represents the Commit Charge (the total amount of memory that the memory manager has committed for a running process) value in bytes for this process. | long | -| system.process.state | The process state. For example: "running". | keyword | -| user.name | Short name or login of the user. | keyword | - - -### Process summary - -The `process_summary` dataset collects high level statistics about the running -processes. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. 
| keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.pid | Process id. | long | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| system.process.summary.dead | Number of dead processes on this host. It's very unlikely that it will appear but in some special situations it may happen. | long | -| system.process.summary.idle | Number of idle processes on this host. | long | -| system.process.summary.running | Number of running processes on this host. | long | -| system.process.summary.sleeping | Number of sleeping processes on this host. | long | -| system.process.summary.stopped | Number of stopped processes on this host. | long | -| system.process.summary.total | Total number of processes on this host. | long | -| system.process.summary.unknown | Number of processes for which the state couldn't be retrieved or is unknown. | long | -| system.process.summary.zombie | Number of zombie processes on this host. | long | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. 
| keyword | - - -### Socket summary - -The System `socket_summary` dataset provides the summary of open network -sockets in the host system. - -It collects a summary of metrics with the count of existing TCP and UDP -connections and the count of listening ports. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. 
| boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text | -| process.name | Process name. Sometimes called program name or similar. 
| keyword | -| process.pid | Process id. | long | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| system.socket.summary.all.count | All open connections | integer | -| system.socket.summary.all.listening | All listening ports | integer | -| system.socket.summary.tcp.all.close_wait | Number of TCP connections in _close_wait_ state | integer | -| system.socket.summary.tcp.all.closing | Number of TCP connections in _closing_ state | integer | -| system.socket.summary.tcp.all.count | All open TCP connections | integer | -| system.socket.summary.tcp.all.established | Number of established TCP connections | integer | -| system.socket.summary.tcp.all.fin_wait1 | Number of TCP connections in _fin_wait1_ state | integer | -| system.socket.summary.tcp.all.fin_wait2 | Number of TCP connections in _fin_wait2_ state | integer | -| system.socket.summary.tcp.all.last_ack | Number of TCP connections in _last_ack_ state | integer | -| system.socket.summary.tcp.all.listening | All TCP listening ports | integer | -| system.socket.summary.tcp.all.orphan | A count of all orphaned tcp sockets. Only available on Linux. | integer | -| system.socket.summary.tcp.all.syn_recv | Number of TCP connections in _syn_recv_ state | integer | -| system.socket.summary.tcp.all.syn_sent | Number of TCP connections in _syn_sent_ state | integer | -| system.socket.summary.tcp.all.time_wait | Number of TCP connections in _time_wait_ state | integer | -| system.socket.summary.tcp.memory | Memory used by TCP sockets in bytes, based on number of allocated pages and system page size. 
Corresponds to limits set in /proc/sys/net/ipv4/tcp_mem. Only available on Linux. | integer | -| system.socket.summary.udp.all.count | All open UDP connections | integer | -| system.socket.summary.udp.memory | Memory used by UDP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/udp_mem. Only available on Linux. | integer | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | - - -### Uptime - -The System `uptime` dataset provides the uptime of the host operating system. - -This dataset is available on: - -- Linux -- macOS -- OpenBSD -- FreeBSD -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. 
| constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| system.uptime.duration.ms | The OS uptime in milliseconds. | long | - 
diff --git a/packages/system/0.11.2/img/kibana-system.png b/packages/system/0.11.2/img/kibana-system.png deleted file mode 100644 index 8741a56624..0000000000 Binary files a/packages/system/0.11.2/img/kibana-system.png and /dev/null differ diff --git a/packages/system/0.11.2/img/metricbeat_system_dashboard.png b/packages/system/0.11.2/img/metricbeat_system_dashboard.png deleted file mode 100644 index 2ff6ad8bd0..0000000000 Binary files a/packages/system/0.11.2/img/metricbeat_system_dashboard.png and /dev/null differ diff --git a/packages/system/0.11.2/img/system.svg b/packages/system/0.11.2/img/system.svg deleted file mode 100644 index 0aba96275e..0000000000 --- a/packages/system/0.11.2/img/system.svg +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/dashboard/system-01c54730-fee6-11e9-8405-516218e3d268.json b/packages/system/0.11.2/kibana/dashboard/system-01c54730-fee6-11e9-8405-516218e3d268.json deleted file mode 100644 index 2af90db405..0000000000 --- a/packages/system/0.11.2/kibana/dashboard/system-01c54730-fee6-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,129 +0,0 @@ -{ - "attributes": { - "description": "Group management activity with TSVB metrics.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":8,\"i\":\"22\",\"w\":17,\"x\":0,\"y\":0},\"panelIndex\":\"22\",\"panelRefName\":\"panel_0\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Creation Summary [Windows System Security]\"},\"gridData\":{\"h\":13,\"i\":\"36\",\"w\":9,\"x\":0,\"y\":59},\"panelIndex\":\"36\",\"panelRefName\":\"panel_1\",\"title\":\"Group Creation Summary [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Changes Summary [Windows System Security]\"},\"gridData\":{\"h\":13,\"i\":\"37\",\"w\":9,\"x\":9,\"y\":59},\"panelIndex\":\"37\",\"panelRefName\":\"panel_2\",\"title\":\"Group Changes Summary [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Deletion Summary [Windows System Security]\"},\"gridData\":{\"h\":13,\"i\":\"38\",\"w\":9,\"x\":18,\"y\":59},\"panelIndex\":\"38\",\"panelRefName\":\"panel_3\",\"title\":\"Group Deletion Summary [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Users Added to Group Summary [Windows System Security]\"},\"gridData\":{\"h\":14,\"i\":\"39\",\"w\":16,\"x\":0,\"y\":81},\"panelIndex\":\"39\",\"panelRefName\":\"panel_4\",\"title\":\"Users Added to Group Summary [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Users Removed From Group Summary [Windows System Security]\"},\"gridData\":{\"h\":14,\"i\":\"40\",\"w\":17,\"x\":16,\"y\":81},\"panelIndex\":\"40\",\"panelRefName\":\"panel_5\",\"title\":\"Users Removed From Group Summary [Windows 
System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Membership Enumeration Summary [Windows System Security]\"},\"gridData\":{\"h\":14,\"i\":\"42\",\"w\":15,\"x\":33,\"y\":81},\"panelIndex\":\"42\",\"panelRefName\":\"panel_6\",\"title\":\"Group Membership Enumeration Summary [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Details [Windows System Security]\"},\"gridData\":{\"h\":22,\"i\":\"43\",\"w\":21,\"x\":27,\"y\":50},\"panelIndex\":\"43\",\"panelRefName\":\"panel_7\",\"title\":\"Logon Details [System Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"44\",\"w\":16,\"x\":0,\"y\":72},\"panelIndex\":\"44\",\"panelRefName\":\"panel_8\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"45\",\"w\":9,\"x\":18,\"y\":50},\"panelIndex\":\"45\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"46\",\"w\":9,\"x\":0,\"y\":50},\"panelIndex\":\"46\",\"panelRefName\":\"panel_10\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"47\",\"w\":9,\"x\":9,\"y\":50},\"panelIndex\":\"47\",\"panelRefName\":\"panel_11\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"48\",\"w\":17,\"x\":16,\"y\":72},\"panelIndex\":\"48\",\"panelRefName\":\"panel_12\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"49\",\"w\":15,\"x\":33,\"y\":72},\"panelIndex\":\"49\",\"panelRefName\":\"panel_13\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"51\",\"w\":48,\"x\":0,\"y\":95},\"panelIndex\":\"51\",\"panelRefName\":\"panel_14\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":8,\"i\":\"45614e1c-b2bb-4243-9a74-a4bdd0124c87\",\"w\":31,\"x\":17,\"y\":0},\"panelIndex\":\"456
14e1c-b2bb-4243-9a74-a4bdd0124c87\",\"panelRefName\":\"panel_15\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"88e75800-8125-4c9e-96b8-5c36f6e91664\",\"w\":9,\"x\":21,\"y\":8},\"panelIndex\":\"88e75800-8125-4c9e-96b8-5c36f6e91664\",\"panelRefName\":\"panel_16\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"4b793b8e-72d4-42a2-b377-1c70f0307414\",\"w\":18,\"x\":30,\"y\":8},\"panelIndex\":\"4b793b8e-72d4-42a2-b377-1c70f0307414\",\"panelRefName\":\"panel_17\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"vis\":null},\"gridData\":{\"h\":21,\"i\":\"82d229f9-44f4-4c4b-baf7-f9673a14c87f\",\"w\":26,\"x\":0,\"y\":29},\"panelIndex\":\"82d229f9-44f4-4c4b-baf7-f9673a14c87f\",\"panelRefName\":\"panel_18\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-group-account\":\"#1F78C1\",\"added-member-to-group\":\"#0A437C\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#0A50A1\",\"type-changed-group-account\":\"#82B5D8\",\"user-member-enumerated\":\"#2F575E\"},\"vis\":{\"colors\":{\"added-group-account\":\"#1F78C1\",\"added-member-to-group\":\"#0A437C\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#0A50A1\",\"removed-member-from-group\":\"#82B5D8\",\"type-changed-group-account\":\"#82B5D8\",\"user-member-enumerated\":\"#2F575E\"}}},\"gridData\":{\"h\":21,\"i\":\"f44255b0-d9a8-479f-be3f-829c1f6ed794\",\"w\":22,\"x\":26,\"y\":29},\"panelIndex\":\"f44255b0-d9a8-479f-be3f-829c1f6ed794\",\"panelRefName\":\"panel_19\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-group-account\":\"#0A50A1\",\"added-member-to-group\":\"#1F78C1\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#0A437C\",\"user-member-enumerated\":\"#052B51\"},\"vis\":{\"colors\":{\"added-group-account\":\"#0A50A1\",\"added-member-to-group\":\"#1F78C1\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#0A437C\",\"user-member-enumerated\":\"#2F57
5E\"}}},\"gridData\":{\"h\":21,\"i\":\"9c42bff2-b295-4617-8d8c-455bd5948b66\",\"w\":21,\"x\":0,\"y\":8},\"panelIndex\":\"9c42bff2-b295-4617-8d8c-455bd5948b66\",\"panelRefName\":\"panel_20\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[System Windows Security] Group Management Events - Simple Metrics", - "version": 1 - }, - "id": "windows-01c54730-fee6-11e9-8405-516218e3d268", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-6f0f2ea0-f414-11e9-8405-516218e3d268", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-98884120-f49d-11e9-8405-516218e3d268", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-9e534190-f49d-11e9-8405-516218e3d268", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-bb9cf7a0-f49d-11e9-8405-516218e3d268", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-ce867840-f49e-11e9-8405-516218e3d268", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-fee83900-f49f-11e9-8405-516218e3d268", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-bc165210-f4b8-11e9-8405-516218e3d268", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "windows-7e178c80-fee1-11e9-8405-516218e3d268", - "name": "panel_7", - "type": "search" - }, - { - "id": "windows-a13bf640-fee8-11e9-8405-516218e3d268", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-5eeaafd0-fee7-11e9-8405-516218e3d268", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-f42f3b20-fee6-11e9-8405-516218e3d268", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "windows-b5f38780-fee6-11e9-8405-516218e3d268", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "windows-1b5f17d0-feea-11e9-8405-516218e3d268", - "name": "panel_12", - "type": "visualization" - }, - { - "id": 
"windows-0f2f5280-feeb-11e9-8405-516218e3d268", - "name": "panel_13", - "type": "visualization" - }, - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "panel_14", - "type": "search" - }, - { - "id": "windows-d770b040-9b35-11ea-87e4-49f31ec44891", - "name": "panel_15", - "type": "visualization" - }, - { - "id": "windows-33462600-9b47-11ea-87e4-49f31ec44891", - "name": "panel_16", - "type": "visualization" - }, - { - "id": "windows-58fb9480-9b46-11ea-87e4-49f31ec44891", - "name": "panel_17", - "type": "visualization" - }, - { - "id": "windows-e20c02d0-9b48-11ea-87e4-49f31ec44891", - "name": "panel_18", - "type": "visualization" - }, - { - "id": "windows-7de2e3f0-9b4d-11ea-87e4-49f31ec44891", - "name": "panel_19", - "type": "visualization" - }, - { - "id": "windows-b89b0c90-9b41-11ea-87e4-49f31ec44891", - "name": "panel_20", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/dashboard/system-035846a0-a249-11e9-a422-d144027429da.json b/packages/system/0.11.2/kibana/dashboard/system-035846a0-a249-11e9-a422-d144027429da.json deleted file mode 100644 index 7da98e0bb3..0000000000 --- a/packages/system/0.11.2/kibana/dashboard/system-035846a0-a249-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,89 +0,0 @@ -{ - "attributes": { - "description": "User logon activity dashboard with TSVB metrics.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"Sesiones Usuarios Admin\"},\"gridData\":{\"h\":28,\"i\":\"1\",\"w\":18,\"x\":0,\"y\":38},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"title\":\"Sesiones Usuarios Admin\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":13,\"i\":\"2\",\"w\":9,\"x\":0,\"y\":6},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Usuarios Adm\"},\"gridData\":{\"h\":19,\"i\":\"3\",\"w\":18,\"x\":0,\"y\":19},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"title\":\"Usuarios Adm\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":6,\"i\":\"4\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Network Logon Details\"},\"gridData\":{\"h\":27,\"i\":\"10\",\"w\":22,\"x\":0,\"y\":66},\"panelIndex\":\"10\",\"panelRefName\":\"panel_4\",\"title\":\"Network Logon Details\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":6,\"i\":\"08245e0c-6afe-43ea-ba5f-76c3b17301fd\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"08245e0c-6afe-43ea-ba5f-76c3b17301fd\",\"panelRefName\":\"panel_5\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":13,\"i\":\"f403fdcc-6588-4573-a949-9e661783a2b8\",\"w\":9,\"x\":9,\"y\":6},\"panelIndex\":\"f403fdcc-6588-4573-a949-9e661783a2b8\",\"panelRefName\":\"panel_6\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Events 
Timeline\"},\"gridData\":{\"h\":13,\"i\":\"51a9affa-8e96-42bd-98e9-80531bdefc53\",\"w\":30,\"x\":18,\"y\":6},\"panelIndex\":\"51a9affa-8e96-42bd-98e9-80531bdefc53\",\"panelRefName\":\"panel_7\",\"title\":\"Logon Events Timeline\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Types\"},\"gridData\":{\"h\":19,\"i\":\"bbdca4de-11c5-4957-a74c-73769416a562\",\"w\":12,\"x\":18,\"y\":19},\"panelIndex\":\"bbdca4de-11c5-4957-a74c-73769416a562\",\"panelRefName\":\"panel_8\",\"title\":\"Logon Types\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"4df66ae6-e047-47c7-b1a9-b15221eb9d90\",\"w\":18,\"x\":30,\"y\":19},\"panelIndex\":\"4df66ae6-e047-47c7-b1a9-b15221eb9d90\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"RDP Reconnections and Desconnections\"},\"gridData\":{\"h\":28,\"i\":\"454bb008-9720-455e-8ab9-b2f47d25aa4f\",\"w\":19,\"x\":18,\"y\":38},\"panelIndex\":\"454bb008-9720-455e-8ab9-b2f47d25aa4f\",\"panelRefName\":\"panel_10\",\"title\":\"RDP Reconnections and Desconnections\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":28,\"i\":\"baec73e7-7166-4577-9483-1252bdd8773c\",\"w\":11,\"x\":37,\"y\":38},\"panelIndex\":\"baec73e7-7166-4577-9483-1252bdd8773c\",\"panelRefName\":\"panel_11\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logout Details\"},\"gridData\":{\"h\":27,\"i\":\"28115147-8399-4fcd-95ce-ed0a4f4239e3\",\"w\":26,\"x\":22,\"y\":66},\"panelIndex\":\"28115147-8399-4fcd-95ce-ed0a4f4239e3\",\"panelRefName\":\"panel_12\",\"title\":\"Logout Details\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[System Windows Security] User Logons - Simple Metrics", - "version": 1 - }, - "id": "windows-035846a0-a249-11e9-a422-d144027429da", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-804dd400-a248-11e9-a422-d144027429da", - "name": "panel_0", - "type": 
"visualization" - }, - { - "id": "windows-5bb93ed0-a249-11e9-a422-d144027429da", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-e2516c10-a249-11e9-a422-d144027429da", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-18348f30-a24d-11e9-a422-d144027429da", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-ce71c9a0-a25e-11e9-a422-d144027429da", - "name": "panel_4", - "type": "search" - }, - { - "id": "windows-d770b040-9b35-11ea-87e4-49f31ec44891", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-2c71e0f0-9c0d-11ea-87e4-49f31ec44891", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "windows-abd44840-9c0f-11ea-87e4-49f31ec44891", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "windows-006d75f0-9c03-11ea-87e4-49f31ec44891", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-21aadac0-9c0b-11ea-87e4-49f31ec44891", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3", - "name": "panel_10", - "type": "search" - }, - { - "id": "windows-25f31ee0-9c23-11ea-87e4-49f31ec44891", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "windows-06b6b060-7a80-11ea-bc9a-0baf2ca323a3", - "name": "panel_12", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab.json b/packages/system/0.11.2/kibana/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab.json deleted file mode 100644 index 8814d936cf..0000000000 --- a/packages/system/0.11.2/kibana/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab.json +++ /dev/null 
@@ -1,53 +0,0 @@ -{ - "attributes": { - "description": "New users and groups dashboard for the System integration in Logs", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":12,\"i\":\"1\",\"w\":24,\"x\":0,\"y\":4},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"2\",\"w\":24,\"x\":24,\"y\":4},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":16},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"4\",\"w\":24,\"x\":24,\"y\":16},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":12,\"i\":\"5\",\"w\":24,\"x\":0,\"y\":28},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"6\",\"w\":24,\"x\":24,\"y\":28},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"7\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Logs System] New users and groups", - "version": 1 - }, - "id": "system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab", - "references": [ - { - "id": "system-f398d2f0-fa77-11e6-ae9b-81e5311e8cab", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-5dd15c00-fa78-11e6-ae9b-81e5311e8cab", - "name": "panel_1", - "type": 
"visualization" - }, - { - "id": "system-e121b140-fa78-11e6-a1df-a78bd7504d38", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "system-d56ee420-fa79-11e6-a1df-a78bd7504d38", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "system-12667040-fa80-11e6-a1df-a78bd7504d38", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "system-346bb290-fa80-11e6-a1df-a78bd7504d38", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "system-327417e0-8462-11e7-bab8-bd2f0fb42c54", - "name": "panel_6", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a.json b/packages/system/0.11.2/kibana/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a.json deleted file mode 100644 index 7c1b819642..0000000000 --- a/packages/system/0.11.2/kibana/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "description": "Sudo commands dashboard from the Logs System integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"2\",\"w\":48,\"x\":0,\"y\":36},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":16,\"i\":\"3\",\"w\":48,\"x\":0,\"y\":4},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"4\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Logs System] Sudo commands", - "version": 1 - }, - "id": "system-277876d0-fa2c-11e6-bbd3-29c986c96e5a", - "references": [ - { - "id": "system-5c7af030-fa2a-11e6-bbd3-29c986c96e5a", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-51164310-fa2b-11e6-bbd3-29c986c96e5a", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "system-dc589770-fa2b-11e6-bbd3-29c986c96e5a", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "system-327417e0-8462-11e7-bab8-bd2f0fb42c54", - "name": "panel_3", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a.json b/packages/system/0.11.2/kibana/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a.json deleted file mode 100644 index 34f78d0da6..0000000000 
--- a/packages/system/0.11.2/kibana/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a.json +++ /dev/null 
@@ -1,48 +0,0 @@ -{ - "attributes": { - "description": "SSH dashboard for the System integration in Logs", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":16},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"2\",\"w\":48,\"x\":0,\"y\":4},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":28},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"mapBounds\":{\"bottom_right\":{\"lat\":10.31491928581316,\"lon\":74.53125},\"top_left\":{\"lat\":60.50052541051131,\"lon\":-27.94921875}},\"mapCenter\":[39.774769485295465,23.203125],\"mapCollar\":{\"bottom_right\":{\"lat\":-14.777884999999998,\"lon\":125.771485},\"top_left\":{\"lat\":85.593335,\"lon\":-79.189455},\"zoom\":3},\"mapZoom\":3},\"gridData\":{\"h\":16,\"i\":\"4\",\"w\":24,\"x\":24,\"y\":28},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"columns\":[\"system.auth.ssh.event\",\"system.auth.ssh.method\",\"user.name\",\"source.ip\",\"source.geo.country_iso_code\"],\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"h\":12,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":44},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"6\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Logs System] SSH login attempts", - "version": 1 - }, - "id": "system-5517a150-f9ce-11e6-8115-a7c18106d86a", - "references": [ - { - "id": 
"system-d16bb400-f9cc-11e6-8115-a7c18106d86a", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-78b74f30-f9cd-11e6-8115-a7c18106d86a", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "system-341ffe70-f9ce-11e6-8115-a7c18106d86a", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "system-3cec3eb0-f9d3-11e6-8a3e-2b904044ea1d", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "system-62439dc0-f9c9-11e6-a747-6121780e0414", - "name": "panel_4", - "type": "search" - }, - { - "id": "system-327417e0-8462-11e7-bab8-bd2f0fb42c54", - "name": "panel_5", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/dashboard/system-71f720f0-ff18-11e9-8405-516218e3d268.json b/packages/system/0.11.2/kibana/dashboard/system-71f720f0-ff18-11e9-8405-516218e3d268.json deleted file mode 100644 index d2a5ae3be2..0000000000 --- a/packages/system/0.11.2/kibana/dashboard/system-71f720f0-ff18-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,159 +0,0 @@ -{ - "attributes": { - "description": "User management activity.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":8,\"i\":\"1\",\"w\":17,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Created Users [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"3\",\"w\":9,\"x\":0,\"y\":56},\"panelIndex\":\"3\",\"panelRefName\":\"panel_1\",\"title\":\"Created Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Enabled Users [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"5\",\"w\":9,\"x\":9,\"y\":56},\"panelIndex\":\"5\",\"panelRefName\":\"panel_2\",\"title\":\"Enabled Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Disabled Users [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"6\",\"w\":9,\"x\":0,\"y\":79},\"panelIndex\":\"6\",\"panelRefName\":\"panel_3\",\"title\":\"Disabled Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Deleted Users [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"7\",\"w\":9,\"x\":18,\"y\":56},\"panelIndex\":\"7\",\"panelRefName\":\"panel_4\",\"title\":\"Deleted Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Passwords Changes [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"9\",\"w\":9,\"x\":18,\"y\":79},\"panelIndex\":\"9\",\"panelRefName\":\"panel_5\",\"title\":\"Passwords Changes [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Unlocked Users [Windows System 
Security]\"},\"gridData\":{\"h\":16,\"i\":\"15\",\"w\":9,\"x\":9,\"y\":79},\"panelIndex\":\"15\",\"panelRefName\":\"panel_6\",\"title\":\"Unlocked Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Users Changes [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"16\",\"w\":9,\"x\":18,\"y\":102},\"panelIndex\":\"16\",\"panelRefName\":\"panel_7\",\"title\":\"Users Changes [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Locked-out Users [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"20\",\"w\":9,\"x\":0,\"y\":102},\"panelIndex\":\"20\",\"panelRefName\":\"panel_8\",\"title\":\"Locked-out Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":46,\"i\":\"22\",\"w\":21,\"x\":27,\"y\":72},\"panelIndex\":\"22\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"23\",\"w\":48,\"x\":0,\"y\":118},\"panelIndex\":\"23\",\"panelRefName\":\"panel_10\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"24\",\"w\":9,\"x\":0,\"y\":72},\"panelIndex\":\"24\",\"panelRefName\":\"panel_11\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"25\",\"w\":9,\"x\":9,\"y\":49},\"panelIndex\":\"25\",\"panelRefName\":\"panel_12\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"26\",\"w\":9,\"x\":18,\"y\":49},\"panelIndex\":\"26\",\"panelRefName\":\"panel_13\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"27\",\"w\":9,\"x\":0,\"y\":49},\"panelIndex\":\"27\",\"panelRefName\":\"panel_14\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"28\",\"w\":9,\"x\":9,\"y\":72},\"panelIndex\":\"28\",\"panelRefName\":\"panel_15\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridDat
a\":{\"h\":7,\"i\":\"29\",\"w\":9,\"x\":18,\"y\":72},\"panelIndex\":\"29\",\"panelRefName\":\"panel_16\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"30\",\"w\":9,\"x\":0,\"y\":95},\"panelIndex\":\"30\",\"panelRefName\":\"panel_17\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"31\",\"w\":9,\"x\":18,\"y\":95},\"panelIndex\":\"31\",\"panelRefName\":\"panel_18\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"32\",\"w\":9,\"x\":9,\"y\":95},\"panelIndex\":\"32\",\"panelRefName\":\"panel_19\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"33\",\"w\":9,\"x\":9,\"y\":102},\"panelIndex\":\"33\",\"panelRefName\":\"panel_20\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":8,\"i\":\"cf0adfac-7cf2-479d-8ddb-1edeee62d37c\",\"w\":31,\"x\":17,\"y\":0},\"panelIndex\":\"cf0adfac-7cf2-479d-8ddb-1edeee62d37c\",\"panelRefName\":\"panel_21\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-user-account\":\"#447EBC\",\"deleted-user-account\":\"#82B5D8\",\"disabled-user-account\":\"#82B5D8\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#2F575E\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\"},\"vis\":{\"colors\":{\"added-user-account\":\"#447EBC\",\"deleted-user-account\":\"#82B5D8\",\"disabled-user-account\":\"#82B5D8\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#2F575E\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\",\"unlocked-user-account\":\"#64B0C8\"}}},\"gridData\":{\"h\":16,\"i\":\"a2871661-98a8-489b-b615-e66ebe3b971a\",\"w\":17,\"x\":0,\"y\":8},\"panelIndex\":\"a2871661-98a8-489b-b615-e66ebe3b971a\",\"panelRefName\":\"panel_22\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"e80fae4a-6087-41e1-b4b9-31802cb1e4bf\",\"w\":18,\"x\":30,\"y\":8},\"panelI
ndex\":\"e80fae4a-6087-41e1-b4b9-31802cb1e4bf\",\"panelRefName\":\"panel_23\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"dd3e12e6-0d3c-448e-b0c4-91f7dc8742b6\",\"w\":13,\"x\":17,\"y\":8},\"panelIndex\":\"dd3e12e6-0d3c-448e-b0c4-91f7dc8742b6\",\"panelRefName\":\"panel_24\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Actions performed over Users [Windows System Security]\",\"vis\":null},\"gridData\":{\"h\":25,\"i\":\"29f54335-78db-4c49-a3e0-a641fd0099f6\",\"w\":48,\"x\":0,\"y\":24},\"panelIndex\":\"29f54335-78db-4c49-a3e0-a641fd0099f6\",\"panelRefName\":\"panel_25\",\"title\":\"Actions performed over Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-user-account\":\"#0A437C\",\"deleted-user-account\":\"#5195CE\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#052B51\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\"},\"vis\":{\"colors\":{\"added-user-account\":\"#0A437C\",\"deleted-user-account\":\"#5195CE\",\"disabled-user-account\":\"#82B5D8\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#052B51\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\"}}},\"gridData\":{\"h\":23,\"i\":\"1ec8b993-9ac1-4c7f-b7f7-5136f2e310aa\",\"w\":21,\"x\":27,\"y\":49},\"panelIndex\":\"1ec8b993-9ac1-4c7f-b7f7-5136f2e310aa\",\"panelRefName\":\"panel_26\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[System Windows Security] User Management Events", - "version": 1 - }, - "id": "windows-71f720f0-ff18-11e9-8405-516218e3d268", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf", - "name": "panel_1", - "type": "visualization" - }, - { - "id": 
"windows-0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-8f20c950-bcd4-11e9-b6a2-c9b4015c4baf", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-da2110c0-bcea-11e9-b6a2-c9b4015c4baf", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "windows-abf96c10-bcea-11e9-b6a2-c9b4015c4baf", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "windows-4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-7e178c80-fee1-11e9-8405-516218e3d268", - "name": "panel_9", - "type": "search" - }, - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "panel_10", - "type": "search" - }, - { - "id": "windows-97c70300-ff1c-11e9-8405-516218e3d268", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "windows-bf45dc50-ff1a-11e9-8405-516218e3d268", - "name": "panel_12", - "type": "visualization" - }, - { - "id": "windows-7322f9f0-ff1c-11e9-8405-516218e3d268", - "name": "panel_13", - "type": "visualization" - }, - { - "id": "windows-d3a5fec0-ff18-11e9-8405-516218e3d268", - "name": "panel_14", - "type": "visualization" - }, - { - "id": "windows-1b6725f0-ff1d-11e9-8405-516218e3d268", - "name": "panel_15", - "type": "visualization" - }, - { - "id": "windows-60301890-ff1d-11e9-8405-516218e3d268", - "name": "panel_16", - "type": "visualization" - }, - { - "id": "windows-9dd22440-ff1d-11e9-8405-516218e3d268", - "name": "panel_17", - "type": "visualization" - }, - { - "id": "windows-c9d959f0-ff1d-11e9-8405-516218e3d268", - "name": "panel_18", - "type": "visualization" - }, - { - "id": "windows-1f271bc0-231a-11ea-8405-516218e3d268", - "name": "panel_19", - "type": "visualization" - }, 
- { - "id": "windows-fa876300-231a-11ea-8405-516218e3d268", - "name": "panel_20", - "type": "visualization" - }, - { - "id": "windows-a3c3f350-9b6d-11ea-87e4-49f31ec44891", - "name": "panel_21", - "type": "visualization" - }, - { - "id": "windows-26877510-9b72-11ea-87e4-49f31ec44891", - "name": "panel_22", - "type": "visualization" - }, - { - "id": "windows-117f5a30-9b71-11ea-87e4-49f31ec44891", - "name": "panel_23", - "type": "visualization" - }, - { - "id": "windows-5c9ee410-9b74-11ea-87e4-49f31ec44891", - "name": "panel_24", - "type": "visualization" - }, - { - "id": "windows-aa31c9d0-9b75-11ea-87e4-49f31ec44891", - "name": "panel_25", - "type": "visualization" - }, - { - "id": "windows-caf4d2b0-9b76-11ea-87e4-49f31ec44891", - "name": "panel_26", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8.json b/packages/system/0.11.2/kibana/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8.json deleted file mode 100644 index 4dba98af12..0000000000 --- a/packages/system/0.11.2/kibana/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8.json +++ /dev/null 
@@ -1,133 +0,0 @@ -{ - "attributes": { - "description": "Overview of host metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"1\",\"w\":24,\"x\":0,\"y\":55},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"2\",\"w\":24,\"x\":24,\"y\":25},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"3\",\"w\":24,\"x\":24,\"y\":55},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"4\",\"w\":24,\"x\":0,\"y\":40},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":70},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":24,\"x\":0,\"y\":70},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"7\",\"w\":24,\"x\":0,\"y\":25},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"8\",\"w\":24,\"x\":24,\"y\":40},\"panelIndex\":\"8\",\"panelRefName\":\"panel_7\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"9\",\"w\":8,\"x\":16,\"y\":5},\"panelIndex\":\"9\",\"panelRefName\":\"panel_8\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"10\",\"w\":8,\"x\":0,\"y\":5},\"panelIndex\":\"10\",\"panelRefName\":\"panel_9\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"11\",\"w\":8,\"x\":8,
\"y\":5},\"panelIndex\":\"11\",\"panelRefName\":\"panel_10\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"12\",\"w\":8,\"x\":24,\"y\":5},\"panelIndex\":\"12\",\"panelRefName\":\"panel_11\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"13\",\"w\":8,\"x\":32,\"y\":5},\"panelIndex\":\"13\",\"panelRefName\":\"panel_12\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"14\",\"w\":16,\"x\":32,\"y\":15},\"panelIndex\":\"14\",\"panelRefName\":\"panel_13\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":5,\"i\":\"16\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"16\",\"panelRefName\":\"panel_14\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"21\",\"w\":8,\"x\":0,\"y\":15},\"panelIndex\":\"21\",\"panelRefName\":\"panel_15\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"22\",\"w\":8,\"x\":8,\"y\":15},\"panelIndex\":\"22\",\"panelRefName\":\"panel_16\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"23\",\"w\":8,\"x\":24,\"y\":15},\"panelIndex\":\"23\",\"panelRefName\":\"panel_17\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"25\",\"w\":8,\"x\":40,\"y\":5},\"panelIndex\":\"25\",\"panelRefName\":\"panel_18\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"27\",\"w\":24,\"x\":0,\"y\":85},\"panelIndex\":\"27\",\"panelRefName\":\"panel_19\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"28\",\"w\":24,\"x\":24,\"y\":85},\"panelIndex\":\"28\",\"panelRefName\":\"panel_20\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":10,\"i\":\"29\",\"w\":8,\"x\":16,\"y\":15},\"panelIndex\":\"29\",\"panelRefName\":\"panel_21\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":5,\"i\":\"30\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"30\",\"panelRefName\":\"panel_22\",\"version\":\"7.6.0\"}]", - "timeRestore": false, - "title": "[Metrics System] Host overview", - "version": 1 - }, - "id": "system-79ffd6e0-faa0-11e6-947f-177f697178b8", - "references": [ - { - "id": "system-6b7b9a40-faa1-11e6-86b1-cd7735ff7e23", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-4d546850-1b15-11e7-b09e-037021c4f8df", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "system-089b85d0-1b16-11e7-b09e-037021c4f8df", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "system-bfa5e400-1b16-11e7-b09e-037021c4f8df", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "system-e0f001c0-1b18-11e7-b09e-037021c4f8df", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "system-2e224660-1b19-11e7-b09e-037021c4f8df", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "system-ab2d1e90-1b1a-11e7-b09e-037021c4f8df", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "system-4e4bb1e0-1b1b-11e7-b09e-037021c4f8df", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "system-26732e20-1b91-11e7-bec4-a5e9ec5cab8b", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "system-1aae9140-1b93-11e7-8ada-3df93aab833e", - "name": "panel_12", - "type": "visualization" - }, - { - "id": "system-34f97ee0-1b96-11e7-8ada-3df93aab833e", - 
"name": "panel_13", - "type": "visualization" - }, - { - "id": "system-Navigation", - "name": "panel_14", - "type": "visualization" - }, - { - "id": "system-19e123b0-4d5a-11e7-aee5-fdc812cc3bec", - "name": "panel_15", - "type": "visualization" - }, - { - "id": "system-d2e80340-4d5c-11e7-aa29-87a97a796de6", - "name": "panel_16", - "type": "visualization" - }, - { - "id": "system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32", - "name": "panel_17", - "type": "visualization" - }, - { - "id": "system-96976150-4d5d-11e7-aa29-87a97a796de6", - "name": "panel_18", - "type": "visualization" - }, - { - "id": "system-99381c80-4d60-11e7-9a4c-ed99bbcaa42b", - "name": "panel_19", - "type": "visualization" - }, - { - "id": "system-c5e3cf90-4d60-11e7-9a4c-ed99bbcaa42b", - "name": "panel_20", - "type": "visualization" - }, - { - "id": "system-590a60f0-5d87-11e7-8884-1bb4c3b890e4", - "name": "panel_21", - "type": "visualization" - }, - { - "id": "system-3d65d450-a9c3-11e7-af20-67db8aecb295", - "name": "panel_22", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/dashboard/system-8223bed0-b9e9-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.11.2/kibana/dashboard/system-8223bed0-b9e9-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 81fed1fd24..0000000000 --- a/packages/system/0.11.2/kibana/dashboard/system-8223bed0-b9e9-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,159 +0,0 @@ -{ - "attributes": { - "description": "User management activity with TSVB metrics.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"1\",\"w\":17,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Created Users [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"3\",\"w\":9,\"x\":0,\"y\":55},\"panelIndex\":\"3\",\"panelRefName\":\"panel_1\",\"title\":\"Created Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Enabled Users [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"5\",\"w\":9,\"x\":9,\"y\":55},\"panelIndex\":\"5\",\"panelRefName\":\"panel_2\",\"title\":\"Enabled Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Disabled Users [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"6\",\"w\":9,\"x\":0,\"y\":80},\"panelIndex\":\"6\",\"panelRefName\":\"panel_3\",\"title\":\"Disabled Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Deleted Users [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"7\",\"w\":9,\"x\":18,\"y\":55},\"panelIndex\":\"7\",\"panelRefName\":\"panel_4\",\"title\":\"Deleted Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Passwords Changes [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"9\",\"w\":9,\"x\":18,\"y\":80},\"panelIndex\":\"9\",\"panelRefName\":\"panel_5\",\"title\":\"Passwords Changes [Windows System 
Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"10\",\"w\":9,\"x\":0,\"y\":46},\"panelIndex\":\"10\",\"panelRefName\":\"panel_6\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"11\",\"w\":9,\"x\":9,\"y\":46},\"panelIndex\":\"11\",\"panelRefName\":\"panel_7\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"12\",\"w\":9,\"x\":18,\"y\":46},\"panelIndex\":\"12\",\"panelRefName\":\"panel_8\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"13\",\"w\":9,\"x\":0,\"y\":71},\"panelIndex\":\"13\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"14\",\"w\":9,\"x\":18,\"y\":71},\"panelIndex\":\"14\",\"panelRefName\":\"panel_10\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Unlocked Users [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"15\",\"w\":9,\"x\":9,\"y\":80},\"panelIndex\":\"15\",\"panelRefName\":\"panel_11\",\"title\":\"Unlocked Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Users Changes [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"16\",\"w\":9,\"x\":18,\"y\":105},\"panelIndex\":\"16\",\"panelRefName\":\"panel_12\",\"title\":\"Users Changes [Windows System 
Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"17\",\"w\":9,\"x\":0,\"y\":96},\"panelIndex\":\"17\",\"panelRefName\":\"panel_13\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"18\",\"w\":9,\"x\":9,\"y\":71},\"panelIndex\":\"18\",\"panelRefName\":\"panel_14\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"19\",\"w\":9,\"x\":18,\"y\":96},\"panelIndex\":\"19\",\"panelRefName\":\"panel_15\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Locked-out Users [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"20\",\"w\":9,\"x\":0,\"y\":105},\"panelIndex\":\"20\",\"panelRefName\":\"panel_16\",\"title\":\"Locked-out Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":48,\"i\":\"22\",\"w\":21,\"x\":27,\"y\":73},\"panelIndex\":\"22\",\"panelRefName\":\"panel_17\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"23\",\"w\":48,\"x\":0,\"y\":121},\"panelIndex\":\"23\",\"panelRefName\":\"panel_18\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"24\",\"w\":9,\"x\":9,\"y\":96},\"panelIndex\":\"24\",\"panelRefName\":\"panel_19\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"25\",\"w\":9,\"x\":9,\"y\":105},\"panelIndex\":\"25\",\"panelRefName\":\"panel_20\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"20adcb1b-cebf-4a75-9bc4-eaeeee626c5e\",\"w\":31,\"x\":17,\"y\":0},\"panelIndex\":\"20adcb1b-cebf-4a75-9bc4-eaeeee626c5e\",\"panelRefName\":\"panel_21\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-user-account\":\"#0A437C\",\"deleted-user-account\":\"#82B5D8\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#052B51\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\"},\"
vis\":{\"colors\":{\"added-user-account\":\"#0A437C\",\"deleted-user-account\":\"#82B5D8\",\"disabled-user-account\":\"#BADFF4\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#052B51\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\"}}},\"gridData\":{\"h\":19,\"i\":\"8aad73ff-37b1-487a-a3f1-b80b93618ac4\",\"w\":18,\"x\":0,\"y\":7},\"panelIndex\":\"8aad73ff-37b1-487a-a3f1-b80b93618ac4\",\"panelRefName\":\"panel_22\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"18cc78ac-3f77-4f54-b351-cb94873cae3f\",\"w\":14,\"x\":18,\"y\":7},\"panelIndex\":\"18cc78ac-3f77-4f54-b351-cb94873cae3f\",\"panelRefName\":\"panel_23\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"75f5f1fc-bc7c-4f8f-8e5b-0a52d525aa7d\",\"w\":16,\"x\":32,\"y\":7},\"panelIndex\":\"75f5f1fc-bc7c-4f8f-8e5b-0a52d525aa7d\",\"panelRefName\":\"panel_24\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Actions performed over Users [Windows System Security]\",\"vis\":null},\"gridData\":{\"h\":20,\"i\":\"f443b5b0-ada7-426f-ae2f-46573f94f24f\",\"w\":48,\"x\":0,\"y\":26},\"panelIndex\":\"f443b5b0-ada7-426f-ae2f-46573f94f24f\",\"panelRefName\":\"panel_25\",\"title\":\"Actions performed over Users [Windows System 
Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-user-account\":\"#0A437C\",\"deleted-user-account\":\"#82B5D8\",\"disabled-user-account\":\"#BADFF4\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#2F575E\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\"},\"vis\":{\"colors\":{\"added-user-account\":\"#0A437C\",\"deleted-user-account\":\"#82B5D8\",\"disabled-user-account\":\"#BADFF4\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#2F575E\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\",\"unlocked-user-account\":\"#0A437C\"}}},\"gridData\":{\"h\":27,\"i\":\"820c0311-d378-49dc-a614-e0fed2254603\",\"w\":21,\"x\":27,\"y\":46},\"panelIndex\":\"820c0311-d378-49dc-a614-e0fed2254603\",\"panelRefName\":\"panel_26\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[System Windows Security] User Management Events - Simple Metric", - "version": 1 - }, - "id": "windows-8223bed0-b9e9-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-8f20c950-bcd4-11e9-b6a2-c9b4015c4baf", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-102efd20-bcdd-11e9-b6a2-c9b4015c4baf", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "windows-855957d0-bcdd-11e9-b6a2-c9b4015c4baf", - "name": "panel_7", - 
"type": "visualization" - }, - { - "id": "windows-c359b020-bcdd-11e9-b6a2-c9b4015c4baf", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-0cb2d940-bcde-11e9-b6a2-c9b4015c4baf", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-568a8130-bcde-11e9-b6a2-c9b4015c4baf", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "windows-da2110c0-bcea-11e9-b6a2-c9b4015c4baf", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "windows-abf96c10-bcea-11e9-b6a2-c9b4015c4baf", - "name": "panel_12", - "type": "visualization" - }, - { - "id": "windows-84502430-bce8-11e9-b6a2-c9b4015c4baf", - "name": "panel_13", - "type": "visualization" - }, - { - "id": "windows-ab6f8d80-bce8-11e9-b6a2-c9b4015c4baf", - "name": "panel_14", - "type": "visualization" - }, - { - "id": "windows-5d92b100-bce8-11e9-b6a2-c9b4015c4baf", - "name": "panel_15", - "type": "visualization" - }, - { - "id": "windows-4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf", - "name": "panel_16", - "type": "visualization" - }, - { - "id": "windows-7e178c80-fee1-11e9-8405-516218e3d268", - "name": "panel_17", - "type": "search" - }, - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "panel_18", - "type": "search" - }, - { - "id": "windows-5e19ff80-231c-11ea-8405-516218e3d268", - "name": "panel_19", - "type": "visualization" - }, - { - "id": "windows-fa876300-231a-11ea-8405-516218e3d268", - "name": "panel_20", - "type": "visualization" - }, - { - "id": "windows-d770b040-9b35-11ea-87e4-49f31ec44891", - "name": "panel_21", - "type": "visualization" - }, - { - "id": "windows-26877510-9b72-11ea-87e4-49f31ec44891", - "name": "panel_22", - "type": "visualization" - }, - { - "id": "windows-5c9ee410-9b74-11ea-87e4-49f31ec44891", - "name": "panel_23", - "type": "visualization" - }, - { - "id": "windows-117f5a30-9b71-11ea-87e4-49f31ec44891", - "name": "panel_24", - "type": "visualization" - }, - { - "id": "windows-aa31c9d0-9b75-11ea-87e4-49f31ec44891", - 
"name": "panel_25", - "type": "visualization" - }, - { - "id": "windows-caf4d2b0-9b76-11ea-87e4-49f31ec44891", - "name": "panel_26", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/dashboard/system-Filebeat-syslog-dashboard.json b/packages/system/0.11.2/kibana/dashboard/system-Filebeat-syslog-dashboard.json deleted file mode 100644 index e853fd4613..0000000000 --- a/packages/system/0.11.2/kibana/dashboard/system-Filebeat-syslog-dashboard.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "description": "Syslog dashboard from the Logs System integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"1\",\"w\":32,\"x\":0,\"y\":4},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"2\",\"w\":16,\"x\":32,\"y\":4},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"columns\":[\"host.hostname\",\"process.name\",\"message\"],\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"h\":28,\"i\":\"3\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"4\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Logs System] Syslog dashboard", - "version": 1 - }, - "id": "system-Filebeat-syslog-dashboard", - "references": [ - { - "id": "system-Syslog-events-by-hostname", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-Syslog-hostnames-and-processes", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "system-Syslog-system-logs", - "name": "panel_2", - "type": "search" - }, - { - "id": "system-327417e0-8462-11e7-bab8-bd2f0fb42c54", - "name": "panel_3", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/dashboard/system-Metricbeat-system-overview.json b/packages/system/0.11.2/kibana/dashboard/system-Metricbeat-system-overview.json deleted file mode 100644 index 286c979eb2..0000000000 
--- a/packages/system/0.11.2/kibana/dashboard/system-Metricbeat-system-overview.json +++ /dev/null 
@@ -1,68 +0,0 @@ -{ - "attributes": { - "description": "Overview of system metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"9\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"9\",\"panelRefName\":\"panel_0\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"11\",\"w\":8,\"x\":0,\"y\":4},\"panelIndex\":\"11\",\"panelRefName\":\"panel_1\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":20,\"i\":\"12\",\"w\":24,\"x\":24,\"y\":12},\"panelIndex\":\"12\",\"panelRefName\":\"panel_2\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"13\",\"w\":24,\"x\":0,\"y\":12},\"panelIndex\":\"13\",\"panelRefName\":\"panel_3\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0% - 15%\":\"rgb(247,252,245)\",\"15% - 30%\":\"rgb(199,233,192)\",\"30% - 45%\":\"rgb(116,196,118)\",\"45% - 60%\":\"rgb(35,139,69)\"}}},\"gridData\":{\"h\":24,\"i\":\"14\",\"w\":48,\"x\":0,\"y\":32},\"panelIndex\":\"14\",\"panelRefName\":\"panel_4\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"16\",\"w\":8,\"x\":32,\"y\":4},\"panelIndex\":\"16\",\"panelRefName\":\"panel_5\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"17\",\"w\":8,\"x\":40,\"y\":4},\"panelIndex\":\"17\",\"panelRefName\":\"panel_6\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"18\",\"w\":8,\"x\":24,\"y\":4},\"panelIndex\":\"18\",\"panelRefName\":\"panel_7\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"19\",\"w\":8,\"x\":16,\"y\":4},\"panelIndex\":\"19\",\"panelRefName\":\"panel_8\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"20\",\"w\":8,\"x\":8,\"y\":4},\"panelIndex\":\"20\",\"panelRefName\":\"panel_9\",\"version\":\"7.6.0\"}]", - "timeRestore": false, - "title": "[Metrics System] Overview", - "version": 1 - }, - "id": "system-Metrics-system-overview", - "references": [ - { - "id": "system-Navigation", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-c6f2ffd0-4d17-11e7-a196-69b9a7a020a9", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "system-fe064790-1b1f-11e7-bec4-a5e9ec5cab8b", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "system-855899e0-1b1c-11e7-b09e-037021c4f8df", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "system-7cdb1330-4d1a-11e7-a196-69b9a7a020a9", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "system-1aae9140-1b93-11e7-8ada-3df93aab833e", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b", - "name": 
"panel_9", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/dashboard/system-Winlogbeat-Dashboard.json b/packages/system/0.11.2/kibana/dashboard/system-Winlogbeat-Dashboard.json deleted file mode 100644 index 2299940474..0000000000 --- a/packages/system/0.11.2/kibana/dashboard/system-Winlogbeat-Dashboard.json +++ /dev/null 
@@ -1,49 +0,0 @@ -{ - "attributes": { - "description": "Overview of all Windows Event Logs.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:system.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:system.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system OR data_stream.dataset:system.system)\"}}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"gridData\":{\"h\":20,\"i\":\"3\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"4\",\"w\":16,\"x\":16,\"y\":20},\"panelIndex\":\"4\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"gridData\":{\"h\":20,\"i\":\"5\",\"w\":16,\"x\":32,\"y\":20},\"panelIndex\":\"5\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"gridData\":{\"h\":20,\"i\":\"6\",\"w\":16,\"x\":0,\"y\":20},\"panelIndex\":\"6\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[System] Windows Overview", - "version": 1 - }, - "id": "Windows-Dashboard", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-Number-of-Events-Over-Time-By-Event-Log", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-Number-of-Events", - "name": "panel_1", - "type": "visualization" - }, - { - "id": 
"windows-Top-Event-IDs", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-Event-Levels", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-Sources", - "name": "panel_4", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/dashboard/system-bae11b00-9bfc-11ea-87e4-49f31ec44891.json b/packages/system/0.11.2/kibana/dashboard/system-bae11b00-9bfc-11ea-87e4-49f31ec44891.json deleted file mode 100644 index a07696c194..0000000000 --- a/packages/system/0.11.2/kibana/dashboard/system-bae11b00-9bfc-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,89 +0,0 @@ -{ - "attributes": { - "description": "User logon activity dashboard.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"Admin Users Sessions\"},\"gridData\":{\"h\":28,\"i\":\"1\",\"w\":18,\"x\":0,\"y\":34},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"title\":\"Admin Users Sessions\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"AdminLocalSta\":\"#890F02\",\"SERVICIO LOCAL\":\"#508642\"},\"legendOpen\":true,\"title\":\"Administrators Logged On\",\"vis\":{\"colors\":{\"AdminLocalSta\":\"#890F02\",\"NETWORK SERVICE\":\"#1F78C1\",\"SERVICIO LOCAL\":\"#508642\"},\"legendOpen\":true}},\"gridData\":{\"h\":18,\"i\":\"3\",\"w\":18,\"x\":0,\"y\":16},\"panelIndex\":\"3\",\"panelRefName\":\"panel_1\",\"title\":\"Administrators Logged On\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":6,\"i\":\"4\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_2\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Details\"},\"gridData\":{\"h\":47,\"i\":\"10\",\"w\":23,\"x\":0,\"y\":62},\"panelIndex\":\"10\",\"panelRefName\":\"panel_3\",\"title\":\"Logon 
Details\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":6,\"i\":\"34fc9633-8a7c-444d-8d19-06095b55fb43\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"34fc9633-8a7c-444d-8d19-06095b55fb43\",\"panelRefName\":\"panel_4\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":10,\"i\":\"67d2409d-3e51-45d5-972f-32a36537e622\",\"w\":9,\"x\":0,\"y\":6},\"panelIndex\":\"67d2409d-3e51-45d5-972f-32a36537e622\",\"panelRefName\":\"panel_5\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":10,\"i\":\"33d05ce3-f60d-4a31-a668-aa6fab0cc800\",\"w\":9,\"x\":9,\"y\":6},\"panelIndex\":\"33d05ce3-f60d-4a31-a668-aa6fab0cc800\",\"panelRefName\":\"panel_6\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Events Timeline\"},\"gridData\":{\"h\":13,\"i\":\"7b3906e6-3a81-450c-bb31-ca0d670440b7\",\"w\":30,\"x\":18,\"y\":6},\"panelIndex\":\"7b3906e6-3a81-450c-bb31-ca0d670440b7\",\"panelRefName\":\"panel_7\",\"title\":\"Logon Events Timeline\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"CachedInteractive\":\"#6ED0E0\",\"Interactive\":\"#2F575E\",\"Network\":\"#447EBC\",\"RemoteInteractive\":\"#64B0C8\",\"Service\":\"#6ED0E0\",\"Unlock\":\"#BADFF4\"},\"legendOpen\":true,\"title\":\"Logon Types\",\"vis\":{\"colors\":{\"CachedInteractive\":\"#6ED0E0\",\"Interactive\":\"#2F575E\",\"Network\":\"#447EBC\",\"RemoteInteractive\":\"#64B0C8\",\"Service\":\"#65C5DB\",\"Unlock\":\"#BADFF4\"},\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"cf50b48e-453c-46fb-ad35-7ccfb7b03de0\",\"w\":15,\"x\":18,\"y\":19},\"panelIndex\":\"cf50b48e-453c-46fb-ad35-7ccfb7b03de0\",\"panelRefName\":\"panel_8\",\"title\":\"Logon 
Types\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"a743ffe5-a2ac-4c0b-9b6f-a81563140c42\",\"w\":15,\"x\":33,\"y\":19},\"panelIndex\":\"a743ffe5-a2ac-4c0b-9b6f-a81563140c42\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"RDP Reconnections and Desconnections\"},\"gridData\":{\"h\":28,\"i\":\"454bb008-9720-455e-8ab9-b2f47d25aa4f\",\"w\":18,\"x\":18,\"y\":34},\"panelIndex\":\"454bb008-9720-455e-8ab9-b2f47d25aa4f\",\"panelRefName\":\"panel_10\",\"title\":\"RDP Reconnections and Desconnections\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":28,\"i\":\"29a0e70a-ab23-4d48-8d4e-9a39c5af47ad\",\"w\":12,\"x\":36,\"y\":34},\"panelIndex\":\"29a0e70a-ab23-4d48-8d4e-9a39c5af47ad\",\"panelRefName\":\"panel_11\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logout Details\"},\"gridData\":{\"h\":46,\"i\":\"28115147-8399-4fcd-95ce-ed0a4f4239e3\",\"w\":25,\"x\":23,\"y\":62},\"panelIndex\":\"28115147-8399-4fcd-95ce-ed0a4f4239e3\",\"panelRefName\":\"panel_12\",\"title\":\"Logout Details\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[System Windows Security] User Logons", - "version": 1 - }, - "id": "windows-bae11b00-9bfc-11ea-87e4-49f31ec44891", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-804dd400-a248-11e9-a422-d144027429da", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-e2516c10-a249-11e9-a422-d144027429da", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-18348f30-a24d-11e9-a422-d144027429da", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-ce71c9a0-a25e-11e9-a422-d144027429da", - "name": "panel_3", - "type": "search" - }, - { - "id": "windows-a3c3f350-9b6d-11ea-87e4-49f31ec44891", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-0622da40-9bfd-11ea-87e4-49f31ec44891", - "name": 
"panel_5", - "type": "visualization" - }, - { - "id": "windows-860706a0-9bfd-11ea-87e4-49f31ec44891", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "windows-a909b930-685f-11ea-896f-0d70f7ec3956", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "windows-006d75f0-9c03-11ea-87e4-49f31ec44891", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-21aadac0-9c0b-11ea-87e4-49f31ec44891", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3", - "name": "panel_10", - "type": "search" - }, - { - "id": "windows-25f31ee0-9c23-11ea-87e4-49f31ec44891", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "windows-06b6b060-7a80-11ea-bc9a-0baf2ca323a3", - "name": "panel_12", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/dashboard/system-bb858830-f412-11e9-8405-516218e3d268.json b/packages/system/0.11.2/kibana/dashboard/system-bb858830-f412-11e9-8405-516218e3d268.json deleted file mode 100644 index 31718aaa5d..0000000000 --- a/packages/system/0.11.2/kibana/dashboard/system-bb858830-f412-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,129 +0,0 @@ -{ - "attributes": { - "description": "Group management activity.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"22\",\"w\":16,\"x\":0,\"y\":0},\"panelIndex\":\"22\",\"panelRefName\":\"panel_0\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"29\",\"w\":16,\"x\":0,\"y\":68},\"panelIndex\":\"29\",\"panelRefName\":\"panel_1\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"30\",\"w\":9,\"x\":18,\"y\":48},\"panelIndex\":\"30\",\"panelRefName\":\"panel_2\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"31\",\"w\":9,\"x\":0,\"y\":48},\"panelIndex\":\"31\",\"panelRefName\":\"panel_3\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"32\",\"w\":9,\"x\":9,\"y\":48},\"panelIndex\":\"32\",\"panelRefName\":\"panel_4\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"33\",\"w\":17,\"x\":16,\"y\":68},\"panelIndex\":\"33\",\"panelRefName\":\"panel_5\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"34\",\"w\":15,\"x\":33,\"y\":68},\"panelIndex\":\"34\",\"panelRefName\":\"panel_6\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Creation Summary [Windows System Security]\"},\"gridData\":{\"h\":13,\"i\":\"36\",\"w\":9,\"x\":0,\"y\":55},\"panelIndex\":\"36\",\"panelRefName\":\"panel_7\",\"title\":\"Group Creation Summary [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Changes Summary [Windows System 
Security]\"},\"gridData\":{\"h\":13,\"i\":\"37\",\"w\":9,\"x\":9,\"y\":55},\"panelIndex\":\"37\",\"panelRefName\":\"panel_8\",\"title\":\"Group Changes Summary [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Deletion Summary [Windows System Security]\"},\"gridData\":{\"h\":13,\"i\":\"38\",\"w\":9,\"x\":18,\"y\":55},\"panelIndex\":\"38\",\"panelRefName\":\"panel_9\",\"title\":\"Group Deletion Summary [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Users Added to Group Summary [Windows System Security]\"},\"gridData\":{\"h\":14,\"i\":\"39\",\"w\":16,\"x\":0,\"y\":75},\"panelIndex\":\"39\",\"panelRefName\":\"panel_10\",\"title\":\"Users Added to Group Summary [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Users Removed From Group Summary [Windows System Security]\"},\"gridData\":{\"h\":14,\"i\":\"40\",\"w\":17,\"x\":16,\"y\":75},\"panelIndex\":\"40\",\"panelRefName\":\"panel_11\",\"title\":\"Users Removed From Group Summary [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Enumeration - Table [Windows System Security]\"},\"gridData\":{\"h\":14,\"i\":\"42\",\"w\":15,\"x\":33,\"y\":75},\"panelIndex\":\"42\",\"panelRefName\":\"panel_12\",\"title\":\"Group Enumeration - Table [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Details [Windows System Security]\"},\"gridData\":{\"h\":20,\"i\":\"43\",\"w\":21,\"x\":27,\"y\":48},\"panelIndex\":\"43\",\"panelRefName\":\"panel_13\",\"title\":\"Logon Details [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Management Operations Details [Windows System Security]\"},\"gridData\":{\"h\":22,\"i\":\"45\",\"w\":48,\"x\":0,\"y\":89},\"panelIndex\":\"45\",\"panelRefName\":\"panel_14\",\"title\":\"Group Management Operations Details [Windows System 
Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-group-account\":\"#0A437C\",\"added-member-to-group\":\"#1F78C1\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#052B51\",\"user-member-enumerated\":\"#447EBC\"},\"vis\":{\"colors\":{\"added-group-account\":\"#0A437C\",\"added-member-to-group\":\"#1F78C1\",\"deleted-group-account\":\"#82B5D8\",\"modified-group-account\":\"#052B51\",\"user-member-enumerated\":\"#447EBC\"}}},\"gridData\":{\"h\":20,\"i\":\"3f7e277d-09d1-4a79-bc17-bc5da5a7e290\",\"w\":20,\"x\":0,\"y\":7},\"panelIndex\":\"3f7e277d-09d1-4a79-bc17-bc5da5a7e290\",\"panelRefName\":\"panel_15\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"8cda9d6a-096f-41a5-86e6-09dd1f6b9c98\",\"w\":16,\"x\":32,\"y\":7},\"panelIndex\":\"8cda9d6a-096f-41a5-86e6-09dd1f6b9c98\",\"panelRefName\":\"panel_16\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Management Events - Event Actions - Table [Windows System Security]\"},\"gridData\":{\"h\":20,\"i\":\"74edddd5-2dc5-41b8-b4f2-bf9c95218f1b\",\"w\":12,\"x\":20,\"y\":7},\"panelIndex\":\"74edddd5-2dc5-41b8-b4f2-bf9c95218f1b\",\"panelRefName\":\"panel_17\",\"title\":\"Group Management Events - Event Actions - Table [Windows System 
Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"vis\":null},\"gridData\":{\"h\":21,\"i\":\"33cef054-615a-49cb-bb2e-eb55fab96ae5\",\"w\":27,\"x\":0,\"y\":27},\"panelIndex\":\"33cef054-615a-49cb-bb2e-eb55fab96ae5\",\"panelRefName\":\"panel_18\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-group-account\":\"#1F78C1\",\"added-member-to-group\":\"#0A437C\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#0A50A1\",\"type-changed-group-account\":\"#82B5D8\",\"user-member-enumerated\":\"#447EBC\"},\"vis\":{\"colors\":{\"added-group-account\":\"#1F78C1\",\"added-member-to-group\":\"#0A437C\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#0A50A1\",\"removed-member-from-group\":\"#BADFF4\",\"type-changed-group-account\":\"#82B5D8\",\"user-member-enumerated\":\"#447EBC\"}}},\"gridData\":{\"h\":21,\"i\":\"e0d495aa-f897-403f-815b-6116fae330b7\",\"w\":21,\"x\":27,\"y\":27},\"panelIndex\":\"e0d495aa-f897-403f-815b-6116fae330b7\",\"panelRefName\":\"panel_19\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"663e0493-2070-407b-9d00-079915cce7e7\",\"w\":32,\"x\":16,\"y\":0},\"panelIndex\":\"663e0493-2070-407b-9d00-079915cce7e7\",\"panelRefName\":\"panel_20\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[System Windows Security] Group Management Events", - "version": 1 - }, - "id": "windows-bb858830-f412-11e9-8405-516218e3d268", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-6f0f2ea0-f414-11e9-8405-516218e3d268", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-ffebe440-f419-11e9-8405-516218e3d268", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-e22c6f40-f498-11e9-8405-516218e3d268", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-ee292bc0-f499-11e9-8405-516218e3d268", - "name": "panel_3", - "type": 
"visualization" - }, - { - "id": "windows-400b63e0-f49a-11e9-8405-516218e3d268", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-a5f664c0-f49a-11e9-8405-516218e3d268", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-546febc0-f49b-11e9-8405-516218e3d268", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "windows-98884120-f49d-11e9-8405-516218e3d268", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "windows-9e534190-f49d-11e9-8405-516218e3d268", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-bb9cf7a0-f49d-11e9-8405-516218e3d268", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-ce867840-f49e-11e9-8405-516218e3d268", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "windows-fee83900-f49f-11e9-8405-516218e3d268", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "windows-bc165210-f4b8-11e9-8405-516218e3d268", - "name": "panel_12", - "type": "visualization" - }, - { - "id": "windows-7e178c80-fee1-11e9-8405-516218e3d268", - "name": "panel_13", - "type": "search" - }, - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "panel_14", - "type": "search" - }, - { - "id": "windows-b89b0c90-9b41-11ea-87e4-49f31ec44891", - "name": "panel_15", - "type": "visualization" - }, - { - "id": "windows-58fb9480-9b46-11ea-87e4-49f31ec44891", - "name": "panel_16", - "type": "visualization" - }, - { - "id": "windows-33462600-9b47-11ea-87e4-49f31ec44891", - "name": "panel_17", - "type": "visualization" - }, - { - "id": "windows-e20c02d0-9b48-11ea-87e4-49f31ec44891", - "name": "panel_18", - "type": "visualization" - }, - { - "id": "windows-7de2e3f0-9b4d-11ea-87e4-49f31ec44891", - "name": "panel_19", - "type": "visualization" - }, - { - "id": "windows-a3c3f350-9b6d-11ea-87e4-49f31ec44891", - "name": "panel_20", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file 
diff --git a/packages/system/0.11.2/kibana/dashboard/system-d401ef40-a7d5-11e9-a422-d144027429da.json b/packages/system/0.11.2/kibana/dashboard/system-d401ef40-a7d5-11e9-a422-d144027429da.json deleted file mode 100644 index b5991808e8..0000000000 --- a/packages/system/0.11.2/kibana/dashboard/system-d401ef40-a7d5-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,84 +0,0 @@ -{ - "attributes": { - "description": "Failed and blocked accounts with TSVB metrics.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"1\",\"w\":14,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"Failed Logins\":\"#EF843C\",\"Failed Logons\":\"#E24D42\",\"Successful Login\":\"#B7DBAB\",\"Successful Logon\":\"#9AC48A\"},\"legendOpen\":true,\"title\":\"Login Successful vs Failed\",\"vis\":{\"colors\":{\"Failed Logins\":\"#EF843C\",\"Failed Logons\":\"#BF1B00\",\"Successful Login\":\"#B7DBAB\",\"Successful Logon\":\"#9AC48A\"},\"legendOpen\":true}},\"gridData\":{\"h\":18,\"i\":\"2\",\"w\":12,\"x\":0,\"y\":7},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"title\":\"Login Successful vs Failed\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Blocked Acoounts\"},\"gridData\":{\"h\":21,\"i\":\"3\",\"w\":11,\"x\":12,\"y\":35},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"title\":\"Blocked Acoounts\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"Login Failed\":\"#F9934E\",\"Login OK\":\"#9AC48A\",\"Logon Failed\":\"#E24D42\",\"Logon Successful\":\"#9AC48A\"},\"legendOpen\":true,\"title\":\"Logon Successful and Failed Over time\",\"vis\":{\"colors\":{\"Login Failed\":\"#F9934E\",\"Login OK\":\"#9AC48A\",\"Logon Failed\":\"#BF1B00\",\"Logon Successful\":\"#9AC48A\"},\"legendOpen\":true}},\"gridData\":{\"h\":18,\"i\":\"4\",\"w\":23,\"x\":12,\"y\":7},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"title\":\"Logon Successful and Failed Over 
time\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"5\",\"w\":12,\"x\":0,\"y\":35},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Failed (Time Mosaic View)\",\"vis\":{\"defaultColors\":{\"0 - 5\":\"rgb(255,245,240)\",\"10 - 15\":\"rgb(252,138,106)\",\"15 - 20\":\"rgb(241,68,50)\",\"20 - 24\":\"rgb(188,20,26)\",\"5 - 10\":\"rgb(253,202,181)\"},\"legendOpen\":false}},\"gridData\":{\"h\":30,\"i\":\"6\",\"w\":48,\"x\":0,\"y\":56},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"title\":\"Logon Failed (Time Mosaic View)\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Failed and Account Lockouts\"},\"gridData\":{\"h\":20,\"i\":\"8\",\"w\":48,\"x\":0,\"y\":86},\"panelIndex\":\"8\",\"panelRefName\":\"panel_6\",\"title\":\"Logon Failed and Account Lockouts\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Failed Source IPs\"},\"gridData\":{\"h\":18,\"i\":\"10\",\"w\":13,\"x\":35,\"y\":7},\"panelIndex\":\"10\",\"panelRefName\":\"panel_7\",\"title\":\"Logon Failed Source IPs\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Failed Logins Table\"},\"gridData\":{\"h\":31,\"i\":\"11\",\"w\":25,\"x\":23,\"y\":25},\"panelIndex\":\"11\",\"panelRefName\":\"panel_8\",\"title\":\"Failed Logins 
Table\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"628de26f-7b7b-457c-b811-e06161e4e7b4\",\"w\":34,\"x\":14,\"y\":0},\"panelIndex\":\"628de26f-7b7b-457c-b811-e06161e4e7b4\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":10,\"i\":\"01a624c2-7a86-4fa9-89d3-e2ae84e94ec9\",\"w\":12,\"x\":0,\"y\":25},\"panelIndex\":\"01a624c2-7a86-4fa9-89d3-e2ae84e94ec9\",\"panelRefName\":\"panel_10\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":10,\"i\":\"e3046900-1ffc-4efa-9dab-613d685c617b\",\"w\":11,\"x\":12,\"y\":25},\"panelIndex\":\"e3046900-1ffc-4efa-9dab-613d685c617b\",\"panelRefName\":\"panel_11\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[System Windows Security] Failed and Blocked Accounts", - "version": 1 - }, - "id": "windows-d401ef40-a7d5-11e9-a422-d144027429da", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-c2ea73f0-a4bd-11e9-a422-d144027429da", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-175a5760-a7d5-11e9-a422-d144027429da", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-7a329a00-a7d5-11e9-a422-d144027429da", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-162d7ab0-a7d6-11e9-a422-d144027429da", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-729443b0-a7d6-11e9-a422-d144027429da", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-4b683ac0-a7d7-11e9-a422-d144027429da", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-757510b0-a87f-11e9-a422-d144027429da", - "name": "panel_6", - "type": "search" - }, - { - "id": "windows-2084e300-a884-11e9-a422-d144027429da", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "windows-421f0610-af98-11e9-a422-d144027429da", - "name": 
"panel_8", - "type": "visualization" - }, - { - "id": "windows-a3c3f350-9b6d-11ea-87e4-49f31ec44891", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-8ef59f90-6ab8-11ea-896f-0d70f7ec3956", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "windows-a79395f0-6aba-11ea-896f-0d70f7ec3956", - "name": "panel_11", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/dashboard/system-f49f3170-9ffc-11ea-87e4-49f31ec44891.json b/packages/system/0.11.2/kibana/dashboard/system-f49f3170-9ffc-11ea-87e4-49f31ec44891.json deleted file mode 100644 index b53893ec0b..0000000000 --- a/packages/system/0.11.2/kibana/dashboard/system-f49f3170-9ffc-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,84 +0,0 @@ -{ - "attributes": { - "description": "Failed and blocked accounts.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"1\",\"w\":14,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"Failed Logins\":\"#EF843C\",\"Failed Logons\":\"#E24D42\",\"Successful Login\":\"#B7DBAB\",\"Successful Logon\":\"#9AC48A\"},\"legendOpen\":true,\"title\":\"Login Successful vs Failed\",\"vis\":{\"colors\":{\"Failed Logins\":\"#EF843C\",\"Failed Logons\":\"#BF1B00\",\"Successful Login\":\"#B7DBAB\",\"Successful Logon\":\"#9AC48A\"},\"legendOpen\":true}},\"gridData\":{\"h\":18,\"i\":\"2\",\"w\":12,\"x\":0,\"y\":7},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"title\":\"Login Successful vs Failed\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Blocked Acoounts\"},\"gridData\":{\"h\":21,\"i\":\"3\",\"w\":11,\"x\":12,\"y\":35},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"title\":\"Blocked Acoounts\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"Login Failed\":\"#F9934E\",\"Login OK\":\"#9AC48A\",\"Logon Failed\":\"#E24D42\",\"Logon Successful\":\"#9AC48A\"},\"legendOpen\":true,\"title\":\"Logon Successful and Failed Over time\",\"vis\":{\"colors\":{\"Login Failed\":\"#F9934E\",\"Login OK\":\"#9AC48A\",\"Logon Failed\":\"#BF1B00\",\"Logon Successful\":\"#9AC48A\"},\"legendOpen\":true}},\"gridData\":{\"h\":18,\"i\":\"4\",\"w\":23,\"x\":12,\"y\":7},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"title\":\"Logon Successful and Failed Over 
time\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"5\",\"w\":12,\"x\":0,\"y\":35},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Failed (Time Mosaic View)\",\"vis\":{\"defaultColors\":{\"0 - 5\":\"rgb(255,245,240)\",\"10 - 15\":\"rgb(252,138,106)\",\"15 - 20\":\"rgb(241,68,50)\",\"20 - 24\":\"rgb(188,20,26)\",\"5 - 10\":\"rgb(253,202,181)\"},\"legendOpen\":false}},\"gridData\":{\"h\":30,\"i\":\"6\",\"w\":48,\"x\":0,\"y\":56},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"title\":\"Logon Failed (Time Mosaic View)\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Failed and Account Lockouts\"},\"gridData\":{\"h\":20,\"i\":\"8\",\"w\":48,\"x\":0,\"y\":86},\"panelIndex\":\"8\",\"panelRefName\":\"panel_6\",\"title\":\"Logon Failed and Account Lockouts\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Failed Source IPs\"},\"gridData\":{\"h\":18,\"i\":\"10\",\"w\":13,\"x\":35,\"y\":7},\"panelIndex\":\"10\",\"panelRefName\":\"panel_7\",\"title\":\"Logon Failed Source IPs\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Failed Logins Table\"},\"gridData\":{\"h\":31,\"i\":\"11\",\"w\":25,\"x\":23,\"y\":25},\"panelIndex\":\"11\",\"panelRefName\":\"panel_8\",\"title\":\"Failed Logins 
Table\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"a79ee89f-ff45-486c-9788-9446d39456c2\",\"w\":34,\"x\":14,\"y\":0},\"panelIndex\":\"a79ee89f-ff45-486c-9788-9446d39456c2\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":10,\"i\":\"7765df59-11c4-476d-898f-9ebf98c369e2\",\"w\":11,\"x\":12,\"y\":25},\"panelIndex\":\"7765df59-11c4-476d-898f-9ebf98c369e2\",\"panelRefName\":\"panel_10\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":10,\"i\":\"b47c91d3-58c4-4b5b-b302-444b048efdfa\",\"w\":12,\"x\":0,\"y\":25},\"panelIndex\":\"b47c91d3-58c4-4b5b-b302-444b048efdfa\",\"panelRefName\":\"panel_11\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[System Windows Security] Failed and Blocked Accounts - Simple Metrics", - "version": 1 - }, - "id": "windows-f49f3170-9ffc-11ea-87e4-49f31ec44891", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-c2ea73f0-a4bd-11e9-a422-d144027429da", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-175a5760-a7d5-11e9-a422-d144027429da", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-7a329a00-a7d5-11e9-a422-d144027429da", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-162d7ab0-a7d6-11e9-a422-d144027429da", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-729443b0-a7d6-11e9-a422-d144027429da", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-4b683ac0-a7d7-11e9-a422-d144027429da", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-757510b0-a87f-11e9-a422-d144027429da", - "name": "panel_6", - "type": "search" - }, - { - "id": "windows-2084e300-a884-11e9-a422-d144027429da", - "name": "panel_7", - "type": "visualization" - }, - { - "id": 
"windows-421f0610-af98-11e9-a422-d144027429da", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-d770b040-9b35-11ea-87e4-49f31ec44891", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-5d117970-9ffd-11ea-87e4-49f31ec44891", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "windows-4bedf650-9ffd-11ea-87e4-49f31ec44891", - "name": "panel_11", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/search/system-06b6b060-7a80-11ea-bc9a-0baf2ca323a3.json b/packages/system/0.11.2/kibana/search/system-06b6b060-7a80-11ea-bc9a-0baf2ca323a3.json deleted file mode 100644 index 855283756c..0000000000 --- a/packages/system/0.11.2/kibana/search/system-06b6b060-7a80-11ea-bc9a-0baf2ca323a3.json +++ /dev/null 
@@ -1,50 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.name", - "user.domain", - "winlog.logon.id", - "event.action", - "winlog.logon.type", - "winlog.event_data.SubjectUserName" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4625\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"4625\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "User Logouts [Windows System Security]", - "version": 1 - }, - "id": "windows-06b6b060-7a80-11ea-bc9a-0baf2ca323a3", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file 
diff --git a/packages/system/0.11.2/kibana/search/system-324686c0-fefb-11e9-8405-516218e3d268.json b/packages/system/0.11.2/kibana/search/system-324686c0-fefb-11e9-8405-516218e3d268.json deleted file mode 100644 index c8b43b2e5e..0000000000 --- a/packages/system/0.11.2/kibana/search/system-324686c0-fefb-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "attributes": { - "columns": [ - "event.action", - "winlog.event_data.TargetUserName", - "user.domain", - "user.name", - "winlog.event_data.SubjectDomainName", - "winlog.logon.id", - "related.user" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4720\",\"4722\",\"4723\",\"4724\",\"4725\",\"4726\",\"4738\",\"4740\",\"4767\",\"4781\",\"4798\"],\"type\":\"phrases\",\"value\":\"4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740, 4767, 4781, 4798\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4720\"}},{\"match_phrase\":{\"event.code\":\"4722\"}},{\"match_phrase\":{\"event.code\":\"4723\"}},{\"match_phrase\":{\"event.code\":\"4724\"}},{\"match_phrase\":{\"event.code\":\"4725\"}},{\"match_phrase\":{\"event.code\":\"4726\"}},{\"match_phrase\":{\"event.code\":\"4738\"}},{\"match_phrase\":{\"event.code\":\"4740\"}},{\"match_phrase\":{\"event.code\":\"4767\"}},{\"match_phrase\":{\"event.code\":\"4781\"}},{\"match_phrase\":{\"event.code\":\"4798\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "User management Details - Search [Windows System Security]", - "version": 1 - }, - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/search/system-62439dc0-f9c9-11e6-a747-6121780e0414.json b/packages/system/0.11.2/kibana/search/system-62439dc0-f9c9-11e6-a747-6121780e0414.json deleted file mode 100644 index abdd218801..0000000000 --- a/packages/system/0.11.2/kibana/search/system-62439dc0-f9c9-11e6-a747-6121780e0414.json +++ /dev/null @@ -1,33 +0,0 @@ -{ - "attributes": { - "columns": [ - "system.auth.ssh.event", - "system.auth.ssh.method", - "user.name", - "source.ip", - "source.geo.country_iso_code" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:system.auth AND system.auth.ssh.event:*\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "SSH login attempts [Logs System]", - "version": 1 - }, - "id": "system-62439dc0-f9c9-11e6-a747-6121780e0414", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/search/system-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3.json b/packages/system/0.11.2/kibana/search/system-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3.json deleted file mode 100644 index 7da0171a43..0000000000 --- a/packages/system/0.11.2/kibana/search/system-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3.json +++ /dev/null 
@@ -1,44 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.name", - "source.domain", - "source.ip", - "winlog.logon.id", - "event.action" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4778\",\"4779\"],\"type\":\"phrases\",\"value\":\"4778, 4779\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4778\"}},{\"match_phrase\":{\"event.code\":\"4779\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Remote Interactive Connections and Disconnections [Windows System Security]", - "version": 1 - }, - "id": "windows-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/search/system-757510b0-a87f-11e9-a422-d144027429da.json b/packages/system/0.11.2/kibana/search/system-757510b0-a87f-11e9-a422-d144027429da.json deleted file mode 100644 index 1bd6621baa..0000000000 --- a/packages/system/0.11.2/kibana/search/system-757510b0-a87f-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,51 +0,0 @@ -{ - "attributes": { - "columns": [ - "event.action", - "user.name", - "related.user", - "user.domain", - "source.domain", - "source.ip", - "winlog.event_data.SubjectUserName" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4625\",\"4740\"],\"type\":\"phrases\",\"value\":\"4625, 4740\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4625\"}},{\"match_phrase\":{\"event.code\":\"4740\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "3. 
Login Failed Details", - "version": 1 - }, - "id": "windows-757510b0-a87f-11e9-a422-d144027429da", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/search/system-7e178c80-fee1-11e9-8405-516218e3d268.json b/packages/system/0.11.2/kibana/search/system-7e178c80-fee1-11e9-8405-516218e3d268.json deleted file mode 100644 index 6b0a39627c..0000000000 --- a/packages/system/0.11.2/kibana/search/system-7e178c80-fee1-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,44 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.name", - "source.domain", - "source.ip", - "winlog.logon.id", - "winlog.logon.type" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4624\"],\"type\":\"phrases\",\"value\":\"4624\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4624\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Logon Details [Windows System Security]", - "version": 1 - }, - "id": "windows-7e178c80-fee1-11e9-8405-516218e3d268", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/search/system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab.json b/packages/system/0.11.2/kibana/search/system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab.json deleted file mode 100644 index ae1484339a..0000000000 --- a/packages/system/0.11.2/kibana/search/system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.name", - "user.id", - "group.id", - "system.auth.useradd.home", - "system.auth.useradd.shell" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.useradd:*\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "useradd logs [Logs System]", - "version": 1 - }, - "id": "system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/search/system-9066d5b0-fef2-11e9-8405-516218e3d268.json b/packages/system/0.11.2/kibana/search/system-9066d5b0-fef2-11e9-8405-516218e3d268.json deleted file mode 100644 index daa2105b0b..0000000000 --- a/packages/system/0.11.2/kibana/search/system-9066d5b0-fef2-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,45 +0,0 @@ -{ - "attributes": { - "columns": [ - "event.action", - "group.name", - "group.domain", - "user.name", - "user.domain", - "host.name" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4731\",\"4732\",\"4733\",\"4734\",\"4735\",\"4737\",\"4764\",\"4727\",\"4728\",\"4729\",\"4730\",\"4754\",\"4755\",\"4756\",\"4757\",\"4758\",\"4799\",\"4749\",\"4750\",\"4751\",\"4752\",\"4753\",\"4759\",\"4760\",\"4761\",\"4762\",\"4763\",\"4744\",\"4745\",\"4746\",\"4748\"],\"type\":\"phrases\",\"value\":\"4731, 4732, 4733, 4734, 4735, 4737, 4764, 4727, 4728, 4729, 4730, 4754, 4755, 4756, 4757, 4758, 4799, 4749, 4750, 4751, 4752, 4753, 4759, 4760, 4761, 4762, 4763, 4744, 4745, 4746, 4748\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4731\"}},{\"match_phrase\":{\"event.code\":\"4732\"}},{\"match_phrase\":{\"event.code\":\"4733\"}},{\"match_phrase\":{\"event.code\":\"4734\"}},{\"match_phrase\":{\"event.code\":\"4735\"}},{\"match_phrase\":{\"event.code\":\"4737\"}},{\"match_phrase\":{\"event.code\":\"4764\"}},{\"match_phrase\":{\"event.code\":\"4727\"}},{\"match_phrase\":{\"event.code\":\"4728\"}},{\"match_phrase\":{\"event.code\":\"4729\"}},{\"match_phrase\":{\"event.code\":\"4730\"}},{\"match_phrase\":{\"event.code\":\"4754\"}},{\"match_phrase\":{\"event.code\":\"4755\"}},{\"match_phrase\":{\"event.code\":\"4756\"}},{\"match_phrase\":{\"event.code\":\"4757\"}},{\"match_phrase\":{\"event.code\":\"4758\"}},{\"match_phrase\":{\"event.code\":\"4799\"}},{\"match_phrase\":{\"event.code\":\"4749\"}},{\"match_phrase\":{\"event.code\":\"4750\"}},{\"match_phrase\":{\"event.code\":\"4751\"}},{\"match_phrase\":{\"event.code\":\"4752\"}},{\"match_phrase\":{\"even
t.code\":\"4753\"}},{\"match_phrase\":{\"event.code\":\"4759\"}},{\"match_phrase\":{\"event.code\":\"4760\"}},{\"match_phrase\":{\"event.code\":\"4761\"}},{\"match_phrase\":{\"event.code\":\"4762\"}},{\"match_phrase\":{\"event.code\":\"4763\"}},{\"match_phrase\":{\"event.code\":\"4744\"}},{\"match_phrase\":{\"event.code\":\"4745\"}},{\"match_phrase\":{\"event.code\":\"4746\"}},{\"match_phrase\":{\"event.code\":\"4748\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Group Management Details - Search View [Windows System Security]", - "version": 1 - }, - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/search/system-Syslog-system-logs.json b/packages/system/0.11.2/kibana/search/system-Syslog-system-logs.json deleted file mode 100644 index 6a2ef982d2..0000000000 --- a/packages/system/0.11.2/kibana/search/system-Syslog-system-logs.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "columns": [ - "host.hostname", - "process.name", - "message" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:system.syslog\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Syslog logs [Logs System]", - "version": 1 - }, - "id": "system-Syslog-system-logs", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/search/system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a.json b/packages/system/0.11.2/kibana/search/system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a.json deleted file mode 100644 index e64a483853..0000000000 --- a/packages/system/0.11.2/kibana/search/system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.name", - "system.auth.sudo.user", - "system.auth.sudo.pwd", - "system.auth.sudo.command" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.sudo:*\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Sudo commands [Logs System]", - "version": 1 - }, - "id": "system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/search/system-ce71c9a0-a25e-11e9-a422-d144027429da.json b/packages/system/0.11.2/kibana/search/system-ce71c9a0-a25e-11e9-a422-d144027429da.json deleted file mode 100644 index 71bb7ef90e..0000000000 --- a/packages/system/0.11.2/kibana/search/system-ce71c9a0-a25e-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,44 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.name", - "winlog.logon.type", - "source.domain", - "source.ip", - "winlog.logon.id" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4624\"},\"type\":\"phrase\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4624\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "User Logons [Windows System Security]", - "version": 1 - }, - "id": "windows-ce71c9a0-a25e-11e9-a422-d144027429da", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/search/system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38.json b/packages/system/0.11.2/kibana/search/system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38.json deleted file mode 100644 index e05ac92d9b..0000000000 --- a/packages/system/0.11.2/kibana/search/system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "columns": [ - "group.name", - "group.id" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.groupadd:*\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "groupadd logs [Logs System]", - "version": 1 - }, - "id": "system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-006d75f0-9c03-11ea-87e4-49f31ec44891.json b/packages/system/0.11.2/kibana/visualization/system-006d75f0-9c03-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 990831f624..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-006d75f0-9c03-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4624\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"4624\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Logon Types [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"winlog.logon.id\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"winlog.logon.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"label\":\"user.name: Descending\",\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"cardinality\",\"format\":{\"id\":\"number\"},\"label\":\"Unique count of winlog.logon.id\",\"params\":{}}},\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Logon Types [Windows System Security]\",\"type\":\"pie\"}" - }, - "id": 
"windows-006d75f0-9c03-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.11.2/kibana/visualization/system-0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index be217ccae6..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4722\"},\"type\":\"phrase\",\"value\":\"4722\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4722\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security \"}}" - }, - "title": "Users Enabled - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Enabled User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Enabled - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-0622da40-9bfd-11ea-87e4-49f31ec44891.json b/packages/system/0.11.2/kibana/visualization/system-0622da40-9bfd-11ea-87e4-49f31ec44891.json deleted file mode 100644 index ce6162e247..0000000000 
--- a/packages/system/0.11.2/kibana/visualization/system-0622da40-9bfd-11ea-87e4-49f31ec44891.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Administrator Logons [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"d5bcde50-9bfc-11ea-aaa3-618beeff2d9c\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(181,49,0,1)\",\"id\":\"16018150-9bfd-11ea-aaa3-618beeff2d9c\",\"operator\":\"gte\",\"value\":0}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"filter\":{\"language\":\"kuery\",\"query\":\"((data_stream.dataset:windows.security OR data_stream.dataset:system.security) AND event.code: \\\"4672\\\")\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Administrator Logons\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Administrator Logons [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-0622da40-9bfd-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.2/kibana/visualization/system-089b85d0-1b16-11e7-b09e-037021c4f8df.json b/packages/system/0.11.2/kibana/visualization/system-089b85d0-1b16-11e7-b09e-037021c4f8df.json deleted file mode 100644 index 40175102f6..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-089b85d0-1b16-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Network Traffic (Bytes) [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"lucene\",\"query\":\"-system.network.name:l*\"},\"id\":\"da1046f0-faa0-11e6-86b1-cd7735ff7e23\",\"index_pattern\":\"*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"da1046f1-faa0-11e6-86b1-cd7735ff7e23\",\"label\":\"Inbound \",\"line_width\":\"0\",\"metrics\":[{\"field\":\"system.network.in.bytes\",\"id\":\"da1046f2-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"max\"},{\"field\":\"da1046f2-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"f41f9280-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"field\":\"f41f9280-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"a87398e0-1b93-11e7-8ada-3df93aab833e\",\"type\":\"positive_only\",\"unit\":\"\"},{\"function\":\"sum\",\"id\":\"2d533df0-2c2d-11e7-be71-3162da85303f\",\"type\":\"series_agg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(250,40,255,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"fbbd5720-faa0-11e6-86b1-cd7735ff7e23\",\"label\":\"Outbound 
\",\"line_width\":\"0\",\"metrics\":[{\"field\":\"system.network.out.bytes\",\"id\":\"fbbd7e30-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"max\"},{\"field\":\"fbbd7e30-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"fbbd7e31-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"id\":\"17e597a0-faa1-11e6-86b1-cd7735ff7e23\",\"script\":\"params.rate != null \\u0026\\u0026 params.rate \\u003e 0 ? params.rate * -1 : null\",\"type\":\"calculation\",\"variables\":[{\"field\":\"fbbd7e31-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"1940bad0-faa1-11e6-86b1-cd7735ff7e23\",\"name\":\"rate\"}]},{\"function\":\"sum\",\"id\":\"533da9b0-2c2d-11e7-be71-3162da85303f\",\"type\":\"series_agg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"Mericbeat: Network Traffic (Bytes)\",\"type\":\"metrics\"}" - }, - "id": "system-089b85d0-1b16-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-0cb2d940-bcde-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.11.2/kibana/visualization/system-0cb2d940-bcde-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 5976994a0e..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-0cb2d940-bcde-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4725\"},\"type\":\"phrase\",\"value\":\"4725\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4725\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Disabled - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Disabled Users\",\"field\":\"user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Disabled - Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-0cb2d940-bcde-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - 
], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-0f2f5280-feeb-11e9-8405-516218e3d268.json b/packages/system/0.11.2/kibana/visualization/system-0f2f5280-feeb-11e9-8405-516218e3d268.json deleted file mode 100644 index 4f9e00daa9..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-0f2f5280-feeb-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4799\"},\"type\":\"phrase\",\"value\":\"4799\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4799\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Group Membership Enumeration - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Group Membership Enumerated\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Blues\",\"colorsRange\":[{\"from\":0,\"to\":500,\"type\":\"range\"},{\"from\":500,\"to\":20000},{\"from\":20000,\"to\":30000},{\"from\":30000,\"to\":40000}],\"invertColors\":true,\"labels\":{\"show\":true},\"metricColorMode\":\"Labels\",\"percentageMode\":false,\"style\":{\"bgColor\":true,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Group Membership Enumeration - Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-0f2f5280-feeb-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-102efd20-bcdd-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.11.2/kibana/visualization/system-102efd20-bcdd-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 72d6ab928a..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-102efd20-bcdd-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4720\"},\"type\":\"phrase\",\"value\":\"4720\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4720\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Created - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Users Created\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Created - Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-102efd20-bcdd-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ 
No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-117f5a30-9b71-11ea-87e4-49f31ec44891.json b/packages/system/0.11.2/kibana/visualization/system-117f5a30-9b71-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 81a2dbc572..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-117f5a30-9b71-11ea-87e4-49f31ec44891.json +++ /dev/null @@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Target Users [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Target Users [Windows System Security]\",\"type\":\"tagcloud\"}" - }, - "id": "windows-117f5a30-9b71-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-12667040-fa80-11e6-a1df-a78bd7504d38.json b/packages/system/0.11.2/kibana/visualization/system-12667040-fa80-11e6-a1df-a78bd7504d38.json deleted file mode 100644 index 8c5d8b0366..0000000000 
--- a/packages/system/0.11.2/kibana/visualization/system-12667040-fa80-11e6-a1df-a78bd7504d38.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New groups [Logs System]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"group.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"group.id\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"New groups\",\"type\":\"table\"}" - }, - "id": "system-12667040-fa80-11e6-a1df-a78bd7504d38", - "references": [ - { - "id": "system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-162d7ab0-a7d6-11e9-a422-d144027429da.json b/packages/system/0.11.2/kibana/visualization/system-162d7ab0-a7d6-11e9-a422-d144027429da.json deleted file mode 100644 index af34020d93..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-162d7ab0-a7d6-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Logon Successful - Logon Failed Timeline [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Login Failed\":\"#F9934E\",\"Login OK\":\"#9AC48A\",\"Logon Failed\":\"#EF843C\",\"Logon Successful\":\"#9AC48A\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"2020-05-17T09:37:55.995Z\",\"to\":\"2020-05-22T03:09:27.260Z\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"filters\":[{\"input\":{\"language\":\"lucene\",\"query\":\"event.code: 4624\"},\"label\":\"Logon Successful\"},{\"input\":{\"language\":\"lucene\",\"query\":\"event.code: 4625\"},\"label\":\"Logon 
Failed\"}]},\"schema\":\"group\",\"type\":\"filters\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"dimensions\":{\"series\":[{\"accessor\":1,\"aggType\":\"filters\",\"format\":{},\"params\":{}}],\"x\":{\"accessor\":0,\"aggType\":\"date_histogram\",\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"HH:mm\"}},\"params\":{\"bounds\":{\"max\":\"2019-07-16T14:30:11.515Z\",\"min\":\"2019-07-16T12:30:11.514Z\"},\"date\":true,\"format\":\"HH:mm\",\"interval\":\"PT1M\"}},\"y\":[{\"accessor\":2,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"bottom\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Logon Successful - Logon Failed Timeline [Windows System Security]\",\"type\":\"histogram\"}" - }, - "id": "windows-162d7ab0-a7d6-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-175a5760-a7d5-11e9-a422-d144027429da.json b/packages/system/0.11.2/kibana/visualization/system-175a5760-a7d5-11e9-a422-d144027429da.json deleted file mode 100644 index f297060faf..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-175a5760-a7d5-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Logon Successful vs Failed [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Failed Logins\":\"#EF843C\",\"Failed Logons\":\"#EA6460\",\"Successful Login\":\"#B7DBAB\",\"Successful Logon\":\"#B7DBAB\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"filters\":[{\"input\":{\"language\":\"lucene\",\"query\":\"event.code: 4624\"},\"label\":\"Successful Logon\"},{\"input\":{\"language\":\"lucene\",\"query\":\"event.code: 4625\"},\"label\":\"Failed Logons\"}]},\"schema\":\"segment\",\"type\":\"filters\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"filters\",\"format\":{},\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}},\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"bottom\",\"type\":\"pie\"},\"title\":\"Logon Successful vs Failed [Windows System Security]\",\"type\":\"pie\"}" - }, - "id": "windows-175a5760-a7d5-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ 
- "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-18348f30-a24d-11e9-a422-d144027429da.json b/packages/system/0.11.2/kibana/visualization/system-18348f30-a24d-11e9-a422-d144027429da.json deleted file mode 100644 index ed999cad48..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-18348f30-a24d-11e9-a422-d144027429da.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "User Logon Dashboard [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":10,\"markdown\":\"## **Logon Information Dashboard**\",\"openLinksInNewTab\":false},\"title\":\"User Logon Dashboard [Windows System Security]\",\"type\":\"markdown\"}" - }, - "id": "windows-18348f30-a24d-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-19e123b0-4d5a-11e7-aee5-fdc812cc3bec.json b/packages/system/0.11.2/kibana/visualization/system-19e123b0-4d5a-11e7-aee5-fdc812cc3bec.json deleted file mode 100644 index dfaa630e4a..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-19e123b0-4d5a-11e7-aee5-fdc812cc3bec.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Swap usage [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.memory\\\"\"},\"gauge_color_rules\":[{\"gauge\":\"rgba(104,188,0,1)\",\"id\":\"d17c1e90-4d59-11e7-aee5-fdc812cc3bec\",\"operator\":\"gte\",\"value\":0},{\"gauge\":\"rgba(251,158,0,1)\",\"id\":\"fc1d3490-4d59-11e7-aee5-fdc812cc3bec\",\"operator\":\"gte\",\"value\":0.7},{\"gauge\":\"rgba(211,49,21,1)\",\"id\":\"0e204240-4d5a-11e7-aee5-fdc812cc3bec\",\"operator\":\"gte\",\"value\":0.85}],\"gauge_inner_width\":10,\"gauge_max\":\"\",\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"cee2fd20-4d59-11e7-aee5-fdc812cc3bec\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"cee2fd21-4d59-11e7-aee5-fdc812cc3bec\",\"label\":\"Swap usage\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.swap.used.pct\",\"id\":\"cee2fd22-4d59-11e7-aee5-fdc812cc3bec\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\"},\"title\":\"Swap usage [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-19e123b0-4d5a-11e7-aee5-fdc812cc3bec", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.2/kibana/visualization/system-1aae9140-1b93-11e7-8ada-3df93aab833e.json b/packages/system/0.11.2/kibana/visualization/system-1aae9140-1b93-11e7-8ada-3df93aab833e.json deleted file mode 100644 index 1c420ec4c8..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-1aae9140-1b93-11e7-8ada-3df93aab833e.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Outbound Traffic [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"0e346760-1b92-11e7-bec4-a5e9ec5cab8b\"}],\"filter\":{\"language\":\"lucene\",\"query\":\"-system.network.name:l*\"},\"id\":\"0c761590-1b92-11e7-bec4-a5e9ec5cab8b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"0c761591-1b92-11e7-bec4-a5e9ec5cab8b\",\"label\":\"Outbound Traffic\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.out.bytes\",\"id\":\"0c761592-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"max\"},{\"field\":\"0c761592-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"1d659060-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"field\":\"1d659060-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"f2074f70-1b92-11e7-a416-41f5ccdba2e6\",\"type\":\"positive_only\",\"unit\":\"\"},{\"function\":\"sum\",\"id\":\"a1737470-2c55-11e7-a0ad-277ce466684d\",\"type\":\"series_agg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"37f70440-1b92-11e7-bec4-a5e9ec5cab8b\",\"label\":\"Total 
Transferred\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.out.bytes\",\"id\":\"37f72b50-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"max\"},{\"field\":\"37f72b50-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"37f72b51-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"derivative\",\"unit\":\"\"},{\"field\":\"37f72b51-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"f9da2dd0-1b92-11e7-a416-41f5ccdba2e6\",\"type\":\"positive_only\",\"unit\":\"\"},{\"field\":\"f9da2dd0-1b92-11e7-a416-41f5ccdba2e6\",\"function\":\"overall_sum\",\"id\":\"3e63c2f0-1b92-11e7-bec4-a5e9ec5cab8b\",\"sigma\":\"\",\"type\":\"series_agg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"metric\"},\"title\":\"Outbound Traffic [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-1aae9140-1b93-11e7-8ada-3df93aab833e", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-1b5f17d0-feea-11e9-8405-516218e3d268.json b/packages/system/0.11.2/kibana/visualization/system-1b5f17d0-feea-11e9-8405-516218e3d268.json deleted file mode 100644 index 25769759b6..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-1b5f17d0-feea-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4733\",\"4729\",\"4757\",\"4786\",\"4788\",\"4752\",\"4762\",\"4747\"],\"type\":\"phrases\",\"value\":\"4733, 4729, 4757, 4786, 4788, 4752, 4762, 4747\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4733\"}},{\"match_phrase\":{\"event.code\":\"4729\"}},{\"match_phrase\":{\"event.code\":\"4757\"}},{\"match_phrase\":{\"event.code\":\"4786\"}},{\"match_phrase\":{\"event.code\":\"4788\"}},{\"match_phrase\":{\"event.code\":\"4752\"}},{\"match_phrase\":{\"event.code\":\"4762\"}},{\"match_phrase\":{\"event.code\":\"4747\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Removed from Group - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Users Removed from 
Groups\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Greens\",\"colorsRange\":[{\"from\":0,\"to\":1,\"type\":\"range\"},{\"from\":1,\"to\":5},{\"from\":5,\"to\":9},{\"from\":9,\"to\":13},{\"from\":13,\"to\":17},{\"from\":17,\"to\":20000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"Labels\",\"percentageMode\":false,\"style\":{\"bgColor\":true,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Removed from Group - Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-1b5f17d0-feea-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-1b6725f0-ff1d-11e9-8405-516218e3d268.json b/packages/system/0.11.2/kibana/visualization/system-1b6725f0-ff1d-11e9-8405-516218e3d268.json deleted file mode 100644 index 8e66316843..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-1b6725f0-ff1d-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Unlocks - TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(116,167,167,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4767\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Unlocks\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Unlocks - TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-1b6725f0-ff1d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.2/kibana/visualization/system-1f271bc0-231a-11ea-8405-516218e3d268.json b/packages/system/0.11.2/kibana/visualization/system-1f271bc0-231a-11ea-8405-516218e3d268.json deleted file mode 100644 index 484d0a4e46..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-1f271bc0-231a-11ea-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Renamed TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(110,139,162,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4781\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Renamed\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Renamed TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-1f271bc0-231a-11ea-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.2/kibana/visualization/system-2084e300-a884-11e9-a422-d144027429da.json b/packages/system/0.11.2/kibana/visualization/system-2084e300-a884-11e9-a422-d144027429da.json deleted file mode 100644 index a9120ab5fe..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-2084e300-a884-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4625\"},\"type\":\"phrase\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4625\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Logon Failed Source IP [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"type\":\"vis_dimension\"},\"maxFontSize\":38,\"metric\":{\"accessor\":1,\"format\":{\"id\":\"string\",\"params\":{}},\"type\":\"vis_dimension\"},\"minFontSize\":10,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Logon Failed Source IP [Windows System Security]\",\"type\":\"tagcloud\"}" - }, - "id": "windows-2084e300-a884-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-21aadac0-9c0b-11ea-87e4-49f31ec44891.json b/packages/system/0.11.2/kibana/visualization/system-21aadac0-9c0b-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 856a3b952b..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-21aadac0-9c0b-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security \"}}" - }, - "savedSearchRefName": "search_0", - "title": "Logon Sources [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Logon Sources [Windows System Security]\",\"type\":\"tagcloud\"}" - }, - "id": "windows-21aadac0-9c0b-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-7e178c80-fee1-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-25f31ee0-9c23-11ea-87e4-49f31ec44891.json b/packages/system/0.11.2/kibana/visualization/system-25f31ee0-9c23-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 1a69934c0e..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-25f31ee0-9c23-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4648\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"4648\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Logon with Explicit Credentials [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"user.name\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":200},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"subjectUserName\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"source.ip\",\"field\":\"source.ip\",\"json\":\"{\\\"missing\\\": 
\\\"::\\\"}\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Logon with Explicit Credentials [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-25f31ee0-9c23-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-26732e20-1b91-11e7-bec4-a5e9ec5cab8b.json b/packages/system/0.11.2/kibana/visualization/system-26732e20-1b91-11e7-bec4-a5e9ec5cab8b.json deleted file mode 100644 index 2ca5154a30..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-26732e20-1b91-11e7-bec4-a5e9ec5cab8b.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Load Gauge [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"feefabd0-1b90-11e7-bec4-a5e9ec5cab8b\"}],\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.load\\\" \"},\"gauge_color_rules\":[{\"id\":\"ffd94880-1b90-11e7-bec4-a5e9ec5cab8b\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"fdcc6180-1b90-11e7-bec4-a5e9ec5cab8b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"fdcc6181-1b90-11e7-bec4-a5e9ec5cab8b\",\"label\":\"5m Load\",\"line_width\":1,\"metrics\":[{\"field\":\"system.load.5\",\"id\":\"fdcc6182-1b90-11e7-bec4-a5e9ec5cab8b\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\"},\"title\":\"Load Gauge [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-26732e20-1b91-11e7-bec4-a5e9ec5cab8b", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-26877510-9b72-11ea-87e4-49f31ec44891.json b/packages/system/0.11.2/kibana/visualization/system-26877510-9b72-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 5f69654d68..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-26877510-9b72-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "User Management Actions [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"User Management Actions [Windows System Security]\",\"type\":\"pie\"}" - }, - "id": "windows-26877510-9b72-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-2c71e0f0-9c0d-11ea-87e4-49f31ec44891.json b/packages/system/0.11.2/kibana/visualization/system-2c71e0f0-9c0d-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 642657604a..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-2c71e0f0-9c0d-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4624\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"4624\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Logons Simple [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Logons\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"aggType\":\"cardinality\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Logons Simple [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-2c71e0f0-9c0d-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.2/kibana/visualization/system-2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.11.2/kibana/visualization/system-2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 1665d338ef..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "User Management Events - Description [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":10,\"markdown\":\"# **User Management Events**\\n\\n#### This dashboard shows information about User Management Events collected by winlogbeat\\n\",\"openLinksInNewTab\":false},\"title\":\"User Management Events - Description [Windows System Security]\",\"type\":\"markdown\"}" - }, - "id": "windows-2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-2e224660-1b19-11e7-b09e-037021c4f8df.json b/packages/system/0.11.2/kibana/visualization/system-2e224660-1b19-11e7-b09e-037021c4f8df.json deleted file mode 100644 index 75186de954..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-2e224660-1b19-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Processes By Memory [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"bar_color\":\"rgba(104,188,0,1)\",\"id\":\"efb9b660-1b18-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0},{\"bar_color\":\"rgba(254,146,0,1)\",\"id\":\"17fcb820-1b19-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.7},{\"bar_color\":\"rgba(211,49,21,1)\",\"id\":\"1dd61070-1b19-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.85}],\"drilldown_url\":\"\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.process\\\" \"},\"id\":\"edfceb30-1b18-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"edfceb31-1b18-11e7-b09e-037021c4f8df\",\"line_width\":1,\"metrics\":[{\"field\":\"system.process.memory.rss.pct\",\"id\":\"edfceb32-1b18-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"process.name\",\"terms_order_by\":\"edfceb32-1b18-11e7-b09e-037021c4f8df\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Processes By Memory [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-2e224660-1b19-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.2/kibana/visualization/system-327417e0-8462-11e7-bab8-bd2f0fb42c54.json b/packages/system/0.11.2/kibana/visualization/system-327417e0-8462-11e7-bab8-bd2f0fb42c54.json deleted file mode 100644 index 464f6c729c..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-327417e0-8462-11e7-bab8-bd2f0fb42c54.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Dashboards [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"[Syslog](#/dashboard/system-Filebeat-syslog-dashboard) | [Sudo commands](#/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a) | [SSH logins](#/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a) | [New users and groups](#/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab)\"},\"title\":\"Dashboards [Logs System]\",\"type\":\"markdown\"}" - }, - "id": "system-327417e0-8462-11e7-bab8-bd2f0fb42c54", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-33462600-9b47-11ea-87e4-49f31ec44891.json b/packages/system/0.11.2/kibana/visualization/system-33462600-9b47-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 38ebd23ecd..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-33462600-9b47-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Group Management Events - Event Actions - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"event.action\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"event.code\",\"field\":\"event.code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Group Management Events - Event Actions - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-33462600-9b47-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.2/kibana/visualization/system-341ffe70-f9ce-11e6-8115-a7c18106d86a.json b/packages/system/0.11.2/kibana/visualization/system-341ffe70-f9ce-11e6-8115-a7c18106d86a.json deleted file mode 100644 index f155739938..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-341ffe70-f9ce-11e6-8115-a7c18106d86a.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.ssh.event:Failed OR system.auth.ssh.event:Invalid\"}}" - }, - "title": "SSH users of failed login attempts [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"scale\":\"linear\"},\"title\":\"SSH users of failed login attempts\",\"type\":\"tagcloud\"}" - }, - "id": "system-341ffe70-f9ce-11e6-8115-a7c18106d86a", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-346bb290-fa80-11e6-a1df-a78bd7504d38.json b/packages/system/0.11.2/kibana/visualization/system-346bb290-fa80-11e6-a1df-a78bd7504d38.json deleted file mode 100644 index 0ad2f78f65..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-346bb290-fa80-11e6-a1df-a78bd7504d38.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New groups over time [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"group.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"bottom\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"New groups over time\",\"type\":\"histogram\"}" - }, - "id": "system-346bb290-fa80-11e6-a1df-a78bd7504d38", - "references": [ - { - "id": "system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-34f97ee0-1b96-11e7-8ada-3df93aab833e.json b/packages/system/0.11.2/kibana/visualization/system-34f97ee0-1b96-11e7-8ada-3df93aab833e.json deleted file mode 100644 index 89d9b0fae2..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-34f97ee0-1b96-11e7-8ada-3df93aab833e.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Disk Usage [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"bar_color_rules\":[{\"bar_color\":\"rgba(104,188,0,1)\",\"id\":\"bf525310-1b95-11e7-8ada-3df93aab833e\",\"operator\":\"gte\",\"value\":0},{\"bar_color\":\"rgba(254,146,0,1)\",\"id\":\"125fc4c0-1b96-11e7-8ada-3df93aab833e\",\"operator\":\"gte\",\"value\":0.7},{\"bar_color\":\"rgba(211,49,21,1)\",\"id\":\"1a5c7240-1b96-11e7-8ada-3df93aab833e\",\"operator\":\"gte\",\"value\":0.85}],\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"drilldown_url\":\"\",\"filter\":{\"language\":\"lucene\",\"query\":\"-system.filesystem.mount_point:\\\\/run* AND -system.filesystem.mount_point:\\\\/sys* AND -system.filesystem.mount_point:\\\\/dev* AND -system.filesystem.mount_point:\\\\/proc* AND -system.filesystem.mount_point:\\\\/var* AND 
-system.filesystem.mount_point:\\\\/boot\"},\"id\":\"9f7e48a0-1b95-11e7-8ada-3df93aab833e\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"9f7e48a1-1b95-11e7-8ada-3df93aab833e\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"system.filesystem.used.pct\",\"id\":\"9f7e48a2-1b95-11e7-8ada-3df93aab833e\",\"order\":\"desc\",\"order_by\":\"@timestamp\",\"size\":1,\"type\":\"top_hit\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.filesystem.mount_point\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"top_n\"},\"title\":\"Disk Usage [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-34f97ee0-1b96-11e7-8ada-3df93aab833e", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-3cec3eb0-f9d3-11e6-8a3e-2b904044ea1d.json b/packages/system/0.11.2/kibana/visualization/system-3cec3eb0-f9d3-11e6-8a3e-2b904044ea1d.json deleted file mode 100644 index c9e1455d68..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-3cec3eb0-f9d3-11e6-8a3e-2b904044ea1d.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.ssh.event:Failed OR system.auth.ssh.event:Invalid\"}}" - }, - "title": "SSH failed login attempts source locations [Logs System]", - "uiStateJSON": "{\"mapCenter\":[17.602139123350838,69.697265625],\"mapZoom\":2}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"autoPrecision\":true,\"field\":\"source.geo.location\",\"precision\":2},\"schema\":\"segment\",\"type\":\"geohash_grid\"}],\"listeners\":{},\"params\":{\"addTooltip\":true,\"heatBlur\":15,\"heatMaxZoom\":16,\"heatMinOpacity\":0.1,\"heatNormalizeData\":true,\"heatRadius\":25,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[15,5],\"mapType\":\"Shaded Circle Markers\",\"mapZoom\":2,\"wms\":{\"enabled\":false,\"options\":{\"attribution\":\"Maps provided by USGS\",\"format\":\"image/png\",\"layers\":\"0\",\"styles\":\"\",\"transparent\":true,\"version\":\"1.3.0\"},\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\"}},\"title\":\"SSH failed login attempts source locations\",\"type\":\"tile_map\"}" - }, - "id": "system-3cec3eb0-f9d3-11e6-8a3e-2b904044ea1d", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-3d65d450-a9c3-11e7-af20-67db8aecb295.json b/packages/system/0.11.2/kibana/visualization/system-3d65d450-a9c3-11e7-af20-67db8aecb295.json deleted file mode 100644 index 467738abc7..0000000000 
--- a/packages/system/0.11.2/kibana/visualization/system-3d65d450-a9c3-11e7-af20-67db8aecb295.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Tip [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"**TIP:** To select another host, go to the [System Overview](#/dashboard/system-Metrics-system-overview) dashboard and double-click a host name.\"},\"title\":\"Tip [Metrics System]\",\"type\":\"markdown\"}" - }, - "id": "system-3d65d450-a9c3-11e7-af20-67db8aecb295", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-400b63e0-f49a-11e9-8405-516218e3d268.json b/packages/system/0.11.2/kibana/visualization/system-400b63e0-f49a-11e9-8405-516218e3d268.json deleted file mode 100644 index bb1b70ae03..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-400b63e0-f49a-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Groups Changed TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(200,201,197,1)\",\"id\":\"bfcaced0-f419-11e9-928e-8f5fd2b6c66e\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(221,186,64,1)\",\"id\":\"a7d935e0-f497-11e9-928e-8f5fd2b6c66e\",\"operator\":\"gt\",\"value\":0}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code:4735 OR event.code:4737 OR event.code:\\\"4755\\\" OR event.code:\\\"4764\\\" OR event.code:\\\"4750\\\" OR event.code:\\\"4760\\\" OR event.code:\\\"4745\\\" OR event.code:\\\"4784\\\" OR event.code:\\\"4791\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"60d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Groups Changed\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Groups Changed TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-400b63e0-f49a-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.2/kibana/visualization/system-421f0610-af98-11e9-a422-d144027429da.json b/packages/system/0.11.2/kibana/visualization/system-421f0610-af98-11e9-a422-d144027429da.json deleted file mode 100644 index 4a1aa9d3c1..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-421f0610-af98-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4625\"},\"type\":\"phrase\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4625\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Logon Failed Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Time 
Bucket\",\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"h\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"2020-05-17T09:37:55.995Z\",\"to\":\"2020-05-22T03:09:27.260Z\"},\"useNormalizedEsInterval\":true},\"schema\":\"bucket\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"user.name\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"source workstation\",\"field\":\"source.domain\",\"json\":\"{\\\"missing\\\": \\\"N/A\\\"}\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"source.ip\",\"field\":\"source.ip\",\"json\":\"{\\\"missing\\\": 
\\\"::\\\"}\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"event.action\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"winlog.logon.type\",\"field\":\"winlog.logon.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"8\",\"params\":{\"customLabel\":\"winlog.event_data.SubjectUserName\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"date_histogram\",\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD 
HH:mm\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":4,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":5,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":15,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Logon Failed Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-421f0610-af98-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.11.2/kibana/visualization/system-4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 17ebedc7ae..0000000000 
--- a/packages/system/0.11.2/kibana/visualization/system-4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4740\"},\"type\":\"phrase\",\"value\":\"4740\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4740\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Locked Out - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Locked User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Locked Out - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-4b683ac0-a7d7-11e9-a422-d144027429da.json b/packages/system/0.11.2/kibana/visualization/system-4b683ac0-a7d7-11e9-a422-d144027429da.json deleted file mode 100644 index b23bd8e0c2..0000000000 
--- a/packages/system/0.11.2/kibana/visualization/system-4b683ac0-a7d7-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4625\"],\"type\":\"phrases\",\"value\":\"4625\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4625\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Failed Logon HeatMap [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 4\":\"rgb(255,255,204)\",\"12 - 16\":\"rgb(252,91,46)\",\"16 - 20\":\"rgb(212,16,32)\",\"4 - 8\":\"rgb(254,225,135)\",\"8 - 12\":\"rgb(254,171,73)\"}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"drop_partials\":true,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"h\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"2020-05-17T09:37:55.995Z\",\"to\":\"2020-05-22T03:09:27.260Z\"},\"useNormalizedEsInterval\":true},\"schema\":\"group\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTooltip\":false,\"colorSchema\":\"Yellow to Red\",\"colorsNumber\":5,\"colorsRange\":[],\"dimensions\":{\"series\":[{\"accessor\":1,\"aggType\":\"date_histogram\",\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD HH:mm\"}},\"label\":\"@timestamp per hour\",\"params\":{}}],\"x\":{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"label\":\"user.name: Descending\",\"params\":{}},\"y\":[{\"accessor\":2,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}}]},\"enableHover\":true,\"invertColors\":false,\"legendPosition\":\"bottom\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"type\":\"heatmap\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"black\",\"overwriteColor\":false,\"rotate\":0,\"show\":true},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Failed Logon HeatMap [Windows System Security]\",\"type\":\"heatmap\"}" - }, - "id": 
"windows-4b683ac0-a7d7-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-4bedf650-9ffd-11ea-87e4-49f31ec44891.json b/packages/system/0.11.2/kibana/visualization/system-4bedf650-9ffd-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 87a436f81d..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-4bedf650-9ffd-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4625\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"4625\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": " Failed Logons [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Failed Logons\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\" Failed Logons [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-4bedf650-9ffd-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": 
"index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-4d546850-1b15-11e7-b09e-037021c4f8df.json b/packages/system/0.11.2/kibana/visualization/system-4d546850-1b15-11e7-b09e-037021c4f8df.json deleted file mode 100644 index cd04472792..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-4d546850-1b15-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "System Load [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.load\\\"\"},\"id\":\"f6264ad0-1b14-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(115,216,255,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"f62671e0-1b14-11e7-b09e-037021c4f8df\",\"label\":\"1m\",\"line_width\":\"3\",\"metrics\":[{\"field\":\"system.load.1\",\"id\":\"f62671e1-1b14-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"1c324850-1b15-11e7-b09e-037021c4f8df\",\"label\":\"5m\",\"line_width\":\"3\",\"metrics\":[{\"field\":\"system.load.5\",\"id\":\"1c324851-1b15-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,98,177,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"3287e740-1b15-11e7-b09e-037021c4f8df\",\"label\":\"15m\",\"line_width\":\"3\",\"metrics\":[{\"field\":\"system.load.15\",\"id\":\"32880e50-1b15-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"
title\":\"System Load [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-4d546850-1b15-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-4e4bb1e0-1b1b-11e7-b09e-037021c4f8df.json b/packages/system/0.11.2/kibana/visualization/system-4e4bb1e0-1b1b-11e7-b09e-037021c4f8df.json deleted file mode 100644 index 4bdb84e270..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-4e4bb1e0-1b1b-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Disk IO (Bytes) [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.diskio\\\"\"},\"id\":\"d3c67db0-1b1a-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(22,165,165,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"d3c67db1-1b1a-11e7-b09e-037021c4f8df\",\"label\":\"reads\",\"line_width\":1,\"metrics\":[{\"field\":\"system.diskio.read.bytes\",\"id\":\"d3c67db2-1b1a-11e7-b09e-037021c4f8df\",\"type\":\"max\"},{\"field\":\"d3c67db2-1b1a-11e7-b09e-037021c4f8df\",\"id\":\"f55b9910-1b1a-11e7-b09e-037021c4f8df\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"field\":\"f55b9910-1b1a-11e7-b09e-037021c4f8df\",\"id\":\"dcbbb100-1b93-11e7-8ada-3df93aab833e\",\"type\":\"positive_only\",\"unit\":\"\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"value_template\":\"{{value}}/s\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(251,158,0,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"144124d0-1b1b-11e7-b09e-037021c4f8df\",\"label\":\"writes\",\"line_width\":1,\"metrics\":[{\"field\":\"system.diskio.write.bytes\",\"id\":\"144124d1-1b1b-11e7-b09e-037021c4f8df\",\"type\":\"max\"},{\"field\":\"144124d1-1b1b-11e7-b09e-037021c4f8df\",\"id\":\"144124d2-1b1b-11e7-b09e-037021c4f8df\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"id\":\"144124d4-1b1b-11e7-b09e-037021c4f8df\",\"script\":\"params.rate \\u003e 0 ? 
params.rate * -1 : 0\",\"type\":\"calculation\",\"variables\":[{\"field\":\"144124d2-1b1b-11e7-b09e-037021c4f8df\",\"id\":\"144124d3-1b1b-11e7-b09e-037021c4f8df\",\"name\":\"rate\"}]}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"value_template\":\"{{value}}/s\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"Disk IO (Bytes) [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-4e4bb1e0-1b1b-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-51164310-fa2b-11e6-bbd3-29c986c96e5a.json b/packages/system/0.11.2/kibana/visualization/system-51164310-fa2b-11e6-bbd3-29c986c96e5a.json deleted file mode 100644 index efa1f752dd..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-51164310-fa2b-11e6-bbd3-29c986c96e5a.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.sudo.error:*\"}}" - }, - "title": "Sudo errors [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"system.auth.sudo.error\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"Sudo errors\",\"type\":\"histogram\"}" - }, - "id": "system-51164310-fa2b-11e6-bbd3-29c986c96e5a", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b.json b/packages/system/0.11.2/kibana/visualization/system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b.json deleted file mode 100644 index bd07f29ec0..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Inbound Traffic [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"0e346760-1b92-11e7-bec4-a5e9ec5cab8b\"}],\"filter\":{\"language\":\"lucene\",\"query\":\"-system.network.name:l*\"},\"id\":\"0c761590-1b92-11e7-bec4-a5e9ec5cab8b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"0c761591-1b92-11e7-bec4-a5e9ec5cab8b\",\"label\":\"Inbound Traffic\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.in.bytes\",\"id\":\"0c761592-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"max\"},{\"field\":\"0c761592-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"1d659060-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"field\":\"1d659060-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"f2074f70-1b92-11e7-a416-41f5ccdba2e6\",\"type\":\"positive_only\",\"unit\":\"\"},{\"function\":\"sum\",\"id\":\"c40e18f0-2c55-11e7-a0ad-277ce466684d\",\"type\":\"series_agg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"37f70440-1b92-11e7-bec4-a5e9ec5cab8b\",\"label\":\"Total 
Transferred\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.in.bytes\",\"id\":\"37f72b50-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"max\"},{\"field\":\"37f72b50-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"37f72b51-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"derivative\",\"unit\":\"\"},{\"field\":\"37f72b51-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"f9da2dd0-1b92-11e7-a416-41f5ccdba2e6\",\"type\":\"positive_only\",\"unit\":\"\"},{\"field\":\"f9da2dd0-1b92-11e7-a416-41f5ccdba2e6\",\"function\":\"overall_sum\",\"id\":\"3e63c2f0-1b92-11e7-bec4-a5e9ec5cab8b\",\"sigma\":\"\",\"type\":\"series_agg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"metric\"},\"title\":\"Inbound Traffic [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-546febc0-f49b-11e9-8405-516218e3d268.json b/packages/system/0.11.2/kibana/visualization/system-546febc0-f49b-11e9-8405-516218e3d268.json deleted file mode 100644 index 65591c57a4..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-546febc0-f49b-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Groups Enumeration - TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(128,128,128,1)\",\"color\":\"rgba(179,179,179,1)\",\"id\":\"bfcaced0-f419-11e9-928e-8f5fd2b6c66e\",\"operator\":\"gt\",\"value\":0},{\"background_color\":\"rgba(179,179,179,1)\",\"id\":\"8d3f3ed0-9b51-11ea-99a1-e5b989979a59\",\"operator\":\"lte\",\"value\":0}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code:4799\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Group Membership Enumeration\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Groups Enumeration - TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-546febc0-f49b-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.2/kibana/visualization/system-568a8130-bcde-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.11.2/kibana/visualization/system-568a8130-bcde-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index d8ddc0b1ed..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-568a8130-bcde-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4723\",\"4724\"],\"type\":\"phrases\",\"value\":\"4723, 4724\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4723\"}},{\"match_phrase\":{\"event.code\":\"4724\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Password Reset / Changes [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Password Changes\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Password Reset / Changes [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-568a8130-bcde-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-58fb9480-9b46-11ea-87e4-49f31ec44891.json b/packages/system/0.11.2/kibana/visualization/system-58fb9480-9b46-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 453faebe12..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-58fb9480-9b46-11ea-87e4-49f31ec44891.json +++ /dev/null @@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Group Management Events - Target Groups - Tag Cloud [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"maxFontSize\":58,\"minFontSize\":18,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Group Management Events - Target Groups - Tag Cloud [Windows System Security]\",\"type\":\"tagcloud\"}" - }, - "id": "windows-58fb9480-9b46-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.2/kibana/visualization/system-590a60f0-5d87-11e7-8884-1bb4c3b890e4.json b/packages/system/0.11.2/kibana/visualization/system-590a60f0-5d87-11e7-8884-1bb4c3b890e4.json deleted file mode 100644 index e5419418c6..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-590a60f0-5d87-11e7-8884-1bb4c3b890e4.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Number of processes [Metrics System]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Processes\",\"field\":\"process.pid\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.process\\\"\"},\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"type\":\"gauge\"},\"title\":\"Number of processes\",\"type\":\"metric\"}" - }, - "id": "system-590a60f0-5d87-11e7-8884-1bb4c3b890e4", - "references": [ - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-5bb93ed0-a249-11e9-a422-d144027429da.json b/packages/system/0.11.2/kibana/visualization/system-5bb93ed0-a249-11e9-a422-d144027429da.json deleted file mode 100644 index 75aeb12e0d..0000000000 
--- a/packages/system/0.11.2/kibana/visualization/system-5bb93ed0-a249-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4672\"},\"type\":\"phrase\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4672\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Admin Logons Simple [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Admin Logons\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"aggType\":\"cardinality\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Admin Logons Simple [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-5bb93ed0-a249-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.2/kibana/visualization/system-5c7af030-fa2a-11e6-bbd3-29c986c96e5a.json b/packages/system/0.11.2/kibana/visualization/system-5c7af030-fa2a-11e6-bbd3-29c986c96e5a.json deleted file mode 100644 index 112d3d6530..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-5c7af030-fa2a-11e6-bbd3-29c986c96e5a.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Sudo commands by user [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"Sudo commands by user\",\"type\":\"histogram\"}" - }, - "id": "system-5c7af030-fa2a-11e6-bbd3-29c986c96e5a", - "references": [ - { - "id": "system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-5c9ee410-9b74-11ea-87e4-49f31ec44891.json b/packages/system/0.11.2/kibana/visualization/system-5c9ee410-9b74-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 6807ba0f16..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-5c9ee410-9b74-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "User Event Actions - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"event.action\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":25},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"event.code\",\"field\":\"event.code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"User Event Actions - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-5c9ee410-9b74-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.2/kibana/visualization/system-5d117970-9ffd-11ea-87e4-49f31ec44891.json b/packages/system/0.11.2/kibana/visualization/system-5d117970-9ffd-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 45c348d026..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-5d117970-9ffd-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4740\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"4740\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Blocked Accounts [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Blocked Accounts\",\"field\":\"user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Blocked Accounts [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-5d117970-9ffd-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.2/kibana/visualization/system-5d92b100-bce8-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.11.2/kibana/visualization/system-5d92b100-bce8-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index b34bc8bc80..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-5d92b100-bce8-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4738\"],\"type\":\"phrases\",\"value\":\"4738\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4738\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Changes - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Changes in Users\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Changes - Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-5d92b100-bce8-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": 
"visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-5dd15c00-fa78-11e6-ae9b-81e5311e8cab.json b/packages/system/0.11.2/kibana/visualization/system-5dd15c00-fa78-11e6-ae9b-81e5311e8cab.json deleted file mode 100644 index bc04c92dd4..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-5dd15c00-fa78-11e6-ae9b-81e5311e8cab.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New users over time [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"bottom\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"New users over time\",\"type\":\"histogram\"}" - }, - "id": "system-5dd15c00-fa78-11e6-ae9b-81e5311e8cab", - "references": [ - { - "id": "system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-5e19ff80-231c-11ea-8405-516218e3d268.json b/packages/system/0.11.2/kibana/visualization/system-5e19ff80-231c-11ea-8405-516218e3d268.json deleted file mode 100644 index acd93693a8..0000000000 
--- a/packages/system/0.11.2/kibana/visualization/system-5e19ff80-231c-11ea-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4781\"],\"type\":\"phrases\",\"value\":\"4781\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4781\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Renamed - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Renamed Users\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Renamed - Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-5e19ff80-231c-11ea-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": 
"visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.11.2/kibana/visualization/system-5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 4e4497d0a4..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4720\"},\"type\":\"phrase\",\"value\":\"4720\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4720\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Created - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Created User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Created - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-5eeaafd0-fee7-11e9-8405-516218e3d268.json b/packages/system/0.11.2/kibana/visualization/system-5eeaafd0-fee7-11e9-8405-516218e3d268.json deleted file mode 100644 index 13589095b5..0000000000 
--- a/packages/system/0.11.2/kibana/visualization/system-5eeaafd0-fee7-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4734\",\"4730\",\"4758\",\"4748\",\"4763\",\"4753\",\"4792\",\"4789\"],\"type\":\"phrases\",\"value\":\"4734, 4730, 4758, 4748, 4763, 4753, 4792, 4789\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4734\"}},{\"match_phrase\":{\"event.code\":\"4730\"}},{\"match_phrase\":{\"event.code\":\"4758\"}},{\"match_phrase\":{\"event.code\":\"4748\"}},{\"match_phrase\":{\"event.code\":\"4763\"}},{\"match_phrase\":{\"event.code\":\"4753\"}},{\"match_phrase\":{\"event.code\":\"4792\"}},{\"match_phrase\":{\"event.code\":\"4789\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"lucene\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Groups Deleted- Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Groups 
Deleted\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Greens\",\"colorsRange\":[{\"from\":0,\"to\":1,\"type\":\"range\"},{\"from\":1,\"to\":5},{\"from\":5,\"to\":10},{\"from\":10,\"to\":15},{\"from\":15,\"to\":20},{\"from\":20,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"Labels\",\"percentageMode\":false,\"style\":{\"bgColor\":true,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Groups Deleted- Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-5eeaafd0-fee7-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-60301890-ff1d-11e9-8405-516218e3d268.json b/packages/system/0.11.2/kibana/visualization/system-60301890-ff1d-11e9-8405-516218e3d268.json deleted file mode 100644 index 520406bfb6..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-60301890-ff1d-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Password Changes - TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(154,196,198,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4723\\\" OR event.code: \\\"4724\\\"\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Password Changes/Reset\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Password Changes - TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-60301890-ff1d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.2/kibana/visualization/system-6b7b9a40-faa1-11e6-86b1-cd7735ff7e23.json b/packages/system/0.11.2/kibana/visualization/system-6b7b9a40-faa1-11e6-86b1-cd7735ff7e23.json deleted file mode 100644 index 22a26c29d4..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-6b7b9a40-faa1-11e6-86b1-cd7735ff7e23.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Network Traffic (Packets) [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"lucene\",\"query\":\"-system.network.name:l*\"},\"id\":\"da1046f0-faa0-11e6-86b1-cd7735ff7e23\",\"index_pattern\":\"*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":\"1\",\"formatter\":\"0.[00]a\",\"id\":\"da1046f1-faa0-11e6-86b1-cd7735ff7e23\",\"label\":\"Inbound\",\"line_width\":\"0\",\"metrics\":[{\"field\":\"system.network.in.packets\",\"id\":\"da1046f2-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"max\"},{\"field\":\"da1046f2-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"f41f9280-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"field\":\"f41f9280-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"c0da3d80-1b93-11e7-8ada-3df93aab833e\",\"type\":\"positive_only\",\"unit\":\"\"},{\"function\":\"sum\",\"id\":\"ecaad010-2c2c-11e7-be71-3162da85303f\",\"type\":\"series_agg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(250,40,255,1)\",\"fill\":\"1\",\"formatter\":\"0.[00]a\",\"id\":\"fbbd5720-faa0-11e6-86b1-cd7735ff7e23\",\"label\":\"Outbound\",\"line_width\":\"0\",\"metrics\":[{\"field\":\"system.network.out.packets\",\"id\":\"fbbd7e30-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"max\"},{\"field\":\"fbbd7e30-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"fbbd7e31-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"id\":\"17e597a0-faa1-11e6-86b
1-cd7735ff7e23\",\"script\":\"params.rate != null \\u0026\\u0026 params.rate \\u003e 0 ? params.rate * -1 : null\",\"type\":\"calculation\",\"variables\":[{\"field\":\"fbbd7e31-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"1940bad0-faa1-11e6-86b1-cd7735ff7e23\",\"name\":\"rate\"}]},{\"function\":\"sum\",\"id\":\"fe5fbdc0-2c2c-11e7-be71-3162da85303f\",\"type\":\"series_agg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"Mericbeat: Network Traffic (Packets)\",\"type\":\"metrics\"}" - }, - "id": "system-6b7b9a40-faa1-11e6-86b1-cd7735ff7e23", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-6f0f2ea0-f414-11e9-8405-516218e3d268.json b/packages/system/0.11.2/kibana/visualization/system-6f0f2ea0-f414-11e9-8405-516218e3d268.json deleted file mode 100644 index ea065ce6e3..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-6f0f2ea0-f414-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Group Management Events - Description [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":10,\"markdown\":\"# **Group Management Events**\\n\\n#### This dashboard shows information about Group Management Events collected by winlogbeat\\n\",\"openLinksInNewTab\":false},\"title\":\"Group Management Events - Description [Windows System Security]\",\"type\":\"markdown\"}" - }, - "id": "windows-6f0f2ea0-f414-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-729443b0-a7d6-11e9-a422-d144027429da.json b/packages/system/0.11.2/kibana/visualization/system-729443b0-a7d6-11e9-a422-d144027429da.json deleted file mode 100644 index da850bf332..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-729443b0-a7d6-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4625\",\"4771\"],\"type\":\"phrases\",\"value\":\"4625, 4771\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4625\"}},{\"match_phrase\":{\"event.code\":\"4771\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Logon Failed Acconts [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"type\":\"vis_dimension\"},\"maxFontSize\":37,\"metric\":{\"accessor\":1,\"format\":{\"id\":\"string\",\"params\":{}},\"type\":\"vis_dimension\"},\"minFontSize\":15,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Logon Failed Acconts [Windows System Security]\",\"type\":\"tagcloud\"}" - }, - "id": "windows-729443b0-a7d6-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], 
- "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-7322f9f0-ff1c-11e9-8405-516218e3d268.json b/packages/system/0.11.2/kibana/visualization/system-7322f9f0-ff1c-11e9-8405-516218e3d268.json deleted file mode 100644 index 2e5508620f..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-7322f9f0-ff1c-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Deleted - TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(228,155,75,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4726\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Deleted\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Deleted - TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-7322f9f0-ff1c-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.2/kibana/visualization/system-78b74f30-f9cd-11e6-8115-a7c18106d86a.json b/packages/system/0.11.2/kibana/visualization/system-78b74f30-f9cd-11e6-8115-a7c18106d86a.json deleted file mode 100644 index c119c156ea..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-78b74f30-f9cd-11e6-8115-a7c18106d86a.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - }, - "title": "SSH login attempts [Logs System]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Accepted\":\"#3F6833\",\"Failed\":\"#F9934E\",\"Invalid\":\"#447EBC\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"system.auth.ssh.event\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"SSH login attempts\",\"type\":\"histogram\"}" - }, - "id": "system-78b74f30-f9cd-11e6-8115-a7c18106d86a", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.2/kibana/visualization/system-7a329a00-a7d5-11e9-a422-d144027429da.json b/packages/system/0.11.2/kibana/visualization/system-7a329a00-a7d5-11e9-a422-d144027429da.json deleted file mode 100644 index 9f8332e30b..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-7a329a00-a7d5-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4740\"},\"type\":\"phrase\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4740\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security \"}}" - }, - "title": "Blocked Accounts Tag [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"type\":\"vis_dimension\"},\"maxFontSize\":53,\"metric\":{\"accessor\":1,\"format\":{\"id\":\"string\",\"params\":{}},\"type\":\"vis_dimension\"},\"minFontSize\":18,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Blocked Accounts Tag [Windows System Security]\",\"type\":\"tagcloud\"}" - }, - "id": "windows-7a329a00-a7d5-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-7cdb1330-4d1a-11e7-a196-69b9a7a020a9.json b/packages/system/0.11.2/kibana/visualization/system-7cdb1330-4d1a-11e7-a196-69b9a7a020a9.json deleted file mode 100644 index e89f3a3690..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-7cdb1330-4d1a-11e7-a196-69b9a7a020a9.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Hosts histogram by CPU usage [Metrics System]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0% - 5%\":\"rgb(247,252,245)\",\"10% - 15%\":\"rgb(116,196,118)\",\"15% - 20%\":\"rgb(35,139,69)\",\"5% - 10%\":\"rgb(199,233,192)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"CPU usage\",\"field\":\"system.cpu.user.pct\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Hosts\",\"field\":\"host.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Greens\",\"colorsNumber\":4,\"colorsRange\":[],\"enableHover\":false,\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.cpu\\\" \"},\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"type\":\"heatmap\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"#555\",\"rotate\":0,\"show\":false},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Hosts histogram by CPU usage [Metrics System]\",\"type\":\"heatmap\"}" - }, - "id": "system-7cdb1330-4d1a-11e7-a196-69b9a7a020a9", - "references": [ - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.2/kibana/visualization/system-7de2e3f0-9b4d-11ea-87e4-49f31ec44891.json b/packages/system/0.11.2/kibana/visualization/system-7de2e3f0-9b4d-11ea-87e4-49f31ec44891.json deleted file mode 100644 index de0df1178e..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-7de2e3f0-9b4d-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Group Management Action Distribution over Time [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-30d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":25},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false,\"valueAxis\":\"\"},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"tru
ncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Group Management Action Distribution over Time [Windows System Security]\",\"type\":\"histogram\"}" - }, - "id": "windows-7de2e3f0-9b4d-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-804dd400-a248-11e9-a422-d144027429da.json b/packages/system/0.11.2/kibana/visualization/system-804dd400-a248-11e9-a422-d144027429da.json deleted file mode 100644 index deaa80ec24..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-804dd400-a248-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4672\"],\"type\":\"phrases\",\"value\":\"4672\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4672\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Logged on Administrators [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Date\",\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"2020-05-20T07:35:27.496Z\",\"to\":\"2020-05-22T00:01:10.239Z\"},\"useNormalizedEsInterval\":true},\"schema\":\"bucket\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"user.name\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"8\",\"params\":{\"customLabel\":\"# 
Thread\",\"field\":\"winlog.process.thread.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"9\",\"params\":{\"customLabel\":\"LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"date_histogram\",\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD HH:mm\"}},\"label\":\"Fecha - Hora \",\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"label\":\"Usuario\",\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"label\":\"# Thread\",\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"label\":\"winlog.logon.id: Descending\",\"params\":{}}],\"metrics\":[{\"accessor\":4,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Cantidad Eventos 
\",\"params\":{}}]},\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Logged on Administrators [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-804dd400-a248-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32.json b/packages/system/0.11.2/kibana/visualization/system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32.json deleted file mode 100644 index 172b24f43c..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Disk Used [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.fsstat\\\"\"},\"gauge_color_rules\":[{\"gauge\":\"rgba(104,188,0,1)\",\"id\":\"51921d10-4d1d-11e7-b5f2-2b7c1895bf32\",\"operator\":\"gte\",\"value\":0},{\"gauge\":\"rgba(251,158,0,1)\",\"id\":\"f26de750-4d54-11e7-b5f2-2b7c1895bf32\",\"operator\":\"gte\",\"value\":0.7},{\"gauge\":\"rgba(211,49,21,1)\",\"id\":\"fa31d190-4d54-11e7-b5f2-2b7c1895bf32\",\"operator\":\"gte\",\"value\":0.85}],\"gauge_inner_width\":10,\"gauge_max\":\"1\",\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"4e4dc780-4d1d-11e7-b5f2-2b7c1895bf32\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"4e4dee90-4d1d-11e7-b5f2-2b7c1895bf32\",\"label\":\"Disk used\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"system.fsstat.total_size.used\",\"id\":\"4e4dee91-4d1d-11e7-b5f2-2b7c1895bf32\",\"order\":\"desc\",\"order_by\":\"@timestamp\",\"size\":1,\"type\":\"top_hit\"},{\"agg_with\":\"avg\",\"field\":\"system.fsstat.total_size.total\",\"id\":\"57c96ee0-4d54-11e7-b5f2-2b7c1895bf32\",\"order\":\"desc\",\"order_by\":\"@timestamp\",\"size\":1,\"type\":\"top_hit\"},{\"id\":\"6304cca0-4d54-11e7-b5f2-2b7c1895bf32\",\"script\":\"params.used/params.total 
\",\"type\":\"math\",\"variables\":[{\"field\":\"4e4dee91-4d1d-11e7-b5f2-2b7c1895bf32\",\"id\":\"6da10430-4d54-11e7-b5f2-2b7c1895bf32\",\"name\":\"used\"},{\"field\":\"57c96ee0-4d54-11e7-b5f2-2b7c1895bf32\",\"id\":\"73b8c510-4d54-11e7-b5f2-2b7c1895bf32\",\"name\":\"total\"}]}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"gauge\"},\"title\":\"Disk used [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b.json b/packages/system/0.11.2/kibana/visualization/system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b.json deleted file mode 100644 index dc7c7ab1d6..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "CPU Usage Gauge [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.cpu\\\"\"},\"gauge_color_rules\":[{\"gauge\":\"rgba(104,188,0,1)\",\"id\":\"4ef2c3b0-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0},{\"gauge\":\"rgba(254,146,0,1)\",\"id\":\"e6561ae0-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0.7},{\"gauge\":\"rgba(211,49,21,1)\",\"id\":\"ec655040-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0.85}],\"gauge_inner_width\":10,\"gauge_max\":\"1\",\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"4c9e2550-1b91-11e7-bec4-a5e9ec5cab8b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"4c9e2551-1b91-11e7-bec4-a5e9ec5cab8b\",\"label\":\"CPU Usage\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.user.pct\",\"id\":\"4c9e2552-1b91-11e7-bec4-a5e9ec5cab8b\",\"type\":\"avg\"},{\"field\":\"system.cpu.system.pct\",\"id\":\"225c2140-5fd7-11e7-a63a-a937b7c1a7e1\",\"type\":\"avg\"},{\"field\":\"system.cpu.cores\",\"id\":\"837a30c0-5fd7-11e7-a63a-a937b7c1a7e1\",\"type\":\"avg\"},{\"id\":\"587aa510-1b91-11e7-bec4-a5e9ec5cab8b\",\"script\":\"params.n \\u003e 0 ? 
(params.user+params.system)/params.n : null\",\"type\":\"calculation\",\"variables\":[{\"field\":\"4c9e2552-1b91-11e7-bec4-a5e9ec5cab8b\",\"id\":\"5a19af10-1b91-11e7-bec4-a5e9ec5cab8b\",\"name\":\"user\"},{\"field\":\"225c2140-5fd7-11e7-a63a-a937b7c1a7e1\",\"id\":\"32b54f80-5fd7-11e7-a63a-a937b7c1a7e1\",\"name\":\"system\"},{\"field\":\"837a30c0-5fd7-11e7-a63a-a937b7c1a7e1\",\"id\":\"8ba6eef0-5fd7-11e7-a63a-a937b7c1a7e1\",\"name\":\"n\"}]}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\"},\"title\":\"CPU Usage Gauge [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-84502430-bce8-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.11.2/kibana/visualization/system-84502430-bce8-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 7a45abc403..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-84502430-bce8-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4740\"],\"type\":\"phrases\",\"value\":\"4740\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4740\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Unlocks - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Users Locked Out\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Unlocks - Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-84502430-bce8-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": 
"visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-855899e0-1b1c-11e7-b09e-037021c4f8df.json b/packages/system/0.11.2/kibana/visualization/system-855899e0-1b1c-11e7-b09e-037021c4f8df.json deleted file mode 100644 index ae48f968a3..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-855899e0-1b1c-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Top Hosts By CPU (Realtime) [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"bar_color\":\"rgba(104,188,0,1)\",\"id\":\"33349dd0-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0},{\"bar_color\":\"rgba(254,146,0,1)\",\"id\":\"997dc440-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.6},{\"bar_color\":\"rgba(211,49,21,1)\",\"id\":\"a10d7f20-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.85}],\"drilldown_url\":\"../app/kibana#/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8?_a=(query:(language:kuery,query:'host.name:\\\"{{key}}\\\"'))\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.cpu\\\"\"},\"id\":\"31e5afa0-1b1c-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"31e5afa1-1b1c-11e7-b09e-037021c4f8df\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.user.pct\",\"id\":\"31e5afa2-1b1c-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"host.name\",\"terms_order_by\":\"31e5afa2-1b1c-11e7-b09e-037021c4f8df\",\"terms_size\":\"10\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Top Hosts By CPU (Realtime) [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-855899e0-1b1c-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.2/kibana/visualization/system-855957d0-bcdd-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.11.2/kibana/visualization/system-855957d0-bcdd-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 09e960ac14..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-855957d0-bcdd-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4722\"},\"type\":\"phrase\",\"value\":\"4722\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4722\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Enabled - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Users Enabled\",\"field\":\"user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Enabled - Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-855957d0-bcdd-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - 
"type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-860706a0-9bfd-11ea-87e4-49f31ec44891.json b/packages/system/0.11.2/kibana/visualization/system-860706a0-9bfd-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 0849027a3c..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-860706a0-9bfd-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "User Logons [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"d5bcde50-9bfc-11ea-aaa3-618beeff2d9c\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(7,139,141,1)\",\"id\":\"16018150-9bfd-11ea-aaa3-618beeff2d9c\",\"operator\":\"gte\",\"value\":0}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"filter\":{\"language\":\"kuery\",\"query\":\"((data_stream.dataset:windows.security OR data_stream.dataset:system.security) AND event.code: \\\"4624\\\")\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Logons \",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"User Logons [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-860706a0-9bfd-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.2/kibana/visualization/system-8ef59f90-6ab8-11ea-896f-0d70f7ec3956.json b/packages/system/0.11.2/kibana/visualization/system-8ef59f90-6ab8-11ea-896f-0d70f7ec3956.json deleted file mode 100644 index ef50f8a93f..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-8ef59f90-6ab8-11ea-896f-0d70f7ec3956.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Failed Logons TSVB [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(181,99,93,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"((data_stream.dataset:windows.security OR data_stream.dataset:system.security) AND event.code: \\\"4625\\\")\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Failed Logon\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Failed Logons TSVB [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-8ef59f90-6ab8-11ea-896f-0d70f7ec3956", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.2/kibana/visualization/system-8f20c950-bcd4-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.11.2/kibana/visualization/system-8f20c950-bcd4-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index 2afa9ee825..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-8f20c950-bcd4-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4725\"},\"type\":\"phrase\",\"value\":\"4725\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4725\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Disabled - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Disabled User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Disabled - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-8f20c950-bcd4-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-96976150-4d5d-11e7-aa29-87a97a796de6.json b/packages/system/0.11.2/kibana/visualization/system-96976150-4d5d-11e7-aa29-87a97a796de6.json deleted file mode 100644 index 172bcb8f2c..0000000000 
--- a/packages/system/0.11.2/kibana/visualization/system-96976150-4d5d-11e7-aa29-87a97a796de6.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Packetloss [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"6ba9b1f0-4d5d-11e7-aa29-87a97a796de6\"}],\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.network\\\"\"},\"id\":\"6984af10-4d5d-11e7-aa29-87a97a796de6\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"6984af11-4d5d-11e7-aa29-87a97a796de6\",\"label\":\"In Packetloss\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.in.dropped\",\"id\":\"6984af12-4d5d-11e7-aa29-87a97a796de6\",\"type\":\"max\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"ac2e6b30-4d5d-11e7-aa29-87a97a796de6\",\"label\":\"Out Packetloss\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.out.dropped\",\"id\":\"ac2e6b31-4d5d-11e7-aa29-87a97a796de6\",\"type\":\"max\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"metric\"},\"title\":\"Packetloss [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-96976150-4d5d-11e7-aa29-87a97a796de6", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.2/kibana/visualization/system-97c70300-ff1c-11e9-8405-516218e3d268.json b/packages/system/0.11.2/kibana/visualization/system-97c70300-ff1c-11e9-8405-516218e3d268.json deleted file mode 100644 index ac78018683..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-97c70300-ff1c-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Disabled - TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(79,147,150,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"((data_stream.dataset:windows.security OR data_stream.dataset:system.security) AND event.code: \\\"4725\\\")\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Disabled\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Disabled - TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-97c70300-ff1c-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.2/kibana/visualization/system-98884120-f49d-11e9-8405-516218e3d268.json b/packages/system/0.11.2/kibana/visualization/system-98884120-f49d-11e9-8405-516218e3d268.json deleted file mode 100644 index a227b7f0c3..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-98884120-f49d-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4731\",\"4727\",\"4754\",\"4744\",\"4759\",\"4779\",\"4790\",\"4783\"],\"type\":\"phrases\",\"value\":\"4731, 4727, 4754, 4744, 4759, 4779, 4790, 4783\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4731\"}},{\"match_phrase\":{\"event.code\":\"4727\"}},{\"match_phrase\":{\"event.code\":\"4754\"}},{\"match_phrase\":{\"event.code\":\"4744\"}},{\"match_phrase\":{\"event.code\":\"4759\"}},{\"match_phrase\":{\"event.code\":\"4779\"}},{\"match_phrase\":{\"event.code\":\"4790\"}},{\"match_phrase\":{\"event.code\":\"4783\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Groups Created - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Group\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"group.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Performer 
LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":4,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":5,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Groups Created - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-98884120-f49d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.2/kibana/visualization/system-99381c80-4d60-11e7-9a4c-ed99bbcaa42b.json b/packages/system/0.11.2/kibana/visualization/system-99381c80-4d60-11e7-9a4c-ed99bbcaa42b.json deleted file mode 100644 index 66e166e22e..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-99381c80-4d60-11e7-9a4c-ed99bbcaa42b.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Interfaces by Incoming traffic [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"id\":\"44596d40-4d60-11e7-9a4c-ed99bbcaa42b\"}],\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.network\\\"\"},\"id\":\"42ceae90-4d60-11e7-9a4c-ed99bbcaa42b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"42ced5a0-4d60-11e7-9a4c-ed99bbcaa42b\",\"label\":\"Interfaces by Incoming traffic\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.in.bytes\",\"id\":\"42ced5a1-4d60-11e7-9a4c-ed99bbcaa42b\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"terms_order_by\":\"42ced5a1-4d60-11e7-9a4c-ed99bbcaa42b\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Interfaces by Incoming traffic [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-99381c80-4d60-11e7-9a4c-ed99bbcaa42b", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.2/kibana/visualization/system-9dd22440-ff1d-11e9-8405-516218e3d268.json b/packages/system/0.11.2/kibana/visualization/system-9dd22440-ff1d-11e9-8405-516218e3d268.json deleted file mode 100644 index aa6560812c..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-9dd22440-ff1d-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users locked Out - TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(102,102,102,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"((data_stream.dataset:windows.security OR data_stream.dataset:system.security) AND event.code: \\\"4740\\\")\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Locked Out\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users locked Out - TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-9dd22440-ff1d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.2/kibana/visualization/system-9e534190-f49d-11e9-8405-516218e3d268.json b/packages/system/0.11.2/kibana/visualization/system-9e534190-f49d-11e9-8405-516218e3d268.json deleted file mode 100644 index d81092dc2b..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-9e534190-f49d-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4735\",\"4737\",\"4755\",\"4750\",\"4760\",\"4745\",\"4791\",\"4784\",\"4764\"],\"type\":\"phrases\",\"value\":\"4735, 4737, 4755, 4750, 4760, 4745, 4791, 4784, 4764\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4735\"}},{\"match_phrase\":{\"event.code\":\"4737\"}},{\"match_phrase\":{\"event.code\":\"4755\"}},{\"match_phrase\":{\"event.code\":\"4750\"}},{\"match_phrase\":{\"event.code\":\"4760\"}},{\"match_phrase\":{\"event.code\":\"4745\"}},{\"match_phrase\":{\"event.code\":\"4791\"}},{\"match_phrase\":{\"event.code\":\"4784\"}},{\"match_phrase\":{\"event.code\":\"4764\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Group Changes - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Group\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"group.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Performer 
LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":4,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":5,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Group Changes - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-9e534190-f49d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.2/kibana/visualization/system-Event-Levels.json b/packages/system/0.11.2/kibana/visualization/system-Event-Levels.json deleted file mode 100644 index 80ebd07044..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-Event-Levels.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system OR data_stream.dataset:system.application OR data_stream.dataset:system.security OR data_stream.dataset:system.system)\"}}" - }, - "title": "Event Levels [Windows Overview]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Log Levels\",\"field\":\"log.level\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Event Levels [Windows Overview]\",\"type\":\"table\"}" - }, - "id": "windows-Event-Levels", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-Navigation.json b/packages/system/0.11.2/kibana/visualization/system-Navigation.json deleted file mode 100644 index d996678974..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-Navigation.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "System Navigation [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"[System Overview](#/dashboard/system-Metrics-system-overview) | [Host Overview](#/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8)\"},\"title\":\"System Navigation [Metrics System]\",\"type\":\"markdown\"}" - }, - "id": "system-Navigation", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-Number-of-Events-Over-Time-By-Event-Log.json b/packages/system/0.11.2/kibana/visualization/system-Number-of-Events-Over-Time-By-Event-Log.json deleted file mode 100644 index cb42f617bc..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-Number-of-Events-Over-Time-By-Event-Log.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system OR data_stream.dataset:system.application OR data_stream.dataset:system.security OR data_stream.dataset:system.system)\"}}" - }, - "title": "Number of Events Over Time By Channel [Windows Overview]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"timeRange\":{\"from\":\"now-15d\",\"mode\":\"relative\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Channel\",\"field\":\"winlog.channel\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":6},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"dimensions\":{\"series\":[{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketL
abel\":\"Other\"}},\"params\":{}}],\"x\":{\"accessor\":0,\"aggType\":\"date_histogram\",\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD HH:mm\"}},\"params\":{\"bounds\":{\"max\":\"2019-02-05T04:30:25.961Z\",\"min\":\"2019-01-21T04:30:25.961Z\"},\"date\":true,\"format\":\"YYYY-MM-DD HH:mm\",\"interval\":43200000}},\"y\":[{\"accessor\":2,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"Number of Events Over Time By Channel [Windows Overview]\",\"type\":\"histogram\"}" - }, - "id": "windows-Number-of-Events-Over-Time-By-Event-Log", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-Number-of-Events.json b/packages/system/0.11.2/kibana/visualization/system-Number-of-Events.json deleted file mode 100644 index 34ecef7340..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-Number-of-Events.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system OR data_stream.dataset:system.application OR data_stream.dataset:system.security OR data_stream.dataset:system.system)\"}}" - }, - "title": "Number of Events [Windows Overview]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"fontSize\":60},\"type\":\"metric\"}" - }, - "id": "windows-Number-of-Events", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-Sources.json b/packages/system/0.11.2/kibana/visualization/system-Sources.json deleted file mode 100644 index b58d86fd65..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-Sources.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system OR data_stream.dataset:system.application OR data_stream.dataset:system.security OR data_stream.dataset:system.system)\"}}" - }, - "title": "Sources (Provider Names) [Windows Overview]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"winlog.provider_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":7},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"shareYAxis\":true,\"type\":\"pie\"},\"title\":\"Sources (Provider Names) [Windows Overview]\",\"type\":\"pie\"}" - }, - "id": "windows-Sources", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.2/kibana/visualization/system-Syslog-events-by-hostname.json b/packages/system/0.11.2/kibana/visualization/system-Syslog-events-by-hostname.json deleted file mode 100644 index 97fdb33425..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-Syslog-events-by-hostname.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Syslog events by hostname [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"host.hostname\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"Syslog events by hostname\",\"type\":\"histogram\"}" - }, - "id": "system-Syslog-events-by-hostname", - "references": [ - { - "id": "system-Syslog-system-logs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-Syslog-hostnames-and-processes.json b/packages/system/0.11.2/kibana/visualization/system-Syslog-hostnames-and-processes.json deleted file mode 100644 index 3fe992e28b..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-Syslog-hostnames-and-processes.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Syslog hostnames and processes [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"host.hostname\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"process.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"legendPosition\":\"bottom\",\"shareYAxis\":true},\"title\":\"Syslog hostnames and processes\",\"type\":\"pie\"}" - }, - "id": "system-Syslog-hostnames-and-processes", - "references": [ - { - "id": "system-Syslog-system-logs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-Top-Event-IDs.json b/packages/system/0.11.2/kibana/visualization/system-Top-Event-IDs.json deleted file mode 100644 index 0b4d5b0b54..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-Top-Event-IDs.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system OR data_stream.dataset:system.application OR data_stream.dataset:system.security OR data_stream.dataset:system.system)\"}}" - }, - "title": "Top Event IDs [Windows Overview]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event IDs\",\"field\":\"winlog.event_id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Event IDs [Windows Overview]\",\"type\":\"table\"}" - }, - "id": "windows-Top-Event-IDs", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-a13bf640-fee8-11e9-8405-516218e3d268.json b/packages/system/0.11.2/kibana/visualization/system-a13bf640-fee8-11e9-8405-516218e3d268.json deleted file mode 100644 index 8337095049..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-a13bf640-fee8-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4732\",\"4728\",\"4756\",\"4751\",\"4761\",\"4746\",\"4785\",\"4787\"],\"type\":\"phrases\",\"value\":\"4732, 4728, 4756, 4751, 4761, 4746, 4785, 4787\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4732\"}},{\"match_phrase\":{\"event.code\":\"4728\"}},{\"match_phrase\":{\"event.code\":\"4756\"}},{\"match_phrase\":{\"event.code\":\"4751\"}},{\"match_phrase\":{\"event.code\":\"4761\"}},{\"match_phrase\":{\"event.code\":\"4746\"}},{\"match_phrase\":{\"event.code\":\"4785\"}},{\"match_phrase\":{\"event.code\":\"4787\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Added - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Users Added to 
Groups\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Reds\",\"colorsRange\":[{\"from\":0,\"to\":1,\"type\":\"range\"},{\"from\":1,\"to\":5},{\"from\":5,\"to\":10},{\"from\":10,\"to\":15},{\"from\":15,\"to\":20},{\"from\":20,\"to\":9999}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"Labels\",\"percentageMode\":false,\"style\":{\"bgColor\":true,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Added - Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-a13bf640-fee8-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-a3c3f350-9b6d-11ea-87e4-49f31ec44891.json b/packages/system/0.11.2/kibana/visualization/system-a3c3f350-9b6d-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 40e5998021..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-a3c3f350-9b6d-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Dashboard links [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"[Windows Overview](#/dashboard/Windows-Dashboard) | [User Logon Information](#/dashboard/windows-bae11b00-9bfc-11ea-87e4-49f31ec44891) | [Logon Failed and Account Lockout](#/dashboard/windows-d401ef40-a7d5-11e9-a422-d144027429da) | [User Management Events](#/dashboard/windows-71f720f0-ff18-11e9-8405-516218e3d268) | [Group Management Events](#/dashboard/windows-bb858830-f412-11e9-8405-516218e3d268)\",\"openLinksInNewTab\":false},\"title\":\"Dashboard links [Windows System Security]\",\"type\":\"markdown\"}" - }, - "id": "windows-a3c3f350-9b6d-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-a5f664c0-f49a-11e9-8405-516218e3d268.json b/packages/system/0.11.2/kibana/visualization/system-a5f664c0-f49a-11e9-8405-516218e3d268.json deleted file mode 100644 index 920ea3a521..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-a5f664c0-f49a-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Removed - TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"bfcaced0-f419-11e9-928e-8f5fd2b6c66e\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(228,155,75,1)\",\"id\":\"11604700-9b51-11ea-99a1-e5b989979a59\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code:4733 OR event.code:4729 OR event.code:4788 OR event.code:4786 OR event.code:4752 OR event.code:4762 OR event.code:4747\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Removed from Group\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Removed - TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-a5f664c0-f49a-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.2/kibana/visualization/system-a79395f0-6aba-11ea-896f-0d70f7ec3956.json b/packages/system/0.11.2/kibana/visualization/system-a79395f0-6aba-11ea-896f-0d70f7ec3956.json deleted file mode 100644 index 5353bdc134..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-a79395f0-6aba-11ea-896f-0d70f7ec3956.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Blocked Accounts TSVB [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"color\":\"rgba(51,51,51,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(102,102,102,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4740\\\"\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Blocked Accounts\",\"line_width\":1,\"metrics\":[{\"field\":\"user.name\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"cardinality\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Blocked Accounts TSVB [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-a79395f0-6aba-11ea-896f-0d70f7ec3956", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.2/kibana/visualization/system-a909b930-685f-11ea-896f-0d70f7ec3956.json b/packages/system/0.11.2/kibana/visualization/system-a909b930-685f-11ea-896f-0d70f7ec3956.json deleted file mode 100644 index 4763c28e8b..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-a909b930-685f-11ea-896f-0d70f7ec3956.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Logon Events Timeline [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4672\\\" or event.code: \\\"4624\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(226,115,0,1)\",\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4672\\\"\"},\"id\":\"7560ee50-685f-11ea-8d46-c19e41702dd4\",\"label\":\"Admin logons\"},{\"color\":\"rgba(164,221,243,1)\",\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4624\\\"\"},\"id\":\"80e7fb10-685f-11ea-8d46-c19e41702dd4\",\"label\":\"Logon Events\"}],\"split_mode\":\"filters\",\"stacked\":\"none\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"Logon Events Timeline [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-a909b930-685f-11ea-896f-0d70f7ec3956", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.2/kibana/visualization/system-aa31c9d0-9b75-11ea-87e4-49f31ec44891.json b/packages/system/0.11.2/kibana/visualization/system-aa31c9d0-9b75-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 1dc4eee51a..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-aa31c9d0-9b75-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "User Management Events - Affected Users vs Actions - Heatmap [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Target User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Blues\",\"colorsNumber\":4,\"colorsRange\":[],\"enableHover\":false,\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"type\":\"heatmap\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"black\",\"overwriteColor\":false,\"rotate\":0,\"show\":true},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"User Management Events - Affected Users vs Actions - Heatmap [Windows System Security]\",\"type\":\"heatmap\"}" - }, - "id": "windows-aa31c9d0-9b75-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - 
"name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-ab2d1e90-1b1a-11e7-b09e-037021c4f8df.json b/packages/system/0.11.2/kibana/visualization/system-ab2d1e90-1b1a-11e7-b09e-037021c4f8df.json deleted file mode 100644 index 2dd21f0794..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-ab2d1e90-1b1a-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "CPU Usage [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.cpu\\\"\"},\"id\":\"80a04950-1b19-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"80a04951-1b19-11e7-b09e-037021c4f8df\",\"label\":\"user\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.user.pct\",\"id\":\"80a04952-1b19-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(211,49,21,1)\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"993acf30-1b19-11e7-b09e-037021c4f8df\",\"label\":\"system\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.system.pct\",\"id\":\"993acf31-1b19-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(123,100,255,1)\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"65ca35e0-1b1a-11e7-b09e-037021c4f8df\",\"label\":\"nice\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.nice.pct\",\"id\":\"65ca5cf0-1b1a-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(226,
115,0,1)\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"741b5f20-1b1a-11e7-b09e-037021c4f8df\",\"label\":\"irq\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.irq.pct\",\"id\":\"741b5f21-1b1a-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(176,188,0,1)\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"2efc5d40-1b1a-11e7-b09e-037021c4f8df\",\"label\":\"softirq\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.softirq.pct\",\"id\":\"2efc5d41-1b1a-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(15,20,25,1)\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"ae644a30-1b19-11e7-b09e-037021c4f8df\",\"label\":\"iowait\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.iowait.pct\",\"id\":\"ae644a31-1b19-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"CPU Usage [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-ab2d1e90-1b1a-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-ab6f8d80-bce8-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.11.2/kibana/visualization/system-ab6f8d80-bce8-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index b6cba2acef..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-ab6f8d80-bce8-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4767\"],\"type\":\"phrases\",\"value\":\"4767\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4767\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Unlocked Users - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Users Unlocks\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Unlocked Users - Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-ab6f8d80-bce8-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": 
"visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-abd44840-9c0f-11ea-87e4-49f31ec44891.json b/packages/system/0.11.2/kibana/visualization/system-abd44840-9c0f-11ea-87e4-49f31ec44891.json deleted file mode 100644 index 054ff48881..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-abd44840-9c0f-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4624\",\"4672\"],\"type\":\"phrases\",\"value\":\"4624, 4672\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4624\"}},{\"match_phrase\":{\"event.code\":\"4672\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Logon Events in Time - Simple [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Admin Logons\":\"#E24D42\",\"Logon Events\":\"#447EBC\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"2020-05-20T07:35:27.496Z\",\"to\":\"2020-05-22T00:01:10.239Z\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"filters\":[{\"input\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4624\\\" \"},\"label\":\"Logon Events\"},{\"input\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4672\\\" \"},\"label\":\"Admin 
Logons\"}]},\"schema\":\"group\",\"type\":\"filters\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Logon Events in Time - Simple [Windows System Security]\",\"type\":\"line\"}" - }, - "id": "windows-abd44840-9c0f-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-abf96c10-bcea-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.11.2/kibana/visualization/system-abf96c10-bcea-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index a9023084a8..0000000000 
--- a/packages/system/0.11.2/kibana/visualization/system-abf96c10-bcea-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4738\"},\"type\":\"phrase\",\"value\":\"4738\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4738\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Changes Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Changed User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Changes Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-abf96c10-bcea-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-b5f38780-fee6-11e9-8405-516218e3d268.json b/packages/system/0.11.2/kibana/visualization/system-b5f38780-fee6-11e9-8405-516218e3d268.json deleted file mode 100644 index a5489335cf..0000000000 
--- a/packages/system/0.11.2/kibana/visualization/system-b5f38780-fee6-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4735\",\"4737\",\"4755\",\"4750\",\"4760\",\"4745\",\"4791\",\"4784\",\"4764\"],\"type\":\"phrases\",\"value\":\"4735, 4737, 4755, 4750, 4760, 4745, 4791, 4784, 4764\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4735\"}},{\"match_phrase\":{\"event.code\":\"4737\"}},{\"match_phrase\":{\"event.code\":\"4755\"}},{\"match_phrase\":{\"event.code\":\"4750\"}},{\"match_phrase\":{\"event.code\":\"4760\"}},{\"match_phrase\":{\"event.code\":\"4745\"}},{\"match_phrase\":{\"event.code\":\"4791\"}},{\"match_phrase\":{\"event.code\":\"4784\"}},{\"match_phrase\":{\"event.code\":\"4764\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Groups Changes - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Groups Changed\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Yellow to 
Red\",\"colorsRange\":[{\"from\":0,\"to\":1,\"type\":\"range\"},{\"from\":1,\"to\":5},{\"from\":5,\"to\":10},{\"from\":10,\"to\":15},{\"from\":15,\"to\":20},{\"from\":20,\"to\":100000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"Labels\",\"percentageMode\":false,\"style\":{\"bgColor\":true,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Groups Changes - Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-b5f38780-fee6-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-b89b0c90-9b41-11ea-87e4-49f31ec44891.json b/packages/system/0.11.2/kibana/visualization/system-b89b0c90-9b41-11ea-87e4-49f31ec44891.json deleted file mode 100644 index b3357604ea..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-b89b0c90-9b41-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Group Management Events - Event Actions [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Group Management Events - Event Actions [Windows System Security]\",\"type\":\"pie\"}" - }, - "id": "windows-b89b0c90-9b41-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-bb9cf7a0-f49d-11e9-8405-516218e3d268.json b/packages/system/0.11.2/kibana/visualization/system-bb9cf7a0-f49d-11e9-8405-516218e3d268.json deleted file mode 100644 index b3122f32a9..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-bb9cf7a0-f49d-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4734\",\"4730\",\"4758\",\"4748\",\"4763\",\"4753\",\"4792\",\"4789\"],\"type\":\"phrases\",\"value\":\"4734, 4730, 4758, 4748, 4763, 4753, 4792, 4789\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4734\"}},{\"match_phrase\":{\"event.code\":\"4730\"}},{\"match_phrase\":{\"event.code\":\"4758\"}},{\"match_phrase\":{\"event.code\":\"4748\"}},{\"match_phrase\":{\"event.code\":\"4763\"}},{\"match_phrase\":{\"event.code\":\"4753\"}},{\"match_phrase\":{\"event.code\":\"4792\"}},{\"match_phrase\":{\"event.code\":\"4789\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Groups Deleted - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Group\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"group.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Performer 
LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":4,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":5,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Groups Deleted - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-bb9cf7a0-f49d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.2/kibana/visualization/system-bc165210-f4b8-11e9-8405-516218e3d268.json b/packages/system/0.11.2/kibana/visualization/system-bc165210-f4b8-11e9-8405-516218e3d268.json deleted file mode 100644 index 04eba5572b..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-bc165210-f4b8-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4799\"],\"type\":\"phrases\",\"value\":\"4799\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4799\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Group Enumeration - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Group\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"group.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Creator\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Creator 
LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":4,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":5,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Group Enumeration - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-bc165210-f4b8-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.2/kibana/visualization/system-bf45dc50-ff1a-11e9-8405-516218e3d268.json b/packages/system/0.11.2/kibana/visualization/system-bf45dc50-ff1a-11e9-8405-516218e3d268.json
deleted file mode 100644
index cfa442464c..0000000000
--- a/packages/system/0.11.2/kibana/visualization/system-bf45dc50-ff1a-11e9-8405-516218e3d268.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Enabled - TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(203,142,136,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4722\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Enabled\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Enabled - TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-bf45dc50-ff1a-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.2/kibana/visualization/system-bfa5e400-1b16-11e7-b09e-037021c4f8df.json b/packages/system/0.11.2/kibana/visualization/system-bfa5e400-1b16-11e7-b09e-037021c4f8df.json
deleted file mode 100644
index 50aa47d6d7..0000000000
--- a/packages/system/0.11.2/kibana/visualization/system-bfa5e400-1b16-11e7-b09e-037021c4f8df.json
+++ /dev/null
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Memory Usage [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.memory\\\"\"},\"id\":\"32f46f40-1b16-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(211,49,21,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"4ff61fd0-1b16-11e7-b09e-037021c4f8df\",\"label\":\"Used\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.actual.used.bytes\",\"id\":\"4ff61fd1-1b16-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"753a6080-1b16-11e7-b09e-037021c4f8df\",\"label\":\"Cache\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.actual.used.bytes\",\"id\":\"753a6081-1b16-11e7-b09e-037021c4f8df\",\"type\":\"avg\"},{\"field\":\"system.memory.used.bytes\",\"id\":\"7c9d3f00-1b16-11e7-b09e-037021c4f8df\",\"type\":\"avg\"},{\"id\":\"869cc160-1b16-11e7-b09e-037021c4f8df\",\"script\":\"params.actual != null \\u0026\\u0026 params.used != null ? 
params.used - params.actual : null\",\"type\":\"calculation\",\"variables\":[{\"field\":\"753a6081-1b16-11e7-b09e-037021c4f8df\",\"id\":\"890f9620-1b16-11e7-b09e-037021c4f8df\",\"name\":\"actual\"},{\"field\":\"7c9d3f00-1b16-11e7-b09e-037021c4f8df\",\"id\":\"8f3ab7f0-1b16-11e7-b09e-037021c4f8df\",\"name\":\"used\"}]}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"32f46f41-1b16-11e7-b09e-037021c4f8df\",\"label\":\"Free\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.free\",\"id\":\"32f46f42-1b16-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"Memory Usage [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-bfa5e400-1b16-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-c2ea73f0-a4bd-11e9-a422-d144027429da.json b/packages/system/0.11.2/kibana/visualization/system-c2ea73f0-a4bd-11e9-a422-d144027429da.json deleted file mode 100644 index a5502e1ded..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-c2ea73f0-a4bd-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Failed Logon and Account Lockout [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":10,\"markdown\":\"### **Failed Logons and Account Lockouts**\",\"openLinksInNewTab\":false},\"title\":\"Failed Logon and Account Lockout [Windows System Security]\",\"type\":\"markdown\"}" - }, - "id": "windows-c2ea73f0-a4bd-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-c359b020-bcdd-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.11.2/kibana/visualization/system-c359b020-bcdd-11e9-b6a2-c9b4015c4baf.json deleted file mode 100644 index e3028daa19..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-c359b020-bcdd-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4726\"},\"type\":\"phrase\",\"value\":\"4726\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4726\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Deleted - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Deleted Users\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Deleted - Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-c359b020-bcdd-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ 
No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-c5e3cf90-4d60-11e7-9a4c-ed99bbcaa42b.json b/packages/system/0.11.2/kibana/visualization/system-c5e3cf90-4d60-11e7-9a4c-ed99bbcaa42b.json deleted file mode 100644 index bbdd02df29..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-c5e3cf90-4d60-11e7-9a4c-ed99bbcaa42b.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Interfaces by Outgoing traffic [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"id\":\"9db20be0-4d60-11e7-9a4c-ed99bbcaa42b\"}],\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.network\\\"\"},\"id\":\"9cdba910-4d60-11e7-9a4c-ed99bbcaa42b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"9cdba911-4d60-11e7-9a4c-ed99bbcaa42b\",\"label\":\"Interfaces by Outgoing traffic\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.out.bytes\",\"id\":\"9cdba912-4d60-11e7-9a4c-ed99bbcaa42b\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"terms_order_by\":\"9cdba912-4d60-11e7-9a4c-ed99bbcaa42b\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Interfaces by Outgoing traffic [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-c5e3cf90-4d60-11e7-9a4c-ed99bbcaa42b", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.2/kibana/visualization/system-c6f2ffd0-4d17-11e7-a196-69b9a7a020a9.json b/packages/system/0.11.2/kibana/visualization/system-c6f2ffd0-4d17-11e7-a196-69b9a7a020a9.json deleted file mode 100644 index a781526538..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-c6f2ffd0-4d17-11e7-a196-69b9a7a020a9.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Number of hosts [Metrics System]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Number of hosts\",\"field\":\"host.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":false},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"63\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"type\":\"gauge\"},\"title\":\"Number of hosts [Metrics System]\",\"type\":\"metric\"}" - }, - "id": "system-c6f2ffd0-4d17-11e7-a196-69b9a7a020a9", - "references": [ - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.2/kibana/visualization/system-c9d959f0-ff1d-11e9-8405-516218e3d268.json b/packages/system/0.11.2/kibana/visualization/system-c9d959f0-ff1d-11e9-8405-516218e3d268.json
deleted file mode 100644
index 40d898c6e3..0000000000
--- a/packages/system/0.11.2/kibana/visualization/system-c9d959f0-ff1d-11e9-8405-516218e3d268.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Changes TS VB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(221,186,64,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4738\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Changes\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Changes TS VB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-c9d959f0-ff1d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.2/kibana/visualization/system-caf4d2b0-9b76-11ea-87e4-49f31ec44891.json b/packages/system/0.11.2/kibana/visualization/system-caf4d2b0-9b76-11ea-87e4-49f31ec44891.json
deleted file mode 100644
index f179ea214d..0000000000
--- a/packages/system/0.11.2/kibana/visualization/system-caf4d2b0-9b76-11ea-87e4-49f31ec44891.json
+++ /dev/null
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Event Distribution in time [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-7d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"p
osition\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Event Distribution in time [Windows System Security]\",\"type\":\"histogram\"}" - }, - "id": "windows-caf4d2b0-9b76-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-ce867840-f49e-11e9-8405-516218e3d268.json b/packages/system/0.11.2/kibana/visualization/system-ce867840-f49e-11e9-8405-516218e3d268.json deleted file mode 100644 index 7ff817a3ea..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-ce867840-f49e-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4732\",\"4728\",\"4756\",\"4751\",\"4761\",\"4746\",\"4785\",\"4787\"],\"type\":\"phrases\",\"value\":\"4732, 4728, 4756, 4751, 4761, 4746, 4785, 4787\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4732\"}},{\"match_phrase\":{\"event.code\":\"4728\"}},{\"match_phrase\":{\"event.code\":\"4756\"}},{\"match_phrase\":{\"event.code\":\"4751\"}},{\"match_phrase\":{\"event.code\":\"4761\"}},{\"match_phrase\":{\"event.code\":\"4746\"}},{\"match_phrase\":{\"event.code\":\"4785\"}},{\"match_phrase\":{\"event.code\":\"4787\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Added - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"User\",\"field\":\"winlog.event_data.MemberName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Group\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"group.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Performed by Logon 
ID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":4,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":5,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":5,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Added - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-ce867840-f49e-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No 
newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-d16bb400-f9cc-11e6-8115-a7c18106d86a.json b/packages/system/0.11.2/kibana/visualization/system-d16bb400-f9cc-11e6-8115-a7c18106d86a.json deleted file mode 100644 index 7d3a140c7b..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-d16bb400-f9cc-11e6-8115-a7c18106d86a.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.ssh.event:Accepted\"}}" - }, - "title": "Successful SSH logins [Logs System]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Accepted\":\"#3F6833\",\"Failed\":\"#F9934E\",\"Invalid\":\"#447EBC\",\"password\":\"#BF1B00\",\"publickey\":\"#629E51\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"system.auth.ssh.method\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"Successful SSH logins\",\"type\":\"histogram\"}" - }, - "id": "system-d16bb400-f9cc-11e6-8115-a7c18106d86a", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.2/kibana/visualization/system-d2e80340-4d5c-11e7-aa29-87a97a796de6.json b/packages/system/0.11.2/kibana/visualization/system-d2e80340-4d5c-11e7-aa29-87a97a796de6.json
deleted file mode 100644
index 409529a0d5..0000000000
--- a/packages/system/0.11.2/kibana/visualization/system-d2e80340-4d5c-11e7-aa29-87a97a796de6.json
+++ /dev/null
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Memory usage vs total [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"6f7618b0-4d5c-11e7-aa29-87a97a796de6\"}],\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.memory\\\"\"},\"id\":\"6bc65720-4d5c-11e7-aa29-87a97a796de6\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"6bc65721-4d5c-11e7-aa29-87a97a796de6\",\"label\":\"Memory usage\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.actual.used.bytes\",\"id\":\"6bc65722-4d5c-11e7-aa29-87a97a796de6\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"b8fe6820-4d5c-11e7-aa29-87a97a796de6\",\"label\":\"Total Memory\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.total\",\"id\":\"b8fe6821-4d5c-11e7-aa29-87a97a796de6\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"metric\"},\"title\":\"Memory usage vs total\",\"type\":\"metrics\"}" - }, - "id": "system-d2e80340-4d5c-11e7-aa29-87a97a796de6", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.2/kibana/visualization/system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b.json b/packages/system/0.11.2/kibana/visualization/system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b.json
deleted file mode 100644
index bc6234f906..0000000000
--- a/packages/system/0.11.2/kibana/visualization/system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "title": "Memory Usage Gauge [Metrics System]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.memory\\\"\"},\"gauge_color_rules\":[{\"gauge\":\"rgba(104,188,0,1)\",\"id\":\"a0d522e0-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0},{\"gauge\":\"rgba(254,146,0,1)\",\"id\":\"b45ad8f0-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0.7},{\"gauge\":\"rgba(211,49,21,1)\",\"id\":\"c06e9550-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0.85}],\"gauge_inner_width\":10,\"gauge_max\":\"1\",\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"9f51b730-1b91-11e7-bec4-a5e9ec5cab8b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"9f51b731-1b91-11e7-bec4-a5e9ec5cab8b\",\"label\":\"Memory Usage\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.actual.used.pct\",\"id\":\"9f51b732-1b91-11e7-bec4-a5e9ec5cab8b\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\"},\"title\":\"Memory Usage Gauge [Metrics System]\",\"type\":\"metrics\"}"
- },
- "id": "system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b",
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/system/0.11.2/kibana/visualization/system-d3a5fec0-ff18-11e9-8405-516218e3d268.json b/packages/system/0.11.2/kibana/visualization/system-d3a5fec0-ff18-11e9-8405-516218e3d268.json
deleted file mode 100644
index 4fbf0e757e..0000000000
--- a/packages/system/0.11.2/kibana/visualization/system-d3a5fec0-ff18-11e9-8405-516218e3d268.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{}"
- },
- "title": "Users Created - TSVB Metric [Windows System Security]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(181,99,93,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4720\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Created\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Created - TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}"
- },
- "id": "windows-d3a5fec0-ff18-11e9-8405-516218e3d268",
- "migrationVersion": {
- "visualization": "7.10.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/system/0.11.2/kibana/visualization/system-d56ee420-fa79-11e6-a1df-a78bd7504d38.json b/packages/system/0.11.2/kibana/visualization/system-d56ee420-fa79-11e6-a1df-a78bd7504d38.json
deleted file mode 100644
index 4a1a669662..0000000000
--- a/packages/system/0.11.2/kibana/visualization/system-d56ee420-fa79-11e6-a1df-a78bd7504d38.json
+++ /dev/null
@@ -1,22 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[]}"
- },
- "savedSearchRefName": "search_0",
- "title": "New users by home directory [Logs System]",
- "uiStateJSON": "{\"vis\":{\"colors\":{\"/bin/bash\":\"#E24D42\",\"/bin/false\":\"#508642\",\"/nonexistent\":\"#629E51\",\"/sbin/nologin\":\"#7EB26D\"},\"legendOpen\":true}}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"system.auth.useradd.home\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":false,\"legendPosition\":\"right\"},\"title\":\"New users by home directory\",\"type\":\"pie\"}"
- },
- "id": "system-d56ee420-fa79-11e6-a1df-a78bd7504d38",
- "references": [
- {
- "id": "system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/system/0.11.2/kibana/visualization/system-d770b040-9b35-11ea-87e4-49f31ec44891.json b/packages/system/0.11.2/kibana/visualization/system-d770b040-9b35-11ea-87e4-49f31ec44891.json
deleted file mode 100644
index be99e9e1a7..0000000000
--- a/packages/system/0.11.2/kibana/visualization/system-d770b040-9b35-11ea-87e4-49f31ec44891.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system OR data_stream.dataset:system.application OR data_stream.dataset:system.security OR data_stream.dataset:system.system)\"}}"
- },
- "title": "Dashboard links - Simple [Windows System Security]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"[Windows General Dashboard](#/dashboard/Windows-Dashboard) | [User Logon Information](#/dashboard/windows-035846a0-a249-11e9-a422-d144027429da?) | [Logon failed and Account Lockout](#/dashboard/windows-f49f3170-9ffc-11ea-87e4-49f31ec44891) | [User Management Events](#/dashboard/windows-8223bed0-b9e9-11e9-b6a2-c9b4015c4baf) | [Group Management Events](#/dashboard/windows-01c54730-fee6-11e9-8405-516218e3d268)\",\"openLinksInNewTab\":false},\"title\":\"Dashboard links - Simple [Windows System Security]\",\"type\":\"markdown\"}"
- },
- "id": "windows-d770b040-9b35-11ea-87e4-49f31ec44891",
- "migrationVersion": {
- "visualization": "7.10.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/system/0.11.2/kibana/visualization/system-da2110c0-bcea-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.11.2/kibana/visualization/system-da2110c0-bcea-11e9-b6a2-c9b4015c4baf.json
deleted file mode 100644
index 29b2307260..0000000000
--- a/packages/system/0.11.2/kibana/visualization/system-da2110c0-bcea-11e9-b6a2-c9b4015c4baf.json
+++ /dev/null
@@ -1,32 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4767\"},\"type\":\"phrase\",\"value\":\"4767\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4767\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}"
- },
- "title": "Unlocked Users - Table [Windows System Security]",
- "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Unlocked User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer Logonid\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Unlocked Users - Table [Windows System Security]\",\"type\":\"table\"}"
- },
- "id": "windows-da2110c0-bcea-11e9-b6a2-c9b4015c4baf",
- "migrationVersion": {
- "visualization": "7.10.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/system/0.11.2/kibana/visualization/system-da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.11.2/kibana/visualization/system-da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf.json
deleted file mode 100644
index 27533dc793..0000000000
--- a/packages/system/0.11.2/kibana/visualization/system-da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf.json
+++ /dev/null
@@ -1,32 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4723\",\"4724\"],\"type\":\"phrases\",\"value\":\"4723, 4724\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4723\"}},{\"match_phrase\":{\"event.code\":\"4724\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}"
- },
- "title": "Users Password Changes - Table [Windows System Security]",
- "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Password Change to\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Password Changes - Table [Windows System Security]\",\"type\":\"table\"}"
- },
- "id": "windows-da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf",
- "migrationVersion": {
- "visualization": "7.10.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/system/0.11.2/kibana/visualization/system-dc589770-fa2b-11e6-bbd3-29c986c96e5a.json b/packages/system/0.11.2/kibana/visualization/system-dc589770-fa2b-11e6-bbd3-29c986c96e5a.json
deleted file mode 100644
index 16dd4ec2e5..0000000000
--- a/packages/system/0.11.2/kibana/visualization/system-dc589770-fa2b-11e6-bbd3-29c986c96e5a.json
+++ /dev/null
@@ -1,22 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[]}"
- },
- "savedSearchRefName": "search_0",
- "title": "Top sudo commands [Logs System]",
- "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"system.auth.sudo.command\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.auth\\\"\"},\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top sudo commands\",\"type\":\"table\"}"
- },
- "id": "system-dc589770-fa2b-11e6-bbd3-29c986c96e5a",
- "references": [
- {
- "id": "system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/system/0.11.2/kibana/visualization/system-e0f001c0-1b18-11e7-b09e-037021c4f8df.json b/packages/system/0.11.2/kibana/visualization/system-e0f001c0-1b18-11e7-b09e-037021c4f8df.json
deleted file mode 100644
index 0de4eae928..0000000000
--- a/packages/system/0.11.2/kibana/visualization/system-e0f001c0-1b18-11e7-b09e-037021c4f8df.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "title": "Top Processes By CPU [Metrics System]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"bar_color\":\"rgba(104,188,0,1)\",\"id\":\"60e11be0-1b18-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0}],\"drilldown_url\":\"\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.process\\\"\"},\"id\":\"5f5b8d50-1b18-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"5f5b8d51-1b18-11e7-b09e-037021c4f8df\",\"line_width\":1,\"metrics\":[{\"field\":\"system.process.cpu.total.pct\",\"id\":\"5f5b8d52-1b18-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"process.name\",\"terms_order_by\":\"5f5b8d52-1b18-11e7-b09e-037021c4f8df\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Top Processes By CPU [Metrics System]\",\"type\":\"metrics\"}"
- },
- "id": "system-e0f001c0-1b18-11e7-b09e-037021c4f8df",
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/system/0.11.2/kibana/visualization/system-e121b140-fa78-11e6-a1df-a78bd7504d38.json b/packages/system/0.11.2/kibana/visualization/system-e121b140-fa78-11e6-a1df-a78bd7504d38.json
deleted file mode 100644
index 8bc2dd67ee..0000000000
--- a/packages/system/0.11.2/kibana/visualization/system-e121b140-fa78-11e6-a1df-a78bd7504d38.json
+++ /dev/null
@@ -1,22 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[]}"
- },
- "savedSearchRefName": "search_0",
- "title": "New users by shell [Logs System]",
- "uiStateJSON": "{\"vis\":{\"colors\":{\"/bin/bash\":\"#E24D42\",\"/bin/false\":\"#508642\",\"/sbin/nologin\":\"#7EB26D\"},\"legendOpen\":true}}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"system.auth.useradd.shell\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.auth\\\"\"},\"isDonut\":false,\"legendPosition\":\"right\"},\"title\":\"New users by shell\",\"type\":\"pie\"}"
- },
- "id": "system-e121b140-fa78-11e6-a1df-a78bd7504d38",
- "references": [
- {
- "id": "system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/system/0.11.2/kibana/visualization/system-e20c02d0-9b48-11ea-87e4-49f31ec44891.json b/packages/system/0.11.2/kibana/visualization/system-e20c02d0-9b48-11ea-87e4-49f31ec44891.json
deleted file mode 100644
index 8b24cd66d5..0000000000
--- a/packages/system/0.11.2/kibana/visualization/system-e20c02d0-9b48-11ea-87e4-49f31ec44891.json
+++ /dev/null
@@ -1,28 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "Group Management Events - Groups vs Actions - Heatmap [Windows System Security]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Target Groups\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Actions\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Blues\",\"colorsNumber\":4,\"colorsRange\":[],\"enableHover\":false,\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"type\":\"heatmap\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"black\",\"overwriteColor\":false,\"rotate\":0,\"show\":true},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Group Management Events - Groups vs Actions - Heatmap [Windows System Security]\",\"type\":\"heatmap\"}"
- },
- "id": "windows-e20c02d0-9b48-11ea-87e4-49f31ec44891",
- "migrationVersion": {
- "visualization": "7.10.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/system/0.11.2/kibana/visualization/system-e22c6f40-f498-11e9-8405-516218e3d268.json b/packages/system/0.11.2/kibana/visualization/system-e22c6f40-f498-11e9-8405-516218e3d268.json
deleted file mode 100644
index fa97c1bb70..0000000000
--- a/packages/system/0.11.2/kibana/visualization/system-e22c6f40-f498-11e9-8405-516218e3d268.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{}"
- },
- "title": "Groups Deleted TSVB Metric [Windows System Security]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(200,201,197,1)\",\"id\":\"bfcaced0-f419-11e9-928e-8f5fd2b6c66e\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(228,155,75,1)\",\"id\":\"a7d935e0-f497-11e9-928e-8f5fd2b6c66e\",\"operator\":\"gt\",\"value\":0}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code:4734 OR event.code:4730 OR event.code:4758 OR event.code:4753 OR event.code:4763 OR event.code:4748 OR event.code:4789 OR event.code:4792\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Groups Deleted\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Groups Deleted TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}"
- },
- "id": "windows-e22c6f40-f498-11e9-8405-516218e3d268",
- "migrationVersion": {
- "visualization": "7.10.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/system/0.11.2/kibana/visualization/system-e2516c10-a249-11e9-a422-d144027429da.json b/packages/system/0.11.2/kibana/visualization/system-e2516c10-a249-11e9-a422-d144027429da.json
deleted file mode 100644
index de6a2d6e79..0000000000
--- a/packages/system/0.11.2/kibana/visualization/system-e2516c10-a249-11e9-a422-d144027429da.json
+++ /dev/null
@@ -1,32 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4672\"},\"type\":\"phrase\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4672\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}"
- },
- "title": "Administrator Users [Windows System Security]",
- "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"winlog.logon.id\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"label\":\"user.name: Descending\",\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"cardinality\",\"format\":{\"id\":\"number\"},\"label\":\"Unique count of winlog.logon.id\",\"params\":{}}},\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"bottom\",\"type\":\"pie\"},\"title\":\"Administrator Users [Windows System Security]\",\"type\":\"pie\"}"
- },
- "id": "windows-e2516c10-a249-11e9-a422-d144027429da",
- "migrationVersion": {
- "visualization": "7.10.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/system/0.11.2/kibana/visualization/system-ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.11.2/kibana/visualization/system-ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf.json
deleted file mode 100644
index 92704f61b4..0000000000
--- a/packages/system/0.11.2/kibana/visualization/system-ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf.json
+++ /dev/null
@@ -1,32 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4726\"},\"type\":\"phrase\",\"value\":\"4726\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4726\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}"
- },
- "title": "Users Deleted - Table [Windows System Security]",
- "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Deleted User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performed LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Deleted - Table [Windows System Security]\",\"type\":\"table\"}"
- },
- "id": "windows-ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf",
- "migrationVersion": {
- "visualization": "7.10.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/system/0.11.2/kibana/visualization/system-ee292bc0-f499-11e9-8405-516218e3d268.json b/packages/system/0.11.2/kibana/visualization/system-ee292bc0-f499-11e9-8405-516218e3d268.json
deleted file mode 100644
index 9fe3b6d974..0000000000
--- a/packages/system/0.11.2/kibana/visualization/system-ee292bc0-f499-11e9-8405-516218e3d268.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Groups Created TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(200,201,197,1)\",\"id\":\"bfcaced0-f419-11e9-928e-8f5fd2b6c66e\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(181,99,93,1)\",\"id\":\"a7d935e0-f497-11e9-928e-8f5fd2b6c66e\",\"operator\":\"gt\",\"value\":0}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code:4731 OR event.code:4727 OR event.code:\\\"4754\\\" OR event.code:\\\"4749\\\" OR event.code:\\\"4759\\\" OR event.code:\\\"4744\\\" OR event.code:\\\"4783\\\" OR event.code:\\\"4790\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Groups Created\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Groups Created TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-ee292bc0-f499-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.2/kibana/visualization/system-f398d2f0-fa77-11e6-ae9b-81e5311e8cab.json b/packages/system/0.11.2/kibana/visualization/system-f398d2f0-fa77-11e6-ae9b-81e5311e8cab.json deleted file mode 100644 index 485b755000..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-f398d2f0-fa77-11e6-ae9b-81e5311e8cab.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New users [Logs System]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Host\",\"field\":\"host.hostname\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"User\",\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"UID\",\"field\":\"user.id\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"GID\",\"field\":\"group.id\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Home\",\"field\":\"system.auth.useradd.home\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"Shell\",\"field\":\"system.auth.useradd.shell\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.auth\\\"\"},\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"New users\",\"type\":\"table\"}" - }, - "id": "system-f398d2f0-fa77-11e6-ae9b-81e5311e8cab", - "references": [ - { - "id": 
"system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-f42f3b20-fee6-11e9-8405-516218e3d268.json b/packages/system/0.11.2/kibana/visualization/system-f42f3b20-fee6-11e9-8405-516218e3d268.json deleted file mode 100644 index be6236125f..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-f42f3b20-fee6-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4731\",\"4727\",\"4754\",\"4744\",\"4759\",\"4779\",\"4790\",\"4783\"],\"type\":\"phrases\",\"value\":\"4731, 4727, 4754, 4744, 4759, 4779, 4790, 4783\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4731\"}},{\"match_phrase\":{\"event.code\":\"4727\"}},{\"match_phrase\":{\"event.code\":\"4754\"}},{\"match_phrase\":{\"event.code\":\"4744\"}},{\"match_phrase\":{\"event.code\":\"4759\"}},{\"match_phrase\":{\"event.code\":\"4779\"}},{\"match_phrase\":{\"event.code\":\"4790\"}},{\"match_phrase\":{\"event.code\":\"4783\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Groups Created - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Groups Created\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Reds\",\"colorsRange\":[{\"from\":0,\"to\":1,\"type\":\"range\"},{\"from\":1,\"to\":10},{\"from\":10,\"to\":20},{\"from\":20,\"to\":9999}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"Labels\",\"percentageMode\":false,\"style\":{\"bgColor\":true,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Groups Created - 
Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-f42f3b20-fee6-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-fa876300-231a-11ea-8405-516218e3d268.json b/packages/system/0.11.2/kibana/visualization/system-fa876300-231a-11ea-8405-516218e3d268.json deleted file mode 100644 index 48a9eef8da..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-fa876300-231a-11ea-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4781\"},\"type\":\"phrase\",\"value\":\"4781\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4781\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Renamed - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Old User Name\",\"field\":\"winlog.event_data.OldTargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Renamed - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-fa876300-231a-11ea-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-fe064790-1b1f-11e7-bec4-a5e9ec5cab8b.json b/packages/system/0.11.2/kibana/visualization/system-fe064790-1b1f-11e7-bec4-a5e9ec5cab8b.json deleted file mode 100644 index 86576781aa..0000000000 
--- a/packages/system/0.11.2/kibana/visualization/system-fe064790-1b1f-11e7-bec4-a5e9ec5cab8b.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Top Hosts By Memory (Realtime) [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"bar_color\":\"rgba(104,188,0,1)\",\"id\":\"33349dd0-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0},{\"bar_color\":\"rgba(254,146,0,1)\",\"id\":\"997dc440-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.6},{\"bar_color\":\"rgba(211,49,21,1)\",\"id\":\"a10d7f20-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.85}],\"drilldown_url\":\"../app/kibana#/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8?_a=(query:(language:kuery,query:'host.name:\\\"{{key}}\\\"'))\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.memory\\\"\"},\"id\":\"31e5afa0-1b1c-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"31e5afa1-1b1c-11e7-b09e-037021c4f8df\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.actual.used.pct\",\"id\":\"31e5afa2-1b1c-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"host.name\",\"terms_order_by\":\"31e5afa2-1b1c-11e7-b09e-037021c4f8df\",\"terms_size\":\"10\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Top Hosts By Memory (Realtime) [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-fe064790-1b1f-11e7-bec4-a5e9ec5cab8b", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.2/kibana/visualization/system-fee83900-f49f-11e9-8405-516218e3d268.json b/packages/system/0.11.2/kibana/visualization/system-fee83900-f49f-11e9-8405-516218e3d268.json deleted file mode 100644 index 4ca79e5282..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-fee83900-f49f-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4733\",\"4729\",\"4757\",\"4786\",\"4788\",\"4752\",\"4762\",\"4747\"],\"type\":\"phrases\",\"value\":\"4733, 4729, 4757, 4786, 4788, 4752, 4762, 4747\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4733\"}},{\"match_phrase\":{\"event.code\":\"4729\"}},{\"match_phrase\":{\"event.code\":\"4757\"}},{\"match_phrase\":{\"event.code\":\"4786\"}},{\"match_phrase\":{\"event.code\":\"4788\"}},{\"match_phrase\":{\"event.code\":\"4752\"}},{\"match_phrase\":{\"event.code\":\"4762\"}},{\"match_phrase\":{\"event.code\":\"4747\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Removed from Group - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"User\",\"field\":\"winlog.event_data.MemberName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Group\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"group.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Performed by Logon 
ID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":4,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":5,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":5,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Removed from Group - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-fee83900-f49f-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": 
"visualization" -} \ No newline at end of file diff --git a/packages/system/0.11.2/kibana/visualization/system-ffebe440-f419-11e9-8405-516218e3d268.json b/packages/system/0.11.2/kibana/visualization/system-ffebe440-f419-11e9-8405-516218e3d268.json deleted file mode 100644 index a4964edb78..0000000000 --- a/packages/system/0.11.2/kibana/visualization/system-ffebe440-f419-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Added - Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"bfcaced0-f419-11e9-928e-8f5fd2b6c66e\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(181,99,93,1)\",\"id\":\"a7d935e0-f497-11e9-928e-8f5fd2b6c66e\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code:4732 OR event.code:4728 OR event.code:4756 OR event.code:4751 OR event.code:4761 OR event.code:4746 OR event.code:4785 OR event.code:4787\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Added to Group\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Added - Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-ffebe440-f419-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.11.2/manifest.yml b/packages/system/0.11.2/manifest.yml deleted file mode 100644 index c829a8a164..0000000000 --- a/packages/system/0.11.2/manifest.yml +++ /dev/null @@ -1,51 +0,0 @@ -format_version: 1.0.0 -name: system -title: System -version: 0.11.2 -license: basic -description: System Integration -type: integration -categories: - - os_system - - security -release: beta -conditions: - kibana.version: '^7.11.0' -screenshots: - - src: /img/kibana-system.png - title: kibana system - size: 1220x852 - type: image/png - - src: /img/metricbeat_system_dashboard.png - title: metricbeat system dashboard - size: 2097x1933 - type: image/png -icons: - - src: /img/system.svg - title: system - size: 1000x1000 - type: image/svg+xml -policy_templates: - - name: system - title: System logs and metrics - description: Collect logs and metrics from System instances - inputs: - - type: logfile - title: Collect logs from System instances - description: Collecting System auth and syslog logs - - type: winlog - title: 'Collect events from the Windows event log' - description: 'Collecting events from Windows event log' - - type: system/metrics - title: Collect metrics from System instances - description: Collecting System core, CPU, diskio, entropy, filesystem, fsstat, load, memory, network, Network Summary, process, Process Summary, raid, service, socket, Socket Summary, uptime and users metrics - vars: - - name: system.hostfs - type: text - title: Proc Filesystem Directory - multi: false - required: false - show_user: true - description: The proc filesystem base directory. -owner: - github: elastic/integrations-services diff --git a/packages/system/0.12.0/changelog.yml b/packages/system/0.12.0/changelog.yml deleted file mode 100755 index 1629a6e6c1..0000000000 --- a/packages/system/0.12.0/changelog.yml +++ /dev/null 
@@ -1,29 +0,0 @@ -# newer versions go on top -- version: "0.12.0" - changes: - - description: Add Splunk input for application, system, and security data streams. - type: enhancement - link: https://github.com/elastic/integrations/pull/890 -- version: "0.11.3" - changes: - - description: Updating package owner - type: enhancement - link: https://github.com/elastic/integrations/pull/766 - - description: update to ECS 1.9.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/874 -- version: "0.11.2" - changes: - - description: Update security data stream - type: bugfix # can be one of: enhancement, bugfix, breaking-change - link: https://github.com/elastic/integrations/pull/728 -- version: "0.11.1" # unreleased - changes: - - description: remove duplicate ingest pipeline for syslog data stream - type: bugfix - link: https://github.com/elastic/integrations/pull/725 -- version: "0.0.3" - changes: - - description: initial release - type: enhancement # can be one of: enhancement, bugfix, breaking-change - link: https://github.com/elastic/integrations/pull/8 diff --git a/packages/system/0.12.0/data_stream/application/agent/stream/httpjson.yml.hbs b/packages/system/0.12.0/data_stream/application/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 33eabae7d5..0000000000 --- a/packages/system/0.12.0/data_stream/application/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,90 +0,0 @@ -config_version: "2" -interval: {{interval}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: |- - {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -response.decode_as: application/x-ndjson -tags: -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains tags "forwarded"}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: - - decode_json_fields: - fields: message - target: json - add_error_key: true - - drop_event: - when: - not: - has_fields: ['json.result'] - - fingerprint: - fields: - - json.result._cd - - json.result._indextime - - json.result._raw - - json.result._time - - json.result.host - - json.result.source - target_field: "@metadata._id" - - drop_fields: - fields: message - - rename: - fields: - - from: json.result._raw - to: event.original - - from: json.result.host - to: host.name - - from: json.result.source - to: event.provider - ignore_missing: true - fail_on_error: false - - drop_fields: - fields: json - - decode_xml: - field: event.original - target_field: winlog - schema: wineventlog - ignore_missing: true - ignore_failure: true - - timestamp: - field: winlog.time_created - layouts: - - '2006-01-02T15:04:05Z' - - '2006-01-02T15:04:05.999Z' - - '2006-01-02T15:04:05.999-07:00' - test: - - '2019-06-22T16:33:51Z' - - '2019-11-18T04:59:51.123Z' - - '2020-08-03T07:10:20.123456+02:00' - - 
add_fields: - target: '' - fields: - ecs.version: 1.8.0 diff --git a/packages/system/0.12.0/data_stream/application/agent/stream/winlog.yml.hbs b/packages/system/0.12.0/data_stream/application/agent/stream/winlog.yml.hbs deleted file mode 100755 index e207b9ffd6..0000000000 --- a/packages/system/0.12.0/data_stream/application/agent/stream/winlog.yml.hbs +++ /dev/null @@ -1,3 +0,0 @@ -name: Application -condition: ${host.platform} == 'windows' -ignore_older: 72h \ No newline at end of file diff --git a/packages/system/0.12.0/data_stream/application/elasticsearch/ingest_pipeline/default.yml b/packages/system/0.12.0/data_stream/application/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index d239ad095f..0000000000 --- a/packages/system/0.12.0/data_stream/application/elasticsearch/ingest_pipeline/default.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- - description: Pipeline for Windows Application Event Logs - processors: - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' - on_failure: - - set: - field: "error.message" - value: "{{ _ingest.on_failure_message }}" \ No newline at end of file diff --git a/packages/system/0.12.0/data_stream/application/fields/agent.yml b/packages/system/0.12.0/data_stream/application/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/system/0.12.0/data_stream/application/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.12.0/data_stream/application/fields/base-fields.yml b/packages/system/0.12.0/data_stream/application/fields/base-fields.yml deleted file mode 100755 index 7c798f4534..0000000000 --- a/packages/system/0.12.0/data_stream/application/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.12.0/data_stream/application/fields/ecs.yml b/packages/system/0.12.0/data_stream/application/fields/ecs.yml deleted file mode 100755 index f283f085b0..0000000000 --- a/packages/system/0.12.0/data_stream/application/fields/ecs.yml +++ /dev/null @@ -1,21 +0,0 @@ -- description: Time when the event was first read by an agent or by your pipeline. - example: '2016-05-23T08:05:34.857Z' - name: event.created - type: date -- description: Timestamp when an event arrived in the central data store. - example: '2016-05-23T08:05:35.101Z' - name: event.ingested - type: date -- description: Raw text message of entire event. - example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 - ignore_above: 1024 - name: event.original - type: keyword -- description: Error message. - name: error.message - type: text -- description: Identification code for this event. - example: 4648 - ignore_above: 1024 - name: event.code - type: keyword diff --git a/packages/system/0.12.0/data_stream/application/fields/winlog.yml b/packages/system/0.12.0/data_stream/application/fields/winlog.yml deleted file mode 100755 index adca1bbdd0..0000000000 --- a/packages/system/0.12.0/data_stream/application/fields/winlog.yml +++ /dev/null 
@@ -1,357 +0,0 @@ -- name: winlog - type: group - description: > - All fields specific to the Windows Event Log are defined here. - - fields: - - name: api - required: true - type: keyword - description: > - The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. - - - name: activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. - - - name: computer_name - type: keyword - required: true - description: > - The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. - - - name: event_data - type: object - object_type: keyword - required: false - description: > - The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. - - - name: event_data - type: group - description: > - This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs. 
- - fields: - - name: AuthenticationPackageName - type: keyword - - name: Binary - type: keyword - - name: BitlockerUserInputTime - type: keyword - - name: BootMode - type: keyword - - name: BootType - type: keyword - - name: BuildVersion - type: keyword - - name: Company - type: keyword - - name: CorruptionActionState - type: keyword - - name: CreationUtcTime - type: keyword - - name: Description - type: keyword - - name: Detail - type: keyword - - name: DeviceName - type: keyword - - name: DeviceNameLength - type: keyword - - name: DeviceTime - type: keyword - - name: DeviceVersionMajor - type: keyword - - name: DeviceVersionMinor - type: keyword - - name: DriveName - type: keyword - - name: DriverName - type: keyword - - name: DriverNameLength - type: keyword - - name: DwordVal - type: keyword - - name: EntryCount - type: keyword - - name: ExtraInfo - type: keyword - - name: FailureName - type: keyword - - name: FailureNameLength - type: keyword - - name: FileVersion - type: keyword - - name: FinalStatus - type: keyword - - name: Group - type: keyword - - name: IdleImplementation - type: keyword - - name: IdleStateCount - type: keyword - - name: ImpersonationLevel - type: keyword - - name: IntegrityLevel - type: keyword - - name: IpAddress - type: keyword - - name: IpPort - type: keyword - - name: KeyLength - type: keyword - - name: LastBootGood - type: keyword - - name: LastShutdownGood - type: keyword - - name: LmPackageName - type: keyword - - name: LogonGuid - type: keyword - - name: LogonId - type: keyword - - name: LogonProcessName - type: keyword - - name: LogonType - type: keyword - - name: MajorVersion - type: keyword - - name: MaximumPerformancePercent - type: keyword - - name: MemberName - type: keyword - - name: MemberSid - type: keyword - - name: MinimumPerformancePercent - type: keyword - - name: MinimumThrottlePercent - type: keyword - - name: MinorVersion - type: keyword - - name: NewProcessId - type: keyword - - name: NewProcessName - type: 
keyword - - name: NewSchemeGuid - type: keyword - - name: NewTime - type: keyword - - name: NominalFrequency - type: keyword - - name: Number - type: keyword - - name: OldSchemeGuid - type: keyword - - name: OldTime - type: keyword - - name: OriginalFileName - type: keyword - - name: Path - type: keyword - - name: PerformanceImplementation - type: keyword - - name: PreviousCreationUtcTime - type: keyword - - name: PreviousTime - type: keyword - - name: PrivilegeList - type: keyword - - name: ProcessId - type: keyword - - name: ProcessName - type: keyword - - name: ProcessPath - type: keyword - - name: ProcessPid - type: keyword - - name: Product - type: keyword - - name: PuaCount - type: keyword - - name: PuaPolicyId - type: keyword - - name: QfeVersion - type: keyword - - name: Reason - type: keyword - - name: SchemaVersion - type: keyword - - name: ScriptBlockText - type: keyword - - name: ServiceName - type: keyword - - name: ServiceVersion - type: keyword - - name: ShutdownActionType - type: keyword - - name: ShutdownEventCode - type: keyword - - name: ShutdownReason - type: keyword - - name: Signature - type: keyword - - name: SignatureStatus - type: keyword - - name: Signed - type: keyword - - name: StartTime - type: keyword - - name: State - type: keyword - - name: Status - type: keyword - - name: StopTime - type: keyword - - name: SubjectDomainName - type: keyword - - name: SubjectLogonId - type: keyword - - name: SubjectUserName - type: keyword - - name: SubjectUserSid - type: keyword - - name: TSId - type: keyword - - name: TargetDomainName - type: keyword - - name: TargetInfo - type: keyword - - name: TargetLogonGuid - type: keyword - - name: TargetLogonId - type: keyword - - name: TargetServerName - type: keyword - - name: TargetUserName - type: keyword - - name: TargetUserSid - type: keyword - - name: TerminalSessionId - type: keyword - - name: TokenElevationType - type: keyword - - name: TransmittedServices - type: keyword - - name: UserSid - type: 
keyword - - name: Version - type: keyword - - name: Workstation - type: keyword - - name: param1 - type: keyword - - name: param2 - type: keyword - - name: param3 - type: keyword - - name: param4 - type: keyword - - name: param5 - type: keyword - - name: param6 - type: keyword - - name: param7 - type: keyword - - name: param8 - type: keyword - - name: event_id - type: keyword - required: true - description: > - The event identifier. The value is specific to the source of the event. - - - name: keywords - type: keyword - required: false - description: > - The keywords are used to classify an event. - - - name: channel - type: keyword - required: true - description: > - The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. - - - name: record_id - type: keyword - required: true - description: > - The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. - - - name: related_activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. - - - name: opcode - type: keyword - required: false - description: > - The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. - - - name: provider_guid - type: keyword - required: false - description: > - A globally unique identifier that identifies the provider that logged the event. - - - name: process.pid - type: long - required: false - description: > - The process_id of the Client Server Runtime Process. 
- - - name: provider_name - type: keyword - required: true - description: > - The source of the event log record (the application or service that logged the record). - - - name: task - type: keyword - required: false - description: > - The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. - - - name: process.thread.id - type: long - required: false - - name: user_data - type: object - object_type: keyword - required: false - description: > - The event specific data. This field is mutually exclusive with `event_data`. - - - name: user.identifier - type: keyword - required: false - example: S-1-5-21-3541430928-2051711210-1391384369-1001 - description: > - The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. - - - name: user.name - type: keyword - description: > - Name of the user associated with this event. - - - name: user.domain - type: keyword - required: false - description: > - The domain that the account associated with this event is a member of. - - - name: user.type - type: keyword - required: false - description: > - The type of account associated with this event. - - - name: version - type: long - required: false - description: The version number of the event's definition. diff --git a/packages/system/0.12.0/data_stream/application/manifest.yml b/packages/system/0.12.0/data_stream/application/manifest.yml deleted file mode 100755 index 3d9d689e7a..0000000000 --- a/packages/system/0.12.0/data_stream/application/manifest.yml +++ /dev/null 
@@ -1,34 +0,0 @@
-type: logs
-title: Windows Application Events
-release: experimental
-streams:
- - input: winlog
- template_path: winlog.yml.hbs
- title: Application
- description: 'Collect Windows application logs'
- - input: httpjson
- title: Windows Application Events via Splunk Enterprise REST API
- description: Collect Application Events via Splunk Enterprise REST API
- enabled: false
- template_path: httpjson.yml.hbs
- vars:
- - name: interval
- type: text
- title: Interval to query Splunk Enterprise REST API
- description: Go Duration syntax (eg. 10s)
- show_user: true
- required: true
- default: 10s
- - name: search
- type: text
- title: Splunk search string
- show_user: false
- required: true
- default: "search sourcetype=\"XmlWinEventLog:Application\""
- - name: tags
- type: text
- title: Tags
- multi: true
- show_user: false
- default:
- - forwarded
diff --git a/packages/system/0.12.0/data_stream/auth/agent/stream/log.yml.hbs b/packages/system/0.12.0/data_stream/auth/agent/stream/log.yml.hbs
deleted file mode 100755
index 09e5d53429..0000000000
--- a/packages/system/0.12.0/data_stream/auth/agent/stream/log.yml.hbs
+++ /dev/null
@@ -1,14 +0,0 @@
-paths:
-{{#each paths as |path i|}}
- - {{path}}
-{{/each}}
-exclude_files: [".gz$"]
-multiline:
- pattern: "^\\s"
- match: after
-processors:
- - add_locale: ~
- - add_fields:
- target: ''
- fields:
- ecs.version: 1.9.0
diff --git a/packages/system/0.12.0/data_stream/auth/elasticsearch/ingest_pipeline/default.yml b/packages/system/0.12.0/data_stream/auth/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 7e825c58d1..0000000000
--- a/packages/system/0.12.0/data_stream/auth/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,202 +0,0 @@ ---- -description: Pipeline for parsing system authorisation/secure logs -processors: -- set: - field: event.ingested - value: '{{_ingest.timestamp}}' -- grok: - field: message - ignore_missing: true - pattern_definitions: - GREEDYMULTILINE: |- - (.| - )* - TIMESTAMP: (?:%{TIMESTAMP_ISO8601}|%{SYSLOGTIMESTAMP}) - patterns: - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - %{DATA:system.auth.ssh.event} %{DATA:system.auth.ssh.method} for (invalid user - )?%{DATA:user.name} from %{IPORHOST:source.ip} port %{NUMBER:source.port:long} - ssh2(: %{GREEDYDATA:system.auth.ssh.signature})?' - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - %{DATA:system.auth.ssh.event} user %{DATA:user.name} from %{IPORHOST:source.ip}' - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - Did not receive identification string from %{IPORHOST:system.auth.ssh.dropped_ip}' - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - \s*%{DATA:user.name} :( %{DATA:system.auth.sudo.error} ;)? TTY=%{DATA:system.auth.sudo.tty} - ; PWD=%{DATA:system.auth.sudo.pwd} ; USER=%{DATA:system.auth.sudo.user} ; COMMAND=%{GREEDYDATA:system.auth.sudo.command}' - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - new group: name=%{DATA:group.name}, GID=%{NUMBER:group.id}' - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - new user: name=%{DATA:user.name}, UID=%{NUMBER:user.id}, GID=%{NUMBER:group.id}, - home=%{DATA:system.auth.useradd.home}, shell=%{DATA:system.auth.useradd.shell}$' - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname}? 
%{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - %{GREEDYMULTILINE:system.auth.message}' -- remove: - field: message -- rename: - field: system.auth.message - target_field: message - ignore_missing: true - if: ctx?.system?.auth?.message != null && ctx?.system?.auth?.message != "" -- grok: - field: message - ignore_missing: true - ignore_failure: true - patterns: - - 'for user \"?%{DATA:_temp.foruser}\"? by \"?%{DATA:_temp.byuser}\"?(?:\(uid=%{NUMBER:_temp.byuid}\))?$' - - 'for user \"?%{DATA:_temp.foruser}\"?$' - - 'by user \"?%{DATA:_temp.byuser}\"?$' - if: ctx?.message != null && ctx?.message != "" -- rename: - field: _temp.byuser - target_field: user.name - ignore_missing: true - ignore_failure: true -- rename: - field: _temp.byuid - target_field: user.id - ignore_missing: true - ignore_failure: true -- rename: - field: _temp.foruser - target_field: user.name - ignore_missing: true - ignore_failure: true - if: ctx?.user?.name == null || ctx?.user?.name == "" -- rename: - field: _temp.foruser - target_field: user.effective.name - ignore_missing: true - ignore_failure: true - if: ctx?.user?.name != null -- remove: - field: _temp - ignore_missing: true -- convert: - field: system.auth.sudo.user - target_field: user.effective.name - type: string - ignore_failure: true - if: ctx?.system?.auth?.sudo?.user != null -- set: - field: source.ip - value: '{{system.auth.ssh.dropped_ip}}' - ignore_empty_value: true -- date: - if: ctx.event.timezone == null - field: system.auth.timestamp - target_field: '@timestamp' - formats: - - MMM d HH:mm:ss - - MMM dd HH:mm:ss - - ISO8601 - on_failure: - - append: - field: error.message - value: '{{ _ingest.on_failure_message }}' -- date: - if: ctx.event.timezone != null - field: system.auth.timestamp - target_field: '@timestamp' - formats: - - MMM d HH:mm:ss - - MMM dd HH:mm:ss - - ISO8601 - timezone: '{{ event.timezone }}' - on_failure: - - append: - field: error.message - value: '{{ _ingest.on_failure_message }}' -- remove: - 
field: system.auth.timestamp -- geoip: - field: source.ip - target_field: source.geo - ignore_failure: true -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true -- rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true -- rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true -- set: - field: event.kind - value: event -- script: - lang: painless - ignore_failure: true - source: >- - if (ctx.system.auth.ssh.event == "Accepted") { - ctx.event.type = ["authentication_success", "info"]; - ctx.event.category = ["authentication","session"]; - ctx.event.action = "ssh_login"; - ctx.event.outcome = "success"; - } else if (ctx.system.auth.ssh.event == "Invalid" || ctx.system.auth.ssh.event == "Failed") { - ctx.event.type = ["authentication_failure", "info"]; - ctx.event.category = ["authentication"]; - ctx.event.action = "ssh_login"; - ctx.event.outcome = "failure"; - } - -- append: - field: event.category - value: iam - if: "ctx?.process?.name != null && ['groupadd', 'groupdel', 'groupmod', 'useradd', 'userdel', 'usermod'].contains(ctx.process.name)" -- set: - field: event.outcome - value: success - if: "ctx?.process?.name != null && ['groupadd', 'groupdel', 'groupmod', 'useradd', 'userdel', 'usermod'].contains(ctx.process.name)" -- append: - field: event.type - value: user - if: "ctx?.process?.name != null && ['useradd', 'userdel', 'usermod'].contains(ctx.process.name)" -- append: - field: event.type - value: group - if: "ctx?.process?.name != null && ['groupadd', 'groupdel', 'groupmod'].contains(ctx.process.name)" -- append: - field: event.type - value: creation - if: "ctx?.process?.name != null && ['useradd', 'groupadd'].contains(ctx.process.name)" -- append: - field: event.type - value: deletion - if: "ctx?.process?.name != null && ['userdel', 
'groupdel'].contains(ctx.process.name)" -- append: - field: event.type - value: change - if: "ctx?.process?.name != null && ['usermod', 'groupmod'].contains(ctx.process.name)" -- append: - field: related.user - value: "{{user.name}}" - allow_duplicates: false - if: "ctx?.user?.name != null && ctx.user?.name != ''" -- append: - field: related.user - value: "{{user.effective.name}}" - allow_duplicates: false - if: "ctx?.user?.effective?.name != null && ctx.user?.effective?.name != ''" -- append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false - if: "ctx?.source?.ip != null && ctx.source?.ip != ''" -- append: - field: related.hosts - value: "{{host.hostname}}" - allow_duplicates: false - if: "ctx.host?.hostname != null && ctx.host?.hostname != ''" -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/system/0.12.0/data_stream/auth/fields/agent.yml b/packages/system/0.12.0/data_stream/auth/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/system/0.12.0/data_stream/auth/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.12.0/data_stream/auth/fields/base-fields.yml b/packages/system/0.12.0/data_stream/auth/fields/base-fields.yml
deleted file mode 100755
index 7c798f4534..0000000000
--- a/packages/system/0.12.0/data_stream/auth/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.12.0/data_stream/auth/fields/ecs.yml b/packages/system/0.12.0/data_stream/auth/fields/ecs.yml
deleted file mode 100755
index 1bd77bc20c..0000000000
--- a/packages/system/0.12.0/data_stream/auth/fields/ecs.yml
+++ /dev/null
@@ -1,218 +0,0 @@ -- name: '@timestamp' - level: core - required: true - type: date - description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. -- name: message - level: core - type: text - description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. -- name: group - title: Group - group: 2 - type: group - fields: - - name: id - level: extended - type: keyword - description: Unique identifier for the group on the system/platform. - ignore_above: 1024 - - name: name - level: extended - type: keyword - description: Name of the group. - ignore_above: 1024 -- name: host - title: Host - group: 2 - type: group - fields: - - name: hostname - level: core - type: keyword - description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - ignore_above: 1024 -- name: process - title: Process - group: 2 - type: group - fields: - - name: name - level: extended - type: keyword - description: |- - Process name. - Sometimes called program name or similar. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - - name: pid - level: core - type: long - format: string - description: Process id. -- name: source - title: Source - group: 2 - type: group - fields: - - name: geo.city_name - level: core - type: keyword - description: City name. 
- ignore_above: 1024 - - name: geo.continent_name - level: core - type: keyword - description: Name of the continent. - ignore_above: 1024 - - name: geo.country_iso_code - level: core - type: keyword - description: Country ISO code. - ignore_above: 1024 - - name: geo.location - level: core - type: geo_point - description: Longitude and latitude. - - name: geo.region_iso_code - level: core - type: keyword - description: Region ISO code. - ignore_above: 1024 - - name: geo.region_name - level: core - type: keyword - description: Region name. - ignore_above: 1024 - - name: ip - level: core - type: ip - description: IP address of the source (IPv4 or IPv6). - - name: port - level: core - type: long - format: string - description: Port of the source. -- name: user - title: User - group: 2 - type: group - fields: - - name: id - level: core - type: keyword - description: Unique identifier of the user. - ignore_above: 1024 - - name: name - level: core - type: keyword - description: Short name or login of the user. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - - name: effective.name - level: core - type: keyword - description: Short name or login of the user. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false -- description: "Operating system architecture." - ignore_above: 1024 - name: host.architecture - type: keyword -- description: "Name of the directory the group is a member of." - ignore_above: 1024 - name: host.domain - type: keyword -- description: "Hostname of the host." - ignore_above: 1024 - name: host.hostname - type: keyword -- description: "Unique host id." - ignore_above: 1024 - name: host.id - type: keyword -- description: "Host ip addresses." - name: host.ip - type: ip -- description: "Host mac addresses." - ignore_above: 1024 - name: host.mac - type: keyword -- description: "Name of the host." 
- ignore_above: 1024 - name: host.name - type: keyword -- description: "OS family (such as redhat, debian, freebsd, windows)." - ignore_above: 1024 - name: host.os.family - type: keyword -- description: "Operating system name, including the version or code name." - ignore_above: 1024 - multi_fields: - - name: text - norms: false - type: text - name: host.os.full - type: keyword -- description: "Operating system kernel version as a raw string." - ignore_above: 1024 - name: host.os.kernel - type: keyword -- description: "Operating system name, without the version." - ignore_above: 1024 - multi_fields: - - name: text - norms: false - type: text - name: host.os.name - type: keyword -- description: "Operating system platform (such centos, ubuntu, windows)." - ignore_above: 1024 - name: host.os.platform - type: keyword -- description: "Operating system version as a raw string." - ignore_above: 1024 - name: version - type: keyword -- name: error.message - type: text - description: Error message. -- name: related.ip - type: ip - description: All of the IPs seen on your event. -- name: related.user - type: keyword - description: All the user names seen on your event. -- name: related.hosts - type: keyword - description: All the host names seen on your event. -- name: source.as.number - type: long - description: Unique number allocated to the autonomous system. -- name: source.as.organization.name - type: keyword - description: Organization name. -- name: source.geo.country_name - type: keyword - description: Country name. diff --git a/packages/system/0.12.0/data_stream/auth/fields/fields.yml b/packages/system/0.12.0/data_stream/auth/fields/fields.yml deleted file mode 100755 index 1e7b044f02..0000000000 --- a/packages/system/0.12.0/data_stream/auth/fields/fields.yml +++ /dev/null 
@@ -1,58 +0,0 @@
-- name: system.auth
- type: group
- fields:
- - name: ssh
- type: group
- fields:
- - name: method
- type: keyword
- description: |
- The SSH authentication method. Can be one of "password" or "publickey".
- - name: signature
- type: keyword
- description: |
- The signature of the client public key.
- - name: dropped_ip
- type: ip
- description: |
- The client IP from SSH connections that are open and immediately dropped.
- - name: event
- type: keyword
- description: |
- The SSH event as found in the logs (Accepted, Invalid, Failed, etc.)
- - name: geoip
- type: group
- - name: sudo
- type: group
- fields:
- - name: error
- type: keyword
- description: |
- The error message in case the sudo command failed.
- - name: tty
- type: keyword
- description: |
- The TTY where the sudo command is executed.
- - name: pwd
- type: keyword
- description: |
- The current directory where the sudo command is executed.
- - name: user
- type: keyword
- description: |
- The target user to which the sudo command is switching.
- - name: command
- type: keyword
- description: |
- The command executed via sudo.
- - name: useradd
- type: group
- fields:
- - name: home
- type: keyword
- description: The home folder for the new user.
- - name: shell
- type: keyword
- description: The default shell for the new user.
- - name: groupadd
- type: group
diff --git a/packages/system/0.12.0/data_stream/auth/manifest.yml b/packages/system/0.12.0/data_stream/auth/manifest.yml
deleted file mode 100755
index 428764ece1..0000000000
--- a/packages/system/0.12.0/data_stream/auth/manifest.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-title: System auth logs
-release: experimental
-type: logs
-streams:
- - input: logfile
- vars:
- - name: paths
- type: text
- title: Paths
- multi: true
- required: true
- show_user: true
- default:
- - /var/log/auth.log*
- - /var/log/secure*
- template_path: log.yml.hbs
- title: System auth logs (log)
- description: Collect System auth logs using log input
diff --git a/packages/system/0.12.0/data_stream/core/agent/stream/stream.yml.hbs b/packages/system/0.12.0/data_stream/core/agent/stream/stream.yml.hbs
deleted file mode 100755
index 38d25572bd..0000000000
--- a/packages/system/0.12.0/data_stream/core/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,5 +0,0 @@
-metricsets: ["core"]
-core.metrics:
-{{#each core.metrics}}
- - {{this}}
-{{/each}}
diff --git a/packages/system/0.12.0/data_stream/core/fields/agent.yml b/packages/system/0.12.0/data_stream/core/fields/agent.yml
deleted file mode 100755
index da4e652c53..0000000000
--- a/packages/system/0.12.0/data_stream/core/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.12.0/data_stream/core/fields/base-fields.yml b/packages/system/0.12.0/data_stream/core/fields/base-fields.yml
deleted file mode 100755
index 7c798f4534..0000000000
--- a/packages/system/0.12.0/data_stream/core/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.12.0/data_stream/core/fields/ecs.yml b/packages/system/0.12.0/data_stream/core/fields/ecs.yml
deleted file mode 100755
index e76a78fa1d..0000000000
--- a/packages/system/0.12.0/data_stream/core/fields/ecs.yml
+++ /dev/null
@@ -1,71 +0,0 @@ -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. 
- example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: Type of host. diff --git a/packages/system/0.12.0/data_stream/core/fields/fields.yml b/packages/system/0.12.0/data_stream/core/fields/fields.yml deleted file mode 100755 index dab186321f..0000000000 --- a/packages/system/0.12.0/data_stream/core/fields/fields.yml +++ /dev/null 
@@ -1,103 +0,0 @@
-- name: system.core
- type: group
- fields:
- - name: id
- type: keyword
- description: |
- CPU Core number.
- - name: user.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in user space.
- - name: user.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent in user space.
- - name: system.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in kernel space.
- - name: system.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent in kernel space.
- - name: nice.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent on low-priority processes.
- - name: nice.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent on low-priority processes.
- - name: idle.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent idle.
- - name: idle.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent idle.
- - name: iowait.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in wait (on disk).
- - name: iowait.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent in wait (on disk).
- - name: irq.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent servicing and handling hardware interrupts.
- - name: irq.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent servicing and handling hardware interrupts.
- - name: softirq.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent servicing and handling software interrupts.
- - name: softirq.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent servicing and handling software interrupts.
- - name: steal.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.
- - name: steal.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.
diff --git a/packages/system/0.12.0/data_stream/core/manifest.yml b/packages/system/0.12.0/data_stream/core/manifest.yml
deleted file mode 100755
index f7e0e5a825..0000000000
--- a/packages/system/0.12.0/data_stream/core/manifest.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-title: System core metrics
-release: experimental
-type: metrics
-streams:
- - input: system/metrics
- enabled: false
- vars:
- - name: period
- type: text
- title: Period
- multi: false
- required: true
- show_user: true
- default: 10s
- - name: core.metrics
- type: text
- title: Core Metrics
- multi: true
- required: true
- show_user: true
- description: >
- How to report core metrics. Can be "percentages" or "ticks"
-
- default:
- - percentages
- title: System core metrics
- description: Collect System core metrics
diff --git a/packages/system/0.12.0/data_stream/cpu/agent/stream/stream.yml.hbs b/packages/system/0.12.0/data_stream/cpu/agent/stream/stream.yml.hbs
deleted file mode 100755
index cd0de8d3d9..0000000000
--- a/packages/system/0.12.0/data_stream/cpu/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,6 +0,0 @@
-metricsets: ["cpu"]
-cpu.metrics:
-{{#each cpu.metrics}}
- - {{this}}
-{{/each}}
-period: {{period}}
\ No newline at end of file
diff --git a/packages/system/0.12.0/data_stream/cpu/fields/agent.yml b/packages/system/0.12.0/data_stream/cpu/fields/agent.yml
deleted file mode 100755
index 3643534982..0000000000
--- a/packages/system/0.12.0/data_stream/cpu/fields/agent.yml
+++ /dev/null
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - - - name: cpu.pct - type: scaled_float - format: percent - description: > - Percent CPU used. 
This value is normalized by the number of CPU cores and it ranges from 0 to 1. - diff --git a/packages/system/0.12.0/data_stream/cpu/fields/base-fields.yml b/packages/system/0.12.0/data_stream/cpu/fields/base-fields.yml deleted file mode 100755 index 7c798f4534..0000000000 --- a/packages/system/0.12.0/data_stream/cpu/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.12.0/data_stream/cpu/fields/ecs.yml b/packages/system/0.12.0/data_stream/cpu/fields/ecs.yml deleted file mode 100755 index e76a78fa1d..0000000000 --- a/packages/system/0.12.0/data_stream/cpu/fields/ecs.yml +++ /dev/null 
@@ -1,71 +0,0 @@ -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. 
- example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: Type of host. diff --git a/packages/system/0.12.0/data_stream/cpu/fields/fields.yml b/packages/system/0.12.0/data_stream/cpu/fields/fields.yml deleted file mode 100755 index 9efed64c2d..0000000000 --- a/packages/system/0.12.0/data_stream/cpu/fields/fields.yml +++ /dev/null 
@@ -1,182 +0,0 @@
-- name: system.cpu
- type: group
- fields:
- - name: cores
- type: long
- metric_type: gauge
- description: |
- The number of CPU cores present on the host. The non-normalized percentages will have a maximum value of `100% * cores`. The normalized percentages already take this value into account and have a maximum value of 100%.
- - name: user.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in user space. On multi-core systems, you can have percentages that are greater than 100%. For example, if 3 cores are at 60% use, then the `system.cpu.user.pct` will be 180%.
- - name: system.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in kernel space.
- - name: nice.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent on low-priority processes.
- - name: idle.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent idle.
- - name: iowait.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in wait (on disk).
- - name: irq.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent servicing and handling hardware interrupts.
- - name: softirq.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent servicing and handling software interrupts.
- - name: steal.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.
- - name: total.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in states other than Idle and IOWait.
- - name: user.norm.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in user space.
- - name: system.norm.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in kernel space.
- - name: nice.norm.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent on low-priority processes.
- - name: idle.norm.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent idle.
- - name: iowait.norm.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in wait (on disk).
- - name: irq.norm.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent servicing and handling hardware interrupts.
- - name: softirq.norm.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent servicing and handling software interrupts.
- - name: steal.norm.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.
- - name: total.norm.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time in states other than Idle and IOWait, normalised by the number of cores.
- - name: user.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent in user space.
- - name: system.ticks
- type: long
- description: |
- The amount of CPU time spent in kernel space.
- - name: nice.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent on low-priority processes.
- - name: idle.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent idle.
- - name: iowait.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent in wait (on disk).
- - name: irq.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent servicing and handling hardware interrupts.
- - name: softirq.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent servicing and handling software interrupts.
- - name: steal.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.
-- name: host
- type: group
- fields:
- - name: cpu.pct
- type: scaled_float
- unit: percent
- metric_type: gauge
- description: |
- Percent CPU used. This value is normalized by the number of CPU cores and it ranges from 0 to 1.
diff --git a/packages/system/0.12.0/data_stream/cpu/manifest.yml b/packages/system/0.12.0/data_stream/cpu/manifest.yml
deleted file mode 100755
index 0388136d11..0000000000
--- a/packages/system/0.12.0/data_stream/cpu/manifest.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-title: System cpu metrics
-release: experimental
-type: metrics
-streams:
- - input: system/metrics
- vars:
- - name: period
- type: text
- title: Period
- multi: false
- required: true
- show_user: true
- default: 10s
- - name: cpu.metrics
- type: text
- title: Cpu Metrics
- multi: true
- required: true
- show_user: true
- description: >
- How to report CPU metrics. Can be "percentages", "normalized_percentages", or "ticks"
-
- default:
- - percentages
- - normalized_percentages
- title: System cpu metrics
- description: Collect System cpu metrics
diff --git a/packages/system/0.12.0/data_stream/diskio/agent/stream/stream.yml.hbs b/packages/system/0.12.0/data_stream/diskio/agent/stream/stream.yml.hbs
deleted file mode 100755
index 689369ee25..0000000000
--- a/packages/system/0.12.0/data_stream/diskio/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,6 +0,0 @@
-metricsets: ["diskio"]
-diskio.include_devices:
-{{#each diskio.include_devices}}
- - {{this}}
-{{/each}}
-period: {{period}}
\ No newline at end of file
diff --git a/packages/system/0.12.0/data_stream/diskio/fields/agent.yml b/packages/system/0.12.0/data_stream/diskio/fields/agent.yml
deleted file mode 100755
index 54d97ab701..0000000000
--- a/packages/system/0.12.0/data_stream/diskio/fields/agent.yml
+++ /dev/null
@@ -1,209 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- - - name: disk.read.bytes - type: long - format: bytes - description: > - The total number of bytes read successfully in a given period of time. - - - name: disk.write.bytes - type: long - format: bytes - description: >- - The total number of bytes write successfully in a given period of time. diff --git a/packages/system/0.12.0/data_stream/diskio/fields/base-fields.yml b/packages/system/0.12.0/data_stream/diskio/fields/base-fields.yml deleted file mode 100755 index 7c798f4534..0000000000 --- a/packages/system/0.12.0/data_stream/diskio/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.12.0/data_stream/diskio/fields/ecs.yml b/packages/system/0.12.0/data_stream/diskio/fields/ecs.yml deleted file mode 100755 index 9a7eeefc56..0000000000 --- a/packages/system/0.12.0/data_stream/diskio/fields/ecs.yml +++ /dev/null 
@@ -1,78 +0,0 @@ -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: hostname - level: core - type: keyword - description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - ignore_above: 1024 - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). 
- example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: Type of host. diff --git a/packages/system/0.12.0/data_stream/diskio/fields/fields.yml b/packages/system/0.12.0/data_stream/diskio/fields/fields.yml deleted file mode 100755 index 01a5762c60..0000000000 --- a/packages/system/0.12.0/data_stream/diskio/fields/fields.yml +++ /dev/null 
@@ -1,136 +0,0 @@ -- name: system.diskio - type: group - fields: - - name: name - type: keyword - description: | - The disk name. - - name: serial_number - type: keyword - description: | - The disk's serial number. This may not be provided by all operating systems. - - name: read.count - type: long - metric_type: counter - description: | - The total number of reads completed successfully. - - name: write.count - type: long - metric_type: counter - description: | - The total number of writes completed successfully. - - name: read.bytes - type: long - format: bytes - unit: byte - metric_type: counter - description: | - The total number of bytes read successfully. On Linux this is the number of sectors read multiplied by an assumed sector size of 512. - - name: write.bytes - type: long - format: bytes - unit: byte - metric_type: counter - description: | - The total number of bytes written successfully. On Linux this is the number of sectors written multiplied by an assumed sector size of 512. - - name: read.time - type: long - metric_type: counter - description: | - The total number of milliseconds spent by all reads. - - name: write.time - type: long - metric_type: counter - description: | - The total number of milliseconds spent by all writes. - - name: io.time - type: long - metric_type: counter - description: | - The total number of of milliseconds spent doing I/Os. - - name: iostat.read.request.merges_per_sec - type: float - metric_type: gauge - description: | - The number of read requests merged per second that were queued to the device. - - name: iostat.write.request.merges_per_sec - type: float - metric_type: gauge - description: | - The number of write requests merged per second that were queued to the device. 
- - name: iostat.read.request.per_sec - type: float - metric_type: gauge - description: | - The number of read requests that were issued to the device per second - - name: iostat.write.request.per_sec - type: float - metric_type: gauge - description: | - The number of write requests that were issued to the device per second - - name: iostat.read.per_sec.bytes - type: float - format: bytes - metric_type: gauge - description: | - The number of Bytes read from the device per second. - - name: iostat.read.await - type: float - metric_type: gauge - description: | - The average time spent for read requests issued to the device to be served. - - name: iostat.write.per_sec.bytes - type: float - format: bytes - metric_type: gauge - description: | - The number of Bytes write from the device per second. - - name: iostat.write.await - type: float - metric_type: gauge - description: | - The average time spent for write requests issued to the device to be served. - - name: iostat.request.avg_size - type: float - format: bytes - unit: byte - metric_type: gauge - description: | - The average size (in bytes) of the requests that were issued to the device. - - name: iostat.queue.avg_size - type: float - unit: byte - metric_type: gauge - description: | - The average queue length of the requests that were issued to the device. - - name: iostat.await - type: float - metric_type: gauge - description: | - The average time spent for requests issued to the device to be served. - - name: iostat.service_time - type: float - unit: ms - metric_type: gauge - description: | - The average service time (in milliseconds) for I/O requests that were issued to the device. - - name: iostat.busy - type: float - metric_type: gauge - description: | - Percentage of CPU time during which I/O requests were issued to the device (bandwidth utilization for the device). Device saturation occurs when this value is close to 100%. 
-- name: host - type: group - fields: - - name: disk.read.bytes - type: scaled_float - unit: byte - metric_type: gauge - description: | - The total number of bytes read successfully in a given period of time. - - name: disk.write.bytes - type: scaled_float - unit: byte - metric_type: gauge - description: | - The total number of bytes write successfully in a given period of time. diff --git a/packages/system/0.12.0/data_stream/diskio/manifest.yml b/packages/system/0.12.0/data_stream/diskio/manifest.yml deleted file mode 100755 index 320f708bef..0000000000 --- a/packages/system/0.12.0/data_stream/diskio/manifest.yml +++ /dev/null @@ -1,24 +0,0 @@ -title: System diskio metrics -release: experimental -type: metrics -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - - name: diskio.include_devices - type: text - title: Include Devices - multi: true - required: false - show_user: true - description: > - Provide a specific list of devices to monitor. By default, all devices are monitored. - - title: System diskio metrics - description: Collect System diskio metrics diff --git a/packages/system/0.12.0/data_stream/filesystem/agent/stream/stream.yml.hbs b/packages/system/0.12.0/data_stream/filesystem/agent/stream/stream.yml.hbs deleted file mode 100755 index d21fbd9919..0000000000 --- a/packages/system/0.12.0/data_stream/filesystem/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,3 +0,0 @@ -metricsets: ["filesystem"] -period: {{period}} -processors: {{processors}} diff --git a/packages/system/0.12.0/data_stream/filesystem/fields/agent.yml b/packages/system/0.12.0/data_stream/filesystem/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/system/0.12.0/data_stream/filesystem/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.12.0/data_stream/filesystem/fields/base-fields.yml b/packages/system/0.12.0/data_stream/filesystem/fields/base-fields.yml deleted file mode 100755 index 7c798f4534..0000000000 --- a/packages/system/0.12.0/data_stream/filesystem/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.12.0/data_stream/filesystem/fields/fields.yml b/packages/system/0.12.0/data_stream/filesystem/fields/fields.yml deleted file mode 100755 index d7b44199a8..0000000000 --- a/packages/system/0.12.0/data_stream/filesystem/fields/fields.yml +++ /dev/null 
@@ -1,60 +0,0 @@ -- name: system.filesystem - type: group - fields: - - name: available - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The disk space available to an unprivileged user in bytes. - - name: device_name - type: keyword - description: | - The disk name. For example: `/dev/disk1` - - name: type - type: keyword - description: | - The disk type. For example: `ext4` - - name: mount_point - type: keyword - description: | - The mounting point. For example: `/` - - name: files - type: long - metric_type: gauge - description: | - The total number of file nodes in the file system. - - name: free - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The disk space available in bytes. - - name: free_files - type: long - metric_type: gauge - description: | - The number of free file nodes in the file system. - - name: total - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The total disk space in bytes. - - name: used.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The used disk space in bytes. - - name: used.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of used disk space. diff --git a/packages/system/0.12.0/data_stream/filesystem/manifest.yml b/packages/system/0.12.0/data_stream/filesystem/manifest.yml deleted file mode 100755 index 2cc3f159a7..0000000000 --- a/packages/system/0.12.0/data_stream/filesystem/manifest.yml +++ /dev/null 
@@ -1,28 +0,0 @@ -title: System filesystem metrics -release: experimental -type: metrics -streams: - - input: system/metrics - enabled: true - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 1m - - name: processors - type: yaml - title: Processors - multi: false - required: true - show_user: true - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with external metadata. - - default: | - - drop_event.when.regexp: - system.filesystem.mount_point: ^/(sys|cgroup|proc|dev|etc|host|lib|snap)($|/) - title: System filesystem metrics - description: Collect System filesystem metrics diff --git a/packages/system/0.12.0/data_stream/fsstat/agent/stream/stream.yml.hbs b/packages/system/0.12.0/data_stream/fsstat/agent/stream/stream.yml.hbs deleted file mode 100755 index fc5ebe911d..0000000000 --- a/packages/system/0.12.0/data_stream/fsstat/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,3 +0,0 @@ -metricsets: ["fsstat"] -period: {{period}} -processors: {{processors}} diff --git a/packages/system/0.12.0/data_stream/fsstat/fields/agent.yml b/packages/system/0.12.0/data_stream/fsstat/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/system/0.12.0/data_stream/fsstat/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.12.0/data_stream/fsstat/fields/base-fields.yml b/packages/system/0.12.0/data_stream/fsstat/fields/base-fields.yml deleted file mode 100755 index 7c798f4534..0000000000 --- a/packages/system/0.12.0/data_stream/fsstat/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.12.0/data_stream/fsstat/fields/ecs.yml b/packages/system/0.12.0/data_stream/fsstat/fields/ecs.yml deleted file mode 100755 index e76a78fa1d..0000000000 --- a/packages/system/0.12.0/data_stream/fsstat/fields/ecs.yml +++ /dev/null 
@@ -1,71 +0,0 @@ -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. 
- example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: Type of host. diff --git a/packages/system/0.12.0/data_stream/fsstat/fields/fields.yml b/packages/system/0.12.0/data_stream/fsstat/fields/fields.yml deleted file mode 100755 index aab998a85d..0000000000 --- a/packages/system/0.12.0/data_stream/fsstat/fields/fields.yml +++ /dev/null @@ -1,38 +0,0 @@ -- name: system.fsstat - type: group - fields: - - name: count - type: long - metric_type: gauge - description: Number of file systems found. - - name: total_files - type: long - metric_type: gauge - description: Total number of files. - - name: total_size - type: group - format: bytes - unit: byte - metric_type: gauge - fields: - - name: free - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total free space. - - name: used - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total used space. - - name: total - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total space (used plus free). diff --git a/packages/system/0.12.0/data_stream/fsstat/manifest.yml b/packages/system/0.12.0/data_stream/fsstat/manifest.yml deleted file mode 100755 index 8e63d20df1..0000000000 --- a/packages/system/0.12.0/data_stream/fsstat/manifest.yml +++ /dev/null 
@@ -1,28 +0,0 @@ -title: System fsstat metrics -release: experimental -type: metrics -streams: - - input: system/metrics - enabled: true - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 1m - - name: processors - type: yaml - title: Processors - multi: false - required: true - show_user: true - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with external metadata. - - default: | - - drop_event.when.regexp: - system.fsstat.mount_point: ^/(sys|cgroup|proc|dev|etc|host|lib|snap)($|/) - title: System fsstat metrics - description: Collect System fsstat metrics diff --git a/packages/system/0.12.0/data_stream/load/agent/stream/stream.yml.hbs b/packages/system/0.12.0/data_stream/load/agent/stream/stream.yml.hbs deleted file mode 100755 index b1403687c4..0000000000 --- a/packages/system/0.12.0/data_stream/load/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,3 +0,0 @@ -metricsets: ["load"] -condition: ${host.platform} != 'windows' -period: {{period}} \ No newline at end of file diff --git a/packages/system/0.12.0/data_stream/load/fields/agent.yml b/packages/system/0.12.0/data_stream/load/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/system/0.12.0/data_stream/load/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.12.0/data_stream/load/fields/base-fields.yml b/packages/system/0.12.0/data_stream/load/fields/base-fields.yml
deleted file mode 100755
index 7c798f4534..0000000000
--- a/packages/system/0.12.0/data_stream/load/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
-  type: constant_keyword
-  description: Data stream type.
-- name: data_stream.dataset
-  type: constant_keyword
-  description: Data stream dataset.
-- name: data_stream.namespace
-  type: constant_keyword
-  description: Data stream namespace.
-- name: '@timestamp'
-  type: date
-  description: Event timestamp.
diff --git a/packages/system/0.12.0/data_stream/load/fields/ecs.yml b/packages/system/0.12.0/data_stream/load/fields/ecs.yml
deleted file mode 100755
index e76a78fa1d..0000000000
--- a/packages/system/0.12.0/data_stream/load/fields/ecs.yml
+++ /dev/null
@@ -1,71 +0,0 @@ -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. 
- example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: Type of host. diff --git a/packages/system/0.12.0/data_stream/load/fields/fields.yml b/packages/system/0.12.0/data_stream/load/fields/fields.yml deleted file mode 100755 index ae0130faef..0000000000 --- a/packages/system/0.12.0/data_stream/load/fields/fields.yml +++ /dev/null @@ -1,38 +0,0 @@ -- name: system.load - type: group - fields: - - name: "1" - type: scaled_float - metric_type: gauge - description: | - Load average for the last minute. - - name: "5" - type: scaled_float - metric_type: gauge - description: | - Load average for the last 5 minutes. - - name: "15" - type: scaled_float - metric_type: gauge - description: | - Load average for the last 15 minutes. - - name: norm.1 - type: scaled_float - metric_type: gauge - description: | - Load for the last minute divided by the number of cores. - - name: norm.5 - type: scaled_float - metric_type: gauge - description: | - Load for the last 5 minutes divided by the number of cores. - - name: norm.15 - type: scaled_float - metric_type: gauge - description: | - Load for the last 15 minutes divided by the number of cores. - - name: cores - type: long - metric_type: gauge - description: | - The number of CPU cores present on the host. diff --git a/packages/system/0.12.0/data_stream/load/manifest.yml b/packages/system/0.12.0/data_stream/load/manifest.yml deleted file mode 100755 index 486e57b779..0000000000 --- a/packages/system/0.12.0/data_stream/load/manifest.yml +++ /dev/null @@ -1,15 +0,0 @@ -title: System load metrics -release: experimental -type: metrics -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - title: System load metrics - description: Collect System load metrics 
diff --git a/packages/system/0.12.0/data_stream/memory/agent/stream/stream.yml.hbs b/packages/system/0.12.0/data_stream/memory/agent/stream/stream.yml.hbs deleted file mode 100755 index 0d49de061f..0000000000 --- a/packages/system/0.12.0/data_stream/memory/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,2 +0,0 @@ -metricsets: ["memory"] -period: {{period}} \ No newline at end of file diff --git a/packages/system/0.12.0/data_stream/memory/fields/agent.yml b/packages/system/0.12.0/data_stream/memory/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/system/0.12.0/data_stream/memory/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.12.0/data_stream/memory/fields/base-fields.yml b/packages/system/0.12.0/data_stream/memory/fields/base-fields.yml
deleted file mode 100755
index 7c798f4534..0000000000
--- a/packages/system/0.12.0/data_stream/memory/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
-  type: constant_keyword
-  description: Data stream type.
-- name: data_stream.dataset
-  type: constant_keyword
-  description: Data stream dataset.
-- name: data_stream.namespace
-  type: constant_keyword
-  description: Data stream namespace.
-- name: '@timestamp'
-  type: date
-  description: Event timestamp.
diff --git a/packages/system/0.12.0/data_stream/memory/fields/ecs.yml b/packages/system/0.12.0/data_stream/memory/fields/ecs.yml
deleted file mode 100755
index e76a78fa1d..0000000000
--- a/packages/system/0.12.0/data_stream/memory/fields/ecs.yml
+++ /dev/null
@@ -1,71 +0,0 @@ -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. 
- example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: Type of host. diff --git a/packages/system/0.12.0/data_stream/memory/fields/fields.yml b/packages/system/0.12.0/data_stream/memory/fields/fields.yml deleted file mode 100755 index 55488d61eb..0000000000 --- a/packages/system/0.12.0/data_stream/memory/fields/fields.yml +++ /dev/null 
@@ -1,199 +0,0 @@ -- name: system.memory - type: group - fields: - - name: total - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total memory. - - name: used.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Used memory. - - name: free - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The total amount of free memory in bytes. This value does not include memory consumed by system caches and buffers (see system.memory.actual.free). - - name: used.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of used memory. - - name: actual - type: group - fields: - - name: used.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Actual used memory in bytes. It represents the difference between the total and the available memory. The available memory depends on the OS. For more details, please check `system.actual.free`. - - name: free - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Actual free memory in bytes. It is calculated based on the OS. On Linux this value will be MemAvailable from /proc/meminfo, or calculated from free memory plus caches and buffers if /proc/meminfo is not available. On OSX it is a sum of free memory and the inactive memory. On Windows, it is equal to `system.memory.free`. - - name: used.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of actual used memory. - - name: swap - type: group - fields: - - name: total - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total swap memory. - - name: used.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Used swap memory. - - name: free - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Available swap memory. 
- - name: out.pages - type: long - metric_type: counter - description: count of pages swapped out - - name: in.pages - type: long - metric_type: gauge - description: count of pages swapped in - - name: readahead.pages - type: long - metric_type: counter - description: swap readahead pages - - name: readahead.cached - type: long - description: swap readahead cache hits - - name: used.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of used swap memory. - - name: page_stats - type: group - fields: - - name: pgscan_kswapd.pages - type: long - format: number - metric_type: counter - description: pages scanned by kswapd - - name: pgscan_direct.pages - type: long - format: number - metric_type: counter - description: pages scanned directly - - name: pgfree.pages - type: long - format: number - metric_type: counter - description: pages freed by the system - - name: pgsteal_kswapd.pages - type: long - format: number - metric_type: counter - description: number of pages reclaimed by kswapd - - name: pgsteal_direct.pages - type: long - format: number - metric_type: counter - description: number of pages reclaimed directly - - name: direct_efficiency.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: direct reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory. - - name: kswapd_efficiency.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: kswapd reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory. - - name: hugepages - type: group - fields: - - name: total - type: long - format: number - metric_type: gauge - description: | - Number of huge pages in the pool. - - name: used.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Memory used in allocated huge pages. 
- - name: used.pct - type: long - format: percent - unit: percent - metric_type: gauge - description: | - Percentage of huge pages used. - - name: free - type: long - format: number - metric_type: gauge - description: | - Number of available huge pages in the pool. - - name: reserved - type: long - format: number - metric_type: gauge - description: | - Number of reserved but not allocated huge pages in the pool. - - name: surplus - type: long - format: number - metric_type: gauge - description: | - Number of overcommited huge pages. - - name: default_size - type: long - format: bytes - metric_type: gauge - description: | - Default size for huge pages. - - name: swap.out - type: group - fields: - - name: pages - type: long - metric_type: gauge - description: pages swapped out - - name: fallback - type: long - metric_type: gauge - description: Count of huge pages that must be split before swapout diff --git a/packages/system/0.12.0/data_stream/memory/manifest.yml b/packages/system/0.12.0/data_stream/memory/manifest.yml deleted file mode 100755 index aeb17b0bd0..0000000000 --- a/packages/system/0.12.0/data_stream/memory/manifest.yml +++ /dev/null @@ -1,15 +0,0 @@ -title: System memory metrics -release: experimental -type: metrics -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - title: System memory metrics - description: Collect System memory metrics diff --git a/packages/system/0.12.0/data_stream/network/agent/stream/stream.yml.hbs b/packages/system/0.12.0/data_stream/network/agent/stream/stream.yml.hbs deleted file mode 100755 index a3aeb928ae..0000000000 --- a/packages/system/0.12.0/data_stream/network/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,6 +0,0 @@ -metricsets: ["network"] -period: {{period}} -network.interfaces: -{{#each network.interfaces}} - - {{this}} -{{/each}} 
diff --git a/packages/system/0.12.0/data_stream/network/fields/agent.yml b/packages/system/0.12.0/data_stream/network/fields/agent.yml deleted file mode 100755 index e5afe01139..0000000000 --- a/packages/system/0.12.0/data_stream/network/fields/agent.yml +++ /dev/null 
@@ -1,220 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- - - name: network.in.bytes - type: long - format: bytes - description: > - The number of bytes received on all network interfaces by the host in a given period of time. - - - name: network.in.packets - type: long - description: > - The number of packets received on all network interfaces by the host in a given period of time. - - - name: network.out.bytes - type: long - format: bytes - description: > - The number of bytes sent out on all network interfaces by the host in a given period of time. - - - name: network.out.packets - type: long - description: > - The number of packets sent out on all network interfaces by the host in a given period of time. - diff --git a/packages/system/0.12.0/data_stream/network/fields/base-fields.yml b/packages/system/0.12.0/data_stream/network/fields/base-fields.yml deleted file mode 100755 index 7c798f4534..0000000000 --- a/packages/system/0.12.0/data_stream/network/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.12.0/data_stream/network/fields/ecs.yml b/packages/system/0.12.0/data_stream/network/fields/ecs.yml deleted file mode 100755 index 9f3d04118b..0000000000 --- a/packages/system/0.12.0/data_stream/network/fields/ecs.yml +++ /dev/null 
@@ -1,128 +0,0 @@ -- name: '@timestamp' - level: core - required: true - type: date - description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. -- name: message - level: core - type: text - description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. -- name: group - title: Group - group: 2 - type: group - fields: - - name: id - level: extended - type: keyword - description: Unique identifier for the group on the system/platform. - ignore_above: 1024 - - name: name - level: extended - type: keyword - description: Name of the group. - ignore_above: 1024 -- name: host - title: Host - group: 2 - type: group - fields: - - name: hostname - level: core - type: keyword - description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - ignore_above: 1024 -- name: process - title: Process - group: 2 - type: group - fields: - - name: name - level: extended - type: keyword - description: |- - Process name. - Sometimes called program name or similar. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - - name: pid - level: core - type: long - format: string - description: Process id. -- name: source - title: Source - group: 2 - type: group - fields: - - name: geo.city_name - level: core - type: keyword - description: City name. 
- ignore_above: 1024 - - name: geo.continent_name - level: core - type: keyword - description: Name of the continent. - ignore_above: 1024 - - name: geo.country_iso_code - level: core - type: keyword - description: Country ISO code. - ignore_above: 1024 - - name: geo.location - level: core - type: geo_point - description: Longitude and latitude. - - name: geo.region_iso_code - level: core - type: keyword - description: Region ISO code. - ignore_above: 1024 - - name: geo.region_name - level: core - type: keyword - description: Region name. - ignore_above: 1024 - - name: ip - level: core - type: ip - description: IP address of the source (IPv4 or IPv6). - - name: port - level: core - type: long - format: string - description: Port of the source. -- name: user - title: User - group: 2 - type: group - fields: - - name: id - level: core - type: keyword - description: Unique identifier of the user. - ignore_above: 1024 - - name: name - level: core - type: keyword - description: Short name or login of the user. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false diff --git a/packages/system/0.12.0/data_stream/network/fields/fields.yml b/packages/system/0.12.0/data_stream/network/fields/fields.yml deleted file mode 100755 index a309d88ba0..0000000000 --- a/packages/system/0.12.0/data_stream/network/fields/fields.yml +++ /dev/null 
@@ -1,77 +0,0 @@ -- name: system.network - type: group - fields: - - name: name - type: keyword - description: | - The network interface name. - - name: out.bytes - type: long - format: bytes - unit: byte - metric_type: counter - description: | - The number of bytes sent. - - name: in.bytes - type: long - format: bytes - unit: byte - metric_type: counter - description: | - The number of bytes received. - - name: out.packets - type: long - metric_type: counter - description: | - The number of packets sent. - - name: in.packets - type: long - metric_type: counter - description: | - The number or packets received. - - name: in.errors - type: long - metric_type: counter - description: | - The number of errors while receiving. - - name: out.errors - type: long - metric_type: counter - description: | - The number of errors while sending. - - name: in.dropped - type: long - metric_type: counter - description: | - The number of incoming packets that were dropped. - - name: out.dropped - type: long - metric_type: counter - description: | - The number of outgoing packets that were dropped. This value is always 0 on Darwin and BSD because it is not reported by the operating system. -- name: host - type: group - fields: - - name: network.in.bytes - type: scaled_float - format: bytes - unit: byte - metric_type: counter - description: | - The number of bytes received on all network interfaces by the host in a given period of time. - - name: network.out.bytes - type: scaled_float - unit: byte - metric_type: counter - description: | - The number of bytes sent out on all network interfaces by the host in a given period of time. - - name: network.in.packets - type: scaled_float - metric_type: counter - description: | - The number of packets received on all network interfaces by the host in a given period of time. 
- - name: network.out.packets - type: scaled_float - metric_type: counter - description: | - The number of packets sent out on all network interfaces by the host in a given period of time. diff --git a/packages/system/0.12.0/data_stream/network/manifest.yml b/packages/system/0.12.0/data_stream/network/manifest.yml deleted file mode 100755 index b9878b3e64..0000000000 --- a/packages/system/0.12.0/data_stream/network/manifest.yml +++ /dev/null @@ -1,24 +0,0 @@ -title: System network metrics -release: experimental -type: metrics -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - - name: network.interfaces - type: text - title: Interfaces - multi: true - required: false - show_user: true - description: > - List of interfaces to monitor. Will monitor all by default. - - title: System network metrics - description: Collect System network metrics diff --git a/packages/system/0.12.0/data_stream/process/agent/stream/stream.yml.hbs b/packages/system/0.12.0/data_stream/process/agent/stream/stream.yml.hbs deleted file mode 100755 index ea51aa86f4..0000000000 --- a/packages/system/0.12.0/data_stream/process/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,19 +0,0 @@ -metricsets: ["process"] -period: {{period}} -process.include_top_n.by_cpu: {{process.include_top_n.by_cpu}} -process.include_top_n.by_memory: {{process.include_top_n.by_memory}} -process.cmdline.cache.enabled: {{process.cmdline.cache.enabled}} -process.cgroups.enabled: {{process.cgroups.enabled}} -process.include_cpu_ticks: {{process.include_cpu_ticks}} -{{#if process.env.whitelist}} -{{#each process.env.whitelist}} - - {{this}} -{{/each}} -{{/if}} -processes: -{{#each processes}} - - {{this}} -{{/each}} -{{#if system.hostfs}} -system.hostfs: {{system.hostfs}} -{{/if}} \ No newline at end of file 
diff --git a/packages/system/0.12.0/data_stream/process/fields/agent.yml b/packages/system/0.12.0/data_stream/process/fields/agent.yml deleted file mode 100755 index d5df59895a..0000000000 --- a/packages/system/0.12.0/data_stream/process/fields/agent.yml +++ /dev/null 
@@ -1,226 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: process - title: Process - group: 2 - description: Process metrics. 
- type: group - fields: - - name: state - type: keyword - description: > - The process state. For example: "running". - - - name: cpu.pct - type: scaled_float - format: percent - description: > - The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 1. - - - name: cpu.start_time - type: date - description: > - The time when the process was started. - - - name: memory.pct - type: scaled_float - format: percent - description: > - The percentage of memory the process occupied in main memory (RAM). - diff --git a/packages/system/0.12.0/data_stream/process/fields/base-fields.yml b/packages/system/0.12.0/data_stream/process/fields/base-fields.yml deleted file mode 100755 index 7c798f4534..0000000000 --- a/packages/system/0.12.0/data_stream/process/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.12.0/data_stream/process/fields/ecs.yml b/packages/system/0.12.0/data_stream/process/fields/ecs.yml deleted file mode 100755 index 7e409c1793..0000000000 --- a/packages/system/0.12.0/data_stream/process/fields/ecs.yml +++ /dev/null 
@@ -1,128 +0,0 @@ -- name: process - title: Process - group: 2 - type: group - fields: - - name: name - level: extended - type: keyword - description: |- - Process name. - Sometimes called program name or similar. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - - name: pgid - level: extended - type: long - format: string - description: Identifier of the group of processes the process belongs to. - - name: pid - level: core - type: long - format: string - description: Process id. - - name: ppid - level: extended - type: long - format: string - description: Parent process' pid. - - name: working_directory - level: extended - type: keyword - description: The working directory of the process. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false -- name: user - title: User - group: 2 - type: group - fields: - - name: name - level: core - type: keyword - description: Short name or login of the user. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. 
- - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: Type of host. diff --git a/packages/system/0.12.0/data_stream/process/fields/fields.yml b/packages/system/0.12.0/data_stream/process/fields/fields.yml deleted file mode 100755 index 4dc7b1aab2..0000000000 --- a/packages/system/0.12.0/data_stream/process/fields/fields.yml +++ /dev/null 
@@ -1,434 +0,0 @@ -- name: system.process - type: group - fields: - - name: state - type: keyword - description: | - The process state. For example: "running". - - name: cmdline - type: keyword - description: | - The full command-line used to start the process, including the arguments separated by space. - ignore_above: 2048 - - name: env - type: object - description: | - The environment variables used to start the process. The data is available on FreeBSD, Linux, and OS X. - - name: cpu - type: group - fields: - - name: user.ticks - type: long - metric_type: counter - description: | - The amount of CPU time the process spent in user space. - - name: total.value - type: long - metric_type: counter - description: | - The value of CPU usage since starting the process. - - name: total.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent by the process since the last update. Its value is similar to the %CPU value of the process displayed by the top command on Unix systems. - - name: total.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 100%. - - name: system.ticks - type: long - metric_type: counter - description: | - The amount of CPU time the process spent in kernel space. - - name: total.ticks - type: long - metric_type: counter - description: | - The total CPU time spent by the process. - - name: start_time - type: date - description: | - The time when the process was started. - - name: memory - type: group - fields: - - name: size - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The total virtual memory the process has. 
On Windows this represents the Commit Charge (the total amount of memory that the memory manager has committed for a running process) value in bytes for this process. - - name: rss.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The Resident Set Size. The amount of memory the process occupied in main memory (RAM). On Windows this represents the current working set size, in bytes. - - name: rss.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of memory the process occupied in main memory (RAM). - - name: share - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The shared memory the process uses. - - name: fd - type: group - fields: - - name: open - type: long - metric_type: gauge - description: The number of file descriptors open by the process. - - name: limit.soft - type: long - metric_type: gauge - description: | - The soft limit on the number of file descriptors opened by the process. The soft limit can be changed by the process at any time. - - name: limit.hard - type: long - metric_type: gauge - description: | - The hard limit on the number of file descriptors opened by the process. The hard limit can only be raised by root. - - name: cgroup - type: group - fields: - - name: id - type: keyword - description: | - The ID common to all cgroups associated with this task. If there isn't a common ID used by all cgroups this field will be absent. - - name: path - type: keyword - description: | - The path to the cgroup relative to the cgroup subsystem's mountpoint. If there isn't a common path used by all cgroups this field will be absent. - - name: cpu - type: group - fields: - - name: id - type: keyword - description: ID of the cgroup. - - name: path - type: keyword - description: | - Path to the cgroup relative to the cgroup subsystem's mountpoint. 
- - name: cfs.period.us - type: long - unit: micros - description: | - Period of time in microseconds for how regularly a cgroup's access to CPU resources should be reallocated. - - name: cfs.quota.us - type: long - unit: micros - description: | - Total amount of time in microseconds for which all tasks in a cgroup can run during one period (as defined by cfs.period.us). - - name: cfs.shares - type: long - description: | - An integer value that specifies a relative share of CPU time available to the tasks in a cgroup. The value specified in the cpu.shares file must be 2 or higher. - - name: rt.period.us - type: long - unit: micros - description: | - Period of time in microseconds for how regularly a cgroup's access to CPU resources is reallocated. - - name: rt.runtime.us - type: long - unit: micros - description: | - Period of time in microseconds for the longest continuous period in which the tasks in a cgroup have access to CPU resources. - - name: stats.periods - type: long - metric_type: counter - description: | - Number of period intervals (as specified in cpu.cfs.period.us) that have elapsed. - - name: stats.throttled.periods - type: long - metric_type: counter - description: | - Number of times tasks in a cgroup have been throttled (that is, not allowed to run because they have exhausted all of the available time as specified by their quota). - - name: stats.throttled.ns - type: long - metric_type: counter - unit: nanos - description: | - The total time duration (in nanoseconds) for which tasks in a cgroup have been throttled. - - name: cpuacct - type: group - fields: - - name: id - type: keyword - description: ID of the cgroup. - - name: path - type: keyword - description: | - Path to the cgroup relative to the cgroup subsystem's mountpoint. - - name: total.ns - type: long - metric_type: counter - unit: nanos - description: | - Total CPU time in nanoseconds consumed by all tasks in the cgroup. 
- - name: stats.user.ns - type: long - metric_type: counter - unit: nanos - description: CPU time consumed by tasks in user mode. - - name: stats.system.ns - type: long - metric_type: counter - unit: nanos - description: CPU time consumed by tasks in user (kernel) mode. - - name: percpu - type: object - description: | - CPU time (in nanoseconds) consumed on each CPU by all tasks in this cgroup. - - name: memory - type: group - fields: - - name: id - type: keyword - description: ID of the cgroup. - - name: path - type: keyword - description: | - Path to the cgroup relative to the cgroup subsystem's mountpoint. - - name: mem.usage.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total memory usage by processes in the cgroup (in bytes). - - name: mem.usage.max.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum memory used by processes in the cgroup (in bytes). - - name: mem.limit.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum amount of user memory in bytes (including file cache) that tasks in the cgroup are allowed to use. - - name: mem.failures - type: long - description: | - The number of times that the memory limit (mem.limit.bytes) was reached. - - name: memsw.usage.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The sum of current memory usage plus swap space used by processes in the cgroup (in bytes). - - name: memsw.usage.max.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum amount of memory and swap space used by processes in the cgroup (in bytes). - - name: memsw.limit.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum amount for the sum of memory and swap usage that tasks in the cgroup are allowed to use. 
- - name: memsw.failures - type: long - unit: byte - metric_type: gauge - description: | - The number of times that the memory plus swap space limit (memsw.limit.bytes) was reached. - - name: kmem.usage.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total kernel memory usage by processes in the cgroup (in bytes). - - name: kmem.usage.max.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum kernel memory used by processes in the cgroup (in bytes). - - name: kmem.limit.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum amount of kernel memory that tasks in the cgroup are allowed to use. - - name: kmem.failures - type: long - metric_type: counter - description: | - The number of times that the memory limit (kmem.limit.bytes) was reached. - - name: kmem_tcp.usage.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total memory usage for TCP buffers in bytes. - - name: kmem_tcp.usage.max.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum memory used for TCP buffers by processes in the cgroup (in bytes). - - name: kmem_tcp.limit.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum amount of memory for TCP buffers that tasks in the cgroup are allowed to use. - - name: kmem_tcp.failures - type: long - metric_type: counter - description: | - The number of times that the memory limit (kmem_tcp.limit.bytes) was reached. - - name: stats.active_anon.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Anonymous and swap cache on active least-recently-used (LRU) list, including tmpfs (shmem), in bytes. - - name: stats.active_file.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: File-backed memory on active LRU list, in bytes. 
- - name: stats.cache.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: Page cache, including tmpfs (shmem), in bytes. - - name: stats.hierarchical_memory_limit.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Memory limit for the hierarchy that contains the memory cgroup, in bytes. - - name: stats.hierarchical_memsw_limit.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Memory plus swap limit for the hierarchy that contains the memory cgroup, in bytes. - - name: stats.inactive_anon.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Anonymous and swap cache on inactive LRU list, including tmpfs (shmem), in bytes - - name: stats.inactive_file.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - File-backed memory on inactive LRU list, in bytes. - - name: stats.mapped_file.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Size of memory-mapped mapped files, including tmpfs (shmem), in bytes. - - name: stats.page_faults - type: long - metric_type: counter - description: | - Number of times that a process in the cgroup triggered a page fault. - - name: stats.major_page_faults - type: long - metric_type: counter - description: | - Number of times that a process in the cgroup triggered a major fault. "Major" faults happen when the kernel actually has to read the data from disk. - - name: stats.pages_in - type: long - metric_type: counter - description: | - Number of pages paged into memory. This is a counter. - - name: stats.pages_out - type: long - metric_type: counter - description: | - Number of pages paged out of memory. This is a counter. - - name: stats.rss.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Anonymous and swap cache (includes transparent hugepages), not including tmpfs (shmem), in bytes. 
- - name: stats.rss_huge.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Number of bytes of anonymous transparent hugepages. - - name: stats.swap.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Swap usage, in bytes. - - name: stats.unevictable.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Memory that cannot be reclaimed, in bytes. - - name: blkio - type: group - fields: - - name: id - type: keyword - description: ID of the cgroup. - - name: path - type: keyword - description: | - Path to the cgroup relative to the cgroup subsystems mountpoint. - - name: total.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total number of bytes transferred to and from all block devices by processes in the cgroup. - - name: total.ios - type: long - metric_type: counter - description: | - Total number of I/O operations performed on all devices by processes in the cgroup as seen by the throttling policy. diff --git a/packages/system/0.12.0/data_stream/process/manifest.yml b/packages/system/0.12.0/data_stream/process/manifest.yml deleted file mode 100755 index fd982eb931..0000000000 --- a/packages/system/0.12.0/data_stream/process/manifest.yml +++ /dev/null 
@@ -1,85 +0,0 @@ -title: System process metrics -release: experimental -type: metrics -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - - name: process.include_top_n.by_cpu - type: integer - title: Process Include Top N By Cpu - multi: false - required: true - show_user: true - default: 5 - description: > - Include the top N processes by CPU usage. - - - name: process.include_top_n.by_memory - type: integer - title: Process Include Top N By Memory - multi: false - required: true - show_user: true - default: 5 - description: > - Include the top N processes by memory usage. - - - name: process.cmdline.cache.enabled - type: bool - title: Enable cmdline cache - multi: false - required: false - show_user: true - default: true - description: > - If false, cmdline of a process is not cached. - - - name: process.cgroups.enabled - type: bool - title: Enable cgroup reporting - multi: false - required: false - show_user: true - default: false - description: > - Enable collection of cgroup metrics from processes on Linux. - - - name: process.env.whitelist - type: text - title: Env whitelist - multi: true - required: false - show_user: true - description: > - A list of regular expressions used to whitelist environment variables reported with the process metricset's events. Defaults to empty. - - - name: process.include_cpu_ticks - type: bool - title: Include CPU Ticks - multi: false - required: false - show_user: true - default: false - description: > - Include the cumulative CPU tick values with the process metrics. - - - name: processes - type: text - title: Processes - multi: true - required: true - show_user: true - description: > - A glob to match reported processes. By default all processes are reported. - - default: - - .* - title: System process metrics - description: Collect System process metrics 
diff --git a/packages/system/0.12.0/data_stream/process_summary/agent/stream/stream.yml.hbs b/packages/system/0.12.0/data_stream/process_summary/agent/stream/stream.yml.hbs
deleted file mode 100755
index 298d89ea60..0000000000
--- a/packages/system/0.12.0/data_stream/process_summary/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,5 +0,0 @@
-metricsets: ["process_summary"]
-period: {{period}}
-{{#if system.hostfs}}
-system.hostfs: {{system.hostfs}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/system/0.12.0/data_stream/process_summary/fields/agent.yml b/packages/system/0.12.0/data_stream/process_summary/fields/agent.yml
deleted file mode 100755
index da4e652c53..0000000000
--- a/packages/system/0.12.0/data_stream/process_summary/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.12.0/data_stream/process_summary/fields/base-fields.yml b/packages/system/0.12.0/data_stream/process_summary/fields/base-fields.yml
deleted file mode 100755
index 7c798f4534..0000000000
--- a/packages/system/0.12.0/data_stream/process_summary/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.12.0/data_stream/process_summary/fields/ecs.yml b/packages/system/0.12.0/data_stream/process_summary/fields/ecs.yml
deleted file mode 100755
index 9f3d04118b..0000000000
--- a/packages/system/0.12.0/data_stream/process_summary/fields/ecs.yml
+++ /dev/null
@@ -1,128 +0,0 @@ -- name: '@timestamp' - level: core - required: true - type: date - description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. -- name: message - level: core - type: text - description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. -- name: group - title: Group - group: 2 - type: group - fields: - - name: id - level: extended - type: keyword - description: Unique identifier for the group on the system/platform. - ignore_above: 1024 - - name: name - level: extended - type: keyword - description: Name of the group. - ignore_above: 1024 -- name: host - title: Host - group: 2 - type: group - fields: - - name: hostname - level: core - type: keyword - description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - ignore_above: 1024 -- name: process - title: Process - group: 2 - type: group - fields: - - name: name - level: extended - type: keyword - description: |- - Process name. - Sometimes called program name or similar. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - - name: pid - level: core - type: long - format: string - description: Process id. -- name: source - title: Source - group: 2 - type: group - fields: - - name: geo.city_name - level: core - type: keyword - description: City name. 
- ignore_above: 1024 - - name: geo.continent_name - level: core - type: keyword - description: Name of the continent. - ignore_above: 1024 - - name: geo.country_iso_code - level: core - type: keyword - description: Country ISO code. - ignore_above: 1024 - - name: geo.location - level: core - type: geo_point - description: Longitude and latitude. - - name: geo.region_iso_code - level: core - type: keyword - description: Region ISO code. - ignore_above: 1024 - - name: geo.region_name - level: core - type: keyword - description: Region name. - ignore_above: 1024 - - name: ip - level: core - type: ip - description: IP address of the source (IPv4 or IPv6). - - name: port - level: core - type: long - format: string - description: Port of the source. -- name: user - title: User - group: 2 - type: group - fields: - - name: id - level: core - type: keyword - description: Unique identifier of the user. - ignore_above: 1024 - - name: name - level: core - type: keyword - description: Short name or login of the user. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false diff --git a/packages/system/0.12.0/data_stream/process_summary/fields/fields.yml b/packages/system/0.12.0/data_stream/process_summary/fields/fields.yml deleted file mode 100755 index bc9254a2ae..0000000000 --- a/packages/system/0.12.0/data_stream/process_summary/fields/fields.yml +++ /dev/null 
@@ -1,44 +0,0 @@
-- name: system.process.summary
- title: Process Summary
- type: group
- fields:
- - name: total
- type: long
- metric_type: gauge
- description: |
- Total number of processes on this host.
- - name: running
- type: long
- metric_type: gauge
- description: |
- Number of running processes on this host.
- - name: idle
- type: long
- metric_type: gauge
- description: |
- Number of idle processes on this host.
- - name: sleeping
- type: long
- metric_type: gauge
- description: |
- Number of sleeping processes on this host.
- - name: stopped
- type: long
- metric_type: gauge
- description: |
- Number of stopped processes on this host.
- - name: zombie
- type: long
- metric_type: gauge
- description: |
- Number of zombie processes on this host.
- - name: dead
- type: long
- metric_type: gauge
- description: |
- Number of dead processes on this host. It's very unlikely that it will appear but in some special situations it may happen.
- - name: unknown
- type: long
- metric_type: gauge
- description: |
- Number of processes for which the state couldn't be retrieved or is unknown.
diff --git a/packages/system/0.12.0/data_stream/process_summary/manifest.yml b/packages/system/0.12.0/data_stream/process_summary/manifest.yml
deleted file mode 100755
index cd89d30b94..0000000000
--- a/packages/system/0.12.0/data_stream/process_summary/manifest.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-title: System process_summary metrics
-release: experimental
-type: metrics
-streams:
- - input: system/metrics
- vars:
- - name: period
- type: text
- title: Period
- multi: false
- required: true
- show_user: true
- default: 10s
- title: System process_summary metrics
- description: Collect System process_summary metrics
diff --git a/packages/system/0.12.0/data_stream/security/agent/stream/httpjson.yml.hbs b/packages/system/0.12.0/data_stream/security/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index 85cc4e5cd9..0000000000
--- a/packages/system/0.12.0/data_stream/security/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,2620 +0,0 @@ -config_version: "2" -interval: {{interval}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: |- - {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -response.decode_as: application/x-ndjson -tags: -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains tags "forwarded"}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: - - decode_json_fields: - fields: message - target: json - add_error_key: true - - drop_event: - when: - not: - has_fields: ['json.result'] - - fingerprint: - fields: - - json.result._cd - - json.result._indextime - - json.result._raw - - json.result._time - - json.result.host - - json.result.source - target_field: "@metadata._id" - - drop_fields: - fields: message - - rename: - fields: - - from: json.result._raw - to: event.original - - from: json.result.host - to: host.name - - from: json.result.source - to: event.provider - ignore_missing: true - fail_on_error: false - - drop_fields: - fields: json - - decode_xml: - field: event.original - target_field: winlog - schema: wineventlog - ignore_missing: true - ignore_failure: true - - timestamp: - field: winlog.time_created - layouts: - - '2006-01-02T15:04:05Z' - - '2006-01-02T15:04:05.999Z' - - '2006-01-02T15:04:05.999-07:00' - test: - - '2019-06-22T16:33:51Z' - - '2019-11-18T04:59:51.123Z' - - '2020-08-03T07:10:20.123456+02:00' - 
- add_fields: - target: '' - fields: - ecs.version: 1.8.0 - - script: - lang: javascript - id: security - source: |- - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - var security = (function () { - var path = require("path"); - var processor = require("processor"); - var windows = require("windows"); - // Logon Types - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events - var logonTypes = { - "2": "Interactive", - "3": "Network", - "4": "Batch", - "5": "Service", - "7": "Unlock", - "8": "NetworkCleartext", - "9": "NewCredentials", - "10": "RemoteInteractive", - "11": "CachedInteractive", - }; - // User Account Control Attributes Table - // https://support.microsoft.com/es-us/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties - var uacFlags = [ - [0x0001, 'SCRIPT'], - [0x0002, 'ACCOUNTDISABLE'], - [0x0008, 'HOMEDIR_REQUIRED'], - [0x0010, 'LOCKOUT'], - [0x0020, 'PASSWD_NOTREQD'], - [0x0040, 'PASSWD_CANT_CHANGE'], - [0x0080, 'ENCRYPTED_TEXT_PWD_ALLOWED'], - [0x0100, 'TEMP_DUPLICATE_ACCOUNT'], - [0x0200, 'NORMAL_ACCOUNT'], - [0x0800, 'INTERDOMAIN_TRUST_ACCOUNT'], - [0x1000, 'WORKSTATION_TRUST_ACCOUNT'], - [0x2000, 'SERVER_TRUST_ACCOUNT'], - [0x10000, 'DONT_EXPIRE_PASSWORD'], - [0x20000, 'MNS_LOGON_ACCOUNT'], - [0x40000, 'SMARTCARD_REQUIRED'], - [0x80000, 'TRUSTED_FOR_DELEGATION'], - [0x100000, 'NOT_DELEGATED'], - [0x200000, 'USE_DES_KEY_ONLY'], - [0x400000, 'DONT_REQ_PREAUTH'], - [0x800000, 'PASSWORD_EXPIRED'], - [0x1000000, 'TRUSTED_TO_AUTH_FOR_DELEGATION'], - [0x04000000, 'PARTIAL_SECRETS_ACCOUNT'], - ]; - // Kerberos TGT and TGS Ticket Options - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - // 
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769 - var ticketOptions = [ - "Reserved", - "Forwardable", - "Forwarded", - "Proxiable", - "Proxy", - "Allow-postdate", - "Postdated", - "Invalid", - "Renewable", - "Initial", - "Pre-authent", - "Opt-hardware-auth", - "Transited-policy-checked", - "Ok-as-delegate", - "Request-anonymous", - "Name-canonicalize", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Disable-transited-check", - "Renewable-ok", - "Enc-tkt-in-skey", - "Unused", - "Renew", - "Validate"]; - // Kerberos Encryption Types - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - var ticketEncryptionTypes = { - "0x1": "DES-CBC-CRC", - "0x3": "DES-CBC-MD5", - "0x11": "AES128-CTS-HMAC-SHA1-96", - "0x12": "AES256-CTS-HMAC-SHA1-96", - "0x17": "RC4-HMAC", - "0x18": "RC4-HMAC-EXP", - "0xffffffff": "FAIL", - }; - // Kerberos Result Status Codes - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - var kerberosTktStatusCodes = { - "0x0": "KDC_ERR_NONE", - "0x1": "KDC_ERR_NAME_EXP", - "0x2": "KDC_ERR_SERVICE_EXP", - "0x3": "KDC_ERR_BAD_PVNO", - "0x4": "KDC_ERR_C_OLD_MAST_KVNO", - "0x5": "KDC_ERR_S_OLD_MAST_KVNO", - "0x6": "KDC_ERR_C_PRINCIPAL_UNKNOWN", - "0x7": "KDC_ERR_S_PRINCIPAL_UNKNOWN", - "0x8": "KDC_ERR_PRINCIPAL_NOT_UNIQUE", - "0x9": "KDC_ERR_NULL_KEY", - "0xA": "KDC_ERR_CANNOT_POSTDATE", - "0xB": "KDC_ERR_NEVER_VALID", - "0xC": "KDC_ERR_POLICY", - "0xD": "KDC_ERR_BADOPTION", - "0xE": "KDC_ERR_ETYPE_NOTSUPP", - "0xF": "KDC_ERR_SUMTYPE_NOSUPP", - "0x10": "KDC_ERR_PADATA_TYPE_NOSUPP", - "0x11": "KDC_ERR_TRTYPE_NO_SUPP", - "0x12": "KDC_ERR_CLIENT_REVOKED", - "0x13": 
"KDC_ERR_SERVICE_REVOKED", - "0x14": "KDC_ERR_TGT_REVOKED", - "0x15": "KDC_ERR_CLIENT_NOTYET", - "0x16": "KDC_ERR_SERVICE_NOTYET", - "0x17": "KDC_ERR_KEY_EXPIRED", - "0x18": "KDC_ERR_PREAUTH_FAILED", - "0x19": "KDC_ERR_PREAUTH_REQUIRED", - "0x1A": "KDC_ERR_SERVER_NOMATCH", - "0x1B": "KDC_ERR_MUST_USE_USER2USER", - "0x1F": "KRB_AP_ERR_BAD_INTEGRITY", - "0x20": "KRB_AP_ERR_TKT_EXPIRED", - "0x21": "KRB_AP_ERR_TKT_NYV", - "0x22": "KRB_AP_ERR_REPEAT", - "0x23": "KRB_AP_ERR_NOT_US", - "0x24": "KRB_AP_ERR_BADMATCH", - "0x25": "KRB_AP_ERR_SKEW", - "0x26": "KRB_AP_ERR_BADADDR", - "0x27": "KRB_AP_ERR_BADVERSION", - "0x28": "KRB_AP_ERR_MSG_TYPE", - "0x29": "KRB_AP_ERR_MODIFIED", - "0x2A": "KRB_AP_ERR_BADORDER", - "0x2C": "KRB_AP_ERR_BADKEYVER", - "0x2D": "KRB_AP_ERR_NOKEY", - "0x2E": "KRB_AP_ERR_MUT_FAIL", - "0x2F": "KRB_AP_ERR_BADDIRECTION", - "0x30": "KRB_AP_ERR_METHOD", - "0x31": "KRB_AP_ERR_BADSEQ", - "0x32": "KRB_AP_ERR_INAPP_CKSUM", - "0x33": "KRB_AP_PATH_NOT_ACCEPTED", - "0x34": "KRB_ERR_RESPONSE_TOO_BIG", - "0x3C": "KRB_ERR_GENERIC", - "0x3D": "KRB_ERR_FIELD_TOOLONG", - "0x3E": "KDC_ERR_CLIENT_NOT_TRUSTED", - "0x3F": "KDC_ERR_KDC_NOT_TRUSTED", - "0x40": "KDC_ERR_INVALID_SIG", - "0x41": "KDC_ERR_KEY_TOO_WEAK", - "0x42": "KRB_AP_ERR_USER_TO_USER_REQUIRED", - "0x43": "KRB_AP_ERR_NO_TGT", - "0x44": "KDC_ERR_WRONG_REALM", - }; - // event.category, event.type, event.action - var eventActionTypes = { - "1100": [["process"], ["end"], "logging-service-shutdown"], - "1102": [["iam"], ["admin", "change"], "audit-log-cleared"], // need to recategorize - "1104": [["iam"], ["admin"],"logging-full"], - "1105": [["iam"], ["admin"],"auditlog-archieved"], - "1108": [["iam"], ["admin"],"logging-processing-error"], - "4610": [["configuration"], ["access"], "authentication-package-loaded"], - "4611": [["configuration"], ["change"], "trusted-logon-process-registered"], - "4614": [["configuration"], ["access"], "notification-package-loaded"], - "4616": [["configuration"], ["change"], 
"system-time-changed"], - "4622": [["configuration"], ["access"], "security-package-loaded"], - "4624": [["authentication"], ["start"], "logged-in"], - "4625": [["authentication"], ["start"], "logon-failed"], - "4634": [["authentication"], ["end"], "logged-out"], - "4647": [["authentication"], ["end"], "logged-out"], - "4648": [["authentication"], ["start"], "logged-in-explicit"], - "4657": [["registry", "configuration"], ["change"], "registry-value-modified"], - "4670": [["iam", "configuration"],["admin", "change"],"permissions-changed"], - "4672": [["iam"], ["admin"], "logged-in-special"], - "4673": [["iam"], ["admin"], "privileged-service-called"], - "4674": [["iam"], ["admin"], "privileged-operation"], - "4688": [["process"], ["start"], "created-process"], - "4689": [["process"], ["end"], "exited-process"], - "4697": [["iam", "configuration"], ["admin", "change"],"service-installed"], // remove iam and admin - "4698": [["iam", "configuration"], ["creation", "admin"], "scheduled-task-created"], // remove iam and admin - "4699": [["iam", "configuration"], ["deletion", "admin"], "scheduled-task-deleted"], // remove iam and admin - "4700": [["iam", "configuration"], ["change", "admin"], "scheduled-task-enabled"], // remove iam and admin - "4701": [["iam", "configuration"], ["change", "admin"], "scheduled-task-disabled"], // remove iam and admin - "4702": [["iam", "configuration"], ["change", "admin"], "scheduled-task-updated"], // remove iam and admin - "4706": [["configuration"], ["creation"], "domain-trust-added"], - "4707": [["configuration"], ["deletion"], "domain-trust-removed"], - "4713": [["configuration"], ["change"], "kerberos-policy-changed"], - "4714": [["configuration"], ["change"], "encrypted-data-recovery-policy-changed"], - "4715": [["configuration"], ["change"], "object-audit-policy-changed"], - "4716": [["configuration"], ["change"], "trusted-domain-information-changed"], - "4717": [["iam", "configuration"],["admin", 
"change"],"system-security-access-granted"],
- "4718": [["iam", "configuration"],["admin", "deletion"],"system-security-access-removed"],
- "4719": [["iam", "configuration"], ["admin", "change"], "changed-audit-config"], // remove iam and admin
- "4720": [["iam"], ["user", "creation"], "added-user-account"],
- "4722": [["iam"], ["user", "change"], "enabled-user-account"],
- "4723": [["iam"], ["user", "change"], "changed-password"],
- "4724": [["iam"], ["user", "change"], "reset-password"],
- "4725": [["iam"], ["user", "deletion"], "disabled-user-account"],
- "4726": [["iam"], ["user", "deletion"], "deleted-user-account"],
- "4727": [["iam"], ["group", "creation"], "added-group-account"],
- "4728": [["iam"], ["group", "change"], "added-member-to-group"],
- "4729": [["iam"], ["group", "change"], "removed-member-from-group"],
- "4730": [["iam"], ["group", "deletion"], "deleted-group-account"],
- "4731": [["iam"], ["group", "creation"], "added-group-account"],
- "4732": [["iam"], ["group", "change"], "added-member-to-group"],
- "4733": [["iam"], ["group", "change"], "removed-member-from-group"],
- "4734": [["iam"], ["group", "deletion"], "deleted-group-account"],
- "4735": [["iam"], ["group", "change"], "modified-group-account"],
- "4737": [["iam"], ["group", "change"], "modified-group-account"],
- "4738": [["iam"], ["user", "change"], "modified-user-account"],
- "4739": [["configuration"], ["change"], "domain-policy-changed"],
- "4740": [["iam"], ["user", "change"], "locked-out-user-account"],
- "4741": [["iam"], ["creation", "admin"], "added-computer-account"], // remove admin
- "4742": [["iam"], ["change", "admin"], "changed-computer-account"], // remove admin
- "4743": [["iam"], ["deletion", "admin"], "deleted-computer-account"], // remove admin
- "4744": [["iam"], ["group", "creation"], "added-distribution-group-account"],
- "4745": [["iam"], ["group", "change"], "changed-distribution-group-account"],
- "4746": [["iam"], ["group", "change"], "added-member-to-distribution-group"],
- "4747": [["iam"], ["group", "change"], "removed-member-from-distribution-group"],
- "4748": [["iam"], ["group", "deletion"], "deleted-distribution-group-account"],
- "4749": [["iam"], ["group", "creation"], "added-distribution-group-account"],
- "4750": [["iam"], ["group", "change"], "changed-distribution-group-account"],
- "4751": [["iam"], ["group", "change"], "added-member-to-distribution-group"],
- "4752": [["iam"], ["group", "change"], "removed-member-from-distribution-group"],
- "4753": [["iam"], ["group", "deletion"], "deleted-distribution-group-account"],
- "4754": [["iam"], ["group", "creation"], "added-group-account"],
- "4755": [["iam"], ["group", "change"], "modified-group-account"],
- "4756": [["iam"], ["group", "change"], "added-member-to-group"],
- "4757": [["iam"], ["group", "change"], "removed-member-from-group"],
- "4758": [["iam"], ["group", "deletion"], "deleted-group-account"],
- "4759": [["iam"], ["group", "creation"], "added-distribution-group-account"],
- "4760": [["iam"], ["group", "change"], "changed-distribution-group-account"],
- "4761": [["iam"], ["group", "change"], "added-member-to-distribution-group"],
- "4762": [["iam"], ["group", "change"], "removed-member-from-distribution-group"],
- "4763": [["iam"], ["group", "deletion"], "deleted-distribution-group-account"],
- "4764": [["iam"], ["group", "change"], "type-changed-group-account"],
- "4767": [["iam"], ["user", "change"], "unlocked-user-account"],
- "4768": [["authentication"], ["start"], "kerberos-authentication-ticket-requested"],
- "4769": [["authentication"], ["start"], "kerberos-service-ticket-requested"],
- "4770": [["authentication"], ["start"], "kerberos-service-ticket-renewed"],
- "4771": [["authentication"], ["start"], "kerberos-preauth-failed"],
- "4776": [["authentication"], ["start"], "credential-validated"],
- "4778": [["authentication", "session"], ["start"], "session-reconnected"],
- "4779": [["authentication", "session"], ["end"], "session-disconnected"],
- "4781": [["iam"], ["user", "change"], "renamed-user-account"],
- "4798": [["iam"], ["user", "info"], "group-membership-enumerated"], // process enumerates the local groups to which the specified user belongs
- "4799": [["iam"], ["group", "info"], "user-member-enumerated"], // a process enumerates the members of the specified local group
- "4817": [["iam", "configuration"], ["admin", "change"],"object-audit-changed"],
- "4902": [["iam", "configuration"], ["admin", "creation"],"user-audit-policy-created"],
- "4904": [["iam", "configuration"], ["admin", "change"],"security-event-source-added"],
- "4905": [["iam", "configuration"], ["admin", "deletion"], "security-event-source-removed"],
- "4906": [["iam", "configuration"], ["admin", "change"], "crash-on-audit-changed"],
- "4907": [["iam", "configuration"], ["admin", "change"], "audit-setting-changed"],
- "4908": [["iam", "configuration"], ["admin", "change"], "special-group-table-changed"],
- "4912": [["iam", "configuration"], ["admin", "change"], "per-user-audit-policy-changed"],
- "4950": [["configuration"], ["change"], "windows-firewall-setting-changed"],
- "4954": [["configuration"], ["change"], "windows-firewall-group-policy-changed"],
- "4964": [["iam"], ["admin", "group"], "logged-in-special"],
- "5024": [["process"], ["start"], "windows-firewall-service-started"],
- "5025": [["process"], ["end"], "windows-firewall-service-stopped"],
- "5033": [["driver"], ["start"], "windows-firewall-driver-started"],
- "5034": [["driver"], ["end"], "windows-firewall-driver-stopped"],
- "5037": [["driver"], ["end"], "windows-firewall-driver-error"],
- };
- // Services Types
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697
- var serviceTypes = {
- "0x1": "Kernel Driver",
- "0x2": "File System Driver",
- "0x8": "Recognizer Driver",
- "0x10": "Win32 Own Process",
- "0x20": "Win32 Share Process",
- "0x110": "Interactive Own Process",
- "0x120": "Interactive Share Process",
- };
- // Audit Categories Description
- // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpac/77878370-0712-47cd-997d-b07053429f6d
- var auditDescription = {
- "0CCE9210-69AE-11D9-BED3-505054503030":["Security State Change", "System"],
- "0CCE9211-69AE-11D9-BED3-505054503030":["Security System Extension", "System"],
- "0CCE9212-69AE-11D9-BED3-505054503030":["System Integrity", "System"],
- "0CCE9213-69AE-11D9-BED3-505054503030":["IPsec Driver", "System"],
- "0CCE9214-69AE-11D9-BED3-505054503030":["Other System Events", "System"],
- "0CCE9215-69AE-11D9-BED3-505054503030":["Logon", "Logon/Logoff"],
- "0CCE9216-69AE-11D9-BED3-505054503030":["Logoff","Logon/Logoff"],
- "0CCE9217-69AE-11D9-BED3-505054503030":["Account Lockout","Logon/Logoff"],
- "0CCE9218-69AE-11D9-BED3-505054503030":["IPsec Main Mode","Logon/Logoff"],
- "0CCE9219-69AE-11D9-BED3-505054503030":["IPsec Quick Mode","Logon/Logoff"],
- "0CCE921A-69AE-11D9-BED3-505054503030":["IPsec Extended Mode","Logon/Logoff"],
- "0CCE921B-69AE-11D9-BED3-505054503030":["Special Logon","Logon/Logoff"],
- "0CCE921C-69AE-11D9-BED3-505054503030":["Other Logon/Logoff Events","Logon/Logoff"],
- "0CCE9243-69AE-11D9-BED3-505054503030":["Network Policy Server","Logon/Logoff"],
- "0CCE9247-69AE-11D9-BED3-505054503030":["User / Device Claims","Logon/Logoff"],
- "0CCE921D-69AE-11D9-BED3-505054503030":["File System","Object Access"],
- "0CCE921E-69AE-11D9-BED3-505054503030":["Registry","Object Access"],
- "0CCE921F-69AE-11D9-BED3-505054503030":["Kernel Object","Object Access"],
- "0CCE9220-69AE-11D9-BED3-505054503030":["SAM","Object Access"],
- "0CCE9221-69AE-11D9-BED3-505054503030":["Certification Services","Object Access"],
- "0CCE9222-69AE-11D9-BED3-505054503030":["Application Generated","Object Access"],
- "0CCE9223-69AE-11D9-BED3-505054503030":["Handle Manipulation","Object Access"],
- "0CCE9224-69AE-11D9-BED3-505054503030":["File Share","Object Access"],
- "0CCE9225-69AE-11D9-BED3-505054503030":["Filtering Platform Packet Drop","Object Access"],
- "0CCE9226-69AE-11D9-BED3-505054503030":["Filtering Platform Connection ","Object Access"],
- "0CCE9227-69AE-11D9-BED3-505054503030":["Other Object Access Events","Object Access"],
- "0CCE9244-69AE-11D9-BED3-505054503030":["Detailed File Share","Object Access"],
- "0CCE9245-69AE-11D9-BED3-505054503030":["Removable Storage","Object Access"],
- "0CCE9246-69AE-11D9-BED3-505054503030":["Central Policy Staging","Object Access"],
- "0CCE9228-69AE-11D9-BED3-505054503030":["Sensitive Privilege Use","Privilege Use"],
- "0CCE9229-69AE-11D9-BED3-505054503030":["Non Sensitive Privilege Use","Privilege Use"],
- "0CCE922A-69AE-11D9-BED3-505054503030":["Other Privilege Use Events","Privilege Use"],
- "0CCE922B-69AE-11D9-BED3-505054503030":["Process Creation","Detailed Tracking"],
- "0CCE922C-69AE-11D9-BED3-505054503030":["Process Termination","Detailed Tracking"],
- "0CCE922D-69AE-11D9-BED3-505054503030":["DPAPI Activity","Detailed Tracking"],
- "0CCE922E-69AE-11D9-BED3-505054503030":["RPC Events","Detailed Tracking"],
- "0CCE9248-69AE-11D9-BED3-505054503030":["Plug and Play Events","Detailed Tracking"],
- "0CCE922F-69AE-11D9-BED3-505054503030":["Audit Policy Change","Policy Change"],
- "0CCE9230-69AE-11D9-BED3-505054503030":["Authentication Policy Change","Policy Change"],
- "0CCE9231-69AE-11D9-BED3-505054503030":["Authorization Policy Change","Policy Change"],
- "0CCE9232-69AE-11D9-BED3-505054503030":["MPSSVC Rule-Level Policy Change","Policy Change"],
- "0CCE9233-69AE-11D9-BED3-505054503030":["Filtering Platform Policy Change","Policy Change"],
- "0CCE9234-69AE-11D9-BED3-505054503030":["Other Policy Change Events","Policy Change"],
- "0CCE9235-69AE-11D9-BED3-505054503030":["User Account Management","Account Management"],
- "0CCE9236-69AE-11D9-BED3-505054503030":["Computer Account Management","Account Management"],
- "0CCE9237-69AE-11D9-BED3-505054503030":["Security Group Management","Account Management"],
- "0CCE9238-69AE-11D9-BED3-505054503030":["Distribution Group Management","Account Management"],
- "0CCE9239-69AE-11D9-BED3-505054503030":["Application Group Management","Account Management"],
- "0CCE923A-69AE-11D9-BED3-505054503030":["Other Account Management Events","Account Management"],
- "0CCE923B-69AE-11D9-BED3-505054503030":["Directory Service Access","Account Management"],
- "0CCE923C-69AE-11D9-BED3-505054503030":["Directory Service Changes","Account Management"],
- "0CCE923D-69AE-11D9-BED3-505054503030":["Directory Service Replication","Account Management"],
- "0CCE923E-69AE-11D9-BED3-505054503030":["Detailed Directory Service Replication","Account Management"],
- "0CCE923F-69AE-11D9-BED3-505054503030":["Credential Validation","Account Logon"],
- "0CCE9240-69AE-11D9-BED3-505054503030":["Kerberos Service Ticket Operations","Account Logon"],
- "0CCE9241-69AE-11D9-BED3-505054503030":["Other Account Logon Events","Account Logon"],
- "0CCE9242-69AE-11D9-BED3-505054503030":["Kerberos Authentication Service","Account Logon"],
- };
- // Descriptions of failure status codes.
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776
- var logonFailureStatus = {
- "0xc000005e": "There are currently no logon servers available to service the logon request.",
- "0xc0000064": "User logon with misspelled or bad user account",
- "0xc000006a": "User logon with misspelled or bad password",
- "0xc000006d": "This is either due to a bad username or authentication information",
- "0xc000006e": "Unknown user name or bad password.",
- "0xc000006f": "User logon outside authorized hours",
- "0xc0000070": "User logon from unauthorized workstation",
- "0xc0000071": "User logon with expired password",
- "0xc0000072": "User logon to account disabled by administrator",
- "0xc00000dc": "Indicates the Sam Server was in the wrong state to perform the desired operation.",
- "0xc0000133": "Clocks between DC and other computer too far out of sync",
- "0xc000015b": "The user has not been granted the requested logon type (aka logon right) at this machine",
- "0xc000018c": "The logon request failed because the trust relationship between the primary domain and the trusted domain failed.",
- "0xc0000192": "An attempt was made to logon, but the Netlogon service was not started.",
- "0xc0000193": "User logon with expired account",
- "0xc0000224": "User is required to change password at next logon",
- "0xc0000225": "Evidently a bug in Windows and not a risk",
- "0xc0000234": "User logon with account locked",
- "0xc00002ee": "Failure Reason: An Error occurred during Logon",
- "0xc0000413": "Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine.",
- "0xc0000371": "The local account store does not contain secret material for the specified account",
- "0x0": "Status OK.",
- };
- // Message table extracted from msobjs.dll on Windows 2019.
- // https://gist.github.com/andrewkroh/665dca0682bd0e4daf194ab291694012 - var msobjsMessageTable = { - "279": "Undefined Access (no effect) Bit 7", - "1536": "Unused message ID", - "1537": "DELETE", - "1538": "READ_CONTROL", - "1539": "WRITE_DAC", - "1540": "WRITE_OWNER", - "1541": "SYNCHRONIZE", - "1542": "ACCESS_SYS_SEC", - "1543": "MAX_ALLOWED", - "1552": "Unknown specific access (bit 0)", - "1553": "Unknown specific access (bit 1)", - "1554": "Unknown specific access (bit 2)", - "1555": "Unknown specific access (bit 3)", - "1556": "Unknown specific access (bit 4)", - "1557": "Unknown specific access (bit 5)", - "1558": "Unknown specific access (bit 6)", - "1559": "Unknown specific access (bit 7)", - "1560": "Unknown specific access (bit 8)", - "1561": "Unknown specific access (bit 9)", - "1562": "Unknown specific access (bit 10)", - "1563": "Unknown specific access (bit 11)", - "1564": "Unknown specific access (bit 12)", - "1565": "Unknown specific access (bit 13)", - "1566": "Unknown specific access (bit 14)", - "1567": "Unknown specific access (bit 15)", - "1601": "Not used", - "1603": "Assign Primary Token Privilege", - "1604": "Lock Memory Privilege", - "1605": "Increase Memory Quota Privilege", - "1606": "Unsolicited Input Privilege", - "1607": "Trusted Computer Base Privilege", - "1608": "Security Privilege", - "1609": "Take Ownership Privilege", - "1610": "Load/Unload Driver Privilege", - "1611": "Profile System Privilege", - "1612": "Set System Time Privilege", - "1613": "Profile Single Process Privilege", - "1614": "Increment Base Priority Privilege", - "1615": "Create Pagefile Privilege", - "1616": "Create Permanent Object Privilege", - "1617": "Backup Privilege", - "1618": "Restore From Backup Privilege", - "1619": "Shutdown System Privilege", - "1620": "Debug Privilege", - "1621": "View or Change Audit Log Privilege", - "1622": "Change Hardware Environment Privilege", - "1623": "Change Notify (and Traverse) Privilege", - "1624": "Remotely Shut 
System Down Privilege", - "1792": "", - "1794": "", - "1795": "Enabled", - "1796": "Disabled", - "1797": "All", - "1798": "None", - "1799": "Audit Policy query/set API Operation", - "1800": "", - "1801": "Granted by", - "1802": "Denied by", - "1803": "Denied by Integrity Policy check", - "1804": "Granted by Ownership", - "1805": "Not granted", - "1806": "Granted by NULL DACL", - "1807": "Denied by Empty DACL", - "1808": "Granted by NULL Security Descriptor", - "1809": "Unknown or unchecked", - "1810": "Not granted due to missing", - "1811": "Granted by ACE on parent folder", - "1812": "Denied by ACE on parent folder", - "1813": "Granted by Central Access Rule", - "1814": "NOT Granted by Central Access Rule", - "1815": "Granted by parent folder's Central Access Rule", - "1816": "NOT Granted by parent folder's Central Access Rule", - "1817": "Unknown Type", - "1818": "String", - "1819": "Unsigned 64-bit Integer", - "1820": "64-bit Integer", - "1821": "FQBN", - "1822": "Blob", - "1823": "Sid", - "1824": "Boolean", - "1825": "TRUE", - "1826": "FALSE", - "1827": "Invalid", - "1828": "an ACE too long to display", - "1829": "a Security Descriptor too long to display", - "1830": "Not granted to AppContainers", - "1831": "...", - "1832": "Identification", - "1833": "Impersonation", - "1840": "Delegation", - "1841": "Denied by Process Trust Label ACE", - "1842": "Yes", - "1843": "No", - "1844": "System", - "1845": "Not Available", - "1846": "Default", - "1847": "DisallowMmConfig", - "1848": "Off", - "1849": "Auto", - "1872": "REG_NONE", - "1873": "REG_SZ", - "1874": "REG_EXPAND_SZ", - "1875": "REG_BINARY", - "1876": "REG_DWORD", - "1877": "REG_DWORD_BIG_ENDIAN", - "1878": "REG_LINK", - "1879": "REG_MULTI_SZ (New lines are replaced with *. 
A * is replaced with **)", - "1880": "REG_RESOURCE_LIST", - "1881": "REG_FULL_RESOURCE_DESCRIPTOR", - "1882": "REG_RESOURCE_REQUIREMENTS_LIST", - "1883": "REG_QWORD", - "1904": "New registry value created", - "1905": "Existing registry value modified", - "1906": "Registry value deleted", - "1920": "Sunday", - "1921": "Monday", - "1922": "Tuesday", - "1923": "Wednesday", - "1924": "Thursday", - "1925": "Friday", - "1926": "Saturday", - "1936": "TokenElevationTypeDefault (1)", - "1937": "TokenElevationTypeFull (2)", - "1938": "TokenElevationTypeLimited (3)", - "2048": "Account Enabled", - "2049": "Home Directory Required' - Disabled", - "2050": "Password Not Required' - Disabled", - "2051": "Temp Duplicate Account' - Disabled", - "2052": "Normal Account' - Disabled", - "2053": "MNS Logon Account' - Disabled", - "2054": "Interdomain Trust Account' - Disabled", - "2055": "Workstation Trust Account' - Disabled", - "2056": "Server Trust Account' - Disabled", - "2057": "Don't Expire Password' - Disabled", - "2058": "Account Unlocked", - "2059": "Encrypted Text Password Allowed' - Disabled", - "2060": "Smartcard Required' - Disabled", - "2061": "Trusted For Delegation' - Disabled", - "2062": "Not Delegated' - Disabled", - "2063": "Use DES Key Only' - Disabled", - "2064": "Don't Require Preauth' - Disabled", - "2065": "Password Expired' - Disabled", - "2066": "Trusted To Authenticate For Delegation' - Disabled", - "2067": "Exclude Authorization Information' - Disabled", - "2068": "Undefined UserAccountControl Bit 20' - Disabled", - "2069": "Protect Kerberos Service Tickets with AES Keys' - Disabled", - "2070": "Undefined UserAccountControl Bit 22' - Disabled", - "2071": "Undefined UserAccountControl Bit 23' - Disabled", - "2072": "Undefined UserAccountControl Bit 24' - Disabled", - "2073": "Undefined UserAccountControl Bit 25' - Disabled", - "2074": "Undefined UserAccountControl Bit 26' - Disabled", - "2075": "Undefined UserAccountControl Bit 27' - Disabled", - "2076": 
"Undefined UserAccountControl Bit 28' - Disabled", - "2077": "Undefined UserAccountControl Bit 29' - Disabled", - "2078": "Undefined UserAccountControl Bit 30' - Disabled", - "2079": "Undefined UserAccountControl Bit 31' - Disabled", - "2080": "Account Disabled", - "2081": "Home Directory Required' - Enabled", - "2082": "Password Not Required' - Enabled", - "2083": "Temp Duplicate Account' - Enabled", - "2084": "Normal Account' - Enabled", - "2085": "MNS Logon Account' - Enabled", - "2086": "Interdomain Trust Account' - Enabled", - "2087": "Workstation Trust Account' - Enabled", - "2088": "Server Trust Account' - Enabled", - "2089": "Don't Expire Password' - Enabled", - "2090": "Account Locked", - "2091": "Encrypted Text Password Allowed' - Enabled", - "2092": "Smartcard Required' - Enabled", - "2093": "Trusted For Delegation' - Enabled", - "2094": "Not Delegated' - Enabled", - "2095": "Use DES Key Only' - Enabled", - "2096": "Don't Require Preauth' - Enabled", - "2097": "Password Expired' - Enabled", - "2098": "Trusted To Authenticate For Delegation' - Enabled", - "2099": "Exclude Authorization Information' - Enabled", - "2100": "Undefined UserAccountControl Bit 20' - Enabled", - "2101": "Protect Kerberos Service Tickets with AES Keys' - Enabled", - "2102": "Undefined UserAccountControl Bit 22' - Enabled", - "2103": "Undefined UserAccountControl Bit 23' - Enabled", - "2104": "Undefined UserAccountControl Bit 24' - Enabled", - "2105": "Undefined UserAccountControl Bit 25' - Enabled", - "2106": "Undefined UserAccountControl Bit 26' - Enabled", - "2107": "Undefined UserAccountControl Bit 27' - Enabled", - "2108": "Undefined UserAccountControl Bit 28' - Enabled", - "2109": "Undefined UserAccountControl Bit 29' - Enabled", - "2110": "Undefined UserAccountControl Bit 30' - Enabled", - "2111": "Undefined UserAccountControl Bit 31' - Enabled", - "2304": "An Error occured during Logon.", - "2305": "The specified user account has expired.", - "2306": "The NetLogon component 
is not active.", - "2307": "Account locked out.", - "2308": "The user has not been granted the requested logon type at this machine.", - "2309": "The specified account's password has expired.", - "2310": "Account currently disabled.", - "2311": "Account logon time restriction violation.", - "2312": "User not allowed to logon at this computer.", - "2313": "Unknown user name or bad password.", - "2314": "Domain sid inconsistent.", - "2315": "Smartcard logon is required and was not used.", - "2432": "Not Available.", - "2436": "Random number generator failure.", - "2437": "Random number generation failed FIPS-140 pre-hash check.", - "2438": "Failed to zero secret data.", - "2439": "Key failed pair wise consistency check.", - "2448": "Failed to unprotect persistent cryptographic key.", - "2449": "Key export checks failed.", - "2450": "Validation of public key failed.", - "2451": "Signature verification failed.", - "2456": "Open key file.", - "2457": "Delete key file.", - "2458": "Read persisted key from file.", - "2459": "Write persisted key to file.", - "2464": "Export of persistent cryptographic key.", - "2465": "Import of persistent cryptographic key.", - "2480": "Open Key.", - "2481": "Create Key.", - "2482": "Delete Key.", - "2483": "Encrypt.", - "2484": "Decrypt.", - "2485": "Sign hash.", - "2486": "Secret agreement.", - "2487": "Domain settings", - "2488": "Local settings", - "2489": "Add provider.", - "2490": "Remove provider.", - "2491": "Add context.", - "2492": "Remove context.", - "2493": "Add function.", - "2494": "Remove function.", - "2495": "Add function provider.", - "2496": "Remove function provider.", - "2497": "Add function property.", - "2498": "Remove function property.", - "2499": "Machine key.", - "2500": "User key.", - "2501": "Key Derivation.", - "4352": "Device Access Bit 0", - "4353": "Device Access Bit 1", - "4354": "Device Access Bit 2", - "4355": "Device Access Bit 3", - "4356": "Device Access Bit 4", - "4357": "Device Access Bit 5", - 
"4358": "Device Access Bit 6", - "4359": "Device Access Bit 7", - "4360": "Device Access Bit 8", - "4361": "Undefined Access (no effect) Bit 9", - "4362": "Undefined Access (no effect) Bit 10", - "4363": "Undefined Access (no effect) Bit 11", - "4364": "Undefined Access (no effect) Bit 12", - "4365": "Undefined Access (no effect) Bit 13", - "4366": "Undefined Access (no effect) Bit 14", - "4367": "Undefined Access (no effect) Bit 15", - "4368": "Query directory", - "4369": "Traverse", - "4370": "Create object in directory", - "4371": "Create sub-directory", - "4372": "Undefined Access (no effect) Bit 4", - "4373": "Undefined Access (no effect) Bit 5", - "4374": "Undefined Access (no effect) Bit 6", - "4375": "Undefined Access (no effect) Bit 7", - "4376": "Undefined Access (no effect) Bit 8", - "4377": "Undefined Access (no effect) Bit 9", - "4378": "Undefined Access (no effect) Bit 10", - "4379": "Undefined Access (no effect) Bit 11", - "4380": "Undefined Access (no effect) Bit 12", - "4381": "Undefined Access (no effect) Bit 13", - "4382": "Undefined Access (no effect) Bit 14", - "4383": "Undefined Access (no effect) Bit 15", - "4384": "Query event state", - "4385": "Modify event state", - "4386": "Undefined Access (no effect) Bit 2", - "4387": "Undefined Access (no effect) Bit 3", - "4388": "Undefined Access (no effect) Bit 4", - "4389": "Undefined Access (no effect) Bit 5", - "4390": "Undefined Access (no effect) Bit 6", - "4391": "Undefined Access (no effect) Bit 7", - "4392": "Undefined Access (no effect) Bit 8", - "4393": "Undefined Access (no effect) Bit 9", - "4394": "Undefined Access (no effect) Bit 10", - "4395": "Undefined Access (no effect) Bit 11", - "4396": "Undefined Access (no effect) Bit 12", - "4397": "Undefined Access (no effect) Bit 13", - "4398": "Undefined Access (no effect) Bit 14", - "4399": "Undefined Access (no effect) Bit 15", - "4416": "ReadData (or ListDirectory)", - "4417": "WriteData (or AddFile)", - "4418": "AppendData (or 
AddSubdirectory or CreatePipeInstance)", - "4419": "ReadEA", - "4420": "WriteEA", - "4421": "Execute/Traverse", - "4422": "DeleteChild", - "4423": "ReadAttributes", - "4424": "WriteAttributes", - "4425": "Undefined Access (no effect) Bit 9", - "4426": "Undefined Access (no effect) Bit 10", - "4427": "Undefined Access (no effect) Bit 11", - "4428": "Undefined Access (no effect) Bit 12", - "4429": "Undefined Access (no effect) Bit 13", - "4430": "Undefined Access (no effect) Bit 14", - "4431": "Undefined Access (no effect) Bit 15", - "4432": "Query key value", - "4433": "Set key value", - "4434": "Create sub-key", - "4435": "Enumerate sub-keys", - "4436": "Notify about changes to keys", - "4437": "Create Link", - "4438": "Undefined Access (no effect) Bit 6", - "4439": "Undefined Access (no effect) Bit 7", - "4440": "Enable 64(or 32) bit application to open 64 bit key", - "4441": "Enable 64(or 32) bit application to open 32 bit key", - "4442": "Undefined Access (no effect) Bit 10", - "4443": "Undefined Access (no effect) Bit 11", - "4444": "Undefined Access (no effect) Bit 12", - "4445": "Undefined Access (no effect) Bit 13", - "4446": "Undefined Access (no effect) Bit 14", - "4447": "Undefined Access (no effect) Bit 15", - "4448": "Query mutant state", - "4449": "Undefined Access (no effect) Bit 1", - "4450": "Undefined Access (no effect) Bit 2", - "4451": "Undefined Access (no effect) Bit 3", - "4452": "Undefined Access (no effect) Bit 4", - "4453": "Undefined Access (no effect) Bit 5", - "4454": "Undefined Access (no effect) Bit 6", - "4455": "Undefined Access (no effect) Bit 7", - "4456": "Undefined Access (no effect) Bit 8", - "4457": "Undefined Access (no effect) Bit 9", - "4458": "Undefined Access (no effect) Bit 10", - "4459": "Undefined Access (no effect) Bit 11", - "4460": "Undefined Access (no effect) Bit 12", - "4461": "Undefined Access (no effect) Bit 13", - "4462": "Undefined Access (no effect) Bit 14", - "4463": "Undefined Access (no effect) Bit 15", - 
"4464": "Communicate using port", - "4465": "Undefined Access (no effect) Bit 1", - "4466": "Undefined Access (no effect) Bit 2", - "4467": "Undefined Access (no effect) Bit 3", - "4468": "Undefined Access (no effect) Bit 4", - "4469": "Undefined Access (no effect) Bit 5", - "4470": "Undefined Access (no effect) Bit 6", - "4471": "Undefined Access (no effect) Bit 7", - "4472": "Undefined Access (no effect) Bit 8", - "4473": "Undefined Access (no effect) Bit 9", - "4474": "Undefined Access (no effect) Bit 10", - "4475": "Undefined Access (no effect) Bit 11", - "4476": "Undefined Access (no effect) Bit 12", - "4477": "Undefined Access (no effect) Bit 13", - "4478": "Undefined Access (no effect) Bit 14", - "4479": "Undefined Access (no effect) Bit 15", - "4480": "Force process termination", - "4481": "Create new thread in process", - "4482": "Set process session ID", - "4483": "Perform virtual memory operation", - "4484": "Read from process memory", - "4485": "Write to process memory", - "4486": "Duplicate handle into or out of process", - "4487": "Create a subprocess of process", - "4488": "Set process quotas", - "4489": "Set process information", - "4490": "Query process information", - "4491": "Set process termination port", - "4492": "Undefined Access (no effect) Bit 12", - "4493": "Undefined Access (no effect) Bit 13", - "4494": "Undefined Access (no effect) Bit 14", - "4495": "Undefined Access (no effect) Bit 15", - "4496": "Control profile", - "4497": "Undefined Access (no effect) Bit 1", - "4498": "Undefined Access (no effect) Bit 2", - "4499": "Undefined Access (no effect) Bit 3", - "4500": "Undefined Access (no effect) Bit 4", - "4501": "Undefined Access (no effect) Bit 5", - "4502": "Undefined Access (no effect) Bit 6", - "4503": "Undefined Access (no effect) Bit 7", - "4504": "Undefined Access (no effect) Bit 8", - "4505": "Undefined Access (no effect) Bit 9", - "4506": "Undefined Access (no effect) Bit 10", - "4507": "Undefined Access (no effect) Bit 11", 
- "4508": "Undefined Access (no effect) Bit 12", - "4509": "Undefined Access (no effect) Bit 13", - "4510": "Undefined Access (no effect) Bit 14", - "4511": "Undefined Access (no effect) Bit 15", - "4512": "Query section state", - "4513": "Map section for write", - "4514": "Map section for read", - "4515": "Map section for execute", - "4516": "Extend size", - "4517": "Undefined Access (no effect) Bit 5", - "4518": "Undefined Access (no effect) Bit 6", - "4519": "Undefined Access (no effect) Bit 7", - "4520": "Undefined Access (no effect) Bit 8", - "4521": "Undefined Access (no effect) Bit 9", - "4522": "Undefined Access (no effect) Bit 10", - "4523": "Undefined Access (no effect) Bit 11", - "4524": "Undefined Access (no effect) Bit 12", - "4525": "Undefined Access (no effect) Bit 13", - "4526": "Undefined Access (no effect) Bit 14", - "4527": "Undefined Access (no effect) Bit 15", - "4528": "Query semaphore state", - "4529": "Modify semaphore state", - "4530": "Undefined Access (no effect) Bit 2", - "4531": "Undefined Access (no effect) Bit 3", - "4532": "Undefined Access (no effect) Bit 4", - "4533": "Undefined Access (no effect) Bit 5", - "4534": "Undefined Access (no effect) Bit 6", - "4535": "Undefined Access (no effect) Bit 7", - "4536": "Undefined Access (no effect) Bit 8", - "4537": "Undefined Access (no effect) Bit 9", - "4538": "Undefined Access (no effect) Bit 10", - "4539": "Undefined Access (no effect) Bit 11", - "4540": "Undefined Access (no effect) Bit 12", - "4541": "Undefined Access (no effect) Bit 13", - "4542": "Undefined Access (no effect) Bit 14", - "4543": "Undefined Access (no effect) Bit 15", - "4544": "Use symbolic link", - "4545": "Undefined Access (no effect) Bit 1", - "4546": "Undefined Access (no effect) Bit 2", - "4547": "Undefined Access (no effect) Bit 3", - "4548": "Undefined Access (no effect) Bit 4", - "4549": "Undefined Access (no effect) Bit 5", - "4550": "Undefined Access (no effect) Bit 6", - "4551": "Undefined Access (no 
effect) Bit 7", - "4552": "Undefined Access (no effect) Bit 8", - "4553": "Undefined Access (no effect) Bit 9", - "4554": "Undefined Access (no effect) Bit 10", - "4555": "Undefined Access (no effect) Bit 11", - "4556": "Undefined Access (no effect) Bit 12", - "4557": "Undefined Access (no effect) Bit 13", - "4558": "Undefined Access (no effect) Bit 14", - "4559": "Undefined Access (no effect) Bit 15", - "4560": "Force thread termination", - "4561": "Suspend or resume thread", - "4562": "Send an alert to thread", - "4563": "Get thread context", - "4564": "Set thread context", - "4565": "Set thread information", - "4566": "Query thread information", - "4567": "Assign a token to the thread", - "4568": "Cause thread to directly impersonate another thread", - "4569": "Directly impersonate this thread", - "4570": "Undefined Access (no effect) Bit 10", - "4571": "Undefined Access (no effect) Bit 11", - "4572": "Undefined Access (no effect) Bit 12", - "4573": "Undefined Access (no effect) Bit 13", - "4574": "Undefined Access (no effect) Bit 14", - "4575": "Undefined Access (no effect) Bit 15", - "4576": "Query timer state", - "4577": "Modify timer state", - "4578": "Undefined Access (no effect) Bit 2", - "4579": "Undefined Access (no effect) Bit 3", - "4580": "Undefined Access (no effect) Bit 4", - "4581": "Undefined Access (no effect) Bit 5", - "4582": "Undefined Access (no effect) Bit 6", - "4584": "Undefined Access (no effect) Bit 8", - "4585": "Undefined Access (no effect) Bit 9", - "4586": "Undefined Access (no effect) Bit 10", - "4587": "Undefined Access (no effect) Bit 11", - "4588": "Undefined Access (no effect) Bit 12", - "4589": "Undefined Access (no effect) Bit 13", - "4590": "Undefined Access (no effect) Bit 14", - "4591": "Undefined Access (no effect) Bit 15", - "4592": "AssignAsPrimary", - "4593": "Duplicate", - "4594": "Impersonate", - "4595": "Query", - "4596": "QuerySource", - "4597": "AdjustPrivileges", - "4598": "AdjustGroups", - "4599": 
"AdjustDefaultDacl", - "4600": "AdjustSessionID", - "4601": "Undefined Access (no effect) Bit 9", - "4602": "Undefined Access (no effect) Bit 10", - "4603": "Undefined Access (no effect) Bit 11", - "4604": "Undefined Access (no effect) Bit 12", - "4605": "Undefined Access (no effect) Bit 13", - "4606": "Undefined Access (no effect) Bit 14", - "4607": "Undefined Access (no effect) Bit 15", - "4608": "Create instance of object type", - "4609": "Undefined Access (no effect) Bit 1", - "4610": "Undefined Access (no effect) Bit 2", - "4611": "Undefined Access (no effect) Bit 3", - "4612": "Undefined Access (no effect) Bit 4", - "4613": "Undefined Access (no effect) Bit 5", - "4614": "Undefined Access (no effect) Bit 6", - "4615": "Undefined Access (no effect) Bit 7", - "4616": "Undefined Access (no effect) Bit 8", - "4617": "Undefined Access (no effect) Bit 9", - "4618": "Undefined Access (no effect) Bit 10", - "4619": "Undefined Access (no effect) Bit 11", - "4620": "Undefined Access (no effect) Bit 12", - "4621": "Undefined Access (no effect) Bit 13", - "4622": "Undefined Access (no effect) Bit 14", - "4623": "Undefined Access (no effect) Bit 15", - "4864": "Query State", - "4865": "Modify State", - "5120": "Channel read message", - "5121": "Channel write message", - "5122": "Channel query information", - "5123": "Channel set information", - "5124": "Undefined Access (no effect) Bit 4", - "5125": "Undefined Access (no effect) Bit 5", - "5126": "Undefined Access (no effect) Bit 6", - "5127": "Undefined Access (no effect) Bit 7", - "5128": "Undefined Access (no effect) Bit 8", - "5129": "Undefined Access (no effect) Bit 9", - "5130": "Undefined Access (no effect) Bit 10", - "5131": "Undefined Access (no effect) Bit 11", - "5132": "Undefined Access (no effect) Bit 12", - "5133": "Undefined Access (no effect) Bit 13", - "5134": "Undefined Access (no effect) Bit 14", - "5135": "Undefined Access (no effect) Bit 15", - "5136": "Assign process", - "5137": "Set Attributes", - 
"5138": "Query Attributes", - "5139": "Terminate Job", - "5140": "Set Security Attributes", - "5141": "Undefined Access (no effect) Bit 5", - "5142": "Undefined Access (no effect) Bit 6", - "5143": "Undefined Access (no effect) Bit 7", - "5144": "Undefined Access (no effect) Bit 8", - "5145": "Undefined Access (no effect) Bit 9", - "5146": "Undefined Access (no effect) Bit 10", - "5147": "Undefined Access (no effect) Bit 11", - "5148": "Undefined Access (no effect) Bit 12", - "5149": "Undefined Access (no effect) Bit 13", - "5150": "Undefined Access (no effect) Bit 14", - "5151": "Undefined Access (no effect) Bit 15", - "5376": "ConnectToServer", - "5377": "ShutdownServer", - "5378": "InitializeServer", - "5379": "CreateDomain", - "5380": "EnumerateDomains", - "5381": "LookupDomain", - "5382": "Undefined Access (no effect) Bit 6", - "5383": "Undefined Access (no effect) Bit 7", - "5384": "Undefined Access (no effect) Bit 8", - "5385": "Undefined Access (no effect) Bit 9", - "5386": "Undefined Access (no effect) Bit 10", - "5387": "Undefined Access (no effect) Bit 11", - "5388": "Undefined Access (no effect) Bit 12", - "5389": "Undefined Access (no effect) Bit 13", - "5390": "Undefined Access (no effect) Bit 14", - "5391": "Undefined Access (no effect) Bit 15", - "5392": "ReadPasswordParameters", - "5393": "WritePasswordParameters", - "5394": "ReadOtherParameters", - "5395": "WriteOtherParameters", - "5396": "CreateUser", - "5397": "CreateGlobalGroup", - "5398": "CreateLocalGroup", - "5399": "GetLocalGroupMembership", - "5400": "ListAccounts", - "5401": "LookupIDs", - "5402": "AdministerServer", - "5403": "Undefined Access (no effect) Bit 11", - "5404": "Undefined Access (no effect) Bit 12", - "5405": "Undefined Access (no effect) Bit 13", - "5406": "Undefined Access (no effect) Bit 14", - "5407": "Undefined Access (no effect) Bit 15", - "5408": "ReadInformation", - "5409": "WriteAccount", - "5410": "AddMember", - "5411": "RemoveMember", - "5412": "ListMembers", - 
"5413": "Undefined Access (no effect) Bit 5", - "5414": "Undefined Access (no effect) Bit 6", - "5415": "Undefined Access (no effect) Bit 7", - "5416": "Undefined Access (no effect) Bit 8", - "5417": "Undefined Access (no effect) Bit 9", - "5418": "Undefined Access (no effect) Bit 10", - "5419": "Undefined Access (no effect) Bit 11", - "5420": "Undefined Access (no effect) Bit 12", - "5421": "Undefined Access (no effect) Bit 13", - "5422": "Undefined Access (no effect) Bit 14", - "5423": "Undefined Access (no effect) Bit 15", - "5424": "AddMember", - "5425": "RemoveMember", - "5426": "ListMembers", - "5427": "ReadInformation", - "5428": "WriteAccount", - "5429": "Undefined Access (no effect) Bit 5", - "5430": "Undefined Access (no effect) Bit 6", - "5431": "Undefined Access (no effect) Bit 7", - "5432": "Undefined Access (no effect) Bit 8", - "5433": "Undefined Access (no effect) Bit 9", - "5434": "Undefined Access (no effect) Bit 10", - "5435": "Undefined Access (no effect) Bit 11", - "5436": "Undefined Access (no effect) Bit 12", - "5437": "Undefined Access (no effect) Bit 13", - "5438": "Undefined Access (no effect) Bit 14", - "5439": "Undefined Access (no effect) Bit 15", - "5440": "ReadGeneralInformation", - "5441": "ReadPreferences", - "5442": "WritePreferences", - "5443": "ReadLogon", - "5444": "ReadAccount", - "5445": "WriteAccount", - "5446": "ChangePassword (with knowledge of old password)", - "5447": "SetPassword (without knowledge of old password)", - "5448": "ListGroups", - "5449": "ReadGroupMembership", - "5450": "ChangeGroupMembership", - "5451": "Undefined Access (no effect) Bit 11", - "5452": "Undefined Access (no effect) Bit 12", - "5453": "Undefined Access (no effect) Bit 13", - "5454": "Undefined Access (no effect) Bit 14", - "5455": "Undefined Access (no effect) Bit 15", - "5632": "View non-sensitive policy information", - "5633": "View system audit requirements", - "5634": "Get sensitive policy information", - "5635": "Modify domain trust 
relationships", - "5636": "Create special accounts (for assignment of user rights)", - "5637": "Create a secret object", - "5638": "Create a privilege", - "5639": "Set default quota limits", - "5640": "Change system audit requirements", - "5641": "Administer audit log attributes", - "5642": "Enable/Disable LSA", - "5643": "Lookup Names/SIDs", - "5648": "Change secret value", - "5649": "Query secret value", - "5650": "Undefined Access (no effect) Bit 2", - "5651": "Undefined Access (no effect) Bit 3", - "5652": "Undefined Access (no effect) Bit 4", - "5653": "Undefined Access (no effect) Bit 5", - "5654": "Undefined Access (no effect) Bit 6", - "5655": "Undefined Access (no effect) Bit 7", - "5656": "Undefined Access (no effect) Bit 8", - "5657": "Undefined Access (no effect) Bit 9", - "5658": "Undefined Access (no effect) Bit 10", - "5659": "Undefined Access (no effect) Bit 11", - "5660": "Undefined Access (no effect) Bit 12", - "5661": "Undefined Access (no effect) Bit 13", - "5662": "Undefined Access (no effect) Bit 14", - "5663": "Undefined Access (no effect) Bit 15", - "5664": "Query trusted domain name/SID", - "5665": "Retrieve the controllers in the trusted domain", - "5666": "Change the controllers in the trusted domain", - "5667": "Query the Posix ID offset assigned to the trusted domain", - "5668": "Change the Posix ID offset assigned to the trusted domain", - "5669": "Undefined Access (no effect) Bit 5", - "5670": "Undefined Access (no effect) Bit 6", - "5671": "Undefined Access (no effect) Bit 7", - "5672": "Undefined Access (no effect) Bit 8", - "5673": "Undefined Access (no effect) Bit 9", - "5674": "Undefined Access (no effect) Bit 10", - "5675": "Undefined Access (no effect) Bit 11", - "5676": "Undefined Access (no effect) Bit 12", - "5677": "Undefined Access (no effect) Bit 13", - "5678": "Undefined Access (no effect) Bit 14", - "5679": "Undefined Access (no effect) Bit 15", - "5680": "Query account information", - "5681": "Change privileges 
assigned to account", - "5682": "Change quotas assigned to account", - "5683": "Change logon capabilities assigned to account", - "5684": "Change the Posix ID offset assigned to the accounted domain", - "5685": "Undefined Access (no effect) Bit 5", - "5686": "Undefined Access (no effect) Bit 6", - "5687": "Undefined Access (no effect) Bit 7", - "5688": "Undefined Access (no effect) Bit 8", - "5689": "Undefined Access (no effect) Bit 9", - "5690": "Undefined Access (no effect) Bit 10", - "5691": "Undefined Access (no effect) Bit 11", - "5692": "Undefined Access (no effect) Bit 12", - "5693": "Undefined Access (no effect) Bit 13", - "5694": "Undefined Access (no effect) Bit 14", - "5695": "Undefined Access (no effect) Bit 15", - "5696": "KeyedEvent Wait", - "5697": "KeyedEvent Wake", - "5698": "Undefined Access (no effect) Bit 2", - "5699": "Undefined Access (no effect) Bit 3", - "5700": "Undefined Access (no effect) Bit 4", - "5701": "Undefined Access (no effect) Bit 5", - "5702": "Undefined Access (no effect) Bit 6", - "5703": "Undefined Access (no effect) Bit 7", - "5704": "Undefined Access (no effect) Bit 8", - "5705": "Undefined Access (no effect) Bit 9", - "5706": "Undefined Access (no effect) Bit 10", - "5707": "Undefined Access (no effect) Bit 11", - "5708": "Undefined Access (no effect) Bit 12", - "5709": "Undefined Access (no effect) Bit 13", - "5710": "Undefined Access (no effect) Bit 14", - "5711": "Undefined Access (no effect) Bit 15", - "6656": "Enumerate desktops", - "6657": "Read attributes", - "6658": "Access Clipboard", - "6659": "Create desktop", - "6660": "Write attributes", - "6661": "Access global atoms", - "6662": "Exit windows", - "6663": "Unused Access Flag", - "6664": "Include this windowstation in enumerations", - "6665": "Read screen", - "6672": "Read Objects", - "6673": "Create window", - "6674": "Create menu", - "6675": "Hook control", - "6676": "Journal (record)", - "6677": "Journal (playback)", - "6678": "Include this desktop in 
enumerations", - "6679": "Write objects", - "6680": "Switch to this desktop", - "6912": "Administer print server", - "6913": "Enumerate printers", - "6930": "Full Control", - "6931": "Print", - "6948": "Administer Document", - "7168": "Connect to service controller", - "7169": "Create a new service", - "7170": "Enumerate services", - "7171": "Lock service database for exclusive access", - "7172": "Query service database lock state", - "7173": "Set last-known-good state of service database", - "7184": "Query service configuration information", - "7185": "Set service configuration information", - "7186": "Query status of service", - "7187": "Enumerate dependencies of service", - "7188": "Start the service", - "7189": "Stop the service", - "7190": "Pause or continue the service", - "7191": "Query information from service", - "7192": "Issue service-specific control commands", - "7424": "DDE Share Read", - "7425": "DDE Share Write", - "7426": "DDE Share Initiate Static", - "7427": "DDE Share Initiate Link", - "7428": "DDE Share Request", - "7429": "DDE Share Advise", - "7430": "DDE Share Poke", - "7431": "DDE Share Execute", - "7432": "DDE Share Add Items", - "7433": "DDE Share List Items", - "7680": "Create Child", - "7681": "Delete Child", - "7682": "List Contents", - "7683": "Write Self", - "7684": "Read Property", - "7685": "Write Property", - "7686": "Delete Tree", - "7687": "List Object", - "7688": "Control Access", - "7689": "Undefined Access (no effect) Bit 9", - "7690": "Undefined Access (no effect) Bit 10", - "7691": "Undefined Access (no effect) Bit 11", - "7692": "Undefined Access (no effect) Bit 12", - "7693": "Undefined Access (no effect) Bit 13", - "7694": "Undefined Access (no effect) Bit 14", - "7695": "Undefined Access (no effect) Bit 15", - "7936": "Audit Set System Policy", - "7937": "Audit Query System Policy", - "7938": "Audit Set Per User Policy", - "7939": "Audit Query Per User Policy", - "7940": "Audit Enumerate Users", - "7941": "Audit Set 
Options", - "7942": "Audit Query Options", - "8064": "Port sharing (read)", - "8065": "Port sharing (write)", - "8096": "Default credentials", - "8097": "Credentials manager", - "8098": "Fresh credentials", - "8192": "Kerberos", - "8193": "Preshared key", - "8194": "Unknown authentication", - "8195": "DES", - "8196": "3DES", - "8197": "MD5", - "8198": "SHA1", - "8199": "Local computer", - "8200": "Remote computer", - "8201": "No state", - "8202": "Sent first (SA) payload", - "8203": "Sent second (KE) payload", - "8204": "Sent third (ID) payload", - "8205": "Initiator", - "8206": "Responder", - "8207": "No state", - "8208": "Sent first (SA) payload", - "8209": "Sent final payload", - "8210": "Complete", - "8211": "Unknown", - "8212": "Transport", - "8213": "Tunnel", - "8214": "IKE/AuthIP DoS prevention mode started", - "8215": "IKE/AuthIP DoS prevention mode stopped", - "8216": "Enabled", - "8217": "Not enabled", - "8218": "No state", - "8219": "Sent first (EM attributes) payload", - "8220": "Sent second (SSPI) payload", - "8221": "Sent third (hash) payload", - "8222": "IKEv1", - "8223": "AuthIP", - "8224": "Anonymous", - "8225": "NTLM V2", - "8226": "CGA", - "8227": "Certificate", - "8228": "SSL", - "8229": "None", - "8230": "DH group 1", - "8231": "DH group 2", - "8232": "DH group 14", - "8233": "DH group ECP 256", - "8234": "DH group ECP 384", - "8235": "AES-128", - "8236": "AES-192", - "8237": "AES-256", - "8238": "Certificate ECDSA P256", - "8239": "Certificate ECDSA P384", - "8240": "SSL ECDSA P256", - "8241": "SSL ECDSA P384", - "8242": "SHA 256", - "8243": "SHA 384", - "8244": "IKEv2", - "8245": "EAP payload sent", - "8246": "Authentication payload sent", - "8247": "EAP", - "8248": "DH group 24", - "8272": "System", - "8273": "Logon/Logoff", - "8274": "Object Access", - "8275": "Privilege Use", - "8276": "Detailed Tracking", - "8277": "Policy Change", - "8278": "Account Management", - "8279": "DS Access", - "8280": "Account Logon", - "8448": "Success 
removed", - "8449": "Success Added", - "8450": "Failure removed", - "8451": "Failure Added", - "8452": "Success include removed", - "8453": "Success include added", - "8454": "Success exclude removed", - "8455": "Success exclude added", - "8456": "Failure include removed", - "8457": "Failure include added", - "8458": "Failure exclude removed", - "8459": "Failure exclude added", - "12288": "Security State Change", - "12289": "Security System Extension", - "12290": "System Integrity", - "12291": "IPsec Driver", - "12292": "Other System Events", - "12544": "Logon", - "12545": "Logoff", - "12546": "Account Lockout", - "12547": "IPsec Main Mode", - "12548": "Special Logon", - "12549": "IPsec Quick Mode", - "12550": "IPsec Extended Mode", - "12551": "Other Logon/Logoff Events", - "12552": "Network Policy Server", - "12553": "User / Device Claims", - "12554": "Group Membership", - "12800": "File System", - "12801": "Registry", - "12802": "Kernel Object", - "12803": "SAM", - "12804": "Other Object Access Events", - "12805": "Certification Services", - "12806": "Application Generated", - "12807": "Handle Manipulation", - "12808": "File Share", - "12809": "Filtering Platform Packet Drop", - "12810": "Filtering Platform Connection", - "12811": "Detailed File Share", - "12812": "Removable Storage", - "12813": "Central Policy Staging", - "13056": "Sensitive Privilege Use", - "13057": "Non Sensitive Privilege Use", - "13058": "Other Privilege Use Events", - "13312": "Process Creation", - "13313": "Process Termination", - "13314": "DPAPI Activity", - "13315": "RPC Events", - "13316": "Plug and Play Events", - "13317": "Token Right Adjusted Events", - "13568": "Audit Policy Change", - "13569": "Authentication Policy Change", - "13570": "Authorization Policy Change", - "13571": "MPSSVC Rule-Level Policy Change", - "13572": "Filtering Platform Policy Change", - "13573": "Other Policy Change Events", - "13824": "User Account Management", - "13825": "Computer Account Management", - 
"13826": "Security Group Management", - "13827": "Distribution Group Management", - "13828": "Application Group Management", - "13829": "Other Account Management Events", - "14080": "Directory Service Access", - "14081": "Directory Service Changes", - "14082": "Directory Service Replication", - "14083": "Detailed Directory Service Replication", - "14336": "Credential Validation", - "14337": "Kerberos Service Ticket Operations", - "14338": "Other Account Logon Events", - "14339": "Kerberos Authentication Service", - "14592": "Inbound", - "14593": "Outbound", - "14594": "Forward", - "14595": "Bidirectional", - "14596": "IP Packet", - "14597": "Transport", - "14598": "Forward", - "14599": "Stream", - "14600": "Datagram Data", - "14601": "ICMP Error", - "14602": "MAC 802.3", - "14603": "MAC Native", - "14604": "vSwitch", - "14608": "Resource Assignment", - "14609": "Listen", - "14610": "Receive/Accept", - "14611": "Connect", - "14612": "Flow Established", - "14614": "Resource Release", - "14615": "Endpoint Closure", - "14616": "Connect Redirect", - "14617": "Bind Redirect", - "14624": "Stream Packet", - "14640": "ICMP Echo-Request", - "14641": "vSwitch Ingress", - "14642": "vSwitch Egress", - "14672": "", - "14673": "[NULL]", - "14674": "Value Added", - "14675": "Value Deleted", - "14676": "Active Directory Domain Services", - "14677": "Active Directory Lightweight Directory Services", - "14678": "Yes", - "14679": "No", - "14680": "Value Added With Expiration Time", - "14681": "Value Deleted With Expiration Time", - "14688": "Value Auto Deleted With Expiration Time", - "16384": "Add", - "16385": "Delete", - "16386": "Boot-time", - "16387": "Persistent", - "16388": "Not persistent", - "16389": "Block", - "16390": "Permit", - "16391": "Callout", - "16392": "MD5", - "16393": "SHA-1", - "16394": "SHA-256", - "16395": "AES-GCM 128", - "16396": "AES-GCM 192", - "16397": "AES-GCM 256", - "16398": "DES", - "16399": "3DES", - "16400": "AES-128", - "16401": "AES-192", - "16402": 
"AES-256", - "16403": "Transport", - "16404": "Tunnel", - "16405": "Responder", - "16406": "Initiator", - "16407": "AES-GMAC 128", - "16408": "AES-GMAC 192", - "16409": "AES-GMAC 256", - "16416": "AuthNoEncap Transport", - "16896": "Enable WMI Account", - "16897": "Execute Method", - "16898": "Full Write", - "16899": "Partial Write", - "16900": "Provider Write", - "16901": "Remote Access", - "16902": "Subscribe", - "16903": "Publish", - }; - // Trust Types - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706 - var trustTypes = { - "1": "TRUST_TYPE_DOWNLEVEL", - "2": "TRUST_TYPE_UPLEVEL", - "3": "TRUST_TYPE_MIT", - "4": "TRUST_TYPE_DCE" - } - // Trust Direction - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706 - var trustDirection = { - "0": "TRUST_DIRECTION_DISABLED", - "1": "TRUST_DIRECTION_INBOUND", - "2": "TRUST_DIRECTION_OUTBOUND", - "3": "TRUST_DIRECTION_BIDIRECTIONAL" - } - // Trust Attributes - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706 - var trustAttributes = { - "0": "UNDEFINED", - "1": "TRUST_ATTRIBUTE_NON_TRANSITIVE", - "2": "TRUST_ATTRIBUTE_UPLEVEL_ONLY", - "4": "TRUST_ATTRIBUTE_QUARANTINED_DOMAIN", - "8": "TRUST_ATTRIBUTE_FOREST_TRANSITIVE", - "16": "TRUST_ATTRIBUTE_CROSS_ORGANIZATION", - "32": "TRUST_ATTRIBUTE_WITHIN_FOREST", - "64": "TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL", - "128": "TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION", - "512": "TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION", - "1024": "TRUST_ATTRIBUTE_PIM_TRUST" - } - // SDDL Ace Types - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4715 - // https://docs.microsoft.com/en-us/windows/win32/secauthz/ace-strings - // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/f4296d69-1c0f-491f-9587-a960b292d070 - var aceTypes = { - "A": "Access Allowed", - "D": "Access Denied", - "OA": "Object Access Allowed", - "OD": 
"Object Access Denied", - "AU": "System Audit", - "AL": "System Alarm", - "OU": "System Object Audit", - "OL": "System Object Alarm", - "ML": "System Mandatory Label", - "SP": "Central Policy ID" - } - // SDDL Permissions - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4715 - // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/f4296d69-1c0f-491f-9587-a960b292d070 - var permissionDescription = { - "GA": "Generic All", - "GR": "Generic Read", - "GW": "Generic Write", - "GX": "Generic Execute", - "RC": "Read Permissions", - "SD": "Delete", - "WD": "Modify Permissions", - "WO": "Modify Owner", - "RP": "Read All Properties", - "WP": "Write All Properties", - "CC": "Create All Child Objects", - "DC": "Delete All Child Objects", - "LC": "List Contents", - "SW": "All Validated", - "LO": "List Object", - "DT": "Delete Subtree", - "CR": "All Extended Rights", - "FA": "File All Access", - "FR": "File Generic Read", - "FX": "FILE GENERIC EXECUTE", - "FW": "FILE GENERIC WRITE", - "KA": "KEY ALL ACCESS", - "KR": "KEY READ", - "KW": "KEY WRITE", - "KX": "KEY EXECUTE" - } - // Known SIDs - // https://support.microsoft.com/en-au/help/243330/well-known-security-identifier"S-in-window"S-operating-systems - // https://docs.microsoft.com/en-us/windows/win32/secauthz/sid-strings - var accountSIDDescription = { - "AO": "Account operators", - "RU": "Alias to allow previous Windows 2000", - "AN": "Anonymous logon", - "AU": "Authenticated users", - "BA": "Built-in administrators", - "BG": "Built-in guests", - "BO": "Backup operators", - "BU": "Built-in users", - "CA": "Certificate server administrators", - "CG": "Creator group", - "CO": "Creator owner", - "DA": "Domain administrators", - "DC": "Domain computers", - "DD": "Domain controllers", - "DG": "Domain guests", - "DU": "Domain users", - "EA": "Enterprise administrators", - "ED": "Enterprise domain controllers", - "WD": "Everyone", - "PA": "Group Policy administrators", - 
"IU": "Interactively logged-on user", - "LA": "Local administrator", - "LG": "Local guest", - "LS": "Local service account", - "SY": "Local system", - "NU": "Network logon user", - "NO": "Network configuration operators", - "NS": "Network service account", - "PO": "Printer operators", - "PS": "Personal self", - "PU": "Power users", - "RS": "RAS servers group", - "RD": "Terminal server users", - "RE": "Replicator", - "RC": "Restricted code", - "SA": "Schema administrators", - "SO": "Server operators", - "SU": "Service logon user", - "S-1-0": "Null Authority", - "S-1-0-0": "Nobody", - "S-1-1": "World Authority", - "S-1-1-0": "Everyone", - "S-1-16-0": "Untrusted Mandatory Level", - "S-1-16-12288": "High Mandatory Level", - "S-1-16-16384": "System Mandatory Level", - "S-1-16-20480": "Protected Process Mandatory Level", - "S-1-16-28672": "Secure Process Mandatory Level", - "S-1-16-4096": "Low Mandatory Level", - "S-1-16-8192": "Medium Mandatory Level", - "S-1-16-8448": "Medium Plus Mandatory Level", - "S-1-2": "Local Authority", - "S-1-2-0": "Local", - "S-1-2-1": "Console Logon", - "S-1-3": "Creator Authority", - "S-1-3-0": "Creator Owner", - "S-1-3-1": "Creator Group", - "S-1-3-2": "Creator Owner Server", - "S-1-3-3": "Creator Group Server", - "S-1-3-4": "Owner Rights", - "S-1-4": "Non-unique Authority", - "S-1-5": "NT Authority", - "S-1-5-1": "Dialup", - "S-1-5-10": "Principal Self", - "S-1-5-11": "Authenticated Users", - "S-1-5-12": "Restricted Code", - "S-1-5-13": "Terminal Server Users", - "S-1-5-14": "Remote Interactive Logon", - "S-1-5-15": "This Organization", - "S-1-5-17": "This Organization", - "S-1-5-18": "Local System", - "S-1-5-19": "NT Authority", - "S-1-5-2": "Network", - "S-1-5-20": "NT Authority", - "S-1-5-3": "Batch", - "S-1-5-32-544": "Administrators", - "S-1-5-32-545": "Users", - "S-1-5-32-546": "Guests", - "S-1-5-32-547": "Power Users", - "S-1-5-32-548": "Account Operators", - "S-1-5-32-549": "Server Operators", - "S-1-5-32-550": "Print Operators", 
- "S-1-5-32-551": "Backup Operators", - "S-1-5-32-552": "Replicators", - "S-1-5-32-554": "Builtin\Pre-Windows 2000 Compatible Access", - "S-1-5-32-555": "Builtin\Remote Desktop Users", - "S-1-5-32-556": "Builtin\Network Configuration Operators", - "S-1-5-32-557": "Builtin\Incoming Forest Trust Builders", - "S-1-5-32-558": "Builtin\Performance Monitor Users", - "S-1-5-32-559": "Builtin\Performance Log Users", - "S-1-5-32-560": "Builtin\Windows Authorization Access Group", - "S-1-5-32-561": "Builtin\Terminal Server License Servers", - "S-1-5-32-562": "Builtin\Distributed COM Users", - "S-1-5-32-569": "Builtin\Cryptographic Operators", - "S-1-5-32-573": "Builtin\Event Log Readers", - "S-1-5-32-574": "Builtin\Certificate Service DCOM Access", - "S-1-5-32-575": "Builtin\RDS Remote Access Servers", - "S-1-5-32-576": "Builtin\RDS Endpoint Servers", - "S-1-5-32-577": "Builtin\RDS Management Servers", - "S-1-5-32-578": "Builtin\Hyper-V Administrators", - "S-1-5-32-579": "Builtin\Access Control Assistance Operators", - "S-1-5-32-580": "Builtin\Remote Management Users", - "S-1-5-32-582": "Storage Replica Administrators", - "S-1-5-4": "Interactive", - "S-1-5-5-X-Y": "Logon Session", - "S-1-5-6": "Service", - "S-1-5-64-10": "NTLM Authentication", - "S-1-5-64-14": "SChannel Authentication", - "S-1-5-64-21": "Digest Authentication", - "S-1-5-7": "Anonymous", - "S-1-5-8": "Proxy", - "S-1-5-80": "NT Service", - "S-1-5-80-0": "All Services", - "S-1-5-83-0": "NT Virtual Machine\Virtual Machines", - "S-1-5-9": "Enterprise Domain Controllers", - "S-1-5-90-0": "Windows Manager\Windows Manager Group" - } - // Domain-specific SIDs - // https://support.microsoft.com/en-au/help/243330/well-known-security-identifiers-in-windows-operating-systems - var domainSpecificSID = { - "498": "Enterprise Read-only Domain Controllers", - "500": "Administrator", - "501": "Guest", - "502": "KRBTGT", - "512": "Domain Admins", - "513": "Domain Users", - "514": "Domain Guests", - "515": "Domain Computers", - 
"516": "Domain Controllers", - "517": "Cert Publishers", - "518": "Schema Admins", - "519": "Enterprise Admins", - "520": "Group Policy Creator Owners", - "521": "Read-only Domain Controllers", - "522": "Cloneable Domain Controllers", - "526": "Key Admins", - "527": "Enterprise Key Admins", - "553": "RAS and IAS Servers", - "571": "Allowed RODC Password Replication Group", - "572": "Denied RODC Password Replication Group" - } - // Object Permission Flags - // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/7a53f60e-e730-4dfe-bbe9-b21b62eb790b - var permsFlags = [ - [0x80000000, 'Generic Read'], - [0x4000000, 'Generic Write'], - [0x20000000, 'Generic Execute'], - [0x10000000, 'Generic All'], - [0x02000000, 'Maximun Allowed'], - [0x01000000, 'Access System Security'], - [0x00100000, 'Syncronize'], - [0x00080000, 'Write Owner'], - [0x00040000, 'Write DACL'], - [0x00020000, 'Read Control'], - [0x00010000, 'Delete'] - ]; - // lookupMessageCode returns the string associated with the code. key should - // be the name of the field in evt containing the code (e.g. %%2313). 
- var lookupMessageCode = function (evt, key) { - var code = evt.Get(key); - if (!code) { - return; - } - code = code.replace("%%", ""); - return msobjsMessageTable[code]; - }; - var addEventFields = function(evt){ - var code = evt.Get("event.code"); - if (!code) { - return; - } - var eventActionDescription = eventActionTypes[code][2]; - if (eventActionDescription) { - evt.AppendTo("event.category", eventActionTypes[code][0]); - evt.AppendTo("event.type", eventActionTypes[code][1]); - evt.Put("event.action", eventActionTypes[code][2]); - } - }; - var addLogonType = function(evt) { - var code = evt.Get("winlog.event_data.LogonType"); - if (!code) { - return; - } - var descriptiveLogonType = logonTypes[code]; - if (descriptiveLogonType === undefined) { - return; - } - evt.Put("winlog.logon.type", descriptiveLogonType); - }; - var addFailureCode = function(evt) { - var msg = lookupMessageCode(evt, "winlog.event_data.FailureReason"); - if (!msg) { - return; - } - evt.Put("winlog.logon.failure.reason", msg); - }; - var addFailureStatus = function(evt) { - var code = evt.Get("winlog.event_data.Status"); - if (!code) { - return; - } - var descriptiveFailureStatus = logonFailureStatus[code]; - if (descriptiveFailureStatus === undefined) { - return; - } - evt.Put("winlog.logon.failure.status", descriptiveFailureStatus); - }; - var addFailureSubStatus = function(evt) { - var code = evt.Get("winlog.event_data.SubStatus"); - if (!code) { - return; - } - var descriptiveFailureStatus = logonFailureStatus[code]; - if (descriptiveFailureStatus === undefined) { - return; - } - evt.Put("winlog.logon.failure.sub_status", descriptiveFailureStatus); - }; - var addUACDescription = function(evt) { - var code = evt.Get("winlog.event_data.NewUacValue"); - if (!code) { - return; - } - var uacCode = parseInt(code); - var uacResult = []; - for (var i = 0; i < uacFlags.length; i++) { - if ((uacCode | uacFlags[i][0]) === uacCode) { - uacResult.push(uacFlags[i][1]); - } - } - if (uacResult) { - 
evt.Put("winlog.event_data.NewUACList", uacResult); - } - var uacList = evt.Get("winlog.event_data.UserAccountControl").replace(/\s/g, '').split("%%").filter(String); - if (!uacList) { - return; - } - evt.Put("winlog.event_data.UserAccountControl", uacList); - }; - var addAuditInfo = function(evt) { - var subcategoryGuid = evt.Get("winlog.event_data.SubcategoryGuid").replace("{", '').replace("}", '').toUpperCase(); - if (!subcategoryGuid) { - return; - } - if (!auditDescription[subcategoryGuid]) { - return; - } - evt.Put("winlog.event_data.Category", auditDescription[subcategoryGuid][1]); - evt.Put("winlog.event_data.SubCategory", auditDescription[subcategoryGuid][0]); - var codedActions = evt.Get("winlog.event_data.AuditPolicyChanges").split(","); - var actionResults = []; - for (var j = 0; j < codedActions.length; j++) { - var actionCode = codedActions[j].replace("%%", '').replace(' ', ''); - actionResults.push(msobjsMessageTable[actionCode]); - } - evt.Put("winlog.event_data.AuditPolicyChangesDescription", actionResults); - }; - var addTicketOptionsDescription = function(evt) { - var code = evt.Get("winlog.event_data.TicketOptions"); - if (!code) { - return; - } - var tktCode = parseInt(code, 16).toString(2); - var tktResult = []; - var tktCodeLen = tktCode.length; - for (var i = tktCodeLen; i >= 0; i--) { - if (tktCode[i] == 1) { - tktResult.push(ticketOptions[(32-tktCodeLen)+i]); - } - } - if (tktResult) { - evt.Put("winlog.event_data.TicketOptionsDescription", tktResult); - } - }; - var addTicketEncryptionType = function(evt) { - var code = evt.Get("winlog.event_data.TicketEncryptionType"); - if (!code) { - return; - } - var encTypeCode = code.toLowerCase(); - evt.Put("winlog.event_data.TicketEncryptionTypeDescription", ticketEncryptionTypes[encTypeCode]); - }; - var addTicketStatus = function(evt) { - var code = evt.Get("winlog.event_data.Status"); - if (!code) { - return; - } - evt.Put("winlog.event_data.StatusDescription", kerberosTktStatusCodes[code]); - 
}; - var translateSID = function(sid){ - var translatedSID = accountSIDDescription[sid]; - if (translatedSID == undefined) { - if (/^S\-1\-5\-21/.test(sid)) { - var uid = sid.match(/[0-9]{1,5}$/g); - if (uid) { - translatedSID = domainSpecificSID[uid]; - } - } - } - if (translatedSID == undefined) { - translatedSID = sid; - } - return translatedSID; - } - var translatePermissionMask = function(mask) { - if (!mask) { - return; - } - var permCode = parseInt(mask); - var permResult = []; - for (var i = 0; i < permsFlags.length; i++) { - if ((permCode | permsFlags[i][0]) === permCode) { - permResult.push(permsFlags[i][1]); - } - } - if (permResult) { - return permResult; - } else { - return mask; - } - }; - var translateACL = function(dacl) { - var aceArray = dacl.split(";"); - var aceResult = []; - var aceType = aceArray[0]; - var acePerm = aceArray[2]; - var aceTrustedSid = aceArray[5]; - if (aceTrustedSid) { - aceResult['grantee'] = translateSID(aceTrustedSid); - } - if (aceType) { - aceResult['type'] = aceTypes[aceType]; - } - if (acePerm) { - if (/^0x/.test(acePerm)) { - var perms = translatePermissionMask(acePerm); - } - else { - var perms = [] - var permPairs = acePerm.match(/.{1,2}/g); - for ( var i = 0; i < permPairs.length; i ++) { - perms.push(permissionDescription[permPairs[i]]) - } - } - aceResult['perms'] = perms; - } - return aceResult; - }; - var enrichSDDL = function(evt, sddl) { - var sddlStr = evt.Get(sddl); - if (!sddlStr) { - return; - } - var sdOwner = sddlStr.match(/^O\:[A-Z]{2}/g); - var sdGroup = sddlStr.match(/^G\:[A-Z]{2}/g); - var sdDacl = sddlStr.match(/(D:([A-Z]*(\(.*\))*))/g); - var sdSacl = sddlStr.match(/(S:([A-Z]*(\(.*\))*))?$/g); - if (sdOwner) { - evt.Put(sddl+"Owner", translateSID(sdOwner)); - } - if (sdGroup) { - evt.Put(sddl+"Group", translateSID(sdGroup)); - } - if (sdDacl) { - // Split each entry of the DACL - var daclList = (sdDacl[0]).match(/\([^*\)]*\)/g); - if (daclList) { - for (var i = 0; i < daclList.length; i++) { - var 
newDacl = translateACL(daclList[i].replace("(", '').replace(")", '')); - evt.Put(sddl+"Dacl"+i, newDacl['grantee']+" :"+newDacl['type']+" ("+newDacl['perms']+")"); - if ( newDacl['grantee'] === "Administrator" || newDacl['grantee'] === "Guest" || newDacl['grantee'] === "KRBTGT" ) { - evt.AppendTo('related.user', newDacl['grantee']); - } - } - } - } - if (sdSacl) { - // Split each entry of the SACL - var saclList = (sdSacl[0]).match(/\([^*\)]*\)/g); - if (saclList) { - for (var i = 0; i < saclList.length; i++) { - var newSacl = translateACL(saclList[i].replace("(", '').replace(")", '')); - evt.Put(sddl+"Sacl"+i, newSacl['grantee']+" :"+newSacl['type']+" ("+newSacl['perms']+")"); - if ( newSacl['grantee'] === "Administrator" || newSacl['grantee'] === "Guest" || newSacl['grantee'] === "KRBTGT" ) { - evt.AppendTo('related.user', newSacl['grantee']); - } - } - } - } - }; - - var addSessionData = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.AccountName", to: "user.name"}, - {from: "winlog.event_data.AccountDomain", to: "user.domain"}, - {from: "winlog.event_data.ClientAddress", to: "source.ip", type: "ip"}, - {from: "winlog.event_data.ClientAddress", to: "related.ip", type: "ip"}, - {from: "winlog.event_data.ClientName", to: "source.domain"}, - {from: "winlog.event_data.LogonID", to: "winlog.logon.id"}, - ], - ignore_missing: true, - fail_on_error: false, - }) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.AccountName"); - evt.AppendTo('related.user', user); - }) - .Build(); - var addServiceFields = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.ServiceName", to: "service.name"}, - ], - ignore_missing: true, - }) - .Add(function(evt) { - var code = evt.Get("winlog.event_data.ServiceType"); - if (!code) { - return; - } - evt.Put("service.type", serviceTypes[code]); - }) - .Build(); - var addTrustInformation = new processor.Chain() - .Add(function(evt) { - var code = 
evt.Get("winlog.event_data.TdoType"); - if (!code) { - return; - } - evt.Put("winlog.trustType", trustTypes[code]); - code = evt.Get("winlog.event_data.TdoDirection"); - if (!code) { - return; - } - evt.Put("winlog.trustDirection", trustDirection[code]); - code = evt.Get("winlog.event_data.TdoAttributes"); - if (!code) { - return; - } - evt.Put("winlog.trustAttribute", trustAttributes[code]); - - }) - .Build(); - - var copyTargetUser = function(evt) { - var targetUserId = evt.Get("winlog.event_data.TargetUserSid"); - if (targetUserId) { - if (evt.Get("user.id")) evt.Put("user.target.id", targetUserId); - else evt.Put("user.id", targetUserId); - } - - var targetUserName = evt.Get("winlog.event_data.TargetUserName"); - if (targetUserName) { - if (/.@*/.test(targetUserName)) { - targetUserName = targetUserName.split('@')[0]; - } - - evt.AppendTo("related.user", targetUserName); - if (evt.Get("user.name")) evt.Put("user.target.name", targetUserName); - else evt.Put("user.name", targetUserName); - } - - var targetUserDomain = evt.Get("winlog.event_data.TargetDomainName"); - if (targetUserDomain) { - if (evt.Get("user.domain")) evt.Put("user.target.domain", targetUserDomain); - else evt.Put("user.domain", targetUserDomain); - } - } - - var copyMemberToUser = function(evt) { - var member = evt.Get("winlog.event_data.MemberName"); - if (!member) { - return; - } - - var userName = member.split(',')[0].replace('CN=', '').replace('cn=', ''); - - evt.AppendTo("related.user", userName); - evt.Put("user.target.name", userName); - } - - var copyTargetUserToGroup = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.TargetUserSid", to: "group.id"}, - {from: "winlog.event_data.TargetSid", to: "group.id"}, - {from: "winlog.event_data.TargetUserName", to: "group.name"}, - {from: "winlog.event_data.TargetDomainName", to: "group.domain"}, - ], - ignore_missing: true, - }).Add(function(evt) { - if (!evt.Get("user.target")) return; - evt.Put("user.target.group.id", 
evt.Get("group.id")); - evt.Put("user.target.group.name", evt.Get("group.name")); - evt.Put("user.target.group.domain", evt.Get("group.domain")); - }) - .Build(); - var copyTargetUserToComputerObject = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.TargetSid", to: "winlog.computerObject.id"}, - {from: "winlog.event_data.TargetUserName", to: "winlog.computerObject.name"}, - {from: "winlog.event_data.TargetDomainName", to: "winlog.computerObject.domain"}, - ], - ignore_missing: true, - }) - .Build(); - var copyTargetUserLogonId = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.TargetLogonId", to: "winlog.logon.id"}, - ], - ignore_missing: true, - }) - .Build(); - var copySubjectUser = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.SubjectUserSid", to: "user.id"}, - {from: "winlog.event_data.SubjectUserName", to: "user.name"}, - {from: "winlog.event_data.SubjectDomainName", to: "user.domain"}, - ], - ignore_missing: true, - }) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.SubjectUserName"); - evt.AppendTo('related.user', user); - }) - .Build(); - var copySubjectUserFromUserData = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.user_data.SubjectUserSid", to: "user.id"}, - {from: "winlog.user_data.SubjectUserName", to: "user.name"}, - {from: "winlog.user_data.SubjectDomainName", to: "user.domain"}, - ], - ignore_missing: true, - }) - .Add(function(evt) { - var user = evt.Get("winlog.user_data.SubjectUserName"); - evt.AppendTo('related.user', user); - }) - .Build(); - var copySubjectUserLogonId = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.SubjectLogonId", to: "winlog.logon.id"}, - ], - ignore_missing: true, - }) - .Build(); - var copySubjectUserLogonIdFromUserData = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.user_data.SubjectLogonId", to: "winlog.logon.id"}, - ], - ignore_missing: true, - }) - .Build(); - 
var renameCommonAuthFields = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"},
- {from: "winlog.event_data.ProcessName", to: "process.executable"},
- {from: "winlog.event_data.IpAddress", to: "source.ip", type: "ip"},
- {from: "winlog.event_data.ClientAddress", to: "related.ip", type: "ip"},
- {from: "winlog.event_data.IpPort", to: "source.port", type: "long"},
- {from: "winlog.event_data.WorkstationName", to: "source.domain"},
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(function(evt) {
- var name = evt.Get("process.name");
- if (name) {
- return;
- }
- var exe = evt.Get("process.executable");
- if (!exe) {
- return;
- }
- evt.Put("process.name", path.basename(exe));
- })
- .Build();
- var renameNewProcessFields = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.NewProcessId", to: "process.pid", type: "long"},
- {from: "winlog.event_data.NewProcessName", to: "process.executable"},
- {from: "winlog.event_data.ParentProcessName", to: "process.parent.executable"}
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(function(evt) {
- var name = evt.Get("process.name");
- if (name) {
- return;
- }
- var exe = evt.Get("process.executable");
- if (!exe) {
- return;
- }
- evt.Put("process.name", path.basename(exe));
- })
- .Add(function(evt) {
- var name = evt.Get("process.parent.name");
- if (name) {
- return;
- }
- var exe = evt.Get("process.parent.executable");
- if (!exe) {
- return;
- }
- evt.Put("process.parent.name", path.basename(exe));
- })
- .Add(function(evt) {
- var cl = evt.Get("winlog.event_data.CommandLine");
- if (!cl) {
- return;
- }
- evt.Put("process.args", windows.splitCommandLine(cl));
- evt.Put("process.command_line", cl);
- })
- .Build();
- // Handles 4634 and 4647.
- var logoff = new processor.Chain()
- .Add(copyTargetUser)
- .Add(copyTargetUserLogonId)
- .Add(addLogonType)
- .Add(addEventFields)
- .Build();
- // Handles both 4624
- var logonSuccess = new processor.Chain()
- .Add(copyTargetUser)
- .Add(copyTargetUserLogonId)
- .Add(addLogonType)
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Add(function(evt) {
- var user = evt.Get("winlog.event_data.SubjectUserName");
- if (user) {
- var res = /^-$/.test(user);
- if (!res) {
- evt.AppendTo('related.user', user);
- }
- }
- })
- .Build();
- // Handles both 4648
- var event4648 = new processor.Chain()
- .Add(copyTargetUser)
- .Add(copySubjectUserLogonId)
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Add(function(evt) {
- var user = evt.Get("winlog.event_data.SubjectUserName");
- if (user) {
- var res = /^-$/.test(user);
- if (!res) {
- evt.AppendTo('related.user', user);
- }
- }
- })
- .Build();
- var event4625 = new processor.Chain()
- .Add(copyTargetUser)
- .Add(copySubjectUserLogonId)
- .Add(addLogonType)
- .Add(addFailureCode)
- .Add(addFailureStatus)
- .Add(addFailureSubStatus)
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Build();
- var event4672 = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(function(evt) {
- var privs = evt.Get("winlog.event_data.PrivilegeList");
- if (!privs) {
- return;
- }
- evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/));
- })
- .Add(addEventFields)
- .Build();
- var event4688 = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(renameNewProcessFields)
- .Add(addEventFields)
- .Add(function(evt) {
- var user = evt.Get("winlog.event_data.TargetUserName");
- if (user) {
- var res = /^-$/.test(user);
- if (!res) {
- evt.AppendTo('related.user', user);
- }
- }
- })
- .Build();
- var event4689 = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Build();
-
var event4697 = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(renameCommonAuthFields)
- .Add(addServiceFields)
- .Add(addEventFields)
- .Build();
- var userMgmtEvts = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(renameCommonAuthFields)
- .Add(addUACDescription)
- .Add(addEventFields)
- .Add(function(evt) {
- var user = evt.Get("winlog.event_data.TargetUserName");
- evt.AppendTo('related.user', user);
- })
- .Build();
- var userRenamed = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(addEventFields)
- .Add(function(evt) {
- var userNew = evt.Get("winlog.event_data.NewTargetUserName");
- evt.AppendTo('related.user', userNew);
- var userOld = evt.Get("winlog.event_data.OldTargetUserName");
- evt.AppendTo('related.user', userOld);
- })
- .Build();
- var groupMgmtEvts = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(copyMemberToUser)
- .Add(copyTargetUserToGroup)
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Build();
- var auditLogCleared = new processor.Chain()
- .Add(copySubjectUserFromUserData)
- .Add(copySubjectUserLogonIdFromUserData)
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Build();
- var auditChanged = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(renameCommonAuthFields)
- .Add(addAuditInfo)
- .Add(addEventFields)
- .Build();
- var auditLogMgmt = new processor.Chain()
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Build();
- var computerMgmtEvts = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(copyTargetUserToComputerObject)
- .Add(renameCommonAuthFields)
- .Add(addUACDescription)
- .Add(addEventFields)
- .Add(function(evt) {
- var privs = evt.Get("winlog.event_data.PrivilegeList");
- if (!privs) {
- return;
- }
- evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/));
- })
- .Build();
- var 
sessionEvts = new processor.Chain()
- .Add(addSessionData)
- .Add(addEventFields)
- .Build();
- var event4964 = new processor.Chain()
- .Add(copyTargetUser)
- .Add(copyTargetUserLogonId)
- .Add(addEventFields)
- .Build();
- var kerberosTktEvts = new processor.Chain()
- .Add(copyTargetUser)
- .Add(renameCommonAuthFields)
- .Add(addTicketOptionsDescription)
- .Add(addTicketEncryptionType)
- .Add(addTicketStatus)
- .Add(addEventFields)
- .Add(function(evt) {
- var ip = evt.Get("source.ip");
- if (ip) {
- if (/::ffff:/.test(ip)) {
- evt.Put("source.ip", ip.replace("::ffff:", ""));
- evt.AppendTo("related.ip", ip.replace("::ffff:", ""));
- }
- }
- })
- .Build();
- var event4776 = new processor.Chain()
- .Add(copyTargetUser)
- .Add(addFailureStatus)
- .Add(addEventFields)
- .Build();
- var scheduledTask = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(addEventFields)
- .Build();
- var sensitivePrivilege = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Add(function(evt) {
- var privs = evt.Get("winlog.event_data.PrivilegeList");
- if (!privs) {
- return;
- }
- evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/));
- })
- .Add(function(evt){
- var maskCodes = evt.Get("winlog.event_data.AccessMask");
- if (!maskCodes) {
- return;
- }
- var maskList = maskCodes.replace(/\s+/g, '').split("%%").filter(String);
- evt.Put("winlog.event_data.AccessMask", maskList);
- var maskResults = [];
- for (var j = 0; j < maskList.length; j++) {
- var description = msobjsMessageTable[maskList[j]];
- if (description === undefined) {
- return;
- }
- maskResults.push(description);
- }
- evt.Put("winlog.event_data.AccessMaskDescription", maskResults);
- })
- .Build();
-
- var trustDomainMgmtEvts = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(addEventFields)
- .Add(addTrustInformation)
- .Build();
-
- var policyChange = new 
processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(addEventFields)
- .Build();
-
- var objectPolicyChange = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Add(function(evt) {
- var oldSd = evt.Get("winlog.event_data.OldSd");
- var newSd = evt.Get("winlog.event_data.NewSd");
- if (oldSd) {
- enrichSDDL(evt, "winlog.event_data.OldSd");
- }
- if (newSd) {
- enrichSDDL(evt, "winlog.event_data.NewSd");
- }
- })
- .Build();
-
- var genericAuditChange = new processor.Chain()
- .Add(addEventFields)
- .Build();
-
- var event4908 = new processor.Chain()
- .Add(addEventFields)
- .Add(function(evt) {
- var sids = evt.Get("winlog.event_data.SidList");
- if (!sids) {
- return;
- }
- var sidList = sids.split(/\s+/);
- evt.Put("winlog.event_data.SidList", sids.split(/\s+/));
- var sidListDesc = [];
- for (var i = 0; i < sidList.length; i++) {
- var sidTemp = sidList[i].replace("%", "").replace("{", "").replace("}", "").replace(" ","");
- if (sidTemp) {
- sidListDesc.push(translateSID(sidTemp));
- }
- }
- evt.Put("winlog.event_data.SidListDesc", sidListDesc);
- })
- .Build();
-
- var securityEventSource = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Build();
-
- return {
- // 1100 - The event logging service has shut down.
- 1100: auditLogMgmt.Run,
- // 1102 - The audit log was cleared.
- 1102: auditLogCleared.Run,
- // 1104 - The security log is now full.
- 1104: auditLogMgmt.Run,
- // 1105 - Event log automatic backup.
- 1105: auditLogMgmt.Run,
- // 1108 - The event logging service encountered an error while processing an incoming event published from %1
- 1108: auditLogMgmt.Run,
- // 4624 - An account was successfully logged on.
- 4624: logonSuccess.Run,
- // 4625 - An account failed to log on.
- 4625: event4625.Run,
- // 4634 - An account was logged off.
- 4634: logoff.Run,
- // 4647 - User initiated logoff.
- 4647: logoff.Run,
- // 4648 - A logon was attempted using explicit credentials.
- 4648: event4648.Run,
- // 4670 - Permissions on an object were changed.
- 4670: objectPolicyChange.Run,
- // 4672 - Special privileges assigned to new logon.
- 4672: event4672.Run,
- // 4673 - A privileged service was called.
- 4673: sensitivePrivilege.Run,
- // 4674 - An operation was attempted on a privileged object.
- 4674: sensitivePrivilege.Run,
- // 4688 - A new process has been created.
- 4688: event4688.Run,
- // 4689 - A process has exited.
- 4689: event4689.Run,
- // 4697 - A service was installed in the system.
- 4697: event4697.Run,
- // 4698 - A scheduled task was created.
- 4698: scheduledTask.Run,
- // 4699 - A scheduled task was deleted.
- 4699: scheduledTask.Run,
- // 4700 - A scheduled task was enabled.
- 4700: scheduledTask.Run,
- // 4701 - A scheduled task was disabled.
- 4701: scheduledTask.Run,
- // 4702 - A scheduled task was updated.
- 4702: scheduledTask.Run,
- // 4706 - A new trust was created to a domain.
- 4706: trustDomainMgmtEvts.Run,
- // 4707 - A trust to a domain was removed.
- 4707: trustDomainMgmtEvts.Run,
- // 4713 - Kerberos policy was changed.
- 4713: policyChange.Run,
- // 4716 - Trusted domain information was modified.
- 4716: trustDomainMgmtEvts.Run,
- // 4717 - System security access was granted to an account.
- 4717: policyChange.Run,
- // 4718 - System security access was removed from an account.
- 4718: policyChange.Run,
- // 4719 - System audit policy was changed.
- 4719: auditChanged.Run,
- // 4720 - A user account was created
- 4720: userMgmtEvts.Run,
- // 4722 - A user account was enabled
- 4722: userMgmtEvts.Run,
- // 4723 - An attempt was made to change an account's password
- 4723: userMgmtEvts.Run,
- // 4724 - An attempt was made to reset an account's password
- 4724: userMgmtEvts.Run,
- // 4725 - A user account was disabled.
- 4725: userMgmtEvts.Run,
- // 4726 - An user account was deleted.
- 4726: userMgmtEvts.Run,
- // 4727 - A security-enabled global group was created.
- 4727: groupMgmtEvts.Run,
- // 4728 - A member was added to a security-enabled global group.
- 4728: groupMgmtEvts.Run,
- // 4729 - A member was removed from a security-enabled global group.
- 4729: groupMgmtEvts.Run,
- // 4730 - A security-enabled global group was deleted.
- 4730: groupMgmtEvts.Run,
- // 4731 - A security-enabled local group was created.
- 4731: groupMgmtEvts.Run,
- // 4732 - A member was added to a security-enabled local group.
- 4732: groupMgmtEvts.Run,
- // 4733 - A member was removed from a security-enabled local group.
- 4733: groupMgmtEvts.Run,
- // 4734 - A security-enabled local group was deleted.
- 4734: groupMgmtEvts.Run,
- // 4735 - A security-enabled local group was changed.
- 4735: groupMgmtEvts.Run,
- // 4737 - A security-enabled global group was changed.
- 4737: groupMgmtEvts.Run,
- // 4739 - A security-enabled global group was changed.
- 4739: policyChange.Run,
- // 4738 - An user account was changed.
- 4738: userMgmtEvts.Run,
- // 4740 - An account was locked out
- 4740: userMgmtEvts.Run,
- // 4741 - A computer account was created.
- 4741: computerMgmtEvts.Run,
- // 4742 - A computer account was changed.
- 4742: computerMgmtEvts.Run,
- // 4743 - A computer account was deleted.
- 4743: computerMgmtEvts.Run,
- // 4744 - A security-disabled local group was created.
- 4744: groupMgmtEvts.Run,
- // 4745 - A security-disabled local group was changed.
- 4745: groupMgmtEvts.Run,
- // 4746 - A member was added to a security-disabled local group.
- 4746: groupMgmtEvts.Run,
- // 4747 - A member was removed from a security-disabled local group.
- 4747: groupMgmtEvts.Run,
- // 4748 - A security-disabled local group was deleted.
- 4748: groupMgmtEvts.Run,
- // 4749 - A security-disabled global group was created.
- 4749: groupMgmtEvts.Run,
- // 4750 - A security-disabled global group was changed.
- 4750: groupMgmtEvts.Run,
- // 4751 - A member was added to a security-disabled global group.
- 4751: groupMgmtEvts.Run,
- // 4752 - A member was removed from a security-disabled global group.
- 4752: groupMgmtEvts.Run,
- // 4753 - A security-disabled global group was deleted.
- 4753: groupMgmtEvts.Run,
- // 4754 - A security-enabled universal group was created.
- 4754: groupMgmtEvts.Run,
- // 4755 - A security-enabled universal group was changed.
- 4755: groupMgmtEvts.Run,
- // 4756 - A member was added to a security-enabled universal group.
- 4756: groupMgmtEvts.Run,
- // 4757 - A member was removed from a security-enabled universal group.
- 4757: groupMgmtEvts.Run,
- // 4758 - A security-enabled universal group was deleted.
- 4758: groupMgmtEvts.Run,
- // 4759 - A security-disabled universal group was created.
- 4759: groupMgmtEvts.Run,
- // 4760 - A security-disabled universal group was changed.
- 4760: groupMgmtEvts.Run,
- // 4761 - A member was added to a security-disabled universal group.
- 4761: groupMgmtEvts.Run,
- // 4762 - A member was removed from a security-disabled universal group.
- 4762: groupMgmtEvts.Run,
- // 4763 - A security-disabled global group was deleted.
- 4763: groupMgmtEvts.Run,
- // 4764 - A group\'s type was changed.
- 4764: groupMgmtEvts.Run,
- // 4767 - A user account was unlocked.
- 4767: userMgmtEvts.Run,
- // 4768 - A Kerberos authentication ticket TGT was requested.
- 4768: kerberosTktEvts.Run,
- // 4769 - A Kerberos service ticket was requested.
- 4769: kerberosTktEvts.Run,
- // 4770 - A Kerberos service ticket was renewed.
- 4770: kerberosTktEvts.Run,
- // 4771 - Kerberos pre-authentication failed.
- 4771: kerberosTktEvts.Run,
- // 4776 - The computer attempted to validate the credentials for an account.
- 4776: event4776.Run,
- // 4778 - A session was reconnected to a Window Station.
- 4778: sessionEvts.Run,
- // 4779 - A session was disconnected from a Window Station.
- 4779: sessionEvts.Run,
- // 4781 - The name of an account was changed.
- 4781: userRenamed.Run,
- // 4798 - A user's local group membership was enumerated.
- 4798: userMgmtEvts.Run,
- // 4799 - A security-enabled local group membership was enumerated.
- 4799: groupMgmtEvts.Run,
- // 4817 - Auditing settings on object were changed.
- 4817: objectPolicyChange.Run,
- // 4902 - The Per-user audit policy table was created.
- 4902: genericAuditChange.Run,
- // 4904 - An attempt was made to register a security event source.
- 4904: securityEventSource.Run,
- // 4905 - An attempt was made to unregister a security event source.
- 4905: securityEventSource.Run,
- // 4906 - The CrashOnAuditFail value has changed.
- 4906: genericAuditChange.Run,
- // 4907 - Auditing settings on object were changed.
- 4907: objectPolicyChange.Run,
- // 4908 - Special Groups Logon table modified.
- 4908: event4908.Run,
- // 4912 - Per User Audit Policy was changed.
- 4912: auditChanged.Run,
- // 4964 - Special groups have been assigned to a new logon.
- 4964: event4964.Run,
- process: function(evt) {
- var eventId = evt.Get("winlog.event_id");
- var processor = this[eventId];
- if (processor === undefined) {
- return;
- }
- evt.Put("event.module", "security");
- processor(evt);
- },
- };
- })();
- function process(evt) {
- return security.process(evt);
- }
\ No newline at end of file
diff --git a/packages/system/0.12.0/data_stream/security/agent/stream/winlog.yml.hbs b/packages/system/0.12.0/data_stream/security/agent/stream/winlog.yml.hbs
deleted file mode 100755
index 7a08288aa0..0000000000
--- a/packages/system/0.12.0/data_stream/security/agent/stream/winlog.yml.hbs
+++ /dev/null
@@ -1,2537 +0,0 @@
-name: Security
-condition: ${host.platform} == 'windows'
-processors:
- - add_fields:
- target: ''
- fields:
- ecs.version: 1.9.0
- - script:
- lang: javascript
- id: security
- source: |-
- // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- // or more contributor license agreements. Licensed under the Elastic License;
- // you may not use this file except in compliance with the Elastic License.
- var security = (function () {
- var path = require("path");
- var processor = require("processor");
- var windows = require("windows");
- // Logon Types
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events
- var logonTypes = {
- "2": "Interactive",
- "3": "Network",
- "4": "Batch",
- "5": "Service",
- "7": "Unlock",
- "8": "NetworkCleartext",
- "9": "NewCredentials",
- "10": "RemoteInteractive",
- "11": "CachedInteractive",
- };
- // User Account Control Attributes Table
- // https://support.microsoft.com/es-us/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties
- var uacFlags = [
- [0x0001, 'SCRIPT'],
- [0x0002, 'ACCOUNTDISABLE'],
- [0x0008, 'HOMEDIR_REQUIRED'],
- [0x0010, 'LOCKOUT'],
- [0x0020, 'PASSWD_NOTREQD'],
- [0x0040, 'PASSWD_CANT_CHANGE'],
- [0x0080, 'ENCRYPTED_TEXT_PWD_ALLOWED'],
- [0x0100, 'TEMP_DUPLICATE_ACCOUNT'],
- [0x0200, 'NORMAL_ACCOUNT'],
- [0x0800, 'INTERDOMAIN_TRUST_ACCOUNT'],
- [0x1000, 'WORKSTATION_TRUST_ACCOUNT'],
- [0x2000, 'SERVER_TRUST_ACCOUNT'],
- [0x10000, 'DONT_EXPIRE_PASSWORD'],
- [0x20000, 'MNS_LOGON_ACCOUNT'],
- [0x40000, 'SMARTCARD_REQUIRED'],
- [0x80000, 'TRUSTED_FOR_DELEGATION'],
- [0x100000, 'NOT_DELEGATED'],
- [0x200000, 'USE_DES_KEY_ONLY'],
- [0x400000, 'DONT_REQ_PREAUTH'],
- [0x800000, 'PASSWORD_EXPIRED'],
- [0x1000000, 'TRUSTED_TO_AUTH_FOR_DELEGATION'],
- [0x04000000, 'PARTIAL_SECRETS_ACCOUNT'],
- ];
- // Kerberos TGT and TGS Ticket Options
- // 
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769
- var ticketOptions = [
- "Reserved",
- "Forwardable",
- "Forwarded",
- "Proxiable",
- "Proxy",
- "Allow-postdate",
- "Postdated",
- "Invalid",
- "Renewable",
- "Initial",
- "Pre-authent",
- "Opt-hardware-auth",
- "Transited-policy-checked",
- "Ok-as-delegate",
- "Request-anonymous",
- "Name-canonicalize",
- "Unused",
- "Unused",
- "Unused",
- "Unused",
- "Unused",
- "Unused",
- "Unused",
- "Unused",
- "Unused",
- "Unused",
- "Disable-transited-check",
- "Renewable-ok",
- "Enc-tkt-in-skey",
- "Unused",
- "Renew",
- "Validate"];
- // Kerberos Encryption Types
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
- var ticketEncryptionTypes = {
- "0x1": "DES-CBC-CRC",
- "0x3": "DES-CBC-MD5",
- "0x11": "AES128-CTS-HMAC-SHA1-96",
- "0x12": "AES256-CTS-HMAC-SHA1-96",
- "0x17": "RC4-HMAC",
- "0x18": "RC4-HMAC-EXP",
- "0xffffffff": "FAIL",
- };
- // Kerberos Result Status Codes
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
- var kerberosTktStatusCodes = {
- "0x0": "KDC_ERR_NONE",
- "0x1": "KDC_ERR_NAME_EXP",
- "0x2": "KDC_ERR_SERVICE_EXP",
- "0x3": "KDC_ERR_BAD_PVNO",
- "0x4": "KDC_ERR_C_OLD_MAST_KVNO",
- "0x5": "KDC_ERR_S_OLD_MAST_KVNO",
- "0x6": "KDC_ERR_C_PRINCIPAL_UNKNOWN",
- "0x7": "KDC_ERR_S_PRINCIPAL_UNKNOWN",
- "0x8": "KDC_ERR_PRINCIPAL_NOT_UNIQUE",
- "0x9": "KDC_ERR_NULL_KEY",
- "0xA": "KDC_ERR_CANNOT_POSTDATE",
- "0xB": "KDC_ERR_NEVER_VALID",
- "0xC": "KDC_ERR_POLICY",
- "0xD": "KDC_ERR_BADOPTION",
- "0xE": "KDC_ERR_ETYPE_NOTSUPP",
- "0xF": "KDC_ERR_SUMTYPE_NOSUPP",
- "0x10": "KDC_ERR_PADATA_TYPE_NOSUPP",
- "0x11": 
"KDC_ERR_TRTYPE_NO_SUPP", - "0x12": "KDC_ERR_CLIENT_REVOKED", - "0x13": "KDC_ERR_SERVICE_REVOKED", - "0x14": "KDC_ERR_TGT_REVOKED", - "0x15": "KDC_ERR_CLIENT_NOTYET", - "0x16": "KDC_ERR_SERVICE_NOTYET", - "0x17": "KDC_ERR_KEY_EXPIRED", - "0x18": "KDC_ERR_PREAUTH_FAILED", - "0x19": "KDC_ERR_PREAUTH_REQUIRED", - "0x1A": "KDC_ERR_SERVER_NOMATCH", - "0x1B": "KDC_ERR_MUST_USE_USER2USER", - "0x1F": "KRB_AP_ERR_BAD_INTEGRITY", - "0x20": "KRB_AP_ERR_TKT_EXPIRED", - "0x21": "KRB_AP_ERR_TKT_NYV", - "0x22": "KRB_AP_ERR_REPEAT", - "0x23": "KRB_AP_ERR_NOT_US", - "0x24": "KRB_AP_ERR_BADMATCH", - "0x25": "KRB_AP_ERR_SKEW", - "0x26": "KRB_AP_ERR_BADADDR", - "0x27": "KRB_AP_ERR_BADVERSION", - "0x28": "KRB_AP_ERR_MSG_TYPE", - "0x29": "KRB_AP_ERR_MODIFIED", - "0x2A": "KRB_AP_ERR_BADORDER", - "0x2C": "KRB_AP_ERR_BADKEYVER", - "0x2D": "KRB_AP_ERR_NOKEY", - "0x2E": "KRB_AP_ERR_MUT_FAIL", - "0x2F": "KRB_AP_ERR_BADDIRECTION", - "0x30": "KRB_AP_ERR_METHOD", - "0x31": "KRB_AP_ERR_BADSEQ", - "0x32": "KRB_AP_ERR_INAPP_CKSUM", - "0x33": "KRB_AP_PATH_NOT_ACCEPTED", - "0x34": "KRB_ERR_RESPONSE_TOO_BIG", - "0x3C": "KRB_ERR_GENERIC", - "0x3D": "KRB_ERR_FIELD_TOOLONG", - "0x3E": "KDC_ERR_CLIENT_NOT_TRUSTED", - "0x3F": "KDC_ERR_KDC_NOT_TRUSTED", - "0x40": "KDC_ERR_INVALID_SIG", - "0x41": "KDC_ERR_KEY_TOO_WEAK", - "0x42": "KRB_AP_ERR_USER_TO_USER_REQUIRED", - "0x43": "KRB_AP_ERR_NO_TGT", - "0x44": "KDC_ERR_WRONG_REALM", - }; - // event.category, event.type, event.action - var eventActionTypes = { - "1100": [["process"], ["end"], "logging-service-shutdown"], - "1102": [["iam"], ["admin", "change"], "audit-log-cleared"], // need to recategorize - "1104": [["iam"], ["admin"],"logging-full"], - "1105": [["iam"], ["admin"],"auditlog-archieved"], - "1108": [["iam"], ["admin"],"logging-processing-error"], - "4610": [["configuration"], ["access"], "authentication-package-loaded"], - "4611": [["configuration"], ["change"], "trusted-logon-process-registered"], - "4614": [["configuration"], ["access"], 
"notification-package-loaded"], - "4616": [["configuration"], ["change"], "system-time-changed"], - "4622": [["configuration"], ["access"], "security-package-loaded"], - "4624": [["authentication"], ["start"], "logged-in"], - "4625": [["authentication"], ["start"], "logon-failed"], - "4634": [["authentication"], ["end"], "logged-out"], - "4647": [["authentication"], ["end"], "logged-out"], - "4648": [["authentication"], ["start"], "logged-in-explicit"], - "4657": [["registry", "configuration"], ["change"], "registry-value-modified"], - "4670": [["iam", "configuration"],["admin", "change"],"permissions-changed"], - "4672": [["iam"], ["admin"], "logged-in-special"], - "4673": [["iam"], ["admin"], "privileged-service-called"], - "4674": [["iam"], ["admin"], "privileged-operation"], - "4688": [["process"], ["start"], "created-process"], - "4689": [["process"], ["end"], "exited-process"], - "4697": [["iam", "configuration"], ["admin", "change"],"service-installed"], // remove iam and admin - "4698": [["iam", "configuration"], ["creation", "admin"], "scheduled-task-created"], // remove iam and admin - "4699": [["iam", "configuration"], ["deletion", "admin"], "scheduled-task-deleted"], // remove iam and admin - "4700": [["iam", "configuration"], ["change", "admin"], "scheduled-task-enabled"], // remove iam and admin - "4701": [["iam", "configuration"], ["change", "admin"], "scheduled-task-disabled"], // remove iam and admin - "4702": [["iam", "configuration"], ["change", "admin"], "scheduled-task-updated"], // remove iam and admin - "4706": [["configuration"], ["creation"], "domain-trust-added"], - "4707": [["configuration"], ["deletion"], "domain-trust-removed"], - "4713": [["configuration"], ["change"], "kerberos-policy-changed"], - "4714": [["configuration"], ["change"], "encrypted-data-recovery-policy-changed"], - "4715": [["configuration"], ["change"], "object-audit-policy-changed"], - "4716": [["configuration"], ["change"], "trusted-domain-information-changed"], - 
"4717": [["iam", "configuration"],["admin", "change"],"system-security-access-granted"], - "4718": [["iam", "configuration"],["admin", "deletion"],"system-security-access-removed"], - "4719": [["iam", "configuration"], ["admin", "change"], "changed-audit-config"], // remove iam and admin - "4720": [["iam"], ["user", "creation"], "added-user-account"], - "4722": [["iam"], ["user", "change"], "enabled-user-account"], - "4723": [["iam"], ["user", "change"], "changed-password"], - "4724": [["iam"], ["user", "change"], "reset-password"], - "4725": [["iam"], ["user", "deletion"], "disabled-user-account"], - "4726": [["iam"], ["user", "deletion"], "deleted-user-account"], - "4727": [["iam"], ["group", "creation"], "added-group-account"], - "4728": [["iam"], ["group", "change"], "added-member-to-group"], - "4729": [["iam"], ["group", "change"], "removed-member-from-group"], - "4730": [["iam"], ["group", "deletion"], "deleted-group-account"], - "4731": [["iam"], ["group", "creation"], "added-group-account"], - "4732": [["iam"], ["group", "change"], "added-member-to-group"], - "4733": [["iam"], ["group", "change"], "removed-member-from-group"], - "4734": [["iam"], ["group", "deletion"], "deleted-group-account"], - "4735": [["iam"], ["group", "change"], "modified-group-account"], - "4737": [["iam"], ["group", "change"], "modified-group-account"], - "4738": [["iam"], ["user", "change"], "modified-user-account"], - "4739": [["configuration"], ["change"], "domain-policy-changed"], - "4740": [["iam"], ["user", "change"], "locked-out-user-account"], - "4741": [["iam"], ["creation", "admin"], "added-computer-account"], // remove admin - "4742": [["iam"], ["change", "admin"], "changed-computer-account"], // remove admin - "4743": [["iam"], ["deletion", "admin"], "deleted-computer-account"], // remove admin - "4744": [["iam"], ["group", "creation"], "added-distribution-group-account"], - "4745": [["iam"], ["group", "change"], "changed-distribution-group-account"], - "4746": [["iam"], 
["group", "change"], "added-member-to-distribution-group"], - "4747": [["iam"], ["group", "change"], "removed-member-from-distribution-group"], - "4748": [["iam"], ["group", "deletion"], "deleted-distribution-group-account"], - "4749": [["iam"], ["group", "creation"], "added-distribution-group-account"], - "4750": [["iam"], ["group", "change"], "changed-distribution-group-account"], - "4751": [["iam"], ["group", "change"], "added-member-to-distribution-group"], - "4752": [["iam"], ["group", "change"], "removed-member-from-distribution-group"], - "4753": [["iam"], ["group", "deletion"], "deleted-distribution-group-account"], - "4754": [["iam"], ["group", "creation"], "added-group-account"], - "4755": [["iam"], ["group", "change"], "modified-group-account"], - "4756": [["iam"], ["group", "change"], "added-member-to-group"], - "4757": [["iam"], ["group", "change"], "removed-member-from-group"], - "4758": [["iam"], ["group", "deletion"], "deleted-group-account"], - "4759": [["iam"], ["group", "creation"], "added-distribution-group-account"], - "4760": [["iam"], ["group", "change"], "changed-distribution-group-account"], - "4761": [["iam"], ["group", "change"], "added-member-to-distribution-group"], - "4762": [["iam"], ["group", "change"], "removed-member-from-distribution-group"], - "4763": [["iam"], ["group", "deletion"], "deleted-distribution-group-account"], - "4764": [["iam"], ["group", "change"], "type-changed-group-account"], - "4767": [["iam"], ["user", "change"], "unlocked-user-account"], - "4768": [["authentication"], ["start"], "kerberos-authentication-ticket-requested"], - "4769": [["authentication"], ["start"], "kerberos-service-ticket-requested"], - "4770": [["authentication"], ["start"], "kerberos-service-ticket-renewed"], - "4771": [["authentication"], ["start"], "kerberos-preauth-failed"], - "4776": [["authentication"], ["start"], "credential-validated"], - "4778": [["authentication", "session"], ["start"], "session-reconnected"], - "4779": 
[["authentication", "session"], ["end"], "session-disconnected"], - "4781": [["iam"], ["user", "change"], "renamed-user-account"], - "4798": [["iam"], ["user", "info"], "group-membership-enumerated"], // process enumerates the local groups to which the specified user belongs - "4799": [["iam"], ["group", "info"], "user-member-enumerated"], // a process enumerates the members of the specified local group - "4817": [["iam", "configuration"], ["admin", "change"],"object-audit-changed"], - "4902": [["iam", "configuration"], ["admin", "creation"],"user-audit-policy-created"], - "4904": [["iam", "configuration"], ["admin", "change"],"security-event-source-added"], - "4905": [["iam", "configuration"], ["admin", "deletion"], "security-event-source-removed"], - "4906": [["iam", "configuration"], ["admin", "change"], "crash-on-audit-changed"], - "4907": [["iam", "configuration"], ["admin", "change"], "audit-setting-changed"], - "4908": [["iam", "configuration"], ["admin", "change"], "special-group-table-changed"], - "4912": [["iam", "configuration"], ["admin", "change"], "per-user-audit-policy-changed"], - "4950": [["configuration"], ["change"], "windows-firewall-setting-changed"], - "4954": [["configuration"], ["change"], "windows-firewall-group-policy-changed"], - "4964": [["iam"], ["admin", "group"], "logged-in-special"], - "5024": [["process"], ["start"], "windows-firewall-service-started"], - "5025": [["process"], ["end"], "windows-firewall-service-stopped"], - "5033": [["driver"], ["start"], "windows-firewall-driver-started"], - "5034": [["driver"], ["end"], "windows-firewall-driver-stopped"], - "5037": [["driver"], ["end"], "windows-firewall-driver-error"], - }; - // Services Types - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697 - var serviceTypes = { - "0x1": "Kernel Driver", - "0x2": "File System Driver", - "0x8": "Recognizer Driver", - "0x10": "Win32 Own Process", - "0x20": "Win32 Share Process", - "0x110": "Interactive 
Own Process", - "0x120": "Interactive Share Process", - }; - // Audit Categories Description - // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpac/77878370-0712-47cd-997d-b07053429f6d - var auditDescription = { - "0CCE9210-69AE-11D9-BED3-505054503030":["Security State Change", "System"], - "0CCE9211-69AE-11D9-BED3-505054503030":["Security System Extension", "System"], - "0CCE9212-69AE-11D9-BED3-505054503030":["System Integrity", "System"], - "0CCE9213-69AE-11D9-BED3-505054503030":["IPsec Driver", "System"], - "0CCE9214-69AE-11D9-BED3-505054503030":["Other System Events", "System"], - "0CCE9215-69AE-11D9-BED3-505054503030":["Logon", "Logon/Logoff"], - "0CCE9216-69AE-11D9-BED3-505054503030":["Logoff","Logon/Logoff"], - "0CCE9217-69AE-11D9-BED3-505054503030":["Account Lockout","Logon/Logoff"], - "0CCE9218-69AE-11D9-BED3-505054503030":["IPsec Main Mode","Logon/Logoff"], - "0CCE9219-69AE-11D9-BED3-505054503030":["IPsec Quick Mode","Logon/Logoff"], - "0CCE921A-69AE-11D9-BED3-505054503030":["IPsec Extended Mode","Logon/Logoff"], - "0CCE921B-69AE-11D9-BED3-505054503030":["Special Logon","Logon/Logoff"], - "0CCE921C-69AE-11D9-BED3-505054503030":["Other Logon/Logoff Events","Logon/Logoff"], - "0CCE9243-69AE-11D9-BED3-505054503030":["Network Policy Server","Logon/Logoff"], - "0CCE9247-69AE-11D9-BED3-505054503030":["User / Device Claims","Logon/Logoff"], - "0CCE921D-69AE-11D9-BED3-505054503030":["File System","Object Access"], - "0CCE921E-69AE-11D9-BED3-505054503030":["Registry","Object Access"], - "0CCE921F-69AE-11D9-BED3-505054503030":["Kernel Object","Object Access"], - "0CCE9220-69AE-11D9-BED3-505054503030":["SAM","Object Access"], - "0CCE9221-69AE-11D9-BED3-505054503030":["Certification Services","Object Access"], - "0CCE9222-69AE-11D9-BED3-505054503030":["Application Generated","Object Access"], - "0CCE9223-69AE-11D9-BED3-505054503030":["Handle Manipulation","Object Access"], - "0CCE9224-69AE-11D9-BED3-505054503030":["File Share","Object Access"], - 
"0CCE9225-69AE-11D9-BED3-505054503030":["Filtering Platform Packet Drop","Object Access"], - "0CCE9226-69AE-11D9-BED3-505054503030":["Filtering Platform Connection ","Object Access"], - "0CCE9227-69AE-11D9-BED3-505054503030":["Other Object Access Events","Object Access"], - "0CCE9244-69AE-11D9-BED3-505054503030":["Detailed File Share","Object Access"], - "0CCE9245-69AE-11D9-BED3-505054503030":["Removable Storage","Object Access"], - "0CCE9246-69AE-11D9-BED3-505054503030":["Central Policy Staging","Object Access"], - "0CCE9228-69AE-11D9-BED3-505054503030":["Sensitive Privilege Use","Privilege Use"], - "0CCE9229-69AE-11D9-BED3-505054503030":["Non Sensitive Privilege Use","Privilege Use"], - "0CCE922A-69AE-11D9-BED3-505054503030":["Other Privilege Use Events","Privilege Use"], - "0CCE922B-69AE-11D9-BED3-505054503030":["Process Creation","Detailed Tracking"], - "0CCE922C-69AE-11D9-BED3-505054503030":["Process Termination","Detailed Tracking"], - "0CCE922D-69AE-11D9-BED3-505054503030":["DPAPI Activity","Detailed Tracking"], - "0CCE922E-69AE-11D9-BED3-505054503030":["RPC Events","Detailed Tracking"], - "0CCE9248-69AE-11D9-BED3-505054503030":["Plug and Play Events","Detailed Tracking"], - "0CCE922F-69AE-11D9-BED3-505054503030":["Audit Policy Change","Policy Change"], - "0CCE9230-69AE-11D9-BED3-505054503030":["Authentication Policy Change","Policy Change"], - "0CCE9231-69AE-11D9-BED3-505054503030":["Authorization Policy Change","Policy Change"], - "0CCE9232-69AE-11D9-BED3-505054503030":["MPSSVC Rule-Level Policy Change","Policy Change"], - "0CCE9233-69AE-11D9-BED3-505054503030":["Filtering Platform Policy Change","Policy Change"], - "0CCE9234-69AE-11D9-BED3-505054503030":["Other Policy Change Events","Policy Change"], - "0CCE9235-69AE-11D9-BED3-505054503030":["User Account Management","Account Management"], - "0CCE9236-69AE-11D9-BED3-505054503030":["Computer Account Management","Account Management"], - "0CCE9237-69AE-11D9-BED3-505054503030":["Security Group 
Management","Account Management"], - "0CCE9238-69AE-11D9-BED3-505054503030":["Distribution Group Management","Account Management"], - "0CCE9239-69AE-11D9-BED3-505054503030":["Application Group Management","Account Management"], - "0CCE923A-69AE-11D9-BED3-505054503030":["Other Account Management Events","Account Management"], - "0CCE923B-69AE-11D9-BED3-505054503030":["Directory Service Access","Account Management"], - "0CCE923C-69AE-11D9-BED3-505054503030":["Directory Service Changes","Account Management"], - "0CCE923D-69AE-11D9-BED3-505054503030":["Directory Service Replication","Account Management"], - "0CCE923E-69AE-11D9-BED3-505054503030":["Detailed Directory Service Replication","Account Management"], - "0CCE923F-69AE-11D9-BED3-505054503030":["Credential Validation","Account Logon"], - "0CCE9240-69AE-11D9-BED3-505054503030":["Kerberos Service Ticket Operations","Account Logon"], - "0CCE9241-69AE-11D9-BED3-505054503030":["Other Account Logon Events","Account Logon"], - "0CCE9242-69AE-11D9-BED3-505054503030":["Kerberos Authentication Service","Account Logon"], - }; - // Descriptions of failure status codes. 
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625 - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776 - var logonFailureStatus = { - "0xc000005e": "There are currently no logon servers available to service the logon request.", - "0xc0000064": "User logon with misspelled or bad user account", - "0xc000006a": "User logon with misspelled or bad password", - "0xc000006d": "This is either due to a bad username or authentication information", - "0xc000006e": "Unknown user name or bad password.", - "0xc000006f": "User logon outside authorized hours", - "0xc0000070": "User logon from unauthorized workstation", - "0xc0000071": "User logon with expired password", - "0xc0000072": "User logon to account disabled by administrator", - "0xc00000dc": "Indicates the Sam Server was in the wrong state to perform the desired operation.", - "0xc0000133": "Clocks between DC and other computer too far out of sync", - "0xc000015b": "The user has not been granted the requested logon type (aka logon right) at this machine", - "0xc000018c": "The logon request failed because the trust relationship between the primary domain and the trusted domain failed.", - "0xc0000192": "An attempt was made to logon, but the Netlogon service was not started.", - "0xc0000193": "User logon with expired account", - "0xc0000224": "User is required to change password at next logon", - "0xc0000225": "Evidently a bug in Windows and not a risk", - "0xc0000234": "User logon with account locked", - "0xc00002ee": "Failure Reason: An Error occurred during Logon", - "0xc0000413": "Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine.", - "0xc0000371": "The local account store does not contain secret material for the specified account", - "0x0": "Status OK.", - }; - // Message table extracted from msobjs.dll on Windows 2019. 
- // https://gist.github.com/andrewkroh/665dca0682bd0e4daf194ab291694012 - var msobjsMessageTable = { - "279": "Undefined Access (no effect) Bit 7", - "1536": "Unused message ID", - "1537": "DELETE", - "1538": "READ_CONTROL", - "1539": "WRITE_DAC", - "1540": "WRITE_OWNER", - "1541": "SYNCHRONIZE", - "1542": "ACCESS_SYS_SEC", - "1543": "MAX_ALLOWED", - "1552": "Unknown specific access (bit 0)", - "1553": "Unknown specific access (bit 1)", - "1554": "Unknown specific access (bit 2)", - "1555": "Unknown specific access (bit 3)", - "1556": "Unknown specific access (bit 4)", - "1557": "Unknown specific access (bit 5)", - "1558": "Unknown specific access (bit 6)", - "1559": "Unknown specific access (bit 7)", - "1560": "Unknown specific access (bit 8)", - "1561": "Unknown specific access (bit 9)", - "1562": "Unknown specific access (bit 10)", - "1563": "Unknown specific access (bit 11)", - "1564": "Unknown specific access (bit 12)", - "1565": "Unknown specific access (bit 13)", - "1566": "Unknown specific access (bit 14)", - "1567": "Unknown specific access (bit 15)", - "1601": "Not used", - "1603": "Assign Primary Token Privilege", - "1604": "Lock Memory Privilege", - "1605": "Increase Memory Quota Privilege", - "1606": "Unsolicited Input Privilege", - "1607": "Trusted Computer Base Privilege", - "1608": "Security Privilege", - "1609": "Take Ownership Privilege", - "1610": "Load/Unload Driver Privilege", - "1611": "Profile System Privilege", - "1612": "Set System Time Privilege", - "1613": "Profile Single Process Privilege", - "1614": "Increment Base Priority Privilege", - "1615": "Create Pagefile Privilege", - "1616": "Create Permanent Object Privilege", - "1617": "Backup Privilege", - "1618": "Restore From Backup Privilege", - "1619": "Shutdown System Privilege", - "1620": "Debug Privilege", - "1621": "View or Change Audit Log Privilege", - "1622": "Change Hardware Environment Privilege", - "1623": "Change Notify (and Traverse) Privilege", - "1624": "Remotely Shut 
System Down Privilege", - "1792": "", - "1794": "", - "1795": "Enabled", - "1796": "Disabled", - "1797": "All", - "1798": "None", - "1799": "Audit Policy query/set API Operation", - "1800": "", - "1801": "Granted by", - "1802": "Denied by", - "1803": "Denied by Integrity Policy check", - "1804": "Granted by Ownership", - "1805": "Not granted", - "1806": "Granted by NULL DACL", - "1807": "Denied by Empty DACL", - "1808": "Granted by NULL Security Descriptor", - "1809": "Unknown or unchecked", - "1810": "Not granted due to missing", - "1811": "Granted by ACE on parent folder", - "1812": "Denied by ACE on parent folder", - "1813": "Granted by Central Access Rule", - "1814": "NOT Granted by Central Access Rule", - "1815": "Granted by parent folder's Central Access Rule", - "1816": "NOT Granted by parent folder's Central Access Rule", - "1817": "Unknown Type", - "1818": "String", - "1819": "Unsigned 64-bit Integer", - "1820": "64-bit Integer", - "1821": "FQBN", - "1822": "Blob", - "1823": "Sid", - "1824": "Boolean", - "1825": "TRUE", - "1826": "FALSE", - "1827": "Invalid", - "1828": "an ACE too long to display", - "1829": "a Security Descriptor too long to display", - "1830": "Not granted to AppContainers", - "1831": "...", - "1832": "Identification", - "1833": "Impersonation", - "1840": "Delegation", - "1841": "Denied by Process Trust Label ACE", - "1842": "Yes", - "1843": "No", - "1844": "System", - "1845": "Not Available", - "1846": "Default", - "1847": "DisallowMmConfig", - "1848": "Off", - "1849": "Auto", - "1872": "REG_NONE", - "1873": "REG_SZ", - "1874": "REG_EXPAND_SZ", - "1875": "REG_BINARY", - "1876": "REG_DWORD", - "1877": "REG_DWORD_BIG_ENDIAN", - "1878": "REG_LINK", - "1879": "REG_MULTI_SZ (New lines are replaced with *. 
A * is replaced with **)", - "1880": "REG_RESOURCE_LIST", - "1881": "REG_FULL_RESOURCE_DESCRIPTOR", - "1882": "REG_RESOURCE_REQUIREMENTS_LIST", - "1883": "REG_QWORD", - "1904": "New registry value created", - "1905": "Existing registry value modified", - "1906": "Registry value deleted", - "1920": "Sunday", - "1921": "Monday", - "1922": "Tuesday", - "1923": "Wednesday", - "1924": "Thursday", - "1925": "Friday", - "1926": "Saturday", - "1936": "TokenElevationTypeDefault (1)", - "1937": "TokenElevationTypeFull (2)", - "1938": "TokenElevationTypeLimited (3)", - "2048": "Account Enabled", - "2049": "Home Directory Required' - Disabled", - "2050": "Password Not Required' - Disabled", - "2051": "Temp Duplicate Account' - Disabled", - "2052": "Normal Account' - Disabled", - "2053": "MNS Logon Account' - Disabled", - "2054": "Interdomain Trust Account' - Disabled", - "2055": "Workstation Trust Account' - Disabled", - "2056": "Server Trust Account' - Disabled", - "2057": "Don't Expire Password' - Disabled", - "2058": "Account Unlocked", - "2059": "Encrypted Text Password Allowed' - Disabled", - "2060": "Smartcard Required' - Disabled", - "2061": "Trusted For Delegation' - Disabled", - "2062": "Not Delegated' - Disabled", - "2063": "Use DES Key Only' - Disabled", - "2064": "Don't Require Preauth' - Disabled", - "2065": "Password Expired' - Disabled", - "2066": "Trusted To Authenticate For Delegation' - Disabled", - "2067": "Exclude Authorization Information' - Disabled", - "2068": "Undefined UserAccountControl Bit 20' - Disabled", - "2069": "Protect Kerberos Service Tickets with AES Keys' - Disabled", - "2070": "Undefined UserAccountControl Bit 22' - Disabled", - "2071": "Undefined UserAccountControl Bit 23' - Disabled", - "2072": "Undefined UserAccountControl Bit 24' - Disabled", - "2073": "Undefined UserAccountControl Bit 25' - Disabled", - "2074": "Undefined UserAccountControl Bit 26' - Disabled", - "2075": "Undefined UserAccountControl Bit 27' - Disabled", - "2076": 
"Undefined UserAccountControl Bit 28' - Disabled", - "2077": "Undefined UserAccountControl Bit 29' - Disabled", - "2078": "Undefined UserAccountControl Bit 30' - Disabled", - "2079": "Undefined UserAccountControl Bit 31' - Disabled", - "2080": "Account Disabled", - "2081": "Home Directory Required' - Enabled", - "2082": "Password Not Required' - Enabled", - "2083": "Temp Duplicate Account' - Enabled", - "2084": "Normal Account' - Enabled", - "2085": "MNS Logon Account' - Enabled", - "2086": "Interdomain Trust Account' - Enabled", - "2087": "Workstation Trust Account' - Enabled", - "2088": "Server Trust Account' - Enabled", - "2089": "Don't Expire Password' - Enabled", - "2090": "Account Locked", - "2091": "Encrypted Text Password Allowed' - Enabled", - "2092": "Smartcard Required' - Enabled", - "2093": "Trusted For Delegation' - Enabled", - "2094": "Not Delegated' - Enabled", - "2095": "Use DES Key Only' - Enabled", - "2096": "Don't Require Preauth' - Enabled", - "2097": "Password Expired' - Enabled", - "2098": "Trusted To Authenticate For Delegation' - Enabled", - "2099": "Exclude Authorization Information' - Enabled", - "2100": "Undefined UserAccountControl Bit 20' - Enabled", - "2101": "Protect Kerberos Service Tickets with AES Keys' - Enabled", - "2102": "Undefined UserAccountControl Bit 22' - Enabled", - "2103": "Undefined UserAccountControl Bit 23' - Enabled", - "2104": "Undefined UserAccountControl Bit 24' - Enabled", - "2105": "Undefined UserAccountControl Bit 25' - Enabled", - "2106": "Undefined UserAccountControl Bit 26' - Enabled", - "2107": "Undefined UserAccountControl Bit 27' - Enabled", - "2108": "Undefined UserAccountControl Bit 28' - Enabled", - "2109": "Undefined UserAccountControl Bit 29' - Enabled", - "2110": "Undefined UserAccountControl Bit 30' - Enabled", - "2111": "Undefined UserAccountControl Bit 31' - Enabled", - "2304": "An Error occured during Logon.", - "2305": "The specified user account has expired.", - "2306": "The NetLogon component 
is not active.", - "2307": "Account locked out.", - "2308": "The user has not been granted the requested logon type at this machine.", - "2309": "The specified account's password has expired.", - "2310": "Account currently disabled.", - "2311": "Account logon time restriction violation.", - "2312": "User not allowed to logon at this computer.", - "2313": "Unknown user name or bad password.", - "2314": "Domain sid inconsistent.", - "2315": "Smartcard logon is required and was not used.", - "2432": "Not Available.", - "2436": "Random number generator failure.", - "2437": "Random number generation failed FIPS-140 pre-hash check.", - "2438": "Failed to zero secret data.", - "2439": "Key failed pair wise consistency check.", - "2448": "Failed to unprotect persistent cryptographic key.", - "2449": "Key export checks failed.", - "2450": "Validation of public key failed.", - "2451": "Signature verification failed.", - "2456": "Open key file.", - "2457": "Delete key file.", - "2458": "Read persisted key from file.", - "2459": "Write persisted key to file.", - "2464": "Export of persistent cryptographic key.", - "2465": "Import of persistent cryptographic key.", - "2480": "Open Key.", - "2481": "Create Key.", - "2482": "Delete Key.", - "2483": "Encrypt.", - "2484": "Decrypt.", - "2485": "Sign hash.", - "2486": "Secret agreement.", - "2487": "Domain settings", - "2488": "Local settings", - "2489": "Add provider.", - "2490": "Remove provider.", - "2491": "Add context.", - "2492": "Remove context.", - "2493": "Add function.", - "2494": "Remove function.", - "2495": "Add function provider.", - "2496": "Remove function provider.", - "2497": "Add function property.", - "2498": "Remove function property.", - "2499": "Machine key.", - "2500": "User key.", - "2501": "Key Derivation.", - "4352": "Device Access Bit 0", - "4353": "Device Access Bit 1", - "4354": "Device Access Bit 2", - "4355": "Device Access Bit 3", - "4356": "Device Access Bit 4", - "4357": "Device Access Bit 5", - 
"4358": "Device Access Bit 6", - "4359": "Device Access Bit 7", - "4360": "Device Access Bit 8", - "4361": "Undefined Access (no effect) Bit 9", - "4362": "Undefined Access (no effect) Bit 10", - "4363": "Undefined Access (no effect) Bit 11", - "4364": "Undefined Access (no effect) Bit 12", - "4365": "Undefined Access (no effect) Bit 13", - "4366": "Undefined Access (no effect) Bit 14", - "4367": "Undefined Access (no effect) Bit 15", - "4368": "Query directory", - "4369": "Traverse", - "4370": "Create object in directory", - "4371": "Create sub-directory", - "4372": "Undefined Access (no effect) Bit 4", - "4373": "Undefined Access (no effect) Bit 5", - "4374": "Undefined Access (no effect) Bit 6", - "4375": "Undefined Access (no effect) Bit 7", - "4376": "Undefined Access (no effect) Bit 8", - "4377": "Undefined Access (no effect) Bit 9", - "4378": "Undefined Access (no effect) Bit 10", - "4379": "Undefined Access (no effect) Bit 11", - "4380": "Undefined Access (no effect) Bit 12", - "4381": "Undefined Access (no effect) Bit 13", - "4382": "Undefined Access (no effect) Bit 14", - "4383": "Undefined Access (no effect) Bit 15", - "4384": "Query event state", - "4385": "Modify event state", - "4386": "Undefined Access (no effect) Bit 2", - "4387": "Undefined Access (no effect) Bit 3", - "4388": "Undefined Access (no effect) Bit 4", - "4389": "Undefined Access (no effect) Bit 5", - "4390": "Undefined Access (no effect) Bit 6", - "4391": "Undefined Access (no effect) Bit 7", - "4392": "Undefined Access (no effect) Bit 8", - "4393": "Undefined Access (no effect) Bit 9", - "4394": "Undefined Access (no effect) Bit 10", - "4395": "Undefined Access (no effect) Bit 11", - "4396": "Undefined Access (no effect) Bit 12", - "4397": "Undefined Access (no effect) Bit 13", - "4398": "Undefined Access (no effect) Bit 14", - "4399": "Undefined Access (no effect) Bit 15", - "4416": "ReadData (or ListDirectory)", - "4417": "WriteData (or AddFile)", - "4418": "AppendData (or 
AddSubdirectory or CreatePipeInstance)", - "4419": "ReadEA", - "4420": "WriteEA", - "4421": "Execute/Traverse", - "4422": "DeleteChild", - "4423": "ReadAttributes", - "4424": "WriteAttributes", - "4425": "Undefined Access (no effect) Bit 9", - "4426": "Undefined Access (no effect) Bit 10", - "4427": "Undefined Access (no effect) Bit 11", - "4428": "Undefined Access (no effect) Bit 12", - "4429": "Undefined Access (no effect) Bit 13", - "4430": "Undefined Access (no effect) Bit 14", - "4431": "Undefined Access (no effect) Bit 15", - "4432": "Query key value", - "4433": "Set key value", - "4434": "Create sub-key", - "4435": "Enumerate sub-keys", - "4436": "Notify about changes to keys", - "4437": "Create Link", - "4438": "Undefined Access (no effect) Bit 6", - "4439": "Undefined Access (no effect) Bit 7", - "4440": "Enable 64(or 32) bit application to open 64 bit key", - "4441": "Enable 64(or 32) bit application to open 32 bit key", - "4442": "Undefined Access (no effect) Bit 10", - "4443": "Undefined Access (no effect) Bit 11", - "4444": "Undefined Access (no effect) Bit 12", - "4445": "Undefined Access (no effect) Bit 13", - "4446": "Undefined Access (no effect) Bit 14", - "4447": "Undefined Access (no effect) Bit 15", - "4448": "Query mutant state", - "4449": "Undefined Access (no effect) Bit 1", - "4450": "Undefined Access (no effect) Bit 2", - "4451": "Undefined Access (no effect) Bit 3", - "4452": "Undefined Access (no effect) Bit 4", - "4453": "Undefined Access (no effect) Bit 5", - "4454": "Undefined Access (no effect) Bit 6", - "4455": "Undefined Access (no effect) Bit 7", - "4456": "Undefined Access (no effect) Bit 8", - "4457": "Undefined Access (no effect) Bit 9", - "4458": "Undefined Access (no effect) Bit 10", - "4459": "Undefined Access (no effect) Bit 11", - "4460": "Undefined Access (no effect) Bit 12", - "4461": "Undefined Access (no effect) Bit 13", - "4462": "Undefined Access (no effect) Bit 14", - "4463": "Undefined Access (no effect) Bit 15", - 
"4464": "Communicate using port", - "4465": "Undefined Access (no effect) Bit 1", - "4466": "Undefined Access (no effect) Bit 2", - "4467": "Undefined Access (no effect) Bit 3", - "4468": "Undefined Access (no effect) Bit 4", - "4469": "Undefined Access (no effect) Bit 5", - "4470": "Undefined Access (no effect) Bit 6", - "4471": "Undefined Access (no effect) Bit 7", - "4472": "Undefined Access (no effect) Bit 8", - "4473": "Undefined Access (no effect) Bit 9", - "4474": "Undefined Access (no effect) Bit 10", - "4475": "Undefined Access (no effect) Bit 11", - "4476": "Undefined Access (no effect) Bit 12", - "4477": "Undefined Access (no effect) Bit 13", - "4478": "Undefined Access (no effect) Bit 14", - "4479": "Undefined Access (no effect) Bit 15", - "4480": "Force process termination", - "4481": "Create new thread in process", - "4482": "Set process session ID", - "4483": "Perform virtual memory operation", - "4484": "Read from process memory", - "4485": "Write to process memory", - "4486": "Duplicate handle into or out of process", - "4487": "Create a subprocess of process", - "4488": "Set process quotas", - "4489": "Set process information", - "4490": "Query process information", - "4491": "Set process termination port", - "4492": "Undefined Access (no effect) Bit 12", - "4493": "Undefined Access (no effect) Bit 13", - "4494": "Undefined Access (no effect) Bit 14", - "4495": "Undefined Access (no effect) Bit 15", - "4496": "Control profile", - "4497": "Undefined Access (no effect) Bit 1", - "4498": "Undefined Access (no effect) Bit 2", - "4499": "Undefined Access (no effect) Bit 3", - "4500": "Undefined Access (no effect) Bit 4", - "4501": "Undefined Access (no effect) Bit 5", - "4502": "Undefined Access (no effect) Bit 6", - "4503": "Undefined Access (no effect) Bit 7", - "4504": "Undefined Access (no effect) Bit 8", - "4505": "Undefined Access (no effect) Bit 9", - "4506": "Undefined Access (no effect) Bit 10", - "4507": "Undefined Access (no effect) Bit 11", 
- "4508": "Undefined Access (no effect) Bit 12", - "4509": "Undefined Access (no effect) Bit 13", - "4510": "Undefined Access (no effect) Bit 14", - "4511": "Undefined Access (no effect) Bit 15", - "4512": "Query section state", - "4513": "Map section for write", - "4514": "Map section for read", - "4515": "Map section for execute", - "4516": "Extend size", - "4517": "Undefined Access (no effect) Bit 5", - "4518": "Undefined Access (no effect) Bit 6", - "4519": "Undefined Access (no effect) Bit 7", - "4520": "Undefined Access (no effect) Bit 8", - "4521": "Undefined Access (no effect) Bit 9", - "4522": "Undefined Access (no effect) Bit 10", - "4523": "Undefined Access (no effect) Bit 11", - "4524": "Undefined Access (no effect) Bit 12", - "4525": "Undefined Access (no effect) Bit 13", - "4526": "Undefined Access (no effect) Bit 14", - "4527": "Undefined Access (no effect) Bit 15", - "4528": "Query semaphore state", - "4529": "Modify semaphore state", - "4530": "Undefined Access (no effect) Bit 2", - "4531": "Undefined Access (no effect) Bit 3", - "4532": "Undefined Access (no effect) Bit 4", - "4533": "Undefined Access (no effect) Bit 5", - "4534": "Undefined Access (no effect) Bit 6", - "4535": "Undefined Access (no effect) Bit 7", - "4536": "Undefined Access (no effect) Bit 8", - "4537": "Undefined Access (no effect) Bit 9", - "4538": "Undefined Access (no effect) Bit 10", - "4539": "Undefined Access (no effect) Bit 11", - "4540": "Undefined Access (no effect) Bit 12", - "4541": "Undefined Access (no effect) Bit 13", - "4542": "Undefined Access (no effect) Bit 14", - "4543": "Undefined Access (no effect) Bit 15", - "4544": "Use symbolic link", - "4545": "Undefined Access (no effect) Bit 1", - "4546": "Undefined Access (no effect) Bit 2", - "4547": "Undefined Access (no effect) Bit 3", - "4548": "Undefined Access (no effect) Bit 4", - "4549": "Undefined Access (no effect) Bit 5", - "4550": "Undefined Access (no effect) Bit 6", - "4551": "Undefined Access (no 
effect) Bit 7", - "4552": "Undefined Access (no effect) Bit 8", - "4553": "Undefined Access (no effect) Bit 9", - "4554": "Undefined Access (no effect) Bit 10", - "4555": "Undefined Access (no effect) Bit 11", - "4556": "Undefined Access (no effect) Bit 12", - "4557": "Undefined Access (no effect) Bit 13", - "4558": "Undefined Access (no effect) Bit 14", - "4559": "Undefined Access (no effect) Bit 15", - "4560": "Force thread termination", - "4561": "Suspend or resume thread", - "4562": "Send an alert to thread", - "4563": "Get thread context", - "4564": "Set thread context", - "4565": "Set thread information", - "4566": "Query thread information", - "4567": "Assign a token to the thread", - "4568": "Cause thread to directly impersonate another thread", - "4569": "Directly impersonate this thread", - "4570": "Undefined Access (no effect) Bit 10", - "4571": "Undefined Access (no effect) Bit 11", - "4572": "Undefined Access (no effect) Bit 12", - "4573": "Undefined Access (no effect) Bit 13", - "4574": "Undefined Access (no effect) Bit 14", - "4575": "Undefined Access (no effect) Bit 15", - "4576": "Query timer state", - "4577": "Modify timer state", - "4578": "Undefined Access (no effect) Bit 2", - "4579": "Undefined Access (no effect) Bit 3", - "4580": "Undefined Access (no effect) Bit 4", - "4581": "Undefined Access (no effect) Bit 5", - "4582": "Undefined Access (no effect) Bit 6", - "4584": "Undefined Access (no effect) Bit 8", - "4585": "Undefined Access (no effect) Bit 9", - "4586": "Undefined Access (no effect) Bit 10", - "4587": "Undefined Access (no effect) Bit 11", - "4588": "Undefined Access (no effect) Bit 12", - "4589": "Undefined Access (no effect) Bit 13", - "4590": "Undefined Access (no effect) Bit 14", - "4591": "Undefined Access (no effect) Bit 15", - "4592": "AssignAsPrimary", - "4593": "Duplicate", - "4594": "Impersonate", - "4595": "Query", - "4596": "QuerySource", - "4597": "AdjustPrivileges", - "4598": "AdjustGroups", - "4599": 
"AdjustDefaultDacl", - "4600": "AdjustSessionID", - "4601": "Undefined Access (no effect) Bit 9", - "4602": "Undefined Access (no effect) Bit 10", - "4603": "Undefined Access (no effect) Bit 11", - "4604": "Undefined Access (no effect) Bit 12", - "4605": "Undefined Access (no effect) Bit 13", - "4606": "Undefined Access (no effect) Bit 14", - "4607": "Undefined Access (no effect) Bit 15", - "4608": "Create instance of object type", - "4609": "Undefined Access (no effect) Bit 1", - "4610": "Undefined Access (no effect) Bit 2", - "4611": "Undefined Access (no effect) Bit 3", - "4612": "Undefined Access (no effect) Bit 4", - "4613": "Undefined Access (no effect) Bit 5", - "4614": "Undefined Access (no effect) Bit 6", - "4615": "Undefined Access (no effect) Bit 7", - "4616": "Undefined Access (no effect) Bit 8", - "4617": "Undefined Access (no effect) Bit 9", - "4618": "Undefined Access (no effect) Bit 10", - "4619": "Undefined Access (no effect) Bit 11", - "4620": "Undefined Access (no effect) Bit 12", - "4621": "Undefined Access (no effect) Bit 13", - "4622": "Undefined Access (no effect) Bit 14", - "4623": "Undefined Access (no effect) Bit 15", - "4864": "Query State", - "4865": "Modify State", - "5120": "Channel read message", - "5121": "Channel write message", - "5122": "Channel query information", - "5123": "Channel set information", - "5124": "Undefined Access (no effect) Bit 4", - "5125": "Undefined Access (no effect) Bit 5", - "5126": "Undefined Access (no effect) Bit 6", - "5127": "Undefined Access (no effect) Bit 7", - "5128": "Undefined Access (no effect) Bit 8", - "5129": "Undefined Access (no effect) Bit 9", - "5130": "Undefined Access (no effect) Bit 10", - "5131": "Undefined Access (no effect) Bit 11", - "5132": "Undefined Access (no effect) Bit 12", - "5133": "Undefined Access (no effect) Bit 13", - "5134": "Undefined Access (no effect) Bit 14", - "5135": "Undefined Access (no effect) Bit 15", - "5136": "Assign process", - "5137": "Set Attributes", - 
"5138": "Query Attributes", - "5139": "Terminate Job", - "5140": "Set Security Attributes", - "5141": "Undefined Access (no effect) Bit 5", - "5142": "Undefined Access (no effect) Bit 6", - "5143": "Undefined Access (no effect) Bit 7", - "5144": "Undefined Access (no effect) Bit 8", - "5145": "Undefined Access (no effect) Bit 9", - "5146": "Undefined Access (no effect) Bit 10", - "5147": "Undefined Access (no effect) Bit 11", - "5148": "Undefined Access (no effect) Bit 12", - "5149": "Undefined Access (no effect) Bit 13", - "5150": "Undefined Access (no effect) Bit 14", - "5151": "Undefined Access (no effect) Bit 15", - "5376": "ConnectToServer", - "5377": "ShutdownServer", - "5378": "InitializeServer", - "5379": "CreateDomain", - "5380": "EnumerateDomains", - "5381": "LookupDomain", - "5382": "Undefined Access (no effect) Bit 6", - "5383": "Undefined Access (no effect) Bit 7", - "5384": "Undefined Access (no effect) Bit 8", - "5385": "Undefined Access (no effect) Bit 9", - "5386": "Undefined Access (no effect) Bit 10", - "5387": "Undefined Access (no effect) Bit 11", - "5388": "Undefined Access (no effect) Bit 12", - "5389": "Undefined Access (no effect) Bit 13", - "5390": "Undefined Access (no effect) Bit 14", - "5391": "Undefined Access (no effect) Bit 15", - "5392": "ReadPasswordParameters", - "5393": "WritePasswordParameters", - "5394": "ReadOtherParameters", - "5395": "WriteOtherParameters", - "5396": "CreateUser", - "5397": "CreateGlobalGroup", - "5398": "CreateLocalGroup", - "5399": "GetLocalGroupMembership", - "5400": "ListAccounts", - "5401": "LookupIDs", - "5402": "AdministerServer", - "5403": "Undefined Access (no effect) Bit 11", - "5404": "Undefined Access (no effect) Bit 12", - "5405": "Undefined Access (no effect) Bit 13", - "5406": "Undefined Access (no effect) Bit 14", - "5407": "Undefined Access (no effect) Bit 15", - "5408": "ReadInformation", - "5409": "WriteAccount", - "5410": "AddMember", - "5411": "RemoveMember", - "5412": "ListMembers", - 
"5413": "Undefined Access (no effect) Bit 5", - "5414": "Undefined Access (no effect) Bit 6", - "5415": "Undefined Access (no effect) Bit 7", - "5416": "Undefined Access (no effect) Bit 8", - "5417": "Undefined Access (no effect) Bit 9", - "5418": "Undefined Access (no effect) Bit 10", - "5419": "Undefined Access (no effect) Bit 11", - "5420": "Undefined Access (no effect) Bit 12", - "5421": "Undefined Access (no effect) Bit 13", - "5422": "Undefined Access (no effect) Bit 14", - "5423": "Undefined Access (no effect) Bit 15", - "5424": "AddMember", - "5425": "RemoveMember", - "5426": "ListMembers", - "5427": "ReadInformation", - "5428": "WriteAccount", - "5429": "Undefined Access (no effect) Bit 5", - "5430": "Undefined Access (no effect) Bit 6", - "5431": "Undefined Access (no effect) Bit 7", - "5432": "Undefined Access (no effect) Bit 8", - "5433": "Undefined Access (no effect) Bit 9", - "5434": "Undefined Access (no effect) Bit 10", - "5435": "Undefined Access (no effect) Bit 11", - "5436": "Undefined Access (no effect) Bit 12", - "5437": "Undefined Access (no effect) Bit 13", - "5438": "Undefined Access (no effect) Bit 14", - "5439": "Undefined Access (no effect) Bit 15", - "5440": "ReadGeneralInformation", - "5441": "ReadPreferences", - "5442": "WritePreferences", - "5443": "ReadLogon", - "5444": "ReadAccount", - "5445": "WriteAccount", - "5446": "ChangePassword (with knowledge of old password)", - "5447": "SetPassword (without knowledge of old password)", - "5448": "ListGroups", - "5449": "ReadGroupMembership", - "5450": "ChangeGroupMembership", - "5451": "Undefined Access (no effect) Bit 11", - "5452": "Undefined Access (no effect) Bit 12", - "5453": "Undefined Access (no effect) Bit 13", - "5454": "Undefined Access (no effect) Bit 14", - "5455": "Undefined Access (no effect) Bit 15", - "5632": "View non-sensitive policy information", - "5633": "View system audit requirements", - "5634": "Get sensitive policy information", - "5635": "Modify domain trust 
relationships", - "5636": "Create special accounts (for assignment of user rights)", - "5637": "Create a secret object", - "5638": "Create a privilege", - "5639": "Set default quota limits", - "5640": "Change system audit requirements", - "5641": "Administer audit log attributes", - "5642": "Enable/Disable LSA", - "5643": "Lookup Names/SIDs", - "5648": "Change secret value", - "5649": "Query secret value", - "5650": "Undefined Access (no effect) Bit 2", - "5651": "Undefined Access (no effect) Bit 3", - "5652": "Undefined Access (no effect) Bit 4", - "5653": "Undefined Access (no effect) Bit 5", - "5654": "Undefined Access (no effect) Bit 6", - "5655": "Undefined Access (no effect) Bit 7", - "5656": "Undefined Access (no effect) Bit 8", - "5657": "Undefined Access (no effect) Bit 9", - "5658": "Undefined Access (no effect) Bit 10", - "5659": "Undefined Access (no effect) Bit 11", - "5660": "Undefined Access (no effect) Bit 12", - "5661": "Undefined Access (no effect) Bit 13", - "5662": "Undefined Access (no effect) Bit 14", - "5663": "Undefined Access (no effect) Bit 15", - "5664": "Query trusted domain name/SID", - "5665": "Retrieve the controllers in the trusted domain", - "5666": "Change the controllers in the trusted domain", - "5667": "Query the Posix ID offset assigned to the trusted domain", - "5668": "Change the Posix ID offset assigned to the trusted domain", - "5669": "Undefined Access (no effect) Bit 5", - "5670": "Undefined Access (no effect) Bit 6", - "5671": "Undefined Access (no effect) Bit 7", - "5672": "Undefined Access (no effect) Bit 8", - "5673": "Undefined Access (no effect) Bit 9", - "5674": "Undefined Access (no effect) Bit 10", - "5675": "Undefined Access (no effect) Bit 11", - "5676": "Undefined Access (no effect) Bit 12", - "5677": "Undefined Access (no effect) Bit 13", - "5678": "Undefined Access (no effect) Bit 14", - "5679": "Undefined Access (no effect) Bit 15", - "5680": "Query account information", - "5681": "Change privileges 
assigned to account", - "5682": "Change quotas assigned to account", - "5683": "Change logon capabilities assigned to account", - "5684": "Change the Posix ID offset assigned to the accounted domain", - "5685": "Undefined Access (no effect) Bit 5", - "5686": "Undefined Access (no effect) Bit 6", - "5687": "Undefined Access (no effect) Bit 7", - "5688": "Undefined Access (no effect) Bit 8", - "5689": "Undefined Access (no effect) Bit 9", - "5690": "Undefined Access (no effect) Bit 10", - "5691": "Undefined Access (no effect) Bit 11", - "5692": "Undefined Access (no effect) Bit 12", - "5693": "Undefined Access (no effect) Bit 13", - "5694": "Undefined Access (no effect) Bit 14", - "5695": "Undefined Access (no effect) Bit 15", - "5696": "KeyedEvent Wait", - "5697": "KeyedEvent Wake", - "5698": "Undefined Access (no effect) Bit 2", - "5699": "Undefined Access (no effect) Bit 3", - "5700": "Undefined Access (no effect) Bit 4", - "5701": "Undefined Access (no effect) Bit 5", - "5702": "Undefined Access (no effect) Bit 6", - "5703": "Undefined Access (no effect) Bit 7", - "5704": "Undefined Access (no effect) Bit 8", - "5705": "Undefined Access (no effect) Bit 9", - "5706": "Undefined Access (no effect) Bit 10", - "5707": "Undefined Access (no effect) Bit 11", - "5708": "Undefined Access (no effect) Bit 12", - "5709": "Undefined Access (no effect) Bit 13", - "5710": "Undefined Access (no effect) Bit 14", - "5711": "Undefined Access (no effect) Bit 15", - "6656": "Enumerate desktops", - "6657": "Read attributes", - "6658": "Access Clipboard", - "6659": "Create desktop", - "6660": "Write attributes", - "6661": "Access global atoms", - "6662": "Exit windows", - "6663": "Unused Access Flag", - "6664": "Include this windowstation in enumerations", - "6665": "Read screen", - "6672": "Read Objects", - "6673": "Create window", - "6674": "Create menu", - "6675": "Hook control", - "6676": "Journal (record)", - "6677": "Journal (playback)", - "6678": "Include this desktop in 
enumerations", - "6679": "Write objects", - "6680": "Switch to this desktop", - "6912": "Administer print server", - "6913": "Enumerate printers", - "6930": "Full Control", - "6931": "Print", - "6948": "Administer Document", - "7168": "Connect to service controller", - "7169": "Create a new service", - "7170": "Enumerate services", - "7171": "Lock service database for exclusive access", - "7172": "Query service database lock state", - "7173": "Set last-known-good state of service database", - "7184": "Query service configuration information", - "7185": "Set service configuration information", - "7186": "Query status of service", - "7187": "Enumerate dependencies of service", - "7188": "Start the service", - "7189": "Stop the service", - "7190": "Pause or continue the service", - "7191": "Query information from service", - "7192": "Issue service-specific control commands", - "7424": "DDE Share Read", - "7425": "DDE Share Write", - "7426": "DDE Share Initiate Static", - "7427": "DDE Share Initiate Link", - "7428": "DDE Share Request", - "7429": "DDE Share Advise", - "7430": "DDE Share Poke", - "7431": "DDE Share Execute", - "7432": "DDE Share Add Items", - "7433": "DDE Share List Items", - "7680": "Create Child", - "7681": "Delete Child", - "7682": "List Contents", - "7683": "Write Self", - "7684": "Read Property", - "7685": "Write Property", - "7686": "Delete Tree", - "7687": "List Object", - "7688": "Control Access", - "7689": "Undefined Access (no effect) Bit 9", - "7690": "Undefined Access (no effect) Bit 10", - "7691": "Undefined Access (no effect) Bit 11", - "7692": "Undefined Access (no effect) Bit 12", - "7693": "Undefined Access (no effect) Bit 13", - "7694": "Undefined Access (no effect) Bit 14", - "7695": "Undefined Access (no effect) Bit 15", - "7936": "Audit Set System Policy", - "7937": "Audit Query System Policy", - "7938": "Audit Set Per User Policy", - "7939": "Audit Query Per User Policy", - "7940": "Audit Enumerate Users", - "7941": "Audit Set 
Options", - "7942": "Audit Query Options", - "8064": "Port sharing (read)", - "8065": "Port sharing (write)", - "8096": "Default credentials", - "8097": "Credentials manager", - "8098": "Fresh credentials", - "8192": "Kerberos", - "8193": "Preshared key", - "8194": "Unknown authentication", - "8195": "DES", - "8196": "3DES", - "8197": "MD5", - "8198": "SHA1", - "8199": "Local computer", - "8200": "Remote computer", - "8201": "No state", - "8202": "Sent first (SA) payload", - "8203": "Sent second (KE) payload", - "8204": "Sent third (ID) payload", - "8205": "Initiator", - "8206": "Responder", - "8207": "No state", - "8208": "Sent first (SA) payload", - "8209": "Sent final payload", - "8210": "Complete", - "8211": "Unknown", - "8212": "Transport", - "8213": "Tunnel", - "8214": "IKE/AuthIP DoS prevention mode started", - "8215": "IKE/AuthIP DoS prevention mode stopped", - "8216": "Enabled", - "8217": "Not enabled", - "8218": "No state", - "8219": "Sent first (EM attributes) payload", - "8220": "Sent second (SSPI) payload", - "8221": "Sent third (hash) payload", - "8222": "IKEv1", - "8223": "AuthIP", - "8224": "Anonymous", - "8225": "NTLM V2", - "8226": "CGA", - "8227": "Certificate", - "8228": "SSL", - "8229": "None", - "8230": "DH group 1", - "8231": "DH group 2", - "8232": "DH group 14", - "8233": "DH group ECP 256", - "8234": "DH group ECP 384", - "8235": "AES-128", - "8236": "AES-192", - "8237": "AES-256", - "8238": "Certificate ECDSA P256", - "8239": "Certificate ECDSA P384", - "8240": "SSL ECDSA P256", - "8241": "SSL ECDSA P384", - "8242": "SHA 256", - "8243": "SHA 384", - "8244": "IKEv2", - "8245": "EAP payload sent", - "8246": "Authentication payload sent", - "8247": "EAP", - "8248": "DH group 24", - "8272": "System", - "8273": "Logon/Logoff", - "8274": "Object Access", - "8275": "Privilege Use", - "8276": "Detailed Tracking", - "8277": "Policy Change", - "8278": "Account Management", - "8279": "DS Access", - "8280": "Account Logon", - "8448": "Success 
removed", - "8449": "Success Added", - "8450": "Failure removed", - "8451": "Failure Added", - "8452": "Success include removed", - "8453": "Success include added", - "8454": "Success exclude removed", - "8455": "Success exclude added", - "8456": "Failure include removed", - "8457": "Failure include added", - "8458": "Failure exclude removed", - "8459": "Failure exclude added", - "12288": "Security State Change", - "12289": "Security System Extension", - "12290": "System Integrity", - "12291": "IPsec Driver", - "12292": "Other System Events", - "12544": "Logon", - "12545": "Logoff", - "12546": "Account Lockout", - "12547": "IPsec Main Mode", - "12548": "Special Logon", - "12549": "IPsec Quick Mode", - "12550": "IPsec Extended Mode", - "12551": "Other Logon/Logoff Events", - "12552": "Network Policy Server", - "12553": "User / Device Claims", - "12554": "Group Membership", - "12800": "File System", - "12801": "Registry", - "12802": "Kernel Object", - "12803": "SAM", - "12804": "Other Object Access Events", - "12805": "Certification Services", - "12806": "Application Generated", - "12807": "Handle Manipulation", - "12808": "File Share", - "12809": "Filtering Platform Packet Drop", - "12810": "Filtering Platform Connection", - "12811": "Detailed File Share", - "12812": "Removable Storage", - "12813": "Central Policy Staging", - "13056": "Sensitive Privilege Use", - "13057": "Non Sensitive Privilege Use", - "13058": "Other Privilege Use Events", - "13312": "Process Creation", - "13313": "Process Termination", - "13314": "DPAPI Activity", - "13315": "RPC Events", - "13316": "Plug and Play Events", - "13317": "Token Right Adjusted Events", - "13568": "Audit Policy Change", - "13569": "Authentication Policy Change", - "13570": "Authorization Policy Change", - "13571": "MPSSVC Rule-Level Policy Change", - "13572": "Filtering Platform Policy Change", - "13573": "Other Policy Change Events", - "13824": "User Account Management", - "13825": "Computer Account Management", - 
"13826": "Security Group Management", - "13827": "Distribution Group Management", - "13828": "Application Group Management", - "13829": "Other Account Management Events", - "14080": "Directory Service Access", - "14081": "Directory Service Changes", - "14082": "Directory Service Replication", - "14083": "Detailed Directory Service Replication", - "14336": "Credential Validation", - "14337": "Kerberos Service Ticket Operations", - "14338": "Other Account Logon Events", - "14339": "Kerberos Authentication Service", - "14592": "Inbound", - "14593": "Outbound", - "14594": "Forward", - "14595": "Bidirectional", - "14596": "IP Packet", - "14597": "Transport", - "14598": "Forward", - "14599": "Stream", - "14600": "Datagram Data", - "14601": "ICMP Error", - "14602": "MAC 802.3", - "14603": "MAC Native", - "14604": "vSwitch", - "14608": "Resource Assignment", - "14609": "Listen", - "14610": "Receive/Accept", - "14611": "Connect", - "14612": "Flow Established", - "14614": "Resource Release", - "14615": "Endpoint Closure", - "14616": "Connect Redirect", - "14617": "Bind Redirect", - "14624": "Stream Packet", - "14640": "ICMP Echo-Request", - "14641": "vSwitch Ingress", - "14642": "vSwitch Egress", - "14672": "", - "14673": "[NULL]", - "14674": "Value Added", - "14675": "Value Deleted", - "14676": "Active Directory Domain Services", - "14677": "Active Directory Lightweight Directory Services", - "14678": "Yes", - "14679": "No", - "14680": "Value Added With Expiration Time", - "14681": "Value Deleted With Expiration Time", - "14688": "Value Auto Deleted With Expiration Time", - "16384": "Add", - "16385": "Delete", - "16386": "Boot-time", - "16387": "Persistent", - "16388": "Not persistent", - "16389": "Block", - "16390": "Permit", - "16391": "Callout", - "16392": "MD5", - "16393": "SHA-1", - "16394": "SHA-256", - "16395": "AES-GCM 128", - "16396": "AES-GCM 192", - "16397": "AES-GCM 256", - "16398": "DES", - "16399": "3DES", - "16400": "AES-128", - "16401": "AES-192", - "16402": 
"AES-256", - "16403": "Transport", - "16404": "Tunnel", - "16405": "Responder", - "16406": "Initiator", - "16407": "AES-GMAC 128", - "16408": "AES-GMAC 192", - "16409": "AES-GMAC 256", - "16416": "AuthNoEncap Transport", - "16896": "Enable WMI Account", - "16897": "Execute Method", - "16898": "Full Write", - "16899": "Partial Write", - "16900": "Provider Write", - "16901": "Remote Access", - "16902": "Subscribe", - "16903": "Publish", - }; - // Trust Types - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706 - var trustTypes = { - "1": "TRUST_TYPE_DOWNLEVEL", - "2": "TRUST_TYPE_UPLEVEL", - "3": "TRUST_TYPE_MIT", - "4": "TRUST_TYPE_DCE" - } - // Trust Direction - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706 - var trustDirection = { - "0": "TRUST_DIRECTION_DISABLED", - "1": "TRUST_DIRECTION_INBOUND", - "2": "TRUST_DIRECTION_OUTBOUND", - "3": "TRUST_DIRECTION_BIDIRECTIONAL" - } - // Trust Attributes - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706 - var trustAttributes = { - "0": "UNDEFINED", - "1": "TRUST_ATTRIBUTE_NON_TRANSITIVE", - "2": "TRUST_ATTRIBUTE_UPLEVEL_ONLY", - "4": "TRUST_ATTRIBUTE_QUARANTINED_DOMAIN", - "8": "TRUST_ATTRIBUTE_FOREST_TRANSITIVE", - "16": "TRUST_ATTRIBUTE_CROSS_ORGANIZATION", - "32": "TRUST_ATTRIBUTE_WITHIN_FOREST", - "64": "TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL", - "128": "TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION", - "512": "TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION", - "1024": "TRUST_ATTRIBUTE_PIM_TRUST" - } - // SDDL Ace Types - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4715 - // https://docs.microsoft.com/en-us/windows/win32/secauthz/ace-strings - // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/f4296d69-1c0f-491f-9587-a960b292d070 - var aceTypes = { - "A": "Access Allowed", - "D": "Access Denied", - "OA": "Object Access Allowed", - "OD": 
"Object Access Denied", - "AU": "System Audit", - "AL": "System Alarm", - "OU": "System Object Audit", - "OL": "System Object Alarm", - "ML": "System Mandatory Label", - "SP": "Central Policy ID" - } - // SDDL Permissions - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4715 - // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/f4296d69-1c0f-491f-9587-a960b292d070 - var permissionDescription = { - "GA": "Generic All", - "GR": "Generic Read", - "GW": "Generic Write", - "GX": "Generic Execute", - "RC": "Read Permissions", - "SD": "Delete", - "WD": "Modify Permissions", - "WO": "Modify Owner", - "RP": "Read All Properties", - "WP": "Write All Properties", - "CC": "Create All Child Objects", - "DC": "Delete All Child Objects", - "LC": "List Contents", - "SW": "All Validated", - "LO": "List Object", - "DT": "Delete Subtree", - "CR": "All Extended Rights", - "FA": "File All Access", - "FR": "File Generic Read", - "FX": "FILE GENERIC EXECUTE", - "FW": "FILE GENERIC WRITE", - "KA": "KEY ALL ACCESS", - "KR": "KEY READ", - "KW": "KEY WRITE", - "KX": "KEY EXECUTE" - } - // Known SIDs - // https://support.microsoft.com/en-au/help/243330/well-known-security-identifier"S-in-window"S-operating-systems - // https://docs.microsoft.com/en-us/windows/win32/secauthz/sid-strings - var accountSIDDescription = { - "AO": "Account operators", - "RU": "Alias to allow previous Windows 2000", - "AN": "Anonymous logon", - "AU": "Authenticated users", - "BA": "Built-in administrators", - "BG": "Built-in guests", - "BO": "Backup operators", - "BU": "Built-in users", - "CA": "Certificate server administrators", - "CG": "Creator group", - "CO": "Creator owner", - "DA": "Domain administrators", - "DC": "Domain computers", - "DD": "Domain controllers", - "DG": "Domain guests", - "DU": "Domain users", - "EA": "Enterprise administrators", - "ED": "Enterprise domain controllers", - "WD": "Everyone", - "PA": "Group Policy administrators", - 
"IU": "Interactively logged-on user", - "LA": "Local administrator", - "LG": "Local guest", - "LS": "Local service account", - "SY": "Local system", - "NU": "Network logon user", - "NO": "Network configuration operators", - "NS": "Network service account", - "PO": "Printer operators", - "PS": "Personal self", - "PU": "Power users", - "RS": "RAS servers group", - "RD": "Terminal server users", - "RE": "Replicator", - "RC": "Restricted code", - "SA": "Schema administrators", - "SO": "Server operators", - "SU": "Service logon user", - "S-1-0": "Null Authority", - "S-1-0-0": "Nobody", - "S-1-1": "World Authority", - "S-1-1-0": "Everyone", - "S-1-16-0": "Untrusted Mandatory Level", - "S-1-16-12288": "High Mandatory Level", - "S-1-16-16384": "System Mandatory Level", - "S-1-16-20480": "Protected Process Mandatory Level", - "S-1-16-28672": "Secure Process Mandatory Level", - "S-1-16-4096": "Low Mandatory Level", - "S-1-16-8192": "Medium Mandatory Level", - "S-1-16-8448": "Medium Plus Mandatory Level", - "S-1-2": "Local Authority", - "S-1-2-0": "Local", - "S-1-2-1": "Console Logon", - "S-1-3": "Creator Authority", - "S-1-3-0": "Creator Owner", - "S-1-3-1": "Creator Group", - "S-1-3-2": "Creator Owner Server", - "S-1-3-3": "Creator Group Server", - "S-1-3-4": "Owner Rights", - "S-1-4": "Non-unique Authority", - "S-1-5": "NT Authority", - "S-1-5-1": "Dialup", - "S-1-5-10": "Principal Self", - "S-1-5-11": "Authenticated Users", - "S-1-5-12": "Restricted Code", - "S-1-5-13": "Terminal Server Users", - "S-1-5-14": "Remote Interactive Logon", - "S-1-5-15": "This Organization", - "S-1-5-17": "This Organization", - "S-1-5-18": "Local System", - "S-1-5-19": "NT Authority", - "S-1-5-2": "Network", - "S-1-5-20": "NT Authority", - "S-1-5-3": "Batch", - "S-1-5-32-544": "Administrators", - "S-1-5-32-545": "Users", - "S-1-5-32-546": "Guests", - "S-1-5-32-547": "Power Users", - "S-1-5-32-548": "Account Operators", - "S-1-5-32-549": "Server Operators", - "S-1-5-32-550": "Print Operators", 
- "S-1-5-32-551": "Backup Operators", - "S-1-5-32-552": "Replicators", - "S-1-5-32-554": "Builtin\Pre-Windows 2000 Compatible Access", - "S-1-5-32-555": "Builtin\Remote Desktop Users", - "S-1-5-32-556": "Builtin\Network Configuration Operators", - "S-1-5-32-557": "Builtin\Incoming Forest Trust Builders", - "S-1-5-32-558": "Builtin\Performance Monitor Users", - "S-1-5-32-559": "Builtin\Performance Log Users", - "S-1-5-32-560": "Builtin\Windows Authorization Access Group", - "S-1-5-32-561": "Builtin\Terminal Server License Servers", - "S-1-5-32-562": "Builtin\Distributed COM Users", - "S-1-5-32-569": "Builtin\Cryptographic Operators", - "S-1-5-32-573": "Builtin\Event Log Readers", - "S-1-5-32-574": "Builtin\Certificate Service DCOM Access", - "S-1-5-32-575": "Builtin\RDS Remote Access Servers", - "S-1-5-32-576": "Builtin\RDS Endpoint Servers", - "S-1-5-32-577": "Builtin\RDS Management Servers", - "S-1-5-32-578": "Builtin\Hyper-V Administrators", - "S-1-5-32-579": "Builtin\Access Control Assistance Operators", - "S-1-5-32-580": "Builtin\Remote Management Users", - "S-1-5-32-582": "Storage Replica Administrators", - "S-1-5-4": "Interactive", - "S-1-5-5-X-Y": "Logon Session", - "S-1-5-6": "Service", - "S-1-5-64-10": "NTLM Authentication", - "S-1-5-64-14": "SChannel Authentication", - "S-1-5-64-21": "Digest Authentication", - "S-1-5-7": "Anonymous", - "S-1-5-8": "Proxy", - "S-1-5-80": "NT Service", - "S-1-5-80-0": "All Services", - "S-1-5-83-0": "NT Virtual Machine\Virtual Machines", - "S-1-5-9": "Enterprise Domain Controllers", - "S-1-5-90-0": "Windows Manager\Windows Manager Group" - } - // Domain-specific SIDs - // https://support.microsoft.com/en-au/help/243330/well-known-security-identifiers-in-windows-operating-systems - var domainSpecificSID = { - "498": "Enterprise Read-only Domain Controllers", - "500": "Administrator", - "501": "Guest", - "502": "KRBTGT", - "512": "Domain Admins", - "513": "Domain Users", - "514": "Domain Guests", - "515": "Domain Computers", - 
"516": "Domain Controllers", - "517": "Cert Publishers", - "518": "Schema Admins", - "519": "Enterprise Admins", - "520": "Group Policy Creator Owners", - "521": "Read-only Domain Controllers", - "522": "Cloneable Domain Controllers", - "526": "Key Admins", - "527": "Enterprise Key Admins", - "553": "RAS and IAS Servers", - "571": "Allowed RODC Password Replication Group", - "572": "Denied RODC Password Replication Group" - } - // Object Permission Flags - // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/7a53f60e-e730-4dfe-bbe9-b21b62eb790b - var permsFlags = [ - [0x80000000, 'Generic Read'], - [0x4000000, 'Generic Write'], - [0x20000000, 'Generic Execute'], - [0x10000000, 'Generic All'], - [0x02000000, 'Maximun Allowed'], - [0x01000000, 'Access System Security'], - [0x00100000, 'Syncronize'], - [0x00080000, 'Write Owner'], - [0x00040000, 'Write DACL'], - [0x00020000, 'Read Control'], - [0x00010000, 'Delete'] - ]; - // lookupMessageCode returns the string associated with the code. key should - // be the name of the field in evt containing the code (e.g. %%2313). 
- var lookupMessageCode = function (evt, key) { - var code = evt.Get(key); - if (!code) { - return; - } - code = code.replace("%%", ""); - return msobjsMessageTable[code]; - }; - var addEventFields = function(evt){ - var code = evt.Get("event.code"); - if (!code) { - return; - } - var eventActionDescription = eventActionTypes[code][2]; - if (eventActionDescription) { - evt.AppendTo("event.category", eventActionTypes[code][0]); - evt.AppendTo("event.type", eventActionTypes[code][1]); - evt.Put("event.action", eventActionTypes[code][2]); - } - }; - var addLogonType = function(evt) { - var code = evt.Get("winlog.event_data.LogonType"); - if (!code) { - return; - } - var descriptiveLogonType = logonTypes[code]; - if (descriptiveLogonType === undefined) { - return; - } - evt.Put("winlog.logon.type", descriptiveLogonType); - }; - var addFailureCode = function(evt) { - var msg = lookupMessageCode(evt, "winlog.event_data.FailureReason"); - if (!msg) { - return; - } - evt.Put("winlog.logon.failure.reason", msg); - }; - var addFailureStatus = function(evt) { - var code = evt.Get("winlog.event_data.Status"); - if (!code) { - return; - } - var descriptiveFailureStatus = logonFailureStatus[code]; - if (descriptiveFailureStatus === undefined) { - return; - } - evt.Put("winlog.logon.failure.status", descriptiveFailureStatus); - }; - var addFailureSubStatus = function(evt) { - var code = evt.Get("winlog.event_data.SubStatus"); - if (!code) { - return; - } - var descriptiveFailureStatus = logonFailureStatus[code]; - if (descriptiveFailureStatus === undefined) { - return; - } - evt.Put("winlog.logon.failure.sub_status", descriptiveFailureStatus); - }; - var addUACDescription = function(evt) { - var code = evt.Get("winlog.event_data.NewUacValue"); - if (!code) { - return; - } - var uacCode = parseInt(code); - var uacResult = []; - for (var i = 0; i < uacFlags.length; i++) { - if ((uacCode | uacFlags[i][0]) === uacCode) { - uacResult.push(uacFlags[i][1]); - } - } - if (uacResult) { - 
evt.Put("winlog.event_data.NewUACList", uacResult); - } - var uacList = evt.Get("winlog.event_data.UserAccountControl").replace(/\s/g, '').split("%%").filter(String); - if (!uacList) { - return; - } - evt.Put("winlog.event_data.UserAccountControl", uacList); - }; - var addAuditInfo = function(evt) { - var subcategoryGuid = evt.Get("winlog.event_data.SubcategoryGuid").replace("{", '').replace("}", '').toUpperCase(); - if (!subcategoryGuid) { - return; - } - if (!auditDescription[subcategoryGuid]) { - return; - } - evt.Put("winlog.event_data.Category", auditDescription[subcategoryGuid][1]); - evt.Put("winlog.event_data.SubCategory", auditDescription[subcategoryGuid][0]); - var codedActions = evt.Get("winlog.event_data.AuditPolicyChanges").split(","); - var actionResults = []; - for (var j = 0; j < codedActions.length; j++) { - var actionCode = codedActions[j].replace("%%", '').replace(' ', ''); - actionResults.push(msobjsMessageTable[actionCode]); - } - evt.Put("winlog.event_data.AuditPolicyChangesDescription", actionResults); - }; - var addTicketOptionsDescription = function(evt) { - var code = evt.Get("winlog.event_data.TicketOptions"); - if (!code) { - return; - } - var tktCode = parseInt(code, 16).toString(2); - var tktResult = []; - var tktCodeLen = tktCode.length; - for (var i = tktCodeLen; i >= 0; i--) { - if (tktCode[i] == 1) { - tktResult.push(ticketOptions[(32-tktCodeLen)+i]); - } - } - if (tktResult) { - evt.Put("winlog.event_data.TicketOptionsDescription", tktResult); - } - }; - var addTicketEncryptionType = function(evt) { - var code = evt.Get("winlog.event_data.TicketEncryptionType"); - if (!code) { - return; - } - var encTypeCode = code.toLowerCase(); - evt.Put("winlog.event_data.TicketEncryptionTypeDescription", ticketEncryptionTypes[encTypeCode]); - }; - var addTicketStatus = function(evt) { - var code = evt.Get("winlog.event_data.Status"); - if (!code) { - return; - } - evt.Put("winlog.event_data.StatusDescription", kerberosTktStatusCodes[code]); - 
}; - var translateSID = function(sid){ - var translatedSID = accountSIDDescription[sid]; - if (translatedSID == undefined) { - if (/^S\-1\-5\-21/.test(sid)) { - var uid = sid.match(/[0-9]{1,5}$/g); - if (uid) { - translatedSID = domainSpecificSID[uid]; - } - } - } - if (translatedSID == undefined) { - translatedSID = sid; - } - return translatedSID; - } - var translatePermissionMask = function(mask) { - if (!mask) { - return; - } - var permCode = parseInt(mask); - var permResult = []; - for (var i = 0; i < permsFlags.length; i++) { - if ((permCode | permsFlags[i][0]) === permCode) { - permResult.push(permsFlags[i][1]); - } - } - if (permResult) { - return permResult; - } else { - return mask; - } - }; - var translateACL = function(dacl) { - var aceArray = dacl.split(";"); - var aceResult = []; - var aceType = aceArray[0]; - var acePerm = aceArray[2]; - var aceTrustedSid = aceArray[5]; - if (aceTrustedSid) { - aceResult['grantee'] = translateSID(aceTrustedSid); - } - if (aceType) { - aceResult['type'] = aceTypes[aceType]; - } - if (acePerm) { - if (/^0x/.test(acePerm)) { - var perms = translatePermissionMask(acePerm); - } - else { - var perms = [] - var permPairs = acePerm.match(/.{1,2}/g); - for ( var i = 0; i < permPairs.length; i ++) { - perms.push(permissionDescription[permPairs[i]]) - } - } - aceResult['perms'] = perms; - } - return aceResult; - }; - var enrichSDDL = function(evt, sddl) { - var sddlStr = evt.Get(sddl); - if (!sddlStr) { - return; - } - var sdOwner = sddlStr.match(/^O\:[A-Z]{2}/g); - var sdGroup = sddlStr.match(/^G\:[A-Z]{2}/g); - var sdDacl = sddlStr.match(/(D:([A-Z]*(\(.*\))*))/g); - var sdSacl = sddlStr.match(/(S:([A-Z]*(\(.*\))*))?$/g); - if (sdOwner) { - evt.Put(sddl+"Owner", translateSID(sdOwner)); - } - if (sdGroup) { - evt.Put(sddl+"Group", translateSID(sdGroup)); - } - if (sdDacl) { - // Split each entry of the DACL - var daclList = (sdDacl[0]).match(/\([^*\)]*\)/g); - if (daclList) { - for (var i = 0; i < daclList.length; i++) { - var 
newDacl = translateACL(daclList[i].replace("(", '').replace(")", '')); - evt.Put(sddl+"Dacl"+i, newDacl['grantee']+" :"+newDacl['type']+" ("+newDacl['perms']+")"); - if ( newDacl['grantee'] === "Administrator" || newDacl['grantee'] === "Guest" || newDacl['grantee'] === "KRBTGT" ) { - evt.AppendTo('related.user', newDacl['grantee']); - } - } - } - } - if (sdSacl) { - // Split each entry of the SACL - var saclList = (sdSacl[0]).match(/\([^*\)]*\)/g); - if (saclList) { - for (var i = 0; i < saclList.length; i++) { - var newSacl = translateACL(saclList[i].replace("(", '').replace(")", '')); - evt.Put(sddl+"Sacl"+i, newSacl['grantee']+" :"+newSacl['type']+" ("+newSacl['perms']+")"); - if ( newSacl['grantee'] === "Administrator" || newSacl['grantee'] === "Guest" || newSacl['grantee'] === "KRBTGT" ) { - evt.AppendTo('related.user', newSacl['grantee']); - } - } - } - } - }; - - var addSessionData = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.AccountName", to: "user.name"}, - {from: "winlog.event_data.AccountDomain", to: "user.domain"}, - {from: "winlog.event_data.ClientAddress", to: "source.ip", type: "ip"}, - {from: "winlog.event_data.ClientAddress", to: "related.ip", type: "ip"}, - {from: "winlog.event_data.ClientName", to: "source.domain"}, - {from: "winlog.event_data.LogonID", to: "winlog.logon.id"}, - ], - ignore_missing: true, - fail_on_error: false, - }) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.AccountName"); - evt.AppendTo('related.user', user); - }) - .Build(); - var addServiceFields = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.ServiceName", to: "service.name"}, - ], - ignore_missing: true, - }) - .Add(function(evt) { - var code = evt.Get("winlog.event_data.ServiceType"); - if (!code) { - return; - } - evt.Put("service.type", serviceTypes[code]); - }) - .Build(); - var addTrustInformation = new processor.Chain() - .Add(function(evt) { - var code = 
evt.Get("winlog.event_data.TdoType"); - if (!code) { - return; - } - evt.Put("winlog.trustType", trustTypes[code]); - code = evt.Get("winlog.event_data.TdoDirection"); - if (!code) { - return; - } - evt.Put("winlog.trustDirection", trustDirection[code]); - code = evt.Get("winlog.event_data.TdoAttributes"); - if (!code) { - return; - } - evt.Put("winlog.trustAttribute", trustAttributes[code]); - - }) - .Build(); - - var copyTargetUser = function(evt) { - var targetUserId = evt.Get("winlog.event_data.TargetUserSid"); - if (targetUserId) { - if (evt.Get("user.id")) evt.Put("user.target.id", targetUserId); - else evt.Put("user.id", targetUserId); - } - - var targetUserName = evt.Get("winlog.event_data.TargetUserName"); - if (targetUserName) { - if (/.@*/.test(targetUserName)) { - targetUserName = targetUserName.split('@')[0]; - } - - evt.AppendTo("related.user", targetUserName); - if (evt.Get("user.name")) evt.Put("user.target.name", targetUserName); - else evt.Put("user.name", targetUserName); - } - - var targetUserDomain = evt.Get("winlog.event_data.TargetDomainName"); - if (targetUserDomain) { - if (evt.Get("user.domain")) evt.Put("user.target.domain", targetUserDomain); - else evt.Put("user.domain", targetUserDomain); - } - } - - var copyMemberToUser = function(evt) { - var member = evt.Get("winlog.event_data.MemberName"); - if (!member) { - return; - } - - var userName = member.split(',')[0].replace('CN=', '').replace('cn=', ''); - - evt.AppendTo("related.user", userName); - evt.Put("user.target.name", userName); - } - - var copyTargetUserToGroup = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.TargetUserSid", to: "group.id"}, - {from: "winlog.event_data.TargetSid", to: "group.id"}, - {from: "winlog.event_data.TargetUserName", to: "group.name"}, - {from: "winlog.event_data.TargetDomainName", to: "group.domain"}, - ], - ignore_missing: true, - }).Add(function(evt) { - if (!evt.Get("user.target")) return; - evt.Put("user.target.group.id", 
evt.Get("group.id")); - evt.Put("user.target.group.name", evt.Get("group.name")); - evt.Put("user.target.group.domain", evt.Get("group.domain")); - }) - .Build(); - var copyTargetUserToComputerObject = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.TargetSid", to: "winlog.computerObject.id"}, - {from: "winlog.event_data.TargetUserName", to: "winlog.computerObject.name"}, - {from: "winlog.event_data.TargetDomainName", to: "winlog.computerObject.domain"}, - ], - ignore_missing: true, - }) - .Build(); - var copyTargetUserLogonId = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.TargetLogonId", to: "winlog.logon.id"}, - ], - ignore_missing: true, - }) - .Build(); - var copySubjectUser = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.SubjectUserSid", to: "user.id"}, - {from: "winlog.event_data.SubjectUserName", to: "user.name"}, - {from: "winlog.event_data.SubjectDomainName", to: "user.domain"}, - ], - ignore_missing: true, - }) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.SubjectUserName"); - evt.AppendTo('related.user', user); - }) - .Build(); - var copySubjectUserFromUserData = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.user_data.SubjectUserSid", to: "user.id"}, - {from: "winlog.user_data.SubjectUserName", to: "user.name"}, - {from: "winlog.user_data.SubjectDomainName", to: "user.domain"}, - ], - ignore_missing: true, - }) - .Add(function(evt) { - var user = evt.Get("winlog.user_data.SubjectUserName"); - evt.AppendTo('related.user', user); - }) - .Build(); - var copySubjectUserLogonId = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.SubjectLogonId", to: "winlog.logon.id"}, - ], - ignore_missing: true, - }) - .Build(); - var copySubjectUserLogonIdFromUserData = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.user_data.SubjectLogonId", to: "winlog.logon.id"}, - ], - ignore_missing: true, - }) - .Build(); - 
var renameCommonAuthFields = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"}, - {from: "winlog.event_data.ProcessName", to: "process.executable"}, - {from: "winlog.event_data.IpAddress", to: "source.ip", type: "ip"}, - {from: "winlog.event_data.ClientAddress", to: "related.ip", type: "ip"}, - {from: "winlog.event_data.IpPort", to: "source.port", type: "long"}, - {from: "winlog.event_data.WorkstationName", to: "source.domain"}, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(function(evt) { - var name = evt.Get("process.name"); - if (name) { - return; - } - var exe = evt.Get("process.executable"); - if (!exe) { - return; - } - evt.Put("process.name", path.basename(exe)); - }) - .Build(); - var renameNewProcessFields = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.NewProcessId", to: "process.pid", type: "long"}, - {from: "winlog.event_data.NewProcessName", to: "process.executable"}, - {from: "winlog.event_data.ParentProcessName", to: "process.parent.executable"} - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(function(evt) { - var name = evt.Get("process.name"); - if (name) { - return; - } - var exe = evt.Get("process.executable"); - if (!exe) { - return; - } - evt.Put("process.name", path.basename(exe)); - }) - .Add(function(evt) { - var name = evt.Get("process.parent.name"); - if (name) { - return; - } - var exe = evt.Get("process.parent.executable"); - if (!exe) { - return; - } - evt.Put("process.parent.name", path.basename(exe)); - }) - .Add(function(evt) { - var cl = evt.Get("winlog.event_data.CommandLine"); - if (!cl) { - return; - } - evt.Put("process.args", windows.splitCommandLine(cl)); - evt.Put("process.command_line", cl); - }) - .Build(); - // Handles 4634 and 4647. 
- var logoff = new processor.Chain() - .Add(copyTargetUser) - .Add(copyTargetUserLogonId) - .Add(addLogonType) - .Add(addEventFields) - .Build(); - // Handles both 4624 - var logonSuccess = new processor.Chain() - .Add(copyTargetUser) - .Add(copyTargetUserLogonId) - .Add(addLogonType) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.SubjectUserName"); - if (user) { - var res = /^-$/.test(user); - if (!res) { - evt.AppendTo('related.user', user); - } - } - }) - .Build(); - // Handles both 4648 - var event4648 = new processor.Chain() - .Add(copyTargetUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.SubjectUserName"); - if (user) { - var res = /^-$/.test(user); - if (!res) { - evt.AppendTo('related.user', user); - } - } - }) - .Build(); - var event4625 = new processor.Chain() - .Add(copyTargetUser) - .Add(copySubjectUserLogonId) - .Add(addLogonType) - .Add(addFailureCode) - .Add(addFailureStatus) - .Add(addFailureSubStatus) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Build(); - var event4672 = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(function(evt) { - var privs = evt.Get("winlog.event_data.PrivilegeList"); - if (!privs) { - return; - } - evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/)); - }) - .Add(addEventFields) - .Build(); - var event4688 = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameNewProcessFields) - .Add(addEventFields) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.TargetUserName"); - if (user) { - var res = /^-$/.test(user); - if (!res) { - evt.AppendTo('related.user', user); - } - } - }) - .Build(); - var event4689 = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Build(); - 
var event4697 = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addServiceFields) - .Add(addEventFields) - .Build(); - var userMgmtEvts = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addUACDescription) - .Add(addEventFields) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.TargetUserName"); - evt.AppendTo('related.user', user); - }) - .Build(); - var userRenamed = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(addEventFields) - .Add(function(evt) { - var userNew = evt.Get("winlog.event_data.NewTargetUserName"); - evt.AppendTo('related.user', userNew); - var userOld = evt.Get("winlog.event_data.OldTargetUserName"); - evt.AppendTo('related.user', userOld); - }) - .Build(); - var groupMgmtEvts = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(copyMemberToUser) - .Add(copyTargetUserToGroup) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Build(); - var auditLogCleared = new processor.Chain() - .Add(copySubjectUserFromUserData) - .Add(copySubjectUserLogonIdFromUserData) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Build(); - var auditChanged = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addAuditInfo) - .Add(addEventFields) - .Build(); - var auditLogMgmt = new processor.Chain() - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Build(); - var computerMgmtEvts = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(copyTargetUserToComputerObject) - .Add(renameCommonAuthFields) - .Add(addUACDescription) - .Add(addEventFields) - .Add(function(evt) { - var privs = evt.Get("winlog.event_data.PrivilegeList"); - if (!privs) { - return; - } - evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/)); - }) - .Build(); - var 
sessionEvts = new processor.Chain() - .Add(addSessionData) - .Add(addEventFields) - .Build(); - var event4964 = new processor.Chain() - .Add(copyTargetUser) - .Add(copyTargetUserLogonId) - .Add(addEventFields) - .Build(); - var kerberosTktEvts = new processor.Chain() - .Add(copyTargetUser) - .Add(renameCommonAuthFields) - .Add(addTicketOptionsDescription) - .Add(addTicketEncryptionType) - .Add(addTicketStatus) - .Add(addEventFields) - .Add(function(evt) { - var ip = evt.Get("source.ip"); - if (ip) { - if (/::ffff:/.test(ip)) { - evt.Put("source.ip", ip.replace("::ffff:", "")); - evt.AppendTo("related.ip", ip.replace("::ffff:", "")); - } - } - }) - .Build(); - var event4776 = new processor.Chain() - .Add(copyTargetUser) - .Add(addFailureStatus) - .Add(addEventFields) - .Build(); - var scheduledTask = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(addEventFields) - .Build(); - var sensitivePrivilege = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Add(function(evt) { - var privs = evt.Get("winlog.event_data.PrivilegeList"); - if (!privs) { - return; - } - evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/)); - }) - .Add(function(evt){ - var maskCodes = evt.Get("winlog.event_data.AccessMask"); - if (!maskCodes) { - return; - } - var maskList = maskCodes.replace(/\s+/g, '').split("%%").filter(String); - evt.Put("winlog.event_data.AccessMask", maskList); - var maskResults = []; - for (var j = 0; j < maskList.length; j++) { - var description = msobjsMessageTable[maskList[j]]; - if (description === undefined) { - return; - } - maskResults.push(description); - } - evt.Put("winlog.event_data.AccessMaskDescription", maskResults); - }) - .Build(); - - var trustDomainMgmtEvts = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(addEventFields) - .Add(addTrustInformation) - .Build(); - - var policyChange = new 
processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(addEventFields) - .Build(); - - var objectPolicyChange = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Add(function(evt) { - var oldSd = evt.Get("winlog.event_data.OldSd"); - var newSd = evt.Get("winlog.event_data.NewSd"); - if (oldSd) { - enrichSDDL(evt, "winlog.event_data.OldSd"); - } - if (newSd) { - enrichSDDL(evt, "winlog.event_data.NewSd"); - } - }) - .Build(); - - var genericAuditChange = new processor.Chain() - .Add(addEventFields) - .Build(); - - var event4908 = new processor.Chain() - .Add(addEventFields) - .Add(function(evt) { - var sids = evt.Get("winlog.event_data.SidList"); - if (!sids) { - return; - } - var sidList = sids.split(/\s+/); - evt.Put("winlog.event_data.SidList", sids.split(/\s+/)); - var sidListDesc = []; - for (var i = 0; i < sidList.length; i++) { - var sidTemp = sidList[i].replace("%", "").replace("{", "").replace("}", "").replace(" ",""); - if (sidTemp) { - sidListDesc.push(translateSID(sidTemp)); - } - } - evt.Put("winlog.event_data.SidListDesc", sidListDesc); - }) - .Build(); - - var securityEventSource = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Build(); - - return { - // 1100 - The event logging service has shut down. - 1100: auditLogMgmt.Run, - // 1102 - The audit log was cleared. - 1102: auditLogCleared.Run, - // 1104 - The security log is now full. - 1104: auditLogMgmt.Run, - // 1105 - Event log automatic backup. - 1105: auditLogMgmt.Run, - // 1108 - The event logging service encountered an error while processing an incoming event published from %1 - 1108: auditLogMgmt.Run, - // 4624 - An account was successfully logged on. - 4624: logonSuccess.Run, - // 4625 - An account failed to log on. - 4625: event4625.Run, - // 4634 - An account was logged off. 
- 4634: logoff.Run, - // 4647 - User initiated logoff. - 4647: logoff.Run, - // 4648 - A logon was attempted using explicit credentials. - 4648: event4648.Run, - // 4670 - Permissions on an object were changed. - 4670: objectPolicyChange.Run, - // 4672 - Special privileges assigned to new logon. - 4672: event4672.Run, - // 4673 - A privileged service was called. - 4673: sensitivePrivilege.Run, - // 4674 - An operation was attempted on a privileged object. - 4674: sensitivePrivilege.Run, - // 4688 - A new process has been created. - 4688: event4688.Run, - // 4689 - A process has exited. - 4689: event4689.Run, - // 4697 - A service was installed in the system. - 4697: event4697.Run, - // 4698 - A scheduled task was created. - 4698: scheduledTask.Run, - // 4699 - A scheduled task was deleted. - 4699: scheduledTask.Run, - // 4700 - A scheduled task was enabled. - 4700: scheduledTask.Run, - // 4701 - A scheduled task was disabled. - 4701: scheduledTask.Run, - // 4702 - A scheduled task was updated. - 4702: scheduledTask.Run, - // 4706 - A new trust was created to a domain. - 4706: trustDomainMgmtEvts.Run, - // 4707 - A trust to a domain was removed. - 4707: trustDomainMgmtEvts.Run, - // 4713 - Kerberos policy was changed. - 4713: policyChange.Run, - // 4716 - Trusted domain information was modified. - 4716: trustDomainMgmtEvts.Run, - // 4717 - System security access was granted to an account. - 4717: policyChange.Run, - // 4718 - System security access was removed from an account. - 4718: policyChange.Run, - // 4719 - System audit policy was changed. - 4719: auditChanged.Run, - // 4720 - A user account was created - 4720: userMgmtEvts.Run, - // 4722 - A user account was enabled - 4722: userMgmtEvts.Run, - // 4723 - An attempt was made to change an account's password - 4723: userMgmtEvts.Run, - // 4724 - An attempt was made to reset an account's password - 4724: userMgmtEvts.Run, - // 4725 - A user account was disabled. 
- 4725: userMgmtEvts.Run, - // 4726 - An user account was deleted. - 4726: userMgmtEvts.Run, - // 4727 - A security-enabled global group was created. - 4727: groupMgmtEvts.Run, - // 4728 - A member was added to a security-enabled global group. - 4728: groupMgmtEvts.Run, - // 4729 - A member was removed from a security-enabled global group. - 4729: groupMgmtEvts.Run, - // 4730 - A security-enabled global group was deleted. - 4730: groupMgmtEvts.Run, - // 4731 - A security-enabled local group was created. - 4731: groupMgmtEvts.Run, - // 4732 - A member was added to a security-enabled local group. - 4732: groupMgmtEvts.Run, - // 4733 - A member was removed from a security-enabled local group. - 4733: groupMgmtEvts.Run, - // 4734 - A security-enabled local group was deleted. - 4734: groupMgmtEvts.Run, - // 4735 - A security-enabled local group was changed. - 4735: groupMgmtEvts.Run, - // 4737 - A security-enabled global group was changed. - 4737: groupMgmtEvts.Run, - // 4739 - A security-enabled global group was changed. - 4739: policyChange.Run, - // 4738 - An user account was changed. - 4738: userMgmtEvts.Run, - // 4740 - An account was locked out - 4740: userMgmtEvts.Run, - // 4741 - A computer account was created. - 4741: computerMgmtEvts.Run, - // 4742 - A computer account was changed. - 4742: computerMgmtEvts.Run, - // 4743 - A computer account was deleted. - 4743: computerMgmtEvts.Run, - // 4744 - A security-disabled local group was created. - 4744: groupMgmtEvts.Run, - // 4745 - A security-disabled local group was changed. - 4745: groupMgmtEvts.Run, - // 4746 - A member was added to a security-disabled local group. - 4746: groupMgmtEvts.Run, - // 4747 - A member was removed from a security-disabled local group. - 4747: groupMgmtEvts.Run, - // 4748 - A security-disabled local group was deleted. - 4748: groupMgmtEvts.Run, - // 4749 - A security-disabled global group was created. - 4749: groupMgmtEvts.Run, - // 4750 - A security-disabled global group was changed. 
- 4750: groupMgmtEvts.Run, - // 4751 - A member was added to a security-disabled global group. - 4751: groupMgmtEvts.Run, - // 4752 - A member was removed from a security-disabled global group. - 4752: groupMgmtEvts.Run, - // 4753 - A security-disabled global group was deleted. - 4753: groupMgmtEvts.Run, - // 4754 - A security-enabled universal group was created. - 4754: groupMgmtEvts.Run, - // 4755 - A security-enabled universal group was changed. - 4755: groupMgmtEvts.Run, - // 4756 - A member was added to a security-enabled universal group. - 4756: groupMgmtEvts.Run, - // 4757 - A member was removed from a security-enabled universal group. - 4757: groupMgmtEvts.Run, - // 4758 - A security-enabled universal group was deleted. - 4758: groupMgmtEvts.Run, - // 4759 - A security-disabled universal group was created. - 4759: groupMgmtEvts.Run, - // 4760 - A security-disabled universal group was changed. - 4760: groupMgmtEvts.Run, - // 4761 - A member was added to a security-disabled universal group. - 4761: groupMgmtEvts.Run, - // 4762 - A member was removed from a security-disabled universal group. - 4762: groupMgmtEvts.Run, - // 4763 - A security-disabled global group was deleted. - 4763: groupMgmtEvts.Run, - // 4764 - A group\'s type was changed. - 4764: groupMgmtEvts.Run, - // 4767 - A user account was unlocked. - 4767: userMgmtEvts.Run, - // 4768 - A Kerberos authentication ticket TGT was requested. - 4768: kerberosTktEvts.Run, - // 4769 - A Kerberos service ticket was requested. - 4769: kerberosTktEvts.Run, - // 4770 - A Kerberos service ticket was renewed. - 4770: kerberosTktEvts.Run, - // 4771 - Kerberos pre-authentication failed. - 4771: kerberosTktEvts.Run, - // 4776 - The computer attempted to validate the credentials for an account. - 4776: event4776.Run, - // 4778 - A session was reconnected to a Window Station. - 4778: sessionEvts.Run, - // 4779 - A session was disconnected from a Window Station. 
- 4779: sessionEvts.Run, - // 4781 - The name of an account was changed. - 4781: userRenamed.Run, - // 4798 - A user's local group membership was enumerated. - 4798: userMgmtEvts.Run, - // 4799 - A security-enabled local group membership was enumerated. - 4799: groupMgmtEvts.Run, - // 4817 - Auditing settings on object were changed. - 4817: objectPolicyChange.Run, - // 4902 - The Per-user audit policy table was created. - 4902: genericAuditChange.Run, - // 4904 - An attempt was made to register a security event source. - 4904: securityEventSource.Run, - // 4905 - An attempt was made to unregister a security event source. - 4905: securityEventSource.Run, - // 4906 - The CrashOnAuditFail value has changed. - 4906: genericAuditChange.Run, - // 4907 - Auditing settings on object were changed. - 4907: objectPolicyChange.Run, - // 4908 - Special Groups Logon table modified. - 4908: event4908.Run, - // 4912 - Per User Audit Policy was changed. - 4912: auditChanged.Run, - // 4964 - Special groups have been assigned to a new logon. - 4964: event4964.Run, - process: function(evt) { - var eventId = evt.Get("winlog.event_id"); - var processor = this[eventId]; - if (processor === undefined) { - return; - } - evt.Put("event.module", "security"); - processor(evt); - }, - }; - })(); - function process(evt) { - return security.process(evt); - } diff --git a/packages/system/0.12.0/data_stream/security/elasticsearch/ingest_pipeline/default.yml b/packages/system/0.12.0/data_stream/security/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 7675142444..0000000000 --- a/packages/system/0.12.0/data_stream/security/elasticsearch/ingest_pipeline/default.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -description: Pipeline for Windows Security events -processors: - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' -on_failure: - - set: - field: "error.message" - value: "{{ _ingest.on_failure_message }}" 
diff --git a/packages/system/0.12.0/data_stream/security/fields/agent.yml b/packages/system/0.12.0/data_stream/security/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/system/0.12.0/data_stream/security/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.12.0/data_stream/security/fields/base-fields.yml b/packages/system/0.12.0/data_stream/security/fields/base-fields.yml deleted file mode 100755 index a9a65458fc..0000000000 --- a/packages/system/0.12.0/data_stream/security/fields/base-fields.yml +++ /dev/null @@ -1,21 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset name. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: dataset.type - type: constant_keyword - description: Dataset type. -- name: dataset.name - type: constant_keyword - description: Dataset name. -- name: dataset.namespace - type: constant_keyword - description: Dataset namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.12.0/data_stream/security/fields/ecs.yml b/packages/system/0.12.0/data_stream/security/fields/ecs.yml deleted file mode 100755 index 2904a66ee3..0000000000 --- a/packages/system/0.12.0/data_stream/security/fields/ecs.yml +++ /dev/null 
@@ -1,244 +0,0 @@ -- name: event - title: Event - type: group - fields: - - name: action - type: keyword - ignore_above: 1024 - description: 'The action captured by the event.' - - name: category - type: keyword - ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.' - - name: code - type: keyword - ignore_above: 1024 - description: 'Identification code for this event, if one exists.' - - name: created - type: date - description: 'event.created contains the date/time when the event was first read by an agent, or by your pipeline.' - - name: ingested - type: date - description: 'Timestamp when an event arrived in the central data store.' - default_field: false - - name: kind - type: keyword - ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.' - - name: module - type: keyword - ignore_above: 1024 - description: 'Name of the module this data is coming from.' - - name: outcome - type: keyword - ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.' - - name: provider - type: keyword - ignore_above: 1024 - description: 'Source of the event.' - - name: sequence - type: long - format: string - description: 'Sequence number of the event.' - - name: type - type: keyword - ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.' -- name: host - title: Host - type: group - fields: - - name: name - type: keyword - ignore_above: 1024 - description: 'Name of the host.' -- name: log - title: Log - type: group - fields: - - name: level - type: keyword - ignore_above: 1024 - description: 'Original log level of the log event.' 
-- name: process - title: Process - type: group - fields: - - name: args - type: keyword - ignore_above: 1024 - description: 'Array of process arguments, starting with the absolute path to the executable.' - - name: args_count - type: long - description: 'Length of the process.args array.' - default_field: false - - name: command_line - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: 'Full command line that started the process, including the absolute path to the executable, and all arguments.' - default_field: false - - name: entity_id - type: keyword - ignore_above: 1024 - description: 'Unique identifier for the process.' - default_field: false - - name: executable - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Absolute path to the process executable. - - name: name - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: 'Process name.' - example: ssh - - name: title - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: 'Process title.' - - name: pid - type: long - description: Process PID. - - name: parent.executable - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Absolute path to the process executable. - default_field: false - - name: parent.name - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: 'Process name.' - default_field: false -- name: user - title: User - type: group - fields: - - name: domain - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of.' - - name: id - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. 
- - name: name - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Short name or login of the user. - - name: target.group.domain - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of.' - default_field: false - - name: target.group.id - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: target.group.name - type: keyword - ignore_above: 1024 - description: Name of the group. - - name: target.name - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Short name or login of the user. - default_field: false -- name: group - title: Group - type: group - fields: - - name: domain - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of.' - - name: id - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - - name: name - type: keyword - ignore_above: 1024 - description: Name of the group. -- name: service - title: Service - type: group - fields: - - name: name - type: keyword - ignore_above: 1024 - description: 'Name of the service data is collected from.' - - name: type - type: keyword - ignore_above: 1024 - description: 'The type of the service data is collected from.' -- name: source - title: Source - type: group - fields: - - name: domain - level: core - type: keyword - ignore_above: 1024 - description: Source domain. - - name: ip - type: ip - description: IP address of the source (IPv4 or IPv6). - - name: port - type: long - format: string - description: Port of the source. 
-- name: related - title: Related - type: group - fields: - - name: hash - type: keyword - ignore_above: 1024 - default_field: false - - name: hosts - type: keyword - ignore_above: 1024 - default_field: false - - name: ip - type: ip - - name: user - type: keyword - ignore_above: 1024 - default_field: false diff --git a/packages/system/0.12.0/data_stream/security/fields/fields.yml b/packages/system/0.12.0/data_stream/security/fields/fields.yml deleted file mode 100755 index 48deb4f52a..0000000000 --- a/packages/system/0.12.0/data_stream/security/fields/fields.yml +++ /dev/null @@ -1,30 +0,0 @@ -- name: winlog.logon - type: group - description: Data related to a Windows logon. - fields: - - name: type - type: keyword - description: > - Logon type name. This is the descriptive version of the `winlog.event_data.LogonType` ordinal. This is an enrichment added by the Security module. - - example: RemoteInteractive - - name: id - type: keyword - description: > - Logon ID that can be used to associate this logon with other events related to the same logon session. - - - name: failure.reason - type: keyword - description: > - The reason the logon failed. - - - name: failure.status - type: keyword - description: > - The reason the logon failed. This is textual description based on the value of the hexadecimal `Status` field. - - - name: failure.sub_status - type: keyword - description: > - Additional information about the logon failure. This is a textual description based on the value of the hexidecimal `SubStatus` field. - diff --git a/packages/system/0.12.0/data_stream/security/fields/winlog.yml b/packages/system/0.12.0/data_stream/security/fields/winlog.yml deleted file mode 100755 index 4ac76fdcdc..0000000000 --- a/packages/system/0.12.0/data_stream/security/fields/winlog.yml +++ /dev/null 
@@ -1,361 +0,0 @@
-- name: winlog - type: group - description: > - All fields specific to the Windows Event Log are defined here. - - fields: - - name: api - required: true - type: keyword - description: > - The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. - - The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. - - - name: activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. - - - name: computer_name - type: keyword - required: true - description: > - The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. - - - name: event_data - type: object - object_type: keyword - required: false - description: > - The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. - - - name: event_data - type: group - description: > - This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs.
- - fields: - - name: AuthenticationPackageName - type: keyword - - name: Binary - type: keyword - - name: BitlockerUserInputTime - type: keyword - - name: BootMode - type: keyword - - name: BootType - type: keyword - - name: BuildVersion - type: keyword - - name: Company - type: keyword - - name: CorruptionActionState - type: keyword - - name: CreationUtcTime - type: keyword - - name: Description - type: keyword - - name: Detail - type: keyword - - name: DeviceName - type: keyword - - name: DeviceNameLength - type: keyword - - name: DeviceTime - type: keyword - - name: DeviceVersionMajor - type: keyword - - name: DeviceVersionMinor - type: keyword - - name: DriveName - type: keyword - - name: DriverName - type: keyword - - name: DriverNameLength - type: keyword - - name: DwordVal - type: keyword - - name: EntryCount - type: keyword - - name: ExtraInfo - type: keyword - - name: FailureName - type: keyword - - name: FailureNameLength - type: keyword - - name: FileVersion - type: keyword - - name: FinalStatus - type: keyword - - name: Group - type: keyword - - name: IdleImplementation - type: keyword - - name: IdleStateCount - type: keyword - - name: ImpersonationLevel - type: keyword - - name: IntegrityLevel - type: keyword - - name: IpAddress - type: keyword - - name: IpPort - type: keyword - - name: KeyLength - type: keyword - - name: LastBootGood - type: keyword - - name: LastShutdownGood - type: keyword - - name: LmPackageName - type: keyword - - name: LogonGuid - type: keyword - - name: LogonId - type: keyword - - name: LogonProcessName - type: keyword - - name: LogonType - type: keyword - - name: MajorVersion - type: keyword - - name: MaximumPerformancePercent - type: keyword - - name: MemberName - type: keyword - - name: MemberSid - type: keyword - - name: MinimumPerformancePercent - type: keyword - - name: MinimumThrottlePercent - type: keyword - - name: MinorVersion - type: keyword - - name: NewProcessId - type: keyword - - name: NewProcessName - type: 
keyword - - name: NewSchemeGuid - type: keyword - - name: NewTime - type: keyword - - name: NominalFrequency - type: keyword - - name: Number - type: keyword - - name: OldSchemeGuid - type: keyword - - name: OldTime - type: keyword - - name: OriginalFileName - type: keyword - - name: Path - type: keyword - - name: PerformanceImplementation - type: keyword - - name: PreviousCreationUtcTime - type: keyword - - name: PreviousTime - type: keyword - - name: PrivilegeList - type: keyword - - name: ProcessId - type: keyword - - name: ProcessName - type: keyword - - name: ProcessPath - type: keyword - - name: ProcessPid - type: keyword - - name: Product - type: keyword - - name: PuaCount - type: keyword - - name: PuaPolicyId - type: keyword - - name: QfeVersion - type: keyword - - name: Reason - type: keyword - - name: SchemaVersion - type: keyword - - name: ScriptBlockText - type: keyword - - name: ServiceName - type: keyword - - name: ServiceVersion - type: keyword - - name: ShutdownActionType - type: keyword - - name: ShutdownEventCode - type: keyword - - name: ShutdownReason - type: keyword - - name: Signature - type: keyword - - name: SignatureStatus - type: keyword - - name: Signed - type: keyword - - name: StartTime - type: keyword - - name: State - type: keyword - - name: Status - type: keyword - - name: StopTime - type: keyword - - name: SubjectDomainName - type: keyword - - name: SubjectLogonId - type: keyword - - name: SubjectUserName - type: keyword - - name: SubjectUserSid - type: keyword - - name: TSId - type: keyword - - name: TargetDomainName - type: keyword - - name: TargetInfo - type: keyword - - name: TargetLogonGuid - type: keyword - - name: TargetLogonId - type: keyword - - name: TargetServerName - type: keyword - - name: TargetUserName - type: keyword - - name: TargetUserSid - type: keyword - - name: TerminalSessionId - type: keyword - - name: TokenElevationType - type: keyword - - name: TransmittedServices - type: keyword - - name: UserSid - type: 
keyword - - name: Version - type: keyword - - name: Workstation - type: keyword - - name: param1 - type: keyword - - name: param2 - type: keyword - - name: param3 - type: keyword - - name: param4 - type: keyword - - name: param5 - type: keyword - - name: param6 - type: keyword - - name: param7 - type: keyword - - name: param8 - type: keyword - - name: event_id - type: keyword - required: true - description: > - The event identifier. The value is specific to the source of the event. - - - name: keywords - type: keyword - required: false - description: > - The keywords are used to classify an event. - - - name: channel - type: keyword - required: true - description: > - The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. - - - name: record_id - type: keyword - required: true - description: > - The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. - - - name: related_activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. - - - name: opcode - type: keyword - required: false - description: > - The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. - - - name: provider_guid - type: keyword - required: false - description: > - A globally unique identifier that identifies the provider that logged the event. - - - name: process.pid - type: long - required: false - description: > - The process_id of the Client Server Runtime Process. 
- - - name: provider_name - type: keyword - required: true - description: > - The source of the event log record (the application or service that logged the record). - - - name: task - type: keyword - required: false - description: > - The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. - - - name: process.thread.id - type: long - required: false - - name: user_data - type: object - object_type: keyword - required: false - description: > - The event specific data. This field is mutually exclusive with `event_data`. - - - name: user.identifier - type: keyword - required: false - example: S-1-5-21-3541430928-2051711210-1391384369-1001 - description: > - The Windows security identifier (SID) of the account associated with this event. - - If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. - - - name: user.name - type: keyword - description: > - Name of the user associated with this event. - - - name: user.domain - type: keyword - required: false - description: > - The domain that the account associated with this event is a member of. - - - name: user.type - type: keyword - required: false - description: > - The type of account associated with this event. - - - name: version - type: long - required: false - description: The version number of the event's definition.
diff --git a/packages/system/0.12.0/data_stream/security/manifest.yml b/packages/system/0.12.0/data_stream/security/manifest.yml
deleted file mode 100755
index c2de21a474..0000000000
--- a/packages/system/0.12.0/data_stream/security/manifest.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-type: logs
-title: Security logs
-release: experimental
-streams: - - input: winlog - template_path: winlog.yml.hbs - title: Security - description: 'Security channel' - - input: httpjson - title: Windows Security Events via Splunk Enterprise REST API - description: Collect Security Events via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: false - required: true - default: "search sourcetype=\"XmlWinEventLog:Security\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded
diff --git a/packages/system/0.12.0/data_stream/socket_summary/agent/stream/stream.yml.hbs b/packages/system/0.12.0/data_stream/socket_summary/agent/stream/stream.yml.hbs
deleted file mode 100755
index 98643a9111..0000000000
--- a/packages/system/0.12.0/data_stream/socket_summary/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,5 +0,0 @@
-metricsets: ["socket_summary"]
-period: {{period}}
-{{#if system.hostfs}}
-system.hostfs: {{system.hostfs}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/system/0.12.0/data_stream/socket_summary/fields/agent.yml b/packages/system/0.12.0/data_stream/socket_summary/fields/agent.yml
deleted file mode 100755
index da4e652c53..0000000000
--- a/packages/system/0.12.0/data_stream/socket_summary/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@
-- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance.
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name.
-- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.'
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.12.0/data_stream/socket_summary/fields/base-fields.yml b/packages/system/0.12.0/data_stream/socket_summary/fields/base-fields.yml
deleted file mode 100755
index 7c798f4534..0000000000
--- a/packages/system/0.12.0/data_stream/socket_summary/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type - type: constant_keyword - description: Data stream type.
-- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset.
-- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace.
-- name: '@timestamp' - type: date - description: Event timestamp.
diff --git a/packages/system/0.12.0/data_stream/socket_summary/fields/ecs.yml b/packages/system/0.12.0/data_stream/socket_summary/fields/ecs.yml
deleted file mode 100755
index 9f3d04118b..0000000000
--- a/packages/system/0.12.0/data_stream/socket_summary/fields/ecs.yml
+++ /dev/null
@@ -1,128 +0,0 @@
-- name: '@timestamp' - level: core - required: true - type: date - description: |- Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events.
-- name: message - level: core - type: text - description: |- For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message.
-- name: group - title: Group - group: 2 - type: group - fields: - - name: id - level: extended - type: keyword - description: Unique identifier for the group on the system/platform. - ignore_above: 1024 - - name: name - level: extended - type: keyword - description: Name of the group. - ignore_above: 1024
-- name: host - title: Host - group: 2 - type: group - fields: - - name: hostname - level: core - type: keyword - description: |- Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - ignore_above: 1024
-- name: process - title: Process - group: 2 - type: group - fields: - - name: name - level: extended - type: keyword - description: |- Process name. - Sometimes called program name or similar. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - - name: pid - level: core - type: long - format: string - description: Process id.
-- name: source - title: Source - group: 2 - type: group - fields: - - name: geo.city_name - level: core - type: keyword - description: City name.
- ignore_above: 1024 - - name: geo.continent_name - level: core - type: keyword - description: Name of the continent. - ignore_above: 1024 - - name: geo.country_iso_code - level: core - type: keyword - description: Country ISO code. - ignore_above: 1024 - - name: geo.location - level: core - type: geo_point - description: Longitude and latitude. - - name: geo.region_iso_code - level: core - type: keyword - description: Region ISO code. - ignore_above: 1024 - - name: geo.region_name - level: core - type: keyword - description: Region name. - ignore_above: 1024 - - name: ip - level: core - type: ip - description: IP address of the source (IPv4 or IPv6). - - name: port - level: core - type: long - format: string - description: Port of the source.
-- name: user - title: User - group: 2 - type: group - fields: - - name: id - level: core - type: keyword - description: Unique identifier of the user. - ignore_above: 1024 - - name: name - level: core - type: keyword - description: Short name or login of the user. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false
diff --git a/packages/system/0.12.0/data_stream/socket_summary/fields/fields.yml b/packages/system/0.12.0/data_stream/socket_summary/fields/fields.yml
deleted file mode 100755
index fca58be0c8..0000000000
--- a/packages/system/0.12.0/data_stream/socket_summary/fields/fields.yml
+++ /dev/null
@@ -1,106 +0,0 @@
-- name: system.socket.summary - title: Socket summary - type: group - fields: - - name: all - type: group - fields: - - name: count - type: integer - metric_type: gauge - description: | - All open connections - - name: listening - type: integer - metric_type: gauge - description: | - All listening ports - - name: tcp - type: group - fields: - - name: memory - type: integer - format: bytes - unit: byte - metric_type: gauge - description: "Memory used by TCP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/tcp_mem. Only available on Linux. \n" - - name: all - type: group - fields: - - name: orphan - type: integer - metric_type: gauge - description: | - A count of all orphaned tcp sockets. Only available on Linux. - - name: count - type: integer - metric_type: gauge - description: | - All open TCP connections - - name: listening - type: integer - metric_type: gauge - description: | - All TCP listening ports - - name: established - type: integer - metric_type: gauge - description: | - Number of established TCP connections - - name: close_wait - type: integer - metric_type: gauge - description: | - Number of TCP connections in _close_wait_ state - - name: time_wait - type: integer - metric_type: gauge - description: | - Number of TCP connections in _time_wait_ state - - name: syn_sent - type: integer - metric_type: gauge - description: | - Number of TCP connections in _syn_sent_ state - - name: syn_recv - type: integer - metric_type: gauge - description: | - Number of TCP connections in _syn_recv_ state - - name: fin_wait1 - type: integer - metric_type: gauge - description: | - Number of TCP connections in _fin_wait1_ state - - name: fin_wait2 - type: integer - metric_type: gauge - description: | - Number of TCP connections in _fin_wait2_ state - - name: last_ack - type: integer - metric_type: gauge - description: | - Number of TCP connections in _last_ack_ state - - name:
closing - type: integer - metric_type: gauge - description: | - Number of TCP connections in _closing_ state - - name: udp - type: group - fields: - - name: memory - type: integer - format: bytes - unit: byte - metric_type: gauge - description: "Memory used by UDP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/udp_mem. Only available on Linux. \n" - - name: all - type: group - fields: - - name: count - type: integer - metric_type: gauge - description: | - All open UDP connections
diff --git a/packages/system/0.12.0/data_stream/socket_summary/manifest.yml b/packages/system/0.12.0/data_stream/socket_summary/manifest.yml
deleted file mode 100755
index 119109fe70..0000000000
--- a/packages/system/0.12.0/data_stream/socket_summary/manifest.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-title: System socket_summary metrics
-release: experimental
-type: metrics
-streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - title: System socket_summary metrics - description: Collect System socket_summary metrics
diff --git a/packages/system/0.12.0/data_stream/syslog/agent/stream/log.yml.hbs b/packages/system/0.12.0/data_stream/syslog/agent/stream/log.yml.hbs
deleted file mode 100755
index 09e5d53429..0000000000
--- a/packages/system/0.12.0/data_stream/syslog/agent/stream/log.yml.hbs
+++ /dev/null
@@ -1,14 +0,0 @@
-paths:
-{{#each paths as |path i|}} - - {{path}}
-{{/each}}
-exclude_files: [".gz$"]
-multiline: - pattern: "^\\s" - match: after
-processors: - - add_locale: ~ - - add_fields: - target: '' - fields: - ecs.version: 1.9.0
diff --git a/packages/system/0.12.0/data_stream/syslog/elasticsearch/ingest_pipeline/default.yml b/packages/system/0.12.0/data_stream/syslog/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index b71c6624a7..0000000000
--- a/packages/system/0.12.0/data_stream/syslog/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,53 +0,0 @@
----
-description: Pipeline for parsing Syslog messages.
-processors:
-- grok: - field: message - patterns: - '%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: %{GREEDYMULTILINE:system.syslog.message}' - '%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{GREEDYMULTILINE:system.syslog.message}' - '%{TIMESTAMP_ISO8601:system.syslog.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: %{GREEDYMULTILINE:system.syslog.message}' - pattern_definitions: - GREEDYMULTILINE: |- - (.| - )* - ignore_missing: true
-- remove: - field: message
-- rename: - field: system.syslog.message - target_field: message - ignore_missing: true
-- date: - if: ctx.event.timezone == null - field: system.syslog.timestamp - target_field: '@timestamp' - formats: - MMM d HH:mm:ss - MMM dd HH:mm:ss - MMM d HH:mm:ss - ISO8601 - on_failure: - - append: - field: error.message - value: '{{ _ingest.on_failure_message }}'
-- date: - if: ctx.event.timezone != null - field: system.syslog.timestamp - target_field: '@timestamp' - formats: - MMM d HH:mm:ss - MMM dd HH:mm:ss - MMM d HH:mm:ss - ISO8601 - timezone: '{{ event.timezone }}' - on_failure: - - append: - field: error.message - value: '{{ _ingest.on_failure_message }}'
-- remove: - field: system.syslog.timestamp
-on_failure:
-- set: - field: error.message - value: '{{ _ingest.on_failure_message }}'
diff --git a/packages/system/0.12.0/data_stream/syslog/fields/agent.yml b/packages/system/0.12.0/data_stream/syslog/fields/agent.yml
deleted file mode 100755
index da4e652c53..0000000000
--- a/packages/system/0.12.0/data_stream/syslog/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@
-- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance.
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name.
-- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.'
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.12.0/data_stream/syslog/fields/base-fields.yml b/packages/system/0.12.0/data_stream/syslog/fields/base-fields.yml
deleted file mode 100755
index 7c798f4534..0000000000
--- a/packages/system/0.12.0/data_stream/syslog/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type - type: constant_keyword - description: Data stream type.
-- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset.
-- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace.
-- name: '@timestamp' - type: date - description: Event timestamp.
diff --git a/packages/system/0.12.0/data_stream/syslog/fields/ecs.yml b/packages/system/0.12.0/data_stream/syslog/fields/ecs.yml
deleted file mode 100755
index 6177e5856f..0000000000
--- a/packages/system/0.12.0/data_stream/syslog/fields/ecs.yml
+++ /dev/null
@@ -1,97 +0,0 @@ -- name: '@timestamp' - level: core - required: true - type: date - description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. -- name: message - level: core - type: text - description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. -- name: process - title: Process - group: 2 - type: group - fields: - - name: name - level: extended - type: keyword - description: |- - Process name. - Sometimes called program name or similar. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - - name: pid - level: core - type: long - format: string - description: Process id. -- description: "Operating system architecture." - ignore_above: 1024 - name: host.architecture - type: keyword -- description: "Name of the directory the group is a member of." - ignore_above: 1024 - name: host.domain - type: keyword -- description: "Hostname of the host." - ignore_above: 1024 - name: host.hostname - type: keyword -- description: "Unique host id." - ignore_above: 1024 - name: host.id - type: keyword -- description: "Host ip addresses." - name: host.ip - type: ip -- description: "Host mac addresses." - ignore_above: 1024 - name: host.mac - type: keyword -- description: "Name of the host." - ignore_above: 1024 - name: host.name - type: keyword -- description: "OS family (such as redhat, debian, freebsd, windows)." 
- ignore_above: 1024 - name: host.os.family - type: keyword -- description: "Operating system name, including the version or code name." - ignore_above: 1024 - multi_fields: - - name: text - norms: false - type: text - name: host.os.full - type: keyword -- description: "Operating system kernel version as a raw string." - ignore_above: 1024 - name: host.os.kernel - type: keyword -- description: "Operating system name, without the version." - ignore_above: 1024 - multi_fields: - - name: text - norms: false - type: text - name: host.os.name - type: keyword -- description: "Operating system platform (such centos, ubuntu, windows)." - ignore_above: 1024 - name: host.os.platform - type: keyword -- description: "Operating system version as a raw string." - ignore_above: 1024 - name: version - type: keyword diff --git a/packages/system/0.12.0/data_stream/syslog/fields/fields.yml b/packages/system/0.12.0/data_stream/syslog/fields/fields.yml deleted file mode 100755 index f933686930..0000000000 --- a/packages/system/0.12.0/data_stream/syslog/fields/fields.yml +++ /dev/null @@ -1,2 +0,0 @@ -- name: system.syslog - type: group diff --git a/packages/system/0.12.0/data_stream/syslog/manifest.yml b/packages/system/0.12.0/data_stream/syslog/manifest.yml deleted file mode 100755 index 1aa1fe9412..0000000000 --- a/packages/system/0.12.0/data_stream/syslog/manifest.yml +++ /dev/null @@ -1,18 +0,0 @@ -title: System syslog logs -release: experimental -type: logs -streams: - - input: logfile - vars: - - name: paths - type: text - title: Paths - multi: true - required: true - show_user: true - default: - - /var/log/messages* - - /var/log/syslog* - template_path: log.yml.hbs - title: System syslog logs (log) - description: Collect System syslog logs using log input diff --git a/packages/system/0.12.0/data_stream/system/agent/stream/httpjson.yml.hbs b/packages/system/0.12.0/data_stream/system/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 33eabae7d5..0000000000 
--- a/packages/system/0.12.0/data_stream/system/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,90 +0,0 @@ -config_version: "2" -interval: {{interval}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: |- - {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -response.decode_as: application/x-ndjson -tags: -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains tags "forwarded"}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: - - decode_json_fields: - fields: message - target: json - add_error_key: true - - drop_event: - when: - not: - has_fields: ['json.result'] - - fingerprint: - fields: - - json.result._cd - - json.result._indextime - - json.result._raw - - json.result._time - - json.result.host - - json.result.source - target_field: "@metadata._id" - - drop_fields: - fields: message - - rename: - fields: - - from: json.result._raw - to: event.original - - from: json.result.host - to: host.name - - from: json.result.source - to: event.provider - ignore_missing: true - fail_on_error: false - - drop_fields: - fields: json - - decode_xml: - field: event.original - target_field: winlog - schema: wineventlog - ignore_missing: true - ignore_failure: true - - timestamp: - field: winlog.time_created - layouts: - - '2006-01-02T15:04:05Z' - - '2006-01-02T15:04:05.999Z' - - '2006-01-02T15:04:05.999-07:00' - test: - - '2019-06-22T16:33:51Z' - - '2019-11-18T04:59:51.123Z' - - '2020-08-03T07:10:20.123456+02:00' - - 
add_fields: - target: '' - fields: - ecs.version: 1.8.0 diff --git a/packages/system/0.12.0/data_stream/system/agent/stream/winlog.yml.hbs b/packages/system/0.12.0/data_stream/system/agent/stream/winlog.yml.hbs deleted file mode 100755 index 47df93c51d..0000000000 --- a/packages/system/0.12.0/data_stream/system/agent/stream/winlog.yml.hbs +++ /dev/null @@ -1,2 +0,0 @@ -name: System -condition: ${host.platform} == 'windows' \ No newline at end of file diff --git a/packages/system/0.12.0/data_stream/system/elasticsearch/ingest_pipeline/default.yml b/packages/system/0.12.0/data_stream/system/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 9f7e885a2f..0000000000 --- a/packages/system/0.12.0/data_stream/system/elasticsearch/ingest_pipeline/default.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -description: Pipeline for Windows System Event Logs -processors: - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' -on_failure: - - set: - field: "error.message" - value: "{{ _ingest.on_failure_message }}" \ No newline at end of file diff --git a/packages/system/0.12.0/data_stream/system/fields/agent.yml b/packages/system/0.12.0/data_stream/system/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/system/0.12.0/data_stream/system/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/system/0.12.0/data_stream/system/fields/base-fields.yml b/packages/system/0.12.0/data_stream/system/fields/base-fields.yml
deleted file mode 100755
index 7c798f4534..0000000000
--- a/packages/system/0.12.0/data_stream/system/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.12.0/data_stream/system/fields/ecs.yml b/packages/system/0.12.0/data_stream/system/fields/ecs.yml
deleted file mode 100755
index e1817f5ca6..0000000000
--- a/packages/system/0.12.0/data_stream/system/fields/ecs.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-- description: Time when the event was first read by an agent or by your pipeline.
- example: '2016-05-23T08:05:34.857Z'
- name: event.created
- type: date
-- description: Timestamp when an event arrived in the central data store.
- example: '2016-05-23T08:05:35.101Z'
- name: event.ingested
- type: date
-- description: Raw text message of entire event.
- example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232
- ignore_above: 1024
- name: event.original
- type: keyword
-- description: Error message.
- name: error.message
- type: text
diff --git a/packages/system/0.12.0/data_stream/system/fields/winlog.yml b/packages/system/0.12.0/data_stream/system/fields/winlog.yml
deleted file mode 100755
index adca1bbdd0..0000000000
--- a/packages/system/0.12.0/data_stream/system/fields/winlog.yml
+++ /dev/null
@@ -1,357 +0,0 @@ -- name: winlog - type: group - description: > - All fields specific to the Windows Event Log are defined here. - - fields: - - name: api - required: true - type: keyword - description: > - The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. - - - name: activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. - - - name: computer_name - type: keyword - required: true - description: > - The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. - - - name: event_data - type: object - object_type: keyword - required: false - description: > - The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. - - - name: event_data - type: group - description: > - This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs. 
- - fields: - - name: AuthenticationPackageName - type: keyword - - name: Binary - type: keyword - - name: BitlockerUserInputTime - type: keyword - - name: BootMode - type: keyword - - name: BootType - type: keyword - - name: BuildVersion - type: keyword - - name: Company - type: keyword - - name: CorruptionActionState - type: keyword - - name: CreationUtcTime - type: keyword - - name: Description - type: keyword - - name: Detail - type: keyword - - name: DeviceName - type: keyword - - name: DeviceNameLength - type: keyword - - name: DeviceTime - type: keyword - - name: DeviceVersionMajor - type: keyword - - name: DeviceVersionMinor - type: keyword - - name: DriveName - type: keyword - - name: DriverName - type: keyword - - name: DriverNameLength - type: keyword - - name: DwordVal - type: keyword - - name: EntryCount - type: keyword - - name: ExtraInfo - type: keyword - - name: FailureName - type: keyword - - name: FailureNameLength - type: keyword - - name: FileVersion - type: keyword - - name: FinalStatus - type: keyword - - name: Group - type: keyword - - name: IdleImplementation - type: keyword - - name: IdleStateCount - type: keyword - - name: ImpersonationLevel - type: keyword - - name: IntegrityLevel - type: keyword - - name: IpAddress - type: keyword - - name: IpPort - type: keyword - - name: KeyLength - type: keyword - - name: LastBootGood - type: keyword - - name: LastShutdownGood - type: keyword - - name: LmPackageName - type: keyword - - name: LogonGuid - type: keyword - - name: LogonId - type: keyword - - name: LogonProcessName - type: keyword - - name: LogonType - type: keyword - - name: MajorVersion - type: keyword - - name: MaximumPerformancePercent - type: keyword - - name: MemberName - type: keyword - - name: MemberSid - type: keyword - - name: MinimumPerformancePercent - type: keyword - - name: MinimumThrottlePercent - type: keyword - - name: MinorVersion - type: keyword - - name: NewProcessId - type: keyword - - name: NewProcessName - type: 
keyword - - name: NewSchemeGuid - type: keyword - - name: NewTime - type: keyword - - name: NominalFrequency - type: keyword - - name: Number - type: keyword - - name: OldSchemeGuid - type: keyword - - name: OldTime - type: keyword - - name: OriginalFileName - type: keyword - - name: Path - type: keyword - - name: PerformanceImplementation - type: keyword - - name: PreviousCreationUtcTime - type: keyword - - name: PreviousTime - type: keyword - - name: PrivilegeList - type: keyword - - name: ProcessId - type: keyword - - name: ProcessName - type: keyword - - name: ProcessPath - type: keyword - - name: ProcessPid - type: keyword - - name: Product - type: keyword - - name: PuaCount - type: keyword - - name: PuaPolicyId - type: keyword - - name: QfeVersion - type: keyword - - name: Reason - type: keyword - - name: SchemaVersion - type: keyword - - name: ScriptBlockText - type: keyword - - name: ServiceName - type: keyword - - name: ServiceVersion - type: keyword - - name: ShutdownActionType - type: keyword - - name: ShutdownEventCode - type: keyword - - name: ShutdownReason - type: keyword - - name: Signature - type: keyword - - name: SignatureStatus - type: keyword - - name: Signed - type: keyword - - name: StartTime - type: keyword - - name: State - type: keyword - - name: Status - type: keyword - - name: StopTime - type: keyword - - name: SubjectDomainName - type: keyword - - name: SubjectLogonId - type: keyword - - name: SubjectUserName - type: keyword - - name: SubjectUserSid - type: keyword - - name: TSId - type: keyword - - name: TargetDomainName - type: keyword - - name: TargetInfo - type: keyword - - name: TargetLogonGuid - type: keyword - - name: TargetLogonId - type: keyword - - name: TargetServerName - type: keyword - - name: TargetUserName - type: keyword - - name: TargetUserSid - type: keyword - - name: TerminalSessionId - type: keyword - - name: TokenElevationType - type: keyword - - name: TransmittedServices - type: keyword - - name: UserSid - type: 
keyword - - name: Version - type: keyword - - name: Workstation - type: keyword - - name: param1 - type: keyword - - name: param2 - type: keyword - - name: param3 - type: keyword - - name: param4 - type: keyword - - name: param5 - type: keyword - - name: param6 - type: keyword - - name: param7 - type: keyword - - name: param8 - type: keyword - - name: event_id - type: keyword - required: true - description: > - The event identifier. The value is specific to the source of the event. - - - name: keywords - type: keyword - required: false - description: > - The keywords are used to classify an event. - - - name: channel - type: keyword - required: true - description: > - The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. - - - name: record_id - type: keyword - required: true - description: > - The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. - - - name: related_activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. - - - name: opcode - type: keyword - required: false - description: > - The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. - - - name: provider_guid - type: keyword - required: false - description: > - A globally unique identifier that identifies the provider that logged the event. - - - name: process.pid - type: long - required: false - description: > - The process_id of the Client Server Runtime Process. 
- - - name: provider_name - type: keyword - required: true - description: > - The source of the event log record (the application or service that logged the record). - - - name: task - type: keyword - required: false - description: > - The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. - - - name: process.thread.id - type: long - required: false - - name: user_data - type: object - object_type: keyword - required: false - description: > - The event specific data. This field is mutually exclusive with `event_data`. - - - name: user.identifier - type: keyword - required: false - example: S-1-5-21-3541430928-2051711210-1391384369-1001 - description: > - The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. - - - name: user.name - type: keyword - description: > - Name of the user associated with this event. - - - name: user.domain - type: keyword - required: false - description: > - The domain that the account associated with this event is a member of. - - - name: user.type - type: keyword - required: false - description: > - The type of account associated with this event. - - - name: version - type: long - required: false - description: The version number of the event's definition. diff --git a/packages/system/0.12.0/data_stream/system/manifest.yml b/packages/system/0.12.0/data_stream/system/manifest.yml deleted file mode 100755 index 6bc5b0c3e2..0000000000 --- a/packages/system/0.12.0/data_stream/system/manifest.yml +++ /dev/null 
@@ -1,34 +0,0 @@
-type: logs
-title: Windows System Events
-release: experimental
-streams:
- - input: winlog
- template_path: winlog.yml.hbs
- title: System
- description: 'Collect Windows system logs'
- - input: httpjson
- title: Windows System Events via Splunk Enterprise REST API
- description: Collect System Events via Splunk Enterprise REST API
- enabled: false
- template_path: httpjson.yml.hbs
- vars:
- - name: interval
- type: text
- title: Interval to query Splunk Enterprise REST API
- description: Go Duration syntax (eg. 10s)
- show_user: true
- required: true
- default: 10s
- - name: search
- type: text
- title: Splunk search string
- show_user: false
- required: true
- default: "search sourcetype=\"XmlWinEventLog:System\""
- - name: tags
- type: text
- title: Tags
- multi: true
- show_user: false
- default:
- - forwarded
diff --git a/packages/system/0.12.0/data_stream/uptime/agent/stream/stream.yml.hbs b/packages/system/0.12.0/data_stream/uptime/agent/stream/stream.yml.hbs
deleted file mode 100755
index 810f6a1f3e..0000000000
--- a/packages/system/0.12.0/data_stream/uptime/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,2 +0,0 @@
-metricsets: ["uptime"]
-period: {{period}}
\ No newline at end of file
diff --git a/packages/system/0.12.0/data_stream/uptime/fields/agent.yml b/packages/system/0.12.0/data_stream/uptime/fields/agent.yml
deleted file mode 100755
index da4e652c53..0000000000
--- a/packages/system/0.12.0/data_stream/uptime/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/system/0.12.0/data_stream/uptime/fields/base-fields.yml b/packages/system/0.12.0/data_stream/uptime/fields/base-fields.yml
deleted file mode 100755
index 7c798f4534..0000000000
--- a/packages/system/0.12.0/data_stream/uptime/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.12.0/data_stream/uptime/fields/fields.yml b/packages/system/0.12.0/data_stream/uptime/fields/fields.yml
deleted file mode 100755
index 7c61a13721..0000000000
--- a/packages/system/0.12.0/data_stream/uptime/fields/fields.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-- name: system.uptime
- type: group
- fields:
- - name: duration.ms
- type: long
- format: duration
- unit: ms
- metric_type: counter
- description: |
- The OS uptime in milliseconds.
diff --git a/packages/system/0.12.0/data_stream/uptime/manifest.yml b/packages/system/0.12.0/data_stream/uptime/manifest.yml
deleted file mode 100755
index d1fc1f1579..0000000000
--- a/packages/system/0.12.0/data_stream/uptime/manifest.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-title: System uptime metrics
-release: experimental
-type: metrics
-streams:
- - input: system/metrics
- vars:
- - name: period
- type: text
- title: Period
- multi: false
- required: true
- show_user: true
- default: 10s
- title: System uptime metrics
- description: Collect System uptime metrics
diff --git a/packages/system/0.12.0/docs/README.md b/packages/system/0.12.0/docs/README.md
deleted file mode 100755
index b4827024bb..0000000000
--- a/packages/system/0.12.0/docs/README.md
+++ /dev/null
@@ -1,1650 +0,0 @@ -# System Integration - -The System integrations allows you to monitor your servers. Because the System integration -always applies to the local server, the `hosts` config option is not needed. - -The default datasets are `cpu`, `load`, `memory`, `network`, `process`, and -`process_summary`. If _all_ datasets are disabled -and the System module is still enabled, fleet uses the default datasets. - -Note that certain datasets may access `/proc` to gather process information, -and the resulting `ptrace_may_access()` call by the kernel to check for -permissions can be blocked by -[AppArmor and other LSM software](https://gitlab.com/apparmor/apparmor/wikis/TechnicalDoc_Proc_and_ptrace), even though the System module doesn't use `ptrace` directly. - -In addition, when running inside a container the proc filesystem directory of the host -should be set using `system.hostfs` setting to `/hostfs`. - -## Compatibility - -The System datasets collect different kinds of metric data, which may require dedicated permissions -to be fetched and which may vary across operating systems. - -## Logs - -### Application - -The Windows `application` dataset provides events from the Windows -`Application` event log. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. 
| keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| error.message | Error message. | text | -| event.code | Identification code for this event. | keyword | -| event.created | Time when the event was first read by an agent or by your pipeline. | date | -| event.ingested | Timestamp when an event arrived in the central data store. | date | -| event.original | Raw text message of entire event. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. 
| keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword | -| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword | -| winlog.channel | The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. | keyword | -| winlog.computer_name | The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. | keyword | -| winlog.event_data | The event-specific data. This field is mutually exclusive with `user_data`. 
If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. | object | -| winlog.event_data.AuthenticationPackageName | | keyword | -| winlog.event_data.Binary | | keyword | -| winlog.event_data.BitlockerUserInputTime | | keyword | -| winlog.event_data.BootMode | | keyword | -| winlog.event_data.BootType | | keyword | -| winlog.event_data.BuildVersion | | keyword | -| winlog.event_data.Company | | keyword | -| winlog.event_data.CorruptionActionState | | keyword | -| winlog.event_data.CreationUtcTime | | keyword | -| winlog.event_data.Description | | keyword | -| winlog.event_data.Detail | | keyword | -| winlog.event_data.DeviceName | | keyword | -| winlog.event_data.DeviceNameLength | | keyword | -| winlog.event_data.DeviceTime | | keyword | -| winlog.event_data.DeviceVersionMajor | | keyword | -| winlog.event_data.DeviceVersionMinor | | keyword | -| winlog.event_data.DriveName | | keyword | -| winlog.event_data.DriverName | | keyword | -| winlog.event_data.DriverNameLength | | keyword | -| winlog.event_data.DwordVal | | keyword | -| winlog.event_data.EntryCount | | keyword | -| winlog.event_data.ExtraInfo | | keyword | -| winlog.event_data.FailureName | | keyword | -| winlog.event_data.FailureNameLength | | keyword | -| winlog.event_data.FileVersion | | keyword | -| winlog.event_data.FinalStatus | | keyword | -| winlog.event_data.Group | | keyword | -| winlog.event_data.IdleImplementation | | keyword | -| winlog.event_data.IdleStateCount | | keyword | -| winlog.event_data.ImpersonationLevel | | keyword | -| winlog.event_data.IntegrityLevel | | keyword | -| winlog.event_data.IpAddress | | keyword | -| winlog.event_data.IpPort | | keyword | -| winlog.event_data.KeyLength | | keyword | -| winlog.event_data.LastBootGood | | keyword | -| winlog.event_data.LastShutdownGood | | keyword | -| 
winlog.event_data.LmPackageName | | keyword | -| winlog.event_data.LogonGuid | | keyword | -| winlog.event_data.LogonId | | keyword | -| winlog.event_data.LogonProcessName | | keyword | -| winlog.event_data.LogonType | | keyword | -| winlog.event_data.MajorVersion | | keyword | -| winlog.event_data.MaximumPerformancePercent | | keyword | -| winlog.event_data.MemberName | | keyword | -| winlog.event_data.MemberSid | | keyword | -| winlog.event_data.MinimumPerformancePercent | | keyword | -| winlog.event_data.MinimumThrottlePercent | | keyword | -| winlog.event_data.MinorVersion | | keyword | -| winlog.event_data.NewProcessId | | keyword | -| winlog.event_data.NewProcessName | | keyword | -| winlog.event_data.NewSchemeGuid | | keyword | -| winlog.event_data.NewTime | | keyword | -| winlog.event_data.NominalFrequency | | keyword | -| winlog.event_data.Number | | keyword | -| winlog.event_data.OldSchemeGuid | | keyword | -| winlog.event_data.OldTime | | keyword | -| winlog.event_data.OriginalFileName | | keyword | -| winlog.event_data.Path | | keyword | -| winlog.event_data.PerformanceImplementation | | keyword | -| winlog.event_data.PreviousCreationUtcTime | | keyword | -| winlog.event_data.PreviousTime | | keyword | -| winlog.event_data.PrivilegeList | | keyword | -| winlog.event_data.ProcessId | | keyword | -| winlog.event_data.ProcessName | | keyword | -| winlog.event_data.ProcessPath | | keyword | -| winlog.event_data.ProcessPid | | keyword | -| winlog.event_data.Product | | keyword | -| winlog.event_data.PuaCount | | keyword | -| winlog.event_data.PuaPolicyId | | keyword | -| winlog.event_data.QfeVersion | | keyword | -| winlog.event_data.Reason | | keyword | -| winlog.event_data.SchemaVersion | | keyword | -| winlog.event_data.ScriptBlockText | | keyword | -| winlog.event_data.ServiceName | | keyword | -| winlog.event_data.ServiceVersion | | keyword | -| winlog.event_data.ShutdownActionType | | keyword | -| winlog.event_data.ShutdownEventCode | | keyword | -| 
winlog.event_data.ShutdownReason | | keyword | -| winlog.event_data.Signature | | keyword | -| winlog.event_data.SignatureStatus | | keyword | -| winlog.event_data.Signed | | keyword | -| winlog.event_data.StartTime | | keyword | -| winlog.event_data.State | | keyword | -| winlog.event_data.Status | | keyword | -| winlog.event_data.StopTime | | keyword | -| winlog.event_data.SubjectDomainName | | keyword | -| winlog.event_data.SubjectLogonId | | keyword | -| winlog.event_data.SubjectUserName | | keyword | -| winlog.event_data.SubjectUserSid | | keyword | -| winlog.event_data.TSId | | keyword | -| winlog.event_data.TargetDomainName | | keyword | -| winlog.event_data.TargetInfo | | keyword | -| winlog.event_data.TargetLogonGuid | | keyword | -| winlog.event_data.TargetLogonId | | keyword | -| winlog.event_data.TargetServerName | | keyword | -| winlog.event_data.TargetUserName | | keyword | -| winlog.event_data.TargetUserSid | | keyword | -| winlog.event_data.TerminalSessionId | | keyword | -| winlog.event_data.TokenElevationType | | keyword | -| winlog.event_data.TransmittedServices | | keyword | -| winlog.event_data.UserSid | | keyword | -| winlog.event_data.Version | | keyword | -| winlog.event_data.Workstation | | keyword | -| winlog.event_data.param1 | | keyword | -| winlog.event_data.param2 | | keyword | -| winlog.event_data.param3 | | keyword | -| winlog.event_data.param4 | | keyword | -| winlog.event_data.param5 | | keyword | -| winlog.event_data.param6 | | keyword | -| winlog.event_data.param7 | | keyword | -| winlog.event_data.param8 | | keyword | -| winlog.event_id | The event identifier. The value is specific to the source of the event. | keyword | -| winlog.keywords | The keywords are used to classify an event. | keyword | -| winlog.opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. 
| keyword | -| winlog.process.pid | The process_id of the Client Server Runtime Process. | long | -| winlog.process.thread.id | | long | -| winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. | keyword | -| winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword | -| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | keyword | -| winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. | keyword | -| winlog.task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. | keyword | -| winlog.user.domain | The domain that the account associated with this event is a member of. | keyword | -| winlog.user.identifier | The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. | keyword | -| winlog.user.name | Name of the user associated with this event. | keyword | -| winlog.user.type | The type of account associated with this event. | keyword | -| winlog.user_data | The event specific data. This field is mutually exclusive with `event_data`. 
| object | -| winlog.version | The version number of the event's definition. | long | - - -### System - -The Windows `system` dataset provides events from the Windows `System` -event log. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| error.message | Error message. | text | -| event.created | Time when the event was first read by an agent or by your pipeline. | date | -| event.ingested | Timestamp when an event arrived in the central data store. | date | -| event.original | Raw text message of entire event. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. 
| boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword | -| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. 
The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword | -| winlog.channel | The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. | keyword | -| winlog.computer_name | The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. | keyword | -| winlog.event_data | The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. | object | -| winlog.event_data.AuthenticationPackageName | | keyword | -| winlog.event_data.Binary | | keyword | -| winlog.event_data.BitlockerUserInputTime | | keyword | -| winlog.event_data.BootMode | | keyword | -| winlog.event_data.BootType | | keyword | -| winlog.event_data.BuildVersion | | keyword | -| winlog.event_data.Company | | keyword | -| winlog.event_data.CorruptionActionState | | keyword | -| winlog.event_data.CreationUtcTime | | keyword | -| winlog.event_data.Description | | keyword | -| winlog.event_data.Detail | | keyword | -| winlog.event_data.DeviceName | | keyword | -| winlog.event_data.DeviceNameLength | | keyword | -| winlog.event_data.DeviceTime | | keyword | -| winlog.event_data.DeviceVersionMajor | | keyword | -| winlog.event_data.DeviceVersionMinor | | keyword | -| winlog.event_data.DriveName | | keyword | -| winlog.event_data.DriverName | | keyword | -| winlog.event_data.DriverNameLength | | keyword | -| winlog.event_data.DwordVal | | keyword | -| 
winlog.event_data.EntryCount | | keyword | -| winlog.event_data.ExtraInfo | | keyword | -| winlog.event_data.FailureName | | keyword | -| winlog.event_data.FailureNameLength | | keyword | -| winlog.event_data.FileVersion | | keyword | -| winlog.event_data.FinalStatus | | keyword | -| winlog.event_data.Group | | keyword | -| winlog.event_data.IdleImplementation | | keyword | -| winlog.event_data.IdleStateCount | | keyword | -| winlog.event_data.ImpersonationLevel | | keyword | -| winlog.event_data.IntegrityLevel | | keyword | -| winlog.event_data.IpAddress | | keyword | -| winlog.event_data.IpPort | | keyword | -| winlog.event_data.KeyLength | | keyword | -| winlog.event_data.LastBootGood | | keyword | -| winlog.event_data.LastShutdownGood | | keyword | -| winlog.event_data.LmPackageName | | keyword | -| winlog.event_data.LogonGuid | | keyword | -| winlog.event_data.LogonId | | keyword | -| winlog.event_data.LogonProcessName | | keyword | -| winlog.event_data.LogonType | | keyword | -| winlog.event_data.MajorVersion | | keyword | -| winlog.event_data.MaximumPerformancePercent | | keyword | -| winlog.event_data.MemberName | | keyword | -| winlog.event_data.MemberSid | | keyword | -| winlog.event_data.MinimumPerformancePercent | | keyword | -| winlog.event_data.MinimumThrottlePercent | | keyword | -| winlog.event_data.MinorVersion | | keyword | -| winlog.event_data.NewProcessId | | keyword | -| winlog.event_data.NewProcessName | | keyword | -| winlog.event_data.NewSchemeGuid | | keyword | -| winlog.event_data.NewTime | | keyword | -| winlog.event_data.NominalFrequency | | keyword | -| winlog.event_data.Number | | keyword | -| winlog.event_data.OldSchemeGuid | | keyword | -| winlog.event_data.OldTime | | keyword | -| winlog.event_data.OriginalFileName | | keyword | -| winlog.event_data.Path | | keyword | -| winlog.event_data.PerformanceImplementation | | keyword | -| winlog.event_data.PreviousCreationUtcTime | | keyword | -| winlog.event_data.PreviousTime | | keyword | 
-| winlog.event_data.PrivilegeList | | keyword | -| winlog.event_data.ProcessId | | keyword | -| winlog.event_data.ProcessName | | keyword | -| winlog.event_data.ProcessPath | | keyword | -| winlog.event_data.ProcessPid | | keyword | -| winlog.event_data.Product | | keyword | -| winlog.event_data.PuaCount | | keyword | -| winlog.event_data.PuaPolicyId | | keyword | -| winlog.event_data.QfeVersion | | keyword | -| winlog.event_data.Reason | | keyword | -| winlog.event_data.SchemaVersion | | keyword | -| winlog.event_data.ScriptBlockText | | keyword | -| winlog.event_data.ServiceName | | keyword | -| winlog.event_data.ServiceVersion | | keyword | -| winlog.event_data.ShutdownActionType | | keyword | -| winlog.event_data.ShutdownEventCode | | keyword | -| winlog.event_data.ShutdownReason | | keyword | -| winlog.event_data.Signature | | keyword | -| winlog.event_data.SignatureStatus | | keyword | -| winlog.event_data.Signed | | keyword | -| winlog.event_data.StartTime | | keyword | -| winlog.event_data.State | | keyword | -| winlog.event_data.Status | | keyword | -| winlog.event_data.StopTime | | keyword | -| winlog.event_data.SubjectDomainName | | keyword | -| winlog.event_data.SubjectLogonId | | keyword | -| winlog.event_data.SubjectUserName | | keyword | -| winlog.event_data.SubjectUserSid | | keyword | -| winlog.event_data.TSId | | keyword | -| winlog.event_data.TargetDomainName | | keyword | -| winlog.event_data.TargetInfo | | keyword | -| winlog.event_data.TargetLogonGuid | | keyword | -| winlog.event_data.TargetLogonId | | keyword | -| winlog.event_data.TargetServerName | | keyword | -| winlog.event_data.TargetUserName | | keyword | -| winlog.event_data.TargetUserSid | | keyword | -| winlog.event_data.TerminalSessionId | | keyword | -| winlog.event_data.TokenElevationType | | keyword | -| winlog.event_data.TransmittedServices | | keyword | -| winlog.event_data.UserSid | | keyword | -| winlog.event_data.Version | | keyword | -| winlog.event_data.Workstation | | 
keyword | -| winlog.event_data.param1 | | keyword | -| winlog.event_data.param2 | | keyword | -| winlog.event_data.param3 | | keyword | -| winlog.event_data.param4 | | keyword | -| winlog.event_data.param5 | | keyword | -| winlog.event_data.param6 | | keyword | -| winlog.event_data.param7 | | keyword | -| winlog.event_data.param8 | | keyword | -| winlog.event_id | The event identifier. The value is specific to the source of the event. | keyword | -| winlog.keywords | The keywords are used to classify an event. | keyword | -| winlog.opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. | keyword | -| winlog.process.pid | The process_id of the Client Server Runtime Process. | long | -| winlog.process.thread.id | | long | -| winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. | keyword | -| winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword | -| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | keyword | -| winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. | keyword | -| winlog.task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. 
| keyword | -| winlog.user.domain | The domain that the account associated with this event is a member of. | keyword | -| winlog.user.identifier | The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. | keyword | -| winlog.user.name | Name of the user associated with this event. | keyword | -| winlog.user.type | The type of account associated with this event. | keyword | -| winlog.user_data | The event specific data. This field is mutually exclusive with `event_data`. | object | -| winlog.version | The version number of the event's definition. | long | - - - -### Security - -The Windows `security` dataset provides events from the Windows -`Security` event log. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. 
| keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset name. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| dataset.name | Dataset name. | constant_keyword | -| dataset.namespace | Dataset namespace. | constant_keyword | -| dataset.type | Dataset type. | constant_keyword | -| event.action | The action captured by the event. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. | keyword | -| event.code | Identification code for this event, if one exists. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. | date | -| event.ingested | Timestamp when an event arrived in the central data store. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. | keyword | -| event.module | Name of the module this data is coming from. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. | keyword | -| event.provider | Source of the event. | keyword | -| event.sequence | Sequence number of the event. | long | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. | keyword | -| group.domain | Name of the directory the group is a member of. | keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. 
| boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| log.level | Original log level of the log event. | keyword | -| process.args | Array of process arguments, starting with the absolute path to the executable. | keyword | -| process.args_count | Length of the process.args array. | long | -| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. 
| keyword | -| process.entity_id | Unique identifier for the process. | keyword | -| process.executable | Absolute path to the process executable. | keyword | -| process.name | Process name. | keyword | -| process.parent.executable | Absolute path to the process executable. | keyword | -| process.parent.name | Process name. | keyword | -| process.pid | Process PID. | long | -| process.title | Process title. | keyword | -| related.hash | | keyword | -| related.hosts | | keyword | -| related.ip | | ip | -| related.user | | keyword | -| service.name | Name of the service data is collected from. | keyword | -| service.type | The type of the service data is collected from. | keyword | -| source.domain | Source domain. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| user.domain | Name of the directory the user is a member of. | keyword | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.target.group.domain | Name of the directory the group is a member of. | keyword | -| user.target.group.id | Unique identifier for the group on the system/platform. | keyword | -| user.target.group.name | Name of the group. | keyword | -| user.target.name | Short name or login of the user. | keyword | -| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword | -| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. 
Winlogbeat automatically detects which API to use for reading event logs. | keyword | -| winlog.channel | The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. | keyword | -| winlog.computer_name | The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. | keyword | -| winlog.event_data | The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. | object | -| winlog.event_data.AuthenticationPackageName | | keyword | -| winlog.event_data.Binary | | keyword | -| winlog.event_data.BitlockerUserInputTime | | keyword | -| winlog.event_data.BootMode | | keyword | -| winlog.event_data.BootType | | keyword | -| winlog.event_data.BuildVersion | | keyword | -| winlog.event_data.Company | | keyword | -| winlog.event_data.CorruptionActionState | | keyword | -| winlog.event_data.CreationUtcTime | | keyword | -| winlog.event_data.Description | | keyword | -| winlog.event_data.Detail | | keyword | -| winlog.event_data.DeviceName | | keyword | -| winlog.event_data.DeviceNameLength | | keyword | -| winlog.event_data.DeviceTime | | keyword | -| winlog.event_data.DeviceVersionMajor | | keyword | -| winlog.event_data.DeviceVersionMinor | | keyword | -| winlog.event_data.DriveName | | keyword | -| winlog.event_data.DriverName | | keyword | -| winlog.event_data.DriverNameLength | | keyword | -| winlog.event_data.DwordVal | | keyword | -| winlog.event_data.EntryCount | | keyword | -| winlog.event_data.ExtraInfo | | keyword | -| winlog.event_data.FailureName | | keyword | -| winlog.event_data.FailureNameLength | | keyword | -| winlog.event_data.FileVersion | | keyword | -| 
winlog.event_data.FinalStatus | | keyword | -| winlog.event_data.Group | | keyword | -| winlog.event_data.IdleImplementation | | keyword | -| winlog.event_data.IdleStateCount | | keyword | -| winlog.event_data.ImpersonationLevel | | keyword | -| winlog.event_data.IntegrityLevel | | keyword | -| winlog.event_data.IpAddress | | keyword | -| winlog.event_data.IpPort | | keyword | -| winlog.event_data.KeyLength | | keyword | -| winlog.event_data.LastBootGood | | keyword | -| winlog.event_data.LastShutdownGood | | keyword | -| winlog.event_data.LmPackageName | | keyword | -| winlog.event_data.LogonGuid | | keyword | -| winlog.event_data.LogonId | | keyword | -| winlog.event_data.LogonProcessName | | keyword | -| winlog.event_data.LogonType | | keyword | -| winlog.event_data.MajorVersion | | keyword | -| winlog.event_data.MaximumPerformancePercent | | keyword | -| winlog.event_data.MemberName | | keyword | -| winlog.event_data.MemberSid | | keyword | -| winlog.event_data.MinimumPerformancePercent | | keyword | -| winlog.event_data.MinimumThrottlePercent | | keyword | -| winlog.event_data.MinorVersion | | keyword | -| winlog.event_data.NewProcessId | | keyword | -| winlog.event_data.NewProcessName | | keyword | -| winlog.event_data.NewSchemeGuid | | keyword | -| winlog.event_data.NewTime | | keyword | -| winlog.event_data.NominalFrequency | | keyword | -| winlog.event_data.Number | | keyword | -| winlog.event_data.OldSchemeGuid | | keyword | -| winlog.event_data.OldTime | | keyword | -| winlog.event_data.OriginalFileName | | keyword | -| winlog.event_data.Path | | keyword | -| winlog.event_data.PerformanceImplementation | | keyword | -| winlog.event_data.PreviousCreationUtcTime | | keyword | -| winlog.event_data.PreviousTime | | keyword | -| winlog.event_data.PrivilegeList | | keyword | -| winlog.event_data.ProcessId | | keyword | -| winlog.event_data.ProcessName | | keyword | -| winlog.event_data.ProcessPath | | keyword | -| winlog.event_data.ProcessPid | | keyword | -| 
winlog.event_data.Product | | keyword | -| winlog.event_data.PuaCount | | keyword | -| winlog.event_data.PuaPolicyId | | keyword | -| winlog.event_data.QfeVersion | | keyword | -| winlog.event_data.Reason | | keyword | -| winlog.event_data.SchemaVersion | | keyword | -| winlog.event_data.ScriptBlockText | | keyword | -| winlog.event_data.ServiceName | | keyword | -| winlog.event_data.ServiceVersion | | keyword | -| winlog.event_data.ShutdownActionType | | keyword | -| winlog.event_data.ShutdownEventCode | | keyword | -| winlog.event_data.ShutdownReason | | keyword | -| winlog.event_data.Signature | | keyword | -| winlog.event_data.SignatureStatus | | keyword | -| winlog.event_data.Signed | | keyword | -| winlog.event_data.StartTime | | keyword | -| winlog.event_data.State | | keyword | -| winlog.event_data.Status | | keyword | -| winlog.event_data.StopTime | | keyword | -| winlog.event_data.SubjectDomainName | | keyword | -| winlog.event_data.SubjectLogonId | | keyword | -| winlog.event_data.SubjectUserName | | keyword | -| winlog.event_data.SubjectUserSid | | keyword | -| winlog.event_data.TSId | | keyword | -| winlog.event_data.TargetDomainName | | keyword | -| winlog.event_data.TargetInfo | | keyword | -| winlog.event_data.TargetLogonGuid | | keyword | -| winlog.event_data.TargetLogonId | | keyword | -| winlog.event_data.TargetServerName | | keyword | -| winlog.event_data.TargetUserName | | keyword | -| winlog.event_data.TargetUserSid | | keyword | -| winlog.event_data.TerminalSessionId | | keyword | -| winlog.event_data.TokenElevationType | | keyword | -| winlog.event_data.TransmittedServices | | keyword | -| winlog.event_data.UserSid | | keyword | -| winlog.event_data.Version | | keyword | -| winlog.event_data.Workstation | | keyword | -| winlog.event_data.param1 | | keyword | -| winlog.event_data.param2 | | keyword | -| winlog.event_data.param3 | | keyword | -| winlog.event_data.param4 | | keyword | -| winlog.event_data.param5 | | keyword | -| 
winlog.event_data.param6 | | keyword | -| winlog.event_data.param7 | | keyword | -| winlog.event_data.param8 | | keyword | -| winlog.event_id | The event identifier. The value is specific to the source of the event. | keyword | -| winlog.keywords | The keywords are used to classify an event. | keyword | -| winlog.logon.failure.reason | The reason the logon failed. | keyword | -| winlog.logon.failure.status | The reason the logon failed. This is textual description based on the value of the hexadecimal `Status` field. | keyword | -| winlog.logon.failure.sub_status | Additional information about the logon failure. This is a textual description based on the value of the hexidecimal `SubStatus` field. | keyword | -| winlog.logon.id | Logon ID that can be used to associate this logon with other events related to the same logon session. | keyword | -| winlog.logon.type | Logon type name. This is the descriptive version of the `winlog.event_data.LogonType` ordinal. This is an enrichment added by the Security module. | keyword | -| winlog.opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. | keyword | -| winlog.process.pid | The process_id of the Client Server Runtime Process. | long | -| winlog.process.thread.id | | long | -| winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. | keyword | -| winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword | -| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. 
| keyword | -| winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. | keyword | -| winlog.task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. | keyword | -| winlog.user.domain | The domain that the account associated with this event is a member of. | keyword | -| winlog.user.identifier | The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. | keyword | -| winlog.user.name | Name of the user associated with this event. | keyword | -| winlog.user.type | The type of account associated with this event. | keyword | -| winlog.user_data | The event specific data. This field is mutually exclusive with `event_data`. | object | -| winlog.version | The version number of the event's definition. | long | - - -### Auth - -The `auth` dataset provides auth logs on linux and MacOS prior to 10.8. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. 
| keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| error.message | Error message. | text | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the directory the group is a member of. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). 
| keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.pid | Process id. | long | -| related.hosts | All the host names seen on your event. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names seen on your event. | keyword | -| source.as.number | Unique number allocated to the autonomous system. | long | -| source.as.organization.name | Organization name. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. 
| long | -| system.auth.ssh.dropped_ip | The client IP from SSH connections that are open and immediately dropped. | ip | -| system.auth.ssh.event | The SSH event as found in the logs (Accepted, Invalid, Failed, etc.) | keyword | -| system.auth.ssh.method | The SSH authentication method. Can be one of "password" or "publickey". | keyword | -| system.auth.ssh.signature | The signature of the client public key. | keyword | -| system.auth.sudo.command | The command executed via sudo. | keyword | -| system.auth.sudo.error | The error message in case the sudo command failed. | keyword | -| system.auth.sudo.pwd | The current directory where the sudo command is executed. | keyword | -| system.auth.sudo.tty | The TTY where the sudo command is executed. | keyword | -| system.auth.sudo.user | The target user to which the sudo command is switching. | keyword | -| system.auth.useradd.home | The home folder for the new user. | keyword | -| system.auth.useradd.shell | The default shell for the new user. | keyword | -| user.effective.name | Short name or login of the user. | keyword | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| version | Operating system version as a raw string. | keyword | - - -### syslog - -The `syslog` dataset provides system logs on linux and MacOS. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). 
| keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.pid | Process id. | long | -| version | Operating system version as a raw string. | keyword | - - -## Metrics - -### Core - -The System `core` dataset provides usage statistics for each CPU core. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- OpenBSD -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. 
| keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip address. | ip | -| host.mac | Host mac address. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.full | Operating system name, including the version or code name. 
| keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. | keyword | -| system.core.id | CPU Core number. | keyword | -| system.core.idle.pct | The percentage of CPU time spent idle. | scaled_float | -| system.core.idle.ticks | The amount of CPU time spent idle. | long | -| system.core.iowait.pct | The percentage of CPU time spent in wait (on disk). | scaled_float | -| system.core.iowait.ticks | The amount of CPU time spent in wait (on disk). | long | -| system.core.irq.pct | The percentage of CPU time spent servicing and handling hardware interrupts. | scaled_float | -| system.core.irq.ticks | The amount of CPU time spent servicing and handling hardware interrupts. | long | -| system.core.nice.pct | The percentage of CPU time spent on low-priority processes. | scaled_float | -| system.core.nice.ticks | The amount of CPU time spent on low-priority processes. | long | -| system.core.softirq.pct | The percentage of CPU time spent servicing and handling software interrupts. | scaled_float | -| system.core.softirq.ticks | The amount of CPU time spent servicing and handling software interrupts. | long | -| system.core.steal.pct | The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | scaled_float | -| system.core.steal.ticks | The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | long | -| system.core.system.pct | The percentage of CPU time spent in kernel space. | scaled_float | -| system.core.system.ticks | The amount of CPU time spent in kernel space. 
| long | -| system.core.user.pct | The percentage of CPU time spent in user space. | scaled_float | -| system.core.user.ticks | The amount of CPU time spent in user space. | long | - - -### CPU - -The System `cpu` dataset provides CPU statistics. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- OpenBSD -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.cpu.pct | Percent CPU used. This value is normalized by the number of CPU cores and it ranges from 0 to 1. 
| scaled_float | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip address. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| system.cpu.cores | The number of CPU cores present on the host. The non-normalized percentages will have a maximum value of `100% * cores`. The normalized percentages already take this value into account and have a maximum value of 100%. | long | -| system.cpu.idle.norm.pct | The percentage of CPU time spent idle. 
| scaled_float | -| system.cpu.idle.pct | The percentage of CPU time spent idle. | scaled_float | -| system.cpu.idle.ticks | The amount of CPU time spent idle. | long | -| system.cpu.iowait.norm.pct | The percentage of CPU time spent in wait (on disk). | scaled_float | -| system.cpu.iowait.pct | The percentage of CPU time spent in wait (on disk). | scaled_float | -| system.cpu.iowait.ticks | The amount of CPU time spent in wait (on disk). | long | -| system.cpu.irq.norm.pct | The percentage of CPU time spent servicing and handling hardware interrupts. | scaled_float | -| system.cpu.irq.pct | The percentage of CPU time spent servicing and handling hardware interrupts. | scaled_float | -| system.cpu.irq.ticks | The amount of CPU time spent servicing and handling hardware interrupts. | long | -| system.cpu.nice.norm.pct | The percentage of CPU time spent on low-priority processes. | scaled_float | -| system.cpu.nice.pct | The percentage of CPU time spent on low-priority processes. | scaled_float | -| system.cpu.nice.ticks | The amount of CPU time spent on low-priority processes. | long | -| system.cpu.softirq.norm.pct | The percentage of CPU time spent servicing and handling software interrupts. | scaled_float | -| system.cpu.softirq.pct | The percentage of CPU time spent servicing and handling software interrupts. | scaled_float | -| system.cpu.softirq.ticks | The amount of CPU time spent servicing and handling software interrupts. | long | -| system.cpu.steal.norm.pct | The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | scaled_float | -| system.cpu.steal.pct | The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. 
| scaled_float | -| system.cpu.steal.ticks | The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | long | -| system.cpu.system.norm.pct | The percentage of CPU time spent in kernel space. | scaled_float | -| system.cpu.system.pct | The percentage of CPU time spent in kernel space. | scaled_float | -| system.cpu.system.ticks | The amount of CPU time spent in kernel space. | long | -| system.cpu.total.norm.pct | The percentage of CPU time in states other than Idle and IOWait, normalised by the number of cores. | scaled_float | -| system.cpu.total.pct | The percentage of CPU time spent in states other than Idle and IOWait. | scaled_float | -| system.cpu.user.norm.pct | The percentage of CPU time spent in user space. | scaled_float | -| system.cpu.user.pct | The percentage of CPU time spent in user space. On multi-core systems, you can have percentages that are greater than 100%. For example, if 3 cores are at 60% use, then the `system.cpu.user.pct` will be 180%. | scaled_float | -| system.cpu.user.ticks | The amount of CPU time spent in user space. | long | - - -### Disk IO - -The System `diskio` dataset provides disk IO metrics collected from the -operating system. One event is created for each disk mounted on the system. - -This dataset is available on: - -- Linux -- macOS (requires 10.10+) -- Windows -- FreeBSD (amd64) - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. 
| keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.disk.read.bytes | The total number of bytes read successfully in a given period of time. | scaled_float | -| host.disk.write.bytes | The total number of bytes write successfully in a given period of time. | scaled_float | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. 
The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| system.diskio.io.time | The total number of of milliseconds spent doing I/Os. | long | -| system.diskio.iostat.await | The average time spent for requests issued to the device to be served. | float | -| system.diskio.iostat.busy | Percentage of CPU time during which I/O requests were issued to the device (bandwidth utilization for the device). Device saturation occurs when this value is close to 100%. | float | -| system.diskio.iostat.queue.avg_size | The average queue length of the requests that were issued to the device. | float | -| system.diskio.iostat.read.await | The average time spent for read requests issued to the device to be served. | float | -| system.diskio.iostat.read.per_sec.bytes | The number of Bytes read from the device per second. | float | -| system.diskio.iostat.read.request.merges_per_sec | The number of read requests merged per second that were queued to the device. 
| float | -| system.diskio.iostat.read.request.per_sec | The number of read requests that were issued to the device per second | float | -| system.diskio.iostat.request.avg_size | The average size (in bytes) of the requests that were issued to the device. | float | -| system.diskio.iostat.service_time | The average service time (in milliseconds) for I/O requests that were issued to the device. | float | -| system.diskio.iostat.write.await | The average time spent for write requests issued to the device to be served. | float | -| system.diskio.iostat.write.per_sec.bytes | The number of Bytes write from the device per second. | float | -| system.diskio.iostat.write.request.merges_per_sec | The number of write requests merged per second that were queued to the device. | float | -| system.diskio.iostat.write.request.per_sec | The number of write requests that were issued to the device per second | float | -| system.diskio.name | The disk name. | keyword | -| system.diskio.read.bytes | The total number of bytes read successfully. On Linux this is the number of sectors read multiplied by an assumed sector size of 512. | long | -| system.diskio.read.count | The total number of reads completed successfully. | long | -| system.diskio.read.time | The total number of milliseconds spent by all reads. | long | -| system.diskio.serial_number | The disk's serial number. This may not be provided by all operating systems. | keyword | -| system.diskio.write.bytes | The total number of bytes written successfully. On Linux this is the number of sectors written multiplied by an assumed sector size of 512. | long | -| system.diskio.write.count | The total number of writes completed successfully. | long | -| system.diskio.write.time | The total number of milliseconds spent by all writes. | long | - - -### Filesystem - -The System `filesystem` dataset provides file system statistics. For each file -system, one document is provided. 
- -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- OpenBSD -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. 
As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| system.filesystem.available | The disk space available to an unprivileged user in bytes. | long | -| system.filesystem.device_name | The disk name. For example: `/dev/disk1` | keyword | -| system.filesystem.files | The total number of file nodes in the file system. | long | -| system.filesystem.free | The disk space available in bytes. | long | -| system.filesystem.free_files | The number of free file nodes in the file system. | long | -| system.filesystem.mount_point | The mounting point. For example: `/` | keyword | -| system.filesystem.total | The total disk space in bytes. | long | -| system.filesystem.type | The disk type. For example: `ext4` | keyword | -| system.filesystem.used.bytes | The used disk space in bytes. | long | -| system.filesystem.used.pct | The percentage of used disk space. 
| scaled_float | - - -### Fsstat - -The System `fsstat` dataset provides overall file system statistics. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- OpenBSD -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. 
It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. | keyword | -| system.fsstat.count | Number of file systems found. | long | -| system.fsstat.total_files | Total number of files. | long | -| system.fsstat.total_size.free | Total free space. | long | -| system.fsstat.total_size.total | Total space (used plus free). | long | -| system.fsstat.total_size.used | Total used space. | long | - - -### Load - -The System `load` dataset provides load statistics. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- OpenBSD - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac address. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. 
The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. | keyword | -| system.load.1 | Load average for the last minute. | scaled_float | -| system.load.15 | Load average for the last 15 minutes. | scaled_float | -| system.load.5 | Load average for the last 5 minutes. | scaled_float | -| system.load.cores | The number of CPU cores present on the host. | long | -| system.load.norm.1 | Load for the last minute divided by the number of cores. | scaled_float | -| system.load.norm.15 | Load for the last 15 minutes divided by the number of cores. | scaled_float | -| system.load.norm.5 | Load for the last 5 minutes divided by the number of cores. | scaled_float | - - -### Memory - -The System `memory` dataset provides memory statistics. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- OpenBSD -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. 
| keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip address. | ip | -| host.mac | Host mac address. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). 
| keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| system.memory.actual.free | Actual free memory in bytes. It is calculated based on the OS. On Linux this value will be MemAvailable from /proc/meminfo, or calculated from free memory plus caches and buffers if /proc/meminfo is not available. On OSX it is a sum of free memory and the inactive memory. On Windows, it is equal to `system.memory.free`. | long | -| system.memory.actual.used.bytes | Actual used memory in bytes. It represents the difference between the total and the available memory. The available memory depends on the OS. For more details, please check `system.actual.free`. | long | -| system.memory.actual.used.pct | The percentage of actual used memory. | scaled_float | -| system.memory.free | The total amount of free memory in bytes. This value does not include memory consumed by system caches and buffers (see system.memory.actual.free). | long | -| system.memory.hugepages.default_size | Default size for huge pages. | long | -| system.memory.hugepages.free | Number of available huge pages in the pool. | long | -| system.memory.hugepages.reserved | Number of reserved but not allocated huge pages in the pool. | long | -| system.memory.hugepages.surplus | Number of overcommited huge pages. 
| long | -| system.memory.hugepages.swap.out.fallback | Count of huge pages that must be split before swapout | long | -| system.memory.hugepages.swap.out.pages | pages swapped out | long | -| system.memory.hugepages.total | Number of huge pages in the pool. | long | -| system.memory.hugepages.used.bytes | Memory used in allocated huge pages. | long | -| system.memory.hugepages.used.pct | Percentage of huge pages used. | long | -| system.memory.page_stats.direct_efficiency.pct | direct reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory. | scaled_float | -| system.memory.page_stats.kswapd_efficiency.pct | kswapd reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory. | scaled_float | -| system.memory.page_stats.pgfree.pages | pages freed by the system | long | -| system.memory.page_stats.pgscan_direct.pages | pages scanned directly | long | -| system.memory.page_stats.pgscan_kswapd.pages | pages scanned by kswapd | long | -| system.memory.page_stats.pgsteal_direct.pages | number of pages reclaimed directly | long | -| system.memory.page_stats.pgsteal_kswapd.pages | number of pages reclaimed by kswapd | long | -| system.memory.swap.free | Available swap memory. | long | -| system.memory.swap.in.pages | count of pages swapped in | long | -| system.memory.swap.out.pages | count of pages swapped out | long | -| system.memory.swap.readahead.cached | swap readahead cache hits | long | -| system.memory.swap.readahead.pages | swap readahead pages | long | -| system.memory.swap.total | Total swap memory. | long | -| system.memory.swap.used.bytes | Used swap memory. | long | -| system.memory.swap.used.pct | The percentage of used swap memory. | scaled_float | -| system.memory.total | Total memory. | long | -| system.memory.used.bytes | Used memory. | long | -| system.memory.used.pct | The percentage of used memory. 
| scaled_float | - - -### Network - -The System `network` dataset provides network IO metrics collected from the -operating system. One event is created for each network interface. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. 
| constant_keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.network.in.bytes | The number of bytes received on all network interfaces by the host in a given period of time. | scaled_float | -| host.network.in.packets | The number of packets received on all network interfaces by the host in a given period of time. | long | -| host.network.out.bytes | The number of bytes sent out on all network interfaces by the host in a given period of time. | scaled_float | -| host.network.out.packets | The number of packets sent out on all network interfaces by the host in a given period of time. | long | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. 
| keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.pid | Process id. | long | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| system.network.in.bytes | The number of bytes received. | long | -| system.network.in.dropped | The number of incoming packets that were dropped. | long | -| system.network.in.errors | The number of errors while receiving. | long | -| system.network.in.packets | The number or packets received. | long | -| system.network.name | The network interface name. | keyword | -| system.network.out.bytes | The number of bytes sent. | long | -| system.network.out.dropped | The number of outgoing packets that were dropped. This value is always 0 on Darwin and BSD because it is not reported by the operating system. | long | -| system.network.out.errors | The number of errors while sending. 
| long | -| system.network.out.packets | The number of packets sent. | long | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | - - -### Process - -The System `process` dataset provides process statistics. One document is -provided for each process. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip address. | ip | -| host.mac | Host mac address. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| process.cpu.pct | The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 1. | scaled_float | -| process.cpu.start_time | The time when the process was started. | date | -| process.memory.pct | The percentage of memory the process occupied in main memory (RAM). | scaled_float | -| process.name | Process name. 
Sometimes called program name or similar. | keyword | -| process.pgid | Identifier of the group of processes the process belongs to. | long | -| process.pid | Process id. | long | -| process.ppid | Parent process' pid. | long | -| process.state | The process state. For example: "running". | keyword | -| process.working_directory | The working directory of the process. | keyword | -| system.process.cgroup.blkio.id | ID of the cgroup. | keyword | -| system.process.cgroup.blkio.path | Path to the cgroup relative to the cgroup subsystems mountpoint. | keyword | -| system.process.cgroup.blkio.total.bytes | Total number of bytes transferred to and from all block devices by processes in the cgroup. | long | -| system.process.cgroup.blkio.total.ios | Total number of I/O operations performed on all devices by processes in the cgroup as seen by the throttling policy. | long | -| system.process.cgroup.cpu.cfs.period.us | Period of time in microseconds for how regularly a cgroup's access to CPU resources should be reallocated. | long | -| system.process.cgroup.cpu.cfs.quota.us | Total amount of time in microseconds for which all tasks in a cgroup can run during one period (as defined by cfs.period.us). | long | -| system.process.cgroup.cpu.cfs.shares | An integer value that specifies a relative share of CPU time available to the tasks in a cgroup. The value specified in the cpu.shares file must be 2 or higher. | long | -| system.process.cgroup.cpu.id | ID of the cgroup. | keyword | -| system.process.cgroup.cpu.path | Path to the cgroup relative to the cgroup subsystem's mountpoint. | keyword | -| system.process.cgroup.cpu.rt.period.us | Period of time in microseconds for how regularly a cgroup's access to CPU resources is reallocated. | long | -| system.process.cgroup.cpu.rt.runtime.us | Period of time in microseconds for the longest continuous period in which the tasks in a cgroup have access to CPU resources. 
| long | -| system.process.cgroup.cpu.stats.periods | Number of period intervals (as specified in cpu.cfs.period.us) that have elapsed. | long | -| system.process.cgroup.cpu.stats.throttled.ns | The total time duration (in nanoseconds) for which tasks in a cgroup have been throttled. | long | -| system.process.cgroup.cpu.stats.throttled.periods | Number of times tasks in a cgroup have been throttled (that is, not allowed to run because they have exhausted all of the available time as specified by their quota). | long | -| system.process.cgroup.cpuacct.id | ID of the cgroup. | keyword | -| system.process.cgroup.cpuacct.path | Path to the cgroup relative to the cgroup subsystem's mountpoint. | keyword | -| system.process.cgroup.cpuacct.percpu | CPU time (in nanoseconds) consumed on each CPU by all tasks in this cgroup. | object | -| system.process.cgroup.cpuacct.stats.system.ns | CPU time consumed by tasks in user (kernel) mode. | long | -| system.process.cgroup.cpuacct.stats.user.ns | CPU time consumed by tasks in user mode. | long | -| system.process.cgroup.cpuacct.total.ns | Total CPU time in nanoseconds consumed by all tasks in the cgroup. | long | -| system.process.cgroup.id | The ID common to all cgroups associated with this task. If there isn't a common ID used by all cgroups this field will be absent. | keyword | -| system.process.cgroup.memory.id | ID of the cgroup. | keyword | -| system.process.cgroup.memory.kmem.failures | The number of times that the memory limit (kmem.limit.bytes) was reached. | long | -| system.process.cgroup.memory.kmem.limit.bytes | The maximum amount of kernel memory that tasks in the cgroup are allowed to use. | long | -| system.process.cgroup.memory.kmem.usage.bytes | Total kernel memory usage by processes in the cgroup (in bytes). | long | -| system.process.cgroup.memory.kmem.usage.max.bytes | The maximum kernel memory used by processes in the cgroup (in bytes). 
| long | -| system.process.cgroup.memory.kmem_tcp.failures | The number of times that the memory limit (kmem_tcp.limit.bytes) was reached. | long | -| system.process.cgroup.memory.kmem_tcp.limit.bytes | The maximum amount of memory for TCP buffers that tasks in the cgroup are allowed to use. | long | -| system.process.cgroup.memory.kmem_tcp.usage.bytes | Total memory usage for TCP buffers in bytes. | long | -| system.process.cgroup.memory.kmem_tcp.usage.max.bytes | The maximum memory used for TCP buffers by processes in the cgroup (in bytes). | long | -| system.process.cgroup.memory.mem.failures | The number of times that the memory limit (mem.limit.bytes) was reached. | long | -| system.process.cgroup.memory.mem.limit.bytes | The maximum amount of user memory in bytes (including file cache) that tasks in the cgroup are allowed to use. | long | -| system.process.cgroup.memory.mem.usage.bytes | Total memory usage by processes in the cgroup (in bytes). | long | -| system.process.cgroup.memory.mem.usage.max.bytes | The maximum memory used by processes in the cgroup (in bytes). | long | -| system.process.cgroup.memory.memsw.failures | The number of times that the memory plus swap space limit (memsw.limit.bytes) was reached. | long | -| system.process.cgroup.memory.memsw.limit.bytes | The maximum amount for the sum of memory and swap usage that tasks in the cgroup are allowed to use. | long | -| system.process.cgroup.memory.memsw.usage.bytes | The sum of current memory usage plus swap space used by processes in the cgroup (in bytes). | long | -| system.process.cgroup.memory.memsw.usage.max.bytes | The maximum amount of memory and swap space used by processes in the cgroup (in bytes). | long | -| system.process.cgroup.memory.path | Path to the cgroup relative to the cgroup subsystem's mountpoint. | keyword | -| system.process.cgroup.memory.stats.active_anon.bytes | Anonymous and swap cache on active least-recently-used (LRU) list, including tmpfs (shmem), in bytes. 
| long | -| system.process.cgroup.memory.stats.active_file.bytes | File-backed memory on active LRU list, in bytes. | long | -| system.process.cgroup.memory.stats.cache.bytes | Page cache, including tmpfs (shmem), in bytes. | long | -| system.process.cgroup.memory.stats.hierarchical_memory_limit.bytes | Memory limit for the hierarchy that contains the memory cgroup, in bytes. | long | -| system.process.cgroup.memory.stats.hierarchical_memsw_limit.bytes | Memory plus swap limit for the hierarchy that contains the memory cgroup, in bytes. | long | -| system.process.cgroup.memory.stats.inactive_anon.bytes | Anonymous and swap cache on inactive LRU list, including tmpfs (shmem), in bytes | long | -| system.process.cgroup.memory.stats.inactive_file.bytes | File-backed memory on inactive LRU list, in bytes. | long | -| system.process.cgroup.memory.stats.major_page_faults | Number of times that a process in the cgroup triggered a major fault. "Major" faults happen when the kernel actually has to read the data from disk. | long | -| system.process.cgroup.memory.stats.mapped_file.bytes | Size of memory-mapped mapped files, including tmpfs (shmem), in bytes. | long | -| system.process.cgroup.memory.stats.page_faults | Number of times that a process in the cgroup triggered a page fault. | long | -| system.process.cgroup.memory.stats.pages_in | Number of pages paged into memory. This is a counter. | long | -| system.process.cgroup.memory.stats.pages_out | Number of pages paged out of memory. This is a counter. | long | -| system.process.cgroup.memory.stats.rss.bytes | Anonymous and swap cache (includes transparent hugepages), not including tmpfs (shmem), in bytes. | long | -| system.process.cgroup.memory.stats.rss_huge.bytes | Number of bytes of anonymous transparent hugepages. | long | -| system.process.cgroup.memory.stats.swap.bytes | Swap usage, in bytes. | long | -| system.process.cgroup.memory.stats.unevictable.bytes | Memory that cannot be reclaimed, in bytes. 
| long | -| system.process.cgroup.path | The path to the cgroup relative to the cgroup subsystem's mountpoint. If there isn't a common path used by all cgroups this field will be absent. | keyword | -| system.process.cmdline | The full command-line used to start the process, including the arguments separated by space. | keyword | -| system.process.cpu.start_time | The time when the process was started. | date | -| system.process.cpu.system.ticks | The amount of CPU time the process spent in kernel space. | long | -| system.process.cpu.total.norm.pct | The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 100%. | scaled_float | -| system.process.cpu.total.pct | The percentage of CPU time spent by the process since the last update. Its value is similar to the %CPU value of the process displayed by the top command on Unix systems. | scaled_float | -| system.process.cpu.total.ticks | The total CPU time spent by the process. | long | -| system.process.cpu.total.value | The value of CPU usage since starting the process. | long | -| system.process.cpu.user.ticks | The amount of CPU time the process spent in user space. | long | -| system.process.env | The environment variables used to start the process. The data is available on FreeBSD, Linux, and OS X. | object | -| system.process.fd.limit.hard | The hard limit on the number of file descriptors opened by the process. The hard limit can only be raised by root. | long | -| system.process.fd.limit.soft | The soft limit on the number of file descriptors opened by the process. The soft limit can be changed by the process at any time. | long | -| system.process.fd.open | The number of file descriptors open by the process. | long | -| system.process.memory.rss.bytes | The Resident Set Size. The amount of memory the process occupied in main memory (RAM). On Windows this represents the current working set size, in bytes. 
| long | -| system.process.memory.rss.pct | The percentage of memory the process occupied in main memory (RAM). | scaled_float | -| system.process.memory.share | The shared memory the process uses. | long | -| system.process.memory.size | The total virtual memory the process has. On Windows this represents the Commit Charge (the total amount of memory that the memory manager has committed for a running process) value in bytes for this process. | long | -| system.process.state | The process state. For example: "running". | keyword | -| user.name | Short name or login of the user. | keyword | - - -### Process summary - -The `process_summary` dataset collects high level statistics about the running -processes. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. 
| keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.pid | Process id. | long | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| system.process.summary.dead | Number of dead processes on this host. It's very unlikely that it will appear but in some special situations it may happen. | long | -| system.process.summary.idle | Number of idle processes on this host. | long | -| system.process.summary.running | Number of running processes on this host. | long | -| system.process.summary.sleeping | Number of sleeping processes on this host. | long | -| system.process.summary.stopped | Number of stopped processes on this host. | long | -| system.process.summary.total | Total number of processes on this host. | long | -| system.process.summary.unknown | Number of processes for which the state couldn't be retrieved or is unknown. | long | -| system.process.summary.zombie | Number of zombie processes on this host. | long | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. 
| keyword | - - -### Socket summary - -The System `socket_summary` dataset provides the summary of open network -sockets in the host system. - -It collects a summary of metrics with the count of existing TCP and UDP -connections and the count of listening ports. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. 
| boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text | -| process.name | Process name. Sometimes called program name or similar. 
| keyword | -| process.pid | Process id. | long | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| system.socket.summary.all.count | All open connections | integer | -| system.socket.summary.all.listening | All listening ports | integer | -| system.socket.summary.tcp.all.close_wait | Number of TCP connections in _close_wait_ state | integer | -| system.socket.summary.tcp.all.closing | Number of TCP connections in _closing_ state | integer | -| system.socket.summary.tcp.all.count | All open TCP connections | integer | -| system.socket.summary.tcp.all.established | Number of established TCP connections | integer | -| system.socket.summary.tcp.all.fin_wait1 | Number of TCP connections in _fin_wait1_ state | integer | -| system.socket.summary.tcp.all.fin_wait2 | Number of TCP connections in _fin_wait2_ state | integer | -| system.socket.summary.tcp.all.last_ack | Number of TCP connections in _last_ack_ state | integer | -| system.socket.summary.tcp.all.listening | All TCP listening ports | integer | -| system.socket.summary.tcp.all.orphan | A count of all orphaned tcp sockets. Only available on Linux. | integer | -| system.socket.summary.tcp.all.syn_recv | Number of TCP connections in _syn_recv_ state | integer | -| system.socket.summary.tcp.all.syn_sent | Number of TCP connections in _syn_sent_ state | integer | -| system.socket.summary.tcp.all.time_wait | Number of TCP connections in _time_wait_ state | integer | -| system.socket.summary.tcp.memory | Memory used by TCP sockets in bytes, based on number of allocated pages and system page size. 
Corresponds to limits set in /proc/sys/net/ipv4/tcp_mem. Only available on Linux. | integer | -| system.socket.summary.udp.all.count | All open UDP connections | integer | -| system.socket.summary.udp.memory | Memory used by UDP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/udp_mem. Only available on Linux. | integer | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | - - -### Uptime - -The System `uptime` dataset provides the uptime of the host operating system. - -This dataset is available on: - -- Linux -- macOS -- OpenBSD -- FreeBSD -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. 
| constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| system.uptime.duration.ms | The OS uptime in milliseconds. | long | - 
diff --git a/packages/system/0.12.0/img/kibana-system.png b/packages/system/0.12.0/img/kibana-system.png deleted file mode 100755 index 8741a56624..0000000000 Binary files a/packages/system/0.12.0/img/kibana-system.png and /dev/null differ diff --git a/packages/system/0.12.0/img/metricbeat_system_dashboard.png b/packages/system/0.12.0/img/metricbeat_system_dashboard.png deleted file mode 100755 index 2ff6ad8bd0..0000000000 Binary files a/packages/system/0.12.0/img/metricbeat_system_dashboard.png and /dev/null differ diff --git a/packages/system/0.12.0/img/system.svg b/packages/system/0.12.0/img/system.svg deleted file mode 100755 index 0aba96275e..0000000000 --- a/packages/system/0.12.0/img/system.svg +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/dashboard/system-01c54730-fee6-11e9-8405-516218e3d268.json b/packages/system/0.12.0/kibana/dashboard/system-01c54730-fee6-11e9-8405-516218e3d268.json deleted file mode 100755 index 2af90db405..0000000000 --- a/packages/system/0.12.0/kibana/dashboard/system-01c54730-fee6-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,129 +0,0 @@ -{ - "attributes": { - "description": "Group management activity with TSVB metrics.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":8,\"i\":\"22\",\"w\":17,\"x\":0,\"y\":0},\"panelIndex\":\"22\",\"panelRefName\":\"panel_0\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Creation Summary [Windows System Security]\"},\"gridData\":{\"h\":13,\"i\":\"36\",\"w\":9,\"x\":0,\"y\":59},\"panelIndex\":\"36\",\"panelRefName\":\"panel_1\",\"title\":\"Group Creation Summary [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Changes Summary [Windows System Security]\"},\"gridData\":{\"h\":13,\"i\":\"37\",\"w\":9,\"x\":9,\"y\":59},\"panelIndex\":\"37\",\"panelRefName\":\"panel_2\",\"title\":\"Group Changes Summary [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Deletion Summary [Windows System Security]\"},\"gridData\":{\"h\":13,\"i\":\"38\",\"w\":9,\"x\":18,\"y\":59},\"panelIndex\":\"38\",\"panelRefName\":\"panel_3\",\"title\":\"Group Deletion Summary [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Users Added to Group Summary [Windows System Security]\"},\"gridData\":{\"h\":14,\"i\":\"39\",\"w\":16,\"x\":0,\"y\":81},\"panelIndex\":\"39\",\"panelRefName\":\"panel_4\",\"title\":\"Users Added to Group Summary [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Users Removed From Group Summary [Windows System Security]\"},\"gridData\":{\"h\":14,\"i\":\"40\",\"w\":17,\"x\":16,\"y\":81},\"panelIndex\":\"40\",\"panelRefName\":\"panel_5\",\"title\":\"Users Removed From Group Summary [Windows 
System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Membership Enumeration Summary [Windows System Security]\"},\"gridData\":{\"h\":14,\"i\":\"42\",\"w\":15,\"x\":33,\"y\":81},\"panelIndex\":\"42\",\"panelRefName\":\"panel_6\",\"title\":\"Group Membership Enumeration Summary [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Details [Windows System Security]\"},\"gridData\":{\"h\":22,\"i\":\"43\",\"w\":21,\"x\":27,\"y\":50},\"panelIndex\":\"43\",\"panelRefName\":\"panel_7\",\"title\":\"Logon Details [System Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"44\",\"w\":16,\"x\":0,\"y\":72},\"panelIndex\":\"44\",\"panelRefName\":\"panel_8\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"45\",\"w\":9,\"x\":18,\"y\":50},\"panelIndex\":\"45\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"46\",\"w\":9,\"x\":0,\"y\":50},\"panelIndex\":\"46\",\"panelRefName\":\"panel_10\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"47\",\"w\":9,\"x\":9,\"y\":50},\"panelIndex\":\"47\",\"panelRefName\":\"panel_11\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"48\",\"w\":17,\"x\":16,\"y\":72},\"panelIndex\":\"48\",\"panelRefName\":\"panel_12\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"49\",\"w\":15,\"x\":33,\"y\":72},\"panelIndex\":\"49\",\"panelRefName\":\"panel_13\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"51\",\"w\":48,\"x\":0,\"y\":95},\"panelIndex\":\"51\",\"panelRefName\":\"panel_14\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":8,\"i\":\"45614e1c-b2bb-4243-9a74-a4bdd0124c87\",\"w\":31,\"x\":17,\"y\":0},\"panelIndex\":\"456
14e1c-b2bb-4243-9a74-a4bdd0124c87\",\"panelRefName\":\"panel_15\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"88e75800-8125-4c9e-96b8-5c36f6e91664\",\"w\":9,\"x\":21,\"y\":8},\"panelIndex\":\"88e75800-8125-4c9e-96b8-5c36f6e91664\",\"panelRefName\":\"panel_16\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"4b793b8e-72d4-42a2-b377-1c70f0307414\",\"w\":18,\"x\":30,\"y\":8},\"panelIndex\":\"4b793b8e-72d4-42a2-b377-1c70f0307414\",\"panelRefName\":\"panel_17\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"vis\":null},\"gridData\":{\"h\":21,\"i\":\"82d229f9-44f4-4c4b-baf7-f9673a14c87f\",\"w\":26,\"x\":0,\"y\":29},\"panelIndex\":\"82d229f9-44f4-4c4b-baf7-f9673a14c87f\",\"panelRefName\":\"panel_18\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-group-account\":\"#1F78C1\",\"added-member-to-group\":\"#0A437C\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#0A50A1\",\"type-changed-group-account\":\"#82B5D8\",\"user-member-enumerated\":\"#2F575E\"},\"vis\":{\"colors\":{\"added-group-account\":\"#1F78C1\",\"added-member-to-group\":\"#0A437C\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#0A50A1\",\"removed-member-from-group\":\"#82B5D8\",\"type-changed-group-account\":\"#82B5D8\",\"user-member-enumerated\":\"#2F575E\"}}},\"gridData\":{\"h\":21,\"i\":\"f44255b0-d9a8-479f-be3f-829c1f6ed794\",\"w\":22,\"x\":26,\"y\":29},\"panelIndex\":\"f44255b0-d9a8-479f-be3f-829c1f6ed794\",\"panelRefName\":\"panel_19\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-group-account\":\"#0A50A1\",\"added-member-to-group\":\"#1F78C1\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#0A437C\",\"user-member-enumerated\":\"#052B51\"},\"vis\":{\"colors\":{\"added-group-account\":\"#0A50A1\",\"added-member-to-group\":\"#1F78C1\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#0A437C\",\"user-member-enumerated\":\"#2F57
5E\"}}},\"gridData\":{\"h\":21,\"i\":\"9c42bff2-b295-4617-8d8c-455bd5948b66\",\"w\":21,\"x\":0,\"y\":8},\"panelIndex\":\"9c42bff2-b295-4617-8d8c-455bd5948b66\",\"panelRefName\":\"panel_20\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[System Windows Security] Group Management Events - Simple Metrics", - "version": 1 - }, - "id": "windows-01c54730-fee6-11e9-8405-516218e3d268", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-6f0f2ea0-f414-11e9-8405-516218e3d268", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-98884120-f49d-11e9-8405-516218e3d268", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-9e534190-f49d-11e9-8405-516218e3d268", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-bb9cf7a0-f49d-11e9-8405-516218e3d268", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-ce867840-f49e-11e9-8405-516218e3d268", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-fee83900-f49f-11e9-8405-516218e3d268", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-bc165210-f4b8-11e9-8405-516218e3d268", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "windows-7e178c80-fee1-11e9-8405-516218e3d268", - "name": "panel_7", - "type": "search" - }, - { - "id": "windows-a13bf640-fee8-11e9-8405-516218e3d268", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-5eeaafd0-fee7-11e9-8405-516218e3d268", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-f42f3b20-fee6-11e9-8405-516218e3d268", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "windows-b5f38780-fee6-11e9-8405-516218e3d268", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "windows-1b5f17d0-feea-11e9-8405-516218e3d268", - "name": "panel_12", - "type": "visualization" - }, - { - "id": 
"windows-0f2f5280-feeb-11e9-8405-516218e3d268", - "name": "panel_13", - "type": "visualization" - }, - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "panel_14", - "type": "search" - }, - { - "id": "windows-d770b040-9b35-11ea-87e4-49f31ec44891", - "name": "panel_15", - "type": "visualization" - }, - { - "id": "windows-33462600-9b47-11ea-87e4-49f31ec44891", - "name": "panel_16", - "type": "visualization" - }, - { - "id": "windows-58fb9480-9b46-11ea-87e4-49f31ec44891", - "name": "panel_17", - "type": "visualization" - }, - { - "id": "windows-e20c02d0-9b48-11ea-87e4-49f31ec44891", - "name": "panel_18", - "type": "visualization" - }, - { - "id": "windows-7de2e3f0-9b4d-11ea-87e4-49f31ec44891", - "name": "panel_19", - "type": "visualization" - }, - { - "id": "windows-b89b0c90-9b41-11ea-87e4-49f31ec44891", - "name": "panel_20", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/dashboard/system-035846a0-a249-11e9-a422-d144027429da.json b/packages/system/0.12.0/kibana/dashboard/system-035846a0-a249-11e9-a422-d144027429da.json deleted file mode 100755 index 7da98e0bb3..0000000000 --- a/packages/system/0.12.0/kibana/dashboard/system-035846a0-a249-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,89 +0,0 @@ -{ - "attributes": { - "description": "User logon activity dashboard with TSVB metrics.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"Sesiones Usuarios Admin\"},\"gridData\":{\"h\":28,\"i\":\"1\",\"w\":18,\"x\":0,\"y\":38},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"title\":\"Sesiones Usuarios Admin\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":13,\"i\":\"2\",\"w\":9,\"x\":0,\"y\":6},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Usuarios Adm\"},\"gridData\":{\"h\":19,\"i\":\"3\",\"w\":18,\"x\":0,\"y\":19},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"title\":\"Usuarios Adm\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":6,\"i\":\"4\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Network Logon Details\"},\"gridData\":{\"h\":27,\"i\":\"10\",\"w\":22,\"x\":0,\"y\":66},\"panelIndex\":\"10\",\"panelRefName\":\"panel_4\",\"title\":\"Network Logon Details\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":6,\"i\":\"08245e0c-6afe-43ea-ba5f-76c3b17301fd\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"08245e0c-6afe-43ea-ba5f-76c3b17301fd\",\"panelRefName\":\"panel_5\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":13,\"i\":\"f403fdcc-6588-4573-a949-9e661783a2b8\",\"w\":9,\"x\":9,\"y\":6},\"panelIndex\":\"f403fdcc-6588-4573-a949-9e661783a2b8\",\"panelRefName\":\"panel_6\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Events 
Timeline\"},\"gridData\":{\"h\":13,\"i\":\"51a9affa-8e96-42bd-98e9-80531bdefc53\",\"w\":30,\"x\":18,\"y\":6},\"panelIndex\":\"51a9affa-8e96-42bd-98e9-80531bdefc53\",\"panelRefName\":\"panel_7\",\"title\":\"Logon Events Timeline\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Types\"},\"gridData\":{\"h\":19,\"i\":\"bbdca4de-11c5-4957-a74c-73769416a562\",\"w\":12,\"x\":18,\"y\":19},\"panelIndex\":\"bbdca4de-11c5-4957-a74c-73769416a562\",\"panelRefName\":\"panel_8\",\"title\":\"Logon Types\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"4df66ae6-e047-47c7-b1a9-b15221eb9d90\",\"w\":18,\"x\":30,\"y\":19},\"panelIndex\":\"4df66ae6-e047-47c7-b1a9-b15221eb9d90\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"RDP Reconnections and Desconnections\"},\"gridData\":{\"h\":28,\"i\":\"454bb008-9720-455e-8ab9-b2f47d25aa4f\",\"w\":19,\"x\":18,\"y\":38},\"panelIndex\":\"454bb008-9720-455e-8ab9-b2f47d25aa4f\",\"panelRefName\":\"panel_10\",\"title\":\"RDP Reconnections and Desconnections\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":28,\"i\":\"baec73e7-7166-4577-9483-1252bdd8773c\",\"w\":11,\"x\":37,\"y\":38},\"panelIndex\":\"baec73e7-7166-4577-9483-1252bdd8773c\",\"panelRefName\":\"panel_11\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logout Details\"},\"gridData\":{\"h\":27,\"i\":\"28115147-8399-4fcd-95ce-ed0a4f4239e3\",\"w\":26,\"x\":22,\"y\":66},\"panelIndex\":\"28115147-8399-4fcd-95ce-ed0a4f4239e3\",\"panelRefName\":\"panel_12\",\"title\":\"Logout Details\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[System Windows Security] User Logons - Simple Metrics", - "version": 1 - }, - "id": "windows-035846a0-a249-11e9-a422-d144027429da", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-804dd400-a248-11e9-a422-d144027429da", - "name": "panel_0", - "type": 
"visualization" - }, - { - "id": "windows-5bb93ed0-a249-11e9-a422-d144027429da", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-e2516c10-a249-11e9-a422-d144027429da", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-18348f30-a24d-11e9-a422-d144027429da", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-ce71c9a0-a25e-11e9-a422-d144027429da", - "name": "panel_4", - "type": "search" - }, - { - "id": "windows-d770b040-9b35-11ea-87e4-49f31ec44891", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-2c71e0f0-9c0d-11ea-87e4-49f31ec44891", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "windows-abd44840-9c0f-11ea-87e4-49f31ec44891", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "windows-006d75f0-9c03-11ea-87e4-49f31ec44891", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-21aadac0-9c0b-11ea-87e4-49f31ec44891", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3", - "name": "panel_10", - "type": "search" - }, - { - "id": "windows-25f31ee0-9c23-11ea-87e4-49f31ec44891", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "windows-06b6b060-7a80-11ea-bc9a-0baf2ca323a3", - "name": "panel_12", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab.json b/packages/system/0.12.0/kibana/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab.json deleted file mode 100755 index 8814d936cf..0000000000 --- a/packages/system/0.12.0/kibana/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab.json +++ /dev/null 
@@ -1,53 +0,0 @@ -{ - "attributes": { - "description": "New users and groups dashboard for the System integration in Logs", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":12,\"i\":\"1\",\"w\":24,\"x\":0,\"y\":4},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"2\",\"w\":24,\"x\":24,\"y\":4},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":16},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"4\",\"w\":24,\"x\":24,\"y\":16},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":12,\"i\":\"5\",\"w\":24,\"x\":0,\"y\":28},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"6\",\"w\":24,\"x\":24,\"y\":28},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"7\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Logs System] New users and groups", - "version": 1 - }, - "id": "system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab", - "references": [ - { - "id": "system-f398d2f0-fa77-11e6-ae9b-81e5311e8cab", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-5dd15c00-fa78-11e6-ae9b-81e5311e8cab", - "name": "panel_1", - "type": 
"visualization" - }, - { - "id": "system-e121b140-fa78-11e6-a1df-a78bd7504d38", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "system-d56ee420-fa79-11e6-a1df-a78bd7504d38", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "system-12667040-fa80-11e6-a1df-a78bd7504d38", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "system-346bb290-fa80-11e6-a1df-a78bd7504d38", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "system-327417e0-8462-11e7-bab8-bd2f0fb42c54", - "name": "panel_6", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a.json b/packages/system/0.12.0/kibana/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a.json deleted file mode 100755 index 7c1b819642..0000000000 --- a/packages/system/0.12.0/kibana/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "description": "Sudo commands dashboard from the Logs System integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"2\",\"w\":48,\"x\":0,\"y\":36},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":16,\"i\":\"3\",\"w\":48,\"x\":0,\"y\":4},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"4\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Logs System] Sudo commands", - "version": 1 - }, - "id": "system-277876d0-fa2c-11e6-bbd3-29c986c96e5a", - "references": [ - { - "id": "system-5c7af030-fa2a-11e6-bbd3-29c986c96e5a", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-51164310-fa2b-11e6-bbd3-29c986c96e5a", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "system-dc589770-fa2b-11e6-bbd3-29c986c96e5a", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "system-327417e0-8462-11e7-bab8-bd2f0fb42c54", - "name": "panel_3", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a.json b/packages/system/0.12.0/kibana/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a.json deleted file mode 100755 index 34f78d0da6..0000000000 
--- a/packages/system/0.12.0/kibana/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a.json +++ /dev/null 
@@ -1,48 +0,0 @@ -{ - "attributes": { - "description": "SSH dashboard for the System integration in Logs", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":16},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"2\",\"w\":48,\"x\":0,\"y\":4},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":28},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"mapBounds\":{\"bottom_right\":{\"lat\":10.31491928581316,\"lon\":74.53125},\"top_left\":{\"lat\":60.50052541051131,\"lon\":-27.94921875}},\"mapCenter\":[39.774769485295465,23.203125],\"mapCollar\":{\"bottom_right\":{\"lat\":-14.777884999999998,\"lon\":125.771485},\"top_left\":{\"lat\":85.593335,\"lon\":-79.189455},\"zoom\":3},\"mapZoom\":3},\"gridData\":{\"h\":16,\"i\":\"4\",\"w\":24,\"x\":24,\"y\":28},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"columns\":[\"system.auth.ssh.event\",\"system.auth.ssh.method\",\"user.name\",\"source.ip\",\"source.geo.country_iso_code\"],\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"h\":12,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":44},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"6\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Logs System] SSH login attempts", - "version": 1 - }, - "id": "system-5517a150-f9ce-11e6-8115-a7c18106d86a", - "references": [ - { - "id": 
"system-d16bb400-f9cc-11e6-8115-a7c18106d86a", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-78b74f30-f9cd-11e6-8115-a7c18106d86a", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "system-341ffe70-f9ce-11e6-8115-a7c18106d86a", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "system-3cec3eb0-f9d3-11e6-8a3e-2b904044ea1d", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "system-62439dc0-f9c9-11e6-a747-6121780e0414", - "name": "panel_4", - "type": "search" - }, - { - "id": "system-327417e0-8462-11e7-bab8-bd2f0fb42c54", - "name": "panel_5", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/dashboard/system-71f720f0-ff18-11e9-8405-516218e3d268.json b/packages/system/0.12.0/kibana/dashboard/system-71f720f0-ff18-11e9-8405-516218e3d268.json deleted file mode 100755 index d2a5ae3be2..0000000000 --- a/packages/system/0.12.0/kibana/dashboard/system-71f720f0-ff18-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,159 +0,0 @@ -{ - "attributes": { - "description": "User management activity.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":8,\"i\":\"1\",\"w\":17,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Created Users [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"3\",\"w\":9,\"x\":0,\"y\":56},\"panelIndex\":\"3\",\"panelRefName\":\"panel_1\",\"title\":\"Created Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Enabled Users [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"5\",\"w\":9,\"x\":9,\"y\":56},\"panelIndex\":\"5\",\"panelRefName\":\"panel_2\",\"title\":\"Enabled Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Disabled Users [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"6\",\"w\":9,\"x\":0,\"y\":79},\"panelIndex\":\"6\",\"panelRefName\":\"panel_3\",\"title\":\"Disabled Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Deleted Users [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"7\",\"w\":9,\"x\":18,\"y\":56},\"panelIndex\":\"7\",\"panelRefName\":\"panel_4\",\"title\":\"Deleted Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Passwords Changes [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"9\",\"w\":9,\"x\":18,\"y\":79},\"panelIndex\":\"9\",\"panelRefName\":\"panel_5\",\"title\":\"Passwords Changes [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Unlocked Users [Windows System 
Security]\"},\"gridData\":{\"h\":16,\"i\":\"15\",\"w\":9,\"x\":9,\"y\":79},\"panelIndex\":\"15\",\"panelRefName\":\"panel_6\",\"title\":\"Unlocked Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Users Changes [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"16\",\"w\":9,\"x\":18,\"y\":102},\"panelIndex\":\"16\",\"panelRefName\":\"panel_7\",\"title\":\"Users Changes [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Locked-out Users [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"20\",\"w\":9,\"x\":0,\"y\":102},\"panelIndex\":\"20\",\"panelRefName\":\"panel_8\",\"title\":\"Locked-out Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":46,\"i\":\"22\",\"w\":21,\"x\":27,\"y\":72},\"panelIndex\":\"22\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"23\",\"w\":48,\"x\":0,\"y\":118},\"panelIndex\":\"23\",\"panelRefName\":\"panel_10\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"24\",\"w\":9,\"x\":0,\"y\":72},\"panelIndex\":\"24\",\"panelRefName\":\"panel_11\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"25\",\"w\":9,\"x\":9,\"y\":49},\"panelIndex\":\"25\",\"panelRefName\":\"panel_12\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"26\",\"w\":9,\"x\":18,\"y\":49},\"panelIndex\":\"26\",\"panelRefName\":\"panel_13\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"27\",\"w\":9,\"x\":0,\"y\":49},\"panelIndex\":\"27\",\"panelRefName\":\"panel_14\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"28\",\"w\":9,\"x\":9,\"y\":72},\"panelIndex\":\"28\",\"panelRefName\":\"panel_15\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridDat
a\":{\"h\":7,\"i\":\"29\",\"w\":9,\"x\":18,\"y\":72},\"panelIndex\":\"29\",\"panelRefName\":\"panel_16\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"30\",\"w\":9,\"x\":0,\"y\":95},\"panelIndex\":\"30\",\"panelRefName\":\"panel_17\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"31\",\"w\":9,\"x\":18,\"y\":95},\"panelIndex\":\"31\",\"panelRefName\":\"panel_18\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"32\",\"w\":9,\"x\":9,\"y\":95},\"panelIndex\":\"32\",\"panelRefName\":\"panel_19\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"33\",\"w\":9,\"x\":9,\"y\":102},\"panelIndex\":\"33\",\"panelRefName\":\"panel_20\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":8,\"i\":\"cf0adfac-7cf2-479d-8ddb-1edeee62d37c\",\"w\":31,\"x\":17,\"y\":0},\"panelIndex\":\"cf0adfac-7cf2-479d-8ddb-1edeee62d37c\",\"panelRefName\":\"panel_21\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-user-account\":\"#447EBC\",\"deleted-user-account\":\"#82B5D8\",\"disabled-user-account\":\"#82B5D8\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#2F575E\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\"},\"vis\":{\"colors\":{\"added-user-account\":\"#447EBC\",\"deleted-user-account\":\"#82B5D8\",\"disabled-user-account\":\"#82B5D8\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#2F575E\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\",\"unlocked-user-account\":\"#64B0C8\"}}},\"gridData\":{\"h\":16,\"i\":\"a2871661-98a8-489b-b615-e66ebe3b971a\",\"w\":17,\"x\":0,\"y\":8},\"panelIndex\":\"a2871661-98a8-489b-b615-e66ebe3b971a\",\"panelRefName\":\"panel_22\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"e80fae4a-6087-41e1-b4b9-31802cb1e4bf\",\"w\":18,\"x\":30,\"y\":8},\"panelI
ndex\":\"e80fae4a-6087-41e1-b4b9-31802cb1e4bf\",\"panelRefName\":\"panel_23\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"dd3e12e6-0d3c-448e-b0c4-91f7dc8742b6\",\"w\":13,\"x\":17,\"y\":8},\"panelIndex\":\"dd3e12e6-0d3c-448e-b0c4-91f7dc8742b6\",\"panelRefName\":\"panel_24\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Actions performed over Users [Windows System Security]\",\"vis\":null},\"gridData\":{\"h\":25,\"i\":\"29f54335-78db-4c49-a3e0-a641fd0099f6\",\"w\":48,\"x\":0,\"y\":24},\"panelIndex\":\"29f54335-78db-4c49-a3e0-a641fd0099f6\",\"panelRefName\":\"panel_25\",\"title\":\"Actions performed over Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-user-account\":\"#0A437C\",\"deleted-user-account\":\"#5195CE\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#052B51\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\"},\"vis\":{\"colors\":{\"added-user-account\":\"#0A437C\",\"deleted-user-account\":\"#5195CE\",\"disabled-user-account\":\"#82B5D8\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#052B51\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\"}}},\"gridData\":{\"h\":23,\"i\":\"1ec8b993-9ac1-4c7f-b7f7-5136f2e310aa\",\"w\":21,\"x\":27,\"y\":49},\"panelIndex\":\"1ec8b993-9ac1-4c7f-b7f7-5136f2e310aa\",\"panelRefName\":\"panel_26\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[System Windows Security] User Management Events", - "version": 1 - }, - "id": "windows-71f720f0-ff18-11e9-8405-516218e3d268", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf", - "name": "panel_1", - "type": "visualization" - }, - { - "id": 
"windows-0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-8f20c950-bcd4-11e9-b6a2-c9b4015c4baf", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-da2110c0-bcea-11e9-b6a2-c9b4015c4baf", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "windows-abf96c10-bcea-11e9-b6a2-c9b4015c4baf", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "windows-4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-7e178c80-fee1-11e9-8405-516218e3d268", - "name": "panel_9", - "type": "search" - }, - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "panel_10", - "type": "search" - }, - { - "id": "windows-97c70300-ff1c-11e9-8405-516218e3d268", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "windows-bf45dc50-ff1a-11e9-8405-516218e3d268", - "name": "panel_12", - "type": "visualization" - }, - { - "id": "windows-7322f9f0-ff1c-11e9-8405-516218e3d268", - "name": "panel_13", - "type": "visualization" - }, - { - "id": "windows-d3a5fec0-ff18-11e9-8405-516218e3d268", - "name": "panel_14", - "type": "visualization" - }, - { - "id": "windows-1b6725f0-ff1d-11e9-8405-516218e3d268", - "name": "panel_15", - "type": "visualization" - }, - { - "id": "windows-60301890-ff1d-11e9-8405-516218e3d268", - "name": "panel_16", - "type": "visualization" - }, - { - "id": "windows-9dd22440-ff1d-11e9-8405-516218e3d268", - "name": "panel_17", - "type": "visualization" - }, - { - "id": "windows-c9d959f0-ff1d-11e9-8405-516218e3d268", - "name": "panel_18", - "type": "visualization" - }, - { - "id": "windows-1f271bc0-231a-11ea-8405-516218e3d268", - "name": "panel_19", - "type": "visualization" - }, 
- { - "id": "windows-fa876300-231a-11ea-8405-516218e3d268", - "name": "panel_20", - "type": "visualization" - }, - { - "id": "windows-a3c3f350-9b6d-11ea-87e4-49f31ec44891", - "name": "panel_21", - "type": "visualization" - }, - { - "id": "windows-26877510-9b72-11ea-87e4-49f31ec44891", - "name": "panel_22", - "type": "visualization" - }, - { - "id": "windows-117f5a30-9b71-11ea-87e4-49f31ec44891", - "name": "panel_23", - "type": "visualization" - }, - { - "id": "windows-5c9ee410-9b74-11ea-87e4-49f31ec44891", - "name": "panel_24", - "type": "visualization" - }, - { - "id": "windows-aa31c9d0-9b75-11ea-87e4-49f31ec44891", - "name": "panel_25", - "type": "visualization" - }, - { - "id": "windows-caf4d2b0-9b76-11ea-87e4-49f31ec44891", - "name": "panel_26", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8.json b/packages/system/0.12.0/kibana/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8.json deleted file mode 100755 index 4dba98af12..0000000000 --- a/packages/system/0.12.0/kibana/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8.json +++ /dev/null 
@@ -1,133 +0,0 @@ -{ - "attributes": { - "description": "Overview of host metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"1\",\"w\":24,\"x\":0,\"y\":55},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"2\",\"w\":24,\"x\":24,\"y\":25},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"3\",\"w\":24,\"x\":24,\"y\":55},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"4\",\"w\":24,\"x\":0,\"y\":40},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":70},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":24,\"x\":0,\"y\":70},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"7\",\"w\":24,\"x\":0,\"y\":25},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"8\",\"w\":24,\"x\":24,\"y\":40},\"panelIndex\":\"8\",\"panelRefName\":\"panel_7\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"9\",\"w\":8,\"x\":16,\"y\":5},\"panelIndex\":\"9\",\"panelRefName\":\"panel_8\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"10\",\"w\":8,\"x\":0,\"y\":5},\"panelIndex\":\"10\",\"panelRefName\":\"panel_9\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"11\",\"w\":8,\"x\":8,
\"y\":5},\"panelIndex\":\"11\",\"panelRefName\":\"panel_10\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"12\",\"w\":8,\"x\":24,\"y\":5},\"panelIndex\":\"12\",\"panelRefName\":\"panel_11\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"13\",\"w\":8,\"x\":32,\"y\":5},\"panelIndex\":\"13\",\"panelRefName\":\"panel_12\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"14\",\"w\":16,\"x\":32,\"y\":15},\"panelIndex\":\"14\",\"panelRefName\":\"panel_13\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":5,\"i\":\"16\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"16\",\"panelRefName\":\"panel_14\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"21\",\"w\":8,\"x\":0,\"y\":15},\"panelIndex\":\"21\",\"panelRefName\":\"panel_15\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"22\",\"w\":8,\"x\":8,\"y\":15},\"panelIndex\":\"22\",\"panelRefName\":\"panel_16\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"23\",\"w\":8,\"x\":24,\"y\":15},\"panelIndex\":\"23\",\"panelRefName\":\"panel_17\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"25\",\"w\":8,\"x\":40,\"y\":5},\"panelIndex\":\"25\",\"panelRefName\":\"panel_18\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"27\",\"w\":24,\"x\":0,\"y\":85},\"panelIndex\":\"27\",\"panelRefName\":\"panel_19\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"28\",\"w\":24,\"x\":24,\"y\":85},\"panelIndex\":\"28\",\"panelRefName\":\"panel_20\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":10,\"i\":\"29\",\"w\":8,\"x\":16,\"y\":15},\"panelIndex\":\"29\",\"panelRefName\":\"panel_21\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":5,\"i\":\"30\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"30\",\"panelRefName\":\"panel_22\",\"version\":\"7.6.0\"}]", - "timeRestore": false, - "title": "[Metrics System] Host overview", - "version": 1 - }, - "id": "system-79ffd6e0-faa0-11e6-947f-177f697178b8", - "references": [ - { - "id": "system-6b7b9a40-faa1-11e6-86b1-cd7735ff7e23", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-4d546850-1b15-11e7-b09e-037021c4f8df", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "system-089b85d0-1b16-11e7-b09e-037021c4f8df", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "system-bfa5e400-1b16-11e7-b09e-037021c4f8df", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "system-e0f001c0-1b18-11e7-b09e-037021c4f8df", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "system-2e224660-1b19-11e7-b09e-037021c4f8df", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "system-ab2d1e90-1b1a-11e7-b09e-037021c4f8df", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "system-4e4bb1e0-1b1b-11e7-b09e-037021c4f8df", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "system-26732e20-1b91-11e7-bec4-a5e9ec5cab8b", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "system-1aae9140-1b93-11e7-8ada-3df93aab833e", - "name": "panel_12", - "type": "visualization" - }, - { - "id": "system-34f97ee0-1b96-11e7-8ada-3df93aab833e", - 
"name": "panel_13", - "type": "visualization" - }, - { - "id": "system-Navigation", - "name": "panel_14", - "type": "visualization" - }, - { - "id": "system-19e123b0-4d5a-11e7-aee5-fdc812cc3bec", - "name": "panel_15", - "type": "visualization" - }, - { - "id": "system-d2e80340-4d5c-11e7-aa29-87a97a796de6", - "name": "panel_16", - "type": "visualization" - }, - { - "id": "system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32", - "name": "panel_17", - "type": "visualization" - }, - { - "id": "system-96976150-4d5d-11e7-aa29-87a97a796de6", - "name": "panel_18", - "type": "visualization" - }, - { - "id": "system-99381c80-4d60-11e7-9a4c-ed99bbcaa42b", - "name": "panel_19", - "type": "visualization" - }, - { - "id": "system-c5e3cf90-4d60-11e7-9a4c-ed99bbcaa42b", - "name": "panel_20", - "type": "visualization" - }, - { - "id": "system-590a60f0-5d87-11e7-8884-1bb4c3b890e4", - "name": "panel_21", - "type": "visualization" - }, - { - "id": "system-3d65d450-a9c3-11e7-af20-67db8aecb295", - "name": "panel_22", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/dashboard/system-8223bed0-b9e9-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.12.0/kibana/dashboard/system-8223bed0-b9e9-11e9-b6a2-c9b4015c4baf.json deleted file mode 100755 index 81fed1fd24..0000000000 --- a/packages/system/0.12.0/kibana/dashboard/system-8223bed0-b9e9-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,159 +0,0 @@ -{ - "attributes": { - "description": "User management activity with TSVB metrics.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"1\",\"w\":17,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Created Users [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"3\",\"w\":9,\"x\":0,\"y\":55},\"panelIndex\":\"3\",\"panelRefName\":\"panel_1\",\"title\":\"Created Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Enabled Users [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"5\",\"w\":9,\"x\":9,\"y\":55},\"panelIndex\":\"5\",\"panelRefName\":\"panel_2\",\"title\":\"Enabled Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Disabled Users [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"6\",\"w\":9,\"x\":0,\"y\":80},\"panelIndex\":\"6\",\"panelRefName\":\"panel_3\",\"title\":\"Disabled Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Deleted Users [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"7\",\"w\":9,\"x\":18,\"y\":55},\"panelIndex\":\"7\",\"panelRefName\":\"panel_4\",\"title\":\"Deleted Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Passwords Changes [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"9\",\"w\":9,\"x\":18,\"y\":80},\"panelIndex\":\"9\",\"panelRefName\":\"panel_5\",\"title\":\"Passwords Changes [Windows System 
Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"10\",\"w\":9,\"x\":0,\"y\":46},\"panelIndex\":\"10\",\"panelRefName\":\"panel_6\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"11\",\"w\":9,\"x\":9,\"y\":46},\"panelIndex\":\"11\",\"panelRefName\":\"panel_7\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"12\",\"w\":9,\"x\":18,\"y\":46},\"panelIndex\":\"12\",\"panelRefName\":\"panel_8\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"13\",\"w\":9,\"x\":0,\"y\":71},\"panelIndex\":\"13\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"14\",\"w\":9,\"x\":18,\"y\":71},\"panelIndex\":\"14\",\"panelRefName\":\"panel_10\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Unlocked Users [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"15\",\"w\":9,\"x\":9,\"y\":80},\"panelIndex\":\"15\",\"panelRefName\":\"panel_11\",\"title\":\"Unlocked Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Users Changes [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"16\",\"w\":9,\"x\":18,\"y\":105},\"panelIndex\":\"16\",\"panelRefName\":\"panel_12\",\"title\":\"Users Changes [Windows System 
Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"17\",\"w\":9,\"x\":0,\"y\":96},\"panelIndex\":\"17\",\"panelRefName\":\"panel_13\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"18\",\"w\":9,\"x\":9,\"y\":71},\"panelIndex\":\"18\",\"panelRefName\":\"panel_14\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"19\",\"w\":9,\"x\":18,\"y\":96},\"panelIndex\":\"19\",\"panelRefName\":\"panel_15\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Locked-out Users [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"20\",\"w\":9,\"x\":0,\"y\":105},\"panelIndex\":\"20\",\"panelRefName\":\"panel_16\",\"title\":\"Locked-out Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":48,\"i\":\"22\",\"w\":21,\"x\":27,\"y\":73},\"panelIndex\":\"22\",\"panelRefName\":\"panel_17\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"23\",\"w\":48,\"x\":0,\"y\":121},\"panelIndex\":\"23\",\"panelRefName\":\"panel_18\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"24\",\"w\":9,\"x\":9,\"y\":96},\"panelIndex\":\"24\",\"panelRefName\":\"panel_19\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"25\",\"w\":9,\"x\":9,\"y\":105},\"panelIndex\":\"25\",\"panelRefName\":\"panel_20\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"20adcb1b-cebf-4a75-9bc4-eaeeee626c5e\",\"w\":31,\"x\":17,\"y\":0},\"panelIndex\":\"20adcb1b-cebf-4a75-9bc4-eaeeee626c5e\",\"panelRefName\":\"panel_21\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-user-account\":\"#0A437C\",\"deleted-user-account\":\"#82B5D8\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#052B51\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\"},\"
vis\":{\"colors\":{\"added-user-account\":\"#0A437C\",\"deleted-user-account\":\"#82B5D8\",\"disabled-user-account\":\"#BADFF4\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#052B51\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\"}}},\"gridData\":{\"h\":19,\"i\":\"8aad73ff-37b1-487a-a3f1-b80b93618ac4\",\"w\":18,\"x\":0,\"y\":7},\"panelIndex\":\"8aad73ff-37b1-487a-a3f1-b80b93618ac4\",\"panelRefName\":\"panel_22\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"18cc78ac-3f77-4f54-b351-cb94873cae3f\",\"w\":14,\"x\":18,\"y\":7},\"panelIndex\":\"18cc78ac-3f77-4f54-b351-cb94873cae3f\",\"panelRefName\":\"panel_23\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"75f5f1fc-bc7c-4f8f-8e5b-0a52d525aa7d\",\"w\":16,\"x\":32,\"y\":7},\"panelIndex\":\"75f5f1fc-bc7c-4f8f-8e5b-0a52d525aa7d\",\"panelRefName\":\"panel_24\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Actions performed over Users [Windows System Security]\",\"vis\":null},\"gridData\":{\"h\":20,\"i\":\"f443b5b0-ada7-426f-ae2f-46573f94f24f\",\"w\":48,\"x\":0,\"y\":26},\"panelIndex\":\"f443b5b0-ada7-426f-ae2f-46573f94f24f\",\"panelRefName\":\"panel_25\",\"title\":\"Actions performed over Users [Windows System 
Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-user-account\":\"#0A437C\",\"deleted-user-account\":\"#82B5D8\",\"disabled-user-account\":\"#BADFF4\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#2F575E\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\"},\"vis\":{\"colors\":{\"added-user-account\":\"#0A437C\",\"deleted-user-account\":\"#82B5D8\",\"disabled-user-account\":\"#BADFF4\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#2F575E\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\",\"unlocked-user-account\":\"#0A437C\"}}},\"gridData\":{\"h\":27,\"i\":\"820c0311-d378-49dc-a614-e0fed2254603\",\"w\":21,\"x\":27,\"y\":46},\"panelIndex\":\"820c0311-d378-49dc-a614-e0fed2254603\",\"panelRefName\":\"panel_26\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[System Windows Security] User Management Events - Simple Metric", - "version": 1 - }, - "id": "windows-8223bed0-b9e9-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-8f20c950-bcd4-11e9-b6a2-c9b4015c4baf", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-102efd20-bcdd-11e9-b6a2-c9b4015c4baf", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "windows-855957d0-bcdd-11e9-b6a2-c9b4015c4baf", - "name": "panel_7", - 
"type": "visualization" - }, - { - "id": "windows-c359b020-bcdd-11e9-b6a2-c9b4015c4baf", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-0cb2d940-bcde-11e9-b6a2-c9b4015c4baf", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-568a8130-bcde-11e9-b6a2-c9b4015c4baf", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "windows-da2110c0-bcea-11e9-b6a2-c9b4015c4baf", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "windows-abf96c10-bcea-11e9-b6a2-c9b4015c4baf", - "name": "panel_12", - "type": "visualization" - }, - { - "id": "windows-84502430-bce8-11e9-b6a2-c9b4015c4baf", - "name": "panel_13", - "type": "visualization" - }, - { - "id": "windows-ab6f8d80-bce8-11e9-b6a2-c9b4015c4baf", - "name": "panel_14", - "type": "visualization" - }, - { - "id": "windows-5d92b100-bce8-11e9-b6a2-c9b4015c4baf", - "name": "panel_15", - "type": "visualization" - }, - { - "id": "windows-4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf", - "name": "panel_16", - "type": "visualization" - }, - { - "id": "windows-7e178c80-fee1-11e9-8405-516218e3d268", - "name": "panel_17", - "type": "search" - }, - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "panel_18", - "type": "search" - }, - { - "id": "windows-5e19ff80-231c-11ea-8405-516218e3d268", - "name": "panel_19", - "type": "visualization" - }, - { - "id": "windows-fa876300-231a-11ea-8405-516218e3d268", - "name": "panel_20", - "type": "visualization" - }, - { - "id": "windows-d770b040-9b35-11ea-87e4-49f31ec44891", - "name": "panel_21", - "type": "visualization" - }, - { - "id": "windows-26877510-9b72-11ea-87e4-49f31ec44891", - "name": "panel_22", - "type": "visualization" - }, - { - "id": "windows-5c9ee410-9b74-11ea-87e4-49f31ec44891", - "name": "panel_23", - "type": "visualization" - }, - { - "id": "windows-117f5a30-9b71-11ea-87e4-49f31ec44891", - "name": "panel_24", - "type": "visualization" - }, - { - "id": "windows-aa31c9d0-9b75-11ea-87e4-49f31ec44891", - 
"name": "panel_25", - "type": "visualization" - }, - { - "id": "windows-caf4d2b0-9b76-11ea-87e4-49f31ec44891", - "name": "panel_26", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/dashboard/system-Filebeat-syslog-dashboard.json b/packages/system/0.12.0/kibana/dashboard/system-Filebeat-syslog-dashboard.json deleted file mode 100755 index e853fd4613..0000000000 --- a/packages/system/0.12.0/kibana/dashboard/system-Filebeat-syslog-dashboard.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "description": "Syslog dashboard from the Logs System integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"1\",\"w\":32,\"x\":0,\"y\":4},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"2\",\"w\":16,\"x\":32,\"y\":4},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"columns\":[\"host.hostname\",\"process.name\",\"message\"],\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"h\":28,\"i\":\"3\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"4\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Logs System] Syslog dashboard", - "version": 1 - }, - "id": "system-Filebeat-syslog-dashboard", - "references": [ - { - "id": "system-Syslog-events-by-hostname", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-Syslog-hostnames-and-processes", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "system-Syslog-system-logs", - "name": "panel_2", - "type": "search" - }, - { - "id": "system-327417e0-8462-11e7-bab8-bd2f0fb42c54", - "name": "panel_3", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/dashboard/system-Metricbeat-system-overview.json b/packages/system/0.12.0/kibana/dashboard/system-Metricbeat-system-overview.json deleted file mode 100755 index 286c979eb2..0000000000 
--- a/packages/system/0.12.0/kibana/dashboard/system-Metricbeat-system-overview.json
+++ /dev/null
@@ -1,68 +0,0 @@ -{ - "attributes": { - "description": "Overview of system metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"9\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"9\",\"panelRefName\":\"panel_0\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"11\",\"w\":8,\"x\":0,\"y\":4},\"panelIndex\":\"11\",\"panelRefName\":\"panel_1\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":20,\"i\":\"12\",\"w\":24,\"x\":24,\"y\":12},\"panelIndex\":\"12\",\"panelRefName\":\"panel_2\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"13\",\"w\":24,\"x\":0,\"y\":12},\"panelIndex\":\"13\",\"panelRefName\":\"panel_3\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0% - 15%\":\"rgb(247,252,245)\",\"15% - 30%\":\"rgb(199,233,192)\",\"30% - 45%\":\"rgb(116,196,118)\",\"45% - 60%\":\"rgb(35,139,69)\"}}},\"gridData\":{\"h\":24,\"i\":\"14\",\"w\":48,\"x\":0,\"y\":32},\"panelIndex\":\"14\",\"panelRefName\":\"panel_4\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"16\",\"w\":8,\"x\":32,\"y\":4},\"panelIndex\":\"16\",\"panelRefName\":\"panel_5\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"17\",\"w\":8,\"x\":40,\"y\":4},\"panelIndex\":\"17\",\"panelRefName\":\"panel_6\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"18\",\"w\":8,\"x\":24,\"y\":4},\"panelIndex\":\"18\",\"panelRefName\":\"panel_7\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"19\",\"w\":8,\"x\":16,\"y\":4},\"panelIndex\":\"19\",\"panelRefName\":\"panel_8\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"20\",\"w\":8,\"x\":8,\"y\":4},\"panelIndex\":\"20\",\"panelRefName\":\"panel_9\",\"version\":\"7.6.0\"}]", - "timeRestore": false, - "title": "[Metrics System] Overview", - "version": 1 - }, - "id": "system-Metrics-system-overview", - "references": [ - { - "id": "system-Navigation", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-c6f2ffd0-4d17-11e7-a196-69b9a7a020a9", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "system-fe064790-1b1f-11e7-bec4-a5e9ec5cab8b", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "system-855899e0-1b1c-11e7-b09e-037021c4f8df", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "system-7cdb1330-4d1a-11e7-a196-69b9a7a020a9", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "system-1aae9140-1b93-11e7-8ada-3df93aab833e", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b", - "name": 
"panel_9", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/dashboard/system-Winlogbeat-Dashboard.json b/packages/system/0.12.0/kibana/dashboard/system-Winlogbeat-Dashboard.json deleted file mode 100755 index 2299940474..0000000000 --- a/packages/system/0.12.0/kibana/dashboard/system-Winlogbeat-Dashboard.json +++ /dev/null 
@@ -1,49 +0,0 @@ -{ - "attributes": { - "description": "Overview of all Windows Event Logs.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:system.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:system.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system OR data_stream.dataset:system.system)\"}}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"gridData\":{\"h\":20,\"i\":\"3\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"4\",\"w\":16,\"x\":16,\"y\":20},\"panelIndex\":\"4\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"gridData\":{\"h\":20,\"i\":\"5\",\"w\":16,\"x\":32,\"y\":20},\"panelIndex\":\"5\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"gridData\":{\"h\":20,\"i\":\"6\",\"w\":16,\"x\":0,\"y\":20},\"panelIndex\":\"6\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[System] Windows Overview", - "version": 1 - }, - "id": "Windows-Dashboard", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-Number-of-Events-Over-Time-By-Event-Log", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-Number-of-Events", - "name": "panel_1", - "type": "visualization" - }, - { - "id": 
"windows-Top-Event-IDs", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-Event-Levels", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-Sources", - "name": "panel_4", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/dashboard/system-bae11b00-9bfc-11ea-87e4-49f31ec44891.json b/packages/system/0.12.0/kibana/dashboard/system-bae11b00-9bfc-11ea-87e4-49f31ec44891.json deleted file mode 100755 index a07696c194..0000000000 --- a/packages/system/0.12.0/kibana/dashboard/system-bae11b00-9bfc-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,89 +0,0 @@ -{ - "attributes": { - "description": "User logon activity dashboard.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"Admin Users Sessions\"},\"gridData\":{\"h\":28,\"i\":\"1\",\"w\":18,\"x\":0,\"y\":34},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"title\":\"Admin Users Sessions\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"AdminLocalSta\":\"#890F02\",\"SERVICIO LOCAL\":\"#508642\"},\"legendOpen\":true,\"title\":\"Administrators Logged On\",\"vis\":{\"colors\":{\"AdminLocalSta\":\"#890F02\",\"NETWORK SERVICE\":\"#1F78C1\",\"SERVICIO LOCAL\":\"#508642\"},\"legendOpen\":true}},\"gridData\":{\"h\":18,\"i\":\"3\",\"w\":18,\"x\":0,\"y\":16},\"panelIndex\":\"3\",\"panelRefName\":\"panel_1\",\"title\":\"Administrators Logged On\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":6,\"i\":\"4\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_2\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Details\"},\"gridData\":{\"h\":47,\"i\":\"10\",\"w\":23,\"x\":0,\"y\":62},\"panelIndex\":\"10\",\"panelRefName\":\"panel_3\",\"title\":\"Logon 
Details\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":6,\"i\":\"34fc9633-8a7c-444d-8d19-06095b55fb43\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"34fc9633-8a7c-444d-8d19-06095b55fb43\",\"panelRefName\":\"panel_4\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":10,\"i\":\"67d2409d-3e51-45d5-972f-32a36537e622\",\"w\":9,\"x\":0,\"y\":6},\"panelIndex\":\"67d2409d-3e51-45d5-972f-32a36537e622\",\"panelRefName\":\"panel_5\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":10,\"i\":\"33d05ce3-f60d-4a31-a668-aa6fab0cc800\",\"w\":9,\"x\":9,\"y\":6},\"panelIndex\":\"33d05ce3-f60d-4a31-a668-aa6fab0cc800\",\"panelRefName\":\"panel_6\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Events Timeline\"},\"gridData\":{\"h\":13,\"i\":\"7b3906e6-3a81-450c-bb31-ca0d670440b7\",\"w\":30,\"x\":18,\"y\":6},\"panelIndex\":\"7b3906e6-3a81-450c-bb31-ca0d670440b7\",\"panelRefName\":\"panel_7\",\"title\":\"Logon Events Timeline\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"CachedInteractive\":\"#6ED0E0\",\"Interactive\":\"#2F575E\",\"Network\":\"#447EBC\",\"RemoteInteractive\":\"#64B0C8\",\"Service\":\"#6ED0E0\",\"Unlock\":\"#BADFF4\"},\"legendOpen\":true,\"title\":\"Logon Types\",\"vis\":{\"colors\":{\"CachedInteractive\":\"#6ED0E0\",\"Interactive\":\"#2F575E\",\"Network\":\"#447EBC\",\"RemoteInteractive\":\"#64B0C8\",\"Service\":\"#65C5DB\",\"Unlock\":\"#BADFF4\"},\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"cf50b48e-453c-46fb-ad35-7ccfb7b03de0\",\"w\":15,\"x\":18,\"y\":19},\"panelIndex\":\"cf50b48e-453c-46fb-ad35-7ccfb7b03de0\",\"panelRefName\":\"panel_8\",\"title\":\"Logon 
Types\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"a743ffe5-a2ac-4c0b-9b6f-a81563140c42\",\"w\":15,\"x\":33,\"y\":19},\"panelIndex\":\"a743ffe5-a2ac-4c0b-9b6f-a81563140c42\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"RDP Reconnections and Desconnections\"},\"gridData\":{\"h\":28,\"i\":\"454bb008-9720-455e-8ab9-b2f47d25aa4f\",\"w\":18,\"x\":18,\"y\":34},\"panelIndex\":\"454bb008-9720-455e-8ab9-b2f47d25aa4f\",\"panelRefName\":\"panel_10\",\"title\":\"RDP Reconnections and Desconnections\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":28,\"i\":\"29a0e70a-ab23-4d48-8d4e-9a39c5af47ad\",\"w\":12,\"x\":36,\"y\":34},\"panelIndex\":\"29a0e70a-ab23-4d48-8d4e-9a39c5af47ad\",\"panelRefName\":\"panel_11\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logout Details\"},\"gridData\":{\"h\":46,\"i\":\"28115147-8399-4fcd-95ce-ed0a4f4239e3\",\"w\":25,\"x\":23,\"y\":62},\"panelIndex\":\"28115147-8399-4fcd-95ce-ed0a4f4239e3\",\"panelRefName\":\"panel_12\",\"title\":\"Logout Details\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[System Windows Security] User Logons", - "version": 1 - }, - "id": "windows-bae11b00-9bfc-11ea-87e4-49f31ec44891", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-804dd400-a248-11e9-a422-d144027429da", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-e2516c10-a249-11e9-a422-d144027429da", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-18348f30-a24d-11e9-a422-d144027429da", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-ce71c9a0-a25e-11e9-a422-d144027429da", - "name": "panel_3", - "type": "search" - }, - { - "id": "windows-a3c3f350-9b6d-11ea-87e4-49f31ec44891", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-0622da40-9bfd-11ea-87e4-49f31ec44891", - "name": 
"panel_5", - "type": "visualization" - }, - { - "id": "windows-860706a0-9bfd-11ea-87e4-49f31ec44891", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "windows-a909b930-685f-11ea-896f-0d70f7ec3956", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "windows-006d75f0-9c03-11ea-87e4-49f31ec44891", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-21aadac0-9c0b-11ea-87e4-49f31ec44891", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3", - "name": "panel_10", - "type": "search" - }, - { - "id": "windows-25f31ee0-9c23-11ea-87e4-49f31ec44891", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "windows-06b6b060-7a80-11ea-bc9a-0baf2ca323a3", - "name": "panel_12", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/dashboard/system-bb858830-f412-11e9-8405-516218e3d268.json b/packages/system/0.12.0/kibana/dashboard/system-bb858830-f412-11e9-8405-516218e3d268.json deleted file mode 100755 index 31718aaa5d..0000000000 --- a/packages/system/0.12.0/kibana/dashboard/system-bb858830-f412-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,129 +0,0 @@ -{ - "attributes": { - "description": "Group management activity.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"22\",\"w\":16,\"x\":0,\"y\":0},\"panelIndex\":\"22\",\"panelRefName\":\"panel_0\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"29\",\"w\":16,\"x\":0,\"y\":68},\"panelIndex\":\"29\",\"panelRefName\":\"panel_1\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"30\",\"w\":9,\"x\":18,\"y\":48},\"panelIndex\":\"30\",\"panelRefName\":\"panel_2\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"31\",\"w\":9,\"x\":0,\"y\":48},\"panelIndex\":\"31\",\"panelRefName\":\"panel_3\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"32\",\"w\":9,\"x\":9,\"y\":48},\"panelIndex\":\"32\",\"panelRefName\":\"panel_4\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"33\",\"w\":17,\"x\":16,\"y\":68},\"panelIndex\":\"33\",\"panelRefName\":\"panel_5\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"34\",\"w\":15,\"x\":33,\"y\":68},\"panelIndex\":\"34\",\"panelRefName\":\"panel_6\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Creation Summary [Windows System Security]\"},\"gridData\":{\"h\":13,\"i\":\"36\",\"w\":9,\"x\":0,\"y\":55},\"panelIndex\":\"36\",\"panelRefName\":\"panel_7\",\"title\":\"Group Creation Summary [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Changes Summary [Windows System 
Security]\"},\"gridData\":{\"h\":13,\"i\":\"37\",\"w\":9,\"x\":9,\"y\":55},\"panelIndex\":\"37\",\"panelRefName\":\"panel_8\",\"title\":\"Group Changes Summary [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Deletion Summary [Windows System Security]\"},\"gridData\":{\"h\":13,\"i\":\"38\",\"w\":9,\"x\":18,\"y\":55},\"panelIndex\":\"38\",\"panelRefName\":\"panel_9\",\"title\":\"Group Deletion Summary [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Users Added to Group Summary [Windows System Security]\"},\"gridData\":{\"h\":14,\"i\":\"39\",\"w\":16,\"x\":0,\"y\":75},\"panelIndex\":\"39\",\"panelRefName\":\"panel_10\",\"title\":\"Users Added to Group Summary [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Users Removed From Group Summary [Windows System Security]\"},\"gridData\":{\"h\":14,\"i\":\"40\",\"w\":17,\"x\":16,\"y\":75},\"panelIndex\":\"40\",\"panelRefName\":\"panel_11\",\"title\":\"Users Removed From Group Summary [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Enumeration - Table [Windows System Security]\"},\"gridData\":{\"h\":14,\"i\":\"42\",\"w\":15,\"x\":33,\"y\":75},\"panelIndex\":\"42\",\"panelRefName\":\"panel_12\",\"title\":\"Group Enumeration - Table [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Details [Windows System Security]\"},\"gridData\":{\"h\":20,\"i\":\"43\",\"w\":21,\"x\":27,\"y\":48},\"panelIndex\":\"43\",\"panelRefName\":\"panel_13\",\"title\":\"Logon Details [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Management Operations Details [Windows System Security]\"},\"gridData\":{\"h\":22,\"i\":\"45\",\"w\":48,\"x\":0,\"y\":89},\"panelIndex\":\"45\",\"panelRefName\":\"panel_14\",\"title\":\"Group Management Operations Details [Windows System 
Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-group-account\":\"#0A437C\",\"added-member-to-group\":\"#1F78C1\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#052B51\",\"user-member-enumerated\":\"#447EBC\"},\"vis\":{\"colors\":{\"added-group-account\":\"#0A437C\",\"added-member-to-group\":\"#1F78C1\",\"deleted-group-account\":\"#82B5D8\",\"modified-group-account\":\"#052B51\",\"user-member-enumerated\":\"#447EBC\"}}},\"gridData\":{\"h\":20,\"i\":\"3f7e277d-09d1-4a79-bc17-bc5da5a7e290\",\"w\":20,\"x\":0,\"y\":7},\"panelIndex\":\"3f7e277d-09d1-4a79-bc17-bc5da5a7e290\",\"panelRefName\":\"panel_15\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"8cda9d6a-096f-41a5-86e6-09dd1f6b9c98\",\"w\":16,\"x\":32,\"y\":7},\"panelIndex\":\"8cda9d6a-096f-41a5-86e6-09dd1f6b9c98\",\"panelRefName\":\"panel_16\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Management Events - Event Actions - Table [Windows System Security]\"},\"gridData\":{\"h\":20,\"i\":\"74edddd5-2dc5-41b8-b4f2-bf9c95218f1b\",\"w\":12,\"x\":20,\"y\":7},\"panelIndex\":\"74edddd5-2dc5-41b8-b4f2-bf9c95218f1b\",\"panelRefName\":\"panel_17\",\"title\":\"Group Management Events - Event Actions - Table [Windows System 
Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"vis\":null},\"gridData\":{\"h\":21,\"i\":\"33cef054-615a-49cb-bb2e-eb55fab96ae5\",\"w\":27,\"x\":0,\"y\":27},\"panelIndex\":\"33cef054-615a-49cb-bb2e-eb55fab96ae5\",\"panelRefName\":\"panel_18\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-group-account\":\"#1F78C1\",\"added-member-to-group\":\"#0A437C\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#0A50A1\",\"type-changed-group-account\":\"#82B5D8\",\"user-member-enumerated\":\"#447EBC\"},\"vis\":{\"colors\":{\"added-group-account\":\"#1F78C1\",\"added-member-to-group\":\"#0A437C\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#0A50A1\",\"removed-member-from-group\":\"#BADFF4\",\"type-changed-group-account\":\"#82B5D8\",\"user-member-enumerated\":\"#447EBC\"}}},\"gridData\":{\"h\":21,\"i\":\"e0d495aa-f897-403f-815b-6116fae330b7\",\"w\":21,\"x\":27,\"y\":27},\"panelIndex\":\"e0d495aa-f897-403f-815b-6116fae330b7\",\"panelRefName\":\"panel_19\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"663e0493-2070-407b-9d00-079915cce7e7\",\"w\":32,\"x\":16,\"y\":0},\"panelIndex\":\"663e0493-2070-407b-9d00-079915cce7e7\",\"panelRefName\":\"panel_20\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[System Windows Security] Group Management Events", - "version": 1 - }, - "id": "windows-bb858830-f412-11e9-8405-516218e3d268", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-6f0f2ea0-f414-11e9-8405-516218e3d268", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-ffebe440-f419-11e9-8405-516218e3d268", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-e22c6f40-f498-11e9-8405-516218e3d268", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-ee292bc0-f499-11e9-8405-516218e3d268", - "name": "panel_3", - "type": 
"visualization" - }, - { - "id": "windows-400b63e0-f49a-11e9-8405-516218e3d268", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-a5f664c0-f49a-11e9-8405-516218e3d268", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-546febc0-f49b-11e9-8405-516218e3d268", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "windows-98884120-f49d-11e9-8405-516218e3d268", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "windows-9e534190-f49d-11e9-8405-516218e3d268", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-bb9cf7a0-f49d-11e9-8405-516218e3d268", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-ce867840-f49e-11e9-8405-516218e3d268", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "windows-fee83900-f49f-11e9-8405-516218e3d268", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "windows-bc165210-f4b8-11e9-8405-516218e3d268", - "name": "panel_12", - "type": "visualization" - }, - { - "id": "windows-7e178c80-fee1-11e9-8405-516218e3d268", - "name": "panel_13", - "type": "search" - }, - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "panel_14", - "type": "search" - }, - { - "id": "windows-b89b0c90-9b41-11ea-87e4-49f31ec44891", - "name": "panel_15", - "type": "visualization" - }, - { - "id": "windows-58fb9480-9b46-11ea-87e4-49f31ec44891", - "name": "panel_16", - "type": "visualization" - }, - { - "id": "windows-33462600-9b47-11ea-87e4-49f31ec44891", - "name": "panel_17", - "type": "visualization" - }, - { - "id": "windows-e20c02d0-9b48-11ea-87e4-49f31ec44891", - "name": "panel_18", - "type": "visualization" - }, - { - "id": "windows-7de2e3f0-9b4d-11ea-87e4-49f31ec44891", - "name": "panel_19", - "type": "visualization" - }, - { - "id": "windows-a3c3f350-9b6d-11ea-87e4-49f31ec44891", - "name": "panel_20", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file 
diff --git a/packages/system/0.12.0/kibana/dashboard/system-d401ef40-a7d5-11e9-a422-d144027429da.json b/packages/system/0.12.0/kibana/dashboard/system-d401ef40-a7d5-11e9-a422-d144027429da.json
deleted file mode 100755
index b5991808e8..0000000000
--- a/packages/system/0.12.0/kibana/dashboard/system-d401ef40-a7d5-11e9-a422-d144027429da.json
+++ /dev/null
@@ -1,84 +0,0 @@ -{ - "attributes": { - "description": "Failed and blocked accounts with TSVB metrics.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"1\",\"w\":14,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"Failed Logins\":\"#EF843C\",\"Failed Logons\":\"#E24D42\",\"Successful Login\":\"#B7DBAB\",\"Successful Logon\":\"#9AC48A\"},\"legendOpen\":true,\"title\":\"Login Successful vs Failed\",\"vis\":{\"colors\":{\"Failed Logins\":\"#EF843C\",\"Failed Logons\":\"#BF1B00\",\"Successful Login\":\"#B7DBAB\",\"Successful Logon\":\"#9AC48A\"},\"legendOpen\":true}},\"gridData\":{\"h\":18,\"i\":\"2\",\"w\":12,\"x\":0,\"y\":7},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"title\":\"Login Successful vs Failed\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Blocked Acoounts\"},\"gridData\":{\"h\":21,\"i\":\"3\",\"w\":11,\"x\":12,\"y\":35},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"title\":\"Blocked Acoounts\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"Login Failed\":\"#F9934E\",\"Login OK\":\"#9AC48A\",\"Logon Failed\":\"#E24D42\",\"Logon Successful\":\"#9AC48A\"},\"legendOpen\":true,\"title\":\"Logon Successful and Failed Over time\",\"vis\":{\"colors\":{\"Login Failed\":\"#F9934E\",\"Login OK\":\"#9AC48A\",\"Logon Failed\":\"#BF1B00\",\"Logon Successful\":\"#9AC48A\"},\"legendOpen\":true}},\"gridData\":{\"h\":18,\"i\":\"4\",\"w\":23,\"x\":12,\"y\":7},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"title\":\"Logon Successful and Failed Over 
time\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"5\",\"w\":12,\"x\":0,\"y\":35},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Failed (Time Mosaic View)\",\"vis\":{\"defaultColors\":{\"0 - 5\":\"rgb(255,245,240)\",\"10 - 15\":\"rgb(252,138,106)\",\"15 - 20\":\"rgb(241,68,50)\",\"20 - 24\":\"rgb(188,20,26)\",\"5 - 10\":\"rgb(253,202,181)\"},\"legendOpen\":false}},\"gridData\":{\"h\":30,\"i\":\"6\",\"w\":48,\"x\":0,\"y\":56},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"title\":\"Logon Failed (Time Mosaic View)\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Failed and Account Lockouts\"},\"gridData\":{\"h\":20,\"i\":\"8\",\"w\":48,\"x\":0,\"y\":86},\"panelIndex\":\"8\",\"panelRefName\":\"panel_6\",\"title\":\"Logon Failed and Account Lockouts\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Failed Source IPs\"},\"gridData\":{\"h\":18,\"i\":\"10\",\"w\":13,\"x\":35,\"y\":7},\"panelIndex\":\"10\",\"panelRefName\":\"panel_7\",\"title\":\"Logon Failed Source IPs\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Failed Logins Table\"},\"gridData\":{\"h\":31,\"i\":\"11\",\"w\":25,\"x\":23,\"y\":25},\"panelIndex\":\"11\",\"panelRefName\":\"panel_8\",\"title\":\"Failed Logins 
Table\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"628de26f-7b7b-457c-b811-e06161e4e7b4\",\"w\":34,\"x\":14,\"y\":0},\"panelIndex\":\"628de26f-7b7b-457c-b811-e06161e4e7b4\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":10,\"i\":\"01a624c2-7a86-4fa9-89d3-e2ae84e94ec9\",\"w\":12,\"x\":0,\"y\":25},\"panelIndex\":\"01a624c2-7a86-4fa9-89d3-e2ae84e94ec9\",\"panelRefName\":\"panel_10\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":10,\"i\":\"e3046900-1ffc-4efa-9dab-613d685c617b\",\"w\":11,\"x\":12,\"y\":25},\"panelIndex\":\"e3046900-1ffc-4efa-9dab-613d685c617b\",\"panelRefName\":\"panel_11\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[System Windows Security] Failed and Blocked Accounts", - "version": 1 - }, - "id": "windows-d401ef40-a7d5-11e9-a422-d144027429da", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-c2ea73f0-a4bd-11e9-a422-d144027429da", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-175a5760-a7d5-11e9-a422-d144027429da", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-7a329a00-a7d5-11e9-a422-d144027429da", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-162d7ab0-a7d6-11e9-a422-d144027429da", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-729443b0-a7d6-11e9-a422-d144027429da", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-4b683ac0-a7d7-11e9-a422-d144027429da", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-757510b0-a87f-11e9-a422-d144027429da", - "name": "panel_6", - "type": "search" - }, - { - "id": "windows-2084e300-a884-11e9-a422-d144027429da", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "windows-421f0610-af98-11e9-a422-d144027429da", - "name": 
"panel_8", - "type": "visualization" - }, - { - "id": "windows-a3c3f350-9b6d-11ea-87e4-49f31ec44891", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-8ef59f90-6ab8-11ea-896f-0d70f7ec3956", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "windows-a79395f0-6aba-11ea-896f-0d70f7ec3956", - "name": "panel_11", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/dashboard/system-f49f3170-9ffc-11ea-87e4-49f31ec44891.json b/packages/system/0.12.0/kibana/dashboard/system-f49f3170-9ffc-11ea-87e4-49f31ec44891.json deleted file mode 100755 index b53893ec0b..0000000000 --- a/packages/system/0.12.0/kibana/dashboard/system-f49f3170-9ffc-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,84 +0,0 @@ -{ - "attributes": { - "description": "Failed and blocked accounts.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"1\",\"w\":14,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"Failed Logins\":\"#EF843C\",\"Failed Logons\":\"#E24D42\",\"Successful Login\":\"#B7DBAB\",\"Successful Logon\":\"#9AC48A\"},\"legendOpen\":true,\"title\":\"Login Successful vs Failed\",\"vis\":{\"colors\":{\"Failed Logins\":\"#EF843C\",\"Failed Logons\":\"#BF1B00\",\"Successful Login\":\"#B7DBAB\",\"Successful Logon\":\"#9AC48A\"},\"legendOpen\":true}},\"gridData\":{\"h\":18,\"i\":\"2\",\"w\":12,\"x\":0,\"y\":7},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"title\":\"Login Successful vs Failed\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Blocked Acoounts\"},\"gridData\":{\"h\":21,\"i\":\"3\",\"w\":11,\"x\":12,\"y\":35},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"title\":\"Blocked Acoounts\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"Login Failed\":\"#F9934E\",\"Login OK\":\"#9AC48A\",\"Logon Failed\":\"#E24D42\",\"Logon Successful\":\"#9AC48A\"},\"legendOpen\":true,\"title\":\"Logon Successful and Failed Over time\",\"vis\":{\"colors\":{\"Login Failed\":\"#F9934E\",\"Login OK\":\"#9AC48A\",\"Logon Failed\":\"#BF1B00\",\"Logon Successful\":\"#9AC48A\"},\"legendOpen\":true}},\"gridData\":{\"h\":18,\"i\":\"4\",\"w\":23,\"x\":12,\"y\":7},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"title\":\"Logon Successful and Failed Over 
time\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"5\",\"w\":12,\"x\":0,\"y\":35},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Failed (Time Mosaic View)\",\"vis\":{\"defaultColors\":{\"0 - 5\":\"rgb(255,245,240)\",\"10 - 15\":\"rgb(252,138,106)\",\"15 - 20\":\"rgb(241,68,50)\",\"20 - 24\":\"rgb(188,20,26)\",\"5 - 10\":\"rgb(253,202,181)\"},\"legendOpen\":false}},\"gridData\":{\"h\":30,\"i\":\"6\",\"w\":48,\"x\":0,\"y\":56},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"title\":\"Logon Failed (Time Mosaic View)\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Failed and Account Lockouts\"},\"gridData\":{\"h\":20,\"i\":\"8\",\"w\":48,\"x\":0,\"y\":86},\"panelIndex\":\"8\",\"panelRefName\":\"panel_6\",\"title\":\"Logon Failed and Account Lockouts\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Failed Source IPs\"},\"gridData\":{\"h\":18,\"i\":\"10\",\"w\":13,\"x\":35,\"y\":7},\"panelIndex\":\"10\",\"panelRefName\":\"panel_7\",\"title\":\"Logon Failed Source IPs\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Failed Logins Table\"},\"gridData\":{\"h\":31,\"i\":\"11\",\"w\":25,\"x\":23,\"y\":25},\"panelIndex\":\"11\",\"panelRefName\":\"panel_8\",\"title\":\"Failed Logins 
Table\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"a79ee89f-ff45-486c-9788-9446d39456c2\",\"w\":34,\"x\":14,\"y\":0},\"panelIndex\":\"a79ee89f-ff45-486c-9788-9446d39456c2\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":10,\"i\":\"7765df59-11c4-476d-898f-9ebf98c369e2\",\"w\":11,\"x\":12,\"y\":25},\"panelIndex\":\"7765df59-11c4-476d-898f-9ebf98c369e2\",\"panelRefName\":\"panel_10\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":10,\"i\":\"b47c91d3-58c4-4b5b-b302-444b048efdfa\",\"w\":12,\"x\":0,\"y\":25},\"panelIndex\":\"b47c91d3-58c4-4b5b-b302-444b048efdfa\",\"panelRefName\":\"panel_11\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[System Windows Security] Failed and Blocked Accounts - Simple Metrics", - "version": 1 - }, - "id": "windows-f49f3170-9ffc-11ea-87e4-49f31ec44891", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-c2ea73f0-a4bd-11e9-a422-d144027429da", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-175a5760-a7d5-11e9-a422-d144027429da", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-7a329a00-a7d5-11e9-a422-d144027429da", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-162d7ab0-a7d6-11e9-a422-d144027429da", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-729443b0-a7d6-11e9-a422-d144027429da", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-4b683ac0-a7d7-11e9-a422-d144027429da", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-757510b0-a87f-11e9-a422-d144027429da", - "name": "panel_6", - "type": "search" - }, - { - "id": "windows-2084e300-a884-11e9-a422-d144027429da", - "name": "panel_7", - "type": "visualization" - }, - { - "id": 
"windows-421f0610-af98-11e9-a422-d144027429da", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-d770b040-9b35-11ea-87e4-49f31ec44891", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-5d117970-9ffd-11ea-87e4-49f31ec44891", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "windows-4bedf650-9ffd-11ea-87e4-49f31ec44891", - "name": "panel_11", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/search/system-06b6b060-7a80-11ea-bc9a-0baf2ca323a3.json b/packages/system/0.12.0/kibana/search/system-06b6b060-7a80-11ea-bc9a-0baf2ca323a3.json deleted file mode 100755 index 855283756c..0000000000 --- a/packages/system/0.12.0/kibana/search/system-06b6b060-7a80-11ea-bc9a-0baf2ca323a3.json +++ /dev/null 
@@ -1,50 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.name", - "user.domain", - "winlog.logon.id", - "event.action", - "winlog.logon.type", - "winlog.event_data.SubjectUserName" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4625\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"4625\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "User Logouts [Windows System Security]", - "version": 1 - }, - "id": "windows-06b6b060-7a80-11ea-bc9a-0baf2ca323a3", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file 
diff --git a/packages/system/0.12.0/kibana/search/system-324686c0-fefb-11e9-8405-516218e3d268.json b/packages/system/0.12.0/kibana/search/system-324686c0-fefb-11e9-8405-516218e3d268.json deleted file mode 100755 index c8b43b2e5e..0000000000 --- a/packages/system/0.12.0/kibana/search/system-324686c0-fefb-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "attributes": { - "columns": [ - "event.action", - "winlog.event_data.TargetUserName", - "user.domain", - "user.name", - "winlog.event_data.SubjectDomainName", - "winlog.logon.id", - "related.user" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4720\",\"4722\",\"4723\",\"4724\",\"4725\",\"4726\",\"4738\",\"4740\",\"4767\",\"4781\",\"4798\"],\"type\":\"phrases\",\"value\":\"4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740, 4767, 4781, 4798\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4720\"}},{\"match_phrase\":{\"event.code\":\"4722\"}},{\"match_phrase\":{\"event.code\":\"4723\"}},{\"match_phrase\":{\"event.code\":\"4724\"}},{\"match_phrase\":{\"event.code\":\"4725\"}},{\"match_phrase\":{\"event.code\":\"4726\"}},{\"match_phrase\":{\"event.code\":\"4738\"}},{\"match_phrase\":{\"event.code\":\"4740\"}},{\"match_phrase\":{\"event.code\":\"4767\"}},{\"match_phrase\":{\"event.code\":\"4781\"}},{\"match_phrase\":{\"event.code\":\"4798\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "User management Details - Search [Windows System Security]", - "version": 1 - }, - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/search/system-62439dc0-f9c9-11e6-a747-6121780e0414.json b/packages/system/0.12.0/kibana/search/system-62439dc0-f9c9-11e6-a747-6121780e0414.json deleted file mode 100755 index abdd218801..0000000000 --- a/packages/system/0.12.0/kibana/search/system-62439dc0-f9c9-11e6-a747-6121780e0414.json +++ /dev/null @@ -1,33 +0,0 @@ -{ - "attributes": { - "columns": [ - "system.auth.ssh.event", - "system.auth.ssh.method", - "user.name", - "source.ip", - "source.geo.country_iso_code" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:system.auth AND system.auth.ssh.event:*\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "SSH login attempts [Logs System]", - "version": 1 - }, - "id": "system-62439dc0-f9c9-11e6-a747-6121780e0414", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/search/system-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3.json b/packages/system/0.12.0/kibana/search/system-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3.json deleted file mode 100755 index 7da0171a43..0000000000 --- a/packages/system/0.12.0/kibana/search/system-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3.json +++ /dev/null 
@@ -1,44 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.name", - "source.domain", - "source.ip", - "winlog.logon.id", - "event.action" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4778\",\"4779\"],\"type\":\"phrases\",\"value\":\"4778, 4779\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4778\"}},{\"match_phrase\":{\"event.code\":\"4779\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Remote Interactive Connections and Disconnections [Windows System Security]", - "version": 1 - }, - "id": "windows-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/search/system-757510b0-a87f-11e9-a422-d144027429da.json b/packages/system/0.12.0/kibana/search/system-757510b0-a87f-11e9-a422-d144027429da.json deleted file mode 100755 index 1bd6621baa..0000000000 --- a/packages/system/0.12.0/kibana/search/system-757510b0-a87f-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,51 +0,0 @@ -{ - "attributes": { - "columns": [ - "event.action", - "user.name", - "related.user", - "user.domain", - "source.domain", - "source.ip", - "winlog.event_data.SubjectUserName" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4625\",\"4740\"],\"type\":\"phrases\",\"value\":\"4625, 4740\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4625\"}},{\"match_phrase\":{\"event.code\":\"4740\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "3. 
Login Failed Details", - "version": 1 - }, - "id": "windows-757510b0-a87f-11e9-a422-d144027429da", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/search/system-7e178c80-fee1-11e9-8405-516218e3d268.json b/packages/system/0.12.0/kibana/search/system-7e178c80-fee1-11e9-8405-516218e3d268.json deleted file mode 100755 index 6b0a39627c..0000000000 --- a/packages/system/0.12.0/kibana/search/system-7e178c80-fee1-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,44 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.name", - "source.domain", - "source.ip", - "winlog.logon.id", - "winlog.logon.type" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4624\"],\"type\":\"phrases\",\"value\":\"4624\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4624\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Logon Details [Windows System Security]", - "version": 1 - }, - "id": "windows-7e178c80-fee1-11e9-8405-516218e3d268", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/search/system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab.json b/packages/system/0.12.0/kibana/search/system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab.json deleted file mode 100755 index ae1484339a..0000000000 --- a/packages/system/0.12.0/kibana/search/system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab.json +++ /dev/null 
@@ -1,33 +0,0 @@
-{
- "attributes": {
- "columns": [
- "user.name",
- "user.id",
- "group.id",
- "system.auth.useradd.home",
- "system.auth.useradd.shell"
- ],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.useradd:*\"}}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "useradd logs [Logs System]",
- "version": 1
- },
- "id": "system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab",
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/system/0.12.0/kibana/search/system-9066d5b0-fef2-11e9-8405-516218e3d268.json b/packages/system/0.12.0/kibana/search/system-9066d5b0-fef2-11e9-8405-516218e3d268.json
deleted file mode 100755
index daa2105b0b..0000000000
--- a/packages/system/0.12.0/kibana/search/system-9066d5b0-fef2-11e9-8405-516218e3d268.json
+++ /dev/null
@@ -1,45 +0,0 @@ -{ - "attributes": { - "columns": [ - "event.action", - "group.name", - "group.domain", - "user.name", - "user.domain", - "host.name" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4731\",\"4732\",\"4733\",\"4734\",\"4735\",\"4737\",\"4764\",\"4727\",\"4728\",\"4729\",\"4730\",\"4754\",\"4755\",\"4756\",\"4757\",\"4758\",\"4799\",\"4749\",\"4750\",\"4751\",\"4752\",\"4753\",\"4759\",\"4760\",\"4761\",\"4762\",\"4763\",\"4744\",\"4745\",\"4746\",\"4748\"],\"type\":\"phrases\",\"value\":\"4731, 4732, 4733, 4734, 4735, 4737, 4764, 4727, 4728, 4729, 4730, 4754, 4755, 4756, 4757, 4758, 4799, 4749, 4750, 4751, 4752, 4753, 4759, 4760, 4761, 4762, 4763, 4744, 4745, 4746, 4748\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4731\"}},{\"match_phrase\":{\"event.code\":\"4732\"}},{\"match_phrase\":{\"event.code\":\"4733\"}},{\"match_phrase\":{\"event.code\":\"4734\"}},{\"match_phrase\":{\"event.code\":\"4735\"}},{\"match_phrase\":{\"event.code\":\"4737\"}},{\"match_phrase\":{\"event.code\":\"4764\"}},{\"match_phrase\":{\"event.code\":\"4727\"}},{\"match_phrase\":{\"event.code\":\"4728\"}},{\"match_phrase\":{\"event.code\":\"4729\"}},{\"match_phrase\":{\"event.code\":\"4730\"}},{\"match_phrase\":{\"event.code\":\"4754\"}},{\"match_phrase\":{\"event.code\":\"4755\"}},{\"match_phrase\":{\"event.code\":\"4756\"}},{\"match_phrase\":{\"event.code\":\"4757\"}},{\"match_phrase\":{\"event.code\":\"4758\"}},{\"match_phrase\":{\"event.code\":\"4799\"}},{\"match_phrase\":{\"event.code\":\"4749\"}},{\"match_phrase\":{\"event.code\":\"4750\"}},{\"match_phrase\":{\"event.code\":\"4751\"}},{\"match_phrase\":{\"event.code\":\"4752\"}},{\"match_phrase\":{\"even
t.code\":\"4753\"}},{\"match_phrase\":{\"event.code\":\"4759\"}},{\"match_phrase\":{\"event.code\":\"4760\"}},{\"match_phrase\":{\"event.code\":\"4761\"}},{\"match_phrase\":{\"event.code\":\"4762\"}},{\"match_phrase\":{\"event.code\":\"4763\"}},{\"match_phrase\":{\"event.code\":\"4744\"}},{\"match_phrase\":{\"event.code\":\"4745\"}},{\"match_phrase\":{\"event.code\":\"4746\"}},{\"match_phrase\":{\"event.code\":\"4748\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Group Management Details - Search View [Windows System Security]", - "version": 1 - }, - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/search/system-Syslog-system-logs.json b/packages/system/0.12.0/kibana/search/system-Syslog-system-logs.json deleted file mode 100755 index 6a2ef982d2..0000000000 --- a/packages/system/0.12.0/kibana/search/system-Syslog-system-logs.json +++ /dev/null 
@@ -1,31 +0,0 @@
-{
- "attributes": {
- "columns": [
- "host.hostname",
- "process.name",
- "message"
- ],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:system.syslog\"}}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "Syslog logs [Logs System]",
- "version": 1
- },
- "id": "system-Syslog-system-logs",
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/system/0.12.0/kibana/search/system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a.json b/packages/system/0.12.0/kibana/search/system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a.json
deleted file mode 100755
index 6a2ef982d2..0000000000
--- a/packages/system/0.12.0/kibana/search/system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a.json
+++ /dev/null
@@ -1,32 +0,0 @@
-{
- "attributes": {
- "columns": [
- "user.name",
- "system.auth.sudo.user",
- "system.auth.sudo.pwd",
- "system.auth.sudo.command"
- ],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.sudo:*\"}}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "Sudo commands [Logs System]",
- "version": 1
- },
- "id": "system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a",
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/system/0.12.0/kibana/search/system-ce71c9a0-a25e-11e9-a422-d144027429da.json b/packages/system/0.12.0/kibana/search/system-ce71c9a0-a25e-11e9-a422-d144027429da.json
deleted file mode 100755
index e64a483853..0000000000
--- a/packages/system/0.12.0/kibana/search/system-ce71c9a0-a25e-11e9-a422-d144027429da.json
+++ /dev/null
@@ -1,44 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.name", - "winlog.logon.type", - "source.domain", - "source.ip", - "winlog.logon.id" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4624\"},\"type\":\"phrase\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4624\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "User Logons [Windows System Security]", - "version": 1 - }, - "id": "windows-ce71c9a0-a25e-11e9-a422-d144027429da", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/search/system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38.json b/packages/system/0.12.0/kibana/search/system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38.json deleted file mode 100755 index e05ac92d9b..0000000000 --- a/packages/system/0.12.0/kibana/search/system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "columns": [ - "group.name", - "group.id" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.groupadd:*\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "groupadd logs [Logs System]", - "version": 1 - }, - "id": "system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-006d75f0-9c03-11ea-87e4-49f31ec44891.json b/packages/system/0.12.0/kibana/visualization/system-006d75f0-9c03-11ea-87e4-49f31ec44891.json deleted file mode 100755 index 990831f624..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-006d75f0-9c03-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4624\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"4624\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Logon Types [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"winlog.logon.id\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"winlog.logon.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"label\":\"user.name: Descending\",\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"cardinality\",\"format\":{\"id\":\"number\"},\"label\":\"Unique count of winlog.logon.id\",\"params\":{}}},\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Logon Types [Windows System Security]\",\"type\":\"pie\"}" - }, - "id": 
"windows-006d75f0-9c03-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.12.0/kibana/visualization/system-0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf.json deleted file mode 100755 index be217ccae6..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4722\"},\"type\":\"phrase\",\"value\":\"4722\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4722\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security \"}}" - }, - "title": "Users Enabled - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Enabled User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Enabled - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-0622da40-9bfd-11ea-87e4-49f31ec44891.json b/packages/system/0.12.0/kibana/visualization/system-0622da40-9bfd-11ea-87e4-49f31ec44891.json deleted file mode 100755 index ce6162e247..0000000000 
--- a/packages/system/0.12.0/kibana/visualization/system-0622da40-9bfd-11ea-87e4-49f31ec44891.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Administrator Logons [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"d5bcde50-9bfc-11ea-aaa3-618beeff2d9c\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(181,49,0,1)\",\"id\":\"16018150-9bfd-11ea-aaa3-618beeff2d9c\",\"operator\":\"gte\",\"value\":0}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"filter\":{\"language\":\"kuery\",\"query\":\"((data_stream.dataset:windows.security OR data_stream.dataset:system.security) AND event.code: \\\"4672\\\")\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Administrator Logons\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Administrator Logons [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-0622da40-9bfd-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.0/kibana/visualization/system-089b85d0-1b16-11e7-b09e-037021c4f8df.json b/packages/system/0.12.0/kibana/visualization/system-089b85d0-1b16-11e7-b09e-037021c4f8df.json deleted file mode 100755 index 40175102f6..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-089b85d0-1b16-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Network Traffic (Bytes) [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"lucene\",\"query\":\"-system.network.name:l*\"},\"id\":\"da1046f0-faa0-11e6-86b1-cd7735ff7e23\",\"index_pattern\":\"*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"da1046f1-faa0-11e6-86b1-cd7735ff7e23\",\"label\":\"Inbound \",\"line_width\":\"0\",\"metrics\":[{\"field\":\"system.network.in.bytes\",\"id\":\"da1046f2-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"max\"},{\"field\":\"da1046f2-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"f41f9280-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"field\":\"f41f9280-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"a87398e0-1b93-11e7-8ada-3df93aab833e\",\"type\":\"positive_only\",\"unit\":\"\"},{\"function\":\"sum\",\"id\":\"2d533df0-2c2d-11e7-be71-3162da85303f\",\"type\":\"series_agg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(250,40,255,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"fbbd5720-faa0-11e6-86b1-cd7735ff7e23\",\"label\":\"Outbound 
\",\"line_width\":\"0\",\"metrics\":[{\"field\":\"system.network.out.bytes\",\"id\":\"fbbd7e30-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"max\"},{\"field\":\"fbbd7e30-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"fbbd7e31-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"id\":\"17e597a0-faa1-11e6-86b1-cd7735ff7e23\",\"script\":\"params.rate != null \\u0026\\u0026 params.rate \\u003e 0 ? params.rate * -1 : null\",\"type\":\"calculation\",\"variables\":[{\"field\":\"fbbd7e31-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"1940bad0-faa1-11e6-86b1-cd7735ff7e23\",\"name\":\"rate\"}]},{\"function\":\"sum\",\"id\":\"533da9b0-2c2d-11e7-be71-3162da85303f\",\"type\":\"series_agg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"Mericbeat: Network Traffic (Bytes)\",\"type\":\"metrics\"}" - }, - "id": "system-089b85d0-1b16-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-0cb2d940-bcde-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.12.0/kibana/visualization/system-0cb2d940-bcde-11e9-b6a2-c9b4015c4baf.json deleted file mode 100755 index 5976994a0e..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-0cb2d940-bcde-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4725\"},\"type\":\"phrase\",\"value\":\"4725\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4725\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Disabled - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Disabled Users\",\"field\":\"user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Disabled - Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-0cb2d940-bcde-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - 
], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-0f2f5280-feeb-11e9-8405-516218e3d268.json b/packages/system/0.12.0/kibana/visualization/system-0f2f5280-feeb-11e9-8405-516218e3d268.json deleted file mode 100755 index 4f9e00daa9..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-0f2f5280-feeb-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4799\"},\"type\":\"phrase\",\"value\":\"4799\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4799\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Group Membership Enumeration - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Group Membership Enumerated\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Blues\",\"colorsRange\":[{\"from\":0,\"to\":500,\"type\":\"range\"},{\"from\":500,\"to\":20000},{\"from\":20000,\"to\":30000},{\"from\":30000,\"to\":40000}],\"invertColors\":true,\"labels\":{\"show\":true},\"metricColorMode\":\"Labels\",\"percentageMode\":false,\"style\":{\"bgColor\":true,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Group Membership Enumeration - Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-0f2f5280-feeb-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-102efd20-bcdd-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.12.0/kibana/visualization/system-102efd20-bcdd-11e9-b6a2-c9b4015c4baf.json deleted file mode 100755 index 72d6ab928a..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-102efd20-bcdd-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4720\"},\"type\":\"phrase\",\"value\":\"4720\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4720\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Created - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Users Created\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Created - Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-102efd20-bcdd-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ 
No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-117f5a30-9b71-11ea-87e4-49f31ec44891.json b/packages/system/0.12.0/kibana/visualization/system-117f5a30-9b71-11ea-87e4-49f31ec44891.json deleted file mode 100755 index 81a2dbc572..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-117f5a30-9b71-11ea-87e4-49f31ec44891.json +++ /dev/null @@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Target Users [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Target Users [Windows System Security]\",\"type\":\"tagcloud\"}" - }, - "id": "windows-117f5a30-9b71-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-12667040-fa80-11e6-a1df-a78bd7504d38.json b/packages/system/0.12.0/kibana/visualization/system-12667040-fa80-11e6-a1df-a78bd7504d38.json deleted file mode 100755 index 8c5d8b0366..0000000000 
--- a/packages/system/0.12.0/kibana/visualization/system-12667040-fa80-11e6-a1df-a78bd7504d38.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New groups [Logs System]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"group.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"group.id\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"New groups\",\"type\":\"table\"}" - }, - "id": "system-12667040-fa80-11e6-a1df-a78bd7504d38", - "references": [ - { - "id": "system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-162d7ab0-a7d6-11e9-a422-d144027429da.json b/packages/system/0.12.0/kibana/visualization/system-162d7ab0-a7d6-11e9-a422-d144027429da.json deleted file mode 100755 index af34020d93..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-162d7ab0-a7d6-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Logon Successful - Logon Failed Timeline [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Login Failed\":\"#F9934E\",\"Login OK\":\"#9AC48A\",\"Logon Failed\":\"#EF843C\",\"Logon Successful\":\"#9AC48A\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"2020-05-17T09:37:55.995Z\",\"to\":\"2020-05-22T03:09:27.260Z\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"filters\":[{\"input\":{\"language\":\"lucene\",\"query\":\"event.code: 4624\"},\"label\":\"Logon Successful\"},{\"input\":{\"language\":\"lucene\",\"query\":\"event.code: 4625\"},\"label\":\"Logon 
Failed\"}]},\"schema\":\"group\",\"type\":\"filters\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"dimensions\":{\"series\":[{\"accessor\":1,\"aggType\":\"filters\",\"format\":{},\"params\":{}}],\"x\":{\"accessor\":0,\"aggType\":\"date_histogram\",\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"HH:mm\"}},\"params\":{\"bounds\":{\"max\":\"2019-07-16T14:30:11.515Z\",\"min\":\"2019-07-16T12:30:11.514Z\"},\"date\":true,\"format\":\"HH:mm\",\"interval\":\"PT1M\"}},\"y\":[{\"accessor\":2,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"bottom\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Logon Successful - Logon Failed Timeline [Windows System Security]\",\"type\":\"histogram\"}" - }, - "id": "windows-162d7ab0-a7d6-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-175a5760-a7d5-11e9-a422-d144027429da.json b/packages/system/0.12.0/kibana/visualization/system-175a5760-a7d5-11e9-a422-d144027429da.json deleted file mode 100755 index f297060faf..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-175a5760-a7d5-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Logon Successful vs Failed [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Failed Logins\":\"#EF843C\",\"Failed Logons\":\"#EA6460\",\"Successful Login\":\"#B7DBAB\",\"Successful Logon\":\"#B7DBAB\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"filters\":[{\"input\":{\"language\":\"lucene\",\"query\":\"event.code: 4624\"},\"label\":\"Successful Logon\"},{\"input\":{\"language\":\"lucene\",\"query\":\"event.code: 4625\"},\"label\":\"Failed Logons\"}]},\"schema\":\"segment\",\"type\":\"filters\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"filters\",\"format\":{},\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}},\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"bottom\",\"type\":\"pie\"},\"title\":\"Logon Successful vs Failed [Windows System Security]\",\"type\":\"pie\"}" - }, - "id": "windows-175a5760-a7d5-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ 
- "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-18348f30-a24d-11e9-a422-d144027429da.json b/packages/system/0.12.0/kibana/visualization/system-18348f30-a24d-11e9-a422-d144027429da.json deleted file mode 100755 index ed999cad48..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-18348f30-a24d-11e9-a422-d144027429da.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "User Logon Dashboard [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":10,\"markdown\":\"## **Logon Information Dashboard**\",\"openLinksInNewTab\":false},\"title\":\"User Logon Dashboard [Windows System Security]\",\"type\":\"markdown\"}" - }, - "id": "windows-18348f30-a24d-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-19e123b0-4d5a-11e7-aee5-fdc812cc3bec.json b/packages/system/0.12.0/kibana/visualization/system-19e123b0-4d5a-11e7-aee5-fdc812cc3bec.json deleted file mode 100755 index dfaa630e4a..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-19e123b0-4d5a-11e7-aee5-fdc812cc3bec.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Swap usage [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.memory\\\"\"},\"gauge_color_rules\":[{\"gauge\":\"rgba(104,188,0,1)\",\"id\":\"d17c1e90-4d59-11e7-aee5-fdc812cc3bec\",\"operator\":\"gte\",\"value\":0},{\"gauge\":\"rgba(251,158,0,1)\",\"id\":\"fc1d3490-4d59-11e7-aee5-fdc812cc3bec\",\"operator\":\"gte\",\"value\":0.7},{\"gauge\":\"rgba(211,49,21,1)\",\"id\":\"0e204240-4d5a-11e7-aee5-fdc812cc3bec\",\"operator\":\"gte\",\"value\":0.85}],\"gauge_inner_width\":10,\"gauge_max\":\"\",\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"cee2fd20-4d59-11e7-aee5-fdc812cc3bec\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"cee2fd21-4d59-11e7-aee5-fdc812cc3bec\",\"label\":\"Swap usage\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.swap.used.pct\",\"id\":\"cee2fd22-4d59-11e7-aee5-fdc812cc3bec\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\"},\"title\":\"Swap usage [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-19e123b0-4d5a-11e7-aee5-fdc812cc3bec", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.0/kibana/visualization/system-1aae9140-1b93-11e7-8ada-3df93aab833e.json b/packages/system/0.12.0/kibana/visualization/system-1aae9140-1b93-11e7-8ada-3df93aab833e.json
deleted file mode 100755
index 1c420ec4c8..0000000000
--- a/packages/system/0.12.0/kibana/visualization/system-1aae9140-1b93-11e7-8ada-3df93aab833e.json
+++ /dev/null
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Outbound Traffic [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"0e346760-1b92-11e7-bec4-a5e9ec5cab8b\"}],\"filter\":{\"language\":\"lucene\",\"query\":\"-system.network.name:l*\"},\"id\":\"0c761590-1b92-11e7-bec4-a5e9ec5cab8b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"0c761591-1b92-11e7-bec4-a5e9ec5cab8b\",\"label\":\"Outbound Traffic\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.out.bytes\",\"id\":\"0c761592-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"max\"},{\"field\":\"0c761592-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"1d659060-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"field\":\"1d659060-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"f2074f70-1b92-11e7-a416-41f5ccdba2e6\",\"type\":\"positive_only\",\"unit\":\"\"},{\"function\":\"sum\",\"id\":\"a1737470-2c55-11e7-a0ad-277ce466684d\",\"type\":\"series_agg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"37f70440-1b92-11e7-bec4-a5e9ec5cab8b\",\"label\":\"Total 
Transferred\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.out.bytes\",\"id\":\"37f72b50-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"max\"},{\"field\":\"37f72b50-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"37f72b51-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"derivative\",\"unit\":\"\"},{\"field\":\"37f72b51-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"f9da2dd0-1b92-11e7-a416-41f5ccdba2e6\",\"type\":\"positive_only\",\"unit\":\"\"},{\"field\":\"f9da2dd0-1b92-11e7-a416-41f5ccdba2e6\",\"function\":\"overall_sum\",\"id\":\"3e63c2f0-1b92-11e7-bec4-a5e9ec5cab8b\",\"sigma\":\"\",\"type\":\"series_agg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"metric\"},\"title\":\"Outbound Traffic [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-1aae9140-1b93-11e7-8ada-3df93aab833e", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-1b5f17d0-feea-11e9-8405-516218e3d268.json b/packages/system/0.12.0/kibana/visualization/system-1b5f17d0-feea-11e9-8405-516218e3d268.json deleted file mode 100755 index 25769759b6..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-1b5f17d0-feea-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4733\",\"4729\",\"4757\",\"4786\",\"4788\",\"4752\",\"4762\",\"4747\"],\"type\":\"phrases\",\"value\":\"4733, 4729, 4757, 4786, 4788, 4752, 4762, 4747\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4733\"}},{\"match_phrase\":{\"event.code\":\"4729\"}},{\"match_phrase\":{\"event.code\":\"4757\"}},{\"match_phrase\":{\"event.code\":\"4786\"}},{\"match_phrase\":{\"event.code\":\"4788\"}},{\"match_phrase\":{\"event.code\":\"4752\"}},{\"match_phrase\":{\"event.code\":\"4762\"}},{\"match_phrase\":{\"event.code\":\"4747\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Removed from Group - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Users Removed from 
Groups\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Greens\",\"colorsRange\":[{\"from\":0,\"to\":1,\"type\":\"range\"},{\"from\":1,\"to\":5},{\"from\":5,\"to\":9},{\"from\":9,\"to\":13},{\"from\":13,\"to\":17},{\"from\":17,\"to\":20000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"Labels\",\"percentageMode\":false,\"style\":{\"bgColor\":true,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Removed from Group - Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-1b5f17d0-feea-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-1b6725f0-ff1d-11e9-8405-516218e3d268.json b/packages/system/0.12.0/kibana/visualization/system-1b6725f0-ff1d-11e9-8405-516218e3d268.json deleted file mode 100755 index 8e66316843..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-1b6725f0-ff1d-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Unlocks - TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(116,167,167,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4767\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Unlocks\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Unlocks - TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-1b6725f0-ff1d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.0/kibana/visualization/system-1f271bc0-231a-11ea-8405-516218e3d268.json b/packages/system/0.12.0/kibana/visualization/system-1f271bc0-231a-11ea-8405-516218e3d268.json
deleted file mode 100755
index 484d0a4e46..0000000000
--- a/packages/system/0.12.0/kibana/visualization/system-1f271bc0-231a-11ea-8405-516218e3d268.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Renamed TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(110,139,162,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4781\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Renamed\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Renamed TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-1f271bc0-231a-11ea-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.0/kibana/visualization/system-2084e300-a884-11e9-a422-d144027429da.json b/packages/system/0.12.0/kibana/visualization/system-2084e300-a884-11e9-a422-d144027429da.json
deleted file mode 100755
index a9120ab5fe..0000000000
--- a/packages/system/0.12.0/kibana/visualization/system-2084e300-a884-11e9-a422-d144027429da.json
+++ /dev/null
@@ -1,37 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4625\"},\"type\":\"phrase\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4625\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Logon Failed Source IP [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"type\":\"vis_dimension\"},\"maxFontSize\":38,\"metric\":{\"accessor\":1,\"format\":{\"id\":\"string\",\"params\":{}},\"type\":\"vis_dimension\"},\"minFontSize\":10,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Logon Failed Source IP [Windows System Security]\",\"type\":\"tagcloud\"}" - }, - "id": "windows-2084e300-a884-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-21aadac0-9c0b-11ea-87e4-49f31ec44891.json b/packages/system/0.12.0/kibana/visualization/system-21aadac0-9c0b-11ea-87e4-49f31ec44891.json deleted file mode 100755 index 856a3b952b..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-21aadac0-9c0b-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security \"}}" - }, - "savedSearchRefName": "search_0", - "title": "Logon Sources [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Logon Sources [Windows System Security]\",\"type\":\"tagcloud\"}" - }, - "id": "windows-21aadac0-9c0b-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-7e178c80-fee1-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-25f31ee0-9c23-11ea-87e4-49f31ec44891.json b/packages/system/0.12.0/kibana/visualization/system-25f31ee0-9c23-11ea-87e4-49f31ec44891.json deleted file mode 100755 index 1a69934c0e..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-25f31ee0-9c23-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4648\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"4648\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Logon with Explicit Credentials [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"user.name\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":200},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"subjectUserName\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"source.ip\",\"field\":\"source.ip\",\"json\":\"{\\\"missing\\\": 
\\\"::\\\"}\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Logon with Explicit Credentials [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-25f31ee0-9c23-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-26732e20-1b91-11e7-bec4-a5e9ec5cab8b.json b/packages/system/0.12.0/kibana/visualization/system-26732e20-1b91-11e7-bec4-a5e9ec5cab8b.json deleted file mode 100755 index 2ca5154a30..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-26732e20-1b91-11e7-bec4-a5e9ec5cab8b.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Load Gauge [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"feefabd0-1b90-11e7-bec4-a5e9ec5cab8b\"}],\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.load\\\" \"},\"gauge_color_rules\":[{\"id\":\"ffd94880-1b90-11e7-bec4-a5e9ec5cab8b\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"fdcc6180-1b90-11e7-bec4-a5e9ec5cab8b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"fdcc6181-1b90-11e7-bec4-a5e9ec5cab8b\",\"label\":\"5m Load\",\"line_width\":1,\"metrics\":[{\"field\":\"system.load.5\",\"id\":\"fdcc6182-1b90-11e7-bec4-a5e9ec5cab8b\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\"},\"title\":\"Load Gauge [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-26732e20-1b91-11e7-bec4-a5e9ec5cab8b", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-26877510-9b72-11ea-87e4-49f31ec44891.json b/packages/system/0.12.0/kibana/visualization/system-26877510-9b72-11ea-87e4-49f31ec44891.json deleted file mode 100755 index 5f69654d68..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-26877510-9b72-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "User Management Actions [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"User Management Actions [Windows System Security]\",\"type\":\"pie\"}" - }, - "id": "windows-26877510-9b72-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-2c71e0f0-9c0d-11ea-87e4-49f31ec44891.json b/packages/system/0.12.0/kibana/visualization/system-2c71e0f0-9c0d-11ea-87e4-49f31ec44891.json deleted file mode 100755 index 642657604a..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-2c71e0f0-9c0d-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4624\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"4624\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Logons Simple [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Logons\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"aggType\":\"cardinality\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Logons Simple [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-2c71e0f0-9c0d-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.0/kibana/visualization/system-2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.12.0/kibana/visualization/system-2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf.json deleted file mode 100755 index 1665d338ef..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "User Management Events - Description [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":10,\"markdown\":\"# **User Management Events**\\n\\n#### This dashboard shows information about User Management Events collected by winlogbeat\\n\",\"openLinksInNewTab\":false},\"title\":\"User Management Events - Description [Windows System Security]\",\"type\":\"markdown\"}" - }, - "id": "windows-2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-2e224660-1b19-11e7-b09e-037021c4f8df.json b/packages/system/0.12.0/kibana/visualization/system-2e224660-1b19-11e7-b09e-037021c4f8df.json deleted file mode 100755 index 75186de954..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-2e224660-1b19-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Processes By Memory [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"bar_color\":\"rgba(104,188,0,1)\",\"id\":\"efb9b660-1b18-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0},{\"bar_color\":\"rgba(254,146,0,1)\",\"id\":\"17fcb820-1b19-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.7},{\"bar_color\":\"rgba(211,49,21,1)\",\"id\":\"1dd61070-1b19-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.85}],\"drilldown_url\":\"\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.process\\\" \"},\"id\":\"edfceb30-1b18-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"edfceb31-1b18-11e7-b09e-037021c4f8df\",\"line_width\":1,\"metrics\":[{\"field\":\"system.process.memory.rss.pct\",\"id\":\"edfceb32-1b18-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"process.name\",\"terms_order_by\":\"edfceb32-1b18-11e7-b09e-037021c4f8df\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Processes By Memory [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-2e224660-1b19-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.0/kibana/visualization/system-327417e0-8462-11e7-bab8-bd2f0fb42c54.json b/packages/system/0.12.0/kibana/visualization/system-327417e0-8462-11e7-bab8-bd2f0fb42c54.json deleted file mode 100755 index 464f6c729c..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-327417e0-8462-11e7-bab8-bd2f0fb42c54.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Dashboards [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"[Syslog](#/dashboard/system-Filebeat-syslog-dashboard) | [Sudo commands](#/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a) | [SSH logins](#/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a) | [New users and groups](#/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab)\"},\"title\":\"Dashboards [Logs System]\",\"type\":\"markdown\"}" - }, - "id": "system-327417e0-8462-11e7-bab8-bd2f0fb42c54", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-33462600-9b47-11ea-87e4-49f31ec44891.json b/packages/system/0.12.0/kibana/visualization/system-33462600-9b47-11ea-87e4-49f31ec44891.json deleted file mode 100755 index 38ebd23ecd..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-33462600-9b47-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Group Management Events - Event Actions - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"event.action\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"event.code\",\"field\":\"event.code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Group Management Events - Event Actions - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-33462600-9b47-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.0/kibana/visualization/system-341ffe70-f9ce-11e6-8115-a7c18106d86a.json b/packages/system/0.12.0/kibana/visualization/system-341ffe70-f9ce-11e6-8115-a7c18106d86a.json deleted file mode 100755 index f155739938..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-341ffe70-f9ce-11e6-8115-a7c18106d86a.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.ssh.event:Failed OR system.auth.ssh.event:Invalid\"}}" - }, - "title": "SSH users of failed login attempts [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"scale\":\"linear\"},\"title\":\"SSH users of failed login attempts\",\"type\":\"tagcloud\"}" - }, - "id": "system-341ffe70-f9ce-11e6-8115-a7c18106d86a", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-346bb290-fa80-11e6-a1df-a78bd7504d38.json b/packages/system/0.12.0/kibana/visualization/system-346bb290-fa80-11e6-a1df-a78bd7504d38.json deleted file mode 100755 index 0ad2f78f65..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-346bb290-fa80-11e6-a1df-a78bd7504d38.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New groups over time [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"group.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"bottom\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"New groups over time\",\"type\":\"histogram\"}" - }, - "id": "system-346bb290-fa80-11e6-a1df-a78bd7504d38", - "references": [ - { - "id": "system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-34f97ee0-1b96-11e7-8ada-3df93aab833e.json b/packages/system/0.12.0/kibana/visualization/system-34f97ee0-1b96-11e7-8ada-3df93aab833e.json deleted file mode 100755 index 89d9b0fae2..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-34f97ee0-1b96-11e7-8ada-3df93aab833e.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Disk Usage [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"bar_color_rules\":[{\"bar_color\":\"rgba(104,188,0,1)\",\"id\":\"bf525310-1b95-11e7-8ada-3df93aab833e\",\"operator\":\"gte\",\"value\":0},{\"bar_color\":\"rgba(254,146,0,1)\",\"id\":\"125fc4c0-1b96-11e7-8ada-3df93aab833e\",\"operator\":\"gte\",\"value\":0.7},{\"bar_color\":\"rgba(211,49,21,1)\",\"id\":\"1a5c7240-1b96-11e7-8ada-3df93aab833e\",\"operator\":\"gte\",\"value\":0.85}],\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"drilldown_url\":\"\",\"filter\":{\"language\":\"lucene\",\"query\":\"-system.filesystem.mount_point:\\\\/run* AND -system.filesystem.mount_point:\\\\/sys* AND -system.filesystem.mount_point:\\\\/dev* AND -system.filesystem.mount_point:\\\\/proc* AND -system.filesystem.mount_point:\\\\/var* AND 
-system.filesystem.mount_point:\\\\/boot\"},\"id\":\"9f7e48a0-1b95-11e7-8ada-3df93aab833e\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"9f7e48a1-1b95-11e7-8ada-3df93aab833e\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"system.filesystem.used.pct\",\"id\":\"9f7e48a2-1b95-11e7-8ada-3df93aab833e\",\"order\":\"desc\",\"order_by\":\"@timestamp\",\"size\":1,\"type\":\"top_hit\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.filesystem.mount_point\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"top_n\"},\"title\":\"Disk Usage [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-34f97ee0-1b96-11e7-8ada-3df93aab833e", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-3cec3eb0-f9d3-11e6-8a3e-2b904044ea1d.json b/packages/system/0.12.0/kibana/visualization/system-3cec3eb0-f9d3-11e6-8a3e-2b904044ea1d.json deleted file mode 100755 index c9e1455d68..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-3cec3eb0-f9d3-11e6-8a3e-2b904044ea1d.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.ssh.event:Failed OR system.auth.ssh.event:Invalid\"}}" - }, - "title": "SSH failed login attempts source locations [Logs System]", - "uiStateJSON": "{\"mapCenter\":[17.602139123350838,69.697265625],\"mapZoom\":2}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"autoPrecision\":true,\"field\":\"source.geo.location\",\"precision\":2},\"schema\":\"segment\",\"type\":\"geohash_grid\"}],\"listeners\":{},\"params\":{\"addTooltip\":true,\"heatBlur\":15,\"heatMaxZoom\":16,\"heatMinOpacity\":0.1,\"heatNormalizeData\":true,\"heatRadius\":25,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[15,5],\"mapType\":\"Shaded Circle Markers\",\"mapZoom\":2,\"wms\":{\"enabled\":false,\"options\":{\"attribution\":\"Maps provided by USGS\",\"format\":\"image/png\",\"layers\":\"0\",\"styles\":\"\",\"transparent\":true,\"version\":\"1.3.0\"},\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\"}},\"title\":\"SSH failed login attempts source locations\",\"type\":\"tile_map\"}" - }, - "id": "system-3cec3eb0-f9d3-11e6-8a3e-2b904044ea1d", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-3d65d450-a9c3-11e7-af20-67db8aecb295.json b/packages/system/0.12.0/kibana/visualization/system-3d65d450-a9c3-11e7-af20-67db8aecb295.json deleted file mode 100755 index 467738abc7..0000000000 
--- a/packages/system/0.12.0/kibana/visualization/system-3d65d450-a9c3-11e7-af20-67db8aecb295.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Tip [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"**TIP:** To select another host, go to the [System Overview](#/dashboard/system-Metrics-system-overview) dashboard and double-click a host name.\"},\"title\":\"Tip [Metrics System]\",\"type\":\"markdown\"}" - }, - "id": "system-3d65d450-a9c3-11e7-af20-67db8aecb295", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-400b63e0-f49a-11e9-8405-516218e3d268.json b/packages/system/0.12.0/kibana/visualization/system-400b63e0-f49a-11e9-8405-516218e3d268.json deleted file mode 100755 index bb1b70ae03..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-400b63e0-f49a-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Groups Changed TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(200,201,197,1)\",\"id\":\"bfcaced0-f419-11e9-928e-8f5fd2b6c66e\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(221,186,64,1)\",\"id\":\"a7d935e0-f497-11e9-928e-8f5fd2b6c66e\",\"operator\":\"gt\",\"value\":0}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code:4735 OR event.code:4737 OR event.code:\\\"4755\\\" OR event.code:\\\"4764\\\" OR event.code:\\\"4750\\\" OR event.code:\\\"4760\\\" OR event.code:\\\"4745\\\" OR event.code:\\\"4784\\\" OR event.code:\\\"4791\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"60d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Groups Changed\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Groups Changed TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-400b63e0-f49a-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.0/kibana/visualization/system-421f0610-af98-11e9-a422-d144027429da.json b/packages/system/0.12.0/kibana/visualization/system-421f0610-af98-11e9-a422-d144027429da.json deleted file mode 100755 index 4a1aa9d3c1..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-421f0610-af98-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4625\"},\"type\":\"phrase\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4625\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Logon Failed Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Time 
Bucket\",\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"h\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"2020-05-17T09:37:55.995Z\",\"to\":\"2020-05-22T03:09:27.260Z\"},\"useNormalizedEsInterval\":true},\"schema\":\"bucket\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"user.name\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"source workstation\",\"field\":\"source.domain\",\"json\":\"{\\\"missing\\\": \\\"N/A\\\"}\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"source.ip\",\"field\":\"source.ip\",\"json\":\"{\\\"missing\\\": 
\\\"::\\\"}\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"event.action\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"winlog.logon.type\",\"field\":\"winlog.logon.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"8\",\"params\":{\"customLabel\":\"winlog.event_data.SubjectUserName\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"date_histogram\",\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD 
HH:mm\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":4,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":5,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":15,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Logon Failed Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-421f0610-af98-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.12.0/kibana/visualization/system-4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf.json deleted file mode 100755 index 17ebedc7ae..0000000000 
--- a/packages/system/0.12.0/kibana/visualization/system-4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4740\"},\"type\":\"phrase\",\"value\":\"4740\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4740\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Locked Out - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Locked User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Locked Out - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-4b683ac0-a7d7-11e9-a422-d144027429da.json b/packages/system/0.12.0/kibana/visualization/system-4b683ac0-a7d7-11e9-a422-d144027429da.json deleted file mode 100755 index b23bd8e0c2..0000000000 
--- a/packages/system/0.12.0/kibana/visualization/system-4b683ac0-a7d7-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4625\"],\"type\":\"phrases\",\"value\":\"4625\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4625\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Failed Logon HeatMap [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 4\":\"rgb(255,255,204)\",\"12 - 16\":\"rgb(252,91,46)\",\"16 - 20\":\"rgb(212,16,32)\",\"4 - 8\":\"rgb(254,225,135)\",\"8 - 12\":\"rgb(254,171,73)\"}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"drop_partials\":true,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"h\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"2020-05-17T09:37:55.995Z\",\"to\":\"2020-05-22T03:09:27.260Z\"},\"useNormalizedEsInterval\":true},\"schema\":\"group\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTooltip\":false,\"colorSchema\":\"Yellow to Red\",\"colorsNumber\":5,\"colorsRange\":[],\"dimensions\":{\"series\":[{\"accessor\":1,\"aggType\":\"date_histogram\",\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD HH:mm\"}},\"label\":\"@timestamp per hour\",\"params\":{}}],\"x\":{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"label\":\"user.name: Descending\",\"params\":{}},\"y\":[{\"accessor\":2,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}}]},\"enableHover\":true,\"invertColors\":false,\"legendPosition\":\"bottom\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"type\":\"heatmap\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"black\",\"overwriteColor\":false,\"rotate\":0,\"show\":true},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Failed Logon HeatMap [Windows System Security]\",\"type\":\"heatmap\"}" - }, - "id": 
"windows-4b683ac0-a7d7-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-4bedf650-9ffd-11ea-87e4-49f31ec44891.json b/packages/system/0.12.0/kibana/visualization/system-4bedf650-9ffd-11ea-87e4-49f31ec44891.json deleted file mode 100755 index 87a436f81d..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-4bedf650-9ffd-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4625\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"4625\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": " Failed Logons [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Failed Logons\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\" Failed Logons [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-4bedf650-9ffd-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": 
"index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-4d546850-1b15-11e7-b09e-037021c4f8df.json b/packages/system/0.12.0/kibana/visualization/system-4d546850-1b15-11e7-b09e-037021c4f8df.json deleted file mode 100755 index cd04472792..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-4d546850-1b15-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "System Load [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.load\\\"\"},\"id\":\"f6264ad0-1b14-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(115,216,255,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"f62671e0-1b14-11e7-b09e-037021c4f8df\",\"label\":\"1m\",\"line_width\":\"3\",\"metrics\":[{\"field\":\"system.load.1\",\"id\":\"f62671e1-1b14-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"1c324850-1b15-11e7-b09e-037021c4f8df\",\"label\":\"5m\",\"line_width\":\"3\",\"metrics\":[{\"field\":\"system.load.5\",\"id\":\"1c324851-1b15-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,98,177,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"3287e740-1b15-11e7-b09e-037021c4f8df\",\"label\":\"15m\",\"line_width\":\"3\",\"metrics\":[{\"field\":\"system.load.15\",\"id\":\"32880e50-1b15-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"
title\":\"System Load [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-4d546850-1b15-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-4e4bb1e0-1b1b-11e7-b09e-037021c4f8df.json b/packages/system/0.12.0/kibana/visualization/system-4e4bb1e0-1b1b-11e7-b09e-037021c4f8df.json deleted file mode 100755 index 4bdb84e270..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-4e4bb1e0-1b1b-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Disk IO (Bytes) [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.diskio\\\"\"},\"id\":\"d3c67db0-1b1a-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(22,165,165,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"d3c67db1-1b1a-11e7-b09e-037021c4f8df\",\"label\":\"reads\",\"line_width\":1,\"metrics\":[{\"field\":\"system.diskio.read.bytes\",\"id\":\"d3c67db2-1b1a-11e7-b09e-037021c4f8df\",\"type\":\"max\"},{\"field\":\"d3c67db2-1b1a-11e7-b09e-037021c4f8df\",\"id\":\"f55b9910-1b1a-11e7-b09e-037021c4f8df\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"field\":\"f55b9910-1b1a-11e7-b09e-037021c4f8df\",\"id\":\"dcbbb100-1b93-11e7-8ada-3df93aab833e\",\"type\":\"positive_only\",\"unit\":\"\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"value_template\":\"{{value}}/s\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(251,158,0,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"144124d0-1b1b-11e7-b09e-037021c4f8df\",\"label\":\"writes\",\"line_width\":1,\"metrics\":[{\"field\":\"system.diskio.write.bytes\",\"id\":\"144124d1-1b1b-11e7-b09e-037021c4f8df\",\"type\":\"max\"},{\"field\":\"144124d1-1b1b-11e7-b09e-037021c4f8df\",\"id\":\"144124d2-1b1b-11e7-b09e-037021c4f8df\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"id\":\"144124d4-1b1b-11e7-b09e-037021c4f8df\",\"script\":\"params.rate \\u003e 0 ? 
params.rate * -1 : 0\",\"type\":\"calculation\",\"variables\":[{\"field\":\"144124d2-1b1b-11e7-b09e-037021c4f8df\",\"id\":\"144124d3-1b1b-11e7-b09e-037021c4f8df\",\"name\":\"rate\"}]}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"value_template\":\"{{value}}/s\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"Disk IO (Bytes) [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-4e4bb1e0-1b1b-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-51164310-fa2b-11e6-bbd3-29c986c96e5a.json b/packages/system/0.12.0/kibana/visualization/system-51164310-fa2b-11e6-bbd3-29c986c96e5a.json deleted file mode 100755 index efa1f752dd..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-51164310-fa2b-11e6-bbd3-29c986c96e5a.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.sudo.error:*\"}}" - }, - "title": "Sudo errors [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"system.auth.sudo.error\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"Sudo errors\",\"type\":\"histogram\"}" - }, - "id": "system-51164310-fa2b-11e6-bbd3-29c986c96e5a", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b.json b/packages/system/0.12.0/kibana/visualization/system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b.json deleted file mode 100755 index bd07f29ec0..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Inbound Traffic [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"0e346760-1b92-11e7-bec4-a5e9ec5cab8b\"}],\"filter\":{\"language\":\"lucene\",\"query\":\"-system.network.name:l*\"},\"id\":\"0c761590-1b92-11e7-bec4-a5e9ec5cab8b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"0c761591-1b92-11e7-bec4-a5e9ec5cab8b\",\"label\":\"Inbound Traffic\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.in.bytes\",\"id\":\"0c761592-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"max\"},{\"field\":\"0c761592-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"1d659060-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"field\":\"1d659060-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"f2074f70-1b92-11e7-a416-41f5ccdba2e6\",\"type\":\"positive_only\",\"unit\":\"\"},{\"function\":\"sum\",\"id\":\"c40e18f0-2c55-11e7-a0ad-277ce466684d\",\"type\":\"series_agg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"37f70440-1b92-11e7-bec4-a5e9ec5cab8b\",\"label\":\"Total 
Transferred\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.in.bytes\",\"id\":\"37f72b50-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"max\"},{\"field\":\"37f72b50-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"37f72b51-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"derivative\",\"unit\":\"\"},{\"field\":\"37f72b51-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"f9da2dd0-1b92-11e7-a416-41f5ccdba2e6\",\"type\":\"positive_only\",\"unit\":\"\"},{\"field\":\"f9da2dd0-1b92-11e7-a416-41f5ccdba2e6\",\"function\":\"overall_sum\",\"id\":\"3e63c2f0-1b92-11e7-bec4-a5e9ec5cab8b\",\"sigma\":\"\",\"type\":\"series_agg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"metric\"},\"title\":\"Inbound Traffic [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-546febc0-f49b-11e9-8405-516218e3d268.json b/packages/system/0.12.0/kibana/visualization/system-546febc0-f49b-11e9-8405-516218e3d268.json deleted file mode 100755 index 65591c57a4..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-546febc0-f49b-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Groups Enumeration - TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(128,128,128,1)\",\"color\":\"rgba(179,179,179,1)\",\"id\":\"bfcaced0-f419-11e9-928e-8f5fd2b6c66e\",\"operator\":\"gt\",\"value\":0},{\"background_color\":\"rgba(179,179,179,1)\",\"id\":\"8d3f3ed0-9b51-11ea-99a1-e5b989979a59\",\"operator\":\"lte\",\"value\":0}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code:4799\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Group Membership Enumeration\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Groups Enumeration - TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-546febc0-f49b-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.0/kibana/visualization/system-568a8130-bcde-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.12.0/kibana/visualization/system-568a8130-bcde-11e9-b6a2-c9b4015c4baf.json deleted file mode 100755 index d8ddc0b1ed..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-568a8130-bcde-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4723\",\"4724\"],\"type\":\"phrases\",\"value\":\"4723, 4724\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4723\"}},{\"match_phrase\":{\"event.code\":\"4724\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Password Reset / Changes [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Password Changes\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Password Reset / Changes [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-568a8130-bcde-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-58fb9480-9b46-11ea-87e4-49f31ec44891.json b/packages/system/0.12.0/kibana/visualization/system-58fb9480-9b46-11ea-87e4-49f31ec44891.json deleted file mode 100755 index 453faebe12..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-58fb9480-9b46-11ea-87e4-49f31ec44891.json +++ /dev/null @@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Group Management Events - Target Groups - Tag Cloud [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"maxFontSize\":58,\"minFontSize\":18,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Group Management Events - Target Groups - Tag Cloud [Windows System Security]\",\"type\":\"tagcloud\"}" - }, - "id": "windows-58fb9480-9b46-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.0/kibana/visualization/system-590a60f0-5d87-11e7-8884-1bb4c3b890e4.json b/packages/system/0.12.0/kibana/visualization/system-590a60f0-5d87-11e7-8884-1bb4c3b890e4.json deleted file mode 100755 index e5419418c6..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-590a60f0-5d87-11e7-8884-1bb4c3b890e4.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Number of processes [Metrics System]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Processes\",\"field\":\"process.pid\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.process\\\"\"},\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"type\":\"gauge\"},\"title\":\"Number of processes\",\"type\":\"metric\"}" - }, - "id": "system-590a60f0-5d87-11e7-8884-1bb4c3b890e4", - "references": [ - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-5bb93ed0-a249-11e9-a422-d144027429da.json b/packages/system/0.12.0/kibana/visualization/system-5bb93ed0-a249-11e9-a422-d144027429da.json deleted file mode 100755 index 75aeb12e0d..0000000000 
--- a/packages/system/0.12.0/kibana/visualization/system-5bb93ed0-a249-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4672\"},\"type\":\"phrase\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4672\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Admin Logons Simple [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Admin Logons\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"aggType\":\"cardinality\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Admin Logons Simple [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-5bb93ed0-a249-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.0/kibana/visualization/system-5c7af030-fa2a-11e6-bbd3-29c986c96e5a.json b/packages/system/0.12.0/kibana/visualization/system-5c7af030-fa2a-11e6-bbd3-29c986c96e5a.json deleted file mode 100755 index 112d3d6530..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-5c7af030-fa2a-11e6-bbd3-29c986c96e5a.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Sudo commands by user [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"Sudo commands by user\",\"type\":\"histogram\"}" - }, - "id": "system-5c7af030-fa2a-11e6-bbd3-29c986c96e5a", - "references": [ - { - "id": "system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-5c9ee410-9b74-11ea-87e4-49f31ec44891.json b/packages/system/0.12.0/kibana/visualization/system-5c9ee410-9b74-11ea-87e4-49f31ec44891.json deleted file mode 100755 index 6807ba0f16..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-5c9ee410-9b74-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "User Event Actions - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"event.action\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":25},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"event.code\",\"field\":\"event.code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"User Event Actions - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-5c9ee410-9b74-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.0/kibana/visualization/system-5d117970-9ffd-11ea-87e4-49f31ec44891.json b/packages/system/0.12.0/kibana/visualization/system-5d117970-9ffd-11ea-87e4-49f31ec44891.json deleted file mode 100755 index 45c348d026..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-5d117970-9ffd-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4740\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"4740\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Blocked Accounts [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Blocked Accounts\",\"field\":\"user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Blocked Accounts [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-5d117970-9ffd-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.0/kibana/visualization/system-5d92b100-bce8-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.12.0/kibana/visualization/system-5d92b100-bce8-11e9-b6a2-c9b4015c4baf.json deleted file mode 100755 index b34bc8bc80..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-5d92b100-bce8-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4738\"],\"type\":\"phrases\",\"value\":\"4738\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4738\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Changes - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Changes in Users\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Changes - Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-5d92b100-bce8-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": 
"visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-5dd15c00-fa78-11e6-ae9b-81e5311e8cab.json b/packages/system/0.12.0/kibana/visualization/system-5dd15c00-fa78-11e6-ae9b-81e5311e8cab.json deleted file mode 100755 index bc04c92dd4..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-5dd15c00-fa78-11e6-ae9b-81e5311e8cab.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New users over time [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"bottom\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"New users over time\",\"type\":\"histogram\"}" - }, - "id": "system-5dd15c00-fa78-11e6-ae9b-81e5311e8cab", - "references": [ - { - "id": "system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-5e19ff80-231c-11ea-8405-516218e3d268.json b/packages/system/0.12.0/kibana/visualization/system-5e19ff80-231c-11ea-8405-516218e3d268.json deleted file mode 100755 index acd93693a8..0000000000 
--- a/packages/system/0.12.0/kibana/visualization/system-5e19ff80-231c-11ea-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4781\"],\"type\":\"phrases\",\"value\":\"4781\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4781\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Renamed - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Renamed Users\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Renamed - Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-5e19ff80-231c-11ea-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": 
"visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.12.0/kibana/visualization/system-5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf.json deleted file mode 100755 index 4e4497d0a4..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4720\"},\"type\":\"phrase\",\"value\":\"4720\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4720\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Created - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Created User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Created - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-5eeaafd0-fee7-11e9-8405-516218e3d268.json b/packages/system/0.12.0/kibana/visualization/system-5eeaafd0-fee7-11e9-8405-516218e3d268.json deleted file mode 100755 index 13589095b5..0000000000 
--- a/packages/system/0.12.0/kibana/visualization/system-5eeaafd0-fee7-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4734\",\"4730\",\"4758\",\"4748\",\"4763\",\"4753\",\"4792\",\"4789\"],\"type\":\"phrases\",\"value\":\"4734, 4730, 4758, 4748, 4763, 4753, 4792, 4789\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4734\"}},{\"match_phrase\":{\"event.code\":\"4730\"}},{\"match_phrase\":{\"event.code\":\"4758\"}},{\"match_phrase\":{\"event.code\":\"4748\"}},{\"match_phrase\":{\"event.code\":\"4763\"}},{\"match_phrase\":{\"event.code\":\"4753\"}},{\"match_phrase\":{\"event.code\":\"4792\"}},{\"match_phrase\":{\"event.code\":\"4789\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"lucene\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Groups Deleted- Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Groups 
Deleted\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Greens\",\"colorsRange\":[{\"from\":0,\"to\":1,\"type\":\"range\"},{\"from\":1,\"to\":5},{\"from\":5,\"to\":10},{\"from\":10,\"to\":15},{\"from\":15,\"to\":20},{\"from\":20,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"Labels\",\"percentageMode\":false,\"style\":{\"bgColor\":true,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Groups Deleted- Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-5eeaafd0-fee7-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-60301890-ff1d-11e9-8405-516218e3d268.json b/packages/system/0.12.0/kibana/visualization/system-60301890-ff1d-11e9-8405-516218e3d268.json deleted file mode 100755 index 520406bfb6..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-60301890-ff1d-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Password Changes - TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(154,196,198,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4723\\\" OR event.code: \\\"4724\\\"\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Password Changes/Reset\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Password Changes - TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-60301890-ff1d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.0/kibana/visualization/system-6b7b9a40-faa1-11e6-86b1-cd7735ff7e23.json b/packages/system/0.12.0/kibana/visualization/system-6b7b9a40-faa1-11e6-86b1-cd7735ff7e23.json deleted file mode 100755 index 22a26c29d4..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-6b7b9a40-faa1-11e6-86b1-cd7735ff7e23.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Network Traffic (Packets) [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"lucene\",\"query\":\"-system.network.name:l*\"},\"id\":\"da1046f0-faa0-11e6-86b1-cd7735ff7e23\",\"index_pattern\":\"*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":\"1\",\"formatter\":\"0.[00]a\",\"id\":\"da1046f1-faa0-11e6-86b1-cd7735ff7e23\",\"label\":\"Inbound\",\"line_width\":\"0\",\"metrics\":[{\"field\":\"system.network.in.packets\",\"id\":\"da1046f2-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"max\"},{\"field\":\"da1046f2-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"f41f9280-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"field\":\"f41f9280-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"c0da3d80-1b93-11e7-8ada-3df93aab833e\",\"type\":\"positive_only\",\"unit\":\"\"},{\"function\":\"sum\",\"id\":\"ecaad010-2c2c-11e7-be71-3162da85303f\",\"type\":\"series_agg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(250,40,255,1)\",\"fill\":\"1\",\"formatter\":\"0.[00]a\",\"id\":\"fbbd5720-faa0-11e6-86b1-cd7735ff7e23\",\"label\":\"Outbound\",\"line_width\":\"0\",\"metrics\":[{\"field\":\"system.network.out.packets\",\"id\":\"fbbd7e30-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"max\"},{\"field\":\"fbbd7e30-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"fbbd7e31-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"id\":\"17e597a0-faa1-11e6-86b
1-cd7735ff7e23\",\"script\":\"params.rate != null \\u0026\\u0026 params.rate \\u003e 0 ? params.rate * -1 : null\",\"type\":\"calculation\",\"variables\":[{\"field\":\"fbbd7e31-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"1940bad0-faa1-11e6-86b1-cd7735ff7e23\",\"name\":\"rate\"}]},{\"function\":\"sum\",\"id\":\"fe5fbdc0-2c2c-11e7-be71-3162da85303f\",\"type\":\"series_agg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"Mericbeat: Network Traffic (Packets)\",\"type\":\"metrics\"}" - }, - "id": "system-6b7b9a40-faa1-11e6-86b1-cd7735ff7e23", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-6f0f2ea0-f414-11e9-8405-516218e3d268.json b/packages/system/0.12.0/kibana/visualization/system-6f0f2ea0-f414-11e9-8405-516218e3d268.json deleted file mode 100755 index ea065ce6e3..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-6f0f2ea0-f414-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Group Management Events - Description [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":10,\"markdown\":\"# **Group Management Events**\\n\\n#### This dashboard shows information about Group Management Events collected by winlogbeat\\n\",\"openLinksInNewTab\":false},\"title\":\"Group Management Events - Description [Windows System Security]\",\"type\":\"markdown\"}" - }, - "id": "windows-6f0f2ea0-f414-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-729443b0-a7d6-11e9-a422-d144027429da.json b/packages/system/0.12.0/kibana/visualization/system-729443b0-a7d6-11e9-a422-d144027429da.json deleted file mode 100755 index da850bf332..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-729443b0-a7d6-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4625\",\"4771\"],\"type\":\"phrases\",\"value\":\"4625, 4771\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4625\"}},{\"match_phrase\":{\"event.code\":\"4771\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Logon Failed Acconts [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"type\":\"vis_dimension\"},\"maxFontSize\":37,\"metric\":{\"accessor\":1,\"format\":{\"id\":\"string\",\"params\":{}},\"type\":\"vis_dimension\"},\"minFontSize\":15,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Logon Failed Acconts [Windows System Security]\",\"type\":\"tagcloud\"}" - }, - "id": "windows-729443b0-a7d6-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], 
- "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-7322f9f0-ff1c-11e9-8405-516218e3d268.json b/packages/system/0.12.0/kibana/visualization/system-7322f9f0-ff1c-11e9-8405-516218e3d268.json deleted file mode 100755 index 2e5508620f..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-7322f9f0-ff1c-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Deleted - TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(228,155,75,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4726\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Deleted\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Deleted - TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-7322f9f0-ff1c-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.0/kibana/visualization/system-78b74f30-f9cd-11e6-8115-a7c18106d86a.json b/packages/system/0.12.0/kibana/visualization/system-78b74f30-f9cd-11e6-8115-a7c18106d86a.json deleted file mode 100755 index c119c156ea..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-78b74f30-f9cd-11e6-8115-a7c18106d86a.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - }, - "title": "SSH login attempts [Logs System]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Accepted\":\"#3F6833\",\"Failed\":\"#F9934E\",\"Invalid\":\"#447EBC\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"system.auth.ssh.event\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"SSH login attempts\",\"type\":\"histogram\"}" - }, - "id": "system-78b74f30-f9cd-11e6-8115-a7c18106d86a", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.0/kibana/visualization/system-7a329a00-a7d5-11e9-a422-d144027429da.json b/packages/system/0.12.0/kibana/visualization/system-7a329a00-a7d5-11e9-a422-d144027429da.json deleted file mode 100755 index 9f8332e30b..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-7a329a00-a7d5-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4740\"},\"type\":\"phrase\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4740\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security \"}}" - }, - "title": "Blocked Accounts Tag [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"type\":\"vis_dimension\"},\"maxFontSize\":53,\"metric\":{\"accessor\":1,\"format\":{\"id\":\"string\",\"params\":{}},\"type\":\"vis_dimension\"},\"minFontSize\":18,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Blocked Accounts Tag [Windows System Security]\",\"type\":\"tagcloud\"}" - }, - "id": "windows-7a329a00-a7d5-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-7cdb1330-4d1a-11e7-a196-69b9a7a020a9.json b/packages/system/0.12.0/kibana/visualization/system-7cdb1330-4d1a-11e7-a196-69b9a7a020a9.json deleted file mode 100755 index e89f3a3690..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-7cdb1330-4d1a-11e7-a196-69b9a7a020a9.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Hosts histogram by CPU usage [Metrics System]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0% - 5%\":\"rgb(247,252,245)\",\"10% - 15%\":\"rgb(116,196,118)\",\"15% - 20%\":\"rgb(35,139,69)\",\"5% - 10%\":\"rgb(199,233,192)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"CPU usage\",\"field\":\"system.cpu.user.pct\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Hosts\",\"field\":\"host.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Greens\",\"colorsNumber\":4,\"colorsRange\":[],\"enableHover\":false,\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.cpu\\\" \"},\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"type\":\"heatmap\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"#555\",\"rotate\":0,\"show\":false},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Hosts histogram by CPU usage [Metrics System]\",\"type\":\"heatmap\"}" - }, - "id": "system-7cdb1330-4d1a-11e7-a196-69b9a7a020a9", - "references": [ - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.0/kibana/visualization/system-7de2e3f0-9b4d-11ea-87e4-49f31ec44891.json b/packages/system/0.12.0/kibana/visualization/system-7de2e3f0-9b4d-11ea-87e4-49f31ec44891.json deleted file mode 100755 index de0df1178e..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-7de2e3f0-9b4d-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Group Management Action Distribution over Time [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-30d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":25},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false,\"valueAxis\":\"\"},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"tru
ncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Group Management Action Distribution over Time [Windows System Security]\",\"type\":\"histogram\"}" - }, - "id": "windows-7de2e3f0-9b4d-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-804dd400-a248-11e9-a422-d144027429da.json b/packages/system/0.12.0/kibana/visualization/system-804dd400-a248-11e9-a422-d144027429da.json deleted file mode 100755 index deaa80ec24..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-804dd400-a248-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4672\"],\"type\":\"phrases\",\"value\":\"4672\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4672\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Logged on Administrators [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Date\",\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"2020-05-20T07:35:27.496Z\",\"to\":\"2020-05-22T00:01:10.239Z\"},\"useNormalizedEsInterval\":true},\"schema\":\"bucket\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"user.name\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"8\",\"params\":{\"customLabel\":\"# 
Thread\",\"field\":\"winlog.process.thread.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"9\",\"params\":{\"customLabel\":\"LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"date_histogram\",\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD HH:mm\"}},\"label\":\"Fecha - Hora \",\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"label\":\"Usuario\",\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"label\":\"# Thread\",\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"label\":\"winlog.logon.id: Descending\",\"params\":{}}],\"metrics\":[{\"accessor\":4,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Cantidad Eventos 
\",\"params\":{}}]},\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Logged on Administrators [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-804dd400-a248-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32.json b/packages/system/0.12.0/kibana/visualization/system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32.json deleted file mode 100755 index 172b24f43c..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Disk Used [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.fsstat\\\"\"},\"gauge_color_rules\":[{\"gauge\":\"rgba(104,188,0,1)\",\"id\":\"51921d10-4d1d-11e7-b5f2-2b7c1895bf32\",\"operator\":\"gte\",\"value\":0},{\"gauge\":\"rgba(251,158,0,1)\",\"id\":\"f26de750-4d54-11e7-b5f2-2b7c1895bf32\",\"operator\":\"gte\",\"value\":0.7},{\"gauge\":\"rgba(211,49,21,1)\",\"id\":\"fa31d190-4d54-11e7-b5f2-2b7c1895bf32\",\"operator\":\"gte\",\"value\":0.85}],\"gauge_inner_width\":10,\"gauge_max\":\"1\",\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"4e4dc780-4d1d-11e7-b5f2-2b7c1895bf32\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"4e4dee90-4d1d-11e7-b5f2-2b7c1895bf32\",\"label\":\"Disk used\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"system.fsstat.total_size.used\",\"id\":\"4e4dee91-4d1d-11e7-b5f2-2b7c1895bf32\",\"order\":\"desc\",\"order_by\":\"@timestamp\",\"size\":1,\"type\":\"top_hit\"},{\"agg_with\":\"avg\",\"field\":\"system.fsstat.total_size.total\",\"id\":\"57c96ee0-4d54-11e7-b5f2-2b7c1895bf32\",\"order\":\"desc\",\"order_by\":\"@timestamp\",\"size\":1,\"type\":\"top_hit\"},{\"id\":\"6304cca0-4d54-11e7-b5f2-2b7c1895bf32\",\"script\":\"params.used/params.total 
\",\"type\":\"math\",\"variables\":[{\"field\":\"4e4dee91-4d1d-11e7-b5f2-2b7c1895bf32\",\"id\":\"6da10430-4d54-11e7-b5f2-2b7c1895bf32\",\"name\":\"used\"},{\"field\":\"57c96ee0-4d54-11e7-b5f2-2b7c1895bf32\",\"id\":\"73b8c510-4d54-11e7-b5f2-2b7c1895bf32\",\"name\":\"total\"}]}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"gauge\"},\"title\":\"Disk used [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b.json b/packages/system/0.12.0/kibana/visualization/system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b.json deleted file mode 100755 index dc7c7ab1d6..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "CPU Usage Gauge [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.cpu\\\"\"},\"gauge_color_rules\":[{\"gauge\":\"rgba(104,188,0,1)\",\"id\":\"4ef2c3b0-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0},{\"gauge\":\"rgba(254,146,0,1)\",\"id\":\"e6561ae0-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0.7},{\"gauge\":\"rgba(211,49,21,1)\",\"id\":\"ec655040-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0.85}],\"gauge_inner_width\":10,\"gauge_max\":\"1\",\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"4c9e2550-1b91-11e7-bec4-a5e9ec5cab8b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"4c9e2551-1b91-11e7-bec4-a5e9ec5cab8b\",\"label\":\"CPU Usage\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.user.pct\",\"id\":\"4c9e2552-1b91-11e7-bec4-a5e9ec5cab8b\",\"type\":\"avg\"},{\"field\":\"system.cpu.system.pct\",\"id\":\"225c2140-5fd7-11e7-a63a-a937b7c1a7e1\",\"type\":\"avg\"},{\"field\":\"system.cpu.cores\",\"id\":\"837a30c0-5fd7-11e7-a63a-a937b7c1a7e1\",\"type\":\"avg\"},{\"id\":\"587aa510-1b91-11e7-bec4-a5e9ec5cab8b\",\"script\":\"params.n \\u003e 0 ? 
(params.user+params.system)/params.n : null\",\"type\":\"calculation\",\"variables\":[{\"field\":\"4c9e2552-1b91-11e7-bec4-a5e9ec5cab8b\",\"id\":\"5a19af10-1b91-11e7-bec4-a5e9ec5cab8b\",\"name\":\"user\"},{\"field\":\"225c2140-5fd7-11e7-a63a-a937b7c1a7e1\",\"id\":\"32b54f80-5fd7-11e7-a63a-a937b7c1a7e1\",\"name\":\"system\"},{\"field\":\"837a30c0-5fd7-11e7-a63a-a937b7c1a7e1\",\"id\":\"8ba6eef0-5fd7-11e7-a63a-a937b7c1a7e1\",\"name\":\"n\"}]}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\"},\"title\":\"CPU Usage Gauge [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-84502430-bce8-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.12.0/kibana/visualization/system-84502430-bce8-11e9-b6a2-c9b4015c4baf.json deleted file mode 100755 index 7a45abc403..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-84502430-bce8-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4740\"],\"type\":\"phrases\",\"value\":\"4740\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4740\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Unlocks - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Users Locked Out\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Unlocks - Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-84502430-bce8-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": 
"visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-855899e0-1b1c-11e7-b09e-037021c4f8df.json b/packages/system/0.12.0/kibana/visualization/system-855899e0-1b1c-11e7-b09e-037021c4f8df.json deleted file mode 100755 index ae48f968a3..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-855899e0-1b1c-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Top Hosts By CPU (Realtime) [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"bar_color\":\"rgba(104,188,0,1)\",\"id\":\"33349dd0-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0},{\"bar_color\":\"rgba(254,146,0,1)\",\"id\":\"997dc440-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.6},{\"bar_color\":\"rgba(211,49,21,1)\",\"id\":\"a10d7f20-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.85}],\"drilldown_url\":\"../app/kibana#/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8?_a=(query:(language:kuery,query:'host.name:\\\"{{key}}\\\"'))\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.cpu\\\"\"},\"id\":\"31e5afa0-1b1c-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"31e5afa1-1b1c-11e7-b09e-037021c4f8df\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.user.pct\",\"id\":\"31e5afa2-1b1c-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"host.name\",\"terms_order_by\":\"31e5afa2-1b1c-11e7-b09e-037021c4f8df\",\"terms_size\":\"10\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Top Hosts By CPU (Realtime) [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-855899e0-1b1c-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.0/kibana/visualization/system-855957d0-bcdd-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.12.0/kibana/visualization/system-855957d0-bcdd-11e9-b6a2-c9b4015c4baf.json deleted file mode 100755 index 09e960ac14..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-855957d0-bcdd-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4722\"},\"type\":\"phrase\",\"value\":\"4722\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4722\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Enabled - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Users Enabled\",\"field\":\"user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Enabled - Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-855957d0-bcdd-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - 
"type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-860706a0-9bfd-11ea-87e4-49f31ec44891.json b/packages/system/0.12.0/kibana/visualization/system-860706a0-9bfd-11ea-87e4-49f31ec44891.json deleted file mode 100755 index 0849027a3c..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-860706a0-9bfd-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "User Logons [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"d5bcde50-9bfc-11ea-aaa3-618beeff2d9c\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(7,139,141,1)\",\"id\":\"16018150-9bfd-11ea-aaa3-618beeff2d9c\",\"operator\":\"gte\",\"value\":0}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"filter\":{\"language\":\"kuery\",\"query\":\"((data_stream.dataset:windows.security OR data_stream.dataset:system.security) AND event.code: \\\"4624\\\")\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Logons \",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"User Logons [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-860706a0-9bfd-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.0/kibana/visualization/system-8ef59f90-6ab8-11ea-896f-0d70f7ec3956.json b/packages/system/0.12.0/kibana/visualization/system-8ef59f90-6ab8-11ea-896f-0d70f7ec3956.json deleted file mode 100755 index ef50f8a93f..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-8ef59f90-6ab8-11ea-896f-0d70f7ec3956.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Failed Logons TSVB [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(181,99,93,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"((data_stream.dataset:windows.security OR data_stream.dataset:system.security) AND event.code: \\\"4625\\\")\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Failed Logon\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Failed Logons TSVB [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-8ef59f90-6ab8-11ea-896f-0d70f7ec3956", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.0/kibana/visualization/system-8f20c950-bcd4-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.12.0/kibana/visualization/system-8f20c950-bcd4-11e9-b6a2-c9b4015c4baf.json deleted file mode 100755 index 2afa9ee825..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-8f20c950-bcd4-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4725\"},\"type\":\"phrase\",\"value\":\"4725\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4725\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Disabled - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Disabled User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Disabled - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-8f20c950-bcd4-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-96976150-4d5d-11e7-aa29-87a97a796de6.json b/packages/system/0.12.0/kibana/visualization/system-96976150-4d5d-11e7-aa29-87a97a796de6.json deleted file mode 100755 index 172bcb8f2c..0000000000 
--- a/packages/system/0.12.0/kibana/visualization/system-96976150-4d5d-11e7-aa29-87a97a796de6.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Packetloss [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"6ba9b1f0-4d5d-11e7-aa29-87a97a796de6\"}],\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.network\\\"\"},\"id\":\"6984af10-4d5d-11e7-aa29-87a97a796de6\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"6984af11-4d5d-11e7-aa29-87a97a796de6\",\"label\":\"In Packetloss\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.in.dropped\",\"id\":\"6984af12-4d5d-11e7-aa29-87a97a796de6\",\"type\":\"max\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"ac2e6b30-4d5d-11e7-aa29-87a97a796de6\",\"label\":\"Out Packetloss\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.out.dropped\",\"id\":\"ac2e6b31-4d5d-11e7-aa29-87a97a796de6\",\"type\":\"max\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"metric\"},\"title\":\"Packetloss [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-96976150-4d5d-11e7-aa29-87a97a796de6", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.0/kibana/visualization/system-97c70300-ff1c-11e9-8405-516218e3d268.json b/packages/system/0.12.0/kibana/visualization/system-97c70300-ff1c-11e9-8405-516218e3d268.json deleted file mode 100755 index ac78018683..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-97c70300-ff1c-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Disabled - TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(79,147,150,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"((data_stream.dataset:windows.security OR data_stream.dataset:system.security) AND event.code: \\\"4725\\\")\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Disabled\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Disabled - TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-97c70300-ff1c-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.0/kibana/visualization/system-98884120-f49d-11e9-8405-516218e3d268.json b/packages/system/0.12.0/kibana/visualization/system-98884120-f49d-11e9-8405-516218e3d268.json deleted file mode 100755 index a227b7f0c3..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-98884120-f49d-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4731\",\"4727\",\"4754\",\"4744\",\"4759\",\"4779\",\"4790\",\"4783\"],\"type\":\"phrases\",\"value\":\"4731, 4727, 4754, 4744, 4759, 4779, 4790, 4783\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4731\"}},{\"match_phrase\":{\"event.code\":\"4727\"}},{\"match_phrase\":{\"event.code\":\"4754\"}},{\"match_phrase\":{\"event.code\":\"4744\"}},{\"match_phrase\":{\"event.code\":\"4759\"}},{\"match_phrase\":{\"event.code\":\"4779\"}},{\"match_phrase\":{\"event.code\":\"4790\"}},{\"match_phrase\":{\"event.code\":\"4783\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Groups Created - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Group\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"group.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Performer 
LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":4,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":5,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Groups Created - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-98884120-f49d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.0/kibana/visualization/system-99381c80-4d60-11e7-9a4c-ed99bbcaa42b.json b/packages/system/0.12.0/kibana/visualization/system-99381c80-4d60-11e7-9a4c-ed99bbcaa42b.json deleted file mode 100755 index 66e166e22e..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-99381c80-4d60-11e7-9a4c-ed99bbcaa42b.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Interfaces by Incoming traffic [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"id\":\"44596d40-4d60-11e7-9a4c-ed99bbcaa42b\"}],\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.network\\\"\"},\"id\":\"42ceae90-4d60-11e7-9a4c-ed99bbcaa42b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"42ced5a0-4d60-11e7-9a4c-ed99bbcaa42b\",\"label\":\"Interfaces by Incoming traffic\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.in.bytes\",\"id\":\"42ced5a1-4d60-11e7-9a4c-ed99bbcaa42b\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"terms_order_by\":\"42ced5a1-4d60-11e7-9a4c-ed99bbcaa42b\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Interfaces by Incoming traffic [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-99381c80-4d60-11e7-9a4c-ed99bbcaa42b", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.0/kibana/visualization/system-9dd22440-ff1d-11e9-8405-516218e3d268.json b/packages/system/0.12.0/kibana/visualization/system-9dd22440-ff1d-11e9-8405-516218e3d268.json deleted file mode 100755 index aa6560812c..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-9dd22440-ff1d-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users locked Out - TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(102,102,102,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"((data_stream.dataset:windows.security OR data_stream.dataset:system.security) AND event.code: \\\"4740\\\")\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Locked Out\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users locked Out - TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-9dd22440-ff1d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.0/kibana/visualization/system-9e534190-f49d-11e9-8405-516218e3d268.json b/packages/system/0.12.0/kibana/visualization/system-9e534190-f49d-11e9-8405-516218e3d268.json
deleted file mode 100755
index d81092dc2b..0000000000
--- a/packages/system/0.12.0/kibana/visualization/system-9e534190-f49d-11e9-8405-516218e3d268.json
+++ /dev/null
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4735\",\"4737\",\"4755\",\"4750\",\"4760\",\"4745\",\"4791\",\"4784\",\"4764\"],\"type\":\"phrases\",\"value\":\"4735, 4737, 4755, 4750, 4760, 4745, 4791, 4784, 4764\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4735\"}},{\"match_phrase\":{\"event.code\":\"4737\"}},{\"match_phrase\":{\"event.code\":\"4755\"}},{\"match_phrase\":{\"event.code\":\"4750\"}},{\"match_phrase\":{\"event.code\":\"4760\"}},{\"match_phrase\":{\"event.code\":\"4745\"}},{\"match_phrase\":{\"event.code\":\"4791\"}},{\"match_phrase\":{\"event.code\":\"4784\"}},{\"match_phrase\":{\"event.code\":\"4764\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Group Changes - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Group\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"group.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Performer 
LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":4,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":5,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Group Changes - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-9e534190-f49d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.0/kibana/visualization/system-Event-Levels.json b/packages/system/0.12.0/kibana/visualization/system-Event-Levels.json
deleted file mode 100755
index 80ebd07044..0000000000
--- a/packages/system/0.12.0/kibana/visualization/system-Event-Levels.json
+++ /dev/null
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system OR data_stream.dataset:system.application OR data_stream.dataset:system.security OR data_stream.dataset:system.system)\"}}" - }, - "title": "Event Levels [Windows Overview]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Log Levels\",\"field\":\"log.level\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Event Levels [Windows Overview]\",\"type\":\"table\"}" - }, - "id": "windows-Event-Levels", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-Navigation.json b/packages/system/0.12.0/kibana/visualization/system-Navigation.json deleted file mode 100755 index d996678974..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-Navigation.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "System Navigation [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"[System Overview](#/dashboard/system-Metrics-system-overview) | [Host Overview](#/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8)\"},\"title\":\"System Navigation [Metrics System]\",\"type\":\"markdown\"}" - }, - "id": "system-Navigation", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-Number-of-Events-Over-Time-By-Event-Log.json b/packages/system/0.12.0/kibana/visualization/system-Number-of-Events-Over-Time-By-Event-Log.json deleted file mode 100755 index cb42f617bc..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-Number-of-Events-Over-Time-By-Event-Log.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system OR data_stream.dataset:system.application OR data_stream.dataset:system.security OR data_stream.dataset:system.system)\"}}" - }, - "title": "Number of Events Over Time By Channel [Windows Overview]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"timeRange\":{\"from\":\"now-15d\",\"mode\":\"relative\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Channel\",\"field\":\"winlog.channel\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":6},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"dimensions\":{\"series\":[{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketL
abel\":\"Other\"}},\"params\":{}}],\"x\":{\"accessor\":0,\"aggType\":\"date_histogram\",\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD HH:mm\"}},\"params\":{\"bounds\":{\"max\":\"2019-02-05T04:30:25.961Z\",\"min\":\"2019-01-21T04:30:25.961Z\"},\"date\":true,\"format\":\"YYYY-MM-DD HH:mm\",\"interval\":43200000}},\"y\":[{\"accessor\":2,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"Number of Events Over Time By Channel [Windows Overview]\",\"type\":\"histogram\"}" - }, - "id": "windows-Number-of-Events-Over-Time-By-Event-Log", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-Number-of-Events.json b/packages/system/0.12.0/kibana/visualization/system-Number-of-Events.json deleted file mode 100755 index 34ecef7340..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-Number-of-Events.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system OR data_stream.dataset:system.application OR data_stream.dataset:system.security OR data_stream.dataset:system.system)\"}}" - }, - "title": "Number of Events [Windows Overview]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"fontSize\":60},\"type\":\"metric\"}" - }, - "id": "windows-Number-of-Events", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-Sources.json b/packages/system/0.12.0/kibana/visualization/system-Sources.json deleted file mode 100755 index b58d86fd65..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-Sources.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system OR data_stream.dataset:system.application OR data_stream.dataset:system.security OR data_stream.dataset:system.system)\"}}" - }, - "title": "Sources (Provider Names) [Windows Overview]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"winlog.provider_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":7},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"shareYAxis\":true,\"type\":\"pie\"},\"title\":\"Sources (Provider Names) [Windows Overview]\",\"type\":\"pie\"}" - }, - "id": "windows-Sources", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.0/kibana/visualization/system-Syslog-events-by-hostname.json b/packages/system/0.12.0/kibana/visualization/system-Syslog-events-by-hostname.json deleted file mode 100755 index 97fdb33425..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-Syslog-events-by-hostname.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Syslog events by hostname [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"host.hostname\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"Syslog events by hostname\",\"type\":\"histogram\"}" - }, - "id": "system-Syslog-events-by-hostname", - "references": [ - { - "id": "system-Syslog-system-logs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-Syslog-hostnames-and-processes.json b/packages/system/0.12.0/kibana/visualization/system-Syslog-hostnames-and-processes.json deleted file mode 100755 index 3fe992e28b..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-Syslog-hostnames-and-processes.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Syslog hostnames and processes [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"host.hostname\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"process.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"legendPosition\":\"bottom\",\"shareYAxis\":true},\"title\":\"Syslog hostnames and processes\",\"type\":\"pie\"}" - }, - "id": "system-Syslog-hostnames-and-processes", - "references": [ - { - "id": "system-Syslog-system-logs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-Top-Event-IDs.json b/packages/system/0.12.0/kibana/visualization/system-Top-Event-IDs.json deleted file mode 100755 index 0b4d5b0b54..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-Top-Event-IDs.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system OR data_stream.dataset:system.application OR data_stream.dataset:system.security OR data_stream.dataset:system.system)\"}}" - }, - "title": "Top Event IDs [Windows Overview]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event IDs\",\"field\":\"winlog.event_id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Event IDs [Windows Overview]\",\"type\":\"table\"}" - }, - "id": "windows-Top-Event-IDs", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-a13bf640-fee8-11e9-8405-516218e3d268.json b/packages/system/0.12.0/kibana/visualization/system-a13bf640-fee8-11e9-8405-516218e3d268.json deleted file mode 100755 index 8337095049..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-a13bf640-fee8-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4732\",\"4728\",\"4756\",\"4751\",\"4761\",\"4746\",\"4785\",\"4787\"],\"type\":\"phrases\",\"value\":\"4732, 4728, 4756, 4751, 4761, 4746, 4785, 4787\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4732\"}},{\"match_phrase\":{\"event.code\":\"4728\"}},{\"match_phrase\":{\"event.code\":\"4756\"}},{\"match_phrase\":{\"event.code\":\"4751\"}},{\"match_phrase\":{\"event.code\":\"4761\"}},{\"match_phrase\":{\"event.code\":\"4746\"}},{\"match_phrase\":{\"event.code\":\"4785\"}},{\"match_phrase\":{\"event.code\":\"4787\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Added - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Users Added to 
Groups\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Reds\",\"colorsRange\":[{\"from\":0,\"to\":1,\"type\":\"range\"},{\"from\":1,\"to\":5},{\"from\":5,\"to\":10},{\"from\":10,\"to\":15},{\"from\":15,\"to\":20},{\"from\":20,\"to\":9999}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"Labels\",\"percentageMode\":false,\"style\":{\"bgColor\":true,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Added - Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-a13bf640-fee8-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-a3c3f350-9b6d-11ea-87e4-49f31ec44891.json b/packages/system/0.12.0/kibana/visualization/system-a3c3f350-9b6d-11ea-87e4-49f31ec44891.json deleted file mode 100755 index 40e5998021..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-a3c3f350-9b6d-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Dashboard links [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"[Windows Overview](#/dashboard/Windows-Dashboard) | [User Logon Information](#/dashboard/windows-bae11b00-9bfc-11ea-87e4-49f31ec44891) | [Logon Failed and Account Lockout](#/dashboard/windows-d401ef40-a7d5-11e9-a422-d144027429da) | [User Management Events](#/dashboard/windows-71f720f0-ff18-11e9-8405-516218e3d268) | [Group Management Events](#/dashboard/windows-bb858830-f412-11e9-8405-516218e3d268)\",\"openLinksInNewTab\":false},\"title\":\"Dashboard links [Windows System Security]\",\"type\":\"markdown\"}" - }, - "id": "windows-a3c3f350-9b6d-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-a5f664c0-f49a-11e9-8405-516218e3d268.json b/packages/system/0.12.0/kibana/visualization/system-a5f664c0-f49a-11e9-8405-516218e3d268.json deleted file mode 100755 index 920ea3a521..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-a5f664c0-f49a-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Removed - TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"bfcaced0-f419-11e9-928e-8f5fd2b6c66e\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(228,155,75,1)\",\"id\":\"11604700-9b51-11ea-99a1-e5b989979a59\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code:4733 OR event.code:4729 OR event.code:4788 OR event.code:4786 OR event.code:4752 OR event.code:4762 OR event.code:4747\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Removed from Group\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Removed - TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-a5f664c0-f49a-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.0/kibana/visualization/system-a79395f0-6aba-11ea-896f-0d70f7ec3956.json b/packages/system/0.12.0/kibana/visualization/system-a79395f0-6aba-11ea-896f-0d70f7ec3956.json
deleted file mode 100755
index 5353bdc134..0000000000
--- a/packages/system/0.12.0/kibana/visualization/system-a79395f0-6aba-11ea-896f-0d70f7ec3956.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Blocked Accounts TSVB [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"color\":\"rgba(51,51,51,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(102,102,102,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4740\\\"\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Blocked Accounts\",\"line_width\":1,\"metrics\":[{\"field\":\"user.name\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"cardinality\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Blocked Accounts TSVB [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-a79395f0-6aba-11ea-896f-0d70f7ec3956", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.0/kibana/visualization/system-a909b930-685f-11ea-896f-0d70f7ec3956.json b/packages/system/0.12.0/kibana/visualization/system-a909b930-685f-11ea-896f-0d70f7ec3956.json deleted file mode 100755 index 4763c28e8b..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-a909b930-685f-11ea-896f-0d70f7ec3956.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Logon Events Timeline [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4672\\\" or event.code: \\\"4624\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(226,115,0,1)\",\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4672\\\"\"},\"id\":\"7560ee50-685f-11ea-8d46-c19e41702dd4\",\"label\":\"Admin logons\"},{\"color\":\"rgba(164,221,243,1)\",\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4624\\\"\"},\"id\":\"80e7fb10-685f-11ea-8d46-c19e41702dd4\",\"label\":\"Logon Events\"}],\"split_mode\":\"filters\",\"stacked\":\"none\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"Logon Events Timeline [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-a909b930-685f-11ea-896f-0d70f7ec3956", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.0/kibana/visualization/system-aa31c9d0-9b75-11ea-87e4-49f31ec44891.json b/packages/system/0.12.0/kibana/visualization/system-aa31c9d0-9b75-11ea-87e4-49f31ec44891.json deleted file mode 100755 index 1dc4eee51a..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-aa31c9d0-9b75-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "User Management Events - Affected Users vs Actions - Heatmap [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Target User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Blues\",\"colorsNumber\":4,\"colorsRange\":[],\"enableHover\":false,\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"type\":\"heatmap\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"black\",\"overwriteColor\":false,\"rotate\":0,\"show\":true},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"User Management Events - Affected Users vs Actions - Heatmap [Windows System Security]\",\"type\":\"heatmap\"}" - }, - "id": "windows-aa31c9d0-9b75-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - 
"name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-ab2d1e90-1b1a-11e7-b09e-037021c4f8df.json b/packages/system/0.12.0/kibana/visualization/system-ab2d1e90-1b1a-11e7-b09e-037021c4f8df.json deleted file mode 100755 index 2dd21f0794..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-ab2d1e90-1b1a-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "CPU Usage [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.cpu\\\"\"},\"id\":\"80a04950-1b19-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"80a04951-1b19-11e7-b09e-037021c4f8df\",\"label\":\"user\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.user.pct\",\"id\":\"80a04952-1b19-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(211,49,21,1)\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"993acf30-1b19-11e7-b09e-037021c4f8df\",\"label\":\"system\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.system.pct\",\"id\":\"993acf31-1b19-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(123,100,255,1)\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"65ca35e0-1b1a-11e7-b09e-037021c4f8df\",\"label\":\"nice\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.nice.pct\",\"id\":\"65ca5cf0-1b1a-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(226,
115,0,1)\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"741b5f20-1b1a-11e7-b09e-037021c4f8df\",\"label\":\"irq\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.irq.pct\",\"id\":\"741b5f21-1b1a-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(176,188,0,1)\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"2efc5d40-1b1a-11e7-b09e-037021c4f8df\",\"label\":\"softirq\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.softirq.pct\",\"id\":\"2efc5d41-1b1a-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(15,20,25,1)\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"ae644a30-1b19-11e7-b09e-037021c4f8df\",\"label\":\"iowait\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.iowait.pct\",\"id\":\"ae644a31-1b19-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"CPU Usage [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-ab2d1e90-1b1a-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-ab6f8d80-bce8-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.12.0/kibana/visualization/system-ab6f8d80-bce8-11e9-b6a2-c9b4015c4baf.json deleted file mode 100755 index b6cba2acef..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-ab6f8d80-bce8-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4767\"],\"type\":\"phrases\",\"value\":\"4767\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4767\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Unlocked Users - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Users Unlocks\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Unlocked Users - Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-ab6f8d80-bce8-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": 
"visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-abd44840-9c0f-11ea-87e4-49f31ec44891.json b/packages/system/0.12.0/kibana/visualization/system-abd44840-9c0f-11ea-87e4-49f31ec44891.json deleted file mode 100755 index 054ff48881..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-abd44840-9c0f-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4624\",\"4672\"],\"type\":\"phrases\",\"value\":\"4624, 4672\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4624\"}},{\"match_phrase\":{\"event.code\":\"4672\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Logon Events in Time - Simple [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Admin Logons\":\"#E24D42\",\"Logon Events\":\"#447EBC\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"2020-05-20T07:35:27.496Z\",\"to\":\"2020-05-22T00:01:10.239Z\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"filters\":[{\"input\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4624\\\" \"},\"label\":\"Logon Events\"},{\"input\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4672\\\" \"},\"label\":\"Admin 
Logons\"}]},\"schema\":\"group\",\"type\":\"filters\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Logon Events in Time - Simple [Windows System Security]\",\"type\":\"line\"}" - }, - "id": "windows-abd44840-9c0f-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-abf96c10-bcea-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.12.0/kibana/visualization/system-abf96c10-bcea-11e9-b6a2-c9b4015c4baf.json deleted file mode 100755 index a9023084a8..0000000000 
--- a/packages/system/0.12.0/kibana/visualization/system-abf96c10-bcea-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4738\"},\"type\":\"phrase\",\"value\":\"4738\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4738\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Changes Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Changed User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Changes Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-abf96c10-bcea-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-b5f38780-fee6-11e9-8405-516218e3d268.json b/packages/system/0.12.0/kibana/visualization/system-b5f38780-fee6-11e9-8405-516218e3d268.json deleted file mode 100755 index a5489335cf..0000000000 
--- a/packages/system/0.12.0/kibana/visualization/system-b5f38780-fee6-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4735\",\"4737\",\"4755\",\"4750\",\"4760\",\"4745\",\"4791\",\"4784\",\"4764\"],\"type\":\"phrases\",\"value\":\"4735, 4737, 4755, 4750, 4760, 4745, 4791, 4784, 4764\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4735\"}},{\"match_phrase\":{\"event.code\":\"4737\"}},{\"match_phrase\":{\"event.code\":\"4755\"}},{\"match_phrase\":{\"event.code\":\"4750\"}},{\"match_phrase\":{\"event.code\":\"4760\"}},{\"match_phrase\":{\"event.code\":\"4745\"}},{\"match_phrase\":{\"event.code\":\"4791\"}},{\"match_phrase\":{\"event.code\":\"4784\"}},{\"match_phrase\":{\"event.code\":\"4764\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Groups Changes - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Groups Changed\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Yellow to 
Red\",\"colorsRange\":[{\"from\":0,\"to\":1,\"type\":\"range\"},{\"from\":1,\"to\":5},{\"from\":5,\"to\":10},{\"from\":10,\"to\":15},{\"from\":15,\"to\":20},{\"from\":20,\"to\":100000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"Labels\",\"percentageMode\":false,\"style\":{\"bgColor\":true,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Groups Changes - Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-b5f38780-fee6-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-b89b0c90-9b41-11ea-87e4-49f31ec44891.json b/packages/system/0.12.0/kibana/visualization/system-b89b0c90-9b41-11ea-87e4-49f31ec44891.json deleted file mode 100755 index b3357604ea..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-b89b0c90-9b41-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Group Management Events - Event Actions [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Group Management Events - Event Actions [Windows System Security]\",\"type\":\"pie\"}" - }, - "id": "windows-b89b0c90-9b41-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-bb9cf7a0-f49d-11e9-8405-516218e3d268.json b/packages/system/0.12.0/kibana/visualization/system-bb9cf7a0-f49d-11e9-8405-516218e3d268.json deleted file mode 100755 index b3122f32a9..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-bb9cf7a0-f49d-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4734\",\"4730\",\"4758\",\"4748\",\"4763\",\"4753\",\"4792\",\"4789\"],\"type\":\"phrases\",\"value\":\"4734, 4730, 4758, 4748, 4763, 4753, 4792, 4789\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4734\"}},{\"match_phrase\":{\"event.code\":\"4730\"}},{\"match_phrase\":{\"event.code\":\"4758\"}},{\"match_phrase\":{\"event.code\":\"4748\"}},{\"match_phrase\":{\"event.code\":\"4763\"}},{\"match_phrase\":{\"event.code\":\"4753\"}},{\"match_phrase\":{\"event.code\":\"4792\"}},{\"match_phrase\":{\"event.code\":\"4789\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Groups Deleted - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Group\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"group.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Performer 
LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":4,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":5,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Groups Deleted - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-bb9cf7a0-f49d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.0/kibana/visualization/system-bc165210-f4b8-11e9-8405-516218e3d268.json b/packages/system/0.12.0/kibana/visualization/system-bc165210-f4b8-11e9-8405-516218e3d268.json deleted file mode 100755 index 04eba5572b..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-bc165210-f4b8-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4799\"],\"type\":\"phrases\",\"value\":\"4799\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4799\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Group Enumeration - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Group\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"group.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Creator\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Creator 
LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":4,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":5,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Group Enumeration - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-bc165210-f4b8-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.0/kibana/visualization/system-bf45dc50-ff1a-11e9-8405-516218e3d268.json b/packages/system/0.12.0/kibana/visualization/system-bf45dc50-ff1a-11e9-8405-516218e3d268.json deleted file mode 100755 index cfa442464c..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-bf45dc50-ff1a-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Enabled - TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(203,142,136,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4722\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Enabled\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Enabled - TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-bf45dc50-ff1a-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.0/kibana/visualization/system-bfa5e400-1b16-11e7-b09e-037021c4f8df.json b/packages/system/0.12.0/kibana/visualization/system-bfa5e400-1b16-11e7-b09e-037021c4f8df.json deleted file mode 100755 index 50aa47d6d7..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-bfa5e400-1b16-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Memory Usage [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.memory\\\"\"},\"id\":\"32f46f40-1b16-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(211,49,21,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"4ff61fd0-1b16-11e7-b09e-037021c4f8df\",\"label\":\"Used\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.actual.used.bytes\",\"id\":\"4ff61fd1-1b16-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"753a6080-1b16-11e7-b09e-037021c4f8df\",\"label\":\"Cache\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.actual.used.bytes\",\"id\":\"753a6081-1b16-11e7-b09e-037021c4f8df\",\"type\":\"avg\"},{\"field\":\"system.memory.used.bytes\",\"id\":\"7c9d3f00-1b16-11e7-b09e-037021c4f8df\",\"type\":\"avg\"},{\"id\":\"869cc160-1b16-11e7-b09e-037021c4f8df\",\"script\":\"params.actual != null \\u0026\\u0026 params.used != null ? 
params.used - params.actual : null\",\"type\":\"calculation\",\"variables\":[{\"field\":\"753a6081-1b16-11e7-b09e-037021c4f8df\",\"id\":\"890f9620-1b16-11e7-b09e-037021c4f8df\",\"name\":\"actual\"},{\"field\":\"7c9d3f00-1b16-11e7-b09e-037021c4f8df\",\"id\":\"8f3ab7f0-1b16-11e7-b09e-037021c4f8df\",\"name\":\"used\"}]}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"32f46f41-1b16-11e7-b09e-037021c4f8df\",\"label\":\"Free\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.free\",\"id\":\"32f46f42-1b16-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"Memory Usage [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-bfa5e400-1b16-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-c2ea73f0-a4bd-11e9-a422-d144027429da.json b/packages/system/0.12.0/kibana/visualization/system-c2ea73f0-a4bd-11e9-a422-d144027429da.json deleted file mode 100755 index a5502e1ded..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-c2ea73f0-a4bd-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Failed Logon and Account Lockout [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":10,\"markdown\":\"### **Failed Logons and Account Lockouts**\",\"openLinksInNewTab\":false},\"title\":\"Failed Logon and Account Lockout [Windows System Security]\",\"type\":\"markdown\"}" - }, - "id": "windows-c2ea73f0-a4bd-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-c359b020-bcdd-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.12.0/kibana/visualization/system-c359b020-bcdd-11e9-b6a2-c9b4015c4baf.json deleted file mode 100755 index e3028daa19..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-c359b020-bcdd-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4726\"},\"type\":\"phrase\",\"value\":\"4726\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4726\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Deleted - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Deleted Users\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Deleted - Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-c359b020-bcdd-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ 
No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-c5e3cf90-4d60-11e7-9a4c-ed99bbcaa42b.json b/packages/system/0.12.0/kibana/visualization/system-c5e3cf90-4d60-11e7-9a4c-ed99bbcaa42b.json deleted file mode 100755 index bbdd02df29..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-c5e3cf90-4d60-11e7-9a4c-ed99bbcaa42b.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Interfaces by Outgoing traffic [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"id\":\"9db20be0-4d60-11e7-9a4c-ed99bbcaa42b\"}],\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.network\\\"\"},\"id\":\"9cdba910-4d60-11e7-9a4c-ed99bbcaa42b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"9cdba911-4d60-11e7-9a4c-ed99bbcaa42b\",\"label\":\"Interfaces by Outgoing traffic\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.out.bytes\",\"id\":\"9cdba912-4d60-11e7-9a4c-ed99bbcaa42b\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"terms_order_by\":\"9cdba912-4d60-11e7-9a4c-ed99bbcaa42b\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Interfaces by Outgoing traffic [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-c5e3cf90-4d60-11e7-9a4c-ed99bbcaa42b", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.0/kibana/visualization/system-c6f2ffd0-4d17-11e7-a196-69b9a7a020a9.json b/packages/system/0.12.0/kibana/visualization/system-c6f2ffd0-4d17-11e7-a196-69b9a7a020a9.json deleted file mode 100755 index a781526538..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-c6f2ffd0-4d17-11e7-a196-69b9a7a020a9.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Number of hosts [Metrics System]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Number of hosts\",\"field\":\"host.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":false},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"63\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"type\":\"gauge\"},\"title\":\"Number of hosts [Metrics System]\",\"type\":\"metric\"}" - }, - "id": "system-c6f2ffd0-4d17-11e7-a196-69b9a7a020a9", - "references": [ - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.0/kibana/visualization/system-c9d959f0-ff1d-11e9-8405-516218e3d268.json b/packages/system/0.12.0/kibana/visualization/system-c9d959f0-ff1d-11e9-8405-516218e3d268.json deleted file mode 100755 index 40d898c6e3..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-c9d959f0-ff1d-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Changes TS VB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(221,186,64,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4738\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Changes\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Changes TS VB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-c9d959f0-ff1d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.0/kibana/visualization/system-caf4d2b0-9b76-11ea-87e4-49f31ec44891.json b/packages/system/0.12.0/kibana/visualization/system-caf4d2b0-9b76-11ea-87e4-49f31ec44891.json deleted file mode 100755 index f179ea214d..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-caf4d2b0-9b76-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Event Distribution in time [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-7d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"p
osition\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Event Distribution in time [Windows System Security]\",\"type\":\"histogram\"}" - }, - "id": "windows-caf4d2b0-9b76-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-ce867840-f49e-11e9-8405-516218e3d268.json b/packages/system/0.12.0/kibana/visualization/system-ce867840-f49e-11e9-8405-516218e3d268.json deleted file mode 100755 index 7ff817a3ea..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-ce867840-f49e-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4732\",\"4728\",\"4756\",\"4751\",\"4761\",\"4746\",\"4785\",\"4787\"],\"type\":\"phrases\",\"value\":\"4732, 4728, 4756, 4751, 4761, 4746, 4785, 4787\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4732\"}},{\"match_phrase\":{\"event.code\":\"4728\"}},{\"match_phrase\":{\"event.code\":\"4756\"}},{\"match_phrase\":{\"event.code\":\"4751\"}},{\"match_phrase\":{\"event.code\":\"4761\"}},{\"match_phrase\":{\"event.code\":\"4746\"}},{\"match_phrase\":{\"event.code\":\"4785\"}},{\"match_phrase\":{\"event.code\":\"4787\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Added - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"User\",\"field\":\"winlog.event_data.MemberName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Group\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"group.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Performed by Logon 
ID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":4,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":5,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":5,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Added - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-ce867840-f49e-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No 
newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-d16bb400-f9cc-11e6-8115-a7c18106d86a.json b/packages/system/0.12.0/kibana/visualization/system-d16bb400-f9cc-11e6-8115-a7c18106d86a.json deleted file mode 100755 index 7d3a140c7b..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-d16bb400-f9cc-11e6-8115-a7c18106d86a.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.ssh.event:Accepted\"}}" - }, - "title": "Successful SSH logins [Logs System]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Accepted\":\"#3F6833\",\"Failed\":\"#F9934E\",\"Invalid\":\"#447EBC\",\"password\":\"#BF1B00\",\"publickey\":\"#629E51\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"system.auth.ssh.method\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"Successful SSH logins\",\"type\":\"histogram\"}" - }, - "id": "system-d16bb400-f9cc-11e6-8115-a7c18106d86a", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.0/kibana/visualization/system-d2e80340-4d5c-11e7-aa29-87a97a796de6.json b/packages/system/0.12.0/kibana/visualization/system-d2e80340-4d5c-11e7-aa29-87a97a796de6.json deleted file mode 100755 index 409529a0d5..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-d2e80340-4d5c-11e7-aa29-87a97a796de6.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Memory usage vs total [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"6f7618b0-4d5c-11e7-aa29-87a97a796de6\"}],\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.memory\\\"\"},\"id\":\"6bc65720-4d5c-11e7-aa29-87a97a796de6\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"6bc65721-4d5c-11e7-aa29-87a97a796de6\",\"label\":\"Memory usage\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.actual.used.bytes\",\"id\":\"6bc65722-4d5c-11e7-aa29-87a97a796de6\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"b8fe6820-4d5c-11e7-aa29-87a97a796de6\",\"label\":\"Total Memory\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.total\",\"id\":\"b8fe6821-4d5c-11e7-aa29-87a97a796de6\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"metric\"},\"title\":\"Memory usage vs total\",\"type\":\"metrics\"}" - }, - "id": "system-d2e80340-4d5c-11e7-aa29-87a97a796de6", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.0/kibana/visualization/system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b.json b/packages/system/0.12.0/kibana/visualization/system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b.json deleted file mode 100755 index bc6234f906..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Memory Usage Gauge [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.memory\\\"\"},\"gauge_color_rules\":[{\"gauge\":\"rgba(104,188,0,1)\",\"id\":\"a0d522e0-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0},{\"gauge\":\"rgba(254,146,0,1)\",\"id\":\"b45ad8f0-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0.7},{\"gauge\":\"rgba(211,49,21,1)\",\"id\":\"c06e9550-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0.85}],\"gauge_inner_width\":10,\"gauge_max\":\"1\",\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"9f51b730-1b91-11e7-bec4-a5e9ec5cab8b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"9f51b731-1b91-11e7-bec4-a5e9ec5cab8b\",\"label\":\"Memory Usage\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.actual.used.pct\",\"id\":\"9f51b732-1b91-11e7-bec4-a5e9ec5cab8b\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\"},\"title\":\"Memory Usage Gauge [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.0/kibana/visualization/system-d3a5fec0-ff18-11e9-8405-516218e3d268.json b/packages/system/0.12.0/kibana/visualization/system-d3a5fec0-ff18-11e9-8405-516218e3d268.json deleted file mode 100755 index 4fbf0e757e..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-d3a5fec0-ff18-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Created - TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(181,99,93,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4720\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Created\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Created - TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-d3a5fec0-ff18-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.0/kibana/visualization/system-d56ee420-fa79-11e6-a1df-a78bd7504d38.json b/packages/system/0.12.0/kibana/visualization/system-d56ee420-fa79-11e6-a1df-a78bd7504d38.json deleted file mode 100755 index 4a1a669662..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-d56ee420-fa79-11e6-a1df-a78bd7504d38.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New users by home directory [Logs System]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"/bin/bash\":\"#E24D42\",\"/bin/false\":\"#508642\",\"/nonexistent\":\"#629E51\",\"/sbin/nologin\":\"#7EB26D\"},\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"system.auth.useradd.home\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":false,\"legendPosition\":\"right\"},\"title\":\"New users by home directory\",\"type\":\"pie\"}" - }, - "id": "system-d56ee420-fa79-11e6-a1df-a78bd7504d38", - "references": [ - { - "id": "system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-d770b040-9b35-11ea-87e4-49f31ec44891.json b/packages/system/0.12.0/kibana/visualization/system-d770b040-9b35-11ea-87e4-49f31ec44891.json deleted file mode 100755 index be99e9e1a7..0000000000 
--- a/packages/system/0.12.0/kibana/visualization/system-d770b040-9b35-11ea-87e4-49f31ec44891.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system OR data_stream.dataset:system.application OR data_stream.dataset:system.security OR data_stream.dataset:system.system)\"}}" - }, - "title": "Dashboard links - Simple [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"[Windows General Dashboard](#/dashboard/Windows-Dashboard) | [User Logon Information](#/dashboard/windows-035846a0-a249-11e9-a422-d144027429da?) | [Logon failed and Account Lockout](#/dashboard/windows-f49f3170-9ffc-11ea-87e4-49f31ec44891) | [User Management Events](#/dashboard/windows-8223bed0-b9e9-11e9-b6a2-c9b4015c4baf) | [Group Management Events](#/dashboard/windows-01c54730-fee6-11e9-8405-516218e3d268)\",\"openLinksInNewTab\":false},\"title\":\"Dashboard links - Simple [Windows System Security]\",\"type\":\"markdown\"}" - }, - "id": "windows-d770b040-9b35-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-da2110c0-bcea-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.12.0/kibana/visualization/system-da2110c0-bcea-11e9-b6a2-c9b4015c4baf.json deleted file mode 100755 index 29b2307260..0000000000 
--- a/packages/system/0.12.0/kibana/visualization/system-da2110c0-bcea-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4767\"},\"type\":\"phrase\",\"value\":\"4767\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4767\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Unlocked Users - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Unlocked User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
Logonid\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Unlocked Users - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-da2110c0-bcea-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.12.0/kibana/visualization/system-da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf.json deleted file mode 100755 index 27533dc793..0000000000 
--- a/packages/system/0.12.0/kibana/visualization/system-da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4723\",\"4724\"],\"type\":\"phrases\",\"value\":\"4723, 4724\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4723\"}},{\"match_phrase\":{\"event.code\":\"4724\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Password Changes - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Password Change to\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Password Changes - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-dc589770-fa2b-11e6-bbd3-29c986c96e5a.json b/packages/system/0.12.0/kibana/visualization/system-dc589770-fa2b-11e6-bbd3-29c986c96e5a.json deleted file mode 100755 index 16dd4ec2e5..0000000000 
--- a/packages/system/0.12.0/kibana/visualization/system-dc589770-fa2b-11e6-bbd3-29c986c96e5a.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top sudo commands [Logs System]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"system.auth.sudo.command\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.auth\\\"\"},\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top sudo commands\",\"type\":\"table\"}" - }, - "id": "system-dc589770-fa2b-11e6-bbd3-29c986c96e5a", - "references": [ - { - "id": "system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-e0f001c0-1b18-11e7-b09e-037021c4f8df.json b/packages/system/0.12.0/kibana/visualization/system-e0f001c0-1b18-11e7-b09e-037021c4f8df.json deleted file mode 100755 index 0de4eae928..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-e0f001c0-1b18-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Top Processes By CPU [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"bar_color\":\"rgba(104,188,0,1)\",\"id\":\"60e11be0-1b18-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0}],\"drilldown_url\":\"\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.process\\\"\"},\"id\":\"5f5b8d50-1b18-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"5f5b8d51-1b18-11e7-b09e-037021c4f8df\",\"line_width\":1,\"metrics\":[{\"field\":\"system.process.cpu.total.pct\",\"id\":\"5f5b8d52-1b18-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"process.name\",\"terms_order_by\":\"5f5b8d52-1b18-11e7-b09e-037021c4f8df\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Top Processes By CPU [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-e0f001c0-1b18-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-e121b140-fa78-11e6-a1df-a78bd7504d38.json b/packages/system/0.12.0/kibana/visualization/system-e121b140-fa78-11e6-a1df-a78bd7504d38.json deleted file mode 100755 index 8bc2dd67ee..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-e121b140-fa78-11e6-a1df-a78bd7504d38.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New users by shell [Logs System]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"/bin/bash\":\"#E24D42\",\"/bin/false\":\"#508642\",\"/sbin/nologin\":\"#7EB26D\"},\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"system.auth.useradd.shell\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.auth\\\"\"},\"isDonut\":false,\"legendPosition\":\"right\"},\"title\":\"New users by shell\",\"type\":\"pie\"}" - }, - "id": "system-e121b140-fa78-11e6-a1df-a78bd7504d38", - "references": [ - { - "id": "system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-e20c02d0-9b48-11ea-87e4-49f31ec44891.json b/packages/system/0.12.0/kibana/visualization/system-e20c02d0-9b48-11ea-87e4-49f31ec44891.json deleted file mode 100755 index 8b24cd66d5..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-e20c02d0-9b48-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Group Management Events - Groups vs Actions - Heatmap [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Target Groups\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Actions\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Blues\",\"colorsNumber\":4,\"colorsRange\":[],\"enableHover\":false,\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"type\":\"heatmap\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"black\",\"overwriteColor\":false,\"rotate\":0,\"show\":true},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Group Management Events - Groups vs Actions - Heatmap [Windows System Security]\",\"type\":\"heatmap\"}" - }, - "id": "windows-e20c02d0-9b48-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": 
"search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-e22c6f40-f498-11e9-8405-516218e3d268.json b/packages/system/0.12.0/kibana/visualization/system-e22c6f40-f498-11e9-8405-516218e3d268.json deleted file mode 100755 index fa97c1bb70..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-e22c6f40-f498-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Groups Deleted TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(200,201,197,1)\",\"id\":\"bfcaced0-f419-11e9-928e-8f5fd2b6c66e\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(228,155,75,1)\",\"id\":\"a7d935e0-f497-11e9-928e-8f5fd2b6c66e\",\"operator\":\"gt\",\"value\":0}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code:4734 OR event.code:4730 OR event.code:4758 OR event.code:4753 OR event.code:4763 OR event.code:4748 OR event.code:4789 OR event.code:4792\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Groups Deleted\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Groups Deleted TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-e22c6f40-f498-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.0/kibana/visualization/system-e2516c10-a249-11e9-a422-d144027429da.json b/packages/system/0.12.0/kibana/visualization/system-e2516c10-a249-11e9-a422-d144027429da.json deleted file mode 100755 index de6a2d6e79..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-e2516c10-a249-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4672\"},\"type\":\"phrase\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4672\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Administrator Users [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"winlog.logon.id\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"label\":\"user.name: Descending\",\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"cardinality\",\"format\":{\"id\":\"number\"},\"label\":\"Unique count of winlog.logon.id\",\"params\":{}}},\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"bottom\",\"type\":\"pie\"},\"title\":\"Administrator Users [Windows System Security]\",\"type\":\"pie\"}" - 
}, - "id": "windows-e2516c10-a249-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.12.0/kibana/visualization/system-ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf.json deleted file mode 100755 index 92704f61b4..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4726\"},\"type\":\"phrase\",\"value\":\"4726\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4726\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Deleted - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Deleted User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performed 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Deleted - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-ee292bc0-f499-11e9-8405-516218e3d268.json b/packages/system/0.12.0/kibana/visualization/system-ee292bc0-f499-11e9-8405-516218e3d268.json deleted file mode 100755 index 9fe3b6d974..0000000000 
--- a/packages/system/0.12.0/kibana/visualization/system-ee292bc0-f499-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Groups Created TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(200,201,197,1)\",\"id\":\"bfcaced0-f419-11e9-928e-8f5fd2b6c66e\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(181,99,93,1)\",\"id\":\"a7d935e0-f497-11e9-928e-8f5fd2b6c66e\",\"operator\":\"gt\",\"value\":0}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code:4731 OR event.code:4727 OR event.code:\\\"4754\\\" OR event.code:\\\"4749\\\" OR event.code:\\\"4759\\\" OR event.code:\\\"4744\\\" OR event.code:\\\"4783\\\" OR event.code:\\\"4790\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Groups Created\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Groups Created TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-ee292bc0-f499-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.0/kibana/visualization/system-f398d2f0-fa77-11e6-ae9b-81e5311e8cab.json b/packages/system/0.12.0/kibana/visualization/system-f398d2f0-fa77-11e6-ae9b-81e5311e8cab.json
deleted file mode 100755
index 485b755000..0000000000
--- a/packages/system/0.12.0/kibana/visualization/system-f398d2f0-fa77-11e6-ae9b-81e5311e8cab.json
+++ /dev/null
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New users [Logs System]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Host\",\"field\":\"host.hostname\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"User\",\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"UID\",\"field\":\"user.id\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"GID\",\"field\":\"group.id\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Home\",\"field\":\"system.auth.useradd.home\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"Shell\",\"field\":\"system.auth.useradd.shell\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.auth\\\"\"},\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"New users\",\"type\":\"table\"}" - }, - "id": "system-f398d2f0-fa77-11e6-ae9b-81e5311e8cab", - "references": [ - { - "id": 
"system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-f42f3b20-fee6-11e9-8405-516218e3d268.json b/packages/system/0.12.0/kibana/visualization/system-f42f3b20-fee6-11e9-8405-516218e3d268.json deleted file mode 100755 index be6236125f..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-f42f3b20-fee6-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4731\",\"4727\",\"4754\",\"4744\",\"4759\",\"4779\",\"4790\",\"4783\"],\"type\":\"phrases\",\"value\":\"4731, 4727, 4754, 4744, 4759, 4779, 4790, 4783\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4731\"}},{\"match_phrase\":{\"event.code\":\"4727\"}},{\"match_phrase\":{\"event.code\":\"4754\"}},{\"match_phrase\":{\"event.code\":\"4744\"}},{\"match_phrase\":{\"event.code\":\"4759\"}},{\"match_phrase\":{\"event.code\":\"4779\"}},{\"match_phrase\":{\"event.code\":\"4790\"}},{\"match_phrase\":{\"event.code\":\"4783\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Groups Created - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Groups Created\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Reds\",\"colorsRange\":[{\"from\":0,\"to\":1,\"type\":\"range\"},{\"from\":1,\"to\":10},{\"from\":10,\"to\":20},{\"from\":20,\"to\":9999}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"Labels\",\"percentageMode\":false,\"style\":{\"bgColor\":true,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Groups Created - 
Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-f42f3b20-fee6-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-fa876300-231a-11ea-8405-516218e3d268.json b/packages/system/0.12.0/kibana/visualization/system-fa876300-231a-11ea-8405-516218e3d268.json deleted file mode 100755 index 48a9eef8da..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-fa876300-231a-11ea-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4781\"},\"type\":\"phrase\",\"value\":\"4781\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4781\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Renamed - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Old User Name\",\"field\":\"winlog.event_data.OldTargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Renamed - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-fa876300-231a-11ea-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-fe064790-1b1f-11e7-bec4-a5e9ec5cab8b.json b/packages/system/0.12.0/kibana/visualization/system-fe064790-1b1f-11e7-bec4-a5e9ec5cab8b.json deleted file mode 100755 index 86576781aa..0000000000 
--- a/packages/system/0.12.0/kibana/visualization/system-fe064790-1b1f-11e7-bec4-a5e9ec5cab8b.json
+++ /dev/null
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Top Hosts By Memory (Realtime) [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"bar_color\":\"rgba(104,188,0,1)\",\"id\":\"33349dd0-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0},{\"bar_color\":\"rgba(254,146,0,1)\",\"id\":\"997dc440-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.6},{\"bar_color\":\"rgba(211,49,21,1)\",\"id\":\"a10d7f20-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.85}],\"drilldown_url\":\"../app/kibana#/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8?_a=(query:(language:kuery,query:'host.name:\\\"{{key}}\\\"'))\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.memory\\\"\"},\"id\":\"31e5afa0-1b1c-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"31e5afa1-1b1c-11e7-b09e-037021c4f8df\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.actual.used.pct\",\"id\":\"31e5afa2-1b1c-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"host.name\",\"terms_order_by\":\"31e5afa2-1b1c-11e7-b09e-037021c4f8df\",\"terms_size\":\"10\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Top Hosts By Memory (Realtime) [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-fe064790-1b1f-11e7-bec4-a5e9ec5cab8b", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.0/kibana/visualization/system-fee83900-f49f-11e9-8405-516218e3d268.json b/packages/system/0.12.0/kibana/visualization/system-fee83900-f49f-11e9-8405-516218e3d268.json
deleted file mode 100755
index 4ca79e5282..0000000000
--- a/packages/system/0.12.0/kibana/visualization/system-fee83900-f49f-11e9-8405-516218e3d268.json
+++ /dev/null
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4733\",\"4729\",\"4757\",\"4786\",\"4788\",\"4752\",\"4762\",\"4747\"],\"type\":\"phrases\",\"value\":\"4733, 4729, 4757, 4786, 4788, 4752, 4762, 4747\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4733\"}},{\"match_phrase\":{\"event.code\":\"4729\"}},{\"match_phrase\":{\"event.code\":\"4757\"}},{\"match_phrase\":{\"event.code\":\"4786\"}},{\"match_phrase\":{\"event.code\":\"4788\"}},{\"match_phrase\":{\"event.code\":\"4752\"}},{\"match_phrase\":{\"event.code\":\"4762\"}},{\"match_phrase\":{\"event.code\":\"4747\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Removed from Group - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"User\",\"field\":\"winlog.event_data.MemberName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Group\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"group.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Performed by Logon 
ID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":4,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":5,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":5,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Removed from Group - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-fee83900-f49f-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": 
"visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.0/kibana/visualization/system-ffebe440-f419-11e9-8405-516218e3d268.json b/packages/system/0.12.0/kibana/visualization/system-ffebe440-f419-11e9-8405-516218e3d268.json deleted file mode 100755 index a4964edb78..0000000000 --- a/packages/system/0.12.0/kibana/visualization/system-ffebe440-f419-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Added - Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"bfcaced0-f419-11e9-928e-8f5fd2b6c66e\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(181,99,93,1)\",\"id\":\"a7d935e0-f497-11e9-928e-8f5fd2b6c66e\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code:4732 OR event.code:4728 OR event.code:4756 OR event.code:4751 OR event.code:4761 OR event.code:4746 OR event.code:4785 OR event.code:4787\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Added to Group\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Added - Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-ffebe440-f419-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.0/manifest.yml b/packages/system/0.12.0/manifest.yml
deleted file mode 100755
index e9fa55b64e..0000000000
--- a/packages/system/0.12.0/manifest.yml
+++ /dev/null
@@ -1,79 +0,0 @@ -format_version: 1.0.0 -name: system -title: System -version: 0.12.0 -license: basic -description: System Integration -type: integration -categories: - - os_system - - security -release: beta -conditions: - kibana.version: '^7.13.0' -screenshots: - - src: /img/kibana-system.png - title: kibana system - size: 1220x852 - type: image/png - - src: /img/metricbeat_system_dashboard.png - title: metricbeat system dashboard - size: 2097x1933 - type: image/png -icons: - - src: /img/system.svg - title: system - size: 1000x1000 - type: image/svg+xml -policy_templates: - - name: system - title: System logs and metrics - description: Collect logs and metrics from System instances - inputs: - - type: logfile - title: Collect logs from System instances - description: Collecting System auth and syslog logs - - type: winlog - title: 'Collect events from the Windows event log' - description: 'Collecting events from Windows event log' - - type: system/metrics - title: Collect metrics from System instances - description: Collecting System core, CPU, diskio, entropy, filesystem, fsstat, load, memory, network, Network Summary, process, Process Summary, raid, service, socket, Socket Summary, uptime and users metrics - vars: - - name: system.hostfs - type: text - title: Proc Filesystem Directory - multi: false - required: false - show_user: true - description: The proc filesystem base directory. - - type: httpjson - title: Collect logs from third-party REST API (experimental) - description: Collect logs from third-party REST API (experimental) - vars: - - name: url - type: text - title: URL of Splunk Enterprise Server - description: i.e. 
scheme://host:port, path is automatic - show_user: true - required: true - default: https://server.example.com:8089 - - name: username - type: text - title: Splunk REST API Username - show_user: true - required: true - - name: password - type: password - title: Splunk REST API Password - required: true - show_user: true - - name: ssl - type: yaml - title: SSL Configuration - description: i.e. certificate_authorities, supported_protocols, verification_mode etc. - multi: false - required: false - show_user: false -owner: - github: elastic/integrations diff --git a/packages/system/0.12.1/changelog.yml b/packages/system/0.12.1/changelog.yml deleted file mode 100755 index c77e7453cf..0000000000 --- a/packages/system/0.12.1/changelog.yml +++ /dev/null 
@@ -1,34 +0,0 @@ -# newer versions go on top -- version: "0.12.1" - changes: - - description: Change Splunk input to use the decode_xml_wineventlog processor. - type: enhancement - link: https://github.com/elastic/integrations/pull/ -- version: "0.12.0" - changes: - - description: Add Splunk input for application, system, and security data streams. - type: enhancement - link: https://github.com/elastic/integrations/pull/890 -- version: "0.11.3" - changes: - - description: Updating package owner - type: enhancement - link: https://github.com/elastic/integrations/pull/766 - - description: update to ECS 1.9.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/874 -- version: "0.11.2" - changes: - - description: Update security data stream - type: bugfix # can be one of: enhancement, bugfix, breaking-change - link: https://github.com/elastic/integrations/pull/728 -- version: "0.11.1" # unreleased - changes: - - description: remove duplicate ingest pipeline for syslog data stream - type: bugfix - link: https://github.com/elastic/integrations/pull/725 -- version: "0.0.3" - changes: - - description: initial release - type: enhancement # can be one of: enhancement, bugfix, breaking-change - link: https://github.com/elastic/integrations/pull/8 diff --git a/packages/system/0.12.1/data_stream/application/agent/stream/httpjson.yml.hbs b/packages/system/0.12.1/data_stream/application/agent/stream/httpjson.yml.hbs deleted file mode 100755 index e5e84c288a..0000000000 --- a/packages/system/0.12.1/data_stream/application/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,90 +0,0 @@ -config_version: "2" -interval: {{interval}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: |- - {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -response.decode_as: application/x-ndjson -tags: -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains tags "forwarded"}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: - - decode_json_fields: - fields: message - target: json - add_error_key: true - - drop_event: - when: - not: - has_fields: ['json.result'] - - fingerprint: - fields: - - json.result._cd - - json.result._indextime - - json.result._raw - - json.result._time - - json.result.host - - json.result.source - target_field: "@metadata._id" - - drop_fields: - fields: message - - rename: - fields: - - from: json.result._raw - to: event.original - - from: json.result.host - to: host.name - - from: json.result.source - to: event.provider - ignore_missing: true - fail_on_error: false - - drop_fields: - fields: json - - decode_xml_wineventlog: - field: event.original - target_field: winlog - ignore_missing: true - ignore_failure: true - map_ecs_fields: true - - timestamp: - field: winlog.time_created - layouts: - - '2006-01-02T15:04:05Z' - - '2006-01-02T15:04:05.999Z' - - '2006-01-02T15:04:05.999-07:00' - test: - - '2019-06-22T16:33:51Z' - - '2019-11-18T04:59:51.123Z' - - 
'2020-08-03T07:10:20.123456+02:00' - - add_fields: - target: '' - fields: - ecs.version: 1.8.0 diff --git a/packages/system/0.12.1/data_stream/application/agent/stream/winlog.yml.hbs b/packages/system/0.12.1/data_stream/application/agent/stream/winlog.yml.hbs deleted file mode 100755 index e207b9ffd6..0000000000 --- a/packages/system/0.12.1/data_stream/application/agent/stream/winlog.yml.hbs +++ /dev/null @@ -1,3 +0,0 @@ -name: Application -condition: ${host.platform} == 'windows' -ignore_older: 72h \ No newline at end of file diff --git a/packages/system/0.12.1/data_stream/application/elasticsearch/ingest_pipeline/default.yml b/packages/system/0.12.1/data_stream/application/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index d239ad095f..0000000000 --- a/packages/system/0.12.1/data_stream/application/elasticsearch/ingest_pipeline/default.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- - description: Pipeline for Windows Application Event Logs - processors: - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' - on_failure: - - set: - field: "error.message" - value: "{{ _ingest.on_failure_message }}" \ No newline at end of file diff --git a/packages/system/0.12.1/data_stream/application/fields/agent.yml b/packages/system/0.12.1/data_stream/application/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/system/0.12.1/data_stream/application/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.12.1/data_stream/application/fields/base-fields.yml b/packages/system/0.12.1/data_stream/application/fields/base-fields.yml deleted file mode 100755 index 7c798f4534..0000000000 --- a/packages/system/0.12.1/data_stream/application/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.12.1/data_stream/application/fields/ecs.yml b/packages/system/0.12.1/data_stream/application/fields/ecs.yml deleted file mode 100755 index f283f085b0..0000000000 --- a/packages/system/0.12.1/data_stream/application/fields/ecs.yml +++ /dev/null @@ -1,21 +0,0 @@ -- description: Time when the event was first read by an agent or by your pipeline. - example: '2016-05-23T08:05:34.857Z' - name: event.created - type: date -- description: Timestamp when an event arrived in the central data store. - example: '2016-05-23T08:05:35.101Z' - name: event.ingested - type: date -- description: Raw text message of entire event. - example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 - ignore_above: 1024 - name: event.original - type: keyword -- description: Error message. - name: error.message - type: text -- description: Identification code for this event. - example: 4648 - ignore_above: 1024 - name: event.code - type: keyword diff --git a/packages/system/0.12.1/data_stream/application/fields/winlog.yml b/packages/system/0.12.1/data_stream/application/fields/winlog.yml deleted file mode 100755 index adca1bbdd0..0000000000 --- a/packages/system/0.12.1/data_stream/application/fields/winlog.yml +++ /dev/null 
@@ -1,357 +0,0 @@ -- name: winlog - type: group - description: > - All fields specific to the Windows Event Log are defined here. - - fields: - - name: api - required: true - type: keyword - description: > - The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. - - - name: activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. - - - name: computer_name - type: keyword - required: true - description: > - The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. - - - name: event_data - type: object - object_type: keyword - required: false - description: > - The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. - - - name: event_data - type: group - description: > - This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs. 
- - fields: - - name: AuthenticationPackageName - type: keyword - - name: Binary - type: keyword - - name: BitlockerUserInputTime - type: keyword - - name: BootMode - type: keyword - - name: BootType - type: keyword - - name: BuildVersion - type: keyword - - name: Company - type: keyword - - name: CorruptionActionState - type: keyword - - name: CreationUtcTime - type: keyword - - name: Description - type: keyword - - name: Detail - type: keyword - - name: DeviceName - type: keyword - - name: DeviceNameLength - type: keyword - - name: DeviceTime - type: keyword - - name: DeviceVersionMajor - type: keyword - - name: DeviceVersionMinor - type: keyword - - name: DriveName - type: keyword - - name: DriverName - type: keyword - - name: DriverNameLength - type: keyword - - name: DwordVal - type: keyword - - name: EntryCount - type: keyword - - name: ExtraInfo - type: keyword - - name: FailureName - type: keyword - - name: FailureNameLength - type: keyword - - name: FileVersion - type: keyword - - name: FinalStatus - type: keyword - - name: Group - type: keyword - - name: IdleImplementation - type: keyword - - name: IdleStateCount - type: keyword - - name: ImpersonationLevel - type: keyword - - name: IntegrityLevel - type: keyword - - name: IpAddress - type: keyword - - name: IpPort - type: keyword - - name: KeyLength - type: keyword - - name: LastBootGood - type: keyword - - name: LastShutdownGood - type: keyword - - name: LmPackageName - type: keyword - - name: LogonGuid - type: keyword - - name: LogonId - type: keyword - - name: LogonProcessName - type: keyword - - name: LogonType - type: keyword - - name: MajorVersion - type: keyword - - name: MaximumPerformancePercent - type: keyword - - name: MemberName - type: keyword - - name: MemberSid - type: keyword - - name: MinimumPerformancePercent - type: keyword - - name: MinimumThrottlePercent - type: keyword - - name: MinorVersion - type: keyword - - name: NewProcessId - type: keyword - - name: NewProcessName - type: 
keyword - - name: NewSchemeGuid - type: keyword - - name: NewTime - type: keyword - - name: NominalFrequency - type: keyword - - name: Number - type: keyword - - name: OldSchemeGuid - type: keyword - - name: OldTime - type: keyword - - name: OriginalFileName - type: keyword - - name: Path - type: keyword - - name: PerformanceImplementation - type: keyword - - name: PreviousCreationUtcTime - type: keyword - - name: PreviousTime - type: keyword - - name: PrivilegeList - type: keyword - - name: ProcessId - type: keyword - - name: ProcessName - type: keyword - - name: ProcessPath - type: keyword - - name: ProcessPid - type: keyword - - name: Product - type: keyword - - name: PuaCount - type: keyword - - name: PuaPolicyId - type: keyword - - name: QfeVersion - type: keyword - - name: Reason - type: keyword - - name: SchemaVersion - type: keyword - - name: ScriptBlockText - type: keyword - - name: ServiceName - type: keyword - - name: ServiceVersion - type: keyword - - name: ShutdownActionType - type: keyword - - name: ShutdownEventCode - type: keyword - - name: ShutdownReason - type: keyword - - name: Signature - type: keyword - - name: SignatureStatus - type: keyword - - name: Signed - type: keyword - - name: StartTime - type: keyword - - name: State - type: keyword - - name: Status - type: keyword - - name: StopTime - type: keyword - - name: SubjectDomainName - type: keyword - - name: SubjectLogonId - type: keyword - - name: SubjectUserName - type: keyword - - name: SubjectUserSid - type: keyword - - name: TSId - type: keyword - - name: TargetDomainName - type: keyword - - name: TargetInfo - type: keyword - - name: TargetLogonGuid - type: keyword - - name: TargetLogonId - type: keyword - - name: TargetServerName - type: keyword - - name: TargetUserName - type: keyword - - name: TargetUserSid - type: keyword - - name: TerminalSessionId - type: keyword - - name: TokenElevationType - type: keyword - - name: TransmittedServices - type: keyword - - name: UserSid - type: 
keyword - - name: Version - type: keyword - - name: Workstation - type: keyword - - name: param1 - type: keyword - - name: param2 - type: keyword - - name: param3 - type: keyword - - name: param4 - type: keyword - - name: param5 - type: keyword - - name: param6 - type: keyword - - name: param7 - type: keyword - - name: param8 - type: keyword - - name: event_id - type: keyword - required: true - description: > - The event identifier. The value is specific to the source of the event. - - - name: keywords - type: keyword - required: false - description: > - The keywords are used to classify an event. - - - name: channel - type: keyword - required: true - description: > - The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. - - - name: record_id - type: keyword - required: true - description: > - The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. - - - name: related_activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. - - - name: opcode - type: keyword - required: false - description: > - The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. - - - name: provider_guid - type: keyword - required: false - description: > - A globally unique identifier that identifies the provider that logged the event. - - - name: process.pid - type: long - required: false - description: > - The process_id of the Client Server Runtime Process. 
- - - name: provider_name - type: keyword - required: true - description: > - The source of the event log record (the application or service that logged the record). - - - name: task - type: keyword - required: false - description: > - The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. - - - name: process.thread.id - type: long - required: false - - name: user_data - type: object - object_type: keyword - required: false - description: > - The event specific data. This field is mutually exclusive with `event_data`. - - - name: user.identifier - type: keyword - required: false - example: S-1-5-21-3541430928-2051711210-1391384369-1001 - description: > - The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. - - - name: user.name - type: keyword - description: > - Name of the user associated with this event. - - - name: user.domain - type: keyword - required: false - description: > - The domain that the account associated with this event is a member of. - - - name: user.type - type: keyword - required: false - description: > - The type of account associated with this event. - - - name: version - type: long - required: false - description: The version number of the event's definition. diff --git a/packages/system/0.12.1/data_stream/application/manifest.yml b/packages/system/0.12.1/data_stream/application/manifest.yml deleted file mode 100755 index 3d9d689e7a..0000000000 --- a/packages/system/0.12.1/data_stream/application/manifest.yml +++ /dev/null 
@@ -1,34 +0,0 @@ -type: logs -title: Windows Application Events -release: experimental -streams: - - input: winlog - template_path: winlog.yml.hbs - title: Application - description: 'Collect Windows application logs' - - input: httpjson - title: Windows Application Events via Splunk Enterprise REST API - description: Collect Application Events via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: false - required: true - default: "search sourcetype=\"XmlWinEventLog:Application\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded diff --git a/packages/system/0.12.1/data_stream/auth/agent/stream/log.yml.hbs b/packages/system/0.12.1/data_stream/auth/agent/stream/log.yml.hbs deleted file mode 100755 index 09e5d53429..0000000000 --- a/packages/system/0.12.1/data_stream/auth/agent/stream/log.yml.hbs +++ /dev/null @@ -1,14 +0,0 @@ -paths: -{{#each paths as |path i|}} - - {{path}} -{{/each}} -exclude_files: [".gz$"] -multiline: - pattern: "^\\s" - match: after -processors: - - add_locale: ~ - - add_fields: - target: '' - fields: - ecs.version: 1.9.0 diff --git a/packages/system/0.12.1/data_stream/auth/elasticsearch/ingest_pipeline/default.yml b/packages/system/0.12.1/data_stream/auth/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 7e825c58d1..0000000000 --- a/packages/system/0.12.1/data_stream/auth/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,202 +0,0 @@ ---- -description: Pipeline for parsing system authorisation/secure logs -processors: -- set: - field: event.ingested - value: '{{_ingest.timestamp}}' -- grok: - field: message - ignore_missing: true - pattern_definitions: - GREEDYMULTILINE: |- - (.| - )* - TIMESTAMP: (?:%{TIMESTAMP_ISO8601}|%{SYSLOGTIMESTAMP}) - patterns: - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - %{DATA:system.auth.ssh.event} %{DATA:system.auth.ssh.method} for (invalid user - )?%{DATA:user.name} from %{IPORHOST:source.ip} port %{NUMBER:source.port:long} - ssh2(: %{GREEDYDATA:system.auth.ssh.signature})?' - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - %{DATA:system.auth.ssh.event} user %{DATA:user.name} from %{IPORHOST:source.ip}' - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - Did not receive identification string from %{IPORHOST:system.auth.ssh.dropped_ip}' - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - \s*%{DATA:user.name} :( %{DATA:system.auth.sudo.error} ;)? TTY=%{DATA:system.auth.sudo.tty} - ; PWD=%{DATA:system.auth.sudo.pwd} ; USER=%{DATA:system.auth.sudo.user} ; COMMAND=%{GREEDYDATA:system.auth.sudo.command}' - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - new group: name=%{DATA:group.name}, GID=%{NUMBER:group.id}' - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - new user: name=%{DATA:user.name}, UID=%{NUMBER:user.id}, GID=%{NUMBER:group.id}, - home=%{DATA:system.auth.useradd.home}, shell=%{DATA:system.auth.useradd.shell}$' - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname}? 
%{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - %{GREEDYMULTILINE:system.auth.message}' -- remove: - field: message -- rename: - field: system.auth.message - target_field: message - ignore_missing: true - if: ctx?.system?.auth?.message != null && ctx?.system?.auth?.message != "" -- grok: - field: message - ignore_missing: true - ignore_failure: true - patterns: - - 'for user \"?%{DATA:_temp.foruser}\"? by \"?%{DATA:_temp.byuser}\"?(?:\(uid=%{NUMBER:_temp.byuid}\))?$' - - 'for user \"?%{DATA:_temp.foruser}\"?$' - - 'by user \"?%{DATA:_temp.byuser}\"?$' - if: ctx?.message != null && ctx?.message != "" -- rename: - field: _temp.byuser - target_field: user.name - ignore_missing: true - ignore_failure: true -- rename: - field: _temp.byuid - target_field: user.id - ignore_missing: true - ignore_failure: true -- rename: - field: _temp.foruser - target_field: user.name - ignore_missing: true - ignore_failure: true - if: ctx?.user?.name == null || ctx?.user?.name == "" -- rename: - field: _temp.foruser - target_field: user.effective.name - ignore_missing: true - ignore_failure: true - if: ctx?.user?.name != null -- remove: - field: _temp - ignore_missing: true -- convert: - field: system.auth.sudo.user - target_field: user.effective.name - type: string - ignore_failure: true - if: ctx?.system?.auth?.sudo?.user != null -- set: - field: source.ip - value: '{{system.auth.ssh.dropped_ip}}' - ignore_empty_value: true -- date: - if: ctx.event.timezone == null - field: system.auth.timestamp - target_field: '@timestamp' - formats: - - MMM d HH:mm:ss - - MMM dd HH:mm:ss - - ISO8601 - on_failure: - - append: - field: error.message - value: '{{ _ingest.on_failure_message }}' -- date: - if: ctx.event.timezone != null - field: system.auth.timestamp - target_field: '@timestamp' - formats: - - MMM d HH:mm:ss - - MMM dd HH:mm:ss - - ISO8601 - timezone: '{{ event.timezone }}' - on_failure: - - append: - field: error.message - value: '{{ _ingest.on_failure_message }}' -- remove: - 
field: system.auth.timestamp -- geoip: - field: source.ip - target_field: source.geo - ignore_failure: true -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true -- rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true -- rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true -- set: - field: event.kind - value: event -- script: - lang: painless - ignore_failure: true - source: >- - if (ctx.system.auth.ssh.event == "Accepted") { - ctx.event.type = ["authentication_success", "info"]; - ctx.event.category = ["authentication","session"]; - ctx.event.action = "ssh_login"; - ctx.event.outcome = "success"; - } else if (ctx.system.auth.ssh.event == "Invalid" || ctx.system.auth.ssh.event == "Failed") { - ctx.event.type = ["authentication_failure", "info"]; - ctx.event.category = ["authentication"]; - ctx.event.action = "ssh_login"; - ctx.event.outcome = "failure"; - } - -- append: - field: event.category - value: iam - if: "ctx?.process?.name != null && ['groupadd', 'groupdel', 'groupmod', 'useradd', 'userdel', 'usermod'].contains(ctx.process.name)" -- set: - field: event.outcome - value: success - if: "ctx?.process?.name != null && ['groupadd', 'groupdel', 'groupmod', 'useradd', 'userdel', 'usermod'].contains(ctx.process.name)" -- append: - field: event.type - value: user - if: "ctx?.process?.name != null && ['useradd', 'userdel', 'usermod'].contains(ctx.process.name)" -- append: - field: event.type - value: group - if: "ctx?.process?.name != null && ['groupadd', 'groupdel', 'groupmod'].contains(ctx.process.name)" -- append: - field: event.type - value: creation - if: "ctx?.process?.name != null && ['useradd', 'groupadd'].contains(ctx.process.name)" -- append: - field: event.type - value: deletion - if: "ctx?.process?.name != null && ['userdel', 
'groupdel'].contains(ctx.process.name)" -- append: - field: event.type - value: change - if: "ctx?.process?.name != null && ['usermod', 'groupmod'].contains(ctx.process.name)" -- append: - field: related.user - value: "{{user.name}}" - allow_duplicates: false - if: "ctx?.user?.name != null && ctx.user?.name != ''" -- append: - field: related.user - value: "{{user.effective.name}}" - allow_duplicates: false - if: "ctx?.user?.effective?.name != null && ctx.user?.effective?.name != ''" -- append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false - if: "ctx?.source?.ip != null && ctx.source?.ip != ''" -- append: - field: related.hosts - value: "{{host.hostname}}" - allow_duplicates: false - if: "ctx.host?.hostname != null && ctx.host?.hostname != ''" -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/system/0.12.1/data_stream/auth/fields/agent.yml b/packages/system/0.12.1/data_stream/auth/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/system/0.12.1/data_stream/auth/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.12.1/data_stream/auth/fields/base-fields.yml b/packages/system/0.12.1/data_stream/auth/fields/base-fields.yml deleted file mode 100755 index 7c798f4534..0000000000 --- a/packages/system/0.12.1/data_stream/auth/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.12.1/data_stream/auth/fields/ecs.yml b/packages/system/0.12.1/data_stream/auth/fields/ecs.yml deleted file mode 100755 index 1bd77bc20c..0000000000 --- a/packages/system/0.12.1/data_stream/auth/fields/ecs.yml +++ /dev/null 
@@ -1,218 +0,0 @@ -- name: '@timestamp' - level: core - required: true - type: date - description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. -- name: message - level: core - type: text - description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. -- name: group - title: Group - group: 2 - type: group - fields: - - name: id - level: extended - type: keyword - description: Unique identifier for the group on the system/platform. - ignore_above: 1024 - - name: name - level: extended - type: keyword - description: Name of the group. - ignore_above: 1024 -- name: host - title: Host - group: 2 - type: group - fields: - - name: hostname - level: core - type: keyword - description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - ignore_above: 1024 -- name: process - title: Process - group: 2 - type: group - fields: - - name: name - level: extended - type: keyword - description: |- - Process name. - Sometimes called program name or similar. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - - name: pid - level: core - type: long - format: string - description: Process id. -- name: source - title: Source - group: 2 - type: group - fields: - - name: geo.city_name - level: core - type: keyword - description: City name. 
- ignore_above: 1024 - - name: geo.continent_name - level: core - type: keyword - description: Name of the continent. - ignore_above: 1024 - - name: geo.country_iso_code - level: core - type: keyword - description: Country ISO code. - ignore_above: 1024 - - name: geo.location - level: core - type: geo_point - description: Longitude and latitude. - - name: geo.region_iso_code - level: core - type: keyword - description: Region ISO code. - ignore_above: 1024 - - name: geo.region_name - level: core - type: keyword - description: Region name. - ignore_above: 1024 - - name: ip - level: core - type: ip - description: IP address of the source (IPv4 or IPv6). - - name: port - level: core - type: long - format: string - description: Port of the source. -- name: user - title: User - group: 2 - type: group - fields: - - name: id - level: core - type: keyword - description: Unique identifier of the user. - ignore_above: 1024 - - name: name - level: core - type: keyword - description: Short name or login of the user. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - - name: effective.name - level: core - type: keyword - description: Short name or login of the user. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false -- description: "Operating system architecture." - ignore_above: 1024 - name: host.architecture - type: keyword -- description: "Name of the directory the group is a member of." - ignore_above: 1024 - name: host.domain - type: keyword -- description: "Hostname of the host." - ignore_above: 1024 - name: host.hostname - type: keyword -- description: "Unique host id." - ignore_above: 1024 - name: host.id - type: keyword -- description: "Host ip addresses." - name: host.ip - type: ip -- description: "Host mac addresses." - ignore_above: 1024 - name: host.mac - type: keyword -- description: "Name of the host." 
- ignore_above: 1024 - name: host.name - type: keyword -- description: "OS family (such as redhat, debian, freebsd, windows)." - ignore_above: 1024 - name: host.os.family - type: keyword -- description: "Operating system name, including the version or code name." - ignore_above: 1024 - multi_fields: - - name: text - norms: false - type: text - name: host.os.full - type: keyword -- description: "Operating system kernel version as a raw string." - ignore_above: 1024 - name: host.os.kernel - type: keyword -- description: "Operating system name, without the version." - ignore_above: 1024 - multi_fields: - - name: text - norms: false - type: text - name: host.os.name - type: keyword -- description: "Operating system platform (such centos, ubuntu, windows)." - ignore_above: 1024 - name: host.os.platform - type: keyword -- description: "Operating system version as a raw string." - ignore_above: 1024 - name: version - type: keyword -- name: error.message - type: text - description: Error message. -- name: related.ip - type: ip - description: All of the IPs seen on your event. -- name: related.user - type: keyword - description: All the user names seen on your event. -- name: related.hosts - type: keyword - description: All the host names seen on your event. -- name: source.as.number - type: long - description: Unique number allocated to the autonomous system. -- name: source.as.organization.name - type: keyword - description: Organization name. -- name: source.geo.country_name - type: keyword - description: Country name. diff --git a/packages/system/0.12.1/data_stream/auth/fields/fields.yml b/packages/system/0.12.1/data_stream/auth/fields/fields.yml deleted file mode 100755 index 1e7b044f02..0000000000 --- a/packages/system/0.12.1/data_stream/auth/fields/fields.yml +++ /dev/null 
@@ -1,58 +0,0 @@ -- name: system.auth - type: group - fields: - - name: ssh - type: group - fields: - - name: method - type: keyword - description: | - The SSH authentication method. Can be one of "password" or "publickey". - - name: signature - type: keyword - description: | - The signature of the client public key. - - name: dropped_ip - type: ip - description: | - The client IP from SSH connections that are open and immediately dropped. - - name: event - type: keyword - description: | - The SSH event as found in the logs (Accepted, Invalid, Failed, etc.) - - name: geoip - type: group - - name: sudo - type: group - fields: - - name: error - type: keyword - description: | - The error message in case the sudo command failed. - - name: tty - type: keyword - description: | - The TTY where the sudo command is executed. - - name: pwd - type: keyword - description: | - The current directory where the sudo command is executed. - - name: user - type: keyword - description: | - The target user to which the sudo command is switching. - - name: command - type: keyword - description: | - The command executed via sudo. - - name: useradd - type: group - fields: - - name: home - type: keyword - description: The home folder for the new user. - - name: shell - type: keyword - description: The default shell for the new user. - - name: groupadd - type: group diff --git a/packages/system/0.12.1/data_stream/auth/manifest.yml b/packages/system/0.12.1/data_stream/auth/manifest.yml deleted file mode 100755 index 428764ece1..0000000000 --- a/packages/system/0.12.1/data_stream/auth/manifest.yml +++ /dev/null @@ -1,18 +0,0 @@ -title: System auth logs -release: experimental -type: logs -streams: - - input: logfile - vars: - - name: paths - type: text - title: Paths - multi: true - required: true - show_user: true - default: - - /var/log/auth.log* - - /var/log/secure* - template_path: log.yml.hbs - title: System auth logs (log) - description: Collect System auth logs using log input 
diff --git a/packages/system/0.12.1/data_stream/core/agent/stream/stream.yml.hbs b/packages/system/0.12.1/data_stream/core/agent/stream/stream.yml.hbs deleted file mode 100755 index 38d25572bd..0000000000 --- a/packages/system/0.12.1/data_stream/core/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,5 +0,0 @@ -metricsets: ["core"] -core.metrics: -{{#each core.metrics}} - - {{this}} -{{/each}} diff --git a/packages/system/0.12.1/data_stream/core/fields/agent.yml b/packages/system/0.12.1/data_stream/core/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/system/0.12.1/data_stream/core/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.12.1/data_stream/core/fields/base-fields.yml b/packages/system/0.12.1/data_stream/core/fields/base-fields.yml deleted file mode 100755 index 7c798f4534..0000000000 --- a/packages/system/0.12.1/data_stream/core/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.12.1/data_stream/core/fields/ecs.yml b/packages/system/0.12.1/data_stream/core/fields/ecs.yml deleted file mode 100755 index e76a78fa1d..0000000000 --- a/packages/system/0.12.1/data_stream/core/fields/ecs.yml +++ /dev/null 
@@ -1,71 +0,0 @@ -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. 
- example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: Type of host. diff --git a/packages/system/0.12.1/data_stream/core/fields/fields.yml b/packages/system/0.12.1/data_stream/core/fields/fields.yml deleted file mode 100755 index dab186321f..0000000000 --- a/packages/system/0.12.1/data_stream/core/fields/fields.yml +++ /dev/null 
@@ -1,103 +0,0 @@ -- name: system.core - type: group - fields: - - name: id - type: keyword - description: | - CPU Core number. - - name: user.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in user space. - - name: user.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent in user space. - - name: system.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in kernel space. - - name: system.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent in kernel space. - - name: nice.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent on low-priority processes. - - name: nice.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent on low-priority processes. - - name: idle.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent idle. - - name: idle.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent idle. - - name: iowait.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in wait (on disk). - - name: iowait.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent in wait (on disk). - - name: irq.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent servicing and handling hardware interrupts. - - name: irq.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent servicing and handling hardware interrupts. 
- - name: softirq.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent servicing and handling software interrupts. - - name: softirq.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent servicing and handling software interrupts. - - name: steal.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. - - name: steal.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. diff --git a/packages/system/0.12.1/data_stream/core/manifest.yml b/packages/system/0.12.1/data_stream/core/manifest.yml deleted file mode 100755 index f7e0e5a825..0000000000 --- a/packages/system/0.12.1/data_stream/core/manifest.yml +++ /dev/null @@ -1,27 +0,0 @@ -title: System core metrics -release: experimental -type: metrics -streams: - - input: system/metrics - enabled: false - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - - name: core.metrics - type: text - title: Core Metrics - multi: true - required: true - show_user: true - description: > - How to report core metrics. Can be "percentages" or "ticks" - - default: - - percentages - title: System core metrics - description: Collect System core metrics diff --git a/packages/system/0.12.1/data_stream/cpu/agent/stream/stream.yml.hbs b/packages/system/0.12.1/data_stream/cpu/agent/stream/stream.yml.hbs deleted file mode 100755 index cd0de8d3d9..0000000000 --- a/packages/system/0.12.1/data_stream/cpu/agent/stream/stream.yml.hbs +++ /dev/null 
@@ -1,6 +0,0 @@ -metricsets: ["cpu"] -cpu.metrics: -{{#each cpu.metrics}} - - {{this}} -{{/each}} -period: {{period}} \ No newline at end of file diff --git a/packages/system/0.12.1/data_stream/cpu/fields/agent.yml b/packages/system/0.12.1/data_stream/cpu/fields/agent.yml deleted file mode 100755 index 3643534982..0000000000 --- a/packages/system/0.12.1/data_stream/cpu/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - - - name: cpu.pct - type: scaled_float - format: percent - description: > - Percent CPU used. 
This value is normalized by the number of CPU cores and it ranges from 0 to 1. - diff --git a/packages/system/0.12.1/data_stream/cpu/fields/base-fields.yml b/packages/system/0.12.1/data_stream/cpu/fields/base-fields.yml deleted file mode 100755 index 7c798f4534..0000000000 --- a/packages/system/0.12.1/data_stream/cpu/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.12.1/data_stream/cpu/fields/ecs.yml b/packages/system/0.12.1/data_stream/cpu/fields/ecs.yml deleted file mode 100755 index e76a78fa1d..0000000000 --- a/packages/system/0.12.1/data_stream/cpu/fields/ecs.yml +++ /dev/null 
@@ -1,71 +0,0 @@ -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. 
- example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: Type of host. diff --git a/packages/system/0.12.1/data_stream/cpu/fields/fields.yml b/packages/system/0.12.1/data_stream/cpu/fields/fields.yml deleted file mode 100755 index 9efed64c2d..0000000000 --- a/packages/system/0.12.1/data_stream/cpu/fields/fields.yml +++ /dev/null 
@@ -1,182 +0,0 @@ -- name: system.cpu - type: group - fields: - - name: cores - type: long - metric_type: gauge - description: | - The number of CPU cores present on the host. The non-normalized percentages will have a maximum value of `100% * cores`. The normalized percentages already take this value into account and have a maximum value of 100%. - - name: user.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in user space. On multi-core systems, you can have percentages that are greater than 100%. For example, if 3 cores are at 60% use, then the `system.cpu.user.pct` will be 180%. - - name: system.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in kernel space. - - name: nice.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent on low-priority processes. - - name: idle.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent idle. - - name: iowait.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in wait (on disk). - - name: irq.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent servicing and handling hardware interrupts. - - name: softirq.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent servicing and handling software interrupts. - - name: steal.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. 
- - name: total.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in states other than Idle and IOWait. - - name: user.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in user space. - - name: system.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in kernel space. - - name: nice.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent on low-priority processes. - - name: idle.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent idle. - - name: iowait.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in wait (on disk). - - name: irq.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent servicing and handling hardware interrupts. - - name: softirq.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent servicing and handling software interrupts. - - name: steal.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. - - name: total.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time in states other than Idle and IOWait, normalised by the number of cores. 
- - name: user.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent in user space. - - name: system.ticks - type: long - description: | - The amount of CPU time spent in kernel space. - - name: nice.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent on low-priority processes. - - name: idle.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent idle. - - name: iowait.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent in wait (on disk). - - name: irq.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent servicing and handling hardware interrupts. - - name: softirq.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent servicing and handling software interrupts. - - name: steal.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. -- name: host - type: group - fields: - - name: cpu.pct - type: scaled_float - unit: percent - metric_type: gauge - description: | - Percent CPU used. This value is normalized by the number of CPU cores and it ranges from 0 to 1. diff --git a/packages/system/0.12.1/data_stream/cpu/manifest.yml b/packages/system/0.12.1/data_stream/cpu/manifest.yml deleted file mode 100755 index 0388136d11..0000000000 --- a/packages/system/0.12.1/data_stream/cpu/manifest.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -title: System cpu metrics -release: experimental -type: metrics -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - - name: cpu.metrics - type: text - title: Cpu Metrics - multi: true - required: true - show_user: true - description: > - How to report CPU metrics. Can be "percentages", "normalized_percentages", or "ticks" - - default: - - percentages - - normalized_percentages - title: System cpu metrics - description: Collect System cpu metrics diff --git a/packages/system/0.12.1/data_stream/diskio/agent/stream/stream.yml.hbs b/packages/system/0.12.1/data_stream/diskio/agent/stream/stream.yml.hbs deleted file mode 100755 index 689369ee25..0000000000 --- a/packages/system/0.12.1/data_stream/diskio/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,6 +0,0 @@ -metricsets: ["diskio"] -diskio.include_devices: -{{#each diskio.include_devices}} - - {{this}} -{{/each}} -period: {{period}} \ No newline at end of file diff --git a/packages/system/0.12.1/data_stream/diskio/fields/agent.yml b/packages/system/0.12.1/data_stream/diskio/fields/agent.yml deleted file mode 100755 index 54d97ab701..0000000000 --- a/packages/system/0.12.1/data_stream/diskio/fields/agent.yml +++ /dev/null 
@@ -1,209 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- - - name: disk.read.bytes - type: long - format: bytes - description: > - The total number of bytes read successfully in a given period of time. - - - name: disk.write.bytes - type: long - format: bytes - description: >- - The total number of bytes write successfully in a given period of time. diff --git a/packages/system/0.12.1/data_stream/diskio/fields/base-fields.yml b/packages/system/0.12.1/data_stream/diskio/fields/base-fields.yml deleted file mode 100755 index 7c798f4534..0000000000 --- a/packages/system/0.12.1/data_stream/diskio/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.12.1/data_stream/diskio/fields/ecs.yml b/packages/system/0.12.1/data_stream/diskio/fields/ecs.yml deleted file mode 100755 index 9a7eeefc56..0000000000 --- a/packages/system/0.12.1/data_stream/diskio/fields/ecs.yml +++ /dev/null 
@@ -1,78 +0,0 @@ -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: hostname - level: core - type: keyword - description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - ignore_above: 1024 - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). 
- example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: Type of host. diff --git a/packages/system/0.12.1/data_stream/diskio/fields/fields.yml b/packages/system/0.12.1/data_stream/diskio/fields/fields.yml deleted file mode 100755 index 01a5762c60..0000000000 --- a/packages/system/0.12.1/data_stream/diskio/fields/fields.yml +++ /dev/null 
@@ -1,136 +0,0 @@ -- name: system.diskio - type: group - fields: - - name: name - type: keyword - description: | - The disk name. - - name: serial_number - type: keyword - description: | - The disk's serial number. This may not be provided by all operating systems. - - name: read.count - type: long - metric_type: counter - description: | - The total number of reads completed successfully. - - name: write.count - type: long - metric_type: counter - description: | - The total number of writes completed successfully. - - name: read.bytes - type: long - format: bytes - unit: byte - metric_type: counter - description: | - The total number of bytes read successfully. On Linux this is the number of sectors read multiplied by an assumed sector size of 512. - - name: write.bytes - type: long - format: bytes - unit: byte - metric_type: counter - description: | - The total number of bytes written successfully. On Linux this is the number of sectors written multiplied by an assumed sector size of 512. - - name: read.time - type: long - metric_type: counter - description: | - The total number of milliseconds spent by all reads. - - name: write.time - type: long - metric_type: counter - description: | - The total number of milliseconds spent by all writes. - - name: io.time - type: long - metric_type: counter - description: | - The total number of of milliseconds spent doing I/Os. - - name: iostat.read.request.merges_per_sec - type: float - metric_type: gauge - description: | - The number of read requests merged per second that were queued to the device. - - name: iostat.write.request.merges_per_sec - type: float - metric_type: gauge - description: | - The number of write requests merged per second that were queued to the device. 
- - name: iostat.read.request.per_sec - type: float - metric_type: gauge - description: | - The number of read requests that were issued to the device per second - - name: iostat.write.request.per_sec - type: float - metric_type: gauge - description: | - The number of write requests that were issued to the device per second - - name: iostat.read.per_sec.bytes - type: float - format: bytes - metric_type: gauge - description: | - The number of Bytes read from the device per second. - - name: iostat.read.await - type: float - metric_type: gauge - description: | - The average time spent for read requests issued to the device to be served. - - name: iostat.write.per_sec.bytes - type: float - format: bytes - metric_type: gauge - description: | - The number of Bytes write from the device per second. - - name: iostat.write.await - type: float - metric_type: gauge - description: | - The average time spent for write requests issued to the device to be served. - - name: iostat.request.avg_size - type: float - format: bytes - unit: byte - metric_type: gauge - description: | - The average size (in bytes) of the requests that were issued to the device. - - name: iostat.queue.avg_size - type: float - unit: byte - metric_type: gauge - description: | - The average queue length of the requests that were issued to the device. - - name: iostat.await - type: float - metric_type: gauge - description: | - The average time spent for requests issued to the device to be served. - - name: iostat.service_time - type: float - unit: ms - metric_type: gauge - description: | - The average service time (in milliseconds) for I/O requests that were issued to the device. - - name: iostat.busy - type: float - metric_type: gauge - description: | - Percentage of CPU time during which I/O requests were issued to the device (bandwidth utilization for the device). Device saturation occurs when this value is close to 100%. 
-- name: host - type: group - fields: - - name: disk.read.bytes - type: scaled_float - unit: byte - metric_type: gauge - description: | - The total number of bytes read successfully in a given period of time. - - name: disk.write.bytes - type: scaled_float - unit: byte - metric_type: gauge - description: | - The total number of bytes write successfully in a given period of time. diff --git a/packages/system/0.12.1/data_stream/diskio/manifest.yml b/packages/system/0.12.1/data_stream/diskio/manifest.yml deleted file mode 100755 index 320f708bef..0000000000 --- a/packages/system/0.12.1/data_stream/diskio/manifest.yml +++ /dev/null @@ -1,24 +0,0 @@ -title: System diskio metrics -release: experimental -type: metrics -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - - name: diskio.include_devices - type: text - title: Include Devices - multi: true - required: false - show_user: true - description: > - Provide a specific list of devices to monitor. By default, all devices are monitored. - - title: System diskio metrics - description: Collect System diskio metrics diff --git a/packages/system/0.12.1/data_stream/filesystem/agent/stream/stream.yml.hbs b/packages/system/0.12.1/data_stream/filesystem/agent/stream/stream.yml.hbs deleted file mode 100755 index d21fbd9919..0000000000 --- a/packages/system/0.12.1/data_stream/filesystem/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,3 +0,0 @@ -metricsets: ["filesystem"] -period: {{period}} -processors: {{processors}} diff --git a/packages/system/0.12.1/data_stream/filesystem/fields/agent.yml b/packages/system/0.12.1/data_stream/filesystem/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/system/0.12.1/data_stream/filesystem/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.12.1/data_stream/filesystem/fields/base-fields.yml b/packages/system/0.12.1/data_stream/filesystem/fields/base-fields.yml deleted file mode 100755 index 7c798f4534..0000000000 --- a/packages/system/0.12.1/data_stream/filesystem/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.12.1/data_stream/filesystem/fields/fields.yml b/packages/system/0.12.1/data_stream/filesystem/fields/fields.yml deleted file mode 100755 index d7b44199a8..0000000000 --- a/packages/system/0.12.1/data_stream/filesystem/fields/fields.yml +++ /dev/null 
@@ -1,60 +0,0 @@ -- name: system.filesystem - type: group - fields: - - name: available - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The disk space available to an unprivileged user in bytes. - - name: device_name - type: keyword - description: | - The disk name. For example: `/dev/disk1` - - name: type - type: keyword - description: | - The disk type. For example: `ext4` - - name: mount_point - type: keyword - description: | - The mounting point. For example: `/` - - name: files - type: long - metric_type: gauge - description: | - The total number of file nodes in the file system. - - name: free - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The disk space available in bytes. - - name: free_files - type: long - metric_type: gauge - description: | - The number of free file nodes in the file system. - - name: total - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The total disk space in bytes. - - name: used.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The used disk space in bytes. - - name: used.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of used disk space. diff --git a/packages/system/0.12.1/data_stream/filesystem/manifest.yml b/packages/system/0.12.1/data_stream/filesystem/manifest.yml deleted file mode 100755 index 2cc3f159a7..0000000000 --- a/packages/system/0.12.1/data_stream/filesystem/manifest.yml +++ /dev/null 
@@ -1,28 +0,0 @@ -title: System filesystem metrics -release: experimental -type: metrics -streams: - - input: system/metrics - enabled: true - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 1m - - name: processors - type: yaml - title: Processors - multi: false - required: true - show_user: true - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with external metadata. - - default: | - - drop_event.when.regexp: - system.filesystem.mount_point: ^/(sys|cgroup|proc|dev|etc|host|lib|snap)($|/) - title: System filesystem metrics - description: Collect System filesystem metrics diff --git a/packages/system/0.12.1/data_stream/fsstat/agent/stream/stream.yml.hbs b/packages/system/0.12.1/data_stream/fsstat/agent/stream/stream.yml.hbs deleted file mode 100755 index fc5ebe911d..0000000000 --- a/packages/system/0.12.1/data_stream/fsstat/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,3 +0,0 @@ -metricsets: ["fsstat"] -period: {{period}} -processors: {{processors}} diff --git a/packages/system/0.12.1/data_stream/fsstat/fields/agent.yml b/packages/system/0.12.1/data_stream/fsstat/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/system/0.12.1/data_stream/fsstat/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.12.1/data_stream/fsstat/fields/base-fields.yml b/packages/system/0.12.1/data_stream/fsstat/fields/base-fields.yml deleted file mode 100755 index 7c798f4534..0000000000 --- a/packages/system/0.12.1/data_stream/fsstat/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.12.1/data_stream/fsstat/fields/ecs.yml b/packages/system/0.12.1/data_stream/fsstat/fields/ecs.yml deleted file mode 100755 index e76a78fa1d..0000000000 --- a/packages/system/0.12.1/data_stream/fsstat/fields/ecs.yml +++ /dev/null 
@@ -1,71 +0,0 @@ -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. 
- example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: Type of host. diff --git a/packages/system/0.12.1/data_stream/fsstat/fields/fields.yml b/packages/system/0.12.1/data_stream/fsstat/fields/fields.yml deleted file mode 100755 index aab998a85d..0000000000 --- a/packages/system/0.12.1/data_stream/fsstat/fields/fields.yml +++ /dev/null @@ -1,38 +0,0 @@ -- name: system.fsstat - type: group - fields: - - name: count - type: long - metric_type: gauge - description: Number of file systems found. - - name: total_files - type: long - metric_type: gauge - description: Total number of files. - - name: total_size - type: group - format: bytes - unit: byte - metric_type: gauge - fields: - - name: free - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total free space. - - name: used - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total used space. - - name: total - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total space (used plus free). diff --git a/packages/system/0.12.1/data_stream/fsstat/manifest.yml b/packages/system/0.12.1/data_stream/fsstat/manifest.yml deleted file mode 100755 index 8e63d20df1..0000000000 --- a/packages/system/0.12.1/data_stream/fsstat/manifest.yml +++ /dev/null 
@@ -1,28 +0,0 @@ -title: System fsstat metrics -release: experimental -type: metrics -streams: - - input: system/metrics - enabled: true - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 1m - - name: processors - type: yaml - title: Processors - multi: false - required: true - show_user: true - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with external metadata. - - default: | - - drop_event.when.regexp: - system.fsstat.mount_point: ^/(sys|cgroup|proc|dev|etc|host|lib|snap)($|/) - title: System fsstat metrics - description: Collect System fsstat metrics diff --git a/packages/system/0.12.1/data_stream/load/agent/stream/stream.yml.hbs b/packages/system/0.12.1/data_stream/load/agent/stream/stream.yml.hbs deleted file mode 100755 index b1403687c4..0000000000 --- a/packages/system/0.12.1/data_stream/load/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,3 +0,0 @@ -metricsets: ["load"] -condition: ${host.platform} != 'windows' -period: {{period}} \ No newline at end of file diff --git a/packages/system/0.12.1/data_stream/load/fields/agent.yml b/packages/system/0.12.1/data_stream/load/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/system/0.12.1/data_stream/load/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.12.1/data_stream/load/fields/base-fields.yml b/packages/system/0.12.1/data_stream/load/fields/base-fields.yml deleted file mode 100755 index 7c798f4534..0000000000 --- a/packages/system/0.12.1/data_stream/load/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.12.1/data_stream/load/fields/ecs.yml b/packages/system/0.12.1/data_stream/load/fields/ecs.yml deleted file mode 100755 index e76a78fa1d..0000000000 --- a/packages/system/0.12.1/data_stream/load/fields/ecs.yml +++ /dev/null 
@@ -1,71 +0,0 @@ -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. 
- example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: Type of host. diff --git a/packages/system/0.12.1/data_stream/load/fields/fields.yml b/packages/system/0.12.1/data_stream/load/fields/fields.yml deleted file mode 100755 index ae0130faef..0000000000 --- a/packages/system/0.12.1/data_stream/load/fields/fields.yml +++ /dev/null @@ -1,38 +0,0 @@ -- name: system.load - type: group - fields: - - name: "1" - type: scaled_float - metric_type: gauge - description: | - Load average for the last minute. - - name: "5" - type: scaled_float - metric_type: gauge - description: | - Load average for the last 5 minutes. - - name: "15" - type: scaled_float - metric_type: gauge - description: | - Load average for the last 15 minutes. - - name: norm.1 - type: scaled_float - metric_type: gauge - description: | - Load for the last minute divided by the number of cores. - - name: norm.5 - type: scaled_float - metric_type: gauge - description: | - Load for the last 5 minutes divided by the number of cores. - - name: norm.15 - type: scaled_float - metric_type: gauge - description: | - Load for the last 15 minutes divided by the number of cores. - - name: cores - type: long - metric_type: gauge - description: | - The number of CPU cores present on the host. diff --git a/packages/system/0.12.1/data_stream/load/manifest.yml b/packages/system/0.12.1/data_stream/load/manifest.yml deleted file mode 100755 index 486e57b779..0000000000 --- a/packages/system/0.12.1/data_stream/load/manifest.yml +++ /dev/null @@ -1,15 +0,0 @@ -title: System load metrics -release: experimental -type: metrics -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - title: System load metrics - description: Collect System load metrics 
diff --git a/packages/system/0.12.1/data_stream/memory/agent/stream/stream.yml.hbs b/packages/system/0.12.1/data_stream/memory/agent/stream/stream.yml.hbs deleted file mode 100755 index 0d49de061f..0000000000 --- a/packages/system/0.12.1/data_stream/memory/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,2 +0,0 @@ -metricsets: ["memory"] -period: {{period}} \ No newline at end of file diff --git a/packages/system/0.12.1/data_stream/memory/fields/agent.yml b/packages/system/0.12.1/data_stream/memory/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/system/0.12.1/data_stream/memory/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.12.1/data_stream/memory/fields/base-fields.yml b/packages/system/0.12.1/data_stream/memory/fields/base-fields.yml deleted file mode 100755 index 7c798f4534..0000000000 --- a/packages/system/0.12.1/data_stream/memory/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.12.1/data_stream/memory/fields/ecs.yml b/packages/system/0.12.1/data_stream/memory/fields/ecs.yml deleted file mode 100755 index e76a78fa1d..0000000000 --- a/packages/system/0.12.1/data_stream/memory/fields/ecs.yml +++ /dev/null 
@@ -1,71 +0,0 @@ -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. 
- example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: Type of host. diff --git a/packages/system/0.12.1/data_stream/memory/fields/fields.yml b/packages/system/0.12.1/data_stream/memory/fields/fields.yml deleted file mode 100755 index 55488d61eb..0000000000 --- a/packages/system/0.12.1/data_stream/memory/fields/fields.yml +++ /dev/null 
@@ -1,199 +0,0 @@
-- name: system.memory
- type: group
- fields:
- - name: total
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Total memory.
- - name: used.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Used memory.
- - name: free
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- The total amount of free memory in bytes. This value does not include memory consumed by system caches and buffers (see system.memory.actual.free).
- - name: used.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of used memory.
- - name: actual
- type: group
- fields:
- - name: used.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Actual used memory in bytes. It represents the difference between the total and the available memory. The available memory depends on the OS. For more details, please check `system.actual.free`.
- - name: free
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Actual free memory in bytes. It is calculated based on the OS. On Linux this value will be MemAvailable from /proc/meminfo, or calculated from free memory plus caches and buffers if /proc/meminfo is not available. On OSX it is a sum of free memory and the inactive memory. On Windows, it is equal to `system.memory.free`.
- - name: used.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of actual used memory.
- - name: swap
- type: group
- fields:
- - name: total
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Total swap memory.
- - name: used.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Used swap memory.
- - name: free
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Available swap memory.
- - name: out.pages
- type: long
- metric_type: counter
- description: count of pages swapped out
- - name: in.pages
- type: long
- metric_type: gauge
- description: count of pages swapped in
- - name: readahead.pages
- type: long
- metric_type: counter
- description: swap readahead pages
- - name: readahead.cached
- type: long
- description: swap readahead cache hits
- - name: used.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of used swap memory.
- - name: page_stats
- type: group
- fields:
- - name: pgscan_kswapd.pages
- type: long
- format: number
- metric_type: counter
- description: pages scanned by kswapd
- - name: pgscan_direct.pages
- type: long
- format: number
- metric_type: counter
- description: pages scanned directly
- - name: pgfree.pages
- type: long
- format: number
- metric_type: counter
- description: pages freed by the system
- - name: pgsteal_kswapd.pages
- type: long
- format: number
- metric_type: counter
- description: number of pages reclaimed by kswapd
- - name: pgsteal_direct.pages
- type: long
- format: number
- metric_type: counter
- description: number of pages reclaimed directly
- - name: direct_efficiency.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: direct reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory.
- - name: kswapd_efficiency.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: kswapd reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory.
- - name: hugepages
- type: group
- fields:
- - name: total
- type: long
- format: number
- metric_type: gauge
- description: |
- Number of huge pages in the pool.
- - name: used.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Memory used in allocated huge pages.
- - name: used.pct
- type: long
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- Percentage of huge pages used.
- - name: free
- type: long
- format: number
- metric_type: gauge
- description: |
- Number of available huge pages in the pool.
- - name: reserved
- type: long
- format: number
- metric_type: gauge
- description: |
- Number of reserved but not allocated huge pages in the pool.
- - name: surplus
- type: long
- format: number
- metric_type: gauge
- description: |
- Number of overcommited huge pages.
- - name: default_size
- type: long
- format: bytes
- metric_type: gauge
- description: |
- Default size for huge pages.
- - name: swap.out
- type: group
- fields:
- - name: pages
- type: long
- metric_type: gauge
- description: pages swapped out
- - name: fallback
- type: long
- metric_type: gauge
- description: Count of huge pages that must be split before swapout
diff --git a/packages/system/0.12.1/data_stream/memory/manifest.yml b/packages/system/0.12.1/data_stream/memory/manifest.yml
deleted file mode 100755
index aeb17b0bd0..0000000000
--- a/packages/system/0.12.1/data_stream/memory/manifest.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-title: System memory metrics
-release: experimental
-type: metrics
-streams:
- - input: system/metrics
- vars:
- - name: period
- type: text
- title: Period
- multi: false
- required: true
- show_user: true
- default: 10s
- title: System memory metrics
- description: Collect System memory metrics
diff --git a/packages/system/0.12.1/data_stream/network/agent/stream/stream.yml.hbs b/packages/system/0.12.1/data_stream/network/agent/stream/stream.yml.hbs
deleted file mode 100755
index a3aeb928ae..0000000000
--- a/packages/system/0.12.1/data_stream/network/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,6 +0,0 @@
-metricsets: ["network"]
-period: {{period}}
-network.interfaces:
-{{#each network.interfaces}}
- - {{this}}
-{{/each}}
diff --git a/packages/system/0.12.1/data_stream/network/fields/agent.yml b/packages/system/0.12.1/data_stream/network/fields/agent.yml
deleted file mode 100755
index e5afe01139..0000000000
--- a/packages/system/0.12.1/data_stream/network/fields/agent.yml
+++ /dev/null
@@ -1,220 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
- - name: network.in.bytes
- type: long
- format: bytes
- description: >
- The number of bytes received on all network interfaces by the host in a given period of time.
-
- - name: network.in.packets
- type: long
- description: >
- The number of packets received on all network interfaces by the host in a given period of time.
-
- - name: network.out.bytes
- type: long
- format: bytes
- description: >
- The number of bytes sent out on all network interfaces by the host in a given period of time.
-
- - name: network.out.packets
- type: long
- description: >
- The number of packets sent out on all network interfaces by the host in a given period of time.
-
diff --git a/packages/system/0.12.1/data_stream/network/fields/base-fields.yml b/packages/system/0.12.1/data_stream/network/fields/base-fields.yml
deleted file mode 100755
index 7c798f4534..0000000000
--- a/packages/system/0.12.1/data_stream/network/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.12.1/data_stream/network/fields/ecs.yml b/packages/system/0.12.1/data_stream/network/fields/ecs.yml
deleted file mode 100755
index 9f3d04118b..0000000000
--- a/packages/system/0.12.1/data_stream/network/fields/ecs.yml
+++ /dev/null
@@ -1,128 +0,0 @@
-- name: '@timestamp'
- level: core
- required: true
- type: date
- description: |-
- Date/time when the event originated.
- This is the date/time extracted from the event, typically representing when the event was generated by the source.
- If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline.
- Required field for all events.
-- name: message
- level: core
- type: text
- description: |-
- For log events the message field contains the log message, optimized for viewing in a log viewer.
- For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
- If multiple messages exist, they can be combined into one message.
-- name: group
- title: Group
- group: 2
- type: group
- fields:
- - name: id
- level: extended
- type: keyword
- description: Unique identifier for the group on the system/platform.
- ignore_above: 1024
- - name: name
- level: extended
- type: keyword
- description: Name of the group.
- ignore_above: 1024
-- name: host
- title: Host
- group: 2
- type: group
- fields:
- - name: hostname
- level: core
- type: keyword
- description: |-
- Hostname of the host.
- It normally contains what the `hostname` command returns on the host machine.
- ignore_above: 1024
-- name: process
- title: Process
- group: 2
- type: group
- fields:
- - name: name
- level: extended
- type: keyword
- description: |-
- Process name.
- Sometimes called program name or similar.
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- - name: pid
- level: core
- type: long
- format: string
- description: Process id.
-- name: source
- title: Source
- group: 2
- type: group
- fields:
- - name: geo.city_name
- level: core
- type: keyword
- description: City name.
- ignore_above: 1024
- - name: geo.continent_name
- level: core
- type: keyword
- description: Name of the continent.
- ignore_above: 1024
- - name: geo.country_iso_code
- level: core
- type: keyword
- description: Country ISO code.
- ignore_above: 1024
- - name: geo.location
- level: core
- type: geo_point
- description: Longitude and latitude.
- - name: geo.region_iso_code
- level: core
- type: keyword
- description: Region ISO code.
- ignore_above: 1024
- - name: geo.region_name
- level: core
- type: keyword
- description: Region name.
- ignore_above: 1024
- - name: ip
- level: core
- type: ip
- description: IP address of the source (IPv4 or IPv6).
- - name: port
- level: core
- type: long
- format: string
- description: Port of the source.
-- name: user
- title: User
- group: 2
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- description: Unique identifier of the user.
- ignore_above: 1024
- - name: name
- level: core
- type: keyword
- description: Short name or login of the user.
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
diff --git a/packages/system/0.12.1/data_stream/network/fields/fields.yml b/packages/system/0.12.1/data_stream/network/fields/fields.yml
deleted file mode 100755
index a309d88ba0..0000000000
--- a/packages/system/0.12.1/data_stream/network/fields/fields.yml
+++ /dev/null
@@ -1,77 +0,0 @@
-- name: system.network
- type: group
- fields:
- - name: name
- type: keyword
- description: |
- The network interface name.
- - name: out.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: counter
- description: |
- The number of bytes sent.
- - name: in.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: counter
- description: |
- The number of bytes received.
- - name: out.packets
- type: long
- metric_type: counter
- description: |
- The number of packets sent.
- - name: in.packets
- type: long
- metric_type: counter
- description: |
- The number or packets received.
- - name: in.errors
- type: long
- metric_type: counter
- description: |
- The number of errors while receiving.
- - name: out.errors
- type: long
- metric_type: counter
- description: |
- The number of errors while sending.
- - name: in.dropped
- type: long
- metric_type: counter
- description: |
- The number of incoming packets that were dropped.
- - name: out.dropped
- type: long
- metric_type: counter
- description: |
- The number of outgoing packets that were dropped. This value is always 0 on Darwin and BSD because it is not reported by the operating system.
-- name: host
- type: group
- fields:
- - name: network.in.bytes
- type: scaled_float
- format: bytes
- unit: byte
- metric_type: counter
- description: |
- The number of bytes received on all network interfaces by the host in a given period of time.
- - name: network.out.bytes
- type: scaled_float
- unit: byte
- metric_type: counter
- description: |
- The number of bytes sent out on all network interfaces by the host in a given period of time.
- - name: network.in.packets
- type: scaled_float
- metric_type: counter
- description: |
- The number of packets received on all network interfaces by the host in a given period of time.
- - name: network.out.packets
- type: scaled_float
- metric_type: counter
- description: |
- The number of packets sent out on all network interfaces by the host in a given period of time.
diff --git a/packages/system/0.12.1/data_stream/network/manifest.yml b/packages/system/0.12.1/data_stream/network/manifest.yml
deleted file mode 100755
index b9878b3e64..0000000000
--- a/packages/system/0.12.1/data_stream/network/manifest.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-title: System network metrics
-release: experimental
-type: metrics
-streams:
- - input: system/metrics
- vars:
- - name: period
- type: text
- title: Period
- multi: false
- required: true
- show_user: true
- default: 10s
- - name: network.interfaces
- type: text
- title: Interfaces
- multi: true
- required: false
- show_user: true
- description: >
- List of interfaces to monitor. Will monitor all by default.
-
- title: System network metrics
- description: Collect System network metrics
diff --git a/packages/system/0.12.1/data_stream/process/agent/stream/stream.yml.hbs b/packages/system/0.12.1/data_stream/process/agent/stream/stream.yml.hbs
deleted file mode 100755
index ea51aa86f4..0000000000
--- a/packages/system/0.12.1/data_stream/process/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,19 +0,0 @@
-metricsets: ["process"]
-period: {{period}}
-process.include_top_n.by_cpu: {{process.include_top_n.by_cpu}}
-process.include_top_n.by_memory: {{process.include_top_n.by_memory}}
-process.cmdline.cache.enabled: {{process.cmdline.cache.enabled}}
-process.cgroups.enabled: {{process.cgroups.enabled}}
-process.include_cpu_ticks: {{process.include_cpu_ticks}}
-{{#if process.env.whitelist}}
-{{#each process.env.whitelist}}
- - {{this}}
-{{/each}}
-{{/if}}
-processes:
-{{#each processes}}
- - {{this}}
-{{/each}}
-{{#if system.hostfs}}
-system.hostfs: {{system.hostfs}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/system/0.12.1/data_stream/process/fields/agent.yml b/packages/system/0.12.1/data_stream/process/fields/agent.yml
deleted file mode 100755
index d5df59895a..0000000000
--- a/packages/system/0.12.1/data_stream/process/fields/agent.yml
+++ /dev/null
@@ -1,226 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
-- name: process
- title: Process
- group: 2
- description: Process metrics.
- type: group
- fields:
- - name: state
- type: keyword
- description: >
- The process state. For example: "running".
-
- - name: cpu.pct
- type: scaled_float
- format: percent
- description: >
- The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 1.
-
- - name: cpu.start_time
- type: date
- description: >
- The time when the process was started.
-
- - name: memory.pct
- type: scaled_float
- format: percent
- description: >
- The percentage of memory the process occupied in main memory (RAM).
-
diff --git a/packages/system/0.12.1/data_stream/process/fields/base-fields.yml b/packages/system/0.12.1/data_stream/process/fields/base-fields.yml
deleted file mode 100755
index 7c798f4534..0000000000
--- a/packages/system/0.12.1/data_stream/process/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.12.1/data_stream/process/fields/ecs.yml b/packages/system/0.12.1/data_stream/process/fields/ecs.yml
deleted file mode 100755
index 7e409c1793..0000000000
--- a/packages/system/0.12.1/data_stream/process/fields/ecs.yml
+++ /dev/null
@@ -1,128 +0,0 @@
-- name: process
- title: Process
- group: 2
- type: group
- fields:
- - name: name
- level: extended
- type: keyword
- description: |-
- Process name.
- Sometimes called program name or similar.
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- - name: pgid
- level: extended
- type: long
- format: string
- description: Identifier of the group of processes the process belongs to.
- - name: pid
- level: core
- type: long
- format: string
- description: Process id.
- - name: ppid
- level: extended
- type: long
- format: string
- description: Parent process' pid.
- - name: working_directory
- level: extended
- type: keyword
- description: The working directory of the process.
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
-- name: user
- title: User
- group: 2
- type: group
- fields:
- - name: name
- level: core
- type: keyword
- description: Short name or login of the user.
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: ip
- level: core
- type: ip
- description: Host ip address.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac address.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.full
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system name, including the version or code name.
- example: Mac OS Mojave
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: Type of host.
diff --git a/packages/system/0.12.1/data_stream/process/fields/fields.yml b/packages/system/0.12.1/data_stream/process/fields/fields.yml
deleted file mode 100755
index 4dc7b1aab2..0000000000
--- a/packages/system/0.12.1/data_stream/process/fields/fields.yml
+++ /dev/null
@@ -1,434 +0,0 @@ -- name: system.process - type: group - fields: - - name: state - type: keyword - description: | - The process state. For example: "running". - - name: cmdline - type: keyword - description: | - The full command-line used to start the process, including the arguments separated by space. - ignore_above: 2048 - - name: env - type: object - description: | - The environment variables used to start the process. The data is available on FreeBSD, Linux, and OS X. - - name: cpu - type: group - fields: - - name: user.ticks - type: long - metric_type: counter - description: | - The amount of CPU time the process spent in user space. - - name: total.value - type: long - metric_type: counter - description: | - The value of CPU usage since starting the process. - - name: total.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent by the process since the last update. Its value is similar to the %CPU value of the process displayed by the top command on Unix systems. - - name: total.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 100%. - - name: system.ticks - type: long - metric_type: counter - description: | - The amount of CPU time the process spent in kernel space. - - name: total.ticks - type: long - metric_type: counter - description: | - The total CPU time spent by the process. - - name: start_time - type: date - description: | - The time when the process was started. - - name: memory - type: group - fields: - - name: size - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The total virtual memory the process has. 
On Windows this represents the Commit Charge (the total amount of memory that the memory manager has committed for a running process) value in bytes for this process. - - name: rss.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The Resident Set Size. The amount of memory the process occupied in main memory (RAM). On Windows this represents the current working set size, in bytes. - - name: rss.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of memory the process occupied in main memory (RAM). - - name: share - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The shared memory the process uses. - - name: fd - type: group - fields: - - name: open - type: long - metric_type: gauge - description: The number of file descriptors open by the process. - - name: limit.soft - type: long - metric_type: gauge - description: | - The soft limit on the number of file descriptors opened by the process. The soft limit can be changed by the process at any time. - - name: limit.hard - type: long - metric_type: gauge - description: | - The hard limit on the number of file descriptors opened by the process. The hard limit can only be raised by root. - - name: cgroup - type: group - fields: - - name: id - type: keyword - description: | - The ID common to all cgroups associated with this task. If there isn't a common ID used by all cgroups this field will be absent. - - name: path - type: keyword - description: | - The path to the cgroup relative to the cgroup subsystem's mountpoint. If there isn't a common path used by all cgroups this field will be absent. - - name: cpu - type: group - fields: - - name: id - type: keyword - description: ID of the cgroup. - - name: path - type: keyword - description: | - Path to the cgroup relative to the cgroup subsystem's mountpoint. 
- - name: cfs.period.us - type: long - unit: micros - description: | - Period of time in microseconds for how regularly a cgroup's access to CPU resources should be reallocated. - - name: cfs.quota.us - type: long - unit: micros - description: | - Total amount of time in microseconds for which all tasks in a cgroup can run during one period (as defined by cfs.period.us). - - name: cfs.shares - type: long - description: | - An integer value that specifies a relative share of CPU time available to the tasks in a cgroup. The value specified in the cpu.shares file must be 2 or higher. - - name: rt.period.us - type: long - unit: micros - description: | - Period of time in microseconds for how regularly a cgroup's access to CPU resources is reallocated. - - name: rt.runtime.us - type: long - unit: micros - description: | - Period of time in microseconds for the longest continuous period in which the tasks in a cgroup have access to CPU resources. - - name: stats.periods - type: long - metric_type: counter - description: | - Number of period intervals (as specified in cpu.cfs.period.us) that have elapsed. - - name: stats.throttled.periods - type: long - metric_type: counter - description: | - Number of times tasks in a cgroup have been throttled (that is, not allowed to run because they have exhausted all of the available time as specified by their quota). - - name: stats.throttled.ns - type: long - metric_type: counter - unit: nanos - description: | - The total time duration (in nanoseconds) for which tasks in a cgroup have been throttled. - - name: cpuacct - type: group - fields: - - name: id - type: keyword - description: ID of the cgroup. - - name: path - type: keyword - description: | - Path to the cgroup relative to the cgroup subsystem's mountpoint. - - name: total.ns - type: long - metric_type: counter - unit: nanos - description: | - Total CPU time in nanoseconds consumed by all tasks in the cgroup. 
- - name: stats.user.ns - type: long - metric_type: counter - unit: nanos - description: CPU time consumed by tasks in user mode. - - name: stats.system.ns - type: long - metric_type: counter - unit: nanos - description: CPU time consumed by tasks in user (kernel) mode. - - name: percpu - type: object - description: | - CPU time (in nanoseconds) consumed on each CPU by all tasks in this cgroup. - - name: memory - type: group - fields: - - name: id - type: keyword - description: ID of the cgroup. - - name: path - type: keyword - description: | - Path to the cgroup relative to the cgroup subsystem's mountpoint. - - name: mem.usage.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total memory usage by processes in the cgroup (in bytes). - - name: mem.usage.max.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum memory used by processes in the cgroup (in bytes). - - name: mem.limit.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum amount of user memory in bytes (including file cache) that tasks in the cgroup are allowed to use. - - name: mem.failures - type: long - description: | - The number of times that the memory limit (mem.limit.bytes) was reached. - - name: memsw.usage.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The sum of current memory usage plus swap space used by processes in the cgroup (in bytes). - - name: memsw.usage.max.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum amount of memory and swap space used by processes in the cgroup (in bytes). - - name: memsw.limit.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum amount for the sum of memory and swap usage that tasks in the cgroup are allowed to use. 
- - name: memsw.failures - type: long - unit: byte - metric_type: gauge - description: | - The number of times that the memory plus swap space limit (memsw.limit.bytes) was reached. - - name: kmem.usage.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total kernel memory usage by processes in the cgroup (in bytes). - - name: kmem.usage.max.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum kernel memory used by processes in the cgroup (in bytes). - - name: kmem.limit.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum amount of kernel memory that tasks in the cgroup are allowed to use. - - name: kmem.failures - type: long - metric_type: counter - description: | - The number of times that the memory limit (kmem.limit.bytes) was reached. - - name: kmem_tcp.usage.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total memory usage for TCP buffers in bytes. - - name: kmem_tcp.usage.max.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum memory used for TCP buffers by processes in the cgroup (in bytes). - - name: kmem_tcp.limit.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum amount of memory for TCP buffers that tasks in the cgroup are allowed to use. - - name: kmem_tcp.failures - type: long - metric_type: counter - description: | - The number of times that the memory limit (kmem_tcp.limit.bytes) was reached. - - name: stats.active_anon.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Anonymous and swap cache on active least-recently-used (LRU) list, including tmpfs (shmem), in bytes. - - name: stats.active_file.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: File-backed memory on active LRU list, in bytes. 
- - name: stats.cache.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: Page cache, including tmpfs (shmem), in bytes. - - name: stats.hierarchical_memory_limit.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Memory limit for the hierarchy that contains the memory cgroup, in bytes. - - name: stats.hierarchical_memsw_limit.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Memory plus swap limit for the hierarchy that contains the memory cgroup, in bytes. - - name: stats.inactive_anon.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Anonymous and swap cache on inactive LRU list, including tmpfs (shmem), in bytes - - name: stats.inactive_file.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - File-backed memory on inactive LRU list, in bytes. - - name: stats.mapped_file.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Size of memory-mapped mapped files, including tmpfs (shmem), in bytes. - - name: stats.page_faults - type: long - metric_type: counter - description: | - Number of times that a process in the cgroup triggered a page fault. - - name: stats.major_page_faults - type: long - metric_type: counter - description: | - Number of times that a process in the cgroup triggered a major fault. "Major" faults happen when the kernel actually has to read the data from disk. - - name: stats.pages_in - type: long - metric_type: counter - description: | - Number of pages paged into memory. This is a counter. - - name: stats.pages_out - type: long - metric_type: counter - description: | - Number of pages paged out of memory. This is a counter. - - name: stats.rss.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Anonymous and swap cache (includes transparent hugepages), not including tmpfs (shmem), in bytes. 
- - name: stats.rss_huge.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Number of bytes of anonymous transparent hugepages. - - name: stats.swap.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Swap usage, in bytes. - - name: stats.unevictable.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Memory that cannot be reclaimed, in bytes. - - name: blkio - type: group - fields: - - name: id - type: keyword - description: ID of the cgroup. - - name: path - type: keyword - description: | - Path to the cgroup relative to the cgroup subsystems mountpoint. - - name: total.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total number of bytes transferred to and from all block devices by processes in the cgroup. - - name: total.ios - type: long - metric_type: counter - description: | - Total number of I/O operations performed on all devices by processes in the cgroup as seen by the throttling policy. diff --git a/packages/system/0.12.1/data_stream/process/manifest.yml b/packages/system/0.12.1/data_stream/process/manifest.yml deleted file mode 100755 index fd982eb931..0000000000 --- a/packages/system/0.12.1/data_stream/process/manifest.yml +++ /dev/null 
@@ -1,85 +0,0 @@ -title: System process metrics -release: experimental -type: metrics -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - - name: process.include_top_n.by_cpu - type: integer - title: Process Include Top N By Cpu - multi: false - required: true - show_user: true - default: 5 - description: > - Include the top N processes by CPU usage. - - - name: process.include_top_n.by_memory - type: integer - title: Process Include Top N By Memory - multi: false - required: true - show_user: true - default: 5 - description: > - Include the top N processes by memory usage. - - - name: process.cmdline.cache.enabled - type: bool - title: Enable cmdline cache - multi: false - required: false - show_user: true - default: true - description: > - If false, cmdline of a process is not cached. - - - name: process.cgroups.enabled - type: bool - title: Enable cgroup reporting - multi: false - required: false - show_user: true - default: false - description: > - Enable collection of cgroup metrics from processes on Linux. - - - name: process.env.whitelist - type: text - title: Env whitelist - multi: true - required: false - show_user: true - description: > - A list of regular expressions used to whitelist environment variables reported with the process metricset's events. Defaults to empty. - - - name: process.include_cpu_ticks - type: bool - title: Include CPU Ticks - multi: false - required: false - show_user: true - default: false - description: > - Include the cumulative CPU tick values with the process metrics. - - - name: processes - type: text - title: Processes - multi: true - required: true - show_user: true - description: > - A glob to match reported processes. By default all processes are reported. - - default: - - .* - title: System process metrics - description: Collect System process metrics 
diff --git a/packages/system/0.12.1/data_stream/process_summary/agent/stream/stream.yml.hbs b/packages/system/0.12.1/data_stream/process_summary/agent/stream/stream.yml.hbs deleted file mode 100755 index 298d89ea60..0000000000 --- a/packages/system/0.12.1/data_stream/process_summary/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,5 +0,0 @@ -metricsets: ["process_summary"] -period: {{period}} -{{#if system.hostfs}} -system.hostfs: {{system.hostfs}} -{{/if}} \ No newline at end of file diff --git a/packages/system/0.12.1/data_stream/process_summary/fields/agent.yml b/packages/system/0.12.1/data_stream/process_summary/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/system/0.12.1/data_stream/process_summary/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.12.1/data_stream/process_summary/fields/base-fields.yml b/packages/system/0.12.1/data_stream/process_summary/fields/base-fields.yml deleted file mode 100755 index 7c798f4534..0000000000 --- a/packages/system/0.12.1/data_stream/process_summary/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.12.1/data_stream/process_summary/fields/ecs.yml b/packages/system/0.12.1/data_stream/process_summary/fields/ecs.yml deleted file mode 100755 index 9f3d04118b..0000000000 --- a/packages/system/0.12.1/data_stream/process_summary/fields/ecs.yml +++ /dev/null 
@@ -1,128 +0,0 @@ -- name: '@timestamp' - level: core - required: true - type: date - description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. -- name: message - level: core - type: text - description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. -- name: group - title: Group - group: 2 - type: group - fields: - - name: id - level: extended - type: keyword - description: Unique identifier for the group on the system/platform. - ignore_above: 1024 - - name: name - level: extended - type: keyword - description: Name of the group. - ignore_above: 1024 -- name: host - title: Host - group: 2 - type: group - fields: - - name: hostname - level: core - type: keyword - description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - ignore_above: 1024 -- name: process - title: Process - group: 2 - type: group - fields: - - name: name - level: extended - type: keyword - description: |- - Process name. - Sometimes called program name or similar. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - - name: pid - level: core - type: long - format: string - description: Process id. -- name: source - title: Source - group: 2 - type: group - fields: - - name: geo.city_name - level: core - type: keyword - description: City name. 
- ignore_above: 1024 - - name: geo.continent_name - level: core - type: keyword - description: Name of the continent. - ignore_above: 1024 - - name: geo.country_iso_code - level: core - type: keyword - description: Country ISO code. - ignore_above: 1024 - - name: geo.location - level: core - type: geo_point - description: Longitude and latitude. - - name: geo.region_iso_code - level: core - type: keyword - description: Region ISO code. - ignore_above: 1024 - - name: geo.region_name - level: core - type: keyword - description: Region name. - ignore_above: 1024 - - name: ip - level: core - type: ip - description: IP address of the source (IPv4 or IPv6). - - name: port - level: core - type: long - format: string - description: Port of the source. -- name: user - title: User - group: 2 - type: group - fields: - - name: id - level: core - type: keyword - description: Unique identifier of the user. - ignore_above: 1024 - - name: name - level: core - type: keyword - description: Short name or login of the user. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false diff --git a/packages/system/0.12.1/data_stream/process_summary/fields/fields.yml b/packages/system/0.12.1/data_stream/process_summary/fields/fields.yml deleted file mode 100755 index bc9254a2ae..0000000000 --- a/packages/system/0.12.1/data_stream/process_summary/fields/fields.yml +++ /dev/null 
@@ -1,44 +0,0 @@ -- name: system.process.summary - title: Process Summary - type: group - fields: - - name: total - type: long - metric_type: gauge - description: | - Total number of processes on this host. - - name: running - type: long - metric_type: gauge - description: | - Number of running processes on this host. - - name: idle - type: long - metric_type: gauge - description: | - Number of idle processes on this host. - - name: sleeping - type: long - metric_type: gauge - description: | - Number of sleeping processes on this host. - - name: stopped - type: long - metric_type: gauge - description: | - Number of stopped processes on this host. - - name: zombie - type: long - metric_type: gauge - description: | - Number of zombie processes on this host. - - name: dead - type: long - metric_type: gauge - description: | - Number of dead processes on this host. It's very unlikely that it will appear but in some special situations it may happen. - - name: unknown - type: long - metric_type: gauge - description: | - Number of processes for which the state couldn't be retrieved or is unknown. diff --git a/packages/system/0.12.1/data_stream/process_summary/manifest.yml b/packages/system/0.12.1/data_stream/process_summary/manifest.yml deleted file mode 100755 index cd89d30b94..0000000000 --- a/packages/system/0.12.1/data_stream/process_summary/manifest.yml +++ /dev/null @@ -1,15 +0,0 @@ -title: System process_summary metrics -release: experimental -type: metrics -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - title: System process_summary metrics - description: Collect System process_summary metrics diff --git a/packages/system/0.12.1/data_stream/security/agent/stream/httpjson.yml.hbs b/packages/system/0.12.1/data_stream/security/agent/stream/httpjson.yml.hbs deleted file mode 100755 index c115d769b3..0000000000 
--- a/packages/system/0.12.1/data_stream/security/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,2620 +0,0 @@ -config_version: "2" -interval: {{interval}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: |- - {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -response.decode_as: application/x-ndjson -tags: -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains tags "forwarded"}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: - - decode_json_fields: - fields: message - target: json - add_error_key: true - - drop_event: - when: - not: - has_fields: ['json.result'] - - fingerprint: - fields: - - json.result._cd - - json.result._indextime - - json.result._raw - - json.result._time - - json.result.host - - json.result.source - target_field: "@metadata._id" - - drop_fields: - fields: message - - rename: - fields: - - from: json.result._raw - to: event.original - - from: json.result.host - to: host.name - - from: json.result.source - to: event.provider - ignore_missing: true - fail_on_error: false - - drop_fields: - fields: json - - decode_xml_wineventlog: - field: event.original - target_field: winlog - ignore_missing: true - ignore_failure: true - map_ecs_fields: true - - timestamp: - field: winlog.time_created - layouts: - - '2006-01-02T15:04:05Z' - - '2006-01-02T15:04:05.999Z' - - '2006-01-02T15:04:05.999-07:00' - test: - - '2019-06-22T16:33:51Z' - - '2019-11-18T04:59:51.123Z' - - 
'2020-08-03T07:10:20.123456+02:00' - - add_fields: - target: '' - fields: - ecs.version: 1.8.0 - - script: - lang: javascript - id: security - source: |- - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - var security = (function () { - var path = require("path"); - var processor = require("processor"); - var windows = require("windows"); - // Logon Types - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events - var logonTypes = { - "2": "Interactive", - "3": "Network", - "4": "Batch", - "5": "Service", - "7": "Unlock", - "8": "NetworkCleartext", - "9": "NewCredentials", - "10": "RemoteInteractive", - "11": "CachedInteractive", - }; - // User Account Control Attributes Table - // https://support.microsoft.com/es-us/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties - var uacFlags = [ - [0x0001, 'SCRIPT'], - [0x0002, 'ACCOUNTDISABLE'], - [0x0008, 'HOMEDIR_REQUIRED'], - [0x0010, 'LOCKOUT'], - [0x0020, 'PASSWD_NOTREQD'], - [0x0040, 'PASSWD_CANT_CHANGE'], - [0x0080, 'ENCRYPTED_TEXT_PWD_ALLOWED'], - [0x0100, 'TEMP_DUPLICATE_ACCOUNT'], - [0x0200, 'NORMAL_ACCOUNT'], - [0x0800, 'INTERDOMAIN_TRUST_ACCOUNT'], - [0x1000, 'WORKSTATION_TRUST_ACCOUNT'], - [0x2000, 'SERVER_TRUST_ACCOUNT'], - [0x10000, 'DONT_EXPIRE_PASSWORD'], - [0x20000, 'MNS_LOGON_ACCOUNT'], - [0x40000, 'SMARTCARD_REQUIRED'], - [0x80000, 'TRUSTED_FOR_DELEGATION'], - [0x100000, 'NOT_DELEGATED'], - [0x200000, 'USE_DES_KEY_ONLY'], - [0x400000, 'DONT_REQ_PREAUTH'], - [0x800000, 'PASSWORD_EXPIRED'], - [0x1000000, 'TRUSTED_TO_AUTH_FOR_DELEGATION'], - [0x04000000, 'PARTIAL_SECRETS_ACCOUNT'], - ]; - // Kerberos TGT and TGS Ticket Options - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - // 
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769 - var ticketOptions = [ - "Reserved", - "Forwardable", - "Forwarded", - "Proxiable", - "Proxy", - "Allow-postdate", - "Postdated", - "Invalid", - "Renewable", - "Initial", - "Pre-authent", - "Opt-hardware-auth", - "Transited-policy-checked", - "Ok-as-delegate", - "Request-anonymous", - "Name-canonicalize", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Disable-transited-check", - "Renewable-ok", - "Enc-tkt-in-skey", - "Unused", - "Renew", - "Validate"]; - // Kerberos Encryption Types - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - var ticketEncryptionTypes = { - "0x1": "DES-CBC-CRC", - "0x3": "DES-CBC-MD5", - "0x11": "AES128-CTS-HMAC-SHA1-96", - "0x12": "AES256-CTS-HMAC-SHA1-96", - "0x17": "RC4-HMAC", - "0x18": "RC4-HMAC-EXP", - "0xffffffff": "FAIL", - }; - // Kerberos Result Status Codes - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - var kerberosTktStatusCodes = { - "0x0": "KDC_ERR_NONE", - "0x1": "KDC_ERR_NAME_EXP", - "0x2": "KDC_ERR_SERVICE_EXP", - "0x3": "KDC_ERR_BAD_PVNO", - "0x4": "KDC_ERR_C_OLD_MAST_KVNO", - "0x5": "KDC_ERR_S_OLD_MAST_KVNO", - "0x6": "KDC_ERR_C_PRINCIPAL_UNKNOWN", - "0x7": "KDC_ERR_S_PRINCIPAL_UNKNOWN", - "0x8": "KDC_ERR_PRINCIPAL_NOT_UNIQUE", - "0x9": "KDC_ERR_NULL_KEY", - "0xA": "KDC_ERR_CANNOT_POSTDATE", - "0xB": "KDC_ERR_NEVER_VALID", - "0xC": "KDC_ERR_POLICY", - "0xD": "KDC_ERR_BADOPTION", - "0xE": "KDC_ERR_ETYPE_NOTSUPP", - "0xF": "KDC_ERR_SUMTYPE_NOSUPP", - "0x10": "KDC_ERR_PADATA_TYPE_NOSUPP", - "0x11": "KDC_ERR_TRTYPE_NO_SUPP", - "0x12": "KDC_ERR_CLIENT_REVOKED", - "0x13": 
"KDC_ERR_SERVICE_REVOKED", - "0x14": "KDC_ERR_TGT_REVOKED", - "0x15": "KDC_ERR_CLIENT_NOTYET", - "0x16": "KDC_ERR_SERVICE_NOTYET", - "0x17": "KDC_ERR_KEY_EXPIRED", - "0x18": "KDC_ERR_PREAUTH_FAILED", - "0x19": "KDC_ERR_PREAUTH_REQUIRED", - "0x1A": "KDC_ERR_SERVER_NOMATCH", - "0x1B": "KDC_ERR_MUST_USE_USER2USER", - "0x1F": "KRB_AP_ERR_BAD_INTEGRITY", - "0x20": "KRB_AP_ERR_TKT_EXPIRED", - "0x21": "KRB_AP_ERR_TKT_NYV", - "0x22": "KRB_AP_ERR_REPEAT", - "0x23": "KRB_AP_ERR_NOT_US", - "0x24": "KRB_AP_ERR_BADMATCH", - "0x25": "KRB_AP_ERR_SKEW", - "0x26": "KRB_AP_ERR_BADADDR", - "0x27": "KRB_AP_ERR_BADVERSION", - "0x28": "KRB_AP_ERR_MSG_TYPE", - "0x29": "KRB_AP_ERR_MODIFIED", - "0x2A": "KRB_AP_ERR_BADORDER", - "0x2C": "KRB_AP_ERR_BADKEYVER", - "0x2D": "KRB_AP_ERR_NOKEY", - "0x2E": "KRB_AP_ERR_MUT_FAIL", - "0x2F": "KRB_AP_ERR_BADDIRECTION", - "0x30": "KRB_AP_ERR_METHOD", - "0x31": "KRB_AP_ERR_BADSEQ", - "0x32": "KRB_AP_ERR_INAPP_CKSUM", - "0x33": "KRB_AP_PATH_NOT_ACCEPTED", - "0x34": "KRB_ERR_RESPONSE_TOO_BIG", - "0x3C": "KRB_ERR_GENERIC", - "0x3D": "KRB_ERR_FIELD_TOOLONG", - "0x3E": "KDC_ERR_CLIENT_NOT_TRUSTED", - "0x3F": "KDC_ERR_KDC_NOT_TRUSTED", - "0x40": "KDC_ERR_INVALID_SIG", - "0x41": "KDC_ERR_KEY_TOO_WEAK", - "0x42": "KRB_AP_ERR_USER_TO_USER_REQUIRED", - "0x43": "KRB_AP_ERR_NO_TGT", - "0x44": "KDC_ERR_WRONG_REALM", - }; - // event.category, event.type, event.action - var eventActionTypes = { - "1100": [["process"], ["end"], "logging-service-shutdown"], - "1102": [["iam"], ["admin", "change"], "audit-log-cleared"], // need to recategorize - "1104": [["iam"], ["admin"],"logging-full"], - "1105": [["iam"], ["admin"],"auditlog-archieved"], - "1108": [["iam"], ["admin"],"logging-processing-error"], - "4610": [["configuration"], ["access"], "authentication-package-loaded"], - "4611": [["configuration"], ["change"], "trusted-logon-process-registered"], - "4614": [["configuration"], ["access"], "notification-package-loaded"], - "4616": [["configuration"], ["change"], 
"system-time-changed"], - "4622": [["configuration"], ["access"], "security-package-loaded"], - "4624": [["authentication"], ["start"], "logged-in"], - "4625": [["authentication"], ["start"], "logon-failed"], - "4634": [["authentication"], ["end"], "logged-out"], - "4647": [["authentication"], ["end"], "logged-out"], - "4648": [["authentication"], ["start"], "logged-in-explicit"], - "4657": [["registry", "configuration"], ["change"], "registry-value-modified"], - "4670": [["iam", "configuration"],["admin", "change"],"permissions-changed"], - "4672": [["iam"], ["admin"], "logged-in-special"], - "4673": [["iam"], ["admin"], "privileged-service-called"], - "4674": [["iam"], ["admin"], "privileged-operation"], - "4688": [["process"], ["start"], "created-process"], - "4689": [["process"], ["end"], "exited-process"], - "4697": [["iam", "configuration"], ["admin", "change"],"service-installed"], // remove iam and admin - "4698": [["iam", "configuration"], ["creation", "admin"], "scheduled-task-created"], // remove iam and admin - "4699": [["iam", "configuration"], ["deletion", "admin"], "scheduled-task-deleted"], // remove iam and admin - "4700": [["iam", "configuration"], ["change", "admin"], "scheduled-task-enabled"], // remove iam and admin - "4701": [["iam", "configuration"], ["change", "admin"], "scheduled-task-disabled"], // remove iam and admin - "4702": [["iam", "configuration"], ["change", "admin"], "scheduled-task-updated"], // remove iam and admin - "4706": [["configuration"], ["creation"], "domain-trust-added"], - "4707": [["configuration"], ["deletion"], "domain-trust-removed"], - "4713": [["configuration"], ["change"], "kerberos-policy-changed"], - "4714": [["configuration"], ["change"], "encrypted-data-recovery-policy-changed"], - "4715": [["configuration"], ["change"], "object-audit-policy-changed"], - "4716": [["configuration"], ["change"], "trusted-domain-information-changed"], - "4717": [["iam", "configuration"],["admin", 
"change"],"system-security-access-granted"], - "4718": [["iam", "configuration"],["admin", "deletion"],"system-security-access-removed"], - "4719": [["iam", "configuration"], ["admin", "change"], "changed-audit-config"], // remove iam and admin - "4720": [["iam"], ["user", "creation"], "added-user-account"], - "4722": [["iam"], ["user", "change"], "enabled-user-account"], - "4723": [["iam"], ["user", "change"], "changed-password"], - "4724": [["iam"], ["user", "change"], "reset-password"], - "4725": [["iam"], ["user", "deletion"], "disabled-user-account"], - "4726": [["iam"], ["user", "deletion"], "deleted-user-account"], - "4727": [["iam"], ["group", "creation"], "added-group-account"], - "4728": [["iam"], ["group", "change"], "added-member-to-group"], - "4729": [["iam"], ["group", "change"], "removed-member-from-group"], - "4730": [["iam"], ["group", "deletion"], "deleted-group-account"], - "4731": [["iam"], ["group", "creation"], "added-group-account"], - "4732": [["iam"], ["group", "change"], "added-member-to-group"], - "4733": [["iam"], ["group", "change"], "removed-member-from-group"], - "4734": [["iam"], ["group", "deletion"], "deleted-group-account"], - "4735": [["iam"], ["group", "change"], "modified-group-account"], - "4737": [["iam"], ["group", "change"], "modified-group-account"], - "4738": [["iam"], ["user", "change"], "modified-user-account"], - "4739": [["configuration"], ["change"], "domain-policy-changed"], - "4740": [["iam"], ["user", "change"], "locked-out-user-account"], - "4741": [["iam"], ["creation", "admin"], "added-computer-account"], // remove admin - "4742": [["iam"], ["change", "admin"], "changed-computer-account"], // remove admin - "4743": [["iam"], ["deletion", "admin"], "deleted-computer-account"], // remove admin - "4744": [["iam"], ["group", "creation"], "added-distribution-group-account"], - "4745": [["iam"], ["group", "change"], "changed-distribution-group-account"], - "4746": [["iam"], ["group", "change"], 
"added-member-to-distribution-group"], - "4747": [["iam"], ["group", "change"], "removed-member-from-distribution-group"], - "4748": [["iam"], ["group", "deletion"], "deleted-distribution-group-account"], - "4749": [["iam"], ["group", "creation"], "added-distribution-group-account"], - "4750": [["iam"], ["group", "change"], "changed-distribution-group-account"], - "4751": [["iam"], ["group", "change"], "added-member-to-distribution-group"], - "4752": [["iam"], ["group", "change"], "removed-member-from-distribution-group"], - "4753": [["iam"], ["group", "deletion"], "deleted-distribution-group-account"], - "4754": [["iam"], ["group", "creation"], "added-group-account"], - "4755": [["iam"], ["group", "change"], "modified-group-account"], - "4756": [["iam"], ["group", "change"], "added-member-to-group"], - "4757": [["iam"], ["group", "change"], "removed-member-from-group"], - "4758": [["iam"], ["group", "deletion"], "deleted-group-account"], - "4759": [["iam"], ["group", "creation"], "added-distribution-group-account"], - "4760": [["iam"], ["group", "change"], "changed-distribution-group-account"], - "4761": [["iam"], ["group", "change"], "added-member-to-distribution-group"], - "4762": [["iam"], ["group", "change"], "removed-member-from-distribution-group"], - "4763": [["iam"], ["group", "deletion"], "deleted-distribution-group-account"], - "4764": [["iam"], ["group", "change"], "type-changed-group-account"], - "4767": [["iam"], ["user", "change"], "unlocked-user-account"], - "4768": [["authentication"], ["start"], "kerberos-authentication-ticket-requested"], - "4769": [["authentication"], ["start"], "kerberos-service-ticket-requested"], - "4770": [["authentication"], ["start"], "kerberos-service-ticket-renewed"], - "4771": [["authentication"], ["start"], "kerberos-preauth-failed"], - "4776": [["authentication"], ["start"], "credential-validated"], - "4778": [["authentication", "session"], ["start"], "session-reconnected"], - "4779": [["authentication", "session"], 
["end"], "session-disconnected"], - "4781": [["iam"], ["user", "change"], "renamed-user-account"], - "4798": [["iam"], ["user", "info"], "group-membership-enumerated"], // process enumerates the local groups to which the specified user belongs - "4799": [["iam"], ["group", "info"], "user-member-enumerated"], // a process enumerates the members of the specified local group - "4817": [["iam", "configuration"], ["admin", "change"],"object-audit-changed"], - "4902": [["iam", "configuration"], ["admin", "creation"],"user-audit-policy-created"], - "4904": [["iam", "configuration"], ["admin", "change"],"security-event-source-added"], - "4905": [["iam", "configuration"], ["admin", "deletion"], "security-event-source-removed"], - "4906": [["iam", "configuration"], ["admin", "change"], "crash-on-audit-changed"], - "4907": [["iam", "configuration"], ["admin", "change"], "audit-setting-changed"], - "4908": [["iam", "configuration"], ["admin", "change"], "special-group-table-changed"], - "4912": [["iam", "configuration"], ["admin", "change"], "per-user-audit-policy-changed"], - "4950": [["configuration"], ["change"], "windows-firewall-setting-changed"], - "4954": [["configuration"], ["change"], "windows-firewall-group-policy-changed"], - "4964": [["iam"], ["admin", "group"], "logged-in-special"], - "5024": [["process"], ["start"], "windows-firewall-service-started"], - "5025": [["process"], ["end"], "windows-firewall-service-stopped"], - "5033": [["driver"], ["start"], "windows-firewall-driver-started"], - "5034": [["driver"], ["end"], "windows-firewall-driver-stopped"], - "5037": [["driver"], ["end"], "windows-firewall-driver-error"], - }; - // Services Types - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697 - var serviceTypes = { - "0x1": "Kernel Driver", - "0x2": "File System Driver", - "0x8": "Recognizer Driver", - "0x10": "Win32 Own Process", - "0x20": "Win32 Share Process", - "0x110": "Interactive Own Process", - "0x120": 
"Interactive Share Process", - }; - // Audit Categories Description - // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpac/77878370-0712-47cd-997d-b07053429f6d - var auditDescription = { - "0CCE9210-69AE-11D9-BED3-505054503030":["Security State Change", "System"], - "0CCE9211-69AE-11D9-BED3-505054503030":["Security System Extension", "System"], - "0CCE9212-69AE-11D9-BED3-505054503030":["System Integrity", "System"], - "0CCE9213-69AE-11D9-BED3-505054503030":["IPsec Driver", "System"], - "0CCE9214-69AE-11D9-BED3-505054503030":["Other System Events", "System"], - "0CCE9215-69AE-11D9-BED3-505054503030":["Logon", "Logon/Logoff"], - "0CCE9216-69AE-11D9-BED3-505054503030":["Logoff","Logon/Logoff"], - "0CCE9217-69AE-11D9-BED3-505054503030":["Account Lockout","Logon/Logoff"], - "0CCE9218-69AE-11D9-BED3-505054503030":["IPsec Main Mode","Logon/Logoff"], - "0CCE9219-69AE-11D9-BED3-505054503030":["IPsec Quick Mode","Logon/Logoff"], - "0CCE921A-69AE-11D9-BED3-505054503030":["IPsec Extended Mode","Logon/Logoff"], - "0CCE921B-69AE-11D9-BED3-505054503030":["Special Logon","Logon/Logoff"], - "0CCE921C-69AE-11D9-BED3-505054503030":["Other Logon/Logoff Events","Logon/Logoff"], - "0CCE9243-69AE-11D9-BED3-505054503030":["Network Policy Server","Logon/Logoff"], - "0CCE9247-69AE-11D9-BED3-505054503030":["User / Device Claims","Logon/Logoff"], - "0CCE921D-69AE-11D9-BED3-505054503030":["File System","Object Access"], - "0CCE921E-69AE-11D9-BED3-505054503030":["Registry","Object Access"], - "0CCE921F-69AE-11D9-BED3-505054503030":["Kernel Object","Object Access"], - "0CCE9220-69AE-11D9-BED3-505054503030":["SAM","Object Access"], - "0CCE9221-69AE-11D9-BED3-505054503030":["Certification Services","Object Access"], - "0CCE9222-69AE-11D9-BED3-505054503030":["Application Generated","Object Access"], - "0CCE9223-69AE-11D9-BED3-505054503030":["Handle Manipulation","Object Access"], - "0CCE9224-69AE-11D9-BED3-505054503030":["File Share","Object Access"], - 
"0CCE9225-69AE-11D9-BED3-505054503030":["Filtering Platform Packet Drop","Object Access"], - "0CCE9226-69AE-11D9-BED3-505054503030":["Filtering Platform Connection ","Object Access"], - "0CCE9227-69AE-11D9-BED3-505054503030":["Other Object Access Events","Object Access"], - "0CCE9244-69AE-11D9-BED3-505054503030":["Detailed File Share","Object Access"], - "0CCE9245-69AE-11D9-BED3-505054503030":["Removable Storage","Object Access"], - "0CCE9246-69AE-11D9-BED3-505054503030":["Central Policy Staging","Object Access"], - "0CCE9228-69AE-11D9-BED3-505054503030":["Sensitive Privilege Use","Privilege Use"], - "0CCE9229-69AE-11D9-BED3-505054503030":["Non Sensitive Privilege Use","Privilege Use"], - "0CCE922A-69AE-11D9-BED3-505054503030":["Other Privilege Use Events","Privilege Use"], - "0CCE922B-69AE-11D9-BED3-505054503030":["Process Creation","Detailed Tracking"], - "0CCE922C-69AE-11D9-BED3-505054503030":["Process Termination","Detailed Tracking"], - "0CCE922D-69AE-11D9-BED3-505054503030":["DPAPI Activity","Detailed Tracking"], - "0CCE922E-69AE-11D9-BED3-505054503030":["RPC Events","Detailed Tracking"], - "0CCE9248-69AE-11D9-BED3-505054503030":["Plug and Play Events","Detailed Tracking"], - "0CCE922F-69AE-11D9-BED3-505054503030":["Audit Policy Change","Policy Change"], - "0CCE9230-69AE-11D9-BED3-505054503030":["Authentication Policy Change","Policy Change"], - "0CCE9231-69AE-11D9-BED3-505054503030":["Authorization Policy Change","Policy Change"], - "0CCE9232-69AE-11D9-BED3-505054503030":["MPSSVC Rule-Level Policy Change","Policy Change"], - "0CCE9233-69AE-11D9-BED3-505054503030":["Filtering Platform Policy Change","Policy Change"], - "0CCE9234-69AE-11D9-BED3-505054503030":["Other Policy Change Events","Policy Change"], - "0CCE9235-69AE-11D9-BED3-505054503030":["User Account Management","Account Management"], - "0CCE9236-69AE-11D9-BED3-505054503030":["Computer Account Management","Account Management"], - "0CCE9237-69AE-11D9-BED3-505054503030":["Security Group 
Management","Account Management"], - "0CCE9238-69AE-11D9-BED3-505054503030":["Distribution Group Management","Account Management"], - "0CCE9239-69AE-11D9-BED3-505054503030":["Application Group Management","Account Management"], - "0CCE923A-69AE-11D9-BED3-505054503030":["Other Account Management Events","Account Management"], - "0CCE923B-69AE-11D9-BED3-505054503030":["Directory Service Access","Account Management"], - "0CCE923C-69AE-11D9-BED3-505054503030":["Directory Service Changes","Account Management"], - "0CCE923D-69AE-11D9-BED3-505054503030":["Directory Service Replication","Account Management"], - "0CCE923E-69AE-11D9-BED3-505054503030":["Detailed Directory Service Replication","Account Management"], - "0CCE923F-69AE-11D9-BED3-505054503030":["Credential Validation","Account Logon"], - "0CCE9240-69AE-11D9-BED3-505054503030":["Kerberos Service Ticket Operations","Account Logon"], - "0CCE9241-69AE-11D9-BED3-505054503030":["Other Account Logon Events","Account Logon"], - "0CCE9242-69AE-11D9-BED3-505054503030":["Kerberos Authentication Service","Account Logon"], - }; - // Descriptions of failure status codes. 
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625 - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776 - var logonFailureStatus = { - "0xc000005e": "There are currently no logon servers available to service the logon request.", - "0xc0000064": "User logon with misspelled or bad user account", - "0xc000006a": "User logon with misspelled or bad password", - "0xc000006d": "This is either due to a bad username or authentication information", - "0xc000006e": "Unknown user name or bad password.", - "0xc000006f": "User logon outside authorized hours", - "0xc0000070": "User logon from unauthorized workstation", - "0xc0000071": "User logon with expired password", - "0xc0000072": "User logon to account disabled by administrator", - "0xc00000dc": "Indicates the Sam Server was in the wrong state to perform the desired operation.", - "0xc0000133": "Clocks between DC and other computer too far out of sync", - "0xc000015b": "The user has not been granted the requested logon type (aka logon right) at this machine", - "0xc000018c": "The logon request failed because the trust relationship between the primary domain and the trusted domain failed.", - "0xc0000192": "An attempt was made to logon, but the Netlogon service was not started.", - "0xc0000193": "User logon with expired account", - "0xc0000224": "User is required to change password at next logon", - "0xc0000225": "Evidently a bug in Windows and not a risk", - "0xc0000234": "User logon with account locked", - "0xc00002ee": "Failure Reason: An Error occurred during Logon", - "0xc0000413": "Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine.", - "0xc0000371": "The local account store does not contain secret material for the specified account", - "0x0": "Status OK.", - }; - // Message table extracted from msobjs.dll on Windows 2019. 
- // https://gist.github.com/andrewkroh/665dca0682bd0e4daf194ab291694012 - var msobjsMessageTable = { - "279": "Undefined Access (no effect) Bit 7", - "1536": "Unused message ID", - "1537": "DELETE", - "1538": "READ_CONTROL", - "1539": "WRITE_DAC", - "1540": "WRITE_OWNER", - "1541": "SYNCHRONIZE", - "1542": "ACCESS_SYS_SEC", - "1543": "MAX_ALLOWED", - "1552": "Unknown specific access (bit 0)", - "1553": "Unknown specific access (bit 1)", - "1554": "Unknown specific access (bit 2)", - "1555": "Unknown specific access (bit 3)", - "1556": "Unknown specific access (bit 4)", - "1557": "Unknown specific access (bit 5)", - "1558": "Unknown specific access (bit 6)", - "1559": "Unknown specific access (bit 7)", - "1560": "Unknown specific access (bit 8)", - "1561": "Unknown specific access (bit 9)", - "1562": "Unknown specific access (bit 10)", - "1563": "Unknown specific access (bit 11)", - "1564": "Unknown specific access (bit 12)", - "1565": "Unknown specific access (bit 13)", - "1566": "Unknown specific access (bit 14)", - "1567": "Unknown specific access (bit 15)", - "1601": "Not used", - "1603": "Assign Primary Token Privilege", - "1604": "Lock Memory Privilege", - "1605": "Increase Memory Quota Privilege", - "1606": "Unsolicited Input Privilege", - "1607": "Trusted Computer Base Privilege", - "1608": "Security Privilege", - "1609": "Take Ownership Privilege", - "1610": "Load/Unload Driver Privilege", - "1611": "Profile System Privilege", - "1612": "Set System Time Privilege", - "1613": "Profile Single Process Privilege", - "1614": "Increment Base Priority Privilege", - "1615": "Create Pagefile Privilege", - "1616": "Create Permanent Object Privilege", - "1617": "Backup Privilege", - "1618": "Restore From Backup Privilege", - "1619": "Shutdown System Privilege", - "1620": "Debug Privilege", - "1621": "View or Change Audit Log Privilege", - "1622": "Change Hardware Environment Privilege", - "1623": "Change Notify (and Traverse) Privilege", - "1624": "Remotely Shut 
System Down Privilege", - "1792": "", - "1794": "", - "1795": "Enabled", - "1796": "Disabled", - "1797": "All", - "1798": "None", - "1799": "Audit Policy query/set API Operation", - "1800": "", - "1801": "Granted by", - "1802": "Denied by", - "1803": "Denied by Integrity Policy check", - "1804": "Granted by Ownership", - "1805": "Not granted", - "1806": "Granted by NULL DACL", - "1807": "Denied by Empty DACL", - "1808": "Granted by NULL Security Descriptor", - "1809": "Unknown or unchecked", - "1810": "Not granted due to missing", - "1811": "Granted by ACE on parent folder", - "1812": "Denied by ACE on parent folder", - "1813": "Granted by Central Access Rule", - "1814": "NOT Granted by Central Access Rule", - "1815": "Granted by parent folder's Central Access Rule", - "1816": "NOT Granted by parent folder's Central Access Rule", - "1817": "Unknown Type", - "1818": "String", - "1819": "Unsigned 64-bit Integer", - "1820": "64-bit Integer", - "1821": "FQBN", - "1822": "Blob", - "1823": "Sid", - "1824": "Boolean", - "1825": "TRUE", - "1826": "FALSE", - "1827": "Invalid", - "1828": "an ACE too long to display", - "1829": "a Security Descriptor too long to display", - "1830": "Not granted to AppContainers", - "1831": "...", - "1832": "Identification", - "1833": "Impersonation", - "1840": "Delegation", - "1841": "Denied by Process Trust Label ACE", - "1842": "Yes", - "1843": "No", - "1844": "System", - "1845": "Not Available", - "1846": "Default", - "1847": "DisallowMmConfig", - "1848": "Off", - "1849": "Auto", - "1872": "REG_NONE", - "1873": "REG_SZ", - "1874": "REG_EXPAND_SZ", - "1875": "REG_BINARY", - "1876": "REG_DWORD", - "1877": "REG_DWORD_BIG_ENDIAN", - "1878": "REG_LINK", - "1879": "REG_MULTI_SZ (New lines are replaced with *. 
A * is replaced with **)", - "1880": "REG_RESOURCE_LIST", - "1881": "REG_FULL_RESOURCE_DESCRIPTOR", - "1882": "REG_RESOURCE_REQUIREMENTS_LIST", - "1883": "REG_QWORD", - "1904": "New registry value created", - "1905": "Existing registry value modified", - "1906": "Registry value deleted", - "1920": "Sunday", - "1921": "Monday", - "1922": "Tuesday", - "1923": "Wednesday", - "1924": "Thursday", - "1925": "Friday", - "1926": "Saturday", - "1936": "TokenElevationTypeDefault (1)", - "1937": "TokenElevationTypeFull (2)", - "1938": "TokenElevationTypeLimited (3)", - "2048": "Account Enabled", - "2049": "Home Directory Required' - Disabled", - "2050": "Password Not Required' - Disabled", - "2051": "Temp Duplicate Account' - Disabled", - "2052": "Normal Account' - Disabled", - "2053": "MNS Logon Account' - Disabled", - "2054": "Interdomain Trust Account' - Disabled", - "2055": "Workstation Trust Account' - Disabled", - "2056": "Server Trust Account' - Disabled", - "2057": "Don't Expire Password' - Disabled", - "2058": "Account Unlocked", - "2059": "Encrypted Text Password Allowed' - Disabled", - "2060": "Smartcard Required' - Disabled", - "2061": "Trusted For Delegation' - Disabled", - "2062": "Not Delegated' - Disabled", - "2063": "Use DES Key Only' - Disabled", - "2064": "Don't Require Preauth' - Disabled", - "2065": "Password Expired' - Disabled", - "2066": "Trusted To Authenticate For Delegation' - Disabled", - "2067": "Exclude Authorization Information' - Disabled", - "2068": "Undefined UserAccountControl Bit 20' - Disabled", - "2069": "Protect Kerberos Service Tickets with AES Keys' - Disabled", - "2070": "Undefined UserAccountControl Bit 22' - Disabled", - "2071": "Undefined UserAccountControl Bit 23' - Disabled", - "2072": "Undefined UserAccountControl Bit 24' - Disabled", - "2073": "Undefined UserAccountControl Bit 25' - Disabled", - "2074": "Undefined UserAccountControl Bit 26' - Disabled", - "2075": "Undefined UserAccountControl Bit 27' - Disabled", - "2076": 
"Undefined UserAccountControl Bit 28' - Disabled",
- "2077": "Undefined UserAccountControl Bit 29' - Disabled",
- "2078": "Undefined UserAccountControl Bit 30' - Disabled",
- "2079": "Undefined UserAccountControl Bit 31' - Disabled",
- "2080": "Account Disabled",
- "2081": "Home Directory Required' - Enabled",
- "2082": "Password Not Required' - Enabled",
- "2083": "Temp Duplicate Account' - Enabled",
- "2084": "Normal Account' - Enabled",
- "2085": "MNS Logon Account' - Enabled",
- "2086": "Interdomain Trust Account' - Enabled",
- "2087": "Workstation Trust Account' - Enabled",
- "2088": "Server Trust Account' - Enabled",
- "2089": "Don't Expire Password' - Enabled",
- "2090": "Account Locked",
- "2091": "Encrypted Text Password Allowed' - Enabled",
- "2092": "Smartcard Required' - Enabled",
- "2093": "Trusted For Delegation' - Enabled",
- "2094": "Not Delegated' - Enabled",
- "2095": "Use DES Key Only' - Enabled",
- "2096": "Don't Require Preauth' - Enabled",
- "2097": "Password Expired' - Enabled",
- "2098": "Trusted To Authenticate For Delegation' - Enabled",
- "2099": "Exclude Authorization Information' - Enabled",
- "2100": "Undefined UserAccountControl Bit 20' - Enabled",
- "2101": "Protect Kerberos Service Tickets with AES Keys' - Enabled",
- "2102": "Undefined UserAccountControl Bit 22' - Enabled",
- "2103": "Undefined UserAccountControl Bit 23' - Enabled",
- "2104": "Undefined UserAccountControl Bit 24' - Enabled",
- "2105": "Undefined UserAccountControl Bit 25' - Enabled",
- "2106": "Undefined UserAccountControl Bit 26' - Enabled",
- "2107": "Undefined UserAccountControl Bit 27' - Enabled",
- "2108": "Undefined UserAccountControl Bit 28' - Enabled",
- "2109": "Undefined UserAccountControl Bit 29' - Enabled",
- "2110": "Undefined UserAccountControl Bit 30' - Enabled",
- "2111": "Undefined UserAccountControl Bit 31' - Enabled",
- "2304": "An Error occured during Logon.",
- "2305": "The specified user account has expired.",
- "2306": "The NetLogon component is not active.",
- "2307": "Account locked out.",
- "2308": "The user has not been granted the requested logon type at this machine.",
- "2309": "The specified account's password has expired.",
- "2310": "Account currently disabled.",
- "2311": "Account logon time restriction violation.",
- "2312": "User not allowed to logon at this computer.",
- "2313": "Unknown user name or bad password.",
- "2314": "Domain sid inconsistent.",
- "2315": "Smartcard logon is required and was not used.",
- "2432": "Not Available.",
- "2436": "Random number generator failure.",
- "2437": "Random number generation failed FIPS-140 pre-hash check.",
- "2438": "Failed to zero secret data.",
- "2439": "Key failed pair wise consistency check.",
- "2448": "Failed to unprotect persistent cryptographic key.",
- "2449": "Key export checks failed.",
- "2450": "Validation of public key failed.",
- "2451": "Signature verification failed.",
- "2456": "Open key file.",
- "2457": "Delete key file.",
- "2458": "Read persisted key from file.",
- "2459": "Write persisted key to file.",
- "2464": "Export of persistent cryptographic key.",
- "2465": "Import of persistent cryptographic key.",
- "2480": "Open Key.",
- "2481": "Create Key.",
- "2482": "Delete Key.",
- "2483": "Encrypt.",
- "2484": "Decrypt.",
- "2485": "Sign hash.",
- "2486": "Secret agreement.",
- "2487": "Domain settings",
- "2488": "Local settings",
- "2489": "Add provider.",
- "2490": "Remove provider.",
- "2491": "Add context.",
- "2492": "Remove context.",
- "2493": "Add function.",
- "2494": "Remove function.",
- "2495": "Add function provider.",
- "2496": "Remove function provider.",
- "2497": "Add function property.",
- "2498": "Remove function property.",
- "2499": "Machine key.",
- "2500": "User key.",
- "2501": "Key Derivation.",
- "4352": "Device Access Bit 0",
- "4353": "Device Access Bit 1",
- "4354": "Device Access Bit 2",
- "4355": "Device Access Bit 3",
- "4356": "Device Access Bit 4",
- "4357": "Device Access Bit 5",
- "4358": "Device Access Bit 6",
- "4359": "Device Access Bit 7",
- "4360": "Device Access Bit 8",
- "4361": "Undefined Access (no effect) Bit 9",
- "4362": "Undefined Access (no effect) Bit 10",
- "4363": "Undefined Access (no effect) Bit 11",
- "4364": "Undefined Access (no effect) Bit 12",
- "4365": "Undefined Access (no effect) Bit 13",
- "4366": "Undefined Access (no effect) Bit 14",
- "4367": "Undefined Access (no effect) Bit 15",
- "4368": "Query directory",
- "4369": "Traverse",
- "4370": "Create object in directory",
- "4371": "Create sub-directory",
- "4372": "Undefined Access (no effect) Bit 4",
- "4373": "Undefined Access (no effect) Bit 5",
- "4374": "Undefined Access (no effect) Bit 6",
- "4375": "Undefined Access (no effect) Bit 7",
- "4376": "Undefined Access (no effect) Bit 8",
- "4377": "Undefined Access (no effect) Bit 9",
- "4378": "Undefined Access (no effect) Bit 10",
- "4379": "Undefined Access (no effect) Bit 11",
- "4380": "Undefined Access (no effect) Bit 12",
- "4381": "Undefined Access (no effect) Bit 13",
- "4382": "Undefined Access (no effect) Bit 14",
- "4383": "Undefined Access (no effect) Bit 15",
- "4384": "Query event state",
- "4385": "Modify event state",
- "4386": "Undefined Access (no effect) Bit 2",
- "4387": "Undefined Access (no effect) Bit 3",
- "4388": "Undefined Access (no effect) Bit 4",
- "4389": "Undefined Access (no effect) Bit 5",
- "4390": "Undefined Access (no effect) Bit 6",
- "4391": "Undefined Access (no effect) Bit 7",
- "4392": "Undefined Access (no effect) Bit 8",
- "4393": "Undefined Access (no effect) Bit 9",
- "4394": "Undefined Access (no effect) Bit 10",
- "4395": "Undefined Access (no effect) Bit 11",
- "4396": "Undefined Access (no effect) Bit 12",
- "4397": "Undefined Access (no effect) Bit 13",
- "4398": "Undefined Access (no effect) Bit 14",
- "4399": "Undefined Access (no effect) Bit 15",
- "4416": "ReadData (or ListDirectory)",
- "4417": "WriteData (or AddFile)",
- "4418": "AppendData (or AddSubdirectory or CreatePipeInstance)",
- "4419": "ReadEA",
- "4420": "WriteEA",
- "4421": "Execute/Traverse",
- "4422": "DeleteChild",
- "4423": "ReadAttributes",
- "4424": "WriteAttributes",
- "4425": "Undefined Access (no effect) Bit 9",
- "4426": "Undefined Access (no effect) Bit 10",
- "4427": "Undefined Access (no effect) Bit 11",
- "4428": "Undefined Access (no effect) Bit 12",
- "4429": "Undefined Access (no effect) Bit 13",
- "4430": "Undefined Access (no effect) Bit 14",
- "4431": "Undefined Access (no effect) Bit 15",
- "4432": "Query key value",
- "4433": "Set key value",
- "4434": "Create sub-key",
- "4435": "Enumerate sub-keys",
- "4436": "Notify about changes to keys",
- "4437": "Create Link",
- "4438": "Undefined Access (no effect) Bit 6",
- "4439": "Undefined Access (no effect) Bit 7",
- "4440": "Enable 64(or 32) bit application to open 64 bit key",
- "4441": "Enable 64(or 32) bit application to open 32 bit key",
- "4442": "Undefined Access (no effect) Bit 10",
- "4443": "Undefined Access (no effect) Bit 11",
- "4444": "Undefined Access (no effect) Bit 12",
- "4445": "Undefined Access (no effect) Bit 13",
- "4446": "Undefined Access (no effect) Bit 14",
- "4447": "Undefined Access (no effect) Bit 15",
- "4448": "Query mutant state",
- "4449": "Undefined Access (no effect) Bit 1",
- "4450": "Undefined Access (no effect) Bit 2",
- "4451": "Undefined Access (no effect) Bit 3",
- "4452": "Undefined Access (no effect) Bit 4",
- "4453": "Undefined Access (no effect) Bit 5",
- "4454": "Undefined Access (no effect) Bit 6",
- "4455": "Undefined Access (no effect) Bit 7",
- "4456": "Undefined Access (no effect) Bit 8",
- "4457": "Undefined Access (no effect) Bit 9",
- "4458": "Undefined Access (no effect) Bit 10",
- "4459": "Undefined Access (no effect) Bit 11",
- "4460": "Undefined Access (no effect) Bit 12",
- "4461": "Undefined Access (no effect) Bit 13",
- "4462": "Undefined Access (no effect) Bit 14",
- "4463": "Undefined Access (no effect) Bit 15",
- "4464": "Communicate using port",
- "4465": "Undefined Access (no effect) Bit 1",
- "4466": "Undefined Access (no effect) Bit 2",
- "4467": "Undefined Access (no effect) Bit 3",
- "4468": "Undefined Access (no effect) Bit 4",
- "4469": "Undefined Access (no effect) Bit 5",
- "4470": "Undefined Access (no effect) Bit 6",
- "4471": "Undefined Access (no effect) Bit 7",
- "4472": "Undefined Access (no effect) Bit 8",
- "4473": "Undefined Access (no effect) Bit 9",
- "4474": "Undefined Access (no effect) Bit 10",
- "4475": "Undefined Access (no effect) Bit 11",
- "4476": "Undefined Access (no effect) Bit 12",
- "4477": "Undefined Access (no effect) Bit 13",
- "4478": "Undefined Access (no effect) Bit 14",
- "4479": "Undefined Access (no effect) Bit 15",
- "4480": "Force process termination",
- "4481": "Create new thread in process",
- "4482": "Set process session ID",
- "4483": "Perform virtual memory operation",
- "4484": "Read from process memory",
- "4485": "Write to process memory",
- "4486": "Duplicate handle into or out of process",
- "4487": "Create a subprocess of process",
- "4488": "Set process quotas",
- "4489": "Set process information",
- "4490": "Query process information",
- "4491": "Set process termination port",
- "4492": "Undefined Access (no effect) Bit 12",
- "4493": "Undefined Access (no effect) Bit 13",
- "4494": "Undefined Access (no effect) Bit 14",
- "4495": "Undefined Access (no effect) Bit 15",
- "4496": "Control profile",
- "4497": "Undefined Access (no effect) Bit 1",
- "4498": "Undefined Access (no effect) Bit 2",
- "4499": "Undefined Access (no effect) Bit 3",
- "4500": "Undefined Access (no effect) Bit 4",
- "4501": "Undefined Access (no effect) Bit 5",
- "4502": "Undefined Access (no effect) Bit 6",
- "4503": "Undefined Access (no effect) Bit 7",
- "4504": "Undefined Access (no effect) Bit 8",
- "4505": "Undefined Access (no effect) Bit 9",
- "4506": "Undefined Access (no effect) Bit 10",
- "4507": "Undefined Access (no effect) Bit 11",
- "4508": "Undefined Access (no effect) Bit 12",
- "4509": "Undefined Access (no effect) Bit 13",
- "4510": "Undefined Access (no effect) Bit 14",
- "4511": "Undefined Access (no effect) Bit 15",
- "4512": "Query section state",
- "4513": "Map section for write",
- "4514": "Map section for read",
- "4515": "Map section for execute",
- "4516": "Extend size",
- "4517": "Undefined Access (no effect) Bit 5",
- "4518": "Undefined Access (no effect) Bit 6",
- "4519": "Undefined Access (no effect) Bit 7",
- "4520": "Undefined Access (no effect) Bit 8",
- "4521": "Undefined Access (no effect) Bit 9",
- "4522": "Undefined Access (no effect) Bit 10",
- "4523": "Undefined Access (no effect) Bit 11",
- "4524": "Undefined Access (no effect) Bit 12",
- "4525": "Undefined Access (no effect) Bit 13",
- "4526": "Undefined Access (no effect) Bit 14",
- "4527": "Undefined Access (no effect) Bit 15",
- "4528": "Query semaphore state",
- "4529": "Modify semaphore state",
- "4530": "Undefined Access (no effect) Bit 2",
- "4531": "Undefined Access (no effect) Bit 3",
- "4532": "Undefined Access (no effect) Bit 4",
- "4533": "Undefined Access (no effect) Bit 5",
- "4534": "Undefined Access (no effect) Bit 6",
- "4535": "Undefined Access (no effect) Bit 7",
- "4536": "Undefined Access (no effect) Bit 8",
- "4537": "Undefined Access (no effect) Bit 9",
- "4538": "Undefined Access (no effect) Bit 10",
- "4539": "Undefined Access (no effect) Bit 11",
- "4540": "Undefined Access (no effect) Bit 12",
- "4541": "Undefined Access (no effect) Bit 13",
- "4542": "Undefined Access (no effect) Bit 14",
- "4543": "Undefined Access (no effect) Bit 15",
- "4544": "Use symbolic link",
- "4545": "Undefined Access (no effect) Bit 1",
- "4546": "Undefined Access (no effect) Bit 2",
- "4547": "Undefined Access (no effect) Bit 3",
- "4548": "Undefined Access (no effect) Bit 4",
- "4549": "Undefined Access (no effect) Bit 5",
- "4550": "Undefined Access (no effect) Bit 6",
- "4551": "Undefined Access (no effect) Bit 7",
- "4552": "Undefined Access (no effect) Bit 8",
- "4553": "Undefined Access (no effect) Bit 9",
- "4554": "Undefined Access (no effect) Bit 10",
- "4555": "Undefined Access (no effect) Bit 11",
- "4556": "Undefined Access (no effect) Bit 12",
- "4557": "Undefined Access (no effect) Bit 13",
- "4558": "Undefined Access (no effect) Bit 14",
- "4559": "Undefined Access (no effect) Bit 15",
- "4560": "Force thread termination",
- "4561": "Suspend or resume thread",
- "4562": "Send an alert to thread",
- "4563": "Get thread context",
- "4564": "Set thread context",
- "4565": "Set thread information",
- "4566": "Query thread information",
- "4567": "Assign a token to the thread",
- "4568": "Cause thread to directly impersonate another thread",
- "4569": "Directly impersonate this thread",
- "4570": "Undefined Access (no effect) Bit 10",
- "4571": "Undefined Access (no effect) Bit 11",
- "4572": "Undefined Access (no effect) Bit 12",
- "4573": "Undefined Access (no effect) Bit 13",
- "4574": "Undefined Access (no effect) Bit 14",
- "4575": "Undefined Access (no effect) Bit 15",
- "4576": "Query timer state",
- "4577": "Modify timer state",
- "4578": "Undefined Access (no effect) Bit 2",
- "4579": "Undefined Access (no effect) Bit 3",
- "4580": "Undefined Access (no effect) Bit 4",
- "4581": "Undefined Access (no effect) Bit 5",
- "4582": "Undefined Access (no effect) Bit 6",
- "4584": "Undefined Access (no effect) Bit 8",
- "4585": "Undefined Access (no effect) Bit 9",
- "4586": "Undefined Access (no effect) Bit 10",
- "4587": "Undefined Access (no effect) Bit 11",
- "4588": "Undefined Access (no effect) Bit 12",
- "4589": "Undefined Access (no effect) Bit 13",
- "4590": "Undefined Access (no effect) Bit 14",
- "4591": "Undefined Access (no effect) Bit 15",
- "4592": "AssignAsPrimary",
- "4593": "Duplicate",
- "4594": "Impersonate",
- "4595": "Query",
- "4596": "QuerySource",
- "4597": "AdjustPrivileges",
- "4598": "AdjustGroups",
- "4599": "AdjustDefaultDacl",
- "4600": "AdjustSessionID",
- "4601": "Undefined Access (no effect) Bit 9",
- "4602": "Undefined Access (no effect) Bit 10",
- "4603": "Undefined Access (no effect) Bit 11",
- "4604": "Undefined Access (no effect) Bit 12",
- "4605": "Undefined Access (no effect) Bit 13",
- "4606": "Undefined Access (no effect) Bit 14",
- "4607": "Undefined Access (no effect) Bit 15",
- "4608": "Create instance of object type",
- "4609": "Undefined Access (no effect) Bit 1",
- "4610": "Undefined Access (no effect) Bit 2",
- "4611": "Undefined Access (no effect) Bit 3",
- "4612": "Undefined Access (no effect) Bit 4",
- "4613": "Undefined Access (no effect) Bit 5",
- "4614": "Undefined Access (no effect) Bit 6",
- "4615": "Undefined Access (no effect) Bit 7",
- "4616": "Undefined Access (no effect) Bit 8",
- "4617": "Undefined Access (no effect) Bit 9",
- "4618": "Undefined Access (no effect) Bit 10",
- "4619": "Undefined Access (no effect) Bit 11",
- "4620": "Undefined Access (no effect) Bit 12",
- "4621": "Undefined Access (no effect) Bit 13",
- "4622": "Undefined Access (no effect) Bit 14",
- "4623": "Undefined Access (no effect) Bit 15",
- "4864": "Query State",
- "4865": "Modify State",
- "5120": "Channel read message",
- "5121": "Channel write message",
- "5122": "Channel query information",
- "5123": "Channel set information",
- "5124": "Undefined Access (no effect) Bit 4",
- "5125": "Undefined Access (no effect) Bit 5",
- "5126": "Undefined Access (no effect) Bit 6",
- "5127": "Undefined Access (no effect) Bit 7",
- "5128": "Undefined Access (no effect) Bit 8",
- "5129": "Undefined Access (no effect) Bit 9",
- "5130": "Undefined Access (no effect) Bit 10",
- "5131": "Undefined Access (no effect) Bit 11",
- "5132": "Undefined Access (no effect) Bit 12",
- "5133": "Undefined Access (no effect) Bit 13",
- "5134": "Undefined Access (no effect) Bit 14",
- "5135": "Undefined Access (no effect) Bit 15",
- "5136": "Assign process",
- "5137": "Set Attributes",
- "5138": "Query Attributes",
- "5139": "Terminate Job",
- "5140": "Set Security Attributes",
- "5141": "Undefined Access (no effect) Bit 5",
- "5142": "Undefined Access (no effect) Bit 6",
- "5143": "Undefined Access (no effect) Bit 7",
- "5144": "Undefined Access (no effect) Bit 8",
- "5145": "Undefined Access (no effect) Bit 9",
- "5146": "Undefined Access (no effect) Bit 10",
- "5147": "Undefined Access (no effect) Bit 11",
- "5148": "Undefined Access (no effect) Bit 12",
- "5149": "Undefined Access (no effect) Bit 13",
- "5150": "Undefined Access (no effect) Bit 14",
- "5151": "Undefined Access (no effect) Bit 15",
- "5376": "ConnectToServer",
- "5377": "ShutdownServer",
- "5378": "InitializeServer",
- "5379": "CreateDomain",
- "5380": "EnumerateDomains",
- "5381": "LookupDomain",
- "5382": "Undefined Access (no effect) Bit 6",
- "5383": "Undefined Access (no effect) Bit 7",
- "5384": "Undefined Access (no effect) Bit 8",
- "5385": "Undefined Access (no effect) Bit 9",
- "5386": "Undefined Access (no effect) Bit 10",
- "5387": "Undefined Access (no effect) Bit 11",
- "5388": "Undefined Access (no effect) Bit 12",
- "5389": "Undefined Access (no effect) Bit 13",
- "5390": "Undefined Access (no effect) Bit 14",
- "5391": "Undefined Access (no effect) Bit 15",
- "5392": "ReadPasswordParameters",
- "5393": "WritePasswordParameters",
- "5394": "ReadOtherParameters",
- "5395": "WriteOtherParameters",
- "5396": "CreateUser",
- "5397": "CreateGlobalGroup",
- "5398": "CreateLocalGroup",
- "5399": "GetLocalGroupMembership",
- "5400": "ListAccounts",
- "5401": "LookupIDs",
- "5402": "AdministerServer",
- "5403": "Undefined Access (no effect) Bit 11",
- "5404": "Undefined Access (no effect) Bit 12",
- "5405": "Undefined Access (no effect) Bit 13",
- "5406": "Undefined Access (no effect) Bit 14",
- "5407": "Undefined Access (no effect) Bit 15",
- "5408": "ReadInformation",
- "5409": "WriteAccount",
- "5410": "AddMember",
- "5411": "RemoveMember",
- "5412": "ListMembers",
- "5413": "Undefined Access (no effect) Bit 5",
- "5414": "Undefined Access (no effect) Bit 6",
- "5415": "Undefined Access (no effect) Bit 7",
- "5416": "Undefined Access (no effect) Bit 8",
- "5417": "Undefined Access (no effect) Bit 9",
- "5418": "Undefined Access (no effect) Bit 10",
- "5419": "Undefined Access (no effect) Bit 11",
- "5420": "Undefined Access (no effect) Bit 12",
- "5421": "Undefined Access (no effect) Bit 13",
- "5422": "Undefined Access (no effect) Bit 14",
- "5423": "Undefined Access (no effect) Bit 15",
- "5424": "AddMember",
- "5425": "RemoveMember",
- "5426": "ListMembers",
- "5427": "ReadInformation",
- "5428": "WriteAccount",
- "5429": "Undefined Access (no effect) Bit 5",
- "5430": "Undefined Access (no effect) Bit 6",
- "5431": "Undefined Access (no effect) Bit 7",
- "5432": "Undefined Access (no effect) Bit 8",
- "5433": "Undefined Access (no effect) Bit 9",
- "5434": "Undefined Access (no effect) Bit 10",
- "5435": "Undefined Access (no effect) Bit 11",
- "5436": "Undefined Access (no effect) Bit 12",
- "5437": "Undefined Access (no effect) Bit 13",
- "5438": "Undefined Access (no effect) Bit 14",
- "5439": "Undefined Access (no effect) Bit 15",
- "5440": "ReadGeneralInformation",
- "5441": "ReadPreferences",
- "5442": "WritePreferences",
- "5443": "ReadLogon",
- "5444": "ReadAccount",
- "5445": "WriteAccount",
- "5446": "ChangePassword (with knowledge of old password)",
- "5447": "SetPassword (without knowledge of old password)",
- "5448": "ListGroups",
- "5449": "ReadGroupMembership",
- "5450": "ChangeGroupMembership",
- "5451": "Undefined Access (no effect) Bit 11",
- "5452": "Undefined Access (no effect) Bit 12",
- "5453": "Undefined Access (no effect) Bit 13",
- "5454": "Undefined Access (no effect) Bit 14",
- "5455": "Undefined Access (no effect) Bit 15",
- "5632": "View non-sensitive policy information",
- "5633": "View system audit requirements",
- "5634": "Get sensitive policy information",
- "5635": "Modify domain trust relationships",
- "5636": "Create special accounts (for assignment of user rights)",
- "5637": "Create a secret object",
- "5638": "Create a privilege",
- "5639": "Set default quota limits",
- "5640": "Change system audit requirements",
- "5641": "Administer audit log attributes",
- "5642": "Enable/Disable LSA",
- "5643": "Lookup Names/SIDs",
- "5648": "Change secret value",
- "5649": "Query secret value",
- "5650": "Undefined Access (no effect) Bit 2",
- "5651": "Undefined Access (no effect) Bit 3",
- "5652": "Undefined Access (no effect) Bit 4",
- "5653": "Undefined Access (no effect) Bit 5",
- "5654": "Undefined Access (no effect) Bit 6",
- "5655": "Undefined Access (no effect) Bit 7",
- "5656": "Undefined Access (no effect) Bit 8",
- "5657": "Undefined Access (no effect) Bit 9",
- "5658": "Undefined Access (no effect) Bit 10",
- "5659": "Undefined Access (no effect) Bit 11",
- "5660": "Undefined Access (no effect) Bit 12",
- "5661": "Undefined Access (no effect) Bit 13",
- "5662": "Undefined Access (no effect) Bit 14",
- "5663": "Undefined Access (no effect) Bit 15",
- "5664": "Query trusted domain name/SID",
- "5665": "Retrieve the controllers in the trusted domain",
- "5666": "Change the controllers in the trusted domain",
- "5667": "Query the Posix ID offset assigned to the trusted domain",
- "5668": "Change the Posix ID offset assigned to the trusted domain",
- "5669": "Undefined Access (no effect) Bit 5",
- "5670": "Undefined Access (no effect) Bit 6",
- "5671": "Undefined Access (no effect) Bit 7",
- "5672": "Undefined Access (no effect) Bit 8",
- "5673": "Undefined Access (no effect) Bit 9",
- "5674": "Undefined Access (no effect) Bit 10",
- "5675": "Undefined Access (no effect) Bit 11",
- "5676": "Undefined Access (no effect) Bit 12",
- "5677": "Undefined Access (no effect) Bit 13",
- "5678": "Undefined Access (no effect) Bit 14",
- "5679": "Undefined Access (no effect) Bit 15",
- "5680": "Query account information",
- "5681": "Change privileges assigned to account",
- "5682": "Change quotas assigned to account",
- "5683": "Change logon capabilities assigned to account",
- "5684": "Change the Posix ID offset assigned to the accounted domain",
- "5685": "Undefined Access (no effect) Bit 5",
- "5686": "Undefined Access (no effect) Bit 6",
- "5687": "Undefined Access (no effect) Bit 7",
- "5688": "Undefined Access (no effect) Bit 8",
- "5689": "Undefined Access (no effect) Bit 9",
- "5690": "Undefined Access (no effect) Bit 10",
- "5691": "Undefined Access (no effect) Bit 11",
- "5692": "Undefined Access (no effect) Bit 12",
- "5693": "Undefined Access (no effect) Bit 13",
- "5694": "Undefined Access (no effect) Bit 14",
- "5695": "Undefined Access (no effect) Bit 15",
- "5696": "KeyedEvent Wait",
- "5697": "KeyedEvent Wake",
- "5698": "Undefined Access (no effect) Bit 2",
- "5699": "Undefined Access (no effect) Bit 3",
- "5700": "Undefined Access (no effect) Bit 4",
- "5701": "Undefined Access (no effect) Bit 5",
- "5702": "Undefined Access (no effect) Bit 6",
- "5703": "Undefined Access (no effect) Bit 7",
- "5704": "Undefined Access (no effect) Bit 8",
- "5705": "Undefined Access (no effect) Bit 9",
- "5706": "Undefined Access (no effect) Bit 10",
- "5707": "Undefined Access (no effect) Bit 11",
- "5708": "Undefined Access (no effect) Bit 12",
- "5709": "Undefined Access (no effect) Bit 13",
- "5710": "Undefined Access (no effect) Bit 14",
- "5711": "Undefined Access (no effect) Bit 15",
- "6656": "Enumerate desktops",
- "6657": "Read attributes",
- "6658": "Access Clipboard",
- "6659": "Create desktop",
- "6660": "Write attributes",
- "6661": "Access global atoms",
- "6662": "Exit windows",
- "6663": "Unused Access Flag",
- "6664": "Include this windowstation in enumerations",
- "6665": "Read screen",
- "6672": "Read Objects",
- "6673": "Create window",
- "6674": "Create menu",
- "6675": "Hook control",
- "6676": "Journal (record)",
- "6677": "Journal (playback)",
- "6678": "Include this desktop in enumerations",
- "6679": "Write objects",
- "6680": "Switch to this desktop",
- "6912": "Administer print server",
- "6913": "Enumerate printers",
- "6930": "Full Control",
- "6931": "Print",
- "6948": "Administer Document",
- "7168": "Connect to service controller",
- "7169": "Create a new service",
- "7170": "Enumerate services",
- "7171": "Lock service database for exclusive access",
- "7172": "Query service database lock state",
- "7173": "Set last-known-good state of service database",
- "7184": "Query service configuration information",
- "7185": "Set service configuration information",
- "7186": "Query status of service",
- "7187": "Enumerate dependencies of service",
- "7188": "Start the service",
- "7189": "Stop the service",
- "7190": "Pause or continue the service",
- "7191": "Query information from service",
- "7192": "Issue service-specific control commands",
- "7424": "DDE Share Read",
- "7425": "DDE Share Write",
- "7426": "DDE Share Initiate Static",
- "7427": "DDE Share Initiate Link",
- "7428": "DDE Share Request",
- "7429": "DDE Share Advise",
- "7430": "DDE Share Poke",
- "7431": "DDE Share Execute",
- "7432": "DDE Share Add Items",
- "7433": "DDE Share List Items",
- "7680": "Create Child",
- "7681": "Delete Child",
- "7682": "List Contents",
- "7683": "Write Self",
- "7684": "Read Property",
- "7685": "Write Property",
- "7686": "Delete Tree",
- "7687": "List Object",
- "7688": "Control Access",
- "7689": "Undefined Access (no effect) Bit 9",
- "7690": "Undefined Access (no effect) Bit 10",
- "7691": "Undefined Access (no effect) Bit 11",
- "7692": "Undefined Access (no effect) Bit 12",
- "7693": "Undefined Access (no effect) Bit 13",
- "7694": "Undefined Access (no effect) Bit 14",
- "7695": "Undefined Access (no effect) Bit 15",
- "7936": "Audit Set System Policy",
- "7937": "Audit Query System Policy",
- "7938": "Audit Set Per User Policy",
- "7939": "Audit Query Per User Policy",
- "7940": "Audit Enumerate Users",
- "7941": "Audit Set Options",
- "7942": "Audit Query Options",
- "8064": "Port sharing (read)",
- "8065": "Port sharing (write)",
- "8096": "Default credentials",
- "8097": "Credentials manager",
- "8098": "Fresh credentials",
- "8192": "Kerberos",
- "8193": "Preshared key",
- "8194": "Unknown authentication",
- "8195": "DES",
- "8196": "3DES",
- "8197": "MD5",
- "8198": "SHA1",
- "8199": "Local computer",
- "8200": "Remote computer",
- "8201": "No state",
- "8202": "Sent first (SA) payload",
- "8203": "Sent second (KE) payload",
- "8204": "Sent third (ID) payload",
- "8205": "Initiator",
- "8206": "Responder",
- "8207": "No state",
- "8208": "Sent first (SA) payload",
- "8209": "Sent final payload",
- "8210": "Complete",
- "8211": "Unknown",
- "8212": "Transport",
- "8213": "Tunnel",
- "8214": "IKE/AuthIP DoS prevention mode started",
- "8215": "IKE/AuthIP DoS prevention mode stopped",
- "8216": "Enabled",
- "8217": "Not enabled",
- "8218": "No state",
- "8219": "Sent first (EM attributes) payload",
- "8220": "Sent second (SSPI) payload",
- "8221": "Sent third (hash) payload",
- "8222": "IKEv1",
- "8223": "AuthIP",
- "8224": "Anonymous",
- "8225": "NTLM V2",
- "8226": "CGA",
- "8227": "Certificate",
- "8228": "SSL",
- "8229": "None",
- "8230": "DH group 1",
- "8231": "DH group 2",
- "8232": "DH group 14",
- "8233": "DH group ECP 256",
- "8234": "DH group ECP 384",
- "8235": "AES-128",
- "8236": "AES-192",
- "8237": "AES-256",
- "8238": "Certificate ECDSA P256",
- "8239": "Certificate ECDSA P384",
- "8240": "SSL ECDSA P256",
- "8241": "SSL ECDSA P384",
- "8242": "SHA 256",
- "8243": "SHA 384",
- "8244": "IKEv2",
- "8245": "EAP payload sent",
- "8246": "Authentication payload sent",
- "8247": "EAP",
- "8248": "DH group 24",
- "8272": "System",
- "8273": "Logon/Logoff",
- "8274": "Object Access",
- "8275": "Privilege Use",
- "8276": "Detailed Tracking",
- "8277": "Policy Change",
- "8278": "Account Management",
- "8279": "DS Access",
- "8280": "Account Logon",
- "8448": "Success removed",
- "8449": "Success Added",
- "8450": "Failure removed",
- "8451": "Failure Added",
- "8452": "Success include removed",
- "8453": "Success include added",
- "8454": "Success exclude removed",
- "8455": "Success exclude added",
- "8456": "Failure include removed",
- "8457": "Failure include added",
- "8458": "Failure exclude removed",
- "8459": "Failure exclude added",
- "12288": "Security State Change",
- "12289": "Security System Extension",
- "12290": "System Integrity",
- "12291": "IPsec Driver",
- "12292": "Other System Events",
- "12544": "Logon",
- "12545": "Logoff",
- "12546": "Account Lockout",
- "12547": "IPsec Main Mode",
- "12548": "Special Logon",
- "12549": "IPsec Quick Mode",
- "12550": "IPsec Extended Mode",
- "12551": "Other Logon/Logoff Events",
- "12552": "Network Policy Server",
- "12553": "User / Device Claims",
- "12554": "Group Membership",
- "12800": "File System",
- "12801": "Registry",
- "12802": "Kernel Object",
- "12803": "SAM",
- "12804": "Other Object Access Events",
- "12805": "Certification Services",
- "12806": "Application Generated",
- "12807": "Handle Manipulation",
- "12808": "File Share",
- "12809": "Filtering Platform Packet Drop",
- "12810": "Filtering Platform Connection",
- "12811": "Detailed File Share",
- "12812": "Removable Storage",
- "12813": "Central Policy Staging",
- "13056": "Sensitive Privilege Use",
- "13057": "Non Sensitive Privilege Use",
- "13058": "Other Privilege Use Events",
- "13312": "Process Creation",
- "13313": "Process Termination",
- "13314": "DPAPI Activity",
- "13315": "RPC Events",
- "13316": "Plug and Play Events",
- "13317": "Token Right Adjusted Events",
- "13568": "Audit Policy Change",
- "13569": "Authentication Policy Change",
- "13570": "Authorization Policy Change",
- "13571": "MPSSVC Rule-Level Policy Change",
- "13572": "Filtering Platform Policy Change",
- "13573": "Other Policy Change Events",
- "13824": "User Account Management",
- "13825": "Computer Account Management",
- "13826": "Security Group Management",
- "13827": "Distribution Group Management",
- "13828": "Application Group Management",
- "13829": "Other Account Management Events",
- "14080": "Directory Service Access",
- "14081": "Directory Service Changes",
- "14082": "Directory Service Replication",
- "14083": "Detailed Directory Service Replication",
- "14336": "Credential Validation",
- "14337": "Kerberos Service Ticket Operations",
- "14338": "Other Account Logon Events",
- "14339": "Kerberos Authentication Service",
- "14592": "Inbound",
- "14593": "Outbound",
- "14594": "Forward",
- "14595": "Bidirectional",
- "14596": "IP Packet",
- "14597": "Transport",
- "14598": "Forward",
- "14599": "Stream",
- "14600": "Datagram Data",
- "14601": "ICMP Error",
- "14602": "MAC 802.3",
- "14603": "MAC Native",
- "14604": "vSwitch",
- "14608": "Resource Assignment",
- "14609": "Listen",
- "14610": "Receive/Accept",
- "14611": "Connect",
- "14612": "Flow Established",
- "14614": "Resource Release",
- "14615": "Endpoint Closure",
- "14616": "Connect Redirect",
- "14617": "Bind Redirect",
- "14624": "Stream Packet",
- "14640": "ICMP Echo-Request",
- "14641": "vSwitch Ingress",
- "14642": "vSwitch Egress",
- "14672": "",
- "14673": "[NULL]",
- "14674": "Value Added",
- "14675": "Value Deleted",
- "14676": "Active Directory Domain Services",
- "14677": "Active Directory Lightweight Directory Services",
- "14678": "Yes",
- "14679": "No",
- "14680": "Value Added With Expiration Time",
- "14681": "Value Deleted With Expiration Time",
- "14688": "Value Auto Deleted With Expiration Time",
- "16384": "Add",
- "16385": "Delete",
- "16386": "Boot-time",
- "16387": "Persistent",
- "16388": "Not persistent",
- "16389": "Block",
- "16390": "Permit",
- "16391": "Callout",
- "16392": "MD5",
- "16393": "SHA-1",
- "16394": "SHA-256",
- "16395": "AES-GCM 128",
- "16396": "AES-GCM 192",
- "16397": "AES-GCM 256",
- "16398": "DES",
- "16399": "3DES",
- "16400": "AES-128",
- "16401": "AES-192",
- "16402": "AES-256",
- "16403": "Transport",
- "16404": "Tunnel",
- "16405": "Responder",
- "16406": "Initiator",
- "16407": "AES-GMAC 128",
- "16408": "AES-GMAC 192",
- "16409": "AES-GMAC 256",
- "16416": "AuthNoEncap Transport",
- "16896": "Enable WMI Account",
- "16897": "Execute Method",
- "16898": "Full Write",
- "16899": "Partial Write",
- "16900": "Provider Write",
- "16901": "Remote Access",
- "16902": "Subscribe",
- "16903": "Publish",
- };
- // Trust Types
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706
- var trustTypes = {
- "1": "TRUST_TYPE_DOWNLEVEL",
- "2": "TRUST_TYPE_UPLEVEL",
- "3": "TRUST_TYPE_MIT",
- "4": "TRUST_TYPE_DCE"
- }
- // Trust Direction
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706
- var trustDirection = {
- "0": "TRUST_DIRECTION_DISABLED",
- "1": "TRUST_DIRECTION_INBOUND",
- "2": "TRUST_DIRECTION_OUTBOUND",
- "3": "TRUST_DIRECTION_BIDIRECTIONAL"
- }
- // Trust Attributes
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706
- var trustAttributes = {
- "0": "UNDEFINED",
- "1": "TRUST_ATTRIBUTE_NON_TRANSITIVE",
- "2": "TRUST_ATTRIBUTE_UPLEVEL_ONLY",
- "4": "TRUST_ATTRIBUTE_QUARANTINED_DOMAIN",
- "8": "TRUST_ATTRIBUTE_FOREST_TRANSITIVE",
- "16": "TRUST_ATTRIBUTE_CROSS_ORGANIZATION",
- "32": "TRUST_ATTRIBUTE_WITHIN_FOREST",
- "64": "TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL",
- "128": "TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION",
- "512": "TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION",
- "1024": "TRUST_ATTRIBUTE_PIM_TRUST"
- }
- // SDDL Ace Types
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4715
- // https://docs.microsoft.com/en-us/windows/win32/secauthz/ace-strings
- // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/f4296d69-1c0f-491f-9587-a960b292d070
- var aceTypes = {
- "A": "Access Allowed",
- "D": "Access Denied",
- "OA": "Object Access Allowed",
- "OD": "Object Access Denied",
- "AU": "System Audit",
- "AL": "System Alarm",
- "OU": "System Object Audit",
- "OL": "System Object Alarm",
- "ML": "System Mandatory Label",
- "SP": "Central Policy ID"
- }
- // SDDL Permissions
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4715
- // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/f4296d69-1c0f-491f-9587-a960b292d070
- var permissionDescription = {
- "GA": "Generic All",
- "GR": "Generic Read",
- "GW": "Generic Write",
- "GX": "Generic Execute",
- "RC": "Read Permissions",
- "SD": "Delete",
- "WD": "Modify Permissions",
- "WO": "Modify Owner",
- "RP": "Read All Properties",
- "WP": "Write All Properties",
- "CC": "Create All Child Objects",
- "DC": "Delete All Child Objects",
- "LC": "List Contents",
- "SW": "All Validated",
- "LO": "List Object",
- "DT": "Delete Subtree",
- "CR": "All Extended Rights",
- "FA": "File All Access",
- "FR": "File Generic Read",
- "FX": "FILE GENERIC EXECUTE",
- "FW": "FILE GENERIC WRITE",
- "KA": "KEY ALL ACCESS",
- "KR": "KEY READ",
- "KW": "KEY WRITE",
- "KX": "KEY EXECUTE"
- }
- // Known SIDs
- // https://support.microsoft.com/en-au/help/243330/well-known-security-identifier"S-in-window"S-operating-systems
- // https://docs.microsoft.com/en-us/windows/win32/secauthz/sid-strings
- var accountSIDDescription = {
- "AO": "Account operators",
- "RU": "Alias to allow previous Windows 2000",
- "AN": "Anonymous logon",
- "AU": "Authenticated users",
- "BA": "Built-in administrators",
- "BG": "Built-in guests",
- "BO": "Backup operators",
- "BU": "Built-in users",
- "CA": "Certificate server administrators",
- "CG": "Creator group",
- "CO": "Creator owner",
- "DA": "Domain administrators",
- "DC": "Domain computers",
- "DD": "Domain controllers",
- "DG": "Domain guests",
- "DU": "Domain users",
- "EA": "Enterprise administrators",
- "ED": "Enterprise domain controllers",
- "WD": "Everyone",
- "PA": "Group Policy administrators",
- "IU": "Interactively logged-on user",
- "LA": "Local administrator",
- "LG": "Local guest",
- "LS": "Local service account",
- "SY": "Local system",
- "NU": "Network logon user",
- "NO": "Network configuration operators",
- "NS": "Network service account",
- "PO": "Printer operators",
- "PS": "Personal self",
- "PU": "Power users",
- "RS": "RAS servers group",
- "RD": "Terminal server users",
- "RE": "Replicator",
- "RC": "Restricted code",
- "SA": "Schema administrators",
- "SO": "Server operators",
- "SU": "Service logon user",
- "S-1-0": "Null Authority",
- "S-1-0-0": "Nobody",
- "S-1-1": "World Authority",
- "S-1-1-0": "Everyone",
- "S-1-16-0": "Untrusted Mandatory Level",
- "S-1-16-12288": "High Mandatory Level",
- "S-1-16-16384": "System Mandatory Level",
- "S-1-16-20480": "Protected Process Mandatory Level",
- "S-1-16-28672": "Secure Process Mandatory Level",
- "S-1-16-4096": "Low Mandatory Level",
- "S-1-16-8192": "Medium Mandatory Level",
- "S-1-16-8448": "Medium Plus Mandatory Level",
- "S-1-2": "Local Authority",
- "S-1-2-0": "Local",
- "S-1-2-1": "Console Logon",
- "S-1-3": "Creator Authority",
- "S-1-3-0": "Creator Owner",
- "S-1-3-1": "Creator Group",
- "S-1-3-2": "Creator Owner Server",
- "S-1-3-3": "Creator Group Server",
- "S-1-3-4": "Owner Rights",
- "S-1-4": "Non-unique Authority",
- "S-1-5": "NT Authority",
- "S-1-5-1": "Dialup",
- "S-1-5-10": "Principal Self",
- "S-1-5-11": "Authenticated Users",
- "S-1-5-12": "Restricted Code",
- "S-1-5-13": "Terminal Server Users",
- "S-1-5-14": "Remote Interactive Logon",
- "S-1-5-15": "This Organization",
- "S-1-5-17": "This Organization",
- "S-1-5-18": "Local System",
- "S-1-5-19": "NT Authority",
- "S-1-5-2": "Network",
- "S-1-5-20": "NT Authority",
- "S-1-5-3": "Batch",
- "S-1-5-32-544": "Administrators",
- "S-1-5-32-545": "Users",
- "S-1-5-32-546": "Guests",
- "S-1-5-32-547": "Power Users",
- "S-1-5-32-548": "Account Operators",
- "S-1-5-32-549": "Server Operators",
- "S-1-5-32-550": "Print Operators",
- "S-1-5-32-551": "Backup Operators",
- "S-1-5-32-552": "Replicators",
- "S-1-5-32-554": "Builtin\Pre-Windows 2000 Compatible Access",
- "S-1-5-32-555": "Builtin\Remote Desktop Users",
- "S-1-5-32-556": "Builtin\Network Configuration Operators",
- "S-1-5-32-557": "Builtin\Incoming Forest Trust Builders",
- "S-1-5-32-558": "Builtin\Performance Monitor Users",
- "S-1-5-32-559": "Builtin\Performance Log Users",
- "S-1-5-32-560": "Builtin\Windows Authorization Access Group",
- "S-1-5-32-561": "Builtin\Terminal Server License Servers",
- "S-1-5-32-562": "Builtin\Distributed COM Users",
- "S-1-5-32-569": "Builtin\Cryptographic Operators",
- "S-1-5-32-573": "Builtin\Event Log Readers",
- "S-1-5-32-574": "Builtin\Certificate Service DCOM Access",
- "S-1-5-32-575": "Builtin\RDS Remote Access Servers",
- "S-1-5-32-576": "Builtin\RDS Endpoint Servers",
- "S-1-5-32-577": "Builtin\RDS Management Servers",
- "S-1-5-32-578": "Builtin\Hyper-V Administrators",
- "S-1-5-32-579": "Builtin\Access Control Assistance Operators",
- "S-1-5-32-580": "Builtin\Remote Management Users",
- "S-1-5-32-582": "Storage Replica Administrators",
- "S-1-5-4": "Interactive",
- "S-1-5-5-X-Y": "Logon Session",
- "S-1-5-6": "Service",
- "S-1-5-64-10": "NTLM Authentication",
- "S-1-5-64-14": "SChannel Authentication",
- "S-1-5-64-21": "Digest Authentication",
- "S-1-5-7": "Anonymous",
- "S-1-5-8": "Proxy",
- "S-1-5-80": "NT Service",
- "S-1-5-80-0": "All Services",
- "S-1-5-83-0": "NT Virtual Machine\Virtual Machines",
- "S-1-5-9": "Enterprise Domain Controllers",
- "S-1-5-90-0": "Windows Manager\Windows Manager Group"
- }
- // Domain-specific SIDs
- // https://support.microsoft.com/en-au/help/243330/well-known-security-identifiers-in-windows-operating-systems
- var domainSpecificSID = {
- "498": "Enterprise Read-only Domain Controllers",
- "500": "Administrator",
- "501": "Guest",
- "502": "KRBTGT",
- "512": "Domain Admins",
- "513": "Domain Users",
- "514": "Domain Guests",
- "515": "Domain Computers", - 
"516": "Domain Controllers", - "517": "Cert Publishers", - "518": "Schema Admins", - "519": "Enterprise Admins", - "520": "Group Policy Creator Owners", - "521": "Read-only Domain Controllers", - "522": "Cloneable Domain Controllers", - "526": "Key Admins", - "527": "Enterprise Key Admins", - "553": "RAS and IAS Servers", - "571": "Allowed RODC Password Replication Group", - "572": "Denied RODC Password Replication Group" - } - // Object Permission Flags - // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/7a53f60e-e730-4dfe-bbe9-b21b62eb790b - var permsFlags = [ - [0x80000000, 'Generic Read'], - [0x4000000, 'Generic Write'], - [0x20000000, 'Generic Execute'], - [0x10000000, 'Generic All'], - [0x02000000, 'Maximun Allowed'], - [0x01000000, 'Access System Security'], - [0x00100000, 'Syncronize'], - [0x00080000, 'Write Owner'], - [0x00040000, 'Write DACL'], - [0x00020000, 'Read Control'], - [0x00010000, 'Delete'] - ]; - // lookupMessageCode returns the string associated with the code. key should - // be the name of the field in evt containing the code (e.g. %%2313). 
- var lookupMessageCode = function (evt, key) { - var code = evt.Get(key); - if (!code) { - return; - } - code = code.replace("%%", ""); - return msobjsMessageTable[code]; - }; - var addEventFields = function(evt){ - var code = evt.Get("event.code"); - if (!code) { - return; - } - var eventActionDescription = eventActionTypes[code][2]; - if (eventActionDescription) { - evt.AppendTo("event.category", eventActionTypes[code][0]); - evt.AppendTo("event.type", eventActionTypes[code][1]); - evt.Put("event.action", eventActionTypes[code][2]); - } - }; - var addLogonType = function(evt) { - var code = evt.Get("winlog.event_data.LogonType"); - if (!code) { - return; - } - var descriptiveLogonType = logonTypes[code]; - if (descriptiveLogonType === undefined) { - return; - } - evt.Put("winlog.logon.type", descriptiveLogonType); - }; - var addFailureCode = function(evt) { - var msg = lookupMessageCode(evt, "winlog.event_data.FailureReason"); - if (!msg) { - return; - } - evt.Put("winlog.logon.failure.reason", msg); - }; - var addFailureStatus = function(evt) { - var code = evt.Get("winlog.event_data.Status"); - if (!code) { - return; - } - var descriptiveFailureStatus = logonFailureStatus[code]; - if (descriptiveFailureStatus === undefined) { - return; - } - evt.Put("winlog.logon.failure.status", descriptiveFailureStatus); - }; - var addFailureSubStatus = function(evt) { - var code = evt.Get("winlog.event_data.SubStatus"); - if (!code) { - return; - } - var descriptiveFailureStatus = logonFailureStatus[code]; - if (descriptiveFailureStatus === undefined) { - return; - } - evt.Put("winlog.logon.failure.sub_status", descriptiveFailureStatus); - }; - var addUACDescription = function(evt) { - var code = evt.Get("winlog.event_data.NewUacValue"); - if (!code) { - return; - } - var uacCode = parseInt(code); - var uacResult = []; - for (var i = 0; i < uacFlags.length; i++) { - if ((uacCode | uacFlags[i][0]) === uacCode) { - uacResult.push(uacFlags[i][1]); - } - } - if (uacResult) { - 
evt.Put("winlog.event_data.NewUACList", uacResult); - } - var uacList = evt.Get("winlog.event_data.UserAccountControl").replace(/\s/g, '').split("%%").filter(String); - if (!uacList) { - return; - } - evt.Put("winlog.event_data.UserAccountControl", uacList); - }; - var addAuditInfo = function(evt) { - var subcategoryGuid = evt.Get("winlog.event_data.SubcategoryGuid").replace("{", '').replace("}", '').toUpperCase(); - if (!subcategoryGuid) { - return; - } - if (!auditDescription[subcategoryGuid]) { - return; - } - evt.Put("winlog.event_data.Category", auditDescription[subcategoryGuid][1]); - evt.Put("winlog.event_data.SubCategory", auditDescription[subcategoryGuid][0]); - var codedActions = evt.Get("winlog.event_data.AuditPolicyChanges").split(","); - var actionResults = []; - for (var j = 0; j < codedActions.length; j++) { - var actionCode = codedActions[j].replace("%%", '').replace(' ', ''); - actionResults.push(msobjsMessageTable[actionCode]); - } - evt.Put("winlog.event_data.AuditPolicyChangesDescription", actionResults); - }; - var addTicketOptionsDescription = function(evt) { - var code = evt.Get("winlog.event_data.TicketOptions"); - if (!code) { - return; - } - var tktCode = parseInt(code, 16).toString(2); - var tktResult = []; - var tktCodeLen = tktCode.length; - for (var i = tktCodeLen; i >= 0; i--) { - if (tktCode[i] == 1) { - tktResult.push(ticketOptions[(32-tktCodeLen)+i]); - } - } - if (tktResult) { - evt.Put("winlog.event_data.TicketOptionsDescription", tktResult); - } - }; - var addTicketEncryptionType = function(evt) { - var code = evt.Get("winlog.event_data.TicketEncryptionType"); - if (!code) { - return; - } - var encTypeCode = code.toLowerCase(); - evt.Put("winlog.event_data.TicketEncryptionTypeDescription", ticketEncryptionTypes[encTypeCode]); - }; - var addTicketStatus = function(evt) { - var code = evt.Get("winlog.event_data.Status"); - if (!code) { - return; - } - evt.Put("winlog.event_data.StatusDescription", kerberosTktStatusCodes[code]); - 
}; - var translateSID = function(sid){ - var translatedSID = accountSIDDescription[sid]; - if (translatedSID == undefined) { - if (/^S\-1\-5\-21/.test(sid)) { - var uid = sid.match(/[0-9]{1,5}$/g); - if (uid) { - translatedSID = domainSpecificSID[uid]; - } - } - } - if (translatedSID == undefined) { - translatedSID = sid; - } - return translatedSID; - } - var translatePermissionMask = function(mask) { - if (!mask) { - return; - } - var permCode = parseInt(mask); - var permResult = []; - for (var i = 0; i < permsFlags.length; i++) { - if ((permCode | permsFlags[i][0]) === permCode) { - permResult.push(permsFlags[i][1]); - } - } - if (permResult) { - return permResult; - } else { - return mask; - } - }; - var translateACL = function(dacl) { - var aceArray = dacl.split(";"); - var aceResult = []; - var aceType = aceArray[0]; - var acePerm = aceArray[2]; - var aceTrustedSid = aceArray[5]; - if (aceTrustedSid) { - aceResult['grantee'] = translateSID(aceTrustedSid); - } - if (aceType) { - aceResult['type'] = aceTypes[aceType]; - } - if (acePerm) { - if (/^0x/.test(acePerm)) { - var perms = translatePermissionMask(acePerm); - } - else { - var perms = [] - var permPairs = acePerm.match(/.{1,2}/g); - for ( var i = 0; i < permPairs.length; i ++) { - perms.push(permissionDescription[permPairs[i]]) - } - } - aceResult['perms'] = perms; - } - return aceResult; - }; - var enrichSDDL = function(evt, sddl) { - var sddlStr = evt.Get(sddl); - if (!sddlStr) { - return; - } - var sdOwner = sddlStr.match(/^O\:[A-Z]{2}/g); - var sdGroup = sddlStr.match(/^G\:[A-Z]{2}/g); - var sdDacl = sddlStr.match(/(D:([A-Z]*(\(.*\))*))/g); - var sdSacl = sddlStr.match(/(S:([A-Z]*(\(.*\))*))?$/g); - if (sdOwner) { - evt.Put(sddl+"Owner", translateSID(sdOwner)); - } - if (sdGroup) { - evt.Put(sddl+"Group", translateSID(sdGroup)); - } - if (sdDacl) { - // Split each entry of the DACL - var daclList = (sdDacl[0]).match(/\([^*\)]*\)/g); - if (daclList) { - for (var i = 0; i < daclList.length; i++) { - var 
newDacl = translateACL(daclList[i].replace("(", '').replace(")", '')); - evt.Put(sddl+"Dacl"+i, newDacl['grantee']+" :"+newDacl['type']+" ("+newDacl['perms']+")"); - if ( newDacl['grantee'] === "Administrator" || newDacl['grantee'] === "Guest" || newDacl['grantee'] === "KRBTGT" ) { - evt.AppendTo('related.user', newDacl['grantee']); - } - } - } - } - if (sdSacl) { - // Split each entry of the SACL - var saclList = (sdSacl[0]).match(/\([^*\)]*\)/g); - if (saclList) { - for (var i = 0; i < saclList.length; i++) { - var newSacl = translateACL(saclList[i].replace("(", '').replace(")", '')); - evt.Put(sddl+"Sacl"+i, newSacl['grantee']+" :"+newSacl['type']+" ("+newSacl['perms']+")"); - if ( newSacl['grantee'] === "Administrator" || newSacl['grantee'] === "Guest" || newSacl['grantee'] === "KRBTGT" ) { - evt.AppendTo('related.user', newSacl['grantee']); - } - } - } - } - }; - - var addSessionData = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.AccountName", to: "user.name"}, - {from: "winlog.event_data.AccountDomain", to: "user.domain"}, - {from: "winlog.event_data.ClientAddress", to: "source.ip", type: "ip"}, - {from: "winlog.event_data.ClientAddress", to: "related.ip", type: "ip"}, - {from: "winlog.event_data.ClientName", to: "source.domain"}, - {from: "winlog.event_data.LogonID", to: "winlog.logon.id"}, - ], - ignore_missing: true, - fail_on_error: false, - }) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.AccountName"); - evt.AppendTo('related.user', user); - }) - .Build(); - var addServiceFields = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.ServiceName", to: "service.name"}, - ], - ignore_missing: true, - }) - .Add(function(evt) { - var code = evt.Get("winlog.event_data.ServiceType"); - if (!code) { - return; - } - evt.Put("service.type", serviceTypes[code]); - }) - .Build(); - var addTrustInformation = new processor.Chain() - .Add(function(evt) { - var code = 
evt.Get("winlog.event_data.TdoType"); - if (!code) { - return; - } - evt.Put("winlog.trustType", trustTypes[code]); - code = evt.Get("winlog.event_data.TdoDirection"); - if (!code) { - return; - } - evt.Put("winlog.trustDirection", trustDirection[code]); - code = evt.Get("winlog.event_data.TdoAttributes"); - if (!code) { - return; - } - evt.Put("winlog.trustAttribute", trustAttributes[code]); - - }) - .Build(); - - var copyTargetUser = function(evt) { - var targetUserId = evt.Get("winlog.event_data.TargetUserSid"); - if (targetUserId) { - if (evt.Get("user.id")) evt.Put("user.target.id", targetUserId); - else evt.Put("user.id", targetUserId); - } - - var targetUserName = evt.Get("winlog.event_data.TargetUserName"); - if (targetUserName) { - if (/.@*/.test(targetUserName)) { - targetUserName = targetUserName.split('@')[0]; - } - - evt.AppendTo("related.user", targetUserName); - if (evt.Get("user.name")) evt.Put("user.target.name", targetUserName); - else evt.Put("user.name", targetUserName); - } - - var targetUserDomain = evt.Get("winlog.event_data.TargetDomainName"); - if (targetUserDomain) { - if (evt.Get("user.domain")) evt.Put("user.target.domain", targetUserDomain); - else evt.Put("user.domain", targetUserDomain); - } - } - - var copyMemberToUser = function(evt) { - var member = evt.Get("winlog.event_data.MemberName"); - if (!member) { - return; - } - - var userName = member.split(',')[0].replace('CN=', '').replace('cn=', ''); - - evt.AppendTo("related.user", userName); - evt.Put("user.target.name", userName); - } - - var copyTargetUserToGroup = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.TargetUserSid", to: "group.id"}, - {from: "winlog.event_data.TargetSid", to: "group.id"}, - {from: "winlog.event_data.TargetUserName", to: "group.name"}, - {from: "winlog.event_data.TargetDomainName", to: "group.domain"}, - ], - ignore_missing: true, - }).Add(function(evt) { - if (!evt.Get("user.target")) return; - evt.Put("user.target.group.id", 
evt.Get("group.id")); - evt.Put("user.target.group.name", evt.Get("group.name")); - evt.Put("user.target.group.domain", evt.Get("group.domain")); - }) - .Build(); - var copyTargetUserToComputerObject = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.TargetSid", to: "winlog.computerObject.id"}, - {from: "winlog.event_data.TargetUserName", to: "winlog.computerObject.name"}, - {from: "winlog.event_data.TargetDomainName", to: "winlog.computerObject.domain"}, - ], - ignore_missing: true, - }) - .Build(); - var copyTargetUserLogonId = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.TargetLogonId", to: "winlog.logon.id"}, - ], - ignore_missing: true, - }) - .Build(); - var copySubjectUser = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.SubjectUserSid", to: "user.id"}, - {from: "winlog.event_data.SubjectUserName", to: "user.name"}, - {from: "winlog.event_data.SubjectDomainName", to: "user.domain"}, - ], - ignore_missing: true, - }) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.SubjectUserName"); - evt.AppendTo('related.user', user); - }) - .Build(); - var copySubjectUserFromUserData = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.user_data.SubjectUserSid", to: "user.id"}, - {from: "winlog.user_data.SubjectUserName", to: "user.name"}, - {from: "winlog.user_data.SubjectDomainName", to: "user.domain"}, - ], - ignore_missing: true, - }) - .Add(function(evt) { - var user = evt.Get("winlog.user_data.SubjectUserName"); - evt.AppendTo('related.user', user); - }) - .Build(); - var copySubjectUserLogonId = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.SubjectLogonId", to: "winlog.logon.id"}, - ], - ignore_missing: true, - }) - .Build(); - var copySubjectUserLogonIdFromUserData = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.user_data.SubjectLogonId", to: "winlog.logon.id"}, - ], - ignore_missing: true, - }) - .Build(); - 
var renameCommonAuthFields = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"}, - {from: "winlog.event_data.ProcessName", to: "process.executable"}, - {from: "winlog.event_data.IpAddress", to: "source.ip", type: "ip"}, - {from: "winlog.event_data.ClientAddress", to: "related.ip", type: "ip"}, - {from: "winlog.event_data.IpPort", to: "source.port", type: "long"}, - {from: "winlog.event_data.WorkstationName", to: "source.domain"}, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(function(evt) { - var name = evt.Get("process.name"); - if (name) { - return; - } - var exe = evt.Get("process.executable"); - if (!exe) { - return; - } - evt.Put("process.name", path.basename(exe)); - }) - .Build(); - var renameNewProcessFields = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.NewProcessId", to: "process.pid", type: "long"}, - {from: "winlog.event_data.NewProcessName", to: "process.executable"}, - {from: "winlog.event_data.ParentProcessName", to: "process.parent.executable"} - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(function(evt) { - var name = evt.Get("process.name"); - if (name) { - return; - } - var exe = evt.Get("process.executable"); - if (!exe) { - return; - } - evt.Put("process.name", path.basename(exe)); - }) - .Add(function(evt) { - var name = evt.Get("process.parent.name"); - if (name) { - return; - } - var exe = evt.Get("process.parent.executable"); - if (!exe) { - return; - } - evt.Put("process.parent.name", path.basename(exe)); - }) - .Add(function(evt) { - var cl = evt.Get("winlog.event_data.CommandLine"); - if (!cl) { - return; - } - evt.Put("process.args", windows.splitCommandLine(cl)); - evt.Put("process.command_line", cl); - }) - .Build(); - // Handles 4634 and 4647. 
- var logoff = new processor.Chain() - .Add(copyTargetUser) - .Add(copyTargetUserLogonId) - .Add(addLogonType) - .Add(addEventFields) - .Build(); - // Handles both 4624 - var logonSuccess = new processor.Chain() - .Add(copyTargetUser) - .Add(copyTargetUserLogonId) - .Add(addLogonType) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.SubjectUserName"); - if (user) { - var res = /^-$/.test(user); - if (!res) { - evt.AppendTo('related.user', user); - } - } - }) - .Build(); - // Handles both 4648 - var event4648 = new processor.Chain() - .Add(copyTargetUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.SubjectUserName"); - if (user) { - var res = /^-$/.test(user); - if (!res) { - evt.AppendTo('related.user', user); - } - } - }) - .Build(); - var event4625 = new processor.Chain() - .Add(copyTargetUser) - .Add(copySubjectUserLogonId) - .Add(addLogonType) - .Add(addFailureCode) - .Add(addFailureStatus) - .Add(addFailureSubStatus) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Build(); - var event4672 = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(function(evt) { - var privs = evt.Get("winlog.event_data.PrivilegeList"); - if (!privs) { - return; - } - evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/)); - }) - .Add(addEventFields) - .Build(); - var event4688 = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameNewProcessFields) - .Add(addEventFields) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.TargetUserName"); - if (user) { - var res = /^-$/.test(user); - if (!res) { - evt.AppendTo('related.user', user); - } - } - }) - .Build(); - var event4689 = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Build(); - 
var event4697 = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addServiceFields) - .Add(addEventFields) - .Build(); - var userMgmtEvts = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addUACDescription) - .Add(addEventFields) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.TargetUserName"); - evt.AppendTo('related.user', user); - }) - .Build(); - var userRenamed = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(addEventFields) - .Add(function(evt) { - var userNew = evt.Get("winlog.event_data.NewTargetUserName"); - evt.AppendTo('related.user', userNew); - var userOld = evt.Get("winlog.event_data.OldTargetUserName"); - evt.AppendTo('related.user', userOld); - }) - .Build(); - var groupMgmtEvts = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(copyMemberToUser) - .Add(copyTargetUserToGroup) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Build(); - var auditLogCleared = new processor.Chain() - .Add(copySubjectUserFromUserData) - .Add(copySubjectUserLogonIdFromUserData) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Build(); - var auditChanged = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addAuditInfo) - .Add(addEventFields) - .Build(); - var auditLogMgmt = new processor.Chain() - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Build(); - var computerMgmtEvts = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(copyTargetUserToComputerObject) - .Add(renameCommonAuthFields) - .Add(addUACDescription) - .Add(addEventFields) - .Add(function(evt) { - var privs = evt.Get("winlog.event_data.PrivilegeList"); - if (!privs) { - return; - } - evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/)); - }) - .Build(); - var 
sessionEvts = new processor.Chain() - .Add(addSessionData) - .Add(addEventFields) - .Build(); - var event4964 = new processor.Chain() - .Add(copyTargetUser) - .Add(copyTargetUserLogonId) - .Add(addEventFields) - .Build(); - var kerberosTktEvts = new processor.Chain() - .Add(copyTargetUser) - .Add(renameCommonAuthFields) - .Add(addTicketOptionsDescription) - .Add(addTicketEncryptionType) - .Add(addTicketStatus) - .Add(addEventFields) - .Add(function(evt) { - var ip = evt.Get("source.ip"); - if (ip) { - if (/::ffff:/.test(ip)) { - evt.Put("source.ip", ip.replace("::ffff:", "")); - evt.AppendTo("related.ip", ip.replace("::ffff:", "")); - } - } - }) - .Build(); - var event4776 = new processor.Chain() - .Add(copyTargetUser) - .Add(addFailureStatus) - .Add(addEventFields) - .Build(); - var scheduledTask = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(addEventFields) - .Build(); - var sensitivePrivilege = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Add(function(evt) { - var privs = evt.Get("winlog.event_data.PrivilegeList"); - if (!privs) { - return; - } - evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/)); - }) - .Add(function(evt){ - var maskCodes = evt.Get("winlog.event_data.AccessMask"); - if (!maskCodes) { - return; - } - var maskList = maskCodes.replace(/\s+/g, '').split("%%").filter(String); - evt.Put("winlog.event_data.AccessMask", maskList); - var maskResults = []; - for (var j = 0; j < maskList.length; j++) { - var description = msobjsMessageTable[maskList[j]]; - if (description === undefined) { - return; - } - maskResults.push(description); - } - evt.Put("winlog.event_data.AccessMaskDescription", maskResults); - }) - .Build(); - - var trustDomainMgmtEvts = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(addEventFields) - .Add(addTrustInformation) - .Build(); - - var policyChange = new 
processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(addEventFields) - .Build(); - - var objectPolicyChange = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Add(function(evt) { - var oldSd = evt.Get("winlog.event_data.OldSd"); - var newSd = evt.Get("winlog.event_data.NewSd"); - if (oldSd) { - enrichSDDL(evt, "winlog.event_data.OldSd"); - } - if (newSd) { - enrichSDDL(evt, "winlog.event_data.NewSd"); - } - }) - .Build(); - - var genericAuditChange = new processor.Chain() - .Add(addEventFields) - .Build(); - - var event4908 = new processor.Chain() - .Add(addEventFields) - .Add(function(evt) { - var sids = evt.Get("winlog.event_data.SidList"); - if (!sids) { - return; - } - var sidList = sids.split(/\s+/); - evt.Put("winlog.event_data.SidList", sids.split(/\s+/)); - var sidListDesc = []; - for (var i = 0; i < sidList.length; i++) { - var sidTemp = sidList[i].replace("%", "").replace("{", "").replace("}", "").replace(" ",""); - if (sidTemp) { - sidListDesc.push(translateSID(sidTemp)); - } - } - evt.Put("winlog.event_data.SidListDesc", sidListDesc); - }) - .Build(); - - var securityEventSource = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Build(); - - return { - // 1100 - The event logging service has shut down. - 1100: auditLogMgmt.Run, - // 1102 - The audit log was cleared. - 1102: auditLogCleared.Run, - // 1104 - The security log is now full. - 1104: auditLogMgmt.Run, - // 1105 - Event log automatic backup. - 1105: auditLogMgmt.Run, - // 1108 - The event logging service encountered an error while processing an incoming event published from %1 - 1108: auditLogMgmt.Run, - // 4624 - An account was successfully logged on. - 4624: logonSuccess.Run, - // 4625 - An account failed to log on. - 4625: event4625.Run, - // 4634 - An account was logged off. 
- 4634: logoff.Run, - // 4647 - User initiated logoff. - 4647: logoff.Run, - // 4648 - A logon was attempted using explicit credentials. - 4648: event4648.Run, - // 4670 - Permissions on an object were changed. - 4670: objectPolicyChange.Run, - // 4672 - Special privileges assigned to new logon. - 4672: event4672.Run, - // 4673 - A privileged service was called. - 4673: sensitivePrivilege.Run, - // 4674 - An operation was attempted on a privileged object. - 4674: sensitivePrivilege.Run, - // 4688 - A new process has been created. - 4688: event4688.Run, - // 4689 - A process has exited. - 4689: event4689.Run, - // 4697 - A service was installed in the system. - 4697: event4697.Run, - // 4698 - A scheduled task was created. - 4698: scheduledTask.Run, - // 4699 - A scheduled task was deleted. - 4699: scheduledTask.Run, - // 4700 - A scheduled task was enabled. - 4700: scheduledTask.Run, - // 4701 - A scheduled task was disabled. - 4701: scheduledTask.Run, - // 4702 - A scheduled task was updated. - 4702: scheduledTask.Run, - // 4706 - A new trust was created to a domain. - 4706: trustDomainMgmtEvts.Run, - // 4707 - A trust to a domain was removed. - 4707: trustDomainMgmtEvts.Run, - // 4713 - Kerberos policy was changed. - 4713: policyChange.Run, - // 4716 - Trusted domain information was modified. - 4716: trustDomainMgmtEvts.Run, - // 4717 - System security access was granted to an account. - 4717: policyChange.Run, - // 4718 - System security access was removed from an account. - 4718: policyChange.Run, - // 4719 - System audit policy was changed. - 4719: auditChanged.Run, - // 4720 - A user account was created - 4720: userMgmtEvts.Run, - // 4722 - A user account was enabled - 4722: userMgmtEvts.Run, - // 4723 - An attempt was made to change an account's password - 4723: userMgmtEvts.Run, - // 4724 - An attempt was made to reset an account's password - 4724: userMgmtEvts.Run, - // 4725 - A user account was disabled. 
- 4725: userMgmtEvts.Run, - // 4726 - An user account was deleted. - 4726: userMgmtEvts.Run, - // 4727 - A security-enabled global group was created. - 4727: groupMgmtEvts.Run, - // 4728 - A member was added to a security-enabled global group. - 4728: groupMgmtEvts.Run, - // 4729 - A member was removed from a security-enabled global group. - 4729: groupMgmtEvts.Run, - // 4730 - A security-enabled global group was deleted. - 4730: groupMgmtEvts.Run, - // 4731 - A security-enabled local group was created. - 4731: groupMgmtEvts.Run, - // 4732 - A member was added to a security-enabled local group. - 4732: groupMgmtEvts.Run, - // 4733 - A member was removed from a security-enabled local group. - 4733: groupMgmtEvts.Run, - // 4734 - A security-enabled local group was deleted. - 4734: groupMgmtEvts.Run, - // 4735 - A security-enabled local group was changed. - 4735: groupMgmtEvts.Run, - // 4737 - A security-enabled global group was changed. - 4737: groupMgmtEvts.Run, - // 4739 - A security-enabled global group was changed. - 4739: policyChange.Run, - // 4738 - An user account was changed. - 4738: userMgmtEvts.Run, - // 4740 - An account was locked out - 4740: userMgmtEvts.Run, - // 4741 - A computer account was created. - 4741: computerMgmtEvts.Run, - // 4742 - A computer account was changed. - 4742: computerMgmtEvts.Run, - // 4743 - A computer account was deleted. - 4743: computerMgmtEvts.Run, - // 4744 - A security-disabled local group was created. - 4744: groupMgmtEvts.Run, - // 4745 - A security-disabled local group was changed. - 4745: groupMgmtEvts.Run, - // 4746 - A member was added to a security-disabled local group. - 4746: groupMgmtEvts.Run, - // 4747 - A member was removed from a security-disabled local group. - 4747: groupMgmtEvts.Run, - // 4748 - A security-disabled local group was deleted. - 4748: groupMgmtEvts.Run, - // 4749 - A security-disabled global group was created. - 4749: groupMgmtEvts.Run, - // 4750 - A security-disabled global group was changed. 
- 4750: groupMgmtEvts.Run, - // 4751 - A member was added to a security-disabled global group. - 4751: groupMgmtEvts.Run, - // 4752 - A member was removed from a security-disabled global group. - 4752: groupMgmtEvts.Run, - // 4753 - A security-disabled global group was deleted. - 4753: groupMgmtEvts.Run, - // 4754 - A security-enabled universal group was created. - 4754: groupMgmtEvts.Run, - // 4755 - A security-enabled universal group was changed. - 4755: groupMgmtEvts.Run, - // 4756 - A member was added to a security-enabled universal group. - 4756: groupMgmtEvts.Run, - // 4757 - A member was removed from a security-enabled universal group. - 4757: groupMgmtEvts.Run, - // 4758 - A security-enabled universal group was deleted. - 4758: groupMgmtEvts.Run, - // 4759 - A security-disabled universal group was created. - 4759: groupMgmtEvts.Run, - // 4760 - A security-disabled universal group was changed. - 4760: groupMgmtEvts.Run, - // 4761 - A member was added to a security-disabled universal group. - 4761: groupMgmtEvts.Run, - // 4762 - A member was removed from a security-disabled universal group. - 4762: groupMgmtEvts.Run, - // 4763 - A security-disabled global group was deleted. - 4763: groupMgmtEvts.Run, - // 4764 - A group\'s type was changed. - 4764: groupMgmtEvts.Run, - // 4767 - A user account was unlocked. - 4767: userMgmtEvts.Run, - // 4768 - A Kerberos authentication ticket TGT was requested. - 4768: kerberosTktEvts.Run, - // 4769 - A Kerberos service ticket was requested. - 4769: kerberosTktEvts.Run, - // 4770 - A Kerberos service ticket was renewed. - 4770: kerberosTktEvts.Run, - // 4771 - Kerberos pre-authentication failed. - 4771: kerberosTktEvts.Run, - // 4776 - The computer attempted to validate the credentials for an account. - 4776: event4776.Run, - // 4778 - A session was reconnected to a Window Station. - 4778: sessionEvts.Run, - // 4779 - A session was disconnected from a Window Station. 
- 4779: sessionEvts.Run, - // 4781 - The name of an account was changed. - 4781: userRenamed.Run, - // 4798 - A user's local group membership was enumerated. - 4798: userMgmtEvts.Run, - // 4799 - A security-enabled local group membership was enumerated. - 4799: groupMgmtEvts.Run, - // 4817 - Auditing settings on object were changed. - 4817: objectPolicyChange.Run, - // 4902 - The Per-user audit policy table was created. - 4902: genericAuditChange.Run, - // 4904 - An attempt was made to register a security event source. - 4904: securityEventSource.Run, - // 4905 - An attempt was made to unregister a security event source. - 4905: securityEventSource.Run, - // 4906 - The CrashOnAuditFail value has changed. - 4906: genericAuditChange.Run, - // 4907 - Auditing settings on object were changed. - 4907: objectPolicyChange.Run, - // 4908 - Special Groups Logon table modified. - 4908: event4908.Run, - // 4912 - Per User Audit Policy was changed. - 4912: auditChanged.Run, - // 4964 - Special groups have been assigned to a new logon. - 4964: event4964.Run, - process: function(evt) { - var eventId = evt.Get("winlog.event_id"); - var processor = this[eventId]; - if (processor === undefined) { - return; - } - evt.Put("event.module", "security"); - processor(evt); - }, - }; - })(); - function process(evt) { - return security.process(evt); - } \ No newline at end of file diff --git a/packages/system/0.12.1/data_stream/security/agent/stream/winlog.yml.hbs b/packages/system/0.12.1/data_stream/security/agent/stream/winlog.yml.hbs deleted file mode 100755 index 7a08288aa0..0000000000 --- a/packages/system/0.12.1/data_stream/security/agent/stream/winlog.yml.hbs +++ /dev/null 
@@ -1,2537 +0,0 @@
-name: Security
-condition: ${host.platform} == 'windows'
-processors:
- - add_fields:
- target: ''
- fields:
- ecs.version: 1.9.0
- - script:
- lang: javascript
- id: security
- source: |-
- // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- // or more contributor license agreements. Licensed under the Elastic License;
- // you may not use this file except in compliance with the Elastic License.
- var security = (function () {
- var path = require("path");
- var processor = require("processor");
- var windows = require("windows");
- // Logon Types
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events
- var logonTypes = {
- "2": "Interactive",
- "3": "Network",
- "4": "Batch",
- "5": "Service",
- "7": "Unlock",
- "8": "NetworkCleartext",
- "9": "NewCredentials",
- "10": "RemoteInteractive",
- "11": "CachedInteractive",
- };
- // User Account Control Attributes Table
- // https://support.microsoft.com/es-us/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties
- var uacFlags = [
- [0x0001, 'SCRIPT'],
- [0x0002, 'ACCOUNTDISABLE'],
- [0x0008, 'HOMEDIR_REQUIRED'],
- [0x0010, 'LOCKOUT'],
- [0x0020, 'PASSWD_NOTREQD'],
- [0x0040, 'PASSWD_CANT_CHANGE'],
- [0x0080, 'ENCRYPTED_TEXT_PWD_ALLOWED'],
- [0x0100, 'TEMP_DUPLICATE_ACCOUNT'],
- [0x0200, 'NORMAL_ACCOUNT'],
- [0x0800, 'INTERDOMAIN_TRUST_ACCOUNT'],
- [0x1000, 'WORKSTATION_TRUST_ACCOUNT'],
- [0x2000, 'SERVER_TRUST_ACCOUNT'],
- [0x10000, 'DONT_EXPIRE_PASSWORD'],
- [0x20000, 'MNS_LOGON_ACCOUNT'],
- [0x40000, 'SMARTCARD_REQUIRED'],
- [0x80000, 'TRUSTED_FOR_DELEGATION'],
- [0x100000, 'NOT_DELEGATED'],
- [0x200000, 'USE_DES_KEY_ONLY'],
- [0x400000, 'DONT_REQ_PREAUTH'],
- [0x800000, 'PASSWORD_EXPIRED'],
- [0x1000000, 'TRUSTED_TO_AUTH_FOR_DELEGATION'],
- [0x04000000, 'PARTIAL_SECRETS_ACCOUNT'],
- ];
- // Kerberos TGT and TGS Ticket Options
- //
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769
- var ticketOptions = [
- "Reserved",
- "Forwardable",
- "Forwarded",
- "Proxiable",
- "Proxy",
- "Allow-postdate",
- "Postdated",
- "Invalid",
- "Renewable",
- "Initial",
- "Pre-authent",
- "Opt-hardware-auth",
- "Transited-policy-checked",
- "Ok-as-delegate",
- "Request-anonymous",
- "Name-canonicalize",
- "Unused",
- "Unused",
- "Unused",
- "Unused",
- "Unused",
- "Unused",
- "Unused",
- "Unused",
- "Unused",
- "Unused",
- "Disable-transited-check",
- "Renewable-ok",
- "Enc-tkt-in-skey",
- "Unused",
- "Renew",
- "Validate"];
- // Kerberos Encryption Types
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
- var ticketEncryptionTypes = {
- "0x1": "DES-CBC-CRC",
- "0x3": "DES-CBC-MD5",
- "0x11": "AES128-CTS-HMAC-SHA1-96",
- "0x12": "AES256-CTS-HMAC-SHA1-96",
- "0x17": "RC4-HMAC",
- "0x18": "RC4-HMAC-EXP",
- "0xffffffff": "FAIL",
- };
- // Kerberos Result Status Codes
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
- var kerberosTktStatusCodes = {
- "0x0": "KDC_ERR_NONE",
- "0x1": "KDC_ERR_NAME_EXP",
- "0x2": "KDC_ERR_SERVICE_EXP",
- "0x3": "KDC_ERR_BAD_PVNO",
- "0x4": "KDC_ERR_C_OLD_MAST_KVNO",
- "0x5": "KDC_ERR_S_OLD_MAST_KVNO",
- "0x6": "KDC_ERR_C_PRINCIPAL_UNKNOWN",
- "0x7": "KDC_ERR_S_PRINCIPAL_UNKNOWN",
- "0x8": "KDC_ERR_PRINCIPAL_NOT_UNIQUE",
- "0x9": "KDC_ERR_NULL_KEY",
- "0xA": "KDC_ERR_CANNOT_POSTDATE",
- "0xB": "KDC_ERR_NEVER_VALID",
- "0xC": "KDC_ERR_POLICY",
- "0xD": "KDC_ERR_BADOPTION",
- "0xE": "KDC_ERR_ETYPE_NOTSUPP",
- "0xF": "KDC_ERR_SUMTYPE_NOSUPP",
- "0x10": "KDC_ERR_PADATA_TYPE_NOSUPP",
- "0x11":
"KDC_ERR_TRTYPE_NO_SUPP",
- "0x12": "KDC_ERR_CLIENT_REVOKED",
- "0x13": "KDC_ERR_SERVICE_REVOKED",
- "0x14": "KDC_ERR_TGT_REVOKED",
- "0x15": "KDC_ERR_CLIENT_NOTYET",
- "0x16": "KDC_ERR_SERVICE_NOTYET",
- "0x17": "KDC_ERR_KEY_EXPIRED",
- "0x18": "KDC_ERR_PREAUTH_FAILED",
- "0x19": "KDC_ERR_PREAUTH_REQUIRED",
- "0x1A": "KDC_ERR_SERVER_NOMATCH",
- "0x1B": "KDC_ERR_MUST_USE_USER2USER",
- "0x1F": "KRB_AP_ERR_BAD_INTEGRITY",
- "0x20": "KRB_AP_ERR_TKT_EXPIRED",
- "0x21": "KRB_AP_ERR_TKT_NYV",
- "0x22": "KRB_AP_ERR_REPEAT",
- "0x23": "KRB_AP_ERR_NOT_US",
- "0x24": "KRB_AP_ERR_BADMATCH",
- "0x25": "KRB_AP_ERR_SKEW",
- "0x26": "KRB_AP_ERR_BADADDR",
- "0x27": "KRB_AP_ERR_BADVERSION",
- "0x28": "KRB_AP_ERR_MSG_TYPE",
- "0x29": "KRB_AP_ERR_MODIFIED",
- "0x2A": "KRB_AP_ERR_BADORDER",
- "0x2C": "KRB_AP_ERR_BADKEYVER",
- "0x2D": "KRB_AP_ERR_NOKEY",
- "0x2E": "KRB_AP_ERR_MUT_FAIL",
- "0x2F": "KRB_AP_ERR_BADDIRECTION",
- "0x30": "KRB_AP_ERR_METHOD",
- "0x31": "KRB_AP_ERR_BADSEQ",
- "0x32": "KRB_AP_ERR_INAPP_CKSUM",
- "0x33": "KRB_AP_PATH_NOT_ACCEPTED",
- "0x34": "KRB_ERR_RESPONSE_TOO_BIG",
- "0x3C": "KRB_ERR_GENERIC",
- "0x3D": "KRB_ERR_FIELD_TOOLONG",
- "0x3E": "KDC_ERR_CLIENT_NOT_TRUSTED",
- "0x3F": "KDC_ERR_KDC_NOT_TRUSTED",
- "0x40": "KDC_ERR_INVALID_SIG",
- "0x41": "KDC_ERR_KEY_TOO_WEAK",
- "0x42": "KRB_AP_ERR_USER_TO_USER_REQUIRED",
- "0x43": "KRB_AP_ERR_NO_TGT",
- "0x44": "KDC_ERR_WRONG_REALM",
- };
- // event.category, event.type, event.action
- var eventActionTypes = {
- "1100": [["process"], ["end"], "logging-service-shutdown"],
- "1102": [["iam"], ["admin", "change"], "audit-log-cleared"], // need to recategorize
- "1104": [["iam"], ["admin"],"logging-full"],
- "1105": [["iam"], ["admin"],"auditlog-archieved"],
- "1108": [["iam"], ["admin"],"logging-processing-error"],
- "4610": [["configuration"], ["access"], "authentication-package-loaded"],
- "4611": [["configuration"], ["change"], "trusted-logon-process-registered"],
- "4614": [["configuration"], ["access"],
"notification-package-loaded"],
- "4616": [["configuration"], ["change"], "system-time-changed"],
- "4622": [["configuration"], ["access"], "security-package-loaded"],
- "4624": [["authentication"], ["start"], "logged-in"],
- "4625": [["authentication"], ["start"], "logon-failed"],
- "4634": [["authentication"], ["end"], "logged-out"],
- "4647": [["authentication"], ["end"], "logged-out"],
- "4648": [["authentication"], ["start"], "logged-in-explicit"],
- "4657": [["registry", "configuration"], ["change"], "registry-value-modified"],
- "4670": [["iam", "configuration"],["admin", "change"],"permissions-changed"],
- "4672": [["iam"], ["admin"], "logged-in-special"],
- "4673": [["iam"], ["admin"], "privileged-service-called"],
- "4674": [["iam"], ["admin"], "privileged-operation"],
- "4688": [["process"], ["start"], "created-process"],
- "4689": [["process"], ["end"], "exited-process"],
- "4697": [["iam", "configuration"], ["admin", "change"],"service-installed"], // remove iam and admin
- "4698": [["iam", "configuration"], ["creation", "admin"], "scheduled-task-created"], // remove iam and admin
- "4699": [["iam", "configuration"], ["deletion", "admin"], "scheduled-task-deleted"], // remove iam and admin
- "4700": [["iam", "configuration"], ["change", "admin"], "scheduled-task-enabled"], // remove iam and admin
- "4701": [["iam", "configuration"], ["change", "admin"], "scheduled-task-disabled"], // remove iam and admin
- "4702": [["iam", "configuration"], ["change", "admin"], "scheduled-task-updated"], // remove iam and admin
- "4706": [["configuration"], ["creation"], "domain-trust-added"],
- "4707": [["configuration"], ["deletion"], "domain-trust-removed"],
- "4713": [["configuration"], ["change"], "kerberos-policy-changed"],
- "4714": [["configuration"], ["change"], "encrypted-data-recovery-policy-changed"],
- "4715": [["configuration"], ["change"], "object-audit-policy-changed"],
- "4716": [["configuration"], ["change"], "trusted-domain-information-changed"],
-
"4717": [["iam", "configuration"],["admin", "change"],"system-security-access-granted"],
- "4718": [["iam", "configuration"],["admin", "deletion"],"system-security-access-removed"],
- "4719": [["iam", "configuration"], ["admin", "change"], "changed-audit-config"], // remove iam and admin
- "4720": [["iam"], ["user", "creation"], "added-user-account"],
- "4722": [["iam"], ["user", "change"], "enabled-user-account"],
- "4723": [["iam"], ["user", "change"], "changed-password"],
- "4724": [["iam"], ["user", "change"], "reset-password"],
- "4725": [["iam"], ["user", "deletion"], "disabled-user-account"],
- "4726": [["iam"], ["user", "deletion"], "deleted-user-account"],
- "4727": [["iam"], ["group", "creation"], "added-group-account"],
- "4728": [["iam"], ["group", "change"], "added-member-to-group"],
- "4729": [["iam"], ["group", "change"], "removed-member-from-group"],
- "4730": [["iam"], ["group", "deletion"], "deleted-group-account"],
- "4731": [["iam"], ["group", "creation"], "added-group-account"],
- "4732": [["iam"], ["group", "change"], "added-member-to-group"],
- "4733": [["iam"], ["group", "change"], "removed-member-from-group"],
- "4734": [["iam"], ["group", "deletion"], "deleted-group-account"],
- "4735": [["iam"], ["group", "change"], "modified-group-account"],
- "4737": [["iam"], ["group", "change"], "modified-group-account"],
- "4738": [["iam"], ["user", "change"], "modified-user-account"],
- "4739": [["configuration"], ["change"], "domain-policy-changed"],
- "4740": [["iam"], ["user", "change"], "locked-out-user-account"],
- "4741": [["iam"], ["creation", "admin"], "added-computer-account"], // remove admin
- "4742": [["iam"], ["change", "admin"], "changed-computer-account"], // remove admin
- "4743": [["iam"], ["deletion", "admin"], "deleted-computer-account"], // remove admin
- "4744": [["iam"], ["group", "creation"], "added-distribution-group-account"],
- "4745": [["iam"], ["group", "change"], "changed-distribution-group-account"],
- "4746": [["iam"],
["group", "change"], "added-member-to-distribution-group"],
- "4747": [["iam"], ["group", "change"], "removed-member-from-distribution-group"],
- "4748": [["iam"], ["group", "deletion"], "deleted-distribution-group-account"],
- "4749": [["iam"], ["group", "creation"], "added-distribution-group-account"],
- "4750": [["iam"], ["group", "change"], "changed-distribution-group-account"],
- "4751": [["iam"], ["group", "change"], "added-member-to-distribution-group"],
- "4752": [["iam"], ["group", "change"], "removed-member-from-distribution-group"],
- "4753": [["iam"], ["group", "deletion"], "deleted-distribution-group-account"],
- "4754": [["iam"], ["group", "creation"], "added-group-account"],
- "4755": [["iam"], ["group", "change"], "modified-group-account"],
- "4756": [["iam"], ["group", "change"], "added-member-to-group"],
- "4757": [["iam"], ["group", "change"], "removed-member-from-group"],
- "4758": [["iam"], ["group", "deletion"], "deleted-group-account"],
- "4759": [["iam"], ["group", "creation"], "added-distribution-group-account"],
- "4760": [["iam"], ["group", "change"], "changed-distribution-group-account"],
- "4761": [["iam"], ["group", "change"], "added-member-to-distribution-group"],
- "4762": [["iam"], ["group", "change"], "removed-member-from-distribution-group"],
- "4763": [["iam"], ["group", "deletion"], "deleted-distribution-group-account"],
- "4764": [["iam"], ["group", "change"], "type-changed-group-account"],
- "4767": [["iam"], ["user", "change"], "unlocked-user-account"],
- "4768": [["authentication"], ["start"], "kerberos-authentication-ticket-requested"],
- "4769": [["authentication"], ["start"], "kerberos-service-ticket-requested"],
- "4770": [["authentication"], ["start"], "kerberos-service-ticket-renewed"],
- "4771": [["authentication"], ["start"], "kerberos-preauth-failed"],
- "4776": [["authentication"], ["start"], "credential-validated"],
- "4778": [["authentication", "session"], ["start"], "session-reconnected"],
- "4779":
[["authentication", "session"], ["end"], "session-disconnected"],
- "4781": [["iam"], ["user", "change"], "renamed-user-account"],
- "4798": [["iam"], ["user", "info"], "group-membership-enumerated"], // process enumerates the local groups to which the specified user belongs
- "4799": [["iam"], ["group", "info"], "user-member-enumerated"], // a process enumerates the members of the specified local group
- "4817": [["iam", "configuration"], ["admin", "change"],"object-audit-changed"],
- "4902": [["iam", "configuration"], ["admin", "creation"],"user-audit-policy-created"],
- "4904": [["iam", "configuration"], ["admin", "change"],"security-event-source-added"],
- "4905": [["iam", "configuration"], ["admin", "deletion"], "security-event-source-removed"],
- "4906": [["iam", "configuration"], ["admin", "change"], "crash-on-audit-changed"],
- "4907": [["iam", "configuration"], ["admin", "change"], "audit-setting-changed"],
- "4908": [["iam", "configuration"], ["admin", "change"], "special-group-table-changed"],
- "4912": [["iam", "configuration"], ["admin", "change"], "per-user-audit-policy-changed"],
- "4950": [["configuration"], ["change"], "windows-firewall-setting-changed"],
- "4954": [["configuration"], ["change"], "windows-firewall-group-policy-changed"],
- "4964": [["iam"], ["admin", "group"], "logged-in-special"],
- "5024": [["process"], ["start"], "windows-firewall-service-started"],
- "5025": [["process"], ["end"], "windows-firewall-service-stopped"],
- "5033": [["driver"], ["start"], "windows-firewall-driver-started"],
- "5034": [["driver"], ["end"], "windows-firewall-driver-stopped"],
- "5037": [["driver"], ["end"], "windows-firewall-driver-error"],
- };
- // Services Types
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697
- var serviceTypes = {
- "0x1": "Kernel Driver",
- "0x2": "File System Driver",
- "0x8": "Recognizer Driver",
- "0x10": "Win32 Own Process",
- "0x20": "Win32 Share Process",
- "0x110": "Interactive
Own Process",
- "0x120": "Interactive Share Process",
- };
- // Audit Categories Description
- // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpac/77878370-0712-47cd-997d-b07053429f6d
- var auditDescription = {
- "0CCE9210-69AE-11D9-BED3-505054503030":["Security State Change", "System"],
- "0CCE9211-69AE-11D9-BED3-505054503030":["Security System Extension", "System"],
- "0CCE9212-69AE-11D9-BED3-505054503030":["System Integrity", "System"],
- "0CCE9213-69AE-11D9-BED3-505054503030":["IPsec Driver", "System"],
- "0CCE9214-69AE-11D9-BED3-505054503030":["Other System Events", "System"],
- "0CCE9215-69AE-11D9-BED3-505054503030":["Logon", "Logon/Logoff"],
- "0CCE9216-69AE-11D9-BED3-505054503030":["Logoff","Logon/Logoff"],
- "0CCE9217-69AE-11D9-BED3-505054503030":["Account Lockout","Logon/Logoff"],
- "0CCE9218-69AE-11D9-BED3-505054503030":["IPsec Main Mode","Logon/Logoff"],
- "0CCE9219-69AE-11D9-BED3-505054503030":["IPsec Quick Mode","Logon/Logoff"],
- "0CCE921A-69AE-11D9-BED3-505054503030":["IPsec Extended Mode","Logon/Logoff"],
- "0CCE921B-69AE-11D9-BED3-505054503030":["Special Logon","Logon/Logoff"],
- "0CCE921C-69AE-11D9-BED3-505054503030":["Other Logon/Logoff Events","Logon/Logoff"],
- "0CCE9243-69AE-11D9-BED3-505054503030":["Network Policy Server","Logon/Logoff"],
- "0CCE9247-69AE-11D9-BED3-505054503030":["User / Device Claims","Logon/Logoff"],
- "0CCE921D-69AE-11D9-BED3-505054503030":["File System","Object Access"],
- "0CCE921E-69AE-11D9-BED3-505054503030":["Registry","Object Access"],
- "0CCE921F-69AE-11D9-BED3-505054503030":["Kernel Object","Object Access"],
- "0CCE9220-69AE-11D9-BED3-505054503030":["SAM","Object Access"],
- "0CCE9221-69AE-11D9-BED3-505054503030":["Certification Services","Object Access"],
- "0CCE9222-69AE-11D9-BED3-505054503030":["Application Generated","Object Access"],
- "0CCE9223-69AE-11D9-BED3-505054503030":["Handle Manipulation","Object Access"],
- "0CCE9224-69AE-11D9-BED3-505054503030":["File Share","Object Access"],
-
"0CCE9225-69AE-11D9-BED3-505054503030":["Filtering Platform Packet Drop","Object Access"],
- "0CCE9226-69AE-11D9-BED3-505054503030":["Filtering Platform Connection ","Object Access"],
- "0CCE9227-69AE-11D9-BED3-505054503030":["Other Object Access Events","Object Access"],
- "0CCE9244-69AE-11D9-BED3-505054503030":["Detailed File Share","Object Access"],
- "0CCE9245-69AE-11D9-BED3-505054503030":["Removable Storage","Object Access"],
- "0CCE9246-69AE-11D9-BED3-505054503030":["Central Policy Staging","Object Access"],
- "0CCE9228-69AE-11D9-BED3-505054503030":["Sensitive Privilege Use","Privilege Use"],
- "0CCE9229-69AE-11D9-BED3-505054503030":["Non Sensitive Privilege Use","Privilege Use"],
- "0CCE922A-69AE-11D9-BED3-505054503030":["Other Privilege Use Events","Privilege Use"],
- "0CCE922B-69AE-11D9-BED3-505054503030":["Process Creation","Detailed Tracking"],
- "0CCE922C-69AE-11D9-BED3-505054503030":["Process Termination","Detailed Tracking"],
- "0CCE922D-69AE-11D9-BED3-505054503030":["DPAPI Activity","Detailed Tracking"],
- "0CCE922E-69AE-11D9-BED3-505054503030":["RPC Events","Detailed Tracking"],
- "0CCE9248-69AE-11D9-BED3-505054503030":["Plug and Play Events","Detailed Tracking"],
- "0CCE922F-69AE-11D9-BED3-505054503030":["Audit Policy Change","Policy Change"],
- "0CCE9230-69AE-11D9-BED3-505054503030":["Authentication Policy Change","Policy Change"],
- "0CCE9231-69AE-11D9-BED3-505054503030":["Authorization Policy Change","Policy Change"],
- "0CCE9232-69AE-11D9-BED3-505054503030":["MPSSVC Rule-Level Policy Change","Policy Change"],
- "0CCE9233-69AE-11D9-BED3-505054503030":["Filtering Platform Policy Change","Policy Change"],
- "0CCE9234-69AE-11D9-BED3-505054503030":["Other Policy Change Events","Policy Change"],
- "0CCE9235-69AE-11D9-BED3-505054503030":["User Account Management","Account Management"],
- "0CCE9236-69AE-11D9-BED3-505054503030":["Computer Account Management","Account Management"],
- "0CCE9237-69AE-11D9-BED3-505054503030":["Security Group
Management","Account Management"],
- "0CCE9238-69AE-11D9-BED3-505054503030":["Distribution Group Management","Account Management"],
- "0CCE9239-69AE-11D9-BED3-505054503030":["Application Group Management","Account Management"],
- "0CCE923A-69AE-11D9-BED3-505054503030":["Other Account Management Events","Account Management"],
- "0CCE923B-69AE-11D9-BED3-505054503030":["Directory Service Access","Account Management"],
- "0CCE923C-69AE-11D9-BED3-505054503030":["Directory Service Changes","Account Management"],
- "0CCE923D-69AE-11D9-BED3-505054503030":["Directory Service Replication","Account Management"],
- "0CCE923E-69AE-11D9-BED3-505054503030":["Detailed Directory Service Replication","Account Management"],
- "0CCE923F-69AE-11D9-BED3-505054503030":["Credential Validation","Account Logon"],
- "0CCE9240-69AE-11D9-BED3-505054503030":["Kerberos Service Ticket Operations","Account Logon"],
- "0CCE9241-69AE-11D9-BED3-505054503030":["Other Account Logon Events","Account Logon"],
- "0CCE9242-69AE-11D9-BED3-505054503030":["Kerberos Authentication Service","Account Logon"],
- };
- // Descriptions of failure status codes.
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776
- var logonFailureStatus = {
- "0xc000005e": "There are currently no logon servers available to service the logon request.",
- "0xc0000064": "User logon with misspelled or bad user account",
- "0xc000006a": "User logon with misspelled or bad password",
- "0xc000006d": "This is either due to a bad username or authentication information",
- "0xc000006e": "Unknown user name or bad password.",
- "0xc000006f": "User logon outside authorized hours",
- "0xc0000070": "User logon from unauthorized workstation",
- "0xc0000071": "User logon with expired password",
- "0xc0000072": "User logon to account disabled by administrator",
- "0xc00000dc": "Indicates the Sam Server was in the wrong state to perform the desired operation.",
- "0xc0000133": "Clocks between DC and other computer too far out of sync",
- "0xc000015b": "The user has not been granted the requested logon type (aka logon right) at this machine",
- "0xc000018c": "The logon request failed because the trust relationship between the primary domain and the trusted domain failed.",
- "0xc0000192": "An attempt was made to logon, but the Netlogon service was not started.",
- "0xc0000193": "User logon with expired account",
- "0xc0000224": "User is required to change password at next logon",
- "0xc0000225": "Evidently a bug in Windows and not a risk",
- "0xc0000234": "User logon with account locked",
- "0xc00002ee": "Failure Reason: An Error occurred during Logon",
- "0xc0000413": "Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine.",
- "0xc0000371": "The local account store does not contain secret material for the specified account",
- "0x0": "Status OK.",
- };
- // Message table extracted from msobjs.dll on Windows 2019.
- // https://gist.github.com/andrewkroh/665dca0682bd0e4daf194ab291694012
- var msobjsMessageTable = {
- "279": "Undefined Access (no effect) Bit 7",
- "1536": "Unused message ID",
- "1537": "DELETE",
- "1538": "READ_CONTROL",
- "1539": "WRITE_DAC",
- "1540": "WRITE_OWNER",
- "1541": "SYNCHRONIZE",
- "1542": "ACCESS_SYS_SEC",
- "1543": "MAX_ALLOWED",
- "1552": "Unknown specific access (bit 0)",
- "1553": "Unknown specific access (bit 1)",
- "1554": "Unknown specific access (bit 2)",
- "1555": "Unknown specific access (bit 3)",
- "1556": "Unknown specific access (bit 4)",
- "1557": "Unknown specific access (bit 5)",
- "1558": "Unknown specific access (bit 6)",
- "1559": "Unknown specific access (bit 7)",
- "1560": "Unknown specific access (bit 8)",
- "1561": "Unknown specific access (bit 9)",
- "1562": "Unknown specific access (bit 10)",
- "1563": "Unknown specific access (bit 11)",
- "1564": "Unknown specific access (bit 12)",
- "1565": "Unknown specific access (bit 13)",
- "1566": "Unknown specific access (bit 14)",
- "1567": "Unknown specific access (bit 15)",
- "1601": "Not used",
- "1603": "Assign Primary Token Privilege",
- "1604": "Lock Memory Privilege",
- "1605": "Increase Memory Quota Privilege",
- "1606": "Unsolicited Input Privilege",
- "1607": "Trusted Computer Base Privilege",
- "1608": "Security Privilege",
- "1609": "Take Ownership Privilege",
- "1610": "Load/Unload Driver Privilege",
- "1611": "Profile System Privilege",
- "1612": "Set System Time Privilege",
- "1613": "Profile Single Process Privilege",
- "1614": "Increment Base Priority Privilege",
- "1615": "Create Pagefile Privilege",
- "1616": "Create Permanent Object Privilege",
- "1617": "Backup Privilege",
- "1618": "Restore From Backup Privilege",
- "1619": "Shutdown System Privilege",
- "1620": "Debug Privilege",
- "1621": "View or Change Audit Log Privilege",
- "1622": "Change Hardware Environment Privilege",
- "1623": "Change Notify (and Traverse) Privilege",
- "1624": "Remotely Shut
System Down Privilege",
- "1792": "",
- "1794": "",
- "1795": "Enabled",
- "1796": "Disabled",
- "1797": "All",
- "1798": "None",
- "1799": "Audit Policy query/set API Operation",
- "1800": "",
- "1801": "Granted by",
- "1802": "Denied by",
- "1803": "Denied by Integrity Policy check",
- "1804": "Granted by Ownership",
- "1805": "Not granted",
- "1806": "Granted by NULL DACL",
- "1807": "Denied by Empty DACL",
- "1808": "Granted by NULL Security Descriptor",
- "1809": "Unknown or unchecked",
- "1810": "Not granted due to missing",
- "1811": "Granted by ACE on parent folder",
- "1812": "Denied by ACE on parent folder",
- "1813": "Granted by Central Access Rule",
- "1814": "NOT Granted by Central Access Rule",
- "1815": "Granted by parent folder's Central Access Rule",
- "1816": "NOT Granted by parent folder's Central Access Rule",
- "1817": "Unknown Type",
- "1818": "String",
- "1819": "Unsigned 64-bit Integer",
- "1820": "64-bit Integer",
- "1821": "FQBN",
- "1822": "Blob",
- "1823": "Sid",
- "1824": "Boolean",
- "1825": "TRUE",
- "1826": "FALSE",
- "1827": "Invalid",
- "1828": "an ACE too long to display",
- "1829": "a Security Descriptor too long to display",
- "1830": "Not granted to AppContainers",
- "1831": "...",
- "1832": "Identification",
- "1833": "Impersonation",
- "1840": "Delegation",
- "1841": "Denied by Process Trust Label ACE",
- "1842": "Yes",
- "1843": "No",
- "1844": "System",
- "1845": "Not Available",
- "1846": "Default",
- "1847": "DisallowMmConfig",
- "1848": "Off",
- "1849": "Auto",
- "1872": "REG_NONE",
- "1873": "REG_SZ",
- "1874": "REG_EXPAND_SZ",
- "1875": "REG_BINARY",
- "1876": "REG_DWORD",
- "1877": "REG_DWORD_BIG_ENDIAN",
- "1878": "REG_LINK",
- "1879": "REG_MULTI_SZ (New lines are replaced with *.
A * is replaced with **)",
- "1880": "REG_RESOURCE_LIST",
- "1881": "REG_FULL_RESOURCE_DESCRIPTOR",
- "1882": "REG_RESOURCE_REQUIREMENTS_LIST",
- "1883": "REG_QWORD",
- "1904": "New registry value created",
- "1905": "Existing registry value modified",
- "1906": "Registry value deleted",
- "1920": "Sunday",
- "1921": "Monday",
- "1922": "Tuesday",
- "1923": "Wednesday",
- "1924": "Thursday",
- "1925": "Friday",
- "1926": "Saturday",
- "1936": "TokenElevationTypeDefault (1)",
- "1937": "TokenElevationTypeFull (2)",
- "1938": "TokenElevationTypeLimited (3)",
- "2048": "Account Enabled",
- "2049": "Home Directory Required' - Disabled",
- "2050": "Password Not Required' - Disabled",
- "2051": "Temp Duplicate Account' - Disabled",
- "2052": "Normal Account' - Disabled",
- "2053": "MNS Logon Account' - Disabled",
- "2054": "Interdomain Trust Account' - Disabled",
- "2055": "Workstation Trust Account' - Disabled",
- "2056": "Server Trust Account' - Disabled",
- "2057": "Don't Expire Password' - Disabled",
- "2058": "Account Unlocked",
- "2059": "Encrypted Text Password Allowed' - Disabled",
- "2060": "Smartcard Required' - Disabled",
- "2061": "Trusted For Delegation' - Disabled",
- "2062": "Not Delegated' - Disabled",
- "2063": "Use DES Key Only' - Disabled",
- "2064": "Don't Require Preauth' - Disabled",
- "2065": "Password Expired' - Disabled",
- "2066": "Trusted To Authenticate For Delegation' - Disabled",
- "2067": "Exclude Authorization Information' - Disabled",
- "2068": "Undefined UserAccountControl Bit 20' - Disabled",
- "2069": "Protect Kerberos Service Tickets with AES Keys' - Disabled",
- "2070": "Undefined UserAccountControl Bit 22' - Disabled",
- "2071": "Undefined UserAccountControl Bit 23' - Disabled",
- "2072": "Undefined UserAccountControl Bit 24' - Disabled",
- "2073": "Undefined UserAccountControl Bit 25' - Disabled",
- "2074": "Undefined UserAccountControl Bit 26' - Disabled",
- "2075": "Undefined UserAccountControl Bit 27' - Disabled",
- "2076":
"Undefined UserAccountControl Bit 28' - Disabled",
- "2077": "Undefined UserAccountControl Bit 29' - Disabled",
- "2078": "Undefined UserAccountControl Bit 30' - Disabled",
- "2079": "Undefined UserAccountControl Bit 31' - Disabled",
- "2080": "Account Disabled",
- "2081": "Home Directory Required' - Enabled",
- "2082": "Password Not Required' - Enabled",
- "2083": "Temp Duplicate Account' - Enabled",
- "2084": "Normal Account' - Enabled",
- "2085": "MNS Logon Account' - Enabled",
- "2086": "Interdomain Trust Account' - Enabled",
- "2087": "Workstation Trust Account' - Enabled",
- "2088": "Server Trust Account' - Enabled",
- "2089": "Don't Expire Password' - Enabled",
- "2090": "Account Locked",
- "2091": "Encrypted Text Password Allowed' - Enabled",
- "2092": "Smartcard Required' - Enabled",
- "2093": "Trusted For Delegation' - Enabled",
- "2094": "Not Delegated' - Enabled",
- "2095": "Use DES Key Only' - Enabled",
- "2096": "Don't Require Preauth' - Enabled",
- "2097": "Password Expired' - Enabled",
- "2098": "Trusted To Authenticate For Delegation' - Enabled",
- "2099": "Exclude Authorization Information' - Enabled",
- "2100": "Undefined UserAccountControl Bit 20' - Enabled",
- "2101": "Protect Kerberos Service Tickets with AES Keys' - Enabled",
- "2102": "Undefined UserAccountControl Bit 22' - Enabled",
- "2103": "Undefined UserAccountControl Bit 23' - Enabled",
- "2104": "Undefined UserAccountControl Bit 24' - Enabled",
- "2105": "Undefined UserAccountControl Bit 25' - Enabled",
- "2106": "Undefined UserAccountControl Bit 26' - Enabled",
- "2107": "Undefined UserAccountControl Bit 27' - Enabled",
- "2108": "Undefined UserAccountControl Bit 28' - Enabled",
- "2109": "Undefined UserAccountControl Bit 29' - Enabled",
- "2110": "Undefined UserAccountControl Bit 30' - Enabled",
- "2111": "Undefined UserAccountControl Bit 31' - Enabled",
- "2304": "An Error occured during Logon.",
- "2305": "The specified user account has expired.",
- "2306": "The NetLogon component
is not active.",
- "2307": "Account locked out.",
- "2308": "The user has not been granted the requested logon type at this machine.",
- "2309": "The specified account's password has expired.",
- "2310": "Account currently disabled.",
- "2311": "Account logon time restriction violation.",
- "2312": "User not allowed to logon at this computer.",
- "2313": "Unknown user name or bad password.",
- "2314": "Domain sid inconsistent.",
- "2315": "Smartcard logon is required and was not used.",
- "2432": "Not Available.",
- "2436": "Random number generator failure.",
- "2437": "Random number generation failed FIPS-140 pre-hash check.",
- "2438": "Failed to zero secret data.",
- "2439": "Key failed pair wise consistency check.",
- "2448": "Failed to unprotect persistent cryptographic key.",
- "2449": "Key export checks failed.",
- "2450": "Validation of public key failed.",
- "2451": "Signature verification failed.",
- "2456": "Open key file.",
- "2457": "Delete key file.",
- "2458": "Read persisted key from file.",
- "2459": "Write persisted key to file.",
- "2464": "Export of persistent cryptographic key.",
- "2465": "Import of persistent cryptographic key.",
- "2480": "Open Key.",
- "2481": "Create Key.",
- "2482": "Delete Key.",
- "2483": "Encrypt.",
- "2484": "Decrypt.",
- "2485": "Sign hash.",
- "2486": "Secret agreement.",
- "2487": "Domain settings",
- "2488": "Local settings",
- "2489": "Add provider.",
- "2490": "Remove provider.",
- "2491": "Add context.",
- "2492": "Remove context.",
- "2493": "Add function.",
- "2494": "Remove function.",
- "2495": "Add function provider.",
- "2496": "Remove function provider.",
- "2497": "Add function property.",
- "2498": "Remove function property.",
- "2499": "Machine key.",
- "2500": "User key.",
- "2501": "Key Derivation.",
- "4352": "Device Access Bit 0",
- "4353": "Device Access Bit 1",
- "4354": "Device Access Bit 2",
- "4355": "Device Access Bit 3",
- "4356": "Device Access Bit 4",
- "4357": "Device Access Bit 5",
-
"4358": "Device Access Bit 6",
- "4359": "Device Access Bit 7",
- "4360": "Device Access Bit 8",
- "4361": "Undefined Access (no effect) Bit 9",
- "4362": "Undefined Access (no effect) Bit 10",
- "4363": "Undefined Access (no effect) Bit 11",
- "4364": "Undefined Access (no effect) Bit 12",
- "4365": "Undefined Access (no effect) Bit 13",
- "4366": "Undefined Access (no effect) Bit 14",
- "4367": "Undefined Access (no effect) Bit 15",
- "4368": "Query directory",
- "4369": "Traverse",
- "4370": "Create object in directory",
- "4371": "Create sub-directory",
- "4372": "Undefined Access (no effect) Bit 4",
- "4373": "Undefined Access (no effect) Bit 5",
- "4374": "Undefined Access (no effect) Bit 6",
- "4375": "Undefined Access (no effect) Bit 7",
- "4376": "Undefined Access (no effect) Bit 8",
- "4377": "Undefined Access (no effect) Bit 9",
- "4378": "Undefined Access (no effect) Bit 10",
- "4379": "Undefined Access (no effect) Bit 11",
- "4380": "Undefined Access (no effect) Bit 12",
- "4381": "Undefined Access (no effect) Bit 13",
- "4382": "Undefined Access (no effect) Bit 14",
- "4383": "Undefined Access (no effect) Bit 15",
- "4384": "Query event state",
- "4385": "Modify event state",
- "4386": "Undefined Access (no effect) Bit 2",
- "4387": "Undefined Access (no effect) Bit 3",
- "4388": "Undefined Access (no effect) Bit 4",
- "4389": "Undefined Access (no effect) Bit 5",
- "4390": "Undefined Access (no effect) Bit 6",
- "4391": "Undefined Access (no effect) Bit 7",
- "4392": "Undefined Access (no effect) Bit 8",
- "4393": "Undefined Access (no effect) Bit 9",
- "4394": "Undefined Access (no effect) Bit 10",
- "4395": "Undefined Access (no effect) Bit 11",
- "4396": "Undefined Access (no effect) Bit 12",
- "4397": "Undefined Access (no effect) Bit 13",
- "4398": "Undefined Access (no effect) Bit 14",
- "4399": "Undefined Access (no effect) Bit 15",
- "4416": "ReadData (or ListDirectory)",
- "4417": "WriteData (or AddFile)",
- "4418": "AppendData (or
AddSubdirectory or CreatePipeInstance)", - "4419": "ReadEA", - "4420": "WriteEA", - "4421": "Execute/Traverse", - "4422": "DeleteChild", - "4423": "ReadAttributes", - "4424": "WriteAttributes", - "4425": "Undefined Access (no effect) Bit 9", - "4426": "Undefined Access (no effect) Bit 10", - "4427": "Undefined Access (no effect) Bit 11", - "4428": "Undefined Access (no effect) Bit 12", - "4429": "Undefined Access (no effect) Bit 13", - "4430": "Undefined Access (no effect) Bit 14", - "4431": "Undefined Access (no effect) Bit 15", - "4432": "Query key value", - "4433": "Set key value", - "4434": "Create sub-key", - "4435": "Enumerate sub-keys", - "4436": "Notify about changes to keys", - "4437": "Create Link", - "4438": "Undefined Access (no effect) Bit 6", - "4439": "Undefined Access (no effect) Bit 7", - "4440": "Enable 64(or 32) bit application to open 64 bit key", - "4441": "Enable 64(or 32) bit application to open 32 bit key", - "4442": "Undefined Access (no effect) Bit 10", - "4443": "Undefined Access (no effect) Bit 11", - "4444": "Undefined Access (no effect) Bit 12", - "4445": "Undefined Access (no effect) Bit 13", - "4446": "Undefined Access (no effect) Bit 14", - "4447": "Undefined Access (no effect) Bit 15", - "4448": "Query mutant state", - "4449": "Undefined Access (no effect) Bit 1", - "4450": "Undefined Access (no effect) Bit 2", - "4451": "Undefined Access (no effect) Bit 3", - "4452": "Undefined Access (no effect) Bit 4", - "4453": "Undefined Access (no effect) Bit 5", - "4454": "Undefined Access (no effect) Bit 6", - "4455": "Undefined Access (no effect) Bit 7", - "4456": "Undefined Access (no effect) Bit 8", - "4457": "Undefined Access (no effect) Bit 9", - "4458": "Undefined Access (no effect) Bit 10", - "4459": "Undefined Access (no effect) Bit 11", - "4460": "Undefined Access (no effect) Bit 12", - "4461": "Undefined Access (no effect) Bit 13", - "4462": "Undefined Access (no effect) Bit 14", - "4463": "Undefined Access (no effect) Bit 15", - 
"4464": "Communicate using port", - "4465": "Undefined Access (no effect) Bit 1", - "4466": "Undefined Access (no effect) Bit 2", - "4467": "Undefined Access (no effect) Bit 3", - "4468": "Undefined Access (no effect) Bit 4", - "4469": "Undefined Access (no effect) Bit 5", - "4470": "Undefined Access (no effect) Bit 6", - "4471": "Undefined Access (no effect) Bit 7", - "4472": "Undefined Access (no effect) Bit 8", - "4473": "Undefined Access (no effect) Bit 9", - "4474": "Undefined Access (no effect) Bit 10", - "4475": "Undefined Access (no effect) Bit 11", - "4476": "Undefined Access (no effect) Bit 12", - "4477": "Undefined Access (no effect) Bit 13", - "4478": "Undefined Access (no effect) Bit 14", - "4479": "Undefined Access (no effect) Bit 15", - "4480": "Force process termination", - "4481": "Create new thread in process", - "4482": "Set process session ID", - "4483": "Perform virtual memory operation", - "4484": "Read from process memory", - "4485": "Write to process memory", - "4486": "Duplicate handle into or out of process", - "4487": "Create a subprocess of process", - "4488": "Set process quotas", - "4489": "Set process information", - "4490": "Query process information", - "4491": "Set process termination port", - "4492": "Undefined Access (no effect) Bit 12", - "4493": "Undefined Access (no effect) Bit 13", - "4494": "Undefined Access (no effect) Bit 14", - "4495": "Undefined Access (no effect) Bit 15", - "4496": "Control profile", - "4497": "Undefined Access (no effect) Bit 1", - "4498": "Undefined Access (no effect) Bit 2", - "4499": "Undefined Access (no effect) Bit 3", - "4500": "Undefined Access (no effect) Bit 4", - "4501": "Undefined Access (no effect) Bit 5", - "4502": "Undefined Access (no effect) Bit 6", - "4503": "Undefined Access (no effect) Bit 7", - "4504": "Undefined Access (no effect) Bit 8", - "4505": "Undefined Access (no effect) Bit 9", - "4506": "Undefined Access (no effect) Bit 10", - "4507": "Undefined Access (no effect) Bit 11", 
- "4508": "Undefined Access (no effect) Bit 12", - "4509": "Undefined Access (no effect) Bit 13", - "4510": "Undefined Access (no effect) Bit 14", - "4511": "Undefined Access (no effect) Bit 15", - "4512": "Query section state", - "4513": "Map section for write", - "4514": "Map section for read", - "4515": "Map section for execute", - "4516": "Extend size", - "4517": "Undefined Access (no effect) Bit 5", - "4518": "Undefined Access (no effect) Bit 6", - "4519": "Undefined Access (no effect) Bit 7", - "4520": "Undefined Access (no effect) Bit 8", - "4521": "Undefined Access (no effect) Bit 9", - "4522": "Undefined Access (no effect) Bit 10", - "4523": "Undefined Access (no effect) Bit 11", - "4524": "Undefined Access (no effect) Bit 12", - "4525": "Undefined Access (no effect) Bit 13", - "4526": "Undefined Access (no effect) Bit 14", - "4527": "Undefined Access (no effect) Bit 15", - "4528": "Query semaphore state", - "4529": "Modify semaphore state", - "4530": "Undefined Access (no effect) Bit 2", - "4531": "Undefined Access (no effect) Bit 3", - "4532": "Undefined Access (no effect) Bit 4", - "4533": "Undefined Access (no effect) Bit 5", - "4534": "Undefined Access (no effect) Bit 6", - "4535": "Undefined Access (no effect) Bit 7", - "4536": "Undefined Access (no effect) Bit 8", - "4537": "Undefined Access (no effect) Bit 9", - "4538": "Undefined Access (no effect) Bit 10", - "4539": "Undefined Access (no effect) Bit 11", - "4540": "Undefined Access (no effect) Bit 12", - "4541": "Undefined Access (no effect) Bit 13", - "4542": "Undefined Access (no effect) Bit 14", - "4543": "Undefined Access (no effect) Bit 15", - "4544": "Use symbolic link", - "4545": "Undefined Access (no effect) Bit 1", - "4546": "Undefined Access (no effect) Bit 2", - "4547": "Undefined Access (no effect) Bit 3", - "4548": "Undefined Access (no effect) Bit 4", - "4549": "Undefined Access (no effect) Bit 5", - "4550": "Undefined Access (no effect) Bit 6", - "4551": "Undefined Access (no 
effect) Bit 7", - "4552": "Undefined Access (no effect) Bit 8", - "4553": "Undefined Access (no effect) Bit 9", - "4554": "Undefined Access (no effect) Bit 10", - "4555": "Undefined Access (no effect) Bit 11", - "4556": "Undefined Access (no effect) Bit 12", - "4557": "Undefined Access (no effect) Bit 13", - "4558": "Undefined Access (no effect) Bit 14", - "4559": "Undefined Access (no effect) Bit 15", - "4560": "Force thread termination", - "4561": "Suspend or resume thread", - "4562": "Send an alert to thread", - "4563": "Get thread context", - "4564": "Set thread context", - "4565": "Set thread information", - "4566": "Query thread information", - "4567": "Assign a token to the thread", - "4568": "Cause thread to directly impersonate another thread", - "4569": "Directly impersonate this thread", - "4570": "Undefined Access (no effect) Bit 10", - "4571": "Undefined Access (no effect) Bit 11", - "4572": "Undefined Access (no effect) Bit 12", - "4573": "Undefined Access (no effect) Bit 13", - "4574": "Undefined Access (no effect) Bit 14", - "4575": "Undefined Access (no effect) Bit 15", - "4576": "Query timer state", - "4577": "Modify timer state", - "4578": "Undefined Access (no effect) Bit 2", - "4579": "Undefined Access (no effect) Bit 3", - "4580": "Undefined Access (no effect) Bit 4", - "4581": "Undefined Access (no effect) Bit 5", - "4582": "Undefined Access (no effect) Bit 6", - "4584": "Undefined Access (no effect) Bit 8", - "4585": "Undefined Access (no effect) Bit 9", - "4586": "Undefined Access (no effect) Bit 10", - "4587": "Undefined Access (no effect) Bit 11", - "4588": "Undefined Access (no effect) Bit 12", - "4589": "Undefined Access (no effect) Bit 13", - "4590": "Undefined Access (no effect) Bit 14", - "4591": "Undefined Access (no effect) Bit 15", - "4592": "AssignAsPrimary", - "4593": "Duplicate", - "4594": "Impersonate", - "4595": "Query", - "4596": "QuerySource", - "4597": "AdjustPrivileges", - "4598": "AdjustGroups", - "4599": 
"AdjustDefaultDacl", - "4600": "AdjustSessionID", - "4601": "Undefined Access (no effect) Bit 9", - "4602": "Undefined Access (no effect) Bit 10", - "4603": "Undefined Access (no effect) Bit 11", - "4604": "Undefined Access (no effect) Bit 12", - "4605": "Undefined Access (no effect) Bit 13", - "4606": "Undefined Access (no effect) Bit 14", - "4607": "Undefined Access (no effect) Bit 15", - "4608": "Create instance of object type", - "4609": "Undefined Access (no effect) Bit 1", - "4610": "Undefined Access (no effect) Bit 2", - "4611": "Undefined Access (no effect) Bit 3", - "4612": "Undefined Access (no effect) Bit 4", - "4613": "Undefined Access (no effect) Bit 5", - "4614": "Undefined Access (no effect) Bit 6", - "4615": "Undefined Access (no effect) Bit 7", - "4616": "Undefined Access (no effect) Bit 8", - "4617": "Undefined Access (no effect) Bit 9", - "4618": "Undefined Access (no effect) Bit 10", - "4619": "Undefined Access (no effect) Bit 11", - "4620": "Undefined Access (no effect) Bit 12", - "4621": "Undefined Access (no effect) Bit 13", - "4622": "Undefined Access (no effect) Bit 14", - "4623": "Undefined Access (no effect) Bit 15", - "4864": "Query State", - "4865": "Modify State", - "5120": "Channel read message", - "5121": "Channel write message", - "5122": "Channel query information", - "5123": "Channel set information", - "5124": "Undefined Access (no effect) Bit 4", - "5125": "Undefined Access (no effect) Bit 5", - "5126": "Undefined Access (no effect) Bit 6", - "5127": "Undefined Access (no effect) Bit 7", - "5128": "Undefined Access (no effect) Bit 8", - "5129": "Undefined Access (no effect) Bit 9", - "5130": "Undefined Access (no effect) Bit 10", - "5131": "Undefined Access (no effect) Bit 11", - "5132": "Undefined Access (no effect) Bit 12", - "5133": "Undefined Access (no effect) Bit 13", - "5134": "Undefined Access (no effect) Bit 14", - "5135": "Undefined Access (no effect) Bit 15", - "5136": "Assign process", - "5137": "Set Attributes", - 
"5138": "Query Attributes", - "5139": "Terminate Job", - "5140": "Set Security Attributes", - "5141": "Undefined Access (no effect) Bit 5", - "5142": "Undefined Access (no effect) Bit 6", - "5143": "Undefined Access (no effect) Bit 7", - "5144": "Undefined Access (no effect) Bit 8", - "5145": "Undefined Access (no effect) Bit 9", - "5146": "Undefined Access (no effect) Bit 10", - "5147": "Undefined Access (no effect) Bit 11", - "5148": "Undefined Access (no effect) Bit 12", - "5149": "Undefined Access (no effect) Bit 13", - "5150": "Undefined Access (no effect) Bit 14", - "5151": "Undefined Access (no effect) Bit 15", - "5376": "ConnectToServer", - "5377": "ShutdownServer", - "5378": "InitializeServer", - "5379": "CreateDomain", - "5380": "EnumerateDomains", - "5381": "LookupDomain", - "5382": "Undefined Access (no effect) Bit 6", - "5383": "Undefined Access (no effect) Bit 7", - "5384": "Undefined Access (no effect) Bit 8", - "5385": "Undefined Access (no effect) Bit 9", - "5386": "Undefined Access (no effect) Bit 10", - "5387": "Undefined Access (no effect) Bit 11", - "5388": "Undefined Access (no effect) Bit 12", - "5389": "Undefined Access (no effect) Bit 13", - "5390": "Undefined Access (no effect) Bit 14", - "5391": "Undefined Access (no effect) Bit 15", - "5392": "ReadPasswordParameters", - "5393": "WritePasswordParameters", - "5394": "ReadOtherParameters", - "5395": "WriteOtherParameters", - "5396": "CreateUser", - "5397": "CreateGlobalGroup", - "5398": "CreateLocalGroup", - "5399": "GetLocalGroupMembership", - "5400": "ListAccounts", - "5401": "LookupIDs", - "5402": "AdministerServer", - "5403": "Undefined Access (no effect) Bit 11", - "5404": "Undefined Access (no effect) Bit 12", - "5405": "Undefined Access (no effect) Bit 13", - "5406": "Undefined Access (no effect) Bit 14", - "5407": "Undefined Access (no effect) Bit 15", - "5408": "ReadInformation", - "5409": "WriteAccount", - "5410": "AddMember", - "5411": "RemoveMember", - "5412": "ListMembers", - 
"5413": "Undefined Access (no effect) Bit 5", - "5414": "Undefined Access (no effect) Bit 6", - "5415": "Undefined Access (no effect) Bit 7", - "5416": "Undefined Access (no effect) Bit 8", - "5417": "Undefined Access (no effect) Bit 9", - "5418": "Undefined Access (no effect) Bit 10", - "5419": "Undefined Access (no effect) Bit 11", - "5420": "Undefined Access (no effect) Bit 12", - "5421": "Undefined Access (no effect) Bit 13", - "5422": "Undefined Access (no effect) Bit 14", - "5423": "Undefined Access (no effect) Bit 15", - "5424": "AddMember", - "5425": "RemoveMember", - "5426": "ListMembers", - "5427": "ReadInformation", - "5428": "WriteAccount", - "5429": "Undefined Access (no effect) Bit 5", - "5430": "Undefined Access (no effect) Bit 6", - "5431": "Undefined Access (no effect) Bit 7", - "5432": "Undefined Access (no effect) Bit 8", - "5433": "Undefined Access (no effect) Bit 9", - "5434": "Undefined Access (no effect) Bit 10", - "5435": "Undefined Access (no effect) Bit 11", - "5436": "Undefined Access (no effect) Bit 12", - "5437": "Undefined Access (no effect) Bit 13", - "5438": "Undefined Access (no effect) Bit 14", - "5439": "Undefined Access (no effect) Bit 15", - "5440": "ReadGeneralInformation", - "5441": "ReadPreferences", - "5442": "WritePreferences", - "5443": "ReadLogon", - "5444": "ReadAccount", - "5445": "WriteAccount", - "5446": "ChangePassword (with knowledge of old password)", - "5447": "SetPassword (without knowledge of old password)", - "5448": "ListGroups", - "5449": "ReadGroupMembership", - "5450": "ChangeGroupMembership", - "5451": "Undefined Access (no effect) Bit 11", - "5452": "Undefined Access (no effect) Bit 12", - "5453": "Undefined Access (no effect) Bit 13", - "5454": "Undefined Access (no effect) Bit 14", - "5455": "Undefined Access (no effect) Bit 15", - "5632": "View non-sensitive policy information", - "5633": "View system audit requirements", - "5634": "Get sensitive policy information", - "5635": "Modify domain trust 
relationships", - "5636": "Create special accounts (for assignment of user rights)", - "5637": "Create a secret object", - "5638": "Create a privilege", - "5639": "Set default quota limits", - "5640": "Change system audit requirements", - "5641": "Administer audit log attributes", - "5642": "Enable/Disable LSA", - "5643": "Lookup Names/SIDs", - "5648": "Change secret value", - "5649": "Query secret value", - "5650": "Undefined Access (no effect) Bit 2", - "5651": "Undefined Access (no effect) Bit 3", - "5652": "Undefined Access (no effect) Bit 4", - "5653": "Undefined Access (no effect) Bit 5", - "5654": "Undefined Access (no effect) Bit 6", - "5655": "Undefined Access (no effect) Bit 7", - "5656": "Undefined Access (no effect) Bit 8", - "5657": "Undefined Access (no effect) Bit 9", - "5658": "Undefined Access (no effect) Bit 10", - "5659": "Undefined Access (no effect) Bit 11", - "5660": "Undefined Access (no effect) Bit 12", - "5661": "Undefined Access (no effect) Bit 13", - "5662": "Undefined Access (no effect) Bit 14", - "5663": "Undefined Access (no effect) Bit 15", - "5664": "Query trusted domain name/SID", - "5665": "Retrieve the controllers in the trusted domain", - "5666": "Change the controllers in the trusted domain", - "5667": "Query the Posix ID offset assigned to the trusted domain", - "5668": "Change the Posix ID offset assigned to the trusted domain", - "5669": "Undefined Access (no effect) Bit 5", - "5670": "Undefined Access (no effect) Bit 6", - "5671": "Undefined Access (no effect) Bit 7", - "5672": "Undefined Access (no effect) Bit 8", - "5673": "Undefined Access (no effect) Bit 9", - "5674": "Undefined Access (no effect) Bit 10", - "5675": "Undefined Access (no effect) Bit 11", - "5676": "Undefined Access (no effect) Bit 12", - "5677": "Undefined Access (no effect) Bit 13", - "5678": "Undefined Access (no effect) Bit 14", - "5679": "Undefined Access (no effect) Bit 15", - "5680": "Query account information", - "5681": "Change privileges 
assigned to account", - "5682": "Change quotas assigned to account", - "5683": "Change logon capabilities assigned to account", - "5684": "Change the Posix ID offset assigned to the accounted domain", - "5685": "Undefined Access (no effect) Bit 5", - "5686": "Undefined Access (no effect) Bit 6", - "5687": "Undefined Access (no effect) Bit 7", - "5688": "Undefined Access (no effect) Bit 8", - "5689": "Undefined Access (no effect) Bit 9", - "5690": "Undefined Access (no effect) Bit 10", - "5691": "Undefined Access (no effect) Bit 11", - "5692": "Undefined Access (no effect) Bit 12", - "5693": "Undefined Access (no effect) Bit 13", - "5694": "Undefined Access (no effect) Bit 14", - "5695": "Undefined Access (no effect) Bit 15", - "5696": "KeyedEvent Wait", - "5697": "KeyedEvent Wake", - "5698": "Undefined Access (no effect) Bit 2", - "5699": "Undefined Access (no effect) Bit 3", - "5700": "Undefined Access (no effect) Bit 4", - "5701": "Undefined Access (no effect) Bit 5", - "5702": "Undefined Access (no effect) Bit 6", - "5703": "Undefined Access (no effect) Bit 7", - "5704": "Undefined Access (no effect) Bit 8", - "5705": "Undefined Access (no effect) Bit 9", - "5706": "Undefined Access (no effect) Bit 10", - "5707": "Undefined Access (no effect) Bit 11", - "5708": "Undefined Access (no effect) Bit 12", - "5709": "Undefined Access (no effect) Bit 13", - "5710": "Undefined Access (no effect) Bit 14", - "5711": "Undefined Access (no effect) Bit 15", - "6656": "Enumerate desktops", - "6657": "Read attributes", - "6658": "Access Clipboard", - "6659": "Create desktop", - "6660": "Write attributes", - "6661": "Access global atoms", - "6662": "Exit windows", - "6663": "Unused Access Flag", - "6664": "Include this windowstation in enumerations", - "6665": "Read screen", - "6672": "Read Objects", - "6673": "Create window", - "6674": "Create menu", - "6675": "Hook control", - "6676": "Journal (record)", - "6677": "Journal (playback)", - "6678": "Include this desktop in 
enumerations", - "6679": "Write objects", - "6680": "Switch to this desktop", - "6912": "Administer print server", - "6913": "Enumerate printers", - "6930": "Full Control", - "6931": "Print", - "6948": "Administer Document", - "7168": "Connect to service controller", - "7169": "Create a new service", - "7170": "Enumerate services", - "7171": "Lock service database for exclusive access", - "7172": "Query service database lock state", - "7173": "Set last-known-good state of service database", - "7184": "Query service configuration information", - "7185": "Set service configuration information", - "7186": "Query status of service", - "7187": "Enumerate dependencies of service", - "7188": "Start the service", - "7189": "Stop the service", - "7190": "Pause or continue the service", - "7191": "Query information from service", - "7192": "Issue service-specific control commands", - "7424": "DDE Share Read", - "7425": "DDE Share Write", - "7426": "DDE Share Initiate Static", - "7427": "DDE Share Initiate Link", - "7428": "DDE Share Request", - "7429": "DDE Share Advise", - "7430": "DDE Share Poke", - "7431": "DDE Share Execute", - "7432": "DDE Share Add Items", - "7433": "DDE Share List Items", - "7680": "Create Child", - "7681": "Delete Child", - "7682": "List Contents", - "7683": "Write Self", - "7684": "Read Property", - "7685": "Write Property", - "7686": "Delete Tree", - "7687": "List Object", - "7688": "Control Access", - "7689": "Undefined Access (no effect) Bit 9", - "7690": "Undefined Access (no effect) Bit 10", - "7691": "Undefined Access (no effect) Bit 11", - "7692": "Undefined Access (no effect) Bit 12", - "7693": "Undefined Access (no effect) Bit 13", - "7694": "Undefined Access (no effect) Bit 14", - "7695": "Undefined Access (no effect) Bit 15", - "7936": "Audit Set System Policy", - "7937": "Audit Query System Policy", - "7938": "Audit Set Per User Policy", - "7939": "Audit Query Per User Policy", - "7940": "Audit Enumerate Users", - "7941": "Audit Set 
Options", - "7942": "Audit Query Options", - "8064": "Port sharing (read)", - "8065": "Port sharing (write)", - "8096": "Default credentials", - "8097": "Credentials manager", - "8098": "Fresh credentials", - "8192": "Kerberos", - "8193": "Preshared key", - "8194": "Unknown authentication", - "8195": "DES", - "8196": "3DES", - "8197": "MD5", - "8198": "SHA1", - "8199": "Local computer", - "8200": "Remote computer", - "8201": "No state", - "8202": "Sent first (SA) payload", - "8203": "Sent second (KE) payload", - "8204": "Sent third (ID) payload", - "8205": "Initiator", - "8206": "Responder", - "8207": "No state", - "8208": "Sent first (SA) payload", - "8209": "Sent final payload", - "8210": "Complete", - "8211": "Unknown", - "8212": "Transport", - "8213": "Tunnel", - "8214": "IKE/AuthIP DoS prevention mode started", - "8215": "IKE/AuthIP DoS prevention mode stopped", - "8216": "Enabled", - "8217": "Not enabled", - "8218": "No state", - "8219": "Sent first (EM attributes) payload", - "8220": "Sent second (SSPI) payload", - "8221": "Sent third (hash) payload", - "8222": "IKEv1", - "8223": "AuthIP", - "8224": "Anonymous", - "8225": "NTLM V2", - "8226": "CGA", - "8227": "Certificate", - "8228": "SSL", - "8229": "None", - "8230": "DH group 1", - "8231": "DH group 2", - "8232": "DH group 14", - "8233": "DH group ECP 256", - "8234": "DH group ECP 384", - "8235": "AES-128", - "8236": "AES-192", - "8237": "AES-256", - "8238": "Certificate ECDSA P256", - "8239": "Certificate ECDSA P384", - "8240": "SSL ECDSA P256", - "8241": "SSL ECDSA P384", - "8242": "SHA 256", - "8243": "SHA 384", - "8244": "IKEv2", - "8245": "EAP payload sent", - "8246": "Authentication payload sent", - "8247": "EAP", - "8248": "DH group 24", - "8272": "System", - "8273": "Logon/Logoff", - "8274": "Object Access", - "8275": "Privilege Use", - "8276": "Detailed Tracking", - "8277": "Policy Change", - "8278": "Account Management", - "8279": "DS Access", - "8280": "Account Logon", - "8448": "Success 
removed", - "8449": "Success Added", - "8450": "Failure removed", - "8451": "Failure Added", - "8452": "Success include removed", - "8453": "Success include added", - "8454": "Success exclude removed", - "8455": "Success exclude added", - "8456": "Failure include removed", - "8457": "Failure include added", - "8458": "Failure exclude removed", - "8459": "Failure exclude added", - "12288": "Security State Change", - "12289": "Security System Extension", - "12290": "System Integrity", - "12291": "IPsec Driver", - "12292": "Other System Events", - "12544": "Logon", - "12545": "Logoff", - "12546": "Account Lockout", - "12547": "IPsec Main Mode", - "12548": "Special Logon", - "12549": "IPsec Quick Mode", - "12550": "IPsec Extended Mode", - "12551": "Other Logon/Logoff Events", - "12552": "Network Policy Server", - "12553": "User / Device Claims", - "12554": "Group Membership", - "12800": "File System", - "12801": "Registry", - "12802": "Kernel Object", - "12803": "SAM", - "12804": "Other Object Access Events", - "12805": "Certification Services", - "12806": "Application Generated", - "12807": "Handle Manipulation", - "12808": "File Share", - "12809": "Filtering Platform Packet Drop", - "12810": "Filtering Platform Connection", - "12811": "Detailed File Share", - "12812": "Removable Storage", - "12813": "Central Policy Staging", - "13056": "Sensitive Privilege Use", - "13057": "Non Sensitive Privilege Use", - "13058": "Other Privilege Use Events", - "13312": "Process Creation", - "13313": "Process Termination", - "13314": "DPAPI Activity", - "13315": "RPC Events", - "13316": "Plug and Play Events", - "13317": "Token Right Adjusted Events", - "13568": "Audit Policy Change", - "13569": "Authentication Policy Change", - "13570": "Authorization Policy Change", - "13571": "MPSSVC Rule-Level Policy Change", - "13572": "Filtering Platform Policy Change", - "13573": "Other Policy Change Events", - "13824": "User Account Management", - "13825": "Computer Account Management", - 
"13826": "Security Group Management", - "13827": "Distribution Group Management", - "13828": "Application Group Management", - "13829": "Other Account Management Events", - "14080": "Directory Service Access", - "14081": "Directory Service Changes", - "14082": "Directory Service Replication", - "14083": "Detailed Directory Service Replication", - "14336": "Credential Validation", - "14337": "Kerberos Service Ticket Operations", - "14338": "Other Account Logon Events", - "14339": "Kerberos Authentication Service", - "14592": "Inbound", - "14593": "Outbound", - "14594": "Forward", - "14595": "Bidirectional", - "14596": "IP Packet", - "14597": "Transport", - "14598": "Forward", - "14599": "Stream", - "14600": "Datagram Data", - "14601": "ICMP Error", - "14602": "MAC 802.3", - "14603": "MAC Native", - "14604": "vSwitch", - "14608": "Resource Assignment", - "14609": "Listen", - "14610": "Receive/Accept", - "14611": "Connect", - "14612": "Flow Established", - "14614": "Resource Release", - "14615": "Endpoint Closure", - "14616": "Connect Redirect", - "14617": "Bind Redirect", - "14624": "Stream Packet", - "14640": "ICMP Echo-Request", - "14641": "vSwitch Ingress", - "14642": "vSwitch Egress", - "14672": "", - "14673": "[NULL]", - "14674": "Value Added", - "14675": "Value Deleted", - "14676": "Active Directory Domain Services", - "14677": "Active Directory Lightweight Directory Services", - "14678": "Yes", - "14679": "No", - "14680": "Value Added With Expiration Time", - "14681": "Value Deleted With Expiration Time", - "14688": "Value Auto Deleted With Expiration Time", - "16384": "Add", - "16385": "Delete", - "16386": "Boot-time", - "16387": "Persistent", - "16388": "Not persistent", - "16389": "Block", - "16390": "Permit", - "16391": "Callout", - "16392": "MD5", - "16393": "SHA-1", - "16394": "SHA-256", - "16395": "AES-GCM 128", - "16396": "AES-GCM 192", - "16397": "AES-GCM 256", - "16398": "DES", - "16399": "3DES", - "16400": "AES-128", - "16401": "AES-192", - "16402": 
"AES-256", - "16403": "Transport", - "16404": "Tunnel", - "16405": "Responder", - "16406": "Initiator", - "16407": "AES-GMAC 128", - "16408": "AES-GMAC 192", - "16409": "AES-GMAC 256", - "16416": "AuthNoEncap Transport", - "16896": "Enable WMI Account", - "16897": "Execute Method", - "16898": "Full Write", - "16899": "Partial Write", - "16900": "Provider Write", - "16901": "Remote Access", - "16902": "Subscribe", - "16903": "Publish", - }; - // Trust Types - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706 - var trustTypes = { - "1": "TRUST_TYPE_DOWNLEVEL", - "2": "TRUST_TYPE_UPLEVEL", - "3": "TRUST_TYPE_MIT", - "4": "TRUST_TYPE_DCE" - } - // Trust Direction - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706 - var trustDirection = { - "0": "TRUST_DIRECTION_DISABLED", - "1": "TRUST_DIRECTION_INBOUND", - "2": "TRUST_DIRECTION_OUTBOUND", - "3": "TRUST_DIRECTION_BIDIRECTIONAL" - } - // Trust Attributes - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706 - var trustAttributes = { - "0": "UNDEFINED", - "1": "TRUST_ATTRIBUTE_NON_TRANSITIVE", - "2": "TRUST_ATTRIBUTE_UPLEVEL_ONLY", - "4": "TRUST_ATTRIBUTE_QUARANTINED_DOMAIN", - "8": "TRUST_ATTRIBUTE_FOREST_TRANSITIVE", - "16": "TRUST_ATTRIBUTE_CROSS_ORGANIZATION", - "32": "TRUST_ATTRIBUTE_WITHIN_FOREST", - "64": "TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL", - "128": "TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION", - "512": "TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION", - "1024": "TRUST_ATTRIBUTE_PIM_TRUST" - } - // SDDL Ace Types - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4715 - // https://docs.microsoft.com/en-us/windows/win32/secauthz/ace-strings - // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/f4296d69-1c0f-491f-9587-a960b292d070 - var aceTypes = { - "A": "Access Allowed", - "D": "Access Denied", - "OA": "Object Access Allowed", - "OD": 
"Object Access Denied", - "AU": "System Audit", - "AL": "System Alarm", - "OU": "System Object Audit", - "OL": "System Object Alarm", - "ML": "System Mandatory Label", - "SP": "Central Policy ID" - } - // SDDL Permissions - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4715 - // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/f4296d69-1c0f-491f-9587-a960b292d070 - var permissionDescription = { - "GA": "Generic All", - "GR": "Generic Read", - "GW": "Generic Write", - "GX": "Generic Execute", - "RC": "Read Permissions", - "SD": "Delete", - "WD": "Modify Permissions", - "WO": "Modify Owner", - "RP": "Read All Properties", - "WP": "Write All Properties", - "CC": "Create All Child Objects", - "DC": "Delete All Child Objects", - "LC": "List Contents", - "SW": "All Validated", - "LO": "List Object", - "DT": "Delete Subtree", - "CR": "All Extended Rights", - "FA": "File All Access", - "FR": "File Generic Read", - "FX": "FILE GENERIC EXECUTE", - "FW": "FILE GENERIC WRITE", - "KA": "KEY ALL ACCESS", - "KR": "KEY READ", - "KW": "KEY WRITE", - "KX": "KEY EXECUTE" - } - // Known SIDs - // https://support.microsoft.com/en-au/help/243330/well-known-security-identifier"S-in-window"S-operating-systems - // https://docs.microsoft.com/en-us/windows/win32/secauthz/sid-strings - var accountSIDDescription = { - "AO": "Account operators", - "RU": "Alias to allow previous Windows 2000", - "AN": "Anonymous logon", - "AU": "Authenticated users", - "BA": "Built-in administrators", - "BG": "Built-in guests", - "BO": "Backup operators", - "BU": "Built-in users", - "CA": "Certificate server administrators", - "CG": "Creator group", - "CO": "Creator owner", - "DA": "Domain administrators", - "DC": "Domain computers", - "DD": "Domain controllers", - "DG": "Domain guests", - "DU": "Domain users", - "EA": "Enterprise administrators", - "ED": "Enterprise domain controllers", - "WD": "Everyone", - "PA": "Group Policy administrators", - 
"IU": "Interactively logged-on user", - "LA": "Local administrator", - "LG": "Local guest", - "LS": "Local service account", - "SY": "Local system", - "NU": "Network logon user", - "NO": "Network configuration operators", - "NS": "Network service account", - "PO": "Printer operators", - "PS": "Personal self", - "PU": "Power users", - "RS": "RAS servers group", - "RD": "Terminal server users", - "RE": "Replicator", - "RC": "Restricted code", - "SA": "Schema administrators", - "SO": "Server operators", - "SU": "Service logon user", - "S-1-0": "Null Authority", - "S-1-0-0": "Nobody", - "S-1-1": "World Authority", - "S-1-1-0": "Everyone", - "S-1-16-0": "Untrusted Mandatory Level", - "S-1-16-12288": "High Mandatory Level", - "S-1-16-16384": "System Mandatory Level", - "S-1-16-20480": "Protected Process Mandatory Level", - "S-1-16-28672": "Secure Process Mandatory Level", - "S-1-16-4096": "Low Mandatory Level", - "S-1-16-8192": "Medium Mandatory Level", - "S-1-16-8448": "Medium Plus Mandatory Level", - "S-1-2": "Local Authority", - "S-1-2-0": "Local", - "S-1-2-1": "Console Logon", - "S-1-3": "Creator Authority", - "S-1-3-0": "Creator Owner", - "S-1-3-1": "Creator Group", - "S-1-3-2": "Creator Owner Server", - "S-1-3-3": "Creator Group Server", - "S-1-3-4": "Owner Rights", - "S-1-4": "Non-unique Authority", - "S-1-5": "NT Authority", - "S-1-5-1": "Dialup", - "S-1-5-10": "Principal Self", - "S-1-5-11": "Authenticated Users", - "S-1-5-12": "Restricted Code", - "S-1-5-13": "Terminal Server Users", - "S-1-5-14": "Remote Interactive Logon", - "S-1-5-15": "This Organization", - "S-1-5-17": "This Organization", - "S-1-5-18": "Local System", - "S-1-5-19": "NT Authority", - "S-1-5-2": "Network", - "S-1-5-20": "NT Authority", - "S-1-5-3": "Batch", - "S-1-5-32-544": "Administrators", - "S-1-5-32-545": "Users", - "S-1-5-32-546": "Guests", - "S-1-5-32-547": "Power Users", - "S-1-5-32-548": "Account Operators", - "S-1-5-32-549": "Server Operators", - "S-1-5-32-550": "Print Operators", 
- "S-1-5-32-551": "Backup Operators", - "S-1-5-32-552": "Replicators", - "S-1-5-32-554": "Builtin\Pre-Windows 2000 Compatible Access", - "S-1-5-32-555": "Builtin\Remote Desktop Users", - "S-1-5-32-556": "Builtin\Network Configuration Operators", - "S-1-5-32-557": "Builtin\Incoming Forest Trust Builders", - "S-1-5-32-558": "Builtin\Performance Monitor Users", - "S-1-5-32-559": "Builtin\Performance Log Users", - "S-1-5-32-560": "Builtin\Windows Authorization Access Group", - "S-1-5-32-561": "Builtin\Terminal Server License Servers", - "S-1-5-32-562": "Builtin\Distributed COM Users", - "S-1-5-32-569": "Builtin\Cryptographic Operators", - "S-1-5-32-573": "Builtin\Event Log Readers", - "S-1-5-32-574": "Builtin\Certificate Service DCOM Access", - "S-1-5-32-575": "Builtin\RDS Remote Access Servers", - "S-1-5-32-576": "Builtin\RDS Endpoint Servers", - "S-1-5-32-577": "Builtin\RDS Management Servers", - "S-1-5-32-578": "Builtin\Hyper-V Administrators", - "S-1-5-32-579": "Builtin\Access Control Assistance Operators", - "S-1-5-32-580": "Builtin\Remote Management Users", - "S-1-5-32-582": "Storage Replica Administrators", - "S-1-5-4": "Interactive", - "S-1-5-5-X-Y": "Logon Session", - "S-1-5-6": "Service", - "S-1-5-64-10": "NTLM Authentication", - "S-1-5-64-14": "SChannel Authentication", - "S-1-5-64-21": "Digest Authentication", - "S-1-5-7": "Anonymous", - "S-1-5-8": "Proxy", - "S-1-5-80": "NT Service", - "S-1-5-80-0": "All Services", - "S-1-5-83-0": "NT Virtual Machine\Virtual Machines", - "S-1-5-9": "Enterprise Domain Controllers", - "S-1-5-90-0": "Windows Manager\Windows Manager Group" - } - // Domain-specific SIDs - // https://support.microsoft.com/en-au/help/243330/well-known-security-identifiers-in-windows-operating-systems - var domainSpecificSID = { - "498": "Enterprise Read-only Domain Controllers", - "500": "Administrator", - "501": "Guest", - "502": "KRBTGT", - "512": "Domain Admins", - "513": "Domain Users", - "514": "Domain Guests", - "515": "Domain Computers", - 
"516": "Domain Controllers", - "517": "Cert Publishers", - "518": "Schema Admins", - "519": "Enterprise Admins", - "520": "Group Policy Creator Owners", - "521": "Read-only Domain Controllers", - "522": "Cloneable Domain Controllers", - "526": "Key Admins", - "527": "Enterprise Key Admins", - "553": "RAS and IAS Servers", - "571": "Allowed RODC Password Replication Group", - "572": "Denied RODC Password Replication Group" - } - // Object Permission Flags - // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/7a53f60e-e730-4dfe-bbe9-b21b62eb790b - var permsFlags = [ - [0x80000000, 'Generic Read'], - [0x4000000, 'Generic Write'], - [0x20000000, 'Generic Execute'], - [0x10000000, 'Generic All'], - [0x02000000, 'Maximun Allowed'], - [0x01000000, 'Access System Security'], - [0x00100000, 'Syncronize'], - [0x00080000, 'Write Owner'], - [0x00040000, 'Write DACL'], - [0x00020000, 'Read Control'], - [0x00010000, 'Delete'] - ]; - // lookupMessageCode returns the string associated with the code. key should - // be the name of the field in evt containing the code (e.g. %%2313). 
- var lookupMessageCode = function (evt, key) { - var code = evt.Get(key); - if (!code) { - return; - } - code = code.replace("%%", ""); - return msobjsMessageTable[code]; - }; - var addEventFields = function(evt){ - var code = evt.Get("event.code"); - if (!code) { - return; - } - var eventActionDescription = eventActionTypes[code][2]; - if (eventActionDescription) { - evt.AppendTo("event.category", eventActionTypes[code][0]); - evt.AppendTo("event.type", eventActionTypes[code][1]); - evt.Put("event.action", eventActionTypes[code][2]); - } - }; - var addLogonType = function(evt) { - var code = evt.Get("winlog.event_data.LogonType"); - if (!code) { - return; - } - var descriptiveLogonType = logonTypes[code]; - if (descriptiveLogonType === undefined) { - return; - } - evt.Put("winlog.logon.type", descriptiveLogonType); - }; - var addFailureCode = function(evt) { - var msg = lookupMessageCode(evt, "winlog.event_data.FailureReason"); - if (!msg) { - return; - } - evt.Put("winlog.logon.failure.reason", msg); - }; - var addFailureStatus = function(evt) { - var code = evt.Get("winlog.event_data.Status"); - if (!code) { - return; - } - var descriptiveFailureStatus = logonFailureStatus[code]; - if (descriptiveFailureStatus === undefined) { - return; - } - evt.Put("winlog.logon.failure.status", descriptiveFailureStatus); - }; - var addFailureSubStatus = function(evt) { - var code = evt.Get("winlog.event_data.SubStatus"); - if (!code) { - return; - } - var descriptiveFailureStatus = logonFailureStatus[code]; - if (descriptiveFailureStatus === undefined) { - return; - } - evt.Put("winlog.logon.failure.sub_status", descriptiveFailureStatus); - }; - var addUACDescription = function(evt) { - var code = evt.Get("winlog.event_data.NewUacValue"); - if (!code) { - return; - } - var uacCode = parseInt(code); - var uacResult = []; - for (var i = 0; i < uacFlags.length; i++) { - if ((uacCode | uacFlags[i][0]) === uacCode) { - uacResult.push(uacFlags[i][1]); - } - } - if (uacResult) { - 
evt.Put("winlog.event_data.NewUACList", uacResult); - } - var uacList = evt.Get("winlog.event_data.UserAccountControl").replace(/\s/g, '').split("%%").filter(String); - if (!uacList) { - return; - } - evt.Put("winlog.event_data.UserAccountControl", uacList); - }; - var addAuditInfo = function(evt) { - var subcategoryGuid = evt.Get("winlog.event_data.SubcategoryGuid").replace("{", '').replace("}", '').toUpperCase(); - if (!subcategoryGuid) { - return; - } - if (!auditDescription[subcategoryGuid]) { - return; - } - evt.Put("winlog.event_data.Category", auditDescription[subcategoryGuid][1]); - evt.Put("winlog.event_data.SubCategory", auditDescription[subcategoryGuid][0]); - var codedActions = evt.Get("winlog.event_data.AuditPolicyChanges").split(","); - var actionResults = []; - for (var j = 0; j < codedActions.length; j++) { - var actionCode = codedActions[j].replace("%%", '').replace(' ', ''); - actionResults.push(msobjsMessageTable[actionCode]); - } - evt.Put("winlog.event_data.AuditPolicyChangesDescription", actionResults); - }; - var addTicketOptionsDescription = function(evt) { - var code = evt.Get("winlog.event_data.TicketOptions"); - if (!code) { - return; - } - var tktCode = parseInt(code, 16).toString(2); - var tktResult = []; - var tktCodeLen = tktCode.length; - for (var i = tktCodeLen; i >= 0; i--) { - if (tktCode[i] == 1) { - tktResult.push(ticketOptions[(32-tktCodeLen)+i]); - } - } - if (tktResult) { - evt.Put("winlog.event_data.TicketOptionsDescription", tktResult); - } - }; - var addTicketEncryptionType = function(evt) { - var code = evt.Get("winlog.event_data.TicketEncryptionType"); - if (!code) { - return; - } - var encTypeCode = code.toLowerCase(); - evt.Put("winlog.event_data.TicketEncryptionTypeDescription", ticketEncryptionTypes[encTypeCode]); - }; - var addTicketStatus = function(evt) { - var code = evt.Get("winlog.event_data.Status"); - if (!code) { - return; - } - evt.Put("winlog.event_data.StatusDescription", kerberosTktStatusCodes[code]); - 
}; - var translateSID = function(sid){ - var translatedSID = accountSIDDescription[sid]; - if (translatedSID == undefined) { - if (/^S\-1\-5\-21/.test(sid)) { - var uid = sid.match(/[0-9]{1,5}$/g); - if (uid) { - translatedSID = domainSpecificSID[uid]; - } - } - } - if (translatedSID == undefined) { - translatedSID = sid; - } - return translatedSID; - } - var translatePermissionMask = function(mask) { - if (!mask) { - return; - } - var permCode = parseInt(mask); - var permResult = []; - for (var i = 0; i < permsFlags.length; i++) { - if ((permCode | permsFlags[i][0]) === permCode) { - permResult.push(permsFlags[i][1]); - } - } - if (permResult) { - return permResult; - } else { - return mask; - } - }; - var translateACL = function(dacl) { - var aceArray = dacl.split(";"); - var aceResult = []; - var aceType = aceArray[0]; - var acePerm = aceArray[2]; - var aceTrustedSid = aceArray[5]; - if (aceTrustedSid) { - aceResult['grantee'] = translateSID(aceTrustedSid); - } - if (aceType) { - aceResult['type'] = aceTypes[aceType]; - } - if (acePerm) { - if (/^0x/.test(acePerm)) { - var perms = translatePermissionMask(acePerm); - } - else { - var perms = [] - var permPairs = acePerm.match(/.{1,2}/g); - for ( var i = 0; i < permPairs.length; i ++) { - perms.push(permissionDescription[permPairs[i]]) - } - } - aceResult['perms'] = perms; - } - return aceResult; - }; - var enrichSDDL = function(evt, sddl) { - var sddlStr = evt.Get(sddl); - if (!sddlStr) { - return; - } - var sdOwner = sddlStr.match(/^O\:[A-Z]{2}/g); - var sdGroup = sddlStr.match(/^G\:[A-Z]{2}/g); - var sdDacl = sddlStr.match(/(D:([A-Z]*(\(.*\))*))/g); - var sdSacl = sddlStr.match(/(S:([A-Z]*(\(.*\))*))?$/g); - if (sdOwner) { - evt.Put(sddl+"Owner", translateSID(sdOwner)); - } - if (sdGroup) { - evt.Put(sddl+"Group", translateSID(sdGroup)); - } - if (sdDacl) { - // Split each entry of the DACL - var daclList = (sdDacl[0]).match(/\([^*\)]*\)/g); - if (daclList) { - for (var i = 0; i < daclList.length; i++) { - var 
newDacl = translateACL(daclList[i].replace("(", '').replace(")", '')); - evt.Put(sddl+"Dacl"+i, newDacl['grantee']+" :"+newDacl['type']+" ("+newDacl['perms']+")"); - if ( newDacl['grantee'] === "Administrator" || newDacl['grantee'] === "Guest" || newDacl['grantee'] === "KRBTGT" ) { - evt.AppendTo('related.user', newDacl['grantee']); - } - } - } - } - if (sdSacl) { - // Split each entry of the SACL - var saclList = (sdSacl[0]).match(/\([^*\)]*\)/g); - if (saclList) { - for (var i = 0; i < saclList.length; i++) { - var newSacl = translateACL(saclList[i].replace("(", '').replace(")", '')); - evt.Put(sddl+"Sacl"+i, newSacl['grantee']+" :"+newSacl['type']+" ("+newSacl['perms']+")"); - if ( newSacl['grantee'] === "Administrator" || newSacl['grantee'] === "Guest" || newSacl['grantee'] === "KRBTGT" ) { - evt.AppendTo('related.user', newSacl['grantee']); - } - } - } - } - }; - - var addSessionData = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.AccountName", to: "user.name"}, - {from: "winlog.event_data.AccountDomain", to: "user.domain"}, - {from: "winlog.event_data.ClientAddress", to: "source.ip", type: "ip"}, - {from: "winlog.event_data.ClientAddress", to: "related.ip", type: "ip"}, - {from: "winlog.event_data.ClientName", to: "source.domain"}, - {from: "winlog.event_data.LogonID", to: "winlog.logon.id"}, - ], - ignore_missing: true, - fail_on_error: false, - }) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.AccountName"); - evt.AppendTo('related.user', user); - }) - .Build(); - var addServiceFields = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.ServiceName", to: "service.name"}, - ], - ignore_missing: true, - }) - .Add(function(evt) { - var code = evt.Get("winlog.event_data.ServiceType"); - if (!code) { - return; - } - evt.Put("service.type", serviceTypes[code]); - }) - .Build(); - var addTrustInformation = new processor.Chain() - .Add(function(evt) { - var code = 
evt.Get("winlog.event_data.TdoType"); - if (!code) { - return; - } - evt.Put("winlog.trustType", trustTypes[code]); - code = evt.Get("winlog.event_data.TdoDirection"); - if (!code) { - return; - } - evt.Put("winlog.trustDirection", trustDirection[code]); - code = evt.Get("winlog.event_data.TdoAttributes"); - if (!code) { - return; - } - evt.Put("winlog.trustAttribute", trustAttributes[code]); - - }) - .Build(); - - var copyTargetUser = function(evt) { - var targetUserId = evt.Get("winlog.event_data.TargetUserSid"); - if (targetUserId) { - if (evt.Get("user.id")) evt.Put("user.target.id", targetUserId); - else evt.Put("user.id", targetUserId); - } - - var targetUserName = evt.Get("winlog.event_data.TargetUserName"); - if (targetUserName) { - if (/.@*/.test(targetUserName)) { - targetUserName = targetUserName.split('@')[0]; - } - - evt.AppendTo("related.user", targetUserName); - if (evt.Get("user.name")) evt.Put("user.target.name", targetUserName); - else evt.Put("user.name", targetUserName); - } - - var targetUserDomain = evt.Get("winlog.event_data.TargetDomainName"); - if (targetUserDomain) { - if (evt.Get("user.domain")) evt.Put("user.target.domain", targetUserDomain); - else evt.Put("user.domain", targetUserDomain); - } - } - - var copyMemberToUser = function(evt) { - var member = evt.Get("winlog.event_data.MemberName"); - if (!member) { - return; - } - - var userName = member.split(',')[0].replace('CN=', '').replace('cn=', ''); - - evt.AppendTo("related.user", userName); - evt.Put("user.target.name", userName); - } - - var copyTargetUserToGroup = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.TargetUserSid", to: "group.id"}, - {from: "winlog.event_data.TargetSid", to: "group.id"}, - {from: "winlog.event_data.TargetUserName", to: "group.name"}, - {from: "winlog.event_data.TargetDomainName", to: "group.domain"}, - ], - ignore_missing: true, - }).Add(function(evt) { - if (!evt.Get("user.target")) return; - evt.Put("user.target.group.id", 
evt.Get("group.id")); - evt.Put("user.target.group.name", evt.Get("group.name")); - evt.Put("user.target.group.domain", evt.Get("group.domain")); - }) - .Build(); - var copyTargetUserToComputerObject = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.TargetSid", to: "winlog.computerObject.id"}, - {from: "winlog.event_data.TargetUserName", to: "winlog.computerObject.name"}, - {from: "winlog.event_data.TargetDomainName", to: "winlog.computerObject.domain"}, - ], - ignore_missing: true, - }) - .Build(); - var copyTargetUserLogonId = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.TargetLogonId", to: "winlog.logon.id"}, - ], - ignore_missing: true, - }) - .Build(); - var copySubjectUser = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.SubjectUserSid", to: "user.id"}, - {from: "winlog.event_data.SubjectUserName", to: "user.name"}, - {from: "winlog.event_data.SubjectDomainName", to: "user.domain"}, - ], - ignore_missing: true, - }) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.SubjectUserName"); - evt.AppendTo('related.user', user); - }) - .Build(); - var copySubjectUserFromUserData = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.user_data.SubjectUserSid", to: "user.id"}, - {from: "winlog.user_data.SubjectUserName", to: "user.name"}, - {from: "winlog.user_data.SubjectDomainName", to: "user.domain"}, - ], - ignore_missing: true, - }) - .Add(function(evt) { - var user = evt.Get("winlog.user_data.SubjectUserName"); - evt.AppendTo('related.user', user); - }) - .Build(); - var copySubjectUserLogonId = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.SubjectLogonId", to: "winlog.logon.id"}, - ], - ignore_missing: true, - }) - .Build(); - var copySubjectUserLogonIdFromUserData = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.user_data.SubjectLogonId", to: "winlog.logon.id"}, - ], - ignore_missing: true, - }) - .Build(); - 
var renameCommonAuthFields = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"}, - {from: "winlog.event_data.ProcessName", to: "process.executable"}, - {from: "winlog.event_data.IpAddress", to: "source.ip", type: "ip"}, - {from: "winlog.event_data.ClientAddress", to: "related.ip", type: "ip"}, - {from: "winlog.event_data.IpPort", to: "source.port", type: "long"}, - {from: "winlog.event_data.WorkstationName", to: "source.domain"}, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(function(evt) { - var name = evt.Get("process.name"); - if (name) { - return; - } - var exe = evt.Get("process.executable"); - if (!exe) { - return; - } - evt.Put("process.name", path.basename(exe)); - }) - .Build(); - var renameNewProcessFields = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.NewProcessId", to: "process.pid", type: "long"}, - {from: "winlog.event_data.NewProcessName", to: "process.executable"}, - {from: "winlog.event_data.ParentProcessName", to: "process.parent.executable"} - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(function(evt) { - var name = evt.Get("process.name"); - if (name) { - return; - } - var exe = evt.Get("process.executable"); - if (!exe) { - return; - } - evt.Put("process.name", path.basename(exe)); - }) - .Add(function(evt) { - var name = evt.Get("process.parent.name"); - if (name) { - return; - } - var exe = evt.Get("process.parent.executable"); - if (!exe) { - return; - } - evt.Put("process.parent.name", path.basename(exe)); - }) - .Add(function(evt) { - var cl = evt.Get("winlog.event_data.CommandLine"); - if (!cl) { - return; - } - evt.Put("process.args", windows.splitCommandLine(cl)); - evt.Put("process.command_line", cl); - }) - .Build(); - // Handles 4634 and 4647. 
- var logoff = new processor.Chain() - .Add(copyTargetUser) - .Add(copyTargetUserLogonId) - .Add(addLogonType) - .Add(addEventFields) - .Build(); - // Handles both 4624 - var logonSuccess = new processor.Chain() - .Add(copyTargetUser) - .Add(copyTargetUserLogonId) - .Add(addLogonType) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.SubjectUserName"); - if (user) { - var res = /^-$/.test(user); - if (!res) { - evt.AppendTo('related.user', user); - } - } - }) - .Build(); - // Handles both 4648 - var event4648 = new processor.Chain() - .Add(copyTargetUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.SubjectUserName"); - if (user) { - var res = /^-$/.test(user); - if (!res) { - evt.AppendTo('related.user', user); - } - } - }) - .Build(); - var event4625 = new processor.Chain() - .Add(copyTargetUser) - .Add(copySubjectUserLogonId) - .Add(addLogonType) - .Add(addFailureCode) - .Add(addFailureStatus) - .Add(addFailureSubStatus) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Build(); - var event4672 = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(function(evt) { - var privs = evt.Get("winlog.event_data.PrivilegeList"); - if (!privs) { - return; - } - evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/)); - }) - .Add(addEventFields) - .Build(); - var event4688 = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameNewProcessFields) - .Add(addEventFields) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.TargetUserName"); - if (user) { - var res = /^-$/.test(user); - if (!res) { - evt.AppendTo('related.user', user); - } - } - }) - .Build(); - var event4689 = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Build(); - 
var event4697 = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addServiceFields) - .Add(addEventFields) - .Build(); - var userMgmtEvts = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addUACDescription) - .Add(addEventFields) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.TargetUserName"); - evt.AppendTo('related.user', user); - }) - .Build(); - var userRenamed = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(addEventFields) - .Add(function(evt) { - var userNew = evt.Get("winlog.event_data.NewTargetUserName"); - evt.AppendTo('related.user', userNew); - var userOld = evt.Get("winlog.event_data.OldTargetUserName"); - evt.AppendTo('related.user', userOld); - }) - .Build(); - var groupMgmtEvts = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(copyMemberToUser) - .Add(copyTargetUserToGroup) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Build(); - var auditLogCleared = new processor.Chain() - .Add(copySubjectUserFromUserData) - .Add(copySubjectUserLogonIdFromUserData) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Build(); - var auditChanged = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addAuditInfo) - .Add(addEventFields) - .Build(); - var auditLogMgmt = new processor.Chain() - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Build(); - var computerMgmtEvts = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(copyTargetUserToComputerObject) - .Add(renameCommonAuthFields) - .Add(addUACDescription) - .Add(addEventFields) - .Add(function(evt) { - var privs = evt.Get("winlog.event_data.PrivilegeList"); - if (!privs) { - return; - } - evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/)); - }) - .Build(); - var 
sessionEvts = new processor.Chain() - .Add(addSessionData) - .Add(addEventFields) - .Build(); - var event4964 = new processor.Chain() - .Add(copyTargetUser) - .Add(copyTargetUserLogonId) - .Add(addEventFields) - .Build(); - var kerberosTktEvts = new processor.Chain() - .Add(copyTargetUser) - .Add(renameCommonAuthFields) - .Add(addTicketOptionsDescription) - .Add(addTicketEncryptionType) - .Add(addTicketStatus) - .Add(addEventFields) - .Add(function(evt) { - var ip = evt.Get("source.ip"); - if (ip) { - if (/::ffff:/.test(ip)) { - evt.Put("source.ip", ip.replace("::ffff:", "")); - evt.AppendTo("related.ip", ip.replace("::ffff:", "")); - } - } - }) - .Build(); - var event4776 = new processor.Chain() - .Add(copyTargetUser) - .Add(addFailureStatus) - .Add(addEventFields) - .Build(); - var scheduledTask = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(addEventFields) - .Build(); - var sensitivePrivilege = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Add(function(evt) { - var privs = evt.Get("winlog.event_data.PrivilegeList"); - if (!privs) { - return; - } - evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/)); - }) - .Add(function(evt){ - var maskCodes = evt.Get("winlog.event_data.AccessMask"); - if (!maskCodes) { - return; - } - var maskList = maskCodes.replace(/\s+/g, '').split("%%").filter(String); - evt.Put("winlog.event_data.AccessMask", maskList); - var maskResults = []; - for (var j = 0; j < maskList.length; j++) { - var description = msobjsMessageTable[maskList[j]]; - if (description === undefined) { - return; - } - maskResults.push(description); - } - evt.Put("winlog.event_data.AccessMaskDescription", maskResults); - }) - .Build(); - - var trustDomainMgmtEvts = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(addEventFields) - .Add(addTrustInformation) - .Build(); - - var policyChange = new 
processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(addEventFields) - .Build(); - - var objectPolicyChange = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Add(function(evt) { - var oldSd = evt.Get("winlog.event_data.OldSd"); - var newSd = evt.Get("winlog.event_data.NewSd"); - if (oldSd) { - enrichSDDL(evt, "winlog.event_data.OldSd"); - } - if (newSd) { - enrichSDDL(evt, "winlog.event_data.NewSd"); - } - }) - .Build(); - - var genericAuditChange = new processor.Chain() - .Add(addEventFields) - .Build(); - - var event4908 = new processor.Chain() - .Add(addEventFields) - .Add(function(evt) { - var sids = evt.Get("winlog.event_data.SidList"); - if (!sids) { - return; - } - var sidList = sids.split(/\s+/); - evt.Put("winlog.event_data.SidList", sids.split(/\s+/)); - var sidListDesc = []; - for (var i = 0; i < sidList.length; i++) { - var sidTemp = sidList[i].replace("%", "").replace("{", "").replace("}", "").replace(" ",""); - if (sidTemp) { - sidListDesc.push(translateSID(sidTemp)); - } - } - evt.Put("winlog.event_data.SidListDesc", sidListDesc); - }) - .Build(); - - var securityEventSource = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Build(); - - return { - // 1100 - The event logging service has shut down. - 1100: auditLogMgmt.Run, - // 1102 - The audit log was cleared. - 1102: auditLogCleared.Run, - // 1104 - The security log is now full. - 1104: auditLogMgmt.Run, - // 1105 - Event log automatic backup. - 1105: auditLogMgmt.Run, - // 1108 - The event logging service encountered an error while processing an incoming event published from %1 - 1108: auditLogMgmt.Run, - // 4624 - An account was successfully logged on. - 4624: logonSuccess.Run, - // 4625 - An account failed to log on. - 4625: event4625.Run, - // 4634 - An account was logged off. 
- 4634: logoff.Run, - // 4647 - User initiated logoff. - 4647: logoff.Run, - // 4648 - A logon was attempted using explicit credentials. - 4648: event4648.Run, - // 4670 - Permissions on an object were changed. - 4670: objectPolicyChange.Run, - // 4672 - Special privileges assigned to new logon. - 4672: event4672.Run, - // 4673 - A privileged service was called. - 4673: sensitivePrivilege.Run, - // 4674 - An operation was attempted on a privileged object. - 4674: sensitivePrivilege.Run, - // 4688 - A new process has been created. - 4688: event4688.Run, - // 4689 - A process has exited. - 4689: event4689.Run, - // 4697 - A service was installed in the system. - 4697: event4697.Run, - // 4698 - A scheduled task was created. - 4698: scheduledTask.Run, - // 4699 - A scheduled task was deleted. - 4699: scheduledTask.Run, - // 4700 - A scheduled task was enabled. - 4700: scheduledTask.Run, - // 4701 - A scheduled task was disabled. - 4701: scheduledTask.Run, - // 4702 - A scheduled task was updated. - 4702: scheduledTask.Run, - // 4706 - A new trust was created to a domain. - 4706: trustDomainMgmtEvts.Run, - // 4707 - A trust to a domain was removed. - 4707: trustDomainMgmtEvts.Run, - // 4713 - Kerberos policy was changed. - 4713: policyChange.Run, - // 4716 - Trusted domain information was modified. - 4716: trustDomainMgmtEvts.Run, - // 4717 - System security access was granted to an account. - 4717: policyChange.Run, - // 4718 - System security access was removed from an account. - 4718: policyChange.Run, - // 4719 - System audit policy was changed. - 4719: auditChanged.Run, - // 4720 - A user account was created - 4720: userMgmtEvts.Run, - // 4722 - A user account was enabled - 4722: userMgmtEvts.Run, - // 4723 - An attempt was made to change an account's password - 4723: userMgmtEvts.Run, - // 4724 - An attempt was made to reset an account's password - 4724: userMgmtEvts.Run, - // 4725 - A user account was disabled. 
- 4725: userMgmtEvts.Run, - // 4726 - An user account was deleted. - 4726: userMgmtEvts.Run, - // 4727 - A security-enabled global group was created. - 4727: groupMgmtEvts.Run, - // 4728 - A member was added to a security-enabled global group. - 4728: groupMgmtEvts.Run, - // 4729 - A member was removed from a security-enabled global group. - 4729: groupMgmtEvts.Run, - // 4730 - A security-enabled global group was deleted. - 4730: groupMgmtEvts.Run, - // 4731 - A security-enabled local group was created. - 4731: groupMgmtEvts.Run, - // 4732 - A member was added to a security-enabled local group. - 4732: groupMgmtEvts.Run, - // 4733 - A member was removed from a security-enabled local group. - 4733: groupMgmtEvts.Run, - // 4734 - A security-enabled local group was deleted. - 4734: groupMgmtEvts.Run, - // 4735 - A security-enabled local group was changed. - 4735: groupMgmtEvts.Run, - // 4737 - A security-enabled global group was changed. - 4737: groupMgmtEvts.Run, - // 4739 - A security-enabled global group was changed. - 4739: policyChange.Run, - // 4738 - An user account was changed. - 4738: userMgmtEvts.Run, - // 4740 - An account was locked out - 4740: userMgmtEvts.Run, - // 4741 - A computer account was created. - 4741: computerMgmtEvts.Run, - // 4742 - A computer account was changed. - 4742: computerMgmtEvts.Run, - // 4743 - A computer account was deleted. - 4743: computerMgmtEvts.Run, - // 4744 - A security-disabled local group was created. - 4744: groupMgmtEvts.Run, - // 4745 - A security-disabled local group was changed. - 4745: groupMgmtEvts.Run, - // 4746 - A member was added to a security-disabled local group. - 4746: groupMgmtEvts.Run, - // 4747 - A member was removed from a security-disabled local group. - 4747: groupMgmtEvts.Run, - // 4748 - A security-disabled local group was deleted. - 4748: groupMgmtEvts.Run, - // 4749 - A security-disabled global group was created. - 4749: groupMgmtEvts.Run, - // 4750 - A security-disabled global group was changed. 
- 4750: groupMgmtEvts.Run, - // 4751 - A member was added to a security-disabled global group. - 4751: groupMgmtEvts.Run, - // 4752 - A member was removed from a security-disabled global group. - 4752: groupMgmtEvts.Run, - // 4753 - A security-disabled global group was deleted. - 4753: groupMgmtEvts.Run, - // 4754 - A security-enabled universal group was created. - 4754: groupMgmtEvts.Run, - // 4755 - A security-enabled universal group was changed. - 4755: groupMgmtEvts.Run, - // 4756 - A member was added to a security-enabled universal group. - 4756: groupMgmtEvts.Run, - // 4757 - A member was removed from a security-enabled universal group. - 4757: groupMgmtEvts.Run, - // 4758 - A security-enabled universal group was deleted. - 4758: groupMgmtEvts.Run, - // 4759 - A security-disabled universal group was created. - 4759: groupMgmtEvts.Run, - // 4760 - A security-disabled universal group was changed. - 4760: groupMgmtEvts.Run, - // 4761 - A member was added to a security-disabled universal group. - 4761: groupMgmtEvts.Run, - // 4762 - A member was removed from a security-disabled universal group. - 4762: groupMgmtEvts.Run, - // 4763 - A security-disabled global group was deleted. - 4763: groupMgmtEvts.Run, - // 4764 - A group\'s type was changed. - 4764: groupMgmtEvts.Run, - // 4767 - A user account was unlocked. - 4767: userMgmtEvts.Run, - // 4768 - A Kerberos authentication ticket TGT was requested. - 4768: kerberosTktEvts.Run, - // 4769 - A Kerberos service ticket was requested. - 4769: kerberosTktEvts.Run, - // 4770 - A Kerberos service ticket was renewed. - 4770: kerberosTktEvts.Run, - // 4771 - Kerberos pre-authentication failed. - 4771: kerberosTktEvts.Run, - // 4776 - The computer attempted to validate the credentials for an account. - 4776: event4776.Run, - // 4778 - A session was reconnected to a Window Station. - 4778: sessionEvts.Run, - // 4779 - A session was disconnected from a Window Station. 
- 4779: sessionEvts.Run, - // 4781 - The name of an account was changed. - 4781: userRenamed.Run, - // 4798 - A user's local group membership was enumerated. - 4798: userMgmtEvts.Run, - // 4799 - A security-enabled local group membership was enumerated. - 4799: groupMgmtEvts.Run, - // 4817 - Auditing settings on object were changed. - 4817: objectPolicyChange.Run, - // 4902 - The Per-user audit policy table was created. - 4902: genericAuditChange.Run, - // 4904 - An attempt was made to register a security event source. - 4904: securityEventSource.Run, - // 4905 - An attempt was made to unregister a security event source. - 4905: securityEventSource.Run, - // 4906 - The CrashOnAuditFail value has changed. - 4906: genericAuditChange.Run, - // 4907 - Auditing settings on object were changed. - 4907: objectPolicyChange.Run, - // 4908 - Special Groups Logon table modified. - 4908: event4908.Run, - // 4912 - Per User Audit Policy was changed. - 4912: auditChanged.Run, - // 4964 - Special groups have been assigned to a new logon. - 4964: event4964.Run, - process: function(evt) { - var eventId = evt.Get("winlog.event_id"); - var processor = this[eventId]; - if (processor === undefined) { - return; - } - evt.Put("event.module", "security"); - processor(evt); - }, - }; - })(); - function process(evt) { - return security.process(evt); - } diff --git a/packages/system/0.12.1/data_stream/security/elasticsearch/ingest_pipeline/default.yml b/packages/system/0.12.1/data_stream/security/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 7675142444..0000000000 --- a/packages/system/0.12.1/data_stream/security/elasticsearch/ingest_pipeline/default.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -description: Pipeline for Windows Security events -processors: - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' -on_failure: - - set: - field: "error.message" - value: "{{ _ingest.on_failure_message }}" 
diff --git a/packages/system/0.12.1/data_stream/security/fields/agent.yml b/packages/system/0.12.1/data_stream/security/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/system/0.12.1/data_stream/security/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.12.1/data_stream/security/fields/base-fields.yml b/packages/system/0.12.1/data_stream/security/fields/base-fields.yml deleted file mode 100755 index a9a65458fc..0000000000 --- a/packages/system/0.12.1/data_stream/security/fields/base-fields.yml +++ /dev/null @@ -1,21 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset name. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: dataset.type - type: constant_keyword - description: Dataset type. -- name: dataset.name - type: constant_keyword - description: Dataset name. -- name: dataset.namespace - type: constant_keyword - description: Dataset namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.12.1/data_stream/security/fields/ecs.yml b/packages/system/0.12.1/data_stream/security/fields/ecs.yml deleted file mode 100755 index 2904a66ee3..0000000000 --- a/packages/system/0.12.1/data_stream/security/fields/ecs.yml +++ /dev/null 
@@ -1,244 +0,0 @@ -- name: event - title: Event - type: group - fields: - - name: action - type: keyword - ignore_above: 1024 - description: 'The action captured by the event.' - - name: category - type: keyword - ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.' - - name: code - type: keyword - ignore_above: 1024 - description: 'Identification code for this event, if one exists.' - - name: created - type: date - description: 'event.created contains the date/time when the event was first read by an agent, or by your pipeline.' - - name: ingested - type: date - description: 'Timestamp when an event arrived in the central data store.' - default_field: false - - name: kind - type: keyword - ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.' - - name: module - type: keyword - ignore_above: 1024 - description: 'Name of the module this data is coming from.' - - name: outcome - type: keyword - ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.' - - name: provider - type: keyword - ignore_above: 1024 - description: 'Source of the event.' - - name: sequence - type: long - format: string - description: 'Sequence number of the event.' - - name: type - type: keyword - ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.' -- name: host - title: Host - type: group - fields: - - name: name - type: keyword - ignore_above: 1024 - description: 'Name of the host.' -- name: log - title: Log - type: group - fields: - - name: level - type: keyword - ignore_above: 1024 - description: 'Original log level of the log event.' 
-- name: process - title: Process - type: group - fields: - - name: args - type: keyword - ignore_above: 1024 - description: 'Array of process arguments, starting with the absolute path to the executable.' - - name: args_count - type: long - description: 'Length of the process.args array.' - default_field: false - - name: command_line - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: 'Full command line that started the process, including the absolute path to the executable, and all arguments.' - default_field: false - - name: entity_id - type: keyword - ignore_above: 1024 - description: 'Unique identifier for the process.' - default_field: false - - name: executable - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Absolute path to the process executable. - - name: name - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: 'Process name.' - example: ssh - - name: title - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: 'Process title.' - - name: pid - type: long - description: Process PID. - - name: parent.executable - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Absolute path to the process executable. - default_field: false - - name: parent.name - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: 'Process name.' - default_field: false -- name: user - title: User - type: group - fields: - - name: domain - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of.' - - name: id - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. 
- - name: name - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Short name or login of the user. - - name: target.group.domain - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of.' - default_field: false - - name: target.group.id - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: target.group.name - type: keyword - ignore_above: 1024 - description: Name of the group. - - name: target.name - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Short name or login of the user. - default_field: false -- name: group - title: Group - type: group - fields: - - name: domain - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of.' - - name: id - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - - name: name - type: keyword - ignore_above: 1024 - description: Name of the group. -- name: service - title: Service - type: group - fields: - - name: name - type: keyword - ignore_above: 1024 - description: 'Name of the service data is collected from.' - - name: type - type: keyword - ignore_above: 1024 - description: 'The type of the service data is collected from.' -- name: source - title: Source - type: group - fields: - - name: domain - level: core - type: keyword - ignore_above: 1024 - description: Source domain. - - name: ip - type: ip - description: IP address of the source (IPv4 or IPv6). - - name: port - type: long - format: string - description: Port of the source. 
-- name: related - title: Related - type: group - fields: - - name: hash - type: keyword - ignore_above: 1024 - default_field: false - - name: hosts - type: keyword - ignore_above: 1024 - default_field: false - - name: ip - type: ip - - name: user - type: keyword - ignore_above: 1024 - default_field: false diff --git a/packages/system/0.12.1/data_stream/security/fields/fields.yml b/packages/system/0.12.1/data_stream/security/fields/fields.yml deleted file mode 100755 index 48deb4f52a..0000000000 --- a/packages/system/0.12.1/data_stream/security/fields/fields.yml +++ /dev/null @@ -1,30 +0,0 @@ -- name: winlog.logon - type: group - description: Data related to a Windows logon. - fields: - - name: type - type: keyword - description: > - Logon type name. This is the descriptive version of the `winlog.event_data.LogonType` ordinal. This is an enrichment added by the Security module. - - example: RemoteInteractive - - name: id - type: keyword - description: > - Logon ID that can be used to associate this logon with other events related to the same logon session. - - - name: failure.reason - type: keyword - description: > - The reason the logon failed. - - - name: failure.status - type: keyword - description: > - The reason the logon failed. This is textual description based on the value of the hexadecimal `Status` field. - - - name: failure.sub_status - type: keyword - description: > - Additional information about the logon failure. This is a textual description based on the value of the hexidecimal `SubStatus` field. - diff --git a/packages/system/0.12.1/data_stream/security/fields/winlog.yml b/packages/system/0.12.1/data_stream/security/fields/winlog.yml deleted file mode 100755 index 4ac76fdcdc..0000000000 --- a/packages/system/0.12.1/data_stream/security/fields/winlog.yml +++ /dev/null 
@@ -1,361 +0,0 @@ -- name: winlog - type: group - description: > - All fields specific to the Windows Event Log are defined here. - - fields: - - name: api - required: true - type: keyword - description: > - The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. - - The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. - - - name: activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. - - - name: computer_name - type: keyword - required: true - description: > - The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. - - - name: event_data - type: object - object_type: keyword - required: false - description: > - The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. - - - name: event_data - type: group - description: > - This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs. 
- - fields: - - name: AuthenticationPackageName - type: keyword - - name: Binary - type: keyword - - name: BitlockerUserInputTime - type: keyword - - name: BootMode - type: keyword - - name: BootType - type: keyword - - name: BuildVersion - type: keyword - - name: Company - type: keyword - - name: CorruptionActionState - type: keyword - - name: CreationUtcTime - type: keyword - - name: Description - type: keyword - - name: Detail - type: keyword - - name: DeviceName - type: keyword - - name: DeviceNameLength - type: keyword - - name: DeviceTime - type: keyword - - name: DeviceVersionMajor - type: keyword - - name: DeviceVersionMinor - type: keyword - - name: DriveName - type: keyword - - name: DriverName - type: keyword - - name: DriverNameLength - type: keyword - - name: DwordVal - type: keyword - - name: EntryCount - type: keyword - - name: ExtraInfo - type: keyword - - name: FailureName - type: keyword - - name: FailureNameLength - type: keyword - - name: FileVersion - type: keyword - - name: FinalStatus - type: keyword - - name: Group - type: keyword - - name: IdleImplementation - type: keyword - - name: IdleStateCount - type: keyword - - name: ImpersonationLevel - type: keyword - - name: IntegrityLevel - type: keyword - - name: IpAddress - type: keyword - - name: IpPort - type: keyword - - name: KeyLength - type: keyword - - name: LastBootGood - type: keyword - - name: LastShutdownGood - type: keyword - - name: LmPackageName - type: keyword - - name: LogonGuid - type: keyword - - name: LogonId - type: keyword - - name: LogonProcessName - type: keyword - - name: LogonType - type: keyword - - name: MajorVersion - type: keyword - - name: MaximumPerformancePercent - type: keyword - - name: MemberName - type: keyword - - name: MemberSid - type: keyword - - name: MinimumPerformancePercent - type: keyword - - name: MinimumThrottlePercent - type: keyword - - name: MinorVersion - type: keyword - - name: NewProcessId - type: keyword - - name: NewProcessName - type: 
keyword - - name: NewSchemeGuid - type: keyword - - name: NewTime - type: keyword - - name: NominalFrequency - type: keyword - - name: Number - type: keyword - - name: OldSchemeGuid - type: keyword - - name: OldTime - type: keyword - - name: OriginalFileName - type: keyword - - name: Path - type: keyword - - name: PerformanceImplementation - type: keyword - - name: PreviousCreationUtcTime - type: keyword - - name: PreviousTime - type: keyword - - name: PrivilegeList - type: keyword - - name: ProcessId - type: keyword - - name: ProcessName - type: keyword - - name: ProcessPath - type: keyword - - name: ProcessPid - type: keyword - - name: Product - type: keyword - - name: PuaCount - type: keyword - - name: PuaPolicyId - type: keyword - - name: QfeVersion - type: keyword - - name: Reason - type: keyword - - name: SchemaVersion - type: keyword - - name: ScriptBlockText - type: keyword - - name: ServiceName - type: keyword - - name: ServiceVersion - type: keyword - - name: ShutdownActionType - type: keyword - - name: ShutdownEventCode - type: keyword - - name: ShutdownReason - type: keyword - - name: Signature - type: keyword - - name: SignatureStatus - type: keyword - - name: Signed - type: keyword - - name: StartTime - type: keyword - - name: State - type: keyword - - name: Status - type: keyword - - name: StopTime - type: keyword - - name: SubjectDomainName - type: keyword - - name: SubjectLogonId - type: keyword - - name: SubjectUserName - type: keyword - - name: SubjectUserSid - type: keyword - - name: TSId - type: keyword - - name: TargetDomainName - type: keyword - - name: TargetInfo - type: keyword - - name: TargetLogonGuid - type: keyword - - name: TargetLogonId - type: keyword - - name: TargetServerName - type: keyword - - name: TargetUserName - type: keyword - - name: TargetUserSid - type: keyword - - name: TerminalSessionId - type: keyword - - name: TokenElevationType - type: keyword - - name: TransmittedServices - type: keyword - - name: UserSid - type: 
keyword - - name: Version - type: keyword - - name: Workstation - type: keyword - - name: param1 - type: keyword - - name: param2 - type: keyword - - name: param3 - type: keyword - - name: param4 - type: keyword - - name: param5 - type: keyword - - name: param6 - type: keyword - - name: param7 - type: keyword - - name: param8 - type: keyword - - name: event_id - type: keyword - required: true - description: > - The event identifier. The value is specific to the source of the event. - - - name: keywords - type: keyword - required: false - description: > - The keywords are used to classify an event. - - - name: channel - type: keyword - required: true - description: > - The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. - - - name: record_id - type: keyword - required: true - description: > - The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. - - - name: related_activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. - - - name: opcode - type: keyword - required: false - description: > - The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. - - - name: provider_guid - type: keyword - required: false - description: > - A globally unique identifier that identifies the provider that logged the event. - - - name: process.pid - type: long - required: false - description: > - The process_id of the Client Server Runtime Process. 
- - - name: provider_name - type: keyword - required: true - description: > - The source of the event log record (the application or service that logged the record). - - - name: task - type: keyword - required: false - description: > - The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. - - - name: process.thread.id - type: long - required: false - - name: user_data - type: object - object_type: keyword - required: false - description: > - The event specific data. This field is mutually exclusive with `event_data`. - - - name: user.identifier - type: keyword - required: false - example: S-1-5-21-3541430928-2051711210-1391384369-1001 - description: > - The Windows security identifier (SID) of the account associated with this event. - - If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. - - - name: user.name - type: keyword - description: > - Name of the user associated with this event. - - - name: user.domain - type: keyword - required: false - description: > - The domain that the account associated with this event is a member of. - - - name: user.type - type: keyword - required: false - description: > - The type of account associated with this event. - - - name: version - type: long - required: false - description: The version number of the event's definition. diff --git a/packages/system/0.12.1/data_stream/security/manifest.yml b/packages/system/0.12.1/data_stream/security/manifest.yml deleted file mode 100755 index c2de21a474..0000000000 --- a/packages/system/0.12.1/data_stream/security/manifest.yml +++ /dev/null 
@@ -1,34 +0,0 @@
-type: logs
-title: Security logs
-release: experimental
-streams:
- - input: winlog
- template_path: winlog.yml.hbs
- title: Security
- description: 'Security channel'
- - input: httpjson
- title: Windows Security Events via Splunk Enterprise REST API
- description: Collect Security Events via Splunk Enterprise REST API
- enabled: false
- template_path: httpjson.yml.hbs
- vars:
- - name: interval
- type: text
- title: Interval to query Splunk Enterprise REST API
- description: Go Duration syntax (eg. 10s)
- show_user: true
- required: true
- default: 10s
- - name: search
- type: text
- title: Splunk search string
- show_user: false
- required: true
- default: "search sourcetype=\"XmlWinEventLog:Security\""
- - name: tags
- type: text
- title: Tags
- multi: true
- show_user: false
- default:
- - forwarded
diff --git a/packages/system/0.12.1/data_stream/socket_summary/agent/stream/stream.yml.hbs b/packages/system/0.12.1/data_stream/socket_summary/agent/stream/stream.yml.hbs
deleted file mode 100755
index 98643a9111..0000000000
--- a/packages/system/0.12.1/data_stream/socket_summary/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,5 +0,0 @@
-metricsets: ["socket_summary"]
-period: {{period}}
-{{#if system.hostfs}}
-system.hostfs: {{system.hostfs}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/system/0.12.1/data_stream/socket_summary/fields/agent.yml b/packages/system/0.12.1/data_stream/socket_summary/fields/agent.yml
deleted file mode 100755
index da4e652c53..0000000000
--- a/packages/system/0.12.1/data_stream/socket_summary/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.12.1/data_stream/socket_summary/fields/base-fields.yml b/packages/system/0.12.1/data_stream/socket_summary/fields/base-fields.yml
deleted file mode 100755
index 7c798f4534..0000000000
--- a/packages/system/0.12.1/data_stream/socket_summary/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.12.1/data_stream/socket_summary/fields/ecs.yml b/packages/system/0.12.1/data_stream/socket_summary/fields/ecs.yml
deleted file mode 100755
index 9f3d04118b..0000000000
--- a/packages/system/0.12.1/data_stream/socket_summary/fields/ecs.yml
+++ /dev/null
@@ -1,128 +0,0 @@ -- name: '@timestamp' - level: core - required: true - type: date - description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. -- name: message - level: core - type: text - description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. -- name: group - title: Group - group: 2 - type: group - fields: - - name: id - level: extended - type: keyword - description: Unique identifier for the group on the system/platform. - ignore_above: 1024 - - name: name - level: extended - type: keyword - description: Name of the group. - ignore_above: 1024 -- name: host - title: Host - group: 2 - type: group - fields: - - name: hostname - level: core - type: keyword - description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - ignore_above: 1024 -- name: process - title: Process - group: 2 - type: group - fields: - - name: name - level: extended - type: keyword - description: |- - Process name. - Sometimes called program name or similar. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - - name: pid - level: core - type: long - format: string - description: Process id. -- name: source - title: Source - group: 2 - type: group - fields: - - name: geo.city_name - level: core - type: keyword - description: City name. 
- ignore_above: 1024 - - name: geo.continent_name - level: core - type: keyword - description: Name of the continent. - ignore_above: 1024 - - name: geo.country_iso_code - level: core - type: keyword - description: Country ISO code. - ignore_above: 1024 - - name: geo.location - level: core - type: geo_point - description: Longitude and latitude. - - name: geo.region_iso_code - level: core - type: keyword - description: Region ISO code. - ignore_above: 1024 - - name: geo.region_name - level: core - type: keyword - description: Region name. - ignore_above: 1024 - - name: ip - level: core - type: ip - description: IP address of the source (IPv4 or IPv6). - - name: port - level: core - type: long - format: string - description: Port of the source. -- name: user - title: User - group: 2 - type: group - fields: - - name: id - level: core - type: keyword - description: Unique identifier of the user. - ignore_above: 1024 - - name: name - level: core - type: keyword - description: Short name or login of the user. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false diff --git a/packages/system/0.12.1/data_stream/socket_summary/fields/fields.yml b/packages/system/0.12.1/data_stream/socket_summary/fields/fields.yml deleted file mode 100755 index fca58be0c8..0000000000 --- a/packages/system/0.12.1/data_stream/socket_summary/fields/fields.yml +++ /dev/null 
@@ -1,106 +0,0 @@ -- name: system.socket.summary - title: Socket summary - type: group - fields: - - name: all - type: group - fields: - - name: count - type: integer - metric_type: gauge - description: | - All open connections - - name: listening - type: integer - metric_type: gauge - description: | - All listening ports - - name: tcp - type: group - fields: - - name: memory - type: integer - format: bytes - unit: byte - metric_type: gauge - description: "Memory used by TCP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/tcp_mem. Only available on Linux. \n" - - name: all - type: group - fields: - - name: orphan - type: integer - metric_type: gauge - description: | - A count of all orphaned tcp sockets. Only available on Linux. - - name: count - type: integer - metric_type: gauge - description: | - All open TCP connections - - name: listening - type: integer - metric_type: gauge - description: | - All TCP listening ports - - name: established - type: integer - metric_type: gauge - description: | - Number of established TCP connections - - name: close_wait - type: integer - metric_type: gauge - description: | - Number of TCP connections in _close_wait_ state - - name: time_wait - type: integer - metric_type: gauge - description: | - Number of TCP connections in _time_wait_ state - - name: syn_sent - type: integer - metric_type: gauge - description: | - Number of TCP connections in _syn_sent_ state - - name: syn_recv - type: integer - metric_type: gauge - description: | - Number of TCP connections in _syn_recv_ state - - name: fin_wait1 - type: integer - metric_type: gauge - description: | - Number of TCP connections in _fin_wait1_ state - - name: fin_wait2 - type: integer - metric_type: gauge - description: | - Number of TCP connections in _fin_wait2_ state - - name: last_ack - type: integer - metric_type: gauge - description: | - Number of TCP connections in _last_ack_ state - - name: 
closing - type: integer - metric_type: gauge - description: | - Number of TCP connections in _closing_ state - - name: udp - type: group - fields: - - name: memory - type: integer - format: bytes - unit: byte - metric_type: gauge - description: "Memory used by UDP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/udp_mem. Only available on Linux. \n" - - name: all - type: group - fields: - - name: count - type: integer - metric_type: gauge - description: | - All open UDP connections diff --git a/packages/system/0.12.1/data_stream/socket_summary/manifest.yml b/packages/system/0.12.1/data_stream/socket_summary/manifest.yml deleted file mode 100755 index 119109fe70..0000000000 --- a/packages/system/0.12.1/data_stream/socket_summary/manifest.yml +++ /dev/null @@ -1,15 +0,0 @@ -title: System socket_summary metrics -release: experimental -type: metrics -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - title: System socket_summary metrics - description: Collect System socket_summary metrics diff --git a/packages/system/0.12.1/data_stream/syslog/agent/stream/log.yml.hbs b/packages/system/0.12.1/data_stream/syslog/agent/stream/log.yml.hbs deleted file mode 100755 index 09e5d53429..0000000000 --- a/packages/system/0.12.1/data_stream/syslog/agent/stream/log.yml.hbs +++ /dev/null @@ -1,14 +0,0 @@ -paths: -{{#each paths as |path i|}} - - {{path}} -{{/each}} -exclude_files: [".gz$"] -multiline: - pattern: "^\\s" - match: after -processors: - - add_locale: ~ - - add_fields: - target: '' - fields: - ecs.version: 1.9.0 diff --git a/packages/system/0.12.1/data_stream/syslog/elasticsearch/ingest_pipeline/default.yml b/packages/system/0.12.1/data_stream/syslog/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index b71c6624a7..0000000000 
--- a/packages/system/0.12.1/data_stream/syslog/elasticsearch/ingest_pipeline/default.yml +++ /dev/null @@ -1,53 +0,0 @@ ---- -description: Pipeline for parsing Syslog messages. -processors: -- grok: - field: message - patterns: - - '%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: %{GREEDYMULTILINE:system.syslog.message}' - - '%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{GREEDYMULTILINE:system.syslog.message}' - - '%{TIMESTAMP_ISO8601:system.syslog.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: %{GREEDYMULTILINE:system.syslog.message}' - pattern_definitions: - GREEDYMULTILINE: |- - (.| - )* - ignore_missing: true -- remove: - field: message -- rename: - field: system.syslog.message - target_field: message - ignore_missing: true -- date: - if: ctx.event.timezone == null - field: system.syslog.timestamp - target_field: '@timestamp' - formats: - - MMM d HH:mm:ss - - MMM dd HH:mm:ss - - MMM d HH:mm:ss - - ISO8601 - on_failure: - - append: - field: error.message - value: '{{ _ingest.on_failure_message }}' -- date: - if: ctx.event.timezone != null - field: system.syslog.timestamp - target_field: '@timestamp' - formats: - - MMM d HH:mm:ss - - MMM dd HH:mm:ss - - MMM d HH:mm:ss - - ISO8601 - timezone: '{{ event.timezone }}' - on_failure: - - append: - field: error.message - value: '{{ _ingest.on_failure_message }}' -- remove: - field: system.syslog.timestamp -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/system/0.12.1/data_stream/syslog/fields/agent.yml b/packages/system/0.12.1/data_stream/syslog/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/system/0.12.1/data_stream/syslog/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.12.1/data_stream/syslog/fields/base-fields.yml b/packages/system/0.12.1/data_stream/syslog/fields/base-fields.yml deleted file mode 100755 index 7c798f4534..0000000000 --- a/packages/system/0.12.1/data_stream/syslog/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.12.1/data_stream/syslog/fields/ecs.yml b/packages/system/0.12.1/data_stream/syslog/fields/ecs.yml deleted file mode 100755 index 6177e5856f..0000000000 --- a/packages/system/0.12.1/data_stream/syslog/fields/ecs.yml +++ /dev/null 
@@ -1,97 +0,0 @@ -- name: '@timestamp' - level: core - required: true - type: date - description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. -- name: message - level: core - type: text - description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. -- name: process - title: Process - group: 2 - type: group - fields: - - name: name - level: extended - type: keyword - description: |- - Process name. - Sometimes called program name or similar. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - - name: pid - level: core - type: long - format: string - description: Process id. -- description: "Operating system architecture." - ignore_above: 1024 - name: host.architecture - type: keyword -- description: "Name of the directory the group is a member of." - ignore_above: 1024 - name: host.domain - type: keyword -- description: "Hostname of the host." - ignore_above: 1024 - name: host.hostname - type: keyword -- description: "Unique host id." - ignore_above: 1024 - name: host.id - type: keyword -- description: "Host ip addresses." - name: host.ip - type: ip -- description: "Host mac addresses." - ignore_above: 1024 - name: host.mac - type: keyword -- description: "Name of the host." - ignore_above: 1024 - name: host.name - type: keyword -- description: "OS family (such as redhat, debian, freebsd, windows)." 
- ignore_above: 1024 - name: host.os.family - type: keyword -- description: "Operating system name, including the version or code name." - ignore_above: 1024 - multi_fields: - - name: text - norms: false - type: text - name: host.os.full - type: keyword -- description: "Operating system kernel version as a raw string." - ignore_above: 1024 - name: host.os.kernel - type: keyword -- description: "Operating system name, without the version." - ignore_above: 1024 - multi_fields: - - name: text - norms: false - type: text - name: host.os.name - type: keyword -- description: "Operating system platform (such centos, ubuntu, windows)." - ignore_above: 1024 - name: host.os.platform - type: keyword -- description: "Operating system version as a raw string." - ignore_above: 1024 - name: version - type: keyword diff --git a/packages/system/0.12.1/data_stream/syslog/fields/fields.yml b/packages/system/0.12.1/data_stream/syslog/fields/fields.yml deleted file mode 100755 index f933686930..0000000000 --- a/packages/system/0.12.1/data_stream/syslog/fields/fields.yml +++ /dev/null @@ -1,2 +0,0 @@ -- name: system.syslog - type: group diff --git a/packages/system/0.12.1/data_stream/syslog/manifest.yml b/packages/system/0.12.1/data_stream/syslog/manifest.yml deleted file mode 100755 index 1aa1fe9412..0000000000 --- a/packages/system/0.12.1/data_stream/syslog/manifest.yml +++ /dev/null @@ -1,18 +0,0 @@ -title: System syslog logs -release: experimental -type: logs -streams: - - input: logfile - vars: - - name: paths - type: text - title: Paths - multi: true - required: true - show_user: true - default: - - /var/log/messages* - - /var/log/syslog* - template_path: log.yml.hbs - title: System syslog logs (log) - description: Collect System syslog logs using log input diff --git a/packages/system/0.12.1/data_stream/system/agent/stream/httpjson.yml.hbs b/packages/system/0.12.1/data_stream/system/agent/stream/httpjson.yml.hbs deleted file mode 100755 index e5e84c288a..0000000000 
--- a/packages/system/0.12.1/data_stream/system/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,90 +0,0 @@ -config_version: "2" -interval: {{interval}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: |- - {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -response.decode_as: application/x-ndjson -tags: -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains tags "forwarded"}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: - - decode_json_fields: - fields: message - target: json - add_error_key: true - - drop_event: - when: - not: - has_fields: ['json.result'] - - fingerprint: - fields: - - json.result._cd - - json.result._indextime - - json.result._raw - - json.result._time - - json.result.host - - json.result.source - target_field: "@metadata._id" - - drop_fields: - fields: message - - rename: - fields: - - from: json.result._raw - to: event.original - - from: json.result.host - to: host.name - - from: json.result.source - to: event.provider - ignore_missing: true - fail_on_error: false - - drop_fields: - fields: json - - decode_xml_wineventlog: - field: event.original - target_field: winlog - ignore_missing: true - ignore_failure: true - map_ecs_fields: true - - timestamp: - field: winlog.time_created - layouts: - - '2006-01-02T15:04:05Z' - - '2006-01-02T15:04:05.999Z' - - '2006-01-02T15:04:05.999-07:00' - test: - - '2019-06-22T16:33:51Z' - - '2019-11-18T04:59:51.123Z' - - 
'2020-08-03T07:10:20.123456+02:00' - - add_fields: - target: '' - fields: - ecs.version: 1.8.0 diff --git a/packages/system/0.12.1/data_stream/system/agent/stream/winlog.yml.hbs b/packages/system/0.12.1/data_stream/system/agent/stream/winlog.yml.hbs deleted file mode 100755 index 47df93c51d..0000000000 --- a/packages/system/0.12.1/data_stream/system/agent/stream/winlog.yml.hbs +++ /dev/null @@ -1,2 +0,0 @@ -name: System -condition: ${host.platform} == 'windows' \ No newline at end of file diff --git a/packages/system/0.12.1/data_stream/system/elasticsearch/ingest_pipeline/default.yml b/packages/system/0.12.1/data_stream/system/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 9f7e885a2f..0000000000 --- a/packages/system/0.12.1/data_stream/system/elasticsearch/ingest_pipeline/default.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -description: Pipeline for Windows System Event Logs -processors: - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' -on_failure: - - set: - field: "error.message" - value: "{{ _ingest.on_failure_message }}" \ No newline at end of file diff --git a/packages/system/0.12.1/data_stream/system/fields/agent.yml b/packages/system/0.12.1/data_stream/system/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/system/0.12.1/data_stream/system/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.12.1/data_stream/system/fields/base-fields.yml b/packages/system/0.12.1/data_stream/system/fields/base-fields.yml deleted file mode 100755 index 7c798f4534..0000000000 --- a/packages/system/0.12.1/data_stream/system/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.12.1/data_stream/system/fields/ecs.yml b/packages/system/0.12.1/data_stream/system/fields/ecs.yml deleted file mode 100755 index e1817f5ca6..0000000000 --- a/packages/system/0.12.1/data_stream/system/fields/ecs.yml +++ /dev/null @@ -1,16 +0,0 @@ -- description: Time when the event was first read by an agent or by your pipeline. - example: '2016-05-23T08:05:34.857Z' - name: event.created - type: date -- description: Timestamp when an event arrived in the central data store. - example: '2016-05-23T08:05:35.101Z' - name: event.ingested - type: date -- description: Raw text message of entire event. - example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 - ignore_above: 1024 - name: event.original - type: keyword -- description: Error message. - name: error.message - type: text diff --git a/packages/system/0.12.1/data_stream/system/fields/winlog.yml b/packages/system/0.12.1/data_stream/system/fields/winlog.yml deleted file mode 100755 index adca1bbdd0..0000000000 --- a/packages/system/0.12.1/data_stream/system/fields/winlog.yml +++ /dev/null 
@@ -1,357 +0,0 @@ -- name: winlog - type: group - description: > - All fields specific to the Windows Event Log are defined here. - - fields: - - name: api - required: true - type: keyword - description: > - The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. - - - name: activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. - - - name: computer_name - type: keyword - required: true - description: > - The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. - - - name: event_data - type: object - object_type: keyword - required: false - description: > - The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. - - - name: event_data - type: group - description: > - This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs. 
- - fields: - - name: AuthenticationPackageName - type: keyword - - name: Binary - type: keyword - - name: BitlockerUserInputTime - type: keyword - - name: BootMode - type: keyword - - name: BootType - type: keyword - - name: BuildVersion - type: keyword - - name: Company - type: keyword - - name: CorruptionActionState - type: keyword - - name: CreationUtcTime - type: keyword - - name: Description - type: keyword - - name: Detail - type: keyword - - name: DeviceName - type: keyword - - name: DeviceNameLength - type: keyword - - name: DeviceTime - type: keyword - - name: DeviceVersionMajor - type: keyword - - name: DeviceVersionMinor - type: keyword - - name: DriveName - type: keyword - - name: DriverName - type: keyword - - name: DriverNameLength - type: keyword - - name: DwordVal - type: keyword - - name: EntryCount - type: keyword - - name: ExtraInfo - type: keyword - - name: FailureName - type: keyword - - name: FailureNameLength - type: keyword - - name: FileVersion - type: keyword - - name: FinalStatus - type: keyword - - name: Group - type: keyword - - name: IdleImplementation - type: keyword - - name: IdleStateCount - type: keyword - - name: ImpersonationLevel - type: keyword - - name: IntegrityLevel - type: keyword - - name: IpAddress - type: keyword - - name: IpPort - type: keyword - - name: KeyLength - type: keyword - - name: LastBootGood - type: keyword - - name: LastShutdownGood - type: keyword - - name: LmPackageName - type: keyword - - name: LogonGuid - type: keyword - - name: LogonId - type: keyword - - name: LogonProcessName - type: keyword - - name: LogonType - type: keyword - - name: MajorVersion - type: keyword - - name: MaximumPerformancePercent - type: keyword - - name: MemberName - type: keyword - - name: MemberSid - type: keyword - - name: MinimumPerformancePercent - type: keyword - - name: MinimumThrottlePercent - type: keyword - - name: MinorVersion - type: keyword - - name: NewProcessId - type: keyword - - name: NewProcessName - type: 
keyword - - name: NewSchemeGuid - type: keyword - - name: NewTime - type: keyword - - name: NominalFrequency - type: keyword - - name: Number - type: keyword - - name: OldSchemeGuid - type: keyword - - name: OldTime - type: keyword - - name: OriginalFileName - type: keyword - - name: Path - type: keyword - - name: PerformanceImplementation - type: keyword - - name: PreviousCreationUtcTime - type: keyword - - name: PreviousTime - type: keyword - - name: PrivilegeList - type: keyword - - name: ProcessId - type: keyword - - name: ProcessName - type: keyword - - name: ProcessPath - type: keyword - - name: ProcessPid - type: keyword - - name: Product - type: keyword - - name: PuaCount - type: keyword - - name: PuaPolicyId - type: keyword - - name: QfeVersion - type: keyword - - name: Reason - type: keyword - - name: SchemaVersion - type: keyword - - name: ScriptBlockText - type: keyword - - name: ServiceName - type: keyword - - name: ServiceVersion - type: keyword - - name: ShutdownActionType - type: keyword - - name: ShutdownEventCode - type: keyword - - name: ShutdownReason - type: keyword - - name: Signature - type: keyword - - name: SignatureStatus - type: keyword - - name: Signed - type: keyword - - name: StartTime - type: keyword - - name: State - type: keyword - - name: Status - type: keyword - - name: StopTime - type: keyword - - name: SubjectDomainName - type: keyword - - name: SubjectLogonId - type: keyword - - name: SubjectUserName - type: keyword - - name: SubjectUserSid - type: keyword - - name: TSId - type: keyword - - name: TargetDomainName - type: keyword - - name: TargetInfo - type: keyword - - name: TargetLogonGuid - type: keyword - - name: TargetLogonId - type: keyword - - name: TargetServerName - type: keyword - - name: TargetUserName - type: keyword - - name: TargetUserSid - type: keyword - - name: TerminalSessionId - type: keyword - - name: TokenElevationType - type: keyword - - name: TransmittedServices - type: keyword - - name: UserSid - type: 
keyword - - name: Version - type: keyword - - name: Workstation - type: keyword - - name: param1 - type: keyword - - name: param2 - type: keyword - - name: param3 - type: keyword - - name: param4 - type: keyword - - name: param5 - type: keyword - - name: param6 - type: keyword - - name: param7 - type: keyword - - name: param8 - type: keyword - - name: event_id - type: keyword - required: true - description: > - The event identifier. The value is specific to the source of the event. - - - name: keywords - type: keyword - required: false - description: > - The keywords are used to classify an event. - - - name: channel - type: keyword - required: true - description: > - The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. - - - name: record_id - type: keyword - required: true - description: > - The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. - - - name: related_activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. - - - name: opcode - type: keyword - required: false - description: > - The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. - - - name: provider_guid - type: keyword - required: false - description: > - A globally unique identifier that identifies the provider that logged the event. - - - name: process.pid - type: long - required: false - description: > - The process_id of the Client Server Runtime Process. 
- - - name: provider_name - type: keyword - required: true - description: > - The source of the event log record (the application or service that logged the record). - - - name: task - type: keyword - required: false - description: > - The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. - - - name: process.thread.id - type: long - required: false - - name: user_data - type: object - object_type: keyword - required: false - description: > - The event specific data. This field is mutually exclusive with `event_data`. - - - name: user.identifier - type: keyword - required: false - example: S-1-5-21-3541430928-2051711210-1391384369-1001 - description: > - The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. - - - name: user.name - type: keyword - description: > - Name of the user associated with this event. - - - name: user.domain - type: keyword - required: false - description: > - The domain that the account associated with this event is a member of. - - - name: user.type - type: keyword - required: false - description: > - The type of account associated with this event. - - - name: version - type: long - required: false - description: The version number of the event's definition. diff --git a/packages/system/0.12.1/data_stream/system/manifest.yml b/packages/system/0.12.1/data_stream/system/manifest.yml deleted file mode 100755 index 6bc5b0c3e2..0000000000 --- a/packages/system/0.12.1/data_stream/system/manifest.yml +++ /dev/null 
@@ -1,34 +0,0 @@ -type: logs -title: Windows System Events -release: experimental -streams: - - input: winlog - template_path: winlog.yml.hbs - title: System - description: 'Collect Windows system logs' - - input: httpjson - title: Windows System Events via Splunk Enterprise REST API - description: Collect System Events via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: false - required: true - default: "search sourcetype=\"XmlWinEventLog:System\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded diff --git a/packages/system/0.12.1/data_stream/uptime/agent/stream/stream.yml.hbs b/packages/system/0.12.1/data_stream/uptime/agent/stream/stream.yml.hbs deleted file mode 100755 index 810f6a1f3e..0000000000 --- a/packages/system/0.12.1/data_stream/uptime/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,2 +0,0 @@ -metricsets: ["uptime"] -period: {{period}} \ No newline at end of file diff --git a/packages/system/0.12.1/data_stream/uptime/fields/agent.yml b/packages/system/0.12.1/data_stream/uptime/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/system/0.12.1/data_stream/uptime/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.12.1/data_stream/uptime/fields/base-fields.yml b/packages/system/0.12.1/data_stream/uptime/fields/base-fields.yml deleted file mode 100755 index 7c798f4534..0000000000 --- a/packages/system/0.12.1/data_stream/uptime/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.12.1/data_stream/uptime/fields/fields.yml b/packages/system/0.12.1/data_stream/uptime/fields/fields.yml deleted file mode 100755 index 7c61a13721..0000000000 --- a/packages/system/0.12.1/data_stream/uptime/fields/fields.yml +++ /dev/null @@ -1,10 +0,0 @@ -- name: system.uptime - type: group - fields: - - name: duration.ms - type: long - format: duration - unit: ms - metric_type: counter - description: | - The OS uptime in milliseconds. diff --git a/packages/system/0.12.1/data_stream/uptime/manifest.yml b/packages/system/0.12.1/data_stream/uptime/manifest.yml deleted file mode 100755 index d1fc1f1579..0000000000 --- a/packages/system/0.12.1/data_stream/uptime/manifest.yml +++ /dev/null @@ -1,15 +0,0 @@ -title: System uptime metrics -release: experimental -type: metrics -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - title: System uptime metrics - description: Collect System uptime metrics diff --git a/packages/system/0.12.1/docs/README.md b/packages/system/0.12.1/docs/README.md deleted file mode 100755 index b4827024bb..0000000000 --- a/packages/system/0.12.1/docs/README.md +++ /dev/null 
@@ -1,1650 +0,0 @@ -# System Integration - -The System integrations allows you to monitor your servers. Because the System integration -always applies to the local server, the `hosts` config option is not needed. - -The default datasets are `cpu`, `load`, `memory`, `network`, `process`, and -`process_summary`. If _all_ datasets are disabled -and the System module is still enabled, fleet uses the default datasets. - -Note that certain datasets may access `/proc` to gather process information, -and the resulting `ptrace_may_access()` call by the kernel to check for -permissions can be blocked by -[AppArmor and other LSM software](https://gitlab.com/apparmor/apparmor/wikis/TechnicalDoc_Proc_and_ptrace), even though the System module doesn't use `ptrace` directly. - -In addition, when running inside a container the proc filesystem directory of the host -should be set using `system.hostfs` setting to `/hostfs`. - -## Compatibility - -The System datasets collect different kinds of metric data, which may require dedicated permissions -to be fetched and which may vary across operating systems. - -## Logs - -### Application - -The Windows `application` dataset provides events from the Windows -`Application` event log. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. 
| keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| error.message | Error message. | text | -| event.code | Identification code for this event. | keyword | -| event.created | Time when the event was first read by an agent or by your pipeline. | date | -| event.ingested | Timestamp when an event arrived in the central data store. | date | -| event.original | Raw text message of entire event. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. 
| keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword | -| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword | -| winlog.channel | The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. | keyword | -| winlog.computer_name | The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. | keyword | -| winlog.event_data | The event-specific data. This field is mutually exclusive with `user_data`. 
If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. | object | -| winlog.event_data.AuthenticationPackageName | | keyword | -| winlog.event_data.Binary | | keyword | -| winlog.event_data.BitlockerUserInputTime | | keyword | -| winlog.event_data.BootMode | | keyword | -| winlog.event_data.BootType | | keyword | -| winlog.event_data.BuildVersion | | keyword | -| winlog.event_data.Company | | keyword | -| winlog.event_data.CorruptionActionState | | keyword | -| winlog.event_data.CreationUtcTime | | keyword | -| winlog.event_data.Description | | keyword | -| winlog.event_data.Detail | | keyword | -| winlog.event_data.DeviceName | | keyword | -| winlog.event_data.DeviceNameLength | | keyword | -| winlog.event_data.DeviceTime | | keyword | -| winlog.event_data.DeviceVersionMajor | | keyword | -| winlog.event_data.DeviceVersionMinor | | keyword | -| winlog.event_data.DriveName | | keyword | -| winlog.event_data.DriverName | | keyword | -| winlog.event_data.DriverNameLength | | keyword | -| winlog.event_data.DwordVal | | keyword | -| winlog.event_data.EntryCount | | keyword | -| winlog.event_data.ExtraInfo | | keyword | -| winlog.event_data.FailureName | | keyword | -| winlog.event_data.FailureNameLength | | keyword | -| winlog.event_data.FileVersion | | keyword | -| winlog.event_data.FinalStatus | | keyword | -| winlog.event_data.Group | | keyword | -| winlog.event_data.IdleImplementation | | keyword | -| winlog.event_data.IdleStateCount | | keyword | -| winlog.event_data.ImpersonationLevel | | keyword | -| winlog.event_data.IntegrityLevel | | keyword | -| winlog.event_data.IpAddress | | keyword | -| winlog.event_data.IpPort | | keyword | -| winlog.event_data.KeyLength | | keyword | -| winlog.event_data.LastBootGood | | keyword | -| winlog.event_data.LastShutdownGood | | keyword | -| 
winlog.event_data.LmPackageName | | keyword | -| winlog.event_data.LogonGuid | | keyword | -| winlog.event_data.LogonId | | keyword | -| winlog.event_data.LogonProcessName | | keyword | -| winlog.event_data.LogonType | | keyword | -| winlog.event_data.MajorVersion | | keyword | -| winlog.event_data.MaximumPerformancePercent | | keyword | -| winlog.event_data.MemberName | | keyword | -| winlog.event_data.MemberSid | | keyword | -| winlog.event_data.MinimumPerformancePercent | | keyword | -| winlog.event_data.MinimumThrottlePercent | | keyword | -| winlog.event_data.MinorVersion | | keyword | -| winlog.event_data.NewProcessId | | keyword | -| winlog.event_data.NewProcessName | | keyword | -| winlog.event_data.NewSchemeGuid | | keyword | -| winlog.event_data.NewTime | | keyword | -| winlog.event_data.NominalFrequency | | keyword | -| winlog.event_data.Number | | keyword | -| winlog.event_data.OldSchemeGuid | | keyword | -| winlog.event_data.OldTime | | keyword | -| winlog.event_data.OriginalFileName | | keyword | -| winlog.event_data.Path | | keyword | -| winlog.event_data.PerformanceImplementation | | keyword | -| winlog.event_data.PreviousCreationUtcTime | | keyword | -| winlog.event_data.PreviousTime | | keyword | -| winlog.event_data.PrivilegeList | | keyword | -| winlog.event_data.ProcessId | | keyword | -| winlog.event_data.ProcessName | | keyword | -| winlog.event_data.ProcessPath | | keyword | -| winlog.event_data.ProcessPid | | keyword | -| winlog.event_data.Product | | keyword | -| winlog.event_data.PuaCount | | keyword | -| winlog.event_data.PuaPolicyId | | keyword | -| winlog.event_data.QfeVersion | | keyword | -| winlog.event_data.Reason | | keyword | -| winlog.event_data.SchemaVersion | | keyword | -| winlog.event_data.ScriptBlockText | | keyword | -| winlog.event_data.ServiceName | | keyword | -| winlog.event_data.ServiceVersion | | keyword | -| winlog.event_data.ShutdownActionType | | keyword | -| winlog.event_data.ShutdownEventCode | | keyword | -| 
winlog.event_data.ShutdownReason | | keyword | -| winlog.event_data.Signature | | keyword | -| winlog.event_data.SignatureStatus | | keyword | -| winlog.event_data.Signed | | keyword | -| winlog.event_data.StartTime | | keyword | -| winlog.event_data.State | | keyword | -| winlog.event_data.Status | | keyword | -| winlog.event_data.StopTime | | keyword | -| winlog.event_data.SubjectDomainName | | keyword | -| winlog.event_data.SubjectLogonId | | keyword | -| winlog.event_data.SubjectUserName | | keyword | -| winlog.event_data.SubjectUserSid | | keyword | -| winlog.event_data.TSId | | keyword | -| winlog.event_data.TargetDomainName | | keyword | -| winlog.event_data.TargetInfo | | keyword | -| winlog.event_data.TargetLogonGuid | | keyword | -| winlog.event_data.TargetLogonId | | keyword | -| winlog.event_data.TargetServerName | | keyword | -| winlog.event_data.TargetUserName | | keyword | -| winlog.event_data.TargetUserSid | | keyword | -| winlog.event_data.TerminalSessionId | | keyword | -| winlog.event_data.TokenElevationType | | keyword | -| winlog.event_data.TransmittedServices | | keyword | -| winlog.event_data.UserSid | | keyword | -| winlog.event_data.Version | | keyword | -| winlog.event_data.Workstation | | keyword | -| winlog.event_data.param1 | | keyword | -| winlog.event_data.param2 | | keyword | -| winlog.event_data.param3 | | keyword | -| winlog.event_data.param4 | | keyword | -| winlog.event_data.param5 | | keyword | -| winlog.event_data.param6 | | keyword | -| winlog.event_data.param7 | | keyword | -| winlog.event_data.param8 | | keyword | -| winlog.event_id | The event identifier. The value is specific to the source of the event. | keyword | -| winlog.keywords | The keywords are used to classify an event. | keyword | -| winlog.opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. 
| keyword | -| winlog.process.pid | The process_id of the Client Server Runtime Process. | long | -| winlog.process.thread.id | | long | -| winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. | keyword | -| winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword | -| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | keyword | -| winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. | keyword | -| winlog.task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. | keyword | -| winlog.user.domain | The domain that the account associated with this event is a member of. | keyword | -| winlog.user.identifier | The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. | keyword | -| winlog.user.name | Name of the user associated with this event. | keyword | -| winlog.user.type | The type of account associated with this event. | keyword | -| winlog.user_data | The event specific data. This field is mutually exclusive with `event_data`. 
| object | -| winlog.version | The version number of the event's definition. | long | - - -### System - -The Windows `system` dataset provides events from the Windows `System` -event log. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| error.message | Error message. | text | -| event.created | Time when the event was first read by an agent or by your pipeline. | date | -| event.ingested | Timestamp when an event arrived in the central data store. | date | -| event.original | Raw text message of entire event. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. 
| boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword | -| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. 
The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword | -| winlog.channel | The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. | keyword | -| winlog.computer_name | The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. | keyword | -| winlog.event_data | The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. | object | -| winlog.event_data.AuthenticationPackageName | | keyword | -| winlog.event_data.Binary | | keyword | -| winlog.event_data.BitlockerUserInputTime | | keyword | -| winlog.event_data.BootMode | | keyword | -| winlog.event_data.BootType | | keyword | -| winlog.event_data.BuildVersion | | keyword | -| winlog.event_data.Company | | keyword | -| winlog.event_data.CorruptionActionState | | keyword | -| winlog.event_data.CreationUtcTime | | keyword | -| winlog.event_data.Description | | keyword | -| winlog.event_data.Detail | | keyword | -| winlog.event_data.DeviceName | | keyword | -| winlog.event_data.DeviceNameLength | | keyword | -| winlog.event_data.DeviceTime | | keyword | -| winlog.event_data.DeviceVersionMajor | | keyword | -| winlog.event_data.DeviceVersionMinor | | keyword | -| winlog.event_data.DriveName | | keyword | -| winlog.event_data.DriverName | | keyword | -| winlog.event_data.DriverNameLength | | keyword | -| winlog.event_data.DwordVal | | keyword | -| 
winlog.event_data.EntryCount | | keyword | -| winlog.event_data.ExtraInfo | | keyword | -| winlog.event_data.FailureName | | keyword | -| winlog.event_data.FailureNameLength | | keyword | -| winlog.event_data.FileVersion | | keyword | -| winlog.event_data.FinalStatus | | keyword | -| winlog.event_data.Group | | keyword | -| winlog.event_data.IdleImplementation | | keyword | -| winlog.event_data.IdleStateCount | | keyword | -| winlog.event_data.ImpersonationLevel | | keyword | -| winlog.event_data.IntegrityLevel | | keyword | -| winlog.event_data.IpAddress | | keyword | -| winlog.event_data.IpPort | | keyword | -| winlog.event_data.KeyLength | | keyword | -| winlog.event_data.LastBootGood | | keyword | -| winlog.event_data.LastShutdownGood | | keyword | -| winlog.event_data.LmPackageName | | keyword | -| winlog.event_data.LogonGuid | | keyword | -| winlog.event_data.LogonId | | keyword | -| winlog.event_data.LogonProcessName | | keyword | -| winlog.event_data.LogonType | | keyword | -| winlog.event_data.MajorVersion | | keyword | -| winlog.event_data.MaximumPerformancePercent | | keyword | -| winlog.event_data.MemberName | | keyword | -| winlog.event_data.MemberSid | | keyword | -| winlog.event_data.MinimumPerformancePercent | | keyword | -| winlog.event_data.MinimumThrottlePercent | | keyword | -| winlog.event_data.MinorVersion | | keyword | -| winlog.event_data.NewProcessId | | keyword | -| winlog.event_data.NewProcessName | | keyword | -| winlog.event_data.NewSchemeGuid | | keyword | -| winlog.event_data.NewTime | | keyword | -| winlog.event_data.NominalFrequency | | keyword | -| winlog.event_data.Number | | keyword | -| winlog.event_data.OldSchemeGuid | | keyword | -| winlog.event_data.OldTime | | keyword | -| winlog.event_data.OriginalFileName | | keyword | -| winlog.event_data.Path | | keyword | -| winlog.event_data.PerformanceImplementation | | keyword | -| winlog.event_data.PreviousCreationUtcTime | | keyword | -| winlog.event_data.PreviousTime | | keyword | 
-| winlog.event_data.PrivilegeList | | keyword | -| winlog.event_data.ProcessId | | keyword | -| winlog.event_data.ProcessName | | keyword | -| winlog.event_data.ProcessPath | | keyword | -| winlog.event_data.ProcessPid | | keyword | -| winlog.event_data.Product | | keyword | -| winlog.event_data.PuaCount | | keyword | -| winlog.event_data.PuaPolicyId | | keyword | -| winlog.event_data.QfeVersion | | keyword | -| winlog.event_data.Reason | | keyword | -| winlog.event_data.SchemaVersion | | keyword | -| winlog.event_data.ScriptBlockText | | keyword | -| winlog.event_data.ServiceName | | keyword | -| winlog.event_data.ServiceVersion | | keyword | -| winlog.event_data.ShutdownActionType | | keyword | -| winlog.event_data.ShutdownEventCode | | keyword | -| winlog.event_data.ShutdownReason | | keyword | -| winlog.event_data.Signature | | keyword | -| winlog.event_data.SignatureStatus | | keyword | -| winlog.event_data.Signed | | keyword | -| winlog.event_data.StartTime | | keyword | -| winlog.event_data.State | | keyword | -| winlog.event_data.Status | | keyword | -| winlog.event_data.StopTime | | keyword | -| winlog.event_data.SubjectDomainName | | keyword | -| winlog.event_data.SubjectLogonId | | keyword | -| winlog.event_data.SubjectUserName | | keyword | -| winlog.event_data.SubjectUserSid | | keyword | -| winlog.event_data.TSId | | keyword | -| winlog.event_data.TargetDomainName | | keyword | -| winlog.event_data.TargetInfo | | keyword | -| winlog.event_data.TargetLogonGuid | | keyword | -| winlog.event_data.TargetLogonId | | keyword | -| winlog.event_data.TargetServerName | | keyword | -| winlog.event_data.TargetUserName | | keyword | -| winlog.event_data.TargetUserSid | | keyword | -| winlog.event_data.TerminalSessionId | | keyword | -| winlog.event_data.TokenElevationType | | keyword | -| winlog.event_data.TransmittedServices | | keyword | -| winlog.event_data.UserSid | | keyword | -| winlog.event_data.Version | | keyword | -| winlog.event_data.Workstation | | 
keyword | -| winlog.event_data.param1 | | keyword | -| winlog.event_data.param2 | | keyword | -| winlog.event_data.param3 | | keyword | -| winlog.event_data.param4 | | keyword | -| winlog.event_data.param5 | | keyword | -| winlog.event_data.param6 | | keyword | -| winlog.event_data.param7 | | keyword | -| winlog.event_data.param8 | | keyword | -| winlog.event_id | The event identifier. The value is specific to the source of the event. | keyword | -| winlog.keywords | The keywords are used to classify an event. | keyword | -| winlog.opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. | keyword | -| winlog.process.pid | The process_id of the Client Server Runtime Process. | long | -| winlog.process.thread.id | | long | -| winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. | keyword | -| winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword | -| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | keyword | -| winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. | keyword | -| winlog.task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. 
| keyword | -| winlog.user.domain | The domain that the account associated with this event is a member of. | keyword | -| winlog.user.identifier | The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. | keyword | -| winlog.user.name | Name of the user associated with this event. | keyword | -| winlog.user.type | The type of account associated with this event. | keyword | -| winlog.user_data | The event specific data. This field is mutually exclusive with `event_data`. | object | -| winlog.version | The version number of the event's definition. | long | - - - -### Security - -The Windows `security` dataset provides events from the Windows -`Security` event log. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. 
| keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset name. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| dataset.name | Dataset name. | constant_keyword | -| dataset.namespace | Dataset namespace. | constant_keyword | -| dataset.type | Dataset type. | constant_keyword | -| event.action | The action captured by the event. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. | keyword | -| event.code | Identification code for this event, if one exists. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. | date | -| event.ingested | Timestamp when an event arrived in the central data store. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. | keyword | -| event.module | Name of the module this data is coming from. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. | keyword | -| event.provider | Source of the event. | keyword | -| event.sequence | Sequence number of the event. | long | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. | keyword | -| group.domain | Name of the directory the group is a member of. | keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. 
| boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| log.level | Original log level of the log event. | keyword | -| process.args | Array of process arguments, starting with the absolute path to the executable. | keyword | -| process.args_count | Length of the process.args array. | long | -| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. 
| keyword | -| process.entity_id | Unique identifier for the process. | keyword | -| process.executable | Absolute path to the process executable. | keyword | -| process.name | Process name. | keyword | -| process.parent.executable | Absolute path to the process executable. | keyword | -| process.parent.name | Process name. | keyword | -| process.pid | Process PID. | long | -| process.title | Process title. | keyword | -| related.hash | | keyword | -| related.hosts | | keyword | -| related.ip | | ip | -| related.user | | keyword | -| service.name | Name of the service data is collected from. | keyword | -| service.type | The type of the service data is collected from. | keyword | -| source.domain | Source domain. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| user.domain | Name of the directory the user is a member of. | keyword | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.target.group.domain | Name of the directory the group is a member of. | keyword | -| user.target.group.id | Unique identifier for the group on the system/platform. | keyword | -| user.target.group.name | Name of the group. | keyword | -| user.target.name | Short name or login of the user. | keyword | -| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword | -| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. 
Winlogbeat automatically detects which API to use for reading event logs. | keyword | -| winlog.channel | The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. | keyword | -| winlog.computer_name | The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. | keyword | -| winlog.event_data | The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. | object | -| winlog.event_data.AuthenticationPackageName | | keyword | -| winlog.event_data.Binary | | keyword | -| winlog.event_data.BitlockerUserInputTime | | keyword | -| winlog.event_data.BootMode | | keyword | -| winlog.event_data.BootType | | keyword | -| winlog.event_data.BuildVersion | | keyword | -| winlog.event_data.Company | | keyword | -| winlog.event_data.CorruptionActionState | | keyword | -| winlog.event_data.CreationUtcTime | | keyword | -| winlog.event_data.Description | | keyword | -| winlog.event_data.Detail | | keyword | -| winlog.event_data.DeviceName | | keyword | -| winlog.event_data.DeviceNameLength | | keyword | -| winlog.event_data.DeviceTime | | keyword | -| winlog.event_data.DeviceVersionMajor | | keyword | -| winlog.event_data.DeviceVersionMinor | | keyword | -| winlog.event_data.DriveName | | keyword | -| winlog.event_data.DriverName | | keyword | -| winlog.event_data.DriverNameLength | | keyword | -| winlog.event_data.DwordVal | | keyword | -| winlog.event_data.EntryCount | | keyword | -| winlog.event_data.ExtraInfo | | keyword | -| winlog.event_data.FailureName | | keyword | -| winlog.event_data.FailureNameLength | | keyword | -| winlog.event_data.FileVersion | | keyword | -| 
winlog.event_data.FinalStatus | | keyword | -| winlog.event_data.Group | | keyword | -| winlog.event_data.IdleImplementation | | keyword | -| winlog.event_data.IdleStateCount | | keyword | -| winlog.event_data.ImpersonationLevel | | keyword | -| winlog.event_data.IntegrityLevel | | keyword | -| winlog.event_data.IpAddress | | keyword | -| winlog.event_data.IpPort | | keyword | -| winlog.event_data.KeyLength | | keyword | -| winlog.event_data.LastBootGood | | keyword | -| winlog.event_data.LastShutdownGood | | keyword | -| winlog.event_data.LmPackageName | | keyword | -| winlog.event_data.LogonGuid | | keyword | -| winlog.event_data.LogonId | | keyword | -| winlog.event_data.LogonProcessName | | keyword | -| winlog.event_data.LogonType | | keyword | -| winlog.event_data.MajorVersion | | keyword | -| winlog.event_data.MaximumPerformancePercent | | keyword | -| winlog.event_data.MemberName | | keyword | -| winlog.event_data.MemberSid | | keyword | -| winlog.event_data.MinimumPerformancePercent | | keyword | -| winlog.event_data.MinimumThrottlePercent | | keyword | -| winlog.event_data.MinorVersion | | keyword | -| winlog.event_data.NewProcessId | | keyword | -| winlog.event_data.NewProcessName | | keyword | -| winlog.event_data.NewSchemeGuid | | keyword | -| winlog.event_data.NewTime | | keyword | -| winlog.event_data.NominalFrequency | | keyword | -| winlog.event_data.Number | | keyword | -| winlog.event_data.OldSchemeGuid | | keyword | -| winlog.event_data.OldTime | | keyword | -| winlog.event_data.OriginalFileName | | keyword | -| winlog.event_data.Path | | keyword | -| winlog.event_data.PerformanceImplementation | | keyword | -| winlog.event_data.PreviousCreationUtcTime | | keyword | -| winlog.event_data.PreviousTime | | keyword | -| winlog.event_data.PrivilegeList | | keyword | -| winlog.event_data.ProcessId | | keyword | -| winlog.event_data.ProcessName | | keyword | -| winlog.event_data.ProcessPath | | keyword | -| winlog.event_data.ProcessPid | | keyword | -| 
winlog.event_data.Product | | keyword | -| winlog.event_data.PuaCount | | keyword | -| winlog.event_data.PuaPolicyId | | keyword | -| winlog.event_data.QfeVersion | | keyword | -| winlog.event_data.Reason | | keyword | -| winlog.event_data.SchemaVersion | | keyword | -| winlog.event_data.ScriptBlockText | | keyword | -| winlog.event_data.ServiceName | | keyword | -| winlog.event_data.ServiceVersion | | keyword | -| winlog.event_data.ShutdownActionType | | keyword | -| winlog.event_data.ShutdownEventCode | | keyword | -| winlog.event_data.ShutdownReason | | keyword | -| winlog.event_data.Signature | | keyword | -| winlog.event_data.SignatureStatus | | keyword | -| winlog.event_data.Signed | | keyword | -| winlog.event_data.StartTime | | keyword | -| winlog.event_data.State | | keyword | -| winlog.event_data.Status | | keyword | -| winlog.event_data.StopTime | | keyword | -| winlog.event_data.SubjectDomainName | | keyword | -| winlog.event_data.SubjectLogonId | | keyword | -| winlog.event_data.SubjectUserName | | keyword | -| winlog.event_data.SubjectUserSid | | keyword | -| winlog.event_data.TSId | | keyword | -| winlog.event_data.TargetDomainName | | keyword | -| winlog.event_data.TargetInfo | | keyword | -| winlog.event_data.TargetLogonGuid | | keyword | -| winlog.event_data.TargetLogonId | | keyword | -| winlog.event_data.TargetServerName | | keyword | -| winlog.event_data.TargetUserName | | keyword | -| winlog.event_data.TargetUserSid | | keyword | -| winlog.event_data.TerminalSessionId | | keyword | -| winlog.event_data.TokenElevationType | | keyword | -| winlog.event_data.TransmittedServices | | keyword | -| winlog.event_data.UserSid | | keyword | -| winlog.event_data.Version | | keyword | -| winlog.event_data.Workstation | | keyword | -| winlog.event_data.param1 | | keyword | -| winlog.event_data.param2 | | keyword | -| winlog.event_data.param3 | | keyword | -| winlog.event_data.param4 | | keyword | -| winlog.event_data.param5 | | keyword | -| 
winlog.event_data.param6 | | keyword | -| winlog.event_data.param7 | | keyword | -| winlog.event_data.param8 | | keyword | -| winlog.event_id | The event identifier. The value is specific to the source of the event. | keyword | -| winlog.keywords | The keywords are used to classify an event. | keyword | -| winlog.logon.failure.reason | The reason the logon failed. | keyword | -| winlog.logon.failure.status | The reason the logon failed. This is textual description based on the value of the hexadecimal `Status` field. | keyword | -| winlog.logon.failure.sub_status | Additional information about the logon failure. This is a textual description based on the value of the hexidecimal `SubStatus` field. | keyword | -| winlog.logon.id | Logon ID that can be used to associate this logon with other events related to the same logon session. | keyword | -| winlog.logon.type | Logon type name. This is the descriptive version of the `winlog.event_data.LogonType` ordinal. This is an enrichment added by the Security module. | keyword | -| winlog.opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. | keyword | -| winlog.process.pid | The process_id of the Client Server Runtime Process. | long | -| winlog.process.thread.id | | long | -| winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. | keyword | -| winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword | -| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. 
| keyword | -| winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. | keyword | -| winlog.task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. | keyword | -| winlog.user.domain | The domain that the account associated with this event is a member of. | keyword | -| winlog.user.identifier | The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. | keyword | -| winlog.user.name | Name of the user associated with this event. | keyword | -| winlog.user.type | The type of account associated with this event. | keyword | -| winlog.user_data | The event specific data. This field is mutually exclusive with `event_data`. | object | -| winlog.version | The version number of the event's definition. | long | - - -### Auth - -The `auth` dataset provides auth logs on linux and MacOS prior to 10.8. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. 
| keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| error.message | Error message. | text | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the directory the group is a member of. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). 
| keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.pid | Process id. | long | -| related.hosts | All the host names seen on your event. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names seen on your event. | keyword | -| source.as.number | Unique number allocated to the autonomous system. | long | -| source.as.organization.name | Organization name. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. 
| long | -| system.auth.ssh.dropped_ip | The client IP from SSH connections that are open and immediately dropped. | ip | -| system.auth.ssh.event | The SSH event as found in the logs (Accepted, Invalid, Failed, etc.) | keyword | -| system.auth.ssh.method | The SSH authentication method. Can be one of "password" or "publickey". | keyword | -| system.auth.ssh.signature | The signature of the client public key. | keyword | -| system.auth.sudo.command | The command executed via sudo. | keyword | -| system.auth.sudo.error | The error message in case the sudo command failed. | keyword | -| system.auth.sudo.pwd | The current directory where the sudo command is executed. | keyword | -| system.auth.sudo.tty | The TTY where the sudo command is executed. | keyword | -| system.auth.sudo.user | The target user to which the sudo command is switching. | keyword | -| system.auth.useradd.home | The home folder for the new user. | keyword | -| system.auth.useradd.shell | The default shell for the new user. | keyword | -| user.effective.name | Short name or login of the user. | keyword | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| version | Operating system version as a raw string. | keyword | - - -### syslog - -The `syslog` dataset provides system logs on linux and MacOS. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). 
| keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.pid | Process id. | long | -| version | Operating system version as a raw string. | keyword | - - -## Metrics - -### Core - -The System `core` dataset provides usage statistics for each CPU core. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- OpenBSD -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. 
| keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip address. | ip | -| host.mac | Host mac address. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.full | Operating system name, including the version or code name. 
| keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. | keyword | -| system.core.id | CPU Core number. | keyword | -| system.core.idle.pct | The percentage of CPU time spent idle. | scaled_float | -| system.core.idle.ticks | The amount of CPU time spent idle. | long | -| system.core.iowait.pct | The percentage of CPU time spent in wait (on disk). | scaled_float | -| system.core.iowait.ticks | The amount of CPU time spent in wait (on disk). | long | -| system.core.irq.pct | The percentage of CPU time spent servicing and handling hardware interrupts. | scaled_float | -| system.core.irq.ticks | The amount of CPU time spent servicing and handling hardware interrupts. | long | -| system.core.nice.pct | The percentage of CPU time spent on low-priority processes. | scaled_float | -| system.core.nice.ticks | The amount of CPU time spent on low-priority processes. | long | -| system.core.softirq.pct | The percentage of CPU time spent servicing and handling software interrupts. | scaled_float | -| system.core.softirq.ticks | The amount of CPU time spent servicing and handling software interrupts. | long | -| system.core.steal.pct | The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | scaled_float | -| system.core.steal.ticks | The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | long | -| system.core.system.pct | The percentage of CPU time spent in kernel space. | scaled_float | -| system.core.system.ticks | The amount of CPU time spent in kernel space. 
| long | -| system.core.user.pct | The percentage of CPU time spent in user space. | scaled_float | -| system.core.user.ticks | The amount of CPU time spent in user space. | long | - - -### CPU - -The System `cpu` dataset provides CPU statistics. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- OpenBSD -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.cpu.pct | Percent CPU used. This value is normalized by the number of CPU cores and it ranges from 0 to 1. 
| scaled_float | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip address. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| system.cpu.cores | The number of CPU cores present on the host. The non-normalized percentages will have a maximum value of `100% * cores`. The normalized percentages already take this value into account and have a maximum value of 100%. | long | -| system.cpu.idle.norm.pct | The percentage of CPU time spent idle. 
| scaled_float | -| system.cpu.idle.pct | The percentage of CPU time spent idle. | scaled_float | -| system.cpu.idle.ticks | The amount of CPU time spent idle. | long | -| system.cpu.iowait.norm.pct | The percentage of CPU time spent in wait (on disk). | scaled_float | -| system.cpu.iowait.pct | The percentage of CPU time spent in wait (on disk). | scaled_float | -| system.cpu.iowait.ticks | The amount of CPU time spent in wait (on disk). | long | -| system.cpu.irq.norm.pct | The percentage of CPU time spent servicing and handling hardware interrupts. | scaled_float | -| system.cpu.irq.pct | The percentage of CPU time spent servicing and handling hardware interrupts. | scaled_float | -| system.cpu.irq.ticks | The amount of CPU time spent servicing and handling hardware interrupts. | long | -| system.cpu.nice.norm.pct | The percentage of CPU time spent on low-priority processes. | scaled_float | -| system.cpu.nice.pct | The percentage of CPU time spent on low-priority processes. | scaled_float | -| system.cpu.nice.ticks | The amount of CPU time spent on low-priority processes. | long | -| system.cpu.softirq.norm.pct | The percentage of CPU time spent servicing and handling software interrupts. | scaled_float | -| system.cpu.softirq.pct | The percentage of CPU time spent servicing and handling software interrupts. | scaled_float | -| system.cpu.softirq.ticks | The amount of CPU time spent servicing and handling software interrupts. | long | -| system.cpu.steal.norm.pct | The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | scaled_float | -| system.cpu.steal.pct | The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. 
| scaled_float | -| system.cpu.steal.ticks | The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | long | -| system.cpu.system.norm.pct | The percentage of CPU time spent in kernel space. | scaled_float | -| system.cpu.system.pct | The percentage of CPU time spent in kernel space. | scaled_float | -| system.cpu.system.ticks | The amount of CPU time spent in kernel space. | long | -| system.cpu.total.norm.pct | The percentage of CPU time in states other than Idle and IOWait, normalised by the number of cores. | scaled_float | -| system.cpu.total.pct | The percentage of CPU time spent in states other than Idle and IOWait. | scaled_float | -| system.cpu.user.norm.pct | The percentage of CPU time spent in user space. | scaled_float | -| system.cpu.user.pct | The percentage of CPU time spent in user space. On multi-core systems, you can have percentages that are greater than 100%. For example, if 3 cores are at 60% use, then the `system.cpu.user.pct` will be 180%. | scaled_float | -| system.cpu.user.ticks | The amount of CPU time spent in user space. | long | - - -### Disk IO - -The System `diskio` dataset provides disk IO metrics collected from the -operating system. One event is created for each disk mounted on the system. - -This dataset is available on: - -- Linux -- macOS (requires 10.10+) -- Windows -- FreeBSD (amd64) - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. 
| keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.disk.read.bytes | The total number of bytes read successfully in a given period of time. | scaled_float | -| host.disk.write.bytes | The total number of bytes write successfully in a given period of time. | scaled_float | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. 
The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| system.diskio.io.time | The total number of of milliseconds spent doing I/Os. | long | -| system.diskio.iostat.await | The average time spent for requests issued to the device to be served. | float | -| system.diskio.iostat.busy | Percentage of CPU time during which I/O requests were issued to the device (bandwidth utilization for the device). Device saturation occurs when this value is close to 100%. | float | -| system.diskio.iostat.queue.avg_size | The average queue length of the requests that were issued to the device. | float | -| system.diskio.iostat.read.await | The average time spent for read requests issued to the device to be served. | float | -| system.diskio.iostat.read.per_sec.bytes | The number of Bytes read from the device per second. | float | -| system.diskio.iostat.read.request.merges_per_sec | The number of read requests merged per second that were queued to the device. 
| float | -| system.diskio.iostat.read.request.per_sec | The number of read requests that were issued to the device per second | float | -| system.diskio.iostat.request.avg_size | The average size (in bytes) of the requests that were issued to the device. | float | -| system.diskio.iostat.service_time | The average service time (in milliseconds) for I/O requests that were issued to the device. | float | -| system.diskio.iostat.write.await | The average time spent for write requests issued to the device to be served. | float | -| system.diskio.iostat.write.per_sec.bytes | The number of Bytes write from the device per second. | float | -| system.diskio.iostat.write.request.merges_per_sec | The number of write requests merged per second that were queued to the device. | float | -| system.diskio.iostat.write.request.per_sec | The number of write requests that were issued to the device per second | float | -| system.diskio.name | The disk name. | keyword | -| system.diskio.read.bytes | The total number of bytes read successfully. On Linux this is the number of sectors read multiplied by an assumed sector size of 512. | long | -| system.diskio.read.count | The total number of reads completed successfully. | long | -| system.diskio.read.time | The total number of milliseconds spent by all reads. | long | -| system.diskio.serial_number | The disk's serial number. This may not be provided by all operating systems. | keyword | -| system.diskio.write.bytes | The total number of bytes written successfully. On Linux this is the number of sectors written multiplied by an assumed sector size of 512. | long | -| system.diskio.write.count | The total number of writes completed successfully. | long | -| system.diskio.write.time | The total number of milliseconds spent by all writes. | long | - - -### Filesystem - -The System `filesystem` dataset provides file system statistics. For each file -system, one document is provided. 
- -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- OpenBSD -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. 
As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| system.filesystem.available | The disk space available to an unprivileged user in bytes. | long | -| system.filesystem.device_name | The disk name. For example: `/dev/disk1` | keyword | -| system.filesystem.files | The total number of file nodes in the file system. | long | -| system.filesystem.free | The disk space available in bytes. | long | -| system.filesystem.free_files | The number of free file nodes in the file system. | long | -| system.filesystem.mount_point | The mounting point. For example: `/` | keyword | -| system.filesystem.total | The total disk space in bytes. | long | -| system.filesystem.type | The disk type. For example: `ext4` | keyword | -| system.filesystem.used.bytes | The used disk space in bytes. | long | -| system.filesystem.used.pct | The percentage of used disk space. 
| scaled_float | - - -### Fsstat - -The System `fsstat` dataset provides overall file system statistics. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- OpenBSD -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. 
It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. | keyword | -| system.fsstat.count | Number of file systems found. | long | -| system.fsstat.total_files | Total number of files. | long | -| system.fsstat.total_size.free | Total free space. | long | -| system.fsstat.total_size.total | Total space (used plus free). | long | -| system.fsstat.total_size.used | Total used space. | long | - - -### Load - -The System `load` dataset provides load statistics. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- OpenBSD - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac address. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. 
The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. | keyword | -| system.load.1 | Load average for the last minute. | scaled_float | -| system.load.15 | Load average for the last 15 minutes. | scaled_float | -| system.load.5 | Load average for the last 5 minutes. | scaled_float | -| system.load.cores | The number of CPU cores present on the host. | long | -| system.load.norm.1 | Load for the last minute divided by the number of cores. | scaled_float | -| system.load.norm.15 | Load for the last 15 minutes divided by the number of cores. | scaled_float | -| system.load.norm.5 | Load for the last 5 minutes divided by the number of cores. | scaled_float | - - -### Memory - -The System `memory` dataset provides memory statistics. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- OpenBSD -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. 
| keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip address. | ip | -| host.mac | Host mac address. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). 
| keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| system.memory.actual.free | Actual free memory in bytes. It is calculated based on the OS. On Linux this value will be MemAvailable from /proc/meminfo, or calculated from free memory plus caches and buffers if /proc/meminfo is not available. On OSX it is a sum of free memory and the inactive memory. On Windows, it is equal to `system.memory.free`. | long | -| system.memory.actual.used.bytes | Actual used memory in bytes. It represents the difference between the total and the available memory. The available memory depends on the OS. For more details, please check `system.actual.free`. | long | -| system.memory.actual.used.pct | The percentage of actual used memory. | scaled_float | -| system.memory.free | The total amount of free memory in bytes. This value does not include memory consumed by system caches and buffers (see system.memory.actual.free). | long | -| system.memory.hugepages.default_size | Default size for huge pages. | long | -| system.memory.hugepages.free | Number of available huge pages in the pool. | long | -| system.memory.hugepages.reserved | Number of reserved but not allocated huge pages in the pool. | long | -| system.memory.hugepages.surplus | Number of overcommited huge pages. 
| long | -| system.memory.hugepages.swap.out.fallback | Count of huge pages that must be split before swapout | long | -| system.memory.hugepages.swap.out.pages | pages swapped out | long | -| system.memory.hugepages.total | Number of huge pages in the pool. | long | -| system.memory.hugepages.used.bytes | Memory used in allocated huge pages. | long | -| system.memory.hugepages.used.pct | Percentage of huge pages used. | long | -| system.memory.page_stats.direct_efficiency.pct | direct reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory. | scaled_float | -| system.memory.page_stats.kswapd_efficiency.pct | kswapd reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory. | scaled_float | -| system.memory.page_stats.pgfree.pages | pages freed by the system | long | -| system.memory.page_stats.pgscan_direct.pages | pages scanned directly | long | -| system.memory.page_stats.pgscan_kswapd.pages | pages scanned by kswapd | long | -| system.memory.page_stats.pgsteal_direct.pages | number of pages reclaimed directly | long | -| system.memory.page_stats.pgsteal_kswapd.pages | number of pages reclaimed by kswapd | long | -| system.memory.swap.free | Available swap memory. | long | -| system.memory.swap.in.pages | count of pages swapped in | long | -| system.memory.swap.out.pages | count of pages swapped out | long | -| system.memory.swap.readahead.cached | swap readahead cache hits | long | -| system.memory.swap.readahead.pages | swap readahead pages | long | -| system.memory.swap.total | Total swap memory. | long | -| system.memory.swap.used.bytes | Used swap memory. | long | -| system.memory.swap.used.pct | The percentage of used swap memory. | scaled_float | -| system.memory.total | Total memory. | long | -| system.memory.used.bytes | Used memory. | long | -| system.memory.used.pct | The percentage of used memory. 
| scaled_float | - - -### Network - -The System `network` dataset provides network IO metrics collected from the -operating system. One event is created for each network interface. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. 
| constant_keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.network.in.bytes | The number of bytes received on all network interfaces by the host in a given period of time. | scaled_float | -| host.network.in.packets | The number of packets received on all network interfaces by the host in a given period of time. | long | -| host.network.out.bytes | The number of bytes sent out on all network interfaces by the host in a given period of time. | scaled_float | -| host.network.out.packets | The number of packets sent out on all network interfaces by the host in a given period of time. | long | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. 
| keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.pid | Process id. | long | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| system.network.in.bytes | The number of bytes received. | long | -| system.network.in.dropped | The number of incoming packets that were dropped. | long | -| system.network.in.errors | The number of errors while receiving. | long | -| system.network.in.packets | The number or packets received. | long | -| system.network.name | The network interface name. | keyword | -| system.network.out.bytes | The number of bytes sent. | long | -| system.network.out.dropped | The number of outgoing packets that were dropped. This value is always 0 on Darwin and BSD because it is not reported by the operating system. | long | -| system.network.out.errors | The number of errors while sending. 
| long | -| system.network.out.packets | The number of packets sent. | long | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | - - -### Process - -The System `process` dataset provides process statistics. One document is -provided for each process. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip address. | ip | -| host.mac | Host mac address. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| process.cpu.pct | The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 1. | scaled_float | -| process.cpu.start_time | The time when the process was started. | date | -| process.memory.pct | The percentage of memory the process occupied in main memory (RAM). | scaled_float | -| process.name | Process name. 
Sometimes called program name or similar. | keyword | -| process.pgid | Identifier of the group of processes the process belongs to. | long | -| process.pid | Process id. | long | -| process.ppid | Parent process' pid. | long | -| process.state | The process state. For example: "running". | keyword | -| process.working_directory | The working directory of the process. | keyword | -| system.process.cgroup.blkio.id | ID of the cgroup. | keyword | -| system.process.cgroup.blkio.path | Path to the cgroup relative to the cgroup subsystems mountpoint. | keyword | -| system.process.cgroup.blkio.total.bytes | Total number of bytes transferred to and from all block devices by processes in the cgroup. | long | -| system.process.cgroup.blkio.total.ios | Total number of I/O operations performed on all devices by processes in the cgroup as seen by the throttling policy. | long | -| system.process.cgroup.cpu.cfs.period.us | Period of time in microseconds for how regularly a cgroup's access to CPU resources should be reallocated. | long | -| system.process.cgroup.cpu.cfs.quota.us | Total amount of time in microseconds for which all tasks in a cgroup can run during one period (as defined by cfs.period.us). | long | -| system.process.cgroup.cpu.cfs.shares | An integer value that specifies a relative share of CPU time available to the tasks in a cgroup. The value specified in the cpu.shares file must be 2 or higher. | long | -| system.process.cgroup.cpu.id | ID of the cgroup. | keyword | -| system.process.cgroup.cpu.path | Path to the cgroup relative to the cgroup subsystem's mountpoint. | keyword | -| system.process.cgroup.cpu.rt.period.us | Period of time in microseconds for how regularly a cgroup's access to CPU resources is reallocated. | long | -| system.process.cgroup.cpu.rt.runtime.us | Period of time in microseconds for the longest continuous period in which the tasks in a cgroup have access to CPU resources. 
| long | -| system.process.cgroup.cpu.stats.periods | Number of period intervals (as specified in cpu.cfs.period.us) that have elapsed. | long | -| system.process.cgroup.cpu.stats.throttled.ns | The total time duration (in nanoseconds) for which tasks in a cgroup have been throttled. | long | -| system.process.cgroup.cpu.stats.throttled.periods | Number of times tasks in a cgroup have been throttled (that is, not allowed to run because they have exhausted all of the available time as specified by their quota). | long | -| system.process.cgroup.cpuacct.id | ID of the cgroup. | keyword | -| system.process.cgroup.cpuacct.path | Path to the cgroup relative to the cgroup subsystem's mountpoint. | keyword | -| system.process.cgroup.cpuacct.percpu | CPU time (in nanoseconds) consumed on each CPU by all tasks in this cgroup. | object | -| system.process.cgroup.cpuacct.stats.system.ns | CPU time consumed by tasks in user (kernel) mode. | long | -| system.process.cgroup.cpuacct.stats.user.ns | CPU time consumed by tasks in user mode. | long | -| system.process.cgroup.cpuacct.total.ns | Total CPU time in nanoseconds consumed by all tasks in the cgroup. | long | -| system.process.cgroup.id | The ID common to all cgroups associated with this task. If there isn't a common ID used by all cgroups this field will be absent. | keyword | -| system.process.cgroup.memory.id | ID of the cgroup. | keyword | -| system.process.cgroup.memory.kmem.failures | The number of times that the memory limit (kmem.limit.bytes) was reached. | long | -| system.process.cgroup.memory.kmem.limit.bytes | The maximum amount of kernel memory that tasks in the cgroup are allowed to use. | long | -| system.process.cgroup.memory.kmem.usage.bytes | Total kernel memory usage by processes in the cgroup (in bytes). | long | -| system.process.cgroup.memory.kmem.usage.max.bytes | The maximum kernel memory used by processes in the cgroup (in bytes). 
| long | -| system.process.cgroup.memory.kmem_tcp.failures | The number of times that the memory limit (kmem_tcp.limit.bytes) was reached. | long | -| system.process.cgroup.memory.kmem_tcp.limit.bytes | The maximum amount of memory for TCP buffers that tasks in the cgroup are allowed to use. | long | -| system.process.cgroup.memory.kmem_tcp.usage.bytes | Total memory usage for TCP buffers in bytes. | long | -| system.process.cgroup.memory.kmem_tcp.usage.max.bytes | The maximum memory used for TCP buffers by processes in the cgroup (in bytes). | long | -| system.process.cgroup.memory.mem.failures | The number of times that the memory limit (mem.limit.bytes) was reached. | long | -| system.process.cgroup.memory.mem.limit.bytes | The maximum amount of user memory in bytes (including file cache) that tasks in the cgroup are allowed to use. | long | -| system.process.cgroup.memory.mem.usage.bytes | Total memory usage by processes in the cgroup (in bytes). | long | -| system.process.cgroup.memory.mem.usage.max.bytes | The maximum memory used by processes in the cgroup (in bytes). | long | -| system.process.cgroup.memory.memsw.failures | The number of times that the memory plus swap space limit (memsw.limit.bytes) was reached. | long | -| system.process.cgroup.memory.memsw.limit.bytes | The maximum amount for the sum of memory and swap usage that tasks in the cgroup are allowed to use. | long | -| system.process.cgroup.memory.memsw.usage.bytes | The sum of current memory usage plus swap space used by processes in the cgroup (in bytes). | long | -| system.process.cgroup.memory.memsw.usage.max.bytes | The maximum amount of memory and swap space used by processes in the cgroup (in bytes). | long | -| system.process.cgroup.memory.path | Path to the cgroup relative to the cgroup subsystem's mountpoint. | keyword | -| system.process.cgroup.memory.stats.active_anon.bytes | Anonymous and swap cache on active least-recently-used (LRU) list, including tmpfs (shmem), in bytes. 
| long | -| system.process.cgroup.memory.stats.active_file.bytes | File-backed memory on active LRU list, in bytes. | long | -| system.process.cgroup.memory.stats.cache.bytes | Page cache, including tmpfs (shmem), in bytes. | long | -| system.process.cgroup.memory.stats.hierarchical_memory_limit.bytes | Memory limit for the hierarchy that contains the memory cgroup, in bytes. | long | -| system.process.cgroup.memory.stats.hierarchical_memsw_limit.bytes | Memory plus swap limit for the hierarchy that contains the memory cgroup, in bytes. | long | -| system.process.cgroup.memory.stats.inactive_anon.bytes | Anonymous and swap cache on inactive LRU list, including tmpfs (shmem), in bytes | long | -| system.process.cgroup.memory.stats.inactive_file.bytes | File-backed memory on inactive LRU list, in bytes. | long | -| system.process.cgroup.memory.stats.major_page_faults | Number of times that a process in the cgroup triggered a major fault. "Major" faults happen when the kernel actually has to read the data from disk. | long | -| system.process.cgroup.memory.stats.mapped_file.bytes | Size of memory-mapped mapped files, including tmpfs (shmem), in bytes. | long | -| system.process.cgroup.memory.stats.page_faults | Number of times that a process in the cgroup triggered a page fault. | long | -| system.process.cgroup.memory.stats.pages_in | Number of pages paged into memory. This is a counter. | long | -| system.process.cgroup.memory.stats.pages_out | Number of pages paged out of memory. This is a counter. | long | -| system.process.cgroup.memory.stats.rss.bytes | Anonymous and swap cache (includes transparent hugepages), not including tmpfs (shmem), in bytes. | long | -| system.process.cgroup.memory.stats.rss_huge.bytes | Number of bytes of anonymous transparent hugepages. | long | -| system.process.cgroup.memory.stats.swap.bytes | Swap usage, in bytes. | long | -| system.process.cgroup.memory.stats.unevictable.bytes | Memory that cannot be reclaimed, in bytes. 
| long | -| system.process.cgroup.path | The path to the cgroup relative to the cgroup subsystem's mountpoint. If there isn't a common path used by all cgroups this field will be absent. | keyword | -| system.process.cmdline | The full command-line used to start the process, including the arguments separated by space. | keyword | -| system.process.cpu.start_time | The time when the process was started. | date | -| system.process.cpu.system.ticks | The amount of CPU time the process spent in kernel space. | long | -| system.process.cpu.total.norm.pct | The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 100%. | scaled_float | -| system.process.cpu.total.pct | The percentage of CPU time spent by the process since the last update. Its value is similar to the %CPU value of the process displayed by the top command on Unix systems. | scaled_float | -| system.process.cpu.total.ticks | The total CPU time spent by the process. | long | -| system.process.cpu.total.value | The value of CPU usage since starting the process. | long | -| system.process.cpu.user.ticks | The amount of CPU time the process spent in user space. | long | -| system.process.env | The environment variables used to start the process. The data is available on FreeBSD, Linux, and OS X. | object | -| system.process.fd.limit.hard | The hard limit on the number of file descriptors opened by the process. The hard limit can only be raised by root. | long | -| system.process.fd.limit.soft | The soft limit on the number of file descriptors opened by the process. The soft limit can be changed by the process at any time. | long | -| system.process.fd.open | The number of file descriptors open by the process. | long | -| system.process.memory.rss.bytes | The Resident Set Size. The amount of memory the process occupied in main memory (RAM). On Windows this represents the current working set size, in bytes. 
| long | -| system.process.memory.rss.pct | The percentage of memory the process occupied in main memory (RAM). | scaled_float | -| system.process.memory.share | The shared memory the process uses. | long | -| system.process.memory.size | The total virtual memory the process has. On Windows this represents the Commit Charge (the total amount of memory that the memory manager has committed for a running process) value in bytes for this process. | long | -| system.process.state | The process state. For example: "running". | keyword | -| user.name | Short name or login of the user. | keyword | - - -### Process summary - -The `process_summary` dataset collects high level statistics about the running -processes. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. 
| keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.pid | Process id. | long | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| system.process.summary.dead | Number of dead processes on this host. It's very unlikely that it will appear but in some special situations it may happen. | long | -| system.process.summary.idle | Number of idle processes on this host. | long | -| system.process.summary.running | Number of running processes on this host. | long | -| system.process.summary.sleeping | Number of sleeping processes on this host. | long | -| system.process.summary.stopped | Number of stopped processes on this host. | long | -| system.process.summary.total | Total number of processes on this host. | long | -| system.process.summary.unknown | Number of processes for which the state couldn't be retrieved or is unknown. | long | -| system.process.summary.zombie | Number of zombie processes on this host. | long | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. 
| keyword |
-
-
-### Socket summary
-
-The System `socket_summary` dataset provides the summary of open network
-sockets in the host system.
-
-It collects a summary of metrics with the count of existing TCP and UDP
-connections and the count of listening ports.
-
-This dataset is available on:
-
-- FreeBSD
-- Linux
-- macOS
-- Windows
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| group.id | Unique identifier for the group on the system/platform. | keyword |
-| group.name | Name of the group. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container.
| boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text |
-| process.name | Process name. Sometimes called program name or similar.
| keyword |
-| process.pid | Process id. | long |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| system.socket.summary.all.count | All open connections | integer |
-| system.socket.summary.all.listening | All listening ports | integer |
-| system.socket.summary.tcp.all.close_wait | Number of TCP connections in _close_wait_ state | integer |
-| system.socket.summary.tcp.all.closing | Number of TCP connections in _closing_ state | integer |
-| system.socket.summary.tcp.all.count | All open TCP connections | integer |
-| system.socket.summary.tcp.all.established | Number of established TCP connections | integer |
-| system.socket.summary.tcp.all.fin_wait1 | Number of TCP connections in _fin_wait1_ state | integer |
-| system.socket.summary.tcp.all.fin_wait2 | Number of TCP connections in _fin_wait2_ state | integer |
-| system.socket.summary.tcp.all.last_ack | Number of TCP connections in _last_ack_ state | integer |
-| system.socket.summary.tcp.all.listening | All TCP listening ports | integer |
-| system.socket.summary.tcp.all.orphan | A count of all orphaned tcp sockets. Only available on Linux. | integer |
-| system.socket.summary.tcp.all.syn_recv | Number of TCP connections in _syn_recv_ state | integer |
-| system.socket.summary.tcp.all.syn_sent | Number of TCP connections in _syn_sent_ state | integer |
-| system.socket.summary.tcp.all.time_wait | Number of TCP connections in _time_wait_ state | integer |
-| system.socket.summary.tcp.memory | Memory used by TCP sockets in bytes, based on number of allocated pages and system page size.
Corresponds to limits set in /proc/sys/net/ipv4/tcp_mem. Only available on Linux. | integer |
-| system.socket.summary.udp.all.count | All open UDP connections | integer |
-| system.socket.summary.udp.memory | Memory used by UDP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/udp_mem. Only available on Linux. | integer |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-
-
-### Uptime
-
-The System `uptime` dataset provides the uptime of the host operating system.
-
-This dataset is available on:
-
-- Linux
-- macOS
-- OpenBSD
-- FreeBSD
-- Windows
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace.
| constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| system.uptime.duration.ms | The OS uptime in milliseconds. | long |
-
diff --git a/packages/system/0.12.1/img/kibana-system.png b/packages/system/0.12.1/img/kibana-system.png
deleted file mode 100755
index 8741a56624..0000000000
Binary files a/packages/system/0.12.1/img/kibana-system.png and /dev/null differ
diff --git a/packages/system/0.12.1/img/metricbeat_system_dashboard.png b/packages/system/0.12.1/img/metricbeat_system_dashboard.png
deleted file mode 100755
index 2ff6ad8bd0..0000000000
Binary files a/packages/system/0.12.1/img/metricbeat_system_dashboard.png and /dev/null differ
diff --git a/packages/system/0.12.1/img/system.svg b/packages/system/0.12.1/img/system.svg
deleted file mode 100755
index 0aba96275e..0000000000
--- a/packages/system/0.12.1/img/system.svg
+++ /dev/null
@@ -1 +0,0 @@
-
\ No newline at end of file
diff --git a/packages/system/0.12.1/kibana/dashboard/system-01c54730-fee6-11e9-8405-516218e3d268.json b/packages/system/0.12.1/kibana/dashboard/system-01c54730-fee6-11e9-8405-516218e3d268.json
deleted file mode 100755
index 2af90db405..0000000000
--- a/packages/system/0.12.1/kibana/dashboard/system-01c54730-fee6-11e9-8405-516218e3d268.json
+++ /dev/null
@@ -1,129 +0,0 @@ -{ - "attributes": { - "description": "Group management activity with TSVB metrics.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":8,\"i\":\"22\",\"w\":17,\"x\":0,\"y\":0},\"panelIndex\":\"22\",\"panelRefName\":\"panel_0\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Creation Summary [Windows System Security]\"},\"gridData\":{\"h\":13,\"i\":\"36\",\"w\":9,\"x\":0,\"y\":59},\"panelIndex\":\"36\",\"panelRefName\":\"panel_1\",\"title\":\"Group Creation Summary [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Changes Summary [Windows System Security]\"},\"gridData\":{\"h\":13,\"i\":\"37\",\"w\":9,\"x\":9,\"y\":59},\"panelIndex\":\"37\",\"panelRefName\":\"panel_2\",\"title\":\"Group Changes Summary [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Deletion Summary [Windows System Security]\"},\"gridData\":{\"h\":13,\"i\":\"38\",\"w\":9,\"x\":18,\"y\":59},\"panelIndex\":\"38\",\"panelRefName\":\"panel_3\",\"title\":\"Group Deletion Summary [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Users Added to Group Summary [Windows System Security]\"},\"gridData\":{\"h\":14,\"i\":\"39\",\"w\":16,\"x\":0,\"y\":81},\"panelIndex\":\"39\",\"panelRefName\":\"panel_4\",\"title\":\"Users Added to Group Summary [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Users Removed From Group Summary [Windows System Security]\"},\"gridData\":{\"h\":14,\"i\":\"40\",\"w\":17,\"x\":16,\"y\":81},\"panelIndex\":\"40\",\"panelRefName\":\"panel_5\",\"title\":\"Users Removed From Group Summary [Windows 
System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Membership Enumeration Summary [Windows System Security]\"},\"gridData\":{\"h\":14,\"i\":\"42\",\"w\":15,\"x\":33,\"y\":81},\"panelIndex\":\"42\",\"panelRefName\":\"panel_6\",\"title\":\"Group Membership Enumeration Summary [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Details [Windows System Security]\"},\"gridData\":{\"h\":22,\"i\":\"43\",\"w\":21,\"x\":27,\"y\":50},\"panelIndex\":\"43\",\"panelRefName\":\"panel_7\",\"title\":\"Logon Details [System Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"44\",\"w\":16,\"x\":0,\"y\":72},\"panelIndex\":\"44\",\"panelRefName\":\"panel_8\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"45\",\"w\":9,\"x\":18,\"y\":50},\"panelIndex\":\"45\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"46\",\"w\":9,\"x\":0,\"y\":50},\"panelIndex\":\"46\",\"panelRefName\":\"panel_10\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"47\",\"w\":9,\"x\":9,\"y\":50},\"panelIndex\":\"47\",\"panelRefName\":\"panel_11\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"48\",\"w\":17,\"x\":16,\"y\":72},\"panelIndex\":\"48\",\"panelRefName\":\"panel_12\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"49\",\"w\":15,\"x\":33,\"y\":72},\"panelIndex\":\"49\",\"panelRefName\":\"panel_13\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"51\",\"w\":48,\"x\":0,\"y\":95},\"panelIndex\":\"51\",\"panelRefName\":\"panel_14\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":8,\"i\":\"45614e1c-b2bb-4243-9a74-a4bdd0124c87\",\"w\":31,\"x\":17,\"y\":0},\"panelIndex\":\"456
14e1c-b2bb-4243-9a74-a4bdd0124c87\",\"panelRefName\":\"panel_15\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"88e75800-8125-4c9e-96b8-5c36f6e91664\",\"w\":9,\"x\":21,\"y\":8},\"panelIndex\":\"88e75800-8125-4c9e-96b8-5c36f6e91664\",\"panelRefName\":\"panel_16\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"4b793b8e-72d4-42a2-b377-1c70f0307414\",\"w\":18,\"x\":30,\"y\":8},\"panelIndex\":\"4b793b8e-72d4-42a2-b377-1c70f0307414\",\"panelRefName\":\"panel_17\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"vis\":null},\"gridData\":{\"h\":21,\"i\":\"82d229f9-44f4-4c4b-baf7-f9673a14c87f\",\"w\":26,\"x\":0,\"y\":29},\"panelIndex\":\"82d229f9-44f4-4c4b-baf7-f9673a14c87f\",\"panelRefName\":\"panel_18\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-group-account\":\"#1F78C1\",\"added-member-to-group\":\"#0A437C\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#0A50A1\",\"type-changed-group-account\":\"#82B5D8\",\"user-member-enumerated\":\"#2F575E\"},\"vis\":{\"colors\":{\"added-group-account\":\"#1F78C1\",\"added-member-to-group\":\"#0A437C\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#0A50A1\",\"removed-member-from-group\":\"#82B5D8\",\"type-changed-group-account\":\"#82B5D8\",\"user-member-enumerated\":\"#2F575E\"}}},\"gridData\":{\"h\":21,\"i\":\"f44255b0-d9a8-479f-be3f-829c1f6ed794\",\"w\":22,\"x\":26,\"y\":29},\"panelIndex\":\"f44255b0-d9a8-479f-be3f-829c1f6ed794\",\"panelRefName\":\"panel_19\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-group-account\":\"#0A50A1\",\"added-member-to-group\":\"#1F78C1\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#0A437C\",\"user-member-enumerated\":\"#052B51\"},\"vis\":{\"colors\":{\"added-group-account\":\"#0A50A1\",\"added-member-to-group\":\"#1F78C1\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#0A437C\",\"user-member-enumerated\":\"#2F57
5E\"}}},\"gridData\":{\"h\":21,\"i\":\"9c42bff2-b295-4617-8d8c-455bd5948b66\",\"w\":21,\"x\":0,\"y\":8},\"panelIndex\":\"9c42bff2-b295-4617-8d8c-455bd5948b66\",\"panelRefName\":\"panel_20\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[System Windows Security] Group Management Events - Simple Metrics", - "version": 1 - }, - "id": "windows-01c54730-fee6-11e9-8405-516218e3d268", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-6f0f2ea0-f414-11e9-8405-516218e3d268", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-98884120-f49d-11e9-8405-516218e3d268", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-9e534190-f49d-11e9-8405-516218e3d268", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-bb9cf7a0-f49d-11e9-8405-516218e3d268", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-ce867840-f49e-11e9-8405-516218e3d268", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-fee83900-f49f-11e9-8405-516218e3d268", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-bc165210-f4b8-11e9-8405-516218e3d268", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "windows-7e178c80-fee1-11e9-8405-516218e3d268", - "name": "panel_7", - "type": "search" - }, - { - "id": "windows-a13bf640-fee8-11e9-8405-516218e3d268", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-5eeaafd0-fee7-11e9-8405-516218e3d268", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-f42f3b20-fee6-11e9-8405-516218e3d268", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "windows-b5f38780-fee6-11e9-8405-516218e3d268", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "windows-1b5f17d0-feea-11e9-8405-516218e3d268", - "name": "panel_12", - "type": "visualization" - }, - { - "id": 
"windows-0f2f5280-feeb-11e9-8405-516218e3d268", - "name": "panel_13", - "type": "visualization" - }, - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "panel_14", - "type": "search" - }, - { - "id": "windows-d770b040-9b35-11ea-87e4-49f31ec44891", - "name": "panel_15", - "type": "visualization" - }, - { - "id": "windows-33462600-9b47-11ea-87e4-49f31ec44891", - "name": "panel_16", - "type": "visualization" - }, - { - "id": "windows-58fb9480-9b46-11ea-87e4-49f31ec44891", - "name": "panel_17", - "type": "visualization" - }, - { - "id": "windows-e20c02d0-9b48-11ea-87e4-49f31ec44891", - "name": "panel_18", - "type": "visualization" - }, - { - "id": "windows-7de2e3f0-9b4d-11ea-87e4-49f31ec44891", - "name": "panel_19", - "type": "visualization" - }, - { - "id": "windows-b89b0c90-9b41-11ea-87e4-49f31ec44891", - "name": "panel_20", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/dashboard/system-035846a0-a249-11e9-a422-d144027429da.json b/packages/system/0.12.1/kibana/dashboard/system-035846a0-a249-11e9-a422-d144027429da.json deleted file mode 100755 index 7da98e0bb3..0000000000 --- a/packages/system/0.12.1/kibana/dashboard/system-035846a0-a249-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,89 +0,0 @@ -{ - "attributes": { - "description": "User logon activity dashboard with TSVB metrics.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"Sesiones Usuarios Admin\"},\"gridData\":{\"h\":28,\"i\":\"1\",\"w\":18,\"x\":0,\"y\":38},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"title\":\"Sesiones Usuarios Admin\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":13,\"i\":\"2\",\"w\":9,\"x\":0,\"y\":6},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Usuarios Adm\"},\"gridData\":{\"h\":19,\"i\":\"3\",\"w\":18,\"x\":0,\"y\":19},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"title\":\"Usuarios Adm\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":6,\"i\":\"4\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Network Logon Details\"},\"gridData\":{\"h\":27,\"i\":\"10\",\"w\":22,\"x\":0,\"y\":66},\"panelIndex\":\"10\",\"panelRefName\":\"panel_4\",\"title\":\"Network Logon Details\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":6,\"i\":\"08245e0c-6afe-43ea-ba5f-76c3b17301fd\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"08245e0c-6afe-43ea-ba5f-76c3b17301fd\",\"panelRefName\":\"panel_5\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":13,\"i\":\"f403fdcc-6588-4573-a949-9e661783a2b8\",\"w\":9,\"x\":9,\"y\":6},\"panelIndex\":\"f403fdcc-6588-4573-a949-9e661783a2b8\",\"panelRefName\":\"panel_6\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Events 
Timeline\"},\"gridData\":{\"h\":13,\"i\":\"51a9affa-8e96-42bd-98e9-80531bdefc53\",\"w\":30,\"x\":18,\"y\":6},\"panelIndex\":\"51a9affa-8e96-42bd-98e9-80531bdefc53\",\"panelRefName\":\"panel_7\",\"title\":\"Logon Events Timeline\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Types\"},\"gridData\":{\"h\":19,\"i\":\"bbdca4de-11c5-4957-a74c-73769416a562\",\"w\":12,\"x\":18,\"y\":19},\"panelIndex\":\"bbdca4de-11c5-4957-a74c-73769416a562\",\"panelRefName\":\"panel_8\",\"title\":\"Logon Types\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"4df66ae6-e047-47c7-b1a9-b15221eb9d90\",\"w\":18,\"x\":30,\"y\":19},\"panelIndex\":\"4df66ae6-e047-47c7-b1a9-b15221eb9d90\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"RDP Reconnections and Desconnections\"},\"gridData\":{\"h\":28,\"i\":\"454bb008-9720-455e-8ab9-b2f47d25aa4f\",\"w\":19,\"x\":18,\"y\":38},\"panelIndex\":\"454bb008-9720-455e-8ab9-b2f47d25aa4f\",\"panelRefName\":\"panel_10\",\"title\":\"RDP Reconnections and Desconnections\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":28,\"i\":\"baec73e7-7166-4577-9483-1252bdd8773c\",\"w\":11,\"x\":37,\"y\":38},\"panelIndex\":\"baec73e7-7166-4577-9483-1252bdd8773c\",\"panelRefName\":\"panel_11\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logout Details\"},\"gridData\":{\"h\":27,\"i\":\"28115147-8399-4fcd-95ce-ed0a4f4239e3\",\"w\":26,\"x\":22,\"y\":66},\"panelIndex\":\"28115147-8399-4fcd-95ce-ed0a4f4239e3\",\"panelRefName\":\"panel_12\",\"title\":\"Logout Details\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[System Windows Security] User Logons - Simple Metrics", - "version": 1 - }, - "id": "windows-035846a0-a249-11e9-a422-d144027429da", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-804dd400-a248-11e9-a422-d144027429da", - "name": "panel_0", - "type": 
"visualization" - }, - { - "id": "windows-5bb93ed0-a249-11e9-a422-d144027429da", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-e2516c10-a249-11e9-a422-d144027429da", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-18348f30-a24d-11e9-a422-d144027429da", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-ce71c9a0-a25e-11e9-a422-d144027429da", - "name": "panel_4", - "type": "search" - }, - { - "id": "windows-d770b040-9b35-11ea-87e4-49f31ec44891", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-2c71e0f0-9c0d-11ea-87e4-49f31ec44891", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "windows-abd44840-9c0f-11ea-87e4-49f31ec44891", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "windows-006d75f0-9c03-11ea-87e4-49f31ec44891", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-21aadac0-9c0b-11ea-87e4-49f31ec44891", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3", - "name": "panel_10", - "type": "search" - }, - { - "id": "windows-25f31ee0-9c23-11ea-87e4-49f31ec44891", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "windows-06b6b060-7a80-11ea-bc9a-0baf2ca323a3", - "name": "panel_12", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab.json b/packages/system/0.12.1/kibana/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab.json deleted file mode 100755 index 8814d936cf..0000000000 --- a/packages/system/0.12.1/kibana/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab.json +++ /dev/null 
@@ -1,53 +0,0 @@ -{ - "attributes": { - "description": "New users and groups dashboard for the System integration in Logs", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":12,\"i\":\"1\",\"w\":24,\"x\":0,\"y\":4},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"2\",\"w\":24,\"x\":24,\"y\":4},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":16},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"4\",\"w\":24,\"x\":24,\"y\":16},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":12,\"i\":\"5\",\"w\":24,\"x\":0,\"y\":28},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"6\",\"w\":24,\"x\":24,\"y\":28},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"7\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Logs System] New users and groups", - "version": 1 - }, - "id": "system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab", - "references": [ - { - "id": "system-f398d2f0-fa77-11e6-ae9b-81e5311e8cab", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-5dd15c00-fa78-11e6-ae9b-81e5311e8cab", - "name": "panel_1", - "type": 
"visualization" - }, - { - "id": "system-e121b140-fa78-11e6-a1df-a78bd7504d38", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "system-d56ee420-fa79-11e6-a1df-a78bd7504d38", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "system-12667040-fa80-11e6-a1df-a78bd7504d38", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "system-346bb290-fa80-11e6-a1df-a78bd7504d38", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "system-327417e0-8462-11e7-bab8-bd2f0fb42c54", - "name": "panel_6", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a.json b/packages/system/0.12.1/kibana/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a.json deleted file mode 100755 index 7c1b819642..0000000000 --- a/packages/system/0.12.1/kibana/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "description": "Sudo commands dashboard from the Logs System integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"2\",\"w\":48,\"x\":0,\"y\":36},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":16,\"i\":\"3\",\"w\":48,\"x\":0,\"y\":4},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"4\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Logs System] Sudo commands", - "version": 1 - }, - "id": "system-277876d0-fa2c-11e6-bbd3-29c986c96e5a", - "references": [ - { - "id": "system-5c7af030-fa2a-11e6-bbd3-29c986c96e5a", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-51164310-fa2b-11e6-bbd3-29c986c96e5a", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "system-dc589770-fa2b-11e6-bbd3-29c986c96e5a", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "system-327417e0-8462-11e7-bab8-bd2f0fb42c54", - "name": "panel_3", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a.json b/packages/system/0.12.1/kibana/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a.json deleted file mode 100755 index 34f78d0da6..0000000000 
--- a/packages/system/0.12.1/kibana/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a.json
+++ /dev/null
@@ -1,48 +0,0 @@ -{ - "attributes": { - "description": "SSH dashboard for the System integration in Logs", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":16},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"2\",\"w\":48,\"x\":0,\"y\":4},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":28},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"mapBounds\":{\"bottom_right\":{\"lat\":10.31491928581316,\"lon\":74.53125},\"top_left\":{\"lat\":60.50052541051131,\"lon\":-27.94921875}},\"mapCenter\":[39.774769485295465,23.203125],\"mapCollar\":{\"bottom_right\":{\"lat\":-14.777884999999998,\"lon\":125.771485},\"top_left\":{\"lat\":85.593335,\"lon\":-79.189455},\"zoom\":3},\"mapZoom\":3},\"gridData\":{\"h\":16,\"i\":\"4\",\"w\":24,\"x\":24,\"y\":28},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"columns\":[\"system.auth.ssh.event\",\"system.auth.ssh.method\",\"user.name\",\"source.ip\",\"source.geo.country_iso_code\"],\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"h\":12,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":44},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"6\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Logs System] SSH login attempts", - "version": 1 - }, - "id": "system-5517a150-f9ce-11e6-8115-a7c18106d86a", - "references": [ - { - "id": 
"system-d16bb400-f9cc-11e6-8115-a7c18106d86a", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-78b74f30-f9cd-11e6-8115-a7c18106d86a", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "system-341ffe70-f9ce-11e6-8115-a7c18106d86a", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "system-3cec3eb0-f9d3-11e6-8a3e-2b904044ea1d", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "system-62439dc0-f9c9-11e6-a747-6121780e0414", - "name": "panel_4", - "type": "search" - }, - { - "id": "system-327417e0-8462-11e7-bab8-bd2f0fb42c54", - "name": "panel_5", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/dashboard/system-71f720f0-ff18-11e9-8405-516218e3d268.json b/packages/system/0.12.1/kibana/dashboard/system-71f720f0-ff18-11e9-8405-516218e3d268.json deleted file mode 100755 index d2a5ae3be2..0000000000 --- a/packages/system/0.12.1/kibana/dashboard/system-71f720f0-ff18-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,159 +0,0 @@ -{ - "attributes": { - "description": "User management activity.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":8,\"i\":\"1\",\"w\":17,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Created Users [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"3\",\"w\":9,\"x\":0,\"y\":56},\"panelIndex\":\"3\",\"panelRefName\":\"panel_1\",\"title\":\"Created Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Enabled Users [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"5\",\"w\":9,\"x\":9,\"y\":56},\"panelIndex\":\"5\",\"panelRefName\":\"panel_2\",\"title\":\"Enabled Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Disabled Users [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"6\",\"w\":9,\"x\":0,\"y\":79},\"panelIndex\":\"6\",\"panelRefName\":\"panel_3\",\"title\":\"Disabled Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Deleted Users [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"7\",\"w\":9,\"x\":18,\"y\":56},\"panelIndex\":\"7\",\"panelRefName\":\"panel_4\",\"title\":\"Deleted Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Passwords Changes [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"9\",\"w\":9,\"x\":18,\"y\":79},\"panelIndex\":\"9\",\"panelRefName\":\"panel_5\",\"title\":\"Passwords Changes [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Unlocked Users [Windows System 
Security]\"},\"gridData\":{\"h\":16,\"i\":\"15\",\"w\":9,\"x\":9,\"y\":79},\"panelIndex\":\"15\",\"panelRefName\":\"panel_6\",\"title\":\"Unlocked Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Users Changes [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"16\",\"w\":9,\"x\":18,\"y\":102},\"panelIndex\":\"16\",\"panelRefName\":\"panel_7\",\"title\":\"Users Changes [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Locked-out Users [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"20\",\"w\":9,\"x\":0,\"y\":102},\"panelIndex\":\"20\",\"panelRefName\":\"panel_8\",\"title\":\"Locked-out Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":46,\"i\":\"22\",\"w\":21,\"x\":27,\"y\":72},\"panelIndex\":\"22\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"23\",\"w\":48,\"x\":0,\"y\":118},\"panelIndex\":\"23\",\"panelRefName\":\"panel_10\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"24\",\"w\":9,\"x\":0,\"y\":72},\"panelIndex\":\"24\",\"panelRefName\":\"panel_11\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"25\",\"w\":9,\"x\":9,\"y\":49},\"panelIndex\":\"25\",\"panelRefName\":\"panel_12\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"26\",\"w\":9,\"x\":18,\"y\":49},\"panelIndex\":\"26\",\"panelRefName\":\"panel_13\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"27\",\"w\":9,\"x\":0,\"y\":49},\"panelIndex\":\"27\",\"panelRefName\":\"panel_14\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"28\",\"w\":9,\"x\":9,\"y\":72},\"panelIndex\":\"28\",\"panelRefName\":\"panel_15\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridDat
a\":{\"h\":7,\"i\":\"29\",\"w\":9,\"x\":18,\"y\":72},\"panelIndex\":\"29\",\"panelRefName\":\"panel_16\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"30\",\"w\":9,\"x\":0,\"y\":95},\"panelIndex\":\"30\",\"panelRefName\":\"panel_17\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"31\",\"w\":9,\"x\":18,\"y\":95},\"panelIndex\":\"31\",\"panelRefName\":\"panel_18\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"32\",\"w\":9,\"x\":9,\"y\":95},\"panelIndex\":\"32\",\"panelRefName\":\"panel_19\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"33\",\"w\":9,\"x\":9,\"y\":102},\"panelIndex\":\"33\",\"panelRefName\":\"panel_20\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":8,\"i\":\"cf0adfac-7cf2-479d-8ddb-1edeee62d37c\",\"w\":31,\"x\":17,\"y\":0},\"panelIndex\":\"cf0adfac-7cf2-479d-8ddb-1edeee62d37c\",\"panelRefName\":\"panel_21\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-user-account\":\"#447EBC\",\"deleted-user-account\":\"#82B5D8\",\"disabled-user-account\":\"#82B5D8\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#2F575E\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\"},\"vis\":{\"colors\":{\"added-user-account\":\"#447EBC\",\"deleted-user-account\":\"#82B5D8\",\"disabled-user-account\":\"#82B5D8\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#2F575E\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\",\"unlocked-user-account\":\"#64B0C8\"}}},\"gridData\":{\"h\":16,\"i\":\"a2871661-98a8-489b-b615-e66ebe3b971a\",\"w\":17,\"x\":0,\"y\":8},\"panelIndex\":\"a2871661-98a8-489b-b615-e66ebe3b971a\",\"panelRefName\":\"panel_22\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"e80fae4a-6087-41e1-b4b9-31802cb1e4bf\",\"w\":18,\"x\":30,\"y\":8},\"panelI
ndex\":\"e80fae4a-6087-41e1-b4b9-31802cb1e4bf\",\"panelRefName\":\"panel_23\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"dd3e12e6-0d3c-448e-b0c4-91f7dc8742b6\",\"w\":13,\"x\":17,\"y\":8},\"panelIndex\":\"dd3e12e6-0d3c-448e-b0c4-91f7dc8742b6\",\"panelRefName\":\"panel_24\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Actions performed over Users [Windows System Security]\",\"vis\":null},\"gridData\":{\"h\":25,\"i\":\"29f54335-78db-4c49-a3e0-a641fd0099f6\",\"w\":48,\"x\":0,\"y\":24},\"panelIndex\":\"29f54335-78db-4c49-a3e0-a641fd0099f6\",\"panelRefName\":\"panel_25\",\"title\":\"Actions performed over Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-user-account\":\"#0A437C\",\"deleted-user-account\":\"#5195CE\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#052B51\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\"},\"vis\":{\"colors\":{\"added-user-account\":\"#0A437C\",\"deleted-user-account\":\"#5195CE\",\"disabled-user-account\":\"#82B5D8\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#052B51\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\"}}},\"gridData\":{\"h\":23,\"i\":\"1ec8b993-9ac1-4c7f-b7f7-5136f2e310aa\",\"w\":21,\"x\":27,\"y\":49},\"panelIndex\":\"1ec8b993-9ac1-4c7f-b7f7-5136f2e310aa\",\"panelRefName\":\"panel_26\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[System Windows Security] User Management Events", - "version": 1 - }, - "id": "windows-71f720f0-ff18-11e9-8405-516218e3d268", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf", - "name": "panel_1", - "type": "visualization" - }, - { - "id": 
"windows-0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-8f20c950-bcd4-11e9-b6a2-c9b4015c4baf", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-da2110c0-bcea-11e9-b6a2-c9b4015c4baf", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "windows-abf96c10-bcea-11e9-b6a2-c9b4015c4baf", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "windows-4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-7e178c80-fee1-11e9-8405-516218e3d268", - "name": "panel_9", - "type": "search" - }, - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "panel_10", - "type": "search" - }, - { - "id": "windows-97c70300-ff1c-11e9-8405-516218e3d268", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "windows-bf45dc50-ff1a-11e9-8405-516218e3d268", - "name": "panel_12", - "type": "visualization" - }, - { - "id": "windows-7322f9f0-ff1c-11e9-8405-516218e3d268", - "name": "panel_13", - "type": "visualization" - }, - { - "id": "windows-d3a5fec0-ff18-11e9-8405-516218e3d268", - "name": "panel_14", - "type": "visualization" - }, - { - "id": "windows-1b6725f0-ff1d-11e9-8405-516218e3d268", - "name": "panel_15", - "type": "visualization" - }, - { - "id": "windows-60301890-ff1d-11e9-8405-516218e3d268", - "name": "panel_16", - "type": "visualization" - }, - { - "id": "windows-9dd22440-ff1d-11e9-8405-516218e3d268", - "name": "panel_17", - "type": "visualization" - }, - { - "id": "windows-c9d959f0-ff1d-11e9-8405-516218e3d268", - "name": "panel_18", - "type": "visualization" - }, - { - "id": "windows-1f271bc0-231a-11ea-8405-516218e3d268", - "name": "panel_19", - "type": "visualization" - }, 
- { - "id": "windows-fa876300-231a-11ea-8405-516218e3d268", - "name": "panel_20", - "type": "visualization" - }, - { - "id": "windows-a3c3f350-9b6d-11ea-87e4-49f31ec44891", - "name": "panel_21", - "type": "visualization" - }, - { - "id": "windows-26877510-9b72-11ea-87e4-49f31ec44891", - "name": "panel_22", - "type": "visualization" - }, - { - "id": "windows-117f5a30-9b71-11ea-87e4-49f31ec44891", - "name": "panel_23", - "type": "visualization" - }, - { - "id": "windows-5c9ee410-9b74-11ea-87e4-49f31ec44891", - "name": "panel_24", - "type": "visualization" - }, - { - "id": "windows-aa31c9d0-9b75-11ea-87e4-49f31ec44891", - "name": "panel_25", - "type": "visualization" - }, - { - "id": "windows-caf4d2b0-9b76-11ea-87e4-49f31ec44891", - "name": "panel_26", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8.json b/packages/system/0.12.1/kibana/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8.json deleted file mode 100755 index 4dba98af12..0000000000 --- a/packages/system/0.12.1/kibana/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8.json +++ /dev/null 
@@ -1,133 +0,0 @@ -{ - "attributes": { - "description": "Overview of host metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"1\",\"w\":24,\"x\":0,\"y\":55},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"2\",\"w\":24,\"x\":24,\"y\":25},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"3\",\"w\":24,\"x\":24,\"y\":55},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"4\",\"w\":24,\"x\":0,\"y\":40},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":70},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":24,\"x\":0,\"y\":70},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"7\",\"w\":24,\"x\":0,\"y\":25},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"8\",\"w\":24,\"x\":24,\"y\":40},\"panelIndex\":\"8\",\"panelRefName\":\"panel_7\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"9\",\"w\":8,\"x\":16,\"y\":5},\"panelIndex\":\"9\",\"panelRefName\":\"panel_8\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"10\",\"w\":8,\"x\":0,\"y\":5},\"panelIndex\":\"10\",\"panelRefName\":\"panel_9\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"11\",\"w\":8,\"x\":8,
\"y\":5},\"panelIndex\":\"11\",\"panelRefName\":\"panel_10\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"12\",\"w\":8,\"x\":24,\"y\":5},\"panelIndex\":\"12\",\"panelRefName\":\"panel_11\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"13\",\"w\":8,\"x\":32,\"y\":5},\"panelIndex\":\"13\",\"panelRefName\":\"panel_12\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"14\",\"w\":16,\"x\":32,\"y\":15},\"panelIndex\":\"14\",\"panelRefName\":\"panel_13\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":5,\"i\":\"16\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"16\",\"panelRefName\":\"panel_14\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"21\",\"w\":8,\"x\":0,\"y\":15},\"panelIndex\":\"21\",\"panelRefName\":\"panel_15\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"22\",\"w\":8,\"x\":8,\"y\":15},\"panelIndex\":\"22\",\"panelRefName\":\"panel_16\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"23\",\"w\":8,\"x\":24,\"y\":15},\"panelIndex\":\"23\",\"panelRefName\":\"panel_17\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"25\",\"w\":8,\"x\":40,\"y\":5},\"panelIndex\":\"25\",\"panelRefName\":\"panel_18\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"27\",\"w\":24,\"x\":0,\"y\":85},\"panelIndex\":\"27\",\"panelRefName\":\"panel_19\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"28\",\"w\":24,\"x\":24,\"y\":85},\"panelIndex\":\"28\",\"panelRefName\":\"panel_20\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":10,\"i\":\"29\",\"w\":8,\"x\":16,\"y\":15},\"panelIndex\":\"29\",\"panelRefName\":\"panel_21\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":5,\"i\":\"30\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"30\",\"panelRefName\":\"panel_22\",\"version\":\"7.6.0\"}]", - "timeRestore": false, - "title": "[Metrics System] Host overview", - "version": 1 - }, - "id": "system-79ffd6e0-faa0-11e6-947f-177f697178b8", - "references": [ - { - "id": "system-6b7b9a40-faa1-11e6-86b1-cd7735ff7e23", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-4d546850-1b15-11e7-b09e-037021c4f8df", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "system-089b85d0-1b16-11e7-b09e-037021c4f8df", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "system-bfa5e400-1b16-11e7-b09e-037021c4f8df", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "system-e0f001c0-1b18-11e7-b09e-037021c4f8df", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "system-2e224660-1b19-11e7-b09e-037021c4f8df", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "system-ab2d1e90-1b1a-11e7-b09e-037021c4f8df", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "system-4e4bb1e0-1b1b-11e7-b09e-037021c4f8df", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "system-26732e20-1b91-11e7-bec4-a5e9ec5cab8b", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "system-1aae9140-1b93-11e7-8ada-3df93aab833e", - "name": "panel_12", - "type": "visualization" - }, - { - "id": "system-34f97ee0-1b96-11e7-8ada-3df93aab833e", - 
"name": "panel_13", - "type": "visualization" - }, - { - "id": "system-Navigation", - "name": "panel_14", - "type": "visualization" - }, - { - "id": "system-19e123b0-4d5a-11e7-aee5-fdc812cc3bec", - "name": "panel_15", - "type": "visualization" - }, - { - "id": "system-d2e80340-4d5c-11e7-aa29-87a97a796de6", - "name": "panel_16", - "type": "visualization" - }, - { - "id": "system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32", - "name": "panel_17", - "type": "visualization" - }, - { - "id": "system-96976150-4d5d-11e7-aa29-87a97a796de6", - "name": "panel_18", - "type": "visualization" - }, - { - "id": "system-99381c80-4d60-11e7-9a4c-ed99bbcaa42b", - "name": "panel_19", - "type": "visualization" - }, - { - "id": "system-c5e3cf90-4d60-11e7-9a4c-ed99bbcaa42b", - "name": "panel_20", - "type": "visualization" - }, - { - "id": "system-590a60f0-5d87-11e7-8884-1bb4c3b890e4", - "name": "panel_21", - "type": "visualization" - }, - { - "id": "system-3d65d450-a9c3-11e7-af20-67db8aecb295", - "name": "panel_22", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/dashboard/system-8223bed0-b9e9-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.12.1/kibana/dashboard/system-8223bed0-b9e9-11e9-b6a2-c9b4015c4baf.json deleted file mode 100755 index 81fed1fd24..0000000000 --- a/packages/system/0.12.1/kibana/dashboard/system-8223bed0-b9e9-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,159 +0,0 @@ -{ - "attributes": { - "description": "User management activity with TSVB metrics.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"1\",\"w\":17,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Created Users [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"3\",\"w\":9,\"x\":0,\"y\":55},\"panelIndex\":\"3\",\"panelRefName\":\"panel_1\",\"title\":\"Created Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Enabled Users [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"5\",\"w\":9,\"x\":9,\"y\":55},\"panelIndex\":\"5\",\"panelRefName\":\"panel_2\",\"title\":\"Enabled Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Disabled Users [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"6\",\"w\":9,\"x\":0,\"y\":80},\"panelIndex\":\"6\",\"panelRefName\":\"panel_3\",\"title\":\"Disabled Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Deleted Users [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"7\",\"w\":9,\"x\":18,\"y\":55},\"panelIndex\":\"7\",\"panelRefName\":\"panel_4\",\"title\":\"Deleted Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Passwords Changes [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"9\",\"w\":9,\"x\":18,\"y\":80},\"panelIndex\":\"9\",\"panelRefName\":\"panel_5\",\"title\":\"Passwords Changes [Windows System 
Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"10\",\"w\":9,\"x\":0,\"y\":46},\"panelIndex\":\"10\",\"panelRefName\":\"panel_6\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"11\",\"w\":9,\"x\":9,\"y\":46},\"panelIndex\":\"11\",\"panelRefName\":\"panel_7\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"12\",\"w\":9,\"x\":18,\"y\":46},\"panelIndex\":\"12\",\"panelRefName\":\"panel_8\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"13\",\"w\":9,\"x\":0,\"y\":71},\"panelIndex\":\"13\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"14\",\"w\":9,\"x\":18,\"y\":71},\"panelIndex\":\"14\",\"panelRefName\":\"panel_10\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Unlocked Users [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"15\",\"w\":9,\"x\":9,\"y\":80},\"panelIndex\":\"15\",\"panelRefName\":\"panel_11\",\"title\":\"Unlocked Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Users Changes [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"16\",\"w\":9,\"x\":18,\"y\":105},\"panelIndex\":\"16\",\"panelRefName\":\"panel_12\",\"title\":\"Users Changes [Windows System 
Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"17\",\"w\":9,\"x\":0,\"y\":96},\"panelIndex\":\"17\",\"panelRefName\":\"panel_13\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"18\",\"w\":9,\"x\":9,\"y\":71},\"panelIndex\":\"18\",\"panelRefName\":\"panel_14\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"19\",\"w\":9,\"x\":18,\"y\":96},\"panelIndex\":\"19\",\"panelRefName\":\"panel_15\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Locked-out Users [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"20\",\"w\":9,\"x\":0,\"y\":105},\"panelIndex\":\"20\",\"panelRefName\":\"panel_16\",\"title\":\"Locked-out Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":48,\"i\":\"22\",\"w\":21,\"x\":27,\"y\":73},\"panelIndex\":\"22\",\"panelRefName\":\"panel_17\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"23\",\"w\":48,\"x\":0,\"y\":121},\"panelIndex\":\"23\",\"panelRefName\":\"panel_18\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"24\",\"w\":9,\"x\":9,\"y\":96},\"panelIndex\":\"24\",\"panelRefName\":\"panel_19\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"25\",\"w\":9,\"x\":9,\"y\":105},\"panelIndex\":\"25\",\"panelRefName\":\"panel_20\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"20adcb1b-cebf-4a75-9bc4-eaeeee626c5e\",\"w\":31,\"x\":17,\"y\":0},\"panelIndex\":\"20adcb1b-cebf-4a75-9bc4-eaeeee626c5e\",\"panelRefName\":\"panel_21\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-user-account\":\"#0A437C\",\"deleted-user-account\":\"#82B5D8\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#052B51\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\"},\"
vis\":{\"colors\":{\"added-user-account\":\"#0A437C\",\"deleted-user-account\":\"#82B5D8\",\"disabled-user-account\":\"#BADFF4\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#052B51\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\"}}},\"gridData\":{\"h\":19,\"i\":\"8aad73ff-37b1-487a-a3f1-b80b93618ac4\",\"w\":18,\"x\":0,\"y\":7},\"panelIndex\":\"8aad73ff-37b1-487a-a3f1-b80b93618ac4\",\"panelRefName\":\"panel_22\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"18cc78ac-3f77-4f54-b351-cb94873cae3f\",\"w\":14,\"x\":18,\"y\":7},\"panelIndex\":\"18cc78ac-3f77-4f54-b351-cb94873cae3f\",\"panelRefName\":\"panel_23\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"75f5f1fc-bc7c-4f8f-8e5b-0a52d525aa7d\",\"w\":16,\"x\":32,\"y\":7},\"panelIndex\":\"75f5f1fc-bc7c-4f8f-8e5b-0a52d525aa7d\",\"panelRefName\":\"panel_24\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Actions performed over Users [Windows System Security]\",\"vis\":null},\"gridData\":{\"h\":20,\"i\":\"f443b5b0-ada7-426f-ae2f-46573f94f24f\",\"w\":48,\"x\":0,\"y\":26},\"panelIndex\":\"f443b5b0-ada7-426f-ae2f-46573f94f24f\",\"panelRefName\":\"panel_25\",\"title\":\"Actions performed over Users [Windows System 
Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-user-account\":\"#0A437C\",\"deleted-user-account\":\"#82B5D8\",\"disabled-user-account\":\"#BADFF4\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#2F575E\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\"},\"vis\":{\"colors\":{\"added-user-account\":\"#0A437C\",\"deleted-user-account\":\"#82B5D8\",\"disabled-user-account\":\"#BADFF4\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#2F575E\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\",\"unlocked-user-account\":\"#0A437C\"}}},\"gridData\":{\"h\":27,\"i\":\"820c0311-d378-49dc-a614-e0fed2254603\",\"w\":21,\"x\":27,\"y\":46},\"panelIndex\":\"820c0311-d378-49dc-a614-e0fed2254603\",\"panelRefName\":\"panel_26\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[System Windows Security] User Management Events - Simple Metric", - "version": 1 - }, - "id": "windows-8223bed0-b9e9-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-8f20c950-bcd4-11e9-b6a2-c9b4015c4baf", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-102efd20-bcdd-11e9-b6a2-c9b4015c4baf", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "windows-855957d0-bcdd-11e9-b6a2-c9b4015c4baf", - "name": "panel_7", - 
"type": "visualization" - }, - { - "id": "windows-c359b020-bcdd-11e9-b6a2-c9b4015c4baf", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-0cb2d940-bcde-11e9-b6a2-c9b4015c4baf", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-568a8130-bcde-11e9-b6a2-c9b4015c4baf", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "windows-da2110c0-bcea-11e9-b6a2-c9b4015c4baf", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "windows-abf96c10-bcea-11e9-b6a2-c9b4015c4baf", - "name": "panel_12", - "type": "visualization" - }, - { - "id": "windows-84502430-bce8-11e9-b6a2-c9b4015c4baf", - "name": "panel_13", - "type": "visualization" - }, - { - "id": "windows-ab6f8d80-bce8-11e9-b6a2-c9b4015c4baf", - "name": "panel_14", - "type": "visualization" - }, - { - "id": "windows-5d92b100-bce8-11e9-b6a2-c9b4015c4baf", - "name": "panel_15", - "type": "visualization" - }, - { - "id": "windows-4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf", - "name": "panel_16", - "type": "visualization" - }, - { - "id": "windows-7e178c80-fee1-11e9-8405-516218e3d268", - "name": "panel_17", - "type": "search" - }, - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "panel_18", - "type": "search" - }, - { - "id": "windows-5e19ff80-231c-11ea-8405-516218e3d268", - "name": "panel_19", - "type": "visualization" - }, - { - "id": "windows-fa876300-231a-11ea-8405-516218e3d268", - "name": "panel_20", - "type": "visualization" - }, - { - "id": "windows-d770b040-9b35-11ea-87e4-49f31ec44891", - "name": "panel_21", - "type": "visualization" - }, - { - "id": "windows-26877510-9b72-11ea-87e4-49f31ec44891", - "name": "panel_22", - "type": "visualization" - }, - { - "id": "windows-5c9ee410-9b74-11ea-87e4-49f31ec44891", - "name": "panel_23", - "type": "visualization" - }, - { - "id": "windows-117f5a30-9b71-11ea-87e4-49f31ec44891", - "name": "panel_24", - "type": "visualization" - }, - { - "id": "windows-aa31c9d0-9b75-11ea-87e4-49f31ec44891", - 
"name": "panel_25", - "type": "visualization" - }, - { - "id": "windows-caf4d2b0-9b76-11ea-87e4-49f31ec44891", - "name": "panel_26", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/dashboard/system-Filebeat-syslog-dashboard.json b/packages/system/0.12.1/kibana/dashboard/system-Filebeat-syslog-dashboard.json deleted file mode 100755 index e853fd4613..0000000000 --- a/packages/system/0.12.1/kibana/dashboard/system-Filebeat-syslog-dashboard.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "description": "Syslog dashboard from the Logs System integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"1\",\"w\":32,\"x\":0,\"y\":4},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"2\",\"w\":16,\"x\":32,\"y\":4},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"columns\":[\"host.hostname\",\"process.name\",\"message\"],\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"h\":28,\"i\":\"3\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"4\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Logs System] Syslog dashboard", - "version": 1 - }, - "id": "system-Filebeat-syslog-dashboard", - "references": [ - { - "id": "system-Syslog-events-by-hostname", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-Syslog-hostnames-and-processes", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "system-Syslog-system-logs", - "name": "panel_2", - "type": "search" - }, - { - "id": "system-327417e0-8462-11e7-bab8-bd2f0fb42c54", - "name": "panel_3", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/dashboard/system-Metricbeat-system-overview.json b/packages/system/0.12.1/kibana/dashboard/system-Metricbeat-system-overview.json deleted file mode 100755 index 286c979eb2..0000000000 
--- a/packages/system/0.12.1/kibana/dashboard/system-Metricbeat-system-overview.json +++ /dev/null 
@@ -1,68 +0,0 @@ -{ - "attributes": { - "description": "Overview of system metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"9\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"9\",\"panelRefName\":\"panel_0\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"11\",\"w\":8,\"x\":0,\"y\":4},\"panelIndex\":\"11\",\"panelRefName\":\"panel_1\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":20,\"i\":\"12\",\"w\":24,\"x\":24,\"y\":12},\"panelIndex\":\"12\",\"panelRefName\":\"panel_2\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"13\",\"w\":24,\"x\":0,\"y\":12},\"panelIndex\":\"13\",\"panelRefName\":\"panel_3\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0% - 15%\":\"rgb(247,252,245)\",\"15% - 30%\":\"rgb(199,233,192)\",\"30% - 45%\":\"rgb(116,196,118)\",\"45% - 60%\":\"rgb(35,139,69)\"}}},\"gridData\":{\"h\":24,\"i\":\"14\",\"w\":48,\"x\":0,\"y\":32},\"panelIndex\":\"14\",\"panelRefName\":\"panel_4\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"16\",\"w\":8,\"x\":32,\"y\":4},\"panelIndex\":\"16\",\"panelRefName\":\"panel_5\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"17\",\"w\":8,\"x\":40,\"y\":4},\"panelIndex\":\"17\",\"panelRefName\":\"panel_6\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"18\",\"w\":8,\"x\":24,\"y\":4},\"panelIndex\":\"18\",\"panelRefName\":\"panel_7\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"19\",\"w\":8,\"x\":16,\"y\":4},\"panelIndex\":\"19\",\"panelRefName\":\"panel_8\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"20\",\"w\":8,\"x\":8,\"y\":4},\"panelIndex\":\"20\",\"panelRefName\":\"panel_9\",\"version\":\"7.6.0\"}]", - "timeRestore": false, - "title": "[Metrics System] Overview", - "version": 1 - }, - "id": "system-Metrics-system-overview", - "references": [ - { - "id": "system-Navigation", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-c6f2ffd0-4d17-11e7-a196-69b9a7a020a9", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "system-fe064790-1b1f-11e7-bec4-a5e9ec5cab8b", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "system-855899e0-1b1c-11e7-b09e-037021c4f8df", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "system-7cdb1330-4d1a-11e7-a196-69b9a7a020a9", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "system-1aae9140-1b93-11e7-8ada-3df93aab833e", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b", - "name": 
"panel_9", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/dashboard/system-Winlogbeat-Dashboard.json b/packages/system/0.12.1/kibana/dashboard/system-Winlogbeat-Dashboard.json deleted file mode 100755 index 2299940474..0000000000 --- a/packages/system/0.12.1/kibana/dashboard/system-Winlogbeat-Dashboard.json +++ /dev/null 
@@ -1,49 +0,0 @@ -{ - "attributes": { - "description": "Overview of all Windows Event Logs.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:system.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:system.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system OR data_stream.dataset:system.system)\"}}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"gridData\":{\"h\":20,\"i\":\"3\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"4\",\"w\":16,\"x\":16,\"y\":20},\"panelIndex\":\"4\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"gridData\":{\"h\":20,\"i\":\"5\",\"w\":16,\"x\":32,\"y\":20},\"panelIndex\":\"5\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"gridData\":{\"h\":20,\"i\":\"6\",\"w\":16,\"x\":0,\"y\":20},\"panelIndex\":\"6\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[System] Windows Overview", - "version": 1 - }, - "id": "Windows-Dashboard", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-Number-of-Events-Over-Time-By-Event-Log", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-Number-of-Events", - "name": "panel_1", - "type": "visualization" - }, - { - "id": 
"windows-Top-Event-IDs", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-Event-Levels", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-Sources", - "name": "panel_4", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/dashboard/system-bae11b00-9bfc-11ea-87e4-49f31ec44891.json b/packages/system/0.12.1/kibana/dashboard/system-bae11b00-9bfc-11ea-87e4-49f31ec44891.json deleted file mode 100755 index a07696c194..0000000000 --- a/packages/system/0.12.1/kibana/dashboard/system-bae11b00-9bfc-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,89 +0,0 @@ -{ - "attributes": { - "description": "User logon activity dashboard.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"Admin Users Sessions\"},\"gridData\":{\"h\":28,\"i\":\"1\",\"w\":18,\"x\":0,\"y\":34},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"title\":\"Admin Users Sessions\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"AdminLocalSta\":\"#890F02\",\"SERVICIO LOCAL\":\"#508642\"},\"legendOpen\":true,\"title\":\"Administrators Logged On\",\"vis\":{\"colors\":{\"AdminLocalSta\":\"#890F02\",\"NETWORK SERVICE\":\"#1F78C1\",\"SERVICIO LOCAL\":\"#508642\"},\"legendOpen\":true}},\"gridData\":{\"h\":18,\"i\":\"3\",\"w\":18,\"x\":0,\"y\":16},\"panelIndex\":\"3\",\"panelRefName\":\"panel_1\",\"title\":\"Administrators Logged On\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":6,\"i\":\"4\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_2\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Details\"},\"gridData\":{\"h\":47,\"i\":\"10\",\"w\":23,\"x\":0,\"y\":62},\"panelIndex\":\"10\",\"panelRefName\":\"panel_3\",\"title\":\"Logon 
Details\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":6,\"i\":\"34fc9633-8a7c-444d-8d19-06095b55fb43\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"34fc9633-8a7c-444d-8d19-06095b55fb43\",\"panelRefName\":\"panel_4\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":10,\"i\":\"67d2409d-3e51-45d5-972f-32a36537e622\",\"w\":9,\"x\":0,\"y\":6},\"panelIndex\":\"67d2409d-3e51-45d5-972f-32a36537e622\",\"panelRefName\":\"panel_5\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":10,\"i\":\"33d05ce3-f60d-4a31-a668-aa6fab0cc800\",\"w\":9,\"x\":9,\"y\":6},\"panelIndex\":\"33d05ce3-f60d-4a31-a668-aa6fab0cc800\",\"panelRefName\":\"panel_6\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Events Timeline\"},\"gridData\":{\"h\":13,\"i\":\"7b3906e6-3a81-450c-bb31-ca0d670440b7\",\"w\":30,\"x\":18,\"y\":6},\"panelIndex\":\"7b3906e6-3a81-450c-bb31-ca0d670440b7\",\"panelRefName\":\"panel_7\",\"title\":\"Logon Events Timeline\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"CachedInteractive\":\"#6ED0E0\",\"Interactive\":\"#2F575E\",\"Network\":\"#447EBC\",\"RemoteInteractive\":\"#64B0C8\",\"Service\":\"#6ED0E0\",\"Unlock\":\"#BADFF4\"},\"legendOpen\":true,\"title\":\"Logon Types\",\"vis\":{\"colors\":{\"CachedInteractive\":\"#6ED0E0\",\"Interactive\":\"#2F575E\",\"Network\":\"#447EBC\",\"RemoteInteractive\":\"#64B0C8\",\"Service\":\"#65C5DB\",\"Unlock\":\"#BADFF4\"},\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"cf50b48e-453c-46fb-ad35-7ccfb7b03de0\",\"w\":15,\"x\":18,\"y\":19},\"panelIndex\":\"cf50b48e-453c-46fb-ad35-7ccfb7b03de0\",\"panelRefName\":\"panel_8\",\"title\":\"Logon 
Types\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"a743ffe5-a2ac-4c0b-9b6f-a81563140c42\",\"w\":15,\"x\":33,\"y\":19},\"panelIndex\":\"a743ffe5-a2ac-4c0b-9b6f-a81563140c42\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"RDP Reconnections and Desconnections\"},\"gridData\":{\"h\":28,\"i\":\"454bb008-9720-455e-8ab9-b2f47d25aa4f\",\"w\":18,\"x\":18,\"y\":34},\"panelIndex\":\"454bb008-9720-455e-8ab9-b2f47d25aa4f\",\"panelRefName\":\"panel_10\",\"title\":\"RDP Reconnections and Desconnections\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":28,\"i\":\"29a0e70a-ab23-4d48-8d4e-9a39c5af47ad\",\"w\":12,\"x\":36,\"y\":34},\"panelIndex\":\"29a0e70a-ab23-4d48-8d4e-9a39c5af47ad\",\"panelRefName\":\"panel_11\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logout Details\"},\"gridData\":{\"h\":46,\"i\":\"28115147-8399-4fcd-95ce-ed0a4f4239e3\",\"w\":25,\"x\":23,\"y\":62},\"panelIndex\":\"28115147-8399-4fcd-95ce-ed0a4f4239e3\",\"panelRefName\":\"panel_12\",\"title\":\"Logout Details\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[System Windows Security] User Logons", - "version": 1 - }, - "id": "windows-bae11b00-9bfc-11ea-87e4-49f31ec44891", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-804dd400-a248-11e9-a422-d144027429da", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-e2516c10-a249-11e9-a422-d144027429da", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-18348f30-a24d-11e9-a422-d144027429da", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-ce71c9a0-a25e-11e9-a422-d144027429da", - "name": "panel_3", - "type": "search" - }, - { - "id": "windows-a3c3f350-9b6d-11ea-87e4-49f31ec44891", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-0622da40-9bfd-11ea-87e4-49f31ec44891", - "name": 
"panel_5", - "type": "visualization" - }, - { - "id": "windows-860706a0-9bfd-11ea-87e4-49f31ec44891", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "windows-a909b930-685f-11ea-896f-0d70f7ec3956", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "windows-006d75f0-9c03-11ea-87e4-49f31ec44891", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-21aadac0-9c0b-11ea-87e4-49f31ec44891", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3", - "name": "panel_10", - "type": "search" - }, - { - "id": "windows-25f31ee0-9c23-11ea-87e4-49f31ec44891", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "windows-06b6b060-7a80-11ea-bc9a-0baf2ca323a3", - "name": "panel_12", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/dashboard/system-bb858830-f412-11e9-8405-516218e3d268.json b/packages/system/0.12.1/kibana/dashboard/system-bb858830-f412-11e9-8405-516218e3d268.json deleted file mode 100755 index 31718aaa5d..0000000000 --- a/packages/system/0.12.1/kibana/dashboard/system-bb858830-f412-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,129 +0,0 @@ -{ - "attributes": { - "description": "Group management activity.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"22\",\"w\":16,\"x\":0,\"y\":0},\"panelIndex\":\"22\",\"panelRefName\":\"panel_0\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"29\",\"w\":16,\"x\":0,\"y\":68},\"panelIndex\":\"29\",\"panelRefName\":\"panel_1\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"30\",\"w\":9,\"x\":18,\"y\":48},\"panelIndex\":\"30\",\"panelRefName\":\"panel_2\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"31\",\"w\":9,\"x\":0,\"y\":48},\"panelIndex\":\"31\",\"panelRefName\":\"panel_3\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"32\",\"w\":9,\"x\":9,\"y\":48},\"panelIndex\":\"32\",\"panelRefName\":\"panel_4\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"33\",\"w\":17,\"x\":16,\"y\":68},\"panelIndex\":\"33\",\"panelRefName\":\"panel_5\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"34\",\"w\":15,\"x\":33,\"y\":68},\"panelIndex\":\"34\",\"panelRefName\":\"panel_6\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Creation Summary [Windows System Security]\"},\"gridData\":{\"h\":13,\"i\":\"36\",\"w\":9,\"x\":0,\"y\":55},\"panelIndex\":\"36\",\"panelRefName\":\"panel_7\",\"title\":\"Group Creation Summary [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Changes Summary [Windows System 
Security]\"},\"gridData\":{\"h\":13,\"i\":\"37\",\"w\":9,\"x\":9,\"y\":55},\"panelIndex\":\"37\",\"panelRefName\":\"panel_8\",\"title\":\"Group Changes Summary [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Deletion Summary [Windows System Security]\"},\"gridData\":{\"h\":13,\"i\":\"38\",\"w\":9,\"x\":18,\"y\":55},\"panelIndex\":\"38\",\"panelRefName\":\"panel_9\",\"title\":\"Group Deletion Summary [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Users Added to Group Summary [Windows System Security]\"},\"gridData\":{\"h\":14,\"i\":\"39\",\"w\":16,\"x\":0,\"y\":75},\"panelIndex\":\"39\",\"panelRefName\":\"panel_10\",\"title\":\"Users Added to Group Summary [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Users Removed From Group Summary [Windows System Security]\"},\"gridData\":{\"h\":14,\"i\":\"40\",\"w\":17,\"x\":16,\"y\":75},\"panelIndex\":\"40\",\"panelRefName\":\"panel_11\",\"title\":\"Users Removed From Group Summary [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Enumeration - Table [Windows System Security]\"},\"gridData\":{\"h\":14,\"i\":\"42\",\"w\":15,\"x\":33,\"y\":75},\"panelIndex\":\"42\",\"panelRefName\":\"panel_12\",\"title\":\"Group Enumeration - Table [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Details [Windows System Security]\"},\"gridData\":{\"h\":20,\"i\":\"43\",\"w\":21,\"x\":27,\"y\":48},\"panelIndex\":\"43\",\"panelRefName\":\"panel_13\",\"title\":\"Logon Details [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Management Operations Details [Windows System Security]\"},\"gridData\":{\"h\":22,\"i\":\"45\",\"w\":48,\"x\":0,\"y\":89},\"panelIndex\":\"45\",\"panelRefName\":\"panel_14\",\"title\":\"Group Management Operations Details [Windows System 
Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-group-account\":\"#0A437C\",\"added-member-to-group\":\"#1F78C1\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#052B51\",\"user-member-enumerated\":\"#447EBC\"},\"vis\":{\"colors\":{\"added-group-account\":\"#0A437C\",\"added-member-to-group\":\"#1F78C1\",\"deleted-group-account\":\"#82B5D8\",\"modified-group-account\":\"#052B51\",\"user-member-enumerated\":\"#447EBC\"}}},\"gridData\":{\"h\":20,\"i\":\"3f7e277d-09d1-4a79-bc17-bc5da5a7e290\",\"w\":20,\"x\":0,\"y\":7},\"panelIndex\":\"3f7e277d-09d1-4a79-bc17-bc5da5a7e290\",\"panelRefName\":\"panel_15\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"8cda9d6a-096f-41a5-86e6-09dd1f6b9c98\",\"w\":16,\"x\":32,\"y\":7},\"panelIndex\":\"8cda9d6a-096f-41a5-86e6-09dd1f6b9c98\",\"panelRefName\":\"panel_16\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Management Events - Event Actions - Table [Windows System Security]\"},\"gridData\":{\"h\":20,\"i\":\"74edddd5-2dc5-41b8-b4f2-bf9c95218f1b\",\"w\":12,\"x\":20,\"y\":7},\"panelIndex\":\"74edddd5-2dc5-41b8-b4f2-bf9c95218f1b\",\"panelRefName\":\"panel_17\",\"title\":\"Group Management Events - Event Actions - Table [Windows System 
Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"vis\":null},\"gridData\":{\"h\":21,\"i\":\"33cef054-615a-49cb-bb2e-eb55fab96ae5\",\"w\":27,\"x\":0,\"y\":27},\"panelIndex\":\"33cef054-615a-49cb-bb2e-eb55fab96ae5\",\"panelRefName\":\"panel_18\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-group-account\":\"#1F78C1\",\"added-member-to-group\":\"#0A437C\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#0A50A1\",\"type-changed-group-account\":\"#82B5D8\",\"user-member-enumerated\":\"#447EBC\"},\"vis\":{\"colors\":{\"added-group-account\":\"#1F78C1\",\"added-member-to-group\":\"#0A437C\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#0A50A1\",\"removed-member-from-group\":\"#BADFF4\",\"type-changed-group-account\":\"#82B5D8\",\"user-member-enumerated\":\"#447EBC\"}}},\"gridData\":{\"h\":21,\"i\":\"e0d495aa-f897-403f-815b-6116fae330b7\",\"w\":21,\"x\":27,\"y\":27},\"panelIndex\":\"e0d495aa-f897-403f-815b-6116fae330b7\",\"panelRefName\":\"panel_19\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"663e0493-2070-407b-9d00-079915cce7e7\",\"w\":32,\"x\":16,\"y\":0},\"panelIndex\":\"663e0493-2070-407b-9d00-079915cce7e7\",\"panelRefName\":\"panel_20\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[System Windows Security] Group Management Events", - "version": 1 - }, - "id": "windows-bb858830-f412-11e9-8405-516218e3d268", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-6f0f2ea0-f414-11e9-8405-516218e3d268", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-ffebe440-f419-11e9-8405-516218e3d268", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-e22c6f40-f498-11e9-8405-516218e3d268", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-ee292bc0-f499-11e9-8405-516218e3d268", - "name": "panel_3", - "type": 
"visualization" - }, - { - "id": "windows-400b63e0-f49a-11e9-8405-516218e3d268", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-a5f664c0-f49a-11e9-8405-516218e3d268", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-546febc0-f49b-11e9-8405-516218e3d268", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "windows-98884120-f49d-11e9-8405-516218e3d268", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "windows-9e534190-f49d-11e9-8405-516218e3d268", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-bb9cf7a0-f49d-11e9-8405-516218e3d268", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-ce867840-f49e-11e9-8405-516218e3d268", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "windows-fee83900-f49f-11e9-8405-516218e3d268", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "windows-bc165210-f4b8-11e9-8405-516218e3d268", - "name": "panel_12", - "type": "visualization" - }, - { - "id": "windows-7e178c80-fee1-11e9-8405-516218e3d268", - "name": "panel_13", - "type": "search" - }, - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "panel_14", - "type": "search" - }, - { - "id": "windows-b89b0c90-9b41-11ea-87e4-49f31ec44891", - "name": "panel_15", - "type": "visualization" - }, - { - "id": "windows-58fb9480-9b46-11ea-87e4-49f31ec44891", - "name": "panel_16", - "type": "visualization" - }, - { - "id": "windows-33462600-9b47-11ea-87e4-49f31ec44891", - "name": "panel_17", - "type": "visualization" - }, - { - "id": "windows-e20c02d0-9b48-11ea-87e4-49f31ec44891", - "name": "panel_18", - "type": "visualization" - }, - { - "id": "windows-7de2e3f0-9b4d-11ea-87e4-49f31ec44891", - "name": "panel_19", - "type": "visualization" - }, - { - "id": "windows-a3c3f350-9b6d-11ea-87e4-49f31ec44891", - "name": "panel_20", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file 
diff --git a/packages/system/0.12.1/kibana/dashboard/system-d401ef40-a7d5-11e9-a422-d144027429da.json b/packages/system/0.12.1/kibana/dashboard/system-d401ef40-a7d5-11e9-a422-d144027429da.json deleted file mode 100755 index b5991808e8..0000000000 --- a/packages/system/0.12.1/kibana/dashboard/system-d401ef40-a7d5-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,84 +0,0 @@ -{ - "attributes": { - "description": "Failed and blocked accounts with TSVB metrics.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"1\",\"w\":14,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"Failed Logins\":\"#EF843C\",\"Failed Logons\":\"#E24D42\",\"Successful Login\":\"#B7DBAB\",\"Successful Logon\":\"#9AC48A\"},\"legendOpen\":true,\"title\":\"Login Successful vs Failed\",\"vis\":{\"colors\":{\"Failed Logins\":\"#EF843C\",\"Failed Logons\":\"#BF1B00\",\"Successful Login\":\"#B7DBAB\",\"Successful Logon\":\"#9AC48A\"},\"legendOpen\":true}},\"gridData\":{\"h\":18,\"i\":\"2\",\"w\":12,\"x\":0,\"y\":7},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"title\":\"Login Successful vs Failed\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Blocked Acoounts\"},\"gridData\":{\"h\":21,\"i\":\"3\",\"w\":11,\"x\":12,\"y\":35},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"title\":\"Blocked Acoounts\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"Login Failed\":\"#F9934E\",\"Login OK\":\"#9AC48A\",\"Logon Failed\":\"#E24D42\",\"Logon Successful\":\"#9AC48A\"},\"legendOpen\":true,\"title\":\"Logon Successful and Failed Over time\",\"vis\":{\"colors\":{\"Login Failed\":\"#F9934E\",\"Login OK\":\"#9AC48A\",\"Logon Failed\":\"#BF1B00\",\"Logon Successful\":\"#9AC48A\"},\"legendOpen\":true}},\"gridData\":{\"h\":18,\"i\":\"4\",\"w\":23,\"x\":12,\"y\":7},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"title\":\"Logon Successful and Failed Over 
time\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"5\",\"w\":12,\"x\":0,\"y\":35},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Failed (Time Mosaic View)\",\"vis\":{\"defaultColors\":{\"0 - 5\":\"rgb(255,245,240)\",\"10 - 15\":\"rgb(252,138,106)\",\"15 - 20\":\"rgb(241,68,50)\",\"20 - 24\":\"rgb(188,20,26)\",\"5 - 10\":\"rgb(253,202,181)\"},\"legendOpen\":false}},\"gridData\":{\"h\":30,\"i\":\"6\",\"w\":48,\"x\":0,\"y\":56},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"title\":\"Logon Failed (Time Mosaic View)\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Failed and Account Lockouts\"},\"gridData\":{\"h\":20,\"i\":\"8\",\"w\":48,\"x\":0,\"y\":86},\"panelIndex\":\"8\",\"panelRefName\":\"panel_6\",\"title\":\"Logon Failed and Account Lockouts\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Failed Source IPs\"},\"gridData\":{\"h\":18,\"i\":\"10\",\"w\":13,\"x\":35,\"y\":7},\"panelIndex\":\"10\",\"panelRefName\":\"panel_7\",\"title\":\"Logon Failed Source IPs\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Failed Logins Table\"},\"gridData\":{\"h\":31,\"i\":\"11\",\"w\":25,\"x\":23,\"y\":25},\"panelIndex\":\"11\",\"panelRefName\":\"panel_8\",\"title\":\"Failed Logins 
Table\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"628de26f-7b7b-457c-b811-e06161e4e7b4\",\"w\":34,\"x\":14,\"y\":0},\"panelIndex\":\"628de26f-7b7b-457c-b811-e06161e4e7b4\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":10,\"i\":\"01a624c2-7a86-4fa9-89d3-e2ae84e94ec9\",\"w\":12,\"x\":0,\"y\":25},\"panelIndex\":\"01a624c2-7a86-4fa9-89d3-e2ae84e94ec9\",\"panelRefName\":\"panel_10\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":10,\"i\":\"e3046900-1ffc-4efa-9dab-613d685c617b\",\"w\":11,\"x\":12,\"y\":25},\"panelIndex\":\"e3046900-1ffc-4efa-9dab-613d685c617b\",\"panelRefName\":\"panel_11\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[System Windows Security] Failed and Blocked Accounts", - "version": 1 - }, - "id": "windows-d401ef40-a7d5-11e9-a422-d144027429da", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-c2ea73f0-a4bd-11e9-a422-d144027429da", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-175a5760-a7d5-11e9-a422-d144027429da", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-7a329a00-a7d5-11e9-a422-d144027429da", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-162d7ab0-a7d6-11e9-a422-d144027429da", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-729443b0-a7d6-11e9-a422-d144027429da", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-4b683ac0-a7d7-11e9-a422-d144027429da", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-757510b0-a87f-11e9-a422-d144027429da", - "name": "panel_6", - "type": "search" - }, - { - "id": "windows-2084e300-a884-11e9-a422-d144027429da", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "windows-421f0610-af98-11e9-a422-d144027429da", - "name": 
"panel_8", - "type": "visualization" - }, - { - "id": "windows-a3c3f350-9b6d-11ea-87e4-49f31ec44891", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-8ef59f90-6ab8-11ea-896f-0d70f7ec3956", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "windows-a79395f0-6aba-11ea-896f-0d70f7ec3956", - "name": "panel_11", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/dashboard/system-f49f3170-9ffc-11ea-87e4-49f31ec44891.json b/packages/system/0.12.1/kibana/dashboard/system-f49f3170-9ffc-11ea-87e4-49f31ec44891.json deleted file mode 100755 index b53893ec0b..0000000000 --- a/packages/system/0.12.1/kibana/dashboard/system-f49f3170-9ffc-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,84 +0,0 @@ -{ - "attributes": { - "description": "Failed and blocked accounts.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"1\",\"w\":14,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"Failed Logins\":\"#EF843C\",\"Failed Logons\":\"#E24D42\",\"Successful Login\":\"#B7DBAB\",\"Successful Logon\":\"#9AC48A\"},\"legendOpen\":true,\"title\":\"Login Successful vs Failed\",\"vis\":{\"colors\":{\"Failed Logins\":\"#EF843C\",\"Failed Logons\":\"#BF1B00\",\"Successful Login\":\"#B7DBAB\",\"Successful Logon\":\"#9AC48A\"},\"legendOpen\":true}},\"gridData\":{\"h\":18,\"i\":\"2\",\"w\":12,\"x\":0,\"y\":7},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"title\":\"Login Successful vs Failed\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Blocked Acoounts\"},\"gridData\":{\"h\":21,\"i\":\"3\",\"w\":11,\"x\":12,\"y\":35},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"title\":\"Blocked Acoounts\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"Login Failed\":\"#F9934E\",\"Login OK\":\"#9AC48A\",\"Logon Failed\":\"#E24D42\",\"Logon Successful\":\"#9AC48A\"},\"legendOpen\":true,\"title\":\"Logon Successful and Failed Over time\",\"vis\":{\"colors\":{\"Login Failed\":\"#F9934E\",\"Login OK\":\"#9AC48A\",\"Logon Failed\":\"#BF1B00\",\"Logon Successful\":\"#9AC48A\"},\"legendOpen\":true}},\"gridData\":{\"h\":18,\"i\":\"4\",\"w\":23,\"x\":12,\"y\":7},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"title\":\"Logon Successful and Failed Over 
time\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"5\",\"w\":12,\"x\":0,\"y\":35},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Failed (Time Mosaic View)\",\"vis\":{\"defaultColors\":{\"0 - 5\":\"rgb(255,245,240)\",\"10 - 15\":\"rgb(252,138,106)\",\"15 - 20\":\"rgb(241,68,50)\",\"20 - 24\":\"rgb(188,20,26)\",\"5 - 10\":\"rgb(253,202,181)\"},\"legendOpen\":false}},\"gridData\":{\"h\":30,\"i\":\"6\",\"w\":48,\"x\":0,\"y\":56},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"title\":\"Logon Failed (Time Mosaic View)\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Failed and Account Lockouts\"},\"gridData\":{\"h\":20,\"i\":\"8\",\"w\":48,\"x\":0,\"y\":86},\"panelIndex\":\"8\",\"panelRefName\":\"panel_6\",\"title\":\"Logon Failed and Account Lockouts\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Failed Source IPs\"},\"gridData\":{\"h\":18,\"i\":\"10\",\"w\":13,\"x\":35,\"y\":7},\"panelIndex\":\"10\",\"panelRefName\":\"panel_7\",\"title\":\"Logon Failed Source IPs\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Failed Logins Table\"},\"gridData\":{\"h\":31,\"i\":\"11\",\"w\":25,\"x\":23,\"y\":25},\"panelIndex\":\"11\",\"panelRefName\":\"panel_8\",\"title\":\"Failed Logins 
Table\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"a79ee89f-ff45-486c-9788-9446d39456c2\",\"w\":34,\"x\":14,\"y\":0},\"panelIndex\":\"a79ee89f-ff45-486c-9788-9446d39456c2\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":10,\"i\":\"7765df59-11c4-476d-898f-9ebf98c369e2\",\"w\":11,\"x\":12,\"y\":25},\"panelIndex\":\"7765df59-11c4-476d-898f-9ebf98c369e2\",\"panelRefName\":\"panel_10\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":10,\"i\":\"b47c91d3-58c4-4b5b-b302-444b048efdfa\",\"w\":12,\"x\":0,\"y\":25},\"panelIndex\":\"b47c91d3-58c4-4b5b-b302-444b048efdfa\",\"panelRefName\":\"panel_11\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[System Windows Security] Failed and Blocked Accounts - Simple Metrics", - "version": 1 - }, - "id": "windows-f49f3170-9ffc-11ea-87e4-49f31ec44891", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-c2ea73f0-a4bd-11e9-a422-d144027429da", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-175a5760-a7d5-11e9-a422-d144027429da", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-7a329a00-a7d5-11e9-a422-d144027429da", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-162d7ab0-a7d6-11e9-a422-d144027429da", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-729443b0-a7d6-11e9-a422-d144027429da", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-4b683ac0-a7d7-11e9-a422-d144027429da", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-757510b0-a87f-11e9-a422-d144027429da", - "name": "panel_6", - "type": "search" - }, - { - "id": "windows-2084e300-a884-11e9-a422-d144027429da", - "name": "panel_7", - "type": "visualization" - }, - { - "id": 
"windows-421f0610-af98-11e9-a422-d144027429da", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-d770b040-9b35-11ea-87e4-49f31ec44891", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-5d117970-9ffd-11ea-87e4-49f31ec44891", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "windows-4bedf650-9ffd-11ea-87e4-49f31ec44891", - "name": "panel_11", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/search/system-06b6b060-7a80-11ea-bc9a-0baf2ca323a3.json b/packages/system/0.12.1/kibana/search/system-06b6b060-7a80-11ea-bc9a-0baf2ca323a3.json deleted file mode 100755 index 855283756c..0000000000 --- a/packages/system/0.12.1/kibana/search/system-06b6b060-7a80-11ea-bc9a-0baf2ca323a3.json +++ /dev/null 
@@ -1,50 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.name", - "user.domain", - "winlog.logon.id", - "event.action", - "winlog.logon.type", - "winlog.event_data.SubjectUserName" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4625\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"4625\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "User Logouts [Windows System Security]", - "version": 1 - }, - "id": "windows-06b6b060-7a80-11ea-bc9a-0baf2ca323a3", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file 
diff --git a/packages/system/0.12.1/kibana/search/system-324686c0-fefb-11e9-8405-516218e3d268.json b/packages/system/0.12.1/kibana/search/system-324686c0-fefb-11e9-8405-516218e3d268.json deleted file mode 100755 index c8b43b2e5e..0000000000 --- a/packages/system/0.12.1/kibana/search/system-324686c0-fefb-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "attributes": { - "columns": [ - "event.action", - "winlog.event_data.TargetUserName", - "user.domain", - "user.name", - "winlog.event_data.SubjectDomainName", - "winlog.logon.id", - "related.user" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4720\",\"4722\",\"4723\",\"4724\",\"4725\",\"4726\",\"4738\",\"4740\",\"4767\",\"4781\",\"4798\"],\"type\":\"phrases\",\"value\":\"4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740, 4767, 4781, 4798\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4720\"}},{\"match_phrase\":{\"event.code\":\"4722\"}},{\"match_phrase\":{\"event.code\":\"4723\"}},{\"match_phrase\":{\"event.code\":\"4724\"}},{\"match_phrase\":{\"event.code\":\"4725\"}},{\"match_phrase\":{\"event.code\":\"4726\"}},{\"match_phrase\":{\"event.code\":\"4738\"}},{\"match_phrase\":{\"event.code\":\"4740\"}},{\"match_phrase\":{\"event.code\":\"4767\"}},{\"match_phrase\":{\"event.code\":\"4781\"}},{\"match_phrase\":{\"event.code\":\"4798\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "User management Details - Search [Windows System Security]", - "version": 1 - }, - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/search/system-62439dc0-f9c9-11e6-a747-6121780e0414.json b/packages/system/0.12.1/kibana/search/system-62439dc0-f9c9-11e6-a747-6121780e0414.json deleted file mode 100755 index abdd218801..0000000000 --- a/packages/system/0.12.1/kibana/search/system-62439dc0-f9c9-11e6-a747-6121780e0414.json +++ /dev/null @@ -1,33 +0,0 @@ -{ - "attributes": { - "columns": [ - "system.auth.ssh.event", - "system.auth.ssh.method", - "user.name", - "source.ip", - "source.geo.country_iso_code" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:system.auth AND system.auth.ssh.event:*\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "SSH login attempts [Logs System]", - "version": 1 - }, - "id": "system-62439dc0-f9c9-11e6-a747-6121780e0414", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/search/system-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3.json b/packages/system/0.12.1/kibana/search/system-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3.json deleted file mode 100755 index 7da0171a43..0000000000 --- a/packages/system/0.12.1/kibana/search/system-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3.json +++ /dev/null 
@@ -1,44 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.name", - "source.domain", - "source.ip", - "winlog.logon.id", - "event.action" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4778\",\"4779\"],\"type\":\"phrases\",\"value\":\"4778, 4779\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4778\"}},{\"match_phrase\":{\"event.code\":\"4779\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Remote Interactive Connections and Disconnections [Windows System Security]", - "version": 1 - }, - "id": "windows-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/search/system-757510b0-a87f-11e9-a422-d144027429da.json b/packages/system/0.12.1/kibana/search/system-757510b0-a87f-11e9-a422-d144027429da.json deleted file mode 100755 index 1bd6621baa..0000000000 --- a/packages/system/0.12.1/kibana/search/system-757510b0-a87f-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,51 +0,0 @@ -{ - "attributes": { - "columns": [ - "event.action", - "user.name", - "related.user", - "user.domain", - "source.domain", - "source.ip", - "winlog.event_data.SubjectUserName" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4625\",\"4740\"],\"type\":\"phrases\",\"value\":\"4625, 4740\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4625\"}},{\"match_phrase\":{\"event.code\":\"4740\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "3. 
Login Failed Details", - "version": 1 - }, - "id": "windows-757510b0-a87f-11e9-a422-d144027429da", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/search/system-7e178c80-fee1-11e9-8405-516218e3d268.json b/packages/system/0.12.1/kibana/search/system-7e178c80-fee1-11e9-8405-516218e3d268.json deleted file mode 100755 index 6b0a39627c..0000000000 --- a/packages/system/0.12.1/kibana/search/system-7e178c80-fee1-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,44 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.name", - "source.domain", - "source.ip", - "winlog.logon.id", - "winlog.logon.type" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4624\"],\"type\":\"phrases\",\"value\":\"4624\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4624\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Logon Details [Windows System Security]", - "version": 1 - }, - "id": "windows-7e178c80-fee1-11e9-8405-516218e3d268", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/search/system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab.json b/packages/system/0.12.1/kibana/search/system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab.json deleted file mode 100755 index ae1484339a..0000000000 --- a/packages/system/0.12.1/kibana/search/system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.name", - "user.id", - "group.id", - "system.auth.useradd.home", - "system.auth.useradd.shell" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.useradd:*\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "useradd logs [Logs System]", - "version": 1 - }, - "id": "system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/search/system-9066d5b0-fef2-11e9-8405-516218e3d268.json b/packages/system/0.12.1/kibana/search/system-9066d5b0-fef2-11e9-8405-516218e3d268.json deleted file mode 100755 index daa2105b0b..0000000000 --- a/packages/system/0.12.1/kibana/search/system-9066d5b0-fef2-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,45 +0,0 @@ -{ - "attributes": { - "columns": [ - "event.action", - "group.name", - "group.domain", - "user.name", - "user.domain", - "host.name" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4731\",\"4732\",\"4733\",\"4734\",\"4735\",\"4737\",\"4764\",\"4727\",\"4728\",\"4729\",\"4730\",\"4754\",\"4755\",\"4756\",\"4757\",\"4758\",\"4799\",\"4749\",\"4750\",\"4751\",\"4752\",\"4753\",\"4759\",\"4760\",\"4761\",\"4762\",\"4763\",\"4744\",\"4745\",\"4746\",\"4748\"],\"type\":\"phrases\",\"value\":\"4731, 4732, 4733, 4734, 4735, 4737, 4764, 4727, 4728, 4729, 4730, 4754, 4755, 4756, 4757, 4758, 4799, 4749, 4750, 4751, 4752, 4753, 4759, 4760, 4761, 4762, 4763, 4744, 4745, 4746, 4748\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4731\"}},{\"match_phrase\":{\"event.code\":\"4732\"}},{\"match_phrase\":{\"event.code\":\"4733\"}},{\"match_phrase\":{\"event.code\":\"4734\"}},{\"match_phrase\":{\"event.code\":\"4735\"}},{\"match_phrase\":{\"event.code\":\"4737\"}},{\"match_phrase\":{\"event.code\":\"4764\"}},{\"match_phrase\":{\"event.code\":\"4727\"}},{\"match_phrase\":{\"event.code\":\"4728\"}},{\"match_phrase\":{\"event.code\":\"4729\"}},{\"match_phrase\":{\"event.code\":\"4730\"}},{\"match_phrase\":{\"event.code\":\"4754\"}},{\"match_phrase\":{\"event.code\":\"4755\"}},{\"match_phrase\":{\"event.code\":\"4756\"}},{\"match_phrase\":{\"event.code\":\"4757\"}},{\"match_phrase\":{\"event.code\":\"4758\"}},{\"match_phrase\":{\"event.code\":\"4799\"}},{\"match_phrase\":{\"event.code\":\"4749\"}},{\"match_phrase\":{\"event.code\":\"4750\"}},{\"match_phrase\":{\"event.code\":\"4751\"}},{\"match_phrase\":{\"event.code\":\"4752\"}},{\"match_phrase\":{\"even
t.code\":\"4753\"}},{\"match_phrase\":{\"event.code\":\"4759\"}},{\"match_phrase\":{\"event.code\":\"4760\"}},{\"match_phrase\":{\"event.code\":\"4761\"}},{\"match_phrase\":{\"event.code\":\"4762\"}},{\"match_phrase\":{\"event.code\":\"4763\"}},{\"match_phrase\":{\"event.code\":\"4744\"}},{\"match_phrase\":{\"event.code\":\"4745\"}},{\"match_phrase\":{\"event.code\":\"4746\"}},{\"match_phrase\":{\"event.code\":\"4748\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Group Management Details - Search View [Windows System Security]", - "version": 1 - }, - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/search/system-Syslog-system-logs.json b/packages/system/0.12.1/kibana/search/system-Syslog-system-logs.json deleted file mode 100755 index 6a2ef982d2..0000000000 --- a/packages/system/0.12.1/kibana/search/system-Syslog-system-logs.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "columns": [ - "host.hostname", - "process.name", - "message" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:system.syslog\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Syslog logs [Logs System]", - "version": 1 - }, - "id": "system-Syslog-system-logs", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/search/system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a.json b/packages/system/0.12.1/kibana/search/system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a.json deleted file mode 100755 index e64a483853..0000000000 --- a/packages/system/0.12.1/kibana/search/system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.name", - "system.auth.sudo.user", - "system.auth.sudo.pwd", - "system.auth.sudo.command" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.sudo:*\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Sudo commands [Logs System]", - "version": 1 - }, - "id": "system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/search/system-ce71c9a0-a25e-11e9-a422-d144027429da.json b/packages/system/0.12.1/kibana/search/system-ce71c9a0-a25e-11e9-a422-d144027429da.json deleted file mode 100755 index 71bb7ef90e..0000000000 --- a/packages/system/0.12.1/kibana/search/system-ce71c9a0-a25e-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,44 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.name", - "winlog.logon.type", - "source.domain", - "source.ip", - "winlog.logon.id" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4624\"},\"type\":\"phrase\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4624\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "User Logons [Windows System Security]", - "version": 1 - }, - "id": "windows-ce71c9a0-a25e-11e9-a422-d144027429da", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/search/system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38.json b/packages/system/0.12.1/kibana/search/system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38.json deleted file mode 100755 index e05ac92d9b..0000000000 --- a/packages/system/0.12.1/kibana/search/system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "columns": [ - "group.name", - "group.id" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.groupadd:*\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "groupadd logs [Logs System]", - "version": 1 - }, - "id": "system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-006d75f0-9c03-11ea-87e4-49f31ec44891.json b/packages/system/0.12.1/kibana/visualization/system-006d75f0-9c03-11ea-87e4-49f31ec44891.json deleted file mode 100755 index 990831f624..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-006d75f0-9c03-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4624\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"4624\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Logon Types [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"winlog.logon.id\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"winlog.logon.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"label\":\"user.name: Descending\",\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"cardinality\",\"format\":{\"id\":\"number\"},\"label\":\"Unique count of winlog.logon.id\",\"params\":{}}},\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Logon Types [Windows System Security]\",\"type\":\"pie\"}" - }, - "id": 
"windows-006d75f0-9c03-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.12.1/kibana/visualization/system-0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf.json deleted file mode 100755 index be217ccae6..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4722\"},\"type\":\"phrase\",\"value\":\"4722\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4722\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security \"}}" - }, - "title": "Users Enabled - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Enabled User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Enabled - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-0622da40-9bfd-11ea-87e4-49f31ec44891.json b/packages/system/0.12.1/kibana/visualization/system-0622da40-9bfd-11ea-87e4-49f31ec44891.json deleted file mode 100755 index ce6162e247..0000000000 
--- a/packages/system/0.12.1/kibana/visualization/system-0622da40-9bfd-11ea-87e4-49f31ec44891.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Administrator Logons [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"d5bcde50-9bfc-11ea-aaa3-618beeff2d9c\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(181,49,0,1)\",\"id\":\"16018150-9bfd-11ea-aaa3-618beeff2d9c\",\"operator\":\"gte\",\"value\":0}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"filter\":{\"language\":\"kuery\",\"query\":\"((data_stream.dataset:windows.security OR data_stream.dataset:system.security) AND event.code: \\\"4672\\\")\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Administrator Logons\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Administrator Logons [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-0622da40-9bfd-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.1/kibana/visualization/system-089b85d0-1b16-11e7-b09e-037021c4f8df.json b/packages/system/0.12.1/kibana/visualization/system-089b85d0-1b16-11e7-b09e-037021c4f8df.json deleted file mode 100755 index 40175102f6..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-089b85d0-1b16-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Network Traffic (Bytes) [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"lucene\",\"query\":\"-system.network.name:l*\"},\"id\":\"da1046f0-faa0-11e6-86b1-cd7735ff7e23\",\"index_pattern\":\"*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"da1046f1-faa0-11e6-86b1-cd7735ff7e23\",\"label\":\"Inbound \",\"line_width\":\"0\",\"metrics\":[{\"field\":\"system.network.in.bytes\",\"id\":\"da1046f2-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"max\"},{\"field\":\"da1046f2-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"f41f9280-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"field\":\"f41f9280-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"a87398e0-1b93-11e7-8ada-3df93aab833e\",\"type\":\"positive_only\",\"unit\":\"\"},{\"function\":\"sum\",\"id\":\"2d533df0-2c2d-11e7-be71-3162da85303f\",\"type\":\"series_agg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(250,40,255,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"fbbd5720-faa0-11e6-86b1-cd7735ff7e23\",\"label\":\"Outbound 
\",\"line_width\":\"0\",\"metrics\":[{\"field\":\"system.network.out.bytes\",\"id\":\"fbbd7e30-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"max\"},{\"field\":\"fbbd7e30-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"fbbd7e31-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"id\":\"17e597a0-faa1-11e6-86b1-cd7735ff7e23\",\"script\":\"params.rate != null \\u0026\\u0026 params.rate \\u003e 0 ? params.rate * -1 : null\",\"type\":\"calculation\",\"variables\":[{\"field\":\"fbbd7e31-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"1940bad0-faa1-11e6-86b1-cd7735ff7e23\",\"name\":\"rate\"}]},{\"function\":\"sum\",\"id\":\"533da9b0-2c2d-11e7-be71-3162da85303f\",\"type\":\"series_agg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"Mericbeat: Network Traffic (Bytes)\",\"type\":\"metrics\"}" - }, - "id": "system-089b85d0-1b16-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-0cb2d940-bcde-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.12.1/kibana/visualization/system-0cb2d940-bcde-11e9-b6a2-c9b4015c4baf.json deleted file mode 100755 index 5976994a0e..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-0cb2d940-bcde-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4725\"},\"type\":\"phrase\",\"value\":\"4725\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4725\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Disabled - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Disabled Users\",\"field\":\"user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Disabled - Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-0cb2d940-bcde-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - 
], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-0f2f5280-feeb-11e9-8405-516218e3d268.json b/packages/system/0.12.1/kibana/visualization/system-0f2f5280-feeb-11e9-8405-516218e3d268.json deleted file mode 100755 index 4f9e00daa9..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-0f2f5280-feeb-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4799\"},\"type\":\"phrase\",\"value\":\"4799\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4799\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Group Membership Enumeration - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Group Membership Enumerated\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Blues\",\"colorsRange\":[{\"from\":0,\"to\":500,\"type\":\"range\"},{\"from\":500,\"to\":20000},{\"from\":20000,\"to\":30000},{\"from\":30000,\"to\":40000}],\"invertColors\":true,\"labels\":{\"show\":true},\"metricColorMode\":\"Labels\",\"percentageMode\":false,\"style\":{\"bgColor\":true,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Group Membership Enumeration - Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-0f2f5280-feeb-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-102efd20-bcdd-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.12.1/kibana/visualization/system-102efd20-bcdd-11e9-b6a2-c9b4015c4baf.json deleted file mode 100755 index 72d6ab928a..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-102efd20-bcdd-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4720\"},\"type\":\"phrase\",\"value\":\"4720\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4720\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Created - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Users Created\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Created - Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-102efd20-bcdd-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ 
No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-117f5a30-9b71-11ea-87e4-49f31ec44891.json b/packages/system/0.12.1/kibana/visualization/system-117f5a30-9b71-11ea-87e4-49f31ec44891.json deleted file mode 100755 index 81a2dbc572..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-117f5a30-9b71-11ea-87e4-49f31ec44891.json +++ /dev/null @@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Target Users [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Target Users [Windows System Security]\",\"type\":\"tagcloud\"}" - }, - "id": "windows-117f5a30-9b71-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-12667040-fa80-11e6-a1df-a78bd7504d38.json b/packages/system/0.12.1/kibana/visualization/system-12667040-fa80-11e6-a1df-a78bd7504d38.json deleted file mode 100755 index 8c5d8b0366..0000000000 
--- a/packages/system/0.12.1/kibana/visualization/system-12667040-fa80-11e6-a1df-a78bd7504d38.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New groups [Logs System]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"group.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"group.id\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"New groups\",\"type\":\"table\"}" - }, - "id": "system-12667040-fa80-11e6-a1df-a78bd7504d38", - "references": [ - { - "id": "system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-162d7ab0-a7d6-11e9-a422-d144027429da.json b/packages/system/0.12.1/kibana/visualization/system-162d7ab0-a7d6-11e9-a422-d144027429da.json deleted file mode 100755 index af34020d93..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-162d7ab0-a7d6-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Logon Successful - Logon Failed Timeline [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Login Failed\":\"#F9934E\",\"Login OK\":\"#9AC48A\",\"Logon Failed\":\"#EF843C\",\"Logon Successful\":\"#9AC48A\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"2020-05-17T09:37:55.995Z\",\"to\":\"2020-05-22T03:09:27.260Z\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"filters\":[{\"input\":{\"language\":\"lucene\",\"query\":\"event.code: 4624\"},\"label\":\"Logon Successful\"},{\"input\":{\"language\":\"lucene\",\"query\":\"event.code: 4625\"},\"label\":\"Logon 
Failed\"}]},\"schema\":\"group\",\"type\":\"filters\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"dimensions\":{\"series\":[{\"accessor\":1,\"aggType\":\"filters\",\"format\":{},\"params\":{}}],\"x\":{\"accessor\":0,\"aggType\":\"date_histogram\",\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"HH:mm\"}},\"params\":{\"bounds\":{\"max\":\"2019-07-16T14:30:11.515Z\",\"min\":\"2019-07-16T12:30:11.514Z\"},\"date\":true,\"format\":\"HH:mm\",\"interval\":\"PT1M\"}},\"y\":[{\"accessor\":2,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"bottom\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Logon Successful - Logon Failed Timeline [Windows System Security]\",\"type\":\"histogram\"}" - }, - "id": "windows-162d7ab0-a7d6-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-175a5760-a7d5-11e9-a422-d144027429da.json b/packages/system/0.12.1/kibana/visualization/system-175a5760-a7d5-11e9-a422-d144027429da.json deleted file mode 100755 index f297060faf..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-175a5760-a7d5-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Logon Successful vs Failed [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Failed Logins\":\"#EF843C\",\"Failed Logons\":\"#EA6460\",\"Successful Login\":\"#B7DBAB\",\"Successful Logon\":\"#B7DBAB\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"filters\":[{\"input\":{\"language\":\"lucene\",\"query\":\"event.code: 4624\"},\"label\":\"Successful Logon\"},{\"input\":{\"language\":\"lucene\",\"query\":\"event.code: 4625\"},\"label\":\"Failed Logons\"}]},\"schema\":\"segment\",\"type\":\"filters\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"filters\",\"format\":{},\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}},\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"bottom\",\"type\":\"pie\"},\"title\":\"Logon Successful vs Failed [Windows System Security]\",\"type\":\"pie\"}" - }, - "id": "windows-175a5760-a7d5-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ 
- "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-18348f30-a24d-11e9-a422-d144027429da.json b/packages/system/0.12.1/kibana/visualization/system-18348f30-a24d-11e9-a422-d144027429da.json deleted file mode 100755 index ed999cad48..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-18348f30-a24d-11e9-a422-d144027429da.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "User Logon Dashboard [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":10,\"markdown\":\"## **Logon Information Dashboard**\",\"openLinksInNewTab\":false},\"title\":\"User Logon Dashboard [Windows System Security]\",\"type\":\"markdown\"}" - }, - "id": "windows-18348f30-a24d-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-19e123b0-4d5a-11e7-aee5-fdc812cc3bec.json b/packages/system/0.12.1/kibana/visualization/system-19e123b0-4d5a-11e7-aee5-fdc812cc3bec.json deleted file mode 100755 index dfaa630e4a..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-19e123b0-4d5a-11e7-aee5-fdc812cc3bec.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Swap usage [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.memory\\\"\"},\"gauge_color_rules\":[{\"gauge\":\"rgba(104,188,0,1)\",\"id\":\"d17c1e90-4d59-11e7-aee5-fdc812cc3bec\",\"operator\":\"gte\",\"value\":0},{\"gauge\":\"rgba(251,158,0,1)\",\"id\":\"fc1d3490-4d59-11e7-aee5-fdc812cc3bec\",\"operator\":\"gte\",\"value\":0.7},{\"gauge\":\"rgba(211,49,21,1)\",\"id\":\"0e204240-4d5a-11e7-aee5-fdc812cc3bec\",\"operator\":\"gte\",\"value\":0.85}],\"gauge_inner_width\":10,\"gauge_max\":\"\",\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"cee2fd20-4d59-11e7-aee5-fdc812cc3bec\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"cee2fd21-4d59-11e7-aee5-fdc812cc3bec\",\"label\":\"Swap usage\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.swap.used.pct\",\"id\":\"cee2fd22-4d59-11e7-aee5-fdc812cc3bec\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\"},\"title\":\"Swap usage [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-19e123b0-4d5a-11e7-aee5-fdc812cc3bec", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.1/kibana/visualization/system-1aae9140-1b93-11e7-8ada-3df93aab833e.json b/packages/system/0.12.1/kibana/visualization/system-1aae9140-1b93-11e7-8ada-3df93aab833e.json deleted file mode 100755 index 1c420ec4c8..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-1aae9140-1b93-11e7-8ada-3df93aab833e.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Outbound Traffic [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"0e346760-1b92-11e7-bec4-a5e9ec5cab8b\"}],\"filter\":{\"language\":\"lucene\",\"query\":\"-system.network.name:l*\"},\"id\":\"0c761590-1b92-11e7-bec4-a5e9ec5cab8b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"0c761591-1b92-11e7-bec4-a5e9ec5cab8b\",\"label\":\"Outbound Traffic\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.out.bytes\",\"id\":\"0c761592-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"max\"},{\"field\":\"0c761592-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"1d659060-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"field\":\"1d659060-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"f2074f70-1b92-11e7-a416-41f5ccdba2e6\",\"type\":\"positive_only\",\"unit\":\"\"},{\"function\":\"sum\",\"id\":\"a1737470-2c55-11e7-a0ad-277ce466684d\",\"type\":\"series_agg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"37f70440-1b92-11e7-bec4-a5e9ec5cab8b\",\"label\":\"Total 
Transferred\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.out.bytes\",\"id\":\"37f72b50-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"max\"},{\"field\":\"37f72b50-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"37f72b51-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"derivative\",\"unit\":\"\"},{\"field\":\"37f72b51-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"f9da2dd0-1b92-11e7-a416-41f5ccdba2e6\",\"type\":\"positive_only\",\"unit\":\"\"},{\"field\":\"f9da2dd0-1b92-11e7-a416-41f5ccdba2e6\",\"function\":\"overall_sum\",\"id\":\"3e63c2f0-1b92-11e7-bec4-a5e9ec5cab8b\",\"sigma\":\"\",\"type\":\"series_agg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"metric\"},\"title\":\"Outbound Traffic [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-1aae9140-1b93-11e7-8ada-3df93aab833e", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-1b5f17d0-feea-11e9-8405-516218e3d268.json b/packages/system/0.12.1/kibana/visualization/system-1b5f17d0-feea-11e9-8405-516218e3d268.json deleted file mode 100755 index 25769759b6..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-1b5f17d0-feea-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4733\",\"4729\",\"4757\",\"4786\",\"4788\",\"4752\",\"4762\",\"4747\"],\"type\":\"phrases\",\"value\":\"4733, 4729, 4757, 4786, 4788, 4752, 4762, 4747\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4733\"}},{\"match_phrase\":{\"event.code\":\"4729\"}},{\"match_phrase\":{\"event.code\":\"4757\"}},{\"match_phrase\":{\"event.code\":\"4786\"}},{\"match_phrase\":{\"event.code\":\"4788\"}},{\"match_phrase\":{\"event.code\":\"4752\"}},{\"match_phrase\":{\"event.code\":\"4762\"}},{\"match_phrase\":{\"event.code\":\"4747\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Removed from Group - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Users Removed from 
Groups\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Greens\",\"colorsRange\":[{\"from\":0,\"to\":1,\"type\":\"range\"},{\"from\":1,\"to\":5},{\"from\":5,\"to\":9},{\"from\":9,\"to\":13},{\"from\":13,\"to\":17},{\"from\":17,\"to\":20000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"Labels\",\"percentageMode\":false,\"style\":{\"bgColor\":true,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Removed from Group - Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-1b5f17d0-feea-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-1b6725f0-ff1d-11e9-8405-516218e3d268.json b/packages/system/0.12.1/kibana/visualization/system-1b6725f0-ff1d-11e9-8405-516218e3d268.json deleted file mode 100755 index 8e66316843..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-1b6725f0-ff1d-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Unlocks - TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(116,167,167,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4767\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Unlocks\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Unlocks - TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-1b6725f0-ff1d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.1/kibana/visualization/system-1f271bc0-231a-11ea-8405-516218e3d268.json b/packages/system/0.12.1/kibana/visualization/system-1f271bc0-231a-11ea-8405-516218e3d268.json deleted file mode 100755 index 484d0a4e46..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-1f271bc0-231a-11ea-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Renamed TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(110,139,162,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4781\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Renamed\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Renamed TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-1f271bc0-231a-11ea-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.1/kibana/visualization/system-2084e300-a884-11e9-a422-d144027429da.json b/packages/system/0.12.1/kibana/visualization/system-2084e300-a884-11e9-a422-d144027429da.json deleted file mode 100755 index a9120ab5fe..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-2084e300-a884-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4625\"},\"type\":\"phrase\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4625\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Logon Failed Source IP [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"type\":\"vis_dimension\"},\"maxFontSize\":38,\"metric\":{\"accessor\":1,\"format\":{\"id\":\"string\",\"params\":{}},\"type\":\"vis_dimension\"},\"minFontSize\":10,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Logon Failed Source IP [Windows System Security]\",\"type\":\"tagcloud\"}" - }, - "id": "windows-2084e300-a884-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-21aadac0-9c0b-11ea-87e4-49f31ec44891.json b/packages/system/0.12.1/kibana/visualization/system-21aadac0-9c0b-11ea-87e4-49f31ec44891.json deleted file mode 100755 index 856a3b952b..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-21aadac0-9c0b-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security \"}}" - }, - "savedSearchRefName": "search_0", - "title": "Logon Sources [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Logon Sources [Windows System Security]\",\"type\":\"tagcloud\"}" - }, - "id": "windows-21aadac0-9c0b-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-7e178c80-fee1-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-25f31ee0-9c23-11ea-87e4-49f31ec44891.json b/packages/system/0.12.1/kibana/visualization/system-25f31ee0-9c23-11ea-87e4-49f31ec44891.json deleted file mode 100755 index 1a69934c0e..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-25f31ee0-9c23-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4648\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"4648\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Logon with Explicit Credentials [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"user.name\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":200},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"subjectUserName\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"source.ip\",\"field\":\"source.ip\",\"json\":\"{\\\"missing\\\": 
\\\"::\\\"}\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Logon with Explicit Credentials [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-25f31ee0-9c23-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-26732e20-1b91-11e7-bec4-a5e9ec5cab8b.json b/packages/system/0.12.1/kibana/visualization/system-26732e20-1b91-11e7-bec4-a5e9ec5cab8b.json deleted file mode 100755 index 2ca5154a30..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-26732e20-1b91-11e7-bec4-a5e9ec5cab8b.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Load Gauge [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"feefabd0-1b90-11e7-bec4-a5e9ec5cab8b\"}],\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.load\\\" \"},\"gauge_color_rules\":[{\"id\":\"ffd94880-1b90-11e7-bec4-a5e9ec5cab8b\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"fdcc6180-1b90-11e7-bec4-a5e9ec5cab8b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"fdcc6181-1b90-11e7-bec4-a5e9ec5cab8b\",\"label\":\"5m Load\",\"line_width\":1,\"metrics\":[{\"field\":\"system.load.5\",\"id\":\"fdcc6182-1b90-11e7-bec4-a5e9ec5cab8b\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\"},\"title\":\"Load Gauge [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-26732e20-1b91-11e7-bec4-a5e9ec5cab8b", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-26877510-9b72-11ea-87e4-49f31ec44891.json b/packages/system/0.12.1/kibana/visualization/system-26877510-9b72-11ea-87e4-49f31ec44891.json deleted file mode 100755 index 5f69654d68..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-26877510-9b72-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "User Management Actions [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"User Management Actions [Windows System Security]\",\"type\":\"pie\"}" - }, - "id": "windows-26877510-9b72-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-2c71e0f0-9c0d-11ea-87e4-49f31ec44891.json b/packages/system/0.12.1/kibana/visualization/system-2c71e0f0-9c0d-11ea-87e4-49f31ec44891.json deleted file mode 100755 index 642657604a..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-2c71e0f0-9c0d-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4624\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"4624\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Logons Simple [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Logons\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"aggType\":\"cardinality\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Logons Simple [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-2c71e0f0-9c0d-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.1/kibana/visualization/system-2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.12.1/kibana/visualization/system-2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf.json deleted file mode 100755 index 1665d338ef..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "User Management Events - Description [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":10,\"markdown\":\"# **User Management Events**\\n\\n#### This dashboard shows information about User Management Events collected by winlogbeat\\n\",\"openLinksInNewTab\":false},\"title\":\"User Management Events - Description [Windows System Security]\",\"type\":\"markdown\"}" - }, - "id": "windows-2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-2e224660-1b19-11e7-b09e-037021c4f8df.json b/packages/system/0.12.1/kibana/visualization/system-2e224660-1b19-11e7-b09e-037021c4f8df.json deleted file mode 100755 index 75186de954..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-2e224660-1b19-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Processes By Memory [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"bar_color\":\"rgba(104,188,0,1)\",\"id\":\"efb9b660-1b18-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0},{\"bar_color\":\"rgba(254,146,0,1)\",\"id\":\"17fcb820-1b19-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.7},{\"bar_color\":\"rgba(211,49,21,1)\",\"id\":\"1dd61070-1b19-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.85}],\"drilldown_url\":\"\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.process\\\" \"},\"id\":\"edfceb30-1b18-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"edfceb31-1b18-11e7-b09e-037021c4f8df\",\"line_width\":1,\"metrics\":[{\"field\":\"system.process.memory.rss.pct\",\"id\":\"edfceb32-1b18-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"process.name\",\"terms_order_by\":\"edfceb32-1b18-11e7-b09e-037021c4f8df\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Processes By Memory [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-2e224660-1b19-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.1/kibana/visualization/system-327417e0-8462-11e7-bab8-bd2f0fb42c54.json b/packages/system/0.12.1/kibana/visualization/system-327417e0-8462-11e7-bab8-bd2f0fb42c54.json deleted file mode 100755 index 464f6c729c..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-327417e0-8462-11e7-bab8-bd2f0fb42c54.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Dashboards [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"[Syslog](#/dashboard/system-Filebeat-syslog-dashboard) | [Sudo commands](#/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a) | [SSH logins](#/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a) | [New users and groups](#/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab)\"},\"title\":\"Dashboards [Logs System]\",\"type\":\"markdown\"}" - }, - "id": "system-327417e0-8462-11e7-bab8-bd2f0fb42c54", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-33462600-9b47-11ea-87e4-49f31ec44891.json b/packages/system/0.12.1/kibana/visualization/system-33462600-9b47-11ea-87e4-49f31ec44891.json deleted file mode 100755 index 38ebd23ecd..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-33462600-9b47-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Group Management Events - Event Actions - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"event.action\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"event.code\",\"field\":\"event.code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Group Management Events - Event Actions - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-33462600-9b47-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.1/kibana/visualization/system-341ffe70-f9ce-11e6-8115-a7c18106d86a.json b/packages/system/0.12.1/kibana/visualization/system-341ffe70-f9ce-11e6-8115-a7c18106d86a.json deleted file mode 100755 index f155739938..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-341ffe70-f9ce-11e6-8115-a7c18106d86a.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.ssh.event:Failed OR system.auth.ssh.event:Invalid\"}}" - }, - "title": "SSH users of failed login attempts [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"scale\":\"linear\"},\"title\":\"SSH users of failed login attempts\",\"type\":\"tagcloud\"}" - }, - "id": "system-341ffe70-f9ce-11e6-8115-a7c18106d86a", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-346bb290-fa80-11e6-a1df-a78bd7504d38.json b/packages/system/0.12.1/kibana/visualization/system-346bb290-fa80-11e6-a1df-a78bd7504d38.json deleted file mode 100755 index 0ad2f78f65..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-346bb290-fa80-11e6-a1df-a78bd7504d38.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New groups over time [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"group.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"bottom\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"New groups over time\",\"type\":\"histogram\"}" - }, - "id": "system-346bb290-fa80-11e6-a1df-a78bd7504d38", - "references": [ - { - "id": "system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-34f97ee0-1b96-11e7-8ada-3df93aab833e.json b/packages/system/0.12.1/kibana/visualization/system-34f97ee0-1b96-11e7-8ada-3df93aab833e.json deleted file mode 100755 index 89d9b0fae2..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-34f97ee0-1b96-11e7-8ada-3df93aab833e.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Disk Usage [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"bar_color_rules\":[{\"bar_color\":\"rgba(104,188,0,1)\",\"id\":\"bf525310-1b95-11e7-8ada-3df93aab833e\",\"operator\":\"gte\",\"value\":0},{\"bar_color\":\"rgba(254,146,0,1)\",\"id\":\"125fc4c0-1b96-11e7-8ada-3df93aab833e\",\"operator\":\"gte\",\"value\":0.7},{\"bar_color\":\"rgba(211,49,21,1)\",\"id\":\"1a5c7240-1b96-11e7-8ada-3df93aab833e\",\"operator\":\"gte\",\"value\":0.85}],\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"drilldown_url\":\"\",\"filter\":{\"language\":\"lucene\",\"query\":\"-system.filesystem.mount_point:\\\\/run* AND -system.filesystem.mount_point:\\\\/sys* AND -system.filesystem.mount_point:\\\\/dev* AND -system.filesystem.mount_point:\\\\/proc* AND -system.filesystem.mount_point:\\\\/var* AND 
-system.filesystem.mount_point:\\\\/boot\"},\"id\":\"9f7e48a0-1b95-11e7-8ada-3df93aab833e\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"9f7e48a1-1b95-11e7-8ada-3df93aab833e\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"system.filesystem.used.pct\",\"id\":\"9f7e48a2-1b95-11e7-8ada-3df93aab833e\",\"order\":\"desc\",\"order_by\":\"@timestamp\",\"size\":1,\"type\":\"top_hit\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.filesystem.mount_point\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"top_n\"},\"title\":\"Disk Usage [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-34f97ee0-1b96-11e7-8ada-3df93aab833e", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-3cec3eb0-f9d3-11e6-8a3e-2b904044ea1d.json b/packages/system/0.12.1/kibana/visualization/system-3cec3eb0-f9d3-11e6-8a3e-2b904044ea1d.json deleted file mode 100755 index c9e1455d68..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-3cec3eb0-f9d3-11e6-8a3e-2b904044ea1d.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.ssh.event:Failed OR system.auth.ssh.event:Invalid\"}}" - }, - "title": "SSH failed login attempts source locations [Logs System]", - "uiStateJSON": "{\"mapCenter\":[17.602139123350838,69.697265625],\"mapZoom\":2}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"autoPrecision\":true,\"field\":\"source.geo.location\",\"precision\":2},\"schema\":\"segment\",\"type\":\"geohash_grid\"}],\"listeners\":{},\"params\":{\"addTooltip\":true,\"heatBlur\":15,\"heatMaxZoom\":16,\"heatMinOpacity\":0.1,\"heatNormalizeData\":true,\"heatRadius\":25,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[15,5],\"mapType\":\"Shaded Circle Markers\",\"mapZoom\":2,\"wms\":{\"enabled\":false,\"options\":{\"attribution\":\"Maps provided by USGS\",\"format\":\"image/png\",\"layers\":\"0\",\"styles\":\"\",\"transparent\":true,\"version\":\"1.3.0\"},\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\"}},\"title\":\"SSH failed login attempts source locations\",\"type\":\"tile_map\"}" - }, - "id": "system-3cec3eb0-f9d3-11e6-8a3e-2b904044ea1d", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-3d65d450-a9c3-11e7-af20-67db8aecb295.json b/packages/system/0.12.1/kibana/visualization/system-3d65d450-a9c3-11e7-af20-67db8aecb295.json deleted file mode 100755 index 467738abc7..0000000000 
--- a/packages/system/0.12.1/kibana/visualization/system-3d65d450-a9c3-11e7-af20-67db8aecb295.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Tip [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"**TIP:** To select another host, go to the [System Overview](#/dashboard/system-Metrics-system-overview) dashboard and double-click a host name.\"},\"title\":\"Tip [Metrics System]\",\"type\":\"markdown\"}" - }, - "id": "system-3d65d450-a9c3-11e7-af20-67db8aecb295", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-400b63e0-f49a-11e9-8405-516218e3d268.json b/packages/system/0.12.1/kibana/visualization/system-400b63e0-f49a-11e9-8405-516218e3d268.json deleted file mode 100755 index bb1b70ae03..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-400b63e0-f49a-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Groups Changed TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(200,201,197,1)\",\"id\":\"bfcaced0-f419-11e9-928e-8f5fd2b6c66e\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(221,186,64,1)\",\"id\":\"a7d935e0-f497-11e9-928e-8f5fd2b6c66e\",\"operator\":\"gt\",\"value\":0}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code:4735 OR event.code:4737 OR event.code:\\\"4755\\\" OR event.code:\\\"4764\\\" OR event.code:\\\"4750\\\" OR event.code:\\\"4760\\\" OR event.code:\\\"4745\\\" OR event.code:\\\"4784\\\" OR event.code:\\\"4791\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"60d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Groups Changed\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Groups Changed TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-400b63e0-f49a-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.1/kibana/visualization/system-421f0610-af98-11e9-a422-d144027429da.json b/packages/system/0.12.1/kibana/visualization/system-421f0610-af98-11e9-a422-d144027429da.json deleted file mode 100755 index 4a1aa9d3c1..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-421f0610-af98-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4625\"},\"type\":\"phrase\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4625\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Logon Failed Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Time 
Bucket\",\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"h\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"2020-05-17T09:37:55.995Z\",\"to\":\"2020-05-22T03:09:27.260Z\"},\"useNormalizedEsInterval\":true},\"schema\":\"bucket\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"user.name\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"source workstation\",\"field\":\"source.domain\",\"json\":\"{\\\"missing\\\": \\\"N/A\\\"}\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"source.ip\",\"field\":\"source.ip\",\"json\":\"{\\\"missing\\\": 
\\\"::\\\"}\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"event.action\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"winlog.logon.type\",\"field\":\"winlog.logon.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"8\",\"params\":{\"customLabel\":\"winlog.event_data.SubjectUserName\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"date_histogram\",\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD 
HH:mm\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":4,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":5,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":15,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Logon Failed Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-421f0610-af98-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.12.1/kibana/visualization/system-4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf.json deleted file mode 100755 index 17ebedc7ae..0000000000 
--- a/packages/system/0.12.1/kibana/visualization/system-4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4740\"},\"type\":\"phrase\",\"value\":\"4740\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4740\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Locked Out - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Locked User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Locked Out - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-4b683ac0-a7d7-11e9-a422-d144027429da.json b/packages/system/0.12.1/kibana/visualization/system-4b683ac0-a7d7-11e9-a422-d144027429da.json deleted file mode 100755 index b23bd8e0c2..0000000000 
--- a/packages/system/0.12.1/kibana/visualization/system-4b683ac0-a7d7-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4625\"],\"type\":\"phrases\",\"value\":\"4625\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4625\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Failed Logon HeatMap [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 4\":\"rgb(255,255,204)\",\"12 - 16\":\"rgb(252,91,46)\",\"16 - 20\":\"rgb(212,16,32)\",\"4 - 8\":\"rgb(254,225,135)\",\"8 - 12\":\"rgb(254,171,73)\"}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"drop_partials\":true,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"h\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"2020-05-17T09:37:55.995Z\",\"to\":\"2020-05-22T03:09:27.260Z\"},\"useNormalizedEsInterval\":true},\"schema\":\"group\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTooltip\":false,\"colorSchema\":\"Yellow to Red\",\"colorsNumber\":5,\"colorsRange\":[],\"dimensions\":{\"series\":[{\"accessor\":1,\"aggType\":\"date_histogram\",\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD HH:mm\"}},\"label\":\"@timestamp per hour\",\"params\":{}}],\"x\":{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"label\":\"user.name: Descending\",\"params\":{}},\"y\":[{\"accessor\":2,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}}]},\"enableHover\":true,\"invertColors\":false,\"legendPosition\":\"bottom\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"type\":\"heatmap\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"black\",\"overwriteColor\":false,\"rotate\":0,\"show\":true},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Failed Logon HeatMap [Windows System Security]\",\"type\":\"heatmap\"}" - }, - "id": 
"windows-4b683ac0-a7d7-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-4bedf650-9ffd-11ea-87e4-49f31ec44891.json b/packages/system/0.12.1/kibana/visualization/system-4bedf650-9ffd-11ea-87e4-49f31ec44891.json deleted file mode 100755 index 87a436f81d..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-4bedf650-9ffd-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4625\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"4625\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": " Failed Logons [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Failed Logons\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\" Failed Logons [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-4bedf650-9ffd-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": 
"index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-4d546850-1b15-11e7-b09e-037021c4f8df.json b/packages/system/0.12.1/kibana/visualization/system-4d546850-1b15-11e7-b09e-037021c4f8df.json deleted file mode 100755 index cd04472792..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-4d546850-1b15-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "System Load [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.load\\\"\"},\"id\":\"f6264ad0-1b14-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(115,216,255,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"f62671e0-1b14-11e7-b09e-037021c4f8df\",\"label\":\"1m\",\"line_width\":\"3\",\"metrics\":[{\"field\":\"system.load.1\",\"id\":\"f62671e1-1b14-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"1c324850-1b15-11e7-b09e-037021c4f8df\",\"label\":\"5m\",\"line_width\":\"3\",\"metrics\":[{\"field\":\"system.load.5\",\"id\":\"1c324851-1b15-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,98,177,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"3287e740-1b15-11e7-b09e-037021c4f8df\",\"label\":\"15m\",\"line_width\":\"3\",\"metrics\":[{\"field\":\"system.load.15\",\"id\":\"32880e50-1b15-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"
title\":\"System Load [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-4d546850-1b15-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-4e4bb1e0-1b1b-11e7-b09e-037021c4f8df.json b/packages/system/0.12.1/kibana/visualization/system-4e4bb1e0-1b1b-11e7-b09e-037021c4f8df.json deleted file mode 100755 index 4bdb84e270..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-4e4bb1e0-1b1b-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Disk IO (Bytes) [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.diskio\\\"\"},\"id\":\"d3c67db0-1b1a-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(22,165,165,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"d3c67db1-1b1a-11e7-b09e-037021c4f8df\",\"label\":\"reads\",\"line_width\":1,\"metrics\":[{\"field\":\"system.diskio.read.bytes\",\"id\":\"d3c67db2-1b1a-11e7-b09e-037021c4f8df\",\"type\":\"max\"},{\"field\":\"d3c67db2-1b1a-11e7-b09e-037021c4f8df\",\"id\":\"f55b9910-1b1a-11e7-b09e-037021c4f8df\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"field\":\"f55b9910-1b1a-11e7-b09e-037021c4f8df\",\"id\":\"dcbbb100-1b93-11e7-8ada-3df93aab833e\",\"type\":\"positive_only\",\"unit\":\"\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"value_template\":\"{{value}}/s\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(251,158,0,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"144124d0-1b1b-11e7-b09e-037021c4f8df\",\"label\":\"writes\",\"line_width\":1,\"metrics\":[{\"field\":\"system.diskio.write.bytes\",\"id\":\"144124d1-1b1b-11e7-b09e-037021c4f8df\",\"type\":\"max\"},{\"field\":\"144124d1-1b1b-11e7-b09e-037021c4f8df\",\"id\":\"144124d2-1b1b-11e7-b09e-037021c4f8df\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"id\":\"144124d4-1b1b-11e7-b09e-037021c4f8df\",\"script\":\"params.rate \\u003e 0 ? 
params.rate * -1 : 0\",\"type\":\"calculation\",\"variables\":[{\"field\":\"144124d2-1b1b-11e7-b09e-037021c4f8df\",\"id\":\"144124d3-1b1b-11e7-b09e-037021c4f8df\",\"name\":\"rate\"}]}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"value_template\":\"{{value}}/s\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"Disk IO (Bytes) [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-4e4bb1e0-1b1b-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-51164310-fa2b-11e6-bbd3-29c986c96e5a.json b/packages/system/0.12.1/kibana/visualization/system-51164310-fa2b-11e6-bbd3-29c986c96e5a.json deleted file mode 100755 index efa1f752dd..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-51164310-fa2b-11e6-bbd3-29c986c96e5a.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.sudo.error:*\"}}" - }, - "title": "Sudo errors [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"system.auth.sudo.error\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"Sudo errors\",\"type\":\"histogram\"}" - }, - "id": "system-51164310-fa2b-11e6-bbd3-29c986c96e5a", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b.json b/packages/system/0.12.1/kibana/visualization/system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b.json deleted file mode 100755 index bd07f29ec0..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Inbound Traffic [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"0e346760-1b92-11e7-bec4-a5e9ec5cab8b\"}],\"filter\":{\"language\":\"lucene\",\"query\":\"-system.network.name:l*\"},\"id\":\"0c761590-1b92-11e7-bec4-a5e9ec5cab8b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"0c761591-1b92-11e7-bec4-a5e9ec5cab8b\",\"label\":\"Inbound Traffic\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.in.bytes\",\"id\":\"0c761592-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"max\"},{\"field\":\"0c761592-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"1d659060-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"field\":\"1d659060-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"f2074f70-1b92-11e7-a416-41f5ccdba2e6\",\"type\":\"positive_only\",\"unit\":\"\"},{\"function\":\"sum\",\"id\":\"c40e18f0-2c55-11e7-a0ad-277ce466684d\",\"type\":\"series_agg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"37f70440-1b92-11e7-bec4-a5e9ec5cab8b\",\"label\":\"Total 
Transferred\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.in.bytes\",\"id\":\"37f72b50-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"max\"},{\"field\":\"37f72b50-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"37f72b51-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"derivative\",\"unit\":\"\"},{\"field\":\"37f72b51-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"f9da2dd0-1b92-11e7-a416-41f5ccdba2e6\",\"type\":\"positive_only\",\"unit\":\"\"},{\"field\":\"f9da2dd0-1b92-11e7-a416-41f5ccdba2e6\",\"function\":\"overall_sum\",\"id\":\"3e63c2f0-1b92-11e7-bec4-a5e9ec5cab8b\",\"sigma\":\"\",\"type\":\"series_agg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"metric\"},\"title\":\"Inbound Traffic [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-546febc0-f49b-11e9-8405-516218e3d268.json b/packages/system/0.12.1/kibana/visualization/system-546febc0-f49b-11e9-8405-516218e3d268.json deleted file mode 100755 index 65591c57a4..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-546febc0-f49b-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Groups Enumeration - TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(128,128,128,1)\",\"color\":\"rgba(179,179,179,1)\",\"id\":\"bfcaced0-f419-11e9-928e-8f5fd2b6c66e\",\"operator\":\"gt\",\"value\":0},{\"background_color\":\"rgba(179,179,179,1)\",\"id\":\"8d3f3ed0-9b51-11ea-99a1-e5b989979a59\",\"operator\":\"lte\",\"value\":0}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code:4799\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Group Membership Enumeration\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Groups Enumeration - TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-546febc0-f49b-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.1/kibana/visualization/system-568a8130-bcde-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.12.1/kibana/visualization/system-568a8130-bcde-11e9-b6a2-c9b4015c4baf.json deleted file mode 100755 index d8ddc0b1ed..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-568a8130-bcde-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4723\",\"4724\"],\"type\":\"phrases\",\"value\":\"4723, 4724\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4723\"}},{\"match_phrase\":{\"event.code\":\"4724\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Password Reset / Changes [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Password Changes\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Password Reset / Changes [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-568a8130-bcde-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-58fb9480-9b46-11ea-87e4-49f31ec44891.json b/packages/system/0.12.1/kibana/visualization/system-58fb9480-9b46-11ea-87e4-49f31ec44891.json deleted file mode 100755 index 453faebe12..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-58fb9480-9b46-11ea-87e4-49f31ec44891.json +++ /dev/null @@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Group Management Events - Target Groups - Tag Cloud [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"maxFontSize\":58,\"minFontSize\":18,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Group Management Events - Target Groups - Tag Cloud [Windows System Security]\",\"type\":\"tagcloud\"}" - }, - "id": "windows-58fb9480-9b46-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.1/kibana/visualization/system-590a60f0-5d87-11e7-8884-1bb4c3b890e4.json b/packages/system/0.12.1/kibana/visualization/system-590a60f0-5d87-11e7-8884-1bb4c3b890e4.json deleted file mode 100755 index e5419418c6..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-590a60f0-5d87-11e7-8884-1bb4c3b890e4.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Number of processes [Metrics System]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Processes\",\"field\":\"process.pid\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.process\\\"\"},\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"type\":\"gauge\"},\"title\":\"Number of processes\",\"type\":\"metric\"}" - }, - "id": "system-590a60f0-5d87-11e7-8884-1bb4c3b890e4", - "references": [ - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-5bb93ed0-a249-11e9-a422-d144027429da.json b/packages/system/0.12.1/kibana/visualization/system-5bb93ed0-a249-11e9-a422-d144027429da.json deleted file mode 100755 index 75aeb12e0d..0000000000 
--- a/packages/system/0.12.1/kibana/visualization/system-5bb93ed0-a249-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4672\"},\"type\":\"phrase\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4672\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Admin Logons Simple [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Admin Logons\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"aggType\":\"cardinality\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Admin Logons Simple [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-5bb93ed0-a249-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.1/kibana/visualization/system-5c7af030-fa2a-11e6-bbd3-29c986c96e5a.json b/packages/system/0.12.1/kibana/visualization/system-5c7af030-fa2a-11e6-bbd3-29c986c96e5a.json deleted file mode 100755 index 112d3d6530..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-5c7af030-fa2a-11e6-bbd3-29c986c96e5a.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Sudo commands by user [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"Sudo commands by user\",\"type\":\"histogram\"}" - }, - "id": "system-5c7af030-fa2a-11e6-bbd3-29c986c96e5a", - "references": [ - { - "id": "system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-5c9ee410-9b74-11ea-87e4-49f31ec44891.json b/packages/system/0.12.1/kibana/visualization/system-5c9ee410-9b74-11ea-87e4-49f31ec44891.json deleted file mode 100755 index 6807ba0f16..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-5c9ee410-9b74-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "User Event Actions - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"event.action\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":25},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"event.code\",\"field\":\"event.code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"User Event Actions - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-5c9ee410-9b74-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.1/kibana/visualization/system-5d117970-9ffd-11ea-87e4-49f31ec44891.json b/packages/system/0.12.1/kibana/visualization/system-5d117970-9ffd-11ea-87e4-49f31ec44891.json deleted file mode 100755 index 45c348d026..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-5d117970-9ffd-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4740\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"4740\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Blocked Accounts [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Blocked Accounts\",\"field\":\"user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Blocked Accounts [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-5d117970-9ffd-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.1/kibana/visualization/system-5d92b100-bce8-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.12.1/kibana/visualization/system-5d92b100-bce8-11e9-b6a2-c9b4015c4baf.json deleted file mode 100755 index b34bc8bc80..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-5d92b100-bce8-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4738\"],\"type\":\"phrases\",\"value\":\"4738\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4738\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Changes - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Changes in Users\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Changes - Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-5d92b100-bce8-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": 
"visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-5dd15c00-fa78-11e6-ae9b-81e5311e8cab.json b/packages/system/0.12.1/kibana/visualization/system-5dd15c00-fa78-11e6-ae9b-81e5311e8cab.json deleted file mode 100755 index bc04c92dd4..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-5dd15c00-fa78-11e6-ae9b-81e5311e8cab.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New users over time [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"bottom\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"New users over time\",\"type\":\"histogram\"}" - }, - "id": "system-5dd15c00-fa78-11e6-ae9b-81e5311e8cab", - "references": [ - { - "id": "system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-5e19ff80-231c-11ea-8405-516218e3d268.json b/packages/system/0.12.1/kibana/visualization/system-5e19ff80-231c-11ea-8405-516218e3d268.json deleted file mode 100755 index acd93693a8..0000000000 
--- a/packages/system/0.12.1/kibana/visualization/system-5e19ff80-231c-11ea-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4781\"],\"type\":\"phrases\",\"value\":\"4781\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4781\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Renamed - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Renamed Users\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Renamed - Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-5e19ff80-231c-11ea-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": 
"visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.12.1/kibana/visualization/system-5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf.json deleted file mode 100755 index 4e4497d0a4..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4720\"},\"type\":\"phrase\",\"value\":\"4720\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4720\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Created - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Created User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Created - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-5eeaafd0-fee7-11e9-8405-516218e3d268.json b/packages/system/0.12.1/kibana/visualization/system-5eeaafd0-fee7-11e9-8405-516218e3d268.json deleted file mode 100755 index 13589095b5..0000000000 
--- a/packages/system/0.12.1/kibana/visualization/system-5eeaafd0-fee7-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4734\",\"4730\",\"4758\",\"4748\",\"4763\",\"4753\",\"4792\",\"4789\"],\"type\":\"phrases\",\"value\":\"4734, 4730, 4758, 4748, 4763, 4753, 4792, 4789\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4734\"}},{\"match_phrase\":{\"event.code\":\"4730\"}},{\"match_phrase\":{\"event.code\":\"4758\"}},{\"match_phrase\":{\"event.code\":\"4748\"}},{\"match_phrase\":{\"event.code\":\"4763\"}},{\"match_phrase\":{\"event.code\":\"4753\"}},{\"match_phrase\":{\"event.code\":\"4792\"}},{\"match_phrase\":{\"event.code\":\"4789\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"lucene\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Groups Deleted- Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Groups 
Deleted\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Greens\",\"colorsRange\":[{\"from\":0,\"to\":1,\"type\":\"range\"},{\"from\":1,\"to\":5},{\"from\":5,\"to\":10},{\"from\":10,\"to\":15},{\"from\":15,\"to\":20},{\"from\":20,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"Labels\",\"percentageMode\":false,\"style\":{\"bgColor\":true,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Groups Deleted- Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-5eeaafd0-fee7-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-60301890-ff1d-11e9-8405-516218e3d268.json b/packages/system/0.12.1/kibana/visualization/system-60301890-ff1d-11e9-8405-516218e3d268.json deleted file mode 100755 index 520406bfb6..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-60301890-ff1d-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Password Changes - TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(154,196,198,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4723\\\" OR event.code: \\\"4724\\\"\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Password Changes/Reset\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Password Changes - TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-60301890-ff1d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.1/kibana/visualization/system-6b7b9a40-faa1-11e6-86b1-cd7735ff7e23.json b/packages/system/0.12.1/kibana/visualization/system-6b7b9a40-faa1-11e6-86b1-cd7735ff7e23.json deleted file mode 100755 index 22a26c29d4..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-6b7b9a40-faa1-11e6-86b1-cd7735ff7e23.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Network Traffic (Packets) [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"lucene\",\"query\":\"-system.network.name:l*\"},\"id\":\"da1046f0-faa0-11e6-86b1-cd7735ff7e23\",\"index_pattern\":\"*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":\"1\",\"formatter\":\"0.[00]a\",\"id\":\"da1046f1-faa0-11e6-86b1-cd7735ff7e23\",\"label\":\"Inbound\",\"line_width\":\"0\",\"metrics\":[{\"field\":\"system.network.in.packets\",\"id\":\"da1046f2-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"max\"},{\"field\":\"da1046f2-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"f41f9280-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"field\":\"f41f9280-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"c0da3d80-1b93-11e7-8ada-3df93aab833e\",\"type\":\"positive_only\",\"unit\":\"\"},{\"function\":\"sum\",\"id\":\"ecaad010-2c2c-11e7-be71-3162da85303f\",\"type\":\"series_agg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(250,40,255,1)\",\"fill\":\"1\",\"formatter\":\"0.[00]a\",\"id\":\"fbbd5720-faa0-11e6-86b1-cd7735ff7e23\",\"label\":\"Outbound\",\"line_width\":\"0\",\"metrics\":[{\"field\":\"system.network.out.packets\",\"id\":\"fbbd7e30-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"max\"},{\"field\":\"fbbd7e30-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"fbbd7e31-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"id\":\"17e597a0-faa1-11e6-86b
1-cd7735ff7e23\",\"script\":\"params.rate != null \\u0026\\u0026 params.rate \\u003e 0 ? params.rate * -1 : null\",\"type\":\"calculation\",\"variables\":[{\"field\":\"fbbd7e31-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"1940bad0-faa1-11e6-86b1-cd7735ff7e23\",\"name\":\"rate\"}]},{\"function\":\"sum\",\"id\":\"fe5fbdc0-2c2c-11e7-be71-3162da85303f\",\"type\":\"series_agg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"Mericbeat: Network Traffic (Packets)\",\"type\":\"metrics\"}" - }, - "id": "system-6b7b9a40-faa1-11e6-86b1-cd7735ff7e23", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-6f0f2ea0-f414-11e9-8405-516218e3d268.json b/packages/system/0.12.1/kibana/visualization/system-6f0f2ea0-f414-11e9-8405-516218e3d268.json deleted file mode 100755 index ea065ce6e3..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-6f0f2ea0-f414-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Group Management Events - Description [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":10,\"markdown\":\"# **Group Management Events**\\n\\n#### This dashboard shows information about Group Management Events collected by winlogbeat\\n\",\"openLinksInNewTab\":false},\"title\":\"Group Management Events - Description [Windows System Security]\",\"type\":\"markdown\"}" - }, - "id": "windows-6f0f2ea0-f414-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-729443b0-a7d6-11e9-a422-d144027429da.json b/packages/system/0.12.1/kibana/visualization/system-729443b0-a7d6-11e9-a422-d144027429da.json deleted file mode 100755 index da850bf332..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-729443b0-a7d6-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4625\",\"4771\"],\"type\":\"phrases\",\"value\":\"4625, 4771\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4625\"}},{\"match_phrase\":{\"event.code\":\"4771\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Logon Failed Acconts [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"type\":\"vis_dimension\"},\"maxFontSize\":37,\"metric\":{\"accessor\":1,\"format\":{\"id\":\"string\",\"params\":{}},\"type\":\"vis_dimension\"},\"minFontSize\":15,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Logon Failed Acconts [Windows System Security]\",\"type\":\"tagcloud\"}" - }, - "id": "windows-729443b0-a7d6-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], 
- "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-7322f9f0-ff1c-11e9-8405-516218e3d268.json b/packages/system/0.12.1/kibana/visualization/system-7322f9f0-ff1c-11e9-8405-516218e3d268.json deleted file mode 100755 index 2e5508620f..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-7322f9f0-ff1c-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Deleted - TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(228,155,75,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4726\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Deleted\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Deleted - TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-7322f9f0-ff1c-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.1/kibana/visualization/system-78b74f30-f9cd-11e6-8115-a7c18106d86a.json b/packages/system/0.12.1/kibana/visualization/system-78b74f30-f9cd-11e6-8115-a7c18106d86a.json deleted file mode 100755 index c119c156ea..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-78b74f30-f9cd-11e6-8115-a7c18106d86a.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - }, - "title": "SSH login attempts [Logs System]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Accepted\":\"#3F6833\",\"Failed\":\"#F9934E\",\"Invalid\":\"#447EBC\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"system.auth.ssh.event\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"SSH login attempts\",\"type\":\"histogram\"}" - }, - "id": "system-78b74f30-f9cd-11e6-8115-a7c18106d86a", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.1/kibana/visualization/system-7a329a00-a7d5-11e9-a422-d144027429da.json b/packages/system/0.12.1/kibana/visualization/system-7a329a00-a7d5-11e9-a422-d144027429da.json deleted file mode 100755 index 9f8332e30b..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-7a329a00-a7d5-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4740\"},\"type\":\"phrase\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4740\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security \"}}" - }, - "title": "Blocked Accounts Tag [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"type\":\"vis_dimension\"},\"maxFontSize\":53,\"metric\":{\"accessor\":1,\"format\":{\"id\":\"string\",\"params\":{}},\"type\":\"vis_dimension\"},\"minFontSize\":18,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Blocked Accounts Tag [Windows System Security]\",\"type\":\"tagcloud\"}" - }, - "id": "windows-7a329a00-a7d5-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-7cdb1330-4d1a-11e7-a196-69b9a7a020a9.json b/packages/system/0.12.1/kibana/visualization/system-7cdb1330-4d1a-11e7-a196-69b9a7a020a9.json deleted file mode 100755 index e89f3a3690..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-7cdb1330-4d1a-11e7-a196-69b9a7a020a9.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Hosts histogram by CPU usage [Metrics System]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0% - 5%\":\"rgb(247,252,245)\",\"10% - 15%\":\"rgb(116,196,118)\",\"15% - 20%\":\"rgb(35,139,69)\",\"5% - 10%\":\"rgb(199,233,192)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"CPU usage\",\"field\":\"system.cpu.user.pct\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Hosts\",\"field\":\"host.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Greens\",\"colorsNumber\":4,\"colorsRange\":[],\"enableHover\":false,\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.cpu\\\" \"},\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"type\":\"heatmap\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"#555\",\"rotate\":0,\"show\":false},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Hosts histogram by CPU usage [Metrics System]\",\"type\":\"heatmap\"}" - }, - "id": "system-7cdb1330-4d1a-11e7-a196-69b9a7a020a9", - "references": [ - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.1/kibana/visualization/system-7de2e3f0-9b4d-11ea-87e4-49f31ec44891.json b/packages/system/0.12.1/kibana/visualization/system-7de2e3f0-9b4d-11ea-87e4-49f31ec44891.json deleted file mode 100755 index de0df1178e..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-7de2e3f0-9b4d-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Group Management Action Distribution over Time [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-30d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":25},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false,\"valueAxis\":\"\"},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"tru
ncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Group Management Action Distribution over Time [Windows System Security]\",\"type\":\"histogram\"}" - }, - "id": "windows-7de2e3f0-9b4d-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-804dd400-a248-11e9-a422-d144027429da.json b/packages/system/0.12.1/kibana/visualization/system-804dd400-a248-11e9-a422-d144027429da.json deleted file mode 100755 index deaa80ec24..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-804dd400-a248-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4672\"],\"type\":\"phrases\",\"value\":\"4672\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4672\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Logged on Administrators [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Date\",\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"2020-05-20T07:35:27.496Z\",\"to\":\"2020-05-22T00:01:10.239Z\"},\"useNormalizedEsInterval\":true},\"schema\":\"bucket\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"user.name\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"8\",\"params\":{\"customLabel\":\"# 
Thread\",\"field\":\"winlog.process.thread.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"9\",\"params\":{\"customLabel\":\"LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"date_histogram\",\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD HH:mm\"}},\"label\":\"Fecha - Hora \",\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"label\":\"Usuario\",\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"label\":\"# Thread\",\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"label\":\"winlog.logon.id: Descending\",\"params\":{}}],\"metrics\":[{\"accessor\":4,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Cantidad Eventos 
\",\"params\":{}}]},\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Logged on Administrators [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-804dd400-a248-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32.json b/packages/system/0.12.1/kibana/visualization/system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32.json deleted file mode 100755 index 172b24f43c..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Disk Used [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.fsstat\\\"\"},\"gauge_color_rules\":[{\"gauge\":\"rgba(104,188,0,1)\",\"id\":\"51921d10-4d1d-11e7-b5f2-2b7c1895bf32\",\"operator\":\"gte\",\"value\":0},{\"gauge\":\"rgba(251,158,0,1)\",\"id\":\"f26de750-4d54-11e7-b5f2-2b7c1895bf32\",\"operator\":\"gte\",\"value\":0.7},{\"gauge\":\"rgba(211,49,21,1)\",\"id\":\"fa31d190-4d54-11e7-b5f2-2b7c1895bf32\",\"operator\":\"gte\",\"value\":0.85}],\"gauge_inner_width\":10,\"gauge_max\":\"1\",\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"4e4dc780-4d1d-11e7-b5f2-2b7c1895bf32\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"4e4dee90-4d1d-11e7-b5f2-2b7c1895bf32\",\"label\":\"Disk used\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"system.fsstat.total_size.used\",\"id\":\"4e4dee91-4d1d-11e7-b5f2-2b7c1895bf32\",\"order\":\"desc\",\"order_by\":\"@timestamp\",\"size\":1,\"type\":\"top_hit\"},{\"agg_with\":\"avg\",\"field\":\"system.fsstat.total_size.total\",\"id\":\"57c96ee0-4d54-11e7-b5f2-2b7c1895bf32\",\"order\":\"desc\",\"order_by\":\"@timestamp\",\"size\":1,\"type\":\"top_hit\"},{\"id\":\"6304cca0-4d54-11e7-b5f2-2b7c1895bf32\",\"script\":\"params.used/params.total 
\",\"type\":\"math\",\"variables\":[{\"field\":\"4e4dee91-4d1d-11e7-b5f2-2b7c1895bf32\",\"id\":\"6da10430-4d54-11e7-b5f2-2b7c1895bf32\",\"name\":\"used\"},{\"field\":\"57c96ee0-4d54-11e7-b5f2-2b7c1895bf32\",\"id\":\"73b8c510-4d54-11e7-b5f2-2b7c1895bf32\",\"name\":\"total\"}]}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"gauge\"},\"title\":\"Disk used [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b.json b/packages/system/0.12.1/kibana/visualization/system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b.json deleted file mode 100755 index dc7c7ab1d6..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "CPU Usage Gauge [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.cpu\\\"\"},\"gauge_color_rules\":[{\"gauge\":\"rgba(104,188,0,1)\",\"id\":\"4ef2c3b0-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0},{\"gauge\":\"rgba(254,146,0,1)\",\"id\":\"e6561ae0-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0.7},{\"gauge\":\"rgba(211,49,21,1)\",\"id\":\"ec655040-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0.85}],\"gauge_inner_width\":10,\"gauge_max\":\"1\",\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"4c9e2550-1b91-11e7-bec4-a5e9ec5cab8b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"4c9e2551-1b91-11e7-bec4-a5e9ec5cab8b\",\"label\":\"CPU Usage\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.user.pct\",\"id\":\"4c9e2552-1b91-11e7-bec4-a5e9ec5cab8b\",\"type\":\"avg\"},{\"field\":\"system.cpu.system.pct\",\"id\":\"225c2140-5fd7-11e7-a63a-a937b7c1a7e1\",\"type\":\"avg\"},{\"field\":\"system.cpu.cores\",\"id\":\"837a30c0-5fd7-11e7-a63a-a937b7c1a7e1\",\"type\":\"avg\"},{\"id\":\"587aa510-1b91-11e7-bec4-a5e9ec5cab8b\",\"script\":\"params.n \\u003e 0 ? 
(params.user+params.system)/params.n : null\",\"type\":\"calculation\",\"variables\":[{\"field\":\"4c9e2552-1b91-11e7-bec4-a5e9ec5cab8b\",\"id\":\"5a19af10-1b91-11e7-bec4-a5e9ec5cab8b\",\"name\":\"user\"},{\"field\":\"225c2140-5fd7-11e7-a63a-a937b7c1a7e1\",\"id\":\"32b54f80-5fd7-11e7-a63a-a937b7c1a7e1\",\"name\":\"system\"},{\"field\":\"837a30c0-5fd7-11e7-a63a-a937b7c1a7e1\",\"id\":\"8ba6eef0-5fd7-11e7-a63a-a937b7c1a7e1\",\"name\":\"n\"}]}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\"},\"title\":\"CPU Usage Gauge [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-84502430-bce8-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.12.1/kibana/visualization/system-84502430-bce8-11e9-b6a2-c9b4015c4baf.json deleted file mode 100755 index 7a45abc403..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-84502430-bce8-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4740\"],\"type\":\"phrases\",\"value\":\"4740\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4740\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Unlocks - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Users Locked Out\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Unlocks - Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-84502430-bce8-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": 
"visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-855899e0-1b1c-11e7-b09e-037021c4f8df.json b/packages/system/0.12.1/kibana/visualization/system-855899e0-1b1c-11e7-b09e-037021c4f8df.json deleted file mode 100755 index ae48f968a3..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-855899e0-1b1c-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Top Hosts By CPU (Realtime) [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"bar_color\":\"rgba(104,188,0,1)\",\"id\":\"33349dd0-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0},{\"bar_color\":\"rgba(254,146,0,1)\",\"id\":\"997dc440-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.6},{\"bar_color\":\"rgba(211,49,21,1)\",\"id\":\"a10d7f20-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.85}],\"drilldown_url\":\"../app/kibana#/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8?_a=(query:(language:kuery,query:'host.name:\\\"{{key}}\\\"'))\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.cpu\\\"\"},\"id\":\"31e5afa0-1b1c-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"31e5afa1-1b1c-11e7-b09e-037021c4f8df\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.user.pct\",\"id\":\"31e5afa2-1b1c-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"host.name\",\"terms_order_by\":\"31e5afa2-1b1c-11e7-b09e-037021c4f8df\",\"terms_size\":\"10\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Top Hosts By CPU (Realtime) [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-855899e0-1b1c-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.1/kibana/visualization/system-855957d0-bcdd-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.12.1/kibana/visualization/system-855957d0-bcdd-11e9-b6a2-c9b4015c4baf.json deleted file mode 100755 index 09e960ac14..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-855957d0-bcdd-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4722\"},\"type\":\"phrase\",\"value\":\"4722\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4722\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Enabled - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Users Enabled\",\"field\":\"user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Enabled - Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-855957d0-bcdd-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - 
"type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-860706a0-9bfd-11ea-87e4-49f31ec44891.json b/packages/system/0.12.1/kibana/visualization/system-860706a0-9bfd-11ea-87e4-49f31ec44891.json deleted file mode 100755 index 0849027a3c..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-860706a0-9bfd-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "User Logons [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"d5bcde50-9bfc-11ea-aaa3-618beeff2d9c\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(7,139,141,1)\",\"id\":\"16018150-9bfd-11ea-aaa3-618beeff2d9c\",\"operator\":\"gte\",\"value\":0}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"filter\":{\"language\":\"kuery\",\"query\":\"((data_stream.dataset:windows.security OR data_stream.dataset:system.security) AND event.code: \\\"4624\\\")\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Logons \",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"User Logons [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-860706a0-9bfd-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.1/kibana/visualization/system-8ef59f90-6ab8-11ea-896f-0d70f7ec3956.json b/packages/system/0.12.1/kibana/visualization/system-8ef59f90-6ab8-11ea-896f-0d70f7ec3956.json deleted file mode 100755 index ef50f8a93f..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-8ef59f90-6ab8-11ea-896f-0d70f7ec3956.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Failed Logons TSVB [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(181,99,93,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"((data_stream.dataset:windows.security OR data_stream.dataset:system.security) AND event.code: \\\"4625\\\")\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Failed Logon\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Failed Logons TSVB [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-8ef59f90-6ab8-11ea-896f-0d70f7ec3956", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.1/kibana/visualization/system-8f20c950-bcd4-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.12.1/kibana/visualization/system-8f20c950-bcd4-11e9-b6a2-c9b4015c4baf.json deleted file mode 100755 index 2afa9ee825..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-8f20c950-bcd4-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4725\"},\"type\":\"phrase\",\"value\":\"4725\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4725\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Disabled - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Disabled User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Disabled - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-8f20c950-bcd4-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-96976150-4d5d-11e7-aa29-87a97a796de6.json b/packages/system/0.12.1/kibana/visualization/system-96976150-4d5d-11e7-aa29-87a97a796de6.json deleted file mode 100755 index 172bcb8f2c..0000000000 
--- a/packages/system/0.12.1/kibana/visualization/system-96976150-4d5d-11e7-aa29-87a97a796de6.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Packetloss [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"6ba9b1f0-4d5d-11e7-aa29-87a97a796de6\"}],\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.network\\\"\"},\"id\":\"6984af10-4d5d-11e7-aa29-87a97a796de6\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"6984af11-4d5d-11e7-aa29-87a97a796de6\",\"label\":\"In Packetloss\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.in.dropped\",\"id\":\"6984af12-4d5d-11e7-aa29-87a97a796de6\",\"type\":\"max\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"ac2e6b30-4d5d-11e7-aa29-87a97a796de6\",\"label\":\"Out Packetloss\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.out.dropped\",\"id\":\"ac2e6b31-4d5d-11e7-aa29-87a97a796de6\",\"type\":\"max\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"metric\"},\"title\":\"Packetloss [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-96976150-4d5d-11e7-aa29-87a97a796de6", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.1/kibana/visualization/system-97c70300-ff1c-11e9-8405-516218e3d268.json b/packages/system/0.12.1/kibana/visualization/system-97c70300-ff1c-11e9-8405-516218e3d268.json deleted file mode 100755 index ac78018683..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-97c70300-ff1c-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Disabled - TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(79,147,150,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"((data_stream.dataset:windows.security OR data_stream.dataset:system.security) AND event.code: \\\"4725\\\")\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Disabled\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Disabled - TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-97c70300-ff1c-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.1/kibana/visualization/system-98884120-f49d-11e9-8405-516218e3d268.json b/packages/system/0.12.1/kibana/visualization/system-98884120-f49d-11e9-8405-516218e3d268.json deleted file mode 100755 index a227b7f0c3..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-98884120-f49d-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4731\",\"4727\",\"4754\",\"4744\",\"4759\",\"4779\",\"4790\",\"4783\"],\"type\":\"phrases\",\"value\":\"4731, 4727, 4754, 4744, 4759, 4779, 4790, 4783\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4731\"}},{\"match_phrase\":{\"event.code\":\"4727\"}},{\"match_phrase\":{\"event.code\":\"4754\"}},{\"match_phrase\":{\"event.code\":\"4744\"}},{\"match_phrase\":{\"event.code\":\"4759\"}},{\"match_phrase\":{\"event.code\":\"4779\"}},{\"match_phrase\":{\"event.code\":\"4790\"}},{\"match_phrase\":{\"event.code\":\"4783\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Groups Created - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Group\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"group.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Performer 
LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":4,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":5,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Groups Created - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-98884120-f49d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.1/kibana/visualization/system-99381c80-4d60-11e7-9a4c-ed99bbcaa42b.json b/packages/system/0.12.1/kibana/visualization/system-99381c80-4d60-11e7-9a4c-ed99bbcaa42b.json deleted file mode 100755 index 66e166e22e..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-99381c80-4d60-11e7-9a4c-ed99bbcaa42b.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Interfaces by Incoming traffic [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"id\":\"44596d40-4d60-11e7-9a4c-ed99bbcaa42b\"}],\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.network\\\"\"},\"id\":\"42ceae90-4d60-11e7-9a4c-ed99bbcaa42b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"42ced5a0-4d60-11e7-9a4c-ed99bbcaa42b\",\"label\":\"Interfaces by Incoming traffic\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.in.bytes\",\"id\":\"42ced5a1-4d60-11e7-9a4c-ed99bbcaa42b\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"terms_order_by\":\"42ced5a1-4d60-11e7-9a4c-ed99bbcaa42b\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Interfaces by Incoming traffic [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-99381c80-4d60-11e7-9a4c-ed99bbcaa42b", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.1/kibana/visualization/system-9dd22440-ff1d-11e9-8405-516218e3d268.json b/packages/system/0.12.1/kibana/visualization/system-9dd22440-ff1d-11e9-8405-516218e3d268.json deleted file mode 100755 index aa6560812c..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-9dd22440-ff1d-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users locked Out - TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(102,102,102,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"((data_stream.dataset:windows.security OR data_stream.dataset:system.security) AND event.code: \\\"4740\\\")\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Locked Out\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users locked Out - TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-9dd22440-ff1d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.1/kibana/visualization/system-9e534190-f49d-11e9-8405-516218e3d268.json b/packages/system/0.12.1/kibana/visualization/system-9e534190-f49d-11e9-8405-516218e3d268.json deleted file mode 100755 index d81092dc2b..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-9e534190-f49d-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4735\",\"4737\",\"4755\",\"4750\",\"4760\",\"4745\",\"4791\",\"4784\",\"4764\"],\"type\":\"phrases\",\"value\":\"4735, 4737, 4755, 4750, 4760, 4745, 4791, 4784, 4764\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4735\"}},{\"match_phrase\":{\"event.code\":\"4737\"}},{\"match_phrase\":{\"event.code\":\"4755\"}},{\"match_phrase\":{\"event.code\":\"4750\"}},{\"match_phrase\":{\"event.code\":\"4760\"}},{\"match_phrase\":{\"event.code\":\"4745\"}},{\"match_phrase\":{\"event.code\":\"4791\"}},{\"match_phrase\":{\"event.code\":\"4784\"}},{\"match_phrase\":{\"event.code\":\"4764\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Group Changes - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Group\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"group.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Performer 
LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":4,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":5,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Group Changes - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-9e534190-f49d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.1/kibana/visualization/system-Event-Levels.json b/packages/system/0.12.1/kibana/visualization/system-Event-Levels.json deleted file mode 100755 index 80ebd07044..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-Event-Levels.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system OR data_stream.dataset:system.application OR data_stream.dataset:system.security OR data_stream.dataset:system.system)\"}}" - }, - "title": "Event Levels [Windows Overview]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Log Levels\",\"field\":\"log.level\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Event Levels [Windows Overview]\",\"type\":\"table\"}" - }, - "id": "windows-Event-Levels", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-Navigation.json b/packages/system/0.12.1/kibana/visualization/system-Navigation.json deleted file mode 100755 index d996678974..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-Navigation.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "System Navigation [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"[System Overview](#/dashboard/system-Metrics-system-overview) | [Host Overview](#/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8)\"},\"title\":\"System Navigation [Metrics System]\",\"type\":\"markdown\"}" - }, - "id": "system-Navigation", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-Number-of-Events-Over-Time-By-Event-Log.json b/packages/system/0.12.1/kibana/visualization/system-Number-of-Events-Over-Time-By-Event-Log.json deleted file mode 100755 index cb42f617bc..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-Number-of-Events-Over-Time-By-Event-Log.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system OR data_stream.dataset:system.application OR data_stream.dataset:system.security OR data_stream.dataset:system.system)\"}}" - }, - "title": "Number of Events Over Time By Channel [Windows Overview]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"timeRange\":{\"from\":\"now-15d\",\"mode\":\"relative\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Channel\",\"field\":\"winlog.channel\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":6},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"dimensions\":{\"series\":[{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketL
abel\":\"Other\"}},\"params\":{}}],\"x\":{\"accessor\":0,\"aggType\":\"date_histogram\",\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD HH:mm\"}},\"params\":{\"bounds\":{\"max\":\"2019-02-05T04:30:25.961Z\",\"min\":\"2019-01-21T04:30:25.961Z\"},\"date\":true,\"format\":\"YYYY-MM-DD HH:mm\",\"interval\":43200000}},\"y\":[{\"accessor\":2,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"Number of Events Over Time By Channel [Windows Overview]\",\"type\":\"histogram\"}" - }, - "id": "windows-Number-of-Events-Over-Time-By-Event-Log", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-Number-of-Events.json b/packages/system/0.12.1/kibana/visualization/system-Number-of-Events.json deleted file mode 100755 index 34ecef7340..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-Number-of-Events.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system OR data_stream.dataset:system.application OR data_stream.dataset:system.security OR data_stream.dataset:system.system)\"}}" - }, - "title": "Number of Events [Windows Overview]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"fontSize\":60},\"type\":\"metric\"}" - }, - "id": "windows-Number-of-Events", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-Sources.json b/packages/system/0.12.1/kibana/visualization/system-Sources.json deleted file mode 100755 index b58d86fd65..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-Sources.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system OR data_stream.dataset:system.application OR data_stream.dataset:system.security OR data_stream.dataset:system.system)\"}}" - }, - "title": "Sources (Provider Names) [Windows Overview]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"winlog.provider_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":7},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"shareYAxis\":true,\"type\":\"pie\"},\"title\":\"Sources (Provider Names) [Windows Overview]\",\"type\":\"pie\"}" - }, - "id": "windows-Sources", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.1/kibana/visualization/system-Syslog-events-by-hostname.json b/packages/system/0.12.1/kibana/visualization/system-Syslog-events-by-hostname.json deleted file mode 100755 index 97fdb33425..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-Syslog-events-by-hostname.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Syslog events by hostname [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"host.hostname\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"Syslog events by hostname\",\"type\":\"histogram\"}" - }, - "id": "system-Syslog-events-by-hostname", - "references": [ - { - "id": "system-Syslog-system-logs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-Syslog-hostnames-and-processes.json b/packages/system/0.12.1/kibana/visualization/system-Syslog-hostnames-and-processes.json deleted file mode 100755 index 3fe992e28b..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-Syslog-hostnames-and-processes.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Syslog hostnames and processes [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"host.hostname\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"process.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"legendPosition\":\"bottom\",\"shareYAxis\":true},\"title\":\"Syslog hostnames and processes\",\"type\":\"pie\"}" - }, - "id": "system-Syslog-hostnames-and-processes", - "references": [ - { - "id": "system-Syslog-system-logs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-Top-Event-IDs.json b/packages/system/0.12.1/kibana/visualization/system-Top-Event-IDs.json deleted file mode 100755 index 0b4d5b0b54..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-Top-Event-IDs.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system OR data_stream.dataset:system.application OR data_stream.dataset:system.security OR data_stream.dataset:system.system)\"}}" - }, - "title": "Top Event IDs [Windows Overview]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event IDs\",\"field\":\"winlog.event_id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Event IDs [Windows Overview]\",\"type\":\"table\"}" - }, - "id": "windows-Top-Event-IDs", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-a13bf640-fee8-11e9-8405-516218e3d268.json b/packages/system/0.12.1/kibana/visualization/system-a13bf640-fee8-11e9-8405-516218e3d268.json deleted file mode 100755 index 8337095049..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-a13bf640-fee8-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4732\",\"4728\",\"4756\",\"4751\",\"4761\",\"4746\",\"4785\",\"4787\"],\"type\":\"phrases\",\"value\":\"4732, 4728, 4756, 4751, 4761, 4746, 4785, 4787\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4732\"}},{\"match_phrase\":{\"event.code\":\"4728\"}},{\"match_phrase\":{\"event.code\":\"4756\"}},{\"match_phrase\":{\"event.code\":\"4751\"}},{\"match_phrase\":{\"event.code\":\"4761\"}},{\"match_phrase\":{\"event.code\":\"4746\"}},{\"match_phrase\":{\"event.code\":\"4785\"}},{\"match_phrase\":{\"event.code\":\"4787\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Added - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Users Added to 
Groups\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Reds\",\"colorsRange\":[{\"from\":0,\"to\":1,\"type\":\"range\"},{\"from\":1,\"to\":5},{\"from\":5,\"to\":10},{\"from\":10,\"to\":15},{\"from\":15,\"to\":20},{\"from\":20,\"to\":9999}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"Labels\",\"percentageMode\":false,\"style\":{\"bgColor\":true,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Added - Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-a13bf640-fee8-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-a3c3f350-9b6d-11ea-87e4-49f31ec44891.json b/packages/system/0.12.1/kibana/visualization/system-a3c3f350-9b6d-11ea-87e4-49f31ec44891.json deleted file mode 100755 index 40e5998021..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-a3c3f350-9b6d-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Dashboard links [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"[Windows Overview](#/dashboard/Windows-Dashboard) | [User Logon Information](#/dashboard/windows-bae11b00-9bfc-11ea-87e4-49f31ec44891) | [Logon Failed and Account Lockout](#/dashboard/windows-d401ef40-a7d5-11e9-a422-d144027429da) | [User Management Events](#/dashboard/windows-71f720f0-ff18-11e9-8405-516218e3d268) | [Group Management Events](#/dashboard/windows-bb858830-f412-11e9-8405-516218e3d268)\",\"openLinksInNewTab\":false},\"title\":\"Dashboard links [Windows System Security]\",\"type\":\"markdown\"}" - }, - "id": "windows-a3c3f350-9b6d-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-a5f664c0-f49a-11e9-8405-516218e3d268.json b/packages/system/0.12.1/kibana/visualization/system-a5f664c0-f49a-11e9-8405-516218e3d268.json deleted file mode 100755 index 920ea3a521..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-a5f664c0-f49a-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Removed - TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"bfcaced0-f419-11e9-928e-8f5fd2b6c66e\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(228,155,75,1)\",\"id\":\"11604700-9b51-11ea-99a1-e5b989979a59\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code:4733 OR event.code:4729 OR event.code:4788 OR event.code:4786 OR event.code:4752 OR event.code:4762 OR event.code:4747\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Removed from Group\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Removed - TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-a5f664c0-f49a-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.1/kibana/visualization/system-a79395f0-6aba-11ea-896f-0d70f7ec3956.json b/packages/system/0.12.1/kibana/visualization/system-a79395f0-6aba-11ea-896f-0d70f7ec3956.json
deleted file mode 100755
index 5353bdc134..0000000000
--- a/packages/system/0.12.1/kibana/visualization/system-a79395f0-6aba-11ea-896f-0d70f7ec3956.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Blocked Accounts TSVB [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"color\":\"rgba(51,51,51,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(102,102,102,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4740\\\"\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Blocked Accounts\",\"line_width\":1,\"metrics\":[{\"field\":\"user.name\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"cardinality\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Blocked Accounts TSVB [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-a79395f0-6aba-11ea-896f-0d70f7ec3956", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.1/kibana/visualization/system-a909b930-685f-11ea-896f-0d70f7ec3956.json b/packages/system/0.12.1/kibana/visualization/system-a909b930-685f-11ea-896f-0d70f7ec3956.json
deleted file mode 100755
index 4763c28e8b..0000000000
--- a/packages/system/0.12.1/kibana/visualization/system-a909b930-685f-11ea-896f-0d70f7ec3956.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Logon Events Timeline [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4672\\\" or event.code: \\\"4624\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(226,115,0,1)\",\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4672\\\"\"},\"id\":\"7560ee50-685f-11ea-8d46-c19e41702dd4\",\"label\":\"Admin logons\"},{\"color\":\"rgba(164,221,243,1)\",\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4624\\\"\"},\"id\":\"80e7fb10-685f-11ea-8d46-c19e41702dd4\",\"label\":\"Logon Events\"}],\"split_mode\":\"filters\",\"stacked\":\"none\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"Logon Events Timeline [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-a909b930-685f-11ea-896f-0d70f7ec3956", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.1/kibana/visualization/system-aa31c9d0-9b75-11ea-87e4-49f31ec44891.json b/packages/system/0.12.1/kibana/visualization/system-aa31c9d0-9b75-11ea-87e4-49f31ec44891.json
deleted file mode 100755
index 1dc4eee51a..0000000000
--- a/packages/system/0.12.1/kibana/visualization/system-aa31c9d0-9b75-11ea-87e4-49f31ec44891.json
+++ /dev/null
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "User Management Events - Affected Users vs Actions - Heatmap [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Target User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Blues\",\"colorsNumber\":4,\"colorsRange\":[],\"enableHover\":false,\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"type\":\"heatmap\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"black\",\"overwriteColor\":false,\"rotate\":0,\"show\":true},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"User Management Events - Affected Users vs Actions - Heatmap [Windows System Security]\",\"type\":\"heatmap\"}" - }, - "id": "windows-aa31c9d0-9b75-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - 
"name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-ab2d1e90-1b1a-11e7-b09e-037021c4f8df.json b/packages/system/0.12.1/kibana/visualization/system-ab2d1e90-1b1a-11e7-b09e-037021c4f8df.json deleted file mode 100755 index 2dd21f0794..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-ab2d1e90-1b1a-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "CPU Usage [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.cpu\\\"\"},\"id\":\"80a04950-1b19-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"80a04951-1b19-11e7-b09e-037021c4f8df\",\"label\":\"user\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.user.pct\",\"id\":\"80a04952-1b19-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(211,49,21,1)\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"993acf30-1b19-11e7-b09e-037021c4f8df\",\"label\":\"system\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.system.pct\",\"id\":\"993acf31-1b19-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(123,100,255,1)\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"65ca35e0-1b1a-11e7-b09e-037021c4f8df\",\"label\":\"nice\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.nice.pct\",\"id\":\"65ca5cf0-1b1a-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(226,
115,0,1)\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"741b5f20-1b1a-11e7-b09e-037021c4f8df\",\"label\":\"irq\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.irq.pct\",\"id\":\"741b5f21-1b1a-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(176,188,0,1)\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"2efc5d40-1b1a-11e7-b09e-037021c4f8df\",\"label\":\"softirq\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.softirq.pct\",\"id\":\"2efc5d41-1b1a-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(15,20,25,1)\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"ae644a30-1b19-11e7-b09e-037021c4f8df\",\"label\":\"iowait\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.iowait.pct\",\"id\":\"ae644a31-1b19-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"CPU Usage [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-ab2d1e90-1b1a-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-ab6f8d80-bce8-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.12.1/kibana/visualization/system-ab6f8d80-bce8-11e9-b6a2-c9b4015c4baf.json deleted file mode 100755 index b6cba2acef..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-ab6f8d80-bce8-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4767\"],\"type\":\"phrases\",\"value\":\"4767\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4767\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Unlocked Users - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Users Unlocks\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Unlocked Users - Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-ab6f8d80-bce8-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": 
"visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-abd44840-9c0f-11ea-87e4-49f31ec44891.json b/packages/system/0.12.1/kibana/visualization/system-abd44840-9c0f-11ea-87e4-49f31ec44891.json deleted file mode 100755 index 054ff48881..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-abd44840-9c0f-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4624\",\"4672\"],\"type\":\"phrases\",\"value\":\"4624, 4672\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4624\"}},{\"match_phrase\":{\"event.code\":\"4672\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Logon Events in Time - Simple [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Admin Logons\":\"#E24D42\",\"Logon Events\":\"#447EBC\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"2020-05-20T07:35:27.496Z\",\"to\":\"2020-05-22T00:01:10.239Z\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"filters\":[{\"input\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4624\\\" \"},\"label\":\"Logon Events\"},{\"input\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4672\\\" \"},\"label\":\"Admin 
Logons\"}]},\"schema\":\"group\",\"type\":\"filters\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Logon Events in Time - Simple [Windows System Security]\",\"type\":\"line\"}" - }, - "id": "windows-abd44840-9c0f-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-abf96c10-bcea-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.12.1/kibana/visualization/system-abf96c10-bcea-11e9-b6a2-c9b4015c4baf.json deleted file mode 100755 index a9023084a8..0000000000 
--- a/packages/system/0.12.1/kibana/visualization/system-abf96c10-bcea-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4738\"},\"type\":\"phrase\",\"value\":\"4738\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4738\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Changes Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Changed User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Changes Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-abf96c10-bcea-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-b5f38780-fee6-11e9-8405-516218e3d268.json b/packages/system/0.12.1/kibana/visualization/system-b5f38780-fee6-11e9-8405-516218e3d268.json deleted file mode 100755 index a5489335cf..0000000000 
--- a/packages/system/0.12.1/kibana/visualization/system-b5f38780-fee6-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4735\",\"4737\",\"4755\",\"4750\",\"4760\",\"4745\",\"4791\",\"4784\",\"4764\"],\"type\":\"phrases\",\"value\":\"4735, 4737, 4755, 4750, 4760, 4745, 4791, 4784, 4764\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4735\"}},{\"match_phrase\":{\"event.code\":\"4737\"}},{\"match_phrase\":{\"event.code\":\"4755\"}},{\"match_phrase\":{\"event.code\":\"4750\"}},{\"match_phrase\":{\"event.code\":\"4760\"}},{\"match_phrase\":{\"event.code\":\"4745\"}},{\"match_phrase\":{\"event.code\":\"4791\"}},{\"match_phrase\":{\"event.code\":\"4784\"}},{\"match_phrase\":{\"event.code\":\"4764\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Groups Changes - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Groups Changed\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Yellow to 
Red\",\"colorsRange\":[{\"from\":0,\"to\":1,\"type\":\"range\"},{\"from\":1,\"to\":5},{\"from\":5,\"to\":10},{\"from\":10,\"to\":15},{\"from\":15,\"to\":20},{\"from\":20,\"to\":100000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"Labels\",\"percentageMode\":false,\"style\":{\"bgColor\":true,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Groups Changes - Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-b5f38780-fee6-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-b89b0c90-9b41-11ea-87e4-49f31ec44891.json b/packages/system/0.12.1/kibana/visualization/system-b89b0c90-9b41-11ea-87e4-49f31ec44891.json deleted file mode 100755 index b3357604ea..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-b89b0c90-9b41-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Group Management Events - Event Actions [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Group Management Events - Event Actions [Windows System Security]\",\"type\":\"pie\"}" - }, - "id": "windows-b89b0c90-9b41-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-bb9cf7a0-f49d-11e9-8405-516218e3d268.json b/packages/system/0.12.1/kibana/visualization/system-bb9cf7a0-f49d-11e9-8405-516218e3d268.json deleted file mode 100755 index b3122f32a9..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-bb9cf7a0-f49d-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4734\",\"4730\",\"4758\",\"4748\",\"4763\",\"4753\",\"4792\",\"4789\"],\"type\":\"phrases\",\"value\":\"4734, 4730, 4758, 4748, 4763, 4753, 4792, 4789\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4734\"}},{\"match_phrase\":{\"event.code\":\"4730\"}},{\"match_phrase\":{\"event.code\":\"4758\"}},{\"match_phrase\":{\"event.code\":\"4748\"}},{\"match_phrase\":{\"event.code\":\"4763\"}},{\"match_phrase\":{\"event.code\":\"4753\"}},{\"match_phrase\":{\"event.code\":\"4792\"}},{\"match_phrase\":{\"event.code\":\"4789\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Groups Deleted - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Group\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"group.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Performer 
LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":4,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":5,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Groups Deleted - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-bb9cf7a0-f49d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.1/kibana/visualization/system-bc165210-f4b8-11e9-8405-516218e3d268.json b/packages/system/0.12.1/kibana/visualization/system-bc165210-f4b8-11e9-8405-516218e3d268.json deleted file mode 100755 index 04eba5572b..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-bc165210-f4b8-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4799\"],\"type\":\"phrases\",\"value\":\"4799\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4799\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Group Enumeration - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Group\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"group.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Creator\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Creator 
LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":4,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":5,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Group Enumeration - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-bc165210-f4b8-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.1/kibana/visualization/system-bf45dc50-ff1a-11e9-8405-516218e3d268.json b/packages/system/0.12.1/kibana/visualization/system-bf45dc50-ff1a-11e9-8405-516218e3d268.json deleted file mode 100755 index cfa442464c..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-bf45dc50-ff1a-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Enabled - TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(203,142,136,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4722\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Enabled\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Enabled - TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-bf45dc50-ff1a-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.1/kibana/visualization/system-bfa5e400-1b16-11e7-b09e-037021c4f8df.json b/packages/system/0.12.1/kibana/visualization/system-bfa5e400-1b16-11e7-b09e-037021c4f8df.json deleted file mode 100755 index 50aa47d6d7..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-bfa5e400-1b16-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Memory Usage [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.memory\\\"\"},\"id\":\"32f46f40-1b16-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(211,49,21,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"4ff61fd0-1b16-11e7-b09e-037021c4f8df\",\"label\":\"Used\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.actual.used.bytes\",\"id\":\"4ff61fd1-1b16-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"753a6080-1b16-11e7-b09e-037021c4f8df\",\"label\":\"Cache\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.actual.used.bytes\",\"id\":\"753a6081-1b16-11e7-b09e-037021c4f8df\",\"type\":\"avg\"},{\"field\":\"system.memory.used.bytes\",\"id\":\"7c9d3f00-1b16-11e7-b09e-037021c4f8df\",\"type\":\"avg\"},{\"id\":\"869cc160-1b16-11e7-b09e-037021c4f8df\",\"script\":\"params.actual != null \\u0026\\u0026 params.used != null ? 
params.used - params.actual : null\",\"type\":\"calculation\",\"variables\":[{\"field\":\"753a6081-1b16-11e7-b09e-037021c4f8df\",\"id\":\"890f9620-1b16-11e7-b09e-037021c4f8df\",\"name\":\"actual\"},{\"field\":\"7c9d3f00-1b16-11e7-b09e-037021c4f8df\",\"id\":\"8f3ab7f0-1b16-11e7-b09e-037021c4f8df\",\"name\":\"used\"}]}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"32f46f41-1b16-11e7-b09e-037021c4f8df\",\"label\":\"Free\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.free\",\"id\":\"32f46f42-1b16-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"Memory Usage [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-bfa5e400-1b16-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-c2ea73f0-a4bd-11e9-a422-d144027429da.json b/packages/system/0.12.1/kibana/visualization/system-c2ea73f0-a4bd-11e9-a422-d144027429da.json deleted file mode 100755 index a5502e1ded..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-c2ea73f0-a4bd-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Failed Logon and Account Lockout [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":10,\"markdown\":\"### **Failed Logons and Account Lockouts**\",\"openLinksInNewTab\":false},\"title\":\"Failed Logon and Account Lockout [Windows System Security]\",\"type\":\"markdown\"}" - }, - "id": "windows-c2ea73f0-a4bd-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-c359b020-bcdd-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.12.1/kibana/visualization/system-c359b020-bcdd-11e9-b6a2-c9b4015c4baf.json deleted file mode 100755 index e3028daa19..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-c359b020-bcdd-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4726\"},\"type\":\"phrase\",\"value\":\"4726\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4726\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Deleted - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Deleted Users\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Deleted - Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-c359b020-bcdd-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ 
No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-c5e3cf90-4d60-11e7-9a4c-ed99bbcaa42b.json b/packages/system/0.12.1/kibana/visualization/system-c5e3cf90-4d60-11e7-9a4c-ed99bbcaa42b.json deleted file mode 100755 index bbdd02df29..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-c5e3cf90-4d60-11e7-9a4c-ed99bbcaa42b.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Interfaces by Outgoing traffic [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"id\":\"9db20be0-4d60-11e7-9a4c-ed99bbcaa42b\"}],\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.network\\\"\"},\"id\":\"9cdba910-4d60-11e7-9a4c-ed99bbcaa42b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"9cdba911-4d60-11e7-9a4c-ed99bbcaa42b\",\"label\":\"Interfaces by Outgoing traffic\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.out.bytes\",\"id\":\"9cdba912-4d60-11e7-9a4c-ed99bbcaa42b\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"terms_order_by\":\"9cdba912-4d60-11e7-9a4c-ed99bbcaa42b\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Interfaces by Outgoing traffic [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-c5e3cf90-4d60-11e7-9a4c-ed99bbcaa42b", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.1/kibana/visualization/system-c6f2ffd0-4d17-11e7-a196-69b9a7a020a9.json b/packages/system/0.12.1/kibana/visualization/system-c6f2ffd0-4d17-11e7-a196-69b9a7a020a9.json deleted file mode 100755 index a781526538..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-c6f2ffd0-4d17-11e7-a196-69b9a7a020a9.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Number of hosts [Metrics System]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Number of hosts\",\"field\":\"host.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":false},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"63\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"type\":\"gauge\"},\"title\":\"Number of hosts [Metrics System]\",\"type\":\"metric\"}" - }, - "id": "system-c6f2ffd0-4d17-11e7-a196-69b9a7a020a9", - "references": [ - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.1/kibana/visualization/system-c9d959f0-ff1d-11e9-8405-516218e3d268.json b/packages/system/0.12.1/kibana/visualization/system-c9d959f0-ff1d-11e9-8405-516218e3d268.json
deleted file mode 100755
index 40d898c6e3..0000000000
--- a/packages/system/0.12.1/kibana/visualization/system-c9d959f0-ff1d-11e9-8405-516218e3d268.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Changes TS VB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(221,186,64,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4738\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Changes\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Changes TS VB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-c9d959f0-ff1d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.1/kibana/visualization/system-caf4d2b0-9b76-11ea-87e4-49f31ec44891.json b/packages/system/0.12.1/kibana/visualization/system-caf4d2b0-9b76-11ea-87e4-49f31ec44891.json
deleted file mode 100755
index f179ea214d..0000000000
--- a/packages/system/0.12.1/kibana/visualization/system-caf4d2b0-9b76-11ea-87e4-49f31ec44891.json
+++ /dev/null
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Event Distribution in time [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-7d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"p
osition\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Event Distribution in time [Windows System Security]\",\"type\":\"histogram\"}" - }, - "id": "windows-caf4d2b0-9b76-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-ce867840-f49e-11e9-8405-516218e3d268.json b/packages/system/0.12.1/kibana/visualization/system-ce867840-f49e-11e9-8405-516218e3d268.json deleted file mode 100755 index 7ff817a3ea..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-ce867840-f49e-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4732\",\"4728\",\"4756\",\"4751\",\"4761\",\"4746\",\"4785\",\"4787\"],\"type\":\"phrases\",\"value\":\"4732, 4728, 4756, 4751, 4761, 4746, 4785, 4787\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4732\"}},{\"match_phrase\":{\"event.code\":\"4728\"}},{\"match_phrase\":{\"event.code\":\"4756\"}},{\"match_phrase\":{\"event.code\":\"4751\"}},{\"match_phrase\":{\"event.code\":\"4761\"}},{\"match_phrase\":{\"event.code\":\"4746\"}},{\"match_phrase\":{\"event.code\":\"4785\"}},{\"match_phrase\":{\"event.code\":\"4787\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Added - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"User\",\"field\":\"winlog.event_data.MemberName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Group\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"group.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Performed by Logon 
ID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":4,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":5,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":5,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Added - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-ce867840-f49e-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No 
newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-d16bb400-f9cc-11e6-8115-a7c18106d86a.json b/packages/system/0.12.1/kibana/visualization/system-d16bb400-f9cc-11e6-8115-a7c18106d86a.json deleted file mode 100755 index 7d3a140c7b..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-d16bb400-f9cc-11e6-8115-a7c18106d86a.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.ssh.event:Accepted\"}}" - }, - "title": "Successful SSH logins [Logs System]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Accepted\":\"#3F6833\",\"Failed\":\"#F9934E\",\"Invalid\":\"#447EBC\",\"password\":\"#BF1B00\",\"publickey\":\"#629E51\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"system.auth.ssh.method\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"Successful SSH logins\",\"type\":\"histogram\"}" - }, - "id": "system-d16bb400-f9cc-11e6-8115-a7c18106d86a", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.1/kibana/visualization/system-d2e80340-4d5c-11e7-aa29-87a97a796de6.json b/packages/system/0.12.1/kibana/visualization/system-d2e80340-4d5c-11e7-aa29-87a97a796de6.json
deleted file mode 100755
index 409529a0d5..0000000000
--- a/packages/system/0.12.1/kibana/visualization/system-d2e80340-4d5c-11e7-aa29-87a97a796de6.json
+++ /dev/null
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Memory usage vs total [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"6f7618b0-4d5c-11e7-aa29-87a97a796de6\"}],\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.memory\\\"\"},\"id\":\"6bc65720-4d5c-11e7-aa29-87a97a796de6\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"6bc65721-4d5c-11e7-aa29-87a97a796de6\",\"label\":\"Memory usage\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.actual.used.bytes\",\"id\":\"6bc65722-4d5c-11e7-aa29-87a97a796de6\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"b8fe6820-4d5c-11e7-aa29-87a97a796de6\",\"label\":\"Total Memory\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.total\",\"id\":\"b8fe6821-4d5c-11e7-aa29-87a97a796de6\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"metric\"},\"title\":\"Memory usage vs total\",\"type\":\"metrics\"}" - }, - "id": "system-d2e80340-4d5c-11e7-aa29-87a97a796de6", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.1/kibana/visualization/system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b.json b/packages/system/0.12.1/kibana/visualization/system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b.json
deleted file mode 100755
index bc6234f906..0000000000
--- a/packages/system/0.12.1/kibana/visualization/system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b.json
+++ /dev/null
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Memory Usage Gauge [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.memory\\\"\"},\"gauge_color_rules\":[{\"gauge\":\"rgba(104,188,0,1)\",\"id\":\"a0d522e0-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0},{\"gauge\":\"rgba(254,146,0,1)\",\"id\":\"b45ad8f0-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0.7},{\"gauge\":\"rgba(211,49,21,1)\",\"id\":\"c06e9550-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0.85}],\"gauge_inner_width\":10,\"gauge_max\":\"1\",\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"9f51b730-1b91-11e7-bec4-a5e9ec5cab8b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"9f51b731-1b91-11e7-bec4-a5e9ec5cab8b\",\"label\":\"Memory Usage\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.actual.used.pct\",\"id\":\"9f51b732-1b91-11e7-bec4-a5e9ec5cab8b\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\"},\"title\":\"Memory Usage Gauge [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.1/kibana/visualization/system-d3a5fec0-ff18-11e9-8405-516218e3d268.json b/packages/system/0.12.1/kibana/visualization/system-d3a5fec0-ff18-11e9-8405-516218e3d268.json
deleted file mode 100755
index 4fbf0e757e..0000000000
--- a/packages/system/0.12.1/kibana/visualization/system-d3a5fec0-ff18-11e9-8405-516218e3d268.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Created - TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(181,99,93,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4720\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Created\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Created - TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-d3a5fec0-ff18-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.1/kibana/visualization/system-d56ee420-fa79-11e6-a1df-a78bd7504d38.json b/packages/system/0.12.1/kibana/visualization/system-d56ee420-fa79-11e6-a1df-a78bd7504d38.json deleted file mode 100755 index 4a1a669662..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-d56ee420-fa79-11e6-a1df-a78bd7504d38.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New users by home directory [Logs System]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"/bin/bash\":\"#E24D42\",\"/bin/false\":\"#508642\",\"/nonexistent\":\"#629E51\",\"/sbin/nologin\":\"#7EB26D\"},\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"system.auth.useradd.home\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":false,\"legendPosition\":\"right\"},\"title\":\"New users by home directory\",\"type\":\"pie\"}" - }, - "id": "system-d56ee420-fa79-11e6-a1df-a78bd7504d38", - "references": [ - { - "id": "system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-d770b040-9b35-11ea-87e4-49f31ec44891.json b/packages/system/0.12.1/kibana/visualization/system-d770b040-9b35-11ea-87e4-49f31ec44891.json deleted file mode 100755 index be99e9e1a7..0000000000 
--- a/packages/system/0.12.1/kibana/visualization/system-d770b040-9b35-11ea-87e4-49f31ec44891.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system OR data_stream.dataset:system.application OR data_stream.dataset:system.security OR data_stream.dataset:system.system)\"}}" - }, - "title": "Dashboard links - Simple [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"[Windows General Dashboard](#/dashboard/Windows-Dashboard) | [User Logon Information](#/dashboard/windows-035846a0-a249-11e9-a422-d144027429da?) | [Logon failed and Account Lockout](#/dashboard/windows-f49f3170-9ffc-11ea-87e4-49f31ec44891) | [User Management Events](#/dashboard/windows-8223bed0-b9e9-11e9-b6a2-c9b4015c4baf) | [Group Management Events](#/dashboard/windows-01c54730-fee6-11e9-8405-516218e3d268)\",\"openLinksInNewTab\":false},\"title\":\"Dashboard links - Simple [Windows System Security]\",\"type\":\"markdown\"}" - }, - "id": "windows-d770b040-9b35-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-da2110c0-bcea-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.12.1/kibana/visualization/system-da2110c0-bcea-11e9-b6a2-c9b4015c4baf.json deleted file mode 100755 index 29b2307260..0000000000 
--- a/packages/system/0.12.1/kibana/visualization/system-da2110c0-bcea-11e9-b6a2-c9b4015c4baf.json
+++ /dev/null
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4767\"},\"type\":\"phrase\",\"value\":\"4767\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4767\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Unlocked Users - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Unlocked User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
Logonid\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Unlocked Users - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-da2110c0-bcea-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.12.1/kibana/visualization/system-da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf.json deleted file mode 100755 index 27533dc793..0000000000 
--- a/packages/system/0.12.1/kibana/visualization/system-da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf.json
+++ /dev/null
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4723\",\"4724\"],\"type\":\"phrases\",\"value\":\"4723, 4724\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4723\"}},{\"match_phrase\":{\"event.code\":\"4724\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Password Changes - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Password Change to\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Password Changes - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-dc589770-fa2b-11e6-bbd3-29c986c96e5a.json b/packages/system/0.12.1/kibana/visualization/system-dc589770-fa2b-11e6-bbd3-29c986c96e5a.json deleted file mode 100755 index 16dd4ec2e5..0000000000 
--- a/packages/system/0.12.1/kibana/visualization/system-dc589770-fa2b-11e6-bbd3-29c986c96e5a.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top sudo commands [Logs System]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"system.auth.sudo.command\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.auth\\\"\"},\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top sudo commands\",\"type\":\"table\"}" - }, - "id": "system-dc589770-fa2b-11e6-bbd3-29c986c96e5a", - "references": [ - { - "id": "system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-e0f001c0-1b18-11e7-b09e-037021c4f8df.json b/packages/system/0.12.1/kibana/visualization/system-e0f001c0-1b18-11e7-b09e-037021c4f8df.json deleted file mode 100755 index 0de4eae928..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-e0f001c0-1b18-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Top Processes By CPU [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"bar_color\":\"rgba(104,188,0,1)\",\"id\":\"60e11be0-1b18-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0}],\"drilldown_url\":\"\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.process\\\"\"},\"id\":\"5f5b8d50-1b18-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"5f5b8d51-1b18-11e7-b09e-037021c4f8df\",\"line_width\":1,\"metrics\":[{\"field\":\"system.process.cpu.total.pct\",\"id\":\"5f5b8d52-1b18-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"process.name\",\"terms_order_by\":\"5f5b8d52-1b18-11e7-b09e-037021c4f8df\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Top Processes By CPU [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-e0f001c0-1b18-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-e121b140-fa78-11e6-a1df-a78bd7504d38.json b/packages/system/0.12.1/kibana/visualization/system-e121b140-fa78-11e6-a1df-a78bd7504d38.json deleted file mode 100755 index 8bc2dd67ee..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-e121b140-fa78-11e6-a1df-a78bd7504d38.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New users by shell [Logs System]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"/bin/bash\":\"#E24D42\",\"/bin/false\":\"#508642\",\"/sbin/nologin\":\"#7EB26D\"},\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"system.auth.useradd.shell\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.auth\\\"\"},\"isDonut\":false,\"legendPosition\":\"right\"},\"title\":\"New users by shell\",\"type\":\"pie\"}" - }, - "id": "system-e121b140-fa78-11e6-a1df-a78bd7504d38", - "references": [ - { - "id": "system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-e20c02d0-9b48-11ea-87e4-49f31ec44891.json b/packages/system/0.12.1/kibana/visualization/system-e20c02d0-9b48-11ea-87e4-49f31ec44891.json deleted file mode 100755 index 8b24cd66d5..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-e20c02d0-9b48-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Group Management Events - Groups vs Actions - Heatmap [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Target Groups\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Actions\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Blues\",\"colorsNumber\":4,\"colorsRange\":[],\"enableHover\":false,\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"type\":\"heatmap\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"black\",\"overwriteColor\":false,\"rotate\":0,\"show\":true},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Group Management Events - Groups vs Actions - Heatmap [Windows System Security]\",\"type\":\"heatmap\"}" - }, - "id": "windows-e20c02d0-9b48-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": 
"search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-e22c6f40-f498-11e9-8405-516218e3d268.json b/packages/system/0.12.1/kibana/visualization/system-e22c6f40-f498-11e9-8405-516218e3d268.json deleted file mode 100755 index fa97c1bb70..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-e22c6f40-f498-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Groups Deleted TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(200,201,197,1)\",\"id\":\"bfcaced0-f419-11e9-928e-8f5fd2b6c66e\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(228,155,75,1)\",\"id\":\"a7d935e0-f497-11e9-928e-8f5fd2b6c66e\",\"operator\":\"gt\",\"value\":0}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code:4734 OR event.code:4730 OR event.code:4758 OR event.code:4753 OR event.code:4763 OR event.code:4748 OR event.code:4789 OR event.code:4792\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Groups Deleted\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Groups Deleted TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-e22c6f40-f498-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.1/kibana/visualization/system-e2516c10-a249-11e9-a422-d144027429da.json b/packages/system/0.12.1/kibana/visualization/system-e2516c10-a249-11e9-a422-d144027429da.json deleted file mode 100755 index de6a2d6e79..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-e2516c10-a249-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4672\"},\"type\":\"phrase\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4672\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Administrator Users [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"winlog.logon.id\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"label\":\"user.name: Descending\",\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"cardinality\",\"format\":{\"id\":\"number\"},\"label\":\"Unique count of winlog.logon.id\",\"params\":{}}},\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"bottom\",\"type\":\"pie\"},\"title\":\"Administrator Users [Windows System Security]\",\"type\":\"pie\"}" - 
}, - "id": "windows-e2516c10-a249-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.12.1/kibana/visualization/system-ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf.json deleted file mode 100755 index 92704f61b4..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4726\"},\"type\":\"phrase\",\"value\":\"4726\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4726\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Deleted - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Deleted User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performed 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Deleted - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-ee292bc0-f499-11e9-8405-516218e3d268.json b/packages/system/0.12.1/kibana/visualization/system-ee292bc0-f499-11e9-8405-516218e3d268.json deleted file mode 100755 index 9fe3b6d974..0000000000 
--- a/packages/system/0.12.1/kibana/visualization/system-ee292bc0-f499-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Groups Created TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(200,201,197,1)\",\"id\":\"bfcaced0-f419-11e9-928e-8f5fd2b6c66e\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(181,99,93,1)\",\"id\":\"a7d935e0-f497-11e9-928e-8f5fd2b6c66e\",\"operator\":\"gt\",\"value\":0}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code:4731 OR event.code:4727 OR event.code:\\\"4754\\\" OR event.code:\\\"4749\\\" OR event.code:\\\"4759\\\" OR event.code:\\\"4744\\\" OR event.code:\\\"4783\\\" OR event.code:\\\"4790\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Groups Created\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Groups Created TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-ee292bc0-f499-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.1/kibana/visualization/system-f398d2f0-fa77-11e6-ae9b-81e5311e8cab.json b/packages/system/0.12.1/kibana/visualization/system-f398d2f0-fa77-11e6-ae9b-81e5311e8cab.json deleted file mode 100755 index 485b755000..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-f398d2f0-fa77-11e6-ae9b-81e5311e8cab.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New users [Logs System]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Host\",\"field\":\"host.hostname\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"User\",\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"UID\",\"field\":\"user.id\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"GID\",\"field\":\"group.id\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Home\",\"field\":\"system.auth.useradd.home\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"Shell\",\"field\":\"system.auth.useradd.shell\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.auth\\\"\"},\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"New users\",\"type\":\"table\"}" - }, - "id": "system-f398d2f0-fa77-11e6-ae9b-81e5311e8cab", - "references": [ - { - "id": 
"system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-f42f3b20-fee6-11e9-8405-516218e3d268.json b/packages/system/0.12.1/kibana/visualization/system-f42f3b20-fee6-11e9-8405-516218e3d268.json deleted file mode 100755 index be6236125f..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-f42f3b20-fee6-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4731\",\"4727\",\"4754\",\"4744\",\"4759\",\"4779\",\"4790\",\"4783\"],\"type\":\"phrases\",\"value\":\"4731, 4727, 4754, 4744, 4759, 4779, 4790, 4783\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4731\"}},{\"match_phrase\":{\"event.code\":\"4727\"}},{\"match_phrase\":{\"event.code\":\"4754\"}},{\"match_phrase\":{\"event.code\":\"4744\"}},{\"match_phrase\":{\"event.code\":\"4759\"}},{\"match_phrase\":{\"event.code\":\"4779\"}},{\"match_phrase\":{\"event.code\":\"4790\"}},{\"match_phrase\":{\"event.code\":\"4783\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Groups Created - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Groups Created\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Reds\",\"colorsRange\":[{\"from\":0,\"to\":1,\"type\":\"range\"},{\"from\":1,\"to\":10},{\"from\":10,\"to\":20},{\"from\":20,\"to\":9999}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"Labels\",\"percentageMode\":false,\"style\":{\"bgColor\":true,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Groups Created - 
Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-f42f3b20-fee6-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-fa876300-231a-11ea-8405-516218e3d268.json b/packages/system/0.12.1/kibana/visualization/system-fa876300-231a-11ea-8405-516218e3d268.json deleted file mode 100755 index 48a9eef8da..0000000000 --- a/packages/system/0.12.1/kibana/visualization/system-fa876300-231a-11ea-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4781\"},\"type\":\"phrase\",\"value\":\"4781\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4781\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Renamed - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Old User Name\",\"field\":\"winlog.event_data.OldTargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Renamed - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-fa876300-231a-11ea-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.1/kibana/visualization/system-fe064790-1b1f-11e7-bec4-a5e9ec5cab8b.json b/packages/system/0.12.1/kibana/visualization/system-fe064790-1b1f-11e7-bec4-a5e9ec5cab8b.json deleted file mode 100755 index 86576781aa..0000000000 
--- a/packages/system/0.12.1/kibana/visualization/system-fe064790-1b1f-11e7-bec4-a5e9ec5cab8b.json +++ /dev/null 
@@ -1,15 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "title": "Top Hosts By Memory (Realtime) [Metrics System]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"bar_color\":\"rgba(104,188,0,1)\",\"id\":\"33349dd0-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0},{\"bar_color\":\"rgba(254,146,0,1)\",\"id\":\"997dc440-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.6},{\"bar_color\":\"rgba(211,49,21,1)\",\"id\":\"a10d7f20-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.85}],\"drilldown_url\":\"../app/kibana#/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8?_a=(query:(language:kuery,query:'host.name:\\\"{{key}}\\\"'))\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.memory\\\"\"},\"id\":\"31e5afa0-1b1c-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"31e5afa1-1b1c-11e7-b09e-037021c4f8df\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.actual.used.pct\",\"id\":\"31e5afa2-1b1c-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"host.name\",\"terms_order_by\":\"31e5afa2-1b1c-11e7-b09e-037021c4f8df\",\"terms_size\":\"10\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Top Hosts By Memory (Realtime) [Metrics System]\",\"type\":\"metrics\"}"
- },
- "id": "system-fe064790-1b1f-11e7-bec4-a5e9ec5cab8b",
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/system/0.12.1/kibana/visualization/system-fee83900-f49f-11e9-8405-516218e3d268.json b/packages/system/0.12.1/kibana/visualization/system-fee83900-f49f-11e9-8405-516218e3d268.json
deleted file mode 100755
index 4ca79e5282..0000000000
--- a/packages/system/0.12.1/kibana/visualization/system-fee83900-f49f-11e9-8405-516218e3d268.json
+++ /dev/null
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4733\",\"4729\",\"4757\",\"4786\",\"4788\",\"4752\",\"4762\",\"4747\"],\"type\":\"phrases\",\"value\":\"4733, 4729, 4757, 4786, 4788, 4752, 4762, 4747\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4733\"}},{\"match_phrase\":{\"event.code\":\"4729\"}},{\"match_phrase\":{\"event.code\":\"4757\"}},{\"match_phrase\":{\"event.code\":\"4786\"}},{\"match_phrase\":{\"event.code\":\"4788\"}},{\"match_phrase\":{\"event.code\":\"4752\"}},{\"match_phrase\":{\"event.code\":\"4762\"}},{\"match_phrase\":{\"event.code\":\"4747\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Removed from Group - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"User\",\"field\":\"winlog.event_data.MemberName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Group\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"group.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Performed by Logon 
ID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":4,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":5,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":5,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Removed from Group - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-fee83900-f49f-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": 
"visualization"
-}
\ No newline at end of file
diff --git a/packages/system/0.12.1/kibana/visualization/system-ffebe440-f419-11e9-8405-516218e3d268.json b/packages/system/0.12.1/kibana/visualization/system-ffebe440-f419-11e9-8405-516218e3d268.json
deleted file mode 100755
index a4964edb78..0000000000
--- a/packages/system/0.12.1/kibana/visualization/system-ffebe440-f419-11e9-8405-516218e3d268.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{}"
- },
- "title": "Users Added - Metric [Windows System Security]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"bfcaced0-f419-11e9-928e-8f5fd2b6c66e\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(181,99,93,1)\",\"id\":\"a7d935e0-f497-11e9-928e-8f5fd2b6c66e\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code:4732 OR event.code:4728 OR event.code:4756 OR event.code:4751 OR event.code:4761 OR event.code:4746 OR event.code:4785 OR event.code:4787\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Added to Group\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Added - Metric [Windows System Security]\",\"type\":\"metrics\"}"
- },
- "id": "windows-ffebe440-f419-11e9-8405-516218e3d268",
- "migrationVersion": {
- "visualization": "7.10.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/system/0.12.1/manifest.yml b/packages/system/0.12.1/manifest.yml
deleted file mode 100755
index f5365aecef..0000000000
--- a/packages/system/0.12.1/manifest.yml
+++ /dev/null
@@ -1,79 +0,0 @@ -format_version: 1.0.0 -name: system -title: System -version: 0.12.1 -license: basic -description: System Integration -type: integration -categories: - - os_system - - security -release: beta -conditions: - kibana.version: '^7.13.0' -screenshots: - - src: /img/kibana-system.png - title: kibana system - size: 1220x852 - type: image/png - - src: /img/metricbeat_system_dashboard.png - title: metricbeat system dashboard - size: 2097x1933 - type: image/png -icons: - - src: /img/system.svg - title: system - size: 1000x1000 - type: image/svg+xml -policy_templates: - - name: system - title: System logs and metrics - description: Collect logs and metrics from System instances - inputs: - - type: logfile - title: Collect logs from System instances - description: Collecting System auth and syslog logs - - type: winlog - title: 'Collect events from the Windows event log' - description: 'Collecting events from Windows event log' - - type: system/metrics - title: Collect metrics from System instances - description: Collecting System core, CPU, diskio, entropy, filesystem, fsstat, load, memory, network, Network Summary, process, Process Summary, raid, service, socket, Socket Summary, uptime and users metrics - vars: - - name: system.hostfs - type: text - title: Proc Filesystem Directory - multi: false - required: false - show_user: true - description: The proc filesystem base directory. - - type: httpjson - title: Collect logs from third-party REST API (experimental) - description: Collect logs from third-party REST API (experimental) - vars: - - name: url - type: text - title: URL of Splunk Enterprise Server - description: i.e. 
scheme://host:port, path is automatic - show_user: true - required: true - default: https://server.example.com:8089 - - name: username - type: text - title: Splunk REST API Username - show_user: true - required: true - - name: password - type: password - title: Splunk REST API Password - required: true - show_user: true - - name: ssl - type: yaml - title: SSL Configuration - description: i.e. certificate_authorities, supported_protocols, verification_mode etc. - multi: false - required: false - show_user: false -owner: - github: elastic/integrations diff --git a/packages/system/0.12.2/changelog.yml b/packages/system/0.12.2/changelog.yml deleted file mode 100755 index d75fb09011..0000000000 --- a/packages/system/0.12.2/changelog.yml +++ /dev/null 
@@ -1,39 +0,0 @@
-# newer versions go on top
-- version: "0.12.2"
- changes:
- - description: Add event.code mappings
- type: bugfix
- link: https://github.com/elastic/integrations/pull/932
-- version: "0.12.1"
- changes:
- - description: Change Splunk input to use the decode_xml_wineventlog processor.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/924
-- version: "0.12.0"
- changes:
- - description: Add Splunk input for application, system, and security data streams.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/890
-- version: "0.11.3"
- changes:
- - description: Updating package owner
- type: enhancement
- link: https://github.com/elastic/integrations/pull/766
- - description: update to ECS 1.9.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/874
-- version: "0.11.2"
- changes:
- - description: Update security data stream
- type: bugfix # can be one of: enhancement, bugfix, breaking-change
- link: https://github.com/elastic/integrations/pull/728
-- version: "0.11.1" # unreleased
- changes:
- - description: remove duplicate ingest pipeline for syslog data stream
- type: bugfix
- link: https://github.com/elastic/integrations/pull/725
-- version: "0.0.3"
- changes:
- - description: initial release
- type: enhancement # can be one of: enhancement, bugfix, breaking-change
- link: https://github.com/elastic/integrations/pull/8
diff --git a/packages/system/0.12.2/data_stream/application/agent/stream/httpjson.yml.hbs b/packages/system/0.12.2/data_stream/application/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index e5e84c288a..0000000000
--- a/packages/system/0.12.2/data_stream/application/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,90 +0,0 @@ -config_version: "2" -interval: {{interval}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: |- - {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -response.decode_as: application/x-ndjson -tags: -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains tags "forwarded"}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: - - decode_json_fields: - fields: message - target: json - add_error_key: true - - drop_event: - when: - not: - has_fields: ['json.result'] - - fingerprint: - fields: - - json.result._cd - - json.result._indextime - - json.result._raw - - json.result._time - - json.result.host - - json.result.source - target_field: "@metadata._id" - - drop_fields: - fields: message - - rename: - fields: - - from: json.result._raw - to: event.original - - from: json.result.host - to: host.name - - from: json.result.source - to: event.provider - ignore_missing: true - fail_on_error: false - - drop_fields: - fields: json - - decode_xml_wineventlog: - field: event.original - target_field: winlog - ignore_missing: true - ignore_failure: true - map_ecs_fields: true - - timestamp: - field: winlog.time_created - layouts: - - '2006-01-02T15:04:05Z' - - '2006-01-02T15:04:05.999Z' - - '2006-01-02T15:04:05.999-07:00' - test: - - '2019-06-22T16:33:51Z' - - '2019-11-18T04:59:51.123Z' - - 
'2020-08-03T07:10:20.123456+02:00' - - add_fields: - target: '' - fields: - ecs.version: 1.8.0 diff --git a/packages/system/0.12.2/data_stream/application/agent/stream/winlog.yml.hbs b/packages/system/0.12.2/data_stream/application/agent/stream/winlog.yml.hbs deleted file mode 100755 index e207b9ffd6..0000000000 --- a/packages/system/0.12.2/data_stream/application/agent/stream/winlog.yml.hbs +++ /dev/null @@ -1,3 +0,0 @@ -name: Application -condition: ${host.platform} == 'windows' -ignore_older: 72h \ No newline at end of file diff --git a/packages/system/0.12.2/data_stream/application/elasticsearch/ingest_pipeline/default.yml b/packages/system/0.12.2/data_stream/application/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index d239ad095f..0000000000 --- a/packages/system/0.12.2/data_stream/application/elasticsearch/ingest_pipeline/default.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- - description: Pipeline for Windows Application Event Logs - processors: - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' - on_failure: - - set: - field: "error.message" - value: "{{ _ingest.on_failure_message }}" \ No newline at end of file diff --git a/packages/system/0.12.2/data_stream/application/fields/agent.yml b/packages/system/0.12.2/data_stream/application/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/system/0.12.2/data_stream/application/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.12.2/data_stream/application/fields/base-fields.yml b/packages/system/0.12.2/data_stream/application/fields/base-fields.yml
deleted file mode 100755
index 7c798f4534..0000000000
--- a/packages/system/0.12.2/data_stream/application/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.12.2/data_stream/application/fields/ecs.yml b/packages/system/0.12.2/data_stream/application/fields/ecs.yml
deleted file mode 100755
index f283f085b0..0000000000
--- a/packages/system/0.12.2/data_stream/application/fields/ecs.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-- description: Time when the event was first read by an agent or by your pipeline.
- example: '2016-05-23T08:05:34.857Z'
- name: event.created
- type: date
-- description: Timestamp when an event arrived in the central data store.
- example: '2016-05-23T08:05:35.101Z'
- name: event.ingested
- type: date
-- description: Raw text message of entire event.
- example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232
- ignore_above: 1024
- name: event.original
- type: keyword
-- description: Error message.
- name: error.message
- type: text
-- description: Identification code for this event.
- example: 4648
- ignore_above: 1024
- name: event.code
- type: keyword
diff --git a/packages/system/0.12.2/data_stream/application/fields/winlog.yml b/packages/system/0.12.2/data_stream/application/fields/winlog.yml
deleted file mode 100755
index adca1bbdd0..0000000000
--- a/packages/system/0.12.2/data_stream/application/fields/winlog.yml
+++ /dev/null
@@ -1,357 +0,0 @@ -- name: winlog - type: group - description: > - All fields specific to the Windows Event Log are defined here. - - fields: - - name: api - required: true - type: keyword - description: > - The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. - - - name: activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. - - - name: computer_name - type: keyword - required: true - description: > - The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. - - - name: event_data - type: object - object_type: keyword - required: false - description: > - The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. - - - name: event_data - type: group - description: > - This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs. 
- - fields: - - name: AuthenticationPackageName - type: keyword - - name: Binary - type: keyword - - name: BitlockerUserInputTime - type: keyword - - name: BootMode - type: keyword - - name: BootType - type: keyword - - name: BuildVersion - type: keyword - - name: Company - type: keyword - - name: CorruptionActionState - type: keyword - - name: CreationUtcTime - type: keyword - - name: Description - type: keyword - - name: Detail - type: keyword - - name: DeviceName - type: keyword - - name: DeviceNameLength - type: keyword - - name: DeviceTime - type: keyword - - name: DeviceVersionMajor - type: keyword - - name: DeviceVersionMinor - type: keyword - - name: DriveName - type: keyword - - name: DriverName - type: keyword - - name: DriverNameLength - type: keyword - - name: DwordVal - type: keyword - - name: EntryCount - type: keyword - - name: ExtraInfo - type: keyword - - name: FailureName - type: keyword - - name: FailureNameLength - type: keyword - - name: FileVersion - type: keyword - - name: FinalStatus - type: keyword - - name: Group - type: keyword - - name: IdleImplementation - type: keyword - - name: IdleStateCount - type: keyword - - name: ImpersonationLevel - type: keyword - - name: IntegrityLevel - type: keyword - - name: IpAddress - type: keyword - - name: IpPort - type: keyword - - name: KeyLength - type: keyword - - name: LastBootGood - type: keyword - - name: LastShutdownGood - type: keyword - - name: LmPackageName - type: keyword - - name: LogonGuid - type: keyword - - name: LogonId - type: keyword - - name: LogonProcessName - type: keyword - - name: LogonType - type: keyword - - name: MajorVersion - type: keyword - - name: MaximumPerformancePercent - type: keyword - - name: MemberName - type: keyword - - name: MemberSid - type: keyword - - name: MinimumPerformancePercent - type: keyword - - name: MinimumThrottlePercent - type: keyword - - name: MinorVersion - type: keyword - - name: NewProcessId - type: keyword - - name: NewProcessName - type: 
keyword - - name: NewSchemeGuid - type: keyword - - name: NewTime - type: keyword - - name: NominalFrequency - type: keyword - - name: Number - type: keyword - - name: OldSchemeGuid - type: keyword - - name: OldTime - type: keyword - - name: OriginalFileName - type: keyword - - name: Path - type: keyword - - name: PerformanceImplementation - type: keyword - - name: PreviousCreationUtcTime - type: keyword - - name: PreviousTime - type: keyword - - name: PrivilegeList - type: keyword - - name: ProcessId - type: keyword - - name: ProcessName - type: keyword - - name: ProcessPath - type: keyword - - name: ProcessPid - type: keyword - - name: Product - type: keyword - - name: PuaCount - type: keyword - - name: PuaPolicyId - type: keyword - - name: QfeVersion - type: keyword - - name: Reason - type: keyword - - name: SchemaVersion - type: keyword - - name: ScriptBlockText - type: keyword - - name: ServiceName - type: keyword - - name: ServiceVersion - type: keyword - - name: ShutdownActionType - type: keyword - - name: ShutdownEventCode - type: keyword - - name: ShutdownReason - type: keyword - - name: Signature - type: keyword - - name: SignatureStatus - type: keyword - - name: Signed - type: keyword - - name: StartTime - type: keyword - - name: State - type: keyword - - name: Status - type: keyword - - name: StopTime - type: keyword - - name: SubjectDomainName - type: keyword - - name: SubjectLogonId - type: keyword - - name: SubjectUserName - type: keyword - - name: SubjectUserSid - type: keyword - - name: TSId - type: keyword - - name: TargetDomainName - type: keyword - - name: TargetInfo - type: keyword - - name: TargetLogonGuid - type: keyword - - name: TargetLogonId - type: keyword - - name: TargetServerName - type: keyword - - name: TargetUserName - type: keyword - - name: TargetUserSid - type: keyword - - name: TerminalSessionId - type: keyword - - name: TokenElevationType - type: keyword - - name: TransmittedServices - type: keyword - - name: UserSid - type: 
keyword - - name: Version - type: keyword - - name: Workstation - type: keyword - - name: param1 - type: keyword - - name: param2 - type: keyword - - name: param3 - type: keyword - - name: param4 - type: keyword - - name: param5 - type: keyword - - name: param6 - type: keyword - - name: param7 - type: keyword - - name: param8 - type: keyword - - name: event_id - type: keyword - required: true - description: > - The event identifier. The value is specific to the source of the event. - - - name: keywords - type: keyword - required: false - description: > - The keywords are used to classify an event. - - - name: channel - type: keyword - required: true - description: > - The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. - - - name: record_id - type: keyword - required: true - description: > - The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. - - - name: related_activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. - - - name: opcode - type: keyword - required: false - description: > - The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. - - - name: provider_guid - type: keyword - required: false - description: > - A globally unique identifier that identifies the provider that logged the event. - - - name: process.pid - type: long - required: false - description: > - The process_id of the Client Server Runtime Process. 
- - - name: provider_name - type: keyword - required: true - description: > - The source of the event log record (the application or service that logged the record). - - - name: task - type: keyword - required: false - description: > - The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. - - - name: process.thread.id - type: long - required: false - - name: user_data - type: object - object_type: keyword - required: false - description: > - The event specific data. This field is mutually exclusive with `event_data`. - - - name: user.identifier - type: keyword - required: false - example: S-1-5-21-3541430928-2051711210-1391384369-1001 - description: > - The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. - - - name: user.name - type: keyword - description: > - Name of the user associated with this event. - - - name: user.domain - type: keyword - required: false - description: > - The domain that the account associated with this event is a member of. - - - name: user.type - type: keyword - required: false - description: > - The type of account associated with this event. - - - name: version - type: long - required: false - description: The version number of the event's definition. diff --git a/packages/system/0.12.2/data_stream/application/manifest.yml b/packages/system/0.12.2/data_stream/application/manifest.yml deleted file mode 100755 index 3d9d689e7a..0000000000 --- a/packages/system/0.12.2/data_stream/application/manifest.yml +++ /dev/null 
@@ -1,34 +0,0 @@ -type: logs -title: Windows Application Events -release: experimental -streams: - - input: winlog - template_path: winlog.yml.hbs - title: Application - description: 'Collect Windows application logs' - - input: httpjson - title: Windows Application Events via Splunk Enterprise REST API - description: Collect Application Events via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: false - required: true - default: "search sourcetype=\"XmlWinEventLog:Application\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded diff --git a/packages/system/0.12.2/data_stream/auth/agent/stream/log.yml.hbs b/packages/system/0.12.2/data_stream/auth/agent/stream/log.yml.hbs deleted file mode 100755 index 09e5d53429..0000000000 --- a/packages/system/0.12.2/data_stream/auth/agent/stream/log.yml.hbs +++ /dev/null @@ -1,14 +0,0 @@ -paths: -{{#each paths as |path i|}} - - {{path}} -{{/each}} -exclude_files: [".gz$"] -multiline: - pattern: "^\\s" - match: after -processors: - - add_locale: ~ - - add_fields: - target: '' - fields: - ecs.version: 1.9.0 diff --git a/packages/system/0.12.2/data_stream/auth/elasticsearch/ingest_pipeline/default.yml b/packages/system/0.12.2/data_stream/auth/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 7e825c58d1..0000000000 --- a/packages/system/0.12.2/data_stream/auth/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,202 +0,0 @@ ---- -description: Pipeline for parsing system authorisation/secure logs -processors: -- set: - field: event.ingested - value: '{{_ingest.timestamp}}' -- grok: - field: message - ignore_missing: true - pattern_definitions: - GREEDYMULTILINE: |- - (.| - )* - TIMESTAMP: (?:%{TIMESTAMP_ISO8601}|%{SYSLOGTIMESTAMP}) - patterns: - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - %{DATA:system.auth.ssh.event} %{DATA:system.auth.ssh.method} for (invalid user - )?%{DATA:user.name} from %{IPORHOST:source.ip} port %{NUMBER:source.port:long} - ssh2(: %{GREEDYDATA:system.auth.ssh.signature})?' - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - %{DATA:system.auth.ssh.event} user %{DATA:user.name} from %{IPORHOST:source.ip}' - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - Did not receive identification string from %{IPORHOST:system.auth.ssh.dropped_ip}' - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - \s*%{DATA:user.name} :( %{DATA:system.auth.sudo.error} ;)? TTY=%{DATA:system.auth.sudo.tty} - ; PWD=%{DATA:system.auth.sudo.pwd} ; USER=%{DATA:system.auth.sudo.user} ; COMMAND=%{GREEDYDATA:system.auth.sudo.command}' - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - new group: name=%{DATA:group.name}, GID=%{NUMBER:group.id}' - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - new user: name=%{DATA:user.name}, UID=%{NUMBER:user.id}, GID=%{NUMBER:group.id}, - home=%{DATA:system.auth.useradd.home}, shell=%{DATA:system.auth.useradd.shell}$' - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname}? 
%{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - %{GREEDYMULTILINE:system.auth.message}' -- remove: - field: message -- rename: - field: system.auth.message - target_field: message - ignore_missing: true - if: ctx?.system?.auth?.message != null && ctx?.system?.auth?.message != "" -- grok: - field: message - ignore_missing: true - ignore_failure: true - patterns: - - 'for user \"?%{DATA:_temp.foruser}\"? by \"?%{DATA:_temp.byuser}\"?(?:\(uid=%{NUMBER:_temp.byuid}\))?$' - - 'for user \"?%{DATA:_temp.foruser}\"?$' - - 'by user \"?%{DATA:_temp.byuser}\"?$' - if: ctx?.message != null && ctx?.message != "" -- rename: - field: _temp.byuser - target_field: user.name - ignore_missing: true - ignore_failure: true -- rename: - field: _temp.byuid - target_field: user.id - ignore_missing: true - ignore_failure: true -- rename: - field: _temp.foruser - target_field: user.name - ignore_missing: true - ignore_failure: true - if: ctx?.user?.name == null || ctx?.user?.name == "" -- rename: - field: _temp.foruser - target_field: user.effective.name - ignore_missing: true - ignore_failure: true - if: ctx?.user?.name != null -- remove: - field: _temp - ignore_missing: true -- convert: - field: system.auth.sudo.user - target_field: user.effective.name - type: string - ignore_failure: true - if: ctx?.system?.auth?.sudo?.user != null -- set: - field: source.ip - value: '{{system.auth.ssh.dropped_ip}}' - ignore_empty_value: true -- date: - if: ctx.event.timezone == null - field: system.auth.timestamp - target_field: '@timestamp' - formats: - - MMM d HH:mm:ss - - MMM dd HH:mm:ss - - ISO8601 - on_failure: - - append: - field: error.message - value: '{{ _ingest.on_failure_message }}' -- date: - if: ctx.event.timezone != null - field: system.auth.timestamp - target_field: '@timestamp' - formats: - - MMM d HH:mm:ss - - MMM dd HH:mm:ss - - ISO8601 - timezone: '{{ event.timezone }}' - on_failure: - - append: - field: error.message - value: '{{ _ingest.on_failure_message }}' -- remove: - 
field: system.auth.timestamp -- geoip: - field: source.ip - target_field: source.geo - ignore_failure: true -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true -- rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true -- rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true -- set: - field: event.kind - value: event -- script: - lang: painless - ignore_failure: true - source: >- - if (ctx.system.auth.ssh.event == "Accepted") { - ctx.event.type = ["authentication_success", "info"]; - ctx.event.category = ["authentication","session"]; - ctx.event.action = "ssh_login"; - ctx.event.outcome = "success"; - } else if (ctx.system.auth.ssh.event == "Invalid" || ctx.system.auth.ssh.event == "Failed") { - ctx.event.type = ["authentication_failure", "info"]; - ctx.event.category = ["authentication"]; - ctx.event.action = "ssh_login"; - ctx.event.outcome = "failure"; - } - -- append: - field: event.category - value: iam - if: "ctx?.process?.name != null && ['groupadd', 'groupdel', 'groupmod', 'useradd', 'userdel', 'usermod'].contains(ctx.process.name)" -- set: - field: event.outcome - value: success - if: "ctx?.process?.name != null && ['groupadd', 'groupdel', 'groupmod', 'useradd', 'userdel', 'usermod'].contains(ctx.process.name)" -- append: - field: event.type - value: user - if: "ctx?.process?.name != null && ['useradd', 'userdel', 'usermod'].contains(ctx.process.name)" -- append: - field: event.type - value: group - if: "ctx?.process?.name != null && ['groupadd', 'groupdel', 'groupmod'].contains(ctx.process.name)" -- append: - field: event.type - value: creation - if: "ctx?.process?.name != null && ['useradd', 'groupadd'].contains(ctx.process.name)" -- append: - field: event.type - value: deletion - if: "ctx?.process?.name != null && ['userdel', 
'groupdel'].contains(ctx.process.name)" -- append: - field: event.type - value: change - if: "ctx?.process?.name != null && ['usermod', 'groupmod'].contains(ctx.process.name)" -- append: - field: related.user - value: "{{user.name}}" - allow_duplicates: false - if: "ctx?.user?.name != null && ctx.user?.name != ''" -- append: - field: related.user - value: "{{user.effective.name}}" - allow_duplicates: false - if: "ctx?.user?.effective?.name != null && ctx.user?.effective?.name != ''" -- append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false - if: "ctx?.source?.ip != null && ctx.source?.ip != ''" -- append: - field: related.hosts - value: "{{host.hostname}}" - allow_duplicates: false - if: "ctx.host?.hostname != null && ctx.host?.hostname != ''" -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/system/0.12.2/data_stream/auth/fields/agent.yml b/packages/system/0.12.2/data_stream/auth/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/system/0.12.2/data_stream/auth/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.12.2/data_stream/auth/fields/base-fields.yml b/packages/system/0.12.2/data_stream/auth/fields/base-fields.yml deleted file mode 100755 index 7c798f4534..0000000000 --- a/packages/system/0.12.2/data_stream/auth/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.12.2/data_stream/auth/fields/ecs.yml b/packages/system/0.12.2/data_stream/auth/fields/ecs.yml deleted file mode 100755 index 2ddb39bf67..0000000000 --- a/packages/system/0.12.2/data_stream/auth/fields/ecs.yml +++ /dev/null 
@@ -1,265 +0,0 @@ -- name: '@timestamp' - level: core - required: true - type: date - description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. -- name: message - level: core - type: text - description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. -- name: group - title: Group - group: 2 - type: group - fields: - - name: id - level: extended - type: keyword - description: Unique identifier for the group on the system/platform. - ignore_above: 1024 - - name: name - level: extended - type: keyword - description: Name of the group. - ignore_above: 1024 -- name: host - title: Host - group: 2 - type: group - fields: - - name: hostname - level: core - type: keyword - description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - ignore_above: 1024 -- name: event - title: Event - type: group - fields: - - name: action - type: keyword - ignore_above: 1024 - description: 'The action captured by the event.' - - name: category - type: keyword - ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.' - - name: code - type: keyword - ignore_above: 1024 - description: 'Identification code for this event, if one exists.' - - name: created - type: date - description: 'event.created contains the date/time when the event was first read by an agent, or by your pipeline.' 
- - name: ingested - type: date - description: 'Timestamp when an event arrived in the central data store.' - default_field: false - - name: kind - type: keyword - ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.' - - name: module - type: keyword - ignore_above: 1024 - description: 'Name of the module this data is coming from.' - - name: outcome - type: keyword - ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.' - - name: provider - type: keyword - ignore_above: 1024 - description: 'Source of the event.' - - name: sequence - type: long - format: string - description: 'Sequence number of the event.' - - name: type - type: keyword - ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.' -- name: process - title: Process - group: 2 - type: group - fields: - - name: name - level: extended - type: keyword - description: |- - Process name. - Sometimes called program name or similar. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - - name: pid - level: core - type: long - format: string - description: Process id. -- name: source - title: Source - group: 2 - type: group - fields: - - name: geo.city_name - level: core - type: keyword - description: City name. - ignore_above: 1024 - - name: geo.continent_name - level: core - type: keyword - description: Name of the continent. - ignore_above: 1024 - - name: geo.country_iso_code - level: core - type: keyword - description: Country ISO code. - ignore_above: 1024 - - name: geo.location - level: core - type: geo_point - description: Longitude and latitude. - - name: geo.region_iso_code - level: core - type: keyword - description: Region ISO code. 
- ignore_above: 1024 - - name: geo.region_name - level: core - type: keyword - description: Region name. - ignore_above: 1024 - - name: ip - level: core - type: ip - description: IP address of the source (IPv4 or IPv6). - - name: port - level: core - type: long - format: string - description: Port of the source. -- name: user - title: User - group: 2 - type: group - fields: - - name: id - level: core - type: keyword - description: Unique identifier of the user. - ignore_above: 1024 - - name: name - level: core - type: keyword - description: Short name or login of the user. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - - name: effective.name - level: core - type: keyword - description: Short name or login of the user. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false -- description: "Operating system architecture." - ignore_above: 1024 - name: host.architecture - type: keyword -- description: "Name of the directory the group is a member of." - ignore_above: 1024 - name: host.domain - type: keyword -- description: "Hostname of the host." - ignore_above: 1024 - name: host.hostname - type: keyword -- description: "Unique host id." - ignore_above: 1024 - name: host.id - type: keyword -- description: "Host ip addresses." - name: host.ip - type: ip -- description: "Host mac addresses." - ignore_above: 1024 - name: host.mac - type: keyword -- description: "Name of the host." - ignore_above: 1024 - name: host.name - type: keyword -- description: "OS family (such as redhat, debian, freebsd, windows)." - ignore_above: 1024 - name: host.os.family - type: keyword -- description: "Operating system name, including the version or code name." - ignore_above: 1024 - multi_fields: - - name: text - norms: false - type: text - name: host.os.full - type: keyword -- description: "Operating system kernel version as a raw string." 
- ignore_above: 1024 - name: host.os.kernel - type: keyword -- description: "Operating system name, without the version." - ignore_above: 1024 - multi_fields: - - name: text - norms: false - type: text - name: host.os.name - type: keyword -- description: "Operating system platform (such centos, ubuntu, windows)." - ignore_above: 1024 - name: host.os.platform - type: keyword -- description: "Operating system version as a raw string." - ignore_above: 1024 - name: version - type: keyword -- name: error.message - type: text - description: Error message. -- name: related.ip - type: ip - description: All of the IPs seen on your event. -- name: related.user - type: keyword - description: All the user names seen on your event. -- name: related.hosts - type: keyword - description: All the host names seen on your event. -- name: source.as.number - type: long - description: Unique number allocated to the autonomous system. -- name: source.as.organization.name - type: keyword - description: Organization name. -- name: source.geo.country_name - type: keyword - description: Country name. diff --git a/packages/system/0.12.2/data_stream/auth/fields/fields.yml b/packages/system/0.12.2/data_stream/auth/fields/fields.yml deleted file mode 100755 index 1e7b044f02..0000000000 --- a/packages/system/0.12.2/data_stream/auth/fields/fields.yml +++ /dev/null 
@@ -1,58 +0,0 @@ -- name: system.auth - type: group - fields: - - name: ssh - type: group - fields: - - name: method - type: keyword - description: | - The SSH authentication method. Can be one of "password" or "publickey". - - name: signature - type: keyword - description: | - The signature of the client public key. - - name: dropped_ip - type: ip - description: | - The client IP from SSH connections that are open and immediately dropped. - - name: event - type: keyword - description: | - The SSH event as found in the logs (Accepted, Invalid, Failed, etc.) - - name: geoip - type: group - - name: sudo - type: group - fields: - - name: error - type: keyword - description: | - The error message in case the sudo command failed. - - name: tty - type: keyword - description: | - The TTY where the sudo command is executed. - - name: pwd - type: keyword - description: | - The current directory where the sudo command is executed. - - name: user - type: keyword - description: | - The target user to which the sudo command is switching. - - name: command - type: keyword - description: | - The command executed via sudo. - - name: useradd - type: group - fields: - - name: home - type: keyword - description: The home folder for the new user. - - name: shell - type: keyword - description: The default shell for the new user. - - name: groupadd - type: group diff --git a/packages/system/0.12.2/data_stream/auth/manifest.yml b/packages/system/0.12.2/data_stream/auth/manifest.yml deleted file mode 100755 index 428764ece1..0000000000 --- a/packages/system/0.12.2/data_stream/auth/manifest.yml +++ /dev/null @@ -1,18 +0,0 @@ -title: System auth logs -release: experimental -type: logs -streams: - - input: logfile - vars: - - name: paths - type: text - title: Paths - multi: true - required: true - show_user: true - default: - - /var/log/auth.log* - - /var/log/secure* - template_path: log.yml.hbs - title: System auth logs (log) - description: Collect System auth logs using log input 
diff --git a/packages/system/0.12.2/data_stream/core/agent/stream/stream.yml.hbs b/packages/system/0.12.2/data_stream/core/agent/stream/stream.yml.hbs deleted file mode 100755 index 38d25572bd..0000000000 --- a/packages/system/0.12.2/data_stream/core/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,5 +0,0 @@ -metricsets: ["core"] -core.metrics: -{{#each core.metrics}} - - {{this}} -{{/each}} diff --git a/packages/system/0.12.2/data_stream/core/fields/agent.yml b/packages/system/0.12.2/data_stream/core/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/system/0.12.2/data_stream/core/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.12.2/data_stream/core/fields/base-fields.yml b/packages/system/0.12.2/data_stream/core/fields/base-fields.yml deleted file mode 100755 index 7c798f4534..0000000000 --- a/packages/system/0.12.2/data_stream/core/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.12.2/data_stream/core/fields/ecs.yml b/packages/system/0.12.2/data_stream/core/fields/ecs.yml deleted file mode 100755 index e76a78fa1d..0000000000 --- a/packages/system/0.12.2/data_stream/core/fields/ecs.yml +++ /dev/null 
@@ -1,71 +0,0 @@ -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. 
- example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: Type of host. diff --git a/packages/system/0.12.2/data_stream/core/fields/fields.yml b/packages/system/0.12.2/data_stream/core/fields/fields.yml deleted file mode 100755 index dab186321f..0000000000 --- a/packages/system/0.12.2/data_stream/core/fields/fields.yml +++ /dev/null 
@@ -1,103 +0,0 @@ -- name: system.core - type: group - fields: - - name: id - type: keyword - description: | - CPU Core number. - - name: user.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in user space. - - name: user.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent in user space. - - name: system.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in kernel space. - - name: system.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent in kernel space. - - name: nice.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent on low-priority processes. - - name: nice.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent on low-priority processes. - - name: idle.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent idle. - - name: idle.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent idle. - - name: iowait.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in wait (on disk). - - name: iowait.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent in wait (on disk). - - name: irq.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent servicing and handling hardware interrupts. - - name: irq.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent servicing and handling hardware interrupts. 
- - name: softirq.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent servicing and handling software interrupts. - - name: softirq.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent servicing and handling software interrupts. - - name: steal.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. - - name: steal.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. diff --git a/packages/system/0.12.2/data_stream/core/manifest.yml b/packages/system/0.12.2/data_stream/core/manifest.yml deleted file mode 100755 index f7e0e5a825..0000000000 --- a/packages/system/0.12.2/data_stream/core/manifest.yml +++ /dev/null @@ -1,27 +0,0 @@ -title: System core metrics -release: experimental -type: metrics -streams: - - input: system/metrics - enabled: false - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - - name: core.metrics - type: text - title: Core Metrics - multi: true - required: true - show_user: true - description: > - How to report core metrics. Can be "percentages" or "ticks" - - default: - - percentages - title: System core metrics - description: Collect System core metrics diff --git a/packages/system/0.12.2/data_stream/cpu/agent/stream/stream.yml.hbs b/packages/system/0.12.2/data_stream/cpu/agent/stream/stream.yml.hbs deleted file mode 100755 index cd0de8d3d9..0000000000 --- a/packages/system/0.12.2/data_stream/cpu/agent/stream/stream.yml.hbs +++ /dev/null 
@@ -1,6 +0,0 @@ -metricsets: ["cpu"] -cpu.metrics: -{{#each cpu.metrics}} - - {{this}} -{{/each}} -period: {{period}} \ No newline at end of file diff --git a/packages/system/0.12.2/data_stream/cpu/fields/agent.yml b/packages/system/0.12.2/data_stream/cpu/fields/agent.yml deleted file mode 100755 index 3643534982..0000000000 --- a/packages/system/0.12.2/data_stream/cpu/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - - - name: cpu.pct - type: scaled_float - format: percent - description: > - Percent CPU used. 
This value is normalized by the number of CPU cores and it ranges from 0 to 1. - diff --git a/packages/system/0.12.2/data_stream/cpu/fields/base-fields.yml b/packages/system/0.12.2/data_stream/cpu/fields/base-fields.yml deleted file mode 100755 index 7c798f4534..0000000000 --- a/packages/system/0.12.2/data_stream/cpu/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.12.2/data_stream/cpu/fields/ecs.yml b/packages/system/0.12.2/data_stream/cpu/fields/ecs.yml deleted file mode 100755 index e76a78fa1d..0000000000 --- a/packages/system/0.12.2/data_stream/cpu/fields/ecs.yml +++ /dev/null 
@@ -1,71 +0,0 @@ -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. 
- example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: Type of host. diff --git a/packages/system/0.12.2/data_stream/cpu/fields/fields.yml b/packages/system/0.12.2/data_stream/cpu/fields/fields.yml deleted file mode 100755 index 9efed64c2d..0000000000 --- a/packages/system/0.12.2/data_stream/cpu/fields/fields.yml +++ /dev/null 
@@ -1,182 +0,0 @@ -- name: system.cpu - type: group - fields: - - name: cores - type: long - metric_type: gauge - description: | - The number of CPU cores present on the host. The non-normalized percentages will have a maximum value of `100% * cores`. The normalized percentages already take this value into account and have a maximum value of 100%. - - name: user.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in user space. On multi-core systems, you can have percentages that are greater than 100%. For example, if 3 cores are at 60% use, then the `system.cpu.user.pct` will be 180%. - - name: system.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in kernel space. - - name: nice.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent on low-priority processes. - - name: idle.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent idle. - - name: iowait.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in wait (on disk). - - name: irq.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent servicing and handling hardware interrupts. - - name: softirq.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent servicing and handling software interrupts. - - name: steal.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. 
- - name: total.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in states other than Idle and IOWait. - - name: user.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in user space. - - name: system.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in kernel space. - - name: nice.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent on low-priority processes. - - name: idle.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent idle. - - name: iowait.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in wait (on disk). - - name: irq.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent servicing and handling hardware interrupts. - - name: softirq.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent servicing and handling software interrupts. - - name: steal.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. - - name: total.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time in states other than Idle and IOWait, normalised by the number of cores. 
- - name: user.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent in user space. - - name: system.ticks - type: long - description: | - The amount of CPU time spent in kernel space. - - name: nice.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent on low-priority processes. - - name: idle.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent idle. - - name: iowait.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent in wait (on disk). - - name: irq.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent servicing and handling hardware interrupts. - - name: softirq.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent servicing and handling software interrupts. - - name: steal.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. -- name: host - type: group - fields: - - name: cpu.pct - type: scaled_float - unit: percent - metric_type: gauge - description: | - Percent CPU used. This value is normalized by the number of CPU cores and it ranges from 0 to 1. diff --git a/packages/system/0.12.2/data_stream/cpu/manifest.yml b/packages/system/0.12.2/data_stream/cpu/manifest.yml deleted file mode 100755 index 0388136d11..0000000000 --- a/packages/system/0.12.2/data_stream/cpu/manifest.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -title: System cpu metrics -release: experimental -type: metrics -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - - name: cpu.metrics - type: text - title: Cpu Metrics - multi: true - required: true - show_user: true - description: > - How to report CPU metrics. Can be "percentages", "normalized_percentages", or "ticks" - - default: - - percentages - - normalized_percentages - title: System cpu metrics - description: Collect System cpu metrics diff --git a/packages/system/0.12.2/data_stream/diskio/agent/stream/stream.yml.hbs b/packages/system/0.12.2/data_stream/diskio/agent/stream/stream.yml.hbs deleted file mode 100755 index 689369ee25..0000000000 --- a/packages/system/0.12.2/data_stream/diskio/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,6 +0,0 @@ -metricsets: ["diskio"] -diskio.include_devices: -{{#each diskio.include_devices}} - - {{this}} -{{/each}} -period: {{period}} \ No newline at end of file diff --git a/packages/system/0.12.2/data_stream/diskio/fields/agent.yml b/packages/system/0.12.2/data_stream/diskio/fields/agent.yml deleted file mode 100755 index 54d97ab701..0000000000 --- a/packages/system/0.12.2/data_stream/diskio/fields/agent.yml +++ /dev/null 
@@ -1,209 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- - - name: disk.read.bytes - type: long - format: bytes - description: > - The total number of bytes read successfully in a given period of time. - - - name: disk.write.bytes - type: long - format: bytes - description: >- - The total number of bytes write successfully in a given period of time. diff --git a/packages/system/0.12.2/data_stream/diskio/fields/base-fields.yml b/packages/system/0.12.2/data_stream/diskio/fields/base-fields.yml deleted file mode 100755 index 7c798f4534..0000000000 --- a/packages/system/0.12.2/data_stream/diskio/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.12.2/data_stream/diskio/fields/ecs.yml b/packages/system/0.12.2/data_stream/diskio/fields/ecs.yml deleted file mode 100755 index 9a7eeefc56..0000000000 --- a/packages/system/0.12.2/data_stream/diskio/fields/ecs.yml +++ /dev/null 
@@ -1,78 +0,0 @@ -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: hostname - level: core - type: keyword - description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - ignore_above: 1024 - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). 
- example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: Type of host. diff --git a/packages/system/0.12.2/data_stream/diskio/fields/fields.yml b/packages/system/0.12.2/data_stream/diskio/fields/fields.yml deleted file mode 100755 index 01a5762c60..0000000000 --- a/packages/system/0.12.2/data_stream/diskio/fields/fields.yml +++ /dev/null 
@@ -1,136 +0,0 @@ -- name: system.diskio - type: group - fields: - - name: name - type: keyword - description: | - The disk name. - - name: serial_number - type: keyword - description: | - The disk's serial number. This may not be provided by all operating systems. - - name: read.count - type: long - metric_type: counter - description: | - The total number of reads completed successfully. - - name: write.count - type: long - metric_type: counter - description: | - The total number of writes completed successfully. - - name: read.bytes - type: long - format: bytes - unit: byte - metric_type: counter - description: | - The total number of bytes read successfully. On Linux this is the number of sectors read multiplied by an assumed sector size of 512. - - name: write.bytes - type: long - format: bytes - unit: byte - metric_type: counter - description: | - The total number of bytes written successfully. On Linux this is the number of sectors written multiplied by an assumed sector size of 512. - - name: read.time - type: long - metric_type: counter - description: | - The total number of milliseconds spent by all reads. - - name: write.time - type: long - metric_type: counter - description: | - The total number of milliseconds spent by all writes. - - name: io.time - type: long - metric_type: counter - description: | - The total number of of milliseconds spent doing I/Os. - - name: iostat.read.request.merges_per_sec - type: float - metric_type: gauge - description: | - The number of read requests merged per second that were queued to the device. - - name: iostat.write.request.merges_per_sec - type: float - metric_type: gauge - description: | - The number of write requests merged per second that were queued to the device. 
- - name: iostat.read.request.per_sec - type: float - metric_type: gauge - description: | - The number of read requests that were issued to the device per second - - name: iostat.write.request.per_sec - type: float - metric_type: gauge - description: | - The number of write requests that were issued to the device per second - - name: iostat.read.per_sec.bytes - type: float - format: bytes - metric_type: gauge - description: | - The number of Bytes read from the device per second. - - name: iostat.read.await - type: float - metric_type: gauge - description: | - The average time spent for read requests issued to the device to be served. - - name: iostat.write.per_sec.bytes - type: float - format: bytes - metric_type: gauge - description: | - The number of Bytes write from the device per second. - - name: iostat.write.await - type: float - metric_type: gauge - description: | - The average time spent for write requests issued to the device to be served. - - name: iostat.request.avg_size - type: float - format: bytes - unit: byte - metric_type: gauge - description: | - The average size (in bytes) of the requests that were issued to the device. - - name: iostat.queue.avg_size - type: float - unit: byte - metric_type: gauge - description: | - The average queue length of the requests that were issued to the device. - - name: iostat.await - type: float - metric_type: gauge - description: | - The average time spent for requests issued to the device to be served. - - name: iostat.service_time - type: float - unit: ms - metric_type: gauge - description: | - The average service time (in milliseconds) for I/O requests that were issued to the device. - - name: iostat.busy - type: float - metric_type: gauge - description: | - Percentage of CPU time during which I/O requests were issued to the device (bandwidth utilization for the device). Device saturation occurs when this value is close to 100%. 
-- name: host - type: group - fields: - - name: disk.read.bytes - type: scaled_float - unit: byte - metric_type: gauge - description: | - The total number of bytes read successfully in a given period of time. - - name: disk.write.bytes - type: scaled_float - unit: byte - metric_type: gauge - description: | - The total number of bytes write successfully in a given period of time. diff --git a/packages/system/0.12.2/data_stream/diskio/manifest.yml b/packages/system/0.12.2/data_stream/diskio/manifest.yml deleted file mode 100755 index 320f708bef..0000000000 --- a/packages/system/0.12.2/data_stream/diskio/manifest.yml +++ /dev/null @@ -1,24 +0,0 @@ -title: System diskio metrics -release: experimental -type: metrics -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - - name: diskio.include_devices - type: text - title: Include Devices - multi: true - required: false - show_user: true - description: > - Provide a specific list of devices to monitor. By default, all devices are monitored. - - title: System diskio metrics - description: Collect System diskio metrics diff --git a/packages/system/0.12.2/data_stream/filesystem/agent/stream/stream.yml.hbs b/packages/system/0.12.2/data_stream/filesystem/agent/stream/stream.yml.hbs deleted file mode 100755 index d21fbd9919..0000000000 --- a/packages/system/0.12.2/data_stream/filesystem/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,3 +0,0 @@ -metricsets: ["filesystem"] -period: {{period}} -processors: {{processors}} diff --git a/packages/system/0.12.2/data_stream/filesystem/fields/agent.yml b/packages/system/0.12.2/data_stream/filesystem/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/system/0.12.2/data_stream/filesystem/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.12.2/data_stream/filesystem/fields/base-fields.yml b/packages/system/0.12.2/data_stream/filesystem/fields/base-fields.yml deleted file mode 100755 index 7c798f4534..0000000000 --- a/packages/system/0.12.2/data_stream/filesystem/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.12.2/data_stream/filesystem/fields/fields.yml b/packages/system/0.12.2/data_stream/filesystem/fields/fields.yml deleted file mode 100755 index d7b44199a8..0000000000 --- a/packages/system/0.12.2/data_stream/filesystem/fields/fields.yml +++ /dev/null 
@@ -1,60 +0,0 @@ -- name: system.filesystem - type: group - fields: - - name: available - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The disk space available to an unprivileged user in bytes. - - name: device_name - type: keyword - description: | - The disk name. For example: `/dev/disk1` - - name: type - type: keyword - description: | - The disk type. For example: `ext4` - - name: mount_point - type: keyword - description: | - The mounting point. For example: `/` - - name: files - type: long - metric_type: gauge - description: | - The total number of file nodes in the file system. - - name: free - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The disk space available in bytes. - - name: free_files - type: long - metric_type: gauge - description: | - The number of free file nodes in the file system. - - name: total - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The total disk space in bytes. - - name: used.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The used disk space in bytes. - - name: used.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of used disk space. diff --git a/packages/system/0.12.2/data_stream/filesystem/manifest.yml b/packages/system/0.12.2/data_stream/filesystem/manifest.yml deleted file mode 100755 index 2cc3f159a7..0000000000 --- a/packages/system/0.12.2/data_stream/filesystem/manifest.yml +++ /dev/null 
@@ -1,28 +0,0 @@ -title: System filesystem metrics -release: experimental -type: metrics -streams: - - input: system/metrics - enabled: true - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 1m - - name: processors - type: yaml - title: Processors - multi: false - required: true - show_user: true - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with external metadata. - - default: | - - drop_event.when.regexp: - system.filesystem.mount_point: ^/(sys|cgroup|proc|dev|etc|host|lib|snap)($|/) - title: System filesystem metrics - description: Collect System filesystem metrics diff --git a/packages/system/0.12.2/data_stream/fsstat/agent/stream/stream.yml.hbs b/packages/system/0.12.2/data_stream/fsstat/agent/stream/stream.yml.hbs deleted file mode 100755 index fc5ebe911d..0000000000 --- a/packages/system/0.12.2/data_stream/fsstat/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,3 +0,0 @@ -metricsets: ["fsstat"] -period: {{period}} -processors: {{processors}} diff --git a/packages/system/0.12.2/data_stream/fsstat/fields/agent.yml b/packages/system/0.12.2/data_stream/fsstat/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/system/0.12.2/data_stream/fsstat/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.12.2/data_stream/fsstat/fields/base-fields.yml b/packages/system/0.12.2/data_stream/fsstat/fields/base-fields.yml deleted file mode 100755 index 7c798f4534..0000000000 --- a/packages/system/0.12.2/data_stream/fsstat/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.12.2/data_stream/fsstat/fields/ecs.yml b/packages/system/0.12.2/data_stream/fsstat/fields/ecs.yml deleted file mode 100755 index e76a78fa1d..0000000000 --- a/packages/system/0.12.2/data_stream/fsstat/fields/ecs.yml +++ /dev/null 
@@ -1,71 +0,0 @@ -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. 
- example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: Type of host. diff --git a/packages/system/0.12.2/data_stream/fsstat/fields/fields.yml b/packages/system/0.12.2/data_stream/fsstat/fields/fields.yml deleted file mode 100755 index aab998a85d..0000000000 --- a/packages/system/0.12.2/data_stream/fsstat/fields/fields.yml +++ /dev/null @@ -1,38 +0,0 @@ -- name: system.fsstat - type: group - fields: - - name: count - type: long - metric_type: gauge - description: Number of file systems found. - - name: total_files - type: long - metric_type: gauge - description: Total number of files. - - name: total_size - type: group - format: bytes - unit: byte - metric_type: gauge - fields: - - name: free - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total free space. - - name: used - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total used space. - - name: total - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total space (used plus free). diff --git a/packages/system/0.12.2/data_stream/fsstat/manifest.yml b/packages/system/0.12.2/data_stream/fsstat/manifest.yml deleted file mode 100755 index 8e63d20df1..0000000000 --- a/packages/system/0.12.2/data_stream/fsstat/manifest.yml +++ /dev/null 
@@ -1,28 +0,0 @@ -title: System fsstat metrics -release: experimental -type: metrics -streams: - - input: system/metrics - enabled: true - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 1m - - name: processors - type: yaml - title: Processors - multi: false - required: true - show_user: true - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with external metadata. - - default: | - - drop_event.when.regexp: - system.fsstat.mount_point: ^/(sys|cgroup|proc|dev|etc|host|lib|snap)($|/) - title: System fsstat metrics - description: Collect System fsstat metrics diff --git a/packages/system/0.12.2/data_stream/load/agent/stream/stream.yml.hbs b/packages/system/0.12.2/data_stream/load/agent/stream/stream.yml.hbs deleted file mode 100755 index b1403687c4..0000000000 --- a/packages/system/0.12.2/data_stream/load/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,3 +0,0 @@ -metricsets: ["load"] -condition: ${host.platform} != 'windows' -period: {{period}} \ No newline at end of file diff --git a/packages/system/0.12.2/data_stream/load/fields/agent.yml b/packages/system/0.12.2/data_stream/load/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/system/0.12.2/data_stream/load/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.12.2/data_stream/load/fields/base-fields.yml b/packages/system/0.12.2/data_stream/load/fields/base-fields.yml deleted file mode 100755 index 7c798f4534..0000000000 --- a/packages/system/0.12.2/data_stream/load/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.12.2/data_stream/load/fields/ecs.yml b/packages/system/0.12.2/data_stream/load/fields/ecs.yml deleted file mode 100755 index e76a78fa1d..0000000000 --- a/packages/system/0.12.2/data_stream/load/fields/ecs.yml +++ /dev/null 
@@ -1,71 +0,0 @@ -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. 
- example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: Type of host. diff --git a/packages/system/0.12.2/data_stream/load/fields/fields.yml b/packages/system/0.12.2/data_stream/load/fields/fields.yml deleted file mode 100755 index ae0130faef..0000000000 --- a/packages/system/0.12.2/data_stream/load/fields/fields.yml +++ /dev/null @@ -1,38 +0,0 @@ -- name: system.load - type: group - fields: - - name: "1" - type: scaled_float - metric_type: gauge - description: | - Load average for the last minute. - - name: "5" - type: scaled_float - metric_type: gauge - description: | - Load average for the last 5 minutes. - - name: "15" - type: scaled_float - metric_type: gauge - description: | - Load average for the last 15 minutes. - - name: norm.1 - type: scaled_float - metric_type: gauge - description: | - Load for the last minute divided by the number of cores. - - name: norm.5 - type: scaled_float - metric_type: gauge - description: | - Load for the last 5 minutes divided by the number of cores. - - name: norm.15 - type: scaled_float - metric_type: gauge - description: | - Load for the last 15 minutes divided by the number of cores. - - name: cores - type: long - metric_type: gauge - description: | - The number of CPU cores present on the host. diff --git a/packages/system/0.12.2/data_stream/load/manifest.yml b/packages/system/0.12.2/data_stream/load/manifest.yml deleted file mode 100755 index 486e57b779..0000000000 --- a/packages/system/0.12.2/data_stream/load/manifest.yml +++ /dev/null @@ -1,15 +0,0 @@ -title: System load metrics -release: experimental -type: metrics -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - title: System load metrics - description: Collect System load metrics 
diff --git a/packages/system/0.12.2/data_stream/memory/agent/stream/stream.yml.hbs b/packages/system/0.12.2/data_stream/memory/agent/stream/stream.yml.hbs deleted file mode 100755 index 0d49de061f..0000000000 --- a/packages/system/0.12.2/data_stream/memory/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,2 +0,0 @@ -metricsets: ["memory"] -period: {{period}} \ No newline at end of file diff --git a/packages/system/0.12.2/data_stream/memory/fields/agent.yml b/packages/system/0.12.2/data_stream/memory/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/system/0.12.2/data_stream/memory/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.12.2/data_stream/memory/fields/base-fields.yml b/packages/system/0.12.2/data_stream/memory/fields/base-fields.yml deleted file mode 100755 index 7c798f4534..0000000000 --- a/packages/system/0.12.2/data_stream/memory/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.12.2/data_stream/memory/fields/ecs.yml b/packages/system/0.12.2/data_stream/memory/fields/ecs.yml deleted file mode 100755 index e76a78fa1d..0000000000 --- a/packages/system/0.12.2/data_stream/memory/fields/ecs.yml +++ /dev/null 
@@ -1,71 +0,0 @@ -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. 
- example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: Type of host. diff --git a/packages/system/0.12.2/data_stream/memory/fields/fields.yml b/packages/system/0.12.2/data_stream/memory/fields/fields.yml deleted file mode 100755 index 55488d61eb..0000000000 --- a/packages/system/0.12.2/data_stream/memory/fields/fields.yml +++ /dev/null 
@@ -1,199 +0,0 @@ -- name: system.memory - type: group - fields: - - name: total - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total memory. - - name: used.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Used memory. - - name: free - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The total amount of free memory in bytes. This value does not include memory consumed by system caches and buffers (see system.memory.actual.free). - - name: used.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of used memory. - - name: actual - type: group - fields: - - name: used.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Actual used memory in bytes. It represents the difference between the total and the available memory. The available memory depends on the OS. For more details, please check `system.actual.free`. - - name: free - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Actual free memory in bytes. It is calculated based on the OS. On Linux this value will be MemAvailable from /proc/meminfo, or calculated from free memory plus caches and buffers if /proc/meminfo is not available. On OSX it is a sum of free memory and the inactive memory. On Windows, it is equal to `system.memory.free`. - - name: used.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of actual used memory. - - name: swap - type: group - fields: - - name: total - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total swap memory. - - name: used.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Used swap memory. - - name: free - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Available swap memory. 
- - name: out.pages - type: long - metric_type: counter - description: count of pages swapped out - - name: in.pages - type: long - metric_type: gauge - description: count of pages swapped in - - name: readahead.pages - type: long - metric_type: counter - description: swap readahead pages - - name: readahead.cached - type: long - description: swap readahead cache hits - - name: used.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of used swap memory. - - name: page_stats - type: group - fields: - - name: pgscan_kswapd.pages - type: long - format: number - metric_type: counter - description: pages scanned by kswapd - - name: pgscan_direct.pages - type: long - format: number - metric_type: counter - description: pages scanned directly - - name: pgfree.pages - type: long - format: number - metric_type: counter - description: pages freed by the system - - name: pgsteal_kswapd.pages - type: long - format: number - metric_type: counter - description: number of pages reclaimed by kswapd - - name: pgsteal_direct.pages - type: long - format: number - metric_type: counter - description: number of pages reclaimed directly - - name: direct_efficiency.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: direct reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory. - - name: kswapd_efficiency.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: kswapd reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory. - - name: hugepages - type: group - fields: - - name: total - type: long - format: number - metric_type: gauge - description: | - Number of huge pages in the pool. - - name: used.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Memory used in allocated huge pages. 
- - name: used.pct - type: long - format: percent - unit: percent - metric_type: gauge - description: | - Percentage of huge pages used. - - name: free - type: long - format: number - metric_type: gauge - description: | - Number of available huge pages in the pool. - - name: reserved - type: long - format: number - metric_type: gauge - description: | - Number of reserved but not allocated huge pages in the pool. - - name: surplus - type: long - format: number - metric_type: gauge - description: | - Number of overcommited huge pages. - - name: default_size - type: long - format: bytes - metric_type: gauge - description: | - Default size for huge pages. - - name: swap.out - type: group - fields: - - name: pages - type: long - metric_type: gauge - description: pages swapped out - - name: fallback - type: long - metric_type: gauge - description: Count of huge pages that must be split before swapout diff --git a/packages/system/0.12.2/data_stream/memory/manifest.yml b/packages/system/0.12.2/data_stream/memory/manifest.yml deleted file mode 100755 index aeb17b0bd0..0000000000 --- a/packages/system/0.12.2/data_stream/memory/manifest.yml +++ /dev/null @@ -1,15 +0,0 @@ -title: System memory metrics -release: experimental -type: metrics -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - title: System memory metrics - description: Collect System memory metrics diff --git a/packages/system/0.12.2/data_stream/network/agent/stream/stream.yml.hbs b/packages/system/0.12.2/data_stream/network/agent/stream/stream.yml.hbs deleted file mode 100755 index a3aeb928ae..0000000000 --- a/packages/system/0.12.2/data_stream/network/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,6 +0,0 @@ -metricsets: ["network"] -period: {{period}} -network.interfaces: -{{#each network.interfaces}} - - {{this}} -{{/each}} 
diff --git a/packages/system/0.12.2/data_stream/network/fields/agent.yml b/packages/system/0.12.2/data_stream/network/fields/agent.yml deleted file mode 100755 index e5afe01139..0000000000 --- a/packages/system/0.12.2/data_stream/network/fields/agent.yml +++ /dev/null 
@@ -1,220 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- - - name: network.in.bytes - type: long - format: bytes - description: > - The number of bytes received on all network interfaces by the host in a given period of time. - - - name: network.in.packets - type: long - description: > - The number of packets received on all network interfaces by the host in a given period of time. - - - name: network.out.bytes - type: long - format: bytes - description: > - The number of bytes sent out on all network interfaces by the host in a given period of time. - - - name: network.out.packets - type: long - description: > - The number of packets sent out on all network interfaces by the host in a given period of time. - diff --git a/packages/system/0.12.2/data_stream/network/fields/base-fields.yml b/packages/system/0.12.2/data_stream/network/fields/base-fields.yml deleted file mode 100755 index 7c798f4534..0000000000 --- a/packages/system/0.12.2/data_stream/network/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.12.2/data_stream/network/fields/ecs.yml b/packages/system/0.12.2/data_stream/network/fields/ecs.yml deleted file mode 100755 index 9f3d04118b..0000000000 --- a/packages/system/0.12.2/data_stream/network/fields/ecs.yml +++ /dev/null 
@@ -1,128 +0,0 @@ -- name: '@timestamp' - level: core - required: true - type: date - description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. -- name: message - level: core - type: text - description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. -- name: group - title: Group - group: 2 - type: group - fields: - - name: id - level: extended - type: keyword - description: Unique identifier for the group on the system/platform. - ignore_above: 1024 - - name: name - level: extended - type: keyword - description: Name of the group. - ignore_above: 1024 -- name: host - title: Host - group: 2 - type: group - fields: - - name: hostname - level: core - type: keyword - description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - ignore_above: 1024 -- name: process - title: Process - group: 2 - type: group - fields: - - name: name - level: extended - type: keyword - description: |- - Process name. - Sometimes called program name or similar. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - - name: pid - level: core - type: long - format: string - description: Process id. -- name: source - title: Source - group: 2 - type: group - fields: - - name: geo.city_name - level: core - type: keyword - description: City name. 
- ignore_above: 1024 - - name: geo.continent_name - level: core - type: keyword - description: Name of the continent. - ignore_above: 1024 - - name: geo.country_iso_code - level: core - type: keyword - description: Country ISO code. - ignore_above: 1024 - - name: geo.location - level: core - type: geo_point - description: Longitude and latitude. - - name: geo.region_iso_code - level: core - type: keyword - description: Region ISO code. - ignore_above: 1024 - - name: geo.region_name - level: core - type: keyword - description: Region name. - ignore_above: 1024 - - name: ip - level: core - type: ip - description: IP address of the source (IPv4 or IPv6). - - name: port - level: core - type: long - format: string - description: Port of the source. -- name: user - title: User - group: 2 - type: group - fields: - - name: id - level: core - type: keyword - description: Unique identifier of the user. - ignore_above: 1024 - - name: name - level: core - type: keyword - description: Short name or login of the user. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false diff --git a/packages/system/0.12.2/data_stream/network/fields/fields.yml b/packages/system/0.12.2/data_stream/network/fields/fields.yml deleted file mode 100755 index a309d88ba0..0000000000 --- a/packages/system/0.12.2/data_stream/network/fields/fields.yml +++ /dev/null 
@@ -1,77 +0,0 @@ -- name: system.network - type: group - fields: - - name: name - type: keyword - description: | - The network interface name. - - name: out.bytes - type: long - format: bytes - unit: byte - metric_type: counter - description: | - The number of bytes sent. - - name: in.bytes - type: long - format: bytes - unit: byte - metric_type: counter - description: | - The number of bytes received. - - name: out.packets - type: long - metric_type: counter - description: | - The number of packets sent. - - name: in.packets - type: long - metric_type: counter - description: | - The number or packets received. - - name: in.errors - type: long - metric_type: counter - description: | - The number of errors while receiving. - - name: out.errors - type: long - metric_type: counter - description: | - The number of errors while sending. - - name: in.dropped - type: long - metric_type: counter - description: | - The number of incoming packets that were dropped. - - name: out.dropped - type: long - metric_type: counter - description: | - The number of outgoing packets that were dropped. This value is always 0 on Darwin and BSD because it is not reported by the operating system. -- name: host - type: group - fields: - - name: network.in.bytes - type: scaled_float - format: bytes - unit: byte - metric_type: counter - description: | - The number of bytes received on all network interfaces by the host in a given period of time. - - name: network.out.bytes - type: scaled_float - unit: byte - metric_type: counter - description: | - The number of bytes sent out on all network interfaces by the host in a given period of time. - - name: network.in.packets - type: scaled_float - metric_type: counter - description: | - The number of packets received on all network interfaces by the host in a given period of time. 
- - name: network.out.packets - type: scaled_float - metric_type: counter - description: | - The number of packets sent out on all network interfaces by the host in a given period of time. diff --git a/packages/system/0.12.2/data_stream/network/manifest.yml b/packages/system/0.12.2/data_stream/network/manifest.yml deleted file mode 100755 index b9878b3e64..0000000000 --- a/packages/system/0.12.2/data_stream/network/manifest.yml +++ /dev/null @@ -1,24 +0,0 @@ -title: System network metrics -release: experimental -type: metrics -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - - name: network.interfaces - type: text - title: Interfaces - multi: true - required: false - show_user: true - description: > - List of interfaces to monitor. Will monitor all by default. - - title: System network metrics - description: Collect System network metrics diff --git a/packages/system/0.12.2/data_stream/process/agent/stream/stream.yml.hbs b/packages/system/0.12.2/data_stream/process/agent/stream/stream.yml.hbs deleted file mode 100755 index ea51aa86f4..0000000000 --- a/packages/system/0.12.2/data_stream/process/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,19 +0,0 @@ -metricsets: ["process"] -period: {{period}} -process.include_top_n.by_cpu: {{process.include_top_n.by_cpu}} -process.include_top_n.by_memory: {{process.include_top_n.by_memory}} -process.cmdline.cache.enabled: {{process.cmdline.cache.enabled}} -process.cgroups.enabled: {{process.cgroups.enabled}} -process.include_cpu_ticks: {{process.include_cpu_ticks}} -{{#if process.env.whitelist}} -{{#each process.env.whitelist}} - - {{this}} -{{/each}} -{{/if}} -processes: -{{#each processes}} - - {{this}} -{{/each}} -{{#if system.hostfs}} -system.hostfs: {{system.hostfs}} -{{/if}} \ No newline at end of file 
diff --git a/packages/system/0.12.2/data_stream/process/fields/agent.yml b/packages/system/0.12.2/data_stream/process/fields/agent.yml deleted file mode 100755 index d5df59895a..0000000000 --- a/packages/system/0.12.2/data_stream/process/fields/agent.yml +++ /dev/null 
@@ -1,226 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: process - title: Process - group: 2 - description: Process metrics. 
- type: group - fields: - - name: state - type: keyword - description: > - The process state. For example: "running". - - - name: cpu.pct - type: scaled_float - format: percent - description: > - The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 1. - - - name: cpu.start_time - type: date - description: > - The time when the process was started. - - - name: memory.pct - type: scaled_float - format: percent - description: > - The percentage of memory the process occupied in main memory (RAM). - diff --git a/packages/system/0.12.2/data_stream/process/fields/base-fields.yml b/packages/system/0.12.2/data_stream/process/fields/base-fields.yml deleted file mode 100755 index 7c798f4534..0000000000 --- a/packages/system/0.12.2/data_stream/process/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.12.2/data_stream/process/fields/ecs.yml b/packages/system/0.12.2/data_stream/process/fields/ecs.yml deleted file mode 100755 index 7e409c1793..0000000000 --- a/packages/system/0.12.2/data_stream/process/fields/ecs.yml +++ /dev/null 
@@ -1,128 +0,0 @@ -- name: process - title: Process - group: 2 - type: group - fields: - - name: name - level: extended - type: keyword - description: |- - Process name. - Sometimes called program name or similar. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - - name: pgid - level: extended - type: long - format: string - description: Identifier of the group of processes the process belongs to. - - name: pid - level: core - type: long - format: string - description: Process id. - - name: ppid - level: extended - type: long - format: string - description: Parent process' pid. - - name: working_directory - level: extended - type: keyword - description: The working directory of the process. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false -- name: user - title: User - group: 2 - type: group - fields: - - name: name - level: core - type: keyword - description: Short name or login of the user. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. 
- - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: Type of host. diff --git a/packages/system/0.12.2/data_stream/process/fields/fields.yml b/packages/system/0.12.2/data_stream/process/fields/fields.yml deleted file mode 100755 index 4dc7b1aab2..0000000000 --- a/packages/system/0.12.2/data_stream/process/fields/fields.yml +++ /dev/null 
@@ -1,434 +0,0 @@ -- name: system.process - type: group - fields: - - name: state - type: keyword - description: | - The process state. For example: "running". - - name: cmdline - type: keyword - description: | - The full command-line used to start the process, including the arguments separated by space. - ignore_above: 2048 - - name: env - type: object - description: | - The environment variables used to start the process. The data is available on FreeBSD, Linux, and OS X. - - name: cpu - type: group - fields: - - name: user.ticks - type: long - metric_type: counter - description: | - The amount of CPU time the process spent in user space. - - name: total.value - type: long - metric_type: counter - description: | - The value of CPU usage since starting the process. - - name: total.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent by the process since the last update. Its value is similar to the %CPU value of the process displayed by the top command on Unix systems. - - name: total.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 100%. - - name: system.ticks - type: long - metric_type: counter - description: | - The amount of CPU time the process spent in kernel space. - - name: total.ticks - type: long - metric_type: counter - description: | - The total CPU time spent by the process. - - name: start_time - type: date - description: | - The time when the process was started. - - name: memory - type: group - fields: - - name: size - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The total virtual memory the process has. 
On Windows this represents the Commit Charge (the total amount of memory that the memory manager has committed for a running process) value in bytes for this process. - - name: rss.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The Resident Set Size. The amount of memory the process occupied in main memory (RAM). On Windows this represents the current working set size, in bytes. - - name: rss.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of memory the process occupied in main memory (RAM). - - name: share - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The shared memory the process uses. - - name: fd - type: group - fields: - - name: open - type: long - metric_type: gauge - description: The number of file descriptors open by the process. - - name: limit.soft - type: long - metric_type: gauge - description: | - The soft limit on the number of file descriptors opened by the process. The soft limit can be changed by the process at any time. - - name: limit.hard - type: long - metric_type: gauge - description: | - The hard limit on the number of file descriptors opened by the process. The hard limit can only be raised by root. - - name: cgroup - type: group - fields: - - name: id - type: keyword - description: | - The ID common to all cgroups associated with this task. If there isn't a common ID used by all cgroups this field will be absent. - - name: path - type: keyword - description: | - The path to the cgroup relative to the cgroup subsystem's mountpoint. If there isn't a common path used by all cgroups this field will be absent. - - name: cpu - type: group - fields: - - name: id - type: keyword - description: ID of the cgroup. - - name: path - type: keyword - description: | - Path to the cgroup relative to the cgroup subsystem's mountpoint. 
- - name: cfs.period.us - type: long - unit: micros - description: | - Period of time in microseconds for how regularly a cgroup's access to CPU resources should be reallocated. - - name: cfs.quota.us - type: long - unit: micros - description: | - Total amount of time in microseconds for which all tasks in a cgroup can run during one period (as defined by cfs.period.us). - - name: cfs.shares - type: long - description: | - An integer value that specifies a relative share of CPU time available to the tasks in a cgroup. The value specified in the cpu.shares file must be 2 or higher. - - name: rt.period.us - type: long - unit: micros - description: | - Period of time in microseconds for how regularly a cgroup's access to CPU resources is reallocated. - - name: rt.runtime.us - type: long - unit: micros - description: | - Period of time in microseconds for the longest continuous period in which the tasks in a cgroup have access to CPU resources. - - name: stats.periods - type: long - metric_type: counter - description: | - Number of period intervals (as specified in cpu.cfs.period.us) that have elapsed. - - name: stats.throttled.periods - type: long - metric_type: counter - description: | - Number of times tasks in a cgroup have been throttled (that is, not allowed to run because they have exhausted all of the available time as specified by their quota). - - name: stats.throttled.ns - type: long - metric_type: counter - unit: nanos - description: | - The total time duration (in nanoseconds) for which tasks in a cgroup have been throttled. - - name: cpuacct - type: group - fields: - - name: id - type: keyword - description: ID of the cgroup. - - name: path - type: keyword - description: | - Path to the cgroup relative to the cgroup subsystem's mountpoint. - - name: total.ns - type: long - metric_type: counter - unit: nanos - description: | - Total CPU time in nanoseconds consumed by all tasks in the cgroup. 
- - name: stats.user.ns - type: long - metric_type: counter - unit: nanos - description: CPU time consumed by tasks in user mode. - - name: stats.system.ns - type: long - metric_type: counter - unit: nanos - description: CPU time consumed by tasks in user (kernel) mode. - - name: percpu - type: object - description: | - CPU time (in nanoseconds) consumed on each CPU by all tasks in this cgroup. - - name: memory - type: group - fields: - - name: id - type: keyword - description: ID of the cgroup. - - name: path - type: keyword - description: | - Path to the cgroup relative to the cgroup subsystem's mountpoint. - - name: mem.usage.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total memory usage by processes in the cgroup (in bytes). - - name: mem.usage.max.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum memory used by processes in the cgroup (in bytes). - - name: mem.limit.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum amount of user memory in bytes (including file cache) that tasks in the cgroup are allowed to use. - - name: mem.failures - type: long - description: | - The number of times that the memory limit (mem.limit.bytes) was reached. - - name: memsw.usage.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The sum of current memory usage plus swap space used by processes in the cgroup (in bytes). - - name: memsw.usage.max.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum amount of memory and swap space used by processes in the cgroup (in bytes). - - name: memsw.limit.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum amount for the sum of memory and swap usage that tasks in the cgroup are allowed to use. 
- - name: memsw.failures - type: long - unit: byte - metric_type: gauge - description: | - The number of times that the memory plus swap space limit (memsw.limit.bytes) was reached. - - name: kmem.usage.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total kernel memory usage by processes in the cgroup (in bytes). - - name: kmem.usage.max.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum kernel memory used by processes in the cgroup (in bytes). - - name: kmem.limit.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum amount of kernel memory that tasks in the cgroup are allowed to use. - - name: kmem.failures - type: long - metric_type: counter - description: | - The number of times that the memory limit (kmem.limit.bytes) was reached. - - name: kmem_tcp.usage.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total memory usage for TCP buffers in bytes. - - name: kmem_tcp.usage.max.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum memory used for TCP buffers by processes in the cgroup (in bytes). - - name: kmem_tcp.limit.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum amount of memory for TCP buffers that tasks in the cgroup are allowed to use. - - name: kmem_tcp.failures - type: long - metric_type: counter - description: | - The number of times that the memory limit (kmem_tcp.limit.bytes) was reached. - - name: stats.active_anon.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Anonymous and swap cache on active least-recently-used (LRU) list, including tmpfs (shmem), in bytes. - - name: stats.active_file.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: File-backed memory on active LRU list, in bytes. 
- - name: stats.cache.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: Page cache, including tmpfs (shmem), in bytes. - - name: stats.hierarchical_memory_limit.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Memory limit for the hierarchy that contains the memory cgroup, in bytes. - - name: stats.hierarchical_memsw_limit.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Memory plus swap limit for the hierarchy that contains the memory cgroup, in bytes. - - name: stats.inactive_anon.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Anonymous and swap cache on inactive LRU list, including tmpfs (shmem), in bytes - - name: stats.inactive_file.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - File-backed memory on inactive LRU list, in bytes. - - name: stats.mapped_file.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Size of memory-mapped mapped files, including tmpfs (shmem), in bytes. - - name: stats.page_faults - type: long - metric_type: counter - description: | - Number of times that a process in the cgroup triggered a page fault. - - name: stats.major_page_faults - type: long - metric_type: counter - description: | - Number of times that a process in the cgroup triggered a major fault. "Major" faults happen when the kernel actually has to read the data from disk. - - name: stats.pages_in - type: long - metric_type: counter - description: | - Number of pages paged into memory. This is a counter. - - name: stats.pages_out - type: long - metric_type: counter - description: | - Number of pages paged out of memory. This is a counter. - - name: stats.rss.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Anonymous and swap cache (includes transparent hugepages), not including tmpfs (shmem), in bytes. 
- - name: stats.rss_huge.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Number of bytes of anonymous transparent hugepages. - - name: stats.swap.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Swap usage, in bytes. - - name: stats.unevictable.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Memory that cannot be reclaimed, in bytes. - - name: blkio - type: group - fields: - - name: id - type: keyword - description: ID of the cgroup. - - name: path - type: keyword - description: | - Path to the cgroup relative to the cgroup subsystems mountpoint. - - name: total.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total number of bytes transferred to and from all block devices by processes in the cgroup. - - name: total.ios - type: long - metric_type: counter - description: | - Total number of I/O operations performed on all devices by processes in the cgroup as seen by the throttling policy. diff --git a/packages/system/0.12.2/data_stream/process/manifest.yml b/packages/system/0.12.2/data_stream/process/manifest.yml deleted file mode 100755 index fd982eb931..0000000000 --- a/packages/system/0.12.2/data_stream/process/manifest.yml +++ /dev/null 
@@ -1,85 +0,0 @@ -title: System process metrics -release: experimental -type: metrics -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - - name: process.include_top_n.by_cpu - type: integer - title: Process Include Top N By Cpu - multi: false - required: true - show_user: true - default: 5 - description: > - Include the top N processes by CPU usage. - - - name: process.include_top_n.by_memory - type: integer - title: Process Include Top N By Memory - multi: false - required: true - show_user: true - default: 5 - description: > - Include the top N processes by memory usage. - - - name: process.cmdline.cache.enabled - type: bool - title: Enable cmdline cache - multi: false - required: false - show_user: true - default: true - description: > - If false, cmdline of a process is not cached. - - - name: process.cgroups.enabled - type: bool - title: Enable cgroup reporting - multi: false - required: false - show_user: true - default: false - description: > - Enable collection of cgroup metrics from processes on Linux. - - - name: process.env.whitelist - type: text - title: Env whitelist - multi: true - required: false - show_user: true - description: > - A list of regular expressions used to whitelist environment variables reported with the process metricset's events. Defaults to empty. - - - name: process.include_cpu_ticks - type: bool - title: Include CPU Ticks - multi: false - required: false - show_user: true - default: false - description: > - Include the cumulative CPU tick values with the process metrics. - - - name: processes - type: text - title: Processes - multi: true - required: true - show_user: true - description: > - A glob to match reported processes. By default all processes are reported. - - default: - - .* - title: System process metrics - description: Collect System process metrics 
diff --git a/packages/system/0.12.2/data_stream/process_summary/agent/stream/stream.yml.hbs b/packages/system/0.12.2/data_stream/process_summary/agent/stream/stream.yml.hbs deleted file mode 100755 index 298d89ea60..0000000000 --- a/packages/system/0.12.2/data_stream/process_summary/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,5 +0,0 @@ -metricsets: ["process_summary"] -period: {{period}} -{{#if system.hostfs}} -system.hostfs: {{system.hostfs}} -{{/if}} \ No newline at end of file diff --git a/packages/system/0.12.2/data_stream/process_summary/fields/agent.yml b/packages/system/0.12.2/data_stream/process_summary/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/system/0.12.2/data_stream/process_summary/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.12.2/data_stream/process_summary/fields/base-fields.yml b/packages/system/0.12.2/data_stream/process_summary/fields/base-fields.yml
deleted file mode 100755
index 7c798f4534..0000000000
--- a/packages/system/0.12.2/data_stream/process_summary/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.12.2/data_stream/process_summary/fields/ecs.yml b/packages/system/0.12.2/data_stream/process_summary/fields/ecs.yml
deleted file mode 100755
index 9f3d04118b..0000000000
--- a/packages/system/0.12.2/data_stream/process_summary/fields/ecs.yml
+++ /dev/null
@@ -1,128 +0,0 @@
-- name: '@timestamp'
- level: core
- required: true
- type: date
- description: |-
- Date/time when the event originated.
- This is the date/time extracted from the event, typically representing when the event was generated by the source.
- If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline.
- Required field for all events.
-- name: message
- level: core
- type: text
- description: |-
- For log events the message field contains the log message, optimized for viewing in a log viewer.
- For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
- If multiple messages exist, they can be combined into one message.
-- name: group
- title: Group
- group: 2
- type: group
- fields:
- - name: id
- level: extended
- type: keyword
- description: Unique identifier for the group on the system/platform.
- ignore_above: 1024
- - name: name
- level: extended
- type: keyword
- description: Name of the group.
- ignore_above: 1024
-- name: host
- title: Host
- group: 2
- type: group
- fields:
- - name: hostname
- level: core
- type: keyword
- description: |-
- Hostname of the host.
- It normally contains what the `hostname` command returns on the host machine.
- ignore_above: 1024
-- name: process
- title: Process
- group: 2
- type: group
- fields:
- - name: name
- level: extended
- type: keyword
- description: |-
- Process name.
- Sometimes called program name or similar.
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- - name: pid
- level: core
- type: long
- format: string
- description: Process id.
-- name: source
- title: Source
- group: 2
- type: group
- fields:
- - name: geo.city_name
- level: core
- type: keyword
- description: City name.
- ignore_above: 1024
- - name: geo.continent_name
- level: core
- type: keyword
- description: Name of the continent.
- ignore_above: 1024
- - name: geo.country_iso_code
- level: core
- type: keyword
- description: Country ISO code.
- ignore_above: 1024
- - name: geo.location
- level: core
- type: geo_point
- description: Longitude and latitude.
- - name: geo.region_iso_code
- level: core
- type: keyword
- description: Region ISO code.
- ignore_above: 1024
- - name: geo.region_name
- level: core
- type: keyword
- description: Region name.
- ignore_above: 1024
- - name: ip
- level: core
- type: ip
- description: IP address of the source (IPv4 or IPv6).
- - name: port
- level: core
- type: long
- format: string
- description: Port of the source.
-- name: user
- title: User
- group: 2
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- description: Unique identifier of the user.
- ignore_above: 1024
- - name: name
- level: core
- type: keyword
- description: Short name or login of the user.
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
diff --git a/packages/system/0.12.2/data_stream/process_summary/fields/fields.yml b/packages/system/0.12.2/data_stream/process_summary/fields/fields.yml
deleted file mode 100755
index bc9254a2ae..0000000000
--- a/packages/system/0.12.2/data_stream/process_summary/fields/fields.yml
+++ /dev/null
@@ -1,44 +0,0 @@
-- name: system.process.summary
- title: Process Summary
- type: group
- fields:
- - name: total
- type: long
- metric_type: gauge
- description: |
- Total number of processes on this host.
- - name: running
- type: long
- metric_type: gauge
- description: |
- Number of running processes on this host.
- - name: idle
- type: long
- metric_type: gauge
- description: |
- Number of idle processes on this host.
- - name: sleeping
- type: long
- metric_type: gauge
- description: |
- Number of sleeping processes on this host.
- - name: stopped
- type: long
- metric_type: gauge
- description: |
- Number of stopped processes on this host.
- - name: zombie
- type: long
- metric_type: gauge
- description: |
- Number of zombie processes on this host.
- - name: dead
- type: long
- metric_type: gauge
- description: |
- Number of dead processes on this host. It's very unlikely that it will appear but in some special situations it may happen.
- - name: unknown
- type: long
- metric_type: gauge
- description: |
- Number of processes for which the state couldn't be retrieved or is unknown.
diff --git a/packages/system/0.12.2/data_stream/process_summary/manifest.yml b/packages/system/0.12.2/data_stream/process_summary/manifest.yml
deleted file mode 100755
index cd89d30b94..0000000000
--- a/packages/system/0.12.2/data_stream/process_summary/manifest.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-title: System process_summary metrics
-release: experimental
-type: metrics
-streams:
- - input: system/metrics
- vars:
- - name: period
- type: text
- title: Period
- multi: false
- required: true
- show_user: true
- default: 10s
- title: System process_summary metrics
- description: Collect System process_summary metrics
diff --git a/packages/system/0.12.2/data_stream/security/agent/stream/httpjson.yml.hbs b/packages/system/0.12.2/data_stream/security/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index c115d769b3..0000000000
--- a/packages/system/0.12.2/data_stream/security/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,2620 +0,0 @@ -config_version: "2" -interval: {{interval}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: |- - {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -response.decode_as: application/x-ndjson -tags: -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains tags "forwarded"}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: - - decode_json_fields: - fields: message - target: json - add_error_key: true - - drop_event: - when: - not: - has_fields: ['json.result'] - - fingerprint: - fields: - - json.result._cd - - json.result._indextime - - json.result._raw - - json.result._time - - json.result.host - - json.result.source - target_field: "@metadata._id" - - drop_fields: - fields: message - - rename: - fields: - - from: json.result._raw - to: event.original - - from: json.result.host - to: host.name - - from: json.result.source - to: event.provider - ignore_missing: true - fail_on_error: false - - drop_fields: - fields: json - - decode_xml_wineventlog: - field: event.original - target_field: winlog - ignore_missing: true - ignore_failure: true - map_ecs_fields: true - - timestamp: - field: winlog.time_created - layouts: - - '2006-01-02T15:04:05Z' - - '2006-01-02T15:04:05.999Z' - - '2006-01-02T15:04:05.999-07:00' - test: - - '2019-06-22T16:33:51Z' - - '2019-11-18T04:59:51.123Z' - - 
'2020-08-03T07:10:20.123456+02:00' - - add_fields: - target: '' - fields: - ecs.version: 1.8.0 - - script: - lang: javascript - id: security - source: |- - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - var security = (function () { - var path = require("path"); - var processor = require("processor"); - var windows = require("windows"); - // Logon Types - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events - var logonTypes = { - "2": "Interactive", - "3": "Network", - "4": "Batch", - "5": "Service", - "7": "Unlock", - "8": "NetworkCleartext", - "9": "NewCredentials", - "10": "RemoteInteractive", - "11": "CachedInteractive", - }; - // User Account Control Attributes Table - // https://support.microsoft.com/es-us/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties - var uacFlags = [ - [0x0001, 'SCRIPT'], - [0x0002, 'ACCOUNTDISABLE'], - [0x0008, 'HOMEDIR_REQUIRED'], - [0x0010, 'LOCKOUT'], - [0x0020, 'PASSWD_NOTREQD'], - [0x0040, 'PASSWD_CANT_CHANGE'], - [0x0080, 'ENCRYPTED_TEXT_PWD_ALLOWED'], - [0x0100, 'TEMP_DUPLICATE_ACCOUNT'], - [0x0200, 'NORMAL_ACCOUNT'], - [0x0800, 'INTERDOMAIN_TRUST_ACCOUNT'], - [0x1000, 'WORKSTATION_TRUST_ACCOUNT'], - [0x2000, 'SERVER_TRUST_ACCOUNT'], - [0x10000, 'DONT_EXPIRE_PASSWORD'], - [0x20000, 'MNS_LOGON_ACCOUNT'], - [0x40000, 'SMARTCARD_REQUIRED'], - [0x80000, 'TRUSTED_FOR_DELEGATION'], - [0x100000, 'NOT_DELEGATED'], - [0x200000, 'USE_DES_KEY_ONLY'], - [0x400000, 'DONT_REQ_PREAUTH'], - [0x800000, 'PASSWORD_EXPIRED'], - [0x1000000, 'TRUSTED_TO_AUTH_FOR_DELEGATION'], - [0x04000000, 'PARTIAL_SECRETS_ACCOUNT'], - ]; - // Kerberos TGT and TGS Ticket Options - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - // 
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769 - var ticketOptions = [ - "Reserved", - "Forwardable", - "Forwarded", - "Proxiable", - "Proxy", - "Allow-postdate", - "Postdated", - "Invalid", - "Renewable", - "Initial", - "Pre-authent", - "Opt-hardware-auth", - "Transited-policy-checked", - "Ok-as-delegate", - "Request-anonymous", - "Name-canonicalize", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Disable-transited-check", - "Renewable-ok", - "Enc-tkt-in-skey", - "Unused", - "Renew", - "Validate"]; - // Kerberos Encryption Types - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - var ticketEncryptionTypes = { - "0x1": "DES-CBC-CRC", - "0x3": "DES-CBC-MD5", - "0x11": "AES128-CTS-HMAC-SHA1-96", - "0x12": "AES256-CTS-HMAC-SHA1-96", - "0x17": "RC4-HMAC", - "0x18": "RC4-HMAC-EXP", - "0xffffffff": "FAIL", - }; - // Kerberos Result Status Codes - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - var kerberosTktStatusCodes = { - "0x0": "KDC_ERR_NONE", - "0x1": "KDC_ERR_NAME_EXP", - "0x2": "KDC_ERR_SERVICE_EXP", - "0x3": "KDC_ERR_BAD_PVNO", - "0x4": "KDC_ERR_C_OLD_MAST_KVNO", - "0x5": "KDC_ERR_S_OLD_MAST_KVNO", - "0x6": "KDC_ERR_C_PRINCIPAL_UNKNOWN", - "0x7": "KDC_ERR_S_PRINCIPAL_UNKNOWN", - "0x8": "KDC_ERR_PRINCIPAL_NOT_UNIQUE", - "0x9": "KDC_ERR_NULL_KEY", - "0xA": "KDC_ERR_CANNOT_POSTDATE", - "0xB": "KDC_ERR_NEVER_VALID", - "0xC": "KDC_ERR_POLICY", - "0xD": "KDC_ERR_BADOPTION", - "0xE": "KDC_ERR_ETYPE_NOTSUPP", - "0xF": "KDC_ERR_SUMTYPE_NOSUPP", - "0x10": "KDC_ERR_PADATA_TYPE_NOSUPP", - "0x11": "KDC_ERR_TRTYPE_NO_SUPP", - "0x12": "KDC_ERR_CLIENT_REVOKED", - "0x13": 
"KDC_ERR_SERVICE_REVOKED", - "0x14": "KDC_ERR_TGT_REVOKED", - "0x15": "KDC_ERR_CLIENT_NOTYET", - "0x16": "KDC_ERR_SERVICE_NOTYET", - "0x17": "KDC_ERR_KEY_EXPIRED", - "0x18": "KDC_ERR_PREAUTH_FAILED", - "0x19": "KDC_ERR_PREAUTH_REQUIRED", - "0x1A": "KDC_ERR_SERVER_NOMATCH", - "0x1B": "KDC_ERR_MUST_USE_USER2USER", - "0x1F": "KRB_AP_ERR_BAD_INTEGRITY", - "0x20": "KRB_AP_ERR_TKT_EXPIRED", - "0x21": "KRB_AP_ERR_TKT_NYV", - "0x22": "KRB_AP_ERR_REPEAT", - "0x23": "KRB_AP_ERR_NOT_US", - "0x24": "KRB_AP_ERR_BADMATCH", - "0x25": "KRB_AP_ERR_SKEW", - "0x26": "KRB_AP_ERR_BADADDR", - "0x27": "KRB_AP_ERR_BADVERSION", - "0x28": "KRB_AP_ERR_MSG_TYPE", - "0x29": "KRB_AP_ERR_MODIFIED", - "0x2A": "KRB_AP_ERR_BADORDER", - "0x2C": "KRB_AP_ERR_BADKEYVER", - "0x2D": "KRB_AP_ERR_NOKEY", - "0x2E": "KRB_AP_ERR_MUT_FAIL", - "0x2F": "KRB_AP_ERR_BADDIRECTION", - "0x30": "KRB_AP_ERR_METHOD", - "0x31": "KRB_AP_ERR_BADSEQ", - "0x32": "KRB_AP_ERR_INAPP_CKSUM", - "0x33": "KRB_AP_PATH_NOT_ACCEPTED", - "0x34": "KRB_ERR_RESPONSE_TOO_BIG", - "0x3C": "KRB_ERR_GENERIC", - "0x3D": "KRB_ERR_FIELD_TOOLONG", - "0x3E": "KDC_ERR_CLIENT_NOT_TRUSTED", - "0x3F": "KDC_ERR_KDC_NOT_TRUSTED", - "0x40": "KDC_ERR_INVALID_SIG", - "0x41": "KDC_ERR_KEY_TOO_WEAK", - "0x42": "KRB_AP_ERR_USER_TO_USER_REQUIRED", - "0x43": "KRB_AP_ERR_NO_TGT", - "0x44": "KDC_ERR_WRONG_REALM", - }; - // event.category, event.type, event.action - var eventActionTypes = { - "1100": [["process"], ["end"], "logging-service-shutdown"], - "1102": [["iam"], ["admin", "change"], "audit-log-cleared"], // need to recategorize - "1104": [["iam"], ["admin"],"logging-full"], - "1105": [["iam"], ["admin"],"auditlog-archieved"], - "1108": [["iam"], ["admin"],"logging-processing-error"], - "4610": [["configuration"], ["access"], "authentication-package-loaded"], - "4611": [["configuration"], ["change"], "trusted-logon-process-registered"], - "4614": [["configuration"], ["access"], "notification-package-loaded"], - "4616": [["configuration"], ["change"], 
"system-time-changed"], - "4622": [["configuration"], ["access"], "security-package-loaded"], - "4624": [["authentication"], ["start"], "logged-in"], - "4625": [["authentication"], ["start"], "logon-failed"], - "4634": [["authentication"], ["end"], "logged-out"], - "4647": [["authentication"], ["end"], "logged-out"], - "4648": [["authentication"], ["start"], "logged-in-explicit"], - "4657": [["registry", "configuration"], ["change"], "registry-value-modified"], - "4670": [["iam", "configuration"],["admin", "change"],"permissions-changed"], - "4672": [["iam"], ["admin"], "logged-in-special"], - "4673": [["iam"], ["admin"], "privileged-service-called"], - "4674": [["iam"], ["admin"], "privileged-operation"], - "4688": [["process"], ["start"], "created-process"], - "4689": [["process"], ["end"], "exited-process"], - "4697": [["iam", "configuration"], ["admin", "change"],"service-installed"], // remove iam and admin - "4698": [["iam", "configuration"], ["creation", "admin"], "scheduled-task-created"], // remove iam and admin - "4699": [["iam", "configuration"], ["deletion", "admin"], "scheduled-task-deleted"], // remove iam and admin - "4700": [["iam", "configuration"], ["change", "admin"], "scheduled-task-enabled"], // remove iam and admin - "4701": [["iam", "configuration"], ["change", "admin"], "scheduled-task-disabled"], // remove iam and admin - "4702": [["iam", "configuration"], ["change", "admin"], "scheduled-task-updated"], // remove iam and admin - "4706": [["configuration"], ["creation"], "domain-trust-added"], - "4707": [["configuration"], ["deletion"], "domain-trust-removed"], - "4713": [["configuration"], ["change"], "kerberos-policy-changed"], - "4714": [["configuration"], ["change"], "encrypted-data-recovery-policy-changed"], - "4715": [["configuration"], ["change"], "object-audit-policy-changed"], - "4716": [["configuration"], ["change"], "trusted-domain-information-changed"], - "4717": [["iam", "configuration"],["admin", 
"change"],"system-security-access-granted"], - "4718": [["iam", "configuration"],["admin", "deletion"],"system-security-access-removed"], - "4719": [["iam", "configuration"], ["admin", "change"], "changed-audit-config"], // remove iam and admin - "4720": [["iam"], ["user", "creation"], "added-user-account"], - "4722": [["iam"], ["user", "change"], "enabled-user-account"], - "4723": [["iam"], ["user", "change"], "changed-password"], - "4724": [["iam"], ["user", "change"], "reset-password"], - "4725": [["iam"], ["user", "deletion"], "disabled-user-account"], - "4726": [["iam"], ["user", "deletion"], "deleted-user-account"], - "4727": [["iam"], ["group", "creation"], "added-group-account"], - "4728": [["iam"], ["group", "change"], "added-member-to-group"], - "4729": [["iam"], ["group", "change"], "removed-member-from-group"], - "4730": [["iam"], ["group", "deletion"], "deleted-group-account"], - "4731": [["iam"], ["group", "creation"], "added-group-account"], - "4732": [["iam"], ["group", "change"], "added-member-to-group"], - "4733": [["iam"], ["group", "change"], "removed-member-from-group"], - "4734": [["iam"], ["group", "deletion"], "deleted-group-account"], - "4735": [["iam"], ["group", "change"], "modified-group-account"], - "4737": [["iam"], ["group", "change"], "modified-group-account"], - "4738": [["iam"], ["user", "change"], "modified-user-account"], - "4739": [["configuration"], ["change"], "domain-policy-changed"], - "4740": [["iam"], ["user", "change"], "locked-out-user-account"], - "4741": [["iam"], ["creation", "admin"], "added-computer-account"], // remove admin - "4742": [["iam"], ["change", "admin"], "changed-computer-account"], // remove admin - "4743": [["iam"], ["deletion", "admin"], "deleted-computer-account"], // remove admin - "4744": [["iam"], ["group", "creation"], "added-distribution-group-account"], - "4745": [["iam"], ["group", "change"], "changed-distribution-group-account"], - "4746": [["iam"], ["group", "change"], 
"added-member-to-distribution-group"], - "4747": [["iam"], ["group", "change"], "removed-member-from-distribution-group"], - "4748": [["iam"], ["group", "deletion"], "deleted-distribution-group-account"], - "4749": [["iam"], ["group", "creation"], "added-distribution-group-account"], - "4750": [["iam"], ["group", "change"], "changed-distribution-group-account"], - "4751": [["iam"], ["group", "change"], "added-member-to-distribution-group"], - "4752": [["iam"], ["group", "change"], "removed-member-from-distribution-group"], - "4753": [["iam"], ["group", "deletion"], "deleted-distribution-group-account"], - "4754": [["iam"], ["group", "creation"], "added-group-account"], - "4755": [["iam"], ["group", "change"], "modified-group-account"], - "4756": [["iam"], ["group", "change"], "added-member-to-group"], - "4757": [["iam"], ["group", "change"], "removed-member-from-group"], - "4758": [["iam"], ["group", "deletion"], "deleted-group-account"], - "4759": [["iam"], ["group", "creation"], "added-distribution-group-account"], - "4760": [["iam"], ["group", "change"], "changed-distribution-group-account"], - "4761": [["iam"], ["group", "change"], "added-member-to-distribution-group"], - "4762": [["iam"], ["group", "change"], "removed-member-from-distribution-group"], - "4763": [["iam"], ["group", "deletion"], "deleted-distribution-group-account"], - "4764": [["iam"], ["group", "change"], "type-changed-group-account"], - "4767": [["iam"], ["user", "change"], "unlocked-user-account"], - "4768": [["authentication"], ["start"], "kerberos-authentication-ticket-requested"], - "4769": [["authentication"], ["start"], "kerberos-service-ticket-requested"], - "4770": [["authentication"], ["start"], "kerberos-service-ticket-renewed"], - "4771": [["authentication"], ["start"], "kerberos-preauth-failed"], - "4776": [["authentication"], ["start"], "credential-validated"], - "4778": [["authentication", "session"], ["start"], "session-reconnected"], - "4779": [["authentication", "session"], 
["end"], "session-disconnected"], - "4781": [["iam"], ["user", "change"], "renamed-user-account"], - "4798": [["iam"], ["user", "info"], "group-membership-enumerated"], // process enumerates the local groups to which the specified user belongs - "4799": [["iam"], ["group", "info"], "user-member-enumerated"], // a process enumerates the members of the specified local group - "4817": [["iam", "configuration"], ["admin", "change"],"object-audit-changed"], - "4902": [["iam", "configuration"], ["admin", "creation"],"user-audit-policy-created"], - "4904": [["iam", "configuration"], ["admin", "change"],"security-event-source-added"], - "4905": [["iam", "configuration"], ["admin", "deletion"], "security-event-source-removed"], - "4906": [["iam", "configuration"], ["admin", "change"], "crash-on-audit-changed"], - "4907": [["iam", "configuration"], ["admin", "change"], "audit-setting-changed"], - "4908": [["iam", "configuration"], ["admin", "change"], "special-group-table-changed"], - "4912": [["iam", "configuration"], ["admin", "change"], "per-user-audit-policy-changed"], - "4950": [["configuration"], ["change"], "windows-firewall-setting-changed"], - "4954": [["configuration"], ["change"], "windows-firewall-group-policy-changed"], - "4964": [["iam"], ["admin", "group"], "logged-in-special"], - "5024": [["process"], ["start"], "windows-firewall-service-started"], - "5025": [["process"], ["end"], "windows-firewall-service-stopped"], - "5033": [["driver"], ["start"], "windows-firewall-driver-started"], - "5034": [["driver"], ["end"], "windows-firewall-driver-stopped"], - "5037": [["driver"], ["end"], "windows-firewall-driver-error"], - }; - // Services Types - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697 - var serviceTypes = { - "0x1": "Kernel Driver", - "0x2": "File System Driver", - "0x8": "Recognizer Driver", - "0x10": "Win32 Own Process", - "0x20": "Win32 Share Process", - "0x110": "Interactive Own Process", - "0x120": 
"Interactive Share Process", - }; - // Audit Categories Description - // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpac/77878370-0712-47cd-997d-b07053429f6d - var auditDescription = { - "0CCE9210-69AE-11D9-BED3-505054503030":["Security State Change", "System"], - "0CCE9211-69AE-11D9-BED3-505054503030":["Security System Extension", "System"], - "0CCE9212-69AE-11D9-BED3-505054503030":["System Integrity", "System"], - "0CCE9213-69AE-11D9-BED3-505054503030":["IPsec Driver", "System"], - "0CCE9214-69AE-11D9-BED3-505054503030":["Other System Events", "System"], - "0CCE9215-69AE-11D9-BED3-505054503030":["Logon", "Logon/Logoff"], - "0CCE9216-69AE-11D9-BED3-505054503030":["Logoff","Logon/Logoff"], - "0CCE9217-69AE-11D9-BED3-505054503030":["Account Lockout","Logon/Logoff"], - "0CCE9218-69AE-11D9-BED3-505054503030":["IPsec Main Mode","Logon/Logoff"], - "0CCE9219-69AE-11D9-BED3-505054503030":["IPsec Quick Mode","Logon/Logoff"], - "0CCE921A-69AE-11D9-BED3-505054503030":["IPsec Extended Mode","Logon/Logoff"], - "0CCE921B-69AE-11D9-BED3-505054503030":["Special Logon","Logon/Logoff"], - "0CCE921C-69AE-11D9-BED3-505054503030":["Other Logon/Logoff Events","Logon/Logoff"], - "0CCE9243-69AE-11D9-BED3-505054503030":["Network Policy Server","Logon/Logoff"], - "0CCE9247-69AE-11D9-BED3-505054503030":["User / Device Claims","Logon/Logoff"], - "0CCE921D-69AE-11D9-BED3-505054503030":["File System","Object Access"], - "0CCE921E-69AE-11D9-BED3-505054503030":["Registry","Object Access"], - "0CCE921F-69AE-11D9-BED3-505054503030":["Kernel Object","Object Access"], - "0CCE9220-69AE-11D9-BED3-505054503030":["SAM","Object Access"], - "0CCE9221-69AE-11D9-BED3-505054503030":["Certification Services","Object Access"], - "0CCE9222-69AE-11D9-BED3-505054503030":["Application Generated","Object Access"], - "0CCE9223-69AE-11D9-BED3-505054503030":["Handle Manipulation","Object Access"], - "0CCE9224-69AE-11D9-BED3-505054503030":["File Share","Object Access"], - 
"0CCE9225-69AE-11D9-BED3-505054503030":["Filtering Platform Packet Drop","Object Access"], - "0CCE9226-69AE-11D9-BED3-505054503030":["Filtering Platform Connection ","Object Access"], - "0CCE9227-69AE-11D9-BED3-505054503030":["Other Object Access Events","Object Access"], - "0CCE9244-69AE-11D9-BED3-505054503030":["Detailed File Share","Object Access"], - "0CCE9245-69AE-11D9-BED3-505054503030":["Removable Storage","Object Access"], - "0CCE9246-69AE-11D9-BED3-505054503030":["Central Policy Staging","Object Access"], - "0CCE9228-69AE-11D9-BED3-505054503030":["Sensitive Privilege Use","Privilege Use"], - "0CCE9229-69AE-11D9-BED3-505054503030":["Non Sensitive Privilege Use","Privilege Use"], - "0CCE922A-69AE-11D9-BED3-505054503030":["Other Privilege Use Events","Privilege Use"], - "0CCE922B-69AE-11D9-BED3-505054503030":["Process Creation","Detailed Tracking"], - "0CCE922C-69AE-11D9-BED3-505054503030":["Process Termination","Detailed Tracking"], - "0CCE922D-69AE-11D9-BED3-505054503030":["DPAPI Activity","Detailed Tracking"], - "0CCE922E-69AE-11D9-BED3-505054503030":["RPC Events","Detailed Tracking"], - "0CCE9248-69AE-11D9-BED3-505054503030":["Plug and Play Events","Detailed Tracking"], - "0CCE922F-69AE-11D9-BED3-505054503030":["Audit Policy Change","Policy Change"], - "0CCE9230-69AE-11D9-BED3-505054503030":["Authentication Policy Change","Policy Change"], - "0CCE9231-69AE-11D9-BED3-505054503030":["Authorization Policy Change","Policy Change"], - "0CCE9232-69AE-11D9-BED3-505054503030":["MPSSVC Rule-Level Policy Change","Policy Change"], - "0CCE9233-69AE-11D9-BED3-505054503030":["Filtering Platform Policy Change","Policy Change"], - "0CCE9234-69AE-11D9-BED3-505054503030":["Other Policy Change Events","Policy Change"], - "0CCE9235-69AE-11D9-BED3-505054503030":["User Account Management","Account Management"], - "0CCE9236-69AE-11D9-BED3-505054503030":["Computer Account Management","Account Management"], - "0CCE9237-69AE-11D9-BED3-505054503030":["Security Group 
Management","Account Management"], - "0CCE9238-69AE-11D9-BED3-505054503030":["Distribution Group Management","Account Management"], - "0CCE9239-69AE-11D9-BED3-505054503030":["Application Group Management","Account Management"], - "0CCE923A-69AE-11D9-BED3-505054503030":["Other Account Management Events","Account Management"], - "0CCE923B-69AE-11D9-BED3-505054503030":["Directory Service Access","Account Management"], - "0CCE923C-69AE-11D9-BED3-505054503030":["Directory Service Changes","Account Management"], - "0CCE923D-69AE-11D9-BED3-505054503030":["Directory Service Replication","Account Management"], - "0CCE923E-69AE-11D9-BED3-505054503030":["Detailed Directory Service Replication","Account Management"], - "0CCE923F-69AE-11D9-BED3-505054503030":["Credential Validation","Account Logon"], - "0CCE9240-69AE-11D9-BED3-505054503030":["Kerberos Service Ticket Operations","Account Logon"], - "0CCE9241-69AE-11D9-BED3-505054503030":["Other Account Logon Events","Account Logon"], - "0CCE9242-69AE-11D9-BED3-505054503030":["Kerberos Authentication Service","Account Logon"], - }; - // Descriptions of failure status codes. 
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625 - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776 - var logonFailureStatus = { - "0xc000005e": "There are currently no logon servers available to service the logon request.", - "0xc0000064": "User logon with misspelled or bad user account", - "0xc000006a": "User logon with misspelled or bad password", - "0xc000006d": "This is either due to a bad username or authentication information", - "0xc000006e": "Unknown user name or bad password.", - "0xc000006f": "User logon outside authorized hours", - "0xc0000070": "User logon from unauthorized workstation", - "0xc0000071": "User logon with expired password", - "0xc0000072": "User logon to account disabled by administrator", - "0xc00000dc": "Indicates the Sam Server was in the wrong state to perform the desired operation.", - "0xc0000133": "Clocks between DC and other computer too far out of sync", - "0xc000015b": "The user has not been granted the requested logon type (aka logon right) at this machine", - "0xc000018c": "The logon request failed because the trust relationship between the primary domain and the trusted domain failed.", - "0xc0000192": "An attempt was made to logon, but the Netlogon service was not started.", - "0xc0000193": "User logon with expired account", - "0xc0000224": "User is required to change password at next logon", - "0xc0000225": "Evidently a bug in Windows and not a risk", - "0xc0000234": "User logon with account locked", - "0xc00002ee": "Failure Reason: An Error occurred during Logon", - "0xc0000413": "Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine.", - "0xc0000371": "The local account store does not contain secret material for the specified account", - "0x0": "Status OK.", - }; - // Message table extracted from msobjs.dll on Windows 2019. 
- // https://gist.github.com/andrewkroh/665dca0682bd0e4daf194ab291694012 - var msobjsMessageTable = { - "279": "Undefined Access (no effect) Bit 7", - "1536": "Unused message ID", - "1537": "DELETE", - "1538": "READ_CONTROL", - "1539": "WRITE_DAC", - "1540": "WRITE_OWNER", - "1541": "SYNCHRONIZE", - "1542": "ACCESS_SYS_SEC", - "1543": "MAX_ALLOWED", - "1552": "Unknown specific access (bit 0)", - "1553": "Unknown specific access (bit 1)", - "1554": "Unknown specific access (bit 2)", - "1555": "Unknown specific access (bit 3)", - "1556": "Unknown specific access (bit 4)", - "1557": "Unknown specific access (bit 5)", - "1558": "Unknown specific access (bit 6)", - "1559": "Unknown specific access (bit 7)", - "1560": "Unknown specific access (bit 8)", - "1561": "Unknown specific access (bit 9)", - "1562": "Unknown specific access (bit 10)", - "1563": "Unknown specific access (bit 11)", - "1564": "Unknown specific access (bit 12)", - "1565": "Unknown specific access (bit 13)", - "1566": "Unknown specific access (bit 14)", - "1567": "Unknown specific access (bit 15)", - "1601": "Not used", - "1603": "Assign Primary Token Privilege", - "1604": "Lock Memory Privilege", - "1605": "Increase Memory Quota Privilege", - "1606": "Unsolicited Input Privilege", - "1607": "Trusted Computer Base Privilege", - "1608": "Security Privilege", - "1609": "Take Ownership Privilege", - "1610": "Load/Unload Driver Privilege", - "1611": "Profile System Privilege", - "1612": "Set System Time Privilege", - "1613": "Profile Single Process Privilege", - "1614": "Increment Base Priority Privilege", - "1615": "Create Pagefile Privilege", - "1616": "Create Permanent Object Privilege", - "1617": "Backup Privilege", - "1618": "Restore From Backup Privilege", - "1619": "Shutdown System Privilege", - "1620": "Debug Privilege", - "1621": "View or Change Audit Log Privilege", - "1622": "Change Hardware Environment Privilege", - "1623": "Change Notify (and Traverse) Privilege", - "1624": "Remotely Shut 
System Down Privilege", - "1792": "", - "1794": "", - "1795": "Enabled", - "1796": "Disabled", - "1797": "All", - "1798": "None", - "1799": "Audit Policy query/set API Operation", - "1800": "", - "1801": "Granted by", - "1802": "Denied by", - "1803": "Denied by Integrity Policy check", - "1804": "Granted by Ownership", - "1805": "Not granted", - "1806": "Granted by NULL DACL", - "1807": "Denied by Empty DACL", - "1808": "Granted by NULL Security Descriptor", - "1809": "Unknown or unchecked", - "1810": "Not granted due to missing", - "1811": "Granted by ACE on parent folder", - "1812": "Denied by ACE on parent folder", - "1813": "Granted by Central Access Rule", - "1814": "NOT Granted by Central Access Rule", - "1815": "Granted by parent folder's Central Access Rule", - "1816": "NOT Granted by parent folder's Central Access Rule", - "1817": "Unknown Type", - "1818": "String", - "1819": "Unsigned 64-bit Integer", - "1820": "64-bit Integer", - "1821": "FQBN", - "1822": "Blob", - "1823": "Sid", - "1824": "Boolean", - "1825": "TRUE", - "1826": "FALSE", - "1827": "Invalid", - "1828": "an ACE too long to display", - "1829": "a Security Descriptor too long to display", - "1830": "Not granted to AppContainers", - "1831": "...", - "1832": "Identification", - "1833": "Impersonation", - "1840": "Delegation", - "1841": "Denied by Process Trust Label ACE", - "1842": "Yes", - "1843": "No", - "1844": "System", - "1845": "Not Available", - "1846": "Default", - "1847": "DisallowMmConfig", - "1848": "Off", - "1849": "Auto", - "1872": "REG_NONE", - "1873": "REG_SZ", - "1874": "REG_EXPAND_SZ", - "1875": "REG_BINARY", - "1876": "REG_DWORD", - "1877": "REG_DWORD_BIG_ENDIAN", - "1878": "REG_LINK", - "1879": "REG_MULTI_SZ (New lines are replaced with *. 
A * is replaced with **)",
- "1880": "REG_RESOURCE_LIST",
- "1881": "REG_FULL_RESOURCE_DESCRIPTOR",
- "1882": "REG_RESOURCE_REQUIREMENTS_LIST",
- "1883": "REG_QWORD",
- "1904": "New registry value created",
- "1905": "Existing registry value modified",
- "1906": "Registry value deleted",
- "1920": "Sunday",
- "1921": "Monday",
- "1922": "Tuesday",
- "1923": "Wednesday",
- "1924": "Thursday",
- "1925": "Friday",
- "1926": "Saturday",
- "1936": "TokenElevationTypeDefault (1)",
- "1937": "TokenElevationTypeFull (2)",
- "1938": "TokenElevationTypeLimited (3)",
- "2048": "Account Enabled",
- "2049": "Home Directory Required' - Disabled",
- "2050": "Password Not Required' - Disabled",
- "2051": "Temp Duplicate Account' - Disabled",
- "2052": "Normal Account' - Disabled",
- "2053": "MNS Logon Account' - Disabled",
- "2054": "Interdomain Trust Account' - Disabled",
- "2055": "Workstation Trust Account' - Disabled",
- "2056": "Server Trust Account' - Disabled",
- "2057": "Don't Expire Password' - Disabled",
- "2058": "Account Unlocked",
- "2059": "Encrypted Text Password Allowed' - Disabled",
- "2060": "Smartcard Required' - Disabled",
- "2061": "Trusted For Delegation' - Disabled",
- "2062": "Not Delegated' - Disabled",
- "2063": "Use DES Key Only' - Disabled",
- "2064": "Don't Require Preauth' - Disabled",
- "2065": "Password Expired' - Disabled",
- "2066": "Trusted To Authenticate For Delegation' - Disabled",
- "2067": "Exclude Authorization Information' - Disabled",
- "2068": "Undefined UserAccountControl Bit 20' - Disabled",
- "2069": "Protect Kerberos Service Tickets with AES Keys' - Disabled",
- "2070": "Undefined UserAccountControl Bit 22' - Disabled",
- "2071": "Undefined UserAccountControl Bit 23' - Disabled",
- "2072": "Undefined UserAccountControl Bit 24' - Disabled",
- "2073": "Undefined UserAccountControl Bit 25' - Disabled",
- "2074": "Undefined UserAccountControl Bit 26' - Disabled",
- "2075": "Undefined UserAccountControl Bit 27' - Disabled",
- "2076": 
"Undefined UserAccountControl Bit 28' - Disabled", - "2077": "Undefined UserAccountControl Bit 29' - Disabled", - "2078": "Undefined UserAccountControl Bit 30' - Disabled", - "2079": "Undefined UserAccountControl Bit 31' - Disabled", - "2080": "Account Disabled", - "2081": "Home Directory Required' - Enabled", - "2082": "Password Not Required' - Enabled", - "2083": "Temp Duplicate Account' - Enabled", - "2084": "Normal Account' - Enabled", - "2085": "MNS Logon Account' - Enabled", - "2086": "Interdomain Trust Account' - Enabled", - "2087": "Workstation Trust Account' - Enabled", - "2088": "Server Trust Account' - Enabled", - "2089": "Don't Expire Password' - Enabled", - "2090": "Account Locked", - "2091": "Encrypted Text Password Allowed' - Enabled", - "2092": "Smartcard Required' - Enabled", - "2093": "Trusted For Delegation' - Enabled", - "2094": "Not Delegated' - Enabled", - "2095": "Use DES Key Only' - Enabled", - "2096": "Don't Require Preauth' - Enabled", - "2097": "Password Expired' - Enabled", - "2098": "Trusted To Authenticate For Delegation' - Enabled", - "2099": "Exclude Authorization Information' - Enabled", - "2100": "Undefined UserAccountControl Bit 20' - Enabled", - "2101": "Protect Kerberos Service Tickets with AES Keys' - Enabled", - "2102": "Undefined UserAccountControl Bit 22' - Enabled", - "2103": "Undefined UserAccountControl Bit 23' - Enabled", - "2104": "Undefined UserAccountControl Bit 24' - Enabled", - "2105": "Undefined UserAccountControl Bit 25' - Enabled", - "2106": "Undefined UserAccountControl Bit 26' - Enabled", - "2107": "Undefined UserAccountControl Bit 27' - Enabled", - "2108": "Undefined UserAccountControl Bit 28' - Enabled", - "2109": "Undefined UserAccountControl Bit 29' - Enabled", - "2110": "Undefined UserAccountControl Bit 30' - Enabled", - "2111": "Undefined UserAccountControl Bit 31' - Enabled", - "2304": "An Error occured during Logon.", - "2305": "The specified user account has expired.", - "2306": "The NetLogon component 
is not active.",
- "2307": "Account locked out.",
- "2308": "The user has not been granted the requested logon type at this machine.",
- "2309": "The specified account's password has expired.",
- "2310": "Account currently disabled.",
- "2311": "Account logon time restriction violation.",
- "2312": "User not allowed to logon at this computer.",
- "2313": "Unknown user name or bad password.",
- "2314": "Domain sid inconsistent.",
- "2315": "Smartcard logon is required and was not used.",
- "2432": "Not Available.",
- "2436": "Random number generator failure.",
- "2437": "Random number generation failed FIPS-140 pre-hash check.",
- "2438": "Failed to zero secret data.",
- "2439": "Key failed pair wise consistency check.",
- "2448": "Failed to unprotect persistent cryptographic key.",
- "2449": "Key export checks failed.",
- "2450": "Validation of public key failed.",
- "2451": "Signature verification failed.",
- "2456": "Open key file.",
- "2457": "Delete key file.",
- "2458": "Read persisted key from file.",
- "2459": "Write persisted key to file.",
- "2464": "Export of persistent cryptographic key.",
- "2465": "Import of persistent cryptographic key.",
- "2480": "Open Key.",
- "2481": "Create Key.",
- "2482": "Delete Key.",
- "2483": "Encrypt.",
- "2484": "Decrypt.",
- "2485": "Sign hash.",
- "2486": "Secret agreement.",
- "2487": "Domain settings",
- "2488": "Local settings",
- "2489": "Add provider.",
- "2490": "Remove provider.",
- "2491": "Add context.",
- "2492": "Remove context.",
- "2493": "Add function.",
- "2494": "Remove function.",
- "2495": "Add function provider.",
- "2496": "Remove function provider.",
- "2497": "Add function property.",
- "2498": "Remove function property.",
- "2499": "Machine key.",
- "2500": "User key.",
- "2501": "Key Derivation.",
- "4352": "Device Access Bit 0",
- "4353": "Device Access Bit 1",
- "4354": "Device Access Bit 2",
- "4355": "Device Access Bit 3",
- "4356": "Device Access Bit 4",
- "4357": "Device Access Bit 5",
- 
"4358": "Device Access Bit 6", - "4359": "Device Access Bit 7", - "4360": "Device Access Bit 8", - "4361": "Undefined Access (no effect) Bit 9", - "4362": "Undefined Access (no effect) Bit 10", - "4363": "Undefined Access (no effect) Bit 11", - "4364": "Undefined Access (no effect) Bit 12", - "4365": "Undefined Access (no effect) Bit 13", - "4366": "Undefined Access (no effect) Bit 14", - "4367": "Undefined Access (no effect) Bit 15", - "4368": "Query directory", - "4369": "Traverse", - "4370": "Create object in directory", - "4371": "Create sub-directory", - "4372": "Undefined Access (no effect) Bit 4", - "4373": "Undefined Access (no effect) Bit 5", - "4374": "Undefined Access (no effect) Bit 6", - "4375": "Undefined Access (no effect) Bit 7", - "4376": "Undefined Access (no effect) Bit 8", - "4377": "Undefined Access (no effect) Bit 9", - "4378": "Undefined Access (no effect) Bit 10", - "4379": "Undefined Access (no effect) Bit 11", - "4380": "Undefined Access (no effect) Bit 12", - "4381": "Undefined Access (no effect) Bit 13", - "4382": "Undefined Access (no effect) Bit 14", - "4383": "Undefined Access (no effect) Bit 15", - "4384": "Query event state", - "4385": "Modify event state", - "4386": "Undefined Access (no effect) Bit 2", - "4387": "Undefined Access (no effect) Bit 3", - "4388": "Undefined Access (no effect) Bit 4", - "4389": "Undefined Access (no effect) Bit 5", - "4390": "Undefined Access (no effect) Bit 6", - "4391": "Undefined Access (no effect) Bit 7", - "4392": "Undefined Access (no effect) Bit 8", - "4393": "Undefined Access (no effect) Bit 9", - "4394": "Undefined Access (no effect) Bit 10", - "4395": "Undefined Access (no effect) Bit 11", - "4396": "Undefined Access (no effect) Bit 12", - "4397": "Undefined Access (no effect) Bit 13", - "4398": "Undefined Access (no effect) Bit 14", - "4399": "Undefined Access (no effect) Bit 15", - "4416": "ReadData (or ListDirectory)", - "4417": "WriteData (or AddFile)", - "4418": "AppendData (or 
AddSubdirectory or CreatePipeInstance)",
- "4419": "ReadEA",
- "4420": "WriteEA",
- "4421": "Execute/Traverse",
- "4422": "DeleteChild",
- "4423": "ReadAttributes",
- "4424": "WriteAttributes",
- "4425": "Undefined Access (no effect) Bit 9",
- "4426": "Undefined Access (no effect) Bit 10",
- "4427": "Undefined Access (no effect) Bit 11",
- "4428": "Undefined Access (no effect) Bit 12",
- "4429": "Undefined Access (no effect) Bit 13",
- "4430": "Undefined Access (no effect) Bit 14",
- "4431": "Undefined Access (no effect) Bit 15",
- "4432": "Query key value",
- "4433": "Set key value",
- "4434": "Create sub-key",
- "4435": "Enumerate sub-keys",
- "4436": "Notify about changes to keys",
- "4437": "Create Link",
- "4438": "Undefined Access (no effect) Bit 6",
- "4439": "Undefined Access (no effect) Bit 7",
- "4440": "Enable 64(or 32) bit application to open 64 bit key",
- "4441": "Enable 64(or 32) bit application to open 32 bit key",
- "4442": "Undefined Access (no effect) Bit 10",
- "4443": "Undefined Access (no effect) Bit 11",
- "4444": "Undefined Access (no effect) Bit 12",
- "4445": "Undefined Access (no effect) Bit 13",
- "4446": "Undefined Access (no effect) Bit 14",
- "4447": "Undefined Access (no effect) Bit 15",
- "4448": "Query mutant state",
- "4449": "Undefined Access (no effect) Bit 1",
- "4450": "Undefined Access (no effect) Bit 2",
- "4451": "Undefined Access (no effect) Bit 3",
- "4452": "Undefined Access (no effect) Bit 4",
- "4453": "Undefined Access (no effect) Bit 5",
- "4454": "Undefined Access (no effect) Bit 6",
- "4455": "Undefined Access (no effect) Bit 7",
- "4456": "Undefined Access (no effect) Bit 8",
- "4457": "Undefined Access (no effect) Bit 9",
- "4458": "Undefined Access (no effect) Bit 10",
- "4459": "Undefined Access (no effect) Bit 11",
- "4460": "Undefined Access (no effect) Bit 12",
- "4461": "Undefined Access (no effect) Bit 13",
- "4462": "Undefined Access (no effect) Bit 14",
- "4463": "Undefined Access (no effect) Bit 15",
- 
"4464": "Communicate using port", - "4465": "Undefined Access (no effect) Bit 1", - "4466": "Undefined Access (no effect) Bit 2", - "4467": "Undefined Access (no effect) Bit 3", - "4468": "Undefined Access (no effect) Bit 4", - "4469": "Undefined Access (no effect) Bit 5", - "4470": "Undefined Access (no effect) Bit 6", - "4471": "Undefined Access (no effect) Bit 7", - "4472": "Undefined Access (no effect) Bit 8", - "4473": "Undefined Access (no effect) Bit 9", - "4474": "Undefined Access (no effect) Bit 10", - "4475": "Undefined Access (no effect) Bit 11", - "4476": "Undefined Access (no effect) Bit 12", - "4477": "Undefined Access (no effect) Bit 13", - "4478": "Undefined Access (no effect) Bit 14", - "4479": "Undefined Access (no effect) Bit 15", - "4480": "Force process termination", - "4481": "Create new thread in process", - "4482": "Set process session ID", - "4483": "Perform virtual memory operation", - "4484": "Read from process memory", - "4485": "Write to process memory", - "4486": "Duplicate handle into or out of process", - "4487": "Create a subprocess of process", - "4488": "Set process quotas", - "4489": "Set process information", - "4490": "Query process information", - "4491": "Set process termination port", - "4492": "Undefined Access (no effect) Bit 12", - "4493": "Undefined Access (no effect) Bit 13", - "4494": "Undefined Access (no effect) Bit 14", - "4495": "Undefined Access (no effect) Bit 15", - "4496": "Control profile", - "4497": "Undefined Access (no effect) Bit 1", - "4498": "Undefined Access (no effect) Bit 2", - "4499": "Undefined Access (no effect) Bit 3", - "4500": "Undefined Access (no effect) Bit 4", - "4501": "Undefined Access (no effect) Bit 5", - "4502": "Undefined Access (no effect) Bit 6", - "4503": "Undefined Access (no effect) Bit 7", - "4504": "Undefined Access (no effect) Bit 8", - "4505": "Undefined Access (no effect) Bit 9", - "4506": "Undefined Access (no effect) Bit 10", - "4507": "Undefined Access (no effect) Bit 11", 
- "4508": "Undefined Access (no effect) Bit 12", - "4509": "Undefined Access (no effect) Bit 13", - "4510": "Undefined Access (no effect) Bit 14", - "4511": "Undefined Access (no effect) Bit 15", - "4512": "Query section state", - "4513": "Map section for write", - "4514": "Map section for read", - "4515": "Map section for execute", - "4516": "Extend size", - "4517": "Undefined Access (no effect) Bit 5", - "4518": "Undefined Access (no effect) Bit 6", - "4519": "Undefined Access (no effect) Bit 7", - "4520": "Undefined Access (no effect) Bit 8", - "4521": "Undefined Access (no effect) Bit 9", - "4522": "Undefined Access (no effect) Bit 10", - "4523": "Undefined Access (no effect) Bit 11", - "4524": "Undefined Access (no effect) Bit 12", - "4525": "Undefined Access (no effect) Bit 13", - "4526": "Undefined Access (no effect) Bit 14", - "4527": "Undefined Access (no effect) Bit 15", - "4528": "Query semaphore state", - "4529": "Modify semaphore state", - "4530": "Undefined Access (no effect) Bit 2", - "4531": "Undefined Access (no effect) Bit 3", - "4532": "Undefined Access (no effect) Bit 4", - "4533": "Undefined Access (no effect) Bit 5", - "4534": "Undefined Access (no effect) Bit 6", - "4535": "Undefined Access (no effect) Bit 7", - "4536": "Undefined Access (no effect) Bit 8", - "4537": "Undefined Access (no effect) Bit 9", - "4538": "Undefined Access (no effect) Bit 10", - "4539": "Undefined Access (no effect) Bit 11", - "4540": "Undefined Access (no effect) Bit 12", - "4541": "Undefined Access (no effect) Bit 13", - "4542": "Undefined Access (no effect) Bit 14", - "4543": "Undefined Access (no effect) Bit 15", - "4544": "Use symbolic link", - "4545": "Undefined Access (no effect) Bit 1", - "4546": "Undefined Access (no effect) Bit 2", - "4547": "Undefined Access (no effect) Bit 3", - "4548": "Undefined Access (no effect) Bit 4", - "4549": "Undefined Access (no effect) Bit 5", - "4550": "Undefined Access (no effect) Bit 6", - "4551": "Undefined Access (no 
effect) Bit 7",
- "4552": "Undefined Access (no effect) Bit 8",
- "4553": "Undefined Access (no effect) Bit 9",
- "4554": "Undefined Access (no effect) Bit 10",
- "4555": "Undefined Access (no effect) Bit 11",
- "4556": "Undefined Access (no effect) Bit 12",
- "4557": "Undefined Access (no effect) Bit 13",
- "4558": "Undefined Access (no effect) Bit 14",
- "4559": "Undefined Access (no effect) Bit 15",
- "4560": "Force thread termination",
- "4561": "Suspend or resume thread",
- "4562": "Send an alert to thread",
- "4563": "Get thread context",
- "4564": "Set thread context",
- "4565": "Set thread information",
- "4566": "Query thread information",
- "4567": "Assign a token to the thread",
- "4568": "Cause thread to directly impersonate another thread",
- "4569": "Directly impersonate this thread",
- "4570": "Undefined Access (no effect) Bit 10",
- "4571": "Undefined Access (no effect) Bit 11",
- "4572": "Undefined Access (no effect) Bit 12",
- "4573": "Undefined Access (no effect) Bit 13",
- "4574": "Undefined Access (no effect) Bit 14",
- "4575": "Undefined Access (no effect) Bit 15",
- "4576": "Query timer state",
- "4577": "Modify timer state",
- "4578": "Undefined Access (no effect) Bit 2",
- "4579": "Undefined Access (no effect) Bit 3",
- "4580": "Undefined Access (no effect) Bit 4",
- "4581": "Undefined Access (no effect) Bit 5",
- "4582": "Undefined Access (no effect) Bit 6",
- "4584": "Undefined Access (no effect) Bit 8",
- "4585": "Undefined Access (no effect) Bit 9",
- "4586": "Undefined Access (no effect) Bit 10",
- "4587": "Undefined Access (no effect) Bit 11",
- "4588": "Undefined Access (no effect) Bit 12",
- "4589": "Undefined Access (no effect) Bit 13",
- "4590": "Undefined Access (no effect) Bit 14",
- "4591": "Undefined Access (no effect) Bit 15",
- "4592": "AssignAsPrimary",
- "4593": "Duplicate",
- "4594": "Impersonate",
- "4595": "Query",
- "4596": "QuerySource",
- "4597": "AdjustPrivileges",
- "4598": "AdjustGroups",
- "4599": 
"AdjustDefaultDacl", - "4600": "AdjustSessionID", - "4601": "Undefined Access (no effect) Bit 9", - "4602": "Undefined Access (no effect) Bit 10", - "4603": "Undefined Access (no effect) Bit 11", - "4604": "Undefined Access (no effect) Bit 12", - "4605": "Undefined Access (no effect) Bit 13", - "4606": "Undefined Access (no effect) Bit 14", - "4607": "Undefined Access (no effect) Bit 15", - "4608": "Create instance of object type", - "4609": "Undefined Access (no effect) Bit 1", - "4610": "Undefined Access (no effect) Bit 2", - "4611": "Undefined Access (no effect) Bit 3", - "4612": "Undefined Access (no effect) Bit 4", - "4613": "Undefined Access (no effect) Bit 5", - "4614": "Undefined Access (no effect) Bit 6", - "4615": "Undefined Access (no effect) Bit 7", - "4616": "Undefined Access (no effect) Bit 8", - "4617": "Undefined Access (no effect) Bit 9", - "4618": "Undefined Access (no effect) Bit 10", - "4619": "Undefined Access (no effect) Bit 11", - "4620": "Undefined Access (no effect) Bit 12", - "4621": "Undefined Access (no effect) Bit 13", - "4622": "Undefined Access (no effect) Bit 14", - "4623": "Undefined Access (no effect) Bit 15", - "4864": "Query State", - "4865": "Modify State", - "5120": "Channel read message", - "5121": "Channel write message", - "5122": "Channel query information", - "5123": "Channel set information", - "5124": "Undefined Access (no effect) Bit 4", - "5125": "Undefined Access (no effect) Bit 5", - "5126": "Undefined Access (no effect) Bit 6", - "5127": "Undefined Access (no effect) Bit 7", - "5128": "Undefined Access (no effect) Bit 8", - "5129": "Undefined Access (no effect) Bit 9", - "5130": "Undefined Access (no effect) Bit 10", - "5131": "Undefined Access (no effect) Bit 11", - "5132": "Undefined Access (no effect) Bit 12", - "5133": "Undefined Access (no effect) Bit 13", - "5134": "Undefined Access (no effect) Bit 14", - "5135": "Undefined Access (no effect) Bit 15", - "5136": "Assign process", - "5137": "Set Attributes", - 
"5138": "Query Attributes", - "5139": "Terminate Job", - "5140": "Set Security Attributes", - "5141": "Undefined Access (no effect) Bit 5", - "5142": "Undefined Access (no effect) Bit 6", - "5143": "Undefined Access (no effect) Bit 7", - "5144": "Undefined Access (no effect) Bit 8", - "5145": "Undefined Access (no effect) Bit 9", - "5146": "Undefined Access (no effect) Bit 10", - "5147": "Undefined Access (no effect) Bit 11", - "5148": "Undefined Access (no effect) Bit 12", - "5149": "Undefined Access (no effect) Bit 13", - "5150": "Undefined Access (no effect) Bit 14", - "5151": "Undefined Access (no effect) Bit 15", - "5376": "ConnectToServer", - "5377": "ShutdownServer", - "5378": "InitializeServer", - "5379": "CreateDomain", - "5380": "EnumerateDomains", - "5381": "LookupDomain", - "5382": "Undefined Access (no effect) Bit 6", - "5383": "Undefined Access (no effect) Bit 7", - "5384": "Undefined Access (no effect) Bit 8", - "5385": "Undefined Access (no effect) Bit 9", - "5386": "Undefined Access (no effect) Bit 10", - "5387": "Undefined Access (no effect) Bit 11", - "5388": "Undefined Access (no effect) Bit 12", - "5389": "Undefined Access (no effect) Bit 13", - "5390": "Undefined Access (no effect) Bit 14", - "5391": "Undefined Access (no effect) Bit 15", - "5392": "ReadPasswordParameters", - "5393": "WritePasswordParameters", - "5394": "ReadOtherParameters", - "5395": "WriteOtherParameters", - "5396": "CreateUser", - "5397": "CreateGlobalGroup", - "5398": "CreateLocalGroup", - "5399": "GetLocalGroupMembership", - "5400": "ListAccounts", - "5401": "LookupIDs", - "5402": "AdministerServer", - "5403": "Undefined Access (no effect) Bit 11", - "5404": "Undefined Access (no effect) Bit 12", - "5405": "Undefined Access (no effect) Bit 13", - "5406": "Undefined Access (no effect) Bit 14", - "5407": "Undefined Access (no effect) Bit 15", - "5408": "ReadInformation", - "5409": "WriteAccount", - "5410": "AddMember", - "5411": "RemoveMember", - "5412": "ListMembers", - 
"5413": "Undefined Access (no effect) Bit 5", - "5414": "Undefined Access (no effect) Bit 6", - "5415": "Undefined Access (no effect) Bit 7", - "5416": "Undefined Access (no effect) Bit 8", - "5417": "Undefined Access (no effect) Bit 9", - "5418": "Undefined Access (no effect) Bit 10", - "5419": "Undefined Access (no effect) Bit 11", - "5420": "Undefined Access (no effect) Bit 12", - "5421": "Undefined Access (no effect) Bit 13", - "5422": "Undefined Access (no effect) Bit 14", - "5423": "Undefined Access (no effect) Bit 15", - "5424": "AddMember", - "5425": "RemoveMember", - "5426": "ListMembers", - "5427": "ReadInformation", - "5428": "WriteAccount", - "5429": "Undefined Access (no effect) Bit 5", - "5430": "Undefined Access (no effect) Bit 6", - "5431": "Undefined Access (no effect) Bit 7", - "5432": "Undefined Access (no effect) Bit 8", - "5433": "Undefined Access (no effect) Bit 9", - "5434": "Undefined Access (no effect) Bit 10", - "5435": "Undefined Access (no effect) Bit 11", - "5436": "Undefined Access (no effect) Bit 12", - "5437": "Undefined Access (no effect) Bit 13", - "5438": "Undefined Access (no effect) Bit 14", - "5439": "Undefined Access (no effect) Bit 15", - "5440": "ReadGeneralInformation", - "5441": "ReadPreferences", - "5442": "WritePreferences", - "5443": "ReadLogon", - "5444": "ReadAccount", - "5445": "WriteAccount", - "5446": "ChangePassword (with knowledge of old password)", - "5447": "SetPassword (without knowledge of old password)", - "5448": "ListGroups", - "5449": "ReadGroupMembership", - "5450": "ChangeGroupMembership", - "5451": "Undefined Access (no effect) Bit 11", - "5452": "Undefined Access (no effect) Bit 12", - "5453": "Undefined Access (no effect) Bit 13", - "5454": "Undefined Access (no effect) Bit 14", - "5455": "Undefined Access (no effect) Bit 15", - "5632": "View non-sensitive policy information", - "5633": "View system audit requirements", - "5634": "Get sensitive policy information", - "5635": "Modify domain trust 
relationships",
- "5636": "Create special accounts (for assignment of user rights)",
- "5637": "Create a secret object",
- "5638": "Create a privilege",
- "5639": "Set default quota limits",
- "5640": "Change system audit requirements",
- "5641": "Administer audit log attributes",
- "5642": "Enable/Disable LSA",
- "5643": "Lookup Names/SIDs",
- "5648": "Change secret value",
- "5649": "Query secret value",
- "5650": "Undefined Access (no effect) Bit 2",
- "5651": "Undefined Access (no effect) Bit 3",
- "5652": "Undefined Access (no effect) Bit 4",
- "5653": "Undefined Access (no effect) Bit 5",
- "5654": "Undefined Access (no effect) Bit 6",
- "5655": "Undefined Access (no effect) Bit 7",
- "5656": "Undefined Access (no effect) Bit 8",
- "5657": "Undefined Access (no effect) Bit 9",
- "5658": "Undefined Access (no effect) Bit 10",
- "5659": "Undefined Access (no effect) Bit 11",
- "5660": "Undefined Access (no effect) Bit 12",
- "5661": "Undefined Access (no effect) Bit 13",
- "5662": "Undefined Access (no effect) Bit 14",
- "5663": "Undefined Access (no effect) Bit 15",
- "5664": "Query trusted domain name/SID",
- "5665": "Retrieve the controllers in the trusted domain",
- "5666": "Change the controllers in the trusted domain",
- "5667": "Query the Posix ID offset assigned to the trusted domain",
- "5668": "Change the Posix ID offset assigned to the trusted domain",
- "5669": "Undefined Access (no effect) Bit 5",
- "5670": "Undefined Access (no effect) Bit 6",
- "5671": "Undefined Access (no effect) Bit 7",
- "5672": "Undefined Access (no effect) Bit 8",
- "5673": "Undefined Access (no effect) Bit 9",
- "5674": "Undefined Access (no effect) Bit 10",
- "5675": "Undefined Access (no effect) Bit 11",
- "5676": "Undefined Access (no effect) Bit 12",
- "5677": "Undefined Access (no effect) Bit 13",
- "5678": "Undefined Access (no effect) Bit 14",
- "5679": "Undefined Access (no effect) Bit 15",
- "5680": "Query account information",
- "5681": "Change privileges 
assigned to account",
- "5682": "Change quotas assigned to account",
- "5683": "Change logon capabilities assigned to account",
- "5684": "Change the Posix ID offset assigned to the accounted domain",
- "5685": "Undefined Access (no effect) Bit 5",
- "5686": "Undefined Access (no effect) Bit 6",
- "5687": "Undefined Access (no effect) Bit 7",
- "5688": "Undefined Access (no effect) Bit 8",
- "5689": "Undefined Access (no effect) Bit 9",
- "5690": "Undefined Access (no effect) Bit 10",
- "5691": "Undefined Access (no effect) Bit 11",
- "5692": "Undefined Access (no effect) Bit 12",
- "5693": "Undefined Access (no effect) Bit 13",
- "5694": "Undefined Access (no effect) Bit 14",
- "5695": "Undefined Access (no effect) Bit 15",
- "5696": "KeyedEvent Wait",
- "5697": "KeyedEvent Wake",
- "5698": "Undefined Access (no effect) Bit 2",
- "5699": "Undefined Access (no effect) Bit 3",
- "5700": "Undefined Access (no effect) Bit 4",
- "5701": "Undefined Access (no effect) Bit 5",
- "5702": "Undefined Access (no effect) Bit 6",
- "5703": "Undefined Access (no effect) Bit 7",
- "5704": "Undefined Access (no effect) Bit 8",
- "5705": "Undefined Access (no effect) Bit 9",
- "5706": "Undefined Access (no effect) Bit 10",
- "5707": "Undefined Access (no effect) Bit 11",
- "5708": "Undefined Access (no effect) Bit 12",
- "5709": "Undefined Access (no effect) Bit 13",
- "5710": "Undefined Access (no effect) Bit 14",
- "5711": "Undefined Access (no effect) Bit 15",
- "6656": "Enumerate desktops",
- "6657": "Read attributes",
- "6658": "Access Clipboard",
- "6659": "Create desktop",
- "6660": "Write attributes",
- "6661": "Access global atoms",
- "6662": "Exit windows",
- "6663": "Unused Access Flag",
- "6664": "Include this windowstation in enumerations",
- "6665": "Read screen",
- "6672": "Read Objects",
- "6673": "Create window",
- "6674": "Create menu",
- "6675": "Hook control",
- "6676": "Journal (record)",
- "6677": "Journal (playback)",
- "6678": "Include this desktop in 
enumerations",
- "6679": "Write objects",
- "6680": "Switch to this desktop",
- "6912": "Administer print server",
- "6913": "Enumerate printers",
- "6930": "Full Control",
- "6931": "Print",
- "6948": "Administer Document",
- "7168": "Connect to service controller",
- "7169": "Create a new service",
- "7170": "Enumerate services",
- "7171": "Lock service database for exclusive access",
- "7172": "Query service database lock state",
- "7173": "Set last-known-good state of service database",
- "7184": "Query service configuration information",
- "7185": "Set service configuration information",
- "7186": "Query status of service",
- "7187": "Enumerate dependencies of service",
- "7188": "Start the service",
- "7189": "Stop the service",
- "7190": "Pause or continue the service",
- "7191": "Query information from service",
- "7192": "Issue service-specific control commands",
- "7424": "DDE Share Read",
- "7425": "DDE Share Write",
- "7426": "DDE Share Initiate Static",
- "7427": "DDE Share Initiate Link",
- "7428": "DDE Share Request",
- "7429": "DDE Share Advise",
- "7430": "DDE Share Poke",
- "7431": "DDE Share Execute",
- "7432": "DDE Share Add Items",
- "7433": "DDE Share List Items",
- "7680": "Create Child",
- "7681": "Delete Child",
- "7682": "List Contents",
- "7683": "Write Self",
- "7684": "Read Property",
- "7685": "Write Property",
- "7686": "Delete Tree",
- "7687": "List Object",
- "7688": "Control Access",
- "7689": "Undefined Access (no effect) Bit 9",
- "7690": "Undefined Access (no effect) Bit 10",
- "7691": "Undefined Access (no effect) Bit 11",
- "7692": "Undefined Access (no effect) Bit 12",
- "7693": "Undefined Access (no effect) Bit 13",
- "7694": "Undefined Access (no effect) Bit 14",
- "7695": "Undefined Access (no effect) Bit 15",
- "7936": "Audit Set System Policy",
- "7937": "Audit Query System Policy",
- "7938": "Audit Set Per User Policy",
- "7939": "Audit Query Per User Policy",
- "7940": "Audit Enumerate Users",
- "7941": "Audit Set 
Options",
- "7942": "Audit Query Options",
- "8064": "Port sharing (read)",
- "8065": "Port sharing (write)",
- "8096": "Default credentials",
- "8097": "Credentials manager",
- "8098": "Fresh credentials",
- "8192": "Kerberos",
- "8193": "Preshared key",
- "8194": "Unknown authentication",
- "8195": "DES",
- "8196": "3DES",
- "8197": "MD5",
- "8198": "SHA1",
- "8199": "Local computer",
- "8200": "Remote computer",
- "8201": "No state",
- "8202": "Sent first (SA) payload",
- "8203": "Sent second (KE) payload",
- "8204": "Sent third (ID) payload",
- "8205": "Initiator",
- "8206": "Responder",
- "8207": "No state",
- "8208": "Sent first (SA) payload",
- "8209": "Sent final payload",
- "8210": "Complete",
- "8211": "Unknown",
- "8212": "Transport",
- "8213": "Tunnel",
- "8214": "IKE/AuthIP DoS prevention mode started",
- "8215": "IKE/AuthIP DoS prevention mode stopped",
- "8216": "Enabled",
- "8217": "Not enabled",
- "8218": "No state",
- "8219": "Sent first (EM attributes) payload",
- "8220": "Sent second (SSPI) payload",
- "8221": "Sent third (hash) payload",
- "8222": "IKEv1",
- "8223": "AuthIP",
- "8224": "Anonymous",
- "8225": "NTLM V2",
- "8226": "CGA",
- "8227": "Certificate",
- "8228": "SSL",
- "8229": "None",
- "8230": "DH group 1",
- "8231": "DH group 2",
- "8232": "DH group 14",
- "8233": "DH group ECP 256",
- "8234": "DH group ECP 384",
- "8235": "AES-128",
- "8236": "AES-192",
- "8237": "AES-256",
- "8238": "Certificate ECDSA P256",
- "8239": "Certificate ECDSA P384",
- "8240": "SSL ECDSA P256",
- "8241": "SSL ECDSA P384",
- "8242": "SHA 256",
- "8243": "SHA 384",
- "8244": "IKEv2",
- "8245": "EAP payload sent",
- "8246": "Authentication payload sent",
- "8247": "EAP",
- "8248": "DH group 24",
- "8272": "System",
- "8273": "Logon/Logoff",
- "8274": "Object Access",
- "8275": "Privilege Use",
- "8276": "Detailed Tracking",
- "8277": "Policy Change",
- "8278": "Account Management",
- "8279": "DS Access",
- "8280": "Account Logon",
- "8448": "Success 
removed",
- "8449": "Success Added",
- "8450": "Failure removed",
- "8451": "Failure Added",
- "8452": "Success include removed",
- "8453": "Success include added",
- "8454": "Success exclude removed",
- "8455": "Success exclude added",
- "8456": "Failure include removed",
- "8457": "Failure include added",
- "8458": "Failure exclude removed",
- "8459": "Failure exclude added",
- "12288": "Security State Change",
- "12289": "Security System Extension",
- "12290": "System Integrity",
- "12291": "IPsec Driver",
- "12292": "Other System Events",
- "12544": "Logon",
- "12545": "Logoff",
- "12546": "Account Lockout",
- "12547": "IPsec Main Mode",
- "12548": "Special Logon",
- "12549": "IPsec Quick Mode",
- "12550": "IPsec Extended Mode",
- "12551": "Other Logon/Logoff Events",
- "12552": "Network Policy Server",
- "12553": "User / Device Claims",
- "12554": "Group Membership",
- "12800": "File System",
- "12801": "Registry",
- "12802": "Kernel Object",
- "12803": "SAM",
- "12804": "Other Object Access Events",
- "12805": "Certification Services",
- "12806": "Application Generated",
- "12807": "Handle Manipulation",
- "12808": "File Share",
- "12809": "Filtering Platform Packet Drop",
- "12810": "Filtering Platform Connection",
- "12811": "Detailed File Share",
- "12812": "Removable Storage",
- "12813": "Central Policy Staging",
- "13056": "Sensitive Privilege Use",
- "13057": "Non Sensitive Privilege Use",
- "13058": "Other Privilege Use Events",
- "13312": "Process Creation",
- "13313": "Process Termination",
- "13314": "DPAPI Activity",
- "13315": "RPC Events",
- "13316": "Plug and Play Events",
- "13317": "Token Right Adjusted Events",
- "13568": "Audit Policy Change",
- "13569": "Authentication Policy Change",
- "13570": "Authorization Policy Change",
- "13571": "MPSSVC Rule-Level Policy Change",
- "13572": "Filtering Platform Policy Change",
- "13573": "Other Policy Change Events",
- "13824": "User Account Management",
- "13825": "Computer Account Management",
- 
"13826": "Security Group Management", - "13827": "Distribution Group Management", - "13828": "Application Group Management", - "13829": "Other Account Management Events", - "14080": "Directory Service Access", - "14081": "Directory Service Changes", - "14082": "Directory Service Replication", - "14083": "Detailed Directory Service Replication", - "14336": "Credential Validation", - "14337": "Kerberos Service Ticket Operations", - "14338": "Other Account Logon Events", - "14339": "Kerberos Authentication Service", - "14592": "Inbound", - "14593": "Outbound", - "14594": "Forward", - "14595": "Bidirectional", - "14596": "IP Packet", - "14597": "Transport", - "14598": "Forward", - "14599": "Stream", - "14600": "Datagram Data", - "14601": "ICMP Error", - "14602": "MAC 802.3", - "14603": "MAC Native", - "14604": "vSwitch", - "14608": "Resource Assignment", - "14609": "Listen", - "14610": "Receive/Accept", - "14611": "Connect", - "14612": "Flow Established", - "14614": "Resource Release", - "14615": "Endpoint Closure", - "14616": "Connect Redirect", - "14617": "Bind Redirect", - "14624": "Stream Packet", - "14640": "ICMP Echo-Request", - "14641": "vSwitch Ingress", - "14642": "vSwitch Egress", - "14672": "", - "14673": "[NULL]", - "14674": "Value Added", - "14675": "Value Deleted", - "14676": "Active Directory Domain Services", - "14677": "Active Directory Lightweight Directory Services", - "14678": "Yes", - "14679": "No", - "14680": "Value Added With Expiration Time", - "14681": "Value Deleted With Expiration Time", - "14688": "Value Auto Deleted With Expiration Time", - "16384": "Add", - "16385": "Delete", - "16386": "Boot-time", - "16387": "Persistent", - "16388": "Not persistent", - "16389": "Block", - "16390": "Permit", - "16391": "Callout", - "16392": "MD5", - "16393": "SHA-1", - "16394": "SHA-256", - "16395": "AES-GCM 128", - "16396": "AES-GCM 192", - "16397": "AES-GCM 256", - "16398": "DES", - "16399": "3DES", - "16400": "AES-128", - "16401": "AES-192", - "16402": 
"AES-256",
- "16403": "Transport",
- "16404": "Tunnel",
- "16405": "Responder",
- "16406": "Initiator",
- "16407": "AES-GMAC 128",
- "16408": "AES-GMAC 192",
- "16409": "AES-GMAC 256",
- "16416": "AuthNoEncap Transport",
- "16896": "Enable WMI Account",
- "16897": "Execute Method",
- "16898": "Full Write",
- "16899": "Partial Write",
- "16900": "Provider Write",
- "16901": "Remote Access",
- "16902": "Subscribe",
- "16903": "Publish",
- };
- // Trust Types
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706
- var trustTypes = {
- "1": "TRUST_TYPE_DOWNLEVEL",
- "2": "TRUST_TYPE_UPLEVEL",
- "3": "TRUST_TYPE_MIT",
- "4": "TRUST_TYPE_DCE"
- }
- // Trust Direction
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706
- var trustDirection = {
- "0": "TRUST_DIRECTION_DISABLED",
- "1": "TRUST_DIRECTION_INBOUND",
- "2": "TRUST_DIRECTION_OUTBOUND",
- "3": "TRUST_DIRECTION_BIDIRECTIONAL"
- }
- // Trust Attributes
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706
- var trustAttributes = {
- "0": "UNDEFINED",
- "1": "TRUST_ATTRIBUTE_NON_TRANSITIVE",
- "2": "TRUST_ATTRIBUTE_UPLEVEL_ONLY",
- "4": "TRUST_ATTRIBUTE_QUARANTINED_DOMAIN",
- "8": "TRUST_ATTRIBUTE_FOREST_TRANSITIVE",
- "16": "TRUST_ATTRIBUTE_CROSS_ORGANIZATION",
- "32": "TRUST_ATTRIBUTE_WITHIN_FOREST",
- "64": "TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL",
- "128": "TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION",
- "512": "TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION",
- "1024": "TRUST_ATTRIBUTE_PIM_TRUST"
- }
- // SDDL Ace Types
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4715
- // https://docs.microsoft.com/en-us/windows/win32/secauthz/ace-strings
- // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/f4296d69-1c0f-491f-9587-a960b292d070
- var aceTypes = {
- "A": "Access Allowed",
- "D": "Access Denied",
- "OA": "Object Access Allowed",
- "OD": 
"Object Access Denied",
- "AU": "System Audit",
- "AL": "System Alarm",
- "OU": "System Object Audit",
- "OL": "System Object Alarm",
- "ML": "System Mandatory Label",
- "SP": "Central Policy ID"
- }
- // SDDL Permissions
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4715
- // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/f4296d69-1c0f-491f-9587-a960b292d070
- var permissionDescription = {
- "GA": "Generic All",
- "GR": "Generic Read",
- "GW": "Generic Write",
- "GX": "Generic Execute",
- "RC": "Read Permissions",
- "SD": "Delete",
- "WD": "Modify Permissions",
- "WO": "Modify Owner",
- "RP": "Read All Properties",
- "WP": "Write All Properties",
- "CC": "Create All Child Objects",
- "DC": "Delete All Child Objects",
- "LC": "List Contents",
- "SW": "All Validated",
- "LO": "List Object",
- "DT": "Delete Subtree",
- "CR": "All Extended Rights",
- "FA": "File All Access",
- "FR": "File Generic Read",
- "FX": "FILE GENERIC EXECUTE",
- "FW": "FILE GENERIC WRITE",
- "KA": "KEY ALL ACCESS",
- "KR": "KEY READ",
- "KW": "KEY WRITE",
- "KX": "KEY EXECUTE"
- }
- // Known SIDs
- // https://support.microsoft.com/en-au/help/243330/well-known-security-identifier"S-in-window"S-operating-systems
- // https://docs.microsoft.com/en-us/windows/win32/secauthz/sid-strings
- var accountSIDDescription = {
- "AO": "Account operators",
- "RU": "Alias to allow previous Windows 2000",
- "AN": "Anonymous logon",
- "AU": "Authenticated users",
- "BA": "Built-in administrators",
- "BG": "Built-in guests",
- "BO": "Backup operators",
- "BU": "Built-in users",
- "CA": "Certificate server administrators",
- "CG": "Creator group",
- "CO": "Creator owner",
- "DA": "Domain administrators",
- "DC": "Domain computers",
- "DD": "Domain controllers",
- "DG": "Domain guests",
- "DU": "Domain users",
- "EA": "Enterprise administrators",
- "ED": "Enterprise domain controllers",
- "WD": "Everyone",
- "PA": "Group Policy administrators",
- 
"IU": "Interactively logged-on user",
- "LA": "Local administrator",
- "LG": "Local guest",
- "LS": "Local service account",
- "SY": "Local system",
- "NU": "Network logon user",
- "NO": "Network configuration operators",
- "NS": "Network service account",
- "PO": "Printer operators",
- "PS": "Personal self",
- "PU": "Power users",
- "RS": "RAS servers group",
- "RD": "Terminal server users",
- "RE": "Replicator",
- "RC": "Restricted code",
- "SA": "Schema administrators",
- "SO": "Server operators",
- "SU": "Service logon user",
- "S-1-0": "Null Authority",
- "S-1-0-0": "Nobody",
- "S-1-1": "World Authority",
- "S-1-1-0": "Everyone",
- "S-1-16-0": "Untrusted Mandatory Level",
- "S-1-16-12288": "High Mandatory Level",
- "S-1-16-16384": "System Mandatory Level",
- "S-1-16-20480": "Protected Process Mandatory Level",
- "S-1-16-28672": "Secure Process Mandatory Level",
- "S-1-16-4096": "Low Mandatory Level",
- "S-1-16-8192": "Medium Mandatory Level",
- "S-1-16-8448": "Medium Plus Mandatory Level",
- "S-1-2": "Local Authority",
- "S-1-2-0": "Local",
- "S-1-2-1": "Console Logon",
- "S-1-3": "Creator Authority",
- "S-1-3-0": "Creator Owner",
- "S-1-3-1": "Creator Group",
- "S-1-3-2": "Creator Owner Server",
- "S-1-3-3": "Creator Group Server",
- "S-1-3-4": "Owner Rights",
- "S-1-4": "Non-unique Authority",
- "S-1-5": "NT Authority",
- "S-1-5-1": "Dialup",
- "S-1-5-10": "Principal Self",
- "S-1-5-11": "Authenticated Users",
- "S-1-5-12": "Restricted Code",
- "S-1-5-13": "Terminal Server Users",
- "S-1-5-14": "Remote Interactive Logon",
- "S-1-5-15": "This Organization",
- "S-1-5-17": "This Organization",
- "S-1-5-18": "Local System",
- "S-1-5-19": "NT Authority",
- "S-1-5-2": "Network",
- "S-1-5-20": "NT Authority",
- "S-1-5-3": "Batch",
- "S-1-5-32-544": "Administrators",
- "S-1-5-32-545": "Users",
- "S-1-5-32-546": "Guests",
- "S-1-5-32-547": "Power Users",
- "S-1-5-32-548": "Account Operators",
- "S-1-5-32-549": "Server Operators",
- "S-1-5-32-550": "Print Operators",
- "S-1-5-32-551": "Backup Operators",
- "S-1-5-32-552": "Replicators",
- "S-1-5-32-554": "Builtin\Pre-Windows 2000 Compatible Access",
- "S-1-5-32-555": "Builtin\Remote Desktop Users",
- "S-1-5-32-556": "Builtin\Network Configuration Operators",
- "S-1-5-32-557": "Builtin\Incoming Forest Trust Builders",
- "S-1-5-32-558": "Builtin\Performance Monitor Users",
- "S-1-5-32-559": "Builtin\Performance Log Users",
- "S-1-5-32-560": "Builtin\Windows Authorization Access Group",
- "S-1-5-32-561": "Builtin\Terminal Server License Servers",
- "S-1-5-32-562": "Builtin\Distributed COM Users",
- "S-1-5-32-569": "Builtin\Cryptographic Operators",
- "S-1-5-32-573": "Builtin\Event Log Readers",
- "S-1-5-32-574": "Builtin\Certificate Service DCOM Access",
- "S-1-5-32-575": "Builtin\RDS Remote Access Servers",
- "S-1-5-32-576": "Builtin\RDS Endpoint Servers",
- "S-1-5-32-577": "Builtin\RDS Management Servers",
- "S-1-5-32-578": "Builtin\Hyper-V Administrators",
- "S-1-5-32-579": "Builtin\Access Control Assistance Operators",
- "S-1-5-32-580": "Builtin\Remote Management Users",
- "S-1-5-32-582": "Storage Replica Administrators",
- "S-1-5-4": "Interactive",
- "S-1-5-5-X-Y": "Logon Session",
- "S-1-5-6": "Service",
- "S-1-5-64-10": "NTLM Authentication",
- "S-1-5-64-14": "SChannel Authentication",
- "S-1-5-64-21": "Digest Authentication",
- "S-1-5-7": "Anonymous",
- "S-1-5-8": "Proxy",
- "S-1-5-80": "NT Service",
- "S-1-5-80-0": "All Services",
- "S-1-5-83-0": "NT Virtual Machine\Virtual Machines",
- "S-1-5-9": "Enterprise Domain Controllers",
- "S-1-5-90-0": "Windows Manager\Windows Manager Group"
- }
- // Domain-specific SIDs
- // https://support.microsoft.com/en-au/help/243330/well-known-security-identifiers-in-windows-operating-systems
- var domainSpecificSID = {
- "498": "Enterprise Read-only Domain Controllers",
- "500": "Administrator",
- "501": "Guest",
- "502": "KRBTGT",
- "512": "Domain Admins",
- "513": "Domain Users",
- "514": "Domain Guests",
- "515": "Domain Computers",
- 
"516": "Domain Controllers", - "517": "Cert Publishers", - "518": "Schema Admins", - "519": "Enterprise Admins", - "520": "Group Policy Creator Owners", - "521": "Read-only Domain Controllers", - "522": "Cloneable Domain Controllers", - "526": "Key Admins", - "527": "Enterprise Key Admins", - "553": "RAS and IAS Servers", - "571": "Allowed RODC Password Replication Group", - "572": "Denied RODC Password Replication Group" - } - // Object Permission Flags - // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/7a53f60e-e730-4dfe-bbe9-b21b62eb790b - var permsFlags = [ - [0x80000000, 'Generic Read'], - [0x4000000, 'Generic Write'], - [0x20000000, 'Generic Execute'], - [0x10000000, 'Generic All'], - [0x02000000, 'Maximun Allowed'], - [0x01000000, 'Access System Security'], - [0x00100000, 'Syncronize'], - [0x00080000, 'Write Owner'], - [0x00040000, 'Write DACL'], - [0x00020000, 'Read Control'], - [0x00010000, 'Delete'] - ]; - // lookupMessageCode returns the string associated with the code. key should - // be the name of the field in evt containing the code (e.g. %%2313). 
- var lookupMessageCode = function (evt, key) {
- var code = evt.Get(key);
- if (!code) {
- return;
- }
- code = code.replace("%%", "");
- return msobjsMessageTable[code];
- };
- var addEventFields = function(evt){
- var code = evt.Get("event.code");
- if (!code) {
- return;
- }
- var eventActionDescription = eventActionTypes[code][2];
- if (eventActionDescription) {
- evt.AppendTo("event.category", eventActionTypes[code][0]);
- evt.AppendTo("event.type", eventActionTypes[code][1]);
- evt.Put("event.action", eventActionTypes[code][2]);
- }
- };
- var addLogonType = function(evt) {
- var code = evt.Get("winlog.event_data.LogonType");
- if (!code) {
- return;
- }
- var descriptiveLogonType = logonTypes[code];
- if (descriptiveLogonType === undefined) {
- return;
- }
- evt.Put("winlog.logon.type", descriptiveLogonType);
- };
- var addFailureCode = function(evt) {
- var msg = lookupMessageCode(evt, "winlog.event_data.FailureReason");
- if (!msg) {
- return;
- }
- evt.Put("winlog.logon.failure.reason", msg);
- };
- var addFailureStatus = function(evt) {
- var code = evt.Get("winlog.event_data.Status");
- if (!code) {
- return;
- }
- var descriptiveFailureStatus = logonFailureStatus[code];
- if (descriptiveFailureStatus === undefined) {
- return;
- }
- evt.Put("winlog.logon.failure.status", descriptiveFailureStatus);
- };
- var addFailureSubStatus = function(evt) {
- var code = evt.Get("winlog.event_data.SubStatus");
- if (!code) {
- return;
- }
- var descriptiveFailureStatus = logonFailureStatus[code];
- if (descriptiveFailureStatus === undefined) {
- return;
- }
- evt.Put("winlog.logon.failure.sub_status", descriptiveFailureStatus);
- };
- var addUACDescription = function(evt) {
- var code = evt.Get("winlog.event_data.NewUacValue");
- if (!code) {
- return;
- }
- var uacCode = parseInt(code);
- var uacResult = [];
- for (var i = 0; i < uacFlags.length; i++) {
- if ((uacCode | uacFlags[i][0]) === uacCode) {
- uacResult.push(uacFlags[i][1]);
- }
- }
- if (uacResult) {
- 
evt.Put("winlog.event_data.NewUACList", uacResult);
- }
- var uacList = evt.Get("winlog.event_data.UserAccountControl").replace(/\s/g, '').split("%%").filter(String);
- if (!uacList) {
- return;
- }
- evt.Put("winlog.event_data.UserAccountControl", uacList);
- };
- var addAuditInfo = function(evt) {
- var subcategoryGuid = evt.Get("winlog.event_data.SubcategoryGuid").replace("{", '').replace("}", '').toUpperCase();
- if (!subcategoryGuid) {
- return;
- }
- if (!auditDescription[subcategoryGuid]) {
- return;
- }
- evt.Put("winlog.event_data.Category", auditDescription[subcategoryGuid][1]);
- evt.Put("winlog.event_data.SubCategory", auditDescription[subcategoryGuid][0]);
- var codedActions = evt.Get("winlog.event_data.AuditPolicyChanges").split(",");
- var actionResults = [];
- for (var j = 0; j < codedActions.length; j++) {
- var actionCode = codedActions[j].replace("%%", '').replace(' ', '');
- actionResults.push(msobjsMessageTable[actionCode]);
- }
- evt.Put("winlog.event_data.AuditPolicyChangesDescription", actionResults);
- };
- var addTicketOptionsDescription = function(evt) {
- var code = evt.Get("winlog.event_data.TicketOptions");
- if (!code) {
- return;
- }
- var tktCode = parseInt(code, 16).toString(2);
- var tktResult = [];
- var tktCodeLen = tktCode.length;
- for (var i = tktCodeLen; i >= 0; i--) {
- if (tktCode[i] == 1) {
- tktResult.push(ticketOptions[(32-tktCodeLen)+i]);
- }
- }
- if (tktResult) {
- evt.Put("winlog.event_data.TicketOptionsDescription", tktResult);
- }
- };
- var addTicketEncryptionType = function(evt) {
- var code = evt.Get("winlog.event_data.TicketEncryptionType");
- if (!code) {
- return;
- }
- var encTypeCode = code.toLowerCase();
- evt.Put("winlog.event_data.TicketEncryptionTypeDescription", ticketEncryptionTypes[encTypeCode]);
- };
- var addTicketStatus = function(evt) {
- var code = evt.Get("winlog.event_data.Status");
- if (!code) {
- return;
- }
- evt.Put("winlog.event_data.StatusDescription", kerberosTktStatusCodes[code]);
- 
};
- var translateSID = function(sid){
- var translatedSID = accountSIDDescription[sid];
- if (translatedSID == undefined) {
- if (/^S\-1\-5\-21/.test(sid)) {
- var uid = sid.match(/[0-9]{1,5}$/g);
- if (uid) {
- translatedSID = domainSpecificSID[uid];
- }
- }
- }
- if (translatedSID == undefined) {
- translatedSID = sid;
- }
- return translatedSID;
- }
- var translatePermissionMask = function(mask) {
- if (!mask) {
- return;
- }
- var permCode = parseInt(mask);
- var permResult = [];
- for (var i = 0; i < permsFlags.length; i++) {
- if ((permCode | permsFlags[i][0]) === permCode) {
- permResult.push(permsFlags[i][1]);
- }
- }
- if (permResult) {
- return permResult;
- } else {
- return mask;
- }
- };
- var translateACL = function(dacl) {
- var aceArray = dacl.split(";");
- var aceResult = [];
- var aceType = aceArray[0];
- var acePerm = aceArray[2];
- var aceTrustedSid = aceArray[5];
- if (aceTrustedSid) {
- aceResult['grantee'] = translateSID(aceTrustedSid);
- }
- if (aceType) {
- aceResult['type'] = aceTypes[aceType];
- }
- if (acePerm) {
- if (/^0x/.test(acePerm)) {
- var perms = translatePermissionMask(acePerm);
- }
- else {
- var perms = []
- var permPairs = acePerm.match(/.{1,2}/g);
- for ( var i = 0; i < permPairs.length; i ++) {
- perms.push(permissionDescription[permPairs[i]])
- }
- }
- aceResult['perms'] = perms;
- }
- return aceResult;
- };
- var enrichSDDL = function(evt, sddl) {
- var sddlStr = evt.Get(sddl);
- if (!sddlStr) {
- return;
- }
- var sdOwner = sddlStr.match(/^O\:[A-Z]{2}/g);
- var sdGroup = sddlStr.match(/^G\:[A-Z]{2}/g);
- var sdDacl = sddlStr.match(/(D:([A-Z]*(\(.*\))*))/g);
- var sdSacl = sddlStr.match(/(S:([A-Z]*(\(.*\))*))?$/g);
- if (sdOwner) {
- evt.Put(sddl+"Owner", translateSID(sdOwner));
- }
- if (sdGroup) {
- evt.Put(sddl+"Group", translateSID(sdGroup));
- }
- if (sdDacl) {
- // Split each entry of the DACL
- var daclList = (sdDacl[0]).match(/\([^*\)]*\)/g);
- if (daclList) {
- for (var i = 0; i < daclList.length; i++) {
- var 
newDacl = translateACL(daclList[i].replace("(", '').replace(")", ''));
- evt.Put(sddl+"Dacl"+i, newDacl['grantee']+" :"+newDacl['type']+" ("+newDacl['perms']+")");
- if ( newDacl['grantee'] === "Administrator" || newDacl['grantee'] === "Guest" || newDacl['grantee'] === "KRBTGT" ) {
- evt.AppendTo('related.user', newDacl['grantee']);
- }
- }
- }
- }
- if (sdSacl) {
- // Split each entry of the SACL
- var saclList = (sdSacl[0]).match(/\([^*\)]*\)/g);
- if (saclList) {
- for (var i = 0; i < saclList.length; i++) {
- var newSacl = translateACL(saclList[i].replace("(", '').replace(")", ''));
- evt.Put(sddl+"Sacl"+i, newSacl['grantee']+" :"+newSacl['type']+" ("+newSacl['perms']+")");
- if ( newSacl['grantee'] === "Administrator" || newSacl['grantee'] === "Guest" || newSacl['grantee'] === "KRBTGT" ) {
- evt.AppendTo('related.user', newSacl['grantee']);
- }
- }
- }
- }
- };
-
- var addSessionData = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.AccountName", to: "user.name"},
- {from: "winlog.event_data.AccountDomain", to: "user.domain"},
- {from: "winlog.event_data.ClientAddress", to: "source.ip", type: "ip"},
- {from: "winlog.event_data.ClientAddress", to: "related.ip", type: "ip"},
- {from: "winlog.event_data.ClientName", to: "source.domain"},
- {from: "winlog.event_data.LogonID", to: "winlog.logon.id"},
- ],
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(function(evt) {
- var user = evt.Get("winlog.event_data.AccountName");
- evt.AppendTo('related.user', user);
- })
- .Build();
- var addServiceFields = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.ServiceName", to: "service.name"},
- ],
- ignore_missing: true,
- })
- .Add(function(evt) {
- var code = evt.Get("winlog.event_data.ServiceType");
- if (!code) {
- return;
- }
- evt.Put("service.type", serviceTypes[code]);
- })
- .Build();
- var addTrustInformation = new processor.Chain()
- .Add(function(evt) {
- var code = 
evt.Get("winlog.event_data.TdoType");
- if (!code) {
- return;
- }
- evt.Put("winlog.trustType", trustTypes[code]);
- code = evt.Get("winlog.event_data.TdoDirection");
- if (!code) {
- return;
- }
- evt.Put("winlog.trustDirection", trustDirection[code]);
- code = evt.Get("winlog.event_data.TdoAttributes");
- if (!code) {
- return;
- }
- evt.Put("winlog.trustAttribute", trustAttributes[code]);
-
- })
- .Build();
-
- var copyTargetUser = function(evt) {
- var targetUserId = evt.Get("winlog.event_data.TargetUserSid");
- if (targetUserId) {
- if (evt.Get("user.id")) evt.Put("user.target.id", targetUserId);
- else evt.Put("user.id", targetUserId);
- }
-
- var targetUserName = evt.Get("winlog.event_data.TargetUserName");
- if (targetUserName) {
- if (/.@*/.test(targetUserName)) {
- targetUserName = targetUserName.split('@')[0];
- }
-
- evt.AppendTo("related.user", targetUserName);
- if (evt.Get("user.name")) evt.Put("user.target.name", targetUserName);
- else evt.Put("user.name", targetUserName);
- }
-
- var targetUserDomain = evt.Get("winlog.event_data.TargetDomainName");
- if (targetUserDomain) {
- if (evt.Get("user.domain")) evt.Put("user.target.domain", targetUserDomain);
- else evt.Put("user.domain", targetUserDomain);
- }
- }
-
- var copyMemberToUser = function(evt) {
- var member = evt.Get("winlog.event_data.MemberName");
- if (!member) {
- return;
- }
-
- var userName = member.split(',')[0].replace('CN=', '').replace('cn=', '');
-
- evt.AppendTo("related.user", userName);
- evt.Put("user.target.name", userName);
- }
-
- var copyTargetUserToGroup = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.TargetUserSid", to: "group.id"},
- {from: "winlog.event_data.TargetSid", to: "group.id"},
- {from: "winlog.event_data.TargetUserName", to: "group.name"},
- {from: "winlog.event_data.TargetDomainName", to: "group.domain"},
- ],
- ignore_missing: true,
- }).Add(function(evt) {
- if (!evt.Get("user.target")) return;
- evt.Put("user.target.group.id", 
evt.Get("group.id"));
- evt.Put("user.target.group.name", evt.Get("group.name"));
- evt.Put("user.target.group.domain", evt.Get("group.domain"));
- })
- .Build();
- var copyTargetUserToComputerObject = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.TargetSid", to: "winlog.computerObject.id"},
- {from: "winlog.event_data.TargetUserName", to: "winlog.computerObject.name"},
- {from: "winlog.event_data.TargetDomainName", to: "winlog.computerObject.domain"},
- ],
- ignore_missing: true,
- })
- .Build();
- var copyTargetUserLogonId = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.TargetLogonId", to: "winlog.logon.id"},
- ],
- ignore_missing: true,
- })
- .Build();
- var copySubjectUser = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.SubjectUserSid", to: "user.id"},
- {from: "winlog.event_data.SubjectUserName", to: "user.name"},
- {from: "winlog.event_data.SubjectDomainName", to: "user.domain"},
- ],
- ignore_missing: true,
- })
- .Add(function(evt) {
- var user = evt.Get("winlog.event_data.SubjectUserName");
- evt.AppendTo('related.user', user);
- })
- .Build();
- var copySubjectUserFromUserData = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.user_data.SubjectUserSid", to: "user.id"},
- {from: "winlog.user_data.SubjectUserName", to: "user.name"},
- {from: "winlog.user_data.SubjectDomainName", to: "user.domain"},
- ],
- ignore_missing: true,
- })
- .Add(function(evt) {
- var user = evt.Get("winlog.user_data.SubjectUserName");
- evt.AppendTo('related.user', user);
- })
- .Build();
- var copySubjectUserLogonId = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.SubjectLogonId", to: "winlog.logon.id"},
- ],
- ignore_missing: true,
- })
- .Build();
- var copySubjectUserLogonIdFromUserData = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.user_data.SubjectLogonId", to: "winlog.logon.id"},
- ],
- ignore_missing: true,
- })
- .Build();
- 
var renameCommonAuthFields = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"},
- {from: "winlog.event_data.ProcessName", to: "process.executable"},
- {from: "winlog.event_data.IpAddress", to: "source.ip", type: "ip"},
- {from: "winlog.event_data.ClientAddress", to: "related.ip", type: "ip"},
- {from: "winlog.event_data.IpPort", to: "source.port", type: "long"},
- {from: "winlog.event_data.WorkstationName", to: "source.domain"},
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(function(evt) {
- var name = evt.Get("process.name");
- if (name) {
- return;
- }
- var exe = evt.Get("process.executable");
- if (!exe) {
- return;
- }
- evt.Put("process.name", path.basename(exe));
- })
- .Build();
- var renameNewProcessFields = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.NewProcessId", to: "process.pid", type: "long"},
- {from: "winlog.event_data.NewProcessName", to: "process.executable"},
- {from: "winlog.event_data.ParentProcessName", to: "process.parent.executable"}
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(function(evt) {
- var name = evt.Get("process.name");
- if (name) {
- return;
- }
- var exe = evt.Get("process.executable");
- if (!exe) {
- return;
- }
- evt.Put("process.name", path.basename(exe));
- })
- .Add(function(evt) {
- var name = evt.Get("process.parent.name");
- if (name) {
- return;
- }
- var exe = evt.Get("process.parent.executable");
- if (!exe) {
- return;
- }
- evt.Put("process.parent.name", path.basename(exe));
- })
- .Add(function(evt) {
- var cl = evt.Get("winlog.event_data.CommandLine");
- if (!cl) {
- return;
- }
- evt.Put("process.args", windows.splitCommandLine(cl));
- evt.Put("process.command_line", cl);
- })
- .Build();
- // Handles 4634 and 4647. 
- var logoff = new processor.Chain()
- .Add(copyTargetUser)
- .Add(copyTargetUserLogonId)
- .Add(addLogonType)
- .Add(addEventFields)
- .Build();
- // Handles both 4624
- var logonSuccess = new processor.Chain()
- .Add(copyTargetUser)
- .Add(copyTargetUserLogonId)
- .Add(addLogonType)
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Add(function(evt) {
- var user = evt.Get("winlog.event_data.SubjectUserName");
- if (user) {
- var res = /^-$/.test(user);
- if (!res) {
- evt.AppendTo('related.user', user);
- }
- }
- })
- .Build();
- // Handles both 4648
- var event4648 = new processor.Chain()
- .Add(copyTargetUser)
- .Add(copySubjectUserLogonId)
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Add(function(evt) {
- var user = evt.Get("winlog.event_data.SubjectUserName");
- if (user) {
- var res = /^-$/.test(user);
- if (!res) {
- evt.AppendTo('related.user', user);
- }
- }
- })
- .Build();
- var event4625 = new processor.Chain()
- .Add(copyTargetUser)
- .Add(copySubjectUserLogonId)
- .Add(addLogonType)
- .Add(addFailureCode)
- .Add(addFailureStatus)
- .Add(addFailureSubStatus)
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Build();
- var event4672 = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(function(evt) {
- var privs = evt.Get("winlog.event_data.PrivilegeList");
- if (!privs) {
- return;
- }
- evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/));
- })
- .Add(addEventFields)
- .Build();
- var event4688 = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(renameNewProcessFields)
- .Add(addEventFields)
- .Add(function(evt) {
- var user = evt.Get("winlog.event_data.TargetUserName");
- if (user) {
- var res = /^-$/.test(user);
- if (!res) {
- evt.AppendTo('related.user', user);
- }
- }
- })
- .Build();
- var event4689 = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Build();
- 
var event4697 = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(renameCommonAuthFields)
- .Add(addServiceFields)
- .Add(addEventFields)
- .Build();
- var userMgmtEvts = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(renameCommonAuthFields)
- .Add(addUACDescription)
- .Add(addEventFields)
- .Add(function(evt) {
- var user = evt.Get("winlog.event_data.TargetUserName");
- evt.AppendTo('related.user', user);
- })
- .Build();
- var userRenamed = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(addEventFields)
- .Add(function(evt) {
- var userNew = evt.Get("winlog.event_data.NewTargetUserName");
- evt.AppendTo('related.user', userNew);
- var userOld = evt.Get("winlog.event_data.OldTargetUserName");
- evt.AppendTo('related.user', userOld);
- })
- .Build();
- var groupMgmtEvts = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(copyMemberToUser)
- .Add(copyTargetUserToGroup)
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Build();
- var auditLogCleared = new processor.Chain()
- .Add(copySubjectUserFromUserData)
- .Add(copySubjectUserLogonIdFromUserData)
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Build();
- var auditChanged = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(renameCommonAuthFields)
- .Add(addAuditInfo)
- .Add(addEventFields)
- .Build();
- var auditLogMgmt = new processor.Chain()
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Build();
- var computerMgmtEvts = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(copyTargetUserToComputerObject)
- .Add(renameCommonAuthFields)
- .Add(addUACDescription)
- .Add(addEventFields)
- .Add(function(evt) {
- var privs = evt.Get("winlog.event_data.PrivilegeList");
- if (!privs) {
- return;
- }
- evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/));
- })
- .Build();
- var 
sessionEvts = new processor.Chain()
- .Add(addSessionData)
- .Add(addEventFields)
- .Build();
- var event4964 = new processor.Chain()
- .Add(copyTargetUser)
- .Add(copyTargetUserLogonId)
- .Add(addEventFields)
- .Build();
- var kerberosTktEvts = new processor.Chain()
- .Add(copyTargetUser)
- .Add(renameCommonAuthFields)
- .Add(addTicketOptionsDescription)
- .Add(addTicketEncryptionType)
- .Add(addTicketStatus)
- .Add(addEventFields)
- .Add(function(evt) {
- var ip = evt.Get("source.ip");
- if (ip) {
- if (/::ffff:/.test(ip)) {
- evt.Put("source.ip", ip.replace("::ffff:", ""));
- evt.AppendTo("related.ip", ip.replace("::ffff:", ""));
- }
- }
- })
- .Build();
- var event4776 = new processor.Chain()
- .Add(copyTargetUser)
- .Add(addFailureStatus)
- .Add(addEventFields)
- .Build();
- var scheduledTask = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(addEventFields)
- .Build();
- var sensitivePrivilege = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Add(function(evt) {
- var privs = evt.Get("winlog.event_data.PrivilegeList");
- if (!privs) {
- return;
- }
- evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/));
- })
- .Add(function(evt){
- var maskCodes = evt.Get("winlog.event_data.AccessMask");
- if (!maskCodes) {
- return;
- }
- var maskList = maskCodes.replace(/\s+/g, '').split("%%").filter(String);
- evt.Put("winlog.event_data.AccessMask", maskList);
- var maskResults = [];
- for (var j = 0; j < maskList.length; j++) {
- var description = msobjsMessageTable[maskList[j]];
- if (description === undefined) {
- return;
- }
- maskResults.push(description);
- }
- evt.Put("winlog.event_data.AccessMaskDescription", maskResults);
- })
- .Build();
-
- var trustDomainMgmtEvts = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(addEventFields)
- .Add(addTrustInformation)
- .Build();
-
- var policyChange = new 
processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(addEventFields) - .Build(); - - var objectPolicyChange = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Add(function(evt) { - var oldSd = evt.Get("winlog.event_data.OldSd"); - var newSd = evt.Get("winlog.event_data.NewSd"); - if (oldSd) { - enrichSDDL(evt, "winlog.event_data.OldSd"); - } - if (newSd) { - enrichSDDL(evt, "winlog.event_data.NewSd"); - } - }) - .Build(); - - var genericAuditChange = new processor.Chain() - .Add(addEventFields) - .Build(); - - var event4908 = new processor.Chain() - .Add(addEventFields) - .Add(function(evt) { - var sids = evt.Get("winlog.event_data.SidList"); - if (!sids) { - return; - } - var sidList = sids.split(/\s+/); - evt.Put("winlog.event_data.SidList", sids.split(/\s+/)); - var sidListDesc = []; - for (var i = 0; i < sidList.length; i++) { - var sidTemp = sidList[i].replace("%", "").replace("{", "").replace("}", "").replace(" ",""); - if (sidTemp) { - sidListDesc.push(translateSID(sidTemp)); - } - } - evt.Put("winlog.event_data.SidListDesc", sidListDesc); - }) - .Build(); - - var securityEventSource = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Build(); - - return { - // 1100 - The event logging service has shut down. - 1100: auditLogMgmt.Run, - // 1102 - The audit log was cleared. - 1102: auditLogCleared.Run, - // 1104 - The security log is now full. - 1104: auditLogMgmt.Run, - // 1105 - Event log automatic backup. - 1105: auditLogMgmt.Run, - // 1108 - The event logging service encountered an error while processing an incoming event published from %1 - 1108: auditLogMgmt.Run, - // 4624 - An account was successfully logged on. - 4624: logonSuccess.Run, - // 4625 - An account failed to log on. - 4625: event4625.Run, - // 4634 - An account was logged off. 
- 4634: logoff.Run, - // 4647 - User initiated logoff. - 4647: logoff.Run, - // 4648 - A logon was attempted using explicit credentials. - 4648: event4648.Run, - // 4670 - Permissions on an object were changed. - 4670: objectPolicyChange.Run, - // 4672 - Special privileges assigned to new logon. - 4672: event4672.Run, - // 4673 - A privileged service was called. - 4673: sensitivePrivilege.Run, - // 4674 - An operation was attempted on a privileged object. - 4674: sensitivePrivilege.Run, - // 4688 - A new process has been created. - 4688: event4688.Run, - // 4689 - A process has exited. - 4689: event4689.Run, - // 4697 - A service was installed in the system. - 4697: event4697.Run, - // 4698 - A scheduled task was created. - 4698: scheduledTask.Run, - // 4699 - A scheduled task was deleted. - 4699: scheduledTask.Run, - // 4700 - A scheduled task was enabled. - 4700: scheduledTask.Run, - // 4701 - A scheduled task was disabled. - 4701: scheduledTask.Run, - // 4702 - A scheduled task was updated. - 4702: scheduledTask.Run, - // 4706 - A new trust was created to a domain. - 4706: trustDomainMgmtEvts.Run, - // 4707 - A trust to a domain was removed. - 4707: trustDomainMgmtEvts.Run, - // 4713 - Kerberos policy was changed. - 4713: policyChange.Run, - // 4716 - Trusted domain information was modified. - 4716: trustDomainMgmtEvts.Run, - // 4717 - System security access was granted to an account. - 4717: policyChange.Run, - // 4718 - System security access was removed from an account. - 4718: policyChange.Run, - // 4719 - System audit policy was changed. - 4719: auditChanged.Run, - // 4720 - A user account was created - 4720: userMgmtEvts.Run, - // 4722 - A user account was enabled - 4722: userMgmtEvts.Run, - // 4723 - An attempt was made to change an account's password - 4723: userMgmtEvts.Run, - // 4724 - An attempt was made to reset an account's password - 4724: userMgmtEvts.Run, - // 4725 - A user account was disabled. 
- 4725: userMgmtEvts.Run, - // 4726 - An user account was deleted. - 4726: userMgmtEvts.Run, - // 4727 - A security-enabled global group was created. - 4727: groupMgmtEvts.Run, - // 4728 - A member was added to a security-enabled global group. - 4728: groupMgmtEvts.Run, - // 4729 - A member was removed from a security-enabled global group. - 4729: groupMgmtEvts.Run, - // 4730 - A security-enabled global group was deleted. - 4730: groupMgmtEvts.Run, - // 4731 - A security-enabled local group was created. - 4731: groupMgmtEvts.Run, - // 4732 - A member was added to a security-enabled local group. - 4732: groupMgmtEvts.Run, - // 4733 - A member was removed from a security-enabled local group. - 4733: groupMgmtEvts.Run, - // 4734 - A security-enabled local group was deleted. - 4734: groupMgmtEvts.Run, - // 4735 - A security-enabled local group was changed. - 4735: groupMgmtEvts.Run, - // 4737 - A security-enabled global group was changed. - 4737: groupMgmtEvts.Run, - // 4739 - A security-enabled global group was changed. - 4739: policyChange.Run, - // 4738 - An user account was changed. - 4738: userMgmtEvts.Run, - // 4740 - An account was locked out - 4740: userMgmtEvts.Run, - // 4741 - A computer account was created. - 4741: computerMgmtEvts.Run, - // 4742 - A computer account was changed. - 4742: computerMgmtEvts.Run, - // 4743 - A computer account was deleted. - 4743: computerMgmtEvts.Run, - // 4744 - A security-disabled local group was created. - 4744: groupMgmtEvts.Run, - // 4745 - A security-disabled local group was changed. - 4745: groupMgmtEvts.Run, - // 4746 - A member was added to a security-disabled local group. - 4746: groupMgmtEvts.Run, - // 4747 - A member was removed from a security-disabled local group. - 4747: groupMgmtEvts.Run, - // 4748 - A security-disabled local group was deleted. - 4748: groupMgmtEvts.Run, - // 4749 - A security-disabled global group was created. - 4749: groupMgmtEvts.Run, - // 4750 - A security-disabled global group was changed. 
- 4750: groupMgmtEvts.Run, - // 4751 - A member was added to a security-disabled global group. - 4751: groupMgmtEvts.Run, - // 4752 - A member was removed from a security-disabled global group. - 4752: groupMgmtEvts.Run, - // 4753 - A security-disabled global group was deleted. - 4753: groupMgmtEvts.Run, - // 4754 - A security-enabled universal group was created. - 4754: groupMgmtEvts.Run, - // 4755 - A security-enabled universal group was changed. - 4755: groupMgmtEvts.Run, - // 4756 - A member was added to a security-enabled universal group. - 4756: groupMgmtEvts.Run, - // 4757 - A member was removed from a security-enabled universal group. - 4757: groupMgmtEvts.Run, - // 4758 - A security-enabled universal group was deleted. - 4758: groupMgmtEvts.Run, - // 4759 - A security-disabled universal group was created. - 4759: groupMgmtEvts.Run, - // 4760 - A security-disabled universal group was changed. - 4760: groupMgmtEvts.Run, - // 4761 - A member was added to a security-disabled universal group. - 4761: groupMgmtEvts.Run, - // 4762 - A member was removed from a security-disabled universal group. - 4762: groupMgmtEvts.Run, - // 4763 - A security-disabled global group was deleted. - 4763: groupMgmtEvts.Run, - // 4764 - A group\'s type was changed. - 4764: groupMgmtEvts.Run, - // 4767 - A user account was unlocked. - 4767: userMgmtEvts.Run, - // 4768 - A Kerberos authentication ticket TGT was requested. - 4768: kerberosTktEvts.Run, - // 4769 - A Kerberos service ticket was requested. - 4769: kerberosTktEvts.Run, - // 4770 - A Kerberos service ticket was renewed. - 4770: kerberosTktEvts.Run, - // 4771 - Kerberos pre-authentication failed. - 4771: kerberosTktEvts.Run, - // 4776 - The computer attempted to validate the credentials for an account. - 4776: event4776.Run, - // 4778 - A session was reconnected to a Window Station. - 4778: sessionEvts.Run, - // 4779 - A session was disconnected from a Window Station. 
- 4779: sessionEvts.Run, - // 4781 - The name of an account was changed. - 4781: userRenamed.Run, - // 4798 - A user's local group membership was enumerated. - 4798: userMgmtEvts.Run, - // 4799 - A security-enabled local group membership was enumerated. - 4799: groupMgmtEvts.Run, - // 4817 - Auditing settings on object were changed. - 4817: objectPolicyChange.Run, - // 4902 - The Per-user audit policy table was created. - 4902: genericAuditChange.Run, - // 4904 - An attempt was made to register a security event source. - 4904: securityEventSource.Run, - // 4905 - An attempt was made to unregister a security event source. - 4905: securityEventSource.Run, - // 4906 - The CrashOnAuditFail value has changed. - 4906: genericAuditChange.Run, - // 4907 - Auditing settings on object were changed. - 4907: objectPolicyChange.Run, - // 4908 - Special Groups Logon table modified. - 4908: event4908.Run, - // 4912 - Per User Audit Policy was changed. - 4912: auditChanged.Run, - // 4964 - Special groups have been assigned to a new logon. - 4964: event4964.Run, - process: function(evt) { - var eventId = evt.Get("winlog.event_id"); - var processor = this[eventId]; - if (processor === undefined) { - return; - } - evt.Put("event.module", "security"); - processor(evt); - }, - }; - })(); - function process(evt) { - return security.process(evt); - } \ No newline at end of file diff --git a/packages/system/0.12.2/data_stream/security/agent/stream/winlog.yml.hbs b/packages/system/0.12.2/data_stream/security/agent/stream/winlog.yml.hbs deleted file mode 100755 index 7a08288aa0..0000000000 --- a/packages/system/0.12.2/data_stream/security/agent/stream/winlog.yml.hbs +++ /dev/null 
@@ -1,2537 +0,0 @@ -name: Security -condition: ${host.platform} == 'windows' -processors: - - add_fields: - target: '' - fields: - ecs.version: 1.9.0 - - script: - lang: javascript - id: security - source: |- - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - var security = (function () { - var path = require("path"); - var processor = require("processor"); - var windows = require("windows"); - // Logon Types - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events - var logonTypes = { - "2": "Interactive", - "3": "Network", - "4": "Batch", - "5": "Service", - "7": "Unlock", - "8": "NetworkCleartext", - "9": "NewCredentials", - "10": "RemoteInteractive", - "11": "CachedInteractive", - }; - // User Account Control Attributes Table - // https://support.microsoft.com/es-us/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties - var uacFlags = [ - [0x0001, 'SCRIPT'], - [0x0002, 'ACCOUNTDISABLE'], - [0x0008, 'HOMEDIR_REQUIRED'], - [0x0010, 'LOCKOUT'], - [0x0020, 'PASSWD_NOTREQD'], - [0x0040, 'PASSWD_CANT_CHANGE'], - [0x0080, 'ENCRYPTED_TEXT_PWD_ALLOWED'], - [0x0100, 'TEMP_DUPLICATE_ACCOUNT'], - [0x0200, 'NORMAL_ACCOUNT'], - [0x0800, 'INTERDOMAIN_TRUST_ACCOUNT'], - [0x1000, 'WORKSTATION_TRUST_ACCOUNT'], - [0x2000, 'SERVER_TRUST_ACCOUNT'], - [0x10000, 'DONT_EXPIRE_PASSWORD'], - [0x20000, 'MNS_LOGON_ACCOUNT'], - [0x40000, 'SMARTCARD_REQUIRED'], - [0x80000, 'TRUSTED_FOR_DELEGATION'], - [0x100000, 'NOT_DELEGATED'], - [0x200000, 'USE_DES_KEY_ONLY'], - [0x400000, 'DONT_REQ_PREAUTH'], - [0x800000, 'PASSWORD_EXPIRED'], - [0x1000000, 'TRUSTED_TO_AUTH_FOR_DELEGATION'], - [0x04000000, 'PARTIAL_SECRETS_ACCOUNT'], - ]; - // Kerberos TGT and TGS Ticket Options - // 
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769 - var ticketOptions = [ - "Reserved", - "Forwardable", - "Forwarded", - "Proxiable", - "Proxy", - "Allow-postdate", - "Postdated", - "Invalid", - "Renewable", - "Initial", - "Pre-authent", - "Opt-hardware-auth", - "Transited-policy-checked", - "Ok-as-delegate", - "Request-anonymous", - "Name-canonicalize", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Disable-transited-check", - "Renewable-ok", - "Enc-tkt-in-skey", - "Unused", - "Renew", - "Validate"]; - // Kerberos Encryption Types - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - var ticketEncryptionTypes = { - "0x1": "DES-CBC-CRC", - "0x3": "DES-CBC-MD5", - "0x11": "AES128-CTS-HMAC-SHA1-96", - "0x12": "AES256-CTS-HMAC-SHA1-96", - "0x17": "RC4-HMAC", - "0x18": "RC4-HMAC-EXP", - "0xffffffff": "FAIL", - }; - // Kerberos Result Status Codes - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - var kerberosTktStatusCodes = { - "0x0": "KDC_ERR_NONE", - "0x1": "KDC_ERR_NAME_EXP", - "0x2": "KDC_ERR_SERVICE_EXP", - "0x3": "KDC_ERR_BAD_PVNO", - "0x4": "KDC_ERR_C_OLD_MAST_KVNO", - "0x5": "KDC_ERR_S_OLD_MAST_KVNO", - "0x6": "KDC_ERR_C_PRINCIPAL_UNKNOWN", - "0x7": "KDC_ERR_S_PRINCIPAL_UNKNOWN", - "0x8": "KDC_ERR_PRINCIPAL_NOT_UNIQUE", - "0x9": "KDC_ERR_NULL_KEY", - "0xA": "KDC_ERR_CANNOT_POSTDATE", - "0xB": "KDC_ERR_NEVER_VALID", - "0xC": "KDC_ERR_POLICY", - "0xD": "KDC_ERR_BADOPTION", - "0xE": "KDC_ERR_ETYPE_NOTSUPP", - "0xF": "KDC_ERR_SUMTYPE_NOSUPP", - "0x10": "KDC_ERR_PADATA_TYPE_NOSUPP", - "0x11": 
"KDC_ERR_TRTYPE_NO_SUPP", - "0x12": "KDC_ERR_CLIENT_REVOKED", - "0x13": "KDC_ERR_SERVICE_REVOKED", - "0x14": "KDC_ERR_TGT_REVOKED", - "0x15": "KDC_ERR_CLIENT_NOTYET", - "0x16": "KDC_ERR_SERVICE_NOTYET", - "0x17": "KDC_ERR_KEY_EXPIRED", - "0x18": "KDC_ERR_PREAUTH_FAILED", - "0x19": "KDC_ERR_PREAUTH_REQUIRED", - "0x1A": "KDC_ERR_SERVER_NOMATCH", - "0x1B": "KDC_ERR_MUST_USE_USER2USER", - "0x1F": "KRB_AP_ERR_BAD_INTEGRITY", - "0x20": "KRB_AP_ERR_TKT_EXPIRED", - "0x21": "KRB_AP_ERR_TKT_NYV", - "0x22": "KRB_AP_ERR_REPEAT", - "0x23": "KRB_AP_ERR_NOT_US", - "0x24": "KRB_AP_ERR_BADMATCH", - "0x25": "KRB_AP_ERR_SKEW", - "0x26": "KRB_AP_ERR_BADADDR", - "0x27": "KRB_AP_ERR_BADVERSION", - "0x28": "KRB_AP_ERR_MSG_TYPE", - "0x29": "KRB_AP_ERR_MODIFIED", - "0x2A": "KRB_AP_ERR_BADORDER", - "0x2C": "KRB_AP_ERR_BADKEYVER", - "0x2D": "KRB_AP_ERR_NOKEY", - "0x2E": "KRB_AP_ERR_MUT_FAIL", - "0x2F": "KRB_AP_ERR_BADDIRECTION", - "0x30": "KRB_AP_ERR_METHOD", - "0x31": "KRB_AP_ERR_BADSEQ", - "0x32": "KRB_AP_ERR_INAPP_CKSUM", - "0x33": "KRB_AP_PATH_NOT_ACCEPTED", - "0x34": "KRB_ERR_RESPONSE_TOO_BIG", - "0x3C": "KRB_ERR_GENERIC", - "0x3D": "KRB_ERR_FIELD_TOOLONG", - "0x3E": "KDC_ERR_CLIENT_NOT_TRUSTED", - "0x3F": "KDC_ERR_KDC_NOT_TRUSTED", - "0x40": "KDC_ERR_INVALID_SIG", - "0x41": "KDC_ERR_KEY_TOO_WEAK", - "0x42": "KRB_AP_ERR_USER_TO_USER_REQUIRED", - "0x43": "KRB_AP_ERR_NO_TGT", - "0x44": "KDC_ERR_WRONG_REALM", - }; - // event.category, event.type, event.action - var eventActionTypes = { - "1100": [["process"], ["end"], "logging-service-shutdown"], - "1102": [["iam"], ["admin", "change"], "audit-log-cleared"], // need to recategorize - "1104": [["iam"], ["admin"],"logging-full"], - "1105": [["iam"], ["admin"],"auditlog-archieved"], - "1108": [["iam"], ["admin"],"logging-processing-error"], - "4610": [["configuration"], ["access"], "authentication-package-loaded"], - "4611": [["configuration"], ["change"], "trusted-logon-process-registered"], - "4614": [["configuration"], ["access"], 
"notification-package-loaded"], - "4616": [["configuration"], ["change"], "system-time-changed"], - "4622": [["configuration"], ["access"], "security-package-loaded"], - "4624": [["authentication"], ["start"], "logged-in"], - "4625": [["authentication"], ["start"], "logon-failed"], - "4634": [["authentication"], ["end"], "logged-out"], - "4647": [["authentication"], ["end"], "logged-out"], - "4648": [["authentication"], ["start"], "logged-in-explicit"], - "4657": [["registry", "configuration"], ["change"], "registry-value-modified"], - "4670": [["iam", "configuration"],["admin", "change"],"permissions-changed"], - "4672": [["iam"], ["admin"], "logged-in-special"], - "4673": [["iam"], ["admin"], "privileged-service-called"], - "4674": [["iam"], ["admin"], "privileged-operation"], - "4688": [["process"], ["start"], "created-process"], - "4689": [["process"], ["end"], "exited-process"], - "4697": [["iam", "configuration"], ["admin", "change"],"service-installed"], // remove iam and admin - "4698": [["iam", "configuration"], ["creation", "admin"], "scheduled-task-created"], // remove iam and admin - "4699": [["iam", "configuration"], ["deletion", "admin"], "scheduled-task-deleted"], // remove iam and admin - "4700": [["iam", "configuration"], ["change", "admin"], "scheduled-task-enabled"], // remove iam and admin - "4701": [["iam", "configuration"], ["change", "admin"], "scheduled-task-disabled"], // remove iam and admin - "4702": [["iam", "configuration"], ["change", "admin"], "scheduled-task-updated"], // remove iam and admin - "4706": [["configuration"], ["creation"], "domain-trust-added"], - "4707": [["configuration"], ["deletion"], "domain-trust-removed"], - "4713": [["configuration"], ["change"], "kerberos-policy-changed"], - "4714": [["configuration"], ["change"], "encrypted-data-recovery-policy-changed"], - "4715": [["configuration"], ["change"], "object-audit-policy-changed"], - "4716": [["configuration"], ["change"], "trusted-domain-information-changed"], - 
"4717": [["iam", "configuration"],["admin", "change"],"system-security-access-granted"], - "4718": [["iam", "configuration"],["admin", "deletion"],"system-security-access-removed"], - "4719": [["iam", "configuration"], ["admin", "change"], "changed-audit-config"], // remove iam and admin - "4720": [["iam"], ["user", "creation"], "added-user-account"], - "4722": [["iam"], ["user", "change"], "enabled-user-account"], - "4723": [["iam"], ["user", "change"], "changed-password"], - "4724": [["iam"], ["user", "change"], "reset-password"], - "4725": [["iam"], ["user", "deletion"], "disabled-user-account"], - "4726": [["iam"], ["user", "deletion"], "deleted-user-account"], - "4727": [["iam"], ["group", "creation"], "added-group-account"], - "4728": [["iam"], ["group", "change"], "added-member-to-group"], - "4729": [["iam"], ["group", "change"], "removed-member-from-group"], - "4730": [["iam"], ["group", "deletion"], "deleted-group-account"], - "4731": [["iam"], ["group", "creation"], "added-group-account"], - "4732": [["iam"], ["group", "change"], "added-member-to-group"], - "4733": [["iam"], ["group", "change"], "removed-member-from-group"], - "4734": [["iam"], ["group", "deletion"], "deleted-group-account"], - "4735": [["iam"], ["group", "change"], "modified-group-account"], - "4737": [["iam"], ["group", "change"], "modified-group-account"], - "4738": [["iam"], ["user", "change"], "modified-user-account"], - "4739": [["configuration"], ["change"], "domain-policy-changed"], - "4740": [["iam"], ["user", "change"], "locked-out-user-account"], - "4741": [["iam"], ["creation", "admin"], "added-computer-account"], // remove admin - "4742": [["iam"], ["change", "admin"], "changed-computer-account"], // remove admin - "4743": [["iam"], ["deletion", "admin"], "deleted-computer-account"], // remove admin - "4744": [["iam"], ["group", "creation"], "added-distribution-group-account"], - "4745": [["iam"], ["group", "change"], "changed-distribution-group-account"], - "4746": [["iam"], 
["group", "change"], "added-member-to-distribution-group"], - "4747": [["iam"], ["group", "change"], "removed-member-from-distribution-group"], - "4748": [["iam"], ["group", "deletion"], "deleted-distribution-group-account"], - "4749": [["iam"], ["group", "creation"], "added-distribution-group-account"], - "4750": [["iam"], ["group", "change"], "changed-distribution-group-account"], - "4751": [["iam"], ["group", "change"], "added-member-to-distribution-group"], - "4752": [["iam"], ["group", "change"], "removed-member-from-distribution-group"], - "4753": [["iam"], ["group", "deletion"], "deleted-distribution-group-account"], - "4754": [["iam"], ["group", "creation"], "added-group-account"], - "4755": [["iam"], ["group", "change"], "modified-group-account"], - "4756": [["iam"], ["group", "change"], "added-member-to-group"], - "4757": [["iam"], ["group", "change"], "removed-member-from-group"], - "4758": [["iam"], ["group", "deletion"], "deleted-group-account"], - "4759": [["iam"], ["group", "creation"], "added-distribution-group-account"], - "4760": [["iam"], ["group", "change"], "changed-distribution-group-account"], - "4761": [["iam"], ["group", "change"], "added-member-to-distribution-group"], - "4762": [["iam"], ["group", "change"], "removed-member-from-distribution-group"], - "4763": [["iam"], ["group", "deletion"], "deleted-distribution-group-account"], - "4764": [["iam"], ["group", "change"], "type-changed-group-account"], - "4767": [["iam"], ["user", "change"], "unlocked-user-account"], - "4768": [["authentication"], ["start"], "kerberos-authentication-ticket-requested"], - "4769": [["authentication"], ["start"], "kerberos-service-ticket-requested"], - "4770": [["authentication"], ["start"], "kerberos-service-ticket-renewed"], - "4771": [["authentication"], ["start"], "kerberos-preauth-failed"], - "4776": [["authentication"], ["start"], "credential-validated"], - "4778": [["authentication", "session"], ["start"], "session-reconnected"], - "4779": 
[["authentication", "session"], ["end"], "session-disconnected"], - "4781": [["iam"], ["user", "change"], "renamed-user-account"], - "4798": [["iam"], ["user", "info"], "group-membership-enumerated"], // process enumerates the local groups to which the specified user belongs - "4799": [["iam"], ["group", "info"], "user-member-enumerated"], // a process enumerates the members of the specified local group - "4817": [["iam", "configuration"], ["admin", "change"],"object-audit-changed"], - "4902": [["iam", "configuration"], ["admin", "creation"],"user-audit-policy-created"], - "4904": [["iam", "configuration"], ["admin", "change"],"security-event-source-added"], - "4905": [["iam", "configuration"], ["admin", "deletion"], "security-event-source-removed"], - "4906": [["iam", "configuration"], ["admin", "change"], "crash-on-audit-changed"], - "4907": [["iam", "configuration"], ["admin", "change"], "audit-setting-changed"], - "4908": [["iam", "configuration"], ["admin", "change"], "special-group-table-changed"], - "4912": [["iam", "configuration"], ["admin", "change"], "per-user-audit-policy-changed"], - "4950": [["configuration"], ["change"], "windows-firewall-setting-changed"], - "4954": [["configuration"], ["change"], "windows-firewall-group-policy-changed"], - "4964": [["iam"], ["admin", "group"], "logged-in-special"], - "5024": [["process"], ["start"], "windows-firewall-service-started"], - "5025": [["process"], ["end"], "windows-firewall-service-stopped"], - "5033": [["driver"], ["start"], "windows-firewall-driver-started"], - "5034": [["driver"], ["end"], "windows-firewall-driver-stopped"], - "5037": [["driver"], ["end"], "windows-firewall-driver-error"], - }; - // Services Types - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697 - var serviceTypes = { - "0x1": "Kernel Driver", - "0x2": "File System Driver", - "0x8": "Recognizer Driver", - "0x10": "Win32 Own Process", - "0x20": "Win32 Share Process", - "0x110": "Interactive 
Own Process", - "0x120": "Interactive Share Process", - }; - // Audit Categories Description - // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpac/77878370-0712-47cd-997d-b07053429f6d - var auditDescription = { - "0CCE9210-69AE-11D9-BED3-505054503030":["Security State Change", "System"], - "0CCE9211-69AE-11D9-BED3-505054503030":["Security System Extension", "System"], - "0CCE9212-69AE-11D9-BED3-505054503030":["System Integrity", "System"], - "0CCE9213-69AE-11D9-BED3-505054503030":["IPsec Driver", "System"], - "0CCE9214-69AE-11D9-BED3-505054503030":["Other System Events", "System"], - "0CCE9215-69AE-11D9-BED3-505054503030":["Logon", "Logon/Logoff"], - "0CCE9216-69AE-11D9-BED3-505054503030":["Logoff","Logon/Logoff"], - "0CCE9217-69AE-11D9-BED3-505054503030":["Account Lockout","Logon/Logoff"], - "0CCE9218-69AE-11D9-BED3-505054503030":["IPsec Main Mode","Logon/Logoff"], - "0CCE9219-69AE-11D9-BED3-505054503030":["IPsec Quick Mode","Logon/Logoff"], - "0CCE921A-69AE-11D9-BED3-505054503030":["IPsec Extended Mode","Logon/Logoff"], - "0CCE921B-69AE-11D9-BED3-505054503030":["Special Logon","Logon/Logoff"], - "0CCE921C-69AE-11D9-BED3-505054503030":["Other Logon/Logoff Events","Logon/Logoff"], - "0CCE9243-69AE-11D9-BED3-505054503030":["Network Policy Server","Logon/Logoff"], - "0CCE9247-69AE-11D9-BED3-505054503030":["User / Device Claims","Logon/Logoff"], - "0CCE921D-69AE-11D9-BED3-505054503030":["File System","Object Access"], - "0CCE921E-69AE-11D9-BED3-505054503030":["Registry","Object Access"], - "0CCE921F-69AE-11D9-BED3-505054503030":["Kernel Object","Object Access"], - "0CCE9220-69AE-11D9-BED3-505054503030":["SAM","Object Access"], - "0CCE9221-69AE-11D9-BED3-505054503030":["Certification Services","Object Access"], - "0CCE9222-69AE-11D9-BED3-505054503030":["Application Generated","Object Access"], - "0CCE9223-69AE-11D9-BED3-505054503030":["Handle Manipulation","Object Access"], - "0CCE9224-69AE-11D9-BED3-505054503030":["File Share","Object Access"], - 
"0CCE9225-69AE-11D9-BED3-505054503030":["Filtering Platform Packet Drop","Object Access"], - "0CCE9226-69AE-11D9-BED3-505054503030":["Filtering Platform Connection ","Object Access"], - "0CCE9227-69AE-11D9-BED3-505054503030":["Other Object Access Events","Object Access"], - "0CCE9244-69AE-11D9-BED3-505054503030":["Detailed File Share","Object Access"], - "0CCE9245-69AE-11D9-BED3-505054503030":["Removable Storage","Object Access"], - "0CCE9246-69AE-11D9-BED3-505054503030":["Central Policy Staging","Object Access"], - "0CCE9228-69AE-11D9-BED3-505054503030":["Sensitive Privilege Use","Privilege Use"], - "0CCE9229-69AE-11D9-BED3-505054503030":["Non Sensitive Privilege Use","Privilege Use"], - "0CCE922A-69AE-11D9-BED3-505054503030":["Other Privilege Use Events","Privilege Use"], - "0CCE922B-69AE-11D9-BED3-505054503030":["Process Creation","Detailed Tracking"], - "0CCE922C-69AE-11D9-BED3-505054503030":["Process Termination","Detailed Tracking"], - "0CCE922D-69AE-11D9-BED3-505054503030":["DPAPI Activity","Detailed Tracking"], - "0CCE922E-69AE-11D9-BED3-505054503030":["RPC Events","Detailed Tracking"], - "0CCE9248-69AE-11D9-BED3-505054503030":["Plug and Play Events","Detailed Tracking"], - "0CCE922F-69AE-11D9-BED3-505054503030":["Audit Policy Change","Policy Change"], - "0CCE9230-69AE-11D9-BED3-505054503030":["Authentication Policy Change","Policy Change"], - "0CCE9231-69AE-11D9-BED3-505054503030":["Authorization Policy Change","Policy Change"], - "0CCE9232-69AE-11D9-BED3-505054503030":["MPSSVC Rule-Level Policy Change","Policy Change"], - "0CCE9233-69AE-11D9-BED3-505054503030":["Filtering Platform Policy Change","Policy Change"], - "0CCE9234-69AE-11D9-BED3-505054503030":["Other Policy Change Events","Policy Change"], - "0CCE9235-69AE-11D9-BED3-505054503030":["User Account Management","Account Management"], - "0CCE9236-69AE-11D9-BED3-505054503030":["Computer Account Management","Account Management"], - "0CCE9237-69AE-11D9-BED3-505054503030":["Security Group 
Management","Account Management"], - "0CCE9238-69AE-11D9-BED3-505054503030":["Distribution Group Management","Account Management"], - "0CCE9239-69AE-11D9-BED3-505054503030":["Application Group Management","Account Management"], - "0CCE923A-69AE-11D9-BED3-505054503030":["Other Account Management Events","Account Management"], - "0CCE923B-69AE-11D9-BED3-505054503030":["Directory Service Access","Account Management"], - "0CCE923C-69AE-11D9-BED3-505054503030":["Directory Service Changes","Account Management"], - "0CCE923D-69AE-11D9-BED3-505054503030":["Directory Service Replication","Account Management"], - "0CCE923E-69AE-11D9-BED3-505054503030":["Detailed Directory Service Replication","Account Management"], - "0CCE923F-69AE-11D9-BED3-505054503030":["Credential Validation","Account Logon"], - "0CCE9240-69AE-11D9-BED3-505054503030":["Kerberos Service Ticket Operations","Account Logon"], - "0CCE9241-69AE-11D9-BED3-505054503030":["Other Account Logon Events","Account Logon"], - "0CCE9242-69AE-11D9-BED3-505054503030":["Kerberos Authentication Service","Account Logon"], - }; - // Descriptions of failure status codes. 
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625 - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776 - var logonFailureStatus = { - "0xc000005e": "There are currently no logon servers available to service the logon request.", - "0xc0000064": "User logon with misspelled or bad user account", - "0xc000006a": "User logon with misspelled or bad password", - "0xc000006d": "This is either due to a bad username or authentication information", - "0xc000006e": "Unknown user name or bad password.", - "0xc000006f": "User logon outside authorized hours", - "0xc0000070": "User logon from unauthorized workstation", - "0xc0000071": "User logon with expired password", - "0xc0000072": "User logon to account disabled by administrator", - "0xc00000dc": "Indicates the Sam Server was in the wrong state to perform the desired operation.", - "0xc0000133": "Clocks between DC and other computer too far out of sync", - "0xc000015b": "The user has not been granted the requested logon type (aka logon right) at this machine", - "0xc000018c": "The logon request failed because the trust relationship between the primary domain and the trusted domain failed.", - "0xc0000192": "An attempt was made to logon, but the Netlogon service was not started.", - "0xc0000193": "User logon with expired account", - "0xc0000224": "User is required to change password at next logon", - "0xc0000225": "Evidently a bug in Windows and not a risk", - "0xc0000234": "User logon with account locked", - "0xc00002ee": "Failure Reason: An Error occurred during Logon", - "0xc0000413": "Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine.", - "0xc0000371": "The local account store does not contain secret material for the specified account", - "0x0": "Status OK.", - }; - // Message table extracted from msobjs.dll on Windows 2019. 
- // https://gist.github.com/andrewkroh/665dca0682bd0e4daf194ab291694012 - var msobjsMessageTable = { - "279": "Undefined Access (no effect) Bit 7", - "1536": "Unused message ID", - "1537": "DELETE", - "1538": "READ_CONTROL", - "1539": "WRITE_DAC", - "1540": "WRITE_OWNER", - "1541": "SYNCHRONIZE", - "1542": "ACCESS_SYS_SEC", - "1543": "MAX_ALLOWED", - "1552": "Unknown specific access (bit 0)", - "1553": "Unknown specific access (bit 1)", - "1554": "Unknown specific access (bit 2)", - "1555": "Unknown specific access (bit 3)", - "1556": "Unknown specific access (bit 4)", - "1557": "Unknown specific access (bit 5)", - "1558": "Unknown specific access (bit 6)", - "1559": "Unknown specific access (bit 7)", - "1560": "Unknown specific access (bit 8)", - "1561": "Unknown specific access (bit 9)", - "1562": "Unknown specific access (bit 10)", - "1563": "Unknown specific access (bit 11)", - "1564": "Unknown specific access (bit 12)", - "1565": "Unknown specific access (bit 13)", - "1566": "Unknown specific access (bit 14)", - "1567": "Unknown specific access (bit 15)", - "1601": "Not used", - "1603": "Assign Primary Token Privilege", - "1604": "Lock Memory Privilege", - "1605": "Increase Memory Quota Privilege", - "1606": "Unsolicited Input Privilege", - "1607": "Trusted Computer Base Privilege", - "1608": "Security Privilege", - "1609": "Take Ownership Privilege", - "1610": "Load/Unload Driver Privilege", - "1611": "Profile System Privilege", - "1612": "Set System Time Privilege", - "1613": "Profile Single Process Privilege", - "1614": "Increment Base Priority Privilege", - "1615": "Create Pagefile Privilege", - "1616": "Create Permanent Object Privilege", - "1617": "Backup Privilege", - "1618": "Restore From Backup Privilege", - "1619": "Shutdown System Privilege", - "1620": "Debug Privilege", - "1621": "View or Change Audit Log Privilege", - "1622": "Change Hardware Environment Privilege", - "1623": "Change Notify (and Traverse) Privilege", - "1624": "Remotely Shut 
System Down Privilege", - "1792": "", - "1794": "", - "1795": "Enabled", - "1796": "Disabled", - "1797": "All", - "1798": "None", - "1799": "Audit Policy query/set API Operation", - "1800": "", - "1801": "Granted by", - "1802": "Denied by", - "1803": "Denied by Integrity Policy check", - "1804": "Granted by Ownership", - "1805": "Not granted", - "1806": "Granted by NULL DACL", - "1807": "Denied by Empty DACL", - "1808": "Granted by NULL Security Descriptor", - "1809": "Unknown or unchecked", - "1810": "Not granted due to missing", - "1811": "Granted by ACE on parent folder", - "1812": "Denied by ACE on parent folder", - "1813": "Granted by Central Access Rule", - "1814": "NOT Granted by Central Access Rule", - "1815": "Granted by parent folder's Central Access Rule", - "1816": "NOT Granted by parent folder's Central Access Rule", - "1817": "Unknown Type", - "1818": "String", - "1819": "Unsigned 64-bit Integer", - "1820": "64-bit Integer", - "1821": "FQBN", - "1822": "Blob", - "1823": "Sid", - "1824": "Boolean", - "1825": "TRUE", - "1826": "FALSE", - "1827": "Invalid", - "1828": "an ACE too long to display", - "1829": "a Security Descriptor too long to display", - "1830": "Not granted to AppContainers", - "1831": "...", - "1832": "Identification", - "1833": "Impersonation", - "1840": "Delegation", - "1841": "Denied by Process Trust Label ACE", - "1842": "Yes", - "1843": "No", - "1844": "System", - "1845": "Not Available", - "1846": "Default", - "1847": "DisallowMmConfig", - "1848": "Off", - "1849": "Auto", - "1872": "REG_NONE", - "1873": "REG_SZ", - "1874": "REG_EXPAND_SZ", - "1875": "REG_BINARY", - "1876": "REG_DWORD", - "1877": "REG_DWORD_BIG_ENDIAN", - "1878": "REG_LINK", - "1879": "REG_MULTI_SZ (New lines are replaced with *. 
A * is replaced with **)", - "1880": "REG_RESOURCE_LIST", - "1881": "REG_FULL_RESOURCE_DESCRIPTOR", - "1882": "REG_RESOURCE_REQUIREMENTS_LIST", - "1883": "REG_QWORD", - "1904": "New registry value created", - "1905": "Existing registry value modified", - "1906": "Registry value deleted", - "1920": "Sunday", - "1921": "Monday", - "1922": "Tuesday", - "1923": "Wednesday", - "1924": "Thursday", - "1925": "Friday", - "1926": "Saturday", - "1936": "TokenElevationTypeDefault (1)", - "1937": "TokenElevationTypeFull (2)", - "1938": "TokenElevationTypeLimited (3)", - "2048": "Account Enabled", - "2049": "Home Directory Required' - Disabled", - "2050": "Password Not Required' - Disabled", - "2051": "Temp Duplicate Account' - Disabled", - "2052": "Normal Account' - Disabled", - "2053": "MNS Logon Account' - Disabled", - "2054": "Interdomain Trust Account' - Disabled", - "2055": "Workstation Trust Account' - Disabled", - "2056": "Server Trust Account' - Disabled", - "2057": "Don't Expire Password' - Disabled", - "2058": "Account Unlocked", - "2059": "Encrypted Text Password Allowed' - Disabled", - "2060": "Smartcard Required' - Disabled", - "2061": "Trusted For Delegation' - Disabled", - "2062": "Not Delegated' - Disabled", - "2063": "Use DES Key Only' - Disabled", - "2064": "Don't Require Preauth' - Disabled", - "2065": "Password Expired' - Disabled", - "2066": "Trusted To Authenticate For Delegation' - Disabled", - "2067": "Exclude Authorization Information' - Disabled", - "2068": "Undefined UserAccountControl Bit 20' - Disabled", - "2069": "Protect Kerberos Service Tickets with AES Keys' - Disabled", - "2070": "Undefined UserAccountControl Bit 22' - Disabled", - "2071": "Undefined UserAccountControl Bit 23' - Disabled", - "2072": "Undefined UserAccountControl Bit 24' - Disabled", - "2073": "Undefined UserAccountControl Bit 25' - Disabled", - "2074": "Undefined UserAccountControl Bit 26' - Disabled", - "2075": "Undefined UserAccountControl Bit 27' - Disabled", - "2076": 
"Undefined UserAccountControl Bit 28' - Disabled",
- "2077": "Undefined UserAccountControl Bit 29' - Disabled",
- "2078": "Undefined UserAccountControl Bit 30' - Disabled",
- "2079": "Undefined UserAccountControl Bit 31' - Disabled",
- "2080": "Account Disabled",
- "2081": "Home Directory Required' - Enabled",
- "2082": "Password Not Required' - Enabled",
- "2083": "Temp Duplicate Account' - Enabled",
- "2084": "Normal Account' - Enabled",
- "2085": "MNS Logon Account' - Enabled",
- "2086": "Interdomain Trust Account' - Enabled",
- "2087": "Workstation Trust Account' - Enabled",
- "2088": "Server Trust Account' - Enabled",
- "2089": "Don't Expire Password' - Enabled",
- "2090": "Account Locked",
- "2091": "Encrypted Text Password Allowed' - Enabled",
- "2092": "Smartcard Required' - Enabled",
- "2093": "Trusted For Delegation' - Enabled",
- "2094": "Not Delegated' - Enabled",
- "2095": "Use DES Key Only' - Enabled",
- "2096": "Don't Require Preauth' - Enabled",
- "2097": "Password Expired' - Enabled",
- "2098": "Trusted To Authenticate For Delegation' - Enabled",
- "2099": "Exclude Authorization Information' - Enabled",
- "2100": "Undefined UserAccountControl Bit 20' - Enabled",
- "2101": "Protect Kerberos Service Tickets with AES Keys' - Enabled",
- "2102": "Undefined UserAccountControl Bit 22' - Enabled",
- "2103": "Undefined UserAccountControl Bit 23' - Enabled",
- "2104": "Undefined UserAccountControl Bit 24' - Enabled",
- "2105": "Undefined UserAccountControl Bit 25' - Enabled",
- "2106": "Undefined UserAccountControl Bit 26' - Enabled",
- "2107": "Undefined UserAccountControl Bit 27' - Enabled",
- "2108": "Undefined UserAccountControl Bit 28' - Enabled",
- "2109": "Undefined UserAccountControl Bit 29' - Enabled",
- "2110": "Undefined UserAccountControl Bit 30' - Enabled",
- "2111": "Undefined UserAccountControl Bit 31' - Enabled",
- "2304": "An Error occured during Logon.",
- "2305": "The specified user account has expired.",
- "2306": "The NetLogon component 
is not active.",
- "2307": "Account locked out.",
- "2308": "The user has not been granted the requested logon type at this machine.",
- "2309": "The specified account's password has expired.",
- "2310": "Account currently disabled.",
- "2311": "Account logon time restriction violation.",
- "2312": "User not allowed to logon at this computer.",
- "2313": "Unknown user name or bad password.",
- "2314": "Domain sid inconsistent.",
- "2315": "Smartcard logon is required and was not used.",
- "2432": "Not Available.",
- "2436": "Random number generator failure.",
- "2437": "Random number generation failed FIPS-140 pre-hash check.",
- "2438": "Failed to zero secret data.",
- "2439": "Key failed pair wise consistency check.",
- "2448": "Failed to unprotect persistent cryptographic key.",
- "2449": "Key export checks failed.",
- "2450": "Validation of public key failed.",
- "2451": "Signature verification failed.",
- "2456": "Open key file.",
- "2457": "Delete key file.",
- "2458": "Read persisted key from file.",
- "2459": "Write persisted key to file.",
- "2464": "Export of persistent cryptographic key.",
- "2465": "Import of persistent cryptographic key.",
- "2480": "Open Key.",
- "2481": "Create Key.",
- "2482": "Delete Key.",
- "2483": "Encrypt.",
- "2484": "Decrypt.",
- "2485": "Sign hash.",
- "2486": "Secret agreement.",
- "2487": "Domain settings",
- "2488": "Local settings",
- "2489": "Add provider.",
- "2490": "Remove provider.",
- "2491": "Add context.",
- "2492": "Remove context.",
- "2493": "Add function.",
- "2494": "Remove function.",
- "2495": "Add function provider.",
- "2496": "Remove function provider.",
- "2497": "Add function property.",
- "2498": "Remove function property.",
- "2499": "Machine key.",
- "2500": "User key.",
- "2501": "Key Derivation.",
- "4352": "Device Access Bit 0",
- "4353": "Device Access Bit 1",
- "4354": "Device Access Bit 2",
- "4355": "Device Access Bit 3",
- "4356": "Device Access Bit 4",
- "4357": "Device Access Bit 5",
- 
"4358": "Device Access Bit 6",
- "4359": "Device Access Bit 7",
- "4360": "Device Access Bit 8",
- "4361": "Undefined Access (no effect) Bit 9",
- "4362": "Undefined Access (no effect) Bit 10",
- "4363": "Undefined Access (no effect) Bit 11",
- "4364": "Undefined Access (no effect) Bit 12",
- "4365": "Undefined Access (no effect) Bit 13",
- "4366": "Undefined Access (no effect) Bit 14",
- "4367": "Undefined Access (no effect) Bit 15",
- "4368": "Query directory",
- "4369": "Traverse",
- "4370": "Create object in directory",
- "4371": "Create sub-directory",
- "4372": "Undefined Access (no effect) Bit 4",
- "4373": "Undefined Access (no effect) Bit 5",
- "4374": "Undefined Access (no effect) Bit 6",
- "4375": "Undefined Access (no effect) Bit 7",
- "4376": "Undefined Access (no effect) Bit 8",
- "4377": "Undefined Access (no effect) Bit 9",
- "4378": "Undefined Access (no effect) Bit 10",
- "4379": "Undefined Access (no effect) Bit 11",
- "4380": "Undefined Access (no effect) Bit 12",
- "4381": "Undefined Access (no effect) Bit 13",
- "4382": "Undefined Access (no effect) Bit 14",
- "4383": "Undefined Access (no effect) Bit 15",
- "4384": "Query event state",
- "4385": "Modify event state",
- "4386": "Undefined Access (no effect) Bit 2",
- "4387": "Undefined Access (no effect) Bit 3",
- "4388": "Undefined Access (no effect) Bit 4",
- "4389": "Undefined Access (no effect) Bit 5",
- "4390": "Undefined Access (no effect) Bit 6",
- "4391": "Undefined Access (no effect) Bit 7",
- "4392": "Undefined Access (no effect) Bit 8",
- "4393": "Undefined Access (no effect) Bit 9",
- "4394": "Undefined Access (no effect) Bit 10",
- "4395": "Undefined Access (no effect) Bit 11",
- "4396": "Undefined Access (no effect) Bit 12",
- "4397": "Undefined Access (no effect) Bit 13",
- "4398": "Undefined Access (no effect) Bit 14",
- "4399": "Undefined Access (no effect) Bit 15",
- "4416": "ReadData (or ListDirectory)",
- "4417": "WriteData (or AddFile)",
- "4418": "AppendData (or 
AddSubdirectory or CreatePipeInstance)",
- "4419": "ReadEA",
- "4420": "WriteEA",
- "4421": "Execute/Traverse",
- "4422": "DeleteChild",
- "4423": "ReadAttributes",
- "4424": "WriteAttributes",
- "4425": "Undefined Access (no effect) Bit 9",
- "4426": "Undefined Access (no effect) Bit 10",
- "4427": "Undefined Access (no effect) Bit 11",
- "4428": "Undefined Access (no effect) Bit 12",
- "4429": "Undefined Access (no effect) Bit 13",
- "4430": "Undefined Access (no effect) Bit 14",
- "4431": "Undefined Access (no effect) Bit 15",
- "4432": "Query key value",
- "4433": "Set key value",
- "4434": "Create sub-key",
- "4435": "Enumerate sub-keys",
- "4436": "Notify about changes to keys",
- "4437": "Create Link",
- "4438": "Undefined Access (no effect) Bit 6",
- "4439": "Undefined Access (no effect) Bit 7",
- "4440": "Enable 64(or 32) bit application to open 64 bit key",
- "4441": "Enable 64(or 32) bit application to open 32 bit key",
- "4442": "Undefined Access (no effect) Bit 10",
- "4443": "Undefined Access (no effect) Bit 11",
- "4444": "Undefined Access (no effect) Bit 12",
- "4445": "Undefined Access (no effect) Bit 13",
- "4446": "Undefined Access (no effect) Bit 14",
- "4447": "Undefined Access (no effect) Bit 15",
- "4448": "Query mutant state",
- "4449": "Undefined Access (no effect) Bit 1",
- "4450": "Undefined Access (no effect) Bit 2",
- "4451": "Undefined Access (no effect) Bit 3",
- "4452": "Undefined Access (no effect) Bit 4",
- "4453": "Undefined Access (no effect) Bit 5",
- "4454": "Undefined Access (no effect) Bit 6",
- "4455": "Undefined Access (no effect) Bit 7",
- "4456": "Undefined Access (no effect) Bit 8",
- "4457": "Undefined Access (no effect) Bit 9",
- "4458": "Undefined Access (no effect) Bit 10",
- "4459": "Undefined Access (no effect) Bit 11",
- "4460": "Undefined Access (no effect) Bit 12",
- "4461": "Undefined Access (no effect) Bit 13",
- "4462": "Undefined Access (no effect) Bit 14",
- "4463": "Undefined Access (no effect) Bit 15",
- 
"4464": "Communicate using port",
- "4465": "Undefined Access (no effect) Bit 1",
- "4466": "Undefined Access (no effect) Bit 2",
- "4467": "Undefined Access (no effect) Bit 3",
- "4468": "Undefined Access (no effect) Bit 4",
- "4469": "Undefined Access (no effect) Bit 5",
- "4470": "Undefined Access (no effect) Bit 6",
- "4471": "Undefined Access (no effect) Bit 7",
- "4472": "Undefined Access (no effect) Bit 8",
- "4473": "Undefined Access (no effect) Bit 9",
- "4474": "Undefined Access (no effect) Bit 10",
- "4475": "Undefined Access (no effect) Bit 11",
- "4476": "Undefined Access (no effect) Bit 12",
- "4477": "Undefined Access (no effect) Bit 13",
- "4478": "Undefined Access (no effect) Bit 14",
- "4479": "Undefined Access (no effect) Bit 15",
- "4480": "Force process termination",
- "4481": "Create new thread in process",
- "4482": "Set process session ID",
- "4483": "Perform virtual memory operation",
- "4484": "Read from process memory",
- "4485": "Write to process memory",
- "4486": "Duplicate handle into or out of process",
- "4487": "Create a subprocess of process",
- "4488": "Set process quotas",
- "4489": "Set process information",
- "4490": "Query process information",
- "4491": "Set process termination port",
- "4492": "Undefined Access (no effect) Bit 12",
- "4493": "Undefined Access (no effect) Bit 13",
- "4494": "Undefined Access (no effect) Bit 14",
- "4495": "Undefined Access (no effect) Bit 15",
- "4496": "Control profile",
- "4497": "Undefined Access (no effect) Bit 1",
- "4498": "Undefined Access (no effect) Bit 2",
- "4499": "Undefined Access (no effect) Bit 3",
- "4500": "Undefined Access (no effect) Bit 4",
- "4501": "Undefined Access (no effect) Bit 5",
- "4502": "Undefined Access (no effect) Bit 6",
- "4503": "Undefined Access (no effect) Bit 7",
- "4504": "Undefined Access (no effect) Bit 8",
- "4505": "Undefined Access (no effect) Bit 9",
- "4506": "Undefined Access (no effect) Bit 10",
- "4507": "Undefined Access (no effect) Bit 11",
- "4508": "Undefined Access (no effect) Bit 12",
- "4509": "Undefined Access (no effect) Bit 13",
- "4510": "Undefined Access (no effect) Bit 14",
- "4511": "Undefined Access (no effect) Bit 15",
- "4512": "Query section state",
- "4513": "Map section for write",
- "4514": "Map section for read",
- "4515": "Map section for execute",
- "4516": "Extend size",
- "4517": "Undefined Access (no effect) Bit 5",
- "4518": "Undefined Access (no effect) Bit 6",
- "4519": "Undefined Access (no effect) Bit 7",
- "4520": "Undefined Access (no effect) Bit 8",
- "4521": "Undefined Access (no effect) Bit 9",
- "4522": "Undefined Access (no effect) Bit 10",
- "4523": "Undefined Access (no effect) Bit 11",
- "4524": "Undefined Access (no effect) Bit 12",
- "4525": "Undefined Access (no effect) Bit 13",
- "4526": "Undefined Access (no effect) Bit 14",
- "4527": "Undefined Access (no effect) Bit 15",
- "4528": "Query semaphore state",
- "4529": "Modify semaphore state",
- "4530": "Undefined Access (no effect) Bit 2",
- "4531": "Undefined Access (no effect) Bit 3",
- "4532": "Undefined Access (no effect) Bit 4",
- "4533": "Undefined Access (no effect) Bit 5",
- "4534": "Undefined Access (no effect) Bit 6",
- "4535": "Undefined Access (no effect) Bit 7",
- "4536": "Undefined Access (no effect) Bit 8",
- "4537": "Undefined Access (no effect) Bit 9",
- "4538": "Undefined Access (no effect) Bit 10",
- "4539": "Undefined Access (no effect) Bit 11",
- "4540": "Undefined Access (no effect) Bit 12",
- "4541": "Undefined Access (no effect) Bit 13",
- "4542": "Undefined Access (no effect) Bit 14",
- "4543": "Undefined Access (no effect) Bit 15",
- "4544": "Use symbolic link",
- "4545": "Undefined Access (no effect) Bit 1",
- "4546": "Undefined Access (no effect) Bit 2",
- "4547": "Undefined Access (no effect) Bit 3",
- "4548": "Undefined Access (no effect) Bit 4",
- "4549": "Undefined Access (no effect) Bit 5",
- "4550": "Undefined Access (no effect) Bit 6",
- "4551": "Undefined Access (no 
effect) Bit 7",
- "4552": "Undefined Access (no effect) Bit 8",
- "4553": "Undefined Access (no effect) Bit 9",
- "4554": "Undefined Access (no effect) Bit 10",
- "4555": "Undefined Access (no effect) Bit 11",
- "4556": "Undefined Access (no effect) Bit 12",
- "4557": "Undefined Access (no effect) Bit 13",
- "4558": "Undefined Access (no effect) Bit 14",
- "4559": "Undefined Access (no effect) Bit 15",
- "4560": "Force thread termination",
- "4561": "Suspend or resume thread",
- "4562": "Send an alert to thread",
- "4563": "Get thread context",
- "4564": "Set thread context",
- "4565": "Set thread information",
- "4566": "Query thread information",
- "4567": "Assign a token to the thread",
- "4568": "Cause thread to directly impersonate another thread",
- "4569": "Directly impersonate this thread",
- "4570": "Undefined Access (no effect) Bit 10",
- "4571": "Undefined Access (no effect) Bit 11",
- "4572": "Undefined Access (no effect) Bit 12",
- "4573": "Undefined Access (no effect) Bit 13",
- "4574": "Undefined Access (no effect) Bit 14",
- "4575": "Undefined Access (no effect) Bit 15",
- "4576": "Query timer state",
- "4577": "Modify timer state",
- "4578": "Undefined Access (no effect) Bit 2",
- "4579": "Undefined Access (no effect) Bit 3",
- "4580": "Undefined Access (no effect) Bit 4",
- "4581": "Undefined Access (no effect) Bit 5",
- "4582": "Undefined Access (no effect) Bit 6",
- "4584": "Undefined Access (no effect) Bit 8",
- "4585": "Undefined Access (no effect) Bit 9",
- "4586": "Undefined Access (no effect) Bit 10",
- "4587": "Undefined Access (no effect) Bit 11",
- "4588": "Undefined Access (no effect) Bit 12",
- "4589": "Undefined Access (no effect) Bit 13",
- "4590": "Undefined Access (no effect) Bit 14",
- "4591": "Undefined Access (no effect) Bit 15",
- "4592": "AssignAsPrimary",
- "4593": "Duplicate",
- "4594": "Impersonate",
- "4595": "Query",
- "4596": "QuerySource",
- "4597": "AdjustPrivileges",
- "4598": "AdjustGroups",
- "4599": 
"AdjustDefaultDacl",
- "4600": "AdjustSessionID",
- "4601": "Undefined Access (no effect) Bit 9",
- "4602": "Undefined Access (no effect) Bit 10",
- "4603": "Undefined Access (no effect) Bit 11",
- "4604": "Undefined Access (no effect) Bit 12",
- "4605": "Undefined Access (no effect) Bit 13",
- "4606": "Undefined Access (no effect) Bit 14",
- "4607": "Undefined Access (no effect) Bit 15",
- "4608": "Create instance of object type",
- "4609": "Undefined Access (no effect) Bit 1",
- "4610": "Undefined Access (no effect) Bit 2",
- "4611": "Undefined Access (no effect) Bit 3",
- "4612": "Undefined Access (no effect) Bit 4",
- "4613": "Undefined Access (no effect) Bit 5",
- "4614": "Undefined Access (no effect) Bit 6",
- "4615": "Undefined Access (no effect) Bit 7",
- "4616": "Undefined Access (no effect) Bit 8",
- "4617": "Undefined Access (no effect) Bit 9",
- "4618": "Undefined Access (no effect) Bit 10",
- "4619": "Undefined Access (no effect) Bit 11",
- "4620": "Undefined Access (no effect) Bit 12",
- "4621": "Undefined Access (no effect) Bit 13",
- "4622": "Undefined Access (no effect) Bit 14",
- "4623": "Undefined Access (no effect) Bit 15",
- "4864": "Query State",
- "4865": "Modify State",
- "5120": "Channel read message",
- "5121": "Channel write message",
- "5122": "Channel query information",
- "5123": "Channel set information",
- "5124": "Undefined Access (no effect) Bit 4",
- "5125": "Undefined Access (no effect) Bit 5",
- "5126": "Undefined Access (no effect) Bit 6",
- "5127": "Undefined Access (no effect) Bit 7",
- "5128": "Undefined Access (no effect) Bit 8",
- "5129": "Undefined Access (no effect) Bit 9",
- "5130": "Undefined Access (no effect) Bit 10",
- "5131": "Undefined Access (no effect) Bit 11",
- "5132": "Undefined Access (no effect) Bit 12",
- "5133": "Undefined Access (no effect) Bit 13",
- "5134": "Undefined Access (no effect) Bit 14",
- "5135": "Undefined Access (no effect) Bit 15",
- "5136": "Assign process",
- "5137": "Set Attributes",
- 
"5138": "Query Attributes",
- "5139": "Terminate Job",
- "5140": "Set Security Attributes",
- "5141": "Undefined Access (no effect) Bit 5",
- "5142": "Undefined Access (no effect) Bit 6",
- "5143": "Undefined Access (no effect) Bit 7",
- "5144": "Undefined Access (no effect) Bit 8",
- "5145": "Undefined Access (no effect) Bit 9",
- "5146": "Undefined Access (no effect) Bit 10",
- "5147": "Undefined Access (no effect) Bit 11",
- "5148": "Undefined Access (no effect) Bit 12",
- "5149": "Undefined Access (no effect) Bit 13",
- "5150": "Undefined Access (no effect) Bit 14",
- "5151": "Undefined Access (no effect) Bit 15",
- "5376": "ConnectToServer",
- "5377": "ShutdownServer",
- "5378": "InitializeServer",
- "5379": "CreateDomain",
- "5380": "EnumerateDomains",
- "5381": "LookupDomain",
- "5382": "Undefined Access (no effect) Bit 6",
- "5383": "Undefined Access (no effect) Bit 7",
- "5384": "Undefined Access (no effect) Bit 8",
- "5385": "Undefined Access (no effect) Bit 9",
- "5386": "Undefined Access (no effect) Bit 10",
- "5387": "Undefined Access (no effect) Bit 11",
- "5388": "Undefined Access (no effect) Bit 12",
- "5389": "Undefined Access (no effect) Bit 13",
- "5390": "Undefined Access (no effect) Bit 14",
- "5391": "Undefined Access (no effect) Bit 15",
- "5392": "ReadPasswordParameters",
- "5393": "WritePasswordParameters",
- "5394": "ReadOtherParameters",
- "5395": "WriteOtherParameters",
- "5396": "CreateUser",
- "5397": "CreateGlobalGroup",
- "5398": "CreateLocalGroup",
- "5399": "GetLocalGroupMembership",
- "5400": "ListAccounts",
- "5401": "LookupIDs",
- "5402": "AdministerServer",
- "5403": "Undefined Access (no effect) Bit 11",
- "5404": "Undefined Access (no effect) Bit 12",
- "5405": "Undefined Access (no effect) Bit 13",
- "5406": "Undefined Access (no effect) Bit 14",
- "5407": "Undefined Access (no effect) Bit 15",
- "5408": "ReadInformation",
- "5409": "WriteAccount",
- "5410": "AddMember",
- "5411": "RemoveMember",
- "5412": "ListMembers",
- 
"5413": "Undefined Access (no effect) Bit 5",
- "5414": "Undefined Access (no effect) Bit 6",
- "5415": "Undefined Access (no effect) Bit 7",
- "5416": "Undefined Access (no effect) Bit 8",
- "5417": "Undefined Access (no effect) Bit 9",
- "5418": "Undefined Access (no effect) Bit 10",
- "5419": "Undefined Access (no effect) Bit 11",
- "5420": "Undefined Access (no effect) Bit 12",
- "5421": "Undefined Access (no effect) Bit 13",
- "5422": "Undefined Access (no effect) Bit 14",
- "5423": "Undefined Access (no effect) Bit 15",
- "5424": "AddMember",
- "5425": "RemoveMember",
- "5426": "ListMembers",
- "5427": "ReadInformation",
- "5428": "WriteAccount",
- "5429": "Undefined Access (no effect) Bit 5",
- "5430": "Undefined Access (no effect) Bit 6",
- "5431": "Undefined Access (no effect) Bit 7",
- "5432": "Undefined Access (no effect) Bit 8",
- "5433": "Undefined Access (no effect) Bit 9",
- "5434": "Undefined Access (no effect) Bit 10",
- "5435": "Undefined Access (no effect) Bit 11",
- "5436": "Undefined Access (no effect) Bit 12",
- "5437": "Undefined Access (no effect) Bit 13",
- "5438": "Undefined Access (no effect) Bit 14",
- "5439": "Undefined Access (no effect) Bit 15",
- "5440": "ReadGeneralInformation",
- "5441": "ReadPreferences",
- "5442": "WritePreferences",
- "5443": "ReadLogon",
- "5444": "ReadAccount",
- "5445": "WriteAccount",
- "5446": "ChangePassword (with knowledge of old password)",
- "5447": "SetPassword (without knowledge of old password)",
- "5448": "ListGroups",
- "5449": "ReadGroupMembership",
- "5450": "ChangeGroupMembership",
- "5451": "Undefined Access (no effect) Bit 11",
- "5452": "Undefined Access (no effect) Bit 12",
- "5453": "Undefined Access (no effect) Bit 13",
- "5454": "Undefined Access (no effect) Bit 14",
- "5455": "Undefined Access (no effect) Bit 15",
- "5632": "View non-sensitive policy information",
- "5633": "View system audit requirements",
- "5634": "Get sensitive policy information",
- "5635": "Modify domain trust 
relationships",
- "5636": "Create special accounts (for assignment of user rights)",
- "5637": "Create a secret object",
- "5638": "Create a privilege",
- "5639": "Set default quota limits",
- "5640": "Change system audit requirements",
- "5641": "Administer audit log attributes",
- "5642": "Enable/Disable LSA",
- "5643": "Lookup Names/SIDs",
- "5648": "Change secret value",
- "5649": "Query secret value",
- "5650": "Undefined Access (no effect) Bit 2",
- "5651": "Undefined Access (no effect) Bit 3",
- "5652": "Undefined Access (no effect) Bit 4",
- "5653": "Undefined Access (no effect) Bit 5",
- "5654": "Undefined Access (no effect) Bit 6",
- "5655": "Undefined Access (no effect) Bit 7",
- "5656": "Undefined Access (no effect) Bit 8",
- "5657": "Undefined Access (no effect) Bit 9",
- "5658": "Undefined Access (no effect) Bit 10",
- "5659": "Undefined Access (no effect) Bit 11",
- "5660": "Undefined Access (no effect) Bit 12",
- "5661": "Undefined Access (no effect) Bit 13",
- "5662": "Undefined Access (no effect) Bit 14",
- "5663": "Undefined Access (no effect) Bit 15",
- "5664": "Query trusted domain name/SID",
- "5665": "Retrieve the controllers in the trusted domain",
- "5666": "Change the controllers in the trusted domain",
- "5667": "Query the Posix ID offset assigned to the trusted domain",
- "5668": "Change the Posix ID offset assigned to the trusted domain",
- "5669": "Undefined Access (no effect) Bit 5",
- "5670": "Undefined Access (no effect) Bit 6",
- "5671": "Undefined Access (no effect) Bit 7",
- "5672": "Undefined Access (no effect) Bit 8",
- "5673": "Undefined Access (no effect) Bit 9",
- "5674": "Undefined Access (no effect) Bit 10",
- "5675": "Undefined Access (no effect) Bit 11",
- "5676": "Undefined Access (no effect) Bit 12",
- "5677": "Undefined Access (no effect) Bit 13",
- "5678": "Undefined Access (no effect) Bit 14",
- "5679": "Undefined Access (no effect) Bit 15",
- "5680": "Query account information",
- "5681": "Change privileges 
assigned to account",
- "5682": "Change quotas assigned to account",
- "5683": "Change logon capabilities assigned to account",
- "5684": "Change the Posix ID offset assigned to the accounted domain",
- "5685": "Undefined Access (no effect) Bit 5",
- "5686": "Undefined Access (no effect) Bit 6",
- "5687": "Undefined Access (no effect) Bit 7",
- "5688": "Undefined Access (no effect) Bit 8",
- "5689": "Undefined Access (no effect) Bit 9",
- "5690": "Undefined Access (no effect) Bit 10",
- "5691": "Undefined Access (no effect) Bit 11",
- "5692": "Undefined Access (no effect) Bit 12",
- "5693": "Undefined Access (no effect) Bit 13",
- "5694": "Undefined Access (no effect) Bit 14",
- "5695": "Undefined Access (no effect) Bit 15",
- "5696": "KeyedEvent Wait",
- "5697": "KeyedEvent Wake",
- "5698": "Undefined Access (no effect) Bit 2",
- "5699": "Undefined Access (no effect) Bit 3",
- "5700": "Undefined Access (no effect) Bit 4",
- "5701": "Undefined Access (no effect) Bit 5",
- "5702": "Undefined Access (no effect) Bit 6",
- "5703": "Undefined Access (no effect) Bit 7",
- "5704": "Undefined Access (no effect) Bit 8",
- "5705": "Undefined Access (no effect) Bit 9",
- "5706": "Undefined Access (no effect) Bit 10",
- "5707": "Undefined Access (no effect) Bit 11",
- "5708": "Undefined Access (no effect) Bit 12",
- "5709": "Undefined Access (no effect) Bit 13",
- "5710": "Undefined Access (no effect) Bit 14",
- "5711": "Undefined Access (no effect) Bit 15",
- "6656": "Enumerate desktops",
- "6657": "Read attributes",
- "6658": "Access Clipboard",
- "6659": "Create desktop",
- "6660": "Write attributes",
- "6661": "Access global atoms",
- "6662": "Exit windows",
- "6663": "Unused Access Flag",
- "6664": "Include this windowstation in enumerations",
- "6665": "Read screen",
- "6672": "Read Objects",
- "6673": "Create window",
- "6674": "Create menu",
- "6675": "Hook control",
- "6676": "Journal (record)",
- "6677": "Journal (playback)",
- "6678": "Include this desktop in 
enumerations",
- "6679": "Write objects",
- "6680": "Switch to this desktop",
- "6912": "Administer print server",
- "6913": "Enumerate printers",
- "6930": "Full Control",
- "6931": "Print",
- "6948": "Administer Document",
- "7168": "Connect to service controller",
- "7169": "Create a new service",
- "7170": "Enumerate services",
- "7171": "Lock service database for exclusive access",
- "7172": "Query service database lock state",
- "7173": "Set last-known-good state of service database",
- "7184": "Query service configuration information",
- "7185": "Set service configuration information",
- "7186": "Query status of service",
- "7187": "Enumerate dependencies of service",
- "7188": "Start the service",
- "7189": "Stop the service",
- "7190": "Pause or continue the service",
- "7191": "Query information from service",
- "7192": "Issue service-specific control commands",
- "7424": "DDE Share Read",
- "7425": "DDE Share Write",
- "7426": "DDE Share Initiate Static",
- "7427": "DDE Share Initiate Link",
- "7428": "DDE Share Request",
- "7429": "DDE Share Advise",
- "7430": "DDE Share Poke",
- "7431": "DDE Share Execute",
- "7432": "DDE Share Add Items",
- "7433": "DDE Share List Items",
- "7680": "Create Child",
- "7681": "Delete Child",
- "7682": "List Contents",
- "7683": "Write Self",
- "7684": "Read Property",
- "7685": "Write Property",
- "7686": "Delete Tree",
- "7687": "List Object",
- "7688": "Control Access",
- "7689": "Undefined Access (no effect) Bit 9",
- "7690": "Undefined Access (no effect) Bit 10",
- "7691": "Undefined Access (no effect) Bit 11",
- "7692": "Undefined Access (no effect) Bit 12",
- "7693": "Undefined Access (no effect) Bit 13",
- "7694": "Undefined Access (no effect) Bit 14",
- "7695": "Undefined Access (no effect) Bit 15",
- "7936": "Audit Set System Policy",
- "7937": "Audit Query System Policy",
- "7938": "Audit Set Per User Policy",
- "7939": "Audit Query Per User Policy",
- "7940": "Audit Enumerate Users",
- "7941": "Audit Set 
Options",
- "7942": "Audit Query Options",
- "8064": "Port sharing (read)",
- "8065": "Port sharing (write)",
- "8096": "Default credentials",
- "8097": "Credentials manager",
- "8098": "Fresh credentials",
- "8192": "Kerberos",
- "8193": "Preshared key",
- "8194": "Unknown authentication",
- "8195": "DES",
- "8196": "3DES",
- "8197": "MD5",
- "8198": "SHA1",
- "8199": "Local computer",
- "8200": "Remote computer",
- "8201": "No state",
- "8202": "Sent first (SA) payload",
- "8203": "Sent second (KE) payload",
- "8204": "Sent third (ID) payload",
- "8205": "Initiator",
- "8206": "Responder",
- "8207": "No state",
- "8208": "Sent first (SA) payload",
- "8209": "Sent final payload",
- "8210": "Complete",
- "8211": "Unknown",
- "8212": "Transport",
- "8213": "Tunnel",
- "8214": "IKE/AuthIP DoS prevention mode started",
- "8215": "IKE/AuthIP DoS prevention mode stopped",
- "8216": "Enabled",
- "8217": "Not enabled",
- "8218": "No state",
- "8219": "Sent first (EM attributes) payload",
- "8220": "Sent second (SSPI) payload",
- "8221": "Sent third (hash) payload",
- "8222": "IKEv1",
- "8223": "AuthIP",
- "8224": "Anonymous",
- "8225": "NTLM V2",
- "8226": "CGA",
- "8227": "Certificate",
- "8228": "SSL",
- "8229": "None",
- "8230": "DH group 1",
- "8231": "DH group 2",
- "8232": "DH group 14",
- "8233": "DH group ECP 256",
- "8234": "DH group ECP 384",
- "8235": "AES-128",
- "8236": "AES-192",
- "8237": "AES-256",
- "8238": "Certificate ECDSA P256",
- "8239": "Certificate ECDSA P384",
- "8240": "SSL ECDSA P256",
- "8241": "SSL ECDSA P384",
- "8242": "SHA 256",
- "8243": "SHA 384",
- "8244": "IKEv2",
- "8245": "EAP payload sent",
- "8246": "Authentication payload sent",
- "8247": "EAP",
- "8248": "DH group 24",
- "8272": "System",
- "8273": "Logon/Logoff",
- "8274": "Object Access",
- "8275": "Privilege Use",
- "8276": "Detailed Tracking",
- "8277": "Policy Change",
- "8278": "Account Management",
- "8279": "DS Access",
- "8280": "Account Logon",
- "8448": "Success 
removed",
- "8449": "Success Added",
- "8450": "Failure removed",
- "8451": "Failure Added",
- "8452": "Success include removed",
- "8453": "Success include added",
- "8454": "Success exclude removed",
- "8455": "Success exclude added",
- "8456": "Failure include removed",
- "8457": "Failure include added",
- "8458": "Failure exclude removed",
- "8459": "Failure exclude added",
- "12288": "Security State Change",
- "12289": "Security System Extension",
- "12290": "System Integrity",
- "12291": "IPsec Driver",
- "12292": "Other System Events",
- "12544": "Logon",
- "12545": "Logoff",
- "12546": "Account Lockout",
- "12547": "IPsec Main Mode",
- "12548": "Special Logon",
- "12549": "IPsec Quick Mode",
- "12550": "IPsec Extended Mode",
- "12551": "Other Logon/Logoff Events",
- "12552": "Network Policy Server",
- "12553": "User / Device Claims",
- "12554": "Group Membership",
- "12800": "File System",
- "12801": "Registry",
- "12802": "Kernel Object",
- "12803": "SAM",
- "12804": "Other Object Access Events",
- "12805": "Certification Services",
- "12806": "Application Generated",
- "12807": "Handle Manipulation",
- "12808": "File Share",
- "12809": "Filtering Platform Packet Drop",
- "12810": "Filtering Platform Connection",
- "12811": "Detailed File Share",
- "12812": "Removable Storage",
- "12813": "Central Policy Staging",
- "13056": "Sensitive Privilege Use",
- "13057": "Non Sensitive Privilege Use",
- "13058": "Other Privilege Use Events",
- "13312": "Process Creation",
- "13313": "Process Termination",
- "13314": "DPAPI Activity",
- "13315": "RPC Events",
- "13316": "Plug and Play Events",
- "13317": "Token Right Adjusted Events",
- "13568": "Audit Policy Change",
- "13569": "Authentication Policy Change",
- "13570": "Authorization Policy Change",
- "13571": "MPSSVC Rule-Level Policy Change",
- "13572": "Filtering Platform Policy Change",
- "13573": "Other Policy Change Events",
- "13824": "User Account Management",
- "13825": "Computer Account Management",
- 
"13826": "Security Group Management",
- "13827": "Distribution Group Management",
- "13828": "Application Group Management",
- "13829": "Other Account Management Events",
- "14080": "Directory Service Access",
- "14081": "Directory Service Changes",
- "14082": "Directory Service Replication",
- "14083": "Detailed Directory Service Replication",
- "14336": "Credential Validation",
- "14337": "Kerberos Service Ticket Operations",
- "14338": "Other Account Logon Events",
- "14339": "Kerberos Authentication Service",
- "14592": "Inbound",
- "14593": "Outbound",
- "14594": "Forward",
- "14595": "Bidirectional",
- "14596": "IP Packet",
- "14597": "Transport",
- "14598": "Forward",
- "14599": "Stream",
- "14600": "Datagram Data",
- "14601": "ICMP Error",
- "14602": "MAC 802.3",
- "14603": "MAC Native",
- "14604": "vSwitch",
- "14608": "Resource Assignment",
- "14609": "Listen",
- "14610": "Receive/Accept",
- "14611": "Connect",
- "14612": "Flow Established",
- "14614": "Resource Release",
- "14615": "Endpoint Closure",
- "14616": "Connect Redirect",
- "14617": "Bind Redirect",
- "14624": "Stream Packet",
- "14640": "ICMP Echo-Request",
- "14641": "vSwitch Ingress",
- "14642": "vSwitch Egress",
- "14672": "",
- "14673": "[NULL]",
- "14674": "Value Added",
- "14675": "Value Deleted",
- "14676": "Active Directory Domain Services",
- "14677": "Active Directory Lightweight Directory Services",
- "14678": "Yes",
- "14679": "No",
- "14680": "Value Added With Expiration Time",
- "14681": "Value Deleted With Expiration Time",
- "14688": "Value Auto Deleted With Expiration Time",
- "16384": "Add",
- "16385": "Delete",
- "16386": "Boot-time",
- "16387": "Persistent",
- "16388": "Not persistent",
- "16389": "Block",
- "16390": "Permit",
- "16391": "Callout",
- "16392": "MD5",
- "16393": "SHA-1",
- "16394": "SHA-256",
- "16395": "AES-GCM 128",
- "16396": "AES-GCM 192",
- "16397": "AES-GCM 256",
- "16398": "DES",
- "16399": "3DES",
- "16400": "AES-128",
- "16401": "AES-192",
- "16402": 
"AES-256",
- "16403": "Transport",
- "16404": "Tunnel",
- "16405": "Responder",
- "16406": "Initiator",
- "16407": "AES-GMAC 128",
- "16408": "AES-GMAC 192",
- "16409": "AES-GMAC 256",
- "16416": "AuthNoEncap Transport",
- "16896": "Enable WMI Account",
- "16897": "Execute Method",
- "16898": "Full Write",
- "16899": "Partial Write",
- "16900": "Provider Write",
- "16901": "Remote Access",
- "16902": "Subscribe",
- "16903": "Publish",
- };
- // Trust Types
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706
- var trustTypes = {
- "1": "TRUST_TYPE_DOWNLEVEL",
- "2": "TRUST_TYPE_UPLEVEL",
- "3": "TRUST_TYPE_MIT",
- "4": "TRUST_TYPE_DCE"
- }
- // Trust Direction
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706
- var trustDirection = {
- "0": "TRUST_DIRECTION_DISABLED",
- "1": "TRUST_DIRECTION_INBOUND",
- "2": "TRUST_DIRECTION_OUTBOUND",
- "3": "TRUST_DIRECTION_BIDIRECTIONAL"
- }
- // Trust Attributes
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706
- var trustAttributes = {
- "0": "UNDEFINED",
- "1": "TRUST_ATTRIBUTE_NON_TRANSITIVE",
- "2": "TRUST_ATTRIBUTE_UPLEVEL_ONLY",
- "4": "TRUST_ATTRIBUTE_QUARANTINED_DOMAIN",
- "8": "TRUST_ATTRIBUTE_FOREST_TRANSITIVE",
- "16": "TRUST_ATTRIBUTE_CROSS_ORGANIZATION",
- "32": "TRUST_ATTRIBUTE_WITHIN_FOREST",
- "64": "TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL",
- "128": "TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION",
- "512": "TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION",
- "1024": "TRUST_ATTRIBUTE_PIM_TRUST"
- }
- // SDDL Ace Types
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4715
- // https://docs.microsoft.com/en-us/windows/win32/secauthz/ace-strings
- // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/f4296d69-1c0f-491f-9587-a960b292d070
- var aceTypes = {
- "A": "Access Allowed",
- "D": "Access Denied",
- "OA": "Object Access Allowed",
- "OD": 
"Object Access Denied", - "AU": "System Audit", - "AL": "System Alarm", - "OU": "System Object Audit", - "OL": "System Object Alarm", - "ML": "System Mandatory Label", - "SP": "Central Policy ID" - } - // SDDL Permissions - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4715 - // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/f4296d69-1c0f-491f-9587-a960b292d070 - var permissionDescription = { - "GA": "Generic All", - "GR": "Generic Read", - "GW": "Generic Write", - "GX": "Generic Execute", - "RC": "Read Permissions", - "SD": "Delete", - "WD": "Modify Permissions", - "WO": "Modify Owner", - "RP": "Read All Properties", - "WP": "Write All Properties", - "CC": "Create All Child Objects", - "DC": "Delete All Child Objects", - "LC": "List Contents", - "SW": "All Validated", - "LO": "List Object", - "DT": "Delete Subtree", - "CR": "All Extended Rights", - "FA": "File All Access", - "FR": "File Generic Read", - "FX": "FILE GENERIC EXECUTE", - "FW": "FILE GENERIC WRITE", - "KA": "KEY ALL ACCESS", - "KR": "KEY READ", - "KW": "KEY WRITE", - "KX": "KEY EXECUTE" - } - // Known SIDs - // https://support.microsoft.com/en-au/help/243330/well-known-security-identifier"S-in-window"S-operating-systems - // https://docs.microsoft.com/en-us/windows/win32/secauthz/sid-strings - var accountSIDDescription = { - "AO": "Account operators", - "RU": "Alias to allow previous Windows 2000", - "AN": "Anonymous logon", - "AU": "Authenticated users", - "BA": "Built-in administrators", - "BG": "Built-in guests", - "BO": "Backup operators", - "BU": "Built-in users", - "CA": "Certificate server administrators", - "CG": "Creator group", - "CO": "Creator owner", - "DA": "Domain administrators", - "DC": "Domain computers", - "DD": "Domain controllers", - "DG": "Domain guests", - "DU": "Domain users", - "EA": "Enterprise administrators", - "ED": "Enterprise domain controllers", - "WD": "Everyone", - "PA": "Group Policy administrators", - 
"IU": "Interactively logged-on user", - "LA": "Local administrator", - "LG": "Local guest", - "LS": "Local service account", - "SY": "Local system", - "NU": "Network logon user", - "NO": "Network configuration operators", - "NS": "Network service account", - "PO": "Printer operators", - "PS": "Personal self", - "PU": "Power users", - "RS": "RAS servers group", - "RD": "Terminal server users", - "RE": "Replicator", - "RC": "Restricted code", - "SA": "Schema administrators", - "SO": "Server operators", - "SU": "Service logon user", - "S-1-0": "Null Authority", - "S-1-0-0": "Nobody", - "S-1-1": "World Authority", - "S-1-1-0": "Everyone", - "S-1-16-0": "Untrusted Mandatory Level", - "S-1-16-12288": "High Mandatory Level", - "S-1-16-16384": "System Mandatory Level", - "S-1-16-20480": "Protected Process Mandatory Level", - "S-1-16-28672": "Secure Process Mandatory Level", - "S-1-16-4096": "Low Mandatory Level", - "S-1-16-8192": "Medium Mandatory Level", - "S-1-16-8448": "Medium Plus Mandatory Level", - "S-1-2": "Local Authority", - "S-1-2-0": "Local", - "S-1-2-1": "Console Logon", - "S-1-3": "Creator Authority", - "S-1-3-0": "Creator Owner", - "S-1-3-1": "Creator Group", - "S-1-3-2": "Creator Owner Server", - "S-1-3-3": "Creator Group Server", - "S-1-3-4": "Owner Rights", - "S-1-4": "Non-unique Authority", - "S-1-5": "NT Authority", - "S-1-5-1": "Dialup", - "S-1-5-10": "Principal Self", - "S-1-5-11": "Authenticated Users", - "S-1-5-12": "Restricted Code", - "S-1-5-13": "Terminal Server Users", - "S-1-5-14": "Remote Interactive Logon", - "S-1-5-15": "This Organization", - "S-1-5-17": "This Organization", - "S-1-5-18": "Local System", - "S-1-5-19": "NT Authority", - "S-1-5-2": "Network", - "S-1-5-20": "NT Authority", - "S-1-5-3": "Batch", - "S-1-5-32-544": "Administrators", - "S-1-5-32-545": "Users", - "S-1-5-32-546": "Guests", - "S-1-5-32-547": "Power Users", - "S-1-5-32-548": "Account Operators", - "S-1-5-32-549": "Server Operators", - "S-1-5-32-550": "Print Operators", 
- "S-1-5-32-551": "Backup Operators", - "S-1-5-32-552": "Replicators", - "S-1-5-32-554": "Builtin\Pre-Windows 2000 Compatible Access", - "S-1-5-32-555": "Builtin\Remote Desktop Users", - "S-1-5-32-556": "Builtin\Network Configuration Operators", - "S-1-5-32-557": "Builtin\Incoming Forest Trust Builders", - "S-1-5-32-558": "Builtin\Performance Monitor Users", - "S-1-5-32-559": "Builtin\Performance Log Users", - "S-1-5-32-560": "Builtin\Windows Authorization Access Group", - "S-1-5-32-561": "Builtin\Terminal Server License Servers", - "S-1-5-32-562": "Builtin\Distributed COM Users", - "S-1-5-32-569": "Builtin\Cryptographic Operators", - "S-1-5-32-573": "Builtin\Event Log Readers", - "S-1-5-32-574": "Builtin\Certificate Service DCOM Access", - "S-1-5-32-575": "Builtin\RDS Remote Access Servers", - "S-1-5-32-576": "Builtin\RDS Endpoint Servers", - "S-1-5-32-577": "Builtin\RDS Management Servers", - "S-1-5-32-578": "Builtin\Hyper-V Administrators", - "S-1-5-32-579": "Builtin\Access Control Assistance Operators", - "S-1-5-32-580": "Builtin\Remote Management Users", - "S-1-5-32-582": "Storage Replica Administrators", - "S-1-5-4": "Interactive", - "S-1-5-5-X-Y": "Logon Session", - "S-1-5-6": "Service", - "S-1-5-64-10": "NTLM Authentication", - "S-1-5-64-14": "SChannel Authentication", - "S-1-5-64-21": "Digest Authentication", - "S-1-5-7": "Anonymous", - "S-1-5-8": "Proxy", - "S-1-5-80": "NT Service", - "S-1-5-80-0": "All Services", - "S-1-5-83-0": "NT Virtual Machine\Virtual Machines", - "S-1-5-9": "Enterprise Domain Controllers", - "S-1-5-90-0": "Windows Manager\Windows Manager Group" - } - // Domain-specific SIDs - // https://support.microsoft.com/en-au/help/243330/well-known-security-identifiers-in-windows-operating-systems - var domainSpecificSID = { - "498": "Enterprise Read-only Domain Controllers", - "500": "Administrator", - "501": "Guest", - "502": "KRBTGT", - "512": "Domain Admins", - "513": "Domain Users", - "514": "Domain Guests", - "515": "Domain Computers", - 
"516": "Domain Controllers", - "517": "Cert Publishers", - "518": "Schema Admins", - "519": "Enterprise Admins", - "520": "Group Policy Creator Owners", - "521": "Read-only Domain Controllers", - "522": "Cloneable Domain Controllers", - "526": "Key Admins", - "527": "Enterprise Key Admins", - "553": "RAS and IAS Servers", - "571": "Allowed RODC Password Replication Group", - "572": "Denied RODC Password Replication Group" - } - // Object Permission Flags - // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/7a53f60e-e730-4dfe-bbe9-b21b62eb790b - var permsFlags = [ - [0x80000000, 'Generic Read'], - [0x4000000, 'Generic Write'], - [0x20000000, 'Generic Execute'], - [0x10000000, 'Generic All'], - [0x02000000, 'Maximun Allowed'], - [0x01000000, 'Access System Security'], - [0x00100000, 'Syncronize'], - [0x00080000, 'Write Owner'], - [0x00040000, 'Write DACL'], - [0x00020000, 'Read Control'], - [0x00010000, 'Delete'] - ]; - // lookupMessageCode returns the string associated with the code. key should - // be the name of the field in evt containing the code (e.g. %%2313). 
- var lookupMessageCode = function (evt, key) {
- var code = evt.Get(key);
- if (!code) {
- return;
- }
- code = code.replace("%%", "");
- return msobjsMessageTable[code];
- };
- var addEventFields = function(evt){
- var code = evt.Get("event.code");
- if (!code) {
- return;
- }
- var eventActionDescription = eventActionTypes[code][2];
- if (eventActionDescription) {
- evt.AppendTo("event.category", eventActionTypes[code][0]);
- evt.AppendTo("event.type", eventActionTypes[code][1]);
- evt.Put("event.action", eventActionTypes[code][2]);
- }
- };
- var addLogonType = function(evt) {
- var code = evt.Get("winlog.event_data.LogonType");
- if (!code) {
- return;
- }
- var descriptiveLogonType = logonTypes[code];
- if (descriptiveLogonType === undefined) {
- return;
- }
- evt.Put("winlog.logon.type", descriptiveLogonType);
- };
- var addFailureCode = function(evt) {
- var msg = lookupMessageCode(evt, "winlog.event_data.FailureReason");
- if (!msg) {
- return;
- }
- evt.Put("winlog.logon.failure.reason", msg);
- };
- var addFailureStatus = function(evt) {
- var code = evt.Get("winlog.event_data.Status");
- if (!code) {
- return;
- }
- var descriptiveFailureStatus = logonFailureStatus[code];
- if (descriptiveFailureStatus === undefined) {
- return;
- }
- evt.Put("winlog.logon.failure.status", descriptiveFailureStatus);
- };
- var addFailureSubStatus = function(evt) {
- var code = evt.Get("winlog.event_data.SubStatus");
- if (!code) {
- return;
- }
- var descriptiveFailureStatus = logonFailureStatus[code];
- if (descriptiveFailureStatus === undefined) {
- return;
- }
- evt.Put("winlog.logon.failure.sub_status", descriptiveFailureStatus);
- };
- var addUACDescription = function(evt) {
- var code = evt.Get("winlog.event_data.NewUacValue");
- if (!code) {
- return;
- }
- var uacCode = parseInt(code);
- var uacResult = [];
- for (var i = 0; i < uacFlags.length; i++) {
- if ((uacCode | uacFlags[i][0]) === uacCode) {
- uacResult.push(uacFlags[i][1]);
- }
- }
- if (uacResult) {
- evt.Put("winlog.event_data.NewUACList", uacResult);
- }
- var uacList = evt.Get("winlog.event_data.UserAccountControl").replace(/\s/g, '').split("%%").filter(String);
- if (!uacList) {
- return;
- }
- evt.Put("winlog.event_data.UserAccountControl", uacList);
- };
- var addAuditInfo = function(evt) {
- var subcategoryGuid = evt.Get("winlog.event_data.SubcategoryGuid").replace("{", '').replace("}", '').toUpperCase();
- if (!subcategoryGuid) {
- return;
- }
- if (!auditDescription[subcategoryGuid]) {
- return;
- }
- evt.Put("winlog.event_data.Category", auditDescription[subcategoryGuid][1]);
- evt.Put("winlog.event_data.SubCategory", auditDescription[subcategoryGuid][0]);
- var codedActions = evt.Get("winlog.event_data.AuditPolicyChanges").split(",");
- var actionResults = [];
- for (var j = 0; j < codedActions.length; j++) {
- var actionCode = codedActions[j].replace("%%", '').replace(' ', '');
- actionResults.push(msobjsMessageTable[actionCode]);
- }
- evt.Put("winlog.event_data.AuditPolicyChangesDescription", actionResults);
- };
- var addTicketOptionsDescription = function(evt) {
- var code = evt.Get("winlog.event_data.TicketOptions");
- if (!code) {
- return;
- }
- var tktCode = parseInt(code, 16).toString(2);
- var tktResult = [];
- var tktCodeLen = tktCode.length;
- for (var i = tktCodeLen; i >= 0; i--) {
- if (tktCode[i] == 1) {
- tktResult.push(ticketOptions[(32-tktCodeLen)+i]);
- }
- }
- if (tktResult) {
- evt.Put("winlog.event_data.TicketOptionsDescription", tktResult);
- }
- };
- var addTicketEncryptionType = function(evt) {
- var code = evt.Get("winlog.event_data.TicketEncryptionType");
- if (!code) {
- return;
- }
- var encTypeCode = code.toLowerCase();
- evt.Put("winlog.event_data.TicketEncryptionTypeDescription", ticketEncryptionTypes[encTypeCode]);
- };
- var addTicketStatus = function(evt) {
- var code = evt.Get("winlog.event_data.Status");
- if (!code) {
- return;
- }
- evt.Put("winlog.event_data.StatusDescription", kerberosTktStatusCodes[code]);
- };
- var translateSID = function(sid){
- var translatedSID = accountSIDDescription[sid];
- if (translatedSID == undefined) {
- if (/^S\-1\-5\-21/.test(sid)) {
- var uid = sid.match(/[0-9]{1,5}$/g);
- if (uid) {
- translatedSID = domainSpecificSID[uid];
- }
- }
- }
- if (translatedSID == undefined) {
- translatedSID = sid;
- }
- return translatedSID;
- }
- var translatePermissionMask = function(mask) {
- if (!mask) {
- return;
- }
- var permCode = parseInt(mask);
- var permResult = [];
- for (var i = 0; i < permsFlags.length; i++) {
- if ((permCode | permsFlags[i][0]) === permCode) {
- permResult.push(permsFlags[i][1]);
- }
- }
- if (permResult) {
- return permResult;
- } else {
- return mask;
- }
- };
- var translateACL = function(dacl) {
- var aceArray = dacl.split(";");
- var aceResult = [];
- var aceType = aceArray[0];
- var acePerm = aceArray[2];
- var aceTrustedSid = aceArray[5];
- if (aceTrustedSid) {
- aceResult['grantee'] = translateSID(aceTrustedSid);
- }
- if (aceType) {
- aceResult['type'] = aceTypes[aceType];
- }
- if (acePerm) {
- if (/^0x/.test(acePerm)) {
- var perms = translatePermissionMask(acePerm);
- }
- else {
- var perms = []
- var permPairs = acePerm.match(/.{1,2}/g);
- for ( var i = 0; i < permPairs.length; i ++) {
- perms.push(permissionDescription[permPairs[i]])
- }
- }
- aceResult['perms'] = perms;
- }
- return aceResult;
- };
- var enrichSDDL = function(evt, sddl) {
- var sddlStr = evt.Get(sddl);
- if (!sddlStr) {
- return;
- }
- var sdOwner = sddlStr.match(/^O\:[A-Z]{2}/g);
- var sdGroup = sddlStr.match(/^G\:[A-Z]{2}/g);
- var sdDacl = sddlStr.match(/(D:([A-Z]*(\(.*\))*))/g);
- var sdSacl = sddlStr.match(/(S:([A-Z]*(\(.*\))*))?$/g);
- if (sdOwner) {
- evt.Put(sddl+"Owner", translateSID(sdOwner));
- }
- if (sdGroup) {
- evt.Put(sddl+"Group", translateSID(sdGroup));
- }
- if (sdDacl) {
- // Split each entry of the DACL
- var daclList = (sdDacl[0]).match(/\([^*\)]*\)/g);
- if (daclList) {
- for (var i = 0; i < daclList.length; i++) {
- var newDacl = translateACL(daclList[i].replace("(", '').replace(")", ''));
- evt.Put(sddl+"Dacl"+i, newDacl['grantee']+" :"+newDacl['type']+" ("+newDacl['perms']+")");
- if ( newDacl['grantee'] === "Administrator" || newDacl['grantee'] === "Guest" || newDacl['grantee'] === "KRBTGT" ) {
- evt.AppendTo('related.user', newDacl['grantee']);
- }
- }
- }
- }
- if (sdSacl) {
- // Split each entry of the SACL
- var saclList = (sdSacl[0]).match(/\([^*\)]*\)/g);
- if (saclList) {
- for (var i = 0; i < saclList.length; i++) {
- var newSacl = translateACL(saclList[i].replace("(", '').replace(")", ''));
- evt.Put(sddl+"Sacl"+i, newSacl['grantee']+" :"+newSacl['type']+" ("+newSacl['perms']+")");
- if ( newSacl['grantee'] === "Administrator" || newSacl['grantee'] === "Guest" || newSacl['grantee'] === "KRBTGT" ) {
- evt.AppendTo('related.user', newSacl['grantee']);
- }
- }
- }
- }
- };
-
- var addSessionData = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.AccountName", to: "user.name"},
- {from: "winlog.event_data.AccountDomain", to: "user.domain"},
- {from: "winlog.event_data.ClientAddress", to: "source.ip", type: "ip"},
- {from: "winlog.event_data.ClientAddress", to: "related.ip", type: "ip"},
- {from: "winlog.event_data.ClientName", to: "source.domain"},
- {from: "winlog.event_data.LogonID", to: "winlog.logon.id"},
- ],
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(function(evt) {
- var user = evt.Get("winlog.event_data.AccountName");
- evt.AppendTo('related.user', user);
- })
- .Build();
- var addServiceFields = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.ServiceName", to: "service.name"},
- ],
- ignore_missing: true,
- })
- .Add(function(evt) {
- var code = evt.Get("winlog.event_data.ServiceType");
- if (!code) {
- return;
- }
- evt.Put("service.type", serviceTypes[code]);
- })
- .Build();
- var addTrustInformation = new processor.Chain()
- .Add(function(evt) {
- var code = evt.Get("winlog.event_data.TdoType");
- if (!code) {
- return;
- }
- evt.Put("winlog.trustType", trustTypes[code]);
- code = evt.Get("winlog.event_data.TdoDirection");
- if (!code) {
- return;
- }
- evt.Put("winlog.trustDirection", trustDirection[code]);
- code = evt.Get("winlog.event_data.TdoAttributes");
- if (!code) {
- return;
- }
- evt.Put("winlog.trustAttribute", trustAttributes[code]);
-
- })
- .Build();
-
- var copyTargetUser = function(evt) {
- var targetUserId = evt.Get("winlog.event_data.TargetUserSid");
- if (targetUserId) {
- if (evt.Get("user.id")) evt.Put("user.target.id", targetUserId);
- else evt.Put("user.id", targetUserId);
- }
-
- var targetUserName = evt.Get("winlog.event_data.TargetUserName");
- if (targetUserName) {
- if (/.@*/.test(targetUserName)) {
- targetUserName = targetUserName.split('@')[0];
- }
-
- evt.AppendTo("related.user", targetUserName);
- if (evt.Get("user.name")) evt.Put("user.target.name", targetUserName);
- else evt.Put("user.name", targetUserName);
- }
-
- var targetUserDomain = evt.Get("winlog.event_data.TargetDomainName");
- if (targetUserDomain) {
- if (evt.Get("user.domain")) evt.Put("user.target.domain", targetUserDomain);
- else evt.Put("user.domain", targetUserDomain);
- }
- }
-
- var copyMemberToUser = function(evt) {
- var member = evt.Get("winlog.event_data.MemberName");
- if (!member) {
- return;
- }
-
- var userName = member.split(',')[0].replace('CN=', '').replace('cn=', '');
-
- evt.AppendTo("related.user", userName);
- evt.Put("user.target.name", userName);
- }
-
- var copyTargetUserToGroup = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.TargetUserSid", to: "group.id"},
- {from: "winlog.event_data.TargetSid", to: "group.id"},
- {from: "winlog.event_data.TargetUserName", to: "group.name"},
- {from: "winlog.event_data.TargetDomainName", to: "group.domain"},
- ],
- ignore_missing: true,
- }).Add(function(evt) {
- if (!evt.Get("user.target")) return;
- evt.Put("user.target.group.id", evt.Get("group.id"));
- evt.Put("user.target.group.name", evt.Get("group.name"));
- evt.Put("user.target.group.domain", evt.Get("group.domain"));
- })
- .Build();
- var copyTargetUserToComputerObject = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.TargetSid", to: "winlog.computerObject.id"},
- {from: "winlog.event_data.TargetUserName", to: "winlog.computerObject.name"},
- {from: "winlog.event_data.TargetDomainName", to: "winlog.computerObject.domain"},
- ],
- ignore_missing: true,
- })
- .Build();
- var copyTargetUserLogonId = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.TargetLogonId", to: "winlog.logon.id"},
- ],
- ignore_missing: true,
- })
- .Build();
- var copySubjectUser = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.SubjectUserSid", to: "user.id"},
- {from: "winlog.event_data.SubjectUserName", to: "user.name"},
- {from: "winlog.event_data.SubjectDomainName", to: "user.domain"},
- ],
- ignore_missing: true,
- })
- .Add(function(evt) {
- var user = evt.Get("winlog.event_data.SubjectUserName");
- evt.AppendTo('related.user', user);
- })
- .Build();
- var copySubjectUserFromUserData = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.user_data.SubjectUserSid", to: "user.id"},
- {from: "winlog.user_data.SubjectUserName", to: "user.name"},
- {from: "winlog.user_data.SubjectDomainName", to: "user.domain"},
- ],
- ignore_missing: true,
- })
- .Add(function(evt) {
- var user = evt.Get("winlog.user_data.SubjectUserName");
- evt.AppendTo('related.user', user);
- })
- .Build();
- var copySubjectUserLogonId = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.SubjectLogonId", to: "winlog.logon.id"},
- ],
- ignore_missing: true,
- })
- .Build();
- var copySubjectUserLogonIdFromUserData = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.user_data.SubjectLogonId", to: "winlog.logon.id"},
- ],
- ignore_missing: true,
- })
- .Build();
- var renameCommonAuthFields = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"},
- {from: "winlog.event_data.ProcessName", to: "process.executable"},
- {from: "winlog.event_data.IpAddress", to: "source.ip", type: "ip"},
- {from: "winlog.event_data.ClientAddress", to: "related.ip", type: "ip"},
- {from: "winlog.event_data.IpPort", to: "source.port", type: "long"},
- {from: "winlog.event_data.WorkstationName", to: "source.domain"},
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(function(evt) {
- var name = evt.Get("process.name");
- if (name) {
- return;
- }
- var exe = evt.Get("process.executable");
- if (!exe) {
- return;
- }
- evt.Put("process.name", path.basename(exe));
- })
- .Build();
- var renameNewProcessFields = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.NewProcessId", to: "process.pid", type: "long"},
- {from: "winlog.event_data.NewProcessName", to: "process.executable"},
- {from: "winlog.event_data.ParentProcessName", to: "process.parent.executable"}
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(function(evt) {
- var name = evt.Get("process.name");
- if (name) {
- return;
- }
- var exe = evt.Get("process.executable");
- if (!exe) {
- return;
- }
- evt.Put("process.name", path.basename(exe));
- })
- .Add(function(evt) {
- var name = evt.Get("process.parent.name");
- if (name) {
- return;
- }
- var exe = evt.Get("process.parent.executable");
- if (!exe) {
- return;
- }
- evt.Put("process.parent.name", path.basename(exe));
- })
- .Add(function(evt) {
- var cl = evt.Get("winlog.event_data.CommandLine");
- if (!cl) {
- return;
- }
- evt.Put("process.args", windows.splitCommandLine(cl));
- evt.Put("process.command_line", cl);
- })
- .Build();
- // Handles 4634 and 4647.
- var logoff = new processor.Chain()
- .Add(copyTargetUser)
- .Add(copyTargetUserLogonId)
- .Add(addLogonType)
- .Add(addEventFields)
- .Build();
- // Handles both 4624
- var logonSuccess = new processor.Chain()
- .Add(copyTargetUser)
- .Add(copyTargetUserLogonId)
- .Add(addLogonType)
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Add(function(evt) {
- var user = evt.Get("winlog.event_data.SubjectUserName");
- if (user) {
- var res = /^-$/.test(user);
- if (!res) {
- evt.AppendTo('related.user', user);
- }
- }
- })
- .Build();
- // Handles both 4648
- var event4648 = new processor.Chain()
- .Add(copyTargetUser)
- .Add(copySubjectUserLogonId)
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Add(function(evt) {
- var user = evt.Get("winlog.event_data.SubjectUserName");
- if (user) {
- var res = /^-$/.test(user);
- if (!res) {
- evt.AppendTo('related.user', user);
- }
- }
- })
- .Build();
- var event4625 = new processor.Chain()
- .Add(copyTargetUser)
- .Add(copySubjectUserLogonId)
- .Add(addLogonType)
- .Add(addFailureCode)
- .Add(addFailureStatus)
- .Add(addFailureSubStatus)
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Build();
- var event4672 = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(function(evt) {
- var privs = evt.Get("winlog.event_data.PrivilegeList");
- if (!privs) {
- return;
- }
- evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/));
- })
- .Add(addEventFields)
- .Build();
- var event4688 = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(renameNewProcessFields)
- .Add(addEventFields)
- .Add(function(evt) {
- var user = evt.Get("winlog.event_data.TargetUserName");
- if (user) {
- var res = /^-$/.test(user);
- if (!res) {
- evt.AppendTo('related.user', user);
- }
- }
- })
- .Build();
- var event4689 = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Build();
- var event4697 = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(renameCommonAuthFields)
- .Add(addServiceFields)
- .Add(addEventFields)
- .Build();
- var userMgmtEvts = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(renameCommonAuthFields)
- .Add(addUACDescription)
- .Add(addEventFields)
- .Add(function(evt) {
- var user = evt.Get("winlog.event_data.TargetUserName");
- evt.AppendTo('related.user', user);
- })
- .Build();
- var userRenamed = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(addEventFields)
- .Add(function(evt) {
- var userNew = evt.Get("winlog.event_data.NewTargetUserName");
- evt.AppendTo('related.user', userNew);
- var userOld = evt.Get("winlog.event_data.OldTargetUserName");
- evt.AppendTo('related.user', userOld);
- })
- .Build();
- var groupMgmtEvts = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(copyMemberToUser)
- .Add(copyTargetUserToGroup)
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Build();
- var auditLogCleared = new processor.Chain()
- .Add(copySubjectUserFromUserData)
- .Add(copySubjectUserLogonIdFromUserData)
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Build();
- var auditChanged = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(renameCommonAuthFields)
- .Add(addAuditInfo)
- .Add(addEventFields)
- .Build();
- var auditLogMgmt = new processor.Chain()
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Build();
- var computerMgmtEvts = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(copyTargetUserToComputerObject)
- .Add(renameCommonAuthFields)
- .Add(addUACDescription)
- .Add(addEventFields)
- .Add(function(evt) {
- var privs = evt.Get("winlog.event_data.PrivilegeList");
- if (!privs) {
- return;
- }
- evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/));
- })
- .Build();
- var sessionEvts = new processor.Chain()
- .Add(addSessionData)
- .Add(addEventFields)
- .Build();
- var event4964 = new processor.Chain()
- .Add(copyTargetUser)
- .Add(copyTargetUserLogonId)
- .Add(addEventFields)
- .Build();
- var kerberosTktEvts = new processor.Chain()
- .Add(copyTargetUser)
- .Add(renameCommonAuthFields)
- .Add(addTicketOptionsDescription)
- .Add(addTicketEncryptionType)
- .Add(addTicketStatus)
- .Add(addEventFields)
- .Add(function(evt) {
- var ip = evt.Get("source.ip");
- if (ip) {
- if (/::ffff:/.test(ip)) {
- evt.Put("source.ip", ip.replace("::ffff:", ""));
- evt.AppendTo("related.ip", ip.replace("::ffff:", ""));
- }
- }
- })
- .Build();
- var event4776 = new processor.Chain()
- .Add(copyTargetUser)
- .Add(addFailureStatus)
- .Add(addEventFields)
- .Build();
- var scheduledTask = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(addEventFields)
- .Build();
- var sensitivePrivilege = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Add(function(evt) {
- var privs = evt.Get("winlog.event_data.PrivilegeList");
- if (!privs) {
- return;
- }
- evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/));
- })
- .Add(function(evt){
- var maskCodes = evt.Get("winlog.event_data.AccessMask");
- if (!maskCodes) {
- return;
- }
- var maskList = maskCodes.replace(/\s+/g, '').split("%%").filter(String);
- evt.Put("winlog.event_data.AccessMask", maskList);
- var maskResults = [];
- for (var j = 0; j < maskList.length; j++) {
- var description = msobjsMessageTable[maskList[j]];
- if (description === undefined) {
- return;
- }
- maskResults.push(description);
- }
- evt.Put("winlog.event_data.AccessMaskDescription", maskResults);
- })
- .Build();
-
- var trustDomainMgmtEvts = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(addEventFields)
- .Add(addTrustInformation)
- .Build();
-
- var policyChange = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(addEventFields)
- .Build();
-
- var objectPolicyChange = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Add(function(evt) {
- var oldSd = evt.Get("winlog.event_data.OldSd");
- var newSd = evt.Get("winlog.event_data.NewSd");
- if (oldSd) {
- enrichSDDL(evt, "winlog.event_data.OldSd");
- }
- if (newSd) {
- enrichSDDL(evt, "winlog.event_data.NewSd");
- }
- })
- .Build();
-
- var genericAuditChange = new processor.Chain()
- .Add(addEventFields)
- .Build();
-
- var event4908 = new processor.Chain()
- .Add(addEventFields)
- .Add(function(evt) {
- var sids = evt.Get("winlog.event_data.SidList");
- if (!sids) {
- return;
- }
- var sidList = sids.split(/\s+/);
- evt.Put("winlog.event_data.SidList", sids.split(/\s+/));
- var sidListDesc = [];
- for (var i = 0; i < sidList.length; i++) {
- var sidTemp = sidList[i].replace("%", "").replace("{", "").replace("}", "").replace(" ","");
- if (sidTemp) {
- sidListDesc.push(translateSID(sidTemp));
- }
- }
- evt.Put("winlog.event_data.SidListDesc", sidListDesc);
- })
- .Build();
-
- var securityEventSource = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Build();
-
- return {
- // 1100 - The event logging service has shut down.
- 1100: auditLogMgmt.Run,
- // 1102 - The audit log was cleared.
- 1102: auditLogCleared.Run,
- // 1104 - The security log is now full.
- 1104: auditLogMgmt.Run,
- // 1105 - Event log automatic backup.
- 1105: auditLogMgmt.Run,
- // 1108 - The event logging service encountered an error while processing an incoming event published from %1
- 1108: auditLogMgmt.Run,
- // 4624 - An account was successfully logged on.
- 4624: logonSuccess.Run,
- // 4625 - An account failed to log on.
- 4625: event4625.Run,
- // 4634 - An account was logged off.
- 4634: logoff.Run,
- // 4647 - User initiated logoff.
- 4647: logoff.Run,
- // 4648 - A logon was attempted using explicit credentials.
- 4648: event4648.Run,
- // 4670 - Permissions on an object were changed.
- 4670: objectPolicyChange.Run,
- // 4672 - Special privileges assigned to new logon.
- 4672: event4672.Run,
- // 4673 - A privileged service was called.
- 4673: sensitivePrivilege.Run,
- // 4674 - An operation was attempted on a privileged object.
- 4674: sensitivePrivilege.Run,
- // 4688 - A new process has been created.
- 4688: event4688.Run,
- // 4689 - A process has exited.
- 4689: event4689.Run,
- // 4697 - A service was installed in the system.
- 4697: event4697.Run,
- // 4698 - A scheduled task was created.
- 4698: scheduledTask.Run,
- // 4699 - A scheduled task was deleted.
- 4699: scheduledTask.Run,
- // 4700 - A scheduled task was enabled.
- 4700: scheduledTask.Run,
- // 4701 - A scheduled task was disabled.
- 4701: scheduledTask.Run,
- // 4702 - A scheduled task was updated.
- 4702: scheduledTask.Run,
- // 4706 - A new trust was created to a domain.
- 4706: trustDomainMgmtEvts.Run,
- // 4707 - A trust to a domain was removed.
- 4707: trustDomainMgmtEvts.Run,
- // 4713 - Kerberos policy was changed.
- 4713: policyChange.Run,
- // 4716 - Trusted domain information was modified.
- 4716: trustDomainMgmtEvts.Run,
- // 4717 - System security access was granted to an account.
- 4717: policyChange.Run,
- // 4718 - System security access was removed from an account.
- 4718: policyChange.Run,
- // 4719 - System audit policy was changed.
- 4719: auditChanged.Run,
- // 4720 - A user account was created
- 4720: userMgmtEvts.Run,
- // 4722 - A user account was enabled
- 4722: userMgmtEvts.Run,
- // 4723 - An attempt was made to change an account's password
- 4723: userMgmtEvts.Run,
- // 4724 - An attempt was made to reset an account's password
- 4724: userMgmtEvts.Run,
- // 4725 - A user account was disabled.
- 4725: userMgmtEvts.Run,
- // 4726 - An user account was deleted.
- 4726: userMgmtEvts.Run,
- // 4727 - A security-enabled global group was created.
- 4727: groupMgmtEvts.Run,
- // 4728 - A member was added to a security-enabled global group.
- 4728: groupMgmtEvts.Run,
- // 4729 - A member was removed from a security-enabled global group.
- 4729: groupMgmtEvts.Run,
- // 4730 - A security-enabled global group was deleted.
- 4730: groupMgmtEvts.Run,
- // 4731 - A security-enabled local group was created.
- 4731: groupMgmtEvts.Run,
- // 4732 - A member was added to a security-enabled local group.
- 4732: groupMgmtEvts.Run,
- // 4733 - A member was removed from a security-enabled local group.
- 4733: groupMgmtEvts.Run,
- // 4734 - A security-enabled local group was deleted.
- 4734: groupMgmtEvts.Run,
- // 4735 - A security-enabled local group was changed.
- 4735: groupMgmtEvts.Run,
- // 4737 - A security-enabled global group was changed.
- 4737: groupMgmtEvts.Run,
- // 4739 - A security-enabled global group was changed.
- 4739: policyChange.Run,
- // 4738 - An user account was changed.
- 4738: userMgmtEvts.Run,
- // 4740 - An account was locked out
- 4740: userMgmtEvts.Run,
- // 4741 - A computer account was created.
- 4741: computerMgmtEvts.Run,
- // 4742 - A computer account was changed.
- 4742: computerMgmtEvts.Run,
- // 4743 - A computer account was deleted.
- 4743: computerMgmtEvts.Run,
- // 4744 - A security-disabled local group was created.
- 4744: groupMgmtEvts.Run,
- // 4745 - A security-disabled local group was changed.
- 4745: groupMgmtEvts.Run,
- // 4746 - A member was added to a security-disabled local group.
- 4746: groupMgmtEvts.Run,
- // 4747 - A member was removed from a security-disabled local group.
- 4747: groupMgmtEvts.Run,
- // 4748 - A security-disabled local group was deleted.
- 4748: groupMgmtEvts.Run,
- // 4749 - A security-disabled global group was created.
- 4749: groupMgmtEvts.Run,
- // 4750 - A security-disabled global group was changed.
- 4750: groupMgmtEvts.Run, - // 4751 - A member was added to a security-disabled global group. - 4751: groupMgmtEvts.Run, - // 4752 - A member was removed from a security-disabled global group. - 4752: groupMgmtEvts.Run, - // 4753 - A security-disabled global group was deleted. - 4753: groupMgmtEvts.Run, - // 4754 - A security-enabled universal group was created. - 4754: groupMgmtEvts.Run, - // 4755 - A security-enabled universal group was changed. - 4755: groupMgmtEvts.Run, - // 4756 - A member was added to a security-enabled universal group. - 4756: groupMgmtEvts.Run, - // 4757 - A member was removed from a security-enabled universal group. - 4757: groupMgmtEvts.Run, - // 4758 - A security-enabled universal group was deleted. - 4758: groupMgmtEvts.Run, - // 4759 - A security-disabled universal group was created. - 4759: groupMgmtEvts.Run, - // 4760 - A security-disabled universal group was changed. - 4760: groupMgmtEvts.Run, - // 4761 - A member was added to a security-disabled universal group. - 4761: groupMgmtEvts.Run, - // 4762 - A member was removed from a security-disabled universal group. - 4762: groupMgmtEvts.Run, - // 4763 - A security-disabled global group was deleted. - 4763: groupMgmtEvts.Run, - // 4764 - A group\'s type was changed. - 4764: groupMgmtEvts.Run, - // 4767 - A user account was unlocked. - 4767: userMgmtEvts.Run, - // 4768 - A Kerberos authentication ticket TGT was requested. - 4768: kerberosTktEvts.Run, - // 4769 - A Kerberos service ticket was requested. - 4769: kerberosTktEvts.Run, - // 4770 - A Kerberos service ticket was renewed. - 4770: kerberosTktEvts.Run, - // 4771 - Kerberos pre-authentication failed. - 4771: kerberosTktEvts.Run, - // 4776 - The computer attempted to validate the credentials for an account. - 4776: event4776.Run, - // 4778 - A session was reconnected to a Window Station. - 4778: sessionEvts.Run, - // 4779 - A session was disconnected from a Window Station. 
- 4779: sessionEvts.Run, - // 4781 - The name of an account was changed. - 4781: userRenamed.Run, - // 4798 - A user's local group membership was enumerated. - 4798: userMgmtEvts.Run, - // 4799 - A security-enabled local group membership was enumerated. - 4799: groupMgmtEvts.Run, - // 4817 - Auditing settings on object were changed. - 4817: objectPolicyChange.Run, - // 4902 - The Per-user audit policy table was created. - 4902: genericAuditChange.Run, - // 4904 - An attempt was made to register a security event source. - 4904: securityEventSource.Run, - // 4905 - An attempt was made to unregister a security event source. - 4905: securityEventSource.Run, - // 4906 - The CrashOnAuditFail value has changed. - 4906: genericAuditChange.Run, - // 4907 - Auditing settings on object were changed. - 4907: objectPolicyChange.Run, - // 4908 - Special Groups Logon table modified. - 4908: event4908.Run, - // 4912 - Per User Audit Policy was changed. - 4912: auditChanged.Run, - // 4964 - Special groups have been assigned to a new logon. - 4964: event4964.Run, - process: function(evt) { - var eventId = evt.Get("winlog.event_id"); - var processor = this[eventId]; - if (processor === undefined) { - return; - } - evt.Put("event.module", "security"); - processor(evt); - }, - }; - })(); - function process(evt) { - return security.process(evt); - } diff --git a/packages/system/0.12.2/data_stream/security/elasticsearch/ingest_pipeline/default.yml b/packages/system/0.12.2/data_stream/security/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 7675142444..0000000000 --- a/packages/system/0.12.2/data_stream/security/elasticsearch/ingest_pipeline/default.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -description: Pipeline for Windows Security events -processors: - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' -on_failure: - - set: - field: "error.message" - value: "{{ _ingest.on_failure_message }}" 
diff --git a/packages/system/0.12.2/data_stream/security/fields/agent.yml b/packages/system/0.12.2/data_stream/security/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/system/0.12.2/data_stream/security/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.12.2/data_stream/security/fields/base-fields.yml b/packages/system/0.12.2/data_stream/security/fields/base-fields.yml
deleted file mode 100755
index a9a65458fc..0000000000
--- a/packages/system/0.12.2/data_stream/security/fields/base-fields.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset name.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: dataset.type
- type: constant_keyword
- description: Dataset type.
-- name: dataset.name
- type: constant_keyword
- description: Dataset name.
-- name: dataset.namespace
- type: constant_keyword
- description: Dataset namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.12.2/data_stream/security/fields/ecs.yml b/packages/system/0.12.2/data_stream/security/fields/ecs.yml
deleted file mode 100755
index 2904a66ee3..0000000000
--- a/packages/system/0.12.2/data_stream/security/fields/ecs.yml
+++ /dev/null
@@ -1,244 +0,0 @@ -- name: event - title: Event - type: group - fields: - - name: action - type: keyword - ignore_above: 1024 - description: 'The action captured by the event.' - - name: category - type: keyword - ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.' - - name: code - type: keyword - ignore_above: 1024 - description: 'Identification code for this event, if one exists.' - - name: created - type: date - description: 'event.created contains the date/time when the event was first read by an agent, or by your pipeline.' - - name: ingested - type: date - description: 'Timestamp when an event arrived in the central data store.' - default_field: false - - name: kind - type: keyword - ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.' - - name: module - type: keyword - ignore_above: 1024 - description: 'Name of the module this data is coming from.' - - name: outcome - type: keyword - ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.' - - name: provider - type: keyword - ignore_above: 1024 - description: 'Source of the event.' - - name: sequence - type: long - format: string - description: 'Sequence number of the event.' - - name: type - type: keyword - ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.' -- name: host - title: Host - type: group - fields: - - name: name - type: keyword - ignore_above: 1024 - description: 'Name of the host.' -- name: log - title: Log - type: group - fields: - - name: level - type: keyword - ignore_above: 1024 - description: 'Original log level of the log event.' 
-- name: process - title: Process - type: group - fields: - - name: args - type: keyword - ignore_above: 1024 - description: 'Array of process arguments, starting with the absolute path to the executable.' - - name: args_count - type: long - description: 'Length of the process.args array.' - default_field: false - - name: command_line - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: 'Full command line that started the process, including the absolute path to the executable, and all arguments.' - default_field: false - - name: entity_id - type: keyword - ignore_above: 1024 - description: 'Unique identifier for the process.' - default_field: false - - name: executable - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Absolute path to the process executable. - - name: name - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: 'Process name.' - example: ssh - - name: title - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: 'Process title.' - - name: pid - type: long - description: Process PID. - - name: parent.executable - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Absolute path to the process executable. - default_field: false - - name: parent.name - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: 'Process name.' - default_field: false -- name: user - title: User - type: group - fields: - - name: domain - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of.' - - name: id - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. 
- - name: name - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Short name or login of the user. - - name: target.group.domain - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of.' - default_field: false - - name: target.group.id - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: target.group.name - type: keyword - ignore_above: 1024 - description: Name of the group. - - name: target.name - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Short name or login of the user. - default_field: false -- name: group - title: Group - type: group - fields: - - name: domain - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of.' - - name: id - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - - name: name - type: keyword - ignore_above: 1024 - description: Name of the group. -- name: service - title: Service - type: group - fields: - - name: name - type: keyword - ignore_above: 1024 - description: 'Name of the service data is collected from.' - - name: type - type: keyword - ignore_above: 1024 - description: 'The type of the service data is collected from.' -- name: source - title: Source - type: group - fields: - - name: domain - level: core - type: keyword - ignore_above: 1024 - description: Source domain. - - name: ip - type: ip - description: IP address of the source (IPv4 or IPv6). - - name: port - type: long - format: string - description: Port of the source. 
-- name: related - title: Related - type: group - fields: - - name: hash - type: keyword - ignore_above: 1024 - default_field: false - - name: hosts - type: keyword - ignore_above: 1024 - default_field: false - - name: ip - type: ip - - name: user - type: keyword - ignore_above: 1024 - default_field: false diff --git a/packages/system/0.12.2/data_stream/security/fields/fields.yml b/packages/system/0.12.2/data_stream/security/fields/fields.yml deleted file mode 100755 index 48deb4f52a..0000000000 --- a/packages/system/0.12.2/data_stream/security/fields/fields.yml +++ /dev/null @@ -1,30 +0,0 @@ -- name: winlog.logon - type: group - description: Data related to a Windows logon. - fields: - - name: type - type: keyword - description: > - Logon type name. This is the descriptive version of the `winlog.event_data.LogonType` ordinal. This is an enrichment added by the Security module. - - example: RemoteInteractive - - name: id - type: keyword - description: > - Logon ID that can be used to associate this logon with other events related to the same logon session. - - - name: failure.reason - type: keyword - description: > - The reason the logon failed. - - - name: failure.status - type: keyword - description: > - The reason the logon failed. This is textual description based on the value of the hexadecimal `Status` field. - - - name: failure.sub_status - type: keyword - description: > - Additional information about the logon failure. This is a textual description based on the value of the hexidecimal `SubStatus` field. - diff --git a/packages/system/0.12.2/data_stream/security/fields/winlog.yml b/packages/system/0.12.2/data_stream/security/fields/winlog.yml deleted file mode 100755 index 4ac76fdcdc..0000000000 --- a/packages/system/0.12.2/data_stream/security/fields/winlog.yml +++ /dev/null 
@@ -1,361 +0,0 @@ -- name: winlog - type: group - description: > - All fields specific to the Windows Event Log are defined here. - - fields: - - name: api - required: true - type: keyword - description: > - The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. - - The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. - - - name: activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. - - - name: computer_name - type: keyword - required: true - description: > - The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. - - - name: event_data - type: object - object_type: keyword - required: false - description: > - The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. - - - name: event_data - type: group - description: > - This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs. 
- - fields: - - name: AuthenticationPackageName - type: keyword - - name: Binary - type: keyword - - name: BitlockerUserInputTime - type: keyword - - name: BootMode - type: keyword - - name: BootType - type: keyword - - name: BuildVersion - type: keyword - - name: Company - type: keyword - - name: CorruptionActionState - type: keyword - - name: CreationUtcTime - type: keyword - - name: Description - type: keyword - - name: Detail - type: keyword - - name: DeviceName - type: keyword - - name: DeviceNameLength - type: keyword - - name: DeviceTime - type: keyword - - name: DeviceVersionMajor - type: keyword - - name: DeviceVersionMinor - type: keyword - - name: DriveName - type: keyword - - name: DriverName - type: keyword - - name: DriverNameLength - type: keyword - - name: DwordVal - type: keyword - - name: EntryCount - type: keyword - - name: ExtraInfo - type: keyword - - name: FailureName - type: keyword - - name: FailureNameLength - type: keyword - - name: FileVersion - type: keyword - - name: FinalStatus - type: keyword - - name: Group - type: keyword - - name: IdleImplementation - type: keyword - - name: IdleStateCount - type: keyword - - name: ImpersonationLevel - type: keyword - - name: IntegrityLevel - type: keyword - - name: IpAddress - type: keyword - - name: IpPort - type: keyword - - name: KeyLength - type: keyword - - name: LastBootGood - type: keyword - - name: LastShutdownGood - type: keyword - - name: LmPackageName - type: keyword - - name: LogonGuid - type: keyword - - name: LogonId - type: keyword - - name: LogonProcessName - type: keyword - - name: LogonType - type: keyword - - name: MajorVersion - type: keyword - - name: MaximumPerformancePercent - type: keyword - - name: MemberName - type: keyword - - name: MemberSid - type: keyword - - name: MinimumPerformancePercent - type: keyword - - name: MinimumThrottlePercent - type: keyword - - name: MinorVersion - type: keyword - - name: NewProcessId - type: keyword - - name: NewProcessName - type: 
keyword - - name: NewSchemeGuid - type: keyword - - name: NewTime - type: keyword - - name: NominalFrequency - type: keyword - - name: Number - type: keyword - - name: OldSchemeGuid - type: keyword - - name: OldTime - type: keyword - - name: OriginalFileName - type: keyword - - name: Path - type: keyword - - name: PerformanceImplementation - type: keyword - - name: PreviousCreationUtcTime - type: keyword - - name: PreviousTime - type: keyword - - name: PrivilegeList - type: keyword - - name: ProcessId - type: keyword - - name: ProcessName - type: keyword - - name: ProcessPath - type: keyword - - name: ProcessPid - type: keyword - - name: Product - type: keyword - - name: PuaCount - type: keyword - - name: PuaPolicyId - type: keyword - - name: QfeVersion - type: keyword - - name: Reason - type: keyword - - name: SchemaVersion - type: keyword - - name: ScriptBlockText - type: keyword - - name: ServiceName - type: keyword - - name: ServiceVersion - type: keyword - - name: ShutdownActionType - type: keyword - - name: ShutdownEventCode - type: keyword - - name: ShutdownReason - type: keyword - - name: Signature - type: keyword - - name: SignatureStatus - type: keyword - - name: Signed - type: keyword - - name: StartTime - type: keyword - - name: State - type: keyword - - name: Status - type: keyword - - name: StopTime - type: keyword - - name: SubjectDomainName - type: keyword - - name: SubjectLogonId - type: keyword - - name: SubjectUserName - type: keyword - - name: SubjectUserSid - type: keyword - - name: TSId - type: keyword - - name: TargetDomainName - type: keyword - - name: TargetInfo - type: keyword - - name: TargetLogonGuid - type: keyword - - name: TargetLogonId - type: keyword - - name: TargetServerName - type: keyword - - name: TargetUserName - type: keyword - - name: TargetUserSid - type: keyword - - name: TerminalSessionId - type: keyword - - name: TokenElevationType - type: keyword - - name: TransmittedServices - type: keyword - - name: UserSid - type: 
keyword - - name: Version - type: keyword - - name: Workstation - type: keyword - - name: param1 - type: keyword - - name: param2 - type: keyword - - name: param3 - type: keyword - - name: param4 - type: keyword - - name: param5 - type: keyword - - name: param6 - type: keyword - - name: param7 - type: keyword - - name: param8 - type: keyword - - name: event_id - type: keyword - required: true - description: > - The event identifier. The value is specific to the source of the event. - - - name: keywords - type: keyword - required: false - description: > - The keywords are used to classify an event. - - - name: channel - type: keyword - required: true - description: > - The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. - - - name: record_id - type: keyword - required: true - description: > - The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. - - - name: related_activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. - - - name: opcode - type: keyword - required: false - description: > - The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. - - - name: provider_guid - type: keyword - required: false - description: > - A globally unique identifier that identifies the provider that logged the event. - - - name: process.pid - type: long - required: false - description: > - The process_id of the Client Server Runtime Process. 
- - - name: provider_name - type: keyword - required: true - description: > - The source of the event log record (the application or service that logged the record). - - - name: task - type: keyword - required: false - description: > - The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. - - - name: process.thread.id - type: long - required: false - - name: user_data - type: object - object_type: keyword - required: false - description: > - The event specific data. This field is mutually exclusive with `event_data`. - - - name: user.identifier - type: keyword - required: false - example: S-1-5-21-3541430928-2051711210-1391384369-1001 - description: > - The Windows security identifier (SID) of the account associated with this event. - - If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. - - - name: user.name - type: keyword - description: > - Name of the user associated with this event. - - - name: user.domain - type: keyword - required: false - description: > - The domain that the account associated with this event is a member of. - - - name: user.type - type: keyword - required: false - description: > - The type of account associated with this event. - - - name: version - type: long - required: false - description: The version number of the event's definition. diff --git a/packages/system/0.12.2/data_stream/security/manifest.yml b/packages/system/0.12.2/data_stream/security/manifest.yml deleted file mode 100755 index c2de21a474..0000000000 --- a/packages/system/0.12.2/data_stream/security/manifest.yml +++ /dev/null 
@@ -1,34 +0,0 @@
-type: logs
-title: Security logs
-release: experimental
-streams:
- - input: winlog
- template_path: winlog.yml.hbs
- title: Security
- description: 'Security channel'
- - input: httpjson
- title: Windows Security Events via Splunk Enterprise REST API
- description: Collect Security Events via Splunk Enterprise REST API
- enabled: false
- template_path: httpjson.yml.hbs
- vars:
- - name: interval
- type: text
- title: Interval to query Splunk Enterprise REST API
- description: Go Duration syntax (eg. 10s)
- show_user: true
- required: true
- default: 10s
- - name: search
- type: text
- title: Splunk search string
- show_user: false
- required: true
- default: "search sourcetype=\"XmlWinEventLog:Security\""
- - name: tags
- type: text
- title: Tags
- multi: true
- show_user: false
- default:
- - forwarded
diff --git a/packages/system/0.12.2/data_stream/socket_summary/agent/stream/stream.yml.hbs b/packages/system/0.12.2/data_stream/socket_summary/agent/stream/stream.yml.hbs
deleted file mode 100755
index 98643a9111..0000000000
--- a/packages/system/0.12.2/data_stream/socket_summary/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,5 +0,0 @@
-metricsets: ["socket_summary"]
-period: {{period}}
-{{#if system.hostfs}}
-system.hostfs: {{system.hostfs}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/system/0.12.2/data_stream/socket_summary/fields/agent.yml b/packages/system/0.12.2/data_stream/socket_summary/fields/agent.yml
deleted file mode 100755
index da4e652c53..0000000000
--- a/packages/system/0.12.2/data_stream/socket_summary/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.12.2/data_stream/socket_summary/fields/base-fields.yml b/packages/system/0.12.2/data_stream/socket_summary/fields/base-fields.yml deleted file mode 100755 index 7c798f4534..0000000000 --- a/packages/system/0.12.2/data_stream/socket_summary/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.12.2/data_stream/socket_summary/fields/ecs.yml b/packages/system/0.12.2/data_stream/socket_summary/fields/ecs.yml deleted file mode 100755 index 9f3d04118b..0000000000 --- a/packages/system/0.12.2/data_stream/socket_summary/fields/ecs.yml +++ /dev/null 
@@ -1,128 +0,0 @@ -- name: '@timestamp' - level: core - required: true - type: date - description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. -- name: message - level: core - type: text - description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. -- name: group - title: Group - group: 2 - type: group - fields: - - name: id - level: extended - type: keyword - description: Unique identifier for the group on the system/platform. - ignore_above: 1024 - - name: name - level: extended - type: keyword - description: Name of the group. - ignore_above: 1024 -- name: host - title: Host - group: 2 - type: group - fields: - - name: hostname - level: core - type: keyword - description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - ignore_above: 1024 -- name: process - title: Process - group: 2 - type: group - fields: - - name: name - level: extended - type: keyword - description: |- - Process name. - Sometimes called program name or similar. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - - name: pid - level: core - type: long - format: string - description: Process id. -- name: source - title: Source - group: 2 - type: group - fields: - - name: geo.city_name - level: core - type: keyword - description: City name. 
- ignore_above: 1024 - - name: geo.continent_name - level: core - type: keyword - description: Name of the continent. - ignore_above: 1024 - - name: geo.country_iso_code - level: core - type: keyword - description: Country ISO code. - ignore_above: 1024 - - name: geo.location - level: core - type: geo_point - description: Longitude and latitude. - - name: geo.region_iso_code - level: core - type: keyword - description: Region ISO code. - ignore_above: 1024 - - name: geo.region_name - level: core - type: keyword - description: Region name. - ignore_above: 1024 - - name: ip - level: core - type: ip - description: IP address of the source (IPv4 or IPv6). - - name: port - level: core - type: long - format: string - description: Port of the source. -- name: user - title: User - group: 2 - type: group - fields: - - name: id - level: core - type: keyword - description: Unique identifier of the user. - ignore_above: 1024 - - name: name - level: core - type: keyword - description: Short name or login of the user. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false diff --git a/packages/system/0.12.2/data_stream/socket_summary/fields/fields.yml b/packages/system/0.12.2/data_stream/socket_summary/fields/fields.yml deleted file mode 100755 index fca58be0c8..0000000000 --- a/packages/system/0.12.2/data_stream/socket_summary/fields/fields.yml +++ /dev/null 
@@ -1,106 +0,0 @@ -- name: system.socket.summary - title: Socket summary - type: group - fields: - - name: all - type: group - fields: - - name: count - type: integer - metric_type: gauge - description: | - All open connections - - name: listening - type: integer - metric_type: gauge - description: | - All listening ports - - name: tcp - type: group - fields: - - name: memory - type: integer - format: bytes - unit: byte - metric_type: gauge - description: "Memory used by TCP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/tcp_mem. Only available on Linux. \n" - - name: all - type: group - fields: - - name: orphan - type: integer - metric_type: gauge - description: | - A count of all orphaned tcp sockets. Only available on Linux. - - name: count - type: integer - metric_type: gauge - description: | - All open TCP connections - - name: listening - type: integer - metric_type: gauge - description: | - All TCP listening ports - - name: established - type: integer - metric_type: gauge - description: | - Number of established TCP connections - - name: close_wait - type: integer - metric_type: gauge - description: | - Number of TCP connections in _close_wait_ state - - name: time_wait - type: integer - metric_type: gauge - description: | - Number of TCP connections in _time_wait_ state - - name: syn_sent - type: integer - metric_type: gauge - description: | - Number of TCP connections in _syn_sent_ state - - name: syn_recv - type: integer - metric_type: gauge - description: | - Number of TCP connections in _syn_recv_ state - - name: fin_wait1 - type: integer - metric_type: gauge - description: | - Number of TCP connections in _fin_wait1_ state - - name: fin_wait2 - type: integer - metric_type: gauge - description: | - Number of TCP connections in _fin_wait2_ state - - name: last_ack - type: integer - metric_type: gauge - description: | - Number of TCP connections in _last_ack_ state - - name: 
closing - type: integer - metric_type: gauge - description: | - Number of TCP connections in _closing_ state - - name: udp - type: group - fields: - - name: memory - type: integer - format: bytes - unit: byte - metric_type: gauge - description: "Memory used by UDP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/udp_mem. Only available on Linux. \n" - - name: all - type: group - fields: - - name: count - type: integer - metric_type: gauge - description: | - All open UDP connections diff --git a/packages/system/0.12.2/data_stream/socket_summary/manifest.yml b/packages/system/0.12.2/data_stream/socket_summary/manifest.yml deleted file mode 100755 index 119109fe70..0000000000 --- a/packages/system/0.12.2/data_stream/socket_summary/manifest.yml +++ /dev/null @@ -1,15 +0,0 @@ -title: System socket_summary metrics -release: experimental -type: metrics -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - title: System socket_summary metrics - description: Collect System socket_summary metrics diff --git a/packages/system/0.12.2/data_stream/syslog/agent/stream/log.yml.hbs b/packages/system/0.12.2/data_stream/syslog/agent/stream/log.yml.hbs deleted file mode 100755 index 09e5d53429..0000000000 --- a/packages/system/0.12.2/data_stream/syslog/agent/stream/log.yml.hbs +++ /dev/null @@ -1,14 +0,0 @@ -paths: -{{#each paths as |path i|}} - - {{path}} -{{/each}} -exclude_files: [".gz$"] -multiline: - pattern: "^\\s" - match: after -processors: - - add_locale: ~ - - add_fields: - target: '' - fields: - ecs.version: 1.9.0 diff --git a/packages/system/0.12.2/data_stream/syslog/elasticsearch/ingest_pipeline/default.yml b/packages/system/0.12.2/data_stream/syslog/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index b71c6624a7..0000000000 
--- a/packages/system/0.12.2/data_stream/syslog/elasticsearch/ingest_pipeline/default.yml +++ /dev/null @@ -1,53 +0,0 @@ ---- -description: Pipeline for parsing Syslog messages. -processors: -- grok: - field: message - patterns: - - '%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: %{GREEDYMULTILINE:system.syslog.message}' - - '%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{GREEDYMULTILINE:system.syslog.message}' - - '%{TIMESTAMP_ISO8601:system.syslog.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: %{GREEDYMULTILINE:system.syslog.message}' - pattern_definitions: - GREEDYMULTILINE: |- - (.| - )* - ignore_missing: true -- remove: - field: message -- rename: - field: system.syslog.message - target_field: message - ignore_missing: true -- date: - if: ctx.event.timezone == null - field: system.syslog.timestamp - target_field: '@timestamp' - formats: - - MMM d HH:mm:ss - - MMM dd HH:mm:ss - - MMM d HH:mm:ss - - ISO8601 - on_failure: - - append: - field: error.message - value: '{{ _ingest.on_failure_message }}' -- date: - if: ctx.event.timezone != null - field: system.syslog.timestamp - target_field: '@timestamp' - formats: - - MMM d HH:mm:ss - - MMM dd HH:mm:ss - - MMM d HH:mm:ss - - ISO8601 - timezone: '{{ event.timezone }}' - on_failure: - - append: - field: error.message - value: '{{ _ingest.on_failure_message }}' -- remove: - field: system.syslog.timestamp -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/system/0.12.2/data_stream/syslog/fields/agent.yml b/packages/system/0.12.2/data_stream/syslog/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/system/0.12.2/data_stream/syslog/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.12.2/data_stream/syslog/fields/base-fields.yml b/packages/system/0.12.2/data_stream/syslog/fields/base-fields.yml deleted file mode 100755 index 7c798f4534..0000000000 --- a/packages/system/0.12.2/data_stream/syslog/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.12.2/data_stream/syslog/fields/ecs.yml b/packages/system/0.12.2/data_stream/syslog/fields/ecs.yml deleted file mode 100755 index 98813a326e..0000000000 --- a/packages/system/0.12.2/data_stream/syslog/fields/ecs.yml +++ /dev/null 
@@ -1,144 +0,0 @@ -- name: '@timestamp' - level: core - required: true - type: date - description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. -- name: message - level: core - type: text - description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. -- name: process - title: Process - group: 2 - type: group - fields: - - name: name - level: extended - type: keyword - description: |- - Process name. - Sometimes called program name or similar. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - - name: pid - level: core - type: long - format: string - description: Process id. -- description: "Operating system architecture." - ignore_above: 1024 - name: host.architecture - type: keyword -- description: "Name of the directory the group is a member of." - ignore_above: 1024 - name: host.domain - type: keyword -- description: "Hostname of the host." - ignore_above: 1024 - name: host.hostname - type: keyword -- description: "Unique host id." - ignore_above: 1024 - name: host.id - type: keyword -- description: "Host ip addresses." - name: host.ip - type: ip -- description: "Host mac addresses." - ignore_above: 1024 - name: host.mac - type: keyword -- description: "Name of the host." - ignore_above: 1024 - name: host.name - type: keyword -- description: "OS family (such as redhat, debian, freebsd, windows)." 
- ignore_above: 1024 - name: host.os.family - type: keyword -- description: "Operating system name, including the version or code name." - ignore_above: 1024 - multi_fields: - - name: text - norms: false - type: text - name: host.os.full - type: keyword -- description: "Operating system kernel version as a raw string." - ignore_above: 1024 - name: host.os.kernel - type: keyword -- description: "Operating system name, without the version." - ignore_above: 1024 - multi_fields: - - name: text - norms: false - type: text - name: host.os.name - type: keyword -- description: "Operating system platform (such centos, ubuntu, windows)." - ignore_above: 1024 - name: host.os.platform - type: keyword -- description: "Operating system version as a raw string." - ignore_above: 1024 - name: version - type: keyword -- name: event - title: Event - type: group - fields: - - name: action - type: keyword - ignore_above: 1024 - description: 'The action captured by the event.' - - name: category - type: keyword - ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.' - - name: code - type: keyword - ignore_above: 1024 - description: 'Identification code for this event, if one exists.' - - name: created - type: date - description: 'event.created contains the date/time when the event was first read by an agent, or by your pipeline.' - - name: ingested - type: date - description: 'Timestamp when an event arrived in the central data store.' - default_field: false - - name: kind - type: keyword - ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.' - - name: module - type: keyword - ignore_above: 1024 - description: 'Name of the module this data is coming from.' 
- - name: outcome - type: keyword - ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.' - - name: provider - type: keyword - ignore_above: 1024 - description: 'Source of the event.' - - name: sequence - type: long - format: string - description: 'Sequence number of the event.' - - name: type - type: keyword - ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.' diff --git a/packages/system/0.12.2/data_stream/syslog/fields/fields.yml b/packages/system/0.12.2/data_stream/syslog/fields/fields.yml deleted file mode 100755 index f933686930..0000000000 --- a/packages/system/0.12.2/data_stream/syslog/fields/fields.yml +++ /dev/null @@ -1,2 +0,0 @@ -- name: system.syslog - type: group diff --git a/packages/system/0.12.2/data_stream/syslog/manifest.yml b/packages/system/0.12.2/data_stream/syslog/manifest.yml deleted file mode 100755 index 1aa1fe9412..0000000000 --- a/packages/system/0.12.2/data_stream/syslog/manifest.yml +++ /dev/null @@ -1,18 +0,0 @@ -title: System syslog logs -release: experimental -type: logs -streams: - - input: logfile - vars: - - name: paths - type: text - title: Paths - multi: true - required: true - show_user: true - default: - - /var/log/messages* - - /var/log/syslog* - template_path: log.yml.hbs - title: System syslog logs (log) - description: Collect System syslog logs using log input diff --git a/packages/system/0.12.2/data_stream/system/agent/stream/httpjson.yml.hbs b/packages/system/0.12.2/data_stream/system/agent/stream/httpjson.yml.hbs deleted file mode 100755 index e5e84c288a..0000000000 --- a/packages/system/0.12.2/data_stream/system/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,90 +0,0 @@ -config_version: "2" -interval: {{interval}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: |- - {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -response.decode_as: application/x-ndjson -tags: -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains tags "forwarded"}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: - - decode_json_fields: - fields: message - target: json - add_error_key: true - - drop_event: - when: - not: - has_fields: ['json.result'] - - fingerprint: - fields: - - json.result._cd - - json.result._indextime - - json.result._raw - - json.result._time - - json.result.host - - json.result.source - target_field: "@metadata._id" - - drop_fields: - fields: message - - rename: - fields: - - from: json.result._raw - to: event.original - - from: json.result.host - to: host.name - - from: json.result.source - to: event.provider - ignore_missing: true - fail_on_error: false - - drop_fields: - fields: json - - decode_xml_wineventlog: - field: event.original - target_field: winlog - ignore_missing: true - ignore_failure: true - map_ecs_fields: true - - timestamp: - field: winlog.time_created - layouts: - - '2006-01-02T15:04:05Z' - - '2006-01-02T15:04:05.999Z' - - '2006-01-02T15:04:05.999-07:00' - test: - - '2019-06-22T16:33:51Z' - - '2019-11-18T04:59:51.123Z' - - 
'2020-08-03T07:10:20.123456+02:00' - - add_fields: - target: '' - fields: - ecs.version: 1.8.0 diff --git a/packages/system/0.12.2/data_stream/system/agent/stream/winlog.yml.hbs b/packages/system/0.12.2/data_stream/system/agent/stream/winlog.yml.hbs deleted file mode 100755 index 47df93c51d..0000000000 --- a/packages/system/0.12.2/data_stream/system/agent/stream/winlog.yml.hbs +++ /dev/null @@ -1,2 +0,0 @@ -name: System -condition: ${host.platform} == 'windows' \ No newline at end of file diff --git a/packages/system/0.12.2/data_stream/system/elasticsearch/ingest_pipeline/default.yml b/packages/system/0.12.2/data_stream/system/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 9f7e885a2f..0000000000 --- a/packages/system/0.12.2/data_stream/system/elasticsearch/ingest_pipeline/default.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -description: Pipeline for Windows System Event Logs -processors: - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' -on_failure: - - set: - field: "error.message" - value: "{{ _ingest.on_failure_message }}" \ No newline at end of file diff --git a/packages/system/0.12.2/data_stream/system/fields/agent.yml b/packages/system/0.12.2/data_stream/system/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/system/0.12.2/data_stream/system/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.12.2/data_stream/system/fields/base-fields.yml b/packages/system/0.12.2/data_stream/system/fields/base-fields.yml
deleted file mode 100755
index 7c798f4534..0000000000
--- a/packages/system/0.12.2/data_stream/system/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.12.2/data_stream/system/fields/ecs.yml b/packages/system/0.12.2/data_stream/system/fields/ecs.yml
deleted file mode 100755
index 7d0ffb54d4..0000000000
--- a/packages/system/0.12.2/data_stream/system/fields/ecs.yml
+++ /dev/null
@@ -1,54 +0,0 @@
-- name: event
- title: Event
- type: group
- fields:
- - name: action
- type: keyword
- ignore_above: 1024
- description: 'The action captured by the event.'
- - name: category
- type: keyword
- ignore_above: 1024
- description: 'This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.'
- - name: code
- type: keyword
- ignore_above: 1024
- description: 'Identification code for this event, if one exists.'
- - name: created
- type: date
- description: 'event.created contains the date/time when the event was first read by an agent, or by your pipeline.'
- - name: ingested
- type: date
- description: 'Timestamp when an event arrived in the central data store.'
- default_field: false
- - name: kind
- type: keyword
- ignore_above: 1024
- description: 'This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.'
- - name: module
- type: keyword
- ignore_above: 1024
- description: 'Name of the module this data is coming from.'
- - name: outcome
- type: keyword
- ignore_above: 1024
- description: 'This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.'
- - name: provider
- type: keyword
- ignore_above: 1024
- description: 'Source of the event.'
- - name: sequence
- type: long
- format: string
- description: 'Sequence number of the event.'
- - name: type
- type: keyword
- ignore_above: 1024
- description: 'This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.'
- - name: original
- example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232
- ignore_above: 1024
- type: keyword
-- description: Error message.
- name: error.message
- type: text
diff --git a/packages/system/0.12.2/data_stream/system/fields/winlog.yml b/packages/system/0.12.2/data_stream/system/fields/winlog.yml
deleted file mode 100755
index adca1bbdd0..0000000000
--- a/packages/system/0.12.2/data_stream/system/fields/winlog.yml
+++ /dev/null
@@ -1,357 +0,0 @@ -- name: winlog - type: group - description: > - All fields specific to the Windows Event Log are defined here. - - fields: - - name: api - required: true - type: keyword - description: > - The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. - - - name: activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. - - - name: computer_name - type: keyword - required: true - description: > - The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. - - - name: event_data - type: object - object_type: keyword - required: false - description: > - The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. - - - name: event_data - type: group - description: > - This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs. 
- - fields: - - name: AuthenticationPackageName - type: keyword - - name: Binary - type: keyword - - name: BitlockerUserInputTime - type: keyword - - name: BootMode - type: keyword - - name: BootType - type: keyword - - name: BuildVersion - type: keyword - - name: Company - type: keyword - - name: CorruptionActionState - type: keyword - - name: CreationUtcTime - type: keyword - - name: Description - type: keyword - - name: Detail - type: keyword - - name: DeviceName - type: keyword - - name: DeviceNameLength - type: keyword - - name: DeviceTime - type: keyword - - name: DeviceVersionMajor - type: keyword - - name: DeviceVersionMinor - type: keyword - - name: DriveName - type: keyword - - name: DriverName - type: keyword - - name: DriverNameLength - type: keyword - - name: DwordVal - type: keyword - - name: EntryCount - type: keyword - - name: ExtraInfo - type: keyword - - name: FailureName - type: keyword - - name: FailureNameLength - type: keyword - - name: FileVersion - type: keyword - - name: FinalStatus - type: keyword - - name: Group - type: keyword - - name: IdleImplementation - type: keyword - - name: IdleStateCount - type: keyword - - name: ImpersonationLevel - type: keyword - - name: IntegrityLevel - type: keyword - - name: IpAddress - type: keyword - - name: IpPort - type: keyword - - name: KeyLength - type: keyword - - name: LastBootGood - type: keyword - - name: LastShutdownGood - type: keyword - - name: LmPackageName - type: keyword - - name: LogonGuid - type: keyword - - name: LogonId - type: keyword - - name: LogonProcessName - type: keyword - - name: LogonType - type: keyword - - name: MajorVersion - type: keyword - - name: MaximumPerformancePercent - type: keyword - - name: MemberName - type: keyword - - name: MemberSid - type: keyword - - name: MinimumPerformancePercent - type: keyword - - name: MinimumThrottlePercent - type: keyword - - name: MinorVersion - type: keyword - - name: NewProcessId - type: keyword - - name: NewProcessName - type: 
keyword - - name: NewSchemeGuid - type: keyword - - name: NewTime - type: keyword - - name: NominalFrequency - type: keyword - - name: Number - type: keyword - - name: OldSchemeGuid - type: keyword - - name: OldTime - type: keyword - - name: OriginalFileName - type: keyword - - name: Path - type: keyword - - name: PerformanceImplementation - type: keyword - - name: PreviousCreationUtcTime - type: keyword - - name: PreviousTime - type: keyword - - name: PrivilegeList - type: keyword - - name: ProcessId - type: keyword - - name: ProcessName - type: keyword - - name: ProcessPath - type: keyword - - name: ProcessPid - type: keyword - - name: Product - type: keyword - - name: PuaCount - type: keyword - - name: PuaPolicyId - type: keyword - - name: QfeVersion - type: keyword - - name: Reason - type: keyword - - name: SchemaVersion - type: keyword - - name: ScriptBlockText - type: keyword - - name: ServiceName - type: keyword - - name: ServiceVersion - type: keyword - - name: ShutdownActionType - type: keyword - - name: ShutdownEventCode - type: keyword - - name: ShutdownReason - type: keyword - - name: Signature - type: keyword - - name: SignatureStatus - type: keyword - - name: Signed - type: keyword - - name: StartTime - type: keyword - - name: State - type: keyword - - name: Status - type: keyword - - name: StopTime - type: keyword - - name: SubjectDomainName - type: keyword - - name: SubjectLogonId - type: keyword - - name: SubjectUserName - type: keyword - - name: SubjectUserSid - type: keyword - - name: TSId - type: keyword - - name: TargetDomainName - type: keyword - - name: TargetInfo - type: keyword - - name: TargetLogonGuid - type: keyword - - name: TargetLogonId - type: keyword - - name: TargetServerName - type: keyword - - name: TargetUserName - type: keyword - - name: TargetUserSid - type: keyword - - name: TerminalSessionId - type: keyword - - name: TokenElevationType - type: keyword - - name: TransmittedServices - type: keyword - - name: UserSid - type: 
keyword - - name: Version - type: keyword - - name: Workstation - type: keyword - - name: param1 - type: keyword - - name: param2 - type: keyword - - name: param3 - type: keyword - - name: param4 - type: keyword - - name: param5 - type: keyword - - name: param6 - type: keyword - - name: param7 - type: keyword - - name: param8 - type: keyword - - name: event_id - type: keyword - required: true - description: > - The event identifier. The value is specific to the source of the event. - - - name: keywords - type: keyword - required: false - description: > - The keywords are used to classify an event. - - - name: channel - type: keyword - required: true - description: > - The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. - - - name: record_id - type: keyword - required: true - description: > - The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. - - - name: related_activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. - - - name: opcode - type: keyword - required: false - description: > - The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. - - - name: provider_guid - type: keyword - required: false - description: > - A globally unique identifier that identifies the provider that logged the event. - - - name: process.pid - type: long - required: false - description: > - The process_id of the Client Server Runtime Process. 
- - - name: provider_name - type: keyword - required: true - description: > - The source of the event log record (the application or service that logged the record). - - - name: task - type: keyword - required: false - description: > - The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. - - - name: process.thread.id - type: long - required: false - - name: user_data - type: object - object_type: keyword - required: false - description: > - The event specific data. This field is mutually exclusive with `event_data`. - - - name: user.identifier - type: keyword - required: false - example: S-1-5-21-3541430928-2051711210-1391384369-1001 - description: > - The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. - - - name: user.name - type: keyword - description: > - Name of the user associated with this event. - - - name: user.domain - type: keyword - required: false - description: > - The domain that the account associated with this event is a member of. - - - name: user.type - type: keyword - required: false - description: > - The type of account associated with this event. - - - name: version - type: long - required: false - description: The version number of the event's definition. diff --git a/packages/system/0.12.2/data_stream/system/manifest.yml b/packages/system/0.12.2/data_stream/system/manifest.yml deleted file mode 100755 index 6bc5b0c3e2..0000000000 --- a/packages/system/0.12.2/data_stream/system/manifest.yml +++ /dev/null 
@@ -1,34 +0,0 @@
-type: logs
-title: Windows System Events
-release: experimental
-streams:
- - input: winlog
- template_path: winlog.yml.hbs
- title: System
- description: 'Collect Windows system logs'
- - input: httpjson
- title: Windows System Events via Splunk Enterprise REST API
- description: Collect System Events via Splunk Enterprise REST API
- enabled: false
- template_path: httpjson.yml.hbs
- vars:
- - name: interval
- type: text
- title: Interval to query Splunk Enterprise REST API
- description: Go Duration syntax (eg. 10s)
- show_user: true
- required: true
- default: 10s
- - name: search
- type: text
- title: Splunk search string
- show_user: false
- required: true
- default: "search sourcetype=\"XmlWinEventLog:System\""
- - name: tags
- type: text
- title: Tags
- multi: true
- show_user: false
- default:
- - forwarded
diff --git a/packages/system/0.12.2/data_stream/uptime/agent/stream/stream.yml.hbs b/packages/system/0.12.2/data_stream/uptime/agent/stream/stream.yml.hbs
deleted file mode 100755
index 810f6a1f3e..0000000000
--- a/packages/system/0.12.2/data_stream/uptime/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,2 +0,0 @@
-metricsets: ["uptime"]
-period: {{period}}
\ No newline at end of file
diff --git a/packages/system/0.12.2/data_stream/uptime/fields/agent.yml b/packages/system/0.12.2/data_stream/uptime/fields/agent.yml
deleted file mode 100755
index da4e652c53..0000000000
--- a/packages/system/0.12.2/data_stream/uptime/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.12.2/data_stream/uptime/fields/base-fields.yml b/packages/system/0.12.2/data_stream/uptime/fields/base-fields.yml deleted file mode 100755 index 7c798f4534..0000000000 --- a/packages/system/0.12.2/data_stream/uptime/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.12.2/data_stream/uptime/fields/fields.yml b/packages/system/0.12.2/data_stream/uptime/fields/fields.yml deleted file mode 100755 index 7c61a13721..0000000000 --- a/packages/system/0.12.2/data_stream/uptime/fields/fields.yml +++ /dev/null @@ -1,10 +0,0 @@ -- name: system.uptime - type: group - fields: - - name: duration.ms - type: long - format: duration - unit: ms - metric_type: counter - description: | - The OS uptime in milliseconds. diff --git a/packages/system/0.12.2/data_stream/uptime/manifest.yml b/packages/system/0.12.2/data_stream/uptime/manifest.yml deleted file mode 100755 index d1fc1f1579..0000000000 --- a/packages/system/0.12.2/data_stream/uptime/manifest.yml +++ /dev/null @@ -1,15 +0,0 @@ -title: System uptime metrics -release: experimental -type: metrics -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - title: System uptime metrics - description: Collect System uptime metrics diff --git a/packages/system/0.12.2/docs/README.md b/packages/system/0.12.2/docs/README.md deleted file mode 100755 index 850ff614c6..0000000000 --- a/packages/system/0.12.2/docs/README.md +++ /dev/null 
@@ -1,1681 +0,0 @@
-# System Integration
-
-The System integrations allows you to monitor your servers. Because the System integration
-always applies to the local server, the `hosts` config option is not needed.
-
-The default datasets are `cpu`, `load`, `memory`, `network`, `process`, and
-`process_summary`. If _all_ datasets are disabled
-and the System module is still enabled, fleet uses the default datasets.
-
-Note that certain datasets may access `/proc` to gather process information,
-and the resulting `ptrace_may_access()` call by the kernel to check for
-permissions can be blocked by
-[AppArmor and other LSM software](https://gitlab.com/apparmor/apparmor/wikis/TechnicalDoc_Proc_and_ptrace), even though the System module doesn't use `ptrace` directly.
-
-In addition, when running inside a container the proc filesystem directory of the host
-should be set using `system.hostfs` setting to `/hostfs`.
-
-## Compatibility
-
-The System datasets collect different kinds of metric data, which may require dedicated permissions
-to be fetched and which may vary across operating systems.
-
-## Logs
-
-### Application
-
-The Windows `application` dataset provides events from the Windows
-`Application` event log.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud.
| keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| error.message | Error message. | text | -| event.code | Identification code for this event. | keyword | -| event.created | Time when the event was first read by an agent or by your pipeline. | date | -| event.ingested | Timestamp when an event arrived in the central data store. | date | -| event.original | Raw text message of entire event. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. 
| keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword | -| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword | -| winlog.channel | The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. | keyword | -| winlog.computer_name | The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. | keyword | -| winlog.event_data | The event-specific data. This field is mutually exclusive with `user_data`. 
If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. | object | -| winlog.event_data.AuthenticationPackageName | | keyword | -| winlog.event_data.Binary | | keyword | -| winlog.event_data.BitlockerUserInputTime | | keyword | -| winlog.event_data.BootMode | | keyword | -| winlog.event_data.BootType | | keyword | -| winlog.event_data.BuildVersion | | keyword | -| winlog.event_data.Company | | keyword | -| winlog.event_data.CorruptionActionState | | keyword | -| winlog.event_data.CreationUtcTime | | keyword | -| winlog.event_data.Description | | keyword | -| winlog.event_data.Detail | | keyword | -| winlog.event_data.DeviceName | | keyword | -| winlog.event_data.DeviceNameLength | | keyword | -| winlog.event_data.DeviceTime | | keyword | -| winlog.event_data.DeviceVersionMajor | | keyword | -| winlog.event_data.DeviceVersionMinor | | keyword | -| winlog.event_data.DriveName | | keyword | -| winlog.event_data.DriverName | | keyword | -| winlog.event_data.DriverNameLength | | keyword | -| winlog.event_data.DwordVal | | keyword | -| winlog.event_data.EntryCount | | keyword | -| winlog.event_data.ExtraInfo | | keyword | -| winlog.event_data.FailureName | | keyword | -| winlog.event_data.FailureNameLength | | keyword | -| winlog.event_data.FileVersion | | keyword | -| winlog.event_data.FinalStatus | | keyword | -| winlog.event_data.Group | | keyword | -| winlog.event_data.IdleImplementation | | keyword | -| winlog.event_data.IdleStateCount | | keyword | -| winlog.event_data.ImpersonationLevel | | keyword | -| winlog.event_data.IntegrityLevel | | keyword | -| winlog.event_data.IpAddress | | keyword | -| winlog.event_data.IpPort | | keyword | -| winlog.event_data.KeyLength | | keyword | -| winlog.event_data.LastBootGood | | keyword | -| winlog.event_data.LastShutdownGood | | keyword | -| 
winlog.event_data.LmPackageName | | keyword | -| winlog.event_data.LogonGuid | | keyword | -| winlog.event_data.LogonId | | keyword | -| winlog.event_data.LogonProcessName | | keyword | -| winlog.event_data.LogonType | | keyword | -| winlog.event_data.MajorVersion | | keyword | -| winlog.event_data.MaximumPerformancePercent | | keyword | -| winlog.event_data.MemberName | | keyword | -| winlog.event_data.MemberSid | | keyword | -| winlog.event_data.MinimumPerformancePercent | | keyword | -| winlog.event_data.MinimumThrottlePercent | | keyword | -| winlog.event_data.MinorVersion | | keyword | -| winlog.event_data.NewProcessId | | keyword | -| winlog.event_data.NewProcessName | | keyword | -| winlog.event_data.NewSchemeGuid | | keyword | -| winlog.event_data.NewTime | | keyword | -| winlog.event_data.NominalFrequency | | keyword | -| winlog.event_data.Number | | keyword | -| winlog.event_data.OldSchemeGuid | | keyword | -| winlog.event_data.OldTime | | keyword | -| winlog.event_data.OriginalFileName | | keyword | -| winlog.event_data.Path | | keyword | -| winlog.event_data.PerformanceImplementation | | keyword | -| winlog.event_data.PreviousCreationUtcTime | | keyword | -| winlog.event_data.PreviousTime | | keyword | -| winlog.event_data.PrivilegeList | | keyword | -| winlog.event_data.ProcessId | | keyword | -| winlog.event_data.ProcessName | | keyword | -| winlog.event_data.ProcessPath | | keyword | -| winlog.event_data.ProcessPid | | keyword | -| winlog.event_data.Product | | keyword | -| winlog.event_data.PuaCount | | keyword | -| winlog.event_data.PuaPolicyId | | keyword | -| winlog.event_data.QfeVersion | | keyword | -| winlog.event_data.Reason | | keyword | -| winlog.event_data.SchemaVersion | | keyword | -| winlog.event_data.ScriptBlockText | | keyword | -| winlog.event_data.ServiceName | | keyword | -| winlog.event_data.ServiceVersion | | keyword | -| winlog.event_data.ShutdownActionType | | keyword | -| winlog.event_data.ShutdownEventCode | | keyword | -| 
winlog.event_data.ShutdownReason | | keyword | -| winlog.event_data.Signature | | keyword | -| winlog.event_data.SignatureStatus | | keyword | -| winlog.event_data.Signed | | keyword | -| winlog.event_data.StartTime | | keyword | -| winlog.event_data.State | | keyword | -| winlog.event_data.Status | | keyword | -| winlog.event_data.StopTime | | keyword | -| winlog.event_data.SubjectDomainName | | keyword | -| winlog.event_data.SubjectLogonId | | keyword | -| winlog.event_data.SubjectUserName | | keyword | -| winlog.event_data.SubjectUserSid | | keyword | -| winlog.event_data.TSId | | keyword | -| winlog.event_data.TargetDomainName | | keyword | -| winlog.event_data.TargetInfo | | keyword | -| winlog.event_data.TargetLogonGuid | | keyword | -| winlog.event_data.TargetLogonId | | keyword | -| winlog.event_data.TargetServerName | | keyword | -| winlog.event_data.TargetUserName | | keyword | -| winlog.event_data.TargetUserSid | | keyword | -| winlog.event_data.TerminalSessionId | | keyword | -| winlog.event_data.TokenElevationType | | keyword | -| winlog.event_data.TransmittedServices | | keyword | -| winlog.event_data.UserSid | | keyword | -| winlog.event_data.Version | | keyword | -| winlog.event_data.Workstation | | keyword | -| winlog.event_data.param1 | | keyword | -| winlog.event_data.param2 | | keyword | -| winlog.event_data.param3 | | keyword | -| winlog.event_data.param4 | | keyword | -| winlog.event_data.param5 | | keyword | -| winlog.event_data.param6 | | keyword | -| winlog.event_data.param7 | | keyword | -| winlog.event_data.param8 | | keyword | -| winlog.event_id | The event identifier. The value is specific to the source of the event. | keyword | -| winlog.keywords | The keywords are used to classify an event. | keyword | -| winlog.opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. 
| keyword | -| winlog.process.pid | The process_id of the Client Server Runtime Process. | long | -| winlog.process.thread.id | | long | -| winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. | keyword | -| winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword | -| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | keyword | -| winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. | keyword | -| winlog.task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. | keyword | -| winlog.user.domain | The domain that the account associated with this event is a member of. | keyword | -| winlog.user.identifier | The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. | keyword | -| winlog.user.name | Name of the user associated with this event. | keyword | -| winlog.user.type | The type of account associated with this event. | keyword | -| winlog.user_data | The event specific data. This field is mutually exclusive with `event_data`. 
| object | -| winlog.version | The version number of the event's definition. | long | - - -### System - -The Windows `system` dataset provides events from the Windows `System` -event log. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| error.message | Error message. | text | -| event.action | The action captured by the event. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. | keyword | -| event.code | Identification code for this event, if one exists. 
| keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. | date | -| event.ingested | Timestamp when an event arrived in the central data store. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. | keyword | -| event.module | Name of the module this data is coming from. | keyword | -| event.original | | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. | keyword | -| event.provider | Source of the event. | keyword | -| event.sequence | Sequence number of the event. | long | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. 
| keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword | -| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword | -| winlog.channel | The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. | keyword | -| winlog.computer_name | The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. | keyword | -| winlog.event_data | The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. 
| object | -| winlog.event_data.AuthenticationPackageName | | keyword | -| winlog.event_data.Binary | | keyword | -| winlog.event_data.BitlockerUserInputTime | | keyword | -| winlog.event_data.BootMode | | keyword | -| winlog.event_data.BootType | | keyword | -| winlog.event_data.BuildVersion | | keyword | -| winlog.event_data.Company | | keyword | -| winlog.event_data.CorruptionActionState | | keyword | -| winlog.event_data.CreationUtcTime | | keyword | -| winlog.event_data.Description | | keyword | -| winlog.event_data.Detail | | keyword | -| winlog.event_data.DeviceName | | keyword | -| winlog.event_data.DeviceNameLength | | keyword | -| winlog.event_data.DeviceTime | | keyword | -| winlog.event_data.DeviceVersionMajor | | keyword | -| winlog.event_data.DeviceVersionMinor | | keyword | -| winlog.event_data.DriveName | | keyword | -| winlog.event_data.DriverName | | keyword | -| winlog.event_data.DriverNameLength | | keyword | -| winlog.event_data.DwordVal | | keyword | -| winlog.event_data.EntryCount | | keyword | -| winlog.event_data.ExtraInfo | | keyword | -| winlog.event_data.FailureName | | keyword | -| winlog.event_data.FailureNameLength | | keyword | -| winlog.event_data.FileVersion | | keyword | -| winlog.event_data.FinalStatus | | keyword | -| winlog.event_data.Group | | keyword | -| winlog.event_data.IdleImplementation | | keyword | -| winlog.event_data.IdleStateCount | | keyword | -| winlog.event_data.ImpersonationLevel | | keyword | -| winlog.event_data.IntegrityLevel | | keyword | -| winlog.event_data.IpAddress | | keyword | -| winlog.event_data.IpPort | | keyword | -| winlog.event_data.KeyLength | | keyword | -| winlog.event_data.LastBootGood | | keyword | -| winlog.event_data.LastShutdownGood | | keyword | -| winlog.event_data.LmPackageName | | keyword | -| winlog.event_data.LogonGuid | | keyword | -| winlog.event_data.LogonId | | keyword | -| winlog.event_data.LogonProcessName | | keyword | -| winlog.event_data.LogonType | | keyword | -| 
winlog.event_data.MajorVersion | | keyword | -| winlog.event_data.MaximumPerformancePercent | | keyword | -| winlog.event_data.MemberName | | keyword | -| winlog.event_data.MemberSid | | keyword | -| winlog.event_data.MinimumPerformancePercent | | keyword | -| winlog.event_data.MinimumThrottlePercent | | keyword | -| winlog.event_data.MinorVersion | | keyword | -| winlog.event_data.NewProcessId | | keyword | -| winlog.event_data.NewProcessName | | keyword | -| winlog.event_data.NewSchemeGuid | | keyword | -| winlog.event_data.NewTime | | keyword | -| winlog.event_data.NominalFrequency | | keyword | -| winlog.event_data.Number | | keyword | -| winlog.event_data.OldSchemeGuid | | keyword | -| winlog.event_data.OldTime | | keyword | -| winlog.event_data.OriginalFileName | | keyword | -| winlog.event_data.Path | | keyword | -| winlog.event_data.PerformanceImplementation | | keyword | -| winlog.event_data.PreviousCreationUtcTime | | keyword | -| winlog.event_data.PreviousTime | | keyword | -| winlog.event_data.PrivilegeList | | keyword | -| winlog.event_data.ProcessId | | keyword | -| winlog.event_data.ProcessName | | keyword | -| winlog.event_data.ProcessPath | | keyword | -| winlog.event_data.ProcessPid | | keyword | -| winlog.event_data.Product | | keyword | -| winlog.event_data.PuaCount | | keyword | -| winlog.event_data.PuaPolicyId | | keyword | -| winlog.event_data.QfeVersion | | keyword | -| winlog.event_data.Reason | | keyword | -| winlog.event_data.SchemaVersion | | keyword | -| winlog.event_data.ScriptBlockText | | keyword | -| winlog.event_data.ServiceName | | keyword | -| winlog.event_data.ServiceVersion | | keyword | -| winlog.event_data.ShutdownActionType | | keyword | -| winlog.event_data.ShutdownEventCode | | keyword | -| winlog.event_data.ShutdownReason | | keyword | -| winlog.event_data.Signature | | keyword | -| winlog.event_data.SignatureStatus | | keyword | -| winlog.event_data.Signed | | keyword | -| winlog.event_data.StartTime | | keyword | -| 
winlog.event_data.State | | keyword | -| winlog.event_data.Status | | keyword | -| winlog.event_data.StopTime | | keyword | -| winlog.event_data.SubjectDomainName | | keyword | -| winlog.event_data.SubjectLogonId | | keyword | -| winlog.event_data.SubjectUserName | | keyword | -| winlog.event_data.SubjectUserSid | | keyword | -| winlog.event_data.TSId | | keyword | -| winlog.event_data.TargetDomainName | | keyword | -| winlog.event_data.TargetInfo | | keyword | -| winlog.event_data.TargetLogonGuid | | keyword | -| winlog.event_data.TargetLogonId | | keyword | -| winlog.event_data.TargetServerName | | keyword | -| winlog.event_data.TargetUserName | | keyword | -| winlog.event_data.TargetUserSid | | keyword | -| winlog.event_data.TerminalSessionId | | keyword | -| winlog.event_data.TokenElevationType | | keyword | -| winlog.event_data.TransmittedServices | | keyword | -| winlog.event_data.UserSid | | keyword | -| winlog.event_data.Version | | keyword | -| winlog.event_data.Workstation | | keyword | -| winlog.event_data.param1 | | keyword | -| winlog.event_data.param2 | | keyword | -| winlog.event_data.param3 | | keyword | -| winlog.event_data.param4 | | keyword | -| winlog.event_data.param5 | | keyword | -| winlog.event_data.param6 | | keyword | -| winlog.event_data.param7 | | keyword | -| winlog.event_data.param8 | | keyword | -| winlog.event_id | The event identifier. The value is specific to the source of the event. | keyword | -| winlog.keywords | The keywords are used to classify an event. | keyword | -| winlog.opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. | keyword | -| winlog.process.pid | The process_id of the Client Server Runtime Process. | long | -| winlog.process.thread.id | | long | -| winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. 
| keyword | -| winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword | -| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | keyword | -| winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. | keyword | -| winlog.task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. | keyword | -| winlog.user.domain | The domain that the account associated with this event is a member of. | keyword | -| winlog.user.identifier | The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. | keyword | -| winlog.user.name | Name of the user associated with this event. | keyword | -| winlog.user.type | The type of account associated with this event. | keyword | -| winlog.user_data | The event specific data. This field is mutually exclusive with `event_data`. | object | -| winlog.version | The version number of the event's definition. | long | - - - -### Security - -The Windows `security` dataset provides events from the Windows -`Security` event log. 
- -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset name. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| dataset.name | Dataset name. | constant_keyword | -| dataset.namespace | Dataset namespace. | constant_keyword | -| dataset.type | Dataset type. | constant_keyword | -| event.action | The action captured by the event. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. | keyword | -| event.code | Identification code for this event, if one exists. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. 
| date | -| event.ingested | Timestamp when an event arrived in the central data store. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. | keyword | -| event.module | Name of the module this data is coming from. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. | keyword | -| event.provider | Source of the event. | keyword | -| event.sequence | Sequence number of the event. | long | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. | keyword | -| group.domain | Name of the directory the group is a member of. | keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. 
| keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| log.level | Original log level of the log event. | keyword | -| process.args | Array of process arguments, starting with the absolute path to the executable. | keyword | -| process.args_count | Length of the process.args array. | long | -| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. | keyword | -| process.entity_id | Unique identifier for the process. | keyword | -| process.executable | Absolute path to the process executable. | keyword | -| process.name | Process name. | keyword | -| process.parent.executable | Absolute path to the process executable. | keyword | -| process.parent.name | Process name. | keyword | -| process.pid | Process PID. | long | -| process.title | Process title. | keyword | -| related.hash | | keyword | -| related.hosts | | keyword | -| related.ip | | ip | -| related.user | | keyword | -| service.name | Name of the service data is collected from. | keyword | -| service.type | The type of the service data is collected from. | keyword | -| source.domain | Source domain. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| user.domain | Name of the directory the user is a member of. | keyword | -| user.id | Unique identifier of the user. 
| keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.target.group.domain | Name of the directory the group is a member of. | keyword |
-| user.target.group.id | Unique identifier for the group on the system/platform. | keyword |
-| user.target.group.name | Name of the group. | keyword |
-| user.target.name | Short name or login of the user. | keyword |
-| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword |
-| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword |
-| winlog.channel | The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. | keyword |
-| winlog.computer_name | The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. | keyword |
-| winlog.event_data | The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. 
| object |
-| winlog.event_data.AuthenticationPackageName | | keyword |
-| winlog.event_data.Binary | | keyword |
-| winlog.event_data.BitlockerUserInputTime | | keyword |
-| winlog.event_data.BootMode | | keyword |
-| winlog.event_data.BootType | | keyword |
-| winlog.event_data.BuildVersion | | keyword |
-| winlog.event_data.Company | | keyword |
-| winlog.event_data.CorruptionActionState | | keyword |
-| winlog.event_data.CreationUtcTime | | keyword |
-| winlog.event_data.Description | | keyword |
-| winlog.event_data.Detail | | keyword |
-| winlog.event_data.DeviceName | | keyword |
-| winlog.event_data.DeviceNameLength | | keyword |
-| winlog.event_data.DeviceTime | | keyword |
-| winlog.event_data.DeviceVersionMajor | | keyword |
-| winlog.event_data.DeviceVersionMinor | | keyword |
-| winlog.event_data.DriveName | | keyword |
-| winlog.event_data.DriverName | | keyword |
-| winlog.event_data.DriverNameLength | | keyword |
-| winlog.event_data.DwordVal | | keyword |
-| winlog.event_data.EntryCount | | keyword |
-| winlog.event_data.ExtraInfo | | keyword |
-| winlog.event_data.FailureName | | keyword |
-| winlog.event_data.FailureNameLength | | keyword |
-| winlog.event_data.FileVersion | | keyword |
-| winlog.event_data.FinalStatus | | keyword |
-| winlog.event_data.Group | | keyword |
-| winlog.event_data.IdleImplementation | | keyword |
-| winlog.event_data.IdleStateCount | | keyword |
-| winlog.event_data.ImpersonationLevel | | keyword |
-| winlog.event_data.IntegrityLevel | | keyword |
-| winlog.event_data.IpAddress | | keyword |
-| winlog.event_data.IpPort | | keyword |
-| winlog.event_data.KeyLength | | keyword |
-| winlog.event_data.LastBootGood | | keyword |
-| winlog.event_data.LastShutdownGood | | keyword |
-| winlog.event_data.LmPackageName | | keyword |
-| winlog.event_data.LogonGuid | | keyword |
-| winlog.event_data.LogonId | | keyword |
-| winlog.event_data.LogonProcessName | | keyword |
-| winlog.event_data.LogonType | | keyword |
-| 
winlog.event_data.MajorVersion | | keyword |
-| winlog.event_data.MaximumPerformancePercent | | keyword |
-| winlog.event_data.MemberName | | keyword |
-| winlog.event_data.MemberSid | | keyword |
-| winlog.event_data.MinimumPerformancePercent | | keyword |
-| winlog.event_data.MinimumThrottlePercent | | keyword |
-| winlog.event_data.MinorVersion | | keyword |
-| winlog.event_data.NewProcessId | | keyword |
-| winlog.event_data.NewProcessName | | keyword |
-| winlog.event_data.NewSchemeGuid | | keyword |
-| winlog.event_data.NewTime | | keyword |
-| winlog.event_data.NominalFrequency | | keyword |
-| winlog.event_data.Number | | keyword |
-| winlog.event_data.OldSchemeGuid | | keyword |
-| winlog.event_data.OldTime | | keyword |
-| winlog.event_data.OriginalFileName | | keyword |
-| winlog.event_data.Path | | keyword |
-| winlog.event_data.PerformanceImplementation | | keyword |
-| winlog.event_data.PreviousCreationUtcTime | | keyword |
-| winlog.event_data.PreviousTime | | keyword |
-| winlog.event_data.PrivilegeList | | keyword |
-| winlog.event_data.ProcessId | | keyword |
-| winlog.event_data.ProcessName | | keyword |
-| winlog.event_data.ProcessPath | | keyword |
-| winlog.event_data.ProcessPid | | keyword |
-| winlog.event_data.Product | | keyword |
-| winlog.event_data.PuaCount | | keyword |
-| winlog.event_data.PuaPolicyId | | keyword |
-| winlog.event_data.QfeVersion | | keyword |
-| winlog.event_data.Reason | | keyword |
-| winlog.event_data.SchemaVersion | | keyword |
-| winlog.event_data.ScriptBlockText | | keyword |
-| winlog.event_data.ServiceName | | keyword |
-| winlog.event_data.ServiceVersion | | keyword |
-| winlog.event_data.ShutdownActionType | | keyword |
-| winlog.event_data.ShutdownEventCode | | keyword |
-| winlog.event_data.ShutdownReason | | keyword |
-| winlog.event_data.Signature | | keyword |
-| winlog.event_data.SignatureStatus | | keyword |
-| winlog.event_data.Signed | | keyword |
-| winlog.event_data.StartTime | | keyword |
-| 
winlog.event_data.State | | keyword |
-| winlog.event_data.Status | | keyword |
-| winlog.event_data.StopTime | | keyword |
-| winlog.event_data.SubjectDomainName | | keyword |
-| winlog.event_data.SubjectLogonId | | keyword |
-| winlog.event_data.SubjectUserName | | keyword |
-| winlog.event_data.SubjectUserSid | | keyword |
-| winlog.event_data.TSId | | keyword |
-| winlog.event_data.TargetDomainName | | keyword |
-| winlog.event_data.TargetInfo | | keyword |
-| winlog.event_data.TargetLogonGuid | | keyword |
-| winlog.event_data.TargetLogonId | | keyword |
-| winlog.event_data.TargetServerName | | keyword |
-| winlog.event_data.TargetUserName | | keyword |
-| winlog.event_data.TargetUserSid | | keyword |
-| winlog.event_data.TerminalSessionId | | keyword |
-| winlog.event_data.TokenElevationType | | keyword |
-| winlog.event_data.TransmittedServices | | keyword |
-| winlog.event_data.UserSid | | keyword |
-| winlog.event_data.Version | | keyword |
-| winlog.event_data.Workstation | | keyword |
-| winlog.event_data.param1 | | keyword |
-| winlog.event_data.param2 | | keyword |
-| winlog.event_data.param3 | | keyword |
-| winlog.event_data.param4 | | keyword |
-| winlog.event_data.param5 | | keyword |
-| winlog.event_data.param6 | | keyword |
-| winlog.event_data.param7 | | keyword |
-| winlog.event_data.param8 | | keyword |
-| winlog.event_id | The event identifier. The value is specific to the source of the event. | keyword |
-| winlog.keywords | The keywords are used to classify an event. | keyword |
-| winlog.logon.failure.reason | The reason the logon failed. | keyword |
-| winlog.logon.failure.status | The reason the logon failed. This is textual description based on the value of the hexadecimal `Status` field. | keyword |
-| winlog.logon.failure.sub_status | Additional information about the logon failure. This is a textual description based on the value of the hexidecimal `SubStatus` field. 
| keyword |
-| winlog.logon.id | Logon ID that can be used to associate this logon with other events related to the same logon session. | keyword |
-| winlog.logon.type | Logon type name. This is the descriptive version of the `winlog.event_data.LogonType` ordinal. This is an enrichment added by the Security module. | keyword |
-| winlog.opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. | keyword |
-| winlog.process.pid | The process_id of the Client Server Runtime Process. | long |
-| winlog.process.thread.id | | long |
-| winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. | keyword |
-| winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword |
-| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | keyword |
-| winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. | keyword |
-| winlog.task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. | keyword |
-| winlog.user.domain | The domain that the account associated with this event is a member of. | keyword |
-| winlog.user.identifier | The Windows security identifier (SID) of the account associated with this event. 
If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. | keyword |
-| winlog.user.name | Name of the user associated with this event. | keyword |
-| winlog.user.type | The type of account associated with this event. | keyword |
-| winlog.user_data | The event specific data. This field is mutually exclusive with `event_data`. | object |
-| winlog.version | The version number of the event's definition. | long |
-
-
-### Auth
-
-The `auth` dataset provides auth logs on linux and MacOS prior to 10.8.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. 
| constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| error.message | Error message. | text |
-| event.action | The action captured by the event. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. | keyword |
-| event.code | Identification code for this event, if one exists. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. | date |
-| event.ingested | Timestamp when an event arrived in the central data store. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. | keyword |
-| event.module | Name of the module this data is coming from. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. | keyword |
-| event.provider | Source of the event. | keyword |
-| event.sequence | Sequence number of the event. | long |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. | keyword |
-| group.id | Unique identifier for the group on the system/platform. | keyword |
-| group.name | Name of the group. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the directory the group is a member of. | keyword |
-| host.hostname | Hostname of the host. | keyword |
-| host.id | Unique host id. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). 
| keyword |
-| host.os.full | Operating system name, including the version or code name. | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text |
-| process.name | Process name. Sometimes called program name or similar. | keyword |
-| process.pid | Process id. | long |
-| related.hosts | All the host names seen on your event. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names seen on your event. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. 
| long |
-| system.auth.ssh.dropped_ip | The client IP from SSH connections that are open and immediately dropped. | ip |
-| system.auth.ssh.event | The SSH event as found in the logs (Accepted, Invalid, Failed, etc.) | keyword |
-| system.auth.ssh.method | The SSH authentication method. Can be one of "password" or "publickey". | keyword |
-| system.auth.ssh.signature | The signature of the client public key. | keyword |
-| system.auth.sudo.command | The command executed via sudo. | keyword |
-| system.auth.sudo.error | The error message in case the sudo command failed. | keyword |
-| system.auth.sudo.pwd | The current directory where the sudo command is executed. | keyword |
-| system.auth.sudo.tty | The TTY where the sudo command is executed. | keyword |
-| system.auth.sudo.user | The target user to which the sudo command is switching. | keyword |
-| system.auth.useradd.home | The home folder for the new user. | keyword |
-| system.auth.useradd.shell | The default shell for the new user. | keyword |
-| user.effective.name | Short name or login of the user. | keyword |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| version | Operating system version as a raw string. | keyword |
-
-
-### syslog
-
-The `syslog` dataset provides system logs on linux and MacOS.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| event.action | The action captured by the event. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. | keyword |
-| event.code | Identification code for this event, if one exists. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. | date |
-| event.ingested | Timestamp when an event arrived in the central data store. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. | keyword |
-| event.module | Name of the module this data is coming from. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. | keyword |
-| event.provider | Source of the event. 
| keyword |
-| event.sequence | Sequence number of the event. | long |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the directory the group is a member of. | keyword |
-| host.hostname | Hostname of the host. | keyword |
-| host.id | Unique host id. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.full | Operating system name, including the version or code name. | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text |
-| process.name | Process name. 
Sometimes called program name or similar. | keyword |
-| process.pid | Process id. | long |
-| version | Operating system version as a raw string. | keyword |
-
-
-## Metrics
-
-### Core
-
-The System `core` dataset provides usage statistics for each CPU core.
-
-This dataset is available on:
-
-- FreeBSD
-- Linux
-- macOS
-- OpenBSD
-- Windows
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip address. | ip |
-| host.mac | Host mac address. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.full | Operating system name, including the version or code name. | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. | keyword |
-| system.core.id | CPU Core number. | keyword |
-| system.core.idle.pct | The percentage of CPU time spent idle. | scaled_float |
-| system.core.idle.ticks | The amount of CPU time spent idle. | long |
-| system.core.iowait.pct | The percentage of CPU time spent in wait (on disk). | scaled_float |
-| system.core.iowait.ticks | The amount of CPU time spent in wait (on disk). | long |
-| system.core.irq.pct | The percentage of CPU time spent servicing and handling hardware interrupts. 
| scaled_float |
-| system.core.irq.ticks | The amount of CPU time spent servicing and handling hardware interrupts. | long |
-| system.core.nice.pct | The percentage of CPU time spent on low-priority processes. | scaled_float |
-| system.core.nice.ticks | The amount of CPU time spent on low-priority processes. | long |
-| system.core.softirq.pct | The percentage of CPU time spent servicing and handling software interrupts. | scaled_float |
-| system.core.softirq.ticks | The amount of CPU time spent servicing and handling software interrupts. | long |
-| system.core.steal.pct | The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | scaled_float |
-| system.core.steal.ticks | The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | long |
-| system.core.system.pct | The percentage of CPU time spent in kernel space. | scaled_float |
-| system.core.system.ticks | The amount of CPU time spent in kernel space. | long |
-| system.core.user.pct | The percentage of CPU time spent in user space. | scaled_float |
-| system.core.user.ticks | The amount of CPU time spent in user space. | long |
-
-
-### CPU
-
-The System `cpu` dataset provides CPU statistics.
-
-This dataset is available on:
-
-- FreeBSD
-- Linux
-- macOS
-- OpenBSD
-- Windows
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. 
| keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.cpu.pct | Percent CPU used. This value is normalized by the number of CPU cores and it ranges from 0 to 1. | scaled_float |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip address. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. 
| keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.full | Operating system name, including the version or code name. | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| system.cpu.cores | The number of CPU cores present on the host. The non-normalized percentages will have a maximum value of `100% * cores`. The normalized percentages already take this value into account and have a maximum value of 100%. | long |
-| system.cpu.idle.norm.pct | The percentage of CPU time spent idle. | scaled_float |
-| system.cpu.idle.pct | The percentage of CPU time spent idle. | scaled_float |
-| system.cpu.idle.ticks | The amount of CPU time spent idle. | long |
-| system.cpu.iowait.norm.pct | The percentage of CPU time spent in wait (on disk). | scaled_float |
-| system.cpu.iowait.pct | The percentage of CPU time spent in wait (on disk). | scaled_float |
-| system.cpu.iowait.ticks | The amount of CPU time spent in wait (on disk). | long |
-| system.cpu.irq.norm.pct | The percentage of CPU time spent servicing and handling hardware interrupts. | scaled_float |
-| system.cpu.irq.pct | The percentage of CPU time spent servicing and handling hardware interrupts. | scaled_float |
-| system.cpu.irq.ticks | The amount of CPU time spent servicing and handling hardware interrupts. | long |
-| system.cpu.nice.norm.pct | The percentage of CPU time spent on low-priority processes. 
| scaled_float |
-| system.cpu.nice.pct | The percentage of CPU time spent on low-priority processes. | scaled_float |
-| system.cpu.nice.ticks | The amount of CPU time spent on low-priority processes. | long |
-| system.cpu.softirq.norm.pct | The percentage of CPU time spent servicing and handling software interrupts. | scaled_float |
-| system.cpu.softirq.pct | The percentage of CPU time spent servicing and handling software interrupts. | scaled_float |
-| system.cpu.softirq.ticks | The amount of CPU time spent servicing and handling software interrupts. | long |
-| system.cpu.steal.norm.pct | The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | scaled_float |
-| system.cpu.steal.pct | The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | scaled_float |
-| system.cpu.steal.ticks | The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | long |
-| system.cpu.system.norm.pct | The percentage of CPU time spent in kernel space. | scaled_float |
-| system.cpu.system.pct | The percentage of CPU time spent in kernel space. | scaled_float |
-| system.cpu.system.ticks | The amount of CPU time spent in kernel space. | long |
-| system.cpu.total.norm.pct | The percentage of CPU time in states other than Idle and IOWait, normalised by the number of cores. | scaled_float |
-| system.cpu.total.pct | The percentage of CPU time spent in states other than Idle and IOWait. | scaled_float |
-| system.cpu.user.norm.pct | The percentage of CPU time spent in user space. | scaled_float |
-| system.cpu.user.pct | The percentage of CPU time spent in user space. On multi-core systems, you can have percentages that are greater than 100%. 
For example, if 3 cores are at 60% use, then the `system.cpu.user.pct` will be 180%. | scaled_float | -| system.cpu.user.ticks | The amount of CPU time spent in user space. | long | - - -### Disk IO - -The System `diskio` dataset provides disk IO metrics collected from the -operating system. One event is created for each disk mounted on the system. - -This dataset is available on: - -- Linux -- macOS (requires 10.10+) -- Windows -- FreeBSD (amd64) - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. 
| boolean | -| host.disk.read.bytes | The total number of bytes read successfully in a given period of time. | scaled_float | -| host.disk.write.bytes | The total number of bytes write successfully in a given period of time. | scaled_float | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| system.diskio.io.time | The total number of of milliseconds spent doing I/Os. 
| long | -| system.diskio.iostat.await | The average time spent for requests issued to the device to be served. | float | -| system.diskio.iostat.busy | Percentage of CPU time during which I/O requests were issued to the device (bandwidth utilization for the device). Device saturation occurs when this value is close to 100%. | float | -| system.diskio.iostat.queue.avg_size | The average queue length of the requests that were issued to the device. | float | -| system.diskio.iostat.read.await | The average time spent for read requests issued to the device to be served. | float | -| system.diskio.iostat.read.per_sec.bytes | The number of Bytes read from the device per second. | float | -| system.diskio.iostat.read.request.merges_per_sec | The number of read requests merged per second that were queued to the device. | float | -| system.diskio.iostat.read.request.per_sec | The number of read requests that were issued to the device per second | float | -| system.diskio.iostat.request.avg_size | The average size (in bytes) of the requests that were issued to the device. | float | -| system.diskio.iostat.service_time | The average service time (in milliseconds) for I/O requests that were issued to the device. | float | -| system.diskio.iostat.write.await | The average time spent for write requests issued to the device to be served. | float | -| system.diskio.iostat.write.per_sec.bytes | The number of Bytes write from the device per second. | float | -| system.diskio.iostat.write.request.merges_per_sec | The number of write requests merged per second that were queued to the device. | float | -| system.diskio.iostat.write.request.per_sec | The number of write requests that were issued to the device per second | float | -| system.diskio.name | The disk name. | keyword | -| system.diskio.read.bytes | The total number of bytes read successfully. On Linux this is the number of sectors read multiplied by an assumed sector size of 512. 
| long | -| system.diskio.read.count | The total number of reads completed successfully. | long | -| system.diskio.read.time | The total number of milliseconds spent by all reads. | long | -| system.diskio.serial_number | The disk's serial number. This may not be provided by all operating systems. | keyword | -| system.diskio.write.bytes | The total number of bytes written successfully. On Linux this is the number of sectors written multiplied by an assumed sector size of 512. | long | -| system.diskio.write.count | The total number of writes completed successfully. | long | -| system.diskio.write.time | The total number of milliseconds spent by all writes. | long | - - -### Filesystem - -The System `filesystem` dataset provides file system statistics. For each file -system, one document is provided. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- OpenBSD -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. 
| keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | -| system.filesystem.available | The disk space available to an unprivileged user in bytes. | long | -| system.filesystem.device_name | The disk name. For example: `/dev/disk1` | keyword | -| system.filesystem.files | The total number of file nodes in the file system. | long | -| system.filesystem.free | The disk space available in bytes. | long | -| system.filesystem.free_files | The number of free file nodes in the file system. | long | -| system.filesystem.mount_point | The mounting point. For example: `/` | keyword | -| system.filesystem.total | The total disk space in bytes. | long | -| system.filesystem.type | The disk type. For example: `ext4` | keyword | -| system.filesystem.used.bytes | The used disk space in bytes. | long | -| system.filesystem.used.pct | The percentage of used disk space. | scaled_float | - - -### Fsstat - -The System `fsstat` dataset provides overall file system statistics. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- OpenBSD -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. 
| keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. 
| keyword | -| system.fsstat.count | Number of file systems found. | long | -| system.fsstat.total_files | Total number of files. | long | -| system.fsstat.total_size.free | Total free space. | long | -| system.fsstat.total_size.total | Total space (used plus free). | long | -| system.fsstat.total_size.used | Total used space. | long | - - -### Load - -The System `load` dataset provides load statistics. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- OpenBSD - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. 
| boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac address. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. | keyword | -| system.load.1 | Load average for the last minute. | scaled_float | -| system.load.15 | Load average for the last 15 minutes. | scaled_float | -| system.load.5 | Load average for the last 5 minutes. | scaled_float | -| system.load.cores | The number of CPU cores present on the host. | long | -| system.load.norm.1 | Load for the last minute divided by the number of cores. | scaled_float | -| system.load.norm.15 | Load for the last 15 minutes divided by the number of cores. 
| scaled_float | -| system.load.norm.5 | Load for the last 5 minutes divided by the number of cores. | scaled_float | - - -### Memory - -The System `memory` dataset provides memory statistics. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- OpenBSD -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. 
For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip address. | ip | -| host.mac | Host mac address. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| system.memory.actual.free | Actual free memory in bytes. It is calculated based on the OS. On Linux this value will be MemAvailable from /proc/meminfo, or calculated from free memory plus caches and buffers if /proc/meminfo is not available. On OSX it is a sum of free memory and the inactive memory. On Windows, it is equal to `system.memory.free`. | long | -| system.memory.actual.used.bytes | Actual used memory in bytes. It represents the difference between the total and the available memory. 
The available memory depends on the OS. For more details, please check `system.actual.free`. | long | -| system.memory.actual.used.pct | The percentage of actual used memory. | scaled_float | -| system.memory.free | The total amount of free memory in bytes. This value does not include memory consumed by system caches and buffers (see system.memory.actual.free). | long | -| system.memory.hugepages.default_size | Default size for huge pages. | long | -| system.memory.hugepages.free | Number of available huge pages in the pool. | long | -| system.memory.hugepages.reserved | Number of reserved but not allocated huge pages in the pool. | long | -| system.memory.hugepages.surplus | Number of overcommited huge pages. | long | -| system.memory.hugepages.swap.out.fallback | Count of huge pages that must be split before swapout | long | -| system.memory.hugepages.swap.out.pages | pages swapped out | long | -| system.memory.hugepages.total | Number of huge pages in the pool. | long | -| system.memory.hugepages.used.bytes | Memory used in allocated huge pages. | long | -| system.memory.hugepages.used.pct | Percentage of huge pages used. | long | -| system.memory.page_stats.direct_efficiency.pct | direct reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory. | scaled_float | -| system.memory.page_stats.kswapd_efficiency.pct | kswapd reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory. | scaled_float | -| system.memory.page_stats.pgfree.pages | pages freed by the system | long | -| system.memory.page_stats.pgscan_direct.pages | pages scanned directly | long | -| system.memory.page_stats.pgscan_kswapd.pages | pages scanned by kswapd | long | -| system.memory.page_stats.pgsteal_direct.pages | number of pages reclaimed directly | long | -| system.memory.page_stats.pgsteal_kswapd.pages | number of pages reclaimed by kswapd | long | -| system.memory.swap.free | Available swap memory. 
| long | -| system.memory.swap.in.pages | count of pages swapped in | long | -| system.memory.swap.out.pages | count of pages swapped out | long | -| system.memory.swap.readahead.cached | swap readahead cache hits | long | -| system.memory.swap.readahead.pages | swap readahead pages | long | -| system.memory.swap.total | Total swap memory. | long | -| system.memory.swap.used.bytes | Used swap memory. | long | -| system.memory.swap.used.pct | The percentage of used swap memory. | scaled_float | -| system.memory.total | Total memory. | long | -| system.memory.used.bytes | Used memory. | long | -| system.memory.used.pct | The percentage of used memory. | scaled_float | - - -### Network - -The System `network` dataset provides network IO metrics collected from the -operating system. One event is created for each network interface. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. 
| keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.network.in.bytes | The number of bytes received on all network interfaces by the host in a given period of time. | scaled_float | -| host.network.in.packets | The number of packets received on all network interfaces by the host in a given period of time. 
| long | -| host.network.out.bytes | The number of bytes sent out on all network interfaces by the host in a given period of time. | scaled_float | -| host.network.out.packets | The number of packets sent out on all network interfaces by the host in a given period of time. | long | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.pid | Process id. | long | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| system.network.in.bytes | The number of bytes received. 
| long | -| system.network.in.dropped | The number of incoming packets that were dropped. | long | -| system.network.in.errors | The number of errors while receiving. | long | -| system.network.in.packets | The number or packets received. | long | -| system.network.name | The network interface name. | keyword | -| system.network.out.bytes | The number of bytes sent. | long | -| system.network.out.dropped | The number of outgoing packets that were dropped. This value is always 0 on Darwin and BSD because it is not reported by the operating system. | long | -| system.network.out.errors | The number of errors while sending. | long | -| system.network.out.packets | The number of packets sent. | long | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | - - -### Process - -The System `process` dataset provides process statistics. One document is -provided for each process. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. 
| keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip address. | ip | -| host.mac | Host mac address. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. 
| keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| process.cpu.pct | The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 1. | scaled_float | -| process.cpu.start_time | The time when the process was started. | date | -| process.memory.pct | The percentage of memory the process occupied in main memory (RAM). | scaled_float | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.pgid | Identifier of the group of processes the process belongs to. | long | -| process.pid | Process id. | long | -| process.ppid | Parent process' pid. | long | -| process.state | The process state. For example: "running". | keyword | -| process.working_directory | The working directory of the process. | keyword | -| system.process.cgroup.blkio.id | ID of the cgroup. | keyword | -| system.process.cgroup.blkio.path | Path to the cgroup relative to the cgroup subsystems mountpoint. | keyword | -| system.process.cgroup.blkio.total.bytes | Total number of bytes transferred to and from all block devices by processes in the cgroup. | long | -| system.process.cgroup.blkio.total.ios | Total number of I/O operations performed on all devices by processes in the cgroup as seen by the throttling policy. | long | -| system.process.cgroup.cpu.cfs.period.us | Period of time in microseconds for how regularly a cgroup's access to CPU resources should be reallocated. | long | -| system.process.cgroup.cpu.cfs.quota.us | Total amount of time in microseconds for which all tasks in a cgroup can run during one period (as defined by cfs.period.us). | long | -| system.process.cgroup.cpu.cfs.shares | An integer value that specifies a relative share of CPU time available to the tasks in a cgroup. 
The value specified in the cpu.shares file must be 2 or higher. | long | -| system.process.cgroup.cpu.id | ID of the cgroup. | keyword | -| system.process.cgroup.cpu.path | Path to the cgroup relative to the cgroup subsystem's mountpoint. | keyword | -| system.process.cgroup.cpu.rt.period.us | Period of time in microseconds for how regularly a cgroup's access to CPU resources is reallocated. | long | -| system.process.cgroup.cpu.rt.runtime.us | Period of time in microseconds for the longest continuous period in which the tasks in a cgroup have access to CPU resources. | long | -| system.process.cgroup.cpu.stats.periods | Number of period intervals (as specified in cpu.cfs.period.us) that have elapsed. | long | -| system.process.cgroup.cpu.stats.throttled.ns | The total time duration (in nanoseconds) for which tasks in a cgroup have been throttled. | long | -| system.process.cgroup.cpu.stats.throttled.periods | Number of times tasks in a cgroup have been throttled (that is, not allowed to run because they have exhausted all of the available time as specified by their quota). | long | -| system.process.cgroup.cpuacct.id | ID of the cgroup. | keyword | -| system.process.cgroup.cpuacct.path | Path to the cgroup relative to the cgroup subsystem's mountpoint. | keyword | -| system.process.cgroup.cpuacct.percpu | CPU time (in nanoseconds) consumed on each CPU by all tasks in this cgroup. | object | -| system.process.cgroup.cpuacct.stats.system.ns | CPU time consumed by tasks in user (kernel) mode. | long | -| system.process.cgroup.cpuacct.stats.user.ns | CPU time consumed by tasks in user mode. | long | -| system.process.cgroup.cpuacct.total.ns | Total CPU time in nanoseconds consumed by all tasks in the cgroup. | long | -| system.process.cgroup.id | The ID common to all cgroups associated with this task. If there isn't a common ID used by all cgroups this field will be absent. | keyword | -| system.process.cgroup.memory.id | ID of the cgroup. 
| keyword | -| system.process.cgroup.memory.kmem.failures | The number of times that the memory limit (kmem.limit.bytes) was reached. | long | -| system.process.cgroup.memory.kmem.limit.bytes | The maximum amount of kernel memory that tasks in the cgroup are allowed to use. | long | -| system.process.cgroup.memory.kmem.usage.bytes | Total kernel memory usage by processes in the cgroup (in bytes). | long | -| system.process.cgroup.memory.kmem.usage.max.bytes | The maximum kernel memory used by processes in the cgroup (in bytes). | long | -| system.process.cgroup.memory.kmem_tcp.failures | The number of times that the memory limit (kmem_tcp.limit.bytes) was reached. | long | -| system.process.cgroup.memory.kmem_tcp.limit.bytes | The maximum amount of memory for TCP buffers that tasks in the cgroup are allowed to use. | long | -| system.process.cgroup.memory.kmem_tcp.usage.bytes | Total memory usage for TCP buffers in bytes. | long | -| system.process.cgroup.memory.kmem_tcp.usage.max.bytes | The maximum memory used for TCP buffers by processes in the cgroup (in bytes). | long | -| system.process.cgroup.memory.mem.failures | The number of times that the memory limit (mem.limit.bytes) was reached. | long | -| system.process.cgroup.memory.mem.limit.bytes | The maximum amount of user memory in bytes (including file cache) that tasks in the cgroup are allowed to use. | long | -| system.process.cgroup.memory.mem.usage.bytes | Total memory usage by processes in the cgroup (in bytes). | long | -| system.process.cgroup.memory.mem.usage.max.bytes | The maximum memory used by processes in the cgroup (in bytes). | long | -| system.process.cgroup.memory.memsw.failures | The number of times that the memory plus swap space limit (memsw.limit.bytes) was reached. | long | -| system.process.cgroup.memory.memsw.limit.bytes | The maximum amount for the sum of memory and swap usage that tasks in the cgroup are allowed to use. 
| long | -| system.process.cgroup.memory.memsw.usage.bytes | The sum of current memory usage plus swap space used by processes in the cgroup (in bytes). | long | -| system.process.cgroup.memory.memsw.usage.max.bytes | The maximum amount of memory and swap space used by processes in the cgroup (in bytes). | long | -| system.process.cgroup.memory.path | Path to the cgroup relative to the cgroup subsystem's mountpoint. | keyword | -| system.process.cgroup.memory.stats.active_anon.bytes | Anonymous and swap cache on active least-recently-used (LRU) list, including tmpfs (shmem), in bytes. | long | -| system.process.cgroup.memory.stats.active_file.bytes | File-backed memory on active LRU list, in bytes. | long | -| system.process.cgroup.memory.stats.cache.bytes | Page cache, including tmpfs (shmem), in bytes. | long | -| system.process.cgroup.memory.stats.hierarchical_memory_limit.bytes | Memory limit for the hierarchy that contains the memory cgroup, in bytes. | long | -| system.process.cgroup.memory.stats.hierarchical_memsw_limit.bytes | Memory plus swap limit for the hierarchy that contains the memory cgroup, in bytes. | long | -| system.process.cgroup.memory.stats.inactive_anon.bytes | Anonymous and swap cache on inactive LRU list, including tmpfs (shmem), in bytes | long | -| system.process.cgroup.memory.stats.inactive_file.bytes | File-backed memory on inactive LRU list, in bytes. | long | -| system.process.cgroup.memory.stats.major_page_faults | Number of times that a process in the cgroup triggered a major fault. "Major" faults happen when the kernel actually has to read the data from disk. | long | -| system.process.cgroup.memory.stats.mapped_file.bytes | Size of memory-mapped mapped files, including tmpfs (shmem), in bytes. | long | -| system.process.cgroup.memory.stats.page_faults | Number of times that a process in the cgroup triggered a page fault. | long | -| system.process.cgroup.memory.stats.pages_in | Number of pages paged into memory. 
This is a counter. | long | -| system.process.cgroup.memory.stats.pages_out | Number of pages paged out of memory. This is a counter. | long | -| system.process.cgroup.memory.stats.rss.bytes | Anonymous and swap cache (includes transparent hugepages), not including tmpfs (shmem), in bytes. | long | -| system.process.cgroup.memory.stats.rss_huge.bytes | Number of bytes of anonymous transparent hugepages. | long | -| system.process.cgroup.memory.stats.swap.bytes | Swap usage, in bytes. | long | -| system.process.cgroup.memory.stats.unevictable.bytes | Memory that cannot be reclaimed, in bytes. | long | -| system.process.cgroup.path | The path to the cgroup relative to the cgroup subsystem's mountpoint. If there isn't a common path used by all cgroups this field will be absent. | keyword | -| system.process.cmdline | The full command-line used to start the process, including the arguments separated by space. | keyword | -| system.process.cpu.start_time | The time when the process was started. | date | -| system.process.cpu.system.ticks | The amount of CPU time the process spent in kernel space. | long | -| system.process.cpu.total.norm.pct | The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 100%. | scaled_float | -| system.process.cpu.total.pct | The percentage of CPU time spent by the process since the last update. Its value is similar to the %CPU value of the process displayed by the top command on Unix systems. | scaled_float | -| system.process.cpu.total.ticks | The total CPU time spent by the process. | long | -| system.process.cpu.total.value | The value of CPU usage since starting the process. | long | -| system.process.cpu.user.ticks | The amount of CPU time the process spent in user space. | long | -| system.process.env | The environment variables used to start the process. The data is available on FreeBSD, Linux, and OS X. 
| object | -| system.process.fd.limit.hard | The hard limit on the number of file descriptors opened by the process. The hard limit can only be raised by root. | long | -| system.process.fd.limit.soft | The soft limit on the number of file descriptors opened by the process. The soft limit can be changed by the process at any time. | long | -| system.process.fd.open | The number of file descriptors open by the process. | long | -| system.process.memory.rss.bytes | The Resident Set Size. The amount of memory the process occupied in main memory (RAM). On Windows this represents the current working set size, in bytes. | long | -| system.process.memory.rss.pct | The percentage of memory the process occupied in main memory (RAM). | scaled_float | -| system.process.memory.share | The shared memory the process uses. | long | -| system.process.memory.size | The total virtual memory the process has. On Windows this represents the Commit Charge (the total amount of memory that the memory manager has committed for a running process) value in bytes for this process. | long | -| system.process.state | The process state. For example: "running". | keyword | -| user.name | Short name or login of the user. | keyword | - - -### Process summary - -The `process_summary` dataset collects high level statistics about the running -processes. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. 
| keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. 
| keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.pid | Process id. | long | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| system.process.summary.dead | Number of dead processes on this host. It's very unlikely that it will appear but in some special situations it may happen. | long | -| system.process.summary.idle | Number of idle processes on this host. | long | -| system.process.summary.running | Number of running processes on this host. 
| long | -| system.process.summary.sleeping | Number of sleeping processes on this host. | long | -| system.process.summary.stopped | Number of stopped processes on this host. | long | -| system.process.summary.total | Total number of processes on this host. | long | -| system.process.summary.unknown | Number of processes for which the state couldn't be retrieved or is unknown. | long | -| system.process.summary.zombie | Number of zombie processes on this host. | long | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | - - -### Socket summary - -The System `socket_summary` dataset provides the summary of open network -sockets in the host system. - -It collects a summary of metrics with the count of existing TCP and UDP -connections and the count of listening ports. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. 
| keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. 
For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.pid | Process id. | long | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. 
| long | -| system.socket.summary.all.count | All open connections | integer | -| system.socket.summary.all.listening | All listening ports | integer | -| system.socket.summary.tcp.all.close_wait | Number of TCP connections in _close_wait_ state | integer | -| system.socket.summary.tcp.all.closing | Number of TCP connections in _closing_ state | integer | -| system.socket.summary.tcp.all.count | All open TCP connections | integer | -| system.socket.summary.tcp.all.established | Number of established TCP connections | integer | -| system.socket.summary.tcp.all.fin_wait1 | Number of TCP connections in _fin_wait1_ state | integer | -| system.socket.summary.tcp.all.fin_wait2 | Number of TCP connections in _fin_wait2_ state | integer | -| system.socket.summary.tcp.all.last_ack | Number of TCP connections in _last_ack_ state | integer | -| system.socket.summary.tcp.all.listening | All TCP listening ports | integer | -| system.socket.summary.tcp.all.orphan | A count of all orphaned tcp sockets. Only available on Linux. | integer | -| system.socket.summary.tcp.all.syn_recv | Number of TCP connections in _syn_recv_ state | integer | -| system.socket.summary.tcp.all.syn_sent | Number of TCP connections in _syn_sent_ state | integer | -| system.socket.summary.tcp.all.time_wait | Number of TCP connections in _time_wait_ state | integer | -| system.socket.summary.tcp.memory | Memory used by TCP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/tcp_mem. Only available on Linux. | integer | -| system.socket.summary.udp.all.count | All open UDP connections | integer | -| system.socket.summary.udp.memory | Memory used by UDP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/udp_mem. Only available on Linux. | integer | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. 
| keyword | - - -### Uptime - -The System `uptime` dataset provides the uptime of the host operating system. - -This dataset is available on: - -- Linux -- macOS -- OpenBSD -- FreeBSD -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. 
It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| system.uptime.duration.ms | The OS uptime in milliseconds. | long | - diff --git a/packages/system/0.12.2/img/kibana-system.png b/packages/system/0.12.2/img/kibana-system.png deleted file mode 100755 index 8741a56624..0000000000 Binary files a/packages/system/0.12.2/img/kibana-system.png and /dev/null differ diff --git a/packages/system/0.12.2/img/metricbeat_system_dashboard.png b/packages/system/0.12.2/img/metricbeat_system_dashboard.png deleted file mode 100755 index 2ff6ad8bd0..0000000000 Binary files a/packages/system/0.12.2/img/metricbeat_system_dashboard.png and /dev/null differ 
diff --git a/packages/system/0.12.2/img/system.svg b/packages/system/0.12.2/img/system.svg deleted file mode 100755 index 0aba96275e..0000000000 --- a/packages/system/0.12.2/img/system.svg +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/dashboard/system-01c54730-fee6-11e9-8405-516218e3d268.json b/packages/system/0.12.2/kibana/dashboard/system-01c54730-fee6-11e9-8405-516218e3d268.json deleted file mode 100755 index 2af90db405..0000000000 --- a/packages/system/0.12.2/kibana/dashboard/system-01c54730-fee6-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,129 +0,0 @@ -{ - "attributes": { - "description": "Group management activity with TSVB metrics.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":8,\"i\":\"22\",\"w\":17,\"x\":0,\"y\":0},\"panelIndex\":\"22\",\"panelRefName\":\"panel_0\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Creation Summary [Windows System Security]\"},\"gridData\":{\"h\":13,\"i\":\"36\",\"w\":9,\"x\":0,\"y\":59},\"panelIndex\":\"36\",\"panelRefName\":\"panel_1\",\"title\":\"Group Creation Summary [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Changes Summary [Windows System Security]\"},\"gridData\":{\"h\":13,\"i\":\"37\",\"w\":9,\"x\":9,\"y\":59},\"panelIndex\":\"37\",\"panelRefName\":\"panel_2\",\"title\":\"Group Changes Summary [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Deletion Summary [Windows System Security]\"},\"gridData\":{\"h\":13,\"i\":\"38\",\"w\":9,\"x\":18,\"y\":59},\"panelIndex\":\"38\",\"panelRefName\":\"panel_3\",\"title\":\"Group Deletion Summary [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Users Added to Group Summary [Windows System Security]\"},\"gridData\":{\"h\":14,\"i\":\"39\",\"w\":16,\"x\":0,\"y\":81},\"panelIndex\":\"39\",\"panelRefName\":\"panel_4\",\"title\":\"Users Added to Group Summary [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Users Removed From Group Summary [Windows System Security]\"},\"gridData\":{\"h\":14,\"i\":\"40\",\"w\":17,\"x\":16,\"y\":81},\"panelIndex\":\"40\",\"panelRefName\":\"panel_5\",\"title\":\"Users Removed From Group Summary [Windows 
System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Membership Enumeration Summary [Windows System Security]\"},\"gridData\":{\"h\":14,\"i\":\"42\",\"w\":15,\"x\":33,\"y\":81},\"panelIndex\":\"42\",\"panelRefName\":\"panel_6\",\"title\":\"Group Membership Enumeration Summary [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Details [Windows System Security]\"},\"gridData\":{\"h\":22,\"i\":\"43\",\"w\":21,\"x\":27,\"y\":50},\"panelIndex\":\"43\",\"panelRefName\":\"panel_7\",\"title\":\"Logon Details [System Windows Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"44\",\"w\":16,\"x\":0,\"y\":72},\"panelIndex\":\"44\",\"panelRefName\":\"panel_8\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"45\",\"w\":9,\"x\":18,\"y\":50},\"panelIndex\":\"45\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"46\",\"w\":9,\"x\":0,\"y\":50},\"panelIndex\":\"46\",\"panelRefName\":\"panel_10\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"47\",\"w\":9,\"x\":9,\"y\":50},\"panelIndex\":\"47\",\"panelRefName\":\"panel_11\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"48\",\"w\":17,\"x\":16,\"y\":72},\"panelIndex\":\"48\",\"panelRefName\":\"panel_12\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"49\",\"w\":15,\"x\":33,\"y\":72},\"panelIndex\":\"49\",\"panelRefName\":\"panel_13\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"51\",\"w\":48,\"x\":0,\"y\":95},\"panelIndex\":\"51\",\"panelRefName\":\"panel_14\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":8,\"i\":\"45614e1c-b2bb-4243-9a74-a4bdd0124c87\",\"w\":31,\"x\":17,\"y\":0},\"panelIndex\":\"456
14e1c-b2bb-4243-9a74-a4bdd0124c87\",\"panelRefName\":\"panel_15\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"88e75800-8125-4c9e-96b8-5c36f6e91664\",\"w\":9,\"x\":21,\"y\":8},\"panelIndex\":\"88e75800-8125-4c9e-96b8-5c36f6e91664\",\"panelRefName\":\"panel_16\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"4b793b8e-72d4-42a2-b377-1c70f0307414\",\"w\":18,\"x\":30,\"y\":8},\"panelIndex\":\"4b793b8e-72d4-42a2-b377-1c70f0307414\",\"panelRefName\":\"panel_17\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"vis\":null},\"gridData\":{\"h\":21,\"i\":\"82d229f9-44f4-4c4b-baf7-f9673a14c87f\",\"w\":26,\"x\":0,\"y\":29},\"panelIndex\":\"82d229f9-44f4-4c4b-baf7-f9673a14c87f\",\"panelRefName\":\"panel_18\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-group-account\":\"#1F78C1\",\"added-member-to-group\":\"#0A437C\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#0A50A1\",\"type-changed-group-account\":\"#82B5D8\",\"user-member-enumerated\":\"#2F575E\"},\"vis\":{\"colors\":{\"added-group-account\":\"#1F78C1\",\"added-member-to-group\":\"#0A437C\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#0A50A1\",\"removed-member-from-group\":\"#82B5D8\",\"type-changed-group-account\":\"#82B5D8\",\"user-member-enumerated\":\"#2F575E\"}}},\"gridData\":{\"h\":21,\"i\":\"f44255b0-d9a8-479f-be3f-829c1f6ed794\",\"w\":22,\"x\":26,\"y\":29},\"panelIndex\":\"f44255b0-d9a8-479f-be3f-829c1f6ed794\",\"panelRefName\":\"panel_19\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-group-account\":\"#0A50A1\",\"added-member-to-group\":\"#1F78C1\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#0A437C\",\"user-member-enumerated\":\"#052B51\"},\"vis\":{\"colors\":{\"added-group-account\":\"#0A50A1\",\"added-member-to-group\":\"#1F78C1\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#0A437C\",\"user-member-enumerated\":\"#2F57
5E\"}}},\"gridData\":{\"h\":21,\"i\":\"9c42bff2-b295-4617-8d8c-455bd5948b66\",\"w\":21,\"x\":0,\"y\":8},\"panelIndex\":\"9c42bff2-b295-4617-8d8c-455bd5948b66\",\"panelRefName\":\"panel_20\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[System Windows Security] Group Management Events - Simple Metrics", - "version": 1 - }, - "id": "windows-01c54730-fee6-11e9-8405-516218e3d268", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-6f0f2ea0-f414-11e9-8405-516218e3d268", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-98884120-f49d-11e9-8405-516218e3d268", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-9e534190-f49d-11e9-8405-516218e3d268", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-bb9cf7a0-f49d-11e9-8405-516218e3d268", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-ce867840-f49e-11e9-8405-516218e3d268", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-fee83900-f49f-11e9-8405-516218e3d268", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-bc165210-f4b8-11e9-8405-516218e3d268", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "windows-7e178c80-fee1-11e9-8405-516218e3d268", - "name": "panel_7", - "type": "search" - }, - { - "id": "windows-a13bf640-fee8-11e9-8405-516218e3d268", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-5eeaafd0-fee7-11e9-8405-516218e3d268", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-f42f3b20-fee6-11e9-8405-516218e3d268", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "windows-b5f38780-fee6-11e9-8405-516218e3d268", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "windows-1b5f17d0-feea-11e9-8405-516218e3d268", - "name": "panel_12", - "type": "visualization" - }, - { - "id": 
"windows-0f2f5280-feeb-11e9-8405-516218e3d268", - "name": "panel_13", - "type": "visualization" - }, - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "panel_14", - "type": "search" - }, - { - "id": "windows-d770b040-9b35-11ea-87e4-49f31ec44891", - "name": "panel_15", - "type": "visualization" - }, - { - "id": "windows-33462600-9b47-11ea-87e4-49f31ec44891", - "name": "panel_16", - "type": "visualization" - }, - { - "id": "windows-58fb9480-9b46-11ea-87e4-49f31ec44891", - "name": "panel_17", - "type": "visualization" - }, - { - "id": "windows-e20c02d0-9b48-11ea-87e4-49f31ec44891", - "name": "panel_18", - "type": "visualization" - }, - { - "id": "windows-7de2e3f0-9b4d-11ea-87e4-49f31ec44891", - "name": "panel_19", - "type": "visualization" - }, - { - "id": "windows-b89b0c90-9b41-11ea-87e4-49f31ec44891", - "name": "panel_20", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/dashboard/system-035846a0-a249-11e9-a422-d144027429da.json b/packages/system/0.12.2/kibana/dashboard/system-035846a0-a249-11e9-a422-d144027429da.json deleted file mode 100755 index 7da98e0bb3..0000000000 --- a/packages/system/0.12.2/kibana/dashboard/system-035846a0-a249-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,89 +0,0 @@ -{ - "attributes": { - "description": "User logon activity dashboard with TSVB metrics.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"Sesiones Usuarios Admin\"},\"gridData\":{\"h\":28,\"i\":\"1\",\"w\":18,\"x\":0,\"y\":38},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"title\":\"Sesiones Usuarios Admin\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":13,\"i\":\"2\",\"w\":9,\"x\":0,\"y\":6},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Usuarios Adm\"},\"gridData\":{\"h\":19,\"i\":\"3\",\"w\":18,\"x\":0,\"y\":19},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"title\":\"Usuarios Adm\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":6,\"i\":\"4\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Network Logon Details\"},\"gridData\":{\"h\":27,\"i\":\"10\",\"w\":22,\"x\":0,\"y\":66},\"panelIndex\":\"10\",\"panelRefName\":\"panel_4\",\"title\":\"Network Logon Details\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":6,\"i\":\"08245e0c-6afe-43ea-ba5f-76c3b17301fd\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"08245e0c-6afe-43ea-ba5f-76c3b17301fd\",\"panelRefName\":\"panel_5\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":13,\"i\":\"f403fdcc-6588-4573-a949-9e661783a2b8\",\"w\":9,\"x\":9,\"y\":6},\"panelIndex\":\"f403fdcc-6588-4573-a949-9e661783a2b8\",\"panelRefName\":\"panel_6\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Events 
Timeline\"},\"gridData\":{\"h\":13,\"i\":\"51a9affa-8e96-42bd-98e9-80531bdefc53\",\"w\":30,\"x\":18,\"y\":6},\"panelIndex\":\"51a9affa-8e96-42bd-98e9-80531bdefc53\",\"panelRefName\":\"panel_7\",\"title\":\"Logon Events Timeline\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Types\"},\"gridData\":{\"h\":19,\"i\":\"bbdca4de-11c5-4957-a74c-73769416a562\",\"w\":12,\"x\":18,\"y\":19},\"panelIndex\":\"bbdca4de-11c5-4957-a74c-73769416a562\",\"panelRefName\":\"panel_8\",\"title\":\"Logon Types\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"4df66ae6-e047-47c7-b1a9-b15221eb9d90\",\"w\":18,\"x\":30,\"y\":19},\"panelIndex\":\"4df66ae6-e047-47c7-b1a9-b15221eb9d90\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"RDP Reconnections and Desconnections\"},\"gridData\":{\"h\":28,\"i\":\"454bb008-9720-455e-8ab9-b2f47d25aa4f\",\"w\":19,\"x\":18,\"y\":38},\"panelIndex\":\"454bb008-9720-455e-8ab9-b2f47d25aa4f\",\"panelRefName\":\"panel_10\",\"title\":\"RDP Reconnections and Desconnections\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":28,\"i\":\"baec73e7-7166-4577-9483-1252bdd8773c\",\"w\":11,\"x\":37,\"y\":38},\"panelIndex\":\"baec73e7-7166-4577-9483-1252bdd8773c\",\"panelRefName\":\"panel_11\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logout Details\"},\"gridData\":{\"h\":27,\"i\":\"28115147-8399-4fcd-95ce-ed0a4f4239e3\",\"w\":26,\"x\":22,\"y\":66},\"panelIndex\":\"28115147-8399-4fcd-95ce-ed0a4f4239e3\",\"panelRefName\":\"panel_12\",\"title\":\"Logout Details\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[System Windows Security] User Logons - Simple Metrics", - "version": 1 - }, - "id": "windows-035846a0-a249-11e9-a422-d144027429da", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-804dd400-a248-11e9-a422-d144027429da", - "name": "panel_0", - "type": 
"visualization" - }, - { - "id": "windows-5bb93ed0-a249-11e9-a422-d144027429da", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-e2516c10-a249-11e9-a422-d144027429da", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-18348f30-a24d-11e9-a422-d144027429da", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-ce71c9a0-a25e-11e9-a422-d144027429da", - "name": "panel_4", - "type": "search" - }, - { - "id": "windows-d770b040-9b35-11ea-87e4-49f31ec44891", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-2c71e0f0-9c0d-11ea-87e4-49f31ec44891", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "windows-abd44840-9c0f-11ea-87e4-49f31ec44891", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "windows-006d75f0-9c03-11ea-87e4-49f31ec44891", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-21aadac0-9c0b-11ea-87e4-49f31ec44891", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3", - "name": "panel_10", - "type": "search" - }, - { - "id": "windows-25f31ee0-9c23-11ea-87e4-49f31ec44891", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "windows-06b6b060-7a80-11ea-bc9a-0baf2ca323a3", - "name": "panel_12", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab.json b/packages/system/0.12.2/kibana/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab.json deleted file mode 100755 index 8814d936cf..0000000000 --- a/packages/system/0.12.2/kibana/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab.json +++ /dev/null 
@@ -1,53 +0,0 @@ -{ - "attributes": { - "description": "New users and groups dashboard for the System integration in Logs", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":12,\"i\":\"1\",\"w\":24,\"x\":0,\"y\":4},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"2\",\"w\":24,\"x\":24,\"y\":4},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":16},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"4\",\"w\":24,\"x\":24,\"y\":16},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":12,\"i\":\"5\",\"w\":24,\"x\":0,\"y\":28},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"6\",\"w\":24,\"x\":24,\"y\":28},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"7\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Logs System] New users and groups", - "version": 1 - }, - "id": "system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab", - "references": [ - { - "id": "system-f398d2f0-fa77-11e6-ae9b-81e5311e8cab", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-5dd15c00-fa78-11e6-ae9b-81e5311e8cab", - "name": "panel_1", - "type": 
"visualization" - }, - { - "id": "system-e121b140-fa78-11e6-a1df-a78bd7504d38", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "system-d56ee420-fa79-11e6-a1df-a78bd7504d38", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "system-12667040-fa80-11e6-a1df-a78bd7504d38", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "system-346bb290-fa80-11e6-a1df-a78bd7504d38", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "system-327417e0-8462-11e7-bab8-bd2f0fb42c54", - "name": "panel_6", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a.json b/packages/system/0.12.2/kibana/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a.json deleted file mode 100755 index 7c1b819642..0000000000 --- a/packages/system/0.12.2/kibana/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "description": "Sudo commands dashboard from the Logs System integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"2\",\"w\":48,\"x\":0,\"y\":36},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":16,\"i\":\"3\",\"w\":48,\"x\":0,\"y\":4},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"4\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Logs System] Sudo commands", - "version": 1 - }, - "id": "system-277876d0-fa2c-11e6-bbd3-29c986c96e5a", - "references": [ - { - "id": "system-5c7af030-fa2a-11e6-bbd3-29c986c96e5a", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-51164310-fa2b-11e6-bbd3-29c986c96e5a", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "system-dc589770-fa2b-11e6-bbd3-29c986c96e5a", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "system-327417e0-8462-11e7-bab8-bd2f0fb42c54", - "name": "panel_3", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a.json b/packages/system/0.12.2/kibana/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a.json deleted file mode 100755 index 34f78d0da6..0000000000 
--- a/packages/system/0.12.2/kibana/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a.json +++ /dev/null 
@@ -1,48 +0,0 @@ -{ - "attributes": { - "description": "SSH dashboard for the System integration in Logs", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":16},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"2\",\"w\":48,\"x\":0,\"y\":4},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":28},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"mapBounds\":{\"bottom_right\":{\"lat\":10.31491928581316,\"lon\":74.53125},\"top_left\":{\"lat\":60.50052541051131,\"lon\":-27.94921875}},\"mapCenter\":[39.774769485295465,23.203125],\"mapCollar\":{\"bottom_right\":{\"lat\":-14.777884999999998,\"lon\":125.771485},\"top_left\":{\"lat\":85.593335,\"lon\":-79.189455},\"zoom\":3},\"mapZoom\":3},\"gridData\":{\"h\":16,\"i\":\"4\",\"w\":24,\"x\":24,\"y\":28},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"columns\":[\"system.auth.ssh.event\",\"system.auth.ssh.method\",\"user.name\",\"source.ip\",\"source.geo.country_iso_code\"],\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"h\":12,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":44},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"6\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Logs System] SSH login attempts", - "version": 1 - }, - "id": "system-5517a150-f9ce-11e6-8115-a7c18106d86a", - "references": [ - { - "id": 
"system-d16bb400-f9cc-11e6-8115-a7c18106d86a", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-78b74f30-f9cd-11e6-8115-a7c18106d86a", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "system-341ffe70-f9ce-11e6-8115-a7c18106d86a", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "system-3cec3eb0-f9d3-11e6-8a3e-2b904044ea1d", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "system-62439dc0-f9c9-11e6-a747-6121780e0414", - "name": "panel_4", - "type": "search" - }, - { - "id": "system-327417e0-8462-11e7-bab8-bd2f0fb42c54", - "name": "panel_5", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/dashboard/system-71f720f0-ff18-11e9-8405-516218e3d268.json b/packages/system/0.12.2/kibana/dashboard/system-71f720f0-ff18-11e9-8405-516218e3d268.json deleted file mode 100755 index d2a5ae3be2..0000000000 --- a/packages/system/0.12.2/kibana/dashboard/system-71f720f0-ff18-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,159 +0,0 @@ -{ - "attributes": { - "description": "User management activity.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":8,\"i\":\"1\",\"w\":17,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Created Users [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"3\",\"w\":9,\"x\":0,\"y\":56},\"panelIndex\":\"3\",\"panelRefName\":\"panel_1\",\"title\":\"Created Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Enabled Users [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"5\",\"w\":9,\"x\":9,\"y\":56},\"panelIndex\":\"5\",\"panelRefName\":\"panel_2\",\"title\":\"Enabled Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Disabled Users [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"6\",\"w\":9,\"x\":0,\"y\":79},\"panelIndex\":\"6\",\"panelRefName\":\"panel_3\",\"title\":\"Disabled Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Deleted Users [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"7\",\"w\":9,\"x\":18,\"y\":56},\"panelIndex\":\"7\",\"panelRefName\":\"panel_4\",\"title\":\"Deleted Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Passwords Changes [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"9\",\"w\":9,\"x\":18,\"y\":79},\"panelIndex\":\"9\",\"panelRefName\":\"panel_5\",\"title\":\"Passwords Changes [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Unlocked Users [Windows System 
Security]\"},\"gridData\":{\"h\":16,\"i\":\"15\",\"w\":9,\"x\":9,\"y\":79},\"panelIndex\":\"15\",\"panelRefName\":\"panel_6\",\"title\":\"Unlocked Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Users Changes [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"16\",\"w\":9,\"x\":18,\"y\":102},\"panelIndex\":\"16\",\"panelRefName\":\"panel_7\",\"title\":\"Users Changes [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Locked-out Users [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"20\",\"w\":9,\"x\":0,\"y\":102},\"panelIndex\":\"20\",\"panelRefName\":\"panel_8\",\"title\":\"Locked-out Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":46,\"i\":\"22\",\"w\":21,\"x\":27,\"y\":72},\"panelIndex\":\"22\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"23\",\"w\":48,\"x\":0,\"y\":118},\"panelIndex\":\"23\",\"panelRefName\":\"panel_10\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"24\",\"w\":9,\"x\":0,\"y\":72},\"panelIndex\":\"24\",\"panelRefName\":\"panel_11\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"25\",\"w\":9,\"x\":9,\"y\":49},\"panelIndex\":\"25\",\"panelRefName\":\"panel_12\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"26\",\"w\":9,\"x\":18,\"y\":49},\"panelIndex\":\"26\",\"panelRefName\":\"panel_13\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"27\",\"w\":9,\"x\":0,\"y\":49},\"panelIndex\":\"27\",\"panelRefName\":\"panel_14\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"28\",\"w\":9,\"x\":9,\"y\":72},\"panelIndex\":\"28\",\"panelRefName\":\"panel_15\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridDat
a\":{\"h\":7,\"i\":\"29\",\"w\":9,\"x\":18,\"y\":72},\"panelIndex\":\"29\",\"panelRefName\":\"panel_16\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"30\",\"w\":9,\"x\":0,\"y\":95},\"panelIndex\":\"30\",\"panelRefName\":\"panel_17\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"31\",\"w\":9,\"x\":18,\"y\":95},\"panelIndex\":\"31\",\"panelRefName\":\"panel_18\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"32\",\"w\":9,\"x\":9,\"y\":95},\"panelIndex\":\"32\",\"panelRefName\":\"panel_19\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"33\",\"w\":9,\"x\":9,\"y\":102},\"panelIndex\":\"33\",\"panelRefName\":\"panel_20\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":8,\"i\":\"cf0adfac-7cf2-479d-8ddb-1edeee62d37c\",\"w\":31,\"x\":17,\"y\":0},\"panelIndex\":\"cf0adfac-7cf2-479d-8ddb-1edeee62d37c\",\"panelRefName\":\"panel_21\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-user-account\":\"#447EBC\",\"deleted-user-account\":\"#82B5D8\",\"disabled-user-account\":\"#82B5D8\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#2F575E\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\"},\"vis\":{\"colors\":{\"added-user-account\":\"#447EBC\",\"deleted-user-account\":\"#82B5D8\",\"disabled-user-account\":\"#82B5D8\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#2F575E\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\",\"unlocked-user-account\":\"#64B0C8\"}}},\"gridData\":{\"h\":16,\"i\":\"a2871661-98a8-489b-b615-e66ebe3b971a\",\"w\":17,\"x\":0,\"y\":8},\"panelIndex\":\"a2871661-98a8-489b-b615-e66ebe3b971a\",\"panelRefName\":\"panel_22\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"e80fae4a-6087-41e1-b4b9-31802cb1e4bf\",\"w\":18,\"x\":30,\"y\":8},\"panelI
ndex\":\"e80fae4a-6087-41e1-b4b9-31802cb1e4bf\",\"panelRefName\":\"panel_23\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"dd3e12e6-0d3c-448e-b0c4-91f7dc8742b6\",\"w\":13,\"x\":17,\"y\":8},\"panelIndex\":\"dd3e12e6-0d3c-448e-b0c4-91f7dc8742b6\",\"panelRefName\":\"panel_24\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Actions performed over Users [Windows System Security]\",\"vis\":null},\"gridData\":{\"h\":25,\"i\":\"29f54335-78db-4c49-a3e0-a641fd0099f6\",\"w\":48,\"x\":0,\"y\":24},\"panelIndex\":\"29f54335-78db-4c49-a3e0-a641fd0099f6\",\"panelRefName\":\"panel_25\",\"title\":\"Actions performed over Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-user-account\":\"#0A437C\",\"deleted-user-account\":\"#5195CE\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#052B51\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\"},\"vis\":{\"colors\":{\"added-user-account\":\"#0A437C\",\"deleted-user-account\":\"#5195CE\",\"disabled-user-account\":\"#82B5D8\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#052B51\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\"}}},\"gridData\":{\"h\":23,\"i\":\"1ec8b993-9ac1-4c7f-b7f7-5136f2e310aa\",\"w\":21,\"x\":27,\"y\":49},\"panelIndex\":\"1ec8b993-9ac1-4c7f-b7f7-5136f2e310aa\",\"panelRefName\":\"panel_26\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[System Windows Security] User Management Events", - "version": 1 - }, - "id": "windows-71f720f0-ff18-11e9-8405-516218e3d268", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf", - "name": "panel_1", - "type": "visualization" - }, - { - "id": 
"windows-0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-8f20c950-bcd4-11e9-b6a2-c9b4015c4baf", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-da2110c0-bcea-11e9-b6a2-c9b4015c4baf", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "windows-abf96c10-bcea-11e9-b6a2-c9b4015c4baf", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "windows-4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-7e178c80-fee1-11e9-8405-516218e3d268", - "name": "panel_9", - "type": "search" - }, - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "panel_10", - "type": "search" - }, - { - "id": "windows-97c70300-ff1c-11e9-8405-516218e3d268", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "windows-bf45dc50-ff1a-11e9-8405-516218e3d268", - "name": "panel_12", - "type": "visualization" - }, - { - "id": "windows-7322f9f0-ff1c-11e9-8405-516218e3d268", - "name": "panel_13", - "type": "visualization" - }, - { - "id": "windows-d3a5fec0-ff18-11e9-8405-516218e3d268", - "name": "panel_14", - "type": "visualization" - }, - { - "id": "windows-1b6725f0-ff1d-11e9-8405-516218e3d268", - "name": "panel_15", - "type": "visualization" - }, - { - "id": "windows-60301890-ff1d-11e9-8405-516218e3d268", - "name": "panel_16", - "type": "visualization" - }, - { - "id": "windows-9dd22440-ff1d-11e9-8405-516218e3d268", - "name": "panel_17", - "type": "visualization" - }, - { - "id": "windows-c9d959f0-ff1d-11e9-8405-516218e3d268", - "name": "panel_18", - "type": "visualization" - }, - { - "id": "windows-1f271bc0-231a-11ea-8405-516218e3d268", - "name": "panel_19", - "type": "visualization" - }, 
- { - "id": "windows-fa876300-231a-11ea-8405-516218e3d268", - "name": "panel_20", - "type": "visualization" - }, - { - "id": "windows-a3c3f350-9b6d-11ea-87e4-49f31ec44891", - "name": "panel_21", - "type": "visualization" - }, - { - "id": "windows-26877510-9b72-11ea-87e4-49f31ec44891", - "name": "panel_22", - "type": "visualization" - }, - { - "id": "windows-117f5a30-9b71-11ea-87e4-49f31ec44891", - "name": "panel_23", - "type": "visualization" - }, - { - "id": "windows-5c9ee410-9b74-11ea-87e4-49f31ec44891", - "name": "panel_24", - "type": "visualization" - }, - { - "id": "windows-aa31c9d0-9b75-11ea-87e4-49f31ec44891", - "name": "panel_25", - "type": "visualization" - }, - { - "id": "windows-caf4d2b0-9b76-11ea-87e4-49f31ec44891", - "name": "panel_26", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8.json b/packages/system/0.12.2/kibana/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8.json deleted file mode 100755 index 4dba98af12..0000000000 --- a/packages/system/0.12.2/kibana/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8.json +++ /dev/null 
@@ -1,133 +0,0 @@ -{ - "attributes": { - "description": "Overview of host metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"1\",\"w\":24,\"x\":0,\"y\":55},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"2\",\"w\":24,\"x\":24,\"y\":25},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"3\",\"w\":24,\"x\":24,\"y\":55},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"4\",\"w\":24,\"x\":0,\"y\":40},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":70},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":24,\"x\":0,\"y\":70},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"7\",\"w\":24,\"x\":0,\"y\":25},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"8\",\"w\":24,\"x\":24,\"y\":40},\"panelIndex\":\"8\",\"panelRefName\":\"panel_7\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"9\",\"w\":8,\"x\":16,\"y\":5},\"panelIndex\":\"9\",\"panelRefName\":\"panel_8\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"10\",\"w\":8,\"x\":0,\"y\":5},\"panelIndex\":\"10\",\"panelRefName\":\"panel_9\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"11\",\"w\":8,\"x\":8,
\"y\":5},\"panelIndex\":\"11\",\"panelRefName\":\"panel_10\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"12\",\"w\":8,\"x\":24,\"y\":5},\"panelIndex\":\"12\",\"panelRefName\":\"panel_11\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"13\",\"w\":8,\"x\":32,\"y\":5},\"panelIndex\":\"13\",\"panelRefName\":\"panel_12\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"14\",\"w\":16,\"x\":32,\"y\":15},\"panelIndex\":\"14\",\"panelRefName\":\"panel_13\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":5,\"i\":\"16\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"16\",\"panelRefName\":\"panel_14\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"21\",\"w\":8,\"x\":0,\"y\":15},\"panelIndex\":\"21\",\"panelRefName\":\"panel_15\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"22\",\"w\":8,\"x\":8,\"y\":15},\"panelIndex\":\"22\",\"panelRefName\":\"panel_16\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"23\",\"w\":8,\"x\":24,\"y\":15},\"panelIndex\":\"23\",\"panelRefName\":\"panel_17\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"25\",\"w\":8,\"x\":40,\"y\":5},\"panelIndex\":\"25\",\"panelRefName\":\"panel_18\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"27\",\"w\":24,\"x\":0,\"y\":85},\"panelIndex\":\"27\",\"panelRefName\":\"panel_19\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"28\",\"w\":24,\"x\":24,\"y\":85},\"panelIndex\":\"28\",\"panelRefName\":\"panel_20\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":10,\"i\":\"29\",\"w\":8,\"x\":16,\"y\":15},\"panelIndex\":\"29\",\"panelRefName\":\"panel_21\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":5,\"i\":\"30\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"30\",\"panelRefName\":\"panel_22\",\"version\":\"7.6.0\"}]", - "timeRestore": false, - "title": "[Metrics System] Host overview", - "version": 1 - }, - "id": "system-79ffd6e0-faa0-11e6-947f-177f697178b8", - "references": [ - { - "id": "system-6b7b9a40-faa1-11e6-86b1-cd7735ff7e23", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-4d546850-1b15-11e7-b09e-037021c4f8df", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "system-089b85d0-1b16-11e7-b09e-037021c4f8df", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "system-bfa5e400-1b16-11e7-b09e-037021c4f8df", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "system-e0f001c0-1b18-11e7-b09e-037021c4f8df", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "system-2e224660-1b19-11e7-b09e-037021c4f8df", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "system-ab2d1e90-1b1a-11e7-b09e-037021c4f8df", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "system-4e4bb1e0-1b1b-11e7-b09e-037021c4f8df", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "system-26732e20-1b91-11e7-bec4-a5e9ec5cab8b", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "system-1aae9140-1b93-11e7-8ada-3df93aab833e", - "name": "panel_12", - "type": "visualization" - }, - { - "id": "system-34f97ee0-1b96-11e7-8ada-3df93aab833e", - 
"name": "panel_13", - "type": "visualization" - }, - { - "id": "system-Navigation", - "name": "panel_14", - "type": "visualization" - }, - { - "id": "system-19e123b0-4d5a-11e7-aee5-fdc812cc3bec", - "name": "panel_15", - "type": "visualization" - }, - { - "id": "system-d2e80340-4d5c-11e7-aa29-87a97a796de6", - "name": "panel_16", - "type": "visualization" - }, - { - "id": "system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32", - "name": "panel_17", - "type": "visualization" - }, - { - "id": "system-96976150-4d5d-11e7-aa29-87a97a796de6", - "name": "panel_18", - "type": "visualization" - }, - { - "id": "system-99381c80-4d60-11e7-9a4c-ed99bbcaa42b", - "name": "panel_19", - "type": "visualization" - }, - { - "id": "system-c5e3cf90-4d60-11e7-9a4c-ed99bbcaa42b", - "name": "panel_20", - "type": "visualization" - }, - { - "id": "system-590a60f0-5d87-11e7-8884-1bb4c3b890e4", - "name": "panel_21", - "type": "visualization" - }, - { - "id": "system-3d65d450-a9c3-11e7-af20-67db8aecb295", - "name": "panel_22", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/dashboard/system-8223bed0-b9e9-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.12.2/kibana/dashboard/system-8223bed0-b9e9-11e9-b6a2-c9b4015c4baf.json deleted file mode 100755 index 81fed1fd24..0000000000 --- a/packages/system/0.12.2/kibana/dashboard/system-8223bed0-b9e9-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,159 +0,0 @@ -{ - "attributes": { - "description": "User management activity with TSVB metrics.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"1\",\"w\":17,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Created Users [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"3\",\"w\":9,\"x\":0,\"y\":55},\"panelIndex\":\"3\",\"panelRefName\":\"panel_1\",\"title\":\"Created Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Enabled Users [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"5\",\"w\":9,\"x\":9,\"y\":55},\"panelIndex\":\"5\",\"panelRefName\":\"panel_2\",\"title\":\"Enabled Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Disabled Users [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"6\",\"w\":9,\"x\":0,\"y\":80},\"panelIndex\":\"6\",\"panelRefName\":\"panel_3\",\"title\":\"Disabled Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Deleted Users [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"7\",\"w\":9,\"x\":18,\"y\":55},\"panelIndex\":\"7\",\"panelRefName\":\"panel_4\",\"title\":\"Deleted Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Passwords Changes [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"9\",\"w\":9,\"x\":18,\"y\":80},\"panelIndex\":\"9\",\"panelRefName\":\"panel_5\",\"title\":\"Passwords Changes [Windows System 
Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"10\",\"w\":9,\"x\":0,\"y\":46},\"panelIndex\":\"10\",\"panelRefName\":\"panel_6\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"11\",\"w\":9,\"x\":9,\"y\":46},\"panelIndex\":\"11\",\"panelRefName\":\"panel_7\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"12\",\"w\":9,\"x\":18,\"y\":46},\"panelIndex\":\"12\",\"panelRefName\":\"panel_8\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"13\",\"w\":9,\"x\":0,\"y\":71},\"panelIndex\":\"13\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"14\",\"w\":9,\"x\":18,\"y\":71},\"panelIndex\":\"14\",\"panelRefName\":\"panel_10\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Unlocked Users [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"15\",\"w\":9,\"x\":9,\"y\":80},\"panelIndex\":\"15\",\"panelRefName\":\"panel_11\",\"title\":\"Unlocked Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Users Changes [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"16\",\"w\":9,\"x\":18,\"y\":105},\"panelIndex\":\"16\",\"panelRefName\":\"panel_12\",\"title\":\"Users Changes [Windows System 
Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"17\",\"w\":9,\"x\":0,\"y\":96},\"panelIndex\":\"17\",\"panelRefName\":\"panel_13\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"18\",\"w\":9,\"x\":9,\"y\":71},\"panelIndex\":\"18\",\"panelRefName\":\"panel_14\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"19\",\"w\":9,\"x\":18,\"y\":96},\"panelIndex\":\"19\",\"panelRefName\":\"panel_15\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Locked-out Users [Windows System Security]\"},\"gridData\":{\"h\":16,\"i\":\"20\",\"w\":9,\"x\":0,\"y\":105},\"panelIndex\":\"20\",\"panelRefName\":\"panel_16\",\"title\":\"Locked-out Users [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":48,\"i\":\"22\",\"w\":21,\"x\":27,\"y\":73},\"panelIndex\":\"22\",\"panelRefName\":\"panel_17\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"23\",\"w\":48,\"x\":0,\"y\":121},\"panelIndex\":\"23\",\"panelRefName\":\"panel_18\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":9,\"i\":\"24\",\"w\":9,\"x\":9,\"y\":96},\"panelIndex\":\"24\",\"panelRefName\":\"panel_19\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"25\",\"w\":9,\"x\":9,\"y\":105},\"panelIndex\":\"25\",\"panelRefName\":\"panel_20\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"20adcb1b-cebf-4a75-9bc4-eaeeee626c5e\",\"w\":31,\"x\":17,\"y\":0},\"panelIndex\":\"20adcb1b-cebf-4a75-9bc4-eaeeee626c5e\",\"panelRefName\":\"panel_21\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-user-account\":\"#0A437C\",\"deleted-user-account\":\"#82B5D8\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#052B51\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\"},\"
vis\":{\"colors\":{\"added-user-account\":\"#0A437C\",\"deleted-user-account\":\"#82B5D8\",\"disabled-user-account\":\"#BADFF4\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#052B51\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\"}}},\"gridData\":{\"h\":19,\"i\":\"8aad73ff-37b1-487a-a3f1-b80b93618ac4\",\"w\":18,\"x\":0,\"y\":7},\"panelIndex\":\"8aad73ff-37b1-487a-a3f1-b80b93618ac4\",\"panelRefName\":\"panel_22\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"18cc78ac-3f77-4f54-b351-cb94873cae3f\",\"w\":14,\"x\":18,\"y\":7},\"panelIndex\":\"18cc78ac-3f77-4f54-b351-cb94873cae3f\",\"panelRefName\":\"panel_23\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"75f5f1fc-bc7c-4f8f-8e5b-0a52d525aa7d\",\"w\":16,\"x\":32,\"y\":7},\"panelIndex\":\"75f5f1fc-bc7c-4f8f-8e5b-0a52d525aa7d\",\"panelRefName\":\"panel_24\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Actions performed over Users [Windows System Security]\",\"vis\":null},\"gridData\":{\"h\":20,\"i\":\"f443b5b0-ada7-426f-ae2f-46573f94f24f\",\"w\":48,\"x\":0,\"y\":26},\"panelIndex\":\"f443b5b0-ada7-426f-ae2f-46573f94f24f\",\"panelRefName\":\"panel_25\",\"title\":\"Actions performed over Users [Windows System 
Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-user-account\":\"#0A437C\",\"deleted-user-account\":\"#82B5D8\",\"disabled-user-account\":\"#BADFF4\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#2F575E\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\"},\"vis\":{\"colors\":{\"added-user-account\":\"#0A437C\",\"deleted-user-account\":\"#82B5D8\",\"disabled-user-account\":\"#BADFF4\",\"enabled-user-account\":\"#0A50A1\",\"modified-user-account\":\"#2F575E\",\"renamed-user-account\":\"#1F78C1\",\"reset-password\":\"#5195CE\",\"unlocked-user-account\":\"#0A437C\"}}},\"gridData\":{\"h\":27,\"i\":\"820c0311-d378-49dc-a614-e0fed2254603\",\"w\":21,\"x\":27,\"y\":46},\"panelIndex\":\"820c0311-d378-49dc-a614-e0fed2254603\",\"panelRefName\":\"panel_26\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[System Windows Security] User Management Events - Simple Metric", - "version": 1 - }, - "id": "windows-8223bed0-b9e9-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-8f20c950-bcd4-11e9-b6a2-c9b4015c4baf", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-102efd20-bcdd-11e9-b6a2-c9b4015c4baf", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "windows-855957d0-bcdd-11e9-b6a2-c9b4015c4baf", - "name": "panel_7", - 
"type": "visualization" - }, - { - "id": "windows-c359b020-bcdd-11e9-b6a2-c9b4015c4baf", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-0cb2d940-bcde-11e9-b6a2-c9b4015c4baf", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-568a8130-bcde-11e9-b6a2-c9b4015c4baf", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "windows-da2110c0-bcea-11e9-b6a2-c9b4015c4baf", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "windows-abf96c10-bcea-11e9-b6a2-c9b4015c4baf", - "name": "panel_12", - "type": "visualization" - }, - { - "id": "windows-84502430-bce8-11e9-b6a2-c9b4015c4baf", - "name": "panel_13", - "type": "visualization" - }, - { - "id": "windows-ab6f8d80-bce8-11e9-b6a2-c9b4015c4baf", - "name": "panel_14", - "type": "visualization" - }, - { - "id": "windows-5d92b100-bce8-11e9-b6a2-c9b4015c4baf", - "name": "panel_15", - "type": "visualization" - }, - { - "id": "windows-4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf", - "name": "panel_16", - "type": "visualization" - }, - { - "id": "windows-7e178c80-fee1-11e9-8405-516218e3d268", - "name": "panel_17", - "type": "search" - }, - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "panel_18", - "type": "search" - }, - { - "id": "windows-5e19ff80-231c-11ea-8405-516218e3d268", - "name": "panel_19", - "type": "visualization" - }, - { - "id": "windows-fa876300-231a-11ea-8405-516218e3d268", - "name": "panel_20", - "type": "visualization" - }, - { - "id": "windows-d770b040-9b35-11ea-87e4-49f31ec44891", - "name": "panel_21", - "type": "visualization" - }, - { - "id": "windows-26877510-9b72-11ea-87e4-49f31ec44891", - "name": "panel_22", - "type": "visualization" - }, - { - "id": "windows-5c9ee410-9b74-11ea-87e4-49f31ec44891", - "name": "panel_23", - "type": "visualization" - }, - { - "id": "windows-117f5a30-9b71-11ea-87e4-49f31ec44891", - "name": "panel_24", - "type": "visualization" - }, - { - "id": "windows-aa31c9d0-9b75-11ea-87e4-49f31ec44891", - 
"name": "panel_25", - "type": "visualization" - }, - { - "id": "windows-caf4d2b0-9b76-11ea-87e4-49f31ec44891", - "name": "panel_26", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/dashboard/system-Filebeat-syslog-dashboard.json b/packages/system/0.12.2/kibana/dashboard/system-Filebeat-syslog-dashboard.json deleted file mode 100755 index e853fd4613..0000000000 --- a/packages/system/0.12.2/kibana/dashboard/system-Filebeat-syslog-dashboard.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "description": "Syslog dashboard from the Logs System integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"1\",\"w\":32,\"x\":0,\"y\":4},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"2\",\"w\":16,\"x\":32,\"y\":4},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"columns\":[\"host.hostname\",\"process.name\",\"message\"],\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"h\":28,\"i\":\"3\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"4\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Logs System] Syslog dashboard", - "version": 1 - }, - "id": "system-Filebeat-syslog-dashboard", - "references": [ - { - "id": "system-Syslog-events-by-hostname", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-Syslog-hostnames-and-processes", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "system-Syslog-system-logs", - "name": "panel_2", - "type": "search" - }, - { - "id": "system-327417e0-8462-11e7-bab8-bd2f0fb42c54", - "name": "panel_3", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/dashboard/system-Metricbeat-system-overview.json b/packages/system/0.12.2/kibana/dashboard/system-Metricbeat-system-overview.json deleted file mode 100755 index 286c979eb2..0000000000 
--- a/packages/system/0.12.2/kibana/dashboard/system-Metricbeat-system-overview.json +++ /dev/null 
@@ -1,68 +0,0 @@ -{ - "attributes": { - "description": "Overview of system metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"9\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"9\",\"panelRefName\":\"panel_0\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"11\",\"w\":8,\"x\":0,\"y\":4},\"panelIndex\":\"11\",\"panelRefName\":\"panel_1\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":20,\"i\":\"12\",\"w\":24,\"x\":24,\"y\":12},\"panelIndex\":\"12\",\"panelRefName\":\"panel_2\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"13\",\"w\":24,\"x\":0,\"y\":12},\"panelIndex\":\"13\",\"panelRefName\":\"panel_3\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0% - 15%\":\"rgb(247,252,245)\",\"15% - 30%\":\"rgb(199,233,192)\",\"30% - 45%\":\"rgb(116,196,118)\",\"45% - 60%\":\"rgb(35,139,69)\"}}},\"gridData\":{\"h\":24,\"i\":\"14\",\"w\":48,\"x\":0,\"y\":32},\"panelIndex\":\"14\",\"panelRefName\":\"panel_4\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"16\",\"w\":8,\"x\":32,\"y\":4},\"panelIndex\":\"16\",\"panelRefName\":\"panel_5\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"17\",\"w\":8,\"x\":40,\"y\":4},\"panelIndex\":\"17\",\"panelRefName\":\"panel_6\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"18\",\"w\":8,\"x\":24,\"y\":4},\"panelIndex\":\"18\",\"panelRefName\":\"panel_7\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"19\",\"w\":8,\"x\":16,\"y\":4},\"panelIndex\":\"19\",\"panelRefName\":\"panel_8\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"20\",\"w\":8,\"x\":8,\"y\":4},\"panelIndex\":\"20\",\"panelRefName\":\"panel_9\",\"version\":\"7.6.0\"}]", - "timeRestore": false, - "title": "[Metrics System] Overview", - "version": 1 - }, - "id": "system-Metrics-system-overview", - "references": [ - { - "id": "system-Navigation", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-c6f2ffd0-4d17-11e7-a196-69b9a7a020a9", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "system-fe064790-1b1f-11e7-bec4-a5e9ec5cab8b", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "system-855899e0-1b1c-11e7-b09e-037021c4f8df", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "system-7cdb1330-4d1a-11e7-a196-69b9a7a020a9", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "system-1aae9140-1b93-11e7-8ada-3df93aab833e", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b", - "name": 
"panel_9", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/dashboard/system-Winlogbeat-Dashboard.json b/packages/system/0.12.2/kibana/dashboard/system-Winlogbeat-Dashboard.json deleted file mode 100755 index 2299940474..0000000000 --- a/packages/system/0.12.2/kibana/dashboard/system-Winlogbeat-Dashboard.json +++ /dev/null 
@@ -1,49 +0,0 @@ -{ - "attributes": { - "description": "Overview of all Windows Event Logs.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:system.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:system.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system OR data_stream.dataset:system.system)\"}}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"gridData\":{\"h\":20,\"i\":\"3\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"4\",\"w\":16,\"x\":16,\"y\":20},\"panelIndex\":\"4\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"gridData\":{\"h\":20,\"i\":\"5\",\"w\":16,\"x\":32,\"y\":20},\"panelIndex\":\"5\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"gridData\":{\"h\":20,\"i\":\"6\",\"w\":16,\"x\":0,\"y\":20},\"panelIndex\":\"6\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[System] Windows Overview", - "version": 1 - }, - "id": "Windows-Dashboard", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-Number-of-Events-Over-Time-By-Event-Log", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-Number-of-Events", - "name": "panel_1", - "type": "visualization" - }, - { - "id": 
"windows-Top-Event-IDs", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-Event-Levels", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-Sources", - "name": "panel_4", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/dashboard/system-bae11b00-9bfc-11ea-87e4-49f31ec44891.json b/packages/system/0.12.2/kibana/dashboard/system-bae11b00-9bfc-11ea-87e4-49f31ec44891.json deleted file mode 100755 index a07696c194..0000000000 --- a/packages/system/0.12.2/kibana/dashboard/system-bae11b00-9bfc-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,89 +0,0 @@ -{ - "attributes": { - "description": "User logon activity dashboard.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"Admin Users Sessions\"},\"gridData\":{\"h\":28,\"i\":\"1\",\"w\":18,\"x\":0,\"y\":34},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"title\":\"Admin Users Sessions\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"AdminLocalSta\":\"#890F02\",\"SERVICIO LOCAL\":\"#508642\"},\"legendOpen\":true,\"title\":\"Administrators Logged On\",\"vis\":{\"colors\":{\"AdminLocalSta\":\"#890F02\",\"NETWORK SERVICE\":\"#1F78C1\",\"SERVICIO LOCAL\":\"#508642\"},\"legendOpen\":true}},\"gridData\":{\"h\":18,\"i\":\"3\",\"w\":18,\"x\":0,\"y\":16},\"panelIndex\":\"3\",\"panelRefName\":\"panel_1\",\"title\":\"Administrators Logged On\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":6,\"i\":\"4\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_2\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Details\"},\"gridData\":{\"h\":47,\"i\":\"10\",\"w\":23,\"x\":0,\"y\":62},\"panelIndex\":\"10\",\"panelRefName\":\"panel_3\",\"title\":\"Logon 
Details\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":6,\"i\":\"34fc9633-8a7c-444d-8d19-06095b55fb43\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"34fc9633-8a7c-444d-8d19-06095b55fb43\",\"panelRefName\":\"panel_4\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":10,\"i\":\"67d2409d-3e51-45d5-972f-32a36537e622\",\"w\":9,\"x\":0,\"y\":6},\"panelIndex\":\"67d2409d-3e51-45d5-972f-32a36537e622\",\"panelRefName\":\"panel_5\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":10,\"i\":\"33d05ce3-f60d-4a31-a668-aa6fab0cc800\",\"w\":9,\"x\":9,\"y\":6},\"panelIndex\":\"33d05ce3-f60d-4a31-a668-aa6fab0cc800\",\"panelRefName\":\"panel_6\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Events Timeline\"},\"gridData\":{\"h\":13,\"i\":\"7b3906e6-3a81-450c-bb31-ca0d670440b7\",\"w\":30,\"x\":18,\"y\":6},\"panelIndex\":\"7b3906e6-3a81-450c-bb31-ca0d670440b7\",\"panelRefName\":\"panel_7\",\"title\":\"Logon Events Timeline\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"CachedInteractive\":\"#6ED0E0\",\"Interactive\":\"#2F575E\",\"Network\":\"#447EBC\",\"RemoteInteractive\":\"#64B0C8\",\"Service\":\"#6ED0E0\",\"Unlock\":\"#BADFF4\"},\"legendOpen\":true,\"title\":\"Logon Types\",\"vis\":{\"colors\":{\"CachedInteractive\":\"#6ED0E0\",\"Interactive\":\"#2F575E\",\"Network\":\"#447EBC\",\"RemoteInteractive\":\"#64B0C8\",\"Service\":\"#65C5DB\",\"Unlock\":\"#BADFF4\"},\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"cf50b48e-453c-46fb-ad35-7ccfb7b03de0\",\"w\":15,\"x\":18,\"y\":19},\"panelIndex\":\"cf50b48e-453c-46fb-ad35-7ccfb7b03de0\",\"panelRefName\":\"panel_8\",\"title\":\"Logon 
Types\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"a743ffe5-a2ac-4c0b-9b6f-a81563140c42\",\"w\":15,\"x\":33,\"y\":19},\"panelIndex\":\"a743ffe5-a2ac-4c0b-9b6f-a81563140c42\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"RDP Reconnections and Desconnections\"},\"gridData\":{\"h\":28,\"i\":\"454bb008-9720-455e-8ab9-b2f47d25aa4f\",\"w\":18,\"x\":18,\"y\":34},\"panelIndex\":\"454bb008-9720-455e-8ab9-b2f47d25aa4f\",\"panelRefName\":\"panel_10\",\"title\":\"RDP Reconnections and Desconnections\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":28,\"i\":\"29a0e70a-ab23-4d48-8d4e-9a39c5af47ad\",\"w\":12,\"x\":36,\"y\":34},\"panelIndex\":\"29a0e70a-ab23-4d48-8d4e-9a39c5af47ad\",\"panelRefName\":\"panel_11\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logout Details\"},\"gridData\":{\"h\":46,\"i\":\"28115147-8399-4fcd-95ce-ed0a4f4239e3\",\"w\":25,\"x\":23,\"y\":62},\"panelIndex\":\"28115147-8399-4fcd-95ce-ed0a4f4239e3\",\"panelRefName\":\"panel_12\",\"title\":\"Logout Details\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[System Windows Security] User Logons", - "version": 1 - }, - "id": "windows-bae11b00-9bfc-11ea-87e4-49f31ec44891", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-804dd400-a248-11e9-a422-d144027429da", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-e2516c10-a249-11e9-a422-d144027429da", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-18348f30-a24d-11e9-a422-d144027429da", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-ce71c9a0-a25e-11e9-a422-d144027429da", - "name": "panel_3", - "type": "search" - }, - { - "id": "windows-a3c3f350-9b6d-11ea-87e4-49f31ec44891", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-0622da40-9bfd-11ea-87e4-49f31ec44891", - "name": 
"panel_5", - "type": "visualization" - }, - { - "id": "windows-860706a0-9bfd-11ea-87e4-49f31ec44891", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "windows-a909b930-685f-11ea-896f-0d70f7ec3956", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "windows-006d75f0-9c03-11ea-87e4-49f31ec44891", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-21aadac0-9c0b-11ea-87e4-49f31ec44891", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3", - "name": "panel_10", - "type": "search" - }, - { - "id": "windows-25f31ee0-9c23-11ea-87e4-49f31ec44891", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "windows-06b6b060-7a80-11ea-bc9a-0baf2ca323a3", - "name": "panel_12", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/dashboard/system-bb858830-f412-11e9-8405-516218e3d268.json b/packages/system/0.12.2/kibana/dashboard/system-bb858830-f412-11e9-8405-516218e3d268.json deleted file mode 100755 index 31718aaa5d..0000000000 --- a/packages/system/0.12.2/kibana/dashboard/system-bb858830-f412-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,129 +0,0 @@ -{ - "attributes": { - "description": "Group management activity.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"22\",\"w\":16,\"x\":0,\"y\":0},\"panelIndex\":\"22\",\"panelRefName\":\"panel_0\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"29\",\"w\":16,\"x\":0,\"y\":68},\"panelIndex\":\"29\",\"panelRefName\":\"panel_1\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"30\",\"w\":9,\"x\":18,\"y\":48},\"panelIndex\":\"30\",\"panelRefName\":\"panel_2\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"31\",\"w\":9,\"x\":0,\"y\":48},\"panelIndex\":\"31\",\"panelRefName\":\"panel_3\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"32\",\"w\":9,\"x\":9,\"y\":48},\"panelIndex\":\"32\",\"panelRefName\":\"panel_4\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"33\",\"w\":17,\"x\":16,\"y\":68},\"panelIndex\":\"33\",\"panelRefName\":\"panel_5\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"34\",\"w\":15,\"x\":33,\"y\":68},\"panelIndex\":\"34\",\"panelRefName\":\"panel_6\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Creation Summary [Windows System Security]\"},\"gridData\":{\"h\":13,\"i\":\"36\",\"w\":9,\"x\":0,\"y\":55},\"panelIndex\":\"36\",\"panelRefName\":\"panel_7\",\"title\":\"Group Creation Summary [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Changes Summary [Windows System 
Security]\"},\"gridData\":{\"h\":13,\"i\":\"37\",\"w\":9,\"x\":9,\"y\":55},\"panelIndex\":\"37\",\"panelRefName\":\"panel_8\",\"title\":\"Group Changes Summary [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Deletion Summary [Windows System Security]\"},\"gridData\":{\"h\":13,\"i\":\"38\",\"w\":9,\"x\":18,\"y\":55},\"panelIndex\":\"38\",\"panelRefName\":\"panel_9\",\"title\":\"Group Deletion Summary [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Users Added to Group Summary [Windows System Security]\"},\"gridData\":{\"h\":14,\"i\":\"39\",\"w\":16,\"x\":0,\"y\":75},\"panelIndex\":\"39\",\"panelRefName\":\"panel_10\",\"title\":\"Users Added to Group Summary [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Users Removed From Group Summary [Windows System Security]\"},\"gridData\":{\"h\":14,\"i\":\"40\",\"w\":17,\"x\":16,\"y\":75},\"panelIndex\":\"40\",\"panelRefName\":\"panel_11\",\"title\":\"Users Removed From Group Summary [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Enumeration - Table [Windows System Security]\"},\"gridData\":{\"h\":14,\"i\":\"42\",\"w\":15,\"x\":33,\"y\":75},\"panelIndex\":\"42\",\"panelRefName\":\"panel_12\",\"title\":\"Group Enumeration - Table [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Details [Windows System Security]\"},\"gridData\":{\"h\":20,\"i\":\"43\",\"w\":21,\"x\":27,\"y\":48},\"panelIndex\":\"43\",\"panelRefName\":\"panel_13\",\"title\":\"Logon Details [Windows System Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Management Operations Details [Windows System Security]\"},\"gridData\":{\"h\":22,\"i\":\"45\",\"w\":48,\"x\":0,\"y\":89},\"panelIndex\":\"45\",\"panelRefName\":\"panel_14\",\"title\":\"Group Management Operations Details [Windows System 
Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-group-account\":\"#0A437C\",\"added-member-to-group\":\"#1F78C1\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#052B51\",\"user-member-enumerated\":\"#447EBC\"},\"vis\":{\"colors\":{\"added-group-account\":\"#0A437C\",\"added-member-to-group\":\"#1F78C1\",\"deleted-group-account\":\"#82B5D8\",\"modified-group-account\":\"#052B51\",\"user-member-enumerated\":\"#447EBC\"}}},\"gridData\":{\"h\":20,\"i\":\"3f7e277d-09d1-4a79-bc17-bc5da5a7e290\",\"w\":20,\"x\":0,\"y\":7},\"panelIndex\":\"3f7e277d-09d1-4a79-bc17-bc5da5a7e290\",\"panelRefName\":\"panel_15\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"8cda9d6a-096f-41a5-86e6-09dd1f6b9c98\",\"w\":16,\"x\":32,\"y\":7},\"panelIndex\":\"8cda9d6a-096f-41a5-86e6-09dd1f6b9c98\",\"panelRefName\":\"panel_16\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Group Management Events - Event Actions - Table [Windows System Security]\"},\"gridData\":{\"h\":20,\"i\":\"74edddd5-2dc5-41b8-b4f2-bf9c95218f1b\",\"w\":12,\"x\":20,\"y\":7},\"panelIndex\":\"74edddd5-2dc5-41b8-b4f2-bf9c95218f1b\",\"panelRefName\":\"panel_17\",\"title\":\"Group Management Events - Event Actions - Table [Windows System 
Security]\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"vis\":null},\"gridData\":{\"h\":21,\"i\":\"33cef054-615a-49cb-bb2e-eb55fab96ae5\",\"w\":27,\"x\":0,\"y\":27},\"panelIndex\":\"33cef054-615a-49cb-bb2e-eb55fab96ae5\",\"panelRefName\":\"panel_18\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"added-group-account\":\"#1F78C1\",\"added-member-to-group\":\"#0A437C\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#0A50A1\",\"type-changed-group-account\":\"#82B5D8\",\"user-member-enumerated\":\"#447EBC\"},\"vis\":{\"colors\":{\"added-group-account\":\"#1F78C1\",\"added-member-to-group\":\"#0A437C\",\"deleted-group-account\":\"#5195CE\",\"modified-group-account\":\"#0A50A1\",\"removed-member-from-group\":\"#BADFF4\",\"type-changed-group-account\":\"#82B5D8\",\"user-member-enumerated\":\"#447EBC\"}}},\"gridData\":{\"h\":21,\"i\":\"e0d495aa-f897-403f-815b-6116fae330b7\",\"w\":21,\"x\":27,\"y\":27},\"panelIndex\":\"e0d495aa-f897-403f-815b-6116fae330b7\",\"panelRefName\":\"panel_19\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"663e0493-2070-407b-9d00-079915cce7e7\",\"w\":32,\"x\":16,\"y\":0},\"panelIndex\":\"663e0493-2070-407b-9d00-079915cce7e7\",\"panelRefName\":\"panel_20\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[System Windows Security] Group Management Events", - "version": 1 - }, - "id": "windows-bb858830-f412-11e9-8405-516218e3d268", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-6f0f2ea0-f414-11e9-8405-516218e3d268", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-ffebe440-f419-11e9-8405-516218e3d268", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-e22c6f40-f498-11e9-8405-516218e3d268", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-ee292bc0-f499-11e9-8405-516218e3d268", - "name": "panel_3", - "type": 
"visualization" - }, - { - "id": "windows-400b63e0-f49a-11e9-8405-516218e3d268", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-a5f664c0-f49a-11e9-8405-516218e3d268", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-546febc0-f49b-11e9-8405-516218e3d268", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "windows-98884120-f49d-11e9-8405-516218e3d268", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "windows-9e534190-f49d-11e9-8405-516218e3d268", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-bb9cf7a0-f49d-11e9-8405-516218e3d268", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-ce867840-f49e-11e9-8405-516218e3d268", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "windows-fee83900-f49f-11e9-8405-516218e3d268", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "windows-bc165210-f4b8-11e9-8405-516218e3d268", - "name": "panel_12", - "type": "visualization" - }, - { - "id": "windows-7e178c80-fee1-11e9-8405-516218e3d268", - "name": "panel_13", - "type": "search" - }, - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "panel_14", - "type": "search" - }, - { - "id": "windows-b89b0c90-9b41-11ea-87e4-49f31ec44891", - "name": "panel_15", - "type": "visualization" - }, - { - "id": "windows-58fb9480-9b46-11ea-87e4-49f31ec44891", - "name": "panel_16", - "type": "visualization" - }, - { - "id": "windows-33462600-9b47-11ea-87e4-49f31ec44891", - "name": "panel_17", - "type": "visualization" - }, - { - "id": "windows-e20c02d0-9b48-11ea-87e4-49f31ec44891", - "name": "panel_18", - "type": "visualization" - }, - { - "id": "windows-7de2e3f0-9b4d-11ea-87e4-49f31ec44891", - "name": "panel_19", - "type": "visualization" - }, - { - "id": "windows-a3c3f350-9b6d-11ea-87e4-49f31ec44891", - "name": "panel_20", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file 
diff --git a/packages/system/0.12.2/kibana/dashboard/system-d401ef40-a7d5-11e9-a422-d144027429da.json b/packages/system/0.12.2/kibana/dashboard/system-d401ef40-a7d5-11e9-a422-d144027429da.json deleted file mode 100755 index b5991808e8..0000000000 --- a/packages/system/0.12.2/kibana/dashboard/system-d401ef40-a7d5-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,84 +0,0 @@ -{ - "attributes": { - "description": "Failed and blocked accounts with TSVB metrics.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"1\",\"w\":14,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"Failed Logins\":\"#EF843C\",\"Failed Logons\":\"#E24D42\",\"Successful Login\":\"#B7DBAB\",\"Successful Logon\":\"#9AC48A\"},\"legendOpen\":true,\"title\":\"Login Successful vs Failed\",\"vis\":{\"colors\":{\"Failed Logins\":\"#EF843C\",\"Failed Logons\":\"#BF1B00\",\"Successful Login\":\"#B7DBAB\",\"Successful Logon\":\"#9AC48A\"},\"legendOpen\":true}},\"gridData\":{\"h\":18,\"i\":\"2\",\"w\":12,\"x\":0,\"y\":7},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"title\":\"Login Successful vs Failed\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Blocked Acoounts\"},\"gridData\":{\"h\":21,\"i\":\"3\",\"w\":11,\"x\":12,\"y\":35},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"title\":\"Blocked Acoounts\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"Login Failed\":\"#F9934E\",\"Login OK\":\"#9AC48A\",\"Logon Failed\":\"#E24D42\",\"Logon Successful\":\"#9AC48A\"},\"legendOpen\":true,\"title\":\"Logon Successful and Failed Over time\",\"vis\":{\"colors\":{\"Login Failed\":\"#F9934E\",\"Login OK\":\"#9AC48A\",\"Logon Failed\":\"#BF1B00\",\"Logon Successful\":\"#9AC48A\"},\"legendOpen\":true}},\"gridData\":{\"h\":18,\"i\":\"4\",\"w\":23,\"x\":12,\"y\":7},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"title\":\"Logon Successful and Failed Over 
time\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"5\",\"w\":12,\"x\":0,\"y\":35},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Failed (Time Mosaic View)\",\"vis\":{\"defaultColors\":{\"0 - 5\":\"rgb(255,245,240)\",\"10 - 15\":\"rgb(252,138,106)\",\"15 - 20\":\"rgb(241,68,50)\",\"20 - 24\":\"rgb(188,20,26)\",\"5 - 10\":\"rgb(253,202,181)\"},\"legendOpen\":false}},\"gridData\":{\"h\":30,\"i\":\"6\",\"w\":48,\"x\":0,\"y\":56},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"title\":\"Logon Failed (Time Mosaic View)\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Failed and Account Lockouts\"},\"gridData\":{\"h\":20,\"i\":\"8\",\"w\":48,\"x\":0,\"y\":86},\"panelIndex\":\"8\",\"panelRefName\":\"panel_6\",\"title\":\"Logon Failed and Account Lockouts\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Failed Source IPs\"},\"gridData\":{\"h\":18,\"i\":\"10\",\"w\":13,\"x\":35,\"y\":7},\"panelIndex\":\"10\",\"panelRefName\":\"panel_7\",\"title\":\"Logon Failed Source IPs\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Failed Logins Table\"},\"gridData\":{\"h\":31,\"i\":\"11\",\"w\":25,\"x\":23,\"y\":25},\"panelIndex\":\"11\",\"panelRefName\":\"panel_8\",\"title\":\"Failed Logins 
Table\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"628de26f-7b7b-457c-b811-e06161e4e7b4\",\"w\":34,\"x\":14,\"y\":0},\"panelIndex\":\"628de26f-7b7b-457c-b811-e06161e4e7b4\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":10,\"i\":\"01a624c2-7a86-4fa9-89d3-e2ae84e94ec9\",\"w\":12,\"x\":0,\"y\":25},\"panelIndex\":\"01a624c2-7a86-4fa9-89d3-e2ae84e94ec9\",\"panelRefName\":\"panel_10\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":10,\"i\":\"e3046900-1ffc-4efa-9dab-613d685c617b\",\"w\":11,\"x\":12,\"y\":25},\"panelIndex\":\"e3046900-1ffc-4efa-9dab-613d685c617b\",\"panelRefName\":\"panel_11\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[System Windows Security] Failed and Blocked Accounts", - "version": 1 - }, - "id": "windows-d401ef40-a7d5-11e9-a422-d144027429da", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-c2ea73f0-a4bd-11e9-a422-d144027429da", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-175a5760-a7d5-11e9-a422-d144027429da", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-7a329a00-a7d5-11e9-a422-d144027429da", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-162d7ab0-a7d6-11e9-a422-d144027429da", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-729443b0-a7d6-11e9-a422-d144027429da", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-4b683ac0-a7d7-11e9-a422-d144027429da", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-757510b0-a87f-11e9-a422-d144027429da", - "name": "panel_6", - "type": "search" - }, - { - "id": "windows-2084e300-a884-11e9-a422-d144027429da", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "windows-421f0610-af98-11e9-a422-d144027429da", - "name": 
"panel_8", - "type": "visualization" - }, - { - "id": "windows-a3c3f350-9b6d-11ea-87e4-49f31ec44891", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-8ef59f90-6ab8-11ea-896f-0d70f7ec3956", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "windows-a79395f0-6aba-11ea-896f-0d70f7ec3956", - "name": "panel_11", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/dashboard/system-f49f3170-9ffc-11ea-87e4-49f31ec44891.json b/packages/system/0.12.2/kibana/dashboard/system-f49f3170-9ffc-11ea-87e4-49f31ec44891.json deleted file mode 100755 index b53893ec0b..0000000000 --- a/packages/system/0.12.2/kibana/dashboard/system-f49f3170-9ffc-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,84 +0,0 @@ -{ - "attributes": { - "description": "Failed and blocked accounts.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"1\",\"w\":14,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"Failed Logins\":\"#EF843C\",\"Failed Logons\":\"#E24D42\",\"Successful Login\":\"#B7DBAB\",\"Successful Logon\":\"#9AC48A\"},\"legendOpen\":true,\"title\":\"Login Successful vs Failed\",\"vis\":{\"colors\":{\"Failed Logins\":\"#EF843C\",\"Failed Logons\":\"#BF1B00\",\"Successful Login\":\"#B7DBAB\",\"Successful Logon\":\"#9AC48A\"},\"legendOpen\":true}},\"gridData\":{\"h\":18,\"i\":\"2\",\"w\":12,\"x\":0,\"y\":7},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"title\":\"Login Successful vs Failed\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Blocked Acoounts\"},\"gridData\":{\"h\":21,\"i\":\"3\",\"w\":11,\"x\":12,\"y\":35},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"title\":\"Blocked Acoounts\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"colors\":{\"Login Failed\":\"#F9934E\",\"Login OK\":\"#9AC48A\",\"Logon Failed\":\"#E24D42\",\"Logon Successful\":\"#9AC48A\"},\"legendOpen\":true,\"title\":\"Logon Successful and Failed Over time\",\"vis\":{\"colors\":{\"Login Failed\":\"#F9934E\",\"Login OK\":\"#9AC48A\",\"Logon Failed\":\"#BF1B00\",\"Logon Successful\":\"#9AC48A\"},\"legendOpen\":true}},\"gridData\":{\"h\":18,\"i\":\"4\",\"w\":23,\"x\":12,\"y\":7},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"title\":\"Logon Successful and Failed Over 
time\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"5\",\"w\":12,\"x\":0,\"y\":35},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Failed (Time Mosaic View)\",\"vis\":{\"defaultColors\":{\"0 - 5\":\"rgb(255,245,240)\",\"10 - 15\":\"rgb(252,138,106)\",\"15 - 20\":\"rgb(241,68,50)\",\"20 - 24\":\"rgb(188,20,26)\",\"5 - 10\":\"rgb(253,202,181)\"},\"legendOpen\":false}},\"gridData\":{\"h\":30,\"i\":\"6\",\"w\":48,\"x\":0,\"y\":56},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"title\":\"Logon Failed (Time Mosaic View)\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Failed and Account Lockouts\"},\"gridData\":{\"h\":20,\"i\":\"8\",\"w\":48,\"x\":0,\"y\":86},\"panelIndex\":\"8\",\"panelRefName\":\"panel_6\",\"title\":\"Logon Failed and Account Lockouts\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Logon Failed Source IPs\"},\"gridData\":{\"h\":18,\"i\":\"10\",\"w\":13,\"x\":35,\"y\":7},\"panelIndex\":\"10\",\"panelRefName\":\"panel_7\",\"title\":\"Logon Failed Source IPs\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"Failed Logins Table\"},\"gridData\":{\"h\":31,\"i\":\"11\",\"w\":25,\"x\":23,\"y\":25},\"panelIndex\":\"11\",\"panelRefName\":\"panel_8\",\"title\":\"Failed Logins 
Table\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":7,\"i\":\"a79ee89f-ff45-486c-9788-9446d39456c2\",\"w\":34,\"x\":14,\"y\":0},\"panelIndex\":\"a79ee89f-ff45-486c-9788-9446d39456c2\",\"panelRefName\":\"panel_9\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":10,\"i\":\"7765df59-11c4-476d-898f-9ebf98c369e2\",\"w\":11,\"x\":12,\"y\":25},\"panelIndex\":\"7765df59-11c4-476d-898f-9ebf98c369e2\",\"panelRefName\":\"panel_10\",\"version\":\"7.7.0\"},{\"embeddableConfig\":{\"title\":\"\"},\"gridData\":{\"h\":10,\"i\":\"b47c91d3-58c4-4b5b-b302-444b048efdfa\",\"w\":12,\"x\":0,\"y\":25},\"panelIndex\":\"b47c91d3-58c4-4b5b-b302-444b048efdfa\",\"panelRefName\":\"panel_11\",\"version\":\"7.7.0\"}]", - "timeRestore": false, - "title": "[System Windows Security] Failed and Blocked Accounts - Simple Metrics", - "version": 1 - }, - "id": "windows-f49f3170-9ffc-11ea-87e4-49f31ec44891", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-c2ea73f0-a4bd-11e9-a422-d144027429da", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-175a5760-a7d5-11e9-a422-d144027429da", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-7a329a00-a7d5-11e9-a422-d144027429da", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-162d7ab0-a7d6-11e9-a422-d144027429da", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-729443b0-a7d6-11e9-a422-d144027429da", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-4b683ac0-a7d7-11e9-a422-d144027429da", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-757510b0-a87f-11e9-a422-d144027429da", - "name": "panel_6", - "type": "search" - }, - { - "id": "windows-2084e300-a884-11e9-a422-d144027429da", - "name": "panel_7", - "type": "visualization" - }, - { - "id": 
"windows-421f0610-af98-11e9-a422-d144027429da", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-d770b040-9b35-11ea-87e4-49f31ec44891", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-5d117970-9ffd-11ea-87e4-49f31ec44891", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "windows-4bedf650-9ffd-11ea-87e4-49f31ec44891", - "name": "panel_11", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/search/system-06b6b060-7a80-11ea-bc9a-0baf2ca323a3.json b/packages/system/0.12.2/kibana/search/system-06b6b060-7a80-11ea-bc9a-0baf2ca323a3.json deleted file mode 100755 index 855283756c..0000000000 --- a/packages/system/0.12.2/kibana/search/system-06b6b060-7a80-11ea-bc9a-0baf2ca323a3.json +++ /dev/null 
@@ -1,50 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.name", - "user.domain", - "winlog.logon.id", - "event.action", - "winlog.logon.type", - "winlog.event_data.SubjectUserName" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4625\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"4625\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "User Logouts [Windows System Security]", - "version": 1 - }, - "id": "windows-06b6b060-7a80-11ea-bc9a-0baf2ca323a3", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file 
diff --git a/packages/system/0.12.2/kibana/search/system-324686c0-fefb-11e9-8405-516218e3d268.json b/packages/system/0.12.2/kibana/search/system-324686c0-fefb-11e9-8405-516218e3d268.json
deleted file mode 100755
index c8b43b2e5e..0000000000
--- a/packages/system/0.12.2/kibana/search/system-324686c0-fefb-11e9-8405-516218e3d268.json
+++ /dev/null
@@ -1,46 +0,0 @@ -{ - "attributes": { - "columns": [ - "event.action", - "winlog.event_data.TargetUserName", - "user.domain", - "user.name", - "winlog.event_data.SubjectDomainName", - "winlog.logon.id", - "related.user" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4720\",\"4722\",\"4723\",\"4724\",\"4725\",\"4726\",\"4738\",\"4740\",\"4767\",\"4781\",\"4798\"],\"type\":\"phrases\",\"value\":\"4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740, 4767, 4781, 4798\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4720\"}},{\"match_phrase\":{\"event.code\":\"4722\"}},{\"match_phrase\":{\"event.code\":\"4723\"}},{\"match_phrase\":{\"event.code\":\"4724\"}},{\"match_phrase\":{\"event.code\":\"4725\"}},{\"match_phrase\":{\"event.code\":\"4726\"}},{\"match_phrase\":{\"event.code\":\"4738\"}},{\"match_phrase\":{\"event.code\":\"4740\"}},{\"match_phrase\":{\"event.code\":\"4767\"}},{\"match_phrase\":{\"event.code\":\"4781\"}},{\"match_phrase\":{\"event.code\":\"4798\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "User management Details - Search [Windows System Security]", - "version": 1 - }, - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/search/system-62439dc0-f9c9-11e6-a747-6121780e0414.json b/packages/system/0.12.2/kibana/search/system-62439dc0-f9c9-11e6-a747-6121780e0414.json deleted file mode 100755 index abdd218801..0000000000 --- a/packages/system/0.12.2/kibana/search/system-62439dc0-f9c9-11e6-a747-6121780e0414.json +++ /dev/null @@ -1,33 +0,0 @@ -{ - "attributes": { - "columns": [ - "system.auth.ssh.event", - "system.auth.ssh.method", - "user.name", - "source.ip", - "source.geo.country_iso_code" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:system.auth AND system.auth.ssh.event:*\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "SSH login attempts [Logs System]", - "version": 1 - }, - "id": "system-62439dc0-f9c9-11e6-a747-6121780e0414", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/search/system-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3.json b/packages/system/0.12.2/kibana/search/system-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3.json deleted file mode 100755 index 7da0171a43..0000000000 --- a/packages/system/0.12.2/kibana/search/system-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3.json +++ /dev/null 
@@ -1,44 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.name", - "source.domain", - "source.ip", - "winlog.logon.id", - "event.action" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4778\",\"4779\"],\"type\":\"phrases\",\"value\":\"4778, 4779\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4778\"}},{\"match_phrase\":{\"event.code\":\"4779\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Remote Interactive Connections and Disconnections [Windows System Security]", - "version": 1 - }, - "id": "windows-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/search/system-757510b0-a87f-11e9-a422-d144027429da.json b/packages/system/0.12.2/kibana/search/system-757510b0-a87f-11e9-a422-d144027429da.json deleted file mode 100755 index 1bd6621baa..0000000000 --- a/packages/system/0.12.2/kibana/search/system-757510b0-a87f-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,51 +0,0 @@ -{ - "attributes": { - "columns": [ - "event.action", - "user.name", - "related.user", - "user.domain", - "source.domain", - "source.ip", - "winlog.event_data.SubjectUserName" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4625\",\"4740\"],\"type\":\"phrases\",\"value\":\"4625, 4740\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4625\"}},{\"match_phrase\":{\"event.code\":\"4740\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "3. 
Login Failed Details", - "version": 1 - }, - "id": "windows-757510b0-a87f-11e9-a422-d144027429da", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/search/system-7e178c80-fee1-11e9-8405-516218e3d268.json b/packages/system/0.12.2/kibana/search/system-7e178c80-fee1-11e9-8405-516218e3d268.json deleted file mode 100755 index 6b0a39627c..0000000000 --- a/packages/system/0.12.2/kibana/search/system-7e178c80-fee1-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,44 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.name", - "source.domain", - "source.ip", - "winlog.logon.id", - "winlog.logon.type" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4624\"],\"type\":\"phrases\",\"value\":\"4624\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4624\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Logon Details [Windows System Security]", - "version": 1 - }, - "id": "windows-7e178c80-fee1-11e9-8405-516218e3d268", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/search/system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab.json b/packages/system/0.12.2/kibana/search/system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab.json deleted file mode 100755 index ae1484339a..0000000000 --- a/packages/system/0.12.2/kibana/search/system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.name", - "user.id", - "group.id", - "system.auth.useradd.home", - "system.auth.useradd.shell" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.useradd:*\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "useradd logs [Logs System]", - "version": 1 - }, - "id": "system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/search/system-9066d5b0-fef2-11e9-8405-516218e3d268.json b/packages/system/0.12.2/kibana/search/system-9066d5b0-fef2-11e9-8405-516218e3d268.json deleted file mode 100755 index daa2105b0b..0000000000 --- a/packages/system/0.12.2/kibana/search/system-9066d5b0-fef2-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,45 +0,0 @@ -{ - "attributes": { - "columns": [ - "event.action", - "group.name", - "group.domain", - "user.name", - "user.domain", - "host.name" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4731\",\"4732\",\"4733\",\"4734\",\"4735\",\"4737\",\"4764\",\"4727\",\"4728\",\"4729\",\"4730\",\"4754\",\"4755\",\"4756\",\"4757\",\"4758\",\"4799\",\"4749\",\"4750\",\"4751\",\"4752\",\"4753\",\"4759\",\"4760\",\"4761\",\"4762\",\"4763\",\"4744\",\"4745\",\"4746\",\"4748\"],\"type\":\"phrases\",\"value\":\"4731, 4732, 4733, 4734, 4735, 4737, 4764, 4727, 4728, 4729, 4730, 4754, 4755, 4756, 4757, 4758, 4799, 4749, 4750, 4751, 4752, 4753, 4759, 4760, 4761, 4762, 4763, 4744, 4745, 4746, 4748\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4731\"}},{\"match_phrase\":{\"event.code\":\"4732\"}},{\"match_phrase\":{\"event.code\":\"4733\"}},{\"match_phrase\":{\"event.code\":\"4734\"}},{\"match_phrase\":{\"event.code\":\"4735\"}},{\"match_phrase\":{\"event.code\":\"4737\"}},{\"match_phrase\":{\"event.code\":\"4764\"}},{\"match_phrase\":{\"event.code\":\"4727\"}},{\"match_phrase\":{\"event.code\":\"4728\"}},{\"match_phrase\":{\"event.code\":\"4729\"}},{\"match_phrase\":{\"event.code\":\"4730\"}},{\"match_phrase\":{\"event.code\":\"4754\"}},{\"match_phrase\":{\"event.code\":\"4755\"}},{\"match_phrase\":{\"event.code\":\"4756\"}},{\"match_phrase\":{\"event.code\":\"4757\"}},{\"match_phrase\":{\"event.code\":\"4758\"}},{\"match_phrase\":{\"event.code\":\"4799\"}},{\"match_phrase\":{\"event.code\":\"4749\"}},{\"match_phrase\":{\"event.code\":\"4750\"}},{\"match_phrase\":{\"event.code\":\"4751\"}},{\"match_phrase\":{\"event.code\":\"4752\"}},{\"match_phrase\":{\"even
t.code\":\"4753\"}},{\"match_phrase\":{\"event.code\":\"4759\"}},{\"match_phrase\":{\"event.code\":\"4760\"}},{\"match_phrase\":{\"event.code\":\"4761\"}},{\"match_phrase\":{\"event.code\":\"4762\"}},{\"match_phrase\":{\"event.code\":\"4763\"}},{\"match_phrase\":{\"event.code\":\"4744\"}},{\"match_phrase\":{\"event.code\":\"4745\"}},{\"match_phrase\":{\"event.code\":\"4746\"}},{\"match_phrase\":{\"event.code\":\"4748\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Group Management Details - Search View [Windows System Security]", - "version": 1 - }, - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/search/system-Syslog-system-logs.json b/packages/system/0.12.2/kibana/search/system-Syslog-system-logs.json deleted file mode 100755 index 6a2ef982d2..0000000000 --- a/packages/system/0.12.2/kibana/search/system-Syslog-system-logs.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "columns": [ - "host.hostname", - "process.name", - "message" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:system.syslog\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Syslog logs [Logs System]", - "version": 1 - }, - "id": "system-Syslog-system-logs", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/search/system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a.json b/packages/system/0.12.2/kibana/search/system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a.json deleted file mode 100755 index e64a483853..0000000000 --- a/packages/system/0.12.2/kibana/search/system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.name", - "system.auth.sudo.user", - "system.auth.sudo.pwd", - "system.auth.sudo.command" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.sudo:*\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Sudo commands [Logs System]", - "version": 1 - }, - "id": "system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/search/system-ce71c9a0-a25e-11e9-a422-d144027429da.json b/packages/system/0.12.2/kibana/search/system-ce71c9a0-a25e-11e9-a422-d144027429da.json deleted file mode 100755 index 71bb7ef90e..0000000000 --- a/packages/system/0.12.2/kibana/search/system-ce71c9a0-a25e-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,44 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.name", - "winlog.logon.type", - "source.domain", - "source.ip", - "winlog.logon.id" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4624\"},\"type\":\"phrase\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4624\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "User Logons [Windows System Security]", - "version": 1 - }, - "id": "windows-ce71c9a0-a25e-11e9-a422-d144027429da", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/search/system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38.json b/packages/system/0.12.2/kibana/search/system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38.json deleted file mode 100755 index e05ac92d9b..0000000000 --- a/packages/system/0.12.2/kibana/search/system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "columns": [ - "group.name", - "group.id" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.groupadd:*\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "groupadd logs [Logs System]", - "version": 1 - }, - "id": "system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-006d75f0-9c03-11ea-87e4-49f31ec44891.json b/packages/system/0.12.2/kibana/visualization/system-006d75f0-9c03-11ea-87e4-49f31ec44891.json deleted file mode 100755 index 990831f624..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-006d75f0-9c03-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4624\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"4624\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Logon Types [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"winlog.logon.id\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"winlog.logon.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"label\":\"user.name: Descending\",\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"cardinality\",\"format\":{\"id\":\"number\"},\"label\":\"Unique count of winlog.logon.id\",\"params\":{}}},\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Logon Types [Windows System Security]\",\"type\":\"pie\"}" - }, - "id": 
"windows-006d75f0-9c03-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.12.2/kibana/visualization/system-0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf.json deleted file mode 100755 index be217ccae6..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4722\"},\"type\":\"phrase\",\"value\":\"4722\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4722\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security \"}}" - }, - "title": "Users Enabled - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Enabled User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Enabled - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-0620c3d0-bcd4-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-0622da40-9bfd-11ea-87e4-49f31ec44891.json b/packages/system/0.12.2/kibana/visualization/system-0622da40-9bfd-11ea-87e4-49f31ec44891.json deleted file mode 100755 index ce6162e247..0000000000 
--- a/packages/system/0.12.2/kibana/visualization/system-0622da40-9bfd-11ea-87e4-49f31ec44891.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Administrator Logons [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"d5bcde50-9bfc-11ea-aaa3-618beeff2d9c\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(181,49,0,1)\",\"id\":\"16018150-9bfd-11ea-aaa3-618beeff2d9c\",\"operator\":\"gte\",\"value\":0}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"filter\":{\"language\":\"kuery\",\"query\":\"((data_stream.dataset:windows.security OR data_stream.dataset:system.security) AND event.code: \\\"4672\\\")\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Administrator Logons\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Administrator Logons [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-0622da40-9bfd-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.2/kibana/visualization/system-089b85d0-1b16-11e7-b09e-037021c4f8df.json b/packages/system/0.12.2/kibana/visualization/system-089b85d0-1b16-11e7-b09e-037021c4f8df.json deleted file mode 100755 index 40175102f6..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-089b85d0-1b16-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Network Traffic (Bytes) [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"lucene\",\"query\":\"-system.network.name:l*\"},\"id\":\"da1046f0-faa0-11e6-86b1-cd7735ff7e23\",\"index_pattern\":\"*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"da1046f1-faa0-11e6-86b1-cd7735ff7e23\",\"label\":\"Inbound \",\"line_width\":\"0\",\"metrics\":[{\"field\":\"system.network.in.bytes\",\"id\":\"da1046f2-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"max\"},{\"field\":\"da1046f2-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"f41f9280-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"field\":\"f41f9280-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"a87398e0-1b93-11e7-8ada-3df93aab833e\",\"type\":\"positive_only\",\"unit\":\"\"},{\"function\":\"sum\",\"id\":\"2d533df0-2c2d-11e7-be71-3162da85303f\",\"type\":\"series_agg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(250,40,255,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"fbbd5720-faa0-11e6-86b1-cd7735ff7e23\",\"label\":\"Outbound 
\",\"line_width\":\"0\",\"metrics\":[{\"field\":\"system.network.out.bytes\",\"id\":\"fbbd7e30-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"max\"},{\"field\":\"fbbd7e30-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"fbbd7e31-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"id\":\"17e597a0-faa1-11e6-86b1-cd7735ff7e23\",\"script\":\"params.rate != null \\u0026\\u0026 params.rate \\u003e 0 ? params.rate * -1 : null\",\"type\":\"calculation\",\"variables\":[{\"field\":\"fbbd7e31-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"1940bad0-faa1-11e6-86b1-cd7735ff7e23\",\"name\":\"rate\"}]},{\"function\":\"sum\",\"id\":\"533da9b0-2c2d-11e7-be71-3162da85303f\",\"type\":\"series_agg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"Mericbeat: Network Traffic (Bytes)\",\"type\":\"metrics\"}" - }, - "id": "system-089b85d0-1b16-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-0cb2d940-bcde-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.12.2/kibana/visualization/system-0cb2d940-bcde-11e9-b6a2-c9b4015c4baf.json deleted file mode 100755 index 5976994a0e..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-0cb2d940-bcde-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4725\"},\"type\":\"phrase\",\"value\":\"4725\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4725\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Disabled - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Disabled Users\",\"field\":\"user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Disabled - Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-0cb2d940-bcde-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - 
], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-0f2f5280-feeb-11e9-8405-516218e3d268.json b/packages/system/0.12.2/kibana/visualization/system-0f2f5280-feeb-11e9-8405-516218e3d268.json deleted file mode 100755 index 4f9e00daa9..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-0f2f5280-feeb-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4799\"},\"type\":\"phrase\",\"value\":\"4799\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4799\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Group Membership Enumeration - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Group Membership Enumerated\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Blues\",\"colorsRange\":[{\"from\":0,\"to\":500,\"type\":\"range\"},{\"from\":500,\"to\":20000},{\"from\":20000,\"to\":30000},{\"from\":30000,\"to\":40000}],\"invertColors\":true,\"labels\":{\"show\":true},\"metricColorMode\":\"Labels\",\"percentageMode\":false,\"style\":{\"bgColor\":true,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Group Membership Enumeration - Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-0f2f5280-feeb-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-102efd20-bcdd-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.12.2/kibana/visualization/system-102efd20-bcdd-11e9-b6a2-c9b4015c4baf.json deleted file mode 100755 index 72d6ab928a..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-102efd20-bcdd-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4720\"},\"type\":\"phrase\",\"value\":\"4720\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4720\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Created - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Users Created\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Created - Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-102efd20-bcdd-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ 
No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-117f5a30-9b71-11ea-87e4-49f31ec44891.json b/packages/system/0.12.2/kibana/visualization/system-117f5a30-9b71-11ea-87e4-49f31ec44891.json deleted file mode 100755 index 81a2dbc572..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-117f5a30-9b71-11ea-87e4-49f31ec44891.json +++ /dev/null @@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Target Users [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Target Users [Windows System Security]\",\"type\":\"tagcloud\"}" - }, - "id": "windows-117f5a30-9b71-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-12667040-fa80-11e6-a1df-a78bd7504d38.json b/packages/system/0.12.2/kibana/visualization/system-12667040-fa80-11e6-a1df-a78bd7504d38.json deleted file mode 100755 index 8c5d8b0366..0000000000 
--- a/packages/system/0.12.2/kibana/visualization/system-12667040-fa80-11e6-a1df-a78bd7504d38.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New groups [Logs System]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"group.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"group.id\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"New groups\",\"type\":\"table\"}" - }, - "id": "system-12667040-fa80-11e6-a1df-a78bd7504d38", - "references": [ - { - "id": "system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-162d7ab0-a7d6-11e9-a422-d144027429da.json b/packages/system/0.12.2/kibana/visualization/system-162d7ab0-a7d6-11e9-a422-d144027429da.json deleted file mode 100755 index af34020d93..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-162d7ab0-a7d6-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Logon Successful - Logon Failed Timeline [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Login Failed\":\"#F9934E\",\"Login OK\":\"#9AC48A\",\"Logon Failed\":\"#EF843C\",\"Logon Successful\":\"#9AC48A\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"2020-05-17T09:37:55.995Z\",\"to\":\"2020-05-22T03:09:27.260Z\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"filters\":[{\"input\":{\"language\":\"lucene\",\"query\":\"event.code: 4624\"},\"label\":\"Logon Successful\"},{\"input\":{\"language\":\"lucene\",\"query\":\"event.code: 4625\"},\"label\":\"Logon 
Failed\"}]},\"schema\":\"group\",\"type\":\"filters\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"dimensions\":{\"series\":[{\"accessor\":1,\"aggType\":\"filters\",\"format\":{},\"params\":{}}],\"x\":{\"accessor\":0,\"aggType\":\"date_histogram\",\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"HH:mm\"}},\"params\":{\"bounds\":{\"max\":\"2019-07-16T14:30:11.515Z\",\"min\":\"2019-07-16T12:30:11.514Z\"},\"date\":true,\"format\":\"HH:mm\",\"interval\":\"PT1M\"}},\"y\":[{\"accessor\":2,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"bottom\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Logon Successful - Logon Failed Timeline [Windows System Security]\",\"type\":\"histogram\"}" - }, - "id": "windows-162d7ab0-a7d6-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-175a5760-a7d5-11e9-a422-d144027429da.json b/packages/system/0.12.2/kibana/visualization/system-175a5760-a7d5-11e9-a422-d144027429da.json deleted file mode 100755 index f297060faf..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-175a5760-a7d5-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Logon Successful vs Failed [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Failed Logins\":\"#EF843C\",\"Failed Logons\":\"#EA6460\",\"Successful Login\":\"#B7DBAB\",\"Successful Logon\":\"#B7DBAB\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"filters\":[{\"input\":{\"language\":\"lucene\",\"query\":\"event.code: 4624\"},\"label\":\"Successful Logon\"},{\"input\":{\"language\":\"lucene\",\"query\":\"event.code: 4625\"},\"label\":\"Failed Logons\"}]},\"schema\":\"segment\",\"type\":\"filters\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"filters\",\"format\":{},\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}},\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"bottom\",\"type\":\"pie\"},\"title\":\"Logon Successful vs Failed [Windows System Security]\",\"type\":\"pie\"}" - }, - "id": "windows-175a5760-a7d5-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ 
- "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-18348f30-a24d-11e9-a422-d144027429da.json b/packages/system/0.12.2/kibana/visualization/system-18348f30-a24d-11e9-a422-d144027429da.json deleted file mode 100755 index ed999cad48..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-18348f30-a24d-11e9-a422-d144027429da.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "User Logon Dashboard [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":10,\"markdown\":\"## **Logon Information Dashboard**\",\"openLinksInNewTab\":false},\"title\":\"User Logon Dashboard [Windows System Security]\",\"type\":\"markdown\"}" - }, - "id": "windows-18348f30-a24d-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-19e123b0-4d5a-11e7-aee5-fdc812cc3bec.json b/packages/system/0.12.2/kibana/visualization/system-19e123b0-4d5a-11e7-aee5-fdc812cc3bec.json deleted file mode 100755 index dfaa630e4a..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-19e123b0-4d5a-11e7-aee5-fdc812cc3bec.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Swap usage [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.memory\\\"\"},\"gauge_color_rules\":[{\"gauge\":\"rgba(104,188,0,1)\",\"id\":\"d17c1e90-4d59-11e7-aee5-fdc812cc3bec\",\"operator\":\"gte\",\"value\":0},{\"gauge\":\"rgba(251,158,0,1)\",\"id\":\"fc1d3490-4d59-11e7-aee5-fdc812cc3bec\",\"operator\":\"gte\",\"value\":0.7},{\"gauge\":\"rgba(211,49,21,1)\",\"id\":\"0e204240-4d5a-11e7-aee5-fdc812cc3bec\",\"operator\":\"gte\",\"value\":0.85}],\"gauge_inner_width\":10,\"gauge_max\":\"\",\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"cee2fd20-4d59-11e7-aee5-fdc812cc3bec\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"cee2fd21-4d59-11e7-aee5-fdc812cc3bec\",\"label\":\"Swap usage\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.swap.used.pct\",\"id\":\"cee2fd22-4d59-11e7-aee5-fdc812cc3bec\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\"},\"title\":\"Swap usage [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-19e123b0-4d5a-11e7-aee5-fdc812cc3bec", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.2/kibana/visualization/system-1aae9140-1b93-11e7-8ada-3df93aab833e.json b/packages/system/0.12.2/kibana/visualization/system-1aae9140-1b93-11e7-8ada-3df93aab833e.json
deleted file mode 100755
index 1c420ec4c8..0000000000
--- a/packages/system/0.12.2/kibana/visualization/system-1aae9140-1b93-11e7-8ada-3df93aab833e.json
+++ /dev/null
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Outbound Traffic [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"0e346760-1b92-11e7-bec4-a5e9ec5cab8b\"}],\"filter\":{\"language\":\"lucene\",\"query\":\"-system.network.name:l*\"},\"id\":\"0c761590-1b92-11e7-bec4-a5e9ec5cab8b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"0c761591-1b92-11e7-bec4-a5e9ec5cab8b\",\"label\":\"Outbound Traffic\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.out.bytes\",\"id\":\"0c761592-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"max\"},{\"field\":\"0c761592-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"1d659060-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"field\":\"1d659060-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"f2074f70-1b92-11e7-a416-41f5ccdba2e6\",\"type\":\"positive_only\",\"unit\":\"\"},{\"function\":\"sum\",\"id\":\"a1737470-2c55-11e7-a0ad-277ce466684d\",\"type\":\"series_agg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"37f70440-1b92-11e7-bec4-a5e9ec5cab8b\",\"label\":\"Total 
Transferred\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.out.bytes\",\"id\":\"37f72b50-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"max\"},{\"field\":\"37f72b50-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"37f72b51-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"derivative\",\"unit\":\"\"},{\"field\":\"37f72b51-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"f9da2dd0-1b92-11e7-a416-41f5ccdba2e6\",\"type\":\"positive_only\",\"unit\":\"\"},{\"field\":\"f9da2dd0-1b92-11e7-a416-41f5ccdba2e6\",\"function\":\"overall_sum\",\"id\":\"3e63c2f0-1b92-11e7-bec4-a5e9ec5cab8b\",\"sigma\":\"\",\"type\":\"series_agg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"metric\"},\"title\":\"Outbound Traffic [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-1aae9140-1b93-11e7-8ada-3df93aab833e", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-1b5f17d0-feea-11e9-8405-516218e3d268.json b/packages/system/0.12.2/kibana/visualization/system-1b5f17d0-feea-11e9-8405-516218e3d268.json deleted file mode 100755 index 25769759b6..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-1b5f17d0-feea-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4733\",\"4729\",\"4757\",\"4786\",\"4788\",\"4752\",\"4762\",\"4747\"],\"type\":\"phrases\",\"value\":\"4733, 4729, 4757, 4786, 4788, 4752, 4762, 4747\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4733\"}},{\"match_phrase\":{\"event.code\":\"4729\"}},{\"match_phrase\":{\"event.code\":\"4757\"}},{\"match_phrase\":{\"event.code\":\"4786\"}},{\"match_phrase\":{\"event.code\":\"4788\"}},{\"match_phrase\":{\"event.code\":\"4752\"}},{\"match_phrase\":{\"event.code\":\"4762\"}},{\"match_phrase\":{\"event.code\":\"4747\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Removed from Group - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Users Removed from 
Groups\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Greens\",\"colorsRange\":[{\"from\":0,\"to\":1,\"type\":\"range\"},{\"from\":1,\"to\":5},{\"from\":5,\"to\":9},{\"from\":9,\"to\":13},{\"from\":13,\"to\":17},{\"from\":17,\"to\":20000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"Labels\",\"percentageMode\":false,\"style\":{\"bgColor\":true,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Removed from Group - Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-1b5f17d0-feea-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-1b6725f0-ff1d-11e9-8405-516218e3d268.json b/packages/system/0.12.2/kibana/visualization/system-1b6725f0-ff1d-11e9-8405-516218e3d268.json deleted file mode 100755 index 8e66316843..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-1b6725f0-ff1d-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Unlocks - TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(116,167,167,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4767\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Unlocks\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Unlocks - TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-1b6725f0-ff1d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.2/kibana/visualization/system-1f271bc0-231a-11ea-8405-516218e3d268.json b/packages/system/0.12.2/kibana/visualization/system-1f271bc0-231a-11ea-8405-516218e3d268.json
deleted file mode 100755
index 484d0a4e46..0000000000
--- a/packages/system/0.12.2/kibana/visualization/system-1f271bc0-231a-11ea-8405-516218e3d268.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Renamed TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(110,139,162,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4781\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Renamed\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Renamed TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-1f271bc0-231a-11ea-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.2/kibana/visualization/system-2084e300-a884-11e9-a422-d144027429da.json b/packages/system/0.12.2/kibana/visualization/system-2084e300-a884-11e9-a422-d144027429da.json
deleted file mode 100755
index a9120ab5fe..0000000000
--- a/packages/system/0.12.2/kibana/visualization/system-2084e300-a884-11e9-a422-d144027429da.json
+++ /dev/null
@@ -1,37 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4625\"},\"type\":\"phrase\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4625\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Logon Failed Source IP [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"type\":\"vis_dimension\"},\"maxFontSize\":38,\"metric\":{\"accessor\":1,\"format\":{\"id\":\"string\",\"params\":{}},\"type\":\"vis_dimension\"},\"minFontSize\":10,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Logon Failed Source IP [Windows System Security]\",\"type\":\"tagcloud\"}" - }, - "id": "windows-2084e300-a884-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-21aadac0-9c0b-11ea-87e4-49f31ec44891.json b/packages/system/0.12.2/kibana/visualization/system-21aadac0-9c0b-11ea-87e4-49f31ec44891.json deleted file mode 100755 index 856a3b952b..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-21aadac0-9c0b-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security \"}}" - }, - "savedSearchRefName": "search_0", - "title": "Logon Sources [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Logon Sources [Windows System Security]\",\"type\":\"tagcloud\"}" - }, - "id": "windows-21aadac0-9c0b-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-7e178c80-fee1-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-25f31ee0-9c23-11ea-87e4-49f31ec44891.json b/packages/system/0.12.2/kibana/visualization/system-25f31ee0-9c23-11ea-87e4-49f31ec44891.json deleted file mode 100755 index 1a69934c0e..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-25f31ee0-9c23-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4648\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"4648\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Logon with Explicit Credentials [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"user.name\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":200},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"subjectUserName\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"source.ip\",\"field\":\"source.ip\",\"json\":\"{\\\"missing\\\": 
\\\"::\\\"}\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Logon with Explicit Credentials [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-25f31ee0-9c23-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-26732e20-1b91-11e7-bec4-a5e9ec5cab8b.json b/packages/system/0.12.2/kibana/visualization/system-26732e20-1b91-11e7-bec4-a5e9ec5cab8b.json deleted file mode 100755 index 2ca5154a30..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-26732e20-1b91-11e7-bec4-a5e9ec5cab8b.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Load Gauge [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"feefabd0-1b90-11e7-bec4-a5e9ec5cab8b\"}],\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.load\\\" \"},\"gauge_color_rules\":[{\"id\":\"ffd94880-1b90-11e7-bec4-a5e9ec5cab8b\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"fdcc6180-1b90-11e7-bec4-a5e9ec5cab8b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"fdcc6181-1b90-11e7-bec4-a5e9ec5cab8b\",\"label\":\"5m Load\",\"line_width\":1,\"metrics\":[{\"field\":\"system.load.5\",\"id\":\"fdcc6182-1b90-11e7-bec4-a5e9ec5cab8b\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\"},\"title\":\"Load Gauge [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-26732e20-1b91-11e7-bec4-a5e9ec5cab8b", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-26877510-9b72-11ea-87e4-49f31ec44891.json b/packages/system/0.12.2/kibana/visualization/system-26877510-9b72-11ea-87e4-49f31ec44891.json deleted file mode 100755 index 5f69654d68..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-26877510-9b72-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "User Management Actions [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"User Management Actions [Windows System Security]\",\"type\":\"pie\"}" - }, - "id": "windows-26877510-9b72-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-2c71e0f0-9c0d-11ea-87e4-49f31ec44891.json b/packages/system/0.12.2/kibana/visualization/system-2c71e0f0-9c0d-11ea-87e4-49f31ec44891.json deleted file mode 100755 index 642657604a..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-2c71e0f0-9c0d-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4624\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"4624\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Logons Simple [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Logons\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"aggType\":\"cardinality\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Logons Simple [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-2c71e0f0-9c0d-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.2/kibana/visualization/system-2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.12.2/kibana/visualization/system-2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf.json deleted file mode 100755 index 1665d338ef..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "User Management Events - Description [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":10,\"markdown\":\"# **User Management Events**\\n\\n#### This dashboard shows information about User Management Events collected by winlogbeat\\n\",\"openLinksInNewTab\":false},\"title\":\"User Management Events - Description [Windows System Security]\",\"type\":\"markdown\"}" - }, - "id": "windows-2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-2e224660-1b19-11e7-b09e-037021c4f8df.json b/packages/system/0.12.2/kibana/visualization/system-2e224660-1b19-11e7-b09e-037021c4f8df.json deleted file mode 100755 index 75186de954..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-2e224660-1b19-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Processes By Memory [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"bar_color\":\"rgba(104,188,0,1)\",\"id\":\"efb9b660-1b18-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0},{\"bar_color\":\"rgba(254,146,0,1)\",\"id\":\"17fcb820-1b19-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.7},{\"bar_color\":\"rgba(211,49,21,1)\",\"id\":\"1dd61070-1b19-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.85}],\"drilldown_url\":\"\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.process\\\" \"},\"id\":\"edfceb30-1b18-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"edfceb31-1b18-11e7-b09e-037021c4f8df\",\"line_width\":1,\"metrics\":[{\"field\":\"system.process.memory.rss.pct\",\"id\":\"edfceb32-1b18-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"process.name\",\"terms_order_by\":\"edfceb32-1b18-11e7-b09e-037021c4f8df\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Processes By Memory [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-2e224660-1b19-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.2/kibana/visualization/system-327417e0-8462-11e7-bab8-bd2f0fb42c54.json b/packages/system/0.12.2/kibana/visualization/system-327417e0-8462-11e7-bab8-bd2f0fb42c54.json deleted file mode 100755 index 464f6c729c..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-327417e0-8462-11e7-bab8-bd2f0fb42c54.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Dashboards [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"[Syslog](#/dashboard/system-Filebeat-syslog-dashboard) | [Sudo commands](#/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a) | [SSH logins](#/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a) | [New users and groups](#/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab)\"},\"title\":\"Dashboards [Logs System]\",\"type\":\"markdown\"}" - }, - "id": "system-327417e0-8462-11e7-bab8-bd2f0fb42c54", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-33462600-9b47-11ea-87e4-49f31ec44891.json b/packages/system/0.12.2/kibana/visualization/system-33462600-9b47-11ea-87e4-49f31ec44891.json deleted file mode 100755 index 38ebd23ecd..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-33462600-9b47-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Group Management Events - Event Actions - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"event.action\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"event.code\",\"field\":\"event.code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Group Management Events - Event Actions - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-33462600-9b47-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.2/kibana/visualization/system-341ffe70-f9ce-11e6-8115-a7c18106d86a.json b/packages/system/0.12.2/kibana/visualization/system-341ffe70-f9ce-11e6-8115-a7c18106d86a.json deleted file mode 100755 index f155739938..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-341ffe70-f9ce-11e6-8115-a7c18106d86a.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.ssh.event:Failed OR system.auth.ssh.event:Invalid\"}}" - }, - "title": "SSH users of failed login attempts [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"scale\":\"linear\"},\"title\":\"SSH users of failed login attempts\",\"type\":\"tagcloud\"}" - }, - "id": "system-341ffe70-f9ce-11e6-8115-a7c18106d86a", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-346bb290-fa80-11e6-a1df-a78bd7504d38.json b/packages/system/0.12.2/kibana/visualization/system-346bb290-fa80-11e6-a1df-a78bd7504d38.json deleted file mode 100755 index 0ad2f78f65..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-346bb290-fa80-11e6-a1df-a78bd7504d38.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New groups over time [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"group.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"bottom\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"New groups over time\",\"type\":\"histogram\"}" - }, - "id": "system-346bb290-fa80-11e6-a1df-a78bd7504d38", - "references": [ - { - "id": "system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-34f97ee0-1b96-11e7-8ada-3df93aab833e.json b/packages/system/0.12.2/kibana/visualization/system-34f97ee0-1b96-11e7-8ada-3df93aab833e.json deleted file mode 100755 index 89d9b0fae2..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-34f97ee0-1b96-11e7-8ada-3df93aab833e.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Disk Usage [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"bar_color_rules\":[{\"bar_color\":\"rgba(104,188,0,1)\",\"id\":\"bf525310-1b95-11e7-8ada-3df93aab833e\",\"operator\":\"gte\",\"value\":0},{\"bar_color\":\"rgba(254,146,0,1)\",\"id\":\"125fc4c0-1b96-11e7-8ada-3df93aab833e\",\"operator\":\"gte\",\"value\":0.7},{\"bar_color\":\"rgba(211,49,21,1)\",\"id\":\"1a5c7240-1b96-11e7-8ada-3df93aab833e\",\"operator\":\"gte\",\"value\":0.85}],\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"drilldown_url\":\"\",\"filter\":{\"language\":\"lucene\",\"query\":\"-system.filesystem.mount_point:\\\\/run* AND -system.filesystem.mount_point:\\\\/sys* AND -system.filesystem.mount_point:\\\\/dev* AND -system.filesystem.mount_point:\\\\/proc* AND -system.filesystem.mount_point:\\\\/var* AND 
-system.filesystem.mount_point:\\\\/boot\"},\"id\":\"9f7e48a0-1b95-11e7-8ada-3df93aab833e\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"9f7e48a1-1b95-11e7-8ada-3df93aab833e\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"system.filesystem.used.pct\",\"id\":\"9f7e48a2-1b95-11e7-8ada-3df93aab833e\",\"order\":\"desc\",\"order_by\":\"@timestamp\",\"size\":1,\"type\":\"top_hit\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.filesystem.mount_point\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"top_n\"},\"title\":\"Disk Usage [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-34f97ee0-1b96-11e7-8ada-3df93aab833e", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-3cec3eb0-f9d3-11e6-8a3e-2b904044ea1d.json b/packages/system/0.12.2/kibana/visualization/system-3cec3eb0-f9d3-11e6-8a3e-2b904044ea1d.json deleted file mode 100755 index c9e1455d68..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-3cec3eb0-f9d3-11e6-8a3e-2b904044ea1d.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.ssh.event:Failed OR system.auth.ssh.event:Invalid\"}}" - }, - "title": "SSH failed login attempts source locations [Logs System]", - "uiStateJSON": "{\"mapCenter\":[17.602139123350838,69.697265625],\"mapZoom\":2}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"autoPrecision\":true,\"field\":\"source.geo.location\",\"precision\":2},\"schema\":\"segment\",\"type\":\"geohash_grid\"}],\"listeners\":{},\"params\":{\"addTooltip\":true,\"heatBlur\":15,\"heatMaxZoom\":16,\"heatMinOpacity\":0.1,\"heatNormalizeData\":true,\"heatRadius\":25,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[15,5],\"mapType\":\"Shaded Circle Markers\",\"mapZoom\":2,\"wms\":{\"enabled\":false,\"options\":{\"attribution\":\"Maps provided by USGS\",\"format\":\"image/png\",\"layers\":\"0\",\"styles\":\"\",\"transparent\":true,\"version\":\"1.3.0\"},\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\"}},\"title\":\"SSH failed login attempts source locations\",\"type\":\"tile_map\"}" - }, - "id": "system-3cec3eb0-f9d3-11e6-8a3e-2b904044ea1d", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-3d65d450-a9c3-11e7-af20-67db8aecb295.json b/packages/system/0.12.2/kibana/visualization/system-3d65d450-a9c3-11e7-af20-67db8aecb295.json deleted file mode 100755 index 467738abc7..0000000000 
--- a/packages/system/0.12.2/kibana/visualization/system-3d65d450-a9c3-11e7-af20-67db8aecb295.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Tip [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"**TIP:** To select another host, go to the [System Overview](#/dashboard/system-Metrics-system-overview) dashboard and double-click a host name.\"},\"title\":\"Tip [Metrics System]\",\"type\":\"markdown\"}" - }, - "id": "system-3d65d450-a9c3-11e7-af20-67db8aecb295", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-400b63e0-f49a-11e9-8405-516218e3d268.json b/packages/system/0.12.2/kibana/visualization/system-400b63e0-f49a-11e9-8405-516218e3d268.json deleted file mode 100755 index bb1b70ae03..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-400b63e0-f49a-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Groups Changed TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(200,201,197,1)\",\"id\":\"bfcaced0-f419-11e9-928e-8f5fd2b6c66e\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(221,186,64,1)\",\"id\":\"a7d935e0-f497-11e9-928e-8f5fd2b6c66e\",\"operator\":\"gt\",\"value\":0}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code:4735 OR event.code:4737 OR event.code:\\\"4755\\\" OR event.code:\\\"4764\\\" OR event.code:\\\"4750\\\" OR event.code:\\\"4760\\\" OR event.code:\\\"4745\\\" OR event.code:\\\"4784\\\" OR event.code:\\\"4791\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"60d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Groups Changed\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Groups Changed TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-400b63e0-f49a-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.2/kibana/visualization/system-421f0610-af98-11e9-a422-d144027429da.json b/packages/system/0.12.2/kibana/visualization/system-421f0610-af98-11e9-a422-d144027429da.json deleted file mode 100755 index 4a1aa9d3c1..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-421f0610-af98-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4625\"},\"type\":\"phrase\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4625\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Logon Failed Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Time 
Bucket\",\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"h\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"2020-05-17T09:37:55.995Z\",\"to\":\"2020-05-22T03:09:27.260Z\"},\"useNormalizedEsInterval\":true},\"schema\":\"bucket\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"user.name\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"source workstation\",\"field\":\"source.domain\",\"json\":\"{\\\"missing\\\": \\\"N/A\\\"}\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"source.ip\",\"field\":\"source.ip\",\"json\":\"{\\\"missing\\\": 
\\\"::\\\"}\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"event.action\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"winlog.logon.type\",\"field\":\"winlog.logon.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"8\",\"params\":{\"customLabel\":\"winlog.event_data.SubjectUserName\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"date_histogram\",\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD 
HH:mm\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":4,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":5,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":15,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Logon Failed Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-421f0610-af98-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.12.2/kibana/visualization/system-4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf.json deleted file mode 100755 index 17ebedc7ae..0000000000 
--- a/packages/system/0.12.2/kibana/visualization/system-4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4740\"},\"type\":\"phrase\",\"value\":\"4740\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4740\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Locked Out - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Locked User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Locked Out - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-4ac8f5f0-bcfe-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-4b683ac0-a7d7-11e9-a422-d144027429da.json b/packages/system/0.12.2/kibana/visualization/system-4b683ac0-a7d7-11e9-a422-d144027429da.json deleted file mode 100755 index b23bd8e0c2..0000000000 
--- a/packages/system/0.12.2/kibana/visualization/system-4b683ac0-a7d7-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4625\"],\"type\":\"phrases\",\"value\":\"4625\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4625\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Failed Logon HeatMap [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 4\":\"rgb(255,255,204)\",\"12 - 16\":\"rgb(252,91,46)\",\"16 - 20\":\"rgb(212,16,32)\",\"4 - 8\":\"rgb(254,225,135)\",\"8 - 12\":\"rgb(254,171,73)\"}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"drop_partials\":true,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"h\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"2020-05-17T09:37:55.995Z\",\"to\":\"2020-05-22T03:09:27.260Z\"},\"useNormalizedEsInterval\":true},\"schema\":\"group\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTooltip\":false,\"colorSchema\":\"Yellow to Red\",\"colorsNumber\":5,\"colorsRange\":[],\"dimensions\":{\"series\":[{\"accessor\":1,\"aggType\":\"date_histogram\",\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD HH:mm\"}},\"label\":\"@timestamp per hour\",\"params\":{}}],\"x\":{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"label\":\"user.name: Descending\",\"params\":{}},\"y\":[{\"accessor\":2,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}}]},\"enableHover\":true,\"invertColors\":false,\"legendPosition\":\"bottom\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"type\":\"heatmap\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"black\",\"overwriteColor\":false,\"rotate\":0,\"show\":true},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Failed Logon HeatMap [Windows System Security]\",\"type\":\"heatmap\"}" - }, - "id": 
"windows-4b683ac0-a7d7-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-4bedf650-9ffd-11ea-87e4-49f31ec44891.json b/packages/system/0.12.2/kibana/visualization/system-4bedf650-9ffd-11ea-87e4-49f31ec44891.json deleted file mode 100755 index 87a436f81d..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-4bedf650-9ffd-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4625\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"4625\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": " Failed Logons [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Failed Logons\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\" Failed Logons [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-4bedf650-9ffd-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": 
"index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-4d546850-1b15-11e7-b09e-037021c4f8df.json b/packages/system/0.12.2/kibana/visualization/system-4d546850-1b15-11e7-b09e-037021c4f8df.json deleted file mode 100755 index cd04472792..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-4d546850-1b15-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "System Load [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.load\\\"\"},\"id\":\"f6264ad0-1b14-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(115,216,255,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"f62671e0-1b14-11e7-b09e-037021c4f8df\",\"label\":\"1m\",\"line_width\":\"3\",\"metrics\":[{\"field\":\"system.load.1\",\"id\":\"f62671e1-1b14-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"1c324850-1b15-11e7-b09e-037021c4f8df\",\"label\":\"5m\",\"line_width\":\"3\",\"metrics\":[{\"field\":\"system.load.5\",\"id\":\"1c324851-1b15-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,98,177,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"3287e740-1b15-11e7-b09e-037021c4f8df\",\"label\":\"15m\",\"line_width\":\"3\",\"metrics\":[{\"field\":\"system.load.15\",\"id\":\"32880e50-1b15-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"
title\":\"System Load [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-4d546850-1b15-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-4e4bb1e0-1b1b-11e7-b09e-037021c4f8df.json b/packages/system/0.12.2/kibana/visualization/system-4e4bb1e0-1b1b-11e7-b09e-037021c4f8df.json deleted file mode 100755 index 4bdb84e270..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-4e4bb1e0-1b1b-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Disk IO (Bytes) [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.diskio\\\"\"},\"id\":\"d3c67db0-1b1a-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(22,165,165,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"d3c67db1-1b1a-11e7-b09e-037021c4f8df\",\"label\":\"reads\",\"line_width\":1,\"metrics\":[{\"field\":\"system.diskio.read.bytes\",\"id\":\"d3c67db2-1b1a-11e7-b09e-037021c4f8df\",\"type\":\"max\"},{\"field\":\"d3c67db2-1b1a-11e7-b09e-037021c4f8df\",\"id\":\"f55b9910-1b1a-11e7-b09e-037021c4f8df\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"field\":\"f55b9910-1b1a-11e7-b09e-037021c4f8df\",\"id\":\"dcbbb100-1b93-11e7-8ada-3df93aab833e\",\"type\":\"positive_only\",\"unit\":\"\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"value_template\":\"{{value}}/s\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(251,158,0,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"144124d0-1b1b-11e7-b09e-037021c4f8df\",\"label\":\"writes\",\"line_width\":1,\"metrics\":[{\"field\":\"system.diskio.write.bytes\",\"id\":\"144124d1-1b1b-11e7-b09e-037021c4f8df\",\"type\":\"max\"},{\"field\":\"144124d1-1b1b-11e7-b09e-037021c4f8df\",\"id\":\"144124d2-1b1b-11e7-b09e-037021c4f8df\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"id\":\"144124d4-1b1b-11e7-b09e-037021c4f8df\",\"script\":\"params.rate \\u003e 0 ? 
params.rate * -1 : 0\",\"type\":\"calculation\",\"variables\":[{\"field\":\"144124d2-1b1b-11e7-b09e-037021c4f8df\",\"id\":\"144124d3-1b1b-11e7-b09e-037021c4f8df\",\"name\":\"rate\"}]}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"value_template\":\"{{value}}/s\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"Disk IO (Bytes) [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-4e4bb1e0-1b1b-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-51164310-fa2b-11e6-bbd3-29c986c96e5a.json b/packages/system/0.12.2/kibana/visualization/system-51164310-fa2b-11e6-bbd3-29c986c96e5a.json deleted file mode 100755 index efa1f752dd..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-51164310-fa2b-11e6-bbd3-29c986c96e5a.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.sudo.error:*\"}}" - }, - "title": "Sudo errors [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"system.auth.sudo.error\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"Sudo errors\",\"type\":\"histogram\"}" - }, - "id": "system-51164310-fa2b-11e6-bbd3-29c986c96e5a", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b.json b/packages/system/0.12.2/kibana/visualization/system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b.json deleted file mode 100755 index bd07f29ec0..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Inbound Traffic [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"0e346760-1b92-11e7-bec4-a5e9ec5cab8b\"}],\"filter\":{\"language\":\"lucene\",\"query\":\"-system.network.name:l*\"},\"id\":\"0c761590-1b92-11e7-bec4-a5e9ec5cab8b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"0c761591-1b92-11e7-bec4-a5e9ec5cab8b\",\"label\":\"Inbound Traffic\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.in.bytes\",\"id\":\"0c761592-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"max\"},{\"field\":\"0c761592-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"1d659060-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"field\":\"1d659060-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"f2074f70-1b92-11e7-a416-41f5ccdba2e6\",\"type\":\"positive_only\",\"unit\":\"\"},{\"function\":\"sum\",\"id\":\"c40e18f0-2c55-11e7-a0ad-277ce466684d\",\"type\":\"series_agg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"37f70440-1b92-11e7-bec4-a5e9ec5cab8b\",\"label\":\"Total 
Transferred\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.in.bytes\",\"id\":\"37f72b50-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"max\"},{\"field\":\"37f72b50-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"37f72b51-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"derivative\",\"unit\":\"\"},{\"field\":\"37f72b51-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"f9da2dd0-1b92-11e7-a416-41f5ccdba2e6\",\"type\":\"positive_only\",\"unit\":\"\"},{\"field\":\"f9da2dd0-1b92-11e7-a416-41f5ccdba2e6\",\"function\":\"overall_sum\",\"id\":\"3e63c2f0-1b92-11e7-bec4-a5e9ec5cab8b\",\"sigma\":\"\",\"type\":\"series_agg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"metric\"},\"title\":\"Inbound Traffic [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-546febc0-f49b-11e9-8405-516218e3d268.json b/packages/system/0.12.2/kibana/visualization/system-546febc0-f49b-11e9-8405-516218e3d268.json deleted file mode 100755 index 65591c57a4..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-546febc0-f49b-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Groups Enumeration - TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(128,128,128,1)\",\"color\":\"rgba(179,179,179,1)\",\"id\":\"bfcaced0-f419-11e9-928e-8f5fd2b6c66e\",\"operator\":\"gt\",\"value\":0},{\"background_color\":\"rgba(179,179,179,1)\",\"id\":\"8d3f3ed0-9b51-11ea-99a1-e5b989979a59\",\"operator\":\"lte\",\"value\":0}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code:4799\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Group Membership Enumeration\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Groups Enumeration - TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-546febc0-f49b-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.2/kibana/visualization/system-568a8130-bcde-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.12.2/kibana/visualization/system-568a8130-bcde-11e9-b6a2-c9b4015c4baf.json deleted file mode 100755 index d8ddc0b1ed..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-568a8130-bcde-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4723\",\"4724\"],\"type\":\"phrases\",\"value\":\"4723, 4724\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4723\"}},{\"match_phrase\":{\"event.code\":\"4724\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Password Reset / Changes [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Password Changes\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Password Reset / Changes [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-568a8130-bcde-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-58fb9480-9b46-11ea-87e4-49f31ec44891.json b/packages/system/0.12.2/kibana/visualization/system-58fb9480-9b46-11ea-87e4-49f31ec44891.json deleted file mode 100755 index 453faebe12..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-58fb9480-9b46-11ea-87e4-49f31ec44891.json +++ /dev/null @@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Group Management Events - Target Groups - Tag Cloud [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"maxFontSize\":58,\"minFontSize\":18,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Group Management Events - Target Groups - Tag Cloud [Windows System Security]\",\"type\":\"tagcloud\"}" - }, - "id": "windows-58fb9480-9b46-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.2/kibana/visualization/system-590a60f0-5d87-11e7-8884-1bb4c3b890e4.json b/packages/system/0.12.2/kibana/visualization/system-590a60f0-5d87-11e7-8884-1bb4c3b890e4.json deleted file mode 100755 index e5419418c6..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-590a60f0-5d87-11e7-8884-1bb4c3b890e4.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Number of processes [Metrics System]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Processes\",\"field\":\"process.pid\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.process\\\"\"},\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"type\":\"gauge\"},\"title\":\"Number of processes\",\"type\":\"metric\"}" - }, - "id": "system-590a60f0-5d87-11e7-8884-1bb4c3b890e4", - "references": [ - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-5bb93ed0-a249-11e9-a422-d144027429da.json b/packages/system/0.12.2/kibana/visualization/system-5bb93ed0-a249-11e9-a422-d144027429da.json deleted file mode 100755 index 75aeb12e0d..0000000000 
--- a/packages/system/0.12.2/kibana/visualization/system-5bb93ed0-a249-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4672\"},\"type\":\"phrase\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4672\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Admin Logons Simple [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Admin Logons\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"aggType\":\"cardinality\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Admin Logons Simple [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-5bb93ed0-a249-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.2/kibana/visualization/system-5c7af030-fa2a-11e6-bbd3-29c986c96e5a.json b/packages/system/0.12.2/kibana/visualization/system-5c7af030-fa2a-11e6-bbd3-29c986c96e5a.json deleted file mode 100755 index 112d3d6530..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-5c7af030-fa2a-11e6-bbd3-29c986c96e5a.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Sudo commands by user [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"Sudo commands by user\",\"type\":\"histogram\"}" - }, - "id": "system-5c7af030-fa2a-11e6-bbd3-29c986c96e5a", - "references": [ - { - "id": "system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-5c9ee410-9b74-11ea-87e4-49f31ec44891.json b/packages/system/0.12.2/kibana/visualization/system-5c9ee410-9b74-11ea-87e4-49f31ec44891.json deleted file mode 100755 index 6807ba0f16..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-5c9ee410-9b74-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "User Event Actions - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"event.action\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":25},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"event.code\",\"field\":\"event.code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"User Event Actions - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-5c9ee410-9b74-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.2/kibana/visualization/system-5d117970-9ffd-11ea-87e4-49f31ec44891.json b/packages/system/0.12.2/kibana/visualization/system-5d117970-9ffd-11ea-87e4-49f31ec44891.json deleted file mode 100755 index 45c348d026..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-5d117970-9ffd-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4740\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"4740\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Blocked Accounts [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Blocked Accounts\",\"field\":\"user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Blocked Accounts [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-5d117970-9ffd-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.2/kibana/visualization/system-5d92b100-bce8-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.12.2/kibana/visualization/system-5d92b100-bce8-11e9-b6a2-c9b4015c4baf.json deleted file mode 100755 index b34bc8bc80..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-5d92b100-bce8-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4738\"],\"type\":\"phrases\",\"value\":\"4738\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4738\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Changes - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Changes in Users\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Changes - Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-5d92b100-bce8-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": 
"visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-5dd15c00-fa78-11e6-ae9b-81e5311e8cab.json b/packages/system/0.12.2/kibana/visualization/system-5dd15c00-fa78-11e6-ae9b-81e5311e8cab.json deleted file mode 100755 index bc04c92dd4..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-5dd15c00-fa78-11e6-ae9b-81e5311e8cab.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New users over time [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"bottom\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"New users over time\",\"type\":\"histogram\"}" - }, - "id": "system-5dd15c00-fa78-11e6-ae9b-81e5311e8cab", - "references": [ - { - "id": "system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-5e19ff80-231c-11ea-8405-516218e3d268.json b/packages/system/0.12.2/kibana/visualization/system-5e19ff80-231c-11ea-8405-516218e3d268.json deleted file mode 100755 index acd93693a8..0000000000 
--- a/packages/system/0.12.2/kibana/visualization/system-5e19ff80-231c-11ea-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4781\"],\"type\":\"phrases\",\"value\":\"4781\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4781\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Renamed - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Renamed Users\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Renamed - Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-5e19ff80-231c-11ea-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": 
"visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.12.2/kibana/visualization/system-5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf.json deleted file mode 100755 index 4e4497d0a4..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4720\"},\"type\":\"phrase\",\"value\":\"4720\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4720\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Created - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Created User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Created - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-5e7f0ed0-bcd2-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-5eeaafd0-fee7-11e9-8405-516218e3d268.json b/packages/system/0.12.2/kibana/visualization/system-5eeaafd0-fee7-11e9-8405-516218e3d268.json deleted file mode 100755 index 13589095b5..0000000000 
--- a/packages/system/0.12.2/kibana/visualization/system-5eeaafd0-fee7-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4734\",\"4730\",\"4758\",\"4748\",\"4763\",\"4753\",\"4792\",\"4789\"],\"type\":\"phrases\",\"value\":\"4734, 4730, 4758, 4748, 4763, 4753, 4792, 4789\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4734\"}},{\"match_phrase\":{\"event.code\":\"4730\"}},{\"match_phrase\":{\"event.code\":\"4758\"}},{\"match_phrase\":{\"event.code\":\"4748\"}},{\"match_phrase\":{\"event.code\":\"4763\"}},{\"match_phrase\":{\"event.code\":\"4753\"}},{\"match_phrase\":{\"event.code\":\"4792\"}},{\"match_phrase\":{\"event.code\":\"4789\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"lucene\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Groups Deleted- Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Groups 
Deleted\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Greens\",\"colorsRange\":[{\"from\":0,\"to\":1,\"type\":\"range\"},{\"from\":1,\"to\":5},{\"from\":5,\"to\":10},{\"from\":10,\"to\":15},{\"from\":15,\"to\":20},{\"from\":20,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"Labels\",\"percentageMode\":false,\"style\":{\"bgColor\":true,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Groups Deleted- Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-5eeaafd0-fee7-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-60301890-ff1d-11e9-8405-516218e3d268.json b/packages/system/0.12.2/kibana/visualization/system-60301890-ff1d-11e9-8405-516218e3d268.json deleted file mode 100755 index 520406bfb6..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-60301890-ff1d-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Password Changes - TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(154,196,198,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4723\\\" OR event.code: \\\"4724\\\"\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Password Changes/Reset\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Password Changes - TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-60301890-ff1d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.2/kibana/visualization/system-6b7b9a40-faa1-11e6-86b1-cd7735ff7e23.json b/packages/system/0.12.2/kibana/visualization/system-6b7b9a40-faa1-11e6-86b1-cd7735ff7e23.json deleted file mode 100755 index 22a26c29d4..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-6b7b9a40-faa1-11e6-86b1-cd7735ff7e23.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Network Traffic (Packets) [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"lucene\",\"query\":\"-system.network.name:l*\"},\"id\":\"da1046f0-faa0-11e6-86b1-cd7735ff7e23\",\"index_pattern\":\"*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":\"1\",\"formatter\":\"0.[00]a\",\"id\":\"da1046f1-faa0-11e6-86b1-cd7735ff7e23\",\"label\":\"Inbound\",\"line_width\":\"0\",\"metrics\":[{\"field\":\"system.network.in.packets\",\"id\":\"da1046f2-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"max\"},{\"field\":\"da1046f2-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"f41f9280-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"field\":\"f41f9280-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"c0da3d80-1b93-11e7-8ada-3df93aab833e\",\"type\":\"positive_only\",\"unit\":\"\"},{\"function\":\"sum\",\"id\":\"ecaad010-2c2c-11e7-be71-3162da85303f\",\"type\":\"series_agg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(250,40,255,1)\",\"fill\":\"1\",\"formatter\":\"0.[00]a\",\"id\":\"fbbd5720-faa0-11e6-86b1-cd7735ff7e23\",\"label\":\"Outbound\",\"line_width\":\"0\",\"metrics\":[{\"field\":\"system.network.out.packets\",\"id\":\"fbbd7e30-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"max\"},{\"field\":\"fbbd7e30-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"fbbd7e31-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"id\":\"17e597a0-faa1-11e6-86b
1-cd7735ff7e23\",\"script\":\"params.rate != null \\u0026\\u0026 params.rate \\u003e 0 ? params.rate * -1 : null\",\"type\":\"calculation\",\"variables\":[{\"field\":\"fbbd7e31-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"1940bad0-faa1-11e6-86b1-cd7735ff7e23\",\"name\":\"rate\"}]},{\"function\":\"sum\",\"id\":\"fe5fbdc0-2c2c-11e7-be71-3162da85303f\",\"type\":\"series_agg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"Mericbeat: Network Traffic (Packets)\",\"type\":\"metrics\"}" - }, - "id": "system-6b7b9a40-faa1-11e6-86b1-cd7735ff7e23", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-6f0f2ea0-f414-11e9-8405-516218e3d268.json b/packages/system/0.12.2/kibana/visualization/system-6f0f2ea0-f414-11e9-8405-516218e3d268.json deleted file mode 100755 index ea065ce6e3..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-6f0f2ea0-f414-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Group Management Events - Description [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":10,\"markdown\":\"# **Group Management Events**\\n\\n#### This dashboard shows information about Group Management Events collected by winlogbeat\\n\",\"openLinksInNewTab\":false},\"title\":\"Group Management Events - Description [Windows System Security]\",\"type\":\"markdown\"}" - }, - "id": "windows-6f0f2ea0-f414-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-729443b0-a7d6-11e9-a422-d144027429da.json b/packages/system/0.12.2/kibana/visualization/system-729443b0-a7d6-11e9-a422-d144027429da.json deleted file mode 100755 index da850bf332..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-729443b0-a7d6-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4625\",\"4771\"],\"type\":\"phrases\",\"value\":\"4625, 4771\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4625\"}},{\"match_phrase\":{\"event.code\":\"4771\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Logon Failed Acconts [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"type\":\"vis_dimension\"},\"maxFontSize\":37,\"metric\":{\"accessor\":1,\"format\":{\"id\":\"string\",\"params\":{}},\"type\":\"vis_dimension\"},\"minFontSize\":15,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Logon Failed Acconts [Windows System Security]\",\"type\":\"tagcloud\"}" - }, - "id": "windows-729443b0-a7d6-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], 
- "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-7322f9f0-ff1c-11e9-8405-516218e3d268.json b/packages/system/0.12.2/kibana/visualization/system-7322f9f0-ff1c-11e9-8405-516218e3d268.json deleted file mode 100755 index 2e5508620f..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-7322f9f0-ff1c-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Deleted - TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(228,155,75,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4726\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Deleted\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Deleted - TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-7322f9f0-ff1c-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.2/kibana/visualization/system-78b74f30-f9cd-11e6-8115-a7c18106d86a.json b/packages/system/0.12.2/kibana/visualization/system-78b74f30-f9cd-11e6-8115-a7c18106d86a.json deleted file mode 100755 index c119c156ea..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-78b74f30-f9cd-11e6-8115-a7c18106d86a.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - }, - "title": "SSH login attempts [Logs System]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Accepted\":\"#3F6833\",\"Failed\":\"#F9934E\",\"Invalid\":\"#447EBC\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"system.auth.ssh.event\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"SSH login attempts\",\"type\":\"histogram\"}" - }, - "id": "system-78b74f30-f9cd-11e6-8115-a7c18106d86a", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.2/kibana/visualization/system-7a329a00-a7d5-11e9-a422-d144027429da.json b/packages/system/0.12.2/kibana/visualization/system-7a329a00-a7d5-11e9-a422-d144027429da.json deleted file mode 100755 index 9f8332e30b..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-7a329a00-a7d5-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4740\"},\"type\":\"phrase\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4740\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security \"}}" - }, - "title": "Blocked Accounts Tag [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"type\":\"vis_dimension\"},\"maxFontSize\":53,\"metric\":{\"accessor\":1,\"format\":{\"id\":\"string\",\"params\":{}},\"type\":\"vis_dimension\"},\"minFontSize\":18,\"orientation\":\"single\",\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Blocked Accounts Tag [Windows System Security]\",\"type\":\"tagcloud\"}" - }, - "id": "windows-7a329a00-a7d5-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-7cdb1330-4d1a-11e7-a196-69b9a7a020a9.json b/packages/system/0.12.2/kibana/visualization/system-7cdb1330-4d1a-11e7-a196-69b9a7a020a9.json deleted file mode 100755 index e89f3a3690..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-7cdb1330-4d1a-11e7-a196-69b9a7a020a9.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Hosts histogram by CPU usage [Metrics System]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0% - 5%\":\"rgb(247,252,245)\",\"10% - 15%\":\"rgb(116,196,118)\",\"15% - 20%\":\"rgb(35,139,69)\",\"5% - 10%\":\"rgb(199,233,192)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"CPU usage\",\"field\":\"system.cpu.user.pct\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Hosts\",\"field\":\"host.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Greens\",\"colorsNumber\":4,\"colorsRange\":[],\"enableHover\":false,\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.cpu\\\" \"},\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"type\":\"heatmap\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"#555\",\"rotate\":0,\"show\":false},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Hosts histogram by CPU usage [Metrics System]\",\"type\":\"heatmap\"}" - }, - "id": "system-7cdb1330-4d1a-11e7-a196-69b9a7a020a9", - "references": [ - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.2/kibana/visualization/system-7de2e3f0-9b4d-11ea-87e4-49f31ec44891.json b/packages/system/0.12.2/kibana/visualization/system-7de2e3f0-9b4d-11ea-87e4-49f31ec44891.json deleted file mode 100755 index de0df1178e..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-7de2e3f0-9b4d-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Group Management Action Distribution over Time [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-30d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":25},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false,\"valueAxis\":\"\"},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"tru
ncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Group Management Action Distribution over Time [Windows System Security]\",\"type\":\"histogram\"}" - }, - "id": "windows-7de2e3f0-9b4d-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-804dd400-a248-11e9-a422-d144027429da.json b/packages/system/0.12.2/kibana/visualization/system-804dd400-a248-11e9-a422-d144027429da.json deleted file mode 100755 index deaa80ec24..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-804dd400-a248-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4672\"],\"type\":\"phrases\",\"value\":\"4672\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4672\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Logged on Administrators [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Date\",\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"2020-05-20T07:35:27.496Z\",\"to\":\"2020-05-22T00:01:10.239Z\"},\"useNormalizedEsInterval\":true},\"schema\":\"bucket\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"user.name\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"8\",\"params\":{\"customLabel\":\"# 
Thread\",\"field\":\"winlog.process.thread.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"9\",\"params\":{\"customLabel\":\"LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"date_histogram\",\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD HH:mm\"}},\"label\":\"Fecha - Hora \",\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"label\":\"Usuario\",\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"label\":\"# Thread\",\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"label\":\"winlog.logon.id: Descending\",\"params\":{}}],\"metrics\":[{\"accessor\":4,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Cantidad Eventos 
\",\"params\":{}}]},\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Logged on Administrators [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-804dd400-a248-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32.json b/packages/system/0.12.2/kibana/visualization/system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32.json deleted file mode 100755 index 172b24f43c..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Disk Used [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.fsstat\\\"\"},\"gauge_color_rules\":[{\"gauge\":\"rgba(104,188,0,1)\",\"id\":\"51921d10-4d1d-11e7-b5f2-2b7c1895bf32\",\"operator\":\"gte\",\"value\":0},{\"gauge\":\"rgba(251,158,0,1)\",\"id\":\"f26de750-4d54-11e7-b5f2-2b7c1895bf32\",\"operator\":\"gte\",\"value\":0.7},{\"gauge\":\"rgba(211,49,21,1)\",\"id\":\"fa31d190-4d54-11e7-b5f2-2b7c1895bf32\",\"operator\":\"gte\",\"value\":0.85}],\"gauge_inner_width\":10,\"gauge_max\":\"1\",\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"4e4dc780-4d1d-11e7-b5f2-2b7c1895bf32\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"4e4dee90-4d1d-11e7-b5f2-2b7c1895bf32\",\"label\":\"Disk used\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"system.fsstat.total_size.used\",\"id\":\"4e4dee91-4d1d-11e7-b5f2-2b7c1895bf32\",\"order\":\"desc\",\"order_by\":\"@timestamp\",\"size\":1,\"type\":\"top_hit\"},{\"agg_with\":\"avg\",\"field\":\"system.fsstat.total_size.total\",\"id\":\"57c96ee0-4d54-11e7-b5f2-2b7c1895bf32\",\"order\":\"desc\",\"order_by\":\"@timestamp\",\"size\":1,\"type\":\"top_hit\"},{\"id\":\"6304cca0-4d54-11e7-b5f2-2b7c1895bf32\",\"script\":\"params.used/params.total 
\",\"type\":\"math\",\"variables\":[{\"field\":\"4e4dee91-4d1d-11e7-b5f2-2b7c1895bf32\",\"id\":\"6da10430-4d54-11e7-b5f2-2b7c1895bf32\",\"name\":\"used\"},{\"field\":\"57c96ee0-4d54-11e7-b5f2-2b7c1895bf32\",\"id\":\"73b8c510-4d54-11e7-b5f2-2b7c1895bf32\",\"name\":\"total\"}]}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"gauge\"},\"title\":\"Disk used [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b.json b/packages/system/0.12.2/kibana/visualization/system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b.json deleted file mode 100755 index dc7c7ab1d6..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "CPU Usage Gauge [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.cpu\\\"\"},\"gauge_color_rules\":[{\"gauge\":\"rgba(104,188,0,1)\",\"id\":\"4ef2c3b0-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0},{\"gauge\":\"rgba(254,146,0,1)\",\"id\":\"e6561ae0-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0.7},{\"gauge\":\"rgba(211,49,21,1)\",\"id\":\"ec655040-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0.85}],\"gauge_inner_width\":10,\"gauge_max\":\"1\",\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"4c9e2550-1b91-11e7-bec4-a5e9ec5cab8b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"4c9e2551-1b91-11e7-bec4-a5e9ec5cab8b\",\"label\":\"CPU Usage\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.user.pct\",\"id\":\"4c9e2552-1b91-11e7-bec4-a5e9ec5cab8b\",\"type\":\"avg\"},{\"field\":\"system.cpu.system.pct\",\"id\":\"225c2140-5fd7-11e7-a63a-a937b7c1a7e1\",\"type\":\"avg\"},{\"field\":\"system.cpu.cores\",\"id\":\"837a30c0-5fd7-11e7-a63a-a937b7c1a7e1\",\"type\":\"avg\"},{\"id\":\"587aa510-1b91-11e7-bec4-a5e9ec5cab8b\",\"script\":\"params.n \\u003e 0 ? 
(params.user+params.system)/params.n : null\",\"type\":\"calculation\",\"variables\":[{\"field\":\"4c9e2552-1b91-11e7-bec4-a5e9ec5cab8b\",\"id\":\"5a19af10-1b91-11e7-bec4-a5e9ec5cab8b\",\"name\":\"user\"},{\"field\":\"225c2140-5fd7-11e7-a63a-a937b7c1a7e1\",\"id\":\"32b54f80-5fd7-11e7-a63a-a937b7c1a7e1\",\"name\":\"system\"},{\"field\":\"837a30c0-5fd7-11e7-a63a-a937b7c1a7e1\",\"id\":\"8ba6eef0-5fd7-11e7-a63a-a937b7c1a7e1\",\"name\":\"n\"}]}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\"},\"title\":\"CPU Usage Gauge [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-84502430-bce8-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.12.2/kibana/visualization/system-84502430-bce8-11e9-b6a2-c9b4015c4baf.json deleted file mode 100755 index 7a45abc403..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-84502430-bce8-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4740\"],\"type\":\"phrases\",\"value\":\"4740\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4740\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Unlocks - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Users Locked Out\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Unlocks - Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-84502430-bce8-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": 
"visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-855899e0-1b1c-11e7-b09e-037021c4f8df.json b/packages/system/0.12.2/kibana/visualization/system-855899e0-1b1c-11e7-b09e-037021c4f8df.json deleted file mode 100755 index ae48f968a3..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-855899e0-1b1c-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Top Hosts By CPU (Realtime) [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"bar_color\":\"rgba(104,188,0,1)\",\"id\":\"33349dd0-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0},{\"bar_color\":\"rgba(254,146,0,1)\",\"id\":\"997dc440-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.6},{\"bar_color\":\"rgba(211,49,21,1)\",\"id\":\"a10d7f20-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.85}],\"drilldown_url\":\"../app/kibana#/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8?_a=(query:(language:kuery,query:'host.name:\\\"{{key}}\\\"'))\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.cpu\\\"\"},\"id\":\"31e5afa0-1b1c-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"31e5afa1-1b1c-11e7-b09e-037021c4f8df\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.user.pct\",\"id\":\"31e5afa2-1b1c-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"host.name\",\"terms_order_by\":\"31e5afa2-1b1c-11e7-b09e-037021c4f8df\",\"terms_size\":\"10\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Top Hosts By CPU (Realtime) [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-855899e0-1b1c-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.2/kibana/visualization/system-855957d0-bcdd-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.12.2/kibana/visualization/system-855957d0-bcdd-11e9-b6a2-c9b4015c4baf.json deleted file mode 100755 index 09e960ac14..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-855957d0-bcdd-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4722\"},\"type\":\"phrase\",\"value\":\"4722\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4722\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Enabled - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Users Enabled\",\"field\":\"user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Enabled - Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-855957d0-bcdd-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - 
"type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-860706a0-9bfd-11ea-87e4-49f31ec44891.json b/packages/system/0.12.2/kibana/visualization/system-860706a0-9bfd-11ea-87e4-49f31ec44891.json deleted file mode 100755 index 0849027a3c..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-860706a0-9bfd-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "User Logons [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"d5bcde50-9bfc-11ea-aaa3-618beeff2d9c\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(7,139,141,1)\",\"id\":\"16018150-9bfd-11ea-aaa3-618beeff2d9c\",\"operator\":\"gte\",\"value\":0}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"filter\":{\"language\":\"kuery\",\"query\":\"((data_stream.dataset:windows.security OR data_stream.dataset:system.security) AND event.code: \\\"4624\\\")\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Logons \",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"User Logons [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-860706a0-9bfd-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.2/kibana/visualization/system-8ef59f90-6ab8-11ea-896f-0d70f7ec3956.json b/packages/system/0.12.2/kibana/visualization/system-8ef59f90-6ab8-11ea-896f-0d70f7ec3956.json deleted file mode 100755 index ef50f8a93f..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-8ef59f90-6ab8-11ea-896f-0d70f7ec3956.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Failed Logons TSVB [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(181,99,93,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"((data_stream.dataset:windows.security OR data_stream.dataset:system.security) AND event.code: \\\"4625\\\")\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Failed Logon\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Failed Logons TSVB [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-8ef59f90-6ab8-11ea-896f-0d70f7ec3956", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.2/kibana/visualization/system-8f20c950-bcd4-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.12.2/kibana/visualization/system-8f20c950-bcd4-11e9-b6a2-c9b4015c4baf.json deleted file mode 100755 index 2afa9ee825..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-8f20c950-bcd4-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4725\"},\"type\":\"phrase\",\"value\":\"4725\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4725\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Disabled - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Disabled User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Disabled - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-8f20c950-bcd4-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-96976150-4d5d-11e7-aa29-87a97a796de6.json b/packages/system/0.12.2/kibana/visualization/system-96976150-4d5d-11e7-aa29-87a97a796de6.json deleted file mode 100755 index 172bcb8f2c..0000000000 
--- a/packages/system/0.12.2/kibana/visualization/system-96976150-4d5d-11e7-aa29-87a97a796de6.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Packetloss [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"6ba9b1f0-4d5d-11e7-aa29-87a97a796de6\"}],\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.network\\\"\"},\"id\":\"6984af10-4d5d-11e7-aa29-87a97a796de6\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"6984af11-4d5d-11e7-aa29-87a97a796de6\",\"label\":\"In Packetloss\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.in.dropped\",\"id\":\"6984af12-4d5d-11e7-aa29-87a97a796de6\",\"type\":\"max\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"ac2e6b30-4d5d-11e7-aa29-87a97a796de6\",\"label\":\"Out Packetloss\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.out.dropped\",\"id\":\"ac2e6b31-4d5d-11e7-aa29-87a97a796de6\",\"type\":\"max\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"metric\"},\"title\":\"Packetloss [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-96976150-4d5d-11e7-aa29-87a97a796de6", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.2/kibana/visualization/system-97c70300-ff1c-11e9-8405-516218e3d268.json b/packages/system/0.12.2/kibana/visualization/system-97c70300-ff1c-11e9-8405-516218e3d268.json deleted file mode 100755 index ac78018683..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-97c70300-ff1c-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Disabled - TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(79,147,150,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"((data_stream.dataset:windows.security OR data_stream.dataset:system.security) AND event.code: \\\"4725\\\")\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Disabled\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Disabled - TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-97c70300-ff1c-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.2/kibana/visualization/system-98884120-f49d-11e9-8405-516218e3d268.json b/packages/system/0.12.2/kibana/visualization/system-98884120-f49d-11e9-8405-516218e3d268.json deleted file mode 100755 index a227b7f0c3..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-98884120-f49d-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4731\",\"4727\",\"4754\",\"4744\",\"4759\",\"4779\",\"4790\",\"4783\"],\"type\":\"phrases\",\"value\":\"4731, 4727, 4754, 4744, 4759, 4779, 4790, 4783\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4731\"}},{\"match_phrase\":{\"event.code\":\"4727\"}},{\"match_phrase\":{\"event.code\":\"4754\"}},{\"match_phrase\":{\"event.code\":\"4744\"}},{\"match_phrase\":{\"event.code\":\"4759\"}},{\"match_phrase\":{\"event.code\":\"4779\"}},{\"match_phrase\":{\"event.code\":\"4790\"}},{\"match_phrase\":{\"event.code\":\"4783\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Groups Created - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Group\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"group.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Performer 
LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":4,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":5,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Groups Created - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-98884120-f49d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.2/kibana/visualization/system-99381c80-4d60-11e7-9a4c-ed99bbcaa42b.json b/packages/system/0.12.2/kibana/visualization/system-99381c80-4d60-11e7-9a4c-ed99bbcaa42b.json deleted file mode 100755 index 66e166e22e..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-99381c80-4d60-11e7-9a4c-ed99bbcaa42b.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Interfaces by Incoming traffic [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"id\":\"44596d40-4d60-11e7-9a4c-ed99bbcaa42b\"}],\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.network\\\"\"},\"id\":\"42ceae90-4d60-11e7-9a4c-ed99bbcaa42b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"42ced5a0-4d60-11e7-9a4c-ed99bbcaa42b\",\"label\":\"Interfaces by Incoming traffic\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.in.bytes\",\"id\":\"42ced5a1-4d60-11e7-9a4c-ed99bbcaa42b\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"terms_order_by\":\"42ced5a1-4d60-11e7-9a4c-ed99bbcaa42b\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Interfaces by Incoming traffic [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-99381c80-4d60-11e7-9a4c-ed99bbcaa42b", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.2/kibana/visualization/system-9dd22440-ff1d-11e9-8405-516218e3d268.json b/packages/system/0.12.2/kibana/visualization/system-9dd22440-ff1d-11e9-8405-516218e3d268.json deleted file mode 100755 index aa6560812c..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-9dd22440-ff1d-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users locked Out - TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(102,102,102,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"((data_stream.dataset:windows.security OR data_stream.dataset:system.security) AND event.code: \\\"4740\\\")\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Locked Out\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users locked Out - TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-9dd22440-ff1d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.2/kibana/visualization/system-9e534190-f49d-11e9-8405-516218e3d268.json b/packages/system/0.12.2/kibana/visualization/system-9e534190-f49d-11e9-8405-516218e3d268.json deleted file mode 100755 index d81092dc2b..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-9e534190-f49d-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4735\",\"4737\",\"4755\",\"4750\",\"4760\",\"4745\",\"4791\",\"4784\",\"4764\"],\"type\":\"phrases\",\"value\":\"4735, 4737, 4755, 4750, 4760, 4745, 4791, 4784, 4764\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4735\"}},{\"match_phrase\":{\"event.code\":\"4737\"}},{\"match_phrase\":{\"event.code\":\"4755\"}},{\"match_phrase\":{\"event.code\":\"4750\"}},{\"match_phrase\":{\"event.code\":\"4760\"}},{\"match_phrase\":{\"event.code\":\"4745\"}},{\"match_phrase\":{\"event.code\":\"4791\"}},{\"match_phrase\":{\"event.code\":\"4784\"}},{\"match_phrase\":{\"event.code\":\"4764\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Group Changes - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Group\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"group.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Performer 
LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":4,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":5,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Group Changes - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-9e534190-f49d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.2/kibana/visualization/system-Event-Levels.json b/packages/system/0.12.2/kibana/visualization/system-Event-Levels.json deleted file mode 100755 index 80ebd07044..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-Event-Levels.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system OR data_stream.dataset:system.application OR data_stream.dataset:system.security OR data_stream.dataset:system.system)\"}}" - }, - "title": "Event Levels [Windows Overview]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Log Levels\",\"field\":\"log.level\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Event Levels [Windows Overview]\",\"type\":\"table\"}" - }, - "id": "windows-Event-Levels", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-Navigation.json b/packages/system/0.12.2/kibana/visualization/system-Navigation.json deleted file mode 100755 index d996678974..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-Navigation.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "System Navigation [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"[System Overview](#/dashboard/system-Metrics-system-overview) | [Host Overview](#/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8)\"},\"title\":\"System Navigation [Metrics System]\",\"type\":\"markdown\"}" - }, - "id": "system-Navigation", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-Number-of-Events-Over-Time-By-Event-Log.json b/packages/system/0.12.2/kibana/visualization/system-Number-of-Events-Over-Time-By-Event-Log.json deleted file mode 100755 index cb42f617bc..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-Number-of-Events-Over-Time-By-Event-Log.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system OR data_stream.dataset:system.application OR data_stream.dataset:system.security OR data_stream.dataset:system.system)\"}}" - }, - "title": "Number of Events Over Time By Channel [Windows Overview]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"timeRange\":{\"from\":\"now-15d\",\"mode\":\"relative\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Channel\",\"field\":\"winlog.channel\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":6},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"dimensions\":{\"series\":[{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketL
abel\":\"Other\"}},\"params\":{}}],\"x\":{\"accessor\":0,\"aggType\":\"date_histogram\",\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD HH:mm\"}},\"params\":{\"bounds\":{\"max\":\"2019-02-05T04:30:25.961Z\",\"min\":\"2019-01-21T04:30:25.961Z\"},\"date\":true,\"format\":\"YYYY-MM-DD HH:mm\",\"interval\":43200000}},\"y\":[{\"accessor\":2,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"Number of Events Over Time By Channel [Windows Overview]\",\"type\":\"histogram\"}" - }, - "id": "windows-Number-of-Events-Over-Time-By-Event-Log", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-Number-of-Events.json b/packages/system/0.12.2/kibana/visualization/system-Number-of-Events.json deleted file mode 100755 index 34ecef7340..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-Number-of-Events.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system OR data_stream.dataset:system.application OR data_stream.dataset:system.security OR data_stream.dataset:system.system)\"}}" - }, - "title": "Number of Events [Windows Overview]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"fontSize\":60},\"type\":\"metric\"}" - }, - "id": "windows-Number-of-Events", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-Sources.json b/packages/system/0.12.2/kibana/visualization/system-Sources.json deleted file mode 100755 index b58d86fd65..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-Sources.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system OR data_stream.dataset:system.application OR data_stream.dataset:system.security OR data_stream.dataset:system.system)\"}}" - }, - "title": "Sources (Provider Names) [Windows Overview]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"winlog.provider_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":7},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"shareYAxis\":true,\"type\":\"pie\"},\"title\":\"Sources (Provider Names) [Windows Overview]\",\"type\":\"pie\"}" - }, - "id": "windows-Sources", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.2/kibana/visualization/system-Syslog-events-by-hostname.json b/packages/system/0.12.2/kibana/visualization/system-Syslog-events-by-hostname.json deleted file mode 100755 index 97fdb33425..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-Syslog-events-by-hostname.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Syslog events by hostname [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"host.hostname\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"Syslog events by hostname\",\"type\":\"histogram\"}" - }, - "id": "system-Syslog-events-by-hostname", - "references": [ - { - "id": "system-Syslog-system-logs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-Syslog-hostnames-and-processes.json b/packages/system/0.12.2/kibana/visualization/system-Syslog-hostnames-and-processes.json deleted file mode 100755 index 3fe992e28b..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-Syslog-hostnames-and-processes.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Syslog hostnames and processes [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"host.hostname\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"process.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"legendPosition\":\"bottom\",\"shareYAxis\":true},\"title\":\"Syslog hostnames and processes\",\"type\":\"pie\"}" - }, - "id": "system-Syslog-hostnames-and-processes", - "references": [ - { - "id": "system-Syslog-system-logs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-Top-Event-IDs.json b/packages/system/0.12.2/kibana/visualization/system-Top-Event-IDs.json deleted file mode 100755 index 0b4d5b0b54..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-Top-Event-IDs.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system OR data_stream.dataset:system.application OR data_stream.dataset:system.security OR data_stream.dataset:system.system)\"}}" - }, - "title": "Top Event IDs [Windows Overview]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event IDs\",\"field\":\"winlog.event_id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Event IDs [Windows Overview]\",\"type\":\"table\"}" - }, - "id": "windows-Top-Event-IDs", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-a13bf640-fee8-11e9-8405-516218e3d268.json b/packages/system/0.12.2/kibana/visualization/system-a13bf640-fee8-11e9-8405-516218e3d268.json deleted file mode 100755 index 8337095049..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-a13bf640-fee8-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4732\",\"4728\",\"4756\",\"4751\",\"4761\",\"4746\",\"4785\",\"4787\"],\"type\":\"phrases\",\"value\":\"4732, 4728, 4756, 4751, 4761, 4746, 4785, 4787\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4732\"}},{\"match_phrase\":{\"event.code\":\"4728\"}},{\"match_phrase\":{\"event.code\":\"4756\"}},{\"match_phrase\":{\"event.code\":\"4751\"}},{\"match_phrase\":{\"event.code\":\"4761\"}},{\"match_phrase\":{\"event.code\":\"4746\"}},{\"match_phrase\":{\"event.code\":\"4785\"}},{\"match_phrase\":{\"event.code\":\"4787\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Added - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Users Added to 
Groups\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Reds\",\"colorsRange\":[{\"from\":0,\"to\":1,\"type\":\"range\"},{\"from\":1,\"to\":5},{\"from\":5,\"to\":10},{\"from\":10,\"to\":15},{\"from\":15,\"to\":20},{\"from\":20,\"to\":9999}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"Labels\",\"percentageMode\":false,\"style\":{\"bgColor\":true,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Added - Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-a13bf640-fee8-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-a3c3f350-9b6d-11ea-87e4-49f31ec44891.json b/packages/system/0.12.2/kibana/visualization/system-a3c3f350-9b6d-11ea-87e4-49f31ec44891.json deleted file mode 100755 index 40e5998021..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-a3c3f350-9b6d-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Dashboard links [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"[Windows Overview](#/dashboard/Windows-Dashboard) | [User Logon Information](#/dashboard/windows-bae11b00-9bfc-11ea-87e4-49f31ec44891) | [Logon Failed and Account Lockout](#/dashboard/windows-d401ef40-a7d5-11e9-a422-d144027429da) | [User Management Events](#/dashboard/windows-71f720f0-ff18-11e9-8405-516218e3d268) | [Group Management Events](#/dashboard/windows-bb858830-f412-11e9-8405-516218e3d268)\",\"openLinksInNewTab\":false},\"title\":\"Dashboard links [Windows System Security]\",\"type\":\"markdown\"}" - }, - "id": "windows-a3c3f350-9b6d-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-a5f664c0-f49a-11e9-8405-516218e3d268.json b/packages/system/0.12.2/kibana/visualization/system-a5f664c0-f49a-11e9-8405-516218e3d268.json deleted file mode 100755 index 920ea3a521..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-a5f664c0-f49a-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Removed - TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"bfcaced0-f419-11e9-928e-8f5fd2b6c66e\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(228,155,75,1)\",\"id\":\"11604700-9b51-11ea-99a1-e5b989979a59\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code:4733 OR event.code:4729 OR event.code:4788 OR event.code:4786 OR event.code:4752 OR event.code:4762 OR event.code:4747\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Removed from Group\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Removed - TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-a5f664c0-f49a-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.2/kibana/visualization/system-a79395f0-6aba-11ea-896f-0d70f7ec3956.json b/packages/system/0.12.2/kibana/visualization/system-a79395f0-6aba-11ea-896f-0d70f7ec3956.json deleted file mode 100755 index 5353bdc134..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-a79395f0-6aba-11ea-896f-0d70f7ec3956.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Blocked Accounts TSVB [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"color\":\"rgba(51,51,51,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(102,102,102,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4740\\\"\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Blocked Accounts\",\"line_width\":1,\"metrics\":[{\"field\":\"user.name\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"cardinality\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Blocked Accounts TSVB [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-a79395f0-6aba-11ea-896f-0d70f7ec3956", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.2/kibana/visualization/system-a909b930-685f-11ea-896f-0d70f7ec3956.json b/packages/system/0.12.2/kibana/visualization/system-a909b930-685f-11ea-896f-0d70f7ec3956.json deleted file mode 100755 index 4763c28e8b..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-a909b930-685f-11ea-896f-0d70f7ec3956.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Logon Events Timeline [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4672\\\" or event.code: \\\"4624\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(226,115,0,1)\",\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4672\\\"\"},\"id\":\"7560ee50-685f-11ea-8d46-c19e41702dd4\",\"label\":\"Admin logons\"},{\"color\":\"rgba(164,221,243,1)\",\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4624\\\"\"},\"id\":\"80e7fb10-685f-11ea-8d46-c19e41702dd4\",\"label\":\"Logon Events\"}],\"split_mode\":\"filters\",\"stacked\":\"none\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"Logon Events Timeline [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-a909b930-685f-11ea-896f-0d70f7ec3956", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.2/kibana/visualization/system-aa31c9d0-9b75-11ea-87e4-49f31ec44891.json b/packages/system/0.12.2/kibana/visualization/system-aa31c9d0-9b75-11ea-87e4-49f31ec44891.json deleted file mode 100755 index 1dc4eee51a..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-aa31c9d0-9b75-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "User Management Events - Affected Users vs Actions - Heatmap [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Target User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Blues\",\"colorsNumber\":4,\"colorsRange\":[],\"enableHover\":false,\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"type\":\"heatmap\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"black\",\"overwriteColor\":false,\"rotate\":0,\"show\":true},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"User Management Events - Affected Users vs Actions - Heatmap [Windows System Security]\",\"type\":\"heatmap\"}" - }, - "id": "windows-aa31c9d0-9b75-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - 
"name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-ab2d1e90-1b1a-11e7-b09e-037021c4f8df.json b/packages/system/0.12.2/kibana/visualization/system-ab2d1e90-1b1a-11e7-b09e-037021c4f8df.json deleted file mode 100755 index 2dd21f0794..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-ab2d1e90-1b1a-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "CPU Usage [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.cpu\\\"\"},\"id\":\"80a04950-1b19-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"80a04951-1b19-11e7-b09e-037021c4f8df\",\"label\":\"user\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.user.pct\",\"id\":\"80a04952-1b19-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(211,49,21,1)\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"993acf30-1b19-11e7-b09e-037021c4f8df\",\"label\":\"system\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.system.pct\",\"id\":\"993acf31-1b19-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(123,100,255,1)\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"65ca35e0-1b1a-11e7-b09e-037021c4f8df\",\"label\":\"nice\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.nice.pct\",\"id\":\"65ca5cf0-1b1a-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(226,
115,0,1)\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"741b5f20-1b1a-11e7-b09e-037021c4f8df\",\"label\":\"irq\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.irq.pct\",\"id\":\"741b5f21-1b1a-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(176,188,0,1)\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"2efc5d40-1b1a-11e7-b09e-037021c4f8df\",\"label\":\"softirq\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.softirq.pct\",\"id\":\"2efc5d41-1b1a-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(15,20,25,1)\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"ae644a30-1b19-11e7-b09e-037021c4f8df\",\"label\":\"iowait\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.iowait.pct\",\"id\":\"ae644a31-1b19-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"CPU Usage [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-ab2d1e90-1b1a-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-ab6f8d80-bce8-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.12.2/kibana/visualization/system-ab6f8d80-bce8-11e9-b6a2-c9b4015c4baf.json deleted file mode 100755 index b6cba2acef..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-ab6f8d80-bce8-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4767\"],\"type\":\"phrases\",\"value\":\"4767\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4767\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Unlocked Users - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Users Unlocks\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Unlocked Users - Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-ab6f8d80-bce8-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": 
"visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-abd44840-9c0f-11ea-87e4-49f31ec44891.json b/packages/system/0.12.2/kibana/visualization/system-abd44840-9c0f-11ea-87e4-49f31ec44891.json deleted file mode 100755 index 054ff48881..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-abd44840-9c0f-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4624\",\"4672\"],\"type\":\"phrases\",\"value\":\"4624, 4672\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4624\"}},{\"match_phrase\":{\"event.code\":\"4672\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Logon Events in Time - Simple [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Admin Logons\":\"#E24D42\",\"Logon Events\":\"#447EBC\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"2020-05-20T07:35:27.496Z\",\"to\":\"2020-05-22T00:01:10.239Z\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"filters\":[{\"input\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4624\\\" \"},\"label\":\"Logon Events\"},{\"input\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4672\\\" \"},\"label\":\"Admin 
Logons\"}]},\"schema\":\"group\",\"type\":\"filters\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Logon Events in Time - Simple [Windows System Security]\",\"type\":\"line\"}" - }, - "id": "windows-abd44840-9c0f-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-abf96c10-bcea-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.12.2/kibana/visualization/system-abf96c10-bcea-11e9-b6a2-c9b4015c4baf.json deleted file mode 100755 index a9023084a8..0000000000 
--- a/packages/system/0.12.2/kibana/visualization/system-abf96c10-bcea-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4738\"},\"type\":\"phrase\",\"value\":\"4738\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4738\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Changes Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Changed User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Changes Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-abf96c10-bcea-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-b5f38780-fee6-11e9-8405-516218e3d268.json b/packages/system/0.12.2/kibana/visualization/system-b5f38780-fee6-11e9-8405-516218e3d268.json deleted file mode 100755 index a5489335cf..0000000000 
--- a/packages/system/0.12.2/kibana/visualization/system-b5f38780-fee6-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4735\",\"4737\",\"4755\",\"4750\",\"4760\",\"4745\",\"4791\",\"4784\",\"4764\"],\"type\":\"phrases\",\"value\":\"4735, 4737, 4755, 4750, 4760, 4745, 4791, 4784, 4764\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4735\"}},{\"match_phrase\":{\"event.code\":\"4737\"}},{\"match_phrase\":{\"event.code\":\"4755\"}},{\"match_phrase\":{\"event.code\":\"4750\"}},{\"match_phrase\":{\"event.code\":\"4760\"}},{\"match_phrase\":{\"event.code\":\"4745\"}},{\"match_phrase\":{\"event.code\":\"4791\"}},{\"match_phrase\":{\"event.code\":\"4784\"}},{\"match_phrase\":{\"event.code\":\"4764\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Groups Changes - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Groups Changed\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Yellow to 
Red\",\"colorsRange\":[{\"from\":0,\"to\":1,\"type\":\"range\"},{\"from\":1,\"to\":5},{\"from\":5,\"to\":10},{\"from\":10,\"to\":15},{\"from\":15,\"to\":20},{\"from\":20,\"to\":100000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"Labels\",\"percentageMode\":false,\"style\":{\"bgColor\":true,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Groups Changes - Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-b5f38780-fee6-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-b89b0c90-9b41-11ea-87e4-49f31ec44891.json b/packages/system/0.12.2/kibana/visualization/system-b89b0c90-9b41-11ea-87e4-49f31ec44891.json deleted file mode 100755 index b3357604ea..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-b89b0c90-9b41-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Group Management Events - Event Actions [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Group Management Events - Event Actions [Windows System Security]\",\"type\":\"pie\"}" - }, - "id": "windows-b89b0c90-9b41-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-bb9cf7a0-f49d-11e9-8405-516218e3d268.json b/packages/system/0.12.2/kibana/visualization/system-bb9cf7a0-f49d-11e9-8405-516218e3d268.json deleted file mode 100755 index b3122f32a9..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-bb9cf7a0-f49d-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4734\",\"4730\",\"4758\",\"4748\",\"4763\",\"4753\",\"4792\",\"4789\"],\"type\":\"phrases\",\"value\":\"4734, 4730, 4758, 4748, 4763, 4753, 4792, 4789\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4734\"}},{\"match_phrase\":{\"event.code\":\"4730\"}},{\"match_phrase\":{\"event.code\":\"4758\"}},{\"match_phrase\":{\"event.code\":\"4748\"}},{\"match_phrase\":{\"event.code\":\"4763\"}},{\"match_phrase\":{\"event.code\":\"4753\"}},{\"match_phrase\":{\"event.code\":\"4792\"}},{\"match_phrase\":{\"event.code\":\"4789\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Groups Deleted - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Group\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"group.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Performer 
LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":4,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":5,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Groups Deleted - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-bb9cf7a0-f49d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.2/kibana/visualization/system-bc165210-f4b8-11e9-8405-516218e3d268.json b/packages/system/0.12.2/kibana/visualization/system-bc165210-f4b8-11e9-8405-516218e3d268.json deleted file mode 100755 index 04eba5572b..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-bc165210-f4b8-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4799\"],\"type\":\"phrases\",\"value\":\"4799\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4799\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Group Enumeration - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Group\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"group.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Creator\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Creator 
LogonID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":4,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":5,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Group Enumeration - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-bc165210-f4b8-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.2/kibana/visualization/system-bf45dc50-ff1a-11e9-8405-516218e3d268.json b/packages/system/0.12.2/kibana/visualization/system-bf45dc50-ff1a-11e9-8405-516218e3d268.json
deleted file mode 100755
index cfa442464c..0000000000
--- a/packages/system/0.12.2/kibana/visualization/system-bf45dc50-ff1a-11e9-8405-516218e3d268.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Enabled - TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(203,142,136,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4722\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Enabled\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Enabled - TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-bf45dc50-ff1a-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.2/kibana/visualization/system-bfa5e400-1b16-11e7-b09e-037021c4f8df.json b/packages/system/0.12.2/kibana/visualization/system-bfa5e400-1b16-11e7-b09e-037021c4f8df.json
deleted file mode 100755
index 50aa47d6d7..0000000000
--- a/packages/system/0.12.2/kibana/visualization/system-bfa5e400-1b16-11e7-b09e-037021c4f8df.json
+++ /dev/null
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Memory Usage [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.memory\\\"\"},\"id\":\"32f46f40-1b16-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(211,49,21,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"4ff61fd0-1b16-11e7-b09e-037021c4f8df\",\"label\":\"Used\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.actual.used.bytes\",\"id\":\"4ff61fd1-1b16-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"753a6080-1b16-11e7-b09e-037021c4f8df\",\"label\":\"Cache\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.actual.used.bytes\",\"id\":\"753a6081-1b16-11e7-b09e-037021c4f8df\",\"type\":\"avg\"},{\"field\":\"system.memory.used.bytes\",\"id\":\"7c9d3f00-1b16-11e7-b09e-037021c4f8df\",\"type\":\"avg\"},{\"id\":\"869cc160-1b16-11e7-b09e-037021c4f8df\",\"script\":\"params.actual != null \\u0026\\u0026 params.used != null ? 
params.used - params.actual : null\",\"type\":\"calculation\",\"variables\":[{\"field\":\"753a6081-1b16-11e7-b09e-037021c4f8df\",\"id\":\"890f9620-1b16-11e7-b09e-037021c4f8df\",\"name\":\"actual\"},{\"field\":\"7c9d3f00-1b16-11e7-b09e-037021c4f8df\",\"id\":\"8f3ab7f0-1b16-11e7-b09e-037021c4f8df\",\"name\":\"used\"}]}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"32f46f41-1b16-11e7-b09e-037021c4f8df\",\"label\":\"Free\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.free\",\"id\":\"32f46f42-1b16-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"Memory Usage [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-bfa5e400-1b16-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-c2ea73f0-a4bd-11e9-a422-d144027429da.json b/packages/system/0.12.2/kibana/visualization/system-c2ea73f0-a4bd-11e9-a422-d144027429da.json deleted file mode 100755 index a5502e1ded..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-c2ea73f0-a4bd-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Failed Logon and Account Lockout [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":10,\"markdown\":\"### **Failed Logons and Account Lockouts**\",\"openLinksInNewTab\":false},\"title\":\"Failed Logon and Account Lockout [Windows System Security]\",\"type\":\"markdown\"}" - }, - "id": "windows-c2ea73f0-a4bd-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-c359b020-bcdd-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.12.2/kibana/visualization/system-c359b020-bcdd-11e9-b6a2-c9b4015c4baf.json deleted file mode 100755 index e3028daa19..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-c359b020-bcdd-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4726\"},\"type\":\"phrase\",\"value\":\"4726\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4726\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Deleted - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Deleted Users\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Users Deleted - Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-c359b020-bcdd-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ 
No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-c5e3cf90-4d60-11e7-9a4c-ed99bbcaa42b.json b/packages/system/0.12.2/kibana/visualization/system-c5e3cf90-4d60-11e7-9a4c-ed99bbcaa42b.json deleted file mode 100755 index bbdd02df29..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-c5e3cf90-4d60-11e7-9a4c-ed99bbcaa42b.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Interfaces by Outgoing traffic [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"id\":\"9db20be0-4d60-11e7-9a4c-ed99bbcaa42b\"}],\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.network\\\"\"},\"id\":\"9cdba910-4d60-11e7-9a4c-ed99bbcaa42b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"9cdba911-4d60-11e7-9a4c-ed99bbcaa42b\",\"label\":\"Interfaces by Outgoing traffic\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.out.bytes\",\"id\":\"9cdba912-4d60-11e7-9a4c-ed99bbcaa42b\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"terms_order_by\":\"9cdba912-4d60-11e7-9a4c-ed99bbcaa42b\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Interfaces by Outgoing traffic [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-c5e3cf90-4d60-11e7-9a4c-ed99bbcaa42b", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.2/kibana/visualization/system-c6f2ffd0-4d17-11e7-a196-69b9a7a020a9.json b/packages/system/0.12.2/kibana/visualization/system-c6f2ffd0-4d17-11e7-a196-69b9a7a020a9.json deleted file mode 100755 index a781526538..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-c6f2ffd0-4d17-11e7-a196-69b9a7a020a9.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Number of hosts [Metrics System]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Number of hosts\",\"field\":\"host.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":false},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"63\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"type\":\"gauge\"},\"title\":\"Number of hosts [Metrics System]\",\"type\":\"metric\"}" - }, - "id": "system-c6f2ffd0-4d17-11e7-a196-69b9a7a020a9", - "references": [ - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.2/kibana/visualization/system-c9d959f0-ff1d-11e9-8405-516218e3d268.json b/packages/system/0.12.2/kibana/visualization/system-c9d959f0-ff1d-11e9-8405-516218e3d268.json
deleted file mode 100755
index 40d898c6e3..0000000000
--- a/packages/system/0.12.2/kibana/visualization/system-c9d959f0-ff1d-11e9-8405-516218e3d268.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Changes TS VB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(221,186,64,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4738\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Changes\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Changes TS VB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-c9d959f0-ff1d-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.2/kibana/visualization/system-caf4d2b0-9b76-11ea-87e4-49f31ec44891.json b/packages/system/0.12.2/kibana/visualization/system-caf4d2b0-9b76-11ea-87e4-49f31ec44891.json
deleted file mode 100755
index f179ea214d..0000000000
--- a/packages/system/0.12.2/kibana/visualization/system-caf4d2b0-9b76-11ea-87e4-49f31ec44891.json
+++ /dev/null
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Event Distribution in time [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-7d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"p
osition\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Event Distribution in time [Windows System Security]\",\"type\":\"histogram\"}" - }, - "id": "windows-caf4d2b0-9b76-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-324686c0-fefb-11e9-8405-516218e3d268", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-ce867840-f49e-11e9-8405-516218e3d268.json b/packages/system/0.12.2/kibana/visualization/system-ce867840-f49e-11e9-8405-516218e3d268.json deleted file mode 100755 index 7ff817a3ea..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-ce867840-f49e-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4732\",\"4728\",\"4756\",\"4751\",\"4761\",\"4746\",\"4785\",\"4787\"],\"type\":\"phrases\",\"value\":\"4732, 4728, 4756, 4751, 4761, 4746, 4785, 4787\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4732\"}},{\"match_phrase\":{\"event.code\":\"4728\"}},{\"match_phrase\":{\"event.code\":\"4756\"}},{\"match_phrase\":{\"event.code\":\"4751\"}},{\"match_phrase\":{\"event.code\":\"4761\"}},{\"match_phrase\":{\"event.code\":\"4746\"}},{\"match_phrase\":{\"event.code\":\"4785\"}},{\"match_phrase\":{\"event.code\":\"4787\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Added - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"User\",\"field\":\"winlog.event_data.MemberName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Group\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"group.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Performed by Logon 
ID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":4,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":5,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":5,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Added - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-ce867840-f49e-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No 
newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-d16bb400-f9cc-11e6-8115-a7c18106d86a.json b/packages/system/0.12.2/kibana/visualization/system-d16bb400-f9cc-11e6-8115-a7c18106d86a.json deleted file mode 100755 index 7d3a140c7b..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-d16bb400-f9cc-11e6-8115-a7c18106d86a.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.ssh.event:Accepted\"}}" - }, - "title": "Successful SSH logins [Logs System]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Accepted\":\"#3F6833\",\"Failed\":\"#F9934E\",\"Invalid\":\"#447EBC\",\"password\":\"#BF1B00\",\"publickey\":\"#629E51\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"system.auth.ssh.method\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"Successful SSH logins\",\"type\":\"histogram\"}" - }, - "id": "system-d16bb400-f9cc-11e6-8115-a7c18106d86a", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.2/kibana/visualization/system-d2e80340-4d5c-11e7-aa29-87a97a796de6.json b/packages/system/0.12.2/kibana/visualization/system-d2e80340-4d5c-11e7-aa29-87a97a796de6.json
deleted file mode 100755
index 409529a0d5..0000000000
--- a/packages/system/0.12.2/kibana/visualization/system-d2e80340-4d5c-11e7-aa29-87a97a796de6.json
+++ /dev/null
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Memory usage vs total [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"6f7618b0-4d5c-11e7-aa29-87a97a796de6\"}],\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.memory\\\"\"},\"id\":\"6bc65720-4d5c-11e7-aa29-87a97a796de6\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"6bc65721-4d5c-11e7-aa29-87a97a796de6\",\"label\":\"Memory usage\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.actual.used.bytes\",\"id\":\"6bc65722-4d5c-11e7-aa29-87a97a796de6\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"b8fe6820-4d5c-11e7-aa29-87a97a796de6\",\"label\":\"Total Memory\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.total\",\"id\":\"b8fe6821-4d5c-11e7-aa29-87a97a796de6\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"metric\"},\"title\":\"Memory usage vs total\",\"type\":\"metrics\"}" - }, - "id": "system-d2e80340-4d5c-11e7-aa29-87a97a796de6", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.2/kibana/visualization/system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b.json b/packages/system/0.12.2/kibana/visualization/system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b.json
deleted file mode 100755
index bc6234f906..0000000000
--- a/packages/system/0.12.2/kibana/visualization/system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b.json
+++ /dev/null
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Memory Usage Gauge [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.memory\\\"\"},\"gauge_color_rules\":[{\"gauge\":\"rgba(104,188,0,1)\",\"id\":\"a0d522e0-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0},{\"gauge\":\"rgba(254,146,0,1)\",\"id\":\"b45ad8f0-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0.7},{\"gauge\":\"rgba(211,49,21,1)\",\"id\":\"c06e9550-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0.85}],\"gauge_inner_width\":10,\"gauge_max\":\"1\",\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"9f51b730-1b91-11e7-bec4-a5e9ec5cab8b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"9f51b731-1b91-11e7-bec4-a5e9ec5cab8b\",\"label\":\"Memory Usage\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.actual.used.pct\",\"id\":\"9f51b732-1b91-11e7-bec4-a5e9ec5cab8b\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\"},\"title\":\"Memory Usage Gauge [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.2/kibana/visualization/system-d3a5fec0-ff18-11e9-8405-516218e3d268.json b/packages/system/0.12.2/kibana/visualization/system-d3a5fec0-ff18-11e9-8405-516218e3d268.json
deleted file mode 100755
index 4fbf0e757e..0000000000
--- a/packages/system/0.12.2/kibana/visualization/system-d3a5fec0-ff18-11e9-8405-516218e3d268.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Created - TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"8d597960-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(181,99,93,1)\",\"id\":\"a3f59730-ff18-11e9-8249-2371c695f3b0\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4720\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Created\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Created - TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-d3a5fec0-ff18-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.2/kibana/visualization/system-d56ee420-fa79-11e6-a1df-a78bd7504d38.json b/packages/system/0.12.2/kibana/visualization/system-d56ee420-fa79-11e6-a1df-a78bd7504d38.json deleted file mode 100755 index 4a1a669662..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-d56ee420-fa79-11e6-a1df-a78bd7504d38.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New users by home directory [Logs System]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"/bin/bash\":\"#E24D42\",\"/bin/false\":\"#508642\",\"/nonexistent\":\"#629E51\",\"/sbin/nologin\":\"#7EB26D\"},\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"system.auth.useradd.home\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":false,\"legendPosition\":\"right\"},\"title\":\"New users by home directory\",\"type\":\"pie\"}" - }, - "id": "system-d56ee420-fa79-11e6-a1df-a78bd7504d38", - "references": [ - { - "id": "system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-d770b040-9b35-11ea-87e4-49f31ec44891.json b/packages/system/0.12.2/kibana/visualization/system-d770b040-9b35-11ea-87e4-49f31ec44891.json deleted file mode 100755 index be99e9e1a7..0000000000 
--- a/packages/system/0.12.2/kibana/visualization/system-d770b040-9b35-11ea-87e4-49f31ec44891.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.application OR data_stream.dataset:windows.forwarded OR data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational OR data_stream.dataset:windows.security OR data_stream.dataset:windows.sysmon_operational OR data_stream.dataset:windows.system OR data_stream.dataset:system.application OR data_stream.dataset:system.security OR data_stream.dataset:system.system)\"}}" - }, - "title": "Dashboard links - Simple [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"[Windows General Dashboard](#/dashboard/Windows-Dashboard) | [User Logon Information](#/dashboard/windows-035846a0-a249-11e9-a422-d144027429da?) | [Logon failed and Account Lockout](#/dashboard/windows-f49f3170-9ffc-11ea-87e4-49f31ec44891) | [User Management Events](#/dashboard/windows-8223bed0-b9e9-11e9-b6a2-c9b4015c4baf) | [Group Management Events](#/dashboard/windows-01c54730-fee6-11e9-8405-516218e3d268)\",\"openLinksInNewTab\":false},\"title\":\"Dashboard links - Simple [Windows System Security]\",\"type\":\"markdown\"}" - }, - "id": "windows-d770b040-9b35-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-da2110c0-bcea-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.12.2/kibana/visualization/system-da2110c0-bcea-11e9-b6a2-c9b4015c4baf.json deleted file mode 100755 index 29b2307260..0000000000 
--- a/packages/system/0.12.2/kibana/visualization/system-da2110c0-bcea-11e9-b6a2-c9b4015c4baf.json
+++ /dev/null
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4767\"},\"type\":\"phrase\",\"value\":\"4767\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4767\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Unlocked Users - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Unlocked User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
Logonid\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Unlocked Users - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-da2110c0-bcea-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.12.2/kibana/visualization/system-da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf.json deleted file mode 100755 index 27533dc793..0000000000 
--- a/packages/system/0.12.2/kibana/visualization/system-da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf.json
+++ /dev/null
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4723\",\"4724\"],\"type\":\"phrases\",\"value\":\"4723, 4724\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4723\"}},{\"match_phrase\":{\"event.code\":\"4724\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Password Changes - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Password Change to\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Password Changes - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-da5ffe40-bcd9-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-dc589770-fa2b-11e6-bbd3-29c986c96e5a.json b/packages/system/0.12.2/kibana/visualization/system-dc589770-fa2b-11e6-bbd3-29c986c96e5a.json deleted file mode 100755 index 16dd4ec2e5..0000000000 
--- a/packages/system/0.12.2/kibana/visualization/system-dc589770-fa2b-11e6-bbd3-29c986c96e5a.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top sudo commands [Logs System]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"system.auth.sudo.command\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.auth\\\"\"},\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top sudo commands\",\"type\":\"table\"}" - }, - "id": "system-dc589770-fa2b-11e6-bbd3-29c986c96e5a", - "references": [ - { - "id": "system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-e0f001c0-1b18-11e7-b09e-037021c4f8df.json b/packages/system/0.12.2/kibana/visualization/system-e0f001c0-1b18-11e7-b09e-037021c4f8df.json deleted file mode 100755 index 0de4eae928..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-e0f001c0-1b18-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Top Processes By CPU [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"bar_color\":\"rgba(104,188,0,1)\",\"id\":\"60e11be0-1b18-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0}],\"drilldown_url\":\"\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.process\\\"\"},\"id\":\"5f5b8d50-1b18-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"5f5b8d51-1b18-11e7-b09e-037021c4f8df\",\"line_width\":1,\"metrics\":[{\"field\":\"system.process.cpu.total.pct\",\"id\":\"5f5b8d52-1b18-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"process.name\",\"terms_order_by\":\"5f5b8d52-1b18-11e7-b09e-037021c4f8df\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Top Processes By CPU [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-e0f001c0-1b18-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-e121b140-fa78-11e6-a1df-a78bd7504d38.json b/packages/system/0.12.2/kibana/visualization/system-e121b140-fa78-11e6-a1df-a78bd7504d38.json deleted file mode 100755 index 8bc2dd67ee..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-e121b140-fa78-11e6-a1df-a78bd7504d38.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New users by shell [Logs System]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"/bin/bash\":\"#E24D42\",\"/bin/false\":\"#508642\",\"/sbin/nologin\":\"#7EB26D\"},\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"system.auth.useradd.shell\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.auth\\\"\"},\"isDonut\":false,\"legendPosition\":\"right\"},\"title\":\"New users by shell\",\"type\":\"pie\"}" - }, - "id": "system-e121b140-fa78-11e6-a1df-a78bd7504d38", - "references": [ - { - "id": "system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-e20c02d0-9b48-11ea-87e4-49f31ec44891.json b/packages/system/0.12.2/kibana/visualization/system-e20c02d0-9b48-11ea-87e4-49f31ec44891.json deleted file mode 100755 index 8b24cd66d5..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-e20c02d0-9b48-11ea-87e4-49f31ec44891.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Group Management Events - Groups vs Actions - Heatmap [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Target Groups\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Actions\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Blues\",\"colorsNumber\":4,\"colorsRange\":[],\"enableHover\":false,\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"type\":\"heatmap\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"black\",\"overwriteColor\":false,\"rotate\":0,\"show\":true},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Group Management Events - Groups vs Actions - Heatmap [Windows System Security]\",\"type\":\"heatmap\"}" - }, - "id": "windows-e20c02d0-9b48-11ea-87e4-49f31ec44891", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": 
"search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-e22c6f40-f498-11e9-8405-516218e3d268.json b/packages/system/0.12.2/kibana/visualization/system-e22c6f40-f498-11e9-8405-516218e3d268.json deleted file mode 100755 index fa97c1bb70..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-e22c6f40-f498-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Groups Deleted TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(200,201,197,1)\",\"id\":\"bfcaced0-f419-11e9-928e-8f5fd2b6c66e\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(228,155,75,1)\",\"id\":\"a7d935e0-f497-11e9-928e-8f5fd2b6c66e\",\"operator\":\"gt\",\"value\":0}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code:4734 OR event.code:4730 OR event.code:4758 OR event.code:4753 OR event.code:4763 OR event.code:4748 OR event.code:4789 OR event.code:4792\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Groups Deleted\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Groups Deleted TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-e22c6f40-f498-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.2/kibana/visualization/system-e2516c10-a249-11e9-a422-d144027429da.json b/packages/system/0.12.2/kibana/visualization/system-e2516c10-a249-11e9-a422-d144027429da.json
deleted file mode 100755
index de6a2d6e79..0000000000
--- a/packages/system/0.12.2/kibana/visualization/system-e2516c10-a249-11e9-a422-d144027429da.json
+++ /dev/null
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4672\"},\"type\":\"phrase\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4672\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Administrator Users [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"winlog.logon.id\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/s/siem\",\"origin\":\"https://192.168.1.72:5601\",\"pathname\":\"/s/siem/app/kibana\"}}},\"label\":\"user.name: Descending\",\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"cardinality\",\"format\":{\"id\":\"number\"},\"label\":\"Unique count of winlog.logon.id\",\"params\":{}}},\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"bottom\",\"type\":\"pie\"},\"title\":\"Administrator Users [Windows System Security]\",\"type\":\"pie\"}" - 
}, - "id": "windows-e2516c10-a249-11e9-a422-d144027429da", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf.json b/packages/system/0.12.2/kibana/visualization/system-ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf.json deleted file mode 100755 index 92704f61b4..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4726\"},\"type\":\"phrase\",\"value\":\"4726\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4726\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Deleted - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Deleted User\",\"field\":\"winlog.event_data.TargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performed 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Deleted - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-ee0319a0-bcd4-11e9-b6a2-c9b4015c4baf", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-ee292bc0-f499-11e9-8405-516218e3d268.json b/packages/system/0.12.2/kibana/visualization/system-ee292bc0-f499-11e9-8405-516218e3d268.json deleted file mode 100755 index 9fe3b6d974..0000000000 
--- a/packages/system/0.12.2/kibana/visualization/system-ee292bc0-f499-11e9-8405-516218e3d268.json
+++ /dev/null
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Groups Created TSVB Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(200,201,197,1)\",\"id\":\"bfcaced0-f419-11e9-928e-8f5fd2b6c66e\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(181,99,93,1)\",\"id\":\"a7d935e0-f497-11e9-928e-8f5fd2b6c66e\",\"operator\":\"gt\",\"value\":0}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code:4731 OR event.code:4727 OR event.code:\\\"4754\\\" OR event.code:\\\"4749\\\" OR event.code:\\\"4759\\\" OR event.code:\\\"4744\\\" OR event.code:\\\"4783\\\" OR event.code:\\\"4790\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Groups Created\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Groups Created TSVB Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-ee292bc0-f499-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.2/kibana/visualization/system-f398d2f0-fa77-11e6-ae9b-81e5311e8cab.json b/packages/system/0.12.2/kibana/visualization/system-f398d2f0-fa77-11e6-ae9b-81e5311e8cab.json deleted file mode 100755 index 485b755000..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-f398d2f0-fa77-11e6-ae9b-81e5311e8cab.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New users [Logs System]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Host\",\"field\":\"host.hostname\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"User\",\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"UID\",\"field\":\"user.id\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"GID\",\"field\":\"group.id\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Home\",\"field\":\"system.auth.useradd.home\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"Shell\",\"field\":\"system.auth.useradd.shell\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.auth\\\"\"},\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"New users\",\"type\":\"table\"}" - }, - "id": "system-f398d2f0-fa77-11e6-ae9b-81e5311e8cab", - "references": [ - { - "id": 
"system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-f42f3b20-fee6-11e9-8405-516218e3d268.json b/packages/system/0.12.2/kibana/visualization/system-f42f3b20-fee6-11e9-8405-516218e3d268.json deleted file mode 100755 index be6236125f..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-f42f3b20-fee6-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4731\",\"4727\",\"4754\",\"4744\",\"4759\",\"4779\",\"4790\",\"4783\"],\"type\":\"phrases\",\"value\":\"4731, 4727, 4754, 4744, 4759, 4779, 4790, 4783\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4731\"}},{\"match_phrase\":{\"event.code\":\"4727\"}},{\"match_phrase\":{\"event.code\":\"4754\"}},{\"match_phrase\":{\"event.code\":\"4744\"}},{\"match_phrase\":{\"event.code\":\"4759\"}},{\"match_phrase\":{\"event.code\":\"4779\"}},{\"match_phrase\":{\"event.code\":\"4790\"}},{\"match_phrase\":{\"event.code\":\"4783\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Groups Created - Simple Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Groups Created\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Reds\",\"colorsRange\":[{\"from\":0,\"to\":1,\"type\":\"range\"},{\"from\":1,\"to\":10},{\"from\":10,\"to\":20},{\"from\":20,\"to\":9999}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"Labels\",\"percentageMode\":false,\"style\":{\"bgColor\":true,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Groups Created - 
Simple Metric [Windows System Security]\",\"type\":\"metric\"}" - }, - "id": "windows-f42f3b20-fee6-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-fa876300-231a-11ea-8405-516218e3d268.json b/packages/system/0.12.2/kibana/visualization/system-fa876300-231a-11ea-8405-516218e3d268.json deleted file mode 100755 index 48a9eef8da..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-fa876300-231a-11ea-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4781\"},\"type\":\"phrase\",\"value\":\"4781\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4781\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Renamed - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Old User Name\",\"field\":\"winlog.event_data.OldTargetUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Performer 
LogonId\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Renamed - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-fa876300-231a-11ea-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-fe064790-1b1f-11e7-bec4-a5e9ec5cab8b.json b/packages/system/0.12.2/kibana/visualization/system-fe064790-1b1f-11e7-bec4-a5e9ec5cab8b.json deleted file mode 100755 index 86576781aa..0000000000 
--- a/packages/system/0.12.2/kibana/visualization/system-fe064790-1b1f-11e7-bec4-a5e9ec5cab8b.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Top Hosts By Memory (Realtime) [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"bar_color\":\"rgba(104,188,0,1)\",\"id\":\"33349dd0-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0},{\"bar_color\":\"rgba(254,146,0,1)\",\"id\":\"997dc440-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.6},{\"bar_color\":\"rgba(211,49,21,1)\",\"id\":\"a10d7f20-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.85}],\"drilldown_url\":\"../app/kibana#/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8?_a=(query:(language:kuery,query:'host.name:\\\"{{key}}\\\"'))\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.memory\\\"\"},\"id\":\"31e5afa0-1b1c-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"31e5afa1-1b1c-11e7-b09e-037021c4f8df\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.actual.used.pct\",\"id\":\"31e5afa2-1b1c-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"host.name\",\"terms_order_by\":\"31e5afa2-1b1c-11e7-b09e-037021c4f8df\",\"terms_size\":\"10\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Top Hosts By Memory (Realtime) [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-fe064790-1b1f-11e7-bec4-a5e9ec5cab8b", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.2/kibana/visualization/system-fee83900-f49f-11e9-8405-516218e3d268.json b/packages/system/0.12.2/kibana/visualization/system-fee83900-f49f-11e9-8405-516218e3d268.json deleted file mode 100755 index 4ca79e5282..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-fee83900-f49f-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4733\",\"4729\",\"4757\",\"4786\",\"4788\",\"4752\",\"4762\",\"4747\"],\"type\":\"phrases\",\"value\":\"4733, 4729, 4757, 4786, 4788, 4752, 4762, 4747\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4733\"}},{\"match_phrase\":{\"event.code\":\"4729\"}},{\"match_phrase\":{\"event.code\":\"4757\"}},{\"match_phrase\":{\"event.code\":\"4786\"}},{\"match_phrase\":{\"event.code\":\"4788\"}},{\"match_phrase\":{\"event.code\":\"4752\"}},{\"match_phrase\":{\"event.code\":\"4762\"}},{\"match_phrase\":{\"event.code\":\"4747\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"}}" - }, - "title": "Users Removed from Group - Table [Windows System Security]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"User\",\"field\":\"winlog.event_data.MemberName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Group\",\"field\":\"group.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"group.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Performed by\",\"field\":\"winlog.event_data.SubjectUserName\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Performed by Logon 
ID\",\"field\":\"winlog.logon.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":3,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":4,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":5,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":5,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users Removed from Group - Table [Windows System Security]\",\"type\":\"table\"}" - }, - "id": "windows-fee83900-f49f-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": 
"visualization" -} \ No newline at end of file diff --git a/packages/system/0.12.2/kibana/visualization/system-ffebe440-f419-11e9-8405-516218e3d268.json b/packages/system/0.12.2/kibana/visualization/system-ffebe440-f419-11e9-8405-516218e3d268.json deleted file mode 100755 index a4964edb78..0000000000 --- a/packages/system/0.12.2/kibana/visualization/system-ffebe440-f419-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Users Added - Metric [Windows System Security]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"background_color\":\"rgba(204,204,204,1)\",\"id\":\"bfcaced0-f419-11e9-928e-8f5fd2b6c66e\",\"operator\":\"lte\",\"value\":0},{\"background_color\":\"rgba(181,99,93,1)\",\"id\":\"a7d935e0-f497-11e9-928e-8f5fd2b6c66e\",\"operator\":\"gte\",\"value\":1}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"event.code:4732 OR event.code:4728 OR event.code:4756 OR event.code:4751 OR event.code:4761 OR event.code:4746 OR event.code:4785 OR event.code:4787\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"90d\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Users Added to Group\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"metric\"},\"title\":\"Users Added - Metric [Windows System Security]\",\"type\":\"metrics\"}" - }, - "id": "windows-ffebe440-f419-11e9-8405-516218e3d268", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.12.2/manifest.yml b/packages/system/0.12.2/manifest.yml deleted file mode 100755 index 281f9a6500..0000000000 --- a/packages/system/0.12.2/manifest.yml +++ /dev/null 
@@ -1,79 +0,0 @@ -format_version: 1.0.0 -name: system -title: System -version: 0.12.2 -license: basic -description: System Integration -type: integration -categories: - - os_system - - security -release: beta -conditions: - kibana.version: '^7.13.0' -screenshots: - - src: /img/kibana-system.png - title: kibana system - size: 1220x852 - type: image/png - - src: /img/metricbeat_system_dashboard.png - title: metricbeat system dashboard - size: 2097x1933 - type: image/png -icons: - - src: /img/system.svg - title: system - size: 1000x1000 - type: image/svg+xml -policy_templates: - - name: system - title: System logs and metrics - description: Collect logs and metrics from System instances - inputs: - - type: logfile - title: Collect logs from System instances - description: Collecting System auth and syslog logs - - type: winlog - title: 'Collect events from the Windows event log' - description: 'Collecting events from Windows event log' - - type: system/metrics - title: Collect metrics from System instances - description: Collecting System core, CPU, diskio, entropy, filesystem, fsstat, load, memory, network, Network Summary, process, Process Summary, raid, service, socket, Socket Summary, uptime and users metrics - vars: - - name: system.hostfs - type: text - title: Proc Filesystem Directory - multi: false - required: false - show_user: true - description: The proc filesystem base directory. - - type: httpjson - title: Collect logs from third-party REST API (experimental) - description: Collect logs from third-party REST API (experimental) - vars: - - name: url - type: text - title: URL of Splunk Enterprise Server - description: i.e. 
scheme://host:port, path is automatic - show_user: true - required: true - default: https://server.example.com:8089 - - name: username - type: text - title: Splunk REST API Username - show_user: true - required: true - - name: password - type: password - title: Splunk REST API Password - required: true - show_user: true - - name: ssl - type: yaml - title: SSL Configuration - description: i.e. certificate_authorities, supported_protocols, verification_mode etc. - multi: false - required: false - show_user: false -owner: - github: elastic/integrations diff --git a/packages/system/0.9.2/data_stream/auth/agent/stream/log.yml.hbs b/packages/system/0.9.2/data_stream/auth/agent/stream/log.yml.hbs deleted file mode 100644 index 58c96859c0..0000000000 --- a/packages/system/0.9.2/data_stream/auth/agent/stream/log.yml.hbs +++ /dev/null @@ -1,14 +0,0 @@ -paths: -{{#each paths as |path i|}} - - {{path}} -{{/each}} -exclude_files: [".gz$"] -multiline: - pattern: "^\\s" - match: after -processors: - - add_locale: ~ - - add_fields: - target: '' - fields: - ecs.version: 1.5.0 \ No newline at end of file diff --git a/packages/system/0.9.2/data_stream/auth/elasticsearch/ingest_pipeline/default.json b/packages/system/0.9.2/data_stream/auth/elasticsearch/ingest_pipeline/default.json deleted file mode 100644 index 8df0a77e58..0000000000 --- a/packages/system/0.9.2/data_stream/auth/elasticsearch/ingest_pipeline/default.json +++ /dev/null 
@@ -1,121 +0,0 @@ -{ - "description": "Pipeline for parsing system authorisation/secure logs", - "processors": [ - { - "grok": { - "field": "message", - "ignore_missing": true, - "pattern_definitions" : { - "GREEDYMULTILINE" : "(.|\n)*", - "TIMESTAMP": "(?:%{TIMESTAMP_ISO8601}|%{SYSLOGTIMESTAMP})" - }, - "patterns": [ - "%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: %{DATA:system.auth.ssh.event} %{DATA:system.auth.ssh.method} for (invalid user )?%{DATA:user.name} from %{IPORHOST:source.ip} port %{NUMBER:source.port:long} ssh2(: %{GREEDYDATA:system.auth.ssh.signature})?", - "%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: %{DATA:system.auth.ssh.event} user %{DATA:user.name} from %{IPORHOST:source.ip}", - "%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: Did not receive identification string from %{IPORHOST:system.auth.ssh.dropped_ip}", - "%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: \\s*%{DATA:user.name} :( %{DATA:system.auth.sudo.error} ;)? TTY=%{DATA:system.auth.sudo.tty} ; PWD=%{DATA:system.auth.sudo.pwd} ; USER=%{DATA:system.auth.sudo.user} ; COMMAND=%{GREEDYDATA:system.auth.sudo.command}", - "%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: new group: name=%{DATA:group.name}, GID=%{NUMBER:group.id}", - "%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: new user: name=%{DATA:user.name}, UID=%{NUMBER:user.id}, GID=%{NUMBER:group.id}, home=%{DATA:system.auth.useradd.home}, shell=%{DATA:system.auth.useradd.shell}$", - "%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname}? 
%{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: %{GREEDYMULTILINE:system.auth.message}" - ] - } - }, - { - "remove": { - "field": "message" - } - }, - { - "rename": { - "field": "system.auth.message", - "target_field": "message", - "ignore_missing": true - } - }, - { - "set": { - "field": "source.ip", - "value": "{{system.auth.ssh.dropped_ip}}", - "if": "ctx.containsKey('system') && ctx.system.containsKey('auth') && ctx.system.auth.containsKey('ssh') && ctx.system.auth.ssh.containsKey('dropped_ip')" - } - }, - { - "date": { - "if": "ctx.event.timezone == null", - "field": "system.auth.timestamp", - "target_field": "@timestamp", - "formats": [ - "MMM d HH:mm:ss", - "MMM dd HH:mm:ss", - "ISO8601" - ], - "on_failure": [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] - } - }, - { - "date": { - "if": "ctx.event.timezone != null", - "field": "system.auth.timestamp", - "target_field": "@timestamp", - "formats": [ - "MMM d HH:mm:ss", - "MMM dd HH:mm:ss", - "ISO8601" - ], - "timezone": "{{ event.timezone }}", - "on_failure": [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] - } - }, - { - "remove": { - "field": "system.auth.timestamp" - } - }, - { - "geoip": { - "field": "source.ip", - "target_field": "source.geo", - "ignore_failure": true - } - }, - { - "geoip": { - "database_file": "GeoLite2-ASN.mmdb", - "field": "source.ip", - "target_field": "source.as", - "properties": [ - "asn", - "organization_name" - ], - "ignore_missing": true - } - }, - { - "rename": { - "field": "source.as.asn", - "target_field": "source.as.number", - "ignore_missing": true - } - }, - { - "rename": { - "field": "source.as.organization_name", - "target_field": "source.as.organization.name", - "ignore_missing": true - } - }, - { - "script": { - "lang": "painless", - "ignore_failure": true, - "source": "if (ctx.system.auth.ssh.event == \"Accepted\") { if (!ctx.containsKey(\"event\")) { ctx.event = [:]; } 
ctx.event.type = \"authentication_success\"; ctx.event.category = \"authentication\"; ctx.event.action = \"ssh_login\"; ctx.event.outcome = \"success\"; } else if (ctx.system.auth.ssh.event == \"Invalid\" || ctx.system.auth.ssh.event == \"Failed\") { if (!ctx.containsKey(\"event\")) { ctx.event = [:]; } ctx.event.type = \"authentication_failure\"; ctx.event.category = \"authentication\"; ctx.event.action = \"ssh_login\"; ctx.event.outcome = \"failure\"; }" - } - } - ], - "on_failure" : [{ - "set" : { - "field" : "error.message", - "value" : "{{ _ingest.on_failure_message }}" - } - }] -} diff --git a/packages/system/0.9.2/data_stream/auth/elasticsearch/ingest_pipeline/default.yml b/packages/system/0.9.2/data_stream/auth/elasticsearch/ingest_pipeline/default.yml deleted file mode 100644 index 9f7c43959d..0000000000 --- a/packages/system/0.9.2/data_stream/auth/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,146 +0,0 @@ ---- -description: Pipeline for parsing system authorisation/secure logs -processors: -- grok: - field: message - ignore_missing: true - pattern_definitions: - GREEDYMULTILINE: |- - (.| - )* - TIMESTAMP: (?:%{TIMESTAMP_ISO8601}|%{SYSLOGTIMESTAMP}) - patterns: - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - %{DATA:system.auth.ssh.event} %{DATA:system.auth.ssh.method} for (invalid user - )?%{DATA:user.name} from %{IPORHOST:source.ip} port %{NUMBER:source.port:long} - ssh2(: %{GREEDYDATA:system.auth.ssh.signature})?' - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - %{DATA:system.auth.ssh.event} user %{DATA:user.name} from %{IPORHOST:source.ip}' - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - Did not receive identification string from %{IPORHOST:system.auth.ssh.dropped_ip}' - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - \s*%{DATA:user.name} :( %{DATA:system.auth.sudo.error} ;)? TTY=%{DATA:system.auth.sudo.tty} - ; PWD=%{DATA:system.auth.sudo.pwd} ; USER=%{DATA:system.auth.sudo.user} ; COMMAND=%{GREEDYDATA:system.auth.sudo.command}' - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - new group: name=%{DATA:group.name}, GID=%{NUMBER:group.id}' - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - new user: name=%{DATA:user.name}, UID=%{NUMBER:user.id}, GID=%{NUMBER:group.id}, - home=%{DATA:system.auth.useradd.home}, shell=%{DATA:system.auth.useradd.shell}$' - - '%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname}? 
%{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: - %{GREEDYMULTILINE:system.auth.message}' -- remove: - field: message -- rename: - field: system.auth.message - target_field: message - ignore_missing: true -- set: - field: source.ip - value: '{{system.auth.ssh.dropped_ip}}' - if: "ctx?.system?.auth?.ssh?.dropped_ip != null" -- date: - if: ctx.event.timezone == null - field: system.auth.timestamp - target_field: '@timestamp' - formats: - - MMM d HH:mm:ss - - MMM dd HH:mm:ss - - ISO8601 - on_failure: - - append: - field: error.message - value: '{{ _ingest.on_failure_message }}' -- date: - if: ctx.event.timezone != null - field: system.auth.timestamp - target_field: '@timestamp' - formats: - - MMM d HH:mm:ss - - MMM dd HH:mm:ss - - ISO8601 - timezone: '{{ event.timezone }}' - on_failure: - - append: - field: error.message - value: '{{ _ingest.on_failure_message }}' -- remove: - field: system.auth.timestamp -- geoip: - field: source.ip - target_field: source.geo - ignore_failure: true -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true -- rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true -- rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true -- set: - field: event.kind - value: event -- script: - lang: painless - ignore_failure: true - source: >- - if (ctx.system.auth.ssh.event == "Accepted") { - ctx.event.type = ["authentication_success", "info"]; - ctx.event.category = ["authentication"]; - ctx.event.action = "ssh_login"; - ctx.event.outcome = "success"; - } else if (ctx.system.auth.ssh.event == "Invalid" || ctx.system.auth.ssh.event == "Failed") { - ctx.event.type = ["authentication_failure", "info"]; - ctx.event.category = ["authentication"]; - ctx.event.action = "ssh_login"; - ctx.event.outcome = "failure"; - } - -- append: - field: event.category - value: 
iam - if: "ctx?.process?.name != null && ['groupadd', 'groupdel', 'groupmod', 'useradd', 'userdel', 'usermod'].contains(ctx.process.name)" -- set: - field: event.outcome - value: success - if: "ctx?.process?.name != null && ['groupadd', 'groupdel', 'groupmod', 'useradd', 'userdel', 'usermod'].contains(ctx.process.name)" -- append: - field: event.type - value: user - if: "ctx?.process?.name != null && ['useradd', 'userdel', 'usermod'].contains(ctx.process.name)" -- append: - field: event.type - value: group - if: "ctx?.process?.name != null && ['groupadd', 'groupdel', 'groupmod'].contains(ctx.process.name)" -- append: - field: event.type - value: creation - if: "ctx?.process?.name != null && ['useradd', 'groupadd'].contains(ctx.process.name)" -- append: - field: event.type - value: deletion - if: "ctx?.process?.name != null && ['userdel', 'groupdel'].contains(ctx.process.name)" -- append: - field: event.type - value: change - if: "ctx?.process?.name != null && ['usermod', 'groupmod'].contains(ctx.process.name)" -- append: - field: related.user - value: "{{user.name}}" - if: "ctx?.user?.name != null" -- append: - field: related.ip - value: "{{source.ip}}" - if: "ctx?.source?.ip != null" -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/system/0.9.2/data_stream/auth/fields/agent.yml b/packages/system/0.9.2/data_stream/auth/fields/agent.yml deleted file mode 100644 index da4e652c53..0000000000 --- a/packages/system/0.9.2/data_stream/auth/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.9.2/data_stream/auth/fields/base-fields.yml b/packages/system/0.9.2/data_stream/auth/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.9.2/data_stream/auth/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.9.2/data_stream/auth/fields/ecs.yml b/packages/system/0.9.2/data_stream/auth/fields/ecs.yml
deleted file mode 100644
index 2a84b338b1..0000000000
--- a/packages/system/0.9.2/data_stream/auth/fields/ecs.yml
+++ /dev/null
@@ -1,187 +0,0 @@ -- name: '@timestamp' - level: core - required: true - type: date - description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. -- name: message - level: core - type: text - description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. -- name: group - title: Group - group: 2 - type: group - fields: - - name: id - level: extended - type: keyword - description: Unique identifier for the group on the system/platform. - ignore_above: 1024 - - name: name - level: extended - type: keyword - description: Name of the group. - ignore_above: 1024 -- name: host - title: Host - group: 2 - type: group - fields: - - name: hostname - level: core - type: keyword - description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - ignore_above: 1024 -- name: process - title: Process - group: 2 - type: group - fields: - - name: name - level: extended - type: keyword - description: |- - Process name. - Sometimes called program name or similar. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - - name: pid - level: core - type: long - format: string - description: Process id. -- name: source - title: Source - group: 2 - type: group - fields: - - name: geo.city_name - level: core - type: keyword - description: City name. 
- ignore_above: 1024 - - name: geo.continent_name - level: core - type: keyword - description: Name of the continent. - ignore_above: 1024 - - name: geo.country_iso_code - level: core - type: keyword - description: Country ISO code. - ignore_above: 1024 - - name: geo.location - level: core - type: geo_point - description: Longitude and latitude. - - name: geo.region_iso_code - level: core - type: keyword - description: Region ISO code. - ignore_above: 1024 - - name: geo.region_name - level: core - type: keyword - description: Region name. - ignore_above: 1024 - - name: ip - level: core - type: ip - description: IP address of the source (IPv4 or IPv6). - - name: port - level: core - type: long - format: string - description: Port of the source. -- name: user - title: User - group: 2 - type: group - fields: - - name: id - level: core - type: keyword - description: Unique identifier of the user. - ignore_above: 1024 - - name: name - level: core - type: keyword - description: Short name or login of the user. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false -- description: "Operating system architecture." - ignore_above: 1024 - name: host.architecture - type: keyword -- description: "Name of the directory the group is a member of." - ignore_above: 1024 - name: host.domain - type: keyword -- description: "Hostname of the host." - ignore_above: 1024 - name: host.hostname - type: keyword -- description: "Unique host id." - ignore_above: 1024 - name: host.id - type: keyword -- description: "Host ip addresses." - name: host.ip - type: ip -- description: "Host mac addresses." - ignore_above: 1024 - name: host.mac - type: keyword -- description: "Name of the host." - ignore_above: 1024 - name: host.name - type: keyword -- description: "OS family (such as redhat, debian, freebsd, windows)." - ignore_above: 1024 - name: host.os.family - type: keyword -- description: "Operating system name, including the version or code name." 
- ignore_above: 1024 - multi_fields: - - name: text - norms: false - type: text - name: host.os.full - type: keyword -- description: "Operating system kernel version as a raw string." - ignore_above: 1024 - name: host.os.kernel - type: keyword -- description: "Operating system name, without the version." - ignore_above: 1024 - multi_fields: - - name: text - norms: false - type: text - name: host.os.name - type: keyword -- description: "Operating system platform (such centos, ubuntu, windows)." - ignore_above: 1024 - name: host.os.platform - type: keyword -- description: "Operating system version as a raw string." - ignore_above: 1024 - name: version - type: keyword diff --git a/packages/system/0.9.2/data_stream/auth/fields/fields.yml b/packages/system/0.9.2/data_stream/auth/fields/fields.yml deleted file mode 100644 index 1e7b044f02..0000000000 --- a/packages/system/0.9.2/data_stream/auth/fields/fields.yml +++ /dev/null 
@@ -1,58 +0,0 @@
-- name: system.auth
- type: group
- fields:
- - name: ssh
- type: group
- fields:
- - name: method
- type: keyword
- description: |
- The SSH authentication method. Can be one of "password" or "publickey".
- - name: signature
- type: keyword
- description: |
- The signature of the client public key.
- - name: dropped_ip
- type: ip
- description: |
- The client IP from SSH connections that are open and immediately dropped.
- - name: event
- type: keyword
- description: |
- The SSH event as found in the logs (Accepted, Invalid, Failed, etc.)
- - name: geoip
- type: group
- - name: sudo
- type: group
- fields:
- - name: error
- type: keyword
- description: |
- The error message in case the sudo command failed.
- - name: tty
- type: keyword
- description: |
- The TTY where the sudo command is executed.
- - name: pwd
- type: keyword
- description: |
- The current directory where the sudo command is executed.
- - name: user
- type: keyword
- description: |
- The target user to which the sudo command is switching.
- - name: command
- type: keyword
- description: |
- The command executed via sudo.
- - name: useradd
- type: group
- fields:
- - name: home
- type: keyword
- description: The home folder for the new user.
- - name: shell
- type: keyword
- description: The default shell for the new user.
- - name: groupadd
- type: group
diff --git a/packages/system/0.9.2/data_stream/auth/manifest.yml b/packages/system/0.9.2/data_stream/auth/manifest.yml
deleted file mode 100644
index 428764ece1..0000000000
--- a/packages/system/0.9.2/data_stream/auth/manifest.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-title: System auth logs
-release: experimental
-type: logs
-streams:
- - input: logfile
- vars:
- - name: paths
- type: text
- title: Paths
- multi: true
- required: true
- show_user: true
- default:
- - /var/log/auth.log*
- - /var/log/secure*
- template_path: log.yml.hbs
- title: System auth logs (log)
- description: Collect System auth logs using log input
diff --git a/packages/system/0.9.2/data_stream/core/agent/stream/stream.yml.hbs b/packages/system/0.9.2/data_stream/core/agent/stream/stream.yml.hbs
deleted file mode 100644
index 38d25572bd..0000000000
--- a/packages/system/0.9.2/data_stream/core/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,5 +0,0 @@
-metricsets: ["core"]
-core.metrics:
-{{#each core.metrics}}
- - {{this}}
-{{/each}}
diff --git a/packages/system/0.9.2/data_stream/core/fields/agent.yml b/packages/system/0.9.2/data_stream/core/fields/agent.yml
deleted file mode 100644
index da4e652c53..0000000000
--- a/packages/system/0.9.2/data_stream/core/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.9.2/data_stream/core/fields/base-fields.yml b/packages/system/0.9.2/data_stream/core/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.9.2/data_stream/core/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.9.2/data_stream/core/fields/ecs.yml b/packages/system/0.9.2/data_stream/core/fields/ecs.yml
deleted file mode 100644
index e76a78fa1d..0000000000
--- a/packages/system/0.9.2/data_stream/core/fields/ecs.yml
+++ /dev/null
@@ -1,71 +0,0 @@ -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. 
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: Type of host.
diff --git a/packages/system/0.9.2/data_stream/core/fields/fields.yml b/packages/system/0.9.2/data_stream/core/fields/fields.yml
deleted file mode 100644
index dab186321f..0000000000
--- a/packages/system/0.9.2/data_stream/core/fields/fields.yml
+++ /dev/null
@@ -1,103 +0,0 @@ -- name: system.core - type: group - fields: - - name: id - type: keyword - description: | - CPU Core number. - - name: user.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in user space. - - name: user.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent in user space. - - name: system.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in kernel space. - - name: system.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent in kernel space. - - name: nice.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent on low-priority processes. - - name: nice.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent on low-priority processes. - - name: idle.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent idle. - - name: idle.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent idle. - - name: iowait.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in wait (on disk). - - name: iowait.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent in wait (on disk). - - name: irq.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent servicing and handling hardware interrupts. - - name: irq.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent servicing and handling hardware interrupts. 
- - name: softirq.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent servicing and handling software interrupts.
- - name: softirq.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent servicing and handling software interrupts.
- - name: steal.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.
- - name: steal.ticks
- type: long
- metric_type: counter
- description: |
- The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.
diff --git a/packages/system/0.9.2/data_stream/core/manifest.yml b/packages/system/0.9.2/data_stream/core/manifest.yml
deleted file mode 100644
index f7e0e5a825..0000000000
--- a/packages/system/0.9.2/data_stream/core/manifest.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-title: System core metrics
-release: experimental
-type: metrics
-streams:
- - input: system/metrics
- enabled: false
- vars:
- - name: period
- type: text
- title: Period
- multi: false
- required: true
- show_user: true
- default: 10s
- - name: core.metrics
- type: text
- title: Core Metrics
- multi: true
- required: true
- show_user: true
- description: >
- How to report core metrics. Can be "percentages" or "ticks"
-
- default:
- - percentages
- title: System core metrics
- description: Collect System core metrics
diff --git a/packages/system/0.9.2/data_stream/cpu/agent/stream/stream.yml.hbs b/packages/system/0.9.2/data_stream/cpu/agent/stream/stream.yml.hbs
deleted file mode 100644
index cd0de8d3d9..0000000000
--- a/packages/system/0.9.2/data_stream/cpu/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,6 +0,0 @@
-metricsets: ["cpu"]
-cpu.metrics:
-{{#each cpu.metrics}}
- - {{this}}
-{{/each}}
-period: {{period}}
\ No newline at end of file
diff --git a/packages/system/0.9.2/data_stream/cpu/fields/agent.yml b/packages/system/0.9.2/data_stream/cpu/fields/agent.yml
deleted file mode 100644
index da4e652c53..0000000000
--- a/packages/system/0.9.2/data_stream/cpu/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.9.2/data_stream/cpu/fields/base-fields.yml b/packages/system/0.9.2/data_stream/cpu/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.9.2/data_stream/cpu/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.9.2/data_stream/cpu/fields/ecs.yml b/packages/system/0.9.2/data_stream/cpu/fields/ecs.yml
deleted file mode 100644
index e76a78fa1d..0000000000
--- a/packages/system/0.9.2/data_stream/cpu/fields/ecs.yml
+++ /dev/null
@@ -1,71 +0,0 @@ -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. 
- example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: Type of host. diff --git a/packages/system/0.9.2/data_stream/cpu/fields/fields.yml b/packages/system/0.9.2/data_stream/cpu/fields/fields.yml deleted file mode 100644 index 9efed64c2d..0000000000 --- a/packages/system/0.9.2/data_stream/cpu/fields/fields.yml +++ /dev/null 
@@ -1,182 +0,0 @@ -- name: system.cpu - type: group - fields: - - name: cores - type: long - metric_type: gauge - description: | - The number of CPU cores present on the host. The non-normalized percentages will have a maximum value of `100% * cores`. The normalized percentages already take this value into account and have a maximum value of 100%. - - name: user.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in user space. On multi-core systems, you can have percentages that are greater than 100%. For example, if 3 cores are at 60% use, then the `system.cpu.user.pct` will be 180%. - - name: system.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in kernel space. - - name: nice.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent on low-priority processes. - - name: idle.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent idle. - - name: iowait.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in wait (on disk). - - name: irq.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent servicing and handling hardware interrupts. - - name: softirq.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent servicing and handling software interrupts. - - name: steal.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. 
- - name: total.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in states other than Idle and IOWait. - - name: user.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in user space. - - name: system.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in kernel space. - - name: nice.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent on low-priority processes. - - name: idle.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent idle. - - name: iowait.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in wait (on disk). - - name: irq.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent servicing and handling hardware interrupts. - - name: softirq.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent servicing and handling software interrupts. - - name: steal.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. - - name: total.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time in states other than Idle and IOWait, normalised by the number of cores. 
- - name: user.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent in user space. - - name: system.ticks - type: long - description: | - The amount of CPU time spent in kernel space. - - name: nice.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent on low-priority processes. - - name: idle.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent idle. - - name: iowait.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent in wait (on disk). - - name: irq.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent servicing and handling hardware interrupts. - - name: softirq.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent servicing and handling software interrupts. - - name: steal.ticks - type: long - metric_type: counter - description: | - The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. -- name: host - type: group - fields: - - name: cpu.pct - type: scaled_float - unit: percent - metric_type: gauge - description: | - Percent CPU used. This value is normalized by the number of CPU cores and it ranges from 0 to 1. diff --git a/packages/system/0.9.2/data_stream/cpu/manifest.yml b/packages/system/0.9.2/data_stream/cpu/manifest.yml deleted file mode 100644 index 0388136d11..0000000000 --- a/packages/system/0.9.2/data_stream/cpu/manifest.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -title: System cpu metrics -release: experimental -type: metrics -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - - name: cpu.metrics - type: text - title: Cpu Metrics - multi: true - required: true - show_user: true - description: > - How to report CPU metrics. Can be "percentages", "normalized_percentages", or "ticks" - - default: - - percentages - - normalized_percentages - title: System cpu metrics - description: Collect System cpu metrics diff --git a/packages/system/0.9.2/data_stream/diskio/agent/stream/stream.yml.hbs b/packages/system/0.9.2/data_stream/diskio/agent/stream/stream.yml.hbs deleted file mode 100644 index 689369ee25..0000000000 --- a/packages/system/0.9.2/data_stream/diskio/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,6 +0,0 @@ -metricsets: ["diskio"] -diskio.include_devices: -{{#each diskio.include_devices}} - - {{this}} -{{/each}} -period: {{period}} \ No newline at end of file diff --git a/packages/system/0.9.2/data_stream/diskio/fields/agent.yml b/packages/system/0.9.2/data_stream/diskio/fields/agent.yml deleted file mode 100644 index da4e652c53..0000000000 --- a/packages/system/0.9.2/data_stream/diskio/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.9.2/data_stream/diskio/fields/base-fields.yml b/packages/system/0.9.2/data_stream/diskio/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.9.2/data_stream/diskio/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.9.2/data_stream/diskio/fields/ecs.yml b/packages/system/0.9.2/data_stream/diskio/fields/ecs.yml
deleted file mode 100644
index 9a7eeefc56..0000000000
--- a/packages/system/0.9.2/data_stream/diskio/fields/ecs.yml
+++ /dev/null
@@ -1,78 +0,0 @@ -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: hostname - level: core - type: keyword - description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - ignore_above: 1024 - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). 
- example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: Type of host. diff --git a/packages/system/0.9.2/data_stream/diskio/fields/fields.yml b/packages/system/0.9.2/data_stream/diskio/fields/fields.yml deleted file mode 100644 index 01a5762c60..0000000000 --- a/packages/system/0.9.2/data_stream/diskio/fields/fields.yml +++ /dev/null 
@@ -1,136 +0,0 @@ -- name: system.diskio - type: group - fields: - - name: name - type: keyword - description: | - The disk name. - - name: serial_number - type: keyword - description: | - The disk's serial number. This may not be provided by all operating systems. - - name: read.count - type: long - metric_type: counter - description: | - The total number of reads completed successfully. - - name: write.count - type: long - metric_type: counter - description: | - The total number of writes completed successfully. - - name: read.bytes - type: long - format: bytes - unit: byte - metric_type: counter - description: | - The total number of bytes read successfully. On Linux this is the number of sectors read multiplied by an assumed sector size of 512. - - name: write.bytes - type: long - format: bytes - unit: byte - metric_type: counter - description: | - The total number of bytes written successfully. On Linux this is the number of sectors written multiplied by an assumed sector size of 512. - - name: read.time - type: long - metric_type: counter - description: | - The total number of milliseconds spent by all reads. - - name: write.time - type: long - metric_type: counter - description: | - The total number of milliseconds spent by all writes. - - name: io.time - type: long - metric_type: counter - description: | - The total number of of milliseconds spent doing I/Os. - - name: iostat.read.request.merges_per_sec - type: float - metric_type: gauge - description: | - The number of read requests merged per second that were queued to the device. - - name: iostat.write.request.merges_per_sec - type: float - metric_type: gauge - description: | - The number of write requests merged per second that were queued to the device. 
- - name: iostat.read.request.per_sec - type: float - metric_type: gauge - description: | - The number of read requests that were issued to the device per second - - name: iostat.write.request.per_sec - type: float - metric_type: gauge - description: | - The number of write requests that were issued to the device per second - - name: iostat.read.per_sec.bytes - type: float - format: bytes - metric_type: gauge - description: | - The number of Bytes read from the device per second. - - name: iostat.read.await - type: float - metric_type: gauge - description: | - The average time spent for read requests issued to the device to be served. - - name: iostat.write.per_sec.bytes - type: float - format: bytes - metric_type: gauge - description: | - The number of Bytes write from the device per second. - - name: iostat.write.await - type: float - metric_type: gauge - description: | - The average time spent for write requests issued to the device to be served. - - name: iostat.request.avg_size - type: float - format: bytes - unit: byte - metric_type: gauge - description: | - The average size (in bytes) of the requests that were issued to the device. - - name: iostat.queue.avg_size - type: float - unit: byte - metric_type: gauge - description: | - The average queue length of the requests that were issued to the device. - - name: iostat.await - type: float - metric_type: gauge - description: | - The average time spent for requests issued to the device to be served. - - name: iostat.service_time - type: float - unit: ms - metric_type: gauge - description: | - The average service time (in milliseconds) for I/O requests that were issued to the device. - - name: iostat.busy - type: float - metric_type: gauge - description: | - Percentage of CPU time during which I/O requests were issued to the device (bandwidth utilization for the device). Device saturation occurs when this value is close to 100%. 
-- name: host - type: group - fields: - - name: disk.read.bytes - type: scaled_float - unit: byte - metric_type: gauge - description: | - The total number of bytes read successfully in a given period of time. - - name: disk.write.bytes - type: scaled_float - unit: byte - metric_type: gauge - description: | - The total number of bytes write successfully in a given period of time. diff --git a/packages/system/0.9.2/data_stream/diskio/manifest.yml b/packages/system/0.9.2/data_stream/diskio/manifest.yml deleted file mode 100644 index 320f708bef..0000000000 --- a/packages/system/0.9.2/data_stream/diskio/manifest.yml +++ /dev/null @@ -1,24 +0,0 @@ -title: System diskio metrics -release: experimental -type: metrics -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - - name: diskio.include_devices - type: text - title: Include Devices - multi: true - required: false - show_user: true - description: > - Provide a specific list of devices to monitor. By default, all devices are monitored. - - title: System diskio metrics - description: Collect System diskio metrics diff --git a/packages/system/0.9.2/data_stream/filesystem/agent/stream/stream.yml.hbs b/packages/system/0.9.2/data_stream/filesystem/agent/stream/stream.yml.hbs deleted file mode 100644 index d21fbd9919..0000000000 --- a/packages/system/0.9.2/data_stream/filesystem/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,3 +0,0 @@ -metricsets: ["filesystem"] -period: {{period}} -processors: {{processors}} diff --git a/packages/system/0.9.2/data_stream/filesystem/fields/agent.yml b/packages/system/0.9.2/data_stream/filesystem/fields/agent.yml deleted file mode 100644 index da4e652c53..0000000000 --- a/packages/system/0.9.2/data_stream/filesystem/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.9.2/data_stream/filesystem/fields/base-fields.yml b/packages/system/0.9.2/data_stream/filesystem/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.9.2/data_stream/filesystem/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.9.2/data_stream/filesystem/fields/fields.yml b/packages/system/0.9.2/data_stream/filesystem/fields/fields.yml
deleted file mode 100644
index d7b44199a8..0000000000
--- a/packages/system/0.9.2/data_stream/filesystem/fields/fields.yml
+++ /dev/null
@@ -1,60 +0,0 @@ -- name: system.filesystem - type: group - fields: - - name: available - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The disk space available to an unprivileged user in bytes. - - name: device_name - type: keyword - description: | - The disk name. For example: `/dev/disk1` - - name: type - type: keyword - description: | - The disk type. For example: `ext4` - - name: mount_point - type: keyword - description: | - The mounting point. For example: `/` - - name: files - type: long - metric_type: gauge - description: | - The total number of file nodes in the file system. - - name: free - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The disk space available in bytes. - - name: free_files - type: long - metric_type: gauge - description: | - The number of free file nodes in the file system. - - name: total - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The total disk space in bytes. - - name: used.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The used disk space in bytes. - - name: used.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of used disk space. diff --git a/packages/system/0.9.2/data_stream/filesystem/manifest.yml b/packages/system/0.9.2/data_stream/filesystem/manifest.yml deleted file mode 100644 index 2cc3f159a7..0000000000 --- a/packages/system/0.9.2/data_stream/filesystem/manifest.yml +++ /dev/null 
@@ -1,28 +0,0 @@ -title: System filesystem metrics -release: experimental -type: metrics -streams: - - input: system/metrics - enabled: true - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 1m - - name: processors - type: yaml - title: Processors - multi: false - required: true - show_user: true - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with external metadata. - - default: | - - drop_event.when.regexp: - system.filesystem.mount_point: ^/(sys|cgroup|proc|dev|etc|host|lib|snap)($|/) - title: System filesystem metrics - description: Collect System filesystem metrics diff --git a/packages/system/0.9.2/data_stream/fsstat/agent/stream/stream.yml.hbs b/packages/system/0.9.2/data_stream/fsstat/agent/stream/stream.yml.hbs deleted file mode 100644 index fc5ebe911d..0000000000 --- a/packages/system/0.9.2/data_stream/fsstat/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,3 +0,0 @@ -metricsets: ["fsstat"] -period: {{period}} -processors: {{processors}} diff --git a/packages/system/0.9.2/data_stream/fsstat/fields/agent.yml b/packages/system/0.9.2/data_stream/fsstat/fields/agent.yml deleted file mode 100644 index da4e652c53..0000000000 --- a/packages/system/0.9.2/data_stream/fsstat/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.9.2/data_stream/fsstat/fields/base-fields.yml b/packages/system/0.9.2/data_stream/fsstat/fields/base-fields.yml deleted file mode 100644 index 7c798f4534..0000000000 --- a/packages/system/0.9.2/data_stream/fsstat/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.9.2/data_stream/fsstat/fields/ecs.yml b/packages/system/0.9.2/data_stream/fsstat/fields/ecs.yml deleted file mode 100644 index e76a78fa1d..0000000000 --- a/packages/system/0.9.2/data_stream/fsstat/fields/ecs.yml +++ /dev/null 
@@ -1,71 +0,0 @@ -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. 
- example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: Type of host. diff --git a/packages/system/0.9.2/data_stream/fsstat/fields/fields.yml b/packages/system/0.9.2/data_stream/fsstat/fields/fields.yml deleted file mode 100644 index aab998a85d..0000000000 --- a/packages/system/0.9.2/data_stream/fsstat/fields/fields.yml +++ /dev/null @@ -1,38 +0,0 @@ -- name: system.fsstat - type: group - fields: - - name: count - type: long - metric_type: gauge - description: Number of file systems found. - - name: total_files - type: long - metric_type: gauge - description: Total number of files. - - name: total_size - type: group - format: bytes - unit: byte - metric_type: gauge - fields: - - name: free - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total free space. - - name: used - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total used space. - - name: total - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total space (used plus free). diff --git a/packages/system/0.9.2/data_stream/fsstat/manifest.yml b/packages/system/0.9.2/data_stream/fsstat/manifest.yml deleted file mode 100644 index 8e63d20df1..0000000000 --- a/packages/system/0.9.2/data_stream/fsstat/manifest.yml +++ /dev/null 
@@ -1,28 +0,0 @@ -title: System fsstat metrics -release: experimental -type: metrics -streams: - - input: system/metrics - enabled: true - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 1m - - name: processors - type: yaml - title: Processors - multi: false - required: true - show_user: true - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with external metadata. - - default: | - - drop_event.when.regexp: - system.fsstat.mount_point: ^/(sys|cgroup|proc|dev|etc|host|lib|snap)($|/) - title: System fsstat metrics - description: Collect System fsstat metrics diff --git a/packages/system/0.9.2/data_stream/load/agent/stream/stream.yml.hbs b/packages/system/0.9.2/data_stream/load/agent/stream/stream.yml.hbs deleted file mode 100644 index b8415e9100..0000000000 --- a/packages/system/0.9.2/data_stream/load/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,2 +0,0 @@ -metricsets: ["load"] -period: {{period}} \ No newline at end of file diff --git a/packages/system/0.9.2/data_stream/load/fields/agent.yml b/packages/system/0.9.2/data_stream/load/fields/agent.yml deleted file mode 100644 index da4e652c53..0000000000 --- a/packages/system/0.9.2/data_stream/load/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.9.2/data_stream/load/fields/base-fields.yml b/packages/system/0.9.2/data_stream/load/fields/base-fields.yml deleted file mode 100644 index 7c798f4534..0000000000 --- a/packages/system/0.9.2/data_stream/load/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.9.2/data_stream/load/fields/ecs.yml b/packages/system/0.9.2/data_stream/load/fields/ecs.yml deleted file mode 100644 index e76a78fa1d..0000000000 --- a/packages/system/0.9.2/data_stream/load/fields/ecs.yml +++ /dev/null 
@@ -1,71 +0,0 @@ -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. 
- example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: Type of host. diff --git a/packages/system/0.9.2/data_stream/load/fields/fields.yml b/packages/system/0.9.2/data_stream/load/fields/fields.yml deleted file mode 100644 index ae0130faef..0000000000 --- a/packages/system/0.9.2/data_stream/load/fields/fields.yml +++ /dev/null @@ -1,38 +0,0 @@ -- name: system.load - type: group - fields: - - name: "1" - type: scaled_float - metric_type: gauge - description: | - Load average for the last minute. - - name: "5" - type: scaled_float - metric_type: gauge - description: | - Load average for the last 5 minutes. - - name: "15" - type: scaled_float - metric_type: gauge - description: | - Load average for the last 15 minutes. - - name: norm.1 - type: scaled_float - metric_type: gauge - description: | - Load for the last minute divided by the number of cores. - - name: norm.5 - type: scaled_float - metric_type: gauge - description: | - Load for the last 5 minutes divided by the number of cores. - - name: norm.15 - type: scaled_float - metric_type: gauge - description: | - Load for the last 15 minutes divided by the number of cores. - - name: cores - type: long - metric_type: gauge - description: | - The number of CPU cores present on the host. diff --git a/packages/system/0.9.2/data_stream/load/manifest.yml b/packages/system/0.9.2/data_stream/load/manifest.yml deleted file mode 100644 index 486e57b779..0000000000 --- a/packages/system/0.9.2/data_stream/load/manifest.yml +++ /dev/null @@ -1,15 +0,0 @@ -title: System load metrics -release: experimental -type: metrics -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - title: System load metrics - description: Collect System load metrics 
diff --git a/packages/system/0.9.2/data_stream/memory/agent/stream/stream.yml.hbs b/packages/system/0.9.2/data_stream/memory/agent/stream/stream.yml.hbs deleted file mode 100644 index 0d49de061f..0000000000 --- a/packages/system/0.9.2/data_stream/memory/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,2 +0,0 @@ -metricsets: ["memory"] -period: {{period}} \ No newline at end of file diff --git a/packages/system/0.9.2/data_stream/memory/fields/agent.yml b/packages/system/0.9.2/data_stream/memory/fields/agent.yml deleted file mode 100644 index da4e652c53..0000000000 --- a/packages/system/0.9.2/data_stream/memory/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.9.2/data_stream/memory/fields/base-fields.yml b/packages/system/0.9.2/data_stream/memory/fields/base-fields.yml deleted file mode 100644 index 7c798f4534..0000000000 --- a/packages/system/0.9.2/data_stream/memory/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.9.2/data_stream/memory/fields/ecs.yml b/packages/system/0.9.2/data_stream/memory/fields/ecs.yml deleted file mode 100644 index e76a78fa1d..0000000000 --- a/packages/system/0.9.2/data_stream/memory/fields/ecs.yml +++ /dev/null 
@@ -1,71 +0,0 @@ -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: ip - level: core - type: ip - description: Host ip address. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac address. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.full - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, including the version or code name. - example: Mac OS Mojave - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. 
- example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: Type of host. diff --git a/packages/system/0.9.2/data_stream/memory/fields/fields.yml b/packages/system/0.9.2/data_stream/memory/fields/fields.yml deleted file mode 100644 index 55488d61eb..0000000000 --- a/packages/system/0.9.2/data_stream/memory/fields/fields.yml +++ /dev/null 
@@ -1,199 +0,0 @@
-- name: system.memory
- type: group
- fields:
- - name: total
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Total memory.
- - name: used.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Used memory.
- - name: free
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- The total amount of free memory in bytes. This value does not include memory consumed by system caches and buffers (see system.memory.actual.free).
- - name: used.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of used memory.
- - name: actual
- type: group
- fields:
- - name: used.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Actual used memory in bytes. It represents the difference between the total and the available memory. The available memory depends on the OS. For more details, please check `system.actual.free`.
- - name: free
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Actual free memory in bytes. It is calculated based on the OS. On Linux this value will be MemAvailable from /proc/meminfo, or calculated from free memory plus caches and buffers if /proc/meminfo is not available. On OSX it is a sum of free memory and the inactive memory. On Windows, it is equal to `system.memory.free`.
- - name: used.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of actual used memory.
- - name: swap
- type: group
- fields:
- - name: total
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Total swap memory.
- - name: used.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Used swap memory.
- - name: free
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Available swap memory.
- - name: out.pages
- type: long
- metric_type: counter
- description: count of pages swapped out
- - name: in.pages
- type: long
- metric_type: gauge
- description: count of pages swapped in
- - name: readahead.pages
- type: long
- metric_type: counter
- description: swap readahead pages
- - name: readahead.cached
- type: long
- description: swap readahead cache hits
- - name: used.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- The percentage of used swap memory.
- - name: page_stats
- type: group
- fields:
- - name: pgscan_kswapd.pages
- type: long
- format: number
- metric_type: counter
- description: pages scanned by kswapd
- - name: pgscan_direct.pages
- type: long
- format: number
- metric_type: counter
- description: pages scanned directly
- - name: pgfree.pages
- type: long
- format: number
- metric_type: counter
- description: pages freed by the system
- - name: pgsteal_kswapd.pages
- type: long
- format: number
- metric_type: counter
- description: number of pages reclaimed by kswapd
- - name: pgsteal_direct.pages
- type: long
- format: number
- metric_type: counter
- description: number of pages reclaimed directly
- - name: direct_efficiency.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: direct reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory.
- - name: kswapd_efficiency.pct
- type: scaled_float
- format: percent
- unit: percent
- metric_type: gauge
- description: kswapd reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory.
- - name: hugepages
- type: group
- fields:
- - name: total
- type: long
- format: number
- metric_type: gauge
- description: |
- Number of huge pages in the pool.
- - name: used.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: gauge
- description: |
- Memory used in allocated huge pages.
- - name: used.pct
- type: long
- format: percent
- unit: percent
- metric_type: gauge
- description: |
- Percentage of huge pages used.
- - name: free
- type: long
- format: number
- metric_type: gauge
- description: |
- Number of available huge pages in the pool.
- - name: reserved
- type: long
- format: number
- metric_type: gauge
- description: |
- Number of reserved but not allocated huge pages in the pool.
- - name: surplus
- type: long
- format: number
- metric_type: gauge
- description: |
- Number of overcommited huge pages.
- - name: default_size
- type: long
- format: bytes
- metric_type: gauge
- description: |
- Default size for huge pages.
- - name: swap.out
- type: group
- fields:
- - name: pages
- type: long
- metric_type: gauge
- description: pages swapped out
- - name: fallback
- type: long
- metric_type: gauge
- description: Count of huge pages that must be split before swapout
diff --git a/packages/system/0.9.2/data_stream/memory/manifest.yml b/packages/system/0.9.2/data_stream/memory/manifest.yml
deleted file mode 100644
index aeb17b0bd0..0000000000
--- a/packages/system/0.9.2/data_stream/memory/manifest.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-title: System memory metrics
-release: experimental
-type: metrics
-streams:
- - input: system/metrics
- vars:
- - name: period
- type: text
- title: Period
- multi: false
- required: true
- show_user: true
- default: 10s
- title: System memory metrics
- description: Collect System memory metrics
diff --git a/packages/system/0.9.2/data_stream/network/agent/stream/stream.yml.hbs b/packages/system/0.9.2/data_stream/network/agent/stream/stream.yml.hbs
deleted file mode 100644
index a3aeb928ae..0000000000
--- a/packages/system/0.9.2/data_stream/network/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,6 +0,0 @@
-metricsets: ["network"]
-period: {{period}}
-network.interfaces:
-{{#each network.interfaces}}
- - {{this}}
-{{/each}}
diff --git a/packages/system/0.9.2/data_stream/network/fields/agent.yml b/packages/system/0.9.2/data_stream/network/fields/agent.yml
deleted file mode 100644
index da4e652c53..0000000000
--- a/packages/system/0.9.2/data_stream/network/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/system/0.9.2/data_stream/network/fields/base-fields.yml b/packages/system/0.9.2/data_stream/network/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.9.2/data_stream/network/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.9.2/data_stream/network/fields/ecs.yml b/packages/system/0.9.2/data_stream/network/fields/ecs.yml
deleted file mode 100644
index 9f3d04118b..0000000000
--- a/packages/system/0.9.2/data_stream/network/fields/ecs.yml
+++ /dev/null
@@ -1,128 +0,0 @@
-- name: '@timestamp'
- level: core
- required: true
- type: date
- description: |-
- Date/time when the event originated.
- This is the date/time extracted from the event, typically representing when the event was generated by the source.
- If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline.
- Required field for all events.
-- name: message
- level: core
- type: text
- description: |-
- For log events the message field contains the log message, optimized for viewing in a log viewer.
- For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
- If multiple messages exist, they can be combined into one message.
-- name: group
- title: Group
- group: 2
- type: group
- fields:
- - name: id
- level: extended
- type: keyword
- description: Unique identifier for the group on the system/platform.
- ignore_above: 1024
- - name: name
- level: extended
- type: keyword
- description: Name of the group.
- ignore_above: 1024
-- name: host
- title: Host
- group: 2
- type: group
- fields:
- - name: hostname
- level: core
- type: keyword
- description: |-
- Hostname of the host.
- It normally contains what the `hostname` command returns on the host machine.
- ignore_above: 1024
-- name: process
- title: Process
- group: 2
- type: group
- fields:
- - name: name
- level: extended
- type: keyword
- description: |-
- Process name.
- Sometimes called program name or similar.
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- - name: pid
- level: core
- type: long
- format: string
- description: Process id.
-- name: source
- title: Source
- group: 2
- type: group
- fields:
- - name: geo.city_name
- level: core
- type: keyword
- description: City name.
- ignore_above: 1024
- - name: geo.continent_name
- level: core
- type: keyword
- description: Name of the continent.
- ignore_above: 1024
- - name: geo.country_iso_code
- level: core
- type: keyword
- description: Country ISO code.
- ignore_above: 1024
- - name: geo.location
- level: core
- type: geo_point
- description: Longitude and latitude.
- - name: geo.region_iso_code
- level: core
- type: keyword
- description: Region ISO code.
- ignore_above: 1024
- - name: geo.region_name
- level: core
- type: keyword
- description: Region name.
- ignore_above: 1024
- - name: ip
- level: core
- type: ip
- description: IP address of the source (IPv4 or IPv6).
- - name: port
- level: core
- type: long
- format: string
- description: Port of the source.
-- name: user
- title: User
- group: 2
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- description: Unique identifier of the user.
- ignore_above: 1024
- - name: name
- level: core
- type: keyword
- description: Short name or login of the user.
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
diff --git a/packages/system/0.9.2/data_stream/network/fields/fields.yml b/packages/system/0.9.2/data_stream/network/fields/fields.yml
deleted file mode 100644
index a309d88ba0..0000000000
--- a/packages/system/0.9.2/data_stream/network/fields/fields.yml
+++ /dev/null
@@ -1,77 +0,0 @@
-- name: system.network
- type: group
- fields:
- - name: name
- type: keyword
- description: |
- The network interface name.
- - name: out.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: counter
- description: |
- The number of bytes sent.
- - name: in.bytes
- type: long
- format: bytes
- unit: byte
- metric_type: counter
- description: |
- The number of bytes received.
- - name: out.packets
- type: long
- metric_type: counter
- description: |
- The number of packets sent.
- - name: in.packets
- type: long
- metric_type: counter
- description: |
- The number or packets received.
- - name: in.errors
- type: long
- metric_type: counter
- description: |
- The number of errors while receiving.
- - name: out.errors
- type: long
- metric_type: counter
- description: |
- The number of errors while sending.
- - name: in.dropped
- type: long
- metric_type: counter
- description: |
- The number of incoming packets that were dropped.
- - name: out.dropped
- type: long
- metric_type: counter
- description: |
- The number of outgoing packets that were dropped. This value is always 0 on Darwin and BSD because it is not reported by the operating system.
-- name: host
- type: group
- fields:
- - name: network.in.bytes
- type: scaled_float
- format: bytes
- unit: byte
- metric_type: counter
- description: |
- The number of bytes received on all network interfaces by the host in a given period of time.
- - name: network.out.bytes
- type: scaled_float
- unit: byte
- metric_type: counter
- description: |
- The number of bytes sent out on all network interfaces by the host in a given period of time.
- - name: network.in.packets
- type: scaled_float
- metric_type: counter
- description: |
- The number of packets received on all network interfaces by the host in a given period of time.
- - name: network.out.packets
- type: scaled_float
- metric_type: counter
- description: |
- The number of packets sent out on all network interfaces by the host in a given period of time.
diff --git a/packages/system/0.9.2/data_stream/network/manifest.yml b/packages/system/0.9.2/data_stream/network/manifest.yml
deleted file mode 100644
index b9878b3e64..0000000000
--- a/packages/system/0.9.2/data_stream/network/manifest.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-title: System network metrics
-release: experimental
-type: metrics
-streams:
- - input: system/metrics
- vars:
- - name: period
- type: text
- title: Period
- multi: false
- required: true
- show_user: true
- default: 10s
- - name: network.interfaces
- type: text
- title: Interfaces
- multi: true
- required: false
- show_user: true
- description: >
- List of interfaces to monitor. Will monitor all by default.
-
- title: System network metrics
- description: Collect System network metrics
diff --git a/packages/system/0.9.2/data_stream/process/agent/stream/stream.yml.hbs b/packages/system/0.9.2/data_stream/process/agent/stream/stream.yml.hbs
deleted file mode 100644
index c28d9dd78a..0000000000
--- a/packages/system/0.9.2/data_stream/process/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,16 +0,0 @@
-metricsets: ["process"]
-period: {{period}}
-process.include_top_n.by_cpu: {{process.include_top_n.by_cpu}}
-process.include_top_n.by_memory: {{process.include_top_n.by_memory}}
-process.cmdline.cache.enabled: {{process.cmdline.cache.enabled}}
-process.cgroups.enabled: {{process.cgroups.enabled}}
-process.include_cpu_ticks: {{process.include_cpu_ticks}}
-{{#if process.env.whitelist}}
-{{#each process.env.whitelist}}
- - {{this}}
-{{/each}}
-{{/if}}
-processes:
-{{#each processes}}
- - {{this}}
-{{/each}}
\ No newline at end of file
diff --git a/packages/system/0.9.2/data_stream/process/fields/agent.yml b/packages/system/0.9.2/data_stream/process/fields/agent.yml
deleted file mode 100644
index da4e652c53..0000000000
--- a/packages/system/0.9.2/data_stream/process/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/system/0.9.2/data_stream/process/fields/base-fields.yml b/packages/system/0.9.2/data_stream/process/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.9.2/data_stream/process/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.9.2/data_stream/process/fields/ecs.yml b/packages/system/0.9.2/data_stream/process/fields/ecs.yml
deleted file mode 100644
index 7e409c1793..0000000000
--- a/packages/system/0.9.2/data_stream/process/fields/ecs.yml
+++ /dev/null
@@ -1,128 +0,0 @@
-- name: process
- title: Process
- group: 2
- type: group
- fields:
- - name: name
- level: extended
- type: keyword
- description: |-
- Process name.
- Sometimes called program name or similar.
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- - name: pgid
- level: extended
- type: long
- format: string
- description: Identifier of the group of processes the process belongs to.
- - name: pid
- level: core
- type: long
- format: string
- description: Process id.
- - name: ppid
- level: extended
- type: long
- format: string
- description: Parent process' pid.
- - name: working_directory
- level: extended
- type: keyword
- description: The working directory of the process.
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
-- name: user
- title: User
- group: 2
- type: group
- fields:
- - name: name
- level: core
- type: keyword
- description: Short name or login of the user.
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: ip
- level: core
- type: ip
- description: Host ip address.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac address.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.full
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system name, including the version or code name.
- example: Mac OS Mojave
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: Type of host.
diff --git a/packages/system/0.9.2/data_stream/process/fields/fields.yml b/packages/system/0.9.2/data_stream/process/fields/fields.yml
deleted file mode 100644
index 4dc7b1aab2..0000000000
--- a/packages/system/0.9.2/data_stream/process/fields/fields.yml
+++ /dev/null
@@ -1,434 +0,0 @@ -- name: system.process - type: group - fields: - - name: state - type: keyword - description: | - The process state. For example: "running". - - name: cmdline - type: keyword - description: | - The full command-line used to start the process, including the arguments separated by space. - ignore_above: 2048 - - name: env - type: object - description: | - The environment variables used to start the process. The data is available on FreeBSD, Linux, and OS X. - - name: cpu - type: group - fields: - - name: user.ticks - type: long - metric_type: counter - description: | - The amount of CPU time the process spent in user space. - - name: total.value - type: long - metric_type: counter - description: | - The value of CPU usage since starting the process. - - name: total.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent by the process since the last update. Its value is similar to the %CPU value of the process displayed by the top command on Unix systems. - - name: total.norm.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 100%. - - name: system.ticks - type: long - metric_type: counter - description: | - The amount of CPU time the process spent in kernel space. - - name: total.ticks - type: long - metric_type: counter - description: | - The total CPU time spent by the process. - - name: start_time - type: date - description: | - The time when the process was started. - - name: memory - type: group - fields: - - name: size - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The total virtual memory the process has. 
On Windows this represents the Commit Charge (the total amount of memory that the memory manager has committed for a running process) value in bytes for this process. - - name: rss.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The Resident Set Size. The amount of memory the process occupied in main memory (RAM). On Windows this represents the current working set size, in bytes. - - name: rss.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - The percentage of memory the process occupied in main memory (RAM). - - name: share - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The shared memory the process uses. - - name: fd - type: group - fields: - - name: open - type: long - metric_type: gauge - description: The number of file descriptors open by the process. - - name: limit.soft - type: long - metric_type: gauge - description: | - The soft limit on the number of file descriptors opened by the process. The soft limit can be changed by the process at any time. - - name: limit.hard - type: long - metric_type: gauge - description: | - The hard limit on the number of file descriptors opened by the process. The hard limit can only be raised by root. - - name: cgroup - type: group - fields: - - name: id - type: keyword - description: | - The ID common to all cgroups associated with this task. If there isn't a common ID used by all cgroups this field will be absent. - - name: path - type: keyword - description: | - The path to the cgroup relative to the cgroup subsystem's mountpoint. If there isn't a common path used by all cgroups this field will be absent. - - name: cpu - type: group - fields: - - name: id - type: keyword - description: ID of the cgroup. - - name: path - type: keyword - description: | - Path to the cgroup relative to the cgroup subsystem's mountpoint. 
- - name: cfs.period.us - type: long - unit: micros - description: | - Period of time in microseconds for how regularly a cgroup's access to CPU resources should be reallocated. - - name: cfs.quota.us - type: long - unit: micros - description: | - Total amount of time in microseconds for which all tasks in a cgroup can run during one period (as defined by cfs.period.us). - - name: cfs.shares - type: long - description: | - An integer value that specifies a relative share of CPU time available to the tasks in a cgroup. The value specified in the cpu.shares file must be 2 or higher. - - name: rt.period.us - type: long - unit: micros - description: | - Period of time in microseconds for how regularly a cgroup's access to CPU resources is reallocated. - - name: rt.runtime.us - type: long - unit: micros - description: | - Period of time in microseconds for the longest continuous period in which the tasks in a cgroup have access to CPU resources. - - name: stats.periods - type: long - metric_type: counter - description: | - Number of period intervals (as specified in cpu.cfs.period.us) that have elapsed. - - name: stats.throttled.periods - type: long - metric_type: counter - description: | - Number of times tasks in a cgroup have been throttled (that is, not allowed to run because they have exhausted all of the available time as specified by their quota). - - name: stats.throttled.ns - type: long - metric_type: counter - unit: nanos - description: | - The total time duration (in nanoseconds) for which tasks in a cgroup have been throttled. - - name: cpuacct - type: group - fields: - - name: id - type: keyword - description: ID of the cgroup. - - name: path - type: keyword - description: | - Path to the cgroup relative to the cgroup subsystem's mountpoint. - - name: total.ns - type: long - metric_type: counter - unit: nanos - description: | - Total CPU time in nanoseconds consumed by all tasks in the cgroup. 
- - name: stats.user.ns - type: long - metric_type: counter - unit: nanos - description: CPU time consumed by tasks in user mode. - - name: stats.system.ns - type: long - metric_type: counter - unit: nanos - description: CPU time consumed by tasks in user (kernel) mode. - - name: percpu - type: object - description: | - CPU time (in nanoseconds) consumed on each CPU by all tasks in this cgroup. - - name: memory - type: group - fields: - - name: id - type: keyword - description: ID of the cgroup. - - name: path - type: keyword - description: | - Path to the cgroup relative to the cgroup subsystem's mountpoint. - - name: mem.usage.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total memory usage by processes in the cgroup (in bytes). - - name: mem.usage.max.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum memory used by processes in the cgroup (in bytes). - - name: mem.limit.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum amount of user memory in bytes (including file cache) that tasks in the cgroup are allowed to use. - - name: mem.failures - type: long - description: | - The number of times that the memory limit (mem.limit.bytes) was reached. - - name: memsw.usage.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The sum of current memory usage plus swap space used by processes in the cgroup (in bytes). - - name: memsw.usage.max.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum amount of memory and swap space used by processes in the cgroup (in bytes). - - name: memsw.limit.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum amount for the sum of memory and swap usage that tasks in the cgroup are allowed to use. 
- - name: memsw.failures - type: long - unit: byte - metric_type: gauge - description: | - The number of times that the memory plus swap space limit (memsw.limit.bytes) was reached. - - name: kmem.usage.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total kernel memory usage by processes in the cgroup (in bytes). - - name: kmem.usage.max.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum kernel memory used by processes in the cgroup (in bytes). - - name: kmem.limit.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum amount of kernel memory that tasks in the cgroup are allowed to use. - - name: kmem.failures - type: long - metric_type: counter - description: | - The number of times that the memory limit (kmem.limit.bytes) was reached. - - name: kmem_tcp.usage.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total memory usage for TCP buffers in bytes. - - name: kmem_tcp.usage.max.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum memory used for TCP buffers by processes in the cgroup (in bytes). - - name: kmem_tcp.limit.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - The maximum amount of memory for TCP buffers that tasks in the cgroup are allowed to use. - - name: kmem_tcp.failures - type: long - metric_type: counter - description: | - The number of times that the memory limit (kmem_tcp.limit.bytes) was reached. - - name: stats.active_anon.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Anonymous and swap cache on active least-recently-used (LRU) list, including tmpfs (shmem), in bytes. - - name: stats.active_file.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: File-backed memory on active LRU list, in bytes. 
- - name: stats.cache.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: Page cache, including tmpfs (shmem), in bytes. - - name: stats.hierarchical_memory_limit.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Memory limit for the hierarchy that contains the memory cgroup, in bytes. - - name: stats.hierarchical_memsw_limit.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Memory plus swap limit for the hierarchy that contains the memory cgroup, in bytes. - - name: stats.inactive_anon.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Anonymous and swap cache on inactive LRU list, including tmpfs (shmem), in bytes - - name: stats.inactive_file.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - File-backed memory on inactive LRU list, in bytes. - - name: stats.mapped_file.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Size of memory-mapped mapped files, including tmpfs (shmem), in bytes. - - name: stats.page_faults - type: long - metric_type: counter - description: | - Number of times that a process in the cgroup triggered a page fault. - - name: stats.major_page_faults - type: long - metric_type: counter - description: | - Number of times that a process in the cgroup triggered a major fault. "Major" faults happen when the kernel actually has to read the data from disk. - - name: stats.pages_in - type: long - metric_type: counter - description: | - Number of pages paged into memory. This is a counter. - - name: stats.pages_out - type: long - metric_type: counter - description: | - Number of pages paged out of memory. This is a counter. - - name: stats.rss.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Anonymous and swap cache (includes transparent hugepages), not including tmpfs (shmem), in bytes. 
- - name: stats.rss_huge.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Number of bytes of anonymous transparent hugepages. - - name: stats.swap.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Swap usage, in bytes. - - name: stats.unevictable.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Memory that cannot be reclaimed, in bytes. - - name: blkio - type: group - fields: - - name: id - type: keyword - description: ID of the cgroup. - - name: path - type: keyword - description: | - Path to the cgroup relative to the cgroup subsystems mountpoint. - - name: total.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total number of bytes transferred to and from all block devices by processes in the cgroup. - - name: total.ios - type: long - metric_type: counter - description: | - Total number of I/O operations performed on all devices by processes in the cgroup as seen by the throttling policy. diff --git a/packages/system/0.9.2/data_stream/process/manifest.yml b/packages/system/0.9.2/data_stream/process/manifest.yml deleted file mode 100644 index fd982eb931..0000000000 --- a/packages/system/0.9.2/data_stream/process/manifest.yml +++ /dev/null 
@@ -1,85 +0,0 @@ -title: System process metrics -release: experimental -type: metrics -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - - name: process.include_top_n.by_cpu - type: integer - title: Process Include Top N By Cpu - multi: false - required: true - show_user: true - default: 5 - description: > - Include the top N processes by CPU usage. - - - name: process.include_top_n.by_memory - type: integer - title: Process Include Top N By Memory - multi: false - required: true - show_user: true - default: 5 - description: > - Include the top N processes by memory usage. - - - name: process.cmdline.cache.enabled - type: bool - title: Enable cmdline cache - multi: false - required: false - show_user: true - default: true - description: > - If false, cmdline of a process is not cached. - - - name: process.cgroups.enabled - type: bool - title: Enable cgroup reporting - multi: false - required: false - show_user: true - default: false - description: > - Enable collection of cgroup metrics from processes on Linux. - - - name: process.env.whitelist - type: text - title: Env whitelist - multi: true - required: false - show_user: true - description: > - A list of regular expressions used to whitelist environment variables reported with the process metricset's events. Defaults to empty. - - - name: process.include_cpu_ticks - type: bool - title: Include CPU Ticks - multi: false - required: false - show_user: true - default: false - description: > - Include the cumulative CPU tick values with the process metrics. - - - name: processes - type: text - title: Processes - multi: true - required: true - show_user: true - description: > - A glob to match reported processes. By default all processes are reported. - - default: - - .* - title: System process metrics - description: Collect System process metrics 
diff --git a/packages/system/0.9.2/data_stream/process_summary/agent/stream/stream.yml.hbs b/packages/system/0.9.2/data_stream/process_summary/agent/stream/stream.yml.hbs deleted file mode 100644 index 9c7cfe4dc8..0000000000 --- a/packages/system/0.9.2/data_stream/process_summary/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,2 +0,0 @@ -metricsets: ["process_summary"] -period: {{period}} \ No newline at end of file diff --git a/packages/system/0.9.2/data_stream/process_summary/fields/agent.yml b/packages/system/0.9.2/data_stream/process_summary/fields/agent.yml deleted file mode 100644 index da4e652c53..0000000000 --- a/packages/system/0.9.2/data_stream/process_summary/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.9.2/data_stream/process_summary/fields/base-fields.yml b/packages/system/0.9.2/data_stream/process_summary/fields/base-fields.yml deleted file mode 100644 index 7c798f4534..0000000000 --- a/packages/system/0.9.2/data_stream/process_summary/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.9.2/data_stream/process_summary/fields/ecs.yml b/packages/system/0.9.2/data_stream/process_summary/fields/ecs.yml deleted file mode 100644 index 9f3d04118b..0000000000 --- a/packages/system/0.9.2/data_stream/process_summary/fields/ecs.yml +++ /dev/null 
@@ -1,128 +0,0 @@ -- name: '@timestamp' - level: core - required: true - type: date - description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. -- name: message - level: core - type: text - description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. -- name: group - title: Group - group: 2 - type: group - fields: - - name: id - level: extended - type: keyword - description: Unique identifier for the group on the system/platform. - ignore_above: 1024 - - name: name - level: extended - type: keyword - description: Name of the group. - ignore_above: 1024 -- name: host - title: Host - group: 2 - type: group - fields: - - name: hostname - level: core - type: keyword - description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - ignore_above: 1024 -- name: process - title: Process - group: 2 - type: group - fields: - - name: name - level: extended - type: keyword - description: |- - Process name. - Sometimes called program name or similar. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - - name: pid - level: core - type: long - format: string - description: Process id. -- name: source - title: Source - group: 2 - type: group - fields: - - name: geo.city_name - level: core - type: keyword - description: City name. 
- ignore_above: 1024 - - name: geo.continent_name - level: core - type: keyword - description: Name of the continent. - ignore_above: 1024 - - name: geo.country_iso_code - level: core - type: keyword - description: Country ISO code. - ignore_above: 1024 - - name: geo.location - level: core - type: geo_point - description: Longitude and latitude. - - name: geo.region_iso_code - level: core - type: keyword - description: Region ISO code. - ignore_above: 1024 - - name: geo.region_name - level: core - type: keyword - description: Region name. - ignore_above: 1024 - - name: ip - level: core - type: ip - description: IP address of the source (IPv4 or IPv6). - - name: port - level: core - type: long - format: string - description: Port of the source. -- name: user - title: User - group: 2 - type: group - fields: - - name: id - level: core - type: keyword - description: Unique identifier of the user. - ignore_above: 1024 - - name: name - level: core - type: keyword - description: Short name or login of the user. - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false diff --git a/packages/system/0.9.2/data_stream/process_summary/fields/fields.yml b/packages/system/0.9.2/data_stream/process_summary/fields/fields.yml deleted file mode 100644 index bc9254a2ae..0000000000 --- a/packages/system/0.9.2/data_stream/process_summary/fields/fields.yml +++ /dev/null 
@@ -1,44 +0,0 @@ -- name: system.process.summary - title: Process Summary - type: group - fields: - - name: total - type: long - metric_type: gauge - description: | - Total number of processes on this host. - - name: running - type: long - metric_type: gauge - description: | - Number of running processes on this host. - - name: idle - type: long - metric_type: gauge - description: | - Number of idle processes on this host. - - name: sleeping - type: long - metric_type: gauge - description: | - Number of sleeping processes on this host. - - name: stopped - type: long - metric_type: gauge - description: | - Number of stopped processes on this host. - - name: zombie - type: long - metric_type: gauge - description: | - Number of zombie processes on this host. - - name: dead - type: long - metric_type: gauge - description: | - Number of dead processes on this host. It's very unlikely that it will appear but in some special situations it may happen. - - name: unknown - type: long - metric_type: gauge - description: | - Number of processes for which the state couldn't be retrieved or is unknown. diff --git a/packages/system/0.9.2/data_stream/process_summary/manifest.yml b/packages/system/0.9.2/data_stream/process_summary/manifest.yml deleted file mode 100644 index cd89d30b94..0000000000 --- a/packages/system/0.9.2/data_stream/process_summary/manifest.yml +++ /dev/null @@ -1,15 +0,0 @@ -title: System process_summary metrics -release: experimental -type: metrics -streams: - - input: system/metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - title: System process_summary metrics - description: Collect System process_summary metrics diff --git a/packages/system/0.9.2/data_stream/socket_summary/agent/stream/stream.yml.hbs b/packages/system/0.9.2/data_stream/socket_summary/agent/stream/stream.yml.hbs deleted file mode 100644 index bbc8e63f4a..0000000000 
--- a/packages/system/0.9.2/data_stream/socket_summary/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,2 +0,0 @@ -metricsets: ["socket_summary"] -period: {{period}} \ No newline at end of file diff --git a/packages/system/0.9.2/data_stream/socket_summary/fields/agent.yml b/packages/system/0.9.2/data_stream/socket_summary/fields/agent.yml deleted file mode 100644 index da4e652c53..0000000000 --- a/packages/system/0.9.2/data_stream/socket_summary/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/system/0.9.2/data_stream/socket_summary/fields/base-fields.yml b/packages/system/0.9.2/data_stream/socket_summary/fields/base-fields.yml deleted file mode 100644 index 7c798f4534..0000000000 --- a/packages/system/0.9.2/data_stream/socket_summary/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/system/0.9.2/data_stream/socket_summary/fields/ecs.yml b/packages/system/0.9.2/data_stream/socket_summary/fields/ecs.yml deleted file mode 100644 index 9f3d04118b..0000000000 --- a/packages/system/0.9.2/data_stream/socket_summary/fields/ecs.yml +++ /dev/null 
@@ -1,128 +0,0 @@
-- name: '@timestamp'
- level: core
- required: true
- type: date
- description: |-
- Date/time when the event originated.
- This is the date/time extracted from the event, typically representing when the event was generated by the source.
- If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline.
- Required field for all events.
-- name: message
- level: core
- type: text
- description: |-
- For log events the message field contains the log message, optimized for viewing in a log viewer.
- For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
- If multiple messages exist, they can be combined into one message.
-- name: group
- title: Group
- group: 2
- type: group
- fields:
- - name: id
- level: extended
- type: keyword
- description: Unique identifier for the group on the system/platform.
- ignore_above: 1024
- - name: name
- level: extended
- type: keyword
- description: Name of the group.
- ignore_above: 1024
-- name: host
- title: Host
- group: 2
- type: group
- fields:
- - name: hostname
- level: core
- type: keyword
- description: |-
- Hostname of the host.
- It normally contains what the `hostname` command returns on the host machine.
- ignore_above: 1024
-- name: process
- title: Process
- group: 2
- type: group
- fields:
- - name: name
- level: extended
- type: keyword
- description: |-
- Process name.
- Sometimes called program name or similar.
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- - name: pid
- level: core
- type: long
- format: string
- description: Process id.
-- name: source
- title: Source
- group: 2
- type: group
- fields:
- - name: geo.city_name
- level: core
- type: keyword
- description: City name.
- ignore_above: 1024
- - name: geo.continent_name
- level: core
- type: keyword
- description: Name of the continent.
- ignore_above: 1024
- - name: geo.country_iso_code
- level: core
- type: keyword
- description: Country ISO code.
- ignore_above: 1024
- - name: geo.location
- level: core
- type: geo_point
- description: Longitude and latitude.
- - name: geo.region_iso_code
- level: core
- type: keyword
- description: Region ISO code.
- ignore_above: 1024
- - name: geo.region_name
- level: core
- type: keyword
- description: Region name.
- ignore_above: 1024
- - name: ip
- level: core
- type: ip
- description: IP address of the source (IPv4 or IPv6).
- - name: port
- level: core
- type: long
- format: string
- description: Port of the source.
-- name: user
- title: User
- group: 2
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- description: Unique identifier of the user.
- ignore_above: 1024
- - name: name
- level: core
- type: keyword
- description: Short name or login of the user.
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
diff --git a/packages/system/0.9.2/data_stream/socket_summary/fields/fields.yml b/packages/system/0.9.2/data_stream/socket_summary/fields/fields.yml
deleted file mode 100644
index fca58be0c8..0000000000
--- a/packages/system/0.9.2/data_stream/socket_summary/fields/fields.yml
+++ /dev/null
@@ -1,106 +0,0 @@
-- name: system.socket.summary
- title: Socket summary
- type: group
- fields:
- - name: all
- type: group
- fields:
- - name: count
- type: integer
- metric_type: gauge
- description: |
- All open connections
- - name: listening
- type: integer
- metric_type: gauge
- description: |
- All listening ports
- - name: tcp
- type: group
- fields:
- - name: memory
- type: integer
- format: bytes
- unit: byte
- metric_type: gauge
- description: "Memory used by TCP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/tcp_mem. Only available on Linux. \n"
- - name: all
- type: group
- fields:
- - name: orphan
- type: integer
- metric_type: gauge
- description: |
- A count of all orphaned tcp sockets. Only available on Linux.
- - name: count
- type: integer
- metric_type: gauge
- description: |
- All open TCP connections
- - name: listening
- type: integer
- metric_type: gauge
- description: |
- All TCP listening ports
- - name: established
- type: integer
- metric_type: gauge
- description: |
- Number of established TCP connections
- - name: close_wait
- type: integer
- metric_type: gauge
- description: |
- Number of TCP connections in _close_wait_ state
- - name: time_wait
- type: integer
- metric_type: gauge
- description: |
- Number of TCP connections in _time_wait_ state
- - name: syn_sent
- type: integer
- metric_type: gauge
- description: |
- Number of TCP connections in _syn_sent_ state
- - name: syn_recv
- type: integer
- metric_type: gauge
- description: |
- Number of TCP connections in _syn_recv_ state
- - name: fin_wait1
- type: integer
- metric_type: gauge
- description: |
- Number of TCP connections in _fin_wait1_ state
- - name: fin_wait2
- type: integer
- metric_type: gauge
- description: |
- Number of TCP connections in _fin_wait2_ state
- - name: last_ack
- type: integer
- metric_type: gauge
- description: |
- Number of TCP connections in _last_ack_ state
- - name: closing
- type: integer
- metric_type: gauge
- description: |
- Number of TCP connections in _closing_ state
- - name: udp
- type: group
- fields:
- - name: memory
- type: integer
- format: bytes
- unit: byte
- metric_type: gauge
- description: "Memory used by UDP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/udp_mem. Only available on Linux. \n"
- - name: all
- type: group
- fields:
- - name: count
- type: integer
- metric_type: gauge
- description: |
- All open UDP connections
diff --git a/packages/system/0.9.2/data_stream/socket_summary/manifest.yml b/packages/system/0.9.2/data_stream/socket_summary/manifest.yml
deleted file mode 100644
index 119109fe70..0000000000
--- a/packages/system/0.9.2/data_stream/socket_summary/manifest.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-title: System socket_summary metrics
-release: experimental
-type: metrics
-streams:
- - input: system/metrics
- vars:
- - name: period
- type: text
- title: Period
- multi: false
- required: true
- show_user: true
- default: 10s
- title: System socket_summary metrics
- description: Collect System socket_summary metrics
diff --git a/packages/system/0.9.2/data_stream/syslog/agent/stream/log.yml.hbs b/packages/system/0.9.2/data_stream/syslog/agent/stream/log.yml.hbs
deleted file mode 100644
index 58c96859c0..0000000000
--- a/packages/system/0.9.2/data_stream/syslog/agent/stream/log.yml.hbs
+++ /dev/null
@@ -1,14 +0,0 @@
-paths:
-{{#each paths as |path i|}}
- - {{path}}
-{{/each}}
-exclude_files: [".gz$"]
-multiline:
- pattern: "^\\s"
- match: after
-processors:
- - add_locale: ~
- - add_fields:
- target: ''
- fields:
- ecs.version: 1.5.0
\ No newline at end of file
diff --git a/packages/system/0.9.2/data_stream/syslog/elasticsearch/ingest_pipeline/default.json b/packages/system/0.9.2/data_stream/syslog/elasticsearch/ingest_pipeline/default.json
deleted file mode 100644
index 0c614b8a95..0000000000
--- a/packages/system/0.9.2/data_stream/syslog/elasticsearch/ingest_pipeline/default.json
+++ /dev/null
@@ -1,71 +0,0 @@
-{
- "description": "Pipeline for parsing Syslog messages.",
- "processors": [
- {
- "grok": {
- "field": "message",
- "patterns": [
- "%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: %{GREEDYMULTILINE:system.syslog.message}",
- "%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{GREEDYMULTILINE:system.syslog.message}",
- "%{TIMESTAMP_ISO8601:system.syslog.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: %{GREEDYMULTILINE:system.syslog.message}"
- ],
- "pattern_definitions" : {
- "GREEDYMULTILINE" : "(.|\n)*"
- },
- "ignore_missing": true
- }
- },
- {
- "remove": {
- "field": "message"
- }
- },
- {
- "rename": {
- "field": "system.syslog.message",
- "target_field": "message",
- "ignore_missing": true
- }
- },
- {
- "date": {
- "if": "ctx.event.timezone == null",
- "field": "system.syslog.timestamp",
- "target_field": "@timestamp",
- "formats": [
- "MMM d HH:mm:ss",
- "MMM dd HH:mm:ss",
- "MMM d HH:mm:ss",
- "ISO8601"
- ],
- "on_failure": [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]
- }
- },
- {
- "date": {
- "if": "ctx.event.timezone != null",
- "field": "system.syslog.timestamp",
- "target_field": "@timestamp",
- "formats": [
- "MMM d HH:mm:ss",
- "MMM dd HH:mm:ss",
- "MMM d HH:mm:ss",
- "ISO8601"
- ],
- "timezone": "{{ event.timezone }}",
- "on_failure": [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]
- }
- },
- {
- "remove": {
- "field": "system.syslog.timestamp"
- }
- }
- ],
- "on_failure" : [{
- "set" : {
- "field" : "error.message",
- "value" : "{{ _ingest.on_failure_message }}"
- }
- }]
-}
diff --git a/packages/system/0.9.2/data_stream/syslog/elasticsearch/ingest_pipeline/default.yml b/packages/system/0.9.2/data_stream/syslog/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100644
index 0385fc138f..0000000000
--- a/packages/system/0.9.2/data_stream/syslog/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,58 +0,0 @@
----
-description: Pipeline for parsing Syslog messages.
-processors:
-- grok:
- field: message
- patterns:
- - '%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?:
- %{GREEDYMULTILINE:system.syslog.message}'
- - '%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{GREEDYMULTILINE:system.syslog.message}'
- - '%{TIMESTAMP_ISO8601:system.syslog.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?:
- %{GREEDYMULTILINE:system.syslog.message}'
- pattern_definitions:
- GREEDYMULTILINE: |-
- (.|
- )*
- ignore_missing: true
-- remove:
- field: message
-- rename:
- field: system.syslog.message
- target_field: message
- ignore_missing: true
-- date:
- if: ctx.event.timezone == null
- field: system.syslog.timestamp
- target_field: '@timestamp'
- formats:
- - MMM d HH:mm:ss
- - MMM dd HH:mm:ss
- - MMM d HH:mm:ss
- - ISO8601
- on_failure:
- - append:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
-- date:
- if: ctx.event.timezone != null
- field: system.syslog.timestamp
- target_field: '@timestamp'
- formats:
- - MMM d HH:mm:ss
- - MMM dd HH:mm:ss
- - MMM d HH:mm:ss
- - ISO8601
- timezone: '{{ event.timezone }}'
- on_failure:
- - append:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
-- remove:
- field: system.syslog.timestamp
-- set:
- field: event.type
- value: event
-on_failure:
-- set:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
diff --git a/packages/system/0.9.2/data_stream/syslog/fields/agent.yml b/packages/system/0.9.2/data_stream/syslog/fields/agent.yml
deleted file mode 100644
index da4e652c53..0000000000
--- a/packages/system/0.9.2/data_stream/syslog/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/system/0.9.2/data_stream/syslog/fields/base-fields.yml b/packages/system/0.9.2/data_stream/syslog/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.9.2/data_stream/syslog/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.9.2/data_stream/syslog/fields/ecs.yml b/packages/system/0.9.2/data_stream/syslog/fields/ecs.yml
deleted file mode 100644
index 6177e5856f..0000000000
--- a/packages/system/0.9.2/data_stream/syslog/fields/ecs.yml
+++ /dev/null
@@ -1,97 +0,0 @@
-- name: '@timestamp'
- level: core
- required: true
- type: date
- description: |-
- Date/time when the event originated.
- This is the date/time extracted from the event, typically representing when the event was generated by the source.
- If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline.
- Required field for all events.
-- name: message
- level: core
- type: text
- description: |-
- For log events the message field contains the log message, optimized for viewing in a log viewer.
- For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
- If multiple messages exist, they can be combined into one message.
-- name: process
- title: Process
- group: 2
- type: group
- fields:
- - name: name
- level: extended
- type: keyword
- description: |-
- Process name.
- Sometimes called program name or similar.
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- - name: pid
- level: core
- type: long
- format: string
- description: Process id.
-- description: "Operating system architecture."
- ignore_above: 1024
- name: host.architecture
- type: keyword
-- description: "Name of the directory the group is a member of."
- ignore_above: 1024
- name: host.domain
- type: keyword
-- description: "Hostname of the host."
- ignore_above: 1024
- name: host.hostname
- type: keyword
-- description: "Unique host id."
- ignore_above: 1024
- name: host.id
- type: keyword
-- description: "Host ip addresses."
- name: host.ip
- type: ip
-- description: "Host mac addresses."
- ignore_above: 1024
- name: host.mac
- type: keyword
-- description: "Name of the host."
- ignore_above: 1024
- name: host.name
- type: keyword
-- description: "OS family (such as redhat, debian, freebsd, windows)."
- ignore_above: 1024
- name: host.os.family
- type: keyword
-- description: "Operating system name, including the version or code name."
- ignore_above: 1024
- multi_fields:
- - name: text
- norms: false
- type: text
- name: host.os.full
- type: keyword
-- description: "Operating system kernel version as a raw string."
- ignore_above: 1024
- name: host.os.kernel
- type: keyword
-- description: "Operating system name, without the version."
- ignore_above: 1024
- multi_fields:
- - name: text
- norms: false
- type: text
- name: host.os.name
- type: keyword
-- description: "Operating system platform (such centos, ubuntu, windows)."
- ignore_above: 1024
- name: host.os.platform
- type: keyword
-- description: "Operating system version as a raw string."
- ignore_above: 1024
- name: version
- type: keyword
diff --git a/packages/system/0.9.2/data_stream/syslog/fields/fields.yml b/packages/system/0.9.2/data_stream/syslog/fields/fields.yml
deleted file mode 100644
index f933686930..0000000000
--- a/packages/system/0.9.2/data_stream/syslog/fields/fields.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-- name: system.syslog
- type: group
diff --git a/packages/system/0.9.2/data_stream/syslog/manifest.yml b/packages/system/0.9.2/data_stream/syslog/manifest.yml
deleted file mode 100644
index 1aa1fe9412..0000000000
--- a/packages/system/0.9.2/data_stream/syslog/manifest.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-title: System syslog logs
-release: experimental
-type: logs
-streams:
- - input: logfile
- vars:
- - name: paths
- type: text
- title: Paths
- multi: true
- required: true
- show_user: true
- default:
- - /var/log/messages*
- - /var/log/syslog*
- template_path: log.yml.hbs
- title: System syslog logs (log)
- description: Collect System syslog logs using log input
diff --git a/packages/system/0.9.2/data_stream/uptime/agent/stream/stream.yml.hbs b/packages/system/0.9.2/data_stream/uptime/agent/stream/stream.yml.hbs
deleted file mode 100644
index 810f6a1f3e..0000000000
--- a/packages/system/0.9.2/data_stream/uptime/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,2 +0,0 @@
-metricsets: ["uptime"]
-period: {{period}}
\ No newline at end of file
diff --git a/packages/system/0.9.2/data_stream/uptime/fields/agent.yml b/packages/system/0.9.2/data_stream/uptime/fields/agent.yml
deleted file mode 100644
index da4e652c53..0000000000
--- a/packages/system/0.9.2/data_stream/uptime/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/system/0.9.2/data_stream/uptime/fields/base-fields.yml b/packages/system/0.9.2/data_stream/uptime/fields/base-fields.yml
deleted file mode 100644
index 7c798f4534..0000000000
--- a/packages/system/0.9.2/data_stream/uptime/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/system/0.9.2/data_stream/uptime/fields/fields.yml b/packages/system/0.9.2/data_stream/uptime/fields/fields.yml
deleted file mode 100644
index 7c61a13721..0000000000
--- a/packages/system/0.9.2/data_stream/uptime/fields/fields.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-- name: system.uptime
- type: group
- fields:
- - name: duration.ms
- type: long
- format: duration
- unit: ms
- metric_type: counter
- description: |
- The OS uptime in milliseconds.
diff --git a/packages/system/0.9.2/data_stream/uptime/manifest.yml b/packages/system/0.9.2/data_stream/uptime/manifest.yml
deleted file mode 100644
index d1fc1f1579..0000000000
--- a/packages/system/0.9.2/data_stream/uptime/manifest.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-title: System uptime metrics
-release: experimental
-type: metrics
-streams:
- - input: system/metrics
- vars:
- - name: period
- type: text
- title: Period
- multi: false
- required: true
- show_user: true
- default: 10s
- title: System uptime metrics
- description: Collect System uptime metrics
diff --git a/packages/system/0.9.2/docs/README.md b/packages/system/0.9.2/docs/README.md
deleted file mode 100644
index 33ddb90187..0000000000
--- a/packages/system/0.9.2/docs/README.md
+++ /dev/null
@@ -1,928 +0,0 @@ -# System Integration - -The System integrations allows you to monitor your servers. Because the System integration -always applies to the local server, the `hosts` config option is not needed. - -The default datasets are `cpu`, `load`, `memory`, `network`, `process`, and -`process_summary`. If _all_ datasets are disabled -and the System module is still enabled, fleet uses the default datasets. - -Note that certain datasets may access `/proc` to gather process information, -and the resulting `ptrace_may_access()` call by the kernel to check for -permissions can be blocked by -[AppArmor and other LSM software](https://gitlab.com/apparmor/apparmor/wikis/TechnicalDoc_Proc_and_ptrace), even though the System module doesn't use `ptrace` directly. - -## Compatibility - -The System datasets collect different kinds of metric data, which may require dedicated permissions -to be fetched and which may vary across operating systems. - -## Metrics - -### Core - -The System `core` dataset provides usage statistics for each CPU core. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- OpenBSD -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. 
Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip address. | ip | -| host.mac | Host mac address. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. 
| keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. | keyword | -| system.core.id | CPU Core number. | keyword | -| system.core.idle.pct | The percentage of CPU time spent idle. | scaled_float | -| system.core.idle.ticks | The amount of CPU time spent idle. | long | -| system.core.iowait.pct | The percentage of CPU time spent in wait (on disk). | scaled_float | -| system.core.iowait.ticks | The amount of CPU time spent in wait (on disk). | long | -| system.core.irq.pct | The percentage of CPU time spent servicing and handling hardware interrupts. | scaled_float | -| system.core.irq.ticks | The amount of CPU time spent servicing and handling hardware interrupts. | long | -| system.core.nice.pct | The percentage of CPU time spent on low-priority processes. | scaled_float | -| system.core.nice.ticks | The amount of CPU time spent on low-priority processes. | long | -| system.core.softirq.pct | The percentage of CPU time spent servicing and handling software interrupts. | scaled_float | -| system.core.softirq.ticks | The amount of CPU time spent servicing and handling software interrupts. | long | -| system.core.steal.pct | The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | scaled_float | -| system.core.steal.ticks | The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | long | -| system.core.system.pct | The percentage of CPU time spent in kernel space. | scaled_float | -| system.core.system.ticks | The amount of CPU time spent in kernel space. | long | -| system.core.user.pct | The percentage of CPU time spent in user space. | scaled_float | -| system.core.user.ticks | The amount of CPU time spent in user space. 
| long | - - -### CPU - -The System `cpu` dataset provides CPU statistics. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- OpenBSD -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.cpu.pct | Percent CPU used. This value is normalized by the number of CPU cores and it ranges from 0 to 1. | scaled_float | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. 
For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| system.cpu.cores | The number of CPU cores present on the host. The non-normalized percentages will have a maximum value of `100% * cores`. The normalized percentages already take this value into account and have a maximum value of 100%. | long | -| system.cpu.idle.norm.pct | The percentage of CPU time spent idle. | scaled_float | -| system.cpu.idle.pct | The percentage of CPU time spent idle. | scaled_float | -| system.cpu.idle.ticks | The amount of CPU time spent idle. 
| long | -| system.cpu.iowait.norm.pct | The percentage of CPU time spent in wait (on disk). | scaled_float | -| system.cpu.iowait.pct | The percentage of CPU time spent in wait (on disk). | scaled_float | -| system.cpu.iowait.ticks | The amount of CPU time spent in wait (on disk). | long | -| system.cpu.irq.norm.pct | The percentage of CPU time spent servicing and handling hardware interrupts. | scaled_float | -| system.cpu.irq.pct | The percentage of CPU time spent servicing and handling hardware interrupts. | scaled_float | -| system.cpu.irq.ticks | The amount of CPU time spent servicing and handling hardware interrupts. | long | -| system.cpu.nice.norm.pct | The percentage of CPU time spent on low-priority processes. | scaled_float | -| system.cpu.nice.pct | The percentage of CPU time spent on low-priority processes. | scaled_float | -| system.cpu.nice.ticks | The amount of CPU time spent on low-priority processes. | long | -| system.cpu.softirq.norm.pct | The percentage of CPU time spent servicing and handling software interrupts. | scaled_float | -| system.cpu.softirq.pct | The percentage of CPU time spent servicing and handling software interrupts. | scaled_float | -| system.cpu.softirq.ticks | The amount of CPU time spent servicing and handling software interrupts. | long | -| system.cpu.steal.norm.pct | The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | scaled_float | -| system.cpu.steal.pct | The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | scaled_float | -| system.cpu.steal.ticks | The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | long | -| system.cpu.system.norm.pct | The percentage of CPU time spent in kernel space. 
| scaled_float | -| system.cpu.system.pct | The percentage of CPU time spent in kernel space. | scaled_float | -| system.cpu.system.ticks | The amount of CPU time spent in kernel space. | long | -| system.cpu.total.norm.pct | The percentage of CPU time in states other than Idle and IOWait, normalised by the number of cores. | scaled_float | -| system.cpu.total.pct | The percentage of CPU time spent in states other than Idle and IOWait. | scaled_float | -| system.cpu.user.norm.pct | The percentage of CPU time spent in user space. | scaled_float | -| system.cpu.user.pct | The percentage of CPU time spent in user space. On multi-core systems, you can have percentages that are greater than 100%. For example, if 3 cores are at 60% use, then the `system.cpu.user.pct` will be 180%. | scaled_float | -| system.cpu.user.ticks | The amount of CPU time spent in user space. | long | - - -### Disk IO - -The System `diskio` dataset provides disk IO metrics collected from the -operating system. One event is created for each disk mounted on the system. - -This dataset is available on: - -- Linux -- macOS (requires 10.10+) -- Windows -- FreeBSD (amd64) - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. 
Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.disk.read.bytes | The total number of bytes read successfully in a given period of time. | scaled_float | -| host.disk.write.bytes | The total number of bytes write successfully in a given period of time. | scaled_float | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). 
| keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. | keyword | -| system.diskio.io.time | The total number of of milliseconds spent doing I/Os. | long | -| system.diskio.iostat.await | The average time spent for requests issued to the device to be served. | float | -| system.diskio.iostat.busy | Percentage of CPU time during which I/O requests were issued to the device (bandwidth utilization for the device). Device saturation occurs when this value is close to 100%. | float | -| system.diskio.iostat.queue.avg_size | The average queue length of the requests that were issued to the device. | float | -| system.diskio.iostat.read.await | The average time spent for read requests issued to the device to be served. | float | -| system.diskio.iostat.read.per_sec.bytes | The number of Bytes read from the device per second. | float | -| system.diskio.iostat.read.request.merges_per_sec | The number of read requests merged per second that were queued to the device. | float | -| system.diskio.iostat.read.request.per_sec | The number of read requests that were issued to the device per second | float | -| system.diskio.iostat.request.avg_size | The average size (in bytes) of the requests that were issued to the device. | float | -| system.diskio.iostat.service_time | The average service time (in milliseconds) for I/O requests that were issued to the device. | float | -| system.diskio.iostat.write.await | The average time spent for write requests issued to the device to be served. 
| float | -| system.diskio.iostat.write.per_sec.bytes | The number of Bytes write from the device per second. | float | -| system.diskio.iostat.write.request.merges_per_sec | The number of write requests merged per second that were queued to the device. | float | -| system.diskio.iostat.write.request.per_sec | The number of write requests that were issued to the device per second | float | -| system.diskio.name | The disk name. | keyword | -| system.diskio.read.bytes | The total number of bytes read successfully. On Linux this is the number of sectors read multiplied by an assumed sector size of 512. | long | -| system.diskio.read.count | The total number of reads completed successfully. | long | -| system.diskio.read.time | The total number of milliseconds spent by all reads. | long | -| system.diskio.serial_number | The disk's serial number. This may not be provided by all operating systems. | keyword | -| system.diskio.write.bytes | The total number of bytes written successfully. On Linux this is the number of sectors written multiplied by an assumed sector size of 512. | long | -| system.diskio.write.count | The total number of writes completed successfully. | long | -| system.diskio.write.time | The total number of milliseconds spent by all writes. | long | - - -### Filesystem - -The System `filesystem` dataset provides file system statistics. For each file -system, one document is provided. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- OpenBSD -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. 
| keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. 
| keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| system.filesystem.available | The disk space available to an unprivileged user in bytes. | long | -| system.filesystem.device_name | The disk name. For example: `/dev/disk1` | keyword | -| system.filesystem.files | The total number of file nodes in the file system. | long | -| system.filesystem.free | The disk space available in bytes. | long | -| system.filesystem.free_files | The number of free file nodes in the file system. | long | -| system.filesystem.mount_point | The mounting point. For example: `/` | keyword | -| system.filesystem.total | The total disk space in bytes. | long | -| system.filesystem.type | The disk type. For example: `ext4` | keyword | -| system.filesystem.used.bytes | The used disk space in bytes. | long | -| system.filesystem.used.pct | The percentage of used disk space. | scaled_float | - - -### Fsstat - -The System `fsstat` dataset provides overall file system statistics. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- OpenBSD -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. 
The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. | keyword | -| system.fsstat.count | Number of file systems found. | long | -| system.fsstat.total_files | Total number of files. | long | -| system.fsstat.total_size.free | Total free space. | long | -| system.fsstat.total_size.total | Total space (used plus free). | long | -| system.fsstat.total_size.used | Total used space. | long | - - -### Load - -The System `load` dataset provides load statistics. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- OpenBSD - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. 
Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac address. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. 
| keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. | keyword | -| system.load.1 | Load average for the last minute. | scaled_float | -| system.load.15 | Load average for the last 15 minutes. | scaled_float | -| system.load.5 | Load average for the last 5 minutes. | scaled_float | -| system.load.cores | The number of CPU cores present on the host. | long | -| system.load.norm.1 | Load for the last minute divided by the number of cores. | scaled_float | -| system.load.norm.15 | Load for the last 15 minutes divided by the number of cores. | scaled_float | -| system.load.norm.5 | Load for the last 5 minutes divided by the number of cores. | scaled_float | - - -### Memory - -The System `memory` dataset provides memory statistics. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- OpenBSD -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. 
| keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip address. | ip | -| host.mac | Host mac address. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. 
For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| system.memory.actual.free | Actual free memory in bytes. It is calculated based on the OS. On Linux this value will be MemAvailable from /proc/meminfo, or calculated from free memory plus caches and buffers if /proc/meminfo is not available. On OSX it is a sum of free memory and the inactive memory. On Windows, it is equal to `system.memory.free`. | long | -| system.memory.actual.used.bytes | Actual used memory in bytes. It represents the difference between the total and the available memory. The available memory depends on the OS. For more details, please check `system.actual.free`. | long | -| system.memory.actual.used.pct | The percentage of actual used memory. | scaled_float | -| system.memory.free | The total amount of free memory in bytes. This value does not include memory consumed by system caches and buffers (see system.memory.actual.free). | long | -| system.memory.hugepages.default_size | Default size for huge pages. | long | -| system.memory.hugepages.free | Number of available huge pages in the pool. | long | -| system.memory.hugepages.reserved | Number of reserved but not allocated huge pages in the pool. | long | -| system.memory.hugepages.surplus | Number of overcommited huge pages. | long | -| system.memory.hugepages.swap.out.fallback | Count of huge pages that must be split before swapout | long | -| system.memory.hugepages.swap.out.pages | pages swapped out | long | -| system.memory.hugepages.total | Number of huge pages in the pool. | long | -| system.memory.hugepages.used.bytes | Memory used in allocated huge pages. | long | -| system.memory.hugepages.used.pct | Percentage of huge pages used. | long | -| system.memory.page_stats.direct_efficiency.pct | direct reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory. 
| scaled_float | -| system.memory.page_stats.kswapd_efficiency.pct | kswapd reclaim efficiency percentage. A lower percentage indicates the system is struggling to reclaim memory. | scaled_float | -| system.memory.page_stats.pgfree.pages | pages freed by the system | long | -| system.memory.page_stats.pgscan_direct.pages | pages scanned directly | long | -| system.memory.page_stats.pgscan_kswapd.pages | pages scanned by kswapd | long | -| system.memory.page_stats.pgsteal_direct.pages | number of pages reclaimed directly | long | -| system.memory.page_stats.pgsteal_kswapd.pages | number of pages reclaimed by kswapd | long | -| system.memory.swap.free | Available swap memory. | long | -| system.memory.swap.in.pages | count of pages swapped in | long | -| system.memory.swap.out.pages | count of pages swapped out | long | -| system.memory.swap.readahead.cached | swap readahead cache hits | long | -| system.memory.swap.readahead.pages | swap readahead pages | long | -| system.memory.swap.total | Total swap memory. | long | -| system.memory.swap.used.bytes | Used swap memory. | long | -| system.memory.swap.used.pct | The percentage of used swap memory. | scaled_float | -| system.memory.total | Total memory. | long | -| system.memory.used.bytes | Used memory. | long | -| system.memory.used.pct | The percentage of used memory. | scaled_float | - - -### Network - -The System `network` dataset provides network IO metrics collected from the -operating system. One event is created for each network interface. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. 
Required field for all events. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. 
As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.network.in.bytes | The number of bytes received on all network interfaces by the host in a given period of time. | scaled_float | -| host.network.in.packets | The number of packets received on all network interfaces by the host in a given period of time. | scaled_float | -| host.network.out.bytes | The number of bytes sent out on all network interfaces by the host in a given period of time. | scaled_float | -| host.network.out.packets | The number of packets sent out on all network interfaces by the host in a given period of time. | scaled_float | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. 
If multiple messages exist, they can be combined into one message. | text | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.pid | Process id. | long | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| system.network.in.bytes | The number of bytes received. | long | -| system.network.in.dropped | The number of incoming packets that were dropped. | long | -| system.network.in.errors | The number of errors while receiving. | long | -| system.network.in.packets | The number or packets received. | long | -| system.network.name | The network interface name. | keyword | -| system.network.out.bytes | The number of bytes sent. | long | -| system.network.out.dropped | The number of outgoing packets that were dropped. This value is always 0 on Darwin and BSD because it is not reported by the operating system. | long | -| system.network.out.errors | The number of errors while sending. | long | -| system.network.out.packets | The number of packets sent. | long | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | - - -### Process - -The System `process` dataset provides process statistics. One document is -provided for each process. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. 
Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. | keyword | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.pgid | Identifier of the group of processes the process belongs to. | long | -| process.pid | Process id. | long | -| process.ppid | Parent process' pid. | long | -| process.working_directory | The working directory of the process. | keyword | -| system.process.cgroup.blkio.id | ID of the cgroup. | keyword | -| system.process.cgroup.blkio.path | Path to the cgroup relative to the cgroup subsystems mountpoint. | keyword | -| system.process.cgroup.blkio.total.bytes | Total number of bytes transferred to and from all block devices by processes in the cgroup. | long | -| system.process.cgroup.blkio.total.ios | Total number of I/O operations performed on all devices by processes in the cgroup as seen by the throttling policy. | long | -| system.process.cgroup.cpu.cfs.period.us | Period of time in microseconds for how regularly a cgroup's access to CPU resources should be reallocated. | long | -| system.process.cgroup.cpu.cfs.quota.us | Total amount of time in microseconds for which all tasks in a cgroup can run during one period (as defined by cfs.period.us). 
| long | -| system.process.cgroup.cpu.cfs.shares | An integer value that specifies a relative share of CPU time available to the tasks in a cgroup. The value specified in the cpu.shares file must be 2 or higher. | long | -| system.process.cgroup.cpu.id | ID of the cgroup. | keyword | -| system.process.cgroup.cpu.path | Path to the cgroup relative to the cgroup subsystem's mountpoint. | keyword | -| system.process.cgroup.cpu.rt.period.us | Period of time in microseconds for how regularly a cgroup's access to CPU resources is reallocated. | long | -| system.process.cgroup.cpu.rt.runtime.us | Period of time in microseconds for the longest continuous period in which the tasks in a cgroup have access to CPU resources. | long | -| system.process.cgroup.cpu.stats.periods | Number of period intervals (as specified in cpu.cfs.period.us) that have elapsed. | long | -| system.process.cgroup.cpu.stats.throttled.ns | The total time duration (in nanoseconds) for which tasks in a cgroup have been throttled. | long | -| system.process.cgroup.cpu.stats.throttled.periods | Number of times tasks in a cgroup have been throttled (that is, not allowed to run because they have exhausted all of the available time as specified by their quota). | long | -| system.process.cgroup.cpuacct.id | ID of the cgroup. | keyword | -| system.process.cgroup.cpuacct.path | Path to the cgroup relative to the cgroup subsystem's mountpoint. | keyword | -| system.process.cgroup.cpuacct.percpu | CPU time (in nanoseconds) consumed on each CPU by all tasks in this cgroup. | object | -| system.process.cgroup.cpuacct.stats.system.ns | CPU time consumed by tasks in user (kernel) mode. | long | -| system.process.cgroup.cpuacct.stats.user.ns | CPU time consumed by tasks in user mode. | long | -| system.process.cgroup.cpuacct.total.ns | Total CPU time in nanoseconds consumed by all tasks in the cgroup. | long | -| system.process.cgroup.id | The ID common to all cgroups associated with this task. 
If there isn't a common ID used by all cgroups this field will be absent. | keyword | -| system.process.cgroup.memory.id | ID of the cgroup. | keyword | -| system.process.cgroup.memory.kmem.failures | The number of times that the memory limit (kmem.limit.bytes) was reached. | long | -| system.process.cgroup.memory.kmem.limit.bytes | The maximum amount of kernel memory that tasks in the cgroup are allowed to use. | long | -| system.process.cgroup.memory.kmem.usage.bytes | Total kernel memory usage by processes in the cgroup (in bytes). | long | -| system.process.cgroup.memory.kmem.usage.max.bytes | The maximum kernel memory used by processes in the cgroup (in bytes). | long | -| system.process.cgroup.memory.kmem_tcp.failures | The number of times that the memory limit (kmem_tcp.limit.bytes) was reached. | long | -| system.process.cgroup.memory.kmem_tcp.limit.bytes | The maximum amount of memory for TCP buffers that tasks in the cgroup are allowed to use. | long | -| system.process.cgroup.memory.kmem_tcp.usage.bytes | Total memory usage for TCP buffers in bytes. | long | -| system.process.cgroup.memory.kmem_tcp.usage.max.bytes | The maximum memory used for TCP buffers by processes in the cgroup (in bytes). | long | -| system.process.cgroup.memory.mem.failures | The number of times that the memory limit (mem.limit.bytes) was reached. | long | -| system.process.cgroup.memory.mem.limit.bytes | The maximum amount of user memory in bytes (including file cache) that tasks in the cgroup are allowed to use. | long | -| system.process.cgroup.memory.mem.usage.bytes | Total memory usage by processes in the cgroup (in bytes). | long | -| system.process.cgroup.memory.mem.usage.max.bytes | The maximum memory used by processes in the cgroup (in bytes). | long | -| system.process.cgroup.memory.memsw.failures | The number of times that the memory plus swap space limit (memsw.limit.bytes) was reached. 
| long | -| system.process.cgroup.memory.memsw.limit.bytes | The maximum amount for the sum of memory and swap usage that tasks in the cgroup are allowed to use. | long | -| system.process.cgroup.memory.memsw.usage.bytes | The sum of current memory usage plus swap space used by processes in the cgroup (in bytes). | long | -| system.process.cgroup.memory.memsw.usage.max.bytes | The maximum amount of memory and swap space used by processes in the cgroup (in bytes). | long | -| system.process.cgroup.memory.path | Path to the cgroup relative to the cgroup subsystem's mountpoint. | keyword | -| system.process.cgroup.memory.stats.active_anon.bytes | Anonymous and swap cache on active least-recently-used (LRU) list, including tmpfs (shmem), in bytes. | long | -| system.process.cgroup.memory.stats.active_file.bytes | File-backed memory on active LRU list, in bytes. | long | -| system.process.cgroup.memory.stats.cache.bytes | Page cache, including tmpfs (shmem), in bytes. | long | -| system.process.cgroup.memory.stats.hierarchical_memory_limit.bytes | Memory limit for the hierarchy that contains the memory cgroup, in bytes. | long | -| system.process.cgroup.memory.stats.hierarchical_memsw_limit.bytes | Memory plus swap limit for the hierarchy that contains the memory cgroup, in bytes. | long | -| system.process.cgroup.memory.stats.inactive_anon.bytes | Anonymous and swap cache on inactive LRU list, including tmpfs (shmem), in bytes | long | -| system.process.cgroup.memory.stats.inactive_file.bytes | File-backed memory on inactive LRU list, in bytes. | long | -| system.process.cgroup.memory.stats.major_page_faults | Number of times that a process in the cgroup triggered a major fault. "Major" faults happen when the kernel actually has to read the data from disk. | long | -| system.process.cgroup.memory.stats.mapped_file.bytes | Size of memory-mapped mapped files, including tmpfs (shmem), in bytes. 
| long | -| system.process.cgroup.memory.stats.page_faults | Number of times that a process in the cgroup triggered a page fault. | long | -| system.process.cgroup.memory.stats.pages_in | Number of pages paged into memory. This is a counter. | long | -| system.process.cgroup.memory.stats.pages_out | Number of pages paged out of memory. This is a counter. | long | -| system.process.cgroup.memory.stats.rss.bytes | Anonymous and swap cache (includes transparent hugepages), not including tmpfs (shmem), in bytes. | long | -| system.process.cgroup.memory.stats.rss_huge.bytes | Number of bytes of anonymous transparent hugepages. | long | -| system.process.cgroup.memory.stats.swap.bytes | Swap usage, in bytes. | long | -| system.process.cgroup.memory.stats.unevictable.bytes | Memory that cannot be reclaimed, in bytes. | long | -| system.process.cgroup.path | The path to the cgroup relative to the cgroup subsystem's mountpoint. If there isn't a common path used by all cgroups this field will be absent. | keyword | -| system.process.cmdline | The full command-line used to start the process, including the arguments separated by space. | keyword | -| system.process.cpu.start_time | The time when the process was started. | date | -| system.process.cpu.system.ticks | The amount of CPU time the process spent in kernel space. | long | -| system.process.cpu.total.norm.pct | The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 100%. | scaled_float | -| system.process.cpu.total.pct | The percentage of CPU time spent by the process since the last update. Its value is similar to the %CPU value of the process displayed by the top command on Unix systems. | scaled_float | -| system.process.cpu.total.ticks | The total CPU time spent by the process. | long | -| system.process.cpu.total.value | The value of CPU usage since starting the process. 
| long | -| system.process.cpu.user.ticks | The amount of CPU time the process spent in user space. | long | -| system.process.env | The environment variables used to start the process. The data is available on FreeBSD, Linux, and OS X. | object | -| system.process.fd.limit.hard | The hard limit on the number of file descriptors opened by the process. The hard limit can only be raised by root. | long | -| system.process.fd.limit.soft | The soft limit on the number of file descriptors opened by the process. The soft limit can be changed by the process at any time. | long | -| system.process.fd.open | The number of file descriptors open by the process. | long | -| system.process.memory.rss.bytes | The Resident Set Size. The amount of memory the process occupied in main memory (RAM). On Windows this represents the current working set size, in bytes. | long | -| system.process.memory.rss.pct | The percentage of memory the process occupied in main memory (RAM). | scaled_float | -| system.process.memory.share | The shared memory the process uses. | long | -| system.process.memory.size | The total virtual memory the process has. On Windows this represents the Commit Charge (the total amount of memory that the memory manager has committed for a running process) value in bytes for this process. | long | -| system.process.state | The process state. For example: "running". | keyword | -| user.name | Short name or login of the user. | keyword | - - -### Process summary - -The `process_summary` dataset collects high level statistics about the running -processes. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.pid | Process id. | long | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| system.process.summary.dead | Number of dead processes on this host. It's very unlikely that it will appear but in some special situations it may happen. 
| long | -| system.process.summary.idle | Number of idle processes on this host. | long | -| system.process.summary.running | Number of running processes on this host. | long | -| system.process.summary.sleeping | Number of sleeping processes on this host. | long | -| system.process.summary.stopped | Number of stopped processes on this host. | long | -| system.process.summary.total | Total number of processes on this host. | long | -| system.process.summary.unknown | Number of processes for which the state couldn't be retrieved or is unknown. | long | -| system.process.summary.zombie | Number of zombie processes on this host. | long | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | - - -### Socket summary - -The System `socket_summary` dataset provides the summary of open network -sockets in the host system. - -It collects a summary of metrics with the count of existing TCP and UDP -connections and the count of listening ports. - -This dataset is available on: - -- FreeBSD -- Linux -- macOS -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. 
| keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. 
| keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.pid | Process id. | long | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. 
| long | -| system.socket.summary.all.count | All open connections | integer | -| system.socket.summary.all.listening | All listening ports | integer | -| system.socket.summary.tcp.all.close_wait | Number of TCP connections in _close_wait_ state | integer | -| system.socket.summary.tcp.all.closing | Number of TCP connections in _closing_ state | integer | -| system.socket.summary.tcp.all.count | All open TCP connections | integer | -| system.socket.summary.tcp.all.established | Number of established TCP connections | integer | -| system.socket.summary.tcp.all.fin_wait1 | Number of TCP connections in _fin_wait1_ state | integer | -| system.socket.summary.tcp.all.fin_wait2 | Number of TCP connections in _fin_wait2_ state | integer | -| system.socket.summary.tcp.all.last_ack | Number of TCP connections in _last_ack_ state | integer | -| system.socket.summary.tcp.all.listening | All TCP listening ports | integer | -| system.socket.summary.tcp.all.orphan | A count of all orphaned tcp sockets. Only available on Linux. | integer | -| system.socket.summary.tcp.all.syn_recv | Number of TCP connections in _syn_recv_ state | integer | -| system.socket.summary.tcp.all.syn_sent | Number of TCP connections in _syn_sent_ state | integer | -| system.socket.summary.tcp.all.time_wait | Number of TCP connections in _time_wait_ state | integer | -| system.socket.summary.tcp.memory | Memory used by TCP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/tcp_mem. Only available on Linux. | integer | -| system.socket.summary.udp.all.count | All open UDP connections | integer | -| system.socket.summary.udp.memory | Memory used by UDP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/udp_mem. Only available on Linux. | integer | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. 
| keyword | - - -### Uptime - -The System `uptime` dataset provides the uptime of the host operating system. - -This dataset is available on: - -- Linux -- macOS -- OpenBSD -- FreeBSD -- Windows - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. 
It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| system.uptime.duration.ms | The OS uptime in milliseconds. | long | - - diff --git a/packages/system/0.9.2/img/kibana-system.png b/packages/system/0.9.2/img/kibana-system.png deleted file mode 100644 index 8741a56624..0000000000 Binary files a/packages/system/0.9.2/img/kibana-system.png and /dev/null differ diff --git a/packages/system/0.9.2/img/metricbeat_system_dashboard.png b/packages/system/0.9.2/img/metricbeat_system_dashboard.png deleted file mode 100644 index 2ff6ad8bd0..0000000000 Binary files a/packages/system/0.9.2/img/metricbeat_system_dashboard.png and /dev/null differ 
diff --git a/packages/system/0.9.2/img/system.svg b/packages/system/0.9.2/img/system.svg deleted file mode 100644 index 0aba96275e..0000000000 --- a/packages/system/0.9.2/img/system.svg +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file diff --git a/packages/system/0.9.2/kibana/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab.json b/packages/system/0.9.2/kibana/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab.json deleted file mode 100644 index 8814d936cf..0000000000 --- a/packages/system/0.9.2/kibana/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab.json +++ /dev/null 
@@ -1,53 +0,0 @@ -{ - "attributes": { - "description": "New users and groups dashboard for the System integration in Logs", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":12,\"i\":\"1\",\"w\":24,\"x\":0,\"y\":4},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"2\",\"w\":24,\"x\":24,\"y\":4},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":16},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"4\",\"w\":24,\"x\":24,\"y\":16},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":12,\"i\":\"5\",\"w\":24,\"x\":0,\"y\":28},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"6\",\"w\":24,\"x\":24,\"y\":28},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"7\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Logs System] New users and groups", - "version": 1 - }, - "id": "system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab", - "references": [ - { - "id": "system-f398d2f0-fa77-11e6-ae9b-81e5311e8cab", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-5dd15c00-fa78-11e6-ae9b-81e5311e8cab", - "name": "panel_1", - "type": 
"visualization" - }, - { - "id": "system-e121b140-fa78-11e6-a1df-a78bd7504d38", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "system-d56ee420-fa79-11e6-a1df-a78bd7504d38", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "system-12667040-fa80-11e6-a1df-a78bd7504d38", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "system-346bb290-fa80-11e6-a1df-a78bd7504d38", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "system-327417e0-8462-11e7-bab8-bd2f0fb42c54", - "name": "panel_6", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.9.2/kibana/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a.json b/packages/system/0.9.2/kibana/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a.json deleted file mode 100644 index 7c1b819642..0000000000 --- a/packages/system/0.9.2/kibana/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "description": "Sudo commands dashboard from the Logs System integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"2\",\"w\":48,\"x\":0,\"y\":36},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":16,\"i\":\"3\",\"w\":48,\"x\":0,\"y\":4},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"4\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Logs System] Sudo commands", - "version": 1 - }, - "id": "system-277876d0-fa2c-11e6-bbd3-29c986c96e5a", - "references": [ - { - "id": "system-5c7af030-fa2a-11e6-bbd3-29c986c96e5a", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-51164310-fa2b-11e6-bbd3-29c986c96e5a", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "system-dc589770-fa2b-11e6-bbd3-29c986c96e5a", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "system-327417e0-8462-11e7-bab8-bd2f0fb42c54", - "name": "panel_3", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.9.2/kibana/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a.json b/packages/system/0.9.2/kibana/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a.json deleted file mode 100644 index 34f78d0da6..0000000000 
--- a/packages/system/0.9.2/kibana/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a.json +++ /dev/null 
@@ -1,48 +0,0 @@ -{ - "attributes": { - "description": "SSH dashboard for the System integration in Logs", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":16},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"2\",\"w\":48,\"x\":0,\"y\":4},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":28},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"mapBounds\":{\"bottom_right\":{\"lat\":10.31491928581316,\"lon\":74.53125},\"top_left\":{\"lat\":60.50052541051131,\"lon\":-27.94921875}},\"mapCenter\":[39.774769485295465,23.203125],\"mapCollar\":{\"bottom_right\":{\"lat\":-14.777884999999998,\"lon\":125.771485},\"top_left\":{\"lat\":85.593335,\"lon\":-79.189455},\"zoom\":3},\"mapZoom\":3},\"gridData\":{\"h\":16,\"i\":\"4\",\"w\":24,\"x\":24,\"y\":28},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"columns\":[\"system.auth.ssh.event\",\"system.auth.ssh.method\",\"user.name\",\"source.ip\",\"source.geo.country_iso_code\"],\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"h\":12,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":44},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"6\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Logs System] SSH login attempts", - "version": 1 - }, - "id": "system-5517a150-f9ce-11e6-8115-a7c18106d86a", - "references": [ - { - "id": 
"system-d16bb400-f9cc-11e6-8115-a7c18106d86a", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-78b74f30-f9cd-11e6-8115-a7c18106d86a", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "system-341ffe70-f9ce-11e6-8115-a7c18106d86a", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "system-3cec3eb0-f9d3-11e6-8a3e-2b904044ea1d", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "system-62439dc0-f9c9-11e6-a747-6121780e0414", - "name": "panel_4", - "type": "search" - }, - { - "id": "system-327417e0-8462-11e7-bab8-bd2f0fb42c54", - "name": "panel_5", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.9.2/kibana/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8.json b/packages/system/0.9.2/kibana/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8.json deleted file mode 100644 index 4dba98af12..0000000000 --- a/packages/system/0.9.2/kibana/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8.json +++ /dev/null 
@@ -1,133 +0,0 @@ -{ - "attributes": { - "description": "Overview of host metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"1\",\"w\":24,\"x\":0,\"y\":55},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"2\",\"w\":24,\"x\":24,\"y\":25},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"3\",\"w\":24,\"x\":24,\"y\":55},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"4\",\"w\":24,\"x\":0,\"y\":40},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":70},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":24,\"x\":0,\"y\":70},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"7\",\"w\":24,\"x\":0,\"y\":25},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"8\",\"w\":24,\"x\":24,\"y\":40},\"panelIndex\":\"8\",\"panelRefName\":\"panel_7\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"9\",\"w\":8,\"x\":16,\"y\":5},\"panelIndex\":\"9\",\"panelRefName\":\"panel_8\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"10\",\"w\":8,\"x\":0,\"y\":5},\"panelIndex\":\"10\",\"panelRefName\":\"panel_9\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"11\",\"w\":8,\"x\":8,
\"y\":5},\"panelIndex\":\"11\",\"panelRefName\":\"panel_10\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"12\",\"w\":8,\"x\":24,\"y\":5},\"panelIndex\":\"12\",\"panelRefName\":\"panel_11\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"13\",\"w\":8,\"x\":32,\"y\":5},\"panelIndex\":\"13\",\"panelRefName\":\"panel_12\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"14\",\"w\":16,\"x\":32,\"y\":15},\"panelIndex\":\"14\",\"panelRefName\":\"panel_13\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":5,\"i\":\"16\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"16\",\"panelRefName\":\"panel_14\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"21\",\"w\":8,\"x\":0,\"y\":15},\"panelIndex\":\"21\",\"panelRefName\":\"panel_15\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"22\",\"w\":8,\"x\":8,\"y\":15},\"panelIndex\":\"22\",\"panelRefName\":\"panel_16\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"23\",\"w\":8,\"x\":24,\"y\":15},\"panelIndex\":\"23\",\"panelRefName\":\"panel_17\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"25\",\"w\":8,\"x\":40,\"y\":5},\"panelIndex\":\"25\",\"panelRefName\":\"panel_18\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"27\",\"w\":24,\"x\":0,\"y\":85},\"panelIndex\":\"27\",\"panelRefName\":\"panel_19\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"28\",\"w\":24,\"x\":24,\"y\":85},\"panelIndex\":\"28\",\"panelRefName\":\"panel_20\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":10,\"i\":\"29\",\"w\":8,\"x\":16,\"y\":15},\"panelIndex\":\"29\",\"panelRefName\":\"panel_21\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":5,\"i\":\"30\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"30\",\"panelRefName\":\"panel_22\",\"version\":\"7.6.0\"}]", - "timeRestore": false, - "title": "[Metrics System] Host overview", - "version": 1 - }, - "id": "system-79ffd6e0-faa0-11e6-947f-177f697178b8", - "references": [ - { - "id": "system-6b7b9a40-faa1-11e6-86b1-cd7735ff7e23", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-4d546850-1b15-11e7-b09e-037021c4f8df", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "system-089b85d0-1b16-11e7-b09e-037021c4f8df", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "system-bfa5e400-1b16-11e7-b09e-037021c4f8df", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "system-e0f001c0-1b18-11e7-b09e-037021c4f8df", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "system-2e224660-1b19-11e7-b09e-037021c4f8df", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "system-ab2d1e90-1b1a-11e7-b09e-037021c4f8df", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "system-4e4bb1e0-1b1b-11e7-b09e-037021c4f8df", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "system-26732e20-1b91-11e7-bec4-a5e9ec5cab8b", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "system-1aae9140-1b93-11e7-8ada-3df93aab833e", - "name": "panel_12", - "type": "visualization" - }, - { - "id": "system-34f97ee0-1b96-11e7-8ada-3df93aab833e", - 
"name": "panel_13", - "type": "visualization" - }, - { - "id": "system-Navigation", - "name": "panel_14", - "type": "visualization" - }, - { - "id": "system-19e123b0-4d5a-11e7-aee5-fdc812cc3bec", - "name": "panel_15", - "type": "visualization" - }, - { - "id": "system-d2e80340-4d5c-11e7-aa29-87a97a796de6", - "name": "panel_16", - "type": "visualization" - }, - { - "id": "system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32", - "name": "panel_17", - "type": "visualization" - }, - { - "id": "system-96976150-4d5d-11e7-aa29-87a97a796de6", - "name": "panel_18", - "type": "visualization" - }, - { - "id": "system-99381c80-4d60-11e7-9a4c-ed99bbcaa42b", - "name": "panel_19", - "type": "visualization" - }, - { - "id": "system-c5e3cf90-4d60-11e7-9a4c-ed99bbcaa42b", - "name": "panel_20", - "type": "visualization" - }, - { - "id": "system-590a60f0-5d87-11e7-8884-1bb4c3b890e4", - "name": "panel_21", - "type": "visualization" - }, - { - "id": "system-3d65d450-a9c3-11e7-af20-67db8aecb295", - "name": "panel_22", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.9.2/kibana/dashboard/system-Filebeat-syslog-dashboard.json b/packages/system/0.9.2/kibana/dashboard/system-Filebeat-syslog-dashboard.json deleted file mode 100644 index e853fd4613..0000000000 --- a/packages/system/0.9.2/kibana/dashboard/system-Filebeat-syslog-dashboard.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "description": "Syslog dashboard from the Logs System integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"1\",\"w\":32,\"x\":0,\"y\":4},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"2\",\"w\":16,\"x\":32,\"y\":4},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"columns\":[\"host.hostname\",\"process.name\",\"message\"],\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"h\":28,\"i\":\"3\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"4\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Logs System] Syslog dashboard", - "version": 1 - }, - "id": "system-Filebeat-syslog-dashboard", - "references": [ - { - "id": "system-Syslog-events-by-hostname", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-Syslog-hostnames-and-processes", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "system-Syslog-system-logs", - "name": "panel_2", - "type": "search" - }, - { - "id": "system-327417e0-8462-11e7-bab8-bd2f0fb42c54", - "name": "panel_3", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.9.2/kibana/dashboard/system-Metricbeat-system-overview.json b/packages/system/0.9.2/kibana/dashboard/system-Metricbeat-system-overview.json deleted file mode 100644 index 286c979eb2..0000000000 
--- a/packages/system/0.9.2/kibana/dashboard/system-Metricbeat-system-overview.json +++ /dev/null 
@@ -1,68 +0,0 @@ -{ - "attributes": { - "description": "Overview of system metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":4,\"i\":\"9\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"9\",\"panelRefName\":\"panel_0\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"11\",\"w\":8,\"x\":0,\"y\":4},\"panelIndex\":\"11\",\"panelRefName\":\"panel_1\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":20,\"i\":\"12\",\"w\":24,\"x\":24,\"y\":12},\"panelIndex\":\"12\",\"panelRefName\":\"panel_2\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"13\",\"w\":24,\"x\":0,\"y\":12},\"panelIndex\":\"13\",\"panelRefName\":\"panel_3\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0% - 15%\":\"rgb(247,252,245)\",\"15% - 30%\":\"rgb(199,233,192)\",\"30% - 45%\":\"rgb(116,196,118)\",\"45% - 60%\":\"rgb(35,139,69)\"}}},\"gridData\":{\"h\":24,\"i\":\"14\",\"w\":48,\"x\":0,\"y\":32},\"panelIndex\":\"14\",\"panelRefName\":\"panel_4\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"16\",\"w\":8,\"x\":32,\"y\":4},\"panelIndex\":\"16\",\"panelRefName\":\"panel_5\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"17\",\"w\":8,\"x\":40,\"y\":4},\"panelIndex\":\"17\",\"panelRefName\":\"panel_6\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"18\",\"w\":8,\"x\":24,\"y\":4},\"panelIndex\":\"18\",\"panelRefName\":\"panel_7\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"19\",\"w\":8,\"x\":16,\"y\":4},\"panelIndex\":\"19\",\"panelRefName\":\"panel_8\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"20\",\"w\":8,\"x\":8,\"y\":4},\"panelIndex\":\"20\",\"panelRefName\":\"panel_9\",\"version\":\"7.6.0\"}]", - "timeRestore": false, - "title": "[Metrics System] Overview", - "version": 1 - }, - "id": "system-Metrics-system-overview", - "references": [ - { - "id": "system-Navigation", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "system-c6f2ffd0-4d17-11e7-a196-69b9a7a020a9", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "system-fe064790-1b1f-11e7-bec4-a5e9ec5cab8b", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "system-855899e0-1b1c-11e7-b09e-037021c4f8df", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "system-7cdb1330-4d1a-11e7-a196-69b9a7a020a9", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "system-1aae9140-1b93-11e7-8ada-3df93aab833e", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b", - "name": 
"panel_9", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/system/0.9.2/kibana/search/system-62439dc0-f9c9-11e6-a747-6121780e0414.json b/packages/system/0.9.2/kibana/search/system-62439dc0-f9c9-11e6-a747-6121780e0414.json deleted file mode 100644 index abdd218801..0000000000 --- a/packages/system/0.9.2/kibana/search/system-62439dc0-f9c9-11e6-a747-6121780e0414.json +++ /dev/null @@ -1,33 +0,0 @@ -{ - "attributes": { - "columns": [ - "system.auth.ssh.event", - "system.auth.ssh.method", - "user.name", - "source.ip", - "source.geo.country_iso_code" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:system.auth AND system.auth.ssh.event:*\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "SSH login attempts [Logs System]", - "version": 1 - }, - "id": "system-62439dc0-f9c9-11e6-a747-6121780e0414", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.9.2/kibana/search/system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab.json b/packages/system/0.9.2/kibana/search/system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab.json deleted file mode 100644 index ae1484339a..0000000000 --- a/packages/system/0.9.2/kibana/search/system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.name", - "user.id", - "group.id", - "system.auth.useradd.home", - "system.auth.useradd.shell" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.useradd:*\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "useradd logs [Logs System]", - "version": 1 - }, - "id": "system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.9.2/kibana/search/system-Syslog-system-logs.json b/packages/system/0.9.2/kibana/search/system-Syslog-system-logs.json deleted file mode 100644 index 6a2ef982d2..0000000000 --- a/packages/system/0.9.2/kibana/search/system-Syslog-system-logs.json +++ /dev/null @@ -1,31 +0,0 @@ -{ - "attributes": { - "columns": [ - "host.hostname", - "process.name", - "message" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:system.syslog\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Syslog logs [Logs System]", - "version": 1 - }, - "id": "system-Syslog-system-logs", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file 
diff --git a/packages/system/0.9.2/kibana/search/system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a.json b/packages/system/0.9.2/kibana/search/system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a.json deleted file mode 100644 index e64a483853..0000000000 --- a/packages/system/0.9.2/kibana/search/system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a.json +++ /dev/null @@ -1,32 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.name", - "system.auth.sudo.user", - "system.auth.sudo.pwd", - "system.auth.sudo.command" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.sudo:*\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Sudo commands [Logs System]", - "version": 1 - }, - "id": "system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.9.2/kibana/search/system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38.json b/packages/system/0.9.2/kibana/search/system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38.json deleted file mode 100644 index e05ac92d9b..0000000000 --- a/packages/system/0.9.2/kibana/search/system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "columns": [ - "group.name", - "group.id" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.groupadd:*\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "groupadd logs [Logs System]", - "version": 1 - }, - "id": "system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/0.9.2/kibana/visualization/system-089b85d0-1b16-11e7-b09e-037021c4f8df.json b/packages/system/0.9.2/kibana/visualization/system-089b85d0-1b16-11e7-b09e-037021c4f8df.json deleted file mode 100644 index 40175102f6..0000000000 --- a/packages/system/0.9.2/kibana/visualization/system-089b85d0-1b16-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Network Traffic (Bytes) [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"lucene\",\"query\":\"-system.network.name:l*\"},\"id\":\"da1046f0-faa0-11e6-86b1-cd7735ff7e23\",\"index_pattern\":\"*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"da1046f1-faa0-11e6-86b1-cd7735ff7e23\",\"label\":\"Inbound \",\"line_width\":\"0\",\"metrics\":[{\"field\":\"system.network.in.bytes\",\"id\":\"da1046f2-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"max\"},{\"field\":\"da1046f2-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"f41f9280-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"field\":\"f41f9280-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"a87398e0-1b93-11e7-8ada-3df93aab833e\",\"type\":\"positive_only\",\"unit\":\"\"},{\"function\":\"sum\",\"id\":\"2d533df0-2c2d-11e7-be71-3162da85303f\",\"type\":\"series_agg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(250,40,255,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"fbbd5720-faa0-11e6-86b1-cd7735ff7e23\",\"label\":\"Outbound 
\",\"line_width\":\"0\",\"metrics\":[{\"field\":\"system.network.out.bytes\",\"id\":\"fbbd7e30-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"max\"},{\"field\":\"fbbd7e30-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"fbbd7e31-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"id\":\"17e597a0-faa1-11e6-86b1-cd7735ff7e23\",\"script\":\"params.rate != null \\u0026\\u0026 params.rate \\u003e 0 ? params.rate * -1 : null\",\"type\":\"calculation\",\"variables\":[{\"field\":\"fbbd7e31-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"1940bad0-faa1-11e6-86b1-cd7735ff7e23\",\"name\":\"rate\"}]},{\"function\":\"sum\",\"id\":\"533da9b0-2c2d-11e7-be71-3162da85303f\",\"type\":\"series_agg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"Mericbeat: Network Traffic (Bytes)\",\"type\":\"metrics\"}" - }, - "id": "system-089b85d0-1b16-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.9.2/kibana/visualization/system-12667040-fa80-11e6-a1df-a78bd7504d38.json b/packages/system/0.9.2/kibana/visualization/system-12667040-fa80-11e6-a1df-a78bd7504d38.json deleted file mode 100644 index 8c5d8b0366..0000000000 --- a/packages/system/0.9.2/kibana/visualization/system-12667040-fa80-11e6-a1df-a78bd7504d38.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New groups [Logs System]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"group.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"group.id\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"New groups\",\"type\":\"table\"}" - }, - "id": "system-12667040-fa80-11e6-a1df-a78bd7504d38", - "references": [ - { - "id": "system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.9.2/kibana/visualization/system-19e123b0-4d5a-11e7-aee5-fdc812cc3bec.json b/packages/system/0.9.2/kibana/visualization/system-19e123b0-4d5a-11e7-aee5-fdc812cc3bec.json deleted file mode 100644 index dfaa630e4a..0000000000 --- a/packages/system/0.9.2/kibana/visualization/system-19e123b0-4d5a-11e7-aee5-fdc812cc3bec.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Swap usage [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.memory\\\"\"},\"gauge_color_rules\":[{\"gauge\":\"rgba(104,188,0,1)\",\"id\":\"d17c1e90-4d59-11e7-aee5-fdc812cc3bec\",\"operator\":\"gte\",\"value\":0},{\"gauge\":\"rgba(251,158,0,1)\",\"id\":\"fc1d3490-4d59-11e7-aee5-fdc812cc3bec\",\"operator\":\"gte\",\"value\":0.7},{\"gauge\":\"rgba(211,49,21,1)\",\"id\":\"0e204240-4d5a-11e7-aee5-fdc812cc3bec\",\"operator\":\"gte\",\"value\":0.85}],\"gauge_inner_width\":10,\"gauge_max\":\"\",\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"cee2fd20-4d59-11e7-aee5-fdc812cc3bec\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"cee2fd21-4d59-11e7-aee5-fdc812cc3bec\",\"label\":\"Swap usage\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.swap.used.pct\",\"id\":\"cee2fd22-4d59-11e7-aee5-fdc812cc3bec\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\"},\"title\":\"Swap usage [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-19e123b0-4d5a-11e7-aee5-fdc812cc3bec", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.9.2/kibana/visualization/system-1aae9140-1b93-11e7-8ada-3df93aab833e.json b/packages/system/0.9.2/kibana/visualization/system-1aae9140-1b93-11e7-8ada-3df93aab833e.json deleted file mode 100644 index 1c420ec4c8..0000000000 --- a/packages/system/0.9.2/kibana/visualization/system-1aae9140-1b93-11e7-8ada-3df93aab833e.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Outbound Traffic [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"0e346760-1b92-11e7-bec4-a5e9ec5cab8b\"}],\"filter\":{\"language\":\"lucene\",\"query\":\"-system.network.name:l*\"},\"id\":\"0c761590-1b92-11e7-bec4-a5e9ec5cab8b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"0c761591-1b92-11e7-bec4-a5e9ec5cab8b\",\"label\":\"Outbound Traffic\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.out.bytes\",\"id\":\"0c761592-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"max\"},{\"field\":\"0c761592-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"1d659060-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"field\":\"1d659060-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"f2074f70-1b92-11e7-a416-41f5ccdba2e6\",\"type\":\"positive_only\",\"unit\":\"\"},{\"function\":\"sum\",\"id\":\"a1737470-2c55-11e7-a0ad-277ce466684d\",\"type\":\"series_agg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"37f70440-1b92-11e7-bec4-a5e9ec5cab8b\",\"label\":\"Total 
Transferred\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.out.bytes\",\"id\":\"37f72b50-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"max\"},{\"field\":\"37f72b50-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"37f72b51-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"derivative\",\"unit\":\"\"},{\"field\":\"37f72b51-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"f9da2dd0-1b92-11e7-a416-41f5ccdba2e6\",\"type\":\"positive_only\",\"unit\":\"\"},{\"field\":\"f9da2dd0-1b92-11e7-a416-41f5ccdba2e6\",\"function\":\"overall_sum\",\"id\":\"3e63c2f0-1b92-11e7-bec4-a5e9ec5cab8b\",\"sigma\":\"\",\"type\":\"series_agg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"metric\"},\"title\":\"Outbound Traffic [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-1aae9140-1b93-11e7-8ada-3df93aab833e", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.9.2/kibana/visualization/system-26732e20-1b91-11e7-bec4-a5e9ec5cab8b.json b/packages/system/0.9.2/kibana/visualization/system-26732e20-1b91-11e7-bec4-a5e9ec5cab8b.json deleted file mode 100644 index 2ca5154a30..0000000000 --- a/packages/system/0.9.2/kibana/visualization/system-26732e20-1b91-11e7-bec4-a5e9ec5cab8b.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Load Gauge [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"feefabd0-1b90-11e7-bec4-a5e9ec5cab8b\"}],\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.load\\\" \"},\"gauge_color_rules\":[{\"id\":\"ffd94880-1b90-11e7-bec4-a5e9ec5cab8b\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"fdcc6180-1b90-11e7-bec4-a5e9ec5cab8b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"fdcc6181-1b90-11e7-bec4-a5e9ec5cab8b\",\"label\":\"5m Load\",\"line_width\":1,\"metrics\":[{\"field\":\"system.load.5\",\"id\":\"fdcc6182-1b90-11e7-bec4-a5e9ec5cab8b\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\"},\"title\":\"Load Gauge [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-26732e20-1b91-11e7-bec4-a5e9ec5cab8b", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.9.2/kibana/visualization/system-2e224660-1b19-11e7-b09e-037021c4f8df.json b/packages/system/0.9.2/kibana/visualization/system-2e224660-1b19-11e7-b09e-037021c4f8df.json deleted file mode 100644 index 75186de954..0000000000 --- a/packages/system/0.9.2/kibana/visualization/system-2e224660-1b19-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Processes By Memory [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"bar_color\":\"rgba(104,188,0,1)\",\"id\":\"efb9b660-1b18-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0},{\"bar_color\":\"rgba(254,146,0,1)\",\"id\":\"17fcb820-1b19-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.7},{\"bar_color\":\"rgba(211,49,21,1)\",\"id\":\"1dd61070-1b19-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.85}],\"drilldown_url\":\"\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.process\\\" \"},\"id\":\"edfceb30-1b18-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"edfceb31-1b18-11e7-b09e-037021c4f8df\",\"line_width\":1,\"metrics\":[{\"field\":\"system.process.memory.rss.pct\",\"id\":\"edfceb32-1b18-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"process.name\",\"terms_order_by\":\"edfceb32-1b18-11e7-b09e-037021c4f8df\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Processes By Memory [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-2e224660-1b19-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.9.2/kibana/visualization/system-327417e0-8462-11e7-bab8-bd2f0fb42c54.json b/packages/system/0.9.2/kibana/visualization/system-327417e0-8462-11e7-bab8-bd2f0fb42c54.json deleted file mode 100644 index 464f6c729c..0000000000 --- a/packages/system/0.9.2/kibana/visualization/system-327417e0-8462-11e7-bab8-bd2f0fb42c54.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Dashboards [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"[Syslog](#/dashboard/system-Filebeat-syslog-dashboard) | [Sudo commands](#/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a) | [SSH logins](#/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a) | [New users and groups](#/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab)\"},\"title\":\"Dashboards [Logs System]\",\"type\":\"markdown\"}" - }, - "id": "system-327417e0-8462-11e7-bab8-bd2f0fb42c54", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.9.2/kibana/visualization/system-341ffe70-f9ce-11e6-8115-a7c18106d86a.json b/packages/system/0.9.2/kibana/visualization/system-341ffe70-f9ce-11e6-8115-a7c18106d86a.json deleted file mode 100644 index f155739938..0000000000 --- a/packages/system/0.9.2/kibana/visualization/system-341ffe70-f9ce-11e6-8115-a7c18106d86a.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.ssh.event:Failed OR system.auth.ssh.event:Invalid\"}}" - }, - "title": "SSH users of failed login attempts [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"scale\":\"linear\"},\"title\":\"SSH users of failed login attempts\",\"type\":\"tagcloud\"}" - }, - "id": "system-341ffe70-f9ce-11e6-8115-a7c18106d86a", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.9.2/kibana/visualization/system-346bb290-fa80-11e6-a1df-a78bd7504d38.json b/packages/system/0.9.2/kibana/visualization/system-346bb290-fa80-11e6-a1df-a78bd7504d38.json deleted file mode 100644 index 0ad2f78f65..0000000000 --- a/packages/system/0.9.2/kibana/visualization/system-346bb290-fa80-11e6-a1df-a78bd7504d38.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New groups over time [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"group.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"bottom\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"New groups over time\",\"type\":\"histogram\"}" - }, - "id": "system-346bb290-fa80-11e6-a1df-a78bd7504d38", - "references": [ - { - "id": "system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.9.2/kibana/visualization/system-34f97ee0-1b96-11e7-8ada-3df93aab833e.json b/packages/system/0.9.2/kibana/visualization/system-34f97ee0-1b96-11e7-8ada-3df93aab833e.json deleted file mode 100644 index 89d9b0fae2..0000000000 --- a/packages/system/0.9.2/kibana/visualization/system-34f97ee0-1b96-11e7-8ada-3df93aab833e.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Disk Usage [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"bar_color_rules\":[{\"bar_color\":\"rgba(104,188,0,1)\",\"id\":\"bf525310-1b95-11e7-8ada-3df93aab833e\",\"operator\":\"gte\",\"value\":0},{\"bar_color\":\"rgba(254,146,0,1)\",\"id\":\"125fc4c0-1b96-11e7-8ada-3df93aab833e\",\"operator\":\"gte\",\"value\":0.7},{\"bar_color\":\"rgba(211,49,21,1)\",\"id\":\"1a5c7240-1b96-11e7-8ada-3df93aab833e\",\"operator\":\"gte\",\"value\":0.85}],\"default_index_pattern\":\"metrics-*\",\"default_timefield\":\"@timestamp\",\"drilldown_url\":\"\",\"filter\":{\"language\":\"lucene\",\"query\":\"-system.filesystem.mount_point:\\\\/run* AND -system.filesystem.mount_point:\\\\/sys* AND -system.filesystem.mount_point:\\\\/dev* AND -system.filesystem.mount_point:\\\\/proc* AND -system.filesystem.mount_point:\\\\/var* AND 
-system.filesystem.mount_point:\\\\/boot\"},\"id\":\"9f7e48a0-1b95-11e7-8ada-3df93aab833e\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"9f7e48a1-1b95-11e7-8ada-3df93aab833e\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"system.filesystem.used.pct\",\"id\":\"9f7e48a2-1b95-11e7-8ada-3df93aab833e\",\"order\":\"desc\",\"order_by\":\"@timestamp\",\"size\":1,\"type\":\"top_hit\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.filesystem.mount_point\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"top_n\"},\"title\":\"Disk Usage [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-34f97ee0-1b96-11e7-8ada-3df93aab833e", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.9.2/kibana/visualization/system-3cec3eb0-f9d3-11e6-8a3e-2b904044ea1d.json b/packages/system/0.9.2/kibana/visualization/system-3cec3eb0-f9d3-11e6-8a3e-2b904044ea1d.json deleted file mode 100644 index c9e1455d68..0000000000 --- a/packages/system/0.9.2/kibana/visualization/system-3cec3eb0-f9d3-11e6-8a3e-2b904044ea1d.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.ssh.event:Failed OR system.auth.ssh.event:Invalid\"}}" - }, - "title": "SSH failed login attempts source locations [Logs System]", - "uiStateJSON": "{\"mapCenter\":[17.602139123350838,69.697265625],\"mapZoom\":2}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"autoPrecision\":true,\"field\":\"source.geo.location\",\"precision\":2},\"schema\":\"segment\",\"type\":\"geohash_grid\"}],\"listeners\":{},\"params\":{\"addTooltip\":true,\"heatBlur\":15,\"heatMaxZoom\":16,\"heatMinOpacity\":0.1,\"heatNormalizeData\":true,\"heatRadius\":25,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[15,5],\"mapType\":\"Shaded Circle Markers\",\"mapZoom\":2,\"wms\":{\"enabled\":false,\"options\":{\"attribution\":\"Maps provided by USGS\",\"format\":\"image/png\",\"layers\":\"0\",\"styles\":\"\",\"transparent\":true,\"version\":\"1.3.0\"},\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\"}},\"title\":\"SSH failed login attempts source locations\",\"type\":\"tile_map\"}" - }, - "id": "system-3cec3eb0-f9d3-11e6-8a3e-2b904044ea1d", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.9.2/kibana/visualization/system-3d65d450-a9c3-11e7-af20-67db8aecb295.json b/packages/system/0.9.2/kibana/visualization/system-3d65d450-a9c3-11e7-af20-67db8aecb295.json deleted file mode 100644 index 467738abc7..0000000000 
--- a/packages/system/0.9.2/kibana/visualization/system-3d65d450-a9c3-11e7-af20-67db8aecb295.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Tip [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"**TIP:** To select another host, go to the [System Overview](#/dashboard/system-Metrics-system-overview) dashboard and double-click a host name.\"},\"title\":\"Tip [Metrics System]\",\"type\":\"markdown\"}" - }, - "id": "system-3d65d450-a9c3-11e7-af20-67db8aecb295", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.9.2/kibana/visualization/system-4d546850-1b15-11e7-b09e-037021c4f8df.json b/packages/system/0.9.2/kibana/visualization/system-4d546850-1b15-11e7-b09e-037021c4f8df.json deleted file mode 100644 index cd04472792..0000000000 --- a/packages/system/0.9.2/kibana/visualization/system-4d546850-1b15-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "System Load [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.load\\\"\"},\"id\":\"f6264ad0-1b14-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(115,216,255,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"f62671e0-1b14-11e7-b09e-037021c4f8df\",\"label\":\"1m\",\"line_width\":\"3\",\"metrics\":[{\"field\":\"system.load.1\",\"id\":\"f62671e1-1b14-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"1c324850-1b15-11e7-b09e-037021c4f8df\",\"label\":\"5m\",\"line_width\":\"3\",\"metrics\":[{\"field\":\"system.load.5\",\"id\":\"1c324851-1b15-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,98,177,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"3287e740-1b15-11e7-b09e-037021c4f8df\",\"label\":\"15m\",\"line_width\":\"3\",\"metrics\":[{\"field\":\"system.load.15\",\"id\":\"32880e50-1b15-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"
title\":\"System Load [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-4d546850-1b15-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.9.2/kibana/visualization/system-4e4bb1e0-1b1b-11e7-b09e-037021c4f8df.json b/packages/system/0.9.2/kibana/visualization/system-4e4bb1e0-1b1b-11e7-b09e-037021c4f8df.json deleted file mode 100644 index 4bdb84e270..0000000000 --- a/packages/system/0.9.2/kibana/visualization/system-4e4bb1e0-1b1b-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Disk IO (Bytes) [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.diskio\\\"\"},\"id\":\"d3c67db0-1b1a-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(22,165,165,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"d3c67db1-1b1a-11e7-b09e-037021c4f8df\",\"label\":\"reads\",\"line_width\":1,\"metrics\":[{\"field\":\"system.diskio.read.bytes\",\"id\":\"d3c67db2-1b1a-11e7-b09e-037021c4f8df\",\"type\":\"max\"},{\"field\":\"d3c67db2-1b1a-11e7-b09e-037021c4f8df\",\"id\":\"f55b9910-1b1a-11e7-b09e-037021c4f8df\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"field\":\"f55b9910-1b1a-11e7-b09e-037021c4f8df\",\"id\":\"dcbbb100-1b93-11e7-8ada-3df93aab833e\",\"type\":\"positive_only\",\"unit\":\"\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"value_template\":\"{{value}}/s\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(251,158,0,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"144124d0-1b1b-11e7-b09e-037021c4f8df\",\"label\":\"writes\",\"line_width\":1,\"metrics\":[{\"field\":\"system.diskio.write.bytes\",\"id\":\"144124d1-1b1b-11e7-b09e-037021c4f8df\",\"type\":\"max\"},{\"field\":\"144124d1-1b1b-11e7-b09e-037021c4f8df\",\"id\":\"144124d2-1b1b-11e7-b09e-037021c4f8df\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"id\":\"144124d4-1b1b-11e7-b09e-037021c4f8df\",\"script\":\"params.rate \\u003e 0 ? 
params.rate * -1 : 0\",\"type\":\"calculation\",\"variables\":[{\"field\":\"144124d2-1b1b-11e7-b09e-037021c4f8df\",\"id\":\"144124d3-1b1b-11e7-b09e-037021c4f8df\",\"name\":\"rate\"}]}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"value_template\":\"{{value}}/s\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"Disk IO (Bytes) [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-4e4bb1e0-1b1b-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.9.2/kibana/visualization/system-51164310-fa2b-11e6-bbd3-29c986c96e5a.json b/packages/system/0.9.2/kibana/visualization/system-51164310-fa2b-11e6-bbd3-29c986c96e5a.json deleted file mode 100644 index efa1f752dd..0000000000 --- a/packages/system/0.9.2/kibana/visualization/system-51164310-fa2b-11e6-bbd3-29c986c96e5a.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.sudo.error:*\"}}" - }, - "title": "Sudo errors [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"system.auth.sudo.error\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"Sudo errors\",\"type\":\"histogram\"}" - }, - "id": "system-51164310-fa2b-11e6-bbd3-29c986c96e5a", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.9.2/kibana/visualization/system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b.json b/packages/system/0.9.2/kibana/visualization/system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b.json deleted file mode 100644 index bd07f29ec0..0000000000 --- a/packages/system/0.9.2/kibana/visualization/system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Inbound Traffic [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"0e346760-1b92-11e7-bec4-a5e9ec5cab8b\"}],\"filter\":{\"language\":\"lucene\",\"query\":\"-system.network.name:l*\"},\"id\":\"0c761590-1b92-11e7-bec4-a5e9ec5cab8b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"0c761591-1b92-11e7-bec4-a5e9ec5cab8b\",\"label\":\"Inbound Traffic\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.in.bytes\",\"id\":\"0c761592-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"max\"},{\"field\":\"0c761592-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"1d659060-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"field\":\"1d659060-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"f2074f70-1b92-11e7-a416-41f5ccdba2e6\",\"type\":\"positive_only\",\"unit\":\"\"},{\"function\":\"sum\",\"id\":\"c40e18f0-2c55-11e7-a0ad-277ce466684d\",\"type\":\"series_agg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"37f70440-1b92-11e7-bec4-a5e9ec5cab8b\",\"label\":\"Total 
Transferred\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.in.bytes\",\"id\":\"37f72b50-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"max\"},{\"field\":\"37f72b50-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"37f72b51-1b92-11e7-bec4-a5e9ec5cab8b\",\"type\":\"derivative\",\"unit\":\"\"},{\"field\":\"37f72b51-1b92-11e7-bec4-a5e9ec5cab8b\",\"id\":\"f9da2dd0-1b92-11e7-a416-41f5ccdba2e6\",\"type\":\"positive_only\",\"unit\":\"\"},{\"field\":\"f9da2dd0-1b92-11e7-a416-41f5ccdba2e6\",\"function\":\"overall_sum\",\"id\":\"3e63c2f0-1b92-11e7-bec4-a5e9ec5cab8b\",\"sigma\":\"\",\"type\":\"series_agg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"metric\"},\"title\":\"Inbound Traffic [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-522ee670-1b92-11e7-bec4-a5e9ec5cab8b", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.9.2/kibana/visualization/system-590a60f0-5d87-11e7-8884-1bb4c3b890e4.json b/packages/system/0.9.2/kibana/visualization/system-590a60f0-5d87-11e7-8884-1bb4c3b890e4.json deleted file mode 100644 index e5419418c6..0000000000 --- a/packages/system/0.9.2/kibana/visualization/system-590a60f0-5d87-11e7-8884-1bb4c3b890e4.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Number of processes [Metrics System]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Processes\",\"field\":\"process.pid\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.process\\\"\"},\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"type\":\"gauge\"},\"title\":\"Number of processes\",\"type\":\"metric\"}" - }, - "id": "system-590a60f0-5d87-11e7-8884-1bb4c3b890e4", - "references": [ - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.9.2/kibana/visualization/system-5c7af030-fa2a-11e6-bbd3-29c986c96e5a.json b/packages/system/0.9.2/kibana/visualization/system-5c7af030-fa2a-11e6-bbd3-29c986c96e5a.json deleted file mode 100644 index 112d3d6530..0000000000 
--- a/packages/system/0.9.2/kibana/visualization/system-5c7af030-fa2a-11e6-bbd3-29c986c96e5a.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Sudo commands by user [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"Sudo commands by user\",\"type\":\"histogram\"}" - }, - "id": "system-5c7af030-fa2a-11e6-bbd3-29c986c96e5a", - "references": [ - { - "id": "system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.9.2/kibana/visualization/system-5dd15c00-fa78-11e6-ae9b-81e5311e8cab.json b/packages/system/0.9.2/kibana/visualization/system-5dd15c00-fa78-11e6-ae9b-81e5311e8cab.json deleted file mode 100644 index bc04c92dd4..0000000000 --- a/packages/system/0.9.2/kibana/visualization/system-5dd15c00-fa78-11e6-ae9b-81e5311e8cab.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New users over time [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"bottom\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"New users over time\",\"type\":\"histogram\"}" - }, - "id": "system-5dd15c00-fa78-11e6-ae9b-81e5311e8cab", - "references": [ - { - "id": "system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.9.2/kibana/visualization/system-6b7b9a40-faa1-11e6-86b1-cd7735ff7e23.json b/packages/system/0.9.2/kibana/visualization/system-6b7b9a40-faa1-11e6-86b1-cd7735ff7e23.json deleted file mode 100644 index 22a26c29d4..0000000000 --- a/packages/system/0.9.2/kibana/visualization/system-6b7b9a40-faa1-11e6-86b1-cd7735ff7e23.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Network Traffic (Packets) [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"lucene\",\"query\":\"-system.network.name:l*\"},\"id\":\"da1046f0-faa0-11e6-86b1-cd7735ff7e23\",\"index_pattern\":\"*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":\"1\",\"formatter\":\"0.[00]a\",\"id\":\"da1046f1-faa0-11e6-86b1-cd7735ff7e23\",\"label\":\"Inbound\",\"line_width\":\"0\",\"metrics\":[{\"field\":\"system.network.in.packets\",\"id\":\"da1046f2-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"max\"},{\"field\":\"da1046f2-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"f41f9280-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"field\":\"f41f9280-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"c0da3d80-1b93-11e7-8ada-3df93aab833e\",\"type\":\"positive_only\",\"unit\":\"\"},{\"function\":\"sum\",\"id\":\"ecaad010-2c2c-11e7-be71-3162da85303f\",\"type\":\"series_agg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(250,40,255,1)\",\"fill\":\"1\",\"formatter\":\"0.[00]a\",\"id\":\"fbbd5720-faa0-11e6-86b1-cd7735ff7e23\",\"label\":\"Outbound\",\"line_width\":\"0\",\"metrics\":[{\"field\":\"system.network.out.packets\",\"id\":\"fbbd7e30-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"max\"},{\"field\":\"fbbd7e30-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"fbbd7e31-faa0-11e6-86b1-cd7735ff7e23\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"id\":\"17e597a0-faa1-11e6-86b
1-cd7735ff7e23\",\"script\":\"params.rate != null \\u0026\\u0026 params.rate \\u003e 0 ? params.rate * -1 : null\",\"type\":\"calculation\",\"variables\":[{\"field\":\"fbbd7e31-faa0-11e6-86b1-cd7735ff7e23\",\"id\":\"1940bad0-faa1-11e6-86b1-cd7735ff7e23\",\"name\":\"rate\"}]},{\"function\":\"sum\",\"id\":\"fe5fbdc0-2c2c-11e7-be71-3162da85303f\",\"type\":\"series_agg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"value_template\":\"{{value}}/s\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"Mericbeat: Network Traffic (Packets)\",\"type\":\"metrics\"}" - }, - "id": "system-6b7b9a40-faa1-11e6-86b1-cd7735ff7e23", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.9.2/kibana/visualization/system-78b74f30-f9cd-11e6-8115-a7c18106d86a.json b/packages/system/0.9.2/kibana/visualization/system-78b74f30-f9cd-11e6-8115-a7c18106d86a.json deleted file mode 100644 index c119c156ea..0000000000 --- a/packages/system/0.9.2/kibana/visualization/system-78b74f30-f9cd-11e6-8115-a7c18106d86a.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - }, - "title": "SSH login attempts [Logs System]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Accepted\":\"#3F6833\",\"Failed\":\"#F9934E\",\"Invalid\":\"#447EBC\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"system.auth.ssh.event\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"SSH login attempts\",\"type\":\"histogram\"}" - }, - "id": "system-78b74f30-f9cd-11e6-8115-a7c18106d86a", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.9.2/kibana/visualization/system-7cdb1330-4d1a-11e7-a196-69b9a7a020a9.json b/packages/system/0.9.2/kibana/visualization/system-7cdb1330-4d1a-11e7-a196-69b9a7a020a9.json deleted file mode 100644 index e89f3a3690..0000000000 --- a/packages/system/0.9.2/kibana/visualization/system-7cdb1330-4d1a-11e7-a196-69b9a7a020a9.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Hosts histogram by CPU usage [Metrics System]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0% - 5%\":\"rgb(247,252,245)\",\"10% - 15%\":\"rgb(116,196,118)\",\"15% - 20%\":\"rgb(35,139,69)\",\"5% - 10%\":\"rgb(199,233,192)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"CPU usage\",\"field\":\"system.cpu.user.pct\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Hosts\",\"field\":\"host.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Greens\",\"colorsNumber\":4,\"colorsRange\":[],\"enableHover\":false,\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.cpu\\\" \"},\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"type\":\"heatmap\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"#555\",\"rotate\":0,\"show\":false},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Hosts histogram by CPU usage [Metrics System]\",\"type\":\"heatmap\"}" - }, - "id": "system-7cdb1330-4d1a-11e7-a196-69b9a7a020a9", - "references": [ - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.9.2/kibana/visualization/system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32.json b/packages/system/0.9.2/kibana/visualization/system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32.json deleted file mode 100644 index 172b24f43c..0000000000 --- a/packages/system/0.9.2/kibana/visualization/system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Disk Used [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.fsstat\\\"\"},\"gauge_color_rules\":[{\"gauge\":\"rgba(104,188,0,1)\",\"id\":\"51921d10-4d1d-11e7-b5f2-2b7c1895bf32\",\"operator\":\"gte\",\"value\":0},{\"gauge\":\"rgba(251,158,0,1)\",\"id\":\"f26de750-4d54-11e7-b5f2-2b7c1895bf32\",\"operator\":\"gte\",\"value\":0.7},{\"gauge\":\"rgba(211,49,21,1)\",\"id\":\"fa31d190-4d54-11e7-b5f2-2b7c1895bf32\",\"operator\":\"gte\",\"value\":0.85}],\"gauge_inner_width\":10,\"gauge_max\":\"1\",\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"4e4dc780-4d1d-11e7-b5f2-2b7c1895bf32\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"4e4dee90-4d1d-11e7-b5f2-2b7c1895bf32\",\"label\":\"Disk used\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"system.fsstat.total_size.used\",\"id\":\"4e4dee91-4d1d-11e7-b5f2-2b7c1895bf32\",\"order\":\"desc\",\"order_by\":\"@timestamp\",\"size\":1,\"type\":\"top_hit\"},{\"agg_with\":\"avg\",\"field\":\"system.fsstat.total_size.total\",\"id\":\"57c96ee0-4d54-11e7-b5f2-2b7c1895bf32\",\"order\":\"desc\",\"order_by\":\"@timestamp\",\"size\":1,\"type\":\"top_hit\"},{\"id\":\"6304cca0-4d54-11e7-b5f2-2b7c1895bf32\",\"script\":\"params.used/params.total 
\",\"type\":\"math\",\"variables\":[{\"field\":\"4e4dee91-4d1d-11e7-b5f2-2b7c1895bf32\",\"id\":\"6da10430-4d54-11e7-b5f2-2b7c1895bf32\",\"name\":\"used\"},{\"field\":\"57c96ee0-4d54-11e7-b5f2-2b7c1895bf32\",\"id\":\"73b8c510-4d54-11e7-b5f2-2b7c1895bf32\",\"name\":\"total\"}]}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"type\":\"gauge\"},\"title\":\"Disk used [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-825fdb80-4d1d-11e7-b5f2-2b7c1895bf32", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.9.2/kibana/visualization/system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b.json b/packages/system/0.9.2/kibana/visualization/system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b.json deleted file mode 100644 index dc7c7ab1d6..0000000000 --- a/packages/system/0.9.2/kibana/visualization/system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "CPU Usage Gauge [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.cpu\\\"\"},\"gauge_color_rules\":[{\"gauge\":\"rgba(104,188,0,1)\",\"id\":\"4ef2c3b0-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0},{\"gauge\":\"rgba(254,146,0,1)\",\"id\":\"e6561ae0-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0.7},{\"gauge\":\"rgba(211,49,21,1)\",\"id\":\"ec655040-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0.85}],\"gauge_inner_width\":10,\"gauge_max\":\"1\",\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"4c9e2550-1b91-11e7-bec4-a5e9ec5cab8b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"4c9e2551-1b91-11e7-bec4-a5e9ec5cab8b\",\"label\":\"CPU Usage\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.user.pct\",\"id\":\"4c9e2552-1b91-11e7-bec4-a5e9ec5cab8b\",\"type\":\"avg\"},{\"field\":\"system.cpu.system.pct\",\"id\":\"225c2140-5fd7-11e7-a63a-a937b7c1a7e1\",\"type\":\"avg\"},{\"field\":\"system.cpu.cores\",\"id\":\"837a30c0-5fd7-11e7-a63a-a937b7c1a7e1\",\"type\":\"avg\"},{\"id\":\"587aa510-1b91-11e7-bec4-a5e9ec5cab8b\",\"script\":\"params.n \\u003e 0 ? 
(params.user+params.system)/params.n : null\",\"type\":\"calculation\",\"variables\":[{\"field\":\"4c9e2552-1b91-11e7-bec4-a5e9ec5cab8b\",\"id\":\"5a19af10-1b91-11e7-bec4-a5e9ec5cab8b\",\"name\":\"user\"},{\"field\":\"225c2140-5fd7-11e7-a63a-a937b7c1a7e1\",\"id\":\"32b54f80-5fd7-11e7-a63a-a937b7c1a7e1\",\"name\":\"system\"},{\"field\":\"837a30c0-5fd7-11e7-a63a-a937b7c1a7e1\",\"id\":\"8ba6eef0-5fd7-11e7-a63a-a937b7c1a7e1\",\"name\":\"n\"}]}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\"},\"title\":\"CPU Usage Gauge [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-83e12df0-1b91-11e7-bec4-a5e9ec5cab8b", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.9.2/kibana/visualization/system-855899e0-1b1c-11e7-b09e-037021c4f8df.json b/packages/system/0.9.2/kibana/visualization/system-855899e0-1b1c-11e7-b09e-037021c4f8df.json deleted file mode 100644 index ae48f968a3..0000000000 --- a/packages/system/0.9.2/kibana/visualization/system-855899e0-1b1c-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Top Hosts By CPU (Realtime) [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"bar_color\":\"rgba(104,188,0,1)\",\"id\":\"33349dd0-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0},{\"bar_color\":\"rgba(254,146,0,1)\",\"id\":\"997dc440-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.6},{\"bar_color\":\"rgba(211,49,21,1)\",\"id\":\"a10d7f20-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.85}],\"drilldown_url\":\"../app/kibana#/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8?_a=(query:(language:kuery,query:'host.name:\\\"{{key}}\\\"'))\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.cpu\\\"\"},\"id\":\"31e5afa0-1b1c-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"31e5afa1-1b1c-11e7-b09e-037021c4f8df\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.user.pct\",\"id\":\"31e5afa2-1b1c-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"host.name\",\"terms_order_by\":\"31e5afa2-1b1c-11e7-b09e-037021c4f8df\",\"terms_size\":\"10\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Top Hosts By CPU (Realtime) [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-855899e0-1b1c-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.9.2/kibana/visualization/system-96976150-4d5d-11e7-aa29-87a97a796de6.json b/packages/system/0.9.2/kibana/visualization/system-96976150-4d5d-11e7-aa29-87a97a796de6.json deleted file mode 100644 index 172bcb8f2c..0000000000 --- a/packages/system/0.9.2/kibana/visualization/system-96976150-4d5d-11e7-aa29-87a97a796de6.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Packetloss [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"6ba9b1f0-4d5d-11e7-aa29-87a97a796de6\"}],\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.network\\\"\"},\"id\":\"6984af10-4d5d-11e7-aa29-87a97a796de6\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"6984af11-4d5d-11e7-aa29-87a97a796de6\",\"label\":\"In Packetloss\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.in.dropped\",\"id\":\"6984af12-4d5d-11e7-aa29-87a97a796de6\",\"type\":\"max\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"ac2e6b30-4d5d-11e7-aa29-87a97a796de6\",\"label\":\"Out Packetloss\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.out.dropped\",\"id\":\"ac2e6b31-4d5d-11e7-aa29-87a97a796de6\",\"type\":\"max\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"metric\"},\"title\":\"Packetloss [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-96976150-4d5d-11e7-aa29-87a97a796de6", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.9.2/kibana/visualization/system-99381c80-4d60-11e7-9a4c-ed99bbcaa42b.json b/packages/system/0.9.2/kibana/visualization/system-99381c80-4d60-11e7-9a4c-ed99bbcaa42b.json deleted file mode 100644 index 66e166e22e..0000000000 --- a/packages/system/0.9.2/kibana/visualization/system-99381c80-4d60-11e7-9a4c-ed99bbcaa42b.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Interfaces by Incoming traffic [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"id\":\"44596d40-4d60-11e7-9a4c-ed99bbcaa42b\"}],\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.network\\\"\"},\"id\":\"42ceae90-4d60-11e7-9a4c-ed99bbcaa42b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"42ced5a0-4d60-11e7-9a4c-ed99bbcaa42b\",\"label\":\"Interfaces by Incoming traffic\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.in.bytes\",\"id\":\"42ced5a1-4d60-11e7-9a4c-ed99bbcaa42b\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"terms_order_by\":\"42ced5a1-4d60-11e7-9a4c-ed99bbcaa42b\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Interfaces by Incoming traffic [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-99381c80-4d60-11e7-9a4c-ed99bbcaa42b", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.9.2/kibana/visualization/system-Navigation.json b/packages/system/0.9.2/kibana/visualization/system-Navigation.json deleted file mode 100644 index d996678974..0000000000 --- a/packages/system/0.9.2/kibana/visualization/system-Navigation.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "System Navigation [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"[System Overview](#/dashboard/system-Metrics-system-overview) | [Host Overview](#/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8)\"},\"title\":\"System Navigation [Metrics System]\",\"type\":\"markdown\"}" - }, - "id": "system-Navigation", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.9.2/kibana/visualization/system-Syslog-events-by-hostname.json b/packages/system/0.9.2/kibana/visualization/system-Syslog-events-by-hostname.json deleted file mode 100644 index 97fdb33425..0000000000 --- a/packages/system/0.9.2/kibana/visualization/system-Syslog-events-by-hostname.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Syslog events by hostname [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"host.hostname\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"Syslog events by hostname\",\"type\":\"histogram\"}" - }, - "id": "system-Syslog-events-by-hostname", - "references": [ - { - "id": "system-Syslog-system-logs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.9.2/kibana/visualization/system-Syslog-hostnames-and-processes.json b/packages/system/0.9.2/kibana/visualization/system-Syslog-hostnames-and-processes.json deleted file mode 100644 index 3fe992e28b..0000000000 --- a/packages/system/0.9.2/kibana/visualization/system-Syslog-hostnames-and-processes.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Syslog hostnames and processes [Logs System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"host.hostname\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"process.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"legendPosition\":\"bottom\",\"shareYAxis\":true},\"title\":\"Syslog hostnames and processes\",\"type\":\"pie\"}" - }, - "id": "system-Syslog-hostnames-and-processes", - "references": [ - { - "id": "system-Syslog-system-logs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.9.2/kibana/visualization/system-ab2d1e90-1b1a-11e7-b09e-037021c4f8df.json b/packages/system/0.9.2/kibana/visualization/system-ab2d1e90-1b1a-11e7-b09e-037021c4f8df.json deleted file mode 100644 index 2dd21f0794..0000000000 --- a/packages/system/0.9.2/kibana/visualization/system-ab2d1e90-1b1a-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "CPU Usage [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.cpu\\\"\"},\"id\":\"80a04950-1b19-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"80a04951-1b19-11e7-b09e-037021c4f8df\",\"label\":\"user\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.user.pct\",\"id\":\"80a04952-1b19-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(211,49,21,1)\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"993acf30-1b19-11e7-b09e-037021c4f8df\",\"label\":\"system\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.system.pct\",\"id\":\"993acf31-1b19-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(123,100,255,1)\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"65ca35e0-1b1a-11e7-b09e-037021c4f8df\",\"label\":\"nice\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.nice.pct\",\"id\":\"65ca5cf0-1b1a-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(226,
115,0,1)\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"741b5f20-1b1a-11e7-b09e-037021c4f8df\",\"label\":\"irq\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.irq.pct\",\"id\":\"741b5f21-1b1a-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(176,188,0,1)\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"2efc5d40-1b1a-11e7-b09e-037021c4f8df\",\"label\":\"softirq\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.softirq.pct\",\"id\":\"2efc5d41-1b1a-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(15,20,25,1)\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"ae644a30-1b19-11e7-b09e-037021c4f8df\",\"label\":\"iowait\",\"line_width\":1,\"metrics\":[{\"field\":\"system.cpu.iowait.pct\",\"id\":\"ae644a31-1b19-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"CPU Usage [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-ab2d1e90-1b1a-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.9.2/kibana/visualization/system-bfa5e400-1b16-11e7-b09e-037021c4f8df.json b/packages/system/0.9.2/kibana/visualization/system-bfa5e400-1b16-11e7-b09e-037021c4f8df.json deleted file mode 100644 index 50aa47d6d7..0000000000 --- a/packages/system/0.9.2/kibana/visualization/system-bfa5e400-1b16-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Memory Usage [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.memory\\\"\"},\"id\":\"32f46f40-1b16-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(211,49,21,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"4ff61fd0-1b16-11e7-b09e-037021c4f8df\",\"label\":\"Used\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.actual.used.bytes\",\"id\":\"4ff61fd1-1b16-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"753a6080-1b16-11e7-b09e-037021c4f8df\",\"label\":\"Cache\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.actual.used.bytes\",\"id\":\"753a6081-1b16-11e7-b09e-037021c4f8df\",\"type\":\"avg\"},{\"field\":\"system.memory.used.bytes\",\"id\":\"7c9d3f00-1b16-11e7-b09e-037021c4f8df\",\"type\":\"avg\"},{\"id\":\"869cc160-1b16-11e7-b09e-037021c4f8df\",\"script\":\"params.actual != null \\u0026\\u0026 params.used != null ? 
params.used - params.actual : null\",\"type\":\"calculation\",\"variables\":[{\"field\":\"753a6081-1b16-11e7-b09e-037021c4f8df\",\"id\":\"890f9620-1b16-11e7-b09e-037021c4f8df\",\"name\":\"actual\"},{\"field\":\"7c9d3f00-1b16-11e7-b09e-037021c4f8df\",\"id\":\"8f3ab7f0-1b16-11e7-b09e-037021c4f8df\",\"name\":\"used\"}]}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"1\",\"formatter\":\"bytes\",\"id\":\"32f46f41-1b16-11e7-b09e-037021c4f8df\",\"label\":\"Free\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.free\",\"id\":\"32f46f42-1b16-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"stacked\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\"},\"title\":\"Memory Usage [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-bfa5e400-1b16-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.9.2/kibana/visualization/system-c5e3cf90-4d60-11e7-9a4c-ed99bbcaa42b.json b/packages/system/0.9.2/kibana/visualization/system-c5e3cf90-4d60-11e7-9a4c-ed99bbcaa42b.json deleted file mode 100644 index bbdd02df29..0000000000 --- a/packages/system/0.9.2/kibana/visualization/system-c5e3cf90-4d60-11e7-9a4c-ed99bbcaa42b.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Interfaces by Outgoing traffic [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"id\":\"9db20be0-4d60-11e7-9a4c-ed99bbcaa42b\"}],\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.network\\\"\"},\"id\":\"9cdba910-4d60-11e7-9a4c-ed99bbcaa42b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"9cdba911-4d60-11e7-9a4c-ed99bbcaa42b\",\"label\":\"Interfaces by Outgoing traffic\",\"line_width\":1,\"metrics\":[{\"field\":\"system.network.out.bytes\",\"id\":\"9cdba912-4d60-11e7-9a4c-ed99bbcaa42b\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"system.network.name\",\"terms_order_by\":\"9cdba912-4d60-11e7-9a4c-ed99bbcaa42b\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Interfaces by Outgoing traffic [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-c5e3cf90-4d60-11e7-9a4c-ed99bbcaa42b", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.9.2/kibana/visualization/system-c6f2ffd0-4d17-11e7-a196-69b9a7a020a9.json b/packages/system/0.9.2/kibana/visualization/system-c6f2ffd0-4d17-11e7-a196-69b9a7a020a9.json deleted file mode 100644 index a781526538..0000000000 --- a/packages/system/0.9.2/kibana/visualization/system-c6f2ffd0-4d17-11e7-a196-69b9a7a020a9.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Number of hosts [Metrics System]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Number of hosts\",\"field\":\"host.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":false},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"63\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"type\":\"gauge\"},\"title\":\"Number of hosts [Metrics System]\",\"type\":\"metric\"}" - }, - "id": "system-c6f2ffd0-4d17-11e7-a196-69b9a7a020a9", - "references": [ - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.9.2/kibana/visualization/system-d16bb400-f9cc-11e6-8115-a7c18106d86a.json b/packages/system/0.9.2/kibana/visualization/system-d16bb400-f9cc-11e6-8115-a7c18106d86a.json deleted file mode 100644 index 7d3a140c7b..0000000000 --- a/packages/system/0.9.2/kibana/visualization/system-d16bb400-f9cc-11e6-8115-a7c18106d86a.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"system.auth.ssh.event:Accepted\"}}" - }, - "title": "Successful SSH logins [Logs System]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Accepted\":\"#3F6833\",\"Failed\":\"#F9934E\",\"Invalid\":\"#447EBC\",\"password\":\"#BF1B00\",\"publickey\":\"#629E51\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"system.auth.ssh.method\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"times\":[]},\"title\":\"Successful SSH logins\",\"type\":\"histogram\"}" - }, - "id": "system-d16bb400-f9cc-11e6-8115-a7c18106d86a", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.9.2/kibana/visualization/system-d2e80340-4d5c-11e7-aa29-87a97a796de6.json b/packages/system/0.9.2/kibana/visualization/system-d2e80340-4d5c-11e7-aa29-87a97a796de6.json deleted file mode 100644 index 409529a0d5..0000000000 --- a/packages/system/0.9.2/kibana/visualization/system-d2e80340-4d5c-11e7-aa29-87a97a796de6.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Memory usage vs total [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"6f7618b0-4d5c-11e7-aa29-87a97a796de6\"}],\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.memory\\\"\"},\"id\":\"6bc65720-4d5c-11e7-aa29-87a97a796de6\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"6bc65721-4d5c-11e7-aa29-87a97a796de6\",\"label\":\"Memory usage\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.actual.used.bytes\",\"id\":\"6bc65722-4d5c-11e7-aa29-87a97a796de6\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"b8fe6820-4d5c-11e7-aa29-87a97a796de6\",\"label\":\"Total Memory\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.total\",\"id\":\"b8fe6821-4d5c-11e7-aa29-87a97a796de6\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"metric\"},\"title\":\"Memory usage vs total\",\"type\":\"metrics\"}" - }, - "id": "system-d2e80340-4d5c-11e7-aa29-87a97a796de6", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.9.2/kibana/visualization/system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b.json b/packages/system/0.9.2/kibana/visualization/system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b.json deleted file mode 100644 index bc6234f906..0000000000 --- a/packages/system/0.9.2/kibana/visualization/system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Memory Usage Gauge [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.memory\\\"\"},\"gauge_color_rules\":[{\"gauge\":\"rgba(104,188,0,1)\",\"id\":\"a0d522e0-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0},{\"gauge\":\"rgba(254,146,0,1)\",\"id\":\"b45ad8f0-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0.7},{\"gauge\":\"rgba(211,49,21,1)\",\"id\":\"c06e9550-1b91-11e7-bec4-a5e9ec5cab8b\",\"operator\":\"gte\",\"value\":0.85}],\"gauge_inner_width\":10,\"gauge_max\":\"1\",\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"9f51b730-1b91-11e7-bec4-a5e9ec5cab8b\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"9f51b731-1b91-11e7-bec4-a5e9ec5cab8b\",\"label\":\"Memory Usage\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.actual.used.pct\",\"id\":\"9f51b732-1b91-11e7-bec4-a5e9ec5cab8b\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\"},\"title\":\"Memory Usage Gauge [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-d3166e80-1b91-11e7-bec4-a5e9ec5cab8b", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.9.2/kibana/visualization/system-d56ee420-fa79-11e6-a1df-a78bd7504d38.json b/packages/system/0.9.2/kibana/visualization/system-d56ee420-fa79-11e6-a1df-a78bd7504d38.json deleted file mode 100644 index 4a1a669662..0000000000 --- a/packages/system/0.9.2/kibana/visualization/system-d56ee420-fa79-11e6-a1df-a78bd7504d38.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New users by home directory [Logs System]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"/bin/bash\":\"#E24D42\",\"/bin/false\":\"#508642\",\"/nonexistent\":\"#629E51\",\"/sbin/nologin\":\"#7EB26D\"},\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"system.auth.useradd.home\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":false,\"legendPosition\":\"right\"},\"title\":\"New users by home directory\",\"type\":\"pie\"}" - }, - "id": "system-d56ee420-fa79-11e6-a1df-a78bd7504d38", - "references": [ - { - "id": "system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.9.2/kibana/visualization/system-dc589770-fa2b-11e6-bbd3-29c986c96e5a.json b/packages/system/0.9.2/kibana/visualization/system-dc589770-fa2b-11e6-bbd3-29c986c96e5a.json deleted file mode 100644 index 16dd4ec2e5..0000000000 
--- a/packages/system/0.9.2/kibana/visualization/system-dc589770-fa2b-11e6-bbd3-29c986c96e5a.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top sudo commands [Logs System]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"system.auth.sudo.command\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.auth\\\"\"},\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top sudo commands\",\"type\":\"table\"}" - }, - "id": "system-dc589770-fa2b-11e6-bbd3-29c986c96e5a", - "references": [ - { - "id": "system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.9.2/kibana/visualization/system-e0f001c0-1b18-11e7-b09e-037021c4f8df.json b/packages/system/0.9.2/kibana/visualization/system-e0f001c0-1b18-11e7-b09e-037021c4f8df.json deleted file mode 100644 index 0de4eae928..0000000000 --- a/packages/system/0.9.2/kibana/visualization/system-e0f001c0-1b18-11e7-b09e-037021c4f8df.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Top Processes By CPU [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"bar_color\":\"rgba(104,188,0,1)\",\"id\":\"60e11be0-1b18-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0}],\"drilldown_url\":\"\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.process\\\"\"},\"id\":\"5f5b8d50-1b18-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"5f5b8d51-1b18-11e7-b09e-037021c4f8df\",\"line_width\":1,\"metrics\":[{\"field\":\"system.process.cpu.total.pct\",\"id\":\"5f5b8d52-1b18-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"process.name\",\"terms_order_by\":\"5f5b8d52-1b18-11e7-b09e-037021c4f8df\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Top Processes By CPU [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-e0f001c0-1b18-11e7-b09e-037021c4f8df", - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.9.2/kibana/visualization/system-e121b140-fa78-11e6-a1df-a78bd7504d38.json b/packages/system/0.9.2/kibana/visualization/system-e121b140-fa78-11e6-a1df-a78bd7504d38.json deleted file mode 100644 index 8bc2dd67ee..0000000000 --- a/packages/system/0.9.2/kibana/visualization/system-e121b140-fa78-11e6-a1df-a78bd7504d38.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New users by shell [Logs System]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"/bin/bash\":\"#E24D42\",\"/bin/false\":\"#508642\",\"/sbin/nologin\":\"#7EB26D\"},\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"system.auth.useradd.shell\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.auth\\\"\"},\"isDonut\":false,\"legendPosition\":\"right\"},\"title\":\"New users by shell\",\"type\":\"pie\"}" - }, - "id": "system-e121b140-fa78-11e6-a1df-a78bd7504d38", - "references": [ - { - "id": "system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.9.2/kibana/visualization/system-f398d2f0-fa77-11e6-ae9b-81e5311e8cab.json b/packages/system/0.9.2/kibana/visualization/system-f398d2f0-fa77-11e6-ae9b-81e5311e8cab.json deleted file mode 100644 index 485b755000..0000000000 --- a/packages/system/0.9.2/kibana/visualization/system-f398d2f0-fa77-11e6-ae9b-81e5311e8cab.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "New users [Logs System]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Host\",\"field\":\"host.hostname\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"User\",\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"UID\",\"field\":\"user.id\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"GID\",\"field\":\"group.id\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Home\",\"field\":\"system.auth.useradd.home\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"Shell\",\"field\":\"system.auth.useradd.shell\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.auth\\\"\"},\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"New users\",\"type\":\"table\"}" - }, - "id": "system-f398d2f0-fa77-11e6-ae9b-81e5311e8cab", - "references": [ - { - "id": 
"system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/system/0.9.2/kibana/visualization/system-fe064790-1b1f-11e7-bec4-a5e9ec5cab8b.json b/packages/system/0.9.2/kibana/visualization/system-fe064790-1b1f-11e7-bec4-a5e9ec5cab8b.json deleted file mode 100644 index 86576781aa..0000000000 --- a/packages/system/0.9.2/kibana/visualization/system-fe064790-1b1f-11e7-bec4-a5e9ec5cab8b.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Top Hosts By Memory (Realtime) [Metrics System]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"bar_color\":\"rgba(104,188,0,1)\",\"id\":\"33349dd0-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0},{\"bar_color\":\"rgba(254,146,0,1)\",\"id\":\"997dc440-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.6},{\"bar_color\":\"rgba(211,49,21,1)\",\"id\":\"a10d7f20-1b1c-11e7-b09e-037021c4f8df\",\"operator\":\"gte\",\"value\":0.85}],\"drilldown_url\":\"../app/kibana#/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8?_a=(query:(language:kuery,query:'host.name:\\\"{{key}}\\\"'))\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"system.memory\\\"\"},\"id\":\"31e5afa0-1b1c-11e7-b09e-037021c4f8df\",\"index_pattern\":\"metrics-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"31e5afa1-1b1c-11e7-b09e-037021c4f8df\",\"line_width\":1,\"metrics\":[{\"field\":\"system.memory.actual.used.pct\",\"id\":\"31e5afa2-1b1c-11e7-b09e-037021c4f8df\",\"type\":\"avg\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"host.name\",\"terms_order_by\":\"31e5afa2-1b1c-11e7-b09e-037021c4f8df\",\"terms_size\":\"10\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\"},\"title\":\"Top Hosts By Memory (Realtime) [Metrics System]\",\"type\":\"metrics\"}" - }, - "id": "system-fe064790-1b1f-11e7-bec4-a5e9ec5cab8b", - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/system/0.9.2/manifest.yml b/packages/system/0.9.2/manifest.yml
deleted file mode 100644
index a025dbb1c1..0000000000
--- a/packages/system/0.9.2/manifest.yml
+++ /dev/null
@@ -1,40 +0,0 @@
-format_version: 1.0.0
-name: system
-title: System
-version: 0.9.2
-license: basic
-description: System Integration
-type: integration
-categories:
- - os_system
- - security
-release: beta
-conditions:
- kibana.version: '^7.10.0'
-screenshots:
- - src: /img/kibana-system.png
- title: kibana system
- size: 1220x852
- type: image/png
- - src: /img/metricbeat_system_dashboard.png
- title: metricbeat system dashboard
- size: 2097x1933
- type: image/png
-icons:
- - src: /img/system.svg
- title: system
- size: 1000x1000
- type: image/svg+xml
-policy_templates:
- - name: system
- title: System logs and metrics
- description: Collect logs and metrics from System instances
- inputs:
- - type: logfile
- title: Collect logs from System instances
- description: Collecting System auth and syslog logs
- - type: system/metrics
- title: Collect metrics from System instances
- description: Collecting System core, CPU, diskio, entropy, filesystem, fsstat, load, memory, network, Network Summary, process, Process Summary, raid, service, socket, Socket Summary, uptime and users metrics
-owner:
- github: elastic/integrations-services
diff --git a/packages/windows/0.6.0/changelog.yml b/packages/windows/0.6.0/changelog.yml
deleted file mode 100755
index 6478fa9404..0000000000
--- a/packages/windows/0.6.0/changelog.yml
+++ /dev/null
@@ -1,44 +0,0 @@
-# newer versions go on top
-- version: "0.6.0"
- changes:
- - description: Move PowerShell edge processing to ingest pipeline.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/941
-- version: "0.5.2"
- changes:
- - description: Change Splunk input to use the decode_xml_wineventlog processor.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/923
-- version: "0.5.1"
- changes:
- - description: Add support for Sysmon v13 events.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/913
-- version: "0.5.0"
- changes:
- - description: Add Splunk input for Winlog data streams.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/821
-- version: "0.4.3"
- changes:
- - description: Updating package owner
- type: enhancement
- link: https://github.com/elastic/integrations/pull/766
- - description: update to ECS 1.9.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/877
-- version: "0.4.2"
- changes:
- - description: Move security data stream
- type: bugfix # can be one of: enhancement, bugfix, breaking-change
- link: https://github.com/elastic/integrations/pull/726
-- version: "0.4.1"
- changes:
- - description: Fix Guards
- type: bugfix # can be one of: enhancement, bugfix, breaking-change
- link: https://github.com/elastic/integrations/pull/724
-- version: "0.1.0"
- changes:
- - description: initial release
- type: enhancement # can be one of: enhancement, bugfix, breaking-change
- link: https://github.com/elastic/integrations/pull/91
diff --git a/packages/windows/0.6.0/data_stream/forwarded/agent/stream/httpjson.yml.hbs b/packages/windows/0.6.0/data_stream/forwarded/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index cc0186c25b..0000000000
--- a/packages/windows/0.6.0/data_stream/forwarded/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,5025 +0,0 @@ -config_version: "2" -interval: {{interval}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: |- - {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -response.decode_as: application/x-ndjson -tags: -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains tags "forwarded"}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: - - decode_json_fields: - fields: message - target: json - add_error_key: true - - drop_event: - when: - not: - has_fields: ['json.result'] - - fingerprint: - fields: - - json.result._cd - - json.result._indextime - - json.result._raw - - json.result._time - - json.result.host - - json.result.source - target_field: "@metadata._id" - - drop_fields: - fields: message - - rename: - fields: - - from: json.result._raw - to: event.original - - from: json.result.host - to: host.name - - from: json.result.source - to: event.provider - ignore_missing: true - fail_on_error: false - - drop_fields: - fields: json - - decode_xml_wineventlog: - field: event.original - target_field: winlog - ignore_missing: true - ignore_failure: true - map_ecs_fields: true - - timestamp: - field: winlog.time_created - layouts: - - '2006-01-02T15:04:05Z' - - '2006-01-02T15:04:05.999Z' - - '2006-01-02T15:04:05.999-07:00' - test: - - '2019-06-22T16:33:51Z' - - '2019-11-18T04:59:51.123Z' - - 
'2020-08-03T07:10:20.123456+02:00' - - add_fields: - target: '' - fields: - ecs.version: 1.8.0 - - script: - when.equals.winlog.channel: Security - lang: javascript - id: security - source: |- - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - var security = (function () { - var path = require("path"); - var processor = require("processor"); - var windows = require("windows"); - // Logon Types - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events - var logonTypes = { - "2": "Interactive", - "3": "Network", - "4": "Batch", - "5": "Service", - "7": "Unlock", - "8": "NetworkCleartext", - "9": "NewCredentials", - "10": "RemoteInteractive", - "11": "CachedInteractive", - }; - // User Account Control Attributes Table - // https://support.microsoft.com/es-us/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties - var uacFlags = [ - [0x0001, 'SCRIPT'], - [0x0002, 'ACCOUNTDISABLE'], - [0x0008, 'HOMEDIR_REQUIRED'], - [0x0010, 'LOCKOUT'], - [0x0020, 'PASSWD_NOTREQD'], - [0x0040, 'PASSWD_CANT_CHANGE'], - [0x0080, 'ENCRYPTED_TEXT_PWD_ALLOWED'], - [0x0100, 'TEMP_DUPLICATE_ACCOUNT'], - [0x0200, 'NORMAL_ACCOUNT'], - [0x0800, 'INTERDOMAIN_TRUST_ACCOUNT'], - [0x1000, 'WORKSTATION_TRUST_ACCOUNT'], - [0x2000, 'SERVER_TRUST_ACCOUNT'], - [0x10000, 'DONT_EXPIRE_PASSWORD'], - [0x20000, 'MNS_LOGON_ACCOUNT'], - [0x40000, 'SMARTCARD_REQUIRED'], - [0x80000, 'TRUSTED_FOR_DELEGATION'], - [0x100000, 'NOT_DELEGATED'], - [0x200000, 'USE_DES_KEY_ONLY'], - [0x400000, 'DONT_REQ_PREAUTH'], - [0x800000, 'PASSWORD_EXPIRED'], - [0x1000000, 'TRUSTED_TO_AUTH_FOR_DELEGATION'], - [0x04000000, 'PARTIAL_SECRETS_ACCOUNT'], - ]; - // Kerberos TGT and TGS Ticket Options - // 
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769 - var ticketOptions = [ - "Reserved", - "Forwardable", - "Forwarded", - "Proxiable", - "Proxy", - "Allow-postdate", - "Postdated", - "Invalid", - "Renewable", - "Initial", - "Pre-authent", - "Opt-hardware-auth", - "Transited-policy-checked", - "Ok-as-delegate", - "Request-anonymous", - "Name-canonicalize", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Disable-transited-check", - "Renewable-ok", - "Enc-tkt-in-skey", - "Unused", - "Renew", - "Validate"]; - // Kerberos Encryption Types - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - var ticketEncryptionTypes = { - "0x1": "DES-CBC-CRC", - "0x3": "DES-CBC-MD5", - "0x11": "AES128-CTS-HMAC-SHA1-96", - "0x12": "AES256-CTS-HMAC-SHA1-96", - "0x17": "RC4-HMAC", - "0x18": "RC4-HMAC-EXP", - "0xffffffff": "FAIL", - }; - // Kerberos Result Status Codes - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - var kerberosTktStatusCodes = { - "0x0": "KDC_ERR_NONE", - "0x1": "KDC_ERR_NAME_EXP", - "0x2": "KDC_ERR_SERVICE_EXP", - "0x3": "KDC_ERR_BAD_PVNO", - "0x4": "KDC_ERR_C_OLD_MAST_KVNO", - "0x5": "KDC_ERR_S_OLD_MAST_KVNO", - "0x6": "KDC_ERR_C_PRINCIPAL_UNKNOWN", - "0x7": "KDC_ERR_S_PRINCIPAL_UNKNOWN", - "0x8": "KDC_ERR_PRINCIPAL_NOT_UNIQUE", - "0x9": "KDC_ERR_NULL_KEY", - "0xA": "KDC_ERR_CANNOT_POSTDATE", - "0xB": "KDC_ERR_NEVER_VALID", - "0xC": "KDC_ERR_POLICY", - "0xD": "KDC_ERR_BADOPTION", - "0xE": "KDC_ERR_ETYPE_NOTSUPP", - "0xF": "KDC_ERR_SUMTYPE_NOSUPP", - "0x10": "KDC_ERR_PADATA_TYPE_NOSUPP", - "0x11": 
"KDC_ERR_TRTYPE_NO_SUPP", - "0x12": "KDC_ERR_CLIENT_REVOKED", - "0x13": "KDC_ERR_SERVICE_REVOKED", - "0x14": "KDC_ERR_TGT_REVOKED", - "0x15": "KDC_ERR_CLIENT_NOTYET", - "0x16": "KDC_ERR_SERVICE_NOTYET", - "0x17": "KDC_ERR_KEY_EXPIRED", - "0x18": "KDC_ERR_PREAUTH_FAILED", - "0x19": "KDC_ERR_PREAUTH_REQUIRED", - "0x1A": "KDC_ERR_SERVER_NOMATCH", - "0x1B": "KDC_ERR_MUST_USE_USER2USER", - "0x1F": "KRB_AP_ERR_BAD_INTEGRITY", - "0x20": "KRB_AP_ERR_TKT_EXPIRED", - "0x21": "KRB_AP_ERR_TKT_NYV", - "0x22": "KRB_AP_ERR_REPEAT", - "0x23": "KRB_AP_ERR_NOT_US", - "0x24": "KRB_AP_ERR_BADMATCH", - "0x25": "KRB_AP_ERR_SKEW", - "0x26": "KRB_AP_ERR_BADADDR", - "0x27": "KRB_AP_ERR_BADVERSION", - "0x28": "KRB_AP_ERR_MSG_TYPE", - "0x29": "KRB_AP_ERR_MODIFIED", - "0x2A": "KRB_AP_ERR_BADORDER", - "0x2C": "KRB_AP_ERR_BADKEYVER", - "0x2D": "KRB_AP_ERR_NOKEY", - "0x2E": "KRB_AP_ERR_MUT_FAIL", - "0x2F": "KRB_AP_ERR_BADDIRECTION", - "0x30": "KRB_AP_ERR_METHOD", - "0x31": "KRB_AP_ERR_BADSEQ", - "0x32": "KRB_AP_ERR_INAPP_CKSUM", - "0x33": "KRB_AP_PATH_NOT_ACCEPTED", - "0x34": "KRB_ERR_RESPONSE_TOO_BIG", - "0x3C": "KRB_ERR_GENERIC", - "0x3D": "KRB_ERR_FIELD_TOOLONG", - "0x3E": "KDC_ERR_CLIENT_NOT_TRUSTED", - "0x3F": "KDC_ERR_KDC_NOT_TRUSTED", - "0x40": "KDC_ERR_INVALID_SIG", - "0x41": "KDC_ERR_KEY_TOO_WEAK", - "0x42": "KRB_AP_ERR_USER_TO_USER_REQUIRED", - "0x43": "KRB_AP_ERR_NO_TGT", - "0x44": "KDC_ERR_WRONG_REALM", - }; - // event.category, event.type, event.action - var eventActionTypes = { - "1100": [["process"], ["end"], "logging-service-shutdown"], - "1102": [["iam"], ["admin", "change"], "audit-log-cleared"], // need to recategorize - "1104": [["iam"], ["admin"],"logging-full"], - "1105": [["iam"], ["admin"],"auditlog-archieved"], - "1108": [["iam"], ["admin"],"logging-processing-error"], - "4610": [["configuration"], ["access"], "authentication-package-loaded"], - "4611": [["configuration"], ["change"], "trusted-logon-process-registered"], - "4614": [["configuration"], ["access"], 
"notification-package-loaded"], - "4616": [["configuration"], ["change"], "system-time-changed"], - "4622": [["configuration"], ["access"], "security-package-loaded"], - "4624": [["authentication"], ["start"], "logged-in"], - "4625": [["authentication"], ["start"], "logon-failed"], - "4634": [["authentication"], ["end"], "logged-out"], - "4647": [["authentication"], ["end"], "logged-out"], - "4648": [["authentication"], ["start"], "logged-in-explicit"], - "4657": [["registry", "configuration"], ["change"], "registry-value-modified"], - "4670": [["iam", "configuration"],["admin", "change"],"permissions-changed"], - "4672": [["iam"], ["admin"], "logged-in-special"], - "4673": [["iam"], ["admin"], "privileged-service-called"], - "4674": [["iam"], ["admin"], "privileged-operation"], - "4688": [["process"], ["start"], "created-process"], - "4689": [["process"], ["end"], "exited-process"], - "4697": [["iam", "configuration"], ["admin", "change"],"service-installed"], // remove iam and admin - "4698": [["iam", "configuration"], ["creation", "admin"], "scheduled-task-created"], // remove iam and admin - "4699": [["iam", "configuration"], ["deletion", "admin"], "scheduled-task-deleted"], // remove iam and admin - "4700": [["iam", "configuration"], ["change", "admin"], "scheduled-task-enabled"], // remove iam and admin - "4701": [["iam", "configuration"], ["change", "admin"], "scheduled-task-disabled"], // remove iam and admin - "4702": [["iam", "configuration"], ["change", "admin"], "scheduled-task-updated"], // remove iam and admin - "4706": [["configuration"], ["creation"], "domain-trust-added"], - "4707": [["configuration"], ["deletion"], "domain-trust-removed"], - "4713": [["configuration"], ["change"], "kerberos-policy-changed"], - "4714": [["configuration"], ["change"], "encrypted-data-recovery-policy-changed"], - "4715": [["configuration"], ["change"], "object-audit-policy-changed"], - "4716": [["configuration"], ["change"], "trusted-domain-information-changed"], - 
"4717": [["iam", "configuration"],["admin", "change"],"system-security-access-granted"], - "4718": [["iam", "configuration"],["admin", "deletion"],"system-security-access-removed"], - "4719": [["iam", "configuration"], ["admin", "change"], "changed-audit-config"], // remove iam and admin - "4720": [["iam"], ["user", "creation"], "added-user-account"], - "4722": [["iam"], ["user", "change"], "enabled-user-account"], - "4723": [["iam"], ["user", "change"], "changed-password"], - "4724": [["iam"], ["user", "change"], "reset-password"], - "4725": [["iam"], ["user", "deletion"], "disabled-user-account"], - "4726": [["iam"], ["user", "deletion"], "deleted-user-account"], - "4727": [["iam"], ["group", "creation"], "added-group-account"], - "4728": [["iam"], ["group", "change"], "added-member-to-group"], - "4729": [["iam"], ["group", "change"], "removed-member-from-group"], - "4730": [["iam"], ["group", "deletion"], "deleted-group-account"], - "4731": [["iam"], ["group", "creation"], "added-group-account"], - "4732": [["iam"], ["group", "change"], "added-member-to-group"], - "4733": [["iam"], ["group", "change"], "removed-member-from-group"], - "4734": [["iam"], ["group", "deletion"], "deleted-group-account"], - "4735": [["iam"], ["group", "change"], "modified-group-account"], - "4737": [["iam"], ["group", "change"], "modified-group-account"], - "4738": [["iam"], ["user", "change"], "modified-user-account"], - "4739": [["configuration"], ["change"], "domain-policy-changed"], - "4740": [["iam"], ["user", "change"], "locked-out-user-account"], - "4741": [["iam"], ["creation", "admin"], "added-computer-account"], // remove admin - "4742": [["iam"], ["change", "admin"], "changed-computer-account"], // remove admin - "4743": [["iam"], ["deletion", "admin"], "deleted-computer-account"], // remove admin - "4744": [["iam"], ["group", "creation"], "added-distribution-group-account"], - "4745": [["iam"], ["group", "change"], "changed-distribution-group-account"], - "4746": [["iam"], 
["group", "change"], "added-member-to-distribution-group"], - "4747": [["iam"], ["group", "change"], "removed-member-from-distribution-group"], - "4748": [["iam"], ["group", "deletion"], "deleted-distribution-group-account"], - "4749": [["iam"], ["group", "creation"], "added-distribution-group-account"], - "4750": [["iam"], ["group", "change"], "changed-distribution-group-account"], - "4751": [["iam"], ["group", "change"], "added-member-to-distribution-group"], - "4752": [["iam"], ["group", "change"], "removed-member-from-distribution-group"], - "4753": [["iam"], ["group", "deletion"], "deleted-distribution-group-account"], - "4754": [["iam"], ["group", "creation"], "added-group-account"], - "4755": [["iam"], ["group", "change"], "modified-group-account"], - "4756": [["iam"], ["group", "change"], "added-member-to-group"], - "4757": [["iam"], ["group", "change"], "removed-member-from-group"], - "4758": [["iam"], ["group", "deletion"], "deleted-group-account"], - "4759": [["iam"], ["group", "creation"], "added-distribution-group-account"], - "4760": [["iam"], ["group", "change"], "changed-distribution-group-account"], - "4761": [["iam"], ["group", "change"], "added-member-to-distribution-group"], - "4762": [["iam"], ["group", "change"], "removed-member-from-distribution-group"], - "4763": [["iam"], ["group", "deletion"], "deleted-distribution-group-account"], - "4764": [["iam"], ["group", "change"], "type-changed-group-account"], - "4767": [["iam"], ["user", "change"], "unlocked-user-account"], - "4768": [["authentication"], ["start"], "kerberos-authentication-ticket-requested"], - "4769": [["authentication"], ["start"], "kerberos-service-ticket-requested"], - "4770": [["authentication"], ["start"], "kerberos-service-ticket-renewed"], - "4771": [["authentication"], ["start"], "kerberos-preauth-failed"], - "4776": [["authentication"], ["start"], "credential-validated"], - "4778": [["authentication", "session"], ["start"], "session-reconnected"], - "4779": 
[["authentication", "session"], ["end"], "session-disconnected"], - "4781": [["iam"], ["user", "change"], "renamed-user-account"], - "4798": [["iam"], ["user", "info"], "group-membership-enumerated"], // process enumerates the local groups to which the specified user belongs - "4799": [["iam"], ["group", "info"], "user-member-enumerated"], // a process enumerates the members of the specified local group - "4817": [["iam", "configuration"], ["admin", "change"],"object-audit-changed"], - "4902": [["iam", "configuration"], ["admin", "creation"],"user-audit-policy-created"], - "4904": [["iam", "configuration"], ["admin", "change"],"security-event-source-added"], - "4905": [["iam", "configuration"], ["admin", "deletion"], "security-event-source-removed"], - "4906": [["iam", "configuration"], ["admin", "change"], "crash-on-audit-changed"], - "4907": [["iam", "configuration"], ["admin", "change"], "audit-setting-changed"], - "4908": [["iam", "configuration"], ["admin", "change"], "special-group-table-changed"], - "4912": [["iam", "configuration"], ["admin", "change"], "per-user-audit-policy-changed"], - "4950": [["configuration"], ["change"], "windows-firewall-setting-changed"], - "4954": [["configuration"], ["change"], "windows-firewall-group-policy-changed"], - "4964": [["iam"], ["admin", "group"], "logged-in-special"], - "5024": [["process"], ["start"], "windows-firewall-service-started"], - "5025": [["process"], ["end"], "windows-firewall-service-stopped"], - "5033": [["driver"], ["start"], "windows-firewall-driver-started"], - "5034": [["driver"], ["end"], "windows-firewall-driver-stopped"], - "5037": [["driver"], ["end"], "windows-firewall-driver-error"], - }; - // Services Types - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697 - var serviceTypes = { - "0x1": "Kernel Driver", - "0x2": "File System Driver", - "0x8": "Recognizer Driver", - "0x10": "Win32 Own Process", - "0x20": "Win32 Share Process", - "0x110": "Interactive 
Own Process", - "0x120": "Interactive Share Process", - }; - // Audit Categories Description - // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpac/77878370-0712-47cd-997d-b07053429f6d - var auditDescription = { - "0CCE9210-69AE-11D9-BED3-505054503030":["Security State Change", "System"], - "0CCE9211-69AE-11D9-BED3-505054503030":["Security System Extension", "System"], - "0CCE9212-69AE-11D9-BED3-505054503030":["System Integrity", "System"], - "0CCE9213-69AE-11D9-BED3-505054503030":["IPsec Driver", "System"], - "0CCE9214-69AE-11D9-BED3-505054503030":["Other System Events", "System"], - "0CCE9215-69AE-11D9-BED3-505054503030":["Logon", "Logon/Logoff"], - "0CCE9216-69AE-11D9-BED3-505054503030":["Logoff","Logon/Logoff"], - "0CCE9217-69AE-11D9-BED3-505054503030":["Account Lockout","Logon/Logoff"], - "0CCE9218-69AE-11D9-BED3-505054503030":["IPsec Main Mode","Logon/Logoff"], - "0CCE9219-69AE-11D9-BED3-505054503030":["IPsec Quick Mode","Logon/Logoff"], - "0CCE921A-69AE-11D9-BED3-505054503030":["IPsec Extended Mode","Logon/Logoff"], - "0CCE921B-69AE-11D9-BED3-505054503030":["Special Logon","Logon/Logoff"], - "0CCE921C-69AE-11D9-BED3-505054503030":["Other Logon/Logoff Events","Logon/Logoff"], - "0CCE9243-69AE-11D9-BED3-505054503030":["Network Policy Server","Logon/Logoff"], - "0CCE9247-69AE-11D9-BED3-505054503030":["User / Device Claims","Logon/Logoff"], - "0CCE921D-69AE-11D9-BED3-505054503030":["File System","Object Access"], - "0CCE921E-69AE-11D9-BED3-505054503030":["Registry","Object Access"], - "0CCE921F-69AE-11D9-BED3-505054503030":["Kernel Object","Object Access"], - "0CCE9220-69AE-11D9-BED3-505054503030":["SAM","Object Access"], - "0CCE9221-69AE-11D9-BED3-505054503030":["Certification Services","Object Access"], - "0CCE9222-69AE-11D9-BED3-505054503030":["Application Generated","Object Access"], - "0CCE9223-69AE-11D9-BED3-505054503030":["Handle Manipulation","Object Access"], - "0CCE9224-69AE-11D9-BED3-505054503030":["File Share","Object Access"], - 
"0CCE9225-69AE-11D9-BED3-505054503030":["Filtering Platform Packet Drop","Object Access"], - "0CCE9226-69AE-11D9-BED3-505054503030":["Filtering Platform Connection ","Object Access"], - "0CCE9227-69AE-11D9-BED3-505054503030":["Other Object Access Events","Object Access"], - "0CCE9244-69AE-11D9-BED3-505054503030":["Detailed File Share","Object Access"], - "0CCE9245-69AE-11D9-BED3-505054503030":["Removable Storage","Object Access"], - "0CCE9246-69AE-11D9-BED3-505054503030":["Central Policy Staging","Object Access"], - "0CCE9228-69AE-11D9-BED3-505054503030":["Sensitive Privilege Use","Privilege Use"], - "0CCE9229-69AE-11D9-BED3-505054503030":["Non Sensitive Privilege Use","Privilege Use"], - "0CCE922A-69AE-11D9-BED3-505054503030":["Other Privilege Use Events","Privilege Use"], - "0CCE922B-69AE-11D9-BED3-505054503030":["Process Creation","Detailed Tracking"], - "0CCE922C-69AE-11D9-BED3-505054503030":["Process Termination","Detailed Tracking"], - "0CCE922D-69AE-11D9-BED3-505054503030":["DPAPI Activity","Detailed Tracking"], - "0CCE922E-69AE-11D9-BED3-505054503030":["RPC Events","Detailed Tracking"], - "0CCE9248-69AE-11D9-BED3-505054503030":["Plug and Play Events","Detailed Tracking"], - "0CCE922F-69AE-11D9-BED3-505054503030":["Audit Policy Change","Policy Change"], - "0CCE9230-69AE-11D9-BED3-505054503030":["Authentication Policy Change","Policy Change"], - "0CCE9231-69AE-11D9-BED3-505054503030":["Authorization Policy Change","Policy Change"], - "0CCE9232-69AE-11D9-BED3-505054503030":["MPSSVC Rule-Level Policy Change","Policy Change"], - "0CCE9233-69AE-11D9-BED3-505054503030":["Filtering Platform Policy Change","Policy Change"], - "0CCE9234-69AE-11D9-BED3-505054503030":["Other Policy Change Events","Policy Change"], - "0CCE9235-69AE-11D9-BED3-505054503030":["User Account Management","Account Management"], - "0CCE9236-69AE-11D9-BED3-505054503030":["Computer Account Management","Account Management"], - "0CCE9237-69AE-11D9-BED3-505054503030":["Security Group 
Management","Account Management"], - "0CCE9238-69AE-11D9-BED3-505054503030":["Distribution Group Management","Account Management"], - "0CCE9239-69AE-11D9-BED3-505054503030":["Application Group Management","Account Management"], - "0CCE923A-69AE-11D9-BED3-505054503030":["Other Account Management Events","Account Management"], - "0CCE923B-69AE-11D9-BED3-505054503030":["Directory Service Access","Account Management"], - "0CCE923C-69AE-11D9-BED3-505054503030":["Directory Service Changes","Account Management"], - "0CCE923D-69AE-11D9-BED3-505054503030":["Directory Service Replication","Account Management"], - "0CCE923E-69AE-11D9-BED3-505054503030":["Detailed Directory Service Replication","Account Management"], - "0CCE923F-69AE-11D9-BED3-505054503030":["Credential Validation","Account Logon"], - "0CCE9240-69AE-11D9-BED3-505054503030":["Kerberos Service Ticket Operations","Account Logon"], - "0CCE9241-69AE-11D9-BED3-505054503030":["Other Account Logon Events","Account Logon"], - "0CCE9242-69AE-11D9-BED3-505054503030":["Kerberos Authentication Service","Account Logon"], - }; - // Descriptions of failure status codes. 
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625 - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776 - var logonFailureStatus = { - "0xc000005e": "There are currently no logon servers available to service the logon request.", - "0xc0000064": "User logon with misspelled or bad user account", - "0xc000006a": "User logon with misspelled or bad password", - "0xc000006d": "This is either due to a bad username or authentication information", - "0xc000006e": "Unknown user name or bad password.", - "0xc000006f": "User logon outside authorized hours", - "0xc0000070": "User logon from unauthorized workstation", - "0xc0000071": "User logon with expired password", - "0xc0000072": "User logon to account disabled by administrator", - "0xc00000dc": "Indicates the Sam Server was in the wrong state to perform the desired operation.", - "0xc0000133": "Clocks between DC and other computer too far out of sync", - "0xc000015b": "The user has not been granted the requested logon type (aka logon right) at this machine", - "0xc000018c": "The logon request failed because the trust relationship between the primary domain and the trusted domain failed.", - "0xc0000192": "An attempt was made to logon, but the Netlogon service was not started.", - "0xc0000193": "User logon with expired account", - "0xc0000224": "User is required to change password at next logon", - "0xc0000225": "Evidently a bug in Windows and not a risk", - "0xc0000234": "User logon with account locked", - "0xc00002ee": "Failure Reason: An Error occurred during Logon", - "0xc0000413": "Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine.", - "0xc0000371": "The local account store does not contain secret material for the specified account", - "0x0": "Status OK.", - }; - // Message table extracted from msobjs.dll on Windows 2019. 
- // https://gist.github.com/andrewkroh/665dca0682bd0e4daf194ab291694012 - var msobjsMessageTable = { - "279": "Undefined Access (no effect) Bit 7", - "1536": "Unused message ID", - "1537": "DELETE", - "1538": "READ_CONTROL", - "1539": "WRITE_DAC", - "1540": "WRITE_OWNER", - "1541": "SYNCHRONIZE", - "1542": "ACCESS_SYS_SEC", - "1543": "MAX_ALLOWED", - "1552": "Unknown specific access (bit 0)", - "1553": "Unknown specific access (bit 1)", - "1554": "Unknown specific access (bit 2)", - "1555": "Unknown specific access (bit 3)", - "1556": "Unknown specific access (bit 4)", - "1557": "Unknown specific access (bit 5)", - "1558": "Unknown specific access (bit 6)", - "1559": "Unknown specific access (bit 7)", - "1560": "Unknown specific access (bit 8)", - "1561": "Unknown specific access (bit 9)", - "1562": "Unknown specific access (bit 10)", - "1563": "Unknown specific access (bit 11)", - "1564": "Unknown specific access (bit 12)", - "1565": "Unknown specific access (bit 13)", - "1566": "Unknown specific access (bit 14)", - "1567": "Unknown specific access (bit 15)", - "1601": "Not used", - "1603": "Assign Primary Token Privilege", - "1604": "Lock Memory Privilege", - "1605": "Increase Memory Quota Privilege", - "1606": "Unsolicited Input Privilege", - "1607": "Trusted Computer Base Privilege", - "1608": "Security Privilege", - "1609": "Take Ownership Privilege", - "1610": "Load/Unload Driver Privilege", - "1611": "Profile System Privilege", - "1612": "Set System Time Privilege", - "1613": "Profile Single Process Privilege", - "1614": "Increment Base Priority Privilege", - "1615": "Create Pagefile Privilege", - "1616": "Create Permanent Object Privilege", - "1617": "Backup Privilege", - "1618": "Restore From Backup Privilege", - "1619": "Shutdown System Privilege", - "1620": "Debug Privilege", - "1621": "View or Change Audit Log Privilege", - "1622": "Change Hardware Environment Privilege", - "1623": "Change Notify (and Traverse) Privilege", - "1624": "Remotely Shut 
System Down Privilege", - "1792": "", - "1794": "", - "1795": "Enabled", - "1796": "Disabled", - "1797": "All", - "1798": "None", - "1799": "Audit Policy query/set API Operation", - "1800": "", - "1801": "Granted by", - "1802": "Denied by", - "1803": "Denied by Integrity Policy check", - "1804": "Granted by Ownership", - "1805": "Not granted", - "1806": "Granted by NULL DACL", - "1807": "Denied by Empty DACL", - "1808": "Granted by NULL Security Descriptor", - "1809": "Unknown or unchecked", - "1810": "Not granted due to missing", - "1811": "Granted by ACE on parent folder", - "1812": "Denied by ACE on parent folder", - "1813": "Granted by Central Access Rule", - "1814": "NOT Granted by Central Access Rule", - "1815": "Granted by parent folder's Central Access Rule", - "1816": "NOT Granted by parent folder's Central Access Rule", - "1817": "Unknown Type", - "1818": "String", - "1819": "Unsigned 64-bit Integer", - "1820": "64-bit Integer", - "1821": "FQBN", - "1822": "Blob", - "1823": "Sid", - "1824": "Boolean", - "1825": "TRUE", - "1826": "FALSE", - "1827": "Invalid", - "1828": "an ACE too long to display", - "1829": "a Security Descriptor too long to display", - "1830": "Not granted to AppContainers", - "1831": "...", - "1832": "Identification", - "1833": "Impersonation", - "1840": "Delegation", - "1841": "Denied by Process Trust Label ACE", - "1842": "Yes", - "1843": "No", - "1844": "System", - "1845": "Not Available", - "1846": "Default", - "1847": "DisallowMmConfig", - "1848": "Off", - "1849": "Auto", - "1872": "REG_NONE", - "1873": "REG_SZ", - "1874": "REG_EXPAND_SZ", - "1875": "REG_BINARY", - "1876": "REG_DWORD", - "1877": "REG_DWORD_BIG_ENDIAN", - "1878": "REG_LINK", - "1879": "REG_MULTI_SZ (New lines are replaced with *. 
A * is replaced with **)", - "1880": "REG_RESOURCE_LIST", - "1881": "REG_FULL_RESOURCE_DESCRIPTOR", - "1882": "REG_RESOURCE_REQUIREMENTS_LIST", - "1883": "REG_QWORD", - "1904": "New registry value created", - "1905": "Existing registry value modified", - "1906": "Registry value deleted", - "1920": "Sunday", - "1921": "Monday", - "1922": "Tuesday", - "1923": "Wednesday", - "1924": "Thursday", - "1925": "Friday", - "1926": "Saturday", - "1936": "TokenElevationTypeDefault (1)", - "1937": "TokenElevationTypeFull (2)", - "1938": "TokenElevationTypeLimited (3)", - "2048": "Account Enabled", - "2049": "Home Directory Required' - Disabled", - "2050": "Password Not Required' - Disabled", - "2051": "Temp Duplicate Account' - Disabled", - "2052": "Normal Account' - Disabled", - "2053": "MNS Logon Account' - Disabled", - "2054": "Interdomain Trust Account' - Disabled", - "2055": "Workstation Trust Account' - Disabled", - "2056": "Server Trust Account' - Disabled", - "2057": "Don't Expire Password' - Disabled", - "2058": "Account Unlocked", - "2059": "Encrypted Text Password Allowed' - Disabled", - "2060": "Smartcard Required' - Disabled", - "2061": "Trusted For Delegation' - Disabled", - "2062": "Not Delegated' - Disabled", - "2063": "Use DES Key Only' - Disabled", - "2064": "Don't Require Preauth' - Disabled", - "2065": "Password Expired' - Disabled", - "2066": "Trusted To Authenticate For Delegation' - Disabled", - "2067": "Exclude Authorization Information' - Disabled", - "2068": "Undefined UserAccountControl Bit 20' - Disabled", - "2069": "Protect Kerberos Service Tickets with AES Keys' - Disabled", - "2070": "Undefined UserAccountControl Bit 22' - Disabled", - "2071": "Undefined UserAccountControl Bit 23' - Disabled", - "2072": "Undefined UserAccountControl Bit 24' - Disabled", - "2073": "Undefined UserAccountControl Bit 25' - Disabled", - "2074": "Undefined UserAccountControl Bit 26' - Disabled", - "2075": "Undefined UserAccountControl Bit 27' - Disabled", - "2076": 
"Undefined UserAccountControl Bit 28' - Disabled", - "2077": "Undefined UserAccountControl Bit 29' - Disabled", - "2078": "Undefined UserAccountControl Bit 30' - Disabled", - "2079": "Undefined UserAccountControl Bit 31' - Disabled", - "2080": "Account Disabled", - "2081": "Home Directory Required' - Enabled", - "2082": "Password Not Required' - Enabled", - "2083": "Temp Duplicate Account' - Enabled", - "2084": "Normal Account' - Enabled", - "2085": "MNS Logon Account' - Enabled", - "2086": "Interdomain Trust Account' - Enabled", - "2087": "Workstation Trust Account' - Enabled", - "2088": "Server Trust Account' - Enabled", - "2089": "Don't Expire Password' - Enabled", - "2090": "Account Locked", - "2091": "Encrypted Text Password Allowed' - Enabled", - "2092": "Smartcard Required' - Enabled", - "2093": "Trusted For Delegation' - Enabled", - "2094": "Not Delegated' - Enabled", - "2095": "Use DES Key Only' - Enabled", - "2096": "Don't Require Preauth' - Enabled", - "2097": "Password Expired' - Enabled", - "2098": "Trusted To Authenticate For Delegation' - Enabled", - "2099": "Exclude Authorization Information' - Enabled", - "2100": "Undefined UserAccountControl Bit 20' - Enabled", - "2101": "Protect Kerberos Service Tickets with AES Keys' - Enabled", - "2102": "Undefined UserAccountControl Bit 22' - Enabled", - "2103": "Undefined UserAccountControl Bit 23' - Enabled", - "2104": "Undefined UserAccountControl Bit 24' - Enabled", - "2105": "Undefined UserAccountControl Bit 25' - Enabled", - "2106": "Undefined UserAccountControl Bit 26' - Enabled", - "2107": "Undefined UserAccountControl Bit 27' - Enabled", - "2108": "Undefined UserAccountControl Bit 28' - Enabled", - "2109": "Undefined UserAccountControl Bit 29' - Enabled", - "2110": "Undefined UserAccountControl Bit 30' - Enabled", - "2111": "Undefined UserAccountControl Bit 31' - Enabled", - "2304": "An Error occured during Logon.", - "2305": "The specified user account has expired.", - "2306": "The NetLogon component 
is not active.", - "2307": "Account locked out.", - "2308": "The user has not been granted the requested logon type at this machine.", - "2309": "The specified account's password has expired.", - "2310": "Account currently disabled.", - "2311": "Account logon time restriction violation.", - "2312": "User not allowed to logon at this computer.", - "2313": "Unknown user name or bad password.", - "2314": "Domain sid inconsistent.", - "2315": "Smartcard logon is required and was not used.", - "2432": "Not Available.", - "2436": "Random number generator failure.", - "2437": "Random number generation failed FIPS-140 pre-hash check.", - "2438": "Failed to zero secret data.", - "2439": "Key failed pair wise consistency check.", - "2448": "Failed to unprotect persistent cryptographic key.", - "2449": "Key export checks failed.", - "2450": "Validation of public key failed.", - "2451": "Signature verification failed.", - "2456": "Open key file.", - "2457": "Delete key file.", - "2458": "Read persisted key from file.", - "2459": "Write persisted key to file.", - "2464": "Export of persistent cryptographic key.", - "2465": "Import of persistent cryptographic key.", - "2480": "Open Key.", - "2481": "Create Key.", - "2482": "Delete Key.", - "2483": "Encrypt.", - "2484": "Decrypt.", - "2485": "Sign hash.", - "2486": "Secret agreement.", - "2487": "Domain settings", - "2488": "Local settings", - "2489": "Add provider.", - "2490": "Remove provider.", - "2491": "Add context.", - "2492": "Remove context.", - "2493": "Add function.", - "2494": "Remove function.", - "2495": "Add function provider.", - "2496": "Remove function provider.", - "2497": "Add function property.", - "2498": "Remove function property.", - "2499": "Machine key.", - "2500": "User key.", - "2501": "Key Derivation.", - "4352": "Device Access Bit 0", - "4353": "Device Access Bit 1", - "4354": "Device Access Bit 2", - "4355": "Device Access Bit 3", - "4356": "Device Access Bit 4", - "4357": "Device Access Bit 5", - 
"4358": "Device Access Bit 6", - "4359": "Device Access Bit 7", - "4360": "Device Access Bit 8", - "4361": "Undefined Access (no effect) Bit 9", - "4362": "Undefined Access (no effect) Bit 10", - "4363": "Undefined Access (no effect) Bit 11", - "4364": "Undefined Access (no effect) Bit 12", - "4365": "Undefined Access (no effect) Bit 13", - "4366": "Undefined Access (no effect) Bit 14", - "4367": "Undefined Access (no effect) Bit 15", - "4368": "Query directory", - "4369": "Traverse", - "4370": "Create object in directory", - "4371": "Create sub-directory", - "4372": "Undefined Access (no effect) Bit 4", - "4373": "Undefined Access (no effect) Bit 5", - "4374": "Undefined Access (no effect) Bit 6", - "4375": "Undefined Access (no effect) Bit 7", - "4376": "Undefined Access (no effect) Bit 8", - "4377": "Undefined Access (no effect) Bit 9", - "4378": "Undefined Access (no effect) Bit 10", - "4379": "Undefined Access (no effect) Bit 11", - "4380": "Undefined Access (no effect) Bit 12", - "4381": "Undefined Access (no effect) Bit 13", - "4382": "Undefined Access (no effect) Bit 14", - "4383": "Undefined Access (no effect) Bit 15", - "4384": "Query event state", - "4385": "Modify event state", - "4386": "Undefined Access (no effect) Bit 2", - "4387": "Undefined Access (no effect) Bit 3", - "4388": "Undefined Access (no effect) Bit 4", - "4389": "Undefined Access (no effect) Bit 5", - "4390": "Undefined Access (no effect) Bit 6", - "4391": "Undefined Access (no effect) Bit 7", - "4392": "Undefined Access (no effect) Bit 8", - "4393": "Undefined Access (no effect) Bit 9", - "4394": "Undefined Access (no effect) Bit 10", - "4395": "Undefined Access (no effect) Bit 11", - "4396": "Undefined Access (no effect) Bit 12", - "4397": "Undefined Access (no effect) Bit 13", - "4398": "Undefined Access (no effect) Bit 14", - "4399": "Undefined Access (no effect) Bit 15", - "4416": "ReadData (or ListDirectory)", - "4417": "WriteData (or AddFile)", - "4418": "AppendData (or 
AddSubdirectory or CreatePipeInstance)", - "4419": "ReadEA", - "4420": "WriteEA", - "4421": "Execute/Traverse", - "4422": "DeleteChild", - "4423": "ReadAttributes", - "4424": "WriteAttributes", - "4425": "Undefined Access (no effect) Bit 9", - "4426": "Undefined Access (no effect) Bit 10", - "4427": "Undefined Access (no effect) Bit 11", - "4428": "Undefined Access (no effect) Bit 12", - "4429": "Undefined Access (no effect) Bit 13", - "4430": "Undefined Access (no effect) Bit 14", - "4431": "Undefined Access (no effect) Bit 15", - "4432": "Query key value", - "4433": "Set key value", - "4434": "Create sub-key", - "4435": "Enumerate sub-keys", - "4436": "Notify about changes to keys", - "4437": "Create Link", - "4438": "Undefined Access (no effect) Bit 6", - "4439": "Undefined Access (no effect) Bit 7", - "4440": "Enable 64(or 32) bit application to open 64 bit key", - "4441": "Enable 64(or 32) bit application to open 32 bit key", - "4442": "Undefined Access (no effect) Bit 10", - "4443": "Undefined Access (no effect) Bit 11", - "4444": "Undefined Access (no effect) Bit 12", - "4445": "Undefined Access (no effect) Bit 13", - "4446": "Undefined Access (no effect) Bit 14", - "4447": "Undefined Access (no effect) Bit 15", - "4448": "Query mutant state", - "4449": "Undefined Access (no effect) Bit 1", - "4450": "Undefined Access (no effect) Bit 2", - "4451": "Undefined Access (no effect) Bit 3", - "4452": "Undefined Access (no effect) Bit 4", - "4453": "Undefined Access (no effect) Bit 5", - "4454": "Undefined Access (no effect) Bit 6", - "4455": "Undefined Access (no effect) Bit 7", - "4456": "Undefined Access (no effect) Bit 8", - "4457": "Undefined Access (no effect) Bit 9", - "4458": "Undefined Access (no effect) Bit 10", - "4459": "Undefined Access (no effect) Bit 11", - "4460": "Undefined Access (no effect) Bit 12", - "4461": "Undefined Access (no effect) Bit 13", - "4462": "Undefined Access (no effect) Bit 14", - "4463": "Undefined Access (no effect) Bit 15", - 
"4464": "Communicate using port", - "4465": "Undefined Access (no effect) Bit 1", - "4466": "Undefined Access (no effect) Bit 2", - "4467": "Undefined Access (no effect) Bit 3", - "4468": "Undefined Access (no effect) Bit 4", - "4469": "Undefined Access (no effect) Bit 5", - "4470": "Undefined Access (no effect) Bit 6", - "4471": "Undefined Access (no effect) Bit 7", - "4472": "Undefined Access (no effect) Bit 8", - "4473": "Undefined Access (no effect) Bit 9", - "4474": "Undefined Access (no effect) Bit 10", - "4475": "Undefined Access (no effect) Bit 11", - "4476": "Undefined Access (no effect) Bit 12", - "4477": "Undefined Access (no effect) Bit 13", - "4478": "Undefined Access (no effect) Bit 14", - "4479": "Undefined Access (no effect) Bit 15", - "4480": "Force process termination", - "4481": "Create new thread in process", - "4482": "Set process session ID", - "4483": "Perform virtual memory operation", - "4484": "Read from process memory", - "4485": "Write to process memory", - "4486": "Duplicate handle into or out of process", - "4487": "Create a subprocess of process", - "4488": "Set process quotas", - "4489": "Set process information", - "4490": "Query process information", - "4491": "Set process termination port", - "4492": "Undefined Access (no effect) Bit 12", - "4493": "Undefined Access (no effect) Bit 13", - "4494": "Undefined Access (no effect) Bit 14", - "4495": "Undefined Access (no effect) Bit 15", - "4496": "Control profile", - "4497": "Undefined Access (no effect) Bit 1", - "4498": "Undefined Access (no effect) Bit 2", - "4499": "Undefined Access (no effect) Bit 3", - "4500": "Undefined Access (no effect) Bit 4", - "4501": "Undefined Access (no effect) Bit 5", - "4502": "Undefined Access (no effect) Bit 6", - "4503": "Undefined Access (no effect) Bit 7", - "4504": "Undefined Access (no effect) Bit 8", - "4505": "Undefined Access (no effect) Bit 9", - "4506": "Undefined Access (no effect) Bit 10", - "4507": "Undefined Access (no effect) Bit 11", 
- "4508": "Undefined Access (no effect) Bit 12", - "4509": "Undefined Access (no effect) Bit 13", - "4510": "Undefined Access (no effect) Bit 14", - "4511": "Undefined Access (no effect) Bit 15", - "4512": "Query section state", - "4513": "Map section for write", - "4514": "Map section for read", - "4515": "Map section for execute", - "4516": "Extend size", - "4517": "Undefined Access (no effect) Bit 5", - "4518": "Undefined Access (no effect) Bit 6", - "4519": "Undefined Access (no effect) Bit 7", - "4520": "Undefined Access (no effect) Bit 8", - "4521": "Undefined Access (no effect) Bit 9", - "4522": "Undefined Access (no effect) Bit 10", - "4523": "Undefined Access (no effect) Bit 11", - "4524": "Undefined Access (no effect) Bit 12", - "4525": "Undefined Access (no effect) Bit 13", - "4526": "Undefined Access (no effect) Bit 14", - "4527": "Undefined Access (no effect) Bit 15", - "4528": "Query semaphore state", - "4529": "Modify semaphore state", - "4530": "Undefined Access (no effect) Bit 2", - "4531": "Undefined Access (no effect) Bit 3", - "4532": "Undefined Access (no effect) Bit 4", - "4533": "Undefined Access (no effect) Bit 5", - "4534": "Undefined Access (no effect) Bit 6", - "4535": "Undefined Access (no effect) Bit 7", - "4536": "Undefined Access (no effect) Bit 8", - "4537": "Undefined Access (no effect) Bit 9", - "4538": "Undefined Access (no effect) Bit 10", - "4539": "Undefined Access (no effect) Bit 11", - "4540": "Undefined Access (no effect) Bit 12", - "4541": "Undefined Access (no effect) Bit 13", - "4542": "Undefined Access (no effect) Bit 14", - "4543": "Undefined Access (no effect) Bit 15", - "4544": "Use symbolic link", - "4545": "Undefined Access (no effect) Bit 1", - "4546": "Undefined Access (no effect) Bit 2", - "4547": "Undefined Access (no effect) Bit 3", - "4548": "Undefined Access (no effect) Bit 4", - "4549": "Undefined Access (no effect) Bit 5", - "4550": "Undefined Access (no effect) Bit 6", - "4551": "Undefined Access (no 
effect) Bit 7", - "4552": "Undefined Access (no effect) Bit 8", - "4553": "Undefined Access (no effect) Bit 9", - "4554": "Undefined Access (no effect) Bit 10", - "4555": "Undefined Access (no effect) Bit 11", - "4556": "Undefined Access (no effect) Bit 12", - "4557": "Undefined Access (no effect) Bit 13", - "4558": "Undefined Access (no effect) Bit 14", - "4559": "Undefined Access (no effect) Bit 15", - "4560": "Force thread termination", - "4561": "Suspend or resume thread", - "4562": "Send an alert to thread", - "4563": "Get thread context", - "4564": "Set thread context", - "4565": "Set thread information", - "4566": "Query thread information", - "4567": "Assign a token to the thread", - "4568": "Cause thread to directly impersonate another thread", - "4569": "Directly impersonate this thread", - "4570": "Undefined Access (no effect) Bit 10", - "4571": "Undefined Access (no effect) Bit 11", - "4572": "Undefined Access (no effect) Bit 12", - "4573": "Undefined Access (no effect) Bit 13", - "4574": "Undefined Access (no effect) Bit 14", - "4575": "Undefined Access (no effect) Bit 15", - "4576": "Query timer state", - "4577": "Modify timer state", - "4578": "Undefined Access (no effect) Bit 2", - "4579": "Undefined Access (no effect) Bit 3", - "4580": "Undefined Access (no effect) Bit 4", - "4581": "Undefined Access (no effect) Bit 5", - "4582": "Undefined Access (no effect) Bit 6", - "4584": "Undefined Access (no effect) Bit 8", - "4585": "Undefined Access (no effect) Bit 9", - "4586": "Undefined Access (no effect) Bit 10", - "4587": "Undefined Access (no effect) Bit 11", - "4588": "Undefined Access (no effect) Bit 12", - "4589": "Undefined Access (no effect) Bit 13", - "4590": "Undefined Access (no effect) Bit 14", - "4591": "Undefined Access (no effect) Bit 15", - "4592": "AssignAsPrimary", - "4593": "Duplicate", - "4594": "Impersonate", - "4595": "Query", - "4596": "QuerySource", - "4597": "AdjustPrivileges", - "4598": "AdjustGroups", - "4599": 
"AdjustDefaultDacl", - "4600": "AdjustSessionID", - "4601": "Undefined Access (no effect) Bit 9", - "4602": "Undefined Access (no effect) Bit 10", - "4603": "Undefined Access (no effect) Bit 11", - "4604": "Undefined Access (no effect) Bit 12", - "4605": "Undefined Access (no effect) Bit 13", - "4606": "Undefined Access (no effect) Bit 14", - "4607": "Undefined Access (no effect) Bit 15", - "4608": "Create instance of object type", - "4609": "Undefined Access (no effect) Bit 1", - "4610": "Undefined Access (no effect) Bit 2", - "4611": "Undefined Access (no effect) Bit 3", - "4612": "Undefined Access (no effect) Bit 4", - "4613": "Undefined Access (no effect) Bit 5", - "4614": "Undefined Access (no effect) Bit 6", - "4615": "Undefined Access (no effect) Bit 7", - "4616": "Undefined Access (no effect) Bit 8", - "4617": "Undefined Access (no effect) Bit 9", - "4618": "Undefined Access (no effect) Bit 10", - "4619": "Undefined Access (no effect) Bit 11", - "4620": "Undefined Access (no effect) Bit 12", - "4621": "Undefined Access (no effect) Bit 13", - "4622": "Undefined Access (no effect) Bit 14", - "4623": "Undefined Access (no effect) Bit 15", - "4864": "Query State", - "4865": "Modify State", - "5120": "Channel read message", - "5121": "Channel write message", - "5122": "Channel query information", - "5123": "Channel set information", - "5124": "Undefined Access (no effect) Bit 4", - "5125": "Undefined Access (no effect) Bit 5", - "5126": "Undefined Access (no effect) Bit 6", - "5127": "Undefined Access (no effect) Bit 7", - "5128": "Undefined Access (no effect) Bit 8", - "5129": "Undefined Access (no effect) Bit 9", - "5130": "Undefined Access (no effect) Bit 10", - "5131": "Undefined Access (no effect) Bit 11", - "5132": "Undefined Access (no effect) Bit 12", - "5133": "Undefined Access (no effect) Bit 13", - "5134": "Undefined Access (no effect) Bit 14", - "5135": "Undefined Access (no effect) Bit 15", - "5136": "Assign process", - "5137": "Set Attributes", - 
"5138": "Query Attributes", - "5139": "Terminate Job", - "5140": "Set Security Attributes", - "5141": "Undefined Access (no effect) Bit 5", - "5142": "Undefined Access (no effect) Bit 6", - "5143": "Undefined Access (no effect) Bit 7", - "5144": "Undefined Access (no effect) Bit 8", - "5145": "Undefined Access (no effect) Bit 9", - "5146": "Undefined Access (no effect) Bit 10", - "5147": "Undefined Access (no effect) Bit 11", - "5148": "Undefined Access (no effect) Bit 12", - "5149": "Undefined Access (no effect) Bit 13", - "5150": "Undefined Access (no effect) Bit 14", - "5151": "Undefined Access (no effect) Bit 15", - "5376": "ConnectToServer", - "5377": "ShutdownServer", - "5378": "InitializeServer", - "5379": "CreateDomain", - "5380": "EnumerateDomains", - "5381": "LookupDomain", - "5382": "Undefined Access (no effect) Bit 6", - "5383": "Undefined Access (no effect) Bit 7", - "5384": "Undefined Access (no effect) Bit 8", - "5385": "Undefined Access (no effect) Bit 9", - "5386": "Undefined Access (no effect) Bit 10", - "5387": "Undefined Access (no effect) Bit 11", - "5388": "Undefined Access (no effect) Bit 12", - "5389": "Undefined Access (no effect) Bit 13", - "5390": "Undefined Access (no effect) Bit 14", - "5391": "Undefined Access (no effect) Bit 15", - "5392": "ReadPasswordParameters", - "5393": "WritePasswordParameters", - "5394": "ReadOtherParameters", - "5395": "WriteOtherParameters", - "5396": "CreateUser", - "5397": "CreateGlobalGroup", - "5398": "CreateLocalGroup", - "5399": "GetLocalGroupMembership", - "5400": "ListAccounts", - "5401": "LookupIDs", - "5402": "AdministerServer", - "5403": "Undefined Access (no effect) Bit 11", - "5404": "Undefined Access (no effect) Bit 12", - "5405": "Undefined Access (no effect) Bit 13", - "5406": "Undefined Access (no effect) Bit 14", - "5407": "Undefined Access (no effect) Bit 15", - "5408": "ReadInformation", - "5409": "WriteAccount", - "5410": "AddMember", - "5411": "RemoveMember", - "5412": "ListMembers", - 
"5413": "Undefined Access (no effect) Bit 5", - "5414": "Undefined Access (no effect) Bit 6", - "5415": "Undefined Access (no effect) Bit 7", - "5416": "Undefined Access (no effect) Bit 8", - "5417": "Undefined Access (no effect) Bit 9", - "5418": "Undefined Access (no effect) Bit 10", - "5419": "Undefined Access (no effect) Bit 11", - "5420": "Undefined Access (no effect) Bit 12", - "5421": "Undefined Access (no effect) Bit 13", - "5422": "Undefined Access (no effect) Bit 14", - "5423": "Undefined Access (no effect) Bit 15", - "5424": "AddMember", - "5425": "RemoveMember", - "5426": "ListMembers", - "5427": "ReadInformation", - "5428": "WriteAccount", - "5429": "Undefined Access (no effect) Bit 5", - "5430": "Undefined Access (no effect) Bit 6", - "5431": "Undefined Access (no effect) Bit 7", - "5432": "Undefined Access (no effect) Bit 8", - "5433": "Undefined Access (no effect) Bit 9", - "5434": "Undefined Access (no effect) Bit 10", - "5435": "Undefined Access (no effect) Bit 11", - "5436": "Undefined Access (no effect) Bit 12", - "5437": "Undefined Access (no effect) Bit 13", - "5438": "Undefined Access (no effect) Bit 14", - "5439": "Undefined Access (no effect) Bit 15", - "5440": "ReadGeneralInformation", - "5441": "ReadPreferences", - "5442": "WritePreferences", - "5443": "ReadLogon", - "5444": "ReadAccount", - "5445": "WriteAccount", - "5446": "ChangePassword (with knowledge of old password)", - "5447": "SetPassword (without knowledge of old password)", - "5448": "ListGroups", - "5449": "ReadGroupMembership", - "5450": "ChangeGroupMembership", - "5451": "Undefined Access (no effect) Bit 11", - "5452": "Undefined Access (no effect) Bit 12", - "5453": "Undefined Access (no effect) Bit 13", - "5454": "Undefined Access (no effect) Bit 14", - "5455": "Undefined Access (no effect) Bit 15", - "5632": "View non-sensitive policy information", - "5633": "View system audit requirements", - "5634": "Get sensitive policy information", - "5635": "Modify domain trust 
relationships", - "5636": "Create special accounts (for assignment of user rights)", - "5637": "Create a secret object", - "5638": "Create a privilege", - "5639": "Set default quota limits", - "5640": "Change system audit requirements", - "5641": "Administer audit log attributes", - "5642": "Enable/Disable LSA", - "5643": "Lookup Names/SIDs", - "5648": "Change secret value", - "5649": "Query secret value", - "5650": "Undefined Access (no effect) Bit 2", - "5651": "Undefined Access (no effect) Bit 3", - "5652": "Undefined Access (no effect) Bit 4", - "5653": "Undefined Access (no effect) Bit 5", - "5654": "Undefined Access (no effect) Bit 6", - "5655": "Undefined Access (no effect) Bit 7", - "5656": "Undefined Access (no effect) Bit 8", - "5657": "Undefined Access (no effect) Bit 9", - "5658": "Undefined Access (no effect) Bit 10", - "5659": "Undefined Access (no effect) Bit 11", - "5660": "Undefined Access (no effect) Bit 12", - "5661": "Undefined Access (no effect) Bit 13", - "5662": "Undefined Access (no effect) Bit 14", - "5663": "Undefined Access (no effect) Bit 15", - "5664": "Query trusted domain name/SID", - "5665": "Retrieve the controllers in the trusted domain", - "5666": "Change the controllers in the trusted domain", - "5667": "Query the Posix ID offset assigned to the trusted domain", - "5668": "Change the Posix ID offset assigned to the trusted domain", - "5669": "Undefined Access (no effect) Bit 5", - "5670": "Undefined Access (no effect) Bit 6", - "5671": "Undefined Access (no effect) Bit 7", - "5672": "Undefined Access (no effect) Bit 8", - "5673": "Undefined Access (no effect) Bit 9", - "5674": "Undefined Access (no effect) Bit 10", - "5675": "Undefined Access (no effect) Bit 11", - "5676": "Undefined Access (no effect) Bit 12", - "5677": "Undefined Access (no effect) Bit 13", - "5678": "Undefined Access (no effect) Bit 14", - "5679": "Undefined Access (no effect) Bit 15", - "5680": "Query account information", - "5681": "Change privileges 
assigned to account", - "5682": "Change quotas assigned to account", - "5683": "Change logon capabilities assigned to account", - "5684": "Change the Posix ID offset assigned to the accounted domain", - "5685": "Undefined Access (no effect) Bit 5", - "5686": "Undefined Access (no effect) Bit 6", - "5687": "Undefined Access (no effect) Bit 7", - "5688": "Undefined Access (no effect) Bit 8", - "5689": "Undefined Access (no effect) Bit 9", - "5690": "Undefined Access (no effect) Bit 10", - "5691": "Undefined Access (no effect) Bit 11", - "5692": "Undefined Access (no effect) Bit 12", - "5693": "Undefined Access (no effect) Bit 13", - "5694": "Undefined Access (no effect) Bit 14", - "5695": "Undefined Access (no effect) Bit 15", - "5696": "KeyedEvent Wait", - "5697": "KeyedEvent Wake", - "5698": "Undefined Access (no effect) Bit 2", - "5699": "Undefined Access (no effect) Bit 3", - "5700": "Undefined Access (no effect) Bit 4", - "5701": "Undefined Access (no effect) Bit 5", - "5702": "Undefined Access (no effect) Bit 6", - "5703": "Undefined Access (no effect) Bit 7", - "5704": "Undefined Access (no effect) Bit 8", - "5705": "Undefined Access (no effect) Bit 9", - "5706": "Undefined Access (no effect) Bit 10", - "5707": "Undefined Access (no effect) Bit 11", - "5708": "Undefined Access (no effect) Bit 12", - "5709": "Undefined Access (no effect) Bit 13", - "5710": "Undefined Access (no effect) Bit 14", - "5711": "Undefined Access (no effect) Bit 15", - "6656": "Enumerate desktops", - "6657": "Read attributes", - "6658": "Access Clipboard", - "6659": "Create desktop", - "6660": "Write attributes", - "6661": "Access global atoms", - "6662": "Exit windows", - "6663": "Unused Access Flag", - "6664": "Include this windowstation in enumerations", - "6665": "Read screen", - "6672": "Read Objects", - "6673": "Create window", - "6674": "Create menu", - "6675": "Hook control", - "6676": "Journal (record)", - "6677": "Journal (playback)", - "6678": "Include this desktop in 
enumerations", - "6679": "Write objects", - "6680": "Switch to this desktop", - "6912": "Administer print server", - "6913": "Enumerate printers", - "6930": "Full Control", - "6931": "Print", - "6948": "Administer Document", - "7168": "Connect to service controller", - "7169": "Create a new service", - "7170": "Enumerate services", - "7171": "Lock service database for exclusive access", - "7172": "Query service database lock state", - "7173": "Set last-known-good state of service database", - "7184": "Query service configuration information", - "7185": "Set service configuration information", - "7186": "Query status of service", - "7187": "Enumerate dependencies of service", - "7188": "Start the service", - "7189": "Stop the service", - "7190": "Pause or continue the service", - "7191": "Query information from service", - "7192": "Issue service-specific control commands", - "7424": "DDE Share Read", - "7425": "DDE Share Write", - "7426": "DDE Share Initiate Static", - "7427": "DDE Share Initiate Link", - "7428": "DDE Share Request", - "7429": "DDE Share Advise", - "7430": "DDE Share Poke", - "7431": "DDE Share Execute", - "7432": "DDE Share Add Items", - "7433": "DDE Share List Items", - "7680": "Create Child", - "7681": "Delete Child", - "7682": "List Contents", - "7683": "Write Self", - "7684": "Read Property", - "7685": "Write Property", - "7686": "Delete Tree", - "7687": "List Object", - "7688": "Control Access", - "7689": "Undefined Access (no effect) Bit 9", - "7690": "Undefined Access (no effect) Bit 10", - "7691": "Undefined Access (no effect) Bit 11", - "7692": "Undefined Access (no effect) Bit 12", - "7693": "Undefined Access (no effect) Bit 13", - "7694": "Undefined Access (no effect) Bit 14", - "7695": "Undefined Access (no effect) Bit 15", - "7936": "Audit Set System Policy", - "7937": "Audit Query System Policy", - "7938": "Audit Set Per User Policy", - "7939": "Audit Query Per User Policy", - "7940": "Audit Enumerate Users", - "7941": "Audit Set 
Options", - "7942": "Audit Query Options", - "8064": "Port sharing (read)", - "8065": "Port sharing (write)", - "8096": "Default credentials", - "8097": "Credentials manager", - "8098": "Fresh credentials", - "8192": "Kerberos", - "8193": "Preshared key", - "8194": "Unknown authentication", - "8195": "DES", - "8196": "3DES", - "8197": "MD5", - "8198": "SHA1", - "8199": "Local computer", - "8200": "Remote computer", - "8201": "No state", - "8202": "Sent first (SA) payload", - "8203": "Sent second (KE) payload", - "8204": "Sent third (ID) payload", - "8205": "Initiator", - "8206": "Responder", - "8207": "No state", - "8208": "Sent first (SA) payload", - "8209": "Sent final payload", - "8210": "Complete", - "8211": "Unknown", - "8212": "Transport", - "8213": "Tunnel", - "8214": "IKE/AuthIP DoS prevention mode started", - "8215": "IKE/AuthIP DoS prevention mode stopped", - "8216": "Enabled", - "8217": "Not enabled", - "8218": "No state", - "8219": "Sent first (EM attributes) payload", - "8220": "Sent second (SSPI) payload", - "8221": "Sent third (hash) payload", - "8222": "IKEv1", - "8223": "AuthIP", - "8224": "Anonymous", - "8225": "NTLM V2", - "8226": "CGA", - "8227": "Certificate", - "8228": "SSL", - "8229": "None", - "8230": "DH group 1", - "8231": "DH group 2", - "8232": "DH group 14", - "8233": "DH group ECP 256", - "8234": "DH group ECP 384", - "8235": "AES-128", - "8236": "AES-192", - "8237": "AES-256", - "8238": "Certificate ECDSA P256", - "8239": "Certificate ECDSA P384", - "8240": "SSL ECDSA P256", - "8241": "SSL ECDSA P384", - "8242": "SHA 256", - "8243": "SHA 384", - "8244": "IKEv2", - "8245": "EAP payload sent", - "8246": "Authentication payload sent", - "8247": "EAP", - "8248": "DH group 24", - "8272": "System", - "8273": "Logon/Logoff", - "8274": "Object Access", - "8275": "Privilege Use", - "8276": "Detailed Tracking", - "8277": "Policy Change", - "8278": "Account Management", - "8279": "DS Access", - "8280": "Account Logon", - "8448": "Success 
removed", - "8449": "Success Added", - "8450": "Failure removed", - "8451": "Failure Added", - "8452": "Success include removed", - "8453": "Success include added", - "8454": "Success exclude removed", - "8455": "Success exclude added", - "8456": "Failure include removed", - "8457": "Failure include added", - "8458": "Failure exclude removed", - "8459": "Failure exclude added", - "12288": "Security State Change", - "12289": "Security System Extension", - "12290": "System Integrity", - "12291": "IPsec Driver", - "12292": "Other System Events", - "12544": "Logon", - "12545": "Logoff", - "12546": "Account Lockout", - "12547": "IPsec Main Mode", - "12548": "Special Logon", - "12549": "IPsec Quick Mode", - "12550": "IPsec Extended Mode", - "12551": "Other Logon/Logoff Events", - "12552": "Network Policy Server", - "12553": "User / Device Claims", - "12554": "Group Membership", - "12800": "File System", - "12801": "Registry", - "12802": "Kernel Object", - "12803": "SAM", - "12804": "Other Object Access Events", - "12805": "Certification Services", - "12806": "Application Generated", - "12807": "Handle Manipulation", - "12808": "File Share", - "12809": "Filtering Platform Packet Drop", - "12810": "Filtering Platform Connection", - "12811": "Detailed File Share", - "12812": "Removable Storage", - "12813": "Central Policy Staging", - "13056": "Sensitive Privilege Use", - "13057": "Non Sensitive Privilege Use", - "13058": "Other Privilege Use Events", - "13312": "Process Creation", - "13313": "Process Termination", - "13314": "DPAPI Activity", - "13315": "RPC Events", - "13316": "Plug and Play Events", - "13317": "Token Right Adjusted Events", - "13568": "Audit Policy Change", - "13569": "Authentication Policy Change", - "13570": "Authorization Policy Change", - "13571": "MPSSVC Rule-Level Policy Change", - "13572": "Filtering Platform Policy Change", - "13573": "Other Policy Change Events", - "13824": "User Account Management", - "13825": "Computer Account Management", - 
"13826": "Security Group Management", - "13827": "Distribution Group Management", - "13828": "Application Group Management", - "13829": "Other Account Management Events", - "14080": "Directory Service Access", - "14081": "Directory Service Changes", - "14082": "Directory Service Replication", - "14083": "Detailed Directory Service Replication", - "14336": "Credential Validation", - "14337": "Kerberos Service Ticket Operations", - "14338": "Other Account Logon Events", - "14339": "Kerberos Authentication Service", - "14592": "Inbound", - "14593": "Outbound", - "14594": "Forward", - "14595": "Bidirectional", - "14596": "IP Packet", - "14597": "Transport", - "14598": "Forward", - "14599": "Stream", - "14600": "Datagram Data", - "14601": "ICMP Error", - "14602": "MAC 802.3", - "14603": "MAC Native", - "14604": "vSwitch", - "14608": "Resource Assignment", - "14609": "Listen", - "14610": "Receive/Accept", - "14611": "Connect", - "14612": "Flow Established", - "14614": "Resource Release", - "14615": "Endpoint Closure", - "14616": "Connect Redirect", - "14617": "Bind Redirect", - "14624": "Stream Packet", - "14640": "ICMP Echo-Request", - "14641": "vSwitch Ingress", - "14642": "vSwitch Egress", - "14672": "", - "14673": "[NULL]", - "14674": "Value Added", - "14675": "Value Deleted", - "14676": "Active Directory Domain Services", - "14677": "Active Directory Lightweight Directory Services", - "14678": "Yes", - "14679": "No", - "14680": "Value Added With Expiration Time", - "14681": "Value Deleted With Expiration Time", - "14688": "Value Auto Deleted With Expiration Time", - "16384": "Add", - "16385": "Delete", - "16386": "Boot-time", - "16387": "Persistent", - "16388": "Not persistent", - "16389": "Block", - "16390": "Permit", - "16391": "Callout", - "16392": "MD5", - "16393": "SHA-1", - "16394": "SHA-256", - "16395": "AES-GCM 128", - "16396": "AES-GCM 192", - "16397": "AES-GCM 256", - "16398": "DES", - "16399": "3DES", - "16400": "AES-128", - "16401": "AES-192", - "16402": 
"AES-256", - "16403": "Transport", - "16404": "Tunnel", - "16405": "Responder", - "16406": "Initiator", - "16407": "AES-GMAC 128", - "16408": "AES-GMAC 192", - "16409": "AES-GMAC 256", - "16416": "AuthNoEncap Transport", - "16896": "Enable WMI Account", - "16897": "Execute Method", - "16898": "Full Write", - "16899": "Partial Write", - "16900": "Provider Write", - "16901": "Remote Access", - "16902": "Subscribe", - "16903": "Publish", - }; - // Trust Types - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706 - var trustTypes = { - "1": "TRUST_TYPE_DOWNLEVEL", - "2": "TRUST_TYPE_UPLEVEL", - "3": "TRUST_TYPE_MIT", - "4": "TRUST_TYPE_DCE" - } - // Trust Direction - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706 - var trustDirection = { - "0": "TRUST_DIRECTION_DISABLED", - "1": "TRUST_DIRECTION_INBOUND", - "2": "TRUST_DIRECTION_OUTBOUND", - "3": "TRUST_DIRECTION_BIDIRECTIONAL" - } - // Trust Attributes - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706 - var trustAttributes = { - "0": "UNDEFINED", - "1": "TRUST_ATTRIBUTE_NON_TRANSITIVE", - "2": "TRUST_ATTRIBUTE_UPLEVEL_ONLY", - "4": "TRUST_ATTRIBUTE_QUARANTINED_DOMAIN", - "8": "TRUST_ATTRIBUTE_FOREST_TRANSITIVE", - "16": "TRUST_ATTRIBUTE_CROSS_ORGANIZATION", - "32": "TRUST_ATTRIBUTE_WITHIN_FOREST", - "64": "TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL", - "128": "TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION", - "512": "TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION", - "1024": "TRUST_ATTRIBUTE_PIM_TRUST" - } - // SDDL Ace Types - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4715 - // https://docs.microsoft.com/en-us/windows/win32/secauthz/ace-strings - // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/f4296d69-1c0f-491f-9587-a960b292d070 - var aceTypes = { - "A": "Access Allowed", - "D": "Access Denied", - "OA": "Object Access Allowed", - "OD": 
"Object Access Denied", - "AU": "System Audit", - "AL": "System Alarm", - "OU": "System Object Audit", - "OL": "System Object Alarm", - "ML": "System Mandatory Label", - "SP": "Central Policy ID" - } - // SDDL Permissions - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4715 - // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/f4296d69-1c0f-491f-9587-a960b292d070 - var permissionDescription = { - "GA": "Generic All", - "GR": "Generic Read", - "GW": "Generic Write", - "GX": "Generic Execute", - "RC": "Read Permissions", - "SD": "Delete", - "WD": "Modify Permissions", - "WO": "Modify Owner", - "RP": "Read All Properties", - "WP": "Write All Properties", - "CC": "Create All Child Objects", - "DC": "Delete All Child Objects", - "LC": "List Contents", - "SW": "All Validated", - "LO": "List Object", - "DT": "Delete Subtree", - "CR": "All Extended Rights", - "FA": "File All Access", - "FR": "File Generic Read", - "FX": "FILE GENERIC EXECUTE", - "FW": "FILE GENERIC WRITE", - "KA": "KEY ALL ACCESS", - "KR": "KEY READ", - "KW": "KEY WRITE", - "KX": "KEY EXECUTE" - } - // Known SIDs - // https://support.microsoft.com/en-au/help/243330/well-known-security-identifier"S-in-window"S-operating-systems - // https://docs.microsoft.com/en-us/windows/win32/secauthz/sid-strings - var accountSIDDescription = { - "AO": "Account operators", - "RU": "Alias to allow previous Windows 2000", - "AN": "Anonymous logon", - "AU": "Authenticated users", - "BA": "Built-in administrators", - "BG": "Built-in guests", - "BO": "Backup operators", - "BU": "Built-in users", - "CA": "Certificate server administrators", - "CG": "Creator group", - "CO": "Creator owner", - "DA": "Domain administrators", - "DC": "Domain computers", - "DD": "Domain controllers", - "DG": "Domain guests", - "DU": "Domain users", - "EA": "Enterprise administrators", - "ED": "Enterprise domain controllers", - "WD": "Everyone", - "PA": "Group Policy administrators", - 
"IU": "Interactively logged-on user", - "LA": "Local administrator", - "LG": "Local guest", - "LS": "Local service account", - "SY": "Local system", - "NU": "Network logon user", - "NO": "Network configuration operators", - "NS": "Network service account", - "PO": "Printer operators", - "PS": "Personal self", - "PU": "Power users", - "RS": "RAS servers group", - "RD": "Terminal server users", - "RE": "Replicator", - "RC": "Restricted code", - "SA": "Schema administrators", - "SO": "Server operators", - "SU": "Service logon user", - "S-1-0": "Null Authority", - "S-1-0-0": "Nobody", - "S-1-1": "World Authority", - "S-1-1-0": "Everyone", - "S-1-16-0": "Untrusted Mandatory Level", - "S-1-16-12288": "High Mandatory Level", - "S-1-16-16384": "System Mandatory Level", - "S-1-16-20480": "Protected Process Mandatory Level", - "S-1-16-28672": "Secure Process Mandatory Level", - "S-1-16-4096": "Low Mandatory Level", - "S-1-16-8192": "Medium Mandatory Level", - "S-1-16-8448": "Medium Plus Mandatory Level", - "S-1-2": "Local Authority", - "S-1-2-0": "Local", - "S-1-2-1": "Console Logon", - "S-1-3": "Creator Authority", - "S-1-3-0": "Creator Owner", - "S-1-3-1": "Creator Group", - "S-1-3-2": "Creator Owner Server", - "S-1-3-3": "Creator Group Server", - "S-1-3-4": "Owner Rights", - "S-1-4": "Non-unique Authority", - "S-1-5": "NT Authority", - "S-1-5-1": "Dialup", - "S-1-5-10": "Principal Self", - "S-1-5-11": "Authenticated Users", - "S-1-5-12": "Restricted Code", - "S-1-5-13": "Terminal Server Users", - "S-1-5-14": "Remote Interactive Logon", - "S-1-5-15": "This Organization", - "S-1-5-17": "This Organization", - "S-1-5-18": "Local System", - "S-1-5-19": "NT Authority", - "S-1-5-2": "Network", - "S-1-5-20": "NT Authority", - "S-1-5-3": "Batch", - "S-1-5-32-544": "Administrators", - "S-1-5-32-545": "Users", - "S-1-5-32-546": "Guests", - "S-1-5-32-547": "Power Users", - "S-1-5-32-548": "Account Operators", - "S-1-5-32-549": "Server Operators", - "S-1-5-32-550": "Print Operators", 
- "S-1-5-32-551": "Backup Operators",
- "S-1-5-32-552": "Replicators",
- "S-1-5-32-554": "Builtin\Pre-Windows 2000 Compatible Access",
- "S-1-5-32-555": "Builtin\Remote Desktop Users",
- "S-1-5-32-556": "Builtin\Network Configuration Operators",
- "S-1-5-32-557": "Builtin\Incoming Forest Trust Builders",
- "S-1-5-32-558": "Builtin\Performance Monitor Users",
- "S-1-5-32-559": "Builtin\Performance Log Users",
- "S-1-5-32-560": "Builtin\Windows Authorization Access Group",
- "S-1-5-32-561": "Builtin\Terminal Server License Servers",
- "S-1-5-32-562": "Builtin\Distributed COM Users",
- "S-1-5-32-569": "Builtin\Cryptographic Operators",
- "S-1-5-32-573": "Builtin\Event Log Readers",
- "S-1-5-32-574": "Builtin\Certificate Service DCOM Access",
- "S-1-5-32-575": "Builtin\RDS Remote Access Servers",
- "S-1-5-32-576": "Builtin\RDS Endpoint Servers",
- "S-1-5-32-577": "Builtin\RDS Management Servers",
- "S-1-5-32-578": "Builtin\Hyper-V Administrators",
- "S-1-5-32-579": "Builtin\Access Control Assistance Operators",
- "S-1-5-32-580": "Builtin\Remote Management Users",
- "S-1-5-32-582": "Storage Replica Administrators",
- "S-1-5-4": "Interactive",
- "S-1-5-5-X-Y": "Logon Session",
- "S-1-5-6": "Service",
- "S-1-5-64-10": "NTLM Authentication",
- "S-1-5-64-14": "SChannel Authentication",
- "S-1-5-64-21": "Digest Authentication",
- "S-1-5-7": "Anonymous",
- "S-1-5-8": "Proxy",
- "S-1-5-80": "NT Service",
- "S-1-5-80-0": "All Services",
- "S-1-5-83-0": "NT Virtual Machine\Virtual Machines",
- "S-1-5-9": "Enterprise Domain Controllers",
- "S-1-5-90-0": "Windows Manager\Windows Manager Group"
- }
- // Domain-specific SIDs
- // https://support.microsoft.com/en-au/help/243330/well-known-security-identifiers-in-windows-operating-systems
- var domainSpecificSID = {
- "498": "Enterprise Read-only Domain Controllers",
- "500": "Administrator",
- "501": "Guest",
- "502": "KRBTGT",
- "512": "Domain Admins",
- "513": "Domain Users",
- "514": "Domain Guests",
- "515": "Domain Computers",
- "516": "Domain Controllers",
- "517": "Cert Publishers",
- "518": "Schema Admins",
- "519": "Enterprise Admins",
- "520": "Group Policy Creator Owners",
- "521": "Read-only Domain Controllers",
- "522": "Cloneable Domain Controllers",
- "526": "Key Admins",
- "527": "Enterprise Key Admins",
- "553": "RAS and IAS Servers",
- "571": "Allowed RODC Password Replication Group",
- "572": "Denied RODC Password Replication Group"
- }
- // Object Permission Flags
- // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/7a53f60e-e730-4dfe-bbe9-b21b62eb790b
- var permsFlags = [
- [0x80000000, 'Generic Read'],
- [0x4000000, 'Generic Write'],
- [0x20000000, 'Generic Execute'],
- [0x10000000, 'Generic All'],
- [0x02000000, 'Maximun Allowed'],
- [0x01000000, 'Access System Security'],
- [0x00100000, 'Syncronize'],
- [0x00080000, 'Write Owner'],
- [0x00040000, 'Write DACL'],
- [0x00020000, 'Read Control'],
- [0x00010000, 'Delete']
- ];
- // lookupMessageCode returns the string associated with the code. key should
- be the name of the field in evt containing the code (e.g. %%2313).
- var lookupMessageCode = function (evt, key) {
- var code = evt.Get(key);
- if (!code) {
- return;
- }
- code = code.replace("%%", "");
- return msobjsMessageTable[code];
- };
- var addEventFields = function(evt){
- var code = evt.Get("event.code");
- if (!code) {
- return;
- }
- var eventActionDescription = eventActionTypes[code][2];
- if (eventActionDescription) {
- evt.AppendTo("event.category", eventActionTypes[code][0]);
- evt.AppendTo("event.type", eventActionTypes[code][1]);
- evt.Put("event.action", eventActionTypes[code][2]);
- }
- };
- var addLogonType = function(evt) {
- var code = evt.Get("winlog.event_data.LogonType");
- if (!code) {
- return;
- }
- var descriptiveLogonType = logonTypes[code];
- if (descriptiveLogonType === undefined) {
- return;
- }
- evt.Put("winlog.logon.type", descriptiveLogonType);
- };
- var addFailureCode = function(evt) {
- var msg = lookupMessageCode(evt, "winlog.event_data.FailureReason");
- if (!msg) {
- return;
- }
- evt.Put("winlog.logon.failure.reason", msg);
- };
- var addFailureStatus = function(evt) {
- var code = evt.Get("winlog.event_data.Status");
- if (!code) {
- return;
- }
- var descriptiveFailureStatus = logonFailureStatus[code];
- if (descriptiveFailureStatus === undefined) {
- return;
- }
- evt.Put("winlog.logon.failure.status", descriptiveFailureStatus);
- };
- var addFailureSubStatus = function(evt) {
- var code = evt.Get("winlog.event_data.SubStatus");
- if (!code) {
- return;
- }
- var descriptiveFailureStatus = logonFailureStatus[code];
- if (descriptiveFailureStatus === undefined) {
- return;
- }
- evt.Put("winlog.logon.failure.sub_status", descriptiveFailureStatus);
- };
- var addUACDescription = function(evt) {
- var code = evt.Get("winlog.event_data.NewUacValue");
- if (!code) {
- return;
- }
- var uacCode = parseInt(code);
- var uacResult = [];
- for (var i = 0; i < uacFlags.length; i++) {
- if ((uacCode | uacFlags[i][0]) === uacCode) {
- uacResult.push(uacFlags[i][1]);
- }
- }
- if (uacResult) {
- evt.Put("winlog.event_data.NewUACList", uacResult);
- }
- var uacList = evt.Get("winlog.event_data.UserAccountControl").replace(/\s/g, '').split("%%").filter(String);
- if (!uacList) {
- return;
- }
- evt.Put("winlog.event_data.UserAccountControl", uacList);
- };
- var addAuditInfo = function(evt) {
- var subcategoryGuid = evt.Get("winlog.event_data.SubcategoryGuid").replace("{", '').replace("}", '').toUpperCase();
- if (!subcategoryGuid) {
- return;
- }
- if (!auditDescription[subcategoryGuid]) {
- return;
- }
- evt.Put("winlog.event_data.Category", auditDescription[subcategoryGuid][1]);
- evt.Put("winlog.event_data.SubCategory", auditDescription[subcategoryGuid][0]);
- var codedActions = evt.Get("winlog.event_data.AuditPolicyChanges").split(",");
- var actionResults = [];
- for (var j = 0; j < codedActions.length; j++) {
- var actionCode = codedActions[j].replace("%%", '').replace(' ', '');
- actionResults.push(msobjsMessageTable[actionCode]);
- }
- evt.Put("winlog.event_data.AuditPolicyChangesDescription", actionResults);
- };
- var addTicketOptionsDescription = function(evt) {
- var code = evt.Get("winlog.event_data.TicketOptions");
- if (!code) {
- return;
- }
- var tktCode = parseInt(code, 16).toString(2);
- var tktResult = [];
- var tktCodeLen = tktCode.length;
- for (var i = tktCodeLen; i >= 0; i--) {
- if (tktCode[i] == 1) {
- tktResult.push(ticketOptions[(32-tktCodeLen)+i]);
- }
- }
- if (tktResult) {
- evt.Put("winlog.event_data.TicketOptionsDescription", tktResult);
- }
- };
- var addTicketEncryptionType = function(evt) {
- var code = evt.Get("winlog.event_data.TicketEncryptionType");
- if (!code) {
- return;
- }
- var encTypeCode = code.toLowerCase();
- evt.Put("winlog.event_data.TicketEncryptionTypeDescription", ticketEncryptionTypes[encTypeCode]);
- };
- var addTicketStatus = function(evt) {
- var code = evt.Get("winlog.event_data.Status");
- if (!code) {
- return;
- }
- evt.Put("winlog.event_data.StatusDescription", kerberosTktStatusCodes[code]);
- };
- var translateSID = function(sid){
- var translatedSID = accountSIDDescription[sid];
- if (translatedSID == undefined) {
- if (/^S\-1\-5\-21/.test(sid)) {
- var uid = sid.match(/[0-9]{1,5}$/g);
- if (uid) {
- translatedSID = domainSpecificSID[uid];
- }
- }
- }
- if (translatedSID == undefined) {
- translatedSID = sid;
- }
- return translatedSID;
- }
- var translatePermissionMask = function(mask) {
- if (!mask) {
- return;
- }
- var permCode = parseInt(mask);
- var permResult = [];
- for (var i = 0; i < permsFlags.length; i++) {
- if ((permCode | permsFlags[i][0]) === permCode) {
- permResult.push(permsFlags[i][1]);
- }
- }
- if (permResult) {
- return permResult;
- } else {
- return mask;
- }
- };
- var translateACL = function(dacl) {
- var aceArray = dacl.split(";");
- var aceResult = [];
- var aceType = aceArray[0];
- var acePerm = aceArray[2];
- var aceTrustedSid = aceArray[5];
- if (aceTrustedSid) {
- aceResult['grantee'] = translateSID(aceTrustedSid);
- }
- if (aceType) {
- aceResult['type'] = aceTypes[aceType];
- }
- if (acePerm) {
- if (/^0x/.test(acePerm)) {
- var perms = translatePermissionMask(acePerm);
- }
- else {
- var perms = []
- var permPairs = acePerm.match(/.{1,2}/g);
- for ( var i = 0; i < permPairs.length; i ++) {
- perms.push(permissionDescription[permPairs[i]])
- }
- }
- aceResult['perms'] = perms;
- }
- return aceResult;
- };
- var enrichSDDL = function(evt, sddl) {
- var sddlStr = evt.Get(sddl);
- if (!sddlStr) {
- return;
- }
- var sdOwner = sddlStr.match(/^O\:[A-Z]{2}/g);
- var sdGroup = sddlStr.match(/^G\:[A-Z]{2}/g);
- var sdDacl = sddlStr.match(/(D:([A-Z]*(\(.*\))*))/g);
- var sdSacl = sddlStr.match(/(S:([A-Z]*(\(.*\))*))?$/g);
- if (sdOwner) {
- evt.Put(sddl+"Owner", translateSID(sdOwner));
- }
- if (sdGroup) {
- evt.Put(sddl+"Group", translateSID(sdGroup));
- }
- if (sdDacl) {
- // Split each entry of the DACL
- var daclList = (sdDacl[0]).match(/\([^*\)]*\)/g);
- if (daclList) {
- for (var i = 0; i < daclList.length; i++) {
- var newDacl = translateACL(daclList[i].replace("(", '').replace(")", ''));
- evt.Put(sddl+"Dacl"+i, newDacl['grantee']+" :"+newDacl['type']+" ("+newDacl['perms']+")");
- if ( newDacl['grantee'] === "Administrator" || newDacl['grantee'] === "Guest" || newDacl['grantee'] === "KRBTGT" ) {
- evt.AppendTo('related.user', newDacl['grantee']);
- }
- }
- }
- }
- if (sdSacl) {
- // Split each entry of the SACL
- var saclList = (sdSacl[0]).match(/\([^*\)]*\)/g);
- if (saclList) {
- for (var i = 0; i < saclList.length; i++) {
- var newSacl = translateACL(saclList[i].replace("(", '').replace(")", ''));
- evt.Put(sddl+"Sacl"+i, newSacl['grantee']+" :"+newSacl['type']+" ("+newSacl['perms']+")");
- if ( newSacl['grantee'] === "Administrator" || newSacl['grantee'] === "Guest" || newSacl['grantee'] === "KRBTGT" ) {
- evt.AppendTo('related.user', newSacl['grantee']);
- }
- }
- }
- }
- };
-
- var addSessionData = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.AccountName", to: "user.name"},
- {from: "winlog.event_data.AccountDomain", to: "user.domain"},
- {from: "winlog.event_data.ClientAddress", to: "source.ip", type: "ip"},
- {from: "winlog.event_data.ClientAddress", to: "related.ip", type: "ip"},
- {from: "winlog.event_data.ClientName", to: "source.domain"},
- {from: "winlog.event_data.LogonID", to: "winlog.logon.id"},
- ],
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(function(evt) {
- var user = evt.Get("winlog.event_data.AccountName");
- evt.AppendTo('related.user', user);
- })
- .Build();
- var addServiceFields = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.ServiceName", to: "service.name"},
- ],
- ignore_missing: true,
- })
- .Add(function(evt) {
- var code = evt.Get("winlog.event_data.ServiceType");
- if (!code) {
- return;
- }
- evt.Put("service.type", serviceTypes[code]);
- })
- .Build();
- var addTrustInformation = new processor.Chain()
- .Add(function(evt) {
- var code = evt.Get("winlog.event_data.TdoType");
- if (!code) {
- return;
- }
- evt.Put("winlog.trustType", trustTypes[code]);
- code = evt.Get("winlog.event_data.TdoDirection");
- if (!code) {
- return;
- }
- evt.Put("winlog.trustDirection", trustDirection[code]);
- code = evt.Get("winlog.event_data.TdoAttributes");
- if (!code) {
- return;
- }
- evt.Put("winlog.trustAttribute", trustAttributes[code]);
-
- })
- .Build();
-
- var copyTargetUser = function(evt) {
- var targetUserId = evt.Get("winlog.event_data.TargetUserSid");
- if (targetUserId) {
- if (evt.Get("user.id")) evt.Put("user.target.id", targetUserId);
- else evt.Put("user.id", targetUserId);
- }
-
- var targetUserName = evt.Get("winlog.event_data.TargetUserName");
- if (targetUserName) {
- if (/.@*/.test(targetUserName)) {
- targetUserName = targetUserName.split('@')[0];
- }
-
- evt.AppendTo("related.user", targetUserName);
- if (evt.Get("user.name")) evt.Put("user.target.name", targetUserName);
- else evt.Put("user.name", targetUserName);
- }
-
- var targetUserDomain = evt.Get("winlog.event_data.TargetDomainName");
- if (targetUserDomain) {
- if (evt.Get("user.domain")) evt.Put("user.target.domain", targetUserDomain);
- else evt.Put("user.domain", targetUserDomain);
- }
- }
-
- var copyMemberToUser = function(evt) {
- var member = evt.Get("winlog.event_data.MemberName");
- if (!member) {
- return;
- }
-
- var userName = member.split(',')[0].replace('CN=', '').replace('cn=', '');
-
- evt.AppendTo("related.user", userName);
- evt.Put("user.target.name", userName);
- }
-
- var copyTargetUserToGroup = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.TargetUserSid", to: "group.id"},
- {from: "winlog.event_data.TargetSid", to: "group.id"},
- {from: "winlog.event_data.TargetUserName", to: "group.name"},
- {from: "winlog.event_data.TargetDomainName", to: "group.domain"},
- ],
- ignore_missing: true,
- }).Add(function(evt) {
- if (!evt.Get("user.target")) return;
- evt.Put("user.target.group.id", evt.Get("group.id"));
- evt.Put("user.target.group.name", evt.Get("group.name"));
- evt.Put("user.target.group.domain", evt.Get("group.domain"));
- })
- .Build();
- var copyTargetUserToComputerObject = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.TargetSid", to: "winlog.computerObject.id"},
- {from: "winlog.event_data.TargetUserName", to: "winlog.computerObject.name"},
- {from: "winlog.event_data.TargetDomainName", to: "winlog.computerObject.domain"},
- ],
- ignore_missing: true,
- })
- .Build();
- var copyTargetUserLogonId = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.TargetLogonId", to: "winlog.logon.id"},
- ],
- ignore_missing: true,
- })
- .Build();
- var copySubjectUser = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.SubjectUserSid", to: "user.id"},
- {from: "winlog.event_data.SubjectUserName", to: "user.name"},
- {from: "winlog.event_data.SubjectDomainName", to: "user.domain"},
- ],
- ignore_missing: true,
- })
- .Add(function(evt) {
- var user = evt.Get("winlog.event_data.SubjectUserName");
- evt.AppendTo('related.user', user);
- })
- .Build();
- var copySubjectUserFromUserData = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.user_data.SubjectUserSid", to: "user.id"},
- {from: "winlog.user_data.SubjectUserName", to: "user.name"},
- {from: "winlog.user_data.SubjectDomainName", to: "user.domain"},
- ],
- ignore_missing: true,
- })
- .Add(function(evt) {
- var user = evt.Get("winlog.user_data.SubjectUserName");
- evt.AppendTo('related.user', user);
- })
- .Build();
- var copySubjectUserLogonId = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.SubjectLogonId", to: "winlog.logon.id"},
- ],
- ignore_missing: true,
- })
- .Build();
- var copySubjectUserLogonIdFromUserData = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.user_data.SubjectLogonId", to: "winlog.logon.id"},
- ],
- ignore_missing: true,
- })
- .Build();
- var renameCommonAuthFields = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"},
- {from: "winlog.event_data.ProcessName", to: "process.executable"},
- {from: "winlog.event_data.IpAddress", to: "source.ip", type: "ip"},
- {from: "winlog.event_data.ClientAddress", to: "related.ip", type: "ip"},
- {from: "winlog.event_data.IpPort", to: "source.port", type: "long"},
- {from: "winlog.event_data.WorkstationName", to: "source.domain"},
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(function(evt) {
- var name = evt.Get("process.name");
- if (name) {
- return;
- }
- var exe = evt.Get("process.executable");
- if (!exe) {
- return;
- }
- evt.Put("process.name", path.basename(exe));
- })
- .Build();
- var renameNewProcessFields = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.NewProcessId", to: "process.pid", type: "long"},
- {from: "winlog.event_data.NewProcessName", to: "process.executable"},
- {from: "winlog.event_data.ParentProcessName", to: "process.parent.executable"}
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(function(evt) {
- var name = evt.Get("process.name");
- if (name) {
- return;
- }
- var exe = evt.Get("process.executable");
- if (!exe) {
- return;
- }
- evt.Put("process.name", path.basename(exe));
- })
- .Add(function(evt) {
- var name = evt.Get("process.parent.name");
- if (name) {
- return;
- }
- var exe = evt.Get("process.parent.executable");
- if (!exe) {
- return;
- }
- evt.Put("process.parent.name", path.basename(exe));
- })
- .Add(function(evt) {
- var cl = evt.Get("winlog.event_data.CommandLine");
- if (!cl) {
- return;
- }
- evt.Put("process.args", windows.splitCommandLine(cl));
- evt.Put("process.command_line", cl);
- })
- .Build();
- // Handles 4634 and 4647.
- var logoff = new processor.Chain()
- .Add(copyTargetUser)
- .Add(copyTargetUserLogonId)
- .Add(addLogonType)
- .Add(addEventFields)
- .Build();
- // Handles both 4624
- var logonSuccess = new processor.Chain()
- .Add(copyTargetUser)
- .Add(copyTargetUserLogonId)
- .Add(addLogonType)
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Add(function(evt) {
- var user = evt.Get("winlog.event_data.SubjectUserName");
- if (user) {
- var res = /^-$/.test(user);
- if (!res) {
- evt.AppendTo('related.user', user);
- }
- }
- })
- .Build();
- // Handles both 4648
- var event4648 = new processor.Chain()
- .Add(copyTargetUser)
- .Add(copySubjectUserLogonId)
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Add(function(evt) {
- var user = evt.Get("winlog.event_data.SubjectUserName");
- if (user) {
- var res = /^-$/.test(user);
- if (!res) {
- evt.AppendTo('related.user', user);
- }
- }
- })
- .Build();
- var event4625 = new processor.Chain()
- .Add(copyTargetUser)
- .Add(copySubjectUserLogonId)
- .Add(addLogonType)
- .Add(addFailureCode)
- .Add(addFailureStatus)
- .Add(addFailureSubStatus)
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Build();
- var event4672 = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(function(evt) {
- var privs = evt.Get("winlog.event_data.PrivilegeList");
- if (!privs) {
- return;
- }
- evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/));
- })
- .Add(addEventFields)
- .Build();
- var event4688 = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(renameNewProcessFields)
- .Add(addEventFields)
- .Add(function(evt) {
- var user = evt.Get("winlog.event_data.TargetUserName");
- if (user) {
- var res = /^-$/.test(user);
- if (!res) {
- evt.AppendTo('related.user', user);
- }
- }
- })
- .Build();
- var event4689 = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Build();
- var event4697 = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(renameCommonAuthFields)
- .Add(addServiceFields)
- .Add(addEventFields)
- .Build();
- var userMgmtEvts = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(renameCommonAuthFields)
- .Add(addUACDescription)
- .Add(addEventFields)
- .Add(function(evt) {
- var user = evt.Get("winlog.event_data.TargetUserName");
- evt.AppendTo('related.user', user);
- })
- .Build();
- var userRenamed = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(addEventFields)
- .Add(function(evt) {
- var userNew = evt.Get("winlog.event_data.NewTargetUserName");
- evt.AppendTo('related.user', userNew);
- var userOld = evt.Get("winlog.event_data.OldTargetUserName");
- evt.AppendTo('related.user', userOld);
- })
- .Build();
- var groupMgmtEvts = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(copyMemberToUser)
- .Add(copyTargetUserToGroup)
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Build();
- var auditLogCleared = new processor.Chain()
- .Add(copySubjectUserFromUserData)
- .Add(copySubjectUserLogonIdFromUserData)
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Build();
- var auditChanged = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(renameCommonAuthFields)
- .Add(addAuditInfo)
- .Add(addEventFields)
- .Build();
- var auditLogMgmt = new processor.Chain()
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Build();
- var computerMgmtEvts = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(copyTargetUserToComputerObject)
- .Add(renameCommonAuthFields)
- .Add(addUACDescription)
- .Add(addEventFields)
- .Add(function(evt) {
- var privs = evt.Get("winlog.event_data.PrivilegeList");
- if (!privs) {
- return;
- }
- evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/));
- })
- .Build();
- var sessionEvts = new processor.Chain()
- .Add(addSessionData)
- .Add(addEventFields)
- .Build();
- var event4964 = new processor.Chain()
- .Add(copyTargetUser)
- .Add(copyTargetUserLogonId)
- .Add(addEventFields)
- .Build();
- var kerberosTktEvts = new processor.Chain()
- .Add(copyTargetUser)
- .Add(renameCommonAuthFields)
- .Add(addTicketOptionsDescription)
- .Add(addTicketEncryptionType)
- .Add(addTicketStatus)
- .Add(addEventFields)
- .Add(function(evt) {
- var ip = evt.Get("source.ip");
- if (ip) {
- if (/::ffff:/.test(ip)) {
- evt.Put("source.ip", ip.replace("::ffff:", ""));
- evt.AppendTo("related.ip", ip.replace("::ffff:", ""));
- }
- }
- })
- .Build();
- var event4776 = new processor.Chain()
- .Add(copyTargetUser)
- .Add(addFailureStatus)
- .Add(addEventFields)
- .Build();
- var scheduledTask = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(addEventFields)
- .Build();
- var sensitivePrivilege = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Add(function(evt) {
- var privs = evt.Get("winlog.event_data.PrivilegeList");
- if (!privs) {
- return;
- }
- evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/));
- })
- .Add(function(evt){
- var maskCodes = evt.Get("winlog.event_data.AccessMask");
- if (!maskCodes) {
- return;
- }
- var maskList = maskCodes.replace(/\s+/g, '').split("%%").filter(String);
- evt.Put("winlog.event_data.AccessMask", maskList);
- var maskResults = [];
- for (var j = 0; j < maskList.length; j++) {
- var description = msobjsMessageTable[maskList[j]];
- if (description === undefined) {
- return;
- }
- maskResults.push(description);
- }
- evt.Put("winlog.event_data.AccessMaskDescription", maskResults);
- })
- .Build();
-
- var trustDomainMgmtEvts = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(addEventFields)
- .Add(addTrustInformation)
- .Build();
-
- var policyChange = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(addEventFields)
- .Build();
-
- var objectPolicyChange = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Add(function(evt) {
- var oldSd = evt.Get("winlog.event_data.OldSd");
- var newSd = evt.Get("winlog.event_data.NewSd");
- if (oldSd) {
- enrichSDDL(evt, "winlog.event_data.OldSd");
- }
- if (newSd) {
- enrichSDDL(evt, "winlog.event_data.NewSd");
- }
- })
- .Build();
-
- var genericAuditChange = new processor.Chain()
- .Add(addEventFields)
- .Build();
-
- var event4908 = new processor.Chain()
- .Add(addEventFields)
- .Add(function(evt) {
- var sids = evt.Get("winlog.event_data.SidList");
- if (!sids) {
- return;
- }
- var sidList = sids.split(/\s+/);
- evt.Put("winlog.event_data.SidList", sids.split(/\s+/));
- var sidListDesc = [];
- for (var i = 0; i < sidList.length; i++) {
- var sidTemp = sidList[i].replace("%", "").replace("{", "").replace("}", "").replace(" ","");
- if (sidTemp) {
- sidListDesc.push(translateSID(sidTemp));
- }
- }
- evt.Put("winlog.event_data.SidListDesc", sidListDesc);
- })
- .Build();
-
- var securityEventSource = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Build();
-
- return {
- // 1100 - The event logging service has shut down.
- 1100: auditLogMgmt.Run,
- // 1102 - The audit log was cleared.
- 1102: auditLogCleared.Run,
- // 1104 - The security log is now full.
- 1104: auditLogMgmt.Run,
- // 1105 - Event log automatic backup.
- 1105: auditLogMgmt.Run,
- // 1108 - The event logging service encountered an error while processing an incoming event published from %1
- 1108: auditLogMgmt.Run,
- // 4624 - An account was successfully logged on.
- 4624: logonSuccess.Run,
- // 4625 - An account failed to log on.
- 4625: event4625.Run,
- // 4634 - An account was logged off.
- 4634: logoff.Run, - // 4647 - User initiated logoff. - 4647: logoff.Run, - // 4648 - A logon was attempted using explicit credentials. - 4648: event4648.Run, - // 4670 - Permissions on an object were changed. - 4670: objectPolicyChange.Run, - // 4672 - Special privileges assigned to new logon. - 4672: event4672.Run, - // 4673 - A privileged service was called. - 4673: sensitivePrivilege.Run, - // 4674 - An operation was attempted on a privileged object. - 4674: sensitivePrivilege.Run, - // 4688 - A new process has been created. - 4688: event4688.Run, - // 4689 - A process has exited. - 4689: event4689.Run, - // 4697 - A service was installed in the system. - 4697: event4697.Run, - // 4698 - A scheduled task was created. - 4698: scheduledTask.Run, - // 4699 - A scheduled task was deleted. - 4699: scheduledTask.Run, - // 4700 - A scheduled task was enabled. - 4700: scheduledTask.Run, - // 4701 - A scheduled task was disabled. - 4701: scheduledTask.Run, - // 4702 - A scheduled task was updated. - 4702: scheduledTask.Run, - // 4706 - A new trust was created to a domain. - 4706: trustDomainMgmtEvts.Run, - // 4707 - A trust to a domain was removed. - 4707: trustDomainMgmtEvts.Run, - // 4713 - Kerberos policy was changed. - 4713: policyChange.Run, - // 4716 - Trusted domain information was modified. - 4716: trustDomainMgmtEvts.Run, - // 4717 - System security access was granted to an account. - 4717: policyChange.Run, - // 4718 - System security access was removed from an account. - 4718: policyChange.Run, - // 4719 - System audit policy was changed. - 4719: auditChanged.Run, - // 4720 - A user account was created - 4720: userMgmtEvts.Run, - // 4722 - A user account was enabled - 4722: userMgmtEvts.Run, - // 4723 - An attempt was made to change an account's password - 4723: userMgmtEvts.Run, - // 4724 - An attempt was made to reset an account's password - 4724: userMgmtEvts.Run, - // 4725 - A user account was disabled. 
- 4725: userMgmtEvts.Run, - // 4726 - An user account was deleted. - 4726: userMgmtEvts.Run, - // 4727 - A security-enabled global group was created. - 4727: groupMgmtEvts.Run, - // 4728 - A member was added to a security-enabled global group. - 4728: groupMgmtEvts.Run, - // 4729 - A member was removed from a security-enabled global group. - 4729: groupMgmtEvts.Run, - // 4730 - A security-enabled global group was deleted. - 4730: groupMgmtEvts.Run, - // 4731 - A security-enabled local group was created. - 4731: groupMgmtEvts.Run, - // 4732 - A member was added to a security-enabled local group. - 4732: groupMgmtEvts.Run, - // 4733 - A member was removed from a security-enabled local group. - 4733: groupMgmtEvts.Run, - // 4734 - A security-enabled local group was deleted. - 4734: groupMgmtEvts.Run, - // 4735 - A security-enabled local group was changed. - 4735: groupMgmtEvts.Run, - // 4737 - A security-enabled global group was changed. - 4737: groupMgmtEvts.Run, - // 4739 - A security-enabled global group was changed. - 4739: policyChange.Run, - // 4738 - An user account was changed. - 4738: userMgmtEvts.Run, - // 4740 - An account was locked out - 4740: userMgmtEvts.Run, - // 4741 - A computer account was created. - 4741: computerMgmtEvts.Run, - // 4742 - A computer account was changed. - 4742: computerMgmtEvts.Run, - // 4743 - A computer account was deleted. - 4743: computerMgmtEvts.Run, - // 4744 - A security-disabled local group was created. - 4744: groupMgmtEvts.Run, - // 4745 - A security-disabled local group was changed. - 4745: groupMgmtEvts.Run, - // 4746 - A member was added to a security-disabled local group. - 4746: groupMgmtEvts.Run, - // 4747 - A member was removed from a security-disabled local group. - 4747: groupMgmtEvts.Run, - // 4748 - A security-disabled local group was deleted. - 4748: groupMgmtEvts.Run, - // 4749 - A security-disabled global group was created. - 4749: groupMgmtEvts.Run, - // 4750 - A security-disabled global group was changed. 
- 4750: groupMgmtEvts.Run, - // 4751 - A member was added to a security-disabled global group. - 4751: groupMgmtEvts.Run, - // 4752 - A member was removed from a security-disabled global group. - 4752: groupMgmtEvts.Run, - // 4753 - A security-disabled global group was deleted. - 4753: groupMgmtEvts.Run, - // 4754 - A security-enabled universal group was created. - 4754: groupMgmtEvts.Run, - // 4755 - A security-enabled universal group was changed. - 4755: groupMgmtEvts.Run, - // 4756 - A member was added to a security-enabled universal group. - 4756: groupMgmtEvts.Run, - // 4757 - A member was removed from a security-enabled universal group. - 4757: groupMgmtEvts.Run, - // 4758 - A security-enabled universal group was deleted. - 4758: groupMgmtEvts.Run, - // 4759 - A security-disabled universal group was created. - 4759: groupMgmtEvts.Run, - // 4760 - A security-disabled universal group was changed. - 4760: groupMgmtEvts.Run, - // 4761 - A member was added to a security-disabled universal group. - 4761: groupMgmtEvts.Run, - // 4762 - A member was removed from a security-disabled universal group. - 4762: groupMgmtEvts.Run, - // 4763 - A security-disabled global group was deleted. - 4763: groupMgmtEvts.Run, - // 4764 - A group\'s type was changed. - 4764: groupMgmtEvts.Run, - // 4767 - A user account was unlocked. - 4767: userMgmtEvts.Run, - // 4768 - A Kerberos authentication ticket TGT was requested. - 4768: kerberosTktEvts.Run, - // 4769 - A Kerberos service ticket was requested. - 4769: kerberosTktEvts.Run, - // 4770 - A Kerberos service ticket was renewed. - 4770: kerberosTktEvts.Run, - // 4771 - Kerberos pre-authentication failed. - 4771: kerberosTktEvts.Run, - // 4776 - The computer attempted to validate the credentials for an account. - 4776: event4776.Run, - // 4778 - A session was reconnected to a Window Station. - 4778: sessionEvts.Run, - // 4779 - A session was disconnected from a Window Station. 
- 4779: sessionEvts.Run, - // 4781 - The name of an account was changed. - 4781: userRenamed.Run, - // 4798 - A user's local group membership was enumerated. - 4798: userMgmtEvts.Run, - // 4799 - A security-enabled local group membership was enumerated. - 4799: groupMgmtEvts.Run, - // 4817 - Auditing settings on object were changed. - 4817: objectPolicyChange.Run, - // 4902 - The Per-user audit policy table was created. - 4902: genericAuditChange.Run, - // 4904 - An attempt was made to register a security event source. - 4904: securityEventSource.Run, - // 4905 - An attempt was made to unregister a security event source. - 4905: securityEventSource.Run, - // 4906 - The CrashOnAuditFail value has changed. - 4906: genericAuditChange.Run, - // 4907 - Auditing settings on object were changed. - 4907: objectPolicyChange.Run, - // 4908 - Special Groups Logon table modified. - 4908: event4908.Run, - // 4912 - Per User Audit Policy was changed. - 4912: auditChanged.Run, - // 4964 - Special groups have been assigned to a new logon. - 4964: event4964.Run, - process: function(evt) { - var eventId = evt.Get("winlog.event_id"); - var processor = this[eventId]; - if (processor === undefined) { - return; - } - evt.Put("event.module", "security"); - processor(evt); - }, - }; - })(); - function process(evt) { - return security.process(evt); - } - - - script: - when.equals.winlog.channel: Microsoft-Windows-Sysmon/Operational - lang: javascript - id: sysmon - source: |- - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - - // Polyfill for String startsWith. - if (!String.prototype.startsWith) { - Object.defineProperty(String.prototype, "startsWith", { - value: function (search, pos) { - pos = !pos || pos < 0 ? 
0 : +pos; - return this.substring(pos, pos + search.length) === search; - }, - }); - } - - var sysmon = (function () { - var path = require("path"); - var processor = require("processor"); - var windows = require("windows"); - var net = require("net"); - - // Windows error codes for DNS. This list was generated using - // 'go run gen_dns_error_codes.go'. - var dnsQueryStatusCodes = { - "0": "SUCCESS", - "5": "ERROR_ACCESS_DENIED", - "8": "ERROR_NOT_ENOUGH_MEMORY", - "13": "ERROR_INVALID_DATA", - "14": "ERROR_OUTOFMEMORY", - "123": "ERROR_INVALID_NAME", - "1214": "ERROR_INVALID_NETNAME", - "1223": "ERROR_CANCELLED", - "1460": "ERROR_TIMEOUT", - "4312": "ERROR_OBJECT_NOT_FOUND", - "9001": "DNS_ERROR_RCODE_FORMAT_ERROR", - "9002": "DNS_ERROR_RCODE_SERVER_FAILURE", - "9003": "DNS_ERROR_RCODE_NAME_ERROR", - "9004": "DNS_ERROR_RCODE_NOT_IMPLEMENTED", - "9005": "DNS_ERROR_RCODE_REFUSED", - "9006": "DNS_ERROR_RCODE_YXDOMAIN", - "9007": "DNS_ERROR_RCODE_YXRRSET", - "9008": "DNS_ERROR_RCODE_NXRRSET", - "9009": "DNS_ERROR_RCODE_NOTAUTH", - "9010": "DNS_ERROR_RCODE_NOTZONE", - "9016": "DNS_ERROR_RCODE_BADSIG", - "9017": "DNS_ERROR_RCODE_BADKEY", - "9018": "DNS_ERROR_RCODE_BADTIME", - "9101": "DNS_ERROR_KEYMASTER_REQUIRED", - "9102": "DNS_ERROR_NOT_ALLOWED_ON_SIGNED_ZONE", - "9103": "DNS_ERROR_NSEC3_INCOMPATIBLE_WITH_RSA_SHA1", - "9104": "DNS_ERROR_NOT_ENOUGH_SIGNING_KEY_DESCRIPTORS", - "9105": "DNS_ERROR_UNSUPPORTED_ALGORITHM", - "9106": "DNS_ERROR_INVALID_KEY_SIZE", - "9107": "DNS_ERROR_SIGNING_KEY_NOT_ACCESSIBLE", - "9108": "DNS_ERROR_KSP_DOES_NOT_SUPPORT_PROTECTION", - "9109": "DNS_ERROR_UNEXPECTED_DATA_PROTECTION_ERROR", - "9110": "DNS_ERROR_UNEXPECTED_CNG_ERROR", - "9111": "DNS_ERROR_UNKNOWN_SIGNING_PARAMETER_VERSION", - "9112": "DNS_ERROR_KSP_NOT_ACCESSIBLE", - "9113": "DNS_ERROR_TOO_MANY_SKDS", - "9114": "DNS_ERROR_INVALID_ROLLOVER_PERIOD", - "9115": "DNS_ERROR_INVALID_INITIAL_ROLLOVER_OFFSET", - "9116": "DNS_ERROR_ROLLOVER_IN_PROGRESS", - "9117": 
"DNS_ERROR_STANDBY_KEY_NOT_PRESENT", - "9118": "DNS_ERROR_NOT_ALLOWED_ON_ZSK", - "9119": "DNS_ERROR_NOT_ALLOWED_ON_ACTIVE_SKD", - "9120": "DNS_ERROR_ROLLOVER_ALREADY_QUEUED", - "9121": "DNS_ERROR_NOT_ALLOWED_ON_UNSIGNED_ZONE", - "9122": "DNS_ERROR_BAD_KEYMASTER", - "9123": "DNS_ERROR_INVALID_SIGNATURE_VALIDITY_PERIOD", - "9124": "DNS_ERROR_INVALID_NSEC3_ITERATION_COUNT", - "9125": "DNS_ERROR_DNSSEC_IS_DISABLED", - "9126": "DNS_ERROR_INVALID_XML", - "9127": "DNS_ERROR_NO_VALID_TRUST_ANCHORS", - "9128": "DNS_ERROR_ROLLOVER_NOT_POKEABLE", - "9129": "DNS_ERROR_NSEC3_NAME_COLLISION", - "9130": "DNS_ERROR_NSEC_INCOMPATIBLE_WITH_NSEC3_RSA_SHA1", - "9501": "DNS_INFO_NO_RECORDS", - "9502": "DNS_ERROR_BAD_PACKET", - "9503": "DNS_ERROR_NO_PACKET", - "9504": "DNS_ERROR_RCODE", - "9505": "DNS_ERROR_UNSECURE_PACKET", - "9506": "DNS_REQUEST_PENDING", - "9551": "DNS_ERROR_INVALID_TYPE", - "9552": "DNS_ERROR_INVALID_IP_ADDRESS", - "9553": "DNS_ERROR_INVALID_PROPERTY", - "9554": "DNS_ERROR_TRY_AGAIN_LATER", - "9555": "DNS_ERROR_NOT_UNIQUE", - "9556": "DNS_ERROR_NON_RFC_NAME", - "9557": "DNS_STATUS_FQDN", - "9558": "DNS_STATUS_DOTTED_NAME", - "9559": "DNS_STATUS_SINGLE_PART_NAME", - "9560": "DNS_ERROR_INVALID_NAME_CHAR", - "9561": "DNS_ERROR_NUMERIC_NAME", - "9562": "DNS_ERROR_NOT_ALLOWED_ON_ROOT_SERVER", - "9563": "DNS_ERROR_NOT_ALLOWED_UNDER_DELEGATION", - "9564": "DNS_ERROR_CANNOT_FIND_ROOT_HINTS", - "9565": "DNS_ERROR_INCONSISTENT_ROOT_HINTS", - "9566": "DNS_ERROR_DWORD_VALUE_TOO_SMALL", - "9567": "DNS_ERROR_DWORD_VALUE_TOO_LARGE", - "9568": "DNS_ERROR_BACKGROUND_LOADING", - "9569": "DNS_ERROR_NOT_ALLOWED_ON_RODC", - "9570": "DNS_ERROR_NOT_ALLOWED_UNDER_DNAME", - "9571": "DNS_ERROR_DELEGATION_REQUIRED", - "9572": "DNS_ERROR_INVALID_POLICY_TABLE", - "9573": "DNS_ERROR_ADDRESS_REQUIRED", - "9601": "DNS_ERROR_ZONE_DOES_NOT_EXIST", - "9602": "DNS_ERROR_NO_ZONE_INFO", - "9603": "DNS_ERROR_INVALID_ZONE_OPERATION", - "9604": "DNS_ERROR_ZONE_CONFIGURATION_ERROR", - "9605": 
"DNS_ERROR_ZONE_HAS_NO_SOA_RECORD", - "9606": "DNS_ERROR_ZONE_HAS_NO_NS_RECORDS", - "9607": "DNS_ERROR_ZONE_LOCKED", - "9608": "DNS_ERROR_ZONE_CREATION_FAILED", - "9609": "DNS_ERROR_ZONE_ALREADY_EXISTS", - "9610": "DNS_ERROR_AUTOZONE_ALREADY_EXISTS", - "9611": "DNS_ERROR_INVALID_ZONE_TYPE", - "9612": "DNS_ERROR_SECONDARY_REQUIRES_MASTER_IP", - "9613": "DNS_ERROR_ZONE_NOT_SECONDARY", - "9614": "DNS_ERROR_NEED_SECONDARY_ADDRESSES", - "9615": "DNS_ERROR_WINS_INIT_FAILED", - "9616": "DNS_ERROR_NEED_WINS_SERVERS", - "9617": "DNS_ERROR_NBSTAT_INIT_FAILED", - "9618": "DNS_ERROR_SOA_DELETE_INVALID", - "9619": "DNS_ERROR_FORWARDER_ALREADY_EXISTS", - "9620": "DNS_ERROR_ZONE_REQUIRES_MASTER_IP", - "9621": "DNS_ERROR_ZONE_IS_SHUTDOWN", - "9622": "DNS_ERROR_ZONE_LOCKED_FOR_SIGNING", - "9651": "DNS_ERROR_PRIMARY_REQUIRES_DATAFILE", - "9652": "DNS_ERROR_INVALID_DATAFILE_NAME", - "9653": "DNS_ERROR_DATAFILE_OPEN_FAILURE", - "9654": "DNS_ERROR_FILE_WRITEBACK_FAILED", - "9655": "DNS_ERROR_DATAFILE_PARSING", - "9701": "DNS_ERROR_RECORD_DOES_NOT_EXIST", - "9702": "DNS_ERROR_RECORD_FORMAT", - "9703": "DNS_ERROR_NODE_CREATION_FAILED", - "9704": "DNS_ERROR_UNKNOWN_RECORD_TYPE", - "9705": "DNS_ERROR_RECORD_TIMED_OUT", - "9706": "DNS_ERROR_NAME_NOT_IN_ZONE", - "9707": "DNS_ERROR_CNAME_LOOP", - "9708": "DNS_ERROR_NODE_IS_CNAME", - "9709": "DNS_ERROR_CNAME_COLLISION", - "9710": "DNS_ERROR_RECORD_ONLY_AT_ZONE_ROOT", - "9711": "DNS_ERROR_RECORD_ALREADY_EXISTS", - "9712": "DNS_ERROR_SECONDARY_DATA", - "9713": "DNS_ERROR_NO_CREATE_CACHE_DATA", - "9714": "DNS_ERROR_NAME_DOES_NOT_EXIST", - "9715": "DNS_WARNING_PTR_CREATE_FAILED", - "9716": "DNS_WARNING_DOMAIN_UNDELETED", - "9717": "DNS_ERROR_DS_UNAVAILABLE", - "9718": "DNS_ERROR_DS_ZONE_ALREADY_EXISTS", - "9719": "DNS_ERROR_NO_BOOTFILE_IF_DS_ZONE", - "9720": "DNS_ERROR_NODE_IS_DNAME", - "9721": "DNS_ERROR_DNAME_COLLISION", - "9722": "DNS_ERROR_ALIAS_LOOP", - "9751": "DNS_INFO_AXFR_COMPLETE", - "9752": "DNS_ERROR_AXFR", - "9753": 
"DNS_INFO_ADDED_LOCAL_WINS", - "9801": "DNS_STATUS_CONTINUE_NEEDED", - "9851": "DNS_ERROR_NO_TCPIP", - "9852": "DNS_ERROR_NO_DNS_SERVERS", - "9901": "DNS_ERROR_DP_DOES_NOT_EXIST", - "9902": "DNS_ERROR_DP_ALREADY_EXISTS", - "9903": "DNS_ERROR_DP_NOT_ENLISTED", - "9904": "DNS_ERROR_DP_ALREADY_ENLISTED", - "9905": "DNS_ERROR_DP_NOT_AVAILABLE", - "9906": "DNS_ERROR_DP_FSMO_ERROR", - "9911": "DNS_ERROR_RRL_NOT_ENABLED", - "9912": "DNS_ERROR_RRL_INVALID_WINDOW_SIZE", - "9913": "DNS_ERROR_RRL_INVALID_IPV4_PREFIX", - "9914": "DNS_ERROR_RRL_INVALID_IPV6_PREFIX", - "9915": "DNS_ERROR_RRL_INVALID_TC_RATE", - "9916": "DNS_ERROR_RRL_INVALID_LEAK_RATE", - "9917": "DNS_ERROR_RRL_LEAK_RATE_LESSTHAN_TC_RATE", - "9921": "DNS_ERROR_VIRTUALIZATION_INSTANCE_ALREADY_EXISTS", - "9922": "DNS_ERROR_VIRTUALIZATION_INSTANCE_DOES_NOT_EXIST", - "9923": "DNS_ERROR_VIRTUALIZATION_TREE_LOCKED", - "9924": "DNS_ERROR_INVAILD_VIRTUALIZATION_INSTANCE_NAME", - "9925": "DNS_ERROR_DEFAULT_VIRTUALIZATION_INSTANCE", - "9951": "DNS_ERROR_ZONESCOPE_ALREADY_EXISTS", - "9952": "DNS_ERROR_ZONESCOPE_DOES_NOT_EXIST", - "9953": "DNS_ERROR_DEFAULT_ZONESCOPE", - "9954": "DNS_ERROR_INVALID_ZONESCOPE_NAME", - "9955": "DNS_ERROR_NOT_ALLOWED_WITH_ZONESCOPES", - "9956": "DNS_ERROR_LOAD_ZONESCOPE_FAILED", - "9957": "DNS_ERROR_ZONESCOPE_FILE_WRITEBACK_FAILED", - "9958": "DNS_ERROR_INVALID_SCOPE_NAME", - "9959": "DNS_ERROR_SCOPE_DOES_NOT_EXIST", - "9960": "DNS_ERROR_DEFAULT_SCOPE", - "9961": "DNS_ERROR_INVALID_SCOPE_OPERATION", - "9962": "DNS_ERROR_SCOPE_LOCKED", - "9963": "DNS_ERROR_SCOPE_ALREADY_EXISTS", - "9971": "DNS_ERROR_POLICY_ALREADY_EXISTS", - "9972": "DNS_ERROR_POLICY_DOES_NOT_EXIST", - "9973": "DNS_ERROR_POLICY_INVALID_CRITERIA", - "9974": "DNS_ERROR_POLICY_INVALID_SETTINGS", - "9975": "DNS_ERROR_CLIENT_SUBNET_IS_ACCESSED", - "9976": "DNS_ERROR_CLIENT_SUBNET_DOES_NOT_EXIST", - "9977": "DNS_ERROR_CLIENT_SUBNET_ALREADY_EXISTS", - "9978": "DNS_ERROR_SUBNET_DOES_NOT_EXIST", - "9979": 
"DNS_ERROR_SUBNET_ALREADY_EXISTS", - "9980": "DNS_ERROR_POLICY_LOCKED", - "9981": "DNS_ERROR_POLICY_INVALID_WEIGHT", - "9982": "DNS_ERROR_POLICY_INVALID_NAME", - "9983": "DNS_ERROR_POLICY_MISSING_CRITERIA", - "9984": "DNS_ERROR_INVALID_CLIENT_SUBNET_NAME", - "9985": "DNS_ERROR_POLICY_PROCESSING_ORDER_INVALID", - "9986": "DNS_ERROR_POLICY_SCOPE_MISSING", - "9987": "DNS_ERROR_POLICY_SCOPE_NOT_ALLOWED", - "9988": "DNS_ERROR_SERVERSCOPE_IS_REFERENCED", - "9989": "DNS_ERROR_ZONESCOPE_IS_REFERENCED", - "9990": "DNS_ERROR_POLICY_INVALID_CRITERIA_CLIENT_SUBNET", - "9991": "DNS_ERROR_POLICY_INVALID_CRITERIA_TRANSPORT_PROTOCOL", - "9992": "DNS_ERROR_POLICY_INVALID_CRITERIA_NETWORK_PROTOCOL", - "9993": "DNS_ERROR_POLICY_INVALID_CRITERIA_INTERFACE", - "9994": "DNS_ERROR_POLICY_INVALID_CRITERIA_FQDN", - "9995": "DNS_ERROR_POLICY_INVALID_CRITERIA_QUERY_TYPE", - "9996": "DNS_ERROR_POLICY_INVALID_CRITERIA_TIME_OF_DAY", - "10054": "WSAECONNRESET", - "10055": "WSAENOBUFS", - "10060": "WSAETIMEDOUT", - }; - - // Windows DNS record type constants. 
- // https://docs.microsoft.com/en-us/windows/win32/dns/dns-constants - var dnsRecordTypes = { - "1": "A", - "2": "NS", - "3": "MD", - "4": "MF", - "5": "CNAME", - "6": "SOA", - "7": "MB", - "8": "MG", - "9": "MR", - "10": "NULL", - "11": "WKS", - "12": "PTR", - "13": "HINFO", - "14": "MINFO", - "15": "MX", - "16": "TXT", - "17": "RP", - "18": "AFSDB", - "19": "X25", - "20": "ISDN", - "21": "RT", - "22": "NSAP", - "23": "NSAPPTR", - "24": "SIG", - "25": "KEY", - "26": "PX", - "27": "GPOS", - "28": "AAAA", - "29": "LOC", - "30": "NXT", - "31": "EID", - "32": "NIMLOC", - "33": "SRV", - "34": "ATMA", - "35": "NAPTR", - "36": "KX", - "37": "CERT", - "38": "A6", - "39": "DNAME", - "40": "SINK", - "41": "OPT", - "43": "DS", - "46": "RRSIG", - "47": "NSEC", - "48": "DNSKEY", - "49": "DHCID", - "100": "UINFO", - "101": "UID", - "102": "GID", - "103": "UNSPEC", - "248": "ADDRS", - "249": "TKEY", - "250": "TSIG", - "251": "IXFR", - "252": "AXFR", - "253": "MAILB", - "254": "MAILA", - "255": "ANY", - "65281": "WINS", - "65282": "WINSR", - }; - - var setProcessNameUsingExe = function (evt) { - setProcessNameFromPath(evt, "process.executable", "process.name"); - }; - - var setParentProcessNameUsingExe = function (evt) { - setProcessNameFromPath( - evt, - "process.parent.executable", - "process.parent.name" - ); - }; - - var setProcessNameFromPath = function (evt, pathField, nameField) { - var name = evt.Get(nameField); - if (name) { - return; - } - var exe = evt.Get(pathField); - if (!exe) { - return; - } - evt.Put(nameField, path.basename(exe)); - }; - - var splitCommandLine = function (evt, source, target) { - var commandLine = evt.Get(source); - if (!commandLine) { - return; - } - evt.Put(target, windows.splitCommandLine(commandLine)); - }; - - var splitProcessArgs = function (evt) { - splitCommandLine(evt, "process.command_line", "process.args"); - }; - - var splitParentProcessArgs = function (evt) { - splitCommandLine( - evt, - "process.parent.command_line", - 
"process.parent.args" - ); - }; - - var addUser = function (evt) { - var id = evt.Get("winlog.user.identifier"); - if (id) { - evt.Put("user.id", id); - } - var userParts = evt.Get("winlog.event_data.User"); - if (!userParts) { - return; - } - userParts = userParts.split("\\"); - if (userParts.length === 2) { - evt.Put("user.domain", userParts[0]); - evt.Put("user.name", userParts[1]); - evt.AppendTo("related.user", userParts[1]); - evt.Delete("winlog.event_data.User"); - } - }; - - var setRuleName = function (evt) { - var ruleName = evt.Get("winlog.event_data.RuleName"); - if (!ruleName || ruleName === "-") { - return; - } - - evt.Put("rule.name", ruleName); - evt.Delete("winlog.event_data.RuleName"); - }; - - var addNetworkDirection = function (evt) { - switch (evt.Get("winlog.event_data.Initiated")) { - case "true": - evt.Put("network.direction", "egress"); - break; - case "false": - evt.Put("network.direction", "ingress"); - break; - } - evt.Delete("winlog.event_data.Initiated"); - }; - - var addNetworkType = function (evt) { - switch (evt.Get("winlog.event_data.SourceIsIpv6")) { - case "true": - evt.Put("network.type", "ipv6"); - break; - case "false": - evt.Put("network.type", "ipv4"); - break; - } - evt.Delete("winlog.event_data.SourceIsIpv6"); - evt.Delete("winlog.event_data.DestinationIsIpv6"); - }; - - var setRelatedIP = function (evt) { - var sourceIP = evt.Get("source.ip"); - if (sourceIP) { - evt.AppendTo("related.ip", sourceIP); - } - - var destIP = evt.Get("destination.ip"); - if (destIP) { - evt.AppendTo("related.ip", destIP); - } - }; - - var getHashPath = function (namespace, hashKey) { - if (hashKey === "imphash") { - return namespace + ".pe.imphash"; - } - - return namespace + ".hash." 
+ hashKey; - }; - - var emptyHashRegex = /^0*$/; - - var hashIsEmpty = function (value) { - if (!value) { - return true; - } - - return emptyHashRegex.test(value); - } - - // Adds hashes from the given hashField in the event to the 'hash' key - // in the specified namespace. It also adds all the hashes to 'related.hash'. - var addHashes = function (evt, namespace, hashField) { - var hashes = evt.Get(hashField); - if (!hashes) { - return; - } - evt.Delete(hashField); - hashes.split(",").forEach(function (hash) { - var parts = hash.split("="); - if (parts.length !== 2) { - return; - } - - var key = parts[0].toLowerCase(); - var value = parts[1].toLowerCase(); - - if (hashIsEmpty(value)) { - return; - } - - var path = getHashPath(namespace, key); - - evt.Put(path, value); - evt.AppendTo("related.hash", value); - }); - }; - - var splitFileHashes = function (evt) { - addHashes(evt, "file", "winlog.event_data.Hashes"); - }; - - var splitFileHash = function (evt) { - addHashes(evt, "file", "winlog.event_data.Hash"); - }; - - var splitProcessHashes = function (evt) { - addHashes(evt, "process", "winlog.event_data.Hashes"); - }; - - var removeEmptyEventData = function (evt) { - var eventData = evt.Get("winlog.event_data"); - if (eventData && Object.keys(eventData).length === 0) { - evt.Delete("winlog.event_data"); - } - }; - - var translateDnsQueryStatus = function (evt) { - var statusCode = evt.Get("sysmon.dns.status"); - if (!statusCode) { - return; - } - var statusName = dnsQueryStatusCodes[statusCode]; - if (statusName === undefined) { - return; - } - evt.Put("sysmon.dns.status", statusName); - }; - - // Splits the QueryResults field that contains the DNS responses. 
- // Example: "type: 5 f2.taboola.map.fastly.net;::ffff:151.101.66.2;::ffff:151.101.130.2;::ffff:151.101.194.2;::ffff:151.101.2.2;" - var splitDnsQueryResults = function (evt) { - var results = evt.Get("winlog.event_data.QueryResults"); - if (!results) { - return; - } - results = results.split(";"); - - var answers = []; - var ips = []; - for (var i = 0; i < results.length; i++) { - var answer = results[i]; - if (!answer) { - continue; - } - - if (answer.startsWith("type:")) { - var parts = answer.split(/\s+/); - if (parts.length !== 3) { - throw "unexpected QueryResult format"; - } - - answers.push({ - type: dnsRecordTypes[parts[1]], - data: parts[2], - }); - } else { - // Convert V4MAPPED addresses. - answer = answer.replace("::ffff:", ""); - if (net.isIP(answer)) { - ips.push(answer); - - // Synthesize record type based on IP address type. - var type = "A"; - if (answer.indexOf(":") !== -1) { - type = "AAAA"; - } - answers.push({ - type: type, - data: answer, - }); - } - } - } - - if (answers.length > 0) { - evt.Put("dns.answers", answers); - } - if (ips.length > 0) { - evt.Put("dns.resolved_ip", ips); - } - evt.Delete("winlog.event_data.QueryResults"); - }; - - var parseUtcTime = new processor.Timestamp({ - field: "winlog.event_data.UtcTime", - target_field: "winlog.event_data.UtcTime", - timezone: "UTC", - layouts: ["2006-01-02 15:04:05.999"], - tests: ["2019-06-26 21:19:43.237"], - ignore_missing: true, - }); - - var setAdditionalSignatureFields = function (evt) { - var signed = evt.Get("winlog.event_data.Signed"); - if (!signed) { - return; - } - evt.Put("file.code_signature.signed", true); - var signatureStatus = evt.Get("winlog.event_data.SignatureStatus"); - evt.Put("file.code_signature.valid", signatureStatus === "Valid"); - }; - - var setAdditionalFileFieldsFromPath = function (evt) { - var filePath = evt.Get("file.path"); - if (!filePath) { - return; - } - - evt.Put("file.name", path.basename(filePath)); - evt.Put("file.directory", 
path.dirname(filePath)); - - // path returns extensions with a preceding ., e.g.: .tmp, .png - // according to ecs the expected format is without it, so we need to remove it. - var ext = path.extname(filePath); - if (!ext) { - return; - } - - if (ext.charAt(0) === ".") { - ext = ext.substr(1); - } - evt.Put("file.extension", ext); - }; - - // https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-hives - var commonRegistryHives = { - HKEY_CLASSES_ROOT: "HKCR", - HKCR: "HKCR", - HKEY_CURRENT_CONFIG: "HKCC", - HKCC: "HKCC", - HKEY_CURRENT_USER: "HKCU", - HKCU: "HKCU", - HKEY_DYN_DATA: "HKDD", - HKDD: "HKDD", - HKEY_LOCAL_MACHINE: "HKLM", - HKLM: "HKLM", - HKEY_PERFORMANCE_DATA: "HKPD", - HKPD: "HKPD", - HKEY_USERS: "HKU", - HKU: "HKU", - }; - - var qwordRegex = new RegExp(/QWORD \(((0x\d{8})-(0x\d{8}))\)/, "i"); - var dwordRegex = new RegExp(/DWORD \((0x\d{8})\)/, "i"); - - var setRegistryFields = function (evt) { - var path = evt.Get("winlog.event_data.TargetObject"); - if (!path) { - return; - } - evt.Put("registry.path", path); - var pathTokens = path.split("\\"); - var hive = commonRegistryHives[pathTokens[0]]; - if (hive) { - evt.Put("registry.hive", hive); - pathTokens.splice(0, 1); - if (pathTokens.length > 0) { - evt.Put("registry.key", pathTokens.join("\\")); - } - } - var value = pathTokens[pathTokens.length - 1]; - evt.Put("registry.value", value); - var data = evt.Get("winlog.event_data.Details"); - if (!data) { - return; - } - // sysmon only returns details of a registry modification - // if it's a qword or dword - var dataType; - var dataValue; - var match = qwordRegex.exec(data); - if (match && match.length > 0) { - var parsedHighByte = parseInt(match[2]); - var parsedLowByte = parseInt(match[3]); - if (!isNaN(parsedHighByte) && !isNaN(parsedLowByte)) { - dataValue = "" + ((parsedHighByte << 8) + parsedLowByte); - dataType = "SZ_QWORD"; - } - } else { - match = dwordRegex.exec(data); - if (match && match.length > 0) { - var parsedValue = 
parseInt(match[1]); - if (!isNaN(parsedValue)) { - dataType = "SZ_DWORD"; - dataValue = "" + parsedValue; - } - } - } - if (dataType) { - evt.Put("registry.data.strings", [dataValue]); - evt.Put("registry.data.type", dataType); - } - }; - - // Event ID 1 - Process Create. - var event1 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["process"], - type: ["start", "process_start"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - { - from: "winlog.event_data.CommandLine", - to: "process.command_line", - }, - { - from: "winlog.event_data.CurrentDirectory", - to: "process.working_directory", - }, - { - from: "winlog.event_data.ParentProcessGuid", - to: "process.parent.entity_id", - }, - { - from: "winlog.event_data.ParentProcessId", - to: "process.parent.pid", - type: "long", - }, - { - from: "winlog.event_data.ParentImage", - to: "process.parent.executable", - }, - { - from: "winlog.event_data.ParentCommandLine", - to: "process.parent.command_line", - }, - { - from: "winlog.event_data.OriginalFileName", - to: "process.pe.original_file_name", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Convert({ - fields: [{ - from: "winlog.event_data.Company", - to: "process.pe.company", - }, - { - from: "winlog.event_data.Description", - to: "process.pe.description", - }, - { - from: "winlog.event_data.FileVersion", - to: "process.pe.file_version", - }, - { - from: "winlog.event_data.Product", - to: "process.pe.product", - }, - ], - mode: "copy", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setProcessNameUsingExe) - .Add(splitProcessArgs) - .Add(addUser) - 
.Add(splitProcessHashes) - .Add(setParentProcessNameUsingExe) - .Add(splitParentProcessArgs) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 2 - File creation time changed. - var event2 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["file"], - type: ["change"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - { - from: "winlog.event_data.TargetFilename", - to: "file.path", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setAdditionalFileFieldsFromPath) - .Add(setProcessNameUsingExe) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 3 - Network connection detected. - var event3 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["network"], - type: ["connection", "start", "protocol"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - { - from: "winlog.event_data.Protocol", - to: "network.transport", - }, - { - from: "winlog.event_data.SourceIp", - to: "source.ip", - type: "ip", - }, - { - from: "winlog.event_data.SourceHostname", - to: "source.domain", - type: "string", - }, - { - from: "winlog.event_data.SourcePort", - to: "source.port", - type: "long", - }, - { - from: "winlog.event_data.DestinationIp", - to: "destination.ip", - type: "ip", - }, - { - from: "winlog.event_data.DestinationHostname", - to: "destination.domain", 
- type: "string", - }, - { - from: "winlog.event_data.DestinationPort", - to: "destination.port", - type: "long", - }, - { - from: "winlog.event_data.DestinationPortName", - to: "network.protocol", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setRelatedIP) - .Add(setProcessNameUsingExe) - .Add(addUser) - .Add(addNetworkDirection) - .Add(addNetworkType) - .CommunityID() - .Add(removeEmptyEventData) - .Build(); - - // Event ID 4 - Sysmon service state changed. - var event4 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["process"], - type: ["change"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 5 - Process terminated. - var event5 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["process"], - type: ["end", "process_end"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setProcessNameUsingExe) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 6 - Driver loaded. 
- var event6 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["driver"], - type: ["start"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ImageLoaded", - to: "file.path", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Convert({ - fields: [{ - from: "winlog.event_data.Signature", - to: "file.code_signature.subject_name", - }, - { - from: "winlog.event_data.SignatureStatus", - to: "file.code_signature.status", - }, - ], - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setAdditionalFileFieldsFromPath) - .Add(setAdditionalSignatureFields) - .Add(splitFileHashes) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 7 - Image loaded. - var event7 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["process"], - type: ["change"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - { - from: "winlog.event_data.ImageLoaded", - to: "file.path", - }, - { - from: "winlog.event_data.OriginalFileName", - to: "file.pe.original_file_name", - }, - - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Convert({ - fields: [{ - from: "winlog.event_data.Signature", - to: "file.code_signature.subject_name", - }, - { - from: "winlog.event_data.SignatureStatus", - to: "file.code_signature.status", - }, - { - from: "winlog.event_data.Company", - to: "file.pe.company", - }, - { - from: "winlog.event_data.Description", - to: "file.pe.description", - }, - { - from: "winlog.event_data.FileVersion", - to: "file.pe.file_version", - }, - { - from: 
"winlog.event_data.Product", - to: "file.pe.product", - }, - ], - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setAdditionalFileFieldsFromPath) - .Add(setAdditionalSignatureFields) - .Add(setProcessNameUsingExe) - .Add(splitFileHashes) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 8 - CreateRemoteThread detected. - var event8 = new processor.Chain() - .Add(parseUtcTime) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.SourceProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.SourceProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.SourceImage", - to: "process.executable", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setProcessNameUsingExe) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 9 - RawAccessRead detected. - var event9 = new processor.Chain() - .Add(parseUtcTime) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - { - from: "winlog.event_data.Device", - to: "file.path", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setAdditionalFileFieldsFromPath) - .Add(setProcessNameUsingExe) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 10 - Process accessed. 
- var event10 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["process"], - type: ["access"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.SourceProcessGUID", - to: "process.entity_id", - }, - { - from: "winlog.event_data.SourceProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.SourceThreadId", - to: "process.thread.id", - type: "long", - }, - { - from: "winlog.event_data.SourceImage", - to: "process.executable", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setProcessNameUsingExe) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 11 - File created. - var event11 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["file"], - type: ["creation"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - { - from: "winlog.event_data.TargetFilename", - to: "file.path", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setAdditionalFileFieldsFromPath) - .Add(setProcessNameUsingExe) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 12 - Registry object added or deleted. 
- var event12 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["configuration", "registry"], - type: ["change"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setRegistryFields) - .Add(setProcessNameUsingExe) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 13 - Registry value set. - var event13 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["configuration", "registry"], - type: ["change"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setRegistryFields) - .Add(setProcessNameUsingExe) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 14 - Registry object renamed. 
- var event14 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["configuration", "registry"], - type: ["change"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setRegistryFields) - .Add(setProcessNameUsingExe) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 15 - File stream created. - var event15 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["file"], - type: ["access"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - { - from: "winlog.event_data.TargetFilename", - to: "file.path", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setAdditionalFileFieldsFromPath) - .Add(setProcessNameUsingExe) - .Add(splitFileHash) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 16 - Sysmon config state changed. - var event16 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["configuration"], - type: ["change"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 17 - Pipe Created. 
- var event17 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["file"], // pipes are files - type: ["creation"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.PipeName", - to: "file.name", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setProcessNameUsingExe) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 18 - Pipe Connected. - var event18 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["file"], // pipes are files - type: ["access"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.PipeName", - to: "file.name", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setProcessNameUsingExe) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 19 - WmiEventFilter activity detected. - var event19 = new processor.Chain() - .Add(parseUtcTime) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(addUser) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 20 - WmiEventConsumer activity detected. 
- var event20 = new processor.Chain() - .Add(parseUtcTime) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.Destination", - to: "process.executable", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(addUser) - .Add(setProcessNameUsingExe) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 21 - WmiEventConsumerToFilter activity detected. - var event21 = new processor.Chain() - .Add(parseUtcTime) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(addUser) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 22 - DNSEvent (DNS query). - var event22 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["network"], - type: ["connection", "protocol", "info"], - }, - target: "event", - }) - .AddFields({ - fields: { - protocol: "dns", - }, - target: "network", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - { - from: "winlog.event_data.QueryName", - to: "dns.question.name", - }, - { - from: "winlog.event_data.QueryStatus", - to: "sysmon.dns.status", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .RegisteredDomain({ - ignore_failure: true, - ignore_missing: true, - field: "dns.question.name", - target_field: "dns.question.registered_domain", - target_subdomain_field: "dns.question.subdomain", - target_etld_field: "dns.question.top_level_domain", - }) - .Add(setRuleName) - .Add(translateDnsQueryStatus) - .Add(splitDnsQueryResults) - .Add(setProcessNameUsingExe) 
- .Add(removeEmptyEventData) - .Build(); - - // Event ID 23 - FileDelete (A file delete was detected). - var event23 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["file"], // pipes are files - type: ["deletion"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.RuleName", - to: "rule.name", - }, - { - from: "winlog.event_data.TargetFilename", - to: "file.path", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - { - from: "winlog.event_data.Archived", - to: "sysmon.file.archived", - type: "boolean", - }, - { - from: "winlog.event_data.IsExecutable", - to: "sysmon.file.is_executable", - type: "boolean", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(addUser) - .Add(splitProcessHashes) - .Add(setProcessNameUsingExe) - .Add(setAdditionalFileFieldsFromPath) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 255 - Error report. 
- var event255 = new processor.Chain()
- .Add(parseUtcTime)
- .Convert({
- fields: [{
- from: "winlog.event_data.UtcTime",
- to: "@timestamp",
- },
- {
- from: "winlog.event_data.ID",
- to: "error.code",
- },
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(removeEmptyEventData)
- .Build();
-
- return {
- 1: event1.Run,
- 2: event2.Run,
- 3: event3.Run,
- 4: event4.Run,
- 5: event5.Run,
- 6: event6.Run,
- 7: event7.Run,
- 8: event8.Run,
- 9: event9.Run,
- 10: event10.Run,
- 11: event11.Run,
- 12: event12.Run,
- 13: event13.Run,
- 14: event14.Run,
- 15: event15.Run,
- 16: event16.Run,
- 17: event17.Run,
- 18: event18.Run,
- 19: event19.Run,
- 20: event20.Run,
- 21: event21.Run,
- 22: event22.Run,
- 23: event23.Run,
- 255: event255.Run,
-
- process: function (evt) {
- var event_id = evt.Get("winlog.event_id");
- var processor = this[event_id];
- if (processor === undefined) {
- throw "unexpected sysmon event_id";
- }
- evt.Put("event.module", "sysmon");
- processor(evt);
- },
- };
- })();
-
- function process(evt) {
- return sysmon.process(evt);
- }
-
- - script:
- when.or:
- - equals:
- winlog.channel: Windows PowerShell
- - equals:
- winlog.channel: Microsoft-Windows-PowerShell/Operational
- lang: javascript
- id: powershell
- source: |-
- // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- // or more contributor license agreements. Licensed under the Elastic License;
- // you may not use this file except in compliance with the Elastic License.
- - var powershell = (function () { - var path = require("path"); - var processor = require("processor"); - var windows = require("windows"); - - var normalizeCommonFieldNames = new processor.Convert({ - fields: [ - { - from: "winlog.event_data.Engine Version", - to: "winlog.event_data.EngineVersion", - }, - { - from: "winlog.event_data.Pipeline ID", - to: "winlog.event_data.PipelineId", - }, - { - from: "winlog.event_data.Runspace ID", - to: "winlog.event_data.RunspaceId", - }, - { - from: "winlog.event_data.Host Version", - to: "winlog.event_data.HostVersion", - }, - { - from: "winlog.event_data.Script Name", - to: "winlog.event_data.ScriptName", - }, - { - from: "winlog.event_data.Path", - to: "winlog.event_data.ScriptName", - }, - { - from: "winlog.event_data.Command Path", - to: "winlog.event_data.CommandPath", - }, - { - from: "winlog.event_data.Command Name", - to: "winlog.event_data.CommandName", - }, - { - from: "winlog.event_data.Command Type", - to: "winlog.event_data.CommandType", - }, - { - from: "winlog.event_data.User", - to: "winlog.event_data.UserId", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - - // Builds a dissect tokenizer. - // - // - chunks: number of chunks dissect needs to look for. - // - delimiter: indicates what is the delimiter between chunks, - // in addition to `\n` which is already expected. - // - sep: separator between key value pairs. 
- //
- // example:
- // For a string like "Foo=Bar\n\tBar=Baz", chunks: 2, delimiter: '\t', sep: '='
- var buildNewlineSpacedTokenizer = function (chunks, delimiter, sep) {
- var tokenizer = "";
- for (var i = 0; i < chunks; i++) {
- if (i !== 0) {
- tokenizer += "\n%{}";
- }
- tokenizer += delimiter+"%{*p"+i+"}"+sep+"%{&p"+i+"}";
- }
- return tokenizer;
- };
-
- var dissectField = function (fromField, targetPrefix, chunks, delimiter, sep) {
- return new processor.Dissect({
- field: fromField,
- target_prefix: targetPrefix,
- tokenizer: buildNewlineSpacedTokenizer(chunks, delimiter, sep),
- fail_on_error: false,
- });
- };
-
- // countChunksDelimitedBy will return the number of chunks contained in a field
- // that are delimited by the given delimiter.
- var countChunksDelimitedBy = function(evt, fromField, delimiter) {
- var str = evt.Get(fromField);
- if (!str) {
- return 0;
- }
- return str.split(delimiter).length-1;
- };
-
- var dissect4xxAnd600 = function (evt) {
- var delimiter = "\t";
- var chunks = countChunksDelimitedBy(evt, "winlog.event_data.param3", delimiter);
-
- dissectField("winlog.event_data.param3", "winlog.event_data", chunks, delimiter, "=").Run(evt);
-
- // these fields contain redundant information.
- evt.Delete("winlog.event_data.param1");
- evt.Delete("winlog.event_data.param2");
- evt.Delete("winlog.event_data.param3");
- };
-
- var dissect800Detail = function (evt) {
- var delimiter = "\t";
- var chunks = countChunksDelimitedBy(evt, "winlog.event_data.param2", delimiter);
-
- dissectField("winlog.event_data.param2", "winlog.event_data", chunks, "\t", "=").Run(evt);
-
- // these fields contain redundant information.
- evt.Delete("winlog.event_data.param1");
- evt.Delete("winlog.event_data.param2");
- };
-
- var dissect4103 = function (evt) {
- var delimiter = " ";
- var chunks = countChunksDelimitedBy(evt, "winlog.event_data.ContextInfo", delimiter);
-
- dissectField("winlog.event_data.ContextInfo", "winlog.event_data", chunks, delimiter, " = ").Run(evt);
-
- // these fields contain redundant information.
- evt.Delete("winlog.event_data.ContextInfo");
- evt.Delete("winlog.event_data.Severity");
- };
-
- var addEngineVersion = function (evt) {
- var version = evt.Get("winlog.event_data.EngineVersion");
- evt.Delete("winlog.event_data.EngineVersion");
- if (!version) {
- return;
- }
-
- evt.Put("powershell.engine.version", version);
- };
-
- var addPipelineID = function (evt) {
- var id = evt.Get("winlog.event_data.PipelineId");
- evt.Delete("winlog.event_data.PipelineId");
- if (!id) {
- return;
- }
-
- evt.Put("powershell.pipeline_id", id);
- };
-
- var addRunspaceID = function (evt) {
- var id = evt.Get("winlog.event_data.RunspaceId");
- evt.Delete("winlog.event_data.RunspaceId");
- if (!id) {
- return;
- }
-
- evt.Put("powershell.runspace_id", id);
- };
-
- var addScriptBlockID = function (evt) {
- var id = evt.Get("winlog.event_data.ScriptBlockId");
- evt.Delete("winlog.event_data.ScriptBlockId");
- if (!id) {
- return;
- }
-
- evt.Put("powershell.file.script_block_id", id);
- };
-
- var addScriptBlockText = function (evt) {
- var text = evt.Get("winlog.event_data.ScriptBlockText");
- evt.Delete("winlog.event_data.ScriptBlockText");
- if (!text) {
- return;
- }
-
- evt.Put("powershell.file.script_block_text", text);
- };
-
- var splitCommandLine = function (evt, source, target) {
- var commandLine = evt.Get(source);
- if (!commandLine) {
- return;
- }
- evt.Put(target, windows.splitCommandLine(commandLine));
- };
-
- var addProcessArgs = function (evt) {
- splitCommandLine(evt, "process.command_line", "process.args");
- var args = evt.Get("process.args");
- if (args &&
args.length > 0) {
- evt.Put("process.args_count", args.length);
- }
- };
-
- var addExecutableVersion = function (evt) {
- var version = evt.Get("winlog.event_data.HostVersion");
- evt.Delete("winlog.event_data.HostVersion");
- if (!version) {
- return;
- }
-
- evt.Put("powershell.process.executable_version", version);
- };
-
- var addFileInfo = function (evt) {
- var scriptName = evt.Get("winlog.event_data.ScriptName");
- evt.Delete("winlog.event_data.ScriptName");
- if (!scriptName) {
- return;
- }
-
- evt.Put("file.path", scriptName);
- evt.Put("file.name", path.basename(scriptName));
- evt.Put("file.directory", path.dirname(scriptName));
-
- // path returns extensions with a preceding ., e.g.: .tmp, .png
- // according to ecs the expected format is without it, so we need to remove it.
- var ext = path.extname(scriptName);
- if (!ext) {
- return;
- }
-
- if (ext.charAt(0) === ".") {
- ext = ext.substr(1);
- }
- evt.Put("file.extension", ext);
- };
-
- var addCommandValue = function (evt) {
- var value = evt.Get("winlog.event_data.CommandLine")
- evt.Delete("winlog.event_data.CommandLine");
- if (!value) {
- return;
- }
-
- evt.Put("powershell.command.value", value.trim());
- };
-
- var addCommandPath = function (evt) {
- var commandPath = evt.Get("winlog.event_data.CommandPath");
- evt.Delete("winlog.event_data.CommandPath");
- if (!commandPath) {
- return;
- }
-
- evt.Put("powershell.command.path", commandPath);
- };
-
- var addCommandName = function (evt) {
- var commandName = evt.Get("winlog.event_data.CommandName");
- evt.Delete("winlog.event_data.CommandName");
- if (!commandName) {
- return;
- }
-
- evt.Put("powershell.command.name", commandName);
- };
-
- var addCommandType = function (evt) {
- var commandType = evt.Get("winlog.event_data.CommandType");
- evt.Delete("winlog.event_data.CommandType");
- if (!commandType) {
- return;
- }
-
- evt.Put("powershell.command.type", commandType);
- };
-
- var detailRegex = /^(.+)\((.+)\)\:\s*(.+)?$/;
- var
parameterBindingRegex = /^.*name\=(.+);\s*value\=(.+)$/ - - // Parses a command invocation detail raw line, and converts it to an object, based on its type. - // - // - for unexpectedly formatted ones: {value: "the raw line as it is"} - // - for all: - // * related_command: describes to what command it is related to - // * value: the value for that detail line - // * type: the type of the detail line, i.e.: CommandInvocation, ParameterBinding, NonTerminatingError - // - additionally, ParameterBinding adds a `name` field with the parameter name being bound. - var parseRawDetail = function (raw) { - var matches = detailRegex.exec(raw); - if (!matches || matches.length !== 4) { - return {value: raw}; - } - - if (matches[1] !== "ParameterBinding") { - return {type: matches[1], related_command: matches[2], value: matches[3]}; - } - - var nameValMatches = parameterBindingRegex.exec(matches[3]); - if (!nameValMatches || nameValMatches.length !== 3) { - return {value: matches[3]}; - } - - return { - type: matches[1], - related_command: matches[2], - name: nameValMatches[1], - value: nameValMatches[2], - }; - }; - - var addCommandInvocationDetails = function (evt, from) { - var rawDetails = evt.Get(from); - if (!rawDetails) { - return; - } - - var details = []; - rawDetails.split("\n").forEach(function (raw) { - details.push(parseRawDetail(raw)); - }); - - if (details.length === 0) { - return; - } - - evt.Delete(from); - evt.Put("powershell.command.invocation_details", details); - }; - - var addCommandInvocationDetailsForEvent800 = function (evt) { - addCommandInvocationDetails(evt, "winlog.event_data.param3"); - }; - - var addCommandInvocationDetailsForEvent4103 = function (evt) { - addCommandInvocationDetails(evt, "winlog.event_data.Payload"); - }; - - var addUser = function (evt) { - var userParts = evt.Get("winlog.event_data.UserId").split("\\"); - evt.Delete("winlog.event_data.UserId"); - if (userParts.length === 2) { - evt.Put("user.domain", userParts[0]); - 
evt.Put("user.name", userParts[1]);
- evt.AppendTo("related.user", userParts[1]);
- }
- };
-
- var addConnectedUser = function (evt) {
- var userParts = evt.Get("winlog.event_data.Connected User").split("\\");
- evt.Delete("winlog.event_data.Connected User");
- if (userParts.length === 2) {
- evt.Put("powershell.connected_user.domain", userParts[0]);
- if (evt.Get("user.domain")) {
- evt.Put("destination.user.domain", evt.Get("user.domain"));
- }
- evt.Put("source.user.domain", userParts[0]);
- evt.Put("user.domain", userParts[0]);
-
- evt.Put("powershell.connected_user.name", userParts[1]);
- if (evt.Get("user.name")) {
- evt.Put("destination.user.name", evt.Get("user.name"));
- }
- evt.Put("source.user.name", userParts[1]);
- evt.Put("user.name", userParts[1]);
- evt.AppendTo("related.user", userParts[1]);
- }
- };
-
- var removeEmptyEventData = function (evt) {
- var eventData = evt.Get("winlog.event_data");
- if (eventData && Object.keys(eventData).length === 0) {
- evt.Delete("winlog.event_data");
- }
- };
-
- var event4xxAnd600Common = new processor.Chain()
- .Add(dissect4xxAnd600)
- .Convert({
- fields: [
- {
- from: "winlog.event_data.SequenceNumber",
- to: "event.sequence",
- type: "long",
- },
- {
- from: "winlog.event_data.NewEngineState",
- to: "powershell.engine.new_state",
- },
- {
- from: "winlog.event_data.PreviousEngineState",
- to: "powershell.engine.previous_state",
- },
- {
- from: "winlog.event_data.NewProviderState",
- to: "powershell.provider.new_state",
- },
- {
- from: "winlog.event_data.ProviderName",
- to: "powershell.provider.name",
- },
- {
- from: "winlog.event_data.HostId",
- to: "process.entity_id",
- },
- {
- from: "winlog.event_data.HostApplication",
- to: "process.command_line",
- },
- {
- from: "winlog.event_data.HostName",
- to: "process.title",
- },
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(addEngineVersion)
- .Add(addPipelineID)
- .Add(addRunspaceID)
- .Add(addProcessArgs)
-
.Add(addExecutableVersion)
- .Add(addFileInfo)
- .Add(addCommandValue)
- .Add(addCommandPath)
- .Add(addCommandName)
- .Add(addCommandType)
- .Add(removeEmptyEventData)
- .Build();
-
- var event400 = new processor.Chain()
- .AddFields({
- fields: {
- category: ["process"],
- type: ["start"],
- },
- target: "event",
- })
- .Add(event4xxAnd600Common)
- .Build()
-
- var event403 = new processor.Chain()
- .AddFields({
- fields: {
- category: ["process"],
- type: ["end"],
- },
- target: "event",
- })
- .Add(event4xxAnd600Common)
- .Build()
-
- var event600 = new processor.Chain()
- .AddFields({
- fields: {
- category: ["process"],
- type: ["info"],
- },
- target: "event",
- })
- .Add(event4xxAnd600Common)
- .Build()
-
- var event800 = new processor.Chain()
- .Add(dissect800Detail)
- .AddFields({
- fields: {
- category: ["process"],
- type: ["info"],
- },
- target: "event",
- })
- .Convert({
- fields: [
- {
- from: "winlog.event_data.SequenceNumber",
- to: "event.sequence",
- type: "long",
- },
- {
- from: "winlog.event_data.HostId",
- to: "process.entity_id",
- },
- {
- from: "winlog.event_data.HostApplication",
- to: "process.command_line",
- },
- {
- from: "winlog.event_data.HostName",
- to: "process.title",
- },
- {
- from: "winlog.event_data.DetailTotal",
- to: "powershell.total",
- type: "long",
- },
- {
- from: "winlog.event_data.DetailSequence",
- to: "powershell.sequence",
- type: "long",
- },
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(addEngineVersion)
- .Add(addPipelineID)
- .Add(addRunspaceID)
- .Add(addProcessArgs)
- .Add(addExecutableVersion)
- .Add(addFileInfo)
- .Add(addCommandValue)
- .Add(addCommandPath)
- .Add(addCommandName)
- .Add(addCommandType)
- .Add(addUser)
- .Add(addCommandInvocationDetailsForEvent800)
- .Add(removeEmptyEventData)
- .Build();
-
- var event4103 = new processor.Chain()
- .Add(dissect4103)
- .AddFields({
- fields: {
- category: ["process"],
- type: ["info"],
- },
- target: "event",
- })
-
.Convert({
- fields: [
- {
- from: "winlog.event_data.Sequence Number",
- to: "event.sequence",
- type: "long",
- },
- {
- from: "winlog.event_data.Host ID",
- to: "process.entity_id",
- },
- {
- from: "winlog.event_data.Host Application",
- to: "process.command_line",
- },
- {
- from: "winlog.event_data.Host Name",
- to: "process.title",
- },
- {
- from: "winlog.event_data.Shell ID",
- to: "powershell.id",
- },
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Convert({
- fields: [
- {
- from: "winlog.user.identifier",
- to: "user.id",
- type: "string",
- },
- ],
- mode: "copy",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(normalizeCommonFieldNames)
- .Add(addEngineVersion)
- .Add(addPipelineID)
- .Add(addRunspaceID)
- .Add(addProcessArgs)
- .Add(addExecutableVersion)
- .Add(addFileInfo)
- .Add(addCommandValue)
- .Add(addCommandPath)
- .Add(addCommandName)
- .Add(addCommandType)
- .Add(addUser)
- .Add(addConnectedUser)
- .Add(addCommandInvocationDetailsForEvent4103)
- .Add(removeEmptyEventData)
- .Build();
-
- var event4104 = new processor.Chain()
- .AddFields({
- fields: {
- category: ["process"],
- type: ["info"],
- },
- target: "event",
- })
- .Convert({
- fields: [
- {
- from: "winlog.event_data.MessageNumber",
- to: "powershell.sequence",
- type: "long",
- },
- {
- from: "winlog.event_data.MessageTotal",
- to: "powershell.total",
- type: "long",
- },
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Convert({
- fields: [
- {
- from: "winlog.user.identifier",
- to: "user.id",
- type: "string",
- },
- ],
- mode: "copy",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(normalizeCommonFieldNames)
- .Add(addFileInfo)
- .Add(addScriptBlockID)
- .Add(addScriptBlockText)
- .Add(removeEmptyEventData)
- .Build();
-
- var event4105And4106Common = new processor.Chain()
- .Add(addRunspaceID)
- .Add(addScriptBlockID)
- .Add(removeEmptyEventData)
- .Convert({
- fields: [
- {
- from:
"winlog.user.identifier", - to: "user.id", - type: "string", - }, - ], - mode: "copy", - ignore_missing: true, - fail_on_error: false, - }) - .Build(); - - var event4105 = new processor.Chain() - .Add(event4105And4106Common) - .AddFields({ - fields: { - category: ["process"], - type: ["start"], - }, - target: "event", - }) - .Build(); - - var event4106 = new processor.Chain() - .Add(event4105And4106Common) - .AddFields({ - fields: { - category: ["process"], - type: ["end"], - }, - target: "event", - }) - .Build(); - - return { - 400: event400.Run, - 403: event403.Run, - 600: event600.Run, - 800: event800.Run, - 4103: event4103.Run, - 4104: event4104.Run, - 4105: event4105.Run, - 4106: event4106.Run, - - process: function(evt) { - var eventId = evt.Get("winlog.event_id"); - var processor = this[eventId]; - if (processor === undefined) { - return; - } - evt.Put("event.module", "powershell"); - processor(evt); - }, - }; - })(); - - function process(evt) { - return powershell.process(evt); - } diff --git a/packages/windows/0.6.0/data_stream/forwarded/agent/stream/winlog.yml.hbs b/packages/windows/0.6.0/data_stream/forwarded/agent/stream/winlog.yml.hbs deleted file mode 100755 index 4f0a22e8d2..0000000000 --- a/packages/windows/0.6.0/data_stream/forwarded/agent/stream/winlog.yml.hbs +++ /dev/null 
@@ -1,4943 +0,0 @@
-name: ForwardedEvents
-condition: ${host.platform} == 'windows'
-tags: [forwarded]
-processors:
- - add_fields:
- target: ''
- fields:
- ecs.version: 1.9.0
- - script:
- when.equals.winlog.channel: Security
- lang: javascript
- id: security
- source: |-
- // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- // or more contributor license agreements. Licensed under the Elastic License;
- // you may not use this file except in compliance with the Elastic License.
- var security = (function () {
- var path = require("path");
- var processor = require("processor");
- var windows = require("windows");
- // Logon Types
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events
- var logonTypes = {
- "2": "Interactive",
- "3": "Network",
- "4": "Batch",
- "5": "Service",
- "7": "Unlock",
- "8": "NetworkCleartext",
- "9": "NewCredentials",
- "10": "RemoteInteractive",
- "11": "CachedInteractive",
- };
- // User Account Control Attributes Table
- // https://support.microsoft.com/es-us/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties
- var uacFlags = [
- [0x0001, 'SCRIPT'],
- [0x0002, 'ACCOUNTDISABLE'],
- [0x0008, 'HOMEDIR_REQUIRED'],
- [0x0010, 'LOCKOUT'],
- [0x0020, 'PASSWD_NOTREQD'],
- [0x0040, 'PASSWD_CANT_CHANGE'],
- [0x0080, 'ENCRYPTED_TEXT_PWD_ALLOWED'],
- [0x0100, 'TEMP_DUPLICATE_ACCOUNT'],
- [0x0200, 'NORMAL_ACCOUNT'],
- [0x0800, 'INTERDOMAIN_TRUST_ACCOUNT'],
- [0x1000, 'WORKSTATION_TRUST_ACCOUNT'],
- [0x2000, 'SERVER_TRUST_ACCOUNT'],
- [0x10000, 'DONT_EXPIRE_PASSWORD'],
- [0x20000, 'MNS_LOGON_ACCOUNT'],
- [0x40000, 'SMARTCARD_REQUIRED'],
- [0x80000, 'TRUSTED_FOR_DELEGATION'],
- [0x100000, 'NOT_DELEGATED'],
- [0x200000, 'USE_DES_KEY_ONLY'],
- [0x400000, 'DONT_REQ_PREAUTH'],
- [0x800000, 'PASSWORD_EXPIRED'],
- [0x1000000, 'TRUSTED_TO_AUTH_FOR_DELEGATION'],
- [0x04000000, 'PARTIAL_SECRETS_ACCOUNT'],
- ];
- // Kerberos TGT and TGS Ticket
Options
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769
- var ticketOptions = [
- "Reserved",
- "Forwardable",
- "Forwarded",
- "Proxiable",
- "Proxy",
- "Allow-postdate",
- "Postdated",
- "Invalid",
- "Renewable",
- "Initial",
- "Pre-authent",
- "Opt-hardware-auth",
- "Transited-policy-checked",
- "Ok-as-delegate",
- "Request-anonymous",
- "Name-canonicalize",
- "Unused",
- "Unused",
- "Unused",
- "Unused",
- "Unused",
- "Unused",
- "Unused",
- "Unused",
- "Unused",
- "Unused",
- "Disable-transited-check",
- "Renewable-ok",
- "Enc-tkt-in-skey",
- "Unused",
- "Renew",
- "Validate"];
- // Kerberos Encryption Types
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
- var ticketEncryptionTypes = {
- "0x1": "DES-CBC-CRC",
- "0x3": "DES-CBC-MD5",
- "0x11": "AES128-CTS-HMAC-SHA1-96",
- "0x12": "AES256-CTS-HMAC-SHA1-96",
- "0x17": "RC4-HMAC",
- "0x18": "RC4-HMAC-EXP",
- "0xffffffff": "FAIL",
- };
- // Kerberos Result Status Codes
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
- var kerberosTktStatusCodes = {
- "0x0": "KDC_ERR_NONE",
- "0x1": "KDC_ERR_NAME_EXP",
- "0x2": "KDC_ERR_SERVICE_EXP",
- "0x3": "KDC_ERR_BAD_PVNO",
- "0x4": "KDC_ERR_C_OLD_MAST_KVNO",
- "0x5": "KDC_ERR_S_OLD_MAST_KVNO",
- "0x6": "KDC_ERR_C_PRINCIPAL_UNKNOWN",
- "0x7": "KDC_ERR_S_PRINCIPAL_UNKNOWN",
- "0x8": "KDC_ERR_PRINCIPAL_NOT_UNIQUE",
- "0x9": "KDC_ERR_NULL_KEY",
- "0xA": "KDC_ERR_CANNOT_POSTDATE",
- "0xB": "KDC_ERR_NEVER_VALID",
- "0xC": "KDC_ERR_POLICY",
- "0xD": "KDC_ERR_BADOPTION",
- "0xE": "KDC_ERR_ETYPE_NOTSUPP",
- "0xF": "KDC_ERR_SUMTYPE_NOSUPP",
- "0x10": "KDC_ERR_PADATA_TYPE_NOSUPP",
- "0x11": "KDC_ERR_TRTYPE_NO_SUPP", - "0x12": "KDC_ERR_CLIENT_REVOKED", - "0x13": "KDC_ERR_SERVICE_REVOKED", - "0x14": "KDC_ERR_TGT_REVOKED", - "0x15": "KDC_ERR_CLIENT_NOTYET", - "0x16": "KDC_ERR_SERVICE_NOTYET", - "0x17": "KDC_ERR_KEY_EXPIRED", - "0x18": "KDC_ERR_PREAUTH_FAILED", - "0x19": "KDC_ERR_PREAUTH_REQUIRED", - "0x1A": "KDC_ERR_SERVER_NOMATCH", - "0x1B": "KDC_ERR_MUST_USE_USER2USER", - "0x1F": "KRB_AP_ERR_BAD_INTEGRITY", - "0x20": "KRB_AP_ERR_TKT_EXPIRED", - "0x21": "KRB_AP_ERR_TKT_NYV", - "0x22": "KRB_AP_ERR_REPEAT", - "0x23": "KRB_AP_ERR_NOT_US", - "0x24": "KRB_AP_ERR_BADMATCH", - "0x25": "KRB_AP_ERR_SKEW", - "0x26": "KRB_AP_ERR_BADADDR", - "0x27": "KRB_AP_ERR_BADVERSION", - "0x28": "KRB_AP_ERR_MSG_TYPE", - "0x29": "KRB_AP_ERR_MODIFIED", - "0x2A": "KRB_AP_ERR_BADORDER", - "0x2C": "KRB_AP_ERR_BADKEYVER", - "0x2D": "KRB_AP_ERR_NOKEY", - "0x2E": "KRB_AP_ERR_MUT_FAIL", - "0x2F": "KRB_AP_ERR_BADDIRECTION", - "0x30": "KRB_AP_ERR_METHOD", - "0x31": "KRB_AP_ERR_BADSEQ", - "0x32": "KRB_AP_ERR_INAPP_CKSUM", - "0x33": "KRB_AP_PATH_NOT_ACCEPTED", - "0x34": "KRB_ERR_RESPONSE_TOO_BIG", - "0x3C": "KRB_ERR_GENERIC", - "0x3D": "KRB_ERR_FIELD_TOOLONG", - "0x3E": "KDC_ERR_CLIENT_NOT_TRUSTED", - "0x3F": "KDC_ERR_KDC_NOT_TRUSTED", - "0x40": "KDC_ERR_INVALID_SIG", - "0x41": "KDC_ERR_KEY_TOO_WEAK", - "0x42": "KRB_AP_ERR_USER_TO_USER_REQUIRED", - "0x43": "KRB_AP_ERR_NO_TGT", - "0x44": "KDC_ERR_WRONG_REALM", - }; - // event.category, event.type, event.action - var eventActionTypes = { - "1100": [["process"], ["end"], "logging-service-shutdown"], - "1102": [["iam"], ["admin", "change"], "audit-log-cleared"], // need to recategorize - "1104": [["iam"], ["admin"],"logging-full"], - "1105": [["iam"], ["admin"],"auditlog-archieved"], - "1108": [["iam"], ["admin"],"logging-processing-error"], - "4610": [["configuration"], ["access"], "authentication-package-loaded"], - "4611": [["configuration"], ["change"], "trusted-logon-process-registered"], - "4614": [["configuration"], 
["access"], "notification-package-loaded"],
- "4616": [["configuration"], ["change"], "system-time-changed"],
- "4622": [["configuration"], ["access"], "security-package-loaded"],
- "4624": [["authentication"], ["start"], "logged-in"],
- "4625": [["authentication"], ["start"], "logon-failed"],
- "4634": [["authentication"], ["end"], "logged-out"],
- "4647": [["authentication"], ["end"], "logged-out"],
- "4648": [["authentication"], ["start"], "logged-in-explicit"],
- "4657": [["registry", "configuration"], ["change"], "registry-value-modified"],
- "4670": [["iam", "configuration"],["admin", "change"],"permissions-changed"],
- "4672": [["iam"], ["admin"], "logged-in-special"],
- "4673": [["iam"], ["admin"], "privileged-service-called"],
- "4674": [["iam"], ["admin"], "privileged-operation"],
- "4688": [["process"], ["start"], "created-process"],
- "4689": [["process"], ["end"], "exited-process"],
- "4697": [["iam", "configuration"], ["admin", "change"],"service-installed"], // remove iam and admin
- "4698": [["iam", "configuration"], ["creation", "admin"], "scheduled-task-created"], // remove iam and admin
- "4699": [["iam", "configuration"], ["deletion", "admin"], "scheduled-task-deleted"], // remove iam and admin
- "4700": [["iam", "configuration"], ["change", "admin"], "scheduled-task-enabled"], // remove iam and admin
- "4701": [["iam", "configuration"], ["change", "admin"], "scheduled-task-disabled"], // remove iam and admin
- "4702": [["iam", "configuration"], ["change", "admin"], "scheduled-task-updated"], // remove iam and admin
- "4706": [["configuration"], ["creation"], "domain-trust-added"],
- "4707": [["configuration"], ["deletion"], "domain-trust-removed"],
- "4713": [["configuration"], ["change"], "kerberos-policy-changed"],
- "4714": [["configuration"], ["change"], "encrypted-data-recovery-policy-changed"],
- "4715": [["configuration"], ["change"], "object-audit-policy-changed"],
- "4716": [["configuration"], ["change"],
"trusted-domain-information-changed"],
- "4717": [["iam", "configuration"],["admin", "change"],"system-security-access-granted"],
- "4718": [["iam", "configuration"],["admin", "deletion"],"system-security-access-removed"],
- "4719": [["iam", "configuration"], ["admin", "change"], "changed-audit-config"], // remove iam and admin
- "4720": [["iam"], ["user", "creation"], "added-user-account"],
- "4722": [["iam"], ["user", "change"], "enabled-user-account"],
- "4723": [["iam"], ["user", "change"], "changed-password"],
- "4724": [["iam"], ["user", "change"], "reset-password"],
- "4725": [["iam"], ["user", "deletion"], "disabled-user-account"],
- "4726": [["iam"], ["user", "deletion"], "deleted-user-account"],
- "4727": [["iam"], ["group", "creation"], "added-group-account"],
- "4728": [["iam"], ["group", "change"], "added-member-to-group"],
- "4729": [["iam"], ["group", "change"], "removed-member-from-group"],
- "4730": [["iam"], ["group", "deletion"], "deleted-group-account"],
- "4731": [["iam"], ["group", "creation"], "added-group-account"],
- "4732": [["iam"], ["group", "change"], "added-member-to-group"],
- "4733": [["iam"], ["group", "change"], "removed-member-from-group"],
- "4734": [["iam"], ["group", "deletion"], "deleted-group-account"],
- "4735": [["iam"], ["group", "change"], "modified-group-account"],
- "4737": [["iam"], ["group", "change"], "modified-group-account"],
- "4738": [["iam"], ["user", "change"], "modified-user-account"],
- "4739": [["configuration"], ["change"], "domain-policy-changed"],
- "4740": [["iam"], ["user", "change"], "locked-out-user-account"],
- "4741": [["iam"], ["creation", "admin"], "added-computer-account"], // remove admin
- "4742": [["iam"], ["change", "admin"], "changed-computer-account"], // remove admin
- "4743": [["iam"], ["deletion", "admin"], "deleted-computer-account"], // remove admin
- "4744": [["iam"], ["group", "creation"], "added-distribution-group-account"],
- "4745": [["iam"], ["group", "change"],
"changed-distribution-group-account"],
- "4746": [["iam"], ["group", "change"], "added-member-to-distribution-group"],
- "4747": [["iam"], ["group", "change"], "removed-member-from-distribution-group"],
- "4748": [["iam"], ["group", "deletion"], "deleted-distribution-group-account"],
- "4749": [["iam"], ["group", "creation"], "added-distribution-group-account"],
- "4750": [["iam"], ["group", "change"], "changed-distribution-group-account"],
- "4751": [["iam"], ["group", "change"], "added-member-to-distribution-group"],
- "4752": [["iam"], ["group", "change"], "removed-member-from-distribution-group"],
- "4753": [["iam"], ["group", "deletion"], "deleted-distribution-group-account"],
- "4754": [["iam"], ["group", "creation"], "added-group-account"],
- "4755": [["iam"], ["group", "change"], "modified-group-account"],
- "4756": [["iam"], ["group", "change"], "added-member-to-group"],
- "4757": [["iam"], ["group", "change"], "removed-member-from-group"],
- "4758": [["iam"], ["group", "deletion"], "deleted-group-account"],
- "4759": [["iam"], ["group", "creation"], "added-distribution-group-account"],
- "4760": [["iam"], ["group", "change"], "changed-distribution-group-account"],
- "4761": [["iam"], ["group", "change"], "added-member-to-distribution-group"],
- "4762": [["iam"], ["group", "change"], "removed-member-from-distribution-group"],
- "4763": [["iam"], ["group", "deletion"], "deleted-distribution-group-account"],
- "4764": [["iam"], ["group", "change"], "type-changed-group-account"],
- "4767": [["iam"], ["user", "change"], "unlocked-user-account"],
- "4768": [["authentication"], ["start"], "kerberos-authentication-ticket-requested"],
- "4769": [["authentication"], ["start"], "kerberos-service-ticket-requested"],
- "4770": [["authentication"], ["start"], "kerberos-service-ticket-renewed"],
- "4771": [["authentication"], ["start"], "kerberos-preauth-failed"],
- "4776": [["authentication"], ["start"], "credential-validated"],
- "4778": [["authentication",
"session"], ["start"], "session-reconnected"],
- "4779": [["authentication", "session"], ["end"], "session-disconnected"],
- "4781": [["iam"], ["user", "change"], "renamed-user-account"],
- "4798": [["iam"], ["user", "info"], "group-membership-enumerated"], // process enumerates the local groups to which the specified user belongs
- "4799": [["iam"], ["group", "info"], "user-member-enumerated"], // a process enumerates the members of the specified local group
- "4817": [["iam", "configuration"], ["admin", "change"],"object-audit-changed"],
- "4902": [["iam", "configuration"], ["admin", "creation"],"user-audit-policy-created"],
- "4904": [["iam", "configuration"], ["admin", "change"],"security-event-source-added"],
- "4905": [["iam", "configuration"], ["admin", "deletion"], "security-event-source-removed"],
- "4906": [["iam", "configuration"], ["admin", "change"], "crash-on-audit-changed"],
- "4907": [["iam", "configuration"], ["admin", "change"], "audit-setting-changed"],
- "4908": [["iam", "configuration"], ["admin", "change"], "special-group-table-changed"],
- "4912": [["iam", "configuration"], ["admin", "change"], "per-user-audit-policy-changed"],
- "4950": [["configuration"], ["change"], "windows-firewall-setting-changed"],
- "4954": [["configuration"], ["change"], "windows-firewall-group-policy-changed"],
- "4964": [["iam"], ["admin", "group"], "logged-in-special"],
- "5024": [["process"], ["start"], "windows-firewall-service-started"],
- "5025": [["process"], ["end"], "windows-firewall-service-stopped"],
- "5033": [["driver"], ["start"], "windows-firewall-driver-started"],
- "5034": [["driver"], ["end"], "windows-firewall-driver-stopped"],
- "5037": [["driver"], ["end"], "windows-firewall-driver-error"],
- };
- // Services Types
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697
- var serviceTypes = {
- "0x1": "Kernel Driver",
- "0x2": "File System Driver",
- "0x8": "Recognizer Driver",
- "0x10": "Win32 Own Process",
- "0x20": "Win32 Share Process",
- "0x110": "Interactive Own Process",
- "0x120": "Interactive Share Process",
- };
- // Audit Categories Description
- // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpac/77878370-0712-47cd-997d-b07053429f6d
- var auditDescription = {
- "0CCE9210-69AE-11D9-BED3-505054503030":["Security State Change", "System"],
- "0CCE9211-69AE-11D9-BED3-505054503030":["Security System Extension", "System"],
- "0CCE9212-69AE-11D9-BED3-505054503030":["System Integrity", "System"],
- "0CCE9213-69AE-11D9-BED3-505054503030":["IPsec Driver", "System"],
- "0CCE9214-69AE-11D9-BED3-505054503030":["Other System Events", "System"],
- "0CCE9215-69AE-11D9-BED3-505054503030":["Logon", "Logon/Logoff"],
- "0CCE9216-69AE-11D9-BED3-505054503030":["Logoff","Logon/Logoff"],
- "0CCE9217-69AE-11D9-BED3-505054503030":["Account Lockout","Logon/Logoff"],
- "0CCE9218-69AE-11D9-BED3-505054503030":["IPsec Main Mode","Logon/Logoff"],
- "0CCE9219-69AE-11D9-BED3-505054503030":["IPsec Quick Mode","Logon/Logoff"],
- "0CCE921A-69AE-11D9-BED3-505054503030":["IPsec Extended Mode","Logon/Logoff"],
- "0CCE921B-69AE-11D9-BED3-505054503030":["Special Logon","Logon/Logoff"],
- "0CCE921C-69AE-11D9-BED3-505054503030":["Other Logon/Logoff Events","Logon/Logoff"],
- "0CCE9243-69AE-11D9-BED3-505054503030":["Network Policy Server","Logon/Logoff"],
- "0CCE9247-69AE-11D9-BED3-505054503030":["User / Device Claims","Logon/Logoff"],
- "0CCE921D-69AE-11D9-BED3-505054503030":["File System","Object Access"],
- "0CCE921E-69AE-11D9-BED3-505054503030":["Registry","Object Access"],
- "0CCE921F-69AE-11D9-BED3-505054503030":["Kernel Object","Object Access"],
- "0CCE9220-69AE-11D9-BED3-505054503030":["SAM","Object Access"],
- "0CCE9221-69AE-11D9-BED3-505054503030":["Certification Services","Object Access"],
- "0CCE9222-69AE-11D9-BED3-505054503030":["Application Generated","Object Access"],
- "0CCE9223-69AE-11D9-BED3-505054503030":["Handle Manipulation","Object Access"],
-
"0CCE9224-69AE-11D9-BED3-505054503030":["File Share","Object Access"],
- "0CCE9225-69AE-11D9-BED3-505054503030":["Filtering Platform Packet Drop","Object Access"],
- "0CCE9226-69AE-11D9-BED3-505054503030":["Filtering Platform Connection ","Object Access"],
- "0CCE9227-69AE-11D9-BED3-505054503030":["Other Object Access Events","Object Access"],
- "0CCE9244-69AE-11D9-BED3-505054503030":["Detailed File Share","Object Access"],
- "0CCE9245-69AE-11D9-BED3-505054503030":["Removable Storage","Object Access"],
- "0CCE9246-69AE-11D9-BED3-505054503030":["Central Policy Staging","Object Access"],
- "0CCE9228-69AE-11D9-BED3-505054503030":["Sensitive Privilege Use","Privilege Use"],
- "0CCE9229-69AE-11D9-BED3-505054503030":["Non Sensitive Privilege Use","Privilege Use"],
- "0CCE922A-69AE-11D9-BED3-505054503030":["Other Privilege Use Events","Privilege Use"],
- "0CCE922B-69AE-11D9-BED3-505054503030":["Process Creation","Detailed Tracking"],
- "0CCE922C-69AE-11D9-BED3-505054503030":["Process Termination","Detailed Tracking"],
- "0CCE922D-69AE-11D9-BED3-505054503030":["DPAPI Activity","Detailed Tracking"],
- "0CCE922E-69AE-11D9-BED3-505054503030":["RPC Events","Detailed Tracking"],
- "0CCE9248-69AE-11D9-BED3-505054503030":["Plug and Play Events","Detailed Tracking"],
- "0CCE922F-69AE-11D9-BED3-505054503030":["Audit Policy Change","Policy Change"],
- "0CCE9230-69AE-11D9-BED3-505054503030":["Authentication Policy Change","Policy Change"],
- "0CCE9231-69AE-11D9-BED3-505054503030":["Authorization Policy Change","Policy Change"],
- "0CCE9232-69AE-11D9-BED3-505054503030":["MPSSVC Rule-Level Policy Change","Policy Change"],
- "0CCE9233-69AE-11D9-BED3-505054503030":["Filtering Platform Policy Change","Policy Change"],
- "0CCE9234-69AE-11D9-BED3-505054503030":["Other Policy Change Events","Policy Change"],
- "0CCE9235-69AE-11D9-BED3-505054503030":["User Account Management","Account Management"],
- "0CCE9236-69AE-11D9-BED3-505054503030":["Computer Account Management","Account Management"],
- "0CCE9237-69AE-11D9-BED3-505054503030":["Security Group Management","Account Management"],
- "0CCE9238-69AE-11D9-BED3-505054503030":["Distribution Group Management","Account Management"],
- "0CCE9239-69AE-11D9-BED3-505054503030":["Application Group Management","Account Management"],
- "0CCE923A-69AE-11D9-BED3-505054503030":["Other Account Management Events","Account Management"],
- "0CCE923B-69AE-11D9-BED3-505054503030":["Directory Service Access","Account Management"],
- "0CCE923C-69AE-11D9-BED3-505054503030":["Directory Service Changes","Account Management"],
- "0CCE923D-69AE-11D9-BED3-505054503030":["Directory Service Replication","Account Management"],
- "0CCE923E-69AE-11D9-BED3-505054503030":["Detailed Directory Service Replication","Account Management"],
- "0CCE923F-69AE-11D9-BED3-505054503030":["Credential Validation","Account Logon"],
- "0CCE9240-69AE-11D9-BED3-505054503030":["Kerberos Service Ticket Operations","Account Logon"],
- "0CCE9241-69AE-11D9-BED3-505054503030":["Other Account Logon Events","Account Logon"],
- "0CCE9242-69AE-11D9-BED3-505054503030":["Kerberos Authentication Service","Account Logon"],
- };
- // Descriptions of failure status codes.
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776
- var logonFailureStatus = {
- "0xc000005e": "There are currently no logon servers available to service the logon request.",
- "0xc0000064": "User logon with misspelled or bad user account",
- "0xc000006a": "User logon with misspelled or bad password",
- "0xc000006d": "This is either due to a bad username or authentication information",
- "0xc000006e": "Unknown user name or bad password.",
- "0xc000006f": "User logon outside authorized hours",
- "0xc0000070": "User logon from unauthorized workstation",
- "0xc0000071": "User logon with expired password",
- "0xc0000072": "User logon to account disabled by administrator",
- "0xc00000dc": "Indicates the Sam Server was in the wrong state to perform the desired operation.",
- "0xc0000133": "Clocks between DC and other computer too far out of sync",
- "0xc000015b": "The user has not been granted the requested logon type (aka logon right) at this machine",
- "0xc000018c": "The logon request failed because the trust relationship between the primary domain and the trusted domain failed.",
- "0xc0000192": "An attempt was made to logon, but the Netlogon service was not started.",
- "0xc0000193": "User logon with expired account",
- "0xc0000224": "User is required to change password at next logon",
- "0xc0000225": "Evidently a bug in Windows and not a risk",
- "0xc0000234": "User logon with account locked",
- "0xc00002ee": "Failure Reason: An Error occurred during Logon",
- "0xc0000413": "Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine.",
- "0xc0000371": "The local account store does not contain secret material for the specified account",
- "0x0": "Status OK.",
- };
- // Message table extracted from msobjs.dll on Windows 2019.
- // https://gist.github.com/andrewkroh/665dca0682bd0e4daf194ab291694012 - var msobjsMessageTable = { - "279": "Undefined Access (no effect) Bit 7", - "1536": "Unused message ID", - "1537": "DELETE", - "1538": "READ_CONTROL", - "1539": "WRITE_DAC", - "1540": "WRITE_OWNER", - "1541": "SYNCHRONIZE", - "1542": "ACCESS_SYS_SEC", - "1543": "MAX_ALLOWED", - "1552": "Unknown specific access (bit 0)", - "1553": "Unknown specific access (bit 1)", - "1554": "Unknown specific access (bit 2)", - "1555": "Unknown specific access (bit 3)", - "1556": "Unknown specific access (bit 4)", - "1557": "Unknown specific access (bit 5)", - "1558": "Unknown specific access (bit 6)", - "1559": "Unknown specific access (bit 7)", - "1560": "Unknown specific access (bit 8)", - "1561": "Unknown specific access (bit 9)", - "1562": "Unknown specific access (bit 10)", - "1563": "Unknown specific access (bit 11)", - "1564": "Unknown specific access (bit 12)", - "1565": "Unknown specific access (bit 13)", - "1566": "Unknown specific access (bit 14)", - "1567": "Unknown specific access (bit 15)", - "1601": "Not used", - "1603": "Assign Primary Token Privilege", - "1604": "Lock Memory Privilege", - "1605": "Increase Memory Quota Privilege", - "1606": "Unsolicited Input Privilege", - "1607": "Trusted Computer Base Privilege", - "1608": "Security Privilege", - "1609": "Take Ownership Privilege", - "1610": "Load/Unload Driver Privilege", - "1611": "Profile System Privilege", - "1612": "Set System Time Privilege", - "1613": "Profile Single Process Privilege", - "1614": "Increment Base Priority Privilege", - "1615": "Create Pagefile Privilege", - "1616": "Create Permanent Object Privilege", - "1617": "Backup Privilege", - "1618": "Restore From Backup Privilege", - "1619": "Shutdown System Privilege", - "1620": "Debug Privilege", - "1621": "View or Change Audit Log Privilege", - "1622": "Change Hardware Environment Privilege", - "1623": "Change Notify (and Traverse) Privilege", - "1624": "Remotely Shut 
System Down Privilege", - "1792": "", - "1794": "", - "1795": "Enabled", - "1796": "Disabled", - "1797": "All", - "1798": "None", - "1799": "Audit Policy query/set API Operation", - "1800": "", - "1801": "Granted by", - "1802": "Denied by", - "1803": "Denied by Integrity Policy check", - "1804": "Granted by Ownership", - "1805": "Not granted", - "1806": "Granted by NULL DACL", - "1807": "Denied by Empty DACL", - "1808": "Granted by NULL Security Descriptor", - "1809": "Unknown or unchecked", - "1810": "Not granted due to missing", - "1811": "Granted by ACE on parent folder", - "1812": "Denied by ACE on parent folder", - "1813": "Granted by Central Access Rule", - "1814": "NOT Granted by Central Access Rule", - "1815": "Granted by parent folder's Central Access Rule", - "1816": "NOT Granted by parent folder's Central Access Rule", - "1817": "Unknown Type", - "1818": "String", - "1819": "Unsigned 64-bit Integer", - "1820": "64-bit Integer", - "1821": "FQBN", - "1822": "Blob", - "1823": "Sid", - "1824": "Boolean", - "1825": "TRUE", - "1826": "FALSE", - "1827": "Invalid", - "1828": "an ACE too long to display", - "1829": "a Security Descriptor too long to display", - "1830": "Not granted to AppContainers", - "1831": "...", - "1832": "Identification", - "1833": "Impersonation", - "1840": "Delegation", - "1841": "Denied by Process Trust Label ACE", - "1842": "Yes", - "1843": "No", - "1844": "System", - "1845": "Not Available", - "1846": "Default", - "1847": "DisallowMmConfig", - "1848": "Off", - "1849": "Auto", - "1872": "REG_NONE", - "1873": "REG_SZ", - "1874": "REG_EXPAND_SZ", - "1875": "REG_BINARY", - "1876": "REG_DWORD", - "1877": "REG_DWORD_BIG_ENDIAN", - "1878": "REG_LINK", - "1879": "REG_MULTI_SZ (New lines are replaced with *. 
A * is replaced with **)", - "1880": "REG_RESOURCE_LIST", - "1881": "REG_FULL_RESOURCE_DESCRIPTOR", - "1882": "REG_RESOURCE_REQUIREMENTS_LIST", - "1883": "REG_QWORD", - "1904": "New registry value created", - "1905": "Existing registry value modified", - "1906": "Registry value deleted", - "1920": "Sunday", - "1921": "Monday", - "1922": "Tuesday", - "1923": "Wednesday", - "1924": "Thursday", - "1925": "Friday", - "1926": "Saturday", - "1936": "TokenElevationTypeDefault (1)", - "1937": "TokenElevationTypeFull (2)", - "1938": "TokenElevationTypeLimited (3)", - "2048": "Account Enabled", - "2049": "Home Directory Required' - Disabled", - "2050": "Password Not Required' - Disabled", - "2051": "Temp Duplicate Account' - Disabled", - "2052": "Normal Account' - Disabled", - "2053": "MNS Logon Account' - Disabled", - "2054": "Interdomain Trust Account' - Disabled", - "2055": "Workstation Trust Account' - Disabled", - "2056": "Server Trust Account' - Disabled", - "2057": "Don't Expire Password' - Disabled", - "2058": "Account Unlocked", - "2059": "Encrypted Text Password Allowed' - Disabled", - "2060": "Smartcard Required' - Disabled", - "2061": "Trusted For Delegation' - Disabled", - "2062": "Not Delegated' - Disabled", - "2063": "Use DES Key Only' - Disabled", - "2064": "Don't Require Preauth' - Disabled", - "2065": "Password Expired' - Disabled", - "2066": "Trusted To Authenticate For Delegation' - Disabled", - "2067": "Exclude Authorization Information' - Disabled", - "2068": "Undefined UserAccountControl Bit 20' - Disabled", - "2069": "Protect Kerberos Service Tickets with AES Keys' - Disabled", - "2070": "Undefined UserAccountControl Bit 22' - Disabled", - "2071": "Undefined UserAccountControl Bit 23' - Disabled", - "2072": "Undefined UserAccountControl Bit 24' - Disabled", - "2073": "Undefined UserAccountControl Bit 25' - Disabled", - "2074": "Undefined UserAccountControl Bit 26' - Disabled", - "2075": "Undefined UserAccountControl Bit 27' - Disabled", - "2076": 
"Undefined UserAccountControl Bit 28' - Disabled", - "2077": "Undefined UserAccountControl Bit 29' - Disabled", - "2078": "Undefined UserAccountControl Bit 30' - Disabled", - "2079": "Undefined UserAccountControl Bit 31' - Disabled", - "2080": "Account Disabled", - "2081": "Home Directory Required' - Enabled", - "2082": "Password Not Required' - Enabled", - "2083": "Temp Duplicate Account' - Enabled", - "2084": "Normal Account' - Enabled", - "2085": "MNS Logon Account' - Enabled", - "2086": "Interdomain Trust Account' - Enabled", - "2087": "Workstation Trust Account' - Enabled", - "2088": "Server Trust Account' - Enabled", - "2089": "Don't Expire Password' - Enabled", - "2090": "Account Locked", - "2091": "Encrypted Text Password Allowed' - Enabled", - "2092": "Smartcard Required' - Enabled", - "2093": "Trusted For Delegation' - Enabled", - "2094": "Not Delegated' - Enabled", - "2095": "Use DES Key Only' - Enabled", - "2096": "Don't Require Preauth' - Enabled", - "2097": "Password Expired' - Enabled", - "2098": "Trusted To Authenticate For Delegation' - Enabled", - "2099": "Exclude Authorization Information' - Enabled", - "2100": "Undefined UserAccountControl Bit 20' - Enabled", - "2101": "Protect Kerberos Service Tickets with AES Keys' - Enabled", - "2102": "Undefined UserAccountControl Bit 22' - Enabled", - "2103": "Undefined UserAccountControl Bit 23' - Enabled", - "2104": "Undefined UserAccountControl Bit 24' - Enabled", - "2105": "Undefined UserAccountControl Bit 25' - Enabled", - "2106": "Undefined UserAccountControl Bit 26' - Enabled", - "2107": "Undefined UserAccountControl Bit 27' - Enabled", - "2108": "Undefined UserAccountControl Bit 28' - Enabled", - "2109": "Undefined UserAccountControl Bit 29' - Enabled", - "2110": "Undefined UserAccountControl Bit 30' - Enabled", - "2111": "Undefined UserAccountControl Bit 31' - Enabled", - "2304": "An Error occured during Logon.", - "2305": "The specified user account has expired.", - "2306": "The NetLogon component 
is not active.", - "2307": "Account locked out.", - "2308": "The user has not been granted the requested logon type at this machine.", - "2309": "The specified account's password has expired.", - "2310": "Account currently disabled.", - "2311": "Account logon time restriction violation.", - "2312": "User not allowed to logon at this computer.", - "2313": "Unknown user name or bad password.", - "2314": "Domain sid inconsistent.", - "2315": "Smartcard logon is required and was not used.", - "2432": "Not Available.", - "2436": "Random number generator failure.", - "2437": "Random number generation failed FIPS-140 pre-hash check.", - "2438": "Failed to zero secret data.", - "2439": "Key failed pair wise consistency check.", - "2448": "Failed to unprotect persistent cryptographic key.", - "2449": "Key export checks failed.", - "2450": "Validation of public key failed.", - "2451": "Signature verification failed.", - "2456": "Open key file.", - "2457": "Delete key file.", - "2458": "Read persisted key from file.", - "2459": "Write persisted key to file.", - "2464": "Export of persistent cryptographic key.", - "2465": "Import of persistent cryptographic key.", - "2480": "Open Key.", - "2481": "Create Key.", - "2482": "Delete Key.", - "2483": "Encrypt.", - "2484": "Decrypt.", - "2485": "Sign hash.", - "2486": "Secret agreement.", - "2487": "Domain settings", - "2488": "Local settings", - "2489": "Add provider.", - "2490": "Remove provider.", - "2491": "Add context.", - "2492": "Remove context.", - "2493": "Add function.", - "2494": "Remove function.", - "2495": "Add function provider.", - "2496": "Remove function provider.", - "2497": "Add function property.", - "2498": "Remove function property.", - "2499": "Machine key.", - "2500": "User key.", - "2501": "Key Derivation.", - "4352": "Device Access Bit 0", - "4353": "Device Access Bit 1", - "4354": "Device Access Bit 2", - "4355": "Device Access Bit 3", - "4356": "Device Access Bit 4", - "4357": "Device Access Bit 5", - 
"4358": "Device Access Bit 6", - "4359": "Device Access Bit 7", - "4360": "Device Access Bit 8", - "4361": "Undefined Access (no effect) Bit 9", - "4362": "Undefined Access (no effect) Bit 10", - "4363": "Undefined Access (no effect) Bit 11", - "4364": "Undefined Access (no effect) Bit 12", - "4365": "Undefined Access (no effect) Bit 13", - "4366": "Undefined Access (no effect) Bit 14", - "4367": "Undefined Access (no effect) Bit 15", - "4368": "Query directory", - "4369": "Traverse", - "4370": "Create object in directory", - "4371": "Create sub-directory", - "4372": "Undefined Access (no effect) Bit 4", - "4373": "Undefined Access (no effect) Bit 5", - "4374": "Undefined Access (no effect) Bit 6", - "4375": "Undefined Access (no effect) Bit 7", - "4376": "Undefined Access (no effect) Bit 8", - "4377": "Undefined Access (no effect) Bit 9", - "4378": "Undefined Access (no effect) Bit 10", - "4379": "Undefined Access (no effect) Bit 11", - "4380": "Undefined Access (no effect) Bit 12", - "4381": "Undefined Access (no effect) Bit 13", - "4382": "Undefined Access (no effect) Bit 14", - "4383": "Undefined Access (no effect) Bit 15", - "4384": "Query event state", - "4385": "Modify event state", - "4386": "Undefined Access (no effect) Bit 2", - "4387": "Undefined Access (no effect) Bit 3", - "4388": "Undefined Access (no effect) Bit 4", - "4389": "Undefined Access (no effect) Bit 5", - "4390": "Undefined Access (no effect) Bit 6", - "4391": "Undefined Access (no effect) Bit 7", - "4392": "Undefined Access (no effect) Bit 8", - "4393": "Undefined Access (no effect) Bit 9", - "4394": "Undefined Access (no effect) Bit 10", - "4395": "Undefined Access (no effect) Bit 11", - "4396": "Undefined Access (no effect) Bit 12", - "4397": "Undefined Access (no effect) Bit 13", - "4398": "Undefined Access (no effect) Bit 14", - "4399": "Undefined Access (no effect) Bit 15", - "4416": "ReadData (or ListDirectory)", - "4417": "WriteData (or AddFile)", - "4418": "AppendData (or 
AddSubdirectory or CreatePipeInstance)", - "4419": "ReadEA", - "4420": "WriteEA", - "4421": "Execute/Traverse", - "4422": "DeleteChild", - "4423": "ReadAttributes", - "4424": "WriteAttributes", - "4425": "Undefined Access (no effect) Bit 9", - "4426": "Undefined Access (no effect) Bit 10", - "4427": "Undefined Access (no effect) Bit 11", - "4428": "Undefined Access (no effect) Bit 12", - "4429": "Undefined Access (no effect) Bit 13", - "4430": "Undefined Access (no effect) Bit 14", - "4431": "Undefined Access (no effect) Bit 15", - "4432": "Query key value", - "4433": "Set key value", - "4434": "Create sub-key", - "4435": "Enumerate sub-keys", - "4436": "Notify about changes to keys", - "4437": "Create Link", - "4438": "Undefined Access (no effect) Bit 6", - "4439": "Undefined Access (no effect) Bit 7", - "4440": "Enable 64(or 32) bit application to open 64 bit key", - "4441": "Enable 64(or 32) bit application to open 32 bit key", - "4442": "Undefined Access (no effect) Bit 10", - "4443": "Undefined Access (no effect) Bit 11", - "4444": "Undefined Access (no effect) Bit 12", - "4445": "Undefined Access (no effect) Bit 13", - "4446": "Undefined Access (no effect) Bit 14", - "4447": "Undefined Access (no effect) Bit 15", - "4448": "Query mutant state", - "4449": "Undefined Access (no effect) Bit 1", - "4450": "Undefined Access (no effect) Bit 2", - "4451": "Undefined Access (no effect) Bit 3", - "4452": "Undefined Access (no effect) Bit 4", - "4453": "Undefined Access (no effect) Bit 5", - "4454": "Undefined Access (no effect) Bit 6", - "4455": "Undefined Access (no effect) Bit 7", - "4456": "Undefined Access (no effect) Bit 8", - "4457": "Undefined Access (no effect) Bit 9", - "4458": "Undefined Access (no effect) Bit 10", - "4459": "Undefined Access (no effect) Bit 11", - "4460": "Undefined Access (no effect) Bit 12", - "4461": "Undefined Access (no effect) Bit 13", - "4462": "Undefined Access (no effect) Bit 14", - "4463": "Undefined Access (no effect) Bit 15", - 
"4464": "Communicate using port", - "4465": "Undefined Access (no effect) Bit 1", - "4466": "Undefined Access (no effect) Bit 2", - "4467": "Undefined Access (no effect) Bit 3", - "4468": "Undefined Access (no effect) Bit 4", - "4469": "Undefined Access (no effect) Bit 5", - "4470": "Undefined Access (no effect) Bit 6", - "4471": "Undefined Access (no effect) Bit 7", - "4472": "Undefined Access (no effect) Bit 8", - "4473": "Undefined Access (no effect) Bit 9", - "4474": "Undefined Access (no effect) Bit 10", - "4475": "Undefined Access (no effect) Bit 11", - "4476": "Undefined Access (no effect) Bit 12", - "4477": "Undefined Access (no effect) Bit 13", - "4478": "Undefined Access (no effect) Bit 14", - "4479": "Undefined Access (no effect) Bit 15", - "4480": "Force process termination", - "4481": "Create new thread in process", - "4482": "Set process session ID", - "4483": "Perform virtual memory operation", - "4484": "Read from process memory", - "4485": "Write to process memory", - "4486": "Duplicate handle into or out of process", - "4487": "Create a subprocess of process", - "4488": "Set process quotas", - "4489": "Set process information", - "4490": "Query process information", - "4491": "Set process termination port", - "4492": "Undefined Access (no effect) Bit 12", - "4493": "Undefined Access (no effect) Bit 13", - "4494": "Undefined Access (no effect) Bit 14", - "4495": "Undefined Access (no effect) Bit 15", - "4496": "Control profile", - "4497": "Undefined Access (no effect) Bit 1", - "4498": "Undefined Access (no effect) Bit 2", - "4499": "Undefined Access (no effect) Bit 3", - "4500": "Undefined Access (no effect) Bit 4", - "4501": "Undefined Access (no effect) Bit 5", - "4502": "Undefined Access (no effect) Bit 6", - "4503": "Undefined Access (no effect) Bit 7", - "4504": "Undefined Access (no effect) Bit 8", - "4505": "Undefined Access (no effect) Bit 9", - "4506": "Undefined Access (no effect) Bit 10", - "4507": "Undefined Access (no effect) Bit 11", 
- "4508": "Undefined Access (no effect) Bit 12", - "4509": "Undefined Access (no effect) Bit 13", - "4510": "Undefined Access (no effect) Bit 14", - "4511": "Undefined Access (no effect) Bit 15", - "4512": "Query section state", - "4513": "Map section for write", - "4514": "Map section for read", - "4515": "Map section for execute", - "4516": "Extend size", - "4517": "Undefined Access (no effect) Bit 5", - "4518": "Undefined Access (no effect) Bit 6", - "4519": "Undefined Access (no effect) Bit 7", - "4520": "Undefined Access (no effect) Bit 8", - "4521": "Undefined Access (no effect) Bit 9", - "4522": "Undefined Access (no effect) Bit 10", - "4523": "Undefined Access (no effect) Bit 11", - "4524": "Undefined Access (no effect) Bit 12", - "4525": "Undefined Access (no effect) Bit 13", - "4526": "Undefined Access (no effect) Bit 14", - "4527": "Undefined Access (no effect) Bit 15", - "4528": "Query semaphore state", - "4529": "Modify semaphore state", - "4530": "Undefined Access (no effect) Bit 2", - "4531": "Undefined Access (no effect) Bit 3", - "4532": "Undefined Access (no effect) Bit 4", - "4533": "Undefined Access (no effect) Bit 5", - "4534": "Undefined Access (no effect) Bit 6", - "4535": "Undefined Access (no effect) Bit 7", - "4536": "Undefined Access (no effect) Bit 8", - "4537": "Undefined Access (no effect) Bit 9", - "4538": "Undefined Access (no effect) Bit 10", - "4539": "Undefined Access (no effect) Bit 11", - "4540": "Undefined Access (no effect) Bit 12", - "4541": "Undefined Access (no effect) Bit 13", - "4542": "Undefined Access (no effect) Bit 14", - "4543": "Undefined Access (no effect) Bit 15", - "4544": "Use symbolic link", - "4545": "Undefined Access (no effect) Bit 1", - "4546": "Undefined Access (no effect) Bit 2", - "4547": "Undefined Access (no effect) Bit 3", - "4548": "Undefined Access (no effect) Bit 4", - "4549": "Undefined Access (no effect) Bit 5", - "4550": "Undefined Access (no effect) Bit 6", - "4551": "Undefined Access (no 
effect) Bit 7", - "4552": "Undefined Access (no effect) Bit 8", - "4553": "Undefined Access (no effect) Bit 9", - "4554": "Undefined Access (no effect) Bit 10", - "4555": "Undefined Access (no effect) Bit 11", - "4556": "Undefined Access (no effect) Bit 12", - "4557": "Undefined Access (no effect) Bit 13", - "4558": "Undefined Access (no effect) Bit 14", - "4559": "Undefined Access (no effect) Bit 15", - "4560": "Force thread termination", - "4561": "Suspend or resume thread", - "4562": "Send an alert to thread", - "4563": "Get thread context", - "4564": "Set thread context", - "4565": "Set thread information", - "4566": "Query thread information", - "4567": "Assign a token to the thread", - "4568": "Cause thread to directly impersonate another thread", - "4569": "Directly impersonate this thread", - "4570": "Undefined Access (no effect) Bit 10", - "4571": "Undefined Access (no effect) Bit 11", - "4572": "Undefined Access (no effect) Bit 12", - "4573": "Undefined Access (no effect) Bit 13", - "4574": "Undefined Access (no effect) Bit 14", - "4575": "Undefined Access (no effect) Bit 15", - "4576": "Query timer state", - "4577": "Modify timer state", - "4578": "Undefined Access (no effect) Bit 2", - "4579": "Undefined Access (no effect) Bit 3", - "4580": "Undefined Access (no effect) Bit 4", - "4581": "Undefined Access (no effect) Bit 5", - "4582": "Undefined Access (no effect) Bit 6", - "4584": "Undefined Access (no effect) Bit 8", - "4585": "Undefined Access (no effect) Bit 9", - "4586": "Undefined Access (no effect) Bit 10", - "4587": "Undefined Access (no effect) Bit 11", - "4588": "Undefined Access (no effect) Bit 12", - "4589": "Undefined Access (no effect) Bit 13", - "4590": "Undefined Access (no effect) Bit 14", - "4591": "Undefined Access (no effect) Bit 15", - "4592": "AssignAsPrimary", - "4593": "Duplicate", - "4594": "Impersonate", - "4595": "Query", - "4596": "QuerySource", - "4597": "AdjustPrivileges", - "4598": "AdjustGroups", - "4599": 
"AdjustDefaultDacl", - "4600": "AdjustSessionID", - "4601": "Undefined Access (no effect) Bit 9", - "4602": "Undefined Access (no effect) Bit 10", - "4603": "Undefined Access (no effect) Bit 11", - "4604": "Undefined Access (no effect) Bit 12", - "4605": "Undefined Access (no effect) Bit 13", - "4606": "Undefined Access (no effect) Bit 14", - "4607": "Undefined Access (no effect) Bit 15", - "4608": "Create instance of object type", - "4609": "Undefined Access (no effect) Bit 1", - "4610": "Undefined Access (no effect) Bit 2", - "4611": "Undefined Access (no effect) Bit 3", - "4612": "Undefined Access (no effect) Bit 4", - "4613": "Undefined Access (no effect) Bit 5", - "4614": "Undefined Access (no effect) Bit 6", - "4615": "Undefined Access (no effect) Bit 7", - "4616": "Undefined Access (no effect) Bit 8", - "4617": "Undefined Access (no effect) Bit 9", - "4618": "Undefined Access (no effect) Bit 10", - "4619": "Undefined Access (no effect) Bit 11", - "4620": "Undefined Access (no effect) Bit 12", - "4621": "Undefined Access (no effect) Bit 13", - "4622": "Undefined Access (no effect) Bit 14", - "4623": "Undefined Access (no effect) Bit 15", - "4864": "Query State", - "4865": "Modify State", - "5120": "Channel read message", - "5121": "Channel write message", - "5122": "Channel query information", - "5123": "Channel set information", - "5124": "Undefined Access (no effect) Bit 4", - "5125": "Undefined Access (no effect) Bit 5", - "5126": "Undefined Access (no effect) Bit 6", - "5127": "Undefined Access (no effect) Bit 7", - "5128": "Undefined Access (no effect) Bit 8", - "5129": "Undefined Access (no effect) Bit 9", - "5130": "Undefined Access (no effect) Bit 10", - "5131": "Undefined Access (no effect) Bit 11", - "5132": "Undefined Access (no effect) Bit 12", - "5133": "Undefined Access (no effect) Bit 13", - "5134": "Undefined Access (no effect) Bit 14", - "5135": "Undefined Access (no effect) Bit 15", - "5136": "Assign process", - "5137": "Set Attributes", - 
"5138": "Query Attributes", - "5139": "Terminate Job", - "5140": "Set Security Attributes", - "5141": "Undefined Access (no effect) Bit 5", - "5142": "Undefined Access (no effect) Bit 6", - "5143": "Undefined Access (no effect) Bit 7", - "5144": "Undefined Access (no effect) Bit 8", - "5145": "Undefined Access (no effect) Bit 9", - "5146": "Undefined Access (no effect) Bit 10", - "5147": "Undefined Access (no effect) Bit 11", - "5148": "Undefined Access (no effect) Bit 12", - "5149": "Undefined Access (no effect) Bit 13", - "5150": "Undefined Access (no effect) Bit 14", - "5151": "Undefined Access (no effect) Bit 15", - "5376": "ConnectToServer", - "5377": "ShutdownServer", - "5378": "InitializeServer", - "5379": "CreateDomain", - "5380": "EnumerateDomains", - "5381": "LookupDomain", - "5382": "Undefined Access (no effect) Bit 6", - "5383": "Undefined Access (no effect) Bit 7", - "5384": "Undefined Access (no effect) Bit 8", - "5385": "Undefined Access (no effect) Bit 9", - "5386": "Undefined Access (no effect) Bit 10", - "5387": "Undefined Access (no effect) Bit 11", - "5388": "Undefined Access (no effect) Bit 12", - "5389": "Undefined Access (no effect) Bit 13", - "5390": "Undefined Access (no effect) Bit 14", - "5391": "Undefined Access (no effect) Bit 15", - "5392": "ReadPasswordParameters", - "5393": "WritePasswordParameters", - "5394": "ReadOtherParameters", - "5395": "WriteOtherParameters", - "5396": "CreateUser", - "5397": "CreateGlobalGroup", - "5398": "CreateLocalGroup", - "5399": "GetLocalGroupMembership", - "5400": "ListAccounts", - "5401": "LookupIDs", - "5402": "AdministerServer", - "5403": "Undefined Access (no effect) Bit 11", - "5404": "Undefined Access (no effect) Bit 12", - "5405": "Undefined Access (no effect) Bit 13", - "5406": "Undefined Access (no effect) Bit 14", - "5407": "Undefined Access (no effect) Bit 15", - "5408": "ReadInformation", - "5409": "WriteAccount", - "5410": "AddMember", - "5411": "RemoveMember", - "5412": "ListMembers", - 
"5413": "Undefined Access (no effect) Bit 5", - "5414": "Undefined Access (no effect) Bit 6", - "5415": "Undefined Access (no effect) Bit 7", - "5416": "Undefined Access (no effect) Bit 8", - "5417": "Undefined Access (no effect) Bit 9", - "5418": "Undefined Access (no effect) Bit 10", - "5419": "Undefined Access (no effect) Bit 11", - "5420": "Undefined Access (no effect) Bit 12", - "5421": "Undefined Access (no effect) Bit 13", - "5422": "Undefined Access (no effect) Bit 14", - "5423": "Undefined Access (no effect) Bit 15", - "5424": "AddMember", - "5425": "RemoveMember", - "5426": "ListMembers", - "5427": "ReadInformation", - "5428": "WriteAccount", - "5429": "Undefined Access (no effect) Bit 5", - "5430": "Undefined Access (no effect) Bit 6", - "5431": "Undefined Access (no effect) Bit 7", - "5432": "Undefined Access (no effect) Bit 8", - "5433": "Undefined Access (no effect) Bit 9", - "5434": "Undefined Access (no effect) Bit 10", - "5435": "Undefined Access (no effect) Bit 11", - "5436": "Undefined Access (no effect) Bit 12", - "5437": "Undefined Access (no effect) Bit 13", - "5438": "Undefined Access (no effect) Bit 14", - "5439": "Undefined Access (no effect) Bit 15", - "5440": "ReadGeneralInformation", - "5441": "ReadPreferences", - "5442": "WritePreferences", - "5443": "ReadLogon", - "5444": "ReadAccount", - "5445": "WriteAccount", - "5446": "ChangePassword (with knowledge of old password)", - "5447": "SetPassword (without knowledge of old password)", - "5448": "ListGroups", - "5449": "ReadGroupMembership", - "5450": "ChangeGroupMembership", - "5451": "Undefined Access (no effect) Bit 11", - "5452": "Undefined Access (no effect) Bit 12", - "5453": "Undefined Access (no effect) Bit 13", - "5454": "Undefined Access (no effect) Bit 14", - "5455": "Undefined Access (no effect) Bit 15", - "5632": "View non-sensitive policy information", - "5633": "View system audit requirements", - "5634": "Get sensitive policy information", - "5635": "Modify domain trust 
relationships", - "5636": "Create special accounts (for assignment of user rights)", - "5637": "Create a secret object", - "5638": "Create a privilege", - "5639": "Set default quota limits", - "5640": "Change system audit requirements", - "5641": "Administer audit log attributes", - "5642": "Enable/Disable LSA", - "5643": "Lookup Names/SIDs", - "5648": "Change secret value", - "5649": "Query secret value", - "5650": "Undefined Access (no effect) Bit 2", - "5651": "Undefined Access (no effect) Bit 3", - "5652": "Undefined Access (no effect) Bit 4", - "5653": "Undefined Access (no effect) Bit 5", - "5654": "Undefined Access (no effect) Bit 6", - "5655": "Undefined Access (no effect) Bit 7", - "5656": "Undefined Access (no effect) Bit 8", - "5657": "Undefined Access (no effect) Bit 9", - "5658": "Undefined Access (no effect) Bit 10", - "5659": "Undefined Access (no effect) Bit 11", - "5660": "Undefined Access (no effect) Bit 12", - "5661": "Undefined Access (no effect) Bit 13", - "5662": "Undefined Access (no effect) Bit 14", - "5663": "Undefined Access (no effect) Bit 15", - "5664": "Query trusted domain name/SID", - "5665": "Retrieve the controllers in the trusted domain", - "5666": "Change the controllers in the trusted domain", - "5667": "Query the Posix ID offset assigned to the trusted domain", - "5668": "Change the Posix ID offset assigned to the trusted domain", - "5669": "Undefined Access (no effect) Bit 5", - "5670": "Undefined Access (no effect) Bit 6", - "5671": "Undefined Access (no effect) Bit 7", - "5672": "Undefined Access (no effect) Bit 8", - "5673": "Undefined Access (no effect) Bit 9", - "5674": "Undefined Access (no effect) Bit 10", - "5675": "Undefined Access (no effect) Bit 11", - "5676": "Undefined Access (no effect) Bit 12", - "5677": "Undefined Access (no effect) Bit 13", - "5678": "Undefined Access (no effect) Bit 14", - "5679": "Undefined Access (no effect) Bit 15", - "5680": "Query account information", - "5681": "Change privileges 
assigned to account", - "5682": "Change quotas assigned to account", - "5683": "Change logon capabilities assigned to account", - "5684": "Change the Posix ID offset assigned to the accounted domain", - "5685": "Undefined Access (no effect) Bit 5", - "5686": "Undefined Access (no effect) Bit 6", - "5687": "Undefined Access (no effect) Bit 7", - "5688": "Undefined Access (no effect) Bit 8", - "5689": "Undefined Access (no effect) Bit 9", - "5690": "Undefined Access (no effect) Bit 10", - "5691": "Undefined Access (no effect) Bit 11", - "5692": "Undefined Access (no effect) Bit 12", - "5693": "Undefined Access (no effect) Bit 13", - "5694": "Undefined Access (no effect) Bit 14", - "5695": "Undefined Access (no effect) Bit 15", - "5696": "KeyedEvent Wait", - "5697": "KeyedEvent Wake", - "5698": "Undefined Access (no effect) Bit 2", - "5699": "Undefined Access (no effect) Bit 3", - "5700": "Undefined Access (no effect) Bit 4", - "5701": "Undefined Access (no effect) Bit 5", - "5702": "Undefined Access (no effect) Bit 6", - "5703": "Undefined Access (no effect) Bit 7", - "5704": "Undefined Access (no effect) Bit 8", - "5705": "Undefined Access (no effect) Bit 9", - "5706": "Undefined Access (no effect) Bit 10", - "5707": "Undefined Access (no effect) Bit 11", - "5708": "Undefined Access (no effect) Bit 12", - "5709": "Undefined Access (no effect) Bit 13", - "5710": "Undefined Access (no effect) Bit 14", - "5711": "Undefined Access (no effect) Bit 15", - "6656": "Enumerate desktops", - "6657": "Read attributes", - "6658": "Access Clipboard", - "6659": "Create desktop", - "6660": "Write attributes", - "6661": "Access global atoms", - "6662": "Exit windows", - "6663": "Unused Access Flag", - "6664": "Include this windowstation in enumerations", - "6665": "Read screen", - "6672": "Read Objects", - "6673": "Create window", - "6674": "Create menu", - "6675": "Hook control", - "6676": "Journal (record)", - "6677": "Journal (playback)", - "6678": "Include this desktop in 
enumerations", - "6679": "Write objects", - "6680": "Switch to this desktop", - "6912": "Administer print server", - "6913": "Enumerate printers", - "6930": "Full Control", - "6931": "Print", - "6948": "Administer Document", - "7168": "Connect to service controller", - "7169": "Create a new service", - "7170": "Enumerate services", - "7171": "Lock service database for exclusive access", - "7172": "Query service database lock state", - "7173": "Set last-known-good state of service database", - "7184": "Query service configuration information", - "7185": "Set service configuration information", - "7186": "Query status of service", - "7187": "Enumerate dependencies of service", - "7188": "Start the service", - "7189": "Stop the service", - "7190": "Pause or continue the service", - "7191": "Query information from service", - "7192": "Issue service-specific control commands", - "7424": "DDE Share Read", - "7425": "DDE Share Write", - "7426": "DDE Share Initiate Static", - "7427": "DDE Share Initiate Link", - "7428": "DDE Share Request", - "7429": "DDE Share Advise", - "7430": "DDE Share Poke", - "7431": "DDE Share Execute", - "7432": "DDE Share Add Items", - "7433": "DDE Share List Items", - "7680": "Create Child", - "7681": "Delete Child", - "7682": "List Contents", - "7683": "Write Self", - "7684": "Read Property", - "7685": "Write Property", - "7686": "Delete Tree", - "7687": "List Object", - "7688": "Control Access", - "7689": "Undefined Access (no effect) Bit 9", - "7690": "Undefined Access (no effect) Bit 10", - "7691": "Undefined Access (no effect) Bit 11", - "7692": "Undefined Access (no effect) Bit 12", - "7693": "Undefined Access (no effect) Bit 13", - "7694": "Undefined Access (no effect) Bit 14", - "7695": "Undefined Access (no effect) Bit 15", - "7936": "Audit Set System Policy", - "7937": "Audit Query System Policy", - "7938": "Audit Set Per User Policy", - "7939": "Audit Query Per User Policy", - "7940": "Audit Enumerate Users", - "7941": "Audit Set 
Options", - "7942": "Audit Query Options", - "8064": "Port sharing (read)", - "8065": "Port sharing (write)", - "8096": "Default credentials", - "8097": "Credentials manager", - "8098": "Fresh credentials", - "8192": "Kerberos", - "8193": "Preshared key", - "8194": "Unknown authentication", - "8195": "DES", - "8196": "3DES", - "8197": "MD5", - "8198": "SHA1", - "8199": "Local computer", - "8200": "Remote computer", - "8201": "No state", - "8202": "Sent first (SA) payload", - "8203": "Sent second (KE) payload", - "8204": "Sent third (ID) payload", - "8205": "Initiator", - "8206": "Responder", - "8207": "No state", - "8208": "Sent first (SA) payload", - "8209": "Sent final payload", - "8210": "Complete", - "8211": "Unknown", - "8212": "Transport", - "8213": "Tunnel", - "8214": "IKE/AuthIP DoS prevention mode started", - "8215": "IKE/AuthIP DoS prevention mode stopped", - "8216": "Enabled", - "8217": "Not enabled", - "8218": "No state", - "8219": "Sent first (EM attributes) payload", - "8220": "Sent second (SSPI) payload", - "8221": "Sent third (hash) payload", - "8222": "IKEv1", - "8223": "AuthIP", - "8224": "Anonymous", - "8225": "NTLM V2", - "8226": "CGA", - "8227": "Certificate", - "8228": "SSL", - "8229": "None", - "8230": "DH group 1", - "8231": "DH group 2", - "8232": "DH group 14", - "8233": "DH group ECP 256", - "8234": "DH group ECP 384", - "8235": "AES-128", - "8236": "AES-192", - "8237": "AES-256", - "8238": "Certificate ECDSA P256", - "8239": "Certificate ECDSA P384", - "8240": "SSL ECDSA P256", - "8241": "SSL ECDSA P384", - "8242": "SHA 256", - "8243": "SHA 384", - "8244": "IKEv2", - "8245": "EAP payload sent", - "8246": "Authentication payload sent", - "8247": "EAP", - "8248": "DH group 24", - "8272": "System", - "8273": "Logon/Logoff", - "8274": "Object Access", - "8275": "Privilege Use", - "8276": "Detailed Tracking", - "8277": "Policy Change", - "8278": "Account Management", - "8279": "DS Access", - "8280": "Account Logon", - "8448": "Success 
removed", - "8449": "Success Added", - "8450": "Failure removed", - "8451": "Failure Added", - "8452": "Success include removed", - "8453": "Success include added", - "8454": "Success exclude removed", - "8455": "Success exclude added", - "8456": "Failure include removed", - "8457": "Failure include added", - "8458": "Failure exclude removed", - "8459": "Failure exclude added", - "12288": "Security State Change", - "12289": "Security System Extension", - "12290": "System Integrity", - "12291": "IPsec Driver", - "12292": "Other System Events", - "12544": "Logon", - "12545": "Logoff", - "12546": "Account Lockout", - "12547": "IPsec Main Mode", - "12548": "Special Logon", - "12549": "IPsec Quick Mode", - "12550": "IPsec Extended Mode", - "12551": "Other Logon/Logoff Events", - "12552": "Network Policy Server", - "12553": "User / Device Claims", - "12554": "Group Membership", - "12800": "File System", - "12801": "Registry", - "12802": "Kernel Object", - "12803": "SAM", - "12804": "Other Object Access Events", - "12805": "Certification Services", - "12806": "Application Generated", - "12807": "Handle Manipulation", - "12808": "File Share", - "12809": "Filtering Platform Packet Drop", - "12810": "Filtering Platform Connection", - "12811": "Detailed File Share", - "12812": "Removable Storage", - "12813": "Central Policy Staging", - "13056": "Sensitive Privilege Use", - "13057": "Non Sensitive Privilege Use", - "13058": "Other Privilege Use Events", - "13312": "Process Creation", - "13313": "Process Termination", - "13314": "DPAPI Activity", - "13315": "RPC Events", - "13316": "Plug and Play Events", - "13317": "Token Right Adjusted Events", - "13568": "Audit Policy Change", - "13569": "Authentication Policy Change", - "13570": "Authorization Policy Change", - "13571": "MPSSVC Rule-Level Policy Change", - "13572": "Filtering Platform Policy Change", - "13573": "Other Policy Change Events", - "13824": "User Account Management", - "13825": "Computer Account Management", - 
"13826": "Security Group Management", - "13827": "Distribution Group Management", - "13828": "Application Group Management", - "13829": "Other Account Management Events", - "14080": "Directory Service Access", - "14081": "Directory Service Changes", - "14082": "Directory Service Replication", - "14083": "Detailed Directory Service Replication", - "14336": "Credential Validation", - "14337": "Kerberos Service Ticket Operations", - "14338": "Other Account Logon Events", - "14339": "Kerberos Authentication Service", - "14592": "Inbound", - "14593": "Outbound", - "14594": "Forward", - "14595": "Bidirectional", - "14596": "IP Packet", - "14597": "Transport", - "14598": "Forward", - "14599": "Stream", - "14600": "Datagram Data", - "14601": "ICMP Error", - "14602": "MAC 802.3", - "14603": "MAC Native", - "14604": "vSwitch", - "14608": "Resource Assignment", - "14609": "Listen", - "14610": "Receive/Accept", - "14611": "Connect", - "14612": "Flow Established", - "14614": "Resource Release", - "14615": "Endpoint Closure", - "14616": "Connect Redirect", - "14617": "Bind Redirect", - "14624": "Stream Packet", - "14640": "ICMP Echo-Request", - "14641": "vSwitch Ingress", - "14642": "vSwitch Egress", - "14672": "", - "14673": "[NULL]", - "14674": "Value Added", - "14675": "Value Deleted", - "14676": "Active Directory Domain Services", - "14677": "Active Directory Lightweight Directory Services", - "14678": "Yes", - "14679": "No", - "14680": "Value Added With Expiration Time", - "14681": "Value Deleted With Expiration Time", - "14688": "Value Auto Deleted With Expiration Time", - "16384": "Add", - "16385": "Delete", - "16386": "Boot-time", - "16387": "Persistent", - "16388": "Not persistent", - "16389": "Block", - "16390": "Permit", - "16391": "Callout", - "16392": "MD5", - "16393": "SHA-1", - "16394": "SHA-256", - "16395": "AES-GCM 128", - "16396": "AES-GCM 192", - "16397": "AES-GCM 256", - "16398": "DES", - "16399": "3DES", - "16400": "AES-128", - "16401": "AES-192", - "16402": 
"AES-256", - "16403": "Transport", - "16404": "Tunnel", - "16405": "Responder", - "16406": "Initiator", - "16407": "AES-GMAC 128", - "16408": "AES-GMAC 192", - "16409": "AES-GMAC 256", - "16416": "AuthNoEncap Transport", - "16896": "Enable WMI Account", - "16897": "Execute Method", - "16898": "Full Write", - "16899": "Partial Write", - "16900": "Provider Write", - "16901": "Remote Access", - "16902": "Subscribe", - "16903": "Publish", - }; - // Trust Types - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706 - var trustTypes = { - "1": "TRUST_TYPE_DOWNLEVEL", - "2": "TRUST_TYPE_UPLEVEL", - "3": "TRUST_TYPE_MIT", - "4": "TRUST_TYPE_DCE" - } - // Trust Direction - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706 - var trustDirection = { - "0": "TRUST_DIRECTION_DISABLED", - "1": "TRUST_DIRECTION_INBOUND", - "2": "TRUST_DIRECTION_OUTBOUND", - "3": "TRUST_DIRECTION_BIDIRECTIONAL" - } - // Trust Attributes - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706 - var trustAttributes = { - "0": "UNDEFINED", - "1": "TRUST_ATTRIBUTE_NON_TRANSITIVE", - "2": "TRUST_ATTRIBUTE_UPLEVEL_ONLY", - "4": "TRUST_ATTRIBUTE_QUARANTINED_DOMAIN", - "8": "TRUST_ATTRIBUTE_FOREST_TRANSITIVE", - "16": "TRUST_ATTRIBUTE_CROSS_ORGANIZATION", - "32": "TRUST_ATTRIBUTE_WITHIN_FOREST", - "64": "TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL", - "128": "TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION", - "512": "TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION", - "1024": "TRUST_ATTRIBUTE_PIM_TRUST" - } - // SDDL Ace Types - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4715 - // https://docs.microsoft.com/en-us/windows/win32/secauthz/ace-strings - // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/f4296d69-1c0f-491f-9587-a960b292d070 - var aceTypes = { - "A": "Access Allowed", - "D": "Access Denied", - "OA": "Object Access Allowed", - "OD": 
"Object Access Denied", - "AU": "System Audit", - "AL": "System Alarm", - "OU": "System Object Audit", - "OL": "System Object Alarm", - "ML": "System Mandatory Label", - "SP": "Central Policy ID" - } - // SDDL Permissions - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4715 - // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/f4296d69-1c0f-491f-9587-a960b292d070 - var permissionDescription = { - "GA": "Generic All", - "GR": "Generic Read", - "GW": "Generic Write", - "GX": "Generic Execute", - "RC": "Read Permissions", - "SD": "Delete", - "WD": "Modify Permissions", - "WO": "Modify Owner", - "RP": "Read All Properties", - "WP": "Write All Properties", - "CC": "Create All Child Objects", - "DC": "Delete All Child Objects", - "LC": "List Contents", - "SW": "All Validated", - "LO": "List Object", - "DT": "Delete Subtree", - "CR": "All Extended Rights", - "FA": "File All Access", - "FR": "File Generic Read", - "FX": "FILE GENERIC EXECUTE", - "FW": "FILE GENERIC WRITE", - "KA": "KEY ALL ACCESS", - "KR": "KEY READ", - "KW": "KEY WRITE", - "KX": "KEY EXECUTE" - } - // Known SIDs - // https://support.microsoft.com/en-au/help/243330/well-known-security-identifier"S-in-window"S-operating-systems - // https://docs.microsoft.com/en-us/windows/win32/secauthz/sid-strings - var accountSIDDescription = { - "AO": "Account operators", - "RU": "Alias to allow previous Windows 2000", - "AN": "Anonymous logon", - "AU": "Authenticated users", - "BA": "Built-in administrators", - "BG": "Built-in guests", - "BO": "Backup operators", - "BU": "Built-in users", - "CA": "Certificate server administrators", - "CG": "Creator group", - "CO": "Creator owner", - "DA": "Domain administrators", - "DC": "Domain computers", - "DD": "Domain controllers", - "DG": "Domain guests", - "DU": "Domain users", - "EA": "Enterprise administrators", - "ED": "Enterprise domain controllers", - "WD": "Everyone", - "PA": "Group Policy administrators", - 
"IU": "Interactively logged-on user", - "LA": "Local administrator", - "LG": "Local guest", - "LS": "Local service account", - "SY": "Local system", - "NU": "Network logon user", - "NO": "Network configuration operators", - "NS": "Network service account", - "PO": "Printer operators", - "PS": "Personal self", - "PU": "Power users", - "RS": "RAS servers group", - "RD": "Terminal server users", - "RE": "Replicator", - "RC": "Restricted code", - "SA": "Schema administrators", - "SO": "Server operators", - "SU": "Service logon user", - "S-1-0": "Null Authority", - "S-1-0-0": "Nobody", - "S-1-1": "World Authority", - "S-1-1-0": "Everyone", - "S-1-16-0": "Untrusted Mandatory Level", - "S-1-16-12288": "High Mandatory Level", - "S-1-16-16384": "System Mandatory Level", - "S-1-16-20480": "Protected Process Mandatory Level", - "S-1-16-28672": "Secure Process Mandatory Level", - "S-1-16-4096": "Low Mandatory Level", - "S-1-16-8192": "Medium Mandatory Level", - "S-1-16-8448": "Medium Plus Mandatory Level", - "S-1-2": "Local Authority", - "S-1-2-0": "Local", - "S-1-2-1": "Console Logon", - "S-1-3": "Creator Authority", - "S-1-3-0": "Creator Owner", - "S-1-3-1": "Creator Group", - "S-1-3-2": "Creator Owner Server", - "S-1-3-3": "Creator Group Server", - "S-1-3-4": "Owner Rights", - "S-1-4": "Non-unique Authority", - "S-1-5": "NT Authority", - "S-1-5-1": "Dialup", - "S-1-5-10": "Principal Self", - "S-1-5-11": "Authenticated Users", - "S-1-5-12": "Restricted Code", - "S-1-5-13": "Terminal Server Users", - "S-1-5-14": "Remote Interactive Logon", - "S-1-5-15": "This Organization", - "S-1-5-17": "This Organization", - "S-1-5-18": "Local System", - "S-1-5-19": "NT Authority", - "S-1-5-2": "Network", - "S-1-5-20": "NT Authority", - "S-1-5-3": "Batch", - "S-1-5-32-544": "Administrators", - "S-1-5-32-545": "Users", - "S-1-5-32-546": "Guests", - "S-1-5-32-547": "Power Users", - "S-1-5-32-548": "Account Operators", - "S-1-5-32-549": "Server Operators", - "S-1-5-32-550": "Print Operators", 
- "S-1-5-32-551": "Backup Operators", - "S-1-5-32-552": "Replicators", - "S-1-5-32-554": "Builtin\Pre-Windows 2000 Compatible Access", - "S-1-5-32-555": "Builtin\Remote Desktop Users", - "S-1-5-32-556": "Builtin\Network Configuration Operators", - "S-1-5-32-557": "Builtin\Incoming Forest Trust Builders", - "S-1-5-32-558": "Builtin\Performance Monitor Users", - "S-1-5-32-559": "Builtin\Performance Log Users", - "S-1-5-32-560": "Builtin\Windows Authorization Access Group", - "S-1-5-32-561": "Builtin\Terminal Server License Servers", - "S-1-5-32-562": "Builtin\Distributed COM Users", - "S-1-5-32-569": "Builtin\Cryptographic Operators", - "S-1-5-32-573": "Builtin\Event Log Readers", - "S-1-5-32-574": "Builtin\Certificate Service DCOM Access", - "S-1-5-32-575": "Builtin\RDS Remote Access Servers", - "S-1-5-32-576": "Builtin\RDS Endpoint Servers", - "S-1-5-32-577": "Builtin\RDS Management Servers", - "S-1-5-32-578": "Builtin\Hyper-V Administrators", - "S-1-5-32-579": "Builtin\Access Control Assistance Operators", - "S-1-5-32-580": "Builtin\Remote Management Users", - "S-1-5-32-582": "Storage Replica Administrators", - "S-1-5-4": "Interactive", - "S-1-5-5-X-Y": "Logon Session", - "S-1-5-6": "Service", - "S-1-5-64-10": "NTLM Authentication", - "S-1-5-64-14": "SChannel Authentication", - "S-1-5-64-21": "Digest Authentication", - "S-1-5-7": "Anonymous", - "S-1-5-8": "Proxy", - "S-1-5-80": "NT Service", - "S-1-5-80-0": "All Services", - "S-1-5-83-0": "NT Virtual Machine\Virtual Machines", - "S-1-5-9": "Enterprise Domain Controllers", - "S-1-5-90-0": "Windows Manager\Windows Manager Group" - } - // Domain-specific SIDs - // https://support.microsoft.com/en-au/help/243330/well-known-security-identifiers-in-windows-operating-systems - var domainSpecificSID = { - "498": "Enterprise Read-only Domain Controllers", - "500": "Administrator", - "501": "Guest", - "502": "KRBTGT", - "512": "Domain Admins", - "513": "Domain Users", - "514": "Domain Guests", - "515": "Domain Computers", - 
"516": "Domain Controllers", - "517": "Cert Publishers", - "518": "Schema Admins", - "519": "Enterprise Admins", - "520": "Group Policy Creator Owners", - "521": "Read-only Domain Controllers", - "522": "Cloneable Domain Controllers", - "526": "Key Admins", - "527": "Enterprise Key Admins", - "553": "RAS and IAS Servers", - "571": "Allowed RODC Password Replication Group", - "572": "Denied RODC Password Replication Group" - } - // Object Permission Flags - // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/7a53f60e-e730-4dfe-bbe9-b21b62eb790b - var permsFlags = [ - [0x80000000, 'Generic Read'], - [0x4000000, 'Generic Write'], - [0x20000000, 'Generic Execute'], - [0x10000000, 'Generic All'], - [0x02000000, 'Maximun Allowed'], - [0x01000000, 'Access System Security'], - [0x00100000, 'Syncronize'], - [0x00080000, 'Write Owner'], - [0x00040000, 'Write DACL'], - [0x00020000, 'Read Control'], - [0x00010000, 'Delete'] - ]; - // lookupMessageCode returns the string associated with the code. key should - // be the name of the field in evt containing the code (e.g. %%2313). 
- var lookupMessageCode = function (evt, key) { - var code = evt.Get(key); - if (!code) { - return; - } - code = code.replace("%%", ""); - return msobjsMessageTable[code]; - }; - var addEventFields = function(evt){ - var code = evt.Get("event.code"); - if (!code) { - return; - } - var eventActionDescription = eventActionTypes[code][2]; - if (eventActionDescription) { - evt.AppendTo("event.category", eventActionTypes[code][0]); - evt.AppendTo("event.type", eventActionTypes[code][1]); - evt.Put("event.action", eventActionTypes[code][2]); - } - }; - var addLogonType = function(evt) { - var code = evt.Get("winlog.event_data.LogonType"); - if (!code) { - return; - } - var descriptiveLogonType = logonTypes[code]; - if (descriptiveLogonType === undefined) { - return; - } - evt.Put("winlog.logon.type", descriptiveLogonType); - }; - var addFailureCode = function(evt) { - var msg = lookupMessageCode(evt, "winlog.event_data.FailureReason"); - if (!msg) { - return; - } - evt.Put("winlog.logon.failure.reason", msg); - }; - var addFailureStatus = function(evt) { - var code = evt.Get("winlog.event_data.Status"); - if (!code) { - return; - } - var descriptiveFailureStatus = logonFailureStatus[code]; - if (descriptiveFailureStatus === undefined) { - return; - } - evt.Put("winlog.logon.failure.status", descriptiveFailureStatus); - }; - var addFailureSubStatus = function(evt) { - var code = evt.Get("winlog.event_data.SubStatus"); - if (!code) { - return; - } - var descriptiveFailureStatus = logonFailureStatus[code]; - if (descriptiveFailureStatus === undefined) { - return; - } - evt.Put("winlog.logon.failure.sub_status", descriptiveFailureStatus); - }; - var addUACDescription = function(evt) { - var code = evt.Get("winlog.event_data.NewUacValue"); - if (!code) { - return; - } - var uacCode = parseInt(code); - var uacResult = []; - for (var i = 0; i < uacFlags.length; i++) { - if ((uacCode | uacFlags[i][0]) === uacCode) { - uacResult.push(uacFlags[i][1]); - } - } - if (uacResult) { - 
evt.Put("winlog.event_data.NewUACList", uacResult); - } - var uacList = evt.Get("winlog.event_data.UserAccountControl").replace(/\s/g, '').split("%%").filter(String); - if (!uacList) { - return; - } - evt.Put("winlog.event_data.UserAccountControl", uacList); - }; - var addAuditInfo = function(evt) { - var subcategoryGuid = evt.Get("winlog.event_data.SubcategoryGuid").replace("{", '').replace("}", '').toUpperCase(); - if (!subcategoryGuid) { - return; - } - if (!auditDescription[subcategoryGuid]) { - return; - } - evt.Put("winlog.event_data.Category", auditDescription[subcategoryGuid][1]); - evt.Put("winlog.event_data.SubCategory", auditDescription[subcategoryGuid][0]); - var codedActions = evt.Get("winlog.event_data.AuditPolicyChanges").split(","); - var actionResults = []; - for (var j = 0; j < codedActions.length; j++) { - var actionCode = codedActions[j].replace("%%", '').replace(' ', ''); - actionResults.push(msobjsMessageTable[actionCode]); - } - evt.Put("winlog.event_data.AuditPolicyChangesDescription", actionResults); - }; - var addTicketOptionsDescription = function(evt) { - var code = evt.Get("winlog.event_data.TicketOptions"); - if (!code) { - return; - } - var tktCode = parseInt(code, 16).toString(2); - var tktResult = []; - var tktCodeLen = tktCode.length; - for (var i = tktCodeLen; i >= 0; i--) { - if (tktCode[i] == 1) { - tktResult.push(ticketOptions[(32-tktCodeLen)+i]); - } - } - if (tktResult) { - evt.Put("winlog.event_data.TicketOptionsDescription", tktResult); - } - }; - var addTicketEncryptionType = function(evt) { - var code = evt.Get("winlog.event_data.TicketEncryptionType"); - if (!code) { - return; - } - var encTypeCode = code.toLowerCase(); - evt.Put("winlog.event_data.TicketEncryptionTypeDescription", ticketEncryptionTypes[encTypeCode]); - }; - var addTicketStatus = function(evt) { - var code = evt.Get("winlog.event_data.Status"); - if (!code) { - return; - } - evt.Put("winlog.event_data.StatusDescription", kerberosTktStatusCodes[code]); - 
}; - var translateSID = function(sid){ - var translatedSID = accountSIDDescription[sid]; - if (translatedSID == undefined) { - if (/^S\-1\-5\-21/.test(sid)) { - var uid = sid.match(/[0-9]{1,5}$/g); - if (uid) { - translatedSID = domainSpecificSID[uid]; - } - } - } - if (translatedSID == undefined) { - translatedSID = sid; - } - return translatedSID; - } - var translatePermissionMask = function(mask) { - if (!mask) { - return; - } - var permCode = parseInt(mask); - var permResult = []; - for (var i = 0; i < permsFlags.length; i++) { - if ((permCode | permsFlags[i][0]) === permCode) { - permResult.push(permsFlags[i][1]); - } - } - if (permResult) { - return permResult; - } else { - return mask; - } - }; - var translateACL = function(dacl) { - var aceArray = dacl.split(";"); - var aceResult = []; - var aceType = aceArray[0]; - var acePerm = aceArray[2]; - var aceTrustedSid = aceArray[5]; - if (aceTrustedSid) { - aceResult['grantee'] = translateSID(aceTrustedSid); - } - if (aceType) { - aceResult['type'] = aceTypes[aceType]; - } - if (acePerm) { - if (/^0x/.test(acePerm)) { - var perms = translatePermissionMask(acePerm); - } - else { - var perms = [] - var permPairs = acePerm.match(/.{1,2}/g); - for ( var i = 0; i < permPairs.length; i ++) { - perms.push(permissionDescription[permPairs[i]]) - } - } - aceResult['perms'] = perms; - } - return aceResult; - }; - var enrichSDDL = function(evt, sddl) { - var sddlStr = evt.Get(sddl); - if (!sddlStr) { - return; - } - var sdOwner = sddlStr.match(/^O\:[A-Z]{2}/g); - var sdGroup = sddlStr.match(/^G\:[A-Z]{2}/g); - var sdDacl = sddlStr.match(/(D:([A-Z]*(\(.*\))*))/g); - var sdSacl = sddlStr.match(/(S:([A-Z]*(\(.*\))*))?$/g); - if (sdOwner) { - evt.Put(sddl+"Owner", translateSID(sdOwner)); - } - if (sdGroup) { - evt.Put(sddl+"Group", translateSID(sdGroup)); - } - if (sdDacl) { - // Split each entry of the DACL - var daclList = (sdDacl[0]).match(/\([^*\)]*\)/g); - if (daclList) { - for (var i = 0; i < daclList.length; i++) { - var 
newDacl = translateACL(daclList[i].replace("(", '').replace(")", '')); - evt.Put(sddl+"Dacl"+i, newDacl['grantee']+" :"+newDacl['type']+" ("+newDacl['perms']+")"); - if ( newDacl['grantee'] === "Administrator" || newDacl['grantee'] === "Guest" || newDacl['grantee'] === "KRBTGT" ) { - evt.AppendTo('related.user', newDacl['grantee']); - } - } - } - } - if (sdSacl) { - // Split each entry of the SACL - var saclList = (sdSacl[0]).match(/\([^*\)]*\)/g); - if (saclList) { - for (var i = 0; i < saclList.length; i++) { - var newSacl = translateACL(saclList[i].replace("(", '').replace(")", '')); - evt.Put(sddl+"Sacl"+i, newSacl['grantee']+" :"+newSacl['type']+" ("+newSacl['perms']+")"); - if ( newSacl['grantee'] === "Administrator" || newSacl['grantee'] === "Guest" || newSacl['grantee'] === "KRBTGT" ) { - evt.AppendTo('related.user', newSacl['grantee']); - } - } - } - } - }; - - var addSessionData = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.AccountName", to: "user.name"}, - {from: "winlog.event_data.AccountDomain", to: "user.domain"}, - {from: "winlog.event_data.ClientAddress", to: "source.ip", type: "ip"}, - {from: "winlog.event_data.ClientAddress", to: "related.ip", type: "ip"}, - {from: "winlog.event_data.ClientName", to: "source.domain"}, - {from: "winlog.event_data.LogonID", to: "winlog.logon.id"}, - ], - ignore_missing: true, - fail_on_error: false, - }) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.AccountName"); - evt.AppendTo('related.user', user); - }) - .Build(); - var addServiceFields = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.ServiceName", to: "service.name"}, - ], - ignore_missing: true, - }) - .Add(function(evt) { - var code = evt.Get("winlog.event_data.ServiceType"); - if (!code) { - return; - } - evt.Put("service.type", serviceTypes[code]); - }) - .Build(); - var addTrustInformation = new processor.Chain() - .Add(function(evt) { - var code = 
evt.Get("winlog.event_data.TdoType"); - if (!code) { - return; - } - evt.Put("winlog.trustType", trustTypes[code]); - code = evt.Get("winlog.event_data.TdoDirection"); - if (!code) { - return; - } - evt.Put("winlog.trustDirection", trustDirection[code]); - code = evt.Get("winlog.event_data.TdoAttributes"); - if (!code) { - return; - } - evt.Put("winlog.trustAttribute", trustAttributes[code]); - - }) - .Build(); - - var copyTargetUser = function(evt) { - var targetUserId = evt.Get("winlog.event_data.TargetUserSid"); - if (targetUserId) { - if (evt.Get("user.id")) evt.Put("user.target.id", targetUserId); - else evt.Put("user.id", targetUserId); - } - - var targetUserName = evt.Get("winlog.event_data.TargetUserName"); - if (targetUserName) { - if (/.@*/.test(targetUserName)) { - targetUserName = targetUserName.split('@')[0]; - } - - evt.AppendTo("related.user", targetUserName); - if (evt.Get("user.name")) evt.Put("user.target.name", targetUserName); - else evt.Put("user.name", targetUserName); - } - - var targetUserDomain = evt.Get("winlog.event_data.TargetDomainName"); - if (targetUserDomain) { - if (evt.Get("user.domain")) evt.Put("user.target.domain", targetUserDomain); - else evt.Put("user.domain", targetUserDomain); - } - } - - var copyMemberToUser = function(evt) { - var member = evt.Get("winlog.event_data.MemberName"); - if (!member) { - return; - } - - var userName = member.split(',')[0].replace('CN=', '').replace('cn=', ''); - - evt.AppendTo("related.user", userName); - evt.Put("user.target.name", userName); - } - - var copyTargetUserToGroup = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.TargetUserSid", to: "group.id"}, - {from: "winlog.event_data.TargetSid", to: "group.id"}, - {from: "winlog.event_data.TargetUserName", to: "group.name"}, - {from: "winlog.event_data.TargetDomainName", to: "group.domain"}, - ], - ignore_missing: true, - }).Add(function(evt) { - if (!evt.Get("user.target")) return; - evt.Put("user.target.group.id", 
evt.Get("group.id")); - evt.Put("user.target.group.name", evt.Get("group.name")); - evt.Put("user.target.group.domain", evt.Get("group.domain")); - }) - .Build(); - var copyTargetUserToComputerObject = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.TargetSid", to: "winlog.computerObject.id"}, - {from: "winlog.event_data.TargetUserName", to: "winlog.computerObject.name"}, - {from: "winlog.event_data.TargetDomainName", to: "winlog.computerObject.domain"}, - ], - ignore_missing: true, - }) - .Build(); - var copyTargetUserLogonId = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.TargetLogonId", to: "winlog.logon.id"}, - ], - ignore_missing: true, - }) - .Build(); - var copySubjectUser = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.SubjectUserSid", to: "user.id"}, - {from: "winlog.event_data.SubjectUserName", to: "user.name"}, - {from: "winlog.event_data.SubjectDomainName", to: "user.domain"}, - ], - ignore_missing: true, - }) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.SubjectUserName"); - evt.AppendTo('related.user', user); - }) - .Build(); - var copySubjectUserFromUserData = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.user_data.SubjectUserSid", to: "user.id"}, - {from: "winlog.user_data.SubjectUserName", to: "user.name"}, - {from: "winlog.user_data.SubjectDomainName", to: "user.domain"}, - ], - ignore_missing: true, - }) - .Add(function(evt) { - var user = evt.Get("winlog.user_data.SubjectUserName"); - evt.AppendTo('related.user', user); - }) - .Build(); - var copySubjectUserLogonId = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.SubjectLogonId", to: "winlog.logon.id"}, - ], - ignore_missing: true, - }) - .Build(); - var copySubjectUserLogonIdFromUserData = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.user_data.SubjectLogonId", to: "winlog.logon.id"}, - ], - ignore_missing: true, - }) - .Build(); - 
var renameCommonAuthFields = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"}, - {from: "winlog.event_data.ProcessName", to: "process.executable"}, - {from: "winlog.event_data.IpAddress", to: "source.ip", type: "ip"}, - {from: "winlog.event_data.ClientAddress", to: "related.ip", type: "ip"}, - {from: "winlog.event_data.IpPort", to: "source.port", type: "long"}, - {from: "winlog.event_data.WorkstationName", to: "source.domain"}, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(function(evt) { - var name = evt.Get("process.name"); - if (name) { - return; - } - var exe = evt.Get("process.executable"); - if (!exe) { - return; - } - evt.Put("process.name", path.basename(exe)); - }) - .Build(); - var renameNewProcessFields = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.NewProcessId", to: "process.pid", type: "long"}, - {from: "winlog.event_data.NewProcessName", to: "process.executable"}, - {from: "winlog.event_data.ParentProcessName", to: "process.parent.executable"} - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(function(evt) { - var name = evt.Get("process.name"); - if (name) { - return; - } - var exe = evt.Get("process.executable"); - if (!exe) { - return; - } - evt.Put("process.name", path.basename(exe)); - }) - .Add(function(evt) { - var name = evt.Get("process.parent.name"); - if (name) { - return; - } - var exe = evt.Get("process.parent.executable"); - if (!exe) { - return; - } - evt.Put("process.parent.name", path.basename(exe)); - }) - .Add(function(evt) { - var cl = evt.Get("winlog.event_data.CommandLine"); - if (!cl) { - return; - } - evt.Put("process.args", windows.splitCommandLine(cl)); - evt.Put("process.command_line", cl); - }) - .Build(); - // Handles 4634 and 4647. 
- var logoff = new processor.Chain() - .Add(copyTargetUser) - .Add(copyTargetUserLogonId) - .Add(addLogonType) - .Add(addEventFields) - .Build(); - // Handles both 4624 - var logonSuccess = new processor.Chain() - .Add(copyTargetUser) - .Add(copyTargetUserLogonId) - .Add(addLogonType) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.SubjectUserName"); - if (user) { - var res = /^-$/.test(user); - if (!res) { - evt.AppendTo('related.user', user); - } - } - }) - .Build(); - // Handles both 4648 - var event4648 = new processor.Chain() - .Add(copyTargetUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.SubjectUserName"); - if (user) { - var res = /^-$/.test(user); - if (!res) { - evt.AppendTo('related.user', user); - } - } - }) - .Build(); - var event4625 = new processor.Chain() - .Add(copyTargetUser) - .Add(copySubjectUserLogonId) - .Add(addLogonType) - .Add(addFailureCode) - .Add(addFailureStatus) - .Add(addFailureSubStatus) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Build(); - var event4672 = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(function(evt) { - var privs = evt.Get("winlog.event_data.PrivilegeList"); - if (!privs) { - return; - } - evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/)); - }) - .Add(addEventFields) - .Build(); - var event4688 = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameNewProcessFields) - .Add(addEventFields) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.TargetUserName"); - if (user) { - var res = /^-$/.test(user); - if (!res) { - evt.AppendTo('related.user', user); - } - } - }) - .Build(); - var event4689 = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Build(); - 
var event4697 = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addServiceFields) - .Add(addEventFields) - .Build(); - var userMgmtEvts = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addUACDescription) - .Add(addEventFields) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.TargetUserName"); - evt.AppendTo('related.user', user); - }) - .Build(); - var userRenamed = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(addEventFields) - .Add(function(evt) { - var userNew = evt.Get("winlog.event_data.NewTargetUserName"); - evt.AppendTo('related.user', userNew); - var userOld = evt.Get("winlog.event_data.OldTargetUserName"); - evt.AppendTo('related.user', userOld); - }) - .Build(); - var groupMgmtEvts = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(copyMemberToUser) - .Add(copyTargetUserToGroup) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Build(); - var auditLogCleared = new processor.Chain() - .Add(copySubjectUserFromUserData) - .Add(copySubjectUserLogonIdFromUserData) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Build(); - var auditChanged = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addAuditInfo) - .Add(addEventFields) - .Build(); - var auditLogMgmt = new processor.Chain() - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Build(); - var computerMgmtEvts = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(copyTargetUserToComputerObject) - .Add(renameCommonAuthFields) - .Add(addUACDescription) - .Add(addEventFields) - .Add(function(evt) { - var privs = evt.Get("winlog.event_data.PrivilegeList"); - if (!privs) { - return; - } - evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/)); - }) - .Build(); - var 
sessionEvts = new processor.Chain() - .Add(addSessionData) - .Add(addEventFields) - .Build(); - var event4964 = new processor.Chain() - .Add(copyTargetUser) - .Add(copyTargetUserLogonId) - .Add(addEventFields) - .Build(); - var kerberosTktEvts = new processor.Chain() - .Add(copyTargetUser) - .Add(renameCommonAuthFields) - .Add(addTicketOptionsDescription) - .Add(addTicketEncryptionType) - .Add(addTicketStatus) - .Add(addEventFields) - .Add(function(evt) { - var ip = evt.Get("source.ip"); - if (ip) { - if (/::ffff:/.test(ip)) { - evt.Put("source.ip", ip.replace("::ffff:", "")); - evt.AppendTo("related.ip", ip.replace("::ffff:", "")); - } - } - }) - .Build(); - var event4776 = new processor.Chain() - .Add(copyTargetUser) - .Add(addFailureStatus) - .Add(addEventFields) - .Build(); - var scheduledTask = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(addEventFields) - .Build(); - var sensitivePrivilege = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Add(function(evt) { - var privs = evt.Get("winlog.event_data.PrivilegeList"); - if (!privs) { - return; - } - evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/)); - }) - .Add(function(evt){ - var maskCodes = evt.Get("winlog.event_data.AccessMask"); - if (!maskCodes) { - return; - } - var maskList = maskCodes.replace(/\s+/g, '').split("%%").filter(String); - evt.Put("winlog.event_data.AccessMask", maskList); - var maskResults = []; - for (var j = 0; j < maskList.length; j++) { - var description = msobjsMessageTable[maskList[j]]; - if (description === undefined) { - return; - } - maskResults.push(description); - } - evt.Put("winlog.event_data.AccessMaskDescription", maskResults); - }) - .Build(); - - var trustDomainMgmtEvts = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(addEventFields) - .Add(addTrustInformation) - .Build(); - - var policyChange = new 
processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(addEventFields) - .Build(); - - var objectPolicyChange = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Add(function(evt) { - var oldSd = evt.Get("winlog.event_data.OldSd"); - var newSd = evt.Get("winlog.event_data.NewSd"); - if (oldSd) { - enrichSDDL(evt, "winlog.event_data.OldSd"); - } - if (newSd) { - enrichSDDL(evt, "winlog.event_data.NewSd"); - } - }) - .Build(); - - var genericAuditChange = new processor.Chain() - .Add(addEventFields) - .Build(); - - var event4908 = new processor.Chain() - .Add(addEventFields) - .Add(function(evt) { - var sids = evt.Get("winlog.event_data.SidList"); - if (!sids) { - return; - } - var sidList = sids.split(/\s+/); - evt.Put("winlog.event_data.SidList", sids.split(/\s+/)); - var sidListDesc = []; - for (var i = 0; i < sidList.length; i++) { - var sidTemp = sidList[i].replace("%", "").replace("{", "").replace("}", "").replace(" ",""); - if (sidTemp) { - sidListDesc.push(translateSID(sidTemp)); - } - } - evt.Put("winlog.event_data.SidListDesc", sidListDesc); - }) - .Build(); - - var securityEventSource = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Build(); - - return { - // 1100 - The event logging service has shut down. - 1100: auditLogMgmt.Run, - // 1102 - The audit log was cleared. - 1102: auditLogCleared.Run, - // 1104 - The security log is now full. - 1104: auditLogMgmt.Run, - // 1105 - Event log automatic backup. - 1105: auditLogMgmt.Run, - // 1108 - The event logging service encountered an error while processing an incoming event published from %1 - 1108: auditLogMgmt.Run, - // 4624 - An account was successfully logged on. - 4624: logonSuccess.Run, - // 4625 - An account failed to log on. - 4625: event4625.Run, - // 4634 - An account was logged off. 
- 4634: logoff.Run, - // 4647 - User initiated logoff. - 4647: logoff.Run, - // 4648 - A logon was attempted using explicit credentials. - 4648: event4648.Run, - // 4670 - Permissions on an object were changed. - 4670: objectPolicyChange.Run, - // 4672 - Special privileges assigned to new logon. - 4672: event4672.Run, - // 4673 - A privileged service was called. - 4673: sensitivePrivilege.Run, - // 4674 - An operation was attempted on a privileged object. - 4674: sensitivePrivilege.Run, - // 4688 - A new process has been created. - 4688: event4688.Run, - // 4689 - A process has exited. - 4689: event4689.Run, - // 4697 - A service was installed in the system. - 4697: event4697.Run, - // 4698 - A scheduled task was created. - 4698: scheduledTask.Run, - // 4699 - A scheduled task was deleted. - 4699: scheduledTask.Run, - // 4700 - A scheduled task was enabled. - 4700: scheduledTask.Run, - // 4701 - A scheduled task was disabled. - 4701: scheduledTask.Run, - // 4702 - A scheduled task was updated. - 4702: scheduledTask.Run, - // 4706 - A new trust was created to a domain. - 4706: trustDomainMgmtEvts.Run, - // 4707 - A trust to a domain was removed. - 4707: trustDomainMgmtEvts.Run, - // 4713 - Kerberos policy was changed. - 4713: policyChange.Run, - // 4716 - Trusted domain information was modified. - 4716: trustDomainMgmtEvts.Run, - // 4717 - System security access was granted to an account. - 4717: policyChange.Run, - // 4718 - System security access was removed from an account. - 4718: policyChange.Run, - // 4719 - System audit policy was changed. - 4719: auditChanged.Run, - // 4720 - A user account was created - 4720: userMgmtEvts.Run, - // 4722 - A user account was enabled - 4722: userMgmtEvts.Run, - // 4723 - An attempt was made to change an account's password - 4723: userMgmtEvts.Run, - // 4724 - An attempt was made to reset an account's password - 4724: userMgmtEvts.Run, - // 4725 - A user account was disabled. 
- 4725: userMgmtEvts.Run, - // 4726 - An user account was deleted. - 4726: userMgmtEvts.Run, - // 4727 - A security-enabled global group was created. - 4727: groupMgmtEvts.Run, - // 4728 - A member was added to a security-enabled global group. - 4728: groupMgmtEvts.Run, - // 4729 - A member was removed from a security-enabled global group. - 4729: groupMgmtEvts.Run, - // 4730 - A security-enabled global group was deleted. - 4730: groupMgmtEvts.Run, - // 4731 - A security-enabled local group was created. - 4731: groupMgmtEvts.Run, - // 4732 - A member was added to a security-enabled local group. - 4732: groupMgmtEvts.Run, - // 4733 - A member was removed from a security-enabled local group. - 4733: groupMgmtEvts.Run, - // 4734 - A security-enabled local group was deleted. - 4734: groupMgmtEvts.Run, - // 4735 - A security-enabled local group was changed. - 4735: groupMgmtEvts.Run, - // 4737 - A security-enabled global group was changed. - 4737: groupMgmtEvts.Run, - // 4739 - A security-enabled global group was changed. - 4739: policyChange.Run, - // 4738 - An user account was changed. - 4738: userMgmtEvts.Run, - // 4740 - An account was locked out - 4740: userMgmtEvts.Run, - // 4741 - A computer account was created. - 4741: computerMgmtEvts.Run, - // 4742 - A computer account was changed. - 4742: computerMgmtEvts.Run, - // 4743 - A computer account was deleted. - 4743: computerMgmtEvts.Run, - // 4744 - A security-disabled local group was created. - 4744: groupMgmtEvts.Run, - // 4745 - A security-disabled local group was changed. - 4745: groupMgmtEvts.Run, - // 4746 - A member was added to a security-disabled local group. - 4746: groupMgmtEvts.Run, - // 4747 - A member was removed from a security-disabled local group. - 4747: groupMgmtEvts.Run, - // 4748 - A security-disabled local group was deleted. - 4748: groupMgmtEvts.Run, - // 4749 - A security-disabled global group was created. - 4749: groupMgmtEvts.Run, - // 4750 - A security-disabled global group was changed. 
- 4750: groupMgmtEvts.Run, - // 4751 - A member was added to a security-disabled global group. - 4751: groupMgmtEvts.Run, - // 4752 - A member was removed from a security-disabled global group. - 4752: groupMgmtEvts.Run, - // 4753 - A security-disabled global group was deleted. - 4753: groupMgmtEvts.Run, - // 4754 - A security-enabled universal group was created. - 4754: groupMgmtEvts.Run, - // 4755 - A security-enabled universal group was changed. - 4755: groupMgmtEvts.Run, - // 4756 - A member was added to a security-enabled universal group. - 4756: groupMgmtEvts.Run, - // 4757 - A member was removed from a security-enabled universal group. - 4757: groupMgmtEvts.Run, - // 4758 - A security-enabled universal group was deleted. - 4758: groupMgmtEvts.Run, - // 4759 - A security-disabled universal group was created. - 4759: groupMgmtEvts.Run, - // 4760 - A security-disabled universal group was changed. - 4760: groupMgmtEvts.Run, - // 4761 - A member was added to a security-disabled universal group. - 4761: groupMgmtEvts.Run, - // 4762 - A member was removed from a security-disabled universal group. - 4762: groupMgmtEvts.Run, - // 4763 - A security-disabled global group was deleted. - 4763: groupMgmtEvts.Run, - // 4764 - A group\'s type was changed. - 4764: groupMgmtEvts.Run, - // 4767 - A user account was unlocked. - 4767: userMgmtEvts.Run, - // 4768 - A Kerberos authentication ticket TGT was requested. - 4768: kerberosTktEvts.Run, - // 4769 - A Kerberos service ticket was requested. - 4769: kerberosTktEvts.Run, - // 4770 - A Kerberos service ticket was renewed. - 4770: kerberosTktEvts.Run, - // 4771 - Kerberos pre-authentication failed. - 4771: kerberosTktEvts.Run, - // 4776 - The computer attempted to validate the credentials for an account. - 4776: event4776.Run, - // 4778 - A session was reconnected to a Window Station. - 4778: sessionEvts.Run, - // 4779 - A session was disconnected from a Window Station. 
- 4779: sessionEvts.Run, - // 4781 - The name of an account was changed. - 4781: userRenamed.Run, - // 4798 - A user's local group membership was enumerated. - 4798: userMgmtEvts.Run, - // 4799 - A security-enabled local group membership was enumerated. - 4799: groupMgmtEvts.Run, - // 4817 - Auditing settings on object were changed. - 4817: objectPolicyChange.Run, - // 4902 - The Per-user audit policy table was created. - 4902: genericAuditChange.Run, - // 4904 - An attempt was made to register a security event source. - 4904: securityEventSource.Run, - // 4905 - An attempt was made to unregister a security event source. - 4905: securityEventSource.Run, - // 4906 - The CrashOnAuditFail value has changed. - 4906: genericAuditChange.Run, - // 4907 - Auditing settings on object were changed. - 4907: objectPolicyChange.Run, - // 4908 - Special Groups Logon table modified. - 4908: event4908.Run, - // 4912 - Per User Audit Policy was changed. - 4912: auditChanged.Run, - // 4964 - Special groups have been assigned to a new logon. - 4964: event4964.Run, - process: function(evt) { - var eventId = evt.Get("winlog.event_id"); - var processor = this[eventId]; - if (processor === undefined) { - return; - } - evt.Put("event.module", "security"); - processor(evt); - }, - }; - })(); - function process(evt) { - return security.process(evt); - } - - - script: - when.equals.winlog.channel: Microsoft-Windows-Sysmon/Operational - lang: javascript - id: sysmon - source: |- - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - - // Polyfill for String startsWith. - if (!String.prototype.startsWith) { - Object.defineProperty(String.prototype, "startsWith", { - value: function (search, pos) { - pos = !pos || pos < 0 ? 
0 : +pos; - return this.substring(pos, pos + search.length) === search; - }, - }); - } - - var sysmon = (function () { - var path = require("path"); - var processor = require("processor"); - var windows = require("windows"); - var net = require("net"); - - // Windows error codes for DNS. This list was generated using - // 'go run gen_dns_error_codes.go'. - var dnsQueryStatusCodes = { - "0": "SUCCESS", - "5": "ERROR_ACCESS_DENIED", - "8": "ERROR_NOT_ENOUGH_MEMORY", - "13": "ERROR_INVALID_DATA", - "14": "ERROR_OUTOFMEMORY", - "123": "ERROR_INVALID_NAME", - "1214": "ERROR_INVALID_NETNAME", - "1223": "ERROR_CANCELLED", - "1460": "ERROR_TIMEOUT", - "4312": "ERROR_OBJECT_NOT_FOUND", - "9001": "DNS_ERROR_RCODE_FORMAT_ERROR", - "9002": "DNS_ERROR_RCODE_SERVER_FAILURE", - "9003": "DNS_ERROR_RCODE_NAME_ERROR", - "9004": "DNS_ERROR_RCODE_NOT_IMPLEMENTED", - "9005": "DNS_ERROR_RCODE_REFUSED", - "9006": "DNS_ERROR_RCODE_YXDOMAIN", - "9007": "DNS_ERROR_RCODE_YXRRSET", - "9008": "DNS_ERROR_RCODE_NXRRSET", - "9009": "DNS_ERROR_RCODE_NOTAUTH", - "9010": "DNS_ERROR_RCODE_NOTZONE", - "9016": "DNS_ERROR_RCODE_BADSIG", - "9017": "DNS_ERROR_RCODE_BADKEY", - "9018": "DNS_ERROR_RCODE_BADTIME", - "9101": "DNS_ERROR_KEYMASTER_REQUIRED", - "9102": "DNS_ERROR_NOT_ALLOWED_ON_SIGNED_ZONE", - "9103": "DNS_ERROR_NSEC3_INCOMPATIBLE_WITH_RSA_SHA1", - "9104": "DNS_ERROR_NOT_ENOUGH_SIGNING_KEY_DESCRIPTORS", - "9105": "DNS_ERROR_UNSUPPORTED_ALGORITHM", - "9106": "DNS_ERROR_INVALID_KEY_SIZE", - "9107": "DNS_ERROR_SIGNING_KEY_NOT_ACCESSIBLE", - "9108": "DNS_ERROR_KSP_DOES_NOT_SUPPORT_PROTECTION", - "9109": "DNS_ERROR_UNEXPECTED_DATA_PROTECTION_ERROR", - "9110": "DNS_ERROR_UNEXPECTED_CNG_ERROR", - "9111": "DNS_ERROR_UNKNOWN_SIGNING_PARAMETER_VERSION", - "9112": "DNS_ERROR_KSP_NOT_ACCESSIBLE", - "9113": "DNS_ERROR_TOO_MANY_SKDS", - "9114": "DNS_ERROR_INVALID_ROLLOVER_PERIOD", - "9115": "DNS_ERROR_INVALID_INITIAL_ROLLOVER_OFFSET", - "9116": "DNS_ERROR_ROLLOVER_IN_PROGRESS", - "9117": 
"DNS_ERROR_STANDBY_KEY_NOT_PRESENT",
- "9118": "DNS_ERROR_NOT_ALLOWED_ON_ZSK",
- "9119": "DNS_ERROR_NOT_ALLOWED_ON_ACTIVE_SKD",
- "9120": "DNS_ERROR_ROLLOVER_ALREADY_QUEUED",
- "9121": "DNS_ERROR_NOT_ALLOWED_ON_UNSIGNED_ZONE",
- "9122": "DNS_ERROR_BAD_KEYMASTER",
- "9123": "DNS_ERROR_INVALID_SIGNATURE_VALIDITY_PERIOD",
- "9124": "DNS_ERROR_INVALID_NSEC3_ITERATION_COUNT",
- "9125": "DNS_ERROR_DNSSEC_IS_DISABLED",
- "9126": "DNS_ERROR_INVALID_XML",
- "9127": "DNS_ERROR_NO_VALID_TRUST_ANCHORS",
- "9128": "DNS_ERROR_ROLLOVER_NOT_POKEABLE",
- "9129": "DNS_ERROR_NSEC3_NAME_COLLISION",
- "9130": "DNS_ERROR_NSEC_INCOMPATIBLE_WITH_NSEC3_RSA_SHA1",
- "9501": "DNS_INFO_NO_RECORDS",
- "9502": "DNS_ERROR_BAD_PACKET",
- "9503": "DNS_ERROR_NO_PACKET",
- "9504": "DNS_ERROR_RCODE",
- "9505": "DNS_ERROR_UNSECURE_PACKET",
- "9506": "DNS_REQUEST_PENDING",
- "9551": "DNS_ERROR_INVALID_TYPE",
- "9552": "DNS_ERROR_INVALID_IP_ADDRESS",
- "9553": "DNS_ERROR_INVALID_PROPERTY",
- "9554": "DNS_ERROR_TRY_AGAIN_LATER",
- "9555": "DNS_ERROR_NOT_UNIQUE",
- "9556": "DNS_ERROR_NON_RFC_NAME",
- "9557": "DNS_STATUS_FQDN",
- "9558": "DNS_STATUS_DOTTED_NAME",
- "9559": "DNS_STATUS_SINGLE_PART_NAME",
- "9560": "DNS_ERROR_INVALID_NAME_CHAR",
- "9561": "DNS_ERROR_NUMERIC_NAME",
- "9562": "DNS_ERROR_NOT_ALLOWED_ON_ROOT_SERVER",
- "9563": "DNS_ERROR_NOT_ALLOWED_UNDER_DELEGATION",
- "9564": "DNS_ERROR_CANNOT_FIND_ROOT_HINTS",
- "9565": "DNS_ERROR_INCONSISTENT_ROOT_HINTS",
- "9566": "DNS_ERROR_DWORD_VALUE_TOO_SMALL",
- "9567": "DNS_ERROR_DWORD_VALUE_TOO_LARGE",
- "9568": "DNS_ERROR_BACKGROUND_LOADING",
- "9569": "DNS_ERROR_NOT_ALLOWED_ON_RODC",
- "9570": "DNS_ERROR_NOT_ALLOWED_UNDER_DNAME",
- "9571": "DNS_ERROR_DELEGATION_REQUIRED",
- "9572": "DNS_ERROR_INVALID_POLICY_TABLE",
- "9573": "DNS_ERROR_ADDRESS_REQUIRED",
- "9601": "DNS_ERROR_ZONE_DOES_NOT_EXIST",
- "9602": "DNS_ERROR_NO_ZONE_INFO",
- "9603": "DNS_ERROR_INVALID_ZONE_OPERATION",
- "9604": "DNS_ERROR_ZONE_CONFIGURATION_ERROR",
- "9605": "DNS_ERROR_ZONE_HAS_NO_SOA_RECORD",
- "9606": "DNS_ERROR_ZONE_HAS_NO_NS_RECORDS",
- "9607": "DNS_ERROR_ZONE_LOCKED",
- "9608": "DNS_ERROR_ZONE_CREATION_FAILED",
- "9609": "DNS_ERROR_ZONE_ALREADY_EXISTS",
- "9610": "DNS_ERROR_AUTOZONE_ALREADY_EXISTS",
- "9611": "DNS_ERROR_INVALID_ZONE_TYPE",
- "9612": "DNS_ERROR_SECONDARY_REQUIRES_MASTER_IP",
- "9613": "DNS_ERROR_ZONE_NOT_SECONDARY",
- "9614": "DNS_ERROR_NEED_SECONDARY_ADDRESSES",
- "9615": "DNS_ERROR_WINS_INIT_FAILED",
- "9616": "DNS_ERROR_NEED_WINS_SERVERS",
- "9617": "DNS_ERROR_NBSTAT_INIT_FAILED",
- "9618": "DNS_ERROR_SOA_DELETE_INVALID",
- "9619": "DNS_ERROR_FORWARDER_ALREADY_EXISTS",
- "9620": "DNS_ERROR_ZONE_REQUIRES_MASTER_IP",
- "9621": "DNS_ERROR_ZONE_IS_SHUTDOWN",
- "9622": "DNS_ERROR_ZONE_LOCKED_FOR_SIGNING",
- "9651": "DNS_ERROR_PRIMARY_REQUIRES_DATAFILE",
- "9652": "DNS_ERROR_INVALID_DATAFILE_NAME",
- "9653": "DNS_ERROR_DATAFILE_OPEN_FAILURE",
- "9654": "DNS_ERROR_FILE_WRITEBACK_FAILED",
- "9655": "DNS_ERROR_DATAFILE_PARSING",
- "9701": "DNS_ERROR_RECORD_DOES_NOT_EXIST",
- "9702": "DNS_ERROR_RECORD_FORMAT",
- "9703": "DNS_ERROR_NODE_CREATION_FAILED",
- "9704": "DNS_ERROR_UNKNOWN_RECORD_TYPE",
- "9705": "DNS_ERROR_RECORD_TIMED_OUT",
- "9706": "DNS_ERROR_NAME_NOT_IN_ZONE",
- "9707": "DNS_ERROR_CNAME_LOOP",
- "9708": "DNS_ERROR_NODE_IS_CNAME",
- "9709": "DNS_ERROR_CNAME_COLLISION",
- "9710": "DNS_ERROR_RECORD_ONLY_AT_ZONE_ROOT",
- "9711": "DNS_ERROR_RECORD_ALREADY_EXISTS",
- "9712": "DNS_ERROR_SECONDARY_DATA",
- "9713": "DNS_ERROR_NO_CREATE_CACHE_DATA",
- "9714": "DNS_ERROR_NAME_DOES_NOT_EXIST",
- "9715": "DNS_WARNING_PTR_CREATE_FAILED",
- "9716": "DNS_WARNING_DOMAIN_UNDELETED",
- "9717": "DNS_ERROR_DS_UNAVAILABLE",
- "9718": "DNS_ERROR_DS_ZONE_ALREADY_EXISTS",
- "9719": "DNS_ERROR_NO_BOOTFILE_IF_DS_ZONE",
- "9720": "DNS_ERROR_NODE_IS_DNAME",
- "9721": "DNS_ERROR_DNAME_COLLISION",
- "9722": "DNS_ERROR_ALIAS_LOOP",
- "9751": "DNS_INFO_AXFR_COMPLETE",
- "9752": "DNS_ERROR_AXFR",
- "9753": "DNS_INFO_ADDED_LOCAL_WINS",
- "9801": "DNS_STATUS_CONTINUE_NEEDED",
- "9851": "DNS_ERROR_NO_TCPIP",
- "9852": "DNS_ERROR_NO_DNS_SERVERS",
- "9901": "DNS_ERROR_DP_DOES_NOT_EXIST",
- "9902": "DNS_ERROR_DP_ALREADY_EXISTS",
- "9903": "DNS_ERROR_DP_NOT_ENLISTED",
- "9904": "DNS_ERROR_DP_ALREADY_ENLISTED",
- "9905": "DNS_ERROR_DP_NOT_AVAILABLE",
- "9906": "DNS_ERROR_DP_FSMO_ERROR",
- "9911": "DNS_ERROR_RRL_NOT_ENABLED",
- "9912": "DNS_ERROR_RRL_INVALID_WINDOW_SIZE",
- "9913": "DNS_ERROR_RRL_INVALID_IPV4_PREFIX",
- "9914": "DNS_ERROR_RRL_INVALID_IPV6_PREFIX",
- "9915": "DNS_ERROR_RRL_INVALID_TC_RATE",
- "9916": "DNS_ERROR_RRL_INVALID_LEAK_RATE",
- "9917": "DNS_ERROR_RRL_LEAK_RATE_LESSTHAN_TC_RATE",
- "9921": "DNS_ERROR_VIRTUALIZATION_INSTANCE_ALREADY_EXISTS",
- "9922": "DNS_ERROR_VIRTUALIZATION_INSTANCE_DOES_NOT_EXIST",
- "9923": "DNS_ERROR_VIRTUALIZATION_TREE_LOCKED",
- "9924": "DNS_ERROR_INVAILD_VIRTUALIZATION_INSTANCE_NAME",
- "9925": "DNS_ERROR_DEFAULT_VIRTUALIZATION_INSTANCE",
- "9951": "DNS_ERROR_ZONESCOPE_ALREADY_EXISTS",
- "9952": "DNS_ERROR_ZONESCOPE_DOES_NOT_EXIST",
- "9953": "DNS_ERROR_DEFAULT_ZONESCOPE",
- "9954": "DNS_ERROR_INVALID_ZONESCOPE_NAME",
- "9955": "DNS_ERROR_NOT_ALLOWED_WITH_ZONESCOPES",
- "9956": "DNS_ERROR_LOAD_ZONESCOPE_FAILED",
- "9957": "DNS_ERROR_ZONESCOPE_FILE_WRITEBACK_FAILED",
- "9958": "DNS_ERROR_INVALID_SCOPE_NAME",
- "9959": "DNS_ERROR_SCOPE_DOES_NOT_EXIST",
- "9960": "DNS_ERROR_DEFAULT_SCOPE",
- "9961": "DNS_ERROR_INVALID_SCOPE_OPERATION",
- "9962": "DNS_ERROR_SCOPE_LOCKED",
- "9963": "DNS_ERROR_SCOPE_ALREADY_EXISTS",
- "9971": "DNS_ERROR_POLICY_ALREADY_EXISTS",
- "9972": "DNS_ERROR_POLICY_DOES_NOT_EXIST",
- "9973": "DNS_ERROR_POLICY_INVALID_CRITERIA",
- "9974": "DNS_ERROR_POLICY_INVALID_SETTINGS",
- "9975": "DNS_ERROR_CLIENT_SUBNET_IS_ACCESSED",
- "9976": "DNS_ERROR_CLIENT_SUBNET_DOES_NOT_EXIST",
- "9977": "DNS_ERROR_CLIENT_SUBNET_ALREADY_EXISTS",
- "9978": "DNS_ERROR_SUBNET_DOES_NOT_EXIST",
- "9979": "DNS_ERROR_SUBNET_ALREADY_EXISTS",
- "9980": "DNS_ERROR_POLICY_LOCKED",
- "9981": "DNS_ERROR_POLICY_INVALID_WEIGHT",
- "9982": "DNS_ERROR_POLICY_INVALID_NAME",
- "9983": "DNS_ERROR_POLICY_MISSING_CRITERIA",
- "9984": "DNS_ERROR_INVALID_CLIENT_SUBNET_NAME",
- "9985": "DNS_ERROR_POLICY_PROCESSING_ORDER_INVALID",
- "9986": "DNS_ERROR_POLICY_SCOPE_MISSING",
- "9987": "DNS_ERROR_POLICY_SCOPE_NOT_ALLOWED",
- "9988": "DNS_ERROR_SERVERSCOPE_IS_REFERENCED",
- "9989": "DNS_ERROR_ZONESCOPE_IS_REFERENCED",
- "9990": "DNS_ERROR_POLICY_INVALID_CRITERIA_CLIENT_SUBNET",
- "9991": "DNS_ERROR_POLICY_INVALID_CRITERIA_TRANSPORT_PROTOCOL",
- "9992": "DNS_ERROR_POLICY_INVALID_CRITERIA_NETWORK_PROTOCOL",
- "9993": "DNS_ERROR_POLICY_INVALID_CRITERIA_INTERFACE",
- "9994": "DNS_ERROR_POLICY_INVALID_CRITERIA_FQDN",
- "9995": "DNS_ERROR_POLICY_INVALID_CRITERIA_QUERY_TYPE",
- "9996": "DNS_ERROR_POLICY_INVALID_CRITERIA_TIME_OF_DAY",
- "10054": "WSAECONNRESET",
- "10055": "WSAENOBUFS",
- "10060": "WSAETIMEDOUT",
- };
-
- // Windows DNS record type constants.
- // https://docs.microsoft.com/en-us/windows/win32/dns/dns-constants
- var dnsRecordTypes = {
- "1": "A",
- "2": "NS",
- "3": "MD",
- "4": "MF",
- "5": "CNAME",
- "6": "SOA",
- "7": "MB",
- "8": "MG",
- "9": "MR",
- "10": "NULL",
- "11": "WKS",
- "12": "PTR",
- "13": "HINFO",
- "14": "MINFO",
- "15": "MX",
- "16": "TXT",
- "17": "RP",
- "18": "AFSDB",
- "19": "X25",
- "20": "ISDN",
- "21": "RT",
- "22": "NSAP",
- "23": "NSAPPTR",
- "24": "SIG",
- "25": "KEY",
- "26": "PX",
- "27": "GPOS",
- "28": "AAAA",
- "29": "LOC",
- "30": "NXT",
- "31": "EID",
- "32": "NIMLOC",
- "33": "SRV",
- "34": "ATMA",
- "35": "NAPTR",
- "36": "KX",
- "37": "CERT",
- "38": "A6",
- "39": "DNAME",
- "40": "SINK",
- "41": "OPT",
- "43": "DS",
- "46": "RRSIG",
- "47": "NSEC",
- "48": "DNSKEY",
- "49": "DHCID",
- "100": "UINFO",
- "101": "UID",
- "102": "GID",
- "103": "UNSPEC",
- "248": "ADDRS",
- "249": "TKEY",
- "250": "TSIG",
- "251": "IXFR",
- "252": "AXFR",
- "253": "MAILB",
- "254": "MAILA",
- "255": "ANY",
- "65281": "WINS",
- "65282": "WINSR",
- };
-
- var setProcessNameUsingExe = function (evt) {
- setProcessNameFromPath(evt, "process.executable", "process.name");
- };
-
- var setParentProcessNameUsingExe = function (evt) {
- setProcessNameFromPath(
- evt,
- "process.parent.executable",
- "process.parent.name"
- );
- };
-
- var setProcessNameFromPath = function (evt, pathField, nameField) {
- var name = evt.Get(nameField);
- if (name) {
- return;
- }
- var exe = evt.Get(pathField);
- if (!exe) {
- return;
- }
- evt.Put(nameField, path.basename(exe));
- };
-
- var splitCommandLine = function (evt, source, target) {
- var commandLine = evt.Get(source);
- if (!commandLine) {
- return;
- }
- evt.Put(target, windows.splitCommandLine(commandLine));
- };
-
- var splitProcessArgs = function (evt) {
- splitCommandLine(evt, "process.command_line", "process.args");
- };
-
- var splitParentProcessArgs = function (evt) {
- splitCommandLine(
- evt,
- "process.parent.command_line",
- "process.parent.args"
- );
- };
-
- var addUser = function (evt) {
- var id = evt.Get("winlog.user.identifier");
- if (id) {
- evt.Put("user.id", id);
- }
- var userParts = evt.Get("winlog.event_data.User");
- if (!userParts) {
- return;
- }
- userParts = userParts.split("\\");
- if (userParts.length === 2) {
- evt.Put("user.domain", userParts[0]);
- evt.Put("user.name", userParts[1]);
- evt.AppendTo("related.user", userParts[1]);
- evt.Delete("winlog.event_data.User");
- }
- };
-
- var setRuleName = function (evt) {
- var ruleName = evt.Get("winlog.event_data.RuleName");
- if (!ruleName || ruleName === "-") {
- return;
- }
-
- evt.Put("rule.name", ruleName);
- evt.Delete("winlog.event_data.RuleName");
- };
-
- var addNetworkDirection = function (evt) {
- switch (evt.Get("winlog.event_data.Initiated")) {
- case "true":
- evt.Put("network.direction", "egress");
- break;
- case "false":
- evt.Put("network.direction", "ingress");
- break;
- }
- evt.Delete("winlog.event_data.Initiated");
- };
-
- var addNetworkType = function (evt) {
- switch (evt.Get("winlog.event_data.SourceIsIpv6")) {
- case "true":
- evt.Put("network.type", "ipv6");
- break;
- case "false":
- evt.Put("network.type", "ipv4");
- break;
- }
- evt.Delete("winlog.event_data.SourceIsIpv6");
- evt.Delete("winlog.event_data.DestinationIsIpv6");
- };
-
- var setRelatedIP = function (evt) {
- var sourceIP = evt.Get("source.ip");
- if (sourceIP) {
- evt.AppendTo("related.ip", sourceIP);
- }
-
- var destIP = evt.Get("destination.ip");
- if (destIP) {
- evt.AppendTo("related.ip", destIP);
- }
- };
-
- var getHashPath = function (namespace, hashKey) {
- if (hashKey === "imphash") {
- return namespace + ".pe.imphash";
- }
-
- return namespace + ".hash." + hashKey;
- };
-
- var emptyHashRegex = /^0*$/;
-
- var hashIsEmpty = function (value) {
- if (!value) {
- return true;
- }
-
- return emptyHashRegex.test(value);
- }
-
- // Adds hashes from the given hashField in the event to the 'hash' key
- // in the specified namespace. It also adds all the hashes to 'related.hash'.
- var addHashes = function (evt, namespace, hashField) {
- var hashes = evt.Get(hashField);
- if (!hashes) {
- return;
- }
- evt.Delete(hashField);
- hashes.split(",").forEach(function (hash) {
- var parts = hash.split("=");
- if (parts.length !== 2) {
- return;
- }
-
- var key = parts[0].toLowerCase();
- var value = parts[1].toLowerCase();
-
- if (hashIsEmpty(value)) {
- return;
- }
-
- var path = getHashPath(namespace, key);
-
- evt.Put(path, value);
- evt.AppendTo("related.hash", value);
- });
- };
-
- var splitFileHashes = function (evt) {
- addHashes(evt, "file", "winlog.event_data.Hashes");
- };
-
- var splitFileHash = function (evt) {
- addHashes(evt, "file", "winlog.event_data.Hash");
- };
-
- var splitProcessHashes = function (evt) {
- addHashes(evt, "process", "winlog.event_data.Hashes");
- };
-
- var removeEmptyEventData = function (evt) {
- var eventData = evt.Get("winlog.event_data");
- if (eventData && Object.keys(eventData).length === 0) {
- evt.Delete("winlog.event_data");
- }
- };
-
- var translateDnsQueryStatus = function (evt) {
- var statusCode = evt.Get("sysmon.dns.status");
- if (!statusCode) {
- return;
- }
- var statusName = dnsQueryStatusCodes[statusCode];
- if (statusName === undefined) {
- return;
- }
- evt.Put("sysmon.dns.status", statusName);
- };
-
- // Splits the QueryResults field that contains the DNS responses.
- // Example: "type: 5 f2.taboola.map.fastly.net;::ffff:151.101.66.2;::ffff:151.101.130.2;::ffff:151.101.194.2;::ffff:151.101.2.2;"
- var splitDnsQueryResults = function (evt) {
- var results = evt.Get("winlog.event_data.QueryResults");
- if (!results) {
- return;
- }
- results = results.split(";");
-
- var answers = [];
- var ips = [];
- for (var i = 0; i < results.length; i++) {
- var answer = results[i];
- if (!answer) {
- continue;
- }
-
- if (answer.startsWith("type:")) {
- var parts = answer.split(/\s+/);
- if (parts.length !== 3) {
- throw "unexpected QueryResult format";
- }
-
- answers.push({
- type: dnsRecordTypes[parts[1]],
- data: parts[2],
- });
- } else {
- // Convert V4MAPPED addresses.
- answer = answer.replace("::ffff:", "");
- if (net.isIP(answer)) {
- ips.push(answer);
-
- // Synthesize record type based on IP address type.
- var type = "A";
- if (answer.indexOf(":") !== -1) {
- type = "AAAA";
- }
- answers.push({
- type: type,
- data: answer,
- });
- }
- }
- }
-
- if (answers.length > 0) {
- evt.Put("dns.answers", answers);
- }
- if (ips.length > 0) {
- evt.Put("dns.resolved_ip", ips);
- }
- evt.Delete("winlog.event_data.QueryResults");
- };
-
- var parseUtcTime = new processor.Timestamp({
- field: "winlog.event_data.UtcTime",
- target_field: "winlog.event_data.UtcTime",
- timezone: "UTC",
- layouts: ["2006-01-02 15:04:05.999"],
- tests: ["2019-06-26 21:19:43.237"],
- ignore_missing: true,
- });
-
- var setAdditionalSignatureFields = function (evt) {
- var signed = evt.Get("winlog.event_data.Signed");
- if (!signed) {
- return;
- }
- evt.Put("file.code_signature.signed", true);
- var signatureStatus = evt.Get("winlog.event_data.SignatureStatus");
- evt.Put("file.code_signature.valid", signatureStatus === "Valid");
- };
-
- var setAdditionalFileFieldsFromPath = function (evt) {
- var filePath = evt.Get("file.path");
- if (!filePath) {
- return;
- }
-
- evt.Put("file.name", path.basename(filePath));
- evt.Put("file.directory", path.dirname(filePath));
-
- // path returns extensions with a preceding ., e.g.: .tmp, .png
- // according to ecs the expected format is without it, so we need to remove it.
- var ext = path.extname(filePath);
- if (!ext) {
- return;
- }
-
- if (ext.charAt(0) === ".") {
- ext = ext.substr(1);
- }
- evt.Put("file.extension", ext);
- };
-
- // https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-hives
- var commonRegistryHives = {
- HKEY_CLASSES_ROOT: "HKCR",
- HKCR: "HKCR",
- HKEY_CURRENT_CONFIG: "HKCC",
- HKCC: "HKCC",
- HKEY_CURRENT_USER: "HKCU",
- HKCU: "HKCU",
- HKEY_DYN_DATA: "HKDD",
- HKDD: "HKDD",
- HKEY_LOCAL_MACHINE: "HKLM",
- HKLM: "HKLM",
- HKEY_PERFORMANCE_DATA: "HKPD",
- HKPD: "HKPD",
- HKEY_USERS: "HKU",
- HKU: "HKU",
- };
-
- var qwordRegex = new RegExp(/QWORD \(((0x\d{8})-(0x\d{8}))\)/, "i");
- var dwordRegex = new RegExp(/DWORD \((0x\d{8})\)/, "i");
-
- var setRegistryFields = function (evt) {
- var path = evt.Get("winlog.event_data.TargetObject");
- if (!path) {
- return;
- }
- evt.Put("registry.path", path);
- var pathTokens = path.split("\\");
- var hive = commonRegistryHives[pathTokens[0]];
- if (hive) {
- evt.Put("registry.hive", hive);
- pathTokens.splice(0, 1);
- if (pathTokens.length > 0) {
- evt.Put("registry.key", pathTokens.join("\\"));
- }
- }
- var value = pathTokens[pathTokens.length - 1];
- evt.Put("registry.value", value);
- var data = evt.Get("winlog.event_data.Details");
- if (!data) {
- return;
- }
- // sysmon only returns details of a registry modification
- // if it's a qword or dword
- var dataType;
- var dataValue;
- var match = qwordRegex.exec(data);
- if (match && match.length > 0) {
- var parsedHighByte = parseInt(match[2]);
- var parsedLowByte = parseInt(match[3]);
- if (!isNaN(parsedHighByte) && !isNaN(parsedLowByte)) {
- dataValue = "" + ((parsedHighByte << 8) + parsedLowByte);
- dataType = "SZ_QWORD";
- }
- } else {
- match = dwordRegex.exec(data);
- if (match && match.length > 0) {
- var parsedValue = parseInt(match[1]);
- if (!isNaN(parsedValue)) {
- dataType = "SZ_DWORD";
- dataValue = "" + parsedValue;
- }
- }
- }
- if (dataType) {
- evt.Put("registry.data.strings", [dataValue]);
- evt.Put("registry.data.type", dataType);
- }
- };
-
- // Event ID 1 - Process Create.
- var event1 = new processor.Chain()
- .Add(parseUtcTime)
- .AddFields({
- fields: {
- category: ["process"],
- type: ["start", "process_start"],
- },
- target: "event",
- })
- .Convert({
- fields: [{
- from: "winlog.event_data.UtcTime",
- to: "@timestamp",
- },
- {
- from: "winlog.event_data.ProcessGuid",
- to: "process.entity_id",
- },
- {
- from: "winlog.event_data.ProcessId",
- to: "process.pid",
- type: "long",
- },
- {
- from: "winlog.event_data.Image",
- to: "process.executable",
- },
- {
- from: "winlog.event_data.CommandLine",
- to: "process.command_line",
- },
- {
- from: "winlog.event_data.CurrentDirectory",
- to: "process.working_directory",
- },
- {
- from: "winlog.event_data.ParentProcessGuid",
- to: "process.parent.entity_id",
- },
- {
- from: "winlog.event_data.ParentProcessId",
- to: "process.parent.pid",
- type: "long",
- },
- {
- from: "winlog.event_data.ParentImage",
- to: "process.parent.executable",
- },
- {
- from: "winlog.event_data.ParentCommandLine",
- to: "process.parent.command_line",
- },
- {
- from: "winlog.event_data.OriginalFileName",
- to: "process.pe.original_file_name",
- },
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Convert({
- fields: [{
- from: "winlog.event_data.Company",
- to: "process.pe.company",
- },
- {
- from: "winlog.event_data.Description",
- to: "process.pe.description",
- },
- {
- from: "winlog.event_data.FileVersion",
- to: "process.pe.file_version",
- },
- {
- from: "winlog.event_data.Product",
- to: "process.pe.product",
- },
- ],
- mode: "copy",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(setRuleName)
- .Add(setProcessNameUsingExe)
- .Add(splitProcessArgs)
- .Add(addUser)
- .Add(splitProcessHashes)
- .Add(setParentProcessNameUsingExe)
- .Add(splitParentProcessArgs)
- .Add(removeEmptyEventData)
- .Build();
-
- // Event ID 2 - File creation time changed.
- var event2 = new processor.Chain()
- .Add(parseUtcTime)
- .AddFields({
- fields: {
- category: ["file"],
- type: ["change"],
- },
- target: "event",
- })
- .Convert({
- fields: [{
- from: "winlog.event_data.UtcTime",
- to: "@timestamp",
- },
- {
- from: "winlog.event_data.ProcessGuid",
- to: "process.entity_id",
- },
- {
- from: "winlog.event_data.ProcessId",
- to: "process.pid",
- type: "long",
- },
- {
- from: "winlog.event_data.Image",
- to: "process.executable",
- },
- {
- from: "winlog.event_data.TargetFilename",
- to: "file.path",
- },
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(setRuleName)
- .Add(setAdditionalFileFieldsFromPath)
- .Add(setProcessNameUsingExe)
- .Add(removeEmptyEventData)
- .Build();
-
- // Event ID 3 - Network connection detected.
- var event3 = new processor.Chain()
- .Add(parseUtcTime)
- .AddFields({
- fields: {
- category: ["network"],
- type: ["connection", "start", "protocol"],
- },
- target: "event",
- })
- .Convert({
- fields: [{
- from: "winlog.event_data.UtcTime",
- to: "@timestamp",
- },
- {
- from: "winlog.event_data.ProcessGuid",
- to: "process.entity_id",
- },
- {
- from: "winlog.event_data.ProcessId",
- to: "process.pid",
- type: "long",
- },
- {
- from: "winlog.event_data.Image",
- to: "process.executable",
- },
- {
- from: "winlog.event_data.Protocol",
- to: "network.transport",
- },
- {
- from: "winlog.event_data.SourceIp",
- to: "source.ip",
- type: "ip",
- },
- {
- from: "winlog.event_data.SourceHostname",
- to: "source.domain",
- type: "string",
- },
- {
- from: "winlog.event_data.SourcePort",
- to: "source.port",
- type: "long",
- },
- {
- from: "winlog.event_data.DestinationIp",
- to: "destination.ip",
- type: "ip",
- },
- {
- from: "winlog.event_data.DestinationHostname",
- to: "destination.domain",
- type: "string",
- },
- {
- from: "winlog.event_data.DestinationPort",
- to: "destination.port",
- type: "long",
- },
- {
- from: "winlog.event_data.DestinationPortName",
- to: "network.protocol",
- },
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(setRuleName)
- .Add(setRelatedIP)
- .Add(setProcessNameUsingExe)
- .Add(addUser)
- .Add(addNetworkDirection)
- .Add(addNetworkType)
- .CommunityID()
- .Add(removeEmptyEventData)
- .Build();
-
- // Event ID 4 - Sysmon service state changed.
- var event4 = new processor.Chain()
- .Add(parseUtcTime)
- .AddFields({
- fields: {
- category: ["process"],
- type: ["change"],
- },
- target: "event",
- })
- .Convert({
- fields: [{
- from: "winlog.event_data.UtcTime",
- to: "@timestamp",
- }, ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(removeEmptyEventData)
- .Build();
-
- // Event ID 5 - Process terminated.
- var event5 = new processor.Chain()
- .Add(parseUtcTime)
- .AddFields({
- fields: {
- category: ["process"],
- type: ["end", "process_end"],
- },
- target: "event",
- })
- .Convert({
- fields: [{
- from: "winlog.event_data.UtcTime",
- to: "@timestamp",
- },
- {
- from: "winlog.event_data.ProcessGuid",
- to: "process.entity_id",
- },
- {
- from: "winlog.event_data.ProcessId",
- to: "process.pid",
- type: "long",
- },
- {
- from: "winlog.event_data.Image",
- to: "process.executable",
- },
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(setRuleName)
- .Add(setProcessNameUsingExe)
- .Add(removeEmptyEventData)
- .Build();
-
- // Event ID 6 - Driver loaded.
- var event6 = new processor.Chain()
- .Add(parseUtcTime)
- .AddFields({
- fields: {
- category: ["driver"],
- type: ["start"],
- },
- target: "event",
- })
- .Convert({
- fields: [{
- from: "winlog.event_data.UtcTime",
- to: "@timestamp",
- },
- {
- from: "winlog.event_data.ImageLoaded",
- to: "file.path",
- },
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Convert({
- fields: [{
- from: "winlog.event_data.Signature",
- to: "file.code_signature.subject_name",
- },
- {
- from: "winlog.event_data.SignatureStatus",
- to: "file.code_signature.status",
- },
- ],
- fail_on_error: false,
- })
- .Add(setRuleName)
- .Add(setAdditionalFileFieldsFromPath)
- .Add(setAdditionalSignatureFields)
- .Add(splitFileHashes)
- .Add(removeEmptyEventData)
- .Build();
-
- // Event ID 7 - Image loaded.
- var event7 = new processor.Chain()
- .Add(parseUtcTime)
- .AddFields({
- fields: {
- category: ["process"],
- type: ["change"],
- },
- target: "event",
- })
- .Convert({
- fields: [{
- from: "winlog.event_data.UtcTime",
- to: "@timestamp",
- },
- {
- from: "winlog.event_data.ProcessGuid",
- to: "process.entity_id",
- },
- {
- from: "winlog.event_data.ProcessId",
- to: "process.pid",
- type: "long",
- },
- {
- from: "winlog.event_data.Image",
- to: "process.executable",
- },
- {
- from: "winlog.event_data.ImageLoaded",
- to: "file.path",
- },
- {
- from: "winlog.event_data.OriginalFileName",
- to: "file.pe.original_file_name",
- },
-
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Convert({
- fields: [{
- from: "winlog.event_data.Signature",
- to: "file.code_signature.subject_name",
- },
- {
- from: "winlog.event_data.SignatureStatus",
- to: "file.code_signature.status",
- },
- {
- from: "winlog.event_data.Company",
- to: "file.pe.company",
- },
- {
- from: "winlog.event_data.Description",
- to: "file.pe.description",
- },
- {
- from: "winlog.event_data.FileVersion",
- to: "file.pe.file_version",
- },
- {
- from: "winlog.event_data.Product",
- to: "file.pe.product",
- },
- ],
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(setRuleName)
- .Add(setAdditionalFileFieldsFromPath)
- .Add(setAdditionalSignatureFields)
- .Add(setProcessNameUsingExe)
- .Add(splitFileHashes)
- .Add(removeEmptyEventData)
- .Build();
-
- // Event ID 8 - CreateRemoteThread detected.
- var event8 = new processor.Chain()
- .Add(parseUtcTime)
- .Convert({
- fields: [{
- from: "winlog.event_data.UtcTime",
- to: "@timestamp",
- },
- {
- from: "winlog.event_data.SourceProcessGuid",
- to: "process.entity_id",
- },
- {
- from: "winlog.event_data.SourceProcessId",
- to: "process.pid",
- type: "long",
- },
- {
- from: "winlog.event_data.SourceImage",
- to: "process.executable",
- },
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(setRuleName)
- .Add(setProcessNameUsingExe)
- .Add(removeEmptyEventData)
- .Build();
-
- // Event ID 9 - RawAccessRead detected.
- var event9 = new processor.Chain()
- .Add(parseUtcTime)
- .Convert({
- fields: [{
- from: "winlog.event_data.UtcTime",
- to: "@timestamp",
- },
- {
- from: "winlog.event_data.ProcessGuid",
- to: "process.entity_id",
- },
- {
- from: "winlog.event_data.ProcessId",
- to: "process.pid",
- type: "long",
- },
- {
- from: "winlog.event_data.Image",
- to: "process.executable",
- },
- {
- from: "winlog.event_data.Device",
- to: "file.path",
- },
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(setRuleName)
- .Add(setAdditionalFileFieldsFromPath)
- .Add(setProcessNameUsingExe)
- .Add(removeEmptyEventData)
- .Build();
-
- // Event ID 10 - Process accessed.
- var event10 = new processor.Chain()
- .Add(parseUtcTime)
- .AddFields({
- fields: {
- category: ["process"],
- type: ["access"],
- },
- target: "event",
- })
- .Convert({
- fields: [{
- from: "winlog.event_data.UtcTime",
- to: "@timestamp",
- },
- {
- from: "winlog.event_data.SourceProcessGUID",
- to: "process.entity_id",
- },
- {
- from: "winlog.event_data.SourceProcessId",
- to: "process.pid",
- type: "long",
- },
- {
- from: "winlog.event_data.SourceThreadId",
- to: "process.thread.id",
- type: "long",
- },
- {
- from: "winlog.event_data.SourceImage",
- to: "process.executable",
- },
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(setRuleName)
- .Add(setProcessNameUsingExe)
- .Add(removeEmptyEventData)
- .Build();
-
- // Event ID 11 - File created.
- var event11 = new processor.Chain()
- .Add(parseUtcTime)
- .AddFields({
- fields: {
- category: ["file"],
- type: ["creation"],
- },
- target: "event",
- })
- .Convert({
- fields: [{
- from: "winlog.event_data.UtcTime",
- to: "@timestamp",
- },
- {
- from: "winlog.event_data.ProcessGuid",
- to: "process.entity_id",
- },
- {
- from: "winlog.event_data.ProcessId",
- to: "process.pid",
- type: "long",
- },
- {
- from: "winlog.event_data.Image",
- to: "process.executable",
- },
- {
- from: "winlog.event_data.TargetFilename",
- to: "file.path",
- },
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(setRuleName)
- .Add(setAdditionalFileFieldsFromPath)
- .Add(setProcessNameUsingExe)
- .Add(removeEmptyEventData)
- .Build();
-
- // Event ID 12 - Registry object added or deleted.
- var event12 = new processor.Chain()
- .Add(parseUtcTime)
- .AddFields({
- fields: {
- category: ["configuration", "registry"],
- type: ["change"],
- },
- target: "event",
- })
- .Convert({
- fields: [{
- from: "winlog.event_data.UtcTime",
- to: "@timestamp",
- },
- {
- from: "winlog.event_data.ProcessGuid",
- to: "process.entity_id",
- },
- {
- from: "winlog.event_data.ProcessId",
- to: "process.pid",
- type: "long",
- },
- {
- from: "winlog.event_data.Image",
- to: "process.executable",
- },
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(setRuleName)
- .Add(setRegistryFields)
- .Add(setProcessNameUsingExe)
- .Add(removeEmptyEventData)
- .Build();
-
- // Event ID 13 - Registry value set.
- var event13 = new processor.Chain()
- .Add(parseUtcTime)
- .AddFields({
- fields: {
- category: ["configuration", "registry"],
- type: ["change"],
- },
- target: "event",
- })
- .Convert({
- fields: [{
- from: "winlog.event_data.UtcTime",
- to: "@timestamp",
- },
- {
- from: "winlog.event_data.ProcessGuid",
- to: "process.entity_id",
- },
- {
- from: "winlog.event_data.ProcessId",
- to: "process.pid",
- type: "long",
- },
- {
- from: "winlog.event_data.Image",
- to: "process.executable",
- },
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(setRuleName)
- .Add(setRegistryFields)
- .Add(setProcessNameUsingExe)
- .Add(removeEmptyEventData)
- .Build();
-
- // Event ID 14 - Registry object renamed.
- var event14 = new processor.Chain()
- .Add(parseUtcTime)
- .AddFields({
- fields: {
- category: ["configuration", "registry"],
- type: ["change"],
- },
- target: "event",
- })
- .Convert({
- fields: [{
- from: "winlog.event_data.UtcTime",
- to: "@timestamp",
- },
- {
- from: "winlog.event_data.ProcessGuid",
- to: "process.entity_id",
- },
- {
- from: "winlog.event_data.ProcessId",
- to: "process.pid",
- type: "long",
- },
- {
- from: "winlog.event_data.Image",
- to: "process.executable",
- },
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(setRuleName)
- .Add(setRegistryFields)
- .Add(setProcessNameUsingExe)
- .Add(removeEmptyEventData)
- .Build();
-
- // Event ID 15 - File stream created.
- var event15 = new processor.Chain()
- .Add(parseUtcTime)
- .AddFields({
- fields: {
- category: ["file"],
- type: ["access"],
- },
- target: "event",
- })
- .Convert({
- fields: [{
- from: "winlog.event_data.UtcTime",
- to: "@timestamp",
- },
- {
- from: "winlog.event_data.ProcessGuid",
- to: "process.entity_id",
- },
- {
- from: "winlog.event_data.ProcessId",
- to: "process.pid",
- type: "long",
- },
- {
- from: "winlog.event_data.Image",
- to: "process.executable",
- },
- {
- from: "winlog.event_data.TargetFilename",
- to: "file.path",
- },
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(setRuleName)
- .Add(setAdditionalFileFieldsFromPath)
- .Add(setProcessNameUsingExe)
- .Add(splitFileHash)
- .Add(removeEmptyEventData)
- .Build();
-
- // Event ID 16 - Sysmon config state changed.
- var event16 = new processor.Chain()
- .Add(parseUtcTime)
- .AddFields({
- fields: {
- category: ["configuration"],
- type: ["change"],
- },
- target: "event",
- })
- .Convert({
- fields: [{
- from: "winlog.event_data.UtcTime",
- to: "@timestamp",
- }, ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(removeEmptyEventData)
- .Build();
-
- // Event ID 17 - Pipe Created.
- var event17 = new processor.Chain()
- .Add(parseUtcTime)
- .AddFields({
- fields: {
- category: ["file"], // pipes are files
- type: ["creation"],
- },
- target: "event",
- })
- .Convert({
- fields: [{
- from: "winlog.event_data.UtcTime",
- to: "@timestamp",
- },
- {
- from: "winlog.event_data.ProcessGuid",
- to: "process.entity_id",
- },
- {
- from: "winlog.event_data.ProcessId",
- to: "process.pid",
- type: "long",
- },
- {
- from: "winlog.event_data.PipeName",
- to: "file.name",
- },
- {
- from: "winlog.event_data.Image",
- to: "process.executable",
- },
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(setRuleName)
- .Add(setProcessNameUsingExe)
- .Add(removeEmptyEventData)
- .Build();
-
- // Event ID 18 - Pipe Connected.
- var event18 = new processor.Chain()
- .Add(parseUtcTime)
- .AddFields({
- fields: {
- category: ["file"], // pipes are files
- type: ["access"],
- },
- target: "event",
- })
- .Convert({
- fields: [{
- from: "winlog.event_data.UtcTime",
- to: "@timestamp",
- },
- {
- from: "winlog.event_data.ProcessGuid",
- to: "process.entity_id",
- },
- {
- from: "winlog.event_data.ProcessId",
- to: "process.pid",
- type: "long",
- },
- {
- from: "winlog.event_data.PipeName",
- to: "file.name",
- },
- {
- from: "winlog.event_data.Image",
- to: "process.executable",
- },
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(setRuleName)
- .Add(setProcessNameUsingExe)
- .Add(removeEmptyEventData)
- .Build();
-
- // Event ID 19 - WmiEventFilter activity detected.
- var event19 = new processor.Chain()
- .Add(parseUtcTime)
- .Convert({
- fields: [{
- from: "winlog.event_data.UtcTime",
- to: "@timestamp",
- }, ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(setRuleName)
- .Add(addUser)
- .Add(removeEmptyEventData)
- .Build();
-
- // Event ID 20 - WmiEventConsumer activity detected.
- var event20 = new processor.Chain()
- .Add(parseUtcTime)
- .Convert({
- fields: [{
- from: "winlog.event_data.UtcTime",
- to: "@timestamp",
- },
- {
- from: "winlog.event_data.Destination",
- to: "process.executable",
- },
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(setRuleName)
- .Add(addUser)
- .Add(setProcessNameUsingExe)
- .Add(removeEmptyEventData)
- .Build();
-
- // Event ID 21 - WmiEventConsumerToFilter activity detected.
- var event21 = new processor.Chain()
- .Add(parseUtcTime)
- .Convert({
- fields: [{
- from: "winlog.event_data.UtcTime",
- to: "@timestamp",
- }, ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(setRuleName)
- .Add(addUser)
- .Add(removeEmptyEventData)
- .Build();
-
- // Event ID 22 - DNSEvent (DNS query).
- var event22 = new processor.Chain()
- .Add(parseUtcTime)
- .AddFields({
- fields: {
- category: ["network"],
- type: ["connection", "protocol", "info"],
- },
- target: "event",
- })
- .AddFields({
- fields: {
- protocol: "dns",
- },
- target: "network",
- })
- .Convert({
- fields: [{
- from: "winlog.event_data.UtcTime",
- to: "@timestamp",
- },
- {
- from: "winlog.event_data.ProcessGuid",
- to: "process.entity_id",
- },
- {
- from: "winlog.event_data.ProcessId",
- to: "process.pid",
- type: "long",
- },
- {
- from: "winlog.event_data.Image",
- to: "process.executable",
- },
- {
- from: "winlog.event_data.QueryName",
- to: "dns.question.name",
- },
- {
- from: "winlog.event_data.QueryStatus",
- to: "sysmon.dns.status",
- },
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .RegisteredDomain({
- ignore_failure: true,
- ignore_missing: true,
- field: "dns.question.name",
- target_field: "dns.question.registered_domain",
- target_subdomain_field: "dns.question.subdomain",
- target_etld_field: "dns.question.top_level_domain",
- })
- .Add(setRuleName)
- .Add(translateDnsQueryStatus)
- .Add(splitDnsQueryResults)
- .Add(setProcessNameUsingExe)
- .Add(removeEmptyEventData)
- .Build();
-
- // Event ID 23 - FileDelete (A file delete was detected).
- var event23 = new processor.Chain()
- .Add(parseUtcTime)
- .AddFields({
- fields: {
- category: ["file"], // pipes are files
- type: ["deletion"],
- },
- target: "event",
- })
- .Convert({
- fields: [{
- from: "winlog.event_data.UtcTime",
- to: "@timestamp",
- },
- {
- from: "winlog.event_data.ProcessGuid",
- to: "process.entity_id",
- },
- {
- from: "winlog.event_data.ProcessId",
- to: "process.pid",
- type: "long",
- },
- {
- from: "winlog.event_data.RuleName",
- to: "rule.name",
- },
- {
- from: "winlog.event_data.TargetFilename",
- to: "file.path",
- },
- {
- from: "winlog.event_data.Image",
- to: "process.executable",
- },
- {
- from: "winlog.event_data.Archived",
- to: "sysmon.file.archived",
- type: "boolean",
- },
- {
- from: "winlog.event_data.IsExecutable",
- to: "sysmon.file.is_executable",
- type: "boolean",
- },
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(setRuleName)
- .Add(addUser)
- .Add(splitProcessHashes)
- .Add(setProcessNameUsingExe)
- .Add(setAdditionalFileFieldsFromPath)
- .Add(removeEmptyEventData)
- .Build();
-
- // Event ID 255 - Error report.
- var event255 = new processor.Chain()
- .Add(parseUtcTime)
- .Convert({
- fields: [{
- from: "winlog.event_data.UtcTime",
- to: "@timestamp",
- },
- {
- from: "winlog.event_data.ID",
- to: "error.code",
- },
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(removeEmptyEventData)
- .Build();
-
- return {
- 1: event1.Run,
- 2: event2.Run,
- 3: event3.Run,
- 4: event4.Run,
- 5: event5.Run,
- 6: event6.Run,
- 7: event7.Run,
- 8: event8.Run,
- 9: event9.Run,
- 10: event10.Run,
- 11: event11.Run,
- 12: event12.Run,
- 13: event13.Run,
- 14: event14.Run,
- 15: event15.Run,
- 16: event16.Run,
- 17: event17.Run,
- 18: event18.Run,
- 19: event19.Run,
- 20: event20.Run,
- 21: event21.Run,
- 22: event22.Run,
- 23: event23.Run,
- 255: event255.Run,
-
- process: function (evt) {
- var event_id = evt.Get("winlog.event_id");
- var processor = this[event_id];
- if (processor === undefined) {
- throw "unexpected sysmon event_id";
- }
- evt.Put("event.module", "sysmon");
- processor(evt);
- },
- };
- })();
-
- function process(evt) {
- return sysmon.process(evt);
- }
-
- - script:
- when.or:
- - equals:
- winlog.channel: Windows PowerShell
- - equals:
- winlog.channel: Microsoft-Windows-PowerShell/Operational
- lang: javascript
- id: powershell
- source: |-
- // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- // or more contributor license agreements. Licensed under the Elastic License;
- // you may not use this file except in compliance with the Elastic License.
-
- var powershell = (function () {
- var path = require("path");
- var processor = require("processor");
- var windows = require("windows");
-
- var normalizeCommonFieldNames = new processor.Convert({
- fields: [
- {
- from: "winlog.event_data.Engine Version",
- to: "winlog.event_data.EngineVersion",
- },
- {
- from: "winlog.event_data.Pipeline ID",
- to: "winlog.event_data.PipelineId",
- },
- {
- from: "winlog.event_data.Runspace ID",
- to: "winlog.event_data.RunspaceId",
- },
- {
- from: "winlog.event_data.Host Version",
- to: "winlog.event_data.HostVersion",
- },
- {
- from: "winlog.event_data.Script Name",
- to: "winlog.event_data.ScriptName",
- },
- {
- from: "winlog.event_data.Path",
- to: "winlog.event_data.ScriptName",
- },
- {
- from: "winlog.event_data.Command Path",
- to: "winlog.event_data.CommandPath",
- },
- {
- from: "winlog.event_data.Command Name",
- to: "winlog.event_data.CommandName",
- },
- {
- from: "winlog.event_data.Command Type",
- to: "winlog.event_data.CommandType",
- },
- {
- from: "winlog.event_data.User",
- to: "winlog.event_data.UserId",
- },
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
-
- // Builds a dissect tokenizer.
- //
- // - chunks: number of chunks dissect needs to look for.
- // - delimiter: indicates what is the delimiter between chunks,
- // in addition to `\n` which is already expected.
- // - sep: separator between key value pairs.
- //
- // example:
- // For a string like "Foo=Bar\n\tBar=Baz", chunks: 2, delimiter: '\t', sep: '='
- var buildNewlineSpacedTokenizer = function (chunks, delimiter, sep) {
- var tokenizer = "";
- for (var i = 0; i < chunks; i++) {
- if (i !== 0) {
- tokenizer += "\n%{}";
- }
- tokenizer += delimiter+"%{*p"+i+"}"+sep+"%{&p"+i+"}";
- }
- return tokenizer;
- };
-
- var dissectField = function (fromField, targetPrefix, chunks, delimiter, sep) {
- return new processor.Dissect({
- field: fromField,
- target_prefix: targetPrefix,
- tokenizer: buildNewlineSpacedTokenizer(chunks, delimiter, sep),
- fail_on_error: false,
- });
- };
-
- // countChunksDelimitedBy will return the number of chunks contained in a field
- // that are delimited by the given delimiter.
- var countChunksDelimitedBy = function(evt, fromField, delimiter) {
- var str = evt.Get(fromField);
- if (!str) {
- return 0;
- }
- return str.split(delimiter).length-1;
- };
-
- var dissect4xxAnd600 = function (evt) {
- var delimiter = "\t";
- var chunks = countChunksDelimitedBy(evt, "winlog.event_data.param3", delimiter);
-
- dissectField("winlog.event_data.param3", "winlog.event_data", chunks, delimiter, "=").Run(evt);
-
- // these fields contain redundant information.
- evt.Delete("winlog.event_data.param1");
- evt.Delete("winlog.event_data.param2");
- evt.Delete("winlog.event_data.param3");
- };
-
- var dissect800Detail = function (evt) {
- var delimiter = "\t";
- var chunks = countChunksDelimitedBy(evt, "winlog.event_data.param2", delimiter);
-
- dissectField("winlog.event_data.param2", "winlog.event_data", chunks, "\t", "=").Run(evt);
-
- // these fields contain redundant information.
- evt.Delete("winlog.event_data.param1");
- evt.Delete("winlog.event_data.param2");
- };
-
- var dissect4103 = function (evt) {
- var delimiter = " ";
- var chunks = countChunksDelimitedBy(evt, "winlog.event_data.ContextInfo", delimiter);
-
- dissectField("winlog.event_data.ContextInfo", "winlog.event_data", chunks, delimiter, " = ").Run(evt);
-
- // these fields contain redundant information.
- evt.Delete("winlog.event_data.ContextInfo");
- evt.Delete("winlog.event_data.Severity");
- };
-
- var addEngineVersion = function (evt) {
- var version = evt.Get("winlog.event_data.EngineVersion");
- evt.Delete("winlog.event_data.EngineVersion");
- if (!version) {
- return;
- }
-
- evt.Put("powershell.engine.version", version);
- };
-
- var addPipelineID = function (evt) {
- var id = evt.Get("winlog.event_data.PipelineId");
- evt.Delete("winlog.event_data.PipelineId");
- if (!id) {
- return;
- }
-
- evt.Put("powershell.pipeline_id", id);
- };
-
- var addRunspaceID = function (evt) {
- var id = evt.Get("winlog.event_data.RunspaceId");
- evt.Delete("winlog.event_data.RunspaceId");
- if (!id) {
- return;
- }
-
- evt.Put("powershell.runspace_id", id);
- };
-
- var addScriptBlockID = function (evt) {
- var id = evt.Get("winlog.event_data.ScriptBlockId");
- evt.Delete("winlog.event_data.ScriptBlockId");
- if (!id) {
- return;
- }
-
- evt.Put("powershell.file.script_block_id", id);
- };
-
- var addScriptBlockText = function (evt) {
- var text = evt.Get("winlog.event_data.ScriptBlockText");
- evt.Delete("winlog.event_data.ScriptBlockText");
- if (!text) {
- return;
- }
-
- evt.Put("powershell.file.script_block_text", text);
- };
-
- var splitCommandLine = function (evt, source, target) {
- var commandLine = evt.Get(source);
- if (!commandLine) {
- return;
- }
- evt.Put(target, windows.splitCommandLine(commandLine));
- };
-
- var addProcessArgs = function (evt) {
- splitCommandLine(evt, "process.command_line", "process.args");
- var args = evt.Get("process.args");
- if (args && args.length > 0) {
- evt.Put("process.args_count", args.length);
- }
- };
-
- var addExecutableVersion = function (evt) {
- var version = evt.Get("winlog.event_data.HostVersion");
- evt.Delete("winlog.event_data.HostVersion");
- if (!version) {
- return;
- }
-
- evt.Put("powershell.process.executable_version", version);
- };
-
- var addFileInfo = function (evt) {
- var scriptName = evt.Get("winlog.event_data.ScriptName");
- evt.Delete("winlog.event_data.ScriptName");
- if (!scriptName) {
- return;
- }
-
- evt.Put("file.path", scriptName);
- evt.Put("file.name", path.basename(scriptName));
- evt.Put("file.directory", path.dirname(scriptName));
-
- // path returns extensions with a preceding ., e.g.: .tmp, .png
- // according to ecs the expected format is without it, so we need to remove it.
- var ext = path.extname(scriptName);
- if (!ext) {
- return;
- }
-
- if (ext.charAt(0) === ".") {
- ext = ext.substr(1);
- }
- evt.Put("file.extension", ext);
- };
-
- var addCommandValue = function (evt) {
- var value = evt.Get("winlog.event_data.CommandLine")
- evt.Delete("winlog.event_data.CommandLine");
- if (!value) {
- return;
- }
-
- evt.Put("powershell.command.value", value.trim());
- };
-
- var addCommandPath = function (evt) {
- var commandPath = evt.Get("winlog.event_data.CommandPath");
- evt.Delete("winlog.event_data.CommandPath");
- if (!commandPath) {
- return;
- }
-
- evt.Put("powershell.command.path", commandPath);
- };
-
- var addCommandName = function (evt) {
- var commandName = evt.Get("winlog.event_data.CommandName");
- evt.Delete("winlog.event_data.CommandName");
- if (!commandName) {
- return;
- }
-
- evt.Put("powershell.command.name", commandName);
- };
-
- var addCommandType = function (evt) {
- var commandType = evt.Get("winlog.event_data.CommandType");
- evt.Delete("winlog.event_data.CommandType");
- if (!commandType) {
- return;
- }
-
- evt.Put("powershell.command.type", commandType);
- };
-
- var detailRegex = /^(.+)\((.+)\)\:\s*(.+)?$/;
- var parameterBindingRegex = /^.*name\=(.+);\s*value\=(.+)$/
-
- // Parses a command invocation detail raw line, and converts it to an object, based on its type.
- //
- // - for unexpectedly formatted ones: {value: "the raw line as it is"}
- // - for all:
- // * related_command: describes to what command it is related to
- // * value: the value for that detail line
- // * type: the type of the detail line, i.e.: CommandInvocation, ParameterBinding, NonTerminatingError
- // - additionally, ParameterBinding adds a `name` field with the parameter name being bound.
- var parseRawDetail = function (raw) {
- var matches = detailRegex.exec(raw);
- if (!matches || matches.length !== 4) {
- return {value: raw};
- }
-
- if (matches[1] !== "ParameterBinding") {
- return {type: matches[1], related_command: matches[2], value: matches[3]};
- }
-
- var nameValMatches = parameterBindingRegex.exec(matches[3]);
- if (!nameValMatches || nameValMatches.length !== 3) {
- return {value: matches[3]};
- }
-
- return {
- type: matches[1],
- related_command: matches[2],
- name: nameValMatches[1],
- value: nameValMatches[2],
- };
- };
-
- var addCommandInvocationDetails = function (evt, from) {
- var rawDetails = evt.Get(from);
- if (!rawDetails) {
- return;
- }
-
- var details = [];
- rawDetails.split("\n").forEach(function (raw) {
- details.push(parseRawDetail(raw));
- });
-
- if (details.length === 0) {
- return;
- }
-
- evt.Delete(from);
- evt.Put("powershell.command.invocation_details", details);
- };
-
- var addCommandInvocationDetailsForEvent800 = function (evt) {
- addCommandInvocationDetails(evt, "winlog.event_data.param3");
- };
-
- var addCommandInvocationDetailsForEvent4103 = function (evt) {
- addCommandInvocationDetails(evt, "winlog.event_data.Payload");
- };
-
- var addUser = function (evt) {
- var userParts = evt.Get("winlog.event_data.UserId").split("\\");
- evt.Delete("winlog.event_data.UserId");
- if (userParts.length === 2) {
- evt.Put("user.domain", userParts[0]);
-
evt.Put("user.name", userParts[1]); - evt.AppendTo("related.user", userParts[1]); - } - }; - - var addConnectedUser = function (evt) { - var userParts = evt.Get("winlog.event_data.Connected User").split("\\"); - evt.Delete("winlog.event_data.Connected User"); - if (userParts.length === 2) { - evt.Put("powershell.connected_user.domain", userParts[0]); - if (evt.Get("user.domain")) { - evt.Put("destination.user.domain", evt.Get("user.domain")); - } - evt.Put("source.user.domain", userParts[0]); - evt.Put("user.domain", userParts[0]); - - evt.Put("powershell.connected_user.name", userParts[1]); - if (evt.Get("user.name")) { - evt.Put("destination.user.name", evt.Get("user.name")); - } - evt.Put("source.user.name", userParts[1]); - evt.Put("user.name", userParts[1]); - evt.AppendTo("related.user", userParts[1]); - } - }; - - var removeEmptyEventData = function (evt) { - var eventData = evt.Get("winlog.event_data"); - if (eventData && Object.keys(eventData).length === 0) { - evt.Delete("winlog.event_data"); - } - }; - - var event4xxAnd600Common = new processor.Chain() - .Add(dissect4xxAnd600) - .Convert({ - fields: [ - { - from: "winlog.event_data.SequenceNumber", - to: "event.sequence", - type: "long", - }, - { - from: "winlog.event_data.NewEngineState", - to: "powershell.engine.new_state", - }, - { - from: "winlog.event_data.PreviousEngineState", - to: "powershell.engine.previous_state", - }, - { - from: "winlog.event_data.NewProviderState", - to: "powershell.provider.new_state", - }, - { - from: "winlog.event_data.ProviderName", - to: "powershell.provider.name", - }, - { - from: "winlog.event_data.HostId", - to: "process.entity_id", - }, - { - from: "winlog.event_data.HostApplication", - to: "process.command_line", - }, - { - from: "winlog.event_data.HostName", - to: "process.title", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(addEngineVersion) - .Add(addPipelineID) - .Add(addRunspaceID) - .Add(addProcessArgs) - 
.Add(addExecutableVersion) - .Add(addFileInfo) - .Add(addCommandValue) - .Add(addCommandPath) - .Add(addCommandName) - .Add(addCommandType) - .Add(removeEmptyEventData) - .Build(); - - var event400 = new processor.Chain() - .AddFields({ - fields: { - category: ["process"], - type: ["start"], - }, - target: "event", - }) - .Add(event4xxAnd600Common) - .Build() - - var event403 = new processor.Chain() - .AddFields({ - fields: { - category: ["process"], - type: ["end"], - }, - target: "event", - }) - .Add(event4xxAnd600Common) - .Build() - - var event600 = new processor.Chain() - .AddFields({ - fields: { - category: ["process"], - type: ["info"], - }, - target: "event", - }) - .Add(event4xxAnd600Common) - .Build() - - var event800 = new processor.Chain() - .Add(dissect800Detail) - .AddFields({ - fields: { - category: ["process"], - type: ["info"], - }, - target: "event", - }) - .Convert({ - fields: [ - { - from: "winlog.event_data.SequenceNumber", - to: "event.sequence", - type: "long", - }, - { - from: "winlog.event_data.HostId", - to: "process.entity_id", - }, - { - from: "winlog.event_data.HostApplication", - to: "process.command_line", - }, - { - from: "winlog.event_data.HostName", - to: "process.title", - }, - { - from: "winlog.event_data.DetailTotal", - to: "powershell.total", - type: "long", - }, - { - from: "winlog.event_data.DetailSequence", - to: "powershell.sequence", - type: "long", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(addEngineVersion) - .Add(addPipelineID) - .Add(addRunspaceID) - .Add(addProcessArgs) - .Add(addExecutableVersion) - .Add(addFileInfo) - .Add(addCommandValue) - .Add(addCommandPath) - .Add(addCommandName) - .Add(addCommandType) - .Add(addUser) - .Add(addCommandInvocationDetailsForEvent800) - .Add(removeEmptyEventData) - .Build(); - - var event4103 = new processor.Chain() - .Add(dissect4103) - .AddFields({ - fields: { - category: ["process"], - type: ["info"], - }, - target: "event", - }) - 
.Convert({ - fields: [ - { - from: "winlog.event_data.Sequence Number", - to: "event.sequence", - type: "long", - }, - { - from: "winlog.event_data.Host ID", - to: "process.entity_id", - }, - { - from: "winlog.event_data.Host Application", - to: "process.command_line", - }, - { - from: "winlog.event_data.Host Name", - to: "process.title", - }, - { - from: "winlog.event_data.Shell ID", - to: "powershell.id", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Convert({ - fields: [ - { - from: "winlog.user.identifier", - to: "user.id", - type: "string", - }, - ], - mode: "copy", - ignore_missing: true, - fail_on_error: false, - }) - .Add(normalizeCommonFieldNames) - .Add(addEngineVersion) - .Add(addPipelineID) - .Add(addRunspaceID) - .Add(addProcessArgs) - .Add(addExecutableVersion) - .Add(addFileInfo) - .Add(addCommandValue) - .Add(addCommandPath) - .Add(addCommandName) - .Add(addCommandType) - .Add(addUser) - .Add(addConnectedUser) - .Add(addCommandInvocationDetailsForEvent4103) - .Add(removeEmptyEventData) - .Build(); - - var event4104 = new processor.Chain() - .AddFields({ - fields: { - category: ["process"], - type: ["info"], - }, - target: "event", - }) - .Convert({ - fields: [ - { - from: "winlog.event_data.MessageNumber", - to: "powershell.sequence", - type: "long", - }, - { - from: "winlog.event_data.MessageTotal", - to: "powershell.total", - type: "long", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Convert({ - fields: [ - { - from: "winlog.user.identifier", - to: "user.id", - type: "string", - }, - ], - mode: "copy", - ignore_missing: true, - fail_on_error: false, - }) - .Add(normalizeCommonFieldNames) - .Add(addFileInfo) - .Add(addScriptBlockID) - .Add(addScriptBlockText) - .Add(removeEmptyEventData) - .Build(); - - var event4105And4106Common = new processor.Chain() - .Add(addRunspaceID) - .Add(addScriptBlockID) - .Add(removeEmptyEventData) - .Convert({ - fields: [ - { - from: 
"winlog.user.identifier", - to: "user.id", - type: "string", - }, - ], - mode: "copy", - ignore_missing: true, - fail_on_error: false, - }) - .Build(); - - var event4105 = new processor.Chain() - .Add(event4105And4106Common) - .AddFields({ - fields: { - category: ["process"], - type: ["start"], - }, - target: "event", - }) - .Build(); - - var event4106 = new processor.Chain() - .Add(event4105And4106Common) - .AddFields({ - fields: { - category: ["process"], - type: ["end"], - }, - target: "event", - }) - .Build(); - - return { - 400: event400.Run, - 403: event403.Run, - 600: event600.Run, - 800: event800.Run, - 4103: event4103.Run, - 4104: event4104.Run, - 4105: event4105.Run, - 4106: event4106.Run, - - process: function(evt) { - var eventId = evt.Get("winlog.event_id"); - var processor = this[eventId]; - if (processor === undefined) { - return; - } - evt.Put("event.module", "powershell"); - processor(evt); - }, - }; - })(); - - function process(evt) { - return powershell.process(evt); - } diff --git a/packages/windows/0.6.0/data_stream/forwarded/elasticsearch/ingest_pipeline/default.yml b/packages/windows/0.6.0/data_stream/forwarded/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 15290547b8..0000000000 --- a/packages/windows/0.6.0/data_stream/forwarded/elasticsearch/ingest_pipeline/default.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -description: Pipeline for Windows forewarded Event Logs -processors: - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' -on_failure: - - set: - field: "error.message" - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/windows/0.6.0/data_stream/forwarded/fields/agent.yml b/packages/windows/0.6.0/data_stream/forwarded/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/windows/0.6.0/data_stream/forwarded/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/windows/0.6.0/data_stream/forwarded/fields/base-fields.yml b/packages/windows/0.6.0/data_stream/forwarded/fields/base-fields.yml
deleted file mode 100755
index a9a65458fc..0000000000
--- a/packages/windows/0.6.0/data_stream/forwarded/fields/base-fields.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset name.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: dataset.type
- type: constant_keyword
- description: Dataset type.
-- name: dataset.name
- type: constant_keyword
- description: Dataset name.
-- name: dataset.namespace
- type: constant_keyword
- description: Dataset namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/windows/0.6.0/data_stream/forwarded/fields/ecs.yml b/packages/windows/0.6.0/data_stream/forwarded/fields/ecs.yml
deleted file mode 100755
index 5b76041236..0000000000
--- a/packages/windows/0.6.0/data_stream/forwarded/fields/ecs.yml
+++ /dev/null
@@ -1,492 +0,0 @@
-- name: event
- title: Event
- type: group
- fields:
- - name: action
- type: keyword
- ignore_above: 1024
- description: 'The action captured by the event.'
- - name: category
- type: keyword
- ignore_above: 1024
- description: 'This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.'
- - name: code
- type: keyword
- ignore_above: 1024
- description: 'Identification code for this event, if one exists.'
- - name: created
- type: date
- description: 'event.created contains the date/time when the event was first read by an agent, or by your pipeline.'
- - name: ingested
- type: date
- description: 'Timestamp when an event arrived in the central data store.'
- default_field: false
- - name: kind
- type: keyword
- ignore_above: 1024
- description: 'This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.'
- - name: module
- type: keyword
- ignore_above: 1024
- description: 'Name of the module this data is coming from.'
- - name: outcome
- type: keyword
- ignore_above: 1024
- description: 'This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.'
- - name: provider
- type: keyword
- ignore_above: 1024
- description: 'Source of the event.'
- - name: sequence
- type: long
- format: string
- description: 'Sequence number of the event.'
- - name: type
- type: keyword
- ignore_above: 1024
- description: 'This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.'
-- name: host
- title: Host
- type: group
- fields:
- - name: name
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.'
-- name: log
- title: Log
- type: group
- fields:
- - name: level
- type: keyword
- ignore_above: 1024
- description: 'Original log level of the log event.'
-- name: process
- title: Process
- type: group
- fields:
- - name: args
- type: keyword
- ignore_above: 1024
- description: 'Array of process arguments, starting with the absolute path to the executable.'
- - name: args_count
- type: long
- description: 'Length of the process.args array.'
- default_field: false
- - name: command_line
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- description: 'Full command line that started the process, including the absolute path to the executable, and all arguments.'
- default_field: false
- - name: entity_id
- type: keyword
- ignore_above: 1024
- description: 'Unique identifier for the process.'
- default_field: false
- - name: executable
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Absolute path to the process executable.
- - name: hash.md5
- type: keyword
- ignore_above: 1024
- description: MD5 hash.
- - name: hash.sha1
- type: keyword
- ignore_above: 1024
- description: SHA1 hash.
- - name: hash.sha256
- type: keyword
- ignore_above: 1024
- description: SHA256 hash.
- - name: hash.sha512
- type: keyword
- ignore_above: 1024
- description: SHA512 hash.
- - name: name
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: 'Process name.'
- - name: parent.args
- type: keyword
- ignore_above: 1024
- description: 'Array of process arguments, starting with the absolute path to the executable.'
- default_field: false
- - name: parent.args_count
- type: long
- description: 'Length of the process.args array.'
- default_field: false
- - name: parent.command_line
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- description: 'Full command line that started the process, including the absolute path to the executable, and all arguments.'
- default_field: false
- - name: parent.entity_id
- type: keyword
- ignore_above: 1024
- description: 'Unique identifier for the process.'
- default_field: false
- - name: parent.executable
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- description: Absolute path to the process executable.
- default_field: false
- - name: parent.hash.md5
- type: keyword
- ignore_above: 1024
- description: MD5 hash.
- default_field: false
- - name: parent.hash.sha1
- type: keyword
- ignore_above: 1024
- description: SHA1 hash.
- default_field: false
- - name: parent.hash.sha256
- type: keyword
- ignore_above: 1024
- description: SHA256 hash.
- default_field: false
- - name: parent.hash.sha512
- type: keyword
- ignore_above: 1024
- description: SHA512 hash.
- default_field: false
- - name: parent.name
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- description: 'Process name.'
- default_field: false
- - name: parent.pe.architecture
- type: keyword
- ignore_above: 1024
- description: CPU architecture target for the file.
- default_field: false
- - name: parent.pe.company
- type: keyword
- ignore_above: 1024
- description: Internal company name of the file, provided at compile-time.
- default_field: false
- - name: parent.pe.description
- type: keyword
- ignore_above: 1024
- description: Internal description of the file, provided at compile-time.
- default_field: false
- - name: parent.pe.file_version
- type: keyword
- ignore_above: 1024
- description: Internal version of the file, provided at compile-time.
- default_field: false
- - name: parent.pe.imphash
- type: keyword
- ignore_above: 1024
- description: 'A hash of the imports in a PE file.'
- default_field: false
- - name: parent.pe.original_file_name
- type: keyword
- ignore_above: 1024
- description: Internal name of the file, provided at compile-time.
- default_field: false - - name: parent.pe.product - type: keyword - ignore_above: 1024 - description: Internal product name of the file, provided at compile-time. - default_field: false - - name: parent.pid - type: long - format: string - description: Process id. - default_field: false - - name: parent.start - type: date - description: The time the process started. - default_field: false - - name: parent.title - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: 'Process title.' - default_field: false - - name: pe.architecture - type: keyword - ignore_above: 1024 - description: CPU architecture target for the file. - default_field: false - - name: pe.company - type: keyword - ignore_above: 1024 - description: Internal company name of the file, provided at compile-time. - default_field: false - - name: pe.description - type: keyword - ignore_above: 1024 - description: Internal description of the file, provided at compile-time. - default_field: false - - name: pe.file_version - type: keyword - ignore_above: 1024 - description: Internal version of the file, provided at compile-time. - default_field: false - - name: pe.imphash - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a PE file.' - default_field: false - - name: pe.original_file_name - type: keyword - ignore_above: 1024 - description: Internal name of the file, provided at compile-time. - default_field: false - - name: pe.product - type: keyword - ignore_above: 1024 - description: Internal product name of the file, provided at compile-time. - default_field: false - - name: pid - type: long - format: string - description: Process id. - - name: title - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: 'Process title. - - The proctitle, some times the same as process name. 
Can also be different: for example a browser setting its title to the web page currently opened.'
- - name: working_directory
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: The working directory of the process.
-- name: user
- title: User
- type: group
- fields:
- - name: domain
- type: keyword
- ignore_above: 1024
- description: 'Name of the directory the user is a member of.'
- - name: id
- type: keyword
- ignore_above: 1024
- description: Unique identifier of the user.
- - name: name
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Short name or login of the user.
- - name: target.group.domain
- type: keyword
- ignore_above: 1024
- description: 'Name of the directory the group is a member of.'
- default_field: false
- - name: target.group.id
- type: keyword
- ignore_above: 1024
- description: Unique identifier for the group on the system/platform.
- default_field: false
- - name: target.group.name
- type: keyword
- ignore_above: 1024
- description: Name of the group.
- - name: target.name
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- description: Short name or login of the user.
- default_field: false
-- name: group
- title: Group
- type: group
- fields:
- - name: domain
- type: keyword
- ignore_above: 1024
- description: 'Name of the directory the group is a member of.'
- - name: id
- type: keyword
- ignore_above: 1024
- description: Unique identifier for the group on the system/platform.
- - name: name
- type: keyword
- ignore_above: 1024
- description: Name of the group.
-- name: service
- title: Service
- type: group
- fields:
- - name: name
- type: keyword
- ignore_above: 1024
- description: 'Name of the service data is collected from.'
- - name: type
- type: keyword
- ignore_above: 1024
- description: 'The type of the service data is collected from.'
-- name: source
- title: Source
- type: group
- fields:
- - name: domain
- type: keyword
- ignore_above: 1024
- description: Source domain.
- - name: ip
- type: ip
- description: IP address of the source (IPv4 or IPv6).
- - name: port
- type: long
- format: string
- description: Port of the source.
-- name: related
- title: Related
- type: group
- fields:
- - name: hash
- type: keyword
- ignore_above: 1024
- default_field: false
- - name: hosts
- type: keyword
- ignore_above: 1024
- default_field: false
- - name: ip
- type: ip
- - name: user
- type: keyword
- ignore_above: 1024
- default_field: false
-- name: dns
- title: DNS
- group: 2
- type: group
- fields:
- - name: answers
- type: object
- description: 'An array containing an object for each answer section returned by the server.'
- - name: answers.class
- type: keyword
- ignore_above: 1024
- description: The class of DNS data contained in this resource record.
- - name: answers.data
- type: keyword
- ignore_above: 1024
- description: 'The data describing the resource.'
- - name: answers.name
- type: keyword
- ignore_above: 1024
- description: 'The domain name to which this resource record pertains.'
- - name: answers.ttl
- type: long
- description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached.
- - name: answers.type
- type: keyword
- ignore_above: 1024
- description: The type of data contained in this resource record.
- - name: header_flags
- type: keyword
- ignore_above: 1024
- description: 'Array of 2 letter DNS header flags.'
- - name: id
- type: keyword
- ignore_above: 1024
- description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.
- - name: op_code
- type: keyword
- ignore_above: 1024
- description: The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response.
- - name: question.class
- type: keyword
- ignore_above: 1024
- description: The class of records being queried.
- - name: question.name
- type: keyword
- ignore_above: 1024
- description: 'The name being queried.'
- - name: question.registered_domain
- type: keyword
- ignore_above: 1024
- description: 'The highest registered domain, stripped of the subdomain.'
- - name: question.subdomain
- type: keyword
- ignore_above: 1024
- description: 'The subdomain is all of the labels under the registered_domain.'
- - name: question.top_level_domain
- type: keyword
- ignore_above: 1024
- description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".'
- - name: question.type
- type: keyword
- ignore_above: 1024
- description: The type of record being queried.
- - name: resolved_ip
- type: ip
- description: 'Array containing all IPs seen in `answers.data`.'
- - name: response_code
- type: keyword
- ignore_above: 1024
- description: The DNS response code.
- - name: type
- type: keyword
- ignore_above: 1024
- description: 'The type of DNS event captured, query or answer.'
-- name: network
- title: Network
- type: group
- fields:
- - name: protocol
- type: keyword
- ignore_above: 1024
- description: 'L7 Network protocol name. ex. http, lumberjack, transport protocol.'
-- name: rule
- title: Rule
- type: group
- fields:
- - name: name
- type: keyword
- ignore_above: 1024
- description: The name of the rule or signature generating the event.
- default_field: false
diff --git a/packages/windows/0.6.0/data_stream/forwarded/fields/fields.yml b/packages/windows/0.6.0/data_stream/forwarded/fields/fields.yml
deleted file mode 100755
index d869b147a9..0000000000
--- a/packages/windows/0.6.0/data_stream/forwarded/fields/fields.yml
+++ /dev/null
@@ -1,170 +0,0 @@ -- name: sysmon.dns.status - type: keyword - description: Windows status code returned for the DNS query. -- name: sysmon.file.archived - type: boolean - description: Indicates if the deleted file was archived. -- name: sysmon.file.is_executable - type: boolean - description: Indicates if the deleted file was an executable. -- name: winlog.logon - type: group - description: Data related to a Windows logon. - fields: - - name: type - type: keyword - description: > - Logon type name. This is the descriptive version of the `winlog.event_data.LogonType` ordinal. This is an enrichment added by the Security module. - - example: RemoteInteractive - - name: id - type: keyword - description: > - Logon ID that can be used to associate this logon with other events related to the same logon session. - - - name: failure.reason - type: keyword - description: > - The reason the logon failed. - - - name: failure.status - type: keyword - description: > - The reason the logon failed. This is textual description based on the value of the hexadecimal `Status` field. - - - name: failure.sub_status - type: keyword - description: > - Additional information about the logon failure. This is a textual description based on the value of the hexidecimal `SubStatus` field. - -- name: powershell.id - type: keyword - description: Shell Id. - example: Microsoft Powershell -- name: powershell.pipeline_id - type: keyword - description: Pipeline id. - example: "1" -- name: powershell.runspace_id - type: keyword - description: Runspace id. - example: "4fa9074d-45ab-4e53-9195-e91981ac2bbb" -- name: powershell.sequence - type: long - description: Sequence number of the powershell execution. - example: 1 -- name: powershell.total - type: long - description: Total number of messages in the sequence. - example: 10 -- name: powershell.command - type: group - description: Data related to the executed command. 
- fields: - - name: path - type: keyword - description: Path of the executed command. - example: "C:\\Windows\\system32\\cmd.exe" - - name: name - type: keyword - description: Name of the executed command. - example: "cmd.exe" - - name: type - type: keyword - description: Type of the executed command. - example: Application - - name: value - type: text - description: The invoked command. - example: Import-LocalizedData LocalizedData -filename ArchiveResources - - name: invocation_details - type: array - description: > - An array of objects containing detailed information of the executed command. - - - name: invocation_details.type - type: keyword - description: The type of detail. - example: CommandInvocation - - name: invocation_details.related_command - type: keyword - description: The command to which the detail is related to. - example: Add-Type - - name: invocation_details.name - type: keyword - description: > - Only used for ParameterBinding detail type. Indicates the parameter name. - - example: AssemblyName - - name: invocation_details.value - type: text - description: > - The value of the detail. The meaning of it will depend on the detail type. - - example: System.IO.Compression.FileSystem -- name: powershell.connected_user - type: group - description: Data related to the connected user executing the command. - fields: - - name: domain - type: keyword - description: User domain. - example: VAGRANT - - name: name - type: keyword - description: User name. - example: vagrant -- name: powershell.engine - type: group - description: Data related to the PowerShell engine. - fields: - - name: version - type: keyword - description: Version of the PowerShell engine version used to execute the command. - example: "5.1.17763.1007" - - name: previous_state - type: keyword - description: > - Previous state of the PowerShell engine. - - example: Available - - name: new_state - type: keyword - description: > - New state of the PowerShell engine. 
- - example: Stopped -- name: powershell.file - type: group - description: Data related to the executed script file. - fields: - - name: script_block_id - type: keyword - description: Id of the executed script block. - example: "50d2dbda-7361-4926-a94d-d9eadfdb43fa" - - name: script_block_text - type: text - description: > - Text of the executed script block. - - example: ".\\a_script.ps1" -- name: powershell.process.executable_version - type: keyword - description: Version of the engine hosting process executable. - example: "5.1.17763.1007" -- name: powershell.provider - type: group - description: Data related to the PowerShell engine host. - fields: - - name: new_state - type: keyword - description: > - New state of the PowerShell provider. - - example: Active - - name: name - type: keyword - description: > - Provider name. - - example: Variable diff --git a/packages/windows/0.6.0/data_stream/forwarded/fields/winlog.yml b/packages/windows/0.6.0/data_stream/forwarded/fields/winlog.yml deleted file mode 100755 index 4ac76fdcdc..0000000000 --- a/packages/windows/0.6.0/data_stream/forwarded/fields/winlog.yml +++ /dev/null 
@@ -1,361 +0,0 @@ -- name: winlog - type: group - description: > - All fields specific to the Windows Event Log are defined here. - - fields: - - name: api - required: true - type: keyword - description: > - The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. - - The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. - - - name: activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. - - - name: computer_name - type: keyword - required: true - description: > - The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. - - - name: event_data - type: object - object_type: keyword - required: false - description: > - The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. - - - name: event_data - type: group - description: > - This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs. 
- - fields: - - name: AuthenticationPackageName - type: keyword - - name: Binary - type: keyword - - name: BitlockerUserInputTime - type: keyword - - name: BootMode - type: keyword - - name: BootType - type: keyword - - name: BuildVersion - type: keyword - - name: Company - type: keyword - - name: CorruptionActionState - type: keyword - - name: CreationUtcTime - type: keyword - - name: Description - type: keyword - - name: Detail - type: keyword - - name: DeviceName - type: keyword - - name: DeviceNameLength - type: keyword - - name: DeviceTime - type: keyword - - name: DeviceVersionMajor - type: keyword - - name: DeviceVersionMinor - type: keyword - - name: DriveName - type: keyword - - name: DriverName - type: keyword - - name: DriverNameLength - type: keyword - - name: DwordVal - type: keyword - - name: EntryCount - type: keyword - - name: ExtraInfo - type: keyword - - name: FailureName - type: keyword - - name: FailureNameLength - type: keyword - - name: FileVersion - type: keyword - - name: FinalStatus - type: keyword - - name: Group - type: keyword - - name: IdleImplementation - type: keyword - - name: IdleStateCount - type: keyword - - name: ImpersonationLevel - type: keyword - - name: IntegrityLevel - type: keyword - - name: IpAddress - type: keyword - - name: IpPort - type: keyword - - name: KeyLength - type: keyword - - name: LastBootGood - type: keyword - - name: LastShutdownGood - type: keyword - - name: LmPackageName - type: keyword - - name: LogonGuid - type: keyword - - name: LogonId - type: keyword - - name: LogonProcessName - type: keyword - - name: LogonType - type: keyword - - name: MajorVersion - type: keyword - - name: MaximumPerformancePercent - type: keyword - - name: MemberName - type: keyword - - name: MemberSid - type: keyword - - name: MinimumPerformancePercent - type: keyword - - name: MinimumThrottlePercent - type: keyword - - name: MinorVersion - type: keyword - - name: NewProcessId - type: keyword - - name: NewProcessName - type: 
keyword - - name: NewSchemeGuid - type: keyword - - name: NewTime - type: keyword - - name: NominalFrequency - type: keyword - - name: Number - type: keyword - - name: OldSchemeGuid - type: keyword - - name: OldTime - type: keyword - - name: OriginalFileName - type: keyword - - name: Path - type: keyword - - name: PerformanceImplementation - type: keyword - - name: PreviousCreationUtcTime - type: keyword - - name: PreviousTime - type: keyword - - name: PrivilegeList - type: keyword - - name: ProcessId - type: keyword - - name: ProcessName - type: keyword - - name: ProcessPath - type: keyword - - name: ProcessPid - type: keyword - - name: Product - type: keyword - - name: PuaCount - type: keyword - - name: PuaPolicyId - type: keyword - - name: QfeVersion - type: keyword - - name: Reason - type: keyword - - name: SchemaVersion - type: keyword - - name: ScriptBlockText - type: keyword - - name: ServiceName - type: keyword - - name: ServiceVersion - type: keyword - - name: ShutdownActionType - type: keyword - - name: ShutdownEventCode - type: keyword - - name: ShutdownReason - type: keyword - - name: Signature - type: keyword - - name: SignatureStatus - type: keyword - - name: Signed - type: keyword - - name: StartTime - type: keyword - - name: State - type: keyword - - name: Status - type: keyword - - name: StopTime - type: keyword - - name: SubjectDomainName - type: keyword - - name: SubjectLogonId - type: keyword - - name: SubjectUserName - type: keyword - - name: SubjectUserSid - type: keyword - - name: TSId - type: keyword - - name: TargetDomainName - type: keyword - - name: TargetInfo - type: keyword - - name: TargetLogonGuid - type: keyword - - name: TargetLogonId - type: keyword - - name: TargetServerName - type: keyword - - name: TargetUserName - type: keyword - - name: TargetUserSid - type: keyword - - name: TerminalSessionId - type: keyword - - name: TokenElevationType - type: keyword - - name: TransmittedServices - type: keyword - - name: UserSid - type: 
keyword - - name: Version - type: keyword - - name: Workstation - type: keyword - - name: param1 - type: keyword - - name: param2 - type: keyword - - name: param3 - type: keyword - - name: param4 - type: keyword - - name: param5 - type: keyword - - name: param6 - type: keyword - - name: param7 - type: keyword - - name: param8 - type: keyword - - name: event_id - type: keyword - required: true - description: > - The event identifier. The value is specific to the source of the event. - - - name: keywords - type: keyword - required: false - description: > - The keywords are used to classify an event. - - - name: channel - type: keyword - required: true - description: > - The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. - - - name: record_id - type: keyword - required: true - description: > - The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. - - - name: related_activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. - - - name: opcode - type: keyword - required: false - description: > - The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. - - - name: provider_guid - type: keyword - required: false - description: > - A globally unique identifier that identifies the provider that logged the event. - - - name: process.pid - type: long - required: false - description: > - The process_id of the Client Server Runtime Process. 
- - - name: provider_name - type: keyword - required: true - description: > - The source of the event log record (the application or service that logged the record). - - - name: task - type: keyword - required: false - description: > - The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. - - - name: process.thread.id - type: long - required: false - - name: user_data - type: object - object_type: keyword - required: false - description: > - The event specific data. This field is mutually exclusive with `event_data`. - - - name: user.identifier - type: keyword - required: false - example: S-1-5-21-3541430928-2051711210-1391384369-1001 - description: > - The Windows security identifier (SID) of the account associated with this event. - - If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. - - - name: user.name - type: keyword - description: > - Name of the user associated with this event. - - - name: user.domain - type: keyword - required: false - description: > - The domain that the account associated with this event is a member of. - - - name: user.type - type: keyword - required: false - description: > - The type of account associated with this event. - - - name: version - type: long - required: false - description: The version number of the event's definition. diff --git a/packages/windows/0.6.0/data_stream/forwarded/manifest.yml b/packages/windows/0.6.0/data_stream/forwarded/manifest.yml deleted file mode 100755 index 68bb95c32b..0000000000 --- a/packages/windows/0.6.0/data_stream/forwarded/manifest.yml +++ /dev/null 
@@ -1,34 +0,0 @@ -type: logs -title: Windows forwarded events -release: experimental -streams: - - input: winlog - template_path: winlog.yml.hbs - title: Forwarded - description: 'Collect ForwardedEvents channel logs' - - input: httpjson - title: Windows ForwardedEvents via Splunk Enterprise REST API - description: Collect ForwardedEvents via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: false - required: true - default: "search sourcetype=\"XmlWinEventLog:ForwardedEvents\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded diff --git a/packages/windows/0.6.0/data_stream/perfmon/agent/stream/stream.yml.hbs b/packages/windows/0.6.0/data_stream/perfmon/agent/stream/stream.yml.hbs deleted file mode 100755 index 142d2d803e..0000000000 --- a/packages/windows/0.6.0/data_stream/perfmon/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,6 +0,0 @@ -metricsets: ["perfmon"] -condition: ${host.platform} == 'windows' -perfmon.group_measurements_by_instance: {{perfmon.group_measurements_by_instance}} -perfmon.ignore_non_existent_counters: {{perfmon.ignore_non_existent_counters}} -perfmon.queries: {{perfmon.queries}} -period: {{period}} diff --git a/packages/windows/0.6.0/data_stream/perfmon/fields/agent.yml b/packages/windows/0.6.0/data_stream/perfmon/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/windows/0.6.0/data_stream/perfmon/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/windows/0.6.0/data_stream/perfmon/fields/base-fields.yml b/packages/windows/0.6.0/data_stream/perfmon/fields/base-fields.yml deleted file mode 100755 index 7c798f4534..0000000000 --- a/packages/windows/0.6.0/data_stream/perfmon/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/windows/0.6.0/data_stream/perfmon/fields/fields.yml b/packages/windows/0.6.0/data_stream/perfmon/fields/fields.yml deleted file mode 100755 index c5cca6fc04..0000000000 --- a/packages/windows/0.6.0/data_stream/perfmon/fields/fields.yml +++ /dev/null @@ -1,15 +0,0 @@ -- name: windows.perfmon - type: group - fields: - - name: object - type: keyword - description: | - Object value. - - name: instance - type: keyword - description: | - Instance value. - - name: metrics.*.* - type: object - description: | - Metric values returned. diff --git a/packages/windows/0.6.0/data_stream/perfmon/manifest.yml b/packages/windows/0.6.0/data_stream/perfmon/manifest.yml deleted file mode 100755 index a3117039b7..0000000000 --- a/packages/windows/0.6.0/data_stream/perfmon/manifest.yml +++ /dev/null 
@@ -1,46 +0,0 @@ -title: Windows perfmon metrics -release: experimental -type: metrics -streams: - - input: windows/metrics - vars: - - name: perfmon.group_measurements_by_instance - type: bool - title: Perfmon Group Measurements By Instance - multi: false - required: false - show_user: true - default: false - description: Enabling this option will send all measurements with a matching perfmon instance as part of a single event - - name: perfmon.ignore_non_existent_counters - type: bool - title: Perfmon Ignore Non Existent Counters - multi: false - required: false - show_user: true - default: false - description: Enabling this option will make sure to ignore any errors caused by counters that do not exist - - name: perfmon.queries - type: yaml - title: Perfmon Queries - multi: false - required: true - show_user: true - default: | - - object: 'Process' - instance: ["*"] - counters: - - name: '% Processor Time' - field: cpu_perc - format: "float" - - name: "Working Set" - description: Will list the perfmon queries to execute, each query will have an `object` option, an optional `instance` contiguration and the actual counters - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - title: Windows perfmon metrics - description: Collect Windows perfmon metrics diff --git a/packages/windows/0.6.0/data_stream/powershell/agent/stream/httpjson.yml.hbs b/packages/windows/0.6.0/data_stream/powershell/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 158e9245d0..0000000000 --- a/packages/windows/0.6.0/data_stream/powershell/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,76 +0,0 @@ -config_version: "2" -interval: {{interval}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: |- - {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -response.decode_as: application/x-ndjson -tags: -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains tags "forwarded"}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: - - decode_json_fields: - fields: message - target: json - add_error_key: true - - drop_event: - when: - not: - has_fields: ['json.result'] - - fingerprint: - fields: - - json.result._cd - - json.result._indextime - - json.result._raw - - json.result._time - - json.result.host - - json.result.source - target_field: "@metadata._id" - - drop_fields: - fields: message - - rename: - fields: - - from: json.result._raw - to: event.original - - from: json.result.host - to: host.name - - from: json.result.source - to: event.provider - ignore_missing: true - fail_on_error: false - - drop_fields: - fields: json - - decode_xml_wineventlog: - field: event.original - target_field: winlog - ignore_missing: true - ignore_failure: true - map_ecs_fields: true diff --git a/packages/windows/0.6.0/data_stream/powershell/agent/stream/winlog.yml.hbs b/packages/windows/0.6.0/data_stream/powershell/agent/stream/winlog.yml.hbs deleted file mode 100755 index 1c9094d489..0000000000 
--- a/packages/windows/0.6.0/data_stream/powershell/agent/stream/winlog.yml.hbs
+++ /dev/null
@@ -1,3 +0,0 @@
-name: Windows PowerShell
-condition: ${host.platform} == 'windows'
-event_id: 400, 403, 600, 800
diff --git a/packages/windows/0.6.0/data_stream/powershell/elasticsearch/ingest_pipeline/default.yml b/packages/windows/0.6.0/data_stream/powershell/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 4eb38cdb95..0000000000
--- a/packages/windows/0.6.0/data_stream/powershell/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,433 +0,0 @@ ---- -description: Pipeline for Windows Powershell events -processors: - - kv: - description: Split Event 800 event data fields. - field: winlog.event_data.param2 - target_field: winlog.event_data - field_split: "\n\t" - trim_key: "\n\t" - trim_value: "\n\t" - value_split: "=" - if: ctx?.winlog?.event_id == "800" - - kv: - description: Split Events 4xx and 600 event data fields. - field: winlog.event_data.param3 - target_field: winlog.event_data - field_split: "\n\t" - trim_key: "\n\t" - trim_value: "\n\t" - value_split: "=" - if: ctx?.winlog?.event_id != "800" - - ## ECS and Event fields. - - - set: - field: ecs.version - value: 1.9.0 - - set: - field: log.level - copy_from: winlog.level - ignore_empty_value: true - ignore_failure: true - if: ctx?.winlog?.level != "" - - date: - field: winlog.time_created - formats: - - ISO8601 - ignore_failure: true - if: ctx?.winlog?.time_created != null - - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' - - set: - field: event.kind - value: event - - set: - field: event.code - value: '{{winlog.event_id}}' - - set: - field: event.category - value: process - - set: - field: event.type - value: start - if: ctx?.event.code == "400" - - set: - field: event.type - value: end - if: ctx?.event.code == "403" - - set: - field: event.type - value: info - if: ctx?.event?.type == null - - convert: - field: winlog.event_data.SequenceNumber - target_field: event.sequence - type: long - ignore_failure: true - ignore_missing: true - - convert: - field: winlog.record_id - type: string - ignore_failure: true - ignore_missing: true - - ## Process fields. 
- - - rename: - field: winlog.event_data.HostId - target_field: process.entity_id - ignore_failure: true - ignore_missing: true - if: ctx?.winlog?.event_data?.HostId != "" - - rename: - field: winlog.event_data.HostApplication - target_field: process.command_line - ignore_failure: true - ignore_missing: true - if: ctx?.winlog?.event_data?.HostApplication != "" - - rename: - field: winlog.event_data.HostName - target_field: process.title - ignore_failure: true - ignore_missing: true - if: ctx?.winlog?.event_data?.HostName != "" - - ## User fields. - - - split: - field: winlog.event_data.UserId - target_field: "_temp.user_parts" - separator: '\\' - if: ctx?.winlog?.event_data?.UserId != null - - set: - field: user.domain - value: "{{_temp.user_parts.0}}" - ignore_failure: true - ignore_empty_value: true - if: ctx?._temp?.user_parts != null && ctx._temp.user_parts.size() == 2 - - set: - field: user.name - value: "{{_temp.user_parts.1}}" - ignore_failure: true - ignore_empty_value: true - if: ctx?._temp?.user_parts != null && ctx._temp.user_parts.size() == 2 - - append: - field: related.user - value: "{{user.name}}" - ignore_failure: true - allow_duplicates: false - if: ctx?.user?.name != null - - ## PowerShell fields. 
- - - rename: - field: winlog.event_data.NewEngineState - target_field: powershell.engine.new_state - ignore_failure: true - ignore_missing: true - if: ctx?.winlog?.event_data?.NewEngineState != "" - - rename: - field: winlog.event_data.PreviousEngineState - target_field: powershell.engine.previous_state - ignore_failure: true - ignore_missing: true - if: ctx?.winlog?.event_data?.PreviousEngineState != "" - - rename: - field: winlog.event_data.NewProviderState - target_field: powershell.provider.new_state - ignore_failure: true - ignore_missing: true - if: ctx?.winlog?.event_data?.NewProviderState != "" - - rename: - field: winlog.event_data.ProviderName - target_field: powershell.provider.name - ignore_failure: true - ignore_missing: true - if: ctx?.winlog?.event_data?.ProviderName != "" - - convert: - field: winlog.event_data.DetailTotal - target_field: powershell.total - type: long - ignore_failure: true - ignore_missing: true - if: ctx?.winlog?.event_data?.DetailTotal != "" - - convert: - field: winlog.event_data.DetailSequence - target_field: powershell.sequence - type: long - ignore_failure: true - ignore_missing: true - if: ctx?.winlog?.event_data?.DetailSequence != "" - - rename: - field: winlog.event_data.EngineVersion - target_field: powershell.engine.version - ignore_missing: true - ignore_failure: true - if: ctx?.winlog?.event_data?.EngineVersion != "" - - rename: - field: winlog.event_data.PipelineId - target_field: powershell.pipeline_id - ignore_missing: true - ignore_failure: true - if: ctx?.winlog?.event_data?.PipelineId != "" - - rename: - field: winlog.event_data.RunspaceId - target_field: powershell.runspace_id - ignore_missing: true - ignore_failure: true - if: ctx?.winlog?.event_data?.RunspaceId != "" - - rename: - field: winlog.event_data.HostVersion - target_field: powershell.process.executable_version - ignore_missing: true - ignore_failure: true - if: ctx?.winlog?.event_data?.HostVersion != "" - - rename: - field: 
winlog.event_data.CommandLine - target_field: powershell.command.value - ignore_failure: true - ignore_missing: true - if: ctx?.winlog?.event_data?.CommandLine != "" - - rename: - field: winlog.event_data.CommandPath - target_field: powershell.command.path - ignore_failure: true - ignore_missing: true - if: ctx?.winlog?.event_data?.CommandPath != "" - - rename: - field: winlog.event_data.CommandName - target_field: powershell.command.name - ignore_failure: true - ignore_missing: true - if: ctx?.winlog?.event_data?.CommandName != "" - - rename: - field: winlog.event_data.CommandType - target_field: powershell.command.type - ignore_failure: true - ignore_missing: true - if: ctx?.winlog?.event_data?.CommandType != "" - - - split: - description: Split Event 800 command invocation details. - field: winlog.event_data.param3 - separator: "\n" - ignore_failure: true - ignore_missing: true - if: ctx.event.code == "800" - - script: - description: |- - Parses all command invocation detail raw lines, and converts them to an object, based on their type. - - for unexpectedly formatted ones: {value: "the raw line as it is"} - - for all: - * related_command: describes to what command it is related to - * value: the value for that detail line - * type: the type of the detail line, i.e.: CommandInvocation, ParameterBinding, NonTerminatingError - - additionally, ParameterBinding adds a `name` field with the parameter name being bound. 
- lang: painless - if: ctx.event.code == "800" - params: - field: param3 - source: |- - def parseRawDetail(String raw) { - Pattern detailRegex = /^(.+)\((.+)\)\:\s*(.+)?$/; - Pattern parameterBindingRegex = /name\=(.+);\s*value\=(.+)$/; - - def matcher = detailRegex.matcher(raw); - if (!matcher.matches()) { - return ["value": raw]; - } - def matches = new ArrayList(); - for (def i = 0; i <= matcher.groupCount(); i++) { - matches.add(matcher.group(i)); - } - - if (matches.length != 4) { - return ["value": raw]; - } - - if (matches[1] != "ParameterBinding") { - return [ - "type": matches[1], - "related_command": matches[2], - "value": matches[3] - ]; - } - - matcher = parameterBindingRegex.matcher(matches[3]); - if (!matcher.matches()) { - return ["value": matches[4]]; - } - def nameValMatches = new ArrayList(); - for (def i = 0; i <= matcher.groupCount(); i++) { - nameValMatches.add(matcher.group(i)); - } - if (nameValMatches.length !== 3) { - return ["value": matches[3]]; - } - - return [ - "type": matches[1], - "related_command": matches[2], - "name": nameValMatches[1], - "value": nameValMatches[2] - ]; - } - - if (ctx?._temp == null) { - ctx._temp = new HashMap(); - } - - if (ctx._temp.details == null) { - ctx._temp.details = new ArrayList(); - } - - def values = ctx?.winlog?.event_data[params["field"]]; - if (values != null && values.length > 0) { - for (v in values) { - ctx._temp.details.add(parseRawDetail(v)); - } - } - - rename: - field: _temp.details - target_field: powershell.command.invocation_details - if: ctx?._temp?.details != null && ctx?._temp?.details.length > 0 - - - script: - description: Implements Windows-like SplitCommandLine - lang: painless - if: ctx?.process?.command_line != null && ctx.process.command_line != "" - source: |- - // appendBSBytes appends n '\\' bytes to b and returns the resulting slice. 
- def appendBSBytes(StringBuilder b, int n) { - for (; n > 0; n--) { - b.append('\\'); - } - return b; - } - - // readNextArg splits command line string cmd into next - // argument and command line remainder. - def readNextArg(String cmd) { - def b = new StringBuilder(); - boolean inquote; - int nslash; - for (; cmd.length() > 0; cmd = cmd.substring(1)) { - def c = cmd.charAt(0); - if (c == (char)' ' || c == (char)0x09) { - if (!inquote) { - return [ - "arg": appendBSBytes(b, nslash).toString(), - "rest": cmd.substring(1) - ]; - } - } else if (c == (char)'"') { - b = appendBSBytes(b, nslash/2); - if (nslash%2 == 0) { - // use "Prior to 2008" rule from - // http://daviddeley.com/autohotkey/parameters/parameters.htm - // section 5.2 to deal with double double quotes - if (inquote && cmd.length() > 1 && cmd.charAt(1) == (char)'"') { - b.append(c); - cmd = cmd.substring(1); - } - inquote = !inquote; - } else { - b.append(c); - } - nslash = 0; - continue; - } else if (c == (char)'\\') { - nslash++; - continue; - } - b = appendBSBytes(b, nslash); - nslash = 0; - b.append(c); - } - return [ - "arg": appendBSBytes(b, nslash).toString(), - "rest": '' - ]; - } - - // commandLineToArgv splits a command line into individual argument - // strings, following the Windows conventions documented - // at http://daviddeley.com/autohotkey/parameters/parameters.htm#WINARGV - // Original implementation found at: https://github.com/golang/go/commit/39c8d2b7faed06b0e91a1ad7906231f53aab45d1 - def commandLineToArgv(String cmd) { - def args = new ArrayList(); - while (cmd.length() > 0) { - if (cmd.charAt(0) == (char)' ' || cmd.charAt(0) == (char)0x09) { - cmd = cmd.substring(1); - continue; - } - def next = readNextArg(cmd); - cmd = next.rest; - args.add(next.arg); - } - return args; - } - - ctx.process.args = commandLineToArgv(ctx.process.command_line); - ctx.process.args_count = ctx.process.args.length; - - - script: - description: Adds file information. 
- lang: painless - if: ctx?.winlog?.event_data?.ScriptName != null && ctx.winlog.event_data.ScriptName.length() > 1 - source: |- - def path = ctx.winlog.event_data.ScriptName; - def idx = path.lastIndexOf("\\"); - if (idx > -1) { - if (ctx?.file == null) { - ctx.file = new HashMap(); - } - ctx.file.name = path.substring(idx+1); - ctx.file.directory = path.substring(0, idx); - - def extIdx = path.lastIndexOf("."); - if (extIdx > -1) { - ctx.file.extension = path.substring(extIdx+1); - } - } - - rename: - field: winlog.event_data.ScriptName - target_field: file.path - ignore_failure: true - ignore_missing: true - if: ctx?.winlog?.event_data?.ScriptName != "" - - ## Cleanup. - - - remove: - field: - - _temp - - winlog.event_data.param1 - - winlog.event_data.param2 - - winlog.event_data.param3 - - winlog.event_data.SequenceNumber - - winlog.event_data.DetailTotal - - winlog.event_data.DetailSequence - - winlog.event_data.UserId - - winlog.time_created - - winlog.level - ignore_missing: true - ignore_failure: true - - script: - description: Remove all empty values from event_data. - lang: painless - source: ctx?.winlog?.event_data?.entrySet().removeIf(entry -> entry.getValue() == null || entry.getValue().equals("")); - - remove: - description: Remove empty event data. - field: winlog.event_data - ignore_missing: true - ignore_failure: true - if: ctx?.winlog?.event_data != null && ctx.winlog.event_data.size() == 0 - -on_failure: - - set: - field: "error.message" - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/windows/0.6.0/data_stream/powershell/fields/agent.yml b/packages/windows/0.6.0/data_stream/powershell/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/windows/0.6.0/data_stream/powershell/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/windows/0.6.0/data_stream/powershell/fields/base-fields.yml b/packages/windows/0.6.0/data_stream/powershell/fields/base-fields.yml
deleted file mode 100755
index 780043c0f6..0000000000
--- a/packages/windows/0.6.0/data_stream/powershell/fields/base-fields.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset name.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: dataset.type
- type: constant_keyword
- description: Dataset type.
-- name: dataset.name
- type: constant_keyword
- description: Dataset name.
-- name: dataset.namespace
- type: constant_keyword
- description: Dataset namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: tags
- description: List of keywords used to tag each event.
- example: '["production", "env2"]'
- ignore_above: 1024
- type: keyword
diff --git a/packages/windows/0.6.0/data_stream/powershell/fields/ecs.yml b/packages/windows/0.6.0/data_stream/powershell/fields/ecs.yml
deleted file mode 100755
index 9dae9c45c8..0000000000
--- a/packages/windows/0.6.0/data_stream/powershell/fields/ecs.yml
+++ /dev/null
@@ -1,227 +0,0 @@
-- name: ecs.version
- type: keyword
- description: ECS version
-- name: event
- title: Event
- type: group
- fields:
- - name: action
- type: keyword
- ignore_above: 1024
- description: 'The action captured by the event.'
- - name: category
- type: keyword
- ignore_above: 1024
- description: 'This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.'
- - name: code
- type: keyword
- ignore_above: 1024
- description: 'Identification code for this event, if one exists.'
- - name: created
- type: date
- description: 'event.created contains the date/time when the event was first read by an agent, or by your pipeline.'
- - name: ingested
- type: date
- description: 'Timestamp when an event arrived in the central data store.'
- default_field: false
- - name: kind
- type: keyword
- ignore_above: 1024
- description: 'This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.'
- - name: module
- type: keyword
- ignore_above: 1024
- description: 'Name of the module this data is coming from.'
- - name: outcome
- type: keyword
- ignore_above: 1024
- description: 'This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.'
- - name: provider
- type: keyword
- ignore_above: 1024
- description: 'Source of the event.'
- - name: sequence
- type: long
- format: string
- description: 'Sequence number of the event.'
- - name: type
- type: keyword
- ignore_above: 1024
- description: 'This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.'
-- name: host
- title: Host
- type: group
- fields:
- - name: name
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.'
-- name: log
- title: Log
- type: group
- fields:
- - name: level
- type: keyword
- ignore_above: 1024
- description: 'Original log level of the log event.'
-- name: process
- title: Process
- type: group
- fields:
- - name: args
- type: keyword
- ignore_above: 1024
- description: 'Array of process arguments, starting with the absolute path to the executable.'
- - name: args_count
- type: long
- description: 'Length of the process.args array.'
- default_field: false
- - name: command_line
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- description: 'Full command line that started the process, including the absolute path to the executable, and all arguments.'
- default_field: false
- - name: entity_id
- type: keyword
- ignore_above: 1024
- description: 'Unique identifier for the process.'
- default_field: false
- - name: executable
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Absolute path to the process executable.
- - name: name
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: 'Process name.'
- - name: title
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: 'Process title.'
- - name: pid
- type: long
- description: Process PID.
-- name: file
- title: File
- type: group
- fields:
- - description: Name of the file including the extension, without the directory.
- name: name
- type: keyword
- - name: directory
- type: keyword
- ignore_above: 1024
- description: Directory where the file is located. It should include the drive letter, when appropriate.
- - name: extension
- type: keyword
- ignore_above: 1024
- description: 'File extension, excluding the leading dot.'
- - name: path
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Full path to the file, including the file name. It should include the drive letter, when appropriate.
-- name: user
- title: User
- type: group
- fields:
- - name: domain
- type: keyword
- ignore_above: 1024
- description: 'Name of the directory the user is a member of.'
- - name: id
- type: keyword
- ignore_above: 1024
- description: Unique identifier of the user.
- - name: name
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Short name or login of the user.
-- name: source
- title: Source
- type: group
- fields:
- - name: user.domain
- type: keyword
- ignore_above: 1024
- description: 'Name of the directory the user is a member of.'
- - name: user.id
- type: keyword
- ignore_above: 1024
- description: Unique identifier of the user.
- - name: user.name
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Short name or login of the user.
-- name: destination
- title: Destination
- type: group
- fields:
- - name: user.domain
- type: keyword
- ignore_above: 1024
- description: 'Name of the directory the user is a member of.'
- - name: user.id
- type: keyword
- ignore_above: 1024
- description: Unique identifier of the user.
- - name: user.name
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Short name or login of the user.
-- name: related
- title: Related
- type: group
- fields:
- - name: hash
- type: keyword
- ignore_above: 1024
- default_field: false
- - name: hosts
- type: keyword
- ignore_above: 1024
- default_field: false
- - name: ip
- type: ip
- - name: user
- type: keyword
- ignore_above: 1024
- default_field: false
diff --git a/packages/windows/0.6.0/data_stream/powershell/fields/fields.yml b/packages/windows/0.6.0/data_stream/powershell/fields/fields.yml
deleted file mode 100755
index 28b9093f74..0000000000
--- a/packages/windows/0.6.0/data_stream/powershell/fields/fields.yml
+++ /dev/null
@@ -1,131 +0,0 @@ -- name: powershell.id - type: keyword - description: Shell Id. - example: Microsoft Powershell -- name: powershell.pipeline_id - type: keyword - description: Pipeline id. - example: "1" -- name: powershell.runspace_id - type: keyword - description: Runspace id. - example: "4fa9074d-45ab-4e53-9195-e91981ac2bbb" -- name: powershell.sequence - type: long - description: Sequence number of the powershell execution. - example: 1 -- name: powershell.total - type: long - description: Total number of messages in the sequence. - example: 10 -- name: powershell.command - type: group - description: Data related to the executed command. - fields: - - name: path - type: keyword - description: Path of the executed command. - example: "C:\\Windows\\system32\\cmd.exe" - - name: name - type: keyword - description: Name of the executed command. - example: "cmd.exe" - - name: type - type: keyword - description: Type of the executed command. - example: Application - - name: value - type: text - description: The invoked command. - example: Import-LocalizedData LocalizedData -filename ArchiveResources - - name: invocation_details - type: array - description: > - An array of objects containing detailed information of the executed command. - - - name: invocation_details.type - type: keyword - description: The type of detail. - example: CommandInvocation - - name: invocation_details.related_command - type: keyword - description: The command to which the detail is related to. - example: Add-Type - - name: invocation_details.name - type: keyword - description: > - Only used for ParameterBinding detail type. Indicates the parameter name. - - example: AssemblyName - - name: invocation_details.value - type: text - description: > - The value of the detail. The meaning of it will depend on the detail type. - - example: System.IO.Compression.FileSystem -- name: powershell.connected_user - type: group - description: Data related to the connected user executing the command. 
- fields: - - name: domain - type: keyword - description: User domain. - example: VAGRANT - - name: name - type: keyword - description: User name. - example: vagrant -- name: powershell.engine - type: group - description: Data related to the PowerShell engine. - fields: - - name: version - type: keyword - description: Version of the PowerShell engine version used to execute the command. - example: "5.1.17763.1007" - - name: previous_state - type: keyword - description: > - Previous state of the PowerShell engine. - - example: Available - - name: new_state - type: keyword - description: > - New state of the PowerShell engine. - - example: Stopped -- name: powershell.file - type: group - description: Data related to the executed script file. - fields: - - name: script_block_id - type: keyword - description: Id of the executed script block. - example: "50d2dbda-7361-4926-a94d-d9eadfdb43fa" - - name: script_block_text - type: text - description: > - Text of the executed script block. - - example: ".\\a_script.ps1" -- name: powershell.process.executable_version - type: keyword - description: Version of the engine hosting process executable. - example: "5.1.17763.1007" -- name: powershell.provider - type: group - description: Data related to the PowerShell engine host. - fields: - - name: new_state - type: keyword - description: > - New state of the PowerShell provider. - - example: Active - - name: name - type: keyword - description: > - Provider name. - - example: Variable diff --git a/packages/windows/0.6.0/data_stream/powershell/fields/winlog.yml b/packages/windows/0.6.0/data_stream/powershell/fields/winlog.yml deleted file mode 100755 index 4ac76fdcdc..0000000000 --- a/packages/windows/0.6.0/data_stream/powershell/fields/winlog.yml +++ /dev/null 
@@ -1,361 +0,0 @@ -- name: winlog - type: group - description: > - All fields specific to the Windows Event Log are defined here. - - fields: - - name: api - required: true - type: keyword - description: > - The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. - - The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. - - - name: activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. - - - name: computer_name - type: keyword - required: true - description: > - The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. - - - name: event_data - type: object - object_type: keyword - required: false - description: > - The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. - - - name: event_data - type: group - description: > - This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs. 
- - fields: - - name: AuthenticationPackageName - type: keyword - - name: Binary - type: keyword - - name: BitlockerUserInputTime - type: keyword - - name: BootMode - type: keyword - - name: BootType - type: keyword - - name: BuildVersion - type: keyword - - name: Company - type: keyword - - name: CorruptionActionState - type: keyword - - name: CreationUtcTime - type: keyword - - name: Description - type: keyword - - name: Detail - type: keyword - - name: DeviceName - type: keyword - - name: DeviceNameLength - type: keyword - - name: DeviceTime - type: keyword - - name: DeviceVersionMajor - type: keyword - - name: DeviceVersionMinor - type: keyword - - name: DriveName - type: keyword - - name: DriverName - type: keyword - - name: DriverNameLength - type: keyword - - name: DwordVal - type: keyword - - name: EntryCount - type: keyword - - name: ExtraInfo - type: keyword - - name: FailureName - type: keyword - - name: FailureNameLength - type: keyword - - name: FileVersion - type: keyword - - name: FinalStatus - type: keyword - - name: Group - type: keyword - - name: IdleImplementation - type: keyword - - name: IdleStateCount - type: keyword - - name: ImpersonationLevel - type: keyword - - name: IntegrityLevel - type: keyword - - name: IpAddress - type: keyword - - name: IpPort - type: keyword - - name: KeyLength - type: keyword - - name: LastBootGood - type: keyword - - name: LastShutdownGood - type: keyword - - name: LmPackageName - type: keyword - - name: LogonGuid - type: keyword - - name: LogonId - type: keyword - - name: LogonProcessName - type: keyword - - name: LogonType - type: keyword - - name: MajorVersion - type: keyword - - name: MaximumPerformancePercent - type: keyword - - name: MemberName - type: keyword - - name: MemberSid - type: keyword - - name: MinimumPerformancePercent - type: keyword - - name: MinimumThrottlePercent - type: keyword - - name: MinorVersion - type: keyword - - name: NewProcessId - type: keyword - - name: NewProcessName - type: 
keyword
- - name: NewSchemeGuid
- type: keyword
- - name: NewTime
- type: keyword
- - name: NominalFrequency
- type: keyword
- - name: Number
- type: keyword
- - name: OldSchemeGuid
- type: keyword
- - name: OldTime
- type: keyword
- - name: OriginalFileName
- type: keyword
- - name: Path
- type: keyword
- - name: PerformanceImplementation
- type: keyword
- - name: PreviousCreationUtcTime
- type: keyword
- - name: PreviousTime
- type: keyword
- - name: PrivilegeList
- type: keyword
- - name: ProcessId
- type: keyword
- - name: ProcessName
- type: keyword
- - name: ProcessPath
- type: keyword
- - name: ProcessPid
- type: keyword
- - name: Product
- type: keyword
- - name: PuaCount
- type: keyword
- - name: PuaPolicyId
- type: keyword
- - name: QfeVersion
- type: keyword
- - name: Reason
- type: keyword
- - name: SchemaVersion
- type: keyword
- - name: ScriptBlockText
- type: keyword
- - name: ServiceName
- type: keyword
- - name: ServiceVersion
- type: keyword
- - name: ShutdownActionType
- type: keyword
- - name: ShutdownEventCode
- type: keyword
- - name: ShutdownReason
- type: keyword
- - name: Signature
- type: keyword
- - name: SignatureStatus
- type: keyword
- - name: Signed
- type: keyword
- - name: StartTime
- type: keyword
- - name: State
- type: keyword
- - name: Status
- type: keyword
- - name: StopTime
- type: keyword
- - name: SubjectDomainName
- type: keyword
- - name: SubjectLogonId
- type: keyword
- - name: SubjectUserName
- type: keyword
- - name: SubjectUserSid
- type: keyword
- - name: TSId
- type: keyword
- - name: TargetDomainName
- type: keyword
- - name: TargetInfo
- type: keyword
- - name: TargetLogonGuid
- type: keyword
- - name: TargetLogonId
- type: keyword
- - name: TargetServerName
- type: keyword
- - name: TargetUserName
- type: keyword
- - name: TargetUserSid
- type: keyword
- - name: TerminalSessionId
- type: keyword
- - name: TokenElevationType
- type: keyword
- - name: TransmittedServices
- type: keyword
- - name: UserSid
- type: 
keyword - - name: Version - type: keyword - - name: Workstation - type: keyword - - name: param1 - type: keyword - - name: param2 - type: keyword - - name: param3 - type: keyword - - name: param4 - type: keyword - - name: param5 - type: keyword - - name: param6 - type: keyword - - name: param7 - type: keyword - - name: param8 - type: keyword - - name: event_id - type: keyword - required: true - description: > - The event identifier. The value is specific to the source of the event. - - - name: keywords - type: keyword - required: false - description: > - The keywords are used to classify an event. - - - name: channel - type: keyword - required: true - description: > - The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. - - - name: record_id - type: keyword - required: true - description: > - The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. - - - name: related_activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. - - - name: opcode - type: keyword - required: false - description: > - The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. - - - name: provider_guid - type: keyword - required: false - description: > - A globally unique identifier that identifies the provider that logged the event. - - - name: process.pid - type: long - required: false - description: > - The process_id of the Client Server Runtime Process. 
- - - name: provider_name - type: keyword - required: true - description: > - The source of the event log record (the application or service that logged the record). - - - name: task - type: keyword - required: false - description: > - The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. - - - name: process.thread.id - type: long - required: false - - name: user_data - type: object - object_type: keyword - required: false - description: > - The event specific data. This field is mutually exclusive with `event_data`. - - - name: user.identifier - type: keyword - required: false - example: S-1-5-21-3541430928-2051711210-1391384369-1001 - description: > - The Windows security identifier (SID) of the account associated with this event. - - If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. - - - name: user.name - type: keyword - description: > - Name of the user associated with this event. - - - name: user.domain - type: keyword - required: false - description: > - The domain that the account associated with this event is a member of. - - - name: user.type - type: keyword - required: false - description: > - The type of account associated with this event. - - - name: version - type: long - required: false - description: The version number of the event's definition. diff --git a/packages/windows/0.6.0/data_stream/powershell/manifest.yml b/packages/windows/0.6.0/data_stream/powershell/manifest.yml deleted file mode 100755 index 1ca463afa2..0000000000 --- a/packages/windows/0.6.0/data_stream/powershell/manifest.yml +++ /dev/null 
@@ -1,34 +0,0 @@
-type: logs
-title: Windows Powershell logs
-release: experimental
-streams:
- - input: winlog
- template_path: winlog.yml.hbs
- title: Powershell
- description: 'Windows Powershell channel'
- - input: httpjson
- title: Windows Powershell Events via Splunk Enterprise REST API
- description: Collect Powershell Events via Splunk Enterprise REST API
- enabled: false
- template_path: httpjson.yml.hbs
- vars:
- - name: interval
- type: text
- title: Interval to query Splunk Enterprise REST API
- description: Go Duration syntax (eg. 10s)
- show_user: true
- required: true
- default: 10s
- - name: search
- type: text
- title: Splunk search string
- show_user: false
- required: true
- default: "search sourcetype=\"XmlWinEventLog:Windows PowerShell\""
- - name: tags
- type: text
- title: Tags
- multi: true
- show_user: false
- default:
- - forwarded
diff --git a/packages/windows/0.6.0/data_stream/powershell_operational/agent/stream/httpjson.yml.hbs b/packages/windows/0.6.0/data_stream/powershell_operational/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index 158e9245d0..0000000000
--- a/packages/windows/0.6.0/data_stream/powershell_operational/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,76 +0,0 @@
-config_version: "2"
-interval: {{interval}}
-auth.basic.user: {{username}}
-auth.basic.password: {{password}}
-cursor:
- index_earliest:
- value: '[[.last_event.result.max_indextime]]'
-request.url: {{url}}/services/search/jobs/export
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-request.method: POST
-request.transforms:
- - set:
- target: url.params.search
- value: |-
- {{search}} | streamstats max(_indextime) AS max_indextime
- - set:
- target: url.params.output_mode
- value: "json"
- - set:
- target: url.params.index_earliest
- value: '[[ .cursor.index_earliest ]]'
- default: '[[(now (parseDuration "-{{interval}}")).Unix]]'
- - set:
- target: url.params.index_latest
- value: '[[(now).Unix]]'
- - set:
- target: header.Content-Type
- value: application/x-www-form-urlencoded
-response.decode_as: application/x-ndjson
-tags:
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains tags "forwarded"}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-processors:
- - decode_json_fields:
- fields: message
- target: json
- add_error_key: true
- - drop_event:
- when:
- not:
- has_fields: ['json.result']
- - fingerprint:
- fields:
- - json.result._cd
- - json.result._indextime
- - json.result._raw
- - json.result._time
- - json.result.host
- - json.result.source
- target_field: "@metadata._id"
- - drop_fields:
- fields: message
- - rename:
- fields:
- - from: json.result._raw
- to: event.original
- - from: json.result.host
- to: host.name
- - from: json.result.source
- to: event.provider
- ignore_missing: true
- fail_on_error: false
- - drop_fields:
- fields: json
- - decode_xml_wineventlog:
- field: event.original
- target_field: winlog
- ignore_missing: true
- ignore_failure: true
- map_ecs_fields: true
diff --git a/packages/windows/0.6.0/data_stream/powershell_operational/agent/stream/winlog.yml.hbs b/packages/windows/0.6.0/data_stream/powershell_operational/agent/stream/winlog.yml.hbs
deleted file mode 100755
index 4c5b128d6d..0000000000
--- a/packages/windows/0.6.0/data_stream/powershell_operational/agent/stream/winlog.yml.hbs
+++ /dev/null
@@ -1,3 +0,0 @@
-name: Microsoft-Windows-PowerShell/Operational
-condition: ${host.platform} == 'windows'
-event_id: 4103, 4104, 4105, 4106
\ No newline at end of file
diff --git a/packages/windows/0.6.0/data_stream/powershell_operational/elasticsearch/ingest_pipeline/default.yml b/packages/windows/0.6.0/data_stream/powershell_operational/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 94e31d90d8..0000000000
--- a/packages/windows/0.6.0/data_stream/powershell_operational/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,492 +0,0 @@ ---- -description: Pipeline for Windows Powershell/Operational events -processors: - - kv: - description: Split Event 4103 event data fields. - field: winlog.event_data.ContextInfo - target_field: winlog.event_data - field_split: "\n" - trim_key: " \n\t" - trim_value: " \n\t" - value_split: "=" - if: ctx?.winlog?.event_id == "4103" - - script: - description: Remove spaces from all event_data keys. - lang: painless - if: ctx?.winlog?.event_data != null - source: |- - def newEventData = new HashMap(); - for (entry in ctx.winlog.event_data.entrySet()) { - def newKey = /\s/.matcher(entry.getKey().toString()).replaceAll(""); - newEventData.put(newKey, entry.getValue()); - } - ctx.winlog.event_data = newEventData; - - ## ECS and Event fields. - - - set: - field: ecs.version - value: 1.9.0 - - set: - field: log.level - copy_from: winlog.level - ignore_empty_value: true - ignore_failure: true - if: ctx?.winlog?.level != "" - - date: - field: winlog.time_created - formats: - - ISO8601 - ignore_failure: true - if: ctx?.winlog?.time_created != null - - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' - - set: - field: event.kind - value: event - - set: - field: event.code - value: '{{winlog.event_id}}' - - set: - field: event.category - value: process - - set: - field: event.type - value: start - if: ctx?.event.code == "4105" - - set: - field: event.type - value: end - if: ctx?.event.code == "4106" - - set: - field: event.type - value: info - if: ctx?.event?.type == null - - convert: - field: winlog.event_data.SequenceNumber - target_field: event.sequence - type: long - ignore_failure: true - ignore_missing: true - - convert: - field: winlog.record_id - type: string - ignore_failure: true - ignore_missing: true - - ## Process fields. 
- - - rename: - field: winlog.event_data.HostID - target_field: process.entity_id - ignore_failure: true - ignore_missing: true - if: ctx?.winlog?.event_data?.HostID != "" - - rename: - field: winlog.event_data.HostApplication - target_field: process.command_line - ignore_failure: true - ignore_missing: true - if: ctx?.winlog?.event_data?.HostApplication != "" - - rename: - field: winlog.event_data.HostName - target_field: process.title - ignore_failure: true - ignore_missing: true - if: ctx?.winlog?.event_data?.HostName != "" - - ## User fields. - - - set: - field: user.id - copy_from: winlog.user.identifier - ignore_failure: true - ignore_empty_value: true - - split: - field: winlog.event_data.User - target_field: "_temp.user_parts" - separator: '\\' - if: ctx?.winlog?.event_data?.User != null - - set: - field: user.domain - value: "{{_temp.user_parts.0}}" - ignore_failure: true - ignore_empty_value: true - if: ctx?._temp?.user_parts != null && ctx._temp.user_parts.size() == 2 - - set: - field: user.name - value: "{{_temp.user_parts.1}}" - ignore_failure: true - ignore_empty_value: true - if: ctx?._temp?.user_parts != null && ctx._temp.user_parts.size() == 2 - - append: - field: related.user - value: "{{user.name}}" - ignore_failure: true - allow_duplicates: false - if: ctx?.user?.name != null - - split: - field: winlog.event_data.ConnectedUser - target_field: "_temp.connected_user_parts" - separator: '\\' - if: ctx?.winlog?.event_data?.ConnectedUser != null - - set: - field: source.user.domain - value: "{{_temp.connected_user_parts.0}}" - ignore_failure: true - ignore_empty_value: true - if: ctx?._temp?.connected_user_parts != null && ctx._temp.connected_user_parts.size() == 2 - - set: - field: source.user.name - value: "{{_temp.connected_user_parts.1}}" - ignore_failure: true - ignore_empty_value: true - if: ctx?._temp?.connected_user_parts != null && ctx._temp.connected_user_parts.size() == 2 - - append: - field: related.user - value: "{{source.user.name}}" - 
ignore_failure: true - allow_duplicates: false - if: ctx?.source?.user?.name != null - - rename: - field: user.domain - target_field: destination.user.domain - ignore_failure: true - ignore_missing: true - if: ctx?.source?.user != null - - rename: - field: user.name - target_field: destination.user.name - ignore_failure: true - ignore_missing: true - if: ctx?.source?.user != null - - set: - field: user.domain - copy_from: source.user.domain - ignore_failure: true - ignore_empty_value: true - if: ctx?.source?.user != null - - set: - field: user.name - copy_from: source.user.name - ignore_failure: true - ignore_empty_value: true - if: ctx?.source?.user != null - - ## PowerShell fields. - - - convert: - field: winlog.event_data.MessageNumber - target_field: powershell.sequence - type: long - ignore_failure: true - ignore_missing: true - - convert: - field: winlog.event_data.MessageTotal - target_field: powershell.total - type: long - ignore_failure: true - ignore_missing: true - - rename: - field: winlog.event_data.ShellID - target_field: powershell.id - ignore_failure: true - ignore_missing: true - if: ctx?.winlog?.event_data?.ShellID != "" - - rename: - field: winlog.event_data.EngineVersion - target_field: powershell.engine.version - ignore_missing: true - ignore_failure: true - if: ctx?.winlog?.event_data?.EngineVersion != "" - - rename: - field: winlog.event_data.PipelineID - target_field: powershell.pipeline_id - ignore_missing: true - ignore_failure: true - if: ctx?.winlog?.event_data?.PipelineID != "" - - rename: - field: winlog.event_data.RunspaceID - target_field: powershell.runspace_id - ignore_missing: true - ignore_failure: true - if: ctx?.winlog?.event_data?.RunspaceID != "" - - rename: - field: winlog.event_data.RunspaceId - target_field: powershell.runspace_id - ignore_missing: true - ignore_failure: true - if: ctx?.winlog?.event_data?.RunspaceId != "" - - rename: - field: winlog.event_data.HostVersion - target_field: 
powershell.process.executable_version - ignore_missing: true - ignore_failure: true - if: ctx?.winlog?.event_data?.HostVersion != "" - - rename: - field: winlog.event_data.CommandLine - target_field: powershell.command.value - ignore_failure: true - ignore_missing: true - if: ctx?.winlog?.event_data?.CommandLine != "" - - rename: - field: winlog.event_data.CommandPath - target_field: powershell.command.path - ignore_failure: true - ignore_missing: true - if: ctx?.winlog?.event_data?.CommandPath != "" - - rename: - field: winlog.event_data.CommandName - target_field: powershell.command.name - ignore_failure: true - ignore_missing: true - if: ctx?.winlog?.event_data?.CommandName != "" - - rename: - field: winlog.event_data.CommandType - target_field: powershell.command.type - ignore_failure: true - ignore_missing: true - if: ctx?.winlog?.event_data?.CommandType != "" - - rename: - field: winlog.event_data.ScriptBlockId - target_field: powershell.file.script_block_id - ignore_failure: true - ignore_missing: true - if: ctx?.winlog?.event_data?.ScriptBlockId != "" - - rename: - field: winlog.event_data.ScriptBlockText - target_field: powershell.file.script_block_text - ignore_failure: true - ignore_missing: true - if: ctx?.winlog?.event_data?.ScriptBlockText != "" - - - split: - description: Split Event 800 command invocation details. - field: winlog.event_data.Payload - separator: "\n" - ignore_failure: true - ignore_missing: true - if: ctx.event.code == "4103" - - script: - description: |- - Parses all command invocation detail raw lines, and converts them to an object, based on their type. - - for unexpectedly formatted ones: {value: "the raw line as it is"} - - for all: - * related_command: describes to what command it is related to - * value: the value for that detail line - * type: the type of the detail line, i.e.: CommandInvocation, ParameterBinding, NonTerminatingError - - additionally, ParameterBinding adds a `name` field with the parameter name being bound. 
- lang: painless - if: ctx.event.code == "4103" - params: - field: Payload - source: |- - def parseRawDetail(String raw) { - Pattern detailRegex = /^(.+)\((.+)\)\:\s*(.+)?$/; - Pattern parameterBindingRegex = /name\=(.+);\s*value\=(.+)$/; - - def matcher = detailRegex.matcher(raw); - if (!matcher.matches()) { - return ["value": raw]; - } - def matches = new ArrayList(); - for (def i = 0; i <= matcher.groupCount(); i++) { - matches.add(matcher.group(i)); - } - - if (matches.length != 4) { - return ["value": raw]; - } - - if (matches[1] != "ParameterBinding") { - return [ - "type": matches[1], - "related_command": matches[2], - "value": matches[3] - ]; - } - - matcher = parameterBindingRegex.matcher(matches[3]); - if (!matcher.matches()) { - return ["value": matches[4]]; - } - def nameValMatches = new ArrayList(); - for (def i = 0; i <= matcher.groupCount(); i++) { - nameValMatches.add(matcher.group(i)); - } - if (nameValMatches.length !== 3) { - return ["value": matches[3]]; - } - - return [ - "type": matches[1], - "related_command": matches[2], - "name": nameValMatches[1], - "value": nameValMatches[2] - ]; - } - - if (ctx?._temp == null) { - ctx._temp = new HashMap(); - } - - if (ctx._temp.details == null) { - ctx._temp.details = new ArrayList(); - } - - def values = ctx?.winlog?.event_data[params["field"]]; - if (values != null && values.length > 0) { - for (v in values) { - ctx._temp.details.add(parseRawDetail(v)); - } - } - - rename: - field: _temp.details - target_field: powershell.command.invocation_details - if: ctx?._temp?.details != null && ctx?._temp?.details.length > 0 - - - script: - description: Implements Windows-like SplitCommandLine - lang: painless - if: ctx?.process?.command_line != null && ctx.process.command_line != "" - source: |- - // appendBSBytes appends n '\\' bytes to b and returns the resulting slice. 
- def appendBSBytes(StringBuilder b, int n) { - for (; n > 0; n--) { - b.append('\\'); - } - return b; - } - - // readNextArg splits command line string cmd into next - // argument and command line remainder. - def readNextArg(String cmd) { - def b = new StringBuilder(); - boolean inquote; - int nslash; - for (; cmd.length() > 0; cmd = cmd.substring(1)) { - def c = cmd.charAt(0); - if (c == (char)' ' || c == (char)0x09) { - if (!inquote) { - return [ - "arg": appendBSBytes(b, nslash).toString(), - "rest": cmd.substring(1) - ]; - } - } else if (c == (char)'"') { - b = appendBSBytes(b, nslash/2); - if (nslash%2 == 0) { - // use "Prior to 2008" rule from - // http://daviddeley.com/autohotkey/parameters/parameters.htm - // section 5.2 to deal with double double quotes - if (inquote && cmd.length() > 1 && cmd.charAt(1) == (char)'"') { - b.append(c); - cmd = cmd.substring(1); - } - inquote = !inquote; - } else { - b.append(c); - } - nslash = 0; - continue; - } else if (c == (char)'\\') { - nslash++; - continue; - } - b = appendBSBytes(b, nslash); - nslash = 0; - b.append(c); - } - return [ - "arg": appendBSBytes(b, nslash).toString(), - "rest": '' - ]; - } - - // commandLineToArgv splits a command line into individual argument - // strings, following the Windows conventions documented - // at http://daviddeley.com/autohotkey/parameters/parameters.htm#WINARGV - // Original implementation found at: https://github.com/golang/go/commit/39c8d2b7faed06b0e91a1ad7906231f53aab45d1 - def commandLineToArgv(String cmd) { - def args = new ArrayList(); - while (cmd.length() > 0) { - if (cmd.charAt(0) == (char)' ' || cmd.charAt(0) == (char)0x09) { - cmd = cmd.substring(1); - continue; - } - def next = readNextArg(cmd); - cmd = next.rest; - args.add(next.arg); - } - return args; - } - - ctx.process.args = commandLineToArgv(ctx.process.command_line); - ctx.process.args_count = ctx.process.args.length; - - - rename: - field: winlog.event_data.Path - target_field: 
winlog.event_data.ScriptName - ignore_failure: true - ignore_missing: true - if: ctx?.winlog?.event_data?.Path != "" - - script: - description: Adds file information. - lang: painless - if: ctx?.winlog?.event_data?.ScriptName != null && ctx.winlog.event_data.ScriptName.length() > 1 - source: |- - def path = ctx.winlog.event_data.ScriptName; - def idx = path.lastIndexOf("\\"); - if (idx > -1) { - if (ctx?.file == null) { - ctx.file = new HashMap(); - } - ctx.file.name = path.substring(idx+1); - ctx.file.directory = path.substring(0, idx); - - def extIdx = path.lastIndexOf("."); - if (extIdx > -1) { - ctx.file.extension = path.substring(extIdx+1); - } - } - - rename: - field: winlog.event_data.ScriptName - target_field: file.path - ignore_failure: true - ignore_missing: true - if: ctx?.winlog?.event_data?.ScriptName != "" - - ## Cleanup. - - - remove: - field: - - _temp - - winlog.event_data.SequenceNumber - - winlog.event_data.User - - winlog.event_data.ConnectedUser - - winlog.event_data.ContextInfo - - winlog.event_data.Severity - - winlog.event_data.MessageTotal - - winlog.event_data.MessageNumber - - winlog.event_data.Payload - - winlog.time_created - - winlog.level - ignore_missing: true - ignore_failure: true - - script: - description: Remove all empty values from event_data. - lang: painless - source: ctx?.winlog?.event_data?.entrySet().removeIf(entry -> entry.getValue() == null || entry.getValue().equals("")); - - remove: - description: Remove empty event data. - field: winlog.event_data - ignore_missing: true - ignore_failure: true - if: ctx?.winlog?.event_data != null && ctx.winlog.event_data.size() == 0 - -on_failure: - - set: - field: "error.message" - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/windows/0.6.0/data_stream/powershell_operational/fields/agent.yml b/packages/windows/0.6.0/data_stream/powershell_operational/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 
--- a/packages/windows/0.6.0/data_stream/powershell_operational/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/windows/0.6.0/data_stream/powershell_operational/fields/base-fields.yml b/packages/windows/0.6.0/data_stream/powershell_operational/fields/base-fields.yml
deleted file mode 100755
index 780043c0f6..0000000000
--- a/packages/windows/0.6.0/data_stream/powershell_operational/fields/base-fields.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset name.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: dataset.type
- type: constant_keyword
- description: Dataset type.
-- name: dataset.name
- type: constant_keyword
- description: Dataset name.
-- name: dataset.namespace
- type: constant_keyword
- description: Dataset namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: tags
- description: List of keywords used to tag each event.
- example: '["production", "env2"]'
- ignore_above: 1024
- type: keyword
diff --git a/packages/windows/0.6.0/data_stream/powershell_operational/fields/ecs.yml b/packages/windows/0.6.0/data_stream/powershell_operational/fields/ecs.yml
deleted file mode 100755
index 9dae9c45c8..0000000000
--- a/packages/windows/0.6.0/data_stream/powershell_operational/fields/ecs.yml
+++ /dev/null
@@ -1,227 +0,0 @@ -- name: ecs.version - type: keyword - description: ECS version -- name: event - title: Event - type: group - fields: - - name: action - type: keyword - ignore_above: 1024 - description: 'The action captured by the event.' - - name: category - type: keyword - ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.' - - name: code - type: keyword - ignore_above: 1024 - description: 'Identification code for this event, if one exists.' - - name: created - type: date - description: 'event.created contains the date/time when the event was first read by an agent, or by your pipeline.' - - name: ingested - type: date - description: 'Timestamp when an event arrived in the central data store.' - default_field: false - - name: kind - type: keyword - ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.' - - name: module - type: keyword - ignore_above: 1024 - description: 'Name of the module this data is coming from.' - - name: outcome - type: keyword - ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.' - - name: provider - type: keyword - ignore_above: 1024 - description: 'Source of the event.' - - name: sequence - type: long - format: string - description: 'Sequence number of the event.' - - name: type - type: keyword - ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.' -- name: host - title: Host - type: group - fields: - - name: name - type: keyword - ignore_above: 1024 - description: 'Name of the host.' -- name: log - title: Log - type: group - fields: - - name: level - type: keyword - ignore_above: 1024 - description: 'Original log level of the log event.' 
-- name: process - title: Process - type: group - fields: - - name: args - type: keyword - ignore_above: 1024 - description: 'Array of process arguments, starting with the absolute path to the executable.' - - name: args_count - type: long - description: 'Length of the process.args array.' - default_field: false - - name: command_line - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: 'Full command line that started the process, including the absolute path to the executable, and all arguments.' - default_field: false - - name: entity_id - type: keyword - ignore_above: 1024 - description: 'Unique identifier for the process.' - default_field: false - - name: executable - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Absolute path to the process executable. - - name: name - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: 'Process name.' - - name: title - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: 'Process title.' - - name: pid - type: long - description: Process PID. -- name: file - title: File - type: group - fields: - - description: Name of the file including the extension, without the directory. - name: name - type: keyword - - name: directory - type: keyword - ignore_above: 1024 - description: Directory where the file is located. It should include the drive letter, when appropriate. - - name: extension - type: keyword - ignore_above: 1024 - description: 'File extension, excluding the leading dot.' - - name: path - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Full path to the file, including the file name. It should include the drive letter, when appropriate. 
-- name: user - title: User - type: group - fields: - - name: domain - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of.' - - name: id - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - - name: name - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Short name or login of the user. -- name: source - title: Source - type: group - fields: - - name: user.domain - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of.' - - name: user.id - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - - name: user.name - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Short name or login of the user. -- name: destination - title: Destination - type: group - fields: - - name: user.domain - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of.' - - name: user.id - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - - name: user.name - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Short name or login of the user. -- name: related - title: Related - type: group - fields: - - name: hash - type: keyword - ignore_above: 1024 - default_field: false - - name: hosts - type: keyword - ignore_above: 1024 - default_field: false - - name: ip - type: ip - - name: user - type: keyword - ignore_above: 1024 - default_field: false diff --git a/packages/windows/0.6.0/data_stream/powershell_operational/fields/fields.yml b/packages/windows/0.6.0/data_stream/powershell_operational/fields/fields.yml deleted file mode 100755 index 28b9093f74..0000000000 
--- a/packages/windows/0.6.0/data_stream/powershell_operational/fields/fields.yml
+++ /dev/null
@@ -1,131 +0,0 @@ -- name: powershell.id - type: keyword - description: Shell Id. - example: Microsoft Powershell -- name: powershell.pipeline_id - type: keyword - description: Pipeline id. - example: "1" -- name: powershell.runspace_id - type: keyword - description: Runspace id. - example: "4fa9074d-45ab-4e53-9195-e91981ac2bbb" -- name: powershell.sequence - type: long - description: Sequence number of the powershell execution. - example: 1 -- name: powershell.total - type: long - description: Total number of messages in the sequence. - example: 10 -- name: powershell.command - type: group - description: Data related to the executed command. - fields: - - name: path - type: keyword - description: Path of the executed command. - example: "C:\\Windows\\system32\\cmd.exe" - - name: name - type: keyword - description: Name of the executed command. - example: "cmd.exe" - - name: type - type: keyword - description: Type of the executed command. - example: Application - - name: value - type: text - description: The invoked command. - example: Import-LocalizedData LocalizedData -filename ArchiveResources - - name: invocation_details - type: array - description: > - An array of objects containing detailed information of the executed command. - - - name: invocation_details.type - type: keyword - description: The type of detail. - example: CommandInvocation - - name: invocation_details.related_command - type: keyword - description: The command to which the detail is related to. - example: Add-Type - - name: invocation_details.name - type: keyword - description: > - Only used for ParameterBinding detail type. Indicates the parameter name. - - example: AssemblyName - - name: invocation_details.value - type: text - description: > - The value of the detail. The meaning of it will depend on the detail type. - - example: System.IO.Compression.FileSystem -- name: powershell.connected_user - type: group - description: Data related to the connected user executing the command. 
- fields: - - name: domain - type: keyword - description: User domain. - example: VAGRANT - - name: name - type: keyword - description: User name. - example: vagrant -- name: powershell.engine - type: group - description: Data related to the PowerShell engine. - fields: - - name: version - type: keyword - description: Version of the PowerShell engine version used to execute the command. - example: "5.1.17763.1007" - - name: previous_state - type: keyword - description: > - Previous state of the PowerShell engine. - - example: Available - - name: new_state - type: keyword - description: > - New state of the PowerShell engine. - - example: Stopped -- name: powershell.file - type: group - description: Data related to the executed script file. - fields: - - name: script_block_id - type: keyword - description: Id of the executed script block. - example: "50d2dbda-7361-4926-a94d-d9eadfdb43fa" - - name: script_block_text - type: text - description: > - Text of the executed script block. - - example: ".\\a_script.ps1" -- name: powershell.process.executable_version - type: keyword - description: Version of the engine hosting process executable. - example: "5.1.17763.1007" -- name: powershell.provider - type: group - description: Data related to the PowerShell engine host. - fields: - - name: new_state - type: keyword - description: > - New state of the PowerShell provider. - - example: Active - - name: name - type: keyword - description: > - Provider name. - - example: Variable diff --git a/packages/windows/0.6.0/data_stream/powershell_operational/fields/winlog.yml b/packages/windows/0.6.0/data_stream/powershell_operational/fields/winlog.yml deleted file mode 100755 index 4ac76fdcdc..0000000000 --- a/packages/windows/0.6.0/data_stream/powershell_operational/fields/winlog.yml +++ /dev/null 
@@ -1,361 +0,0 @@ -- name: winlog - type: group - description: > - All fields specific to the Windows Event Log are defined here. - - fields: - - name: api - required: true - type: keyword - description: > - The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. - - The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. - - - name: activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. - - - name: computer_name - type: keyword - required: true - description: > - The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. - - - name: event_data - type: object - object_type: keyword - required: false - description: > - The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. - - - name: event_data - type: group - description: > - This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs. 
- - fields: - - name: AuthenticationPackageName - type: keyword - - name: Binary - type: keyword - - name: BitlockerUserInputTime - type: keyword - - name: BootMode - type: keyword - - name: BootType - type: keyword - - name: BuildVersion - type: keyword - - name: Company - type: keyword - - name: CorruptionActionState - type: keyword - - name: CreationUtcTime - type: keyword - - name: Description - type: keyword - - name: Detail - type: keyword - - name: DeviceName - type: keyword - - name: DeviceNameLength - type: keyword - - name: DeviceTime - type: keyword - - name: DeviceVersionMajor - type: keyword - - name: DeviceVersionMinor - type: keyword - - name: DriveName - type: keyword - - name: DriverName - type: keyword - - name: DriverNameLength - type: keyword - - name: DwordVal - type: keyword - - name: EntryCount - type: keyword - - name: ExtraInfo - type: keyword - - name: FailureName - type: keyword - - name: FailureNameLength - type: keyword - - name: FileVersion - type: keyword - - name: FinalStatus - type: keyword - - name: Group - type: keyword - - name: IdleImplementation - type: keyword - - name: IdleStateCount - type: keyword - - name: ImpersonationLevel - type: keyword - - name: IntegrityLevel - type: keyword - - name: IpAddress - type: keyword - - name: IpPort - type: keyword - - name: KeyLength - type: keyword - - name: LastBootGood - type: keyword - - name: LastShutdownGood - type: keyword - - name: LmPackageName - type: keyword - - name: LogonGuid - type: keyword - - name: LogonId - type: keyword - - name: LogonProcessName - type: keyword - - name: LogonType - type: keyword - - name: MajorVersion - type: keyword - - name: MaximumPerformancePercent - type: keyword - - name: MemberName - type: keyword - - name: MemberSid - type: keyword - - name: MinimumPerformancePercent - type: keyword - - name: MinimumThrottlePercent - type: keyword - - name: MinorVersion - type: keyword - - name: NewProcessId - type: keyword - - name: NewProcessName - type: 
keyword - - name: NewSchemeGuid - type: keyword - - name: NewTime - type: keyword - - name: NominalFrequency - type: keyword - - name: Number - type: keyword - - name: OldSchemeGuid - type: keyword - - name: OldTime - type: keyword - - name: OriginalFileName - type: keyword - - name: Path - type: keyword - - name: PerformanceImplementation - type: keyword - - name: PreviousCreationUtcTime - type: keyword - - name: PreviousTime - type: keyword - - name: PrivilegeList - type: keyword - - name: ProcessId - type: keyword - - name: ProcessName - type: keyword - - name: ProcessPath - type: keyword - - name: ProcessPid - type: keyword - - name: Product - type: keyword - - name: PuaCount - type: keyword - - name: PuaPolicyId - type: keyword - - name: QfeVersion - type: keyword - - name: Reason - type: keyword - - name: SchemaVersion - type: keyword - - name: ScriptBlockText - type: keyword - - name: ServiceName - type: keyword - - name: ServiceVersion - type: keyword - - name: ShutdownActionType - type: keyword - - name: ShutdownEventCode - type: keyword - - name: ShutdownReason - type: keyword - - name: Signature - type: keyword - - name: SignatureStatus - type: keyword - - name: Signed - type: keyword - - name: StartTime - type: keyword - - name: State - type: keyword - - name: Status - type: keyword - - name: StopTime - type: keyword - - name: SubjectDomainName - type: keyword - - name: SubjectLogonId - type: keyword - - name: SubjectUserName - type: keyword - - name: SubjectUserSid - type: keyword - - name: TSId - type: keyword - - name: TargetDomainName - type: keyword - - name: TargetInfo - type: keyword - - name: TargetLogonGuid - type: keyword - - name: TargetLogonId - type: keyword - - name: TargetServerName - type: keyword - - name: TargetUserName - type: keyword - - name: TargetUserSid - type: keyword - - name: TerminalSessionId - type: keyword - - name: TokenElevationType - type: keyword - - name: TransmittedServices - type: keyword - - name: UserSid - type: 
keyword - - name: Version - type: keyword - - name: Workstation - type: keyword - - name: param1 - type: keyword - - name: param2 - type: keyword - - name: param3 - type: keyword - - name: param4 - type: keyword - - name: param5 - type: keyword - - name: param6 - type: keyword - - name: param7 - type: keyword - - name: param8 - type: keyword - - name: event_id - type: keyword - required: true - description: > - The event identifier. The value is specific to the source of the event. - - - name: keywords - type: keyword - required: false - description: > - The keywords are used to classify an event. - - - name: channel - type: keyword - required: true - description: > - The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. - - - name: record_id - type: keyword - required: true - description: > - The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. - - - name: related_activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. - - - name: opcode - type: keyword - required: false - description: > - The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. - - - name: provider_guid - type: keyword - required: false - description: > - A globally unique identifier that identifies the provider that logged the event. - - - name: process.pid - type: long - required: false - description: > - The process_id of the Client Server Runtime Process. 
- - - name: provider_name - type: keyword - required: true - description: > - The source of the event log record (the application or service that logged the record). - - - name: task - type: keyword - required: false - description: > - The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. - - - name: process.thread.id - type: long - required: false - - name: user_data - type: object - object_type: keyword - required: false - description: > - The event specific data. This field is mutually exclusive with `event_data`. - - - name: user.identifier - type: keyword - required: false - example: S-1-5-21-3541430928-2051711210-1391384369-1001 - description: > - The Windows security identifier (SID) of the account associated with this event. - - If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. - - - name: user.name - type: keyword - description: > - Name of the user associated with this event. - - - name: user.domain - type: keyword - required: false - description: > - The domain that the account associated with this event is a member of. - - - name: user.type - type: keyword - required: false - description: > - The type of account associated with this event. - - - name: version - type: long - required: false - description: The version number of the event's definition. diff --git a/packages/windows/0.6.0/data_stream/powershell_operational/manifest.yml b/packages/windows/0.6.0/data_stream/powershell_operational/manifest.yml deleted file mode 100755 index 270973492e..0000000000 --- a/packages/windows/0.6.0/data_stream/powershell_operational/manifest.yml +++ /dev/null 
@@ -1,34 +0,0 @@
-type: logs
-title: Windows Powershell/Operational logs
-release: experimental
-streams:
- - input: winlog
- template_path: winlog.yml.hbs
- title: Powershell Operational
- description: 'Microsoft-Windows-Powershell/Operational channel'
- - input: httpjson
- title: Windows Powershell Operational Events via Splunk Enterprise REST API
- description: Collect Powershell Operational Events via Splunk Enterprise REST API
- enabled: false
- template_path: httpjson.yml.hbs
- vars:
- - name: interval
- type: text
- title: Interval to query Splunk Enterprise REST API
- description: Go Duration syntax (eg. 10s)
- show_user: true
- required: true
- default: 10s
- - name: search
- type: text
- title: Splunk search string
- show_user: false
- required: true
- default: "search sourcetype=\"XmlWinEventLog:Microsoft-Windows-Powershell/Operational\""
- - name: tags
- type: text
- title: Tags
- multi: true
- show_user: false
- default:
- - forwarded
diff --git a/packages/windows/0.6.0/data_stream/service/agent/stream/stream.yml.hbs b/packages/windows/0.6.0/data_stream/service/agent/stream/stream.yml.hbs
deleted file mode 100755
index d01c1b05cd..0000000000
--- a/packages/windows/0.6.0/data_stream/service/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,3 +0,0 @@
-metricsets: ["service"]
-condition: ${host.platform} == 'windows'
-period: {{period}}
diff --git a/packages/windows/0.6.0/data_stream/service/fields/agent.yml b/packages/windows/0.6.0/data_stream/service/fields/agent.yml
deleted file mode 100755
index da4e652c53..0000000000
--- a/packages/windows/0.6.0/data_stream/service/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/windows/0.6.0/data_stream/service/fields/base-fields.yml b/packages/windows/0.6.0/data_stream/service/fields/base-fields.yml
deleted file mode 100755
index 7c798f4534..0000000000
--- a/packages/windows/0.6.0/data_stream/service/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/windows/0.6.0/data_stream/service/fields/fields.yml b/packages/windows/0.6.0/data_stream/service/fields/fields.yml
deleted file mode 100755
index 7618a693c4..0000000000
--- a/packages/windows/0.6.0/data_stream/service/fields/fields.yml
+++ /dev/null
@@ -1,44 +0,0 @@
-- name: windows.service
- type: group
- fields:
- - name: id
- type: keyword
- description: |
- A unique ID for the service. It is a hash of the machine's GUID and the service name.
- - name: name
- type: keyword
- description: |
- The service name.
- - name: display_name
- type: keyword
- description: |
- The display name of the service.
- - name: start_type
- type: keyword
- description: |
- The startup type of the service. The possible values are `Automatic`, `Boot`, `Disabled`, `Manual`, and `System`.
- - name: start_name
- type: keyword
- description: |
- Account name under which a service runs.
- - name: path_name
- type: keyword
- description: |
- Fully qualified path to the file that implements the service, including arguments.
- - name: state
- type: keyword
- description: |
- The actual state of the service. The possible values are `Continuing`, `Pausing`, `Paused`, `Running`, `Starting`, `Stopping`, and `Stopped`.
- - name: exit_code
- type: keyword
- description: |
- For `Stopped` services this is the error code that service reports when starting to stopping. This will be the generic Windows service error code unless the service provides a service-specific error code.
- - name: pid
- type: long
- description: |
- For `Running` services this is the associated process PID.
- - name: uptime.ms
- type: long
- format: duration
- description: |
- The service's uptime specified in milliseconds.
diff --git a/packages/windows/0.6.0/data_stream/service/manifest.yml b/packages/windows/0.6.0/data_stream/service/manifest.yml
deleted file mode 100755
index 7602152093..0000000000
--- a/packages/windows/0.6.0/data_stream/service/manifest.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-title: Windows service metrics
-release: experimental
-type: metrics
-streams:
- - input: windows/metrics
- vars:
- - name: period
- type: text
- title: Period
- multi: false
- required: true
- show_user: true
- default: 60s
- title: Windows service metrics
- description: Collect Windows service metrics
diff --git a/packages/windows/0.6.0/data_stream/sysmon_operational/agent/stream/httpjson.yml.hbs b/packages/windows/0.6.0/data_stream/sysmon_operational/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index 10892f3cff..0000000000
--- a/packages/windows/0.6.0/data_stream/sysmon_operational/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,1896 +0,0 @@ -config_version: "2" -interval: {{interval}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: |- - {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -response.decode_as: application/x-ndjson -tags: -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains tags "forwarded"}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: - - decode_json_fields: - fields: message - target: json - add_error_key: true - - drop_event: - when: - not: - has_fields: ['json.result'] - - fingerprint: - fields: - - json.result._cd - - json.result._indextime - - json.result._raw - - json.result._time - - json.result.host - - json.result.source - target_field: "@metadata._id" - - drop_fields: - fields: message - - rename: - fields: - - from: json.result._raw - to: event.original - - from: json.result.host - to: host.name - - from: json.result.source - to: event.provider - ignore_missing: true - fail_on_error: false - - drop_fields: - fields: json - - decode_xml_wineventlog: - field: event.original - target_field: winlog - ignore_missing: true - ignore_failure: true - map_ecs_fields: true - - timestamp: - field: winlog.time_created - layouts: - - '2006-01-02T15:04:05Z' - - '2006-01-02T15:04:05.999Z' - - '2006-01-02T15:04:05.999-07:00' - test: - - '2019-06-22T16:33:51Z' - - '2019-11-18T04:59:51.123Z' - - 
'2020-08-03T07:10:20.123456+02:00' - - add_fields: - target: '' - fields: - ecs.version: 1.8.0 - - script: - lang: javascript - id: sysmon - source: |- - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - - // Polyfill for String startsWith. - if (!String.prototype.startsWith) { - Object.defineProperty(String.prototype, "startsWith", { - value: function (search, pos) { - pos = !pos || pos < 0 ? 0 : +pos; - return this.substring(pos, pos + search.length) === search; - }, - }); - } - - var sysmon = (function () { - var path = require("path"); - var processor = require("processor"); - var windows = require("windows"); - var net = require("net"); - - // Windows error codes for DNS. This list was generated using - // 'go run gen_dns_error_codes.go'. - var dnsQueryStatusCodes = { - "0": "SUCCESS", - "5": "ERROR_ACCESS_DENIED", - "8": "ERROR_NOT_ENOUGH_MEMORY", - "13": "ERROR_INVALID_DATA", - "14": "ERROR_OUTOFMEMORY", - "123": "ERROR_INVALID_NAME", - "1214": "ERROR_INVALID_NETNAME", - "1223": "ERROR_CANCELLED", - "1460": "ERROR_TIMEOUT", - "4312": "ERROR_OBJECT_NOT_FOUND", - "9001": "DNS_ERROR_RCODE_FORMAT_ERROR", - "9002": "DNS_ERROR_RCODE_SERVER_FAILURE", - "9003": "DNS_ERROR_RCODE_NAME_ERROR", - "9004": "DNS_ERROR_RCODE_NOT_IMPLEMENTED", - "9005": "DNS_ERROR_RCODE_REFUSED", - "9006": "DNS_ERROR_RCODE_YXDOMAIN", - "9007": "DNS_ERROR_RCODE_YXRRSET", - "9008": "DNS_ERROR_RCODE_NXRRSET", - "9009": "DNS_ERROR_RCODE_NOTAUTH", - "9010": "DNS_ERROR_RCODE_NOTZONE", - "9016": "DNS_ERROR_RCODE_BADSIG", - "9017": "DNS_ERROR_RCODE_BADKEY", - "9018": "DNS_ERROR_RCODE_BADTIME", - "9101": "DNS_ERROR_KEYMASTER_REQUIRED", - "9102": "DNS_ERROR_NOT_ALLOWED_ON_SIGNED_ZONE", - "9103": "DNS_ERROR_NSEC3_INCOMPATIBLE_WITH_RSA_SHA1", - "9104": "DNS_ERROR_NOT_ENOUGH_SIGNING_KEY_DESCRIPTORS", - "9105": 
"DNS_ERROR_UNSUPPORTED_ALGORITHM", - "9106": "DNS_ERROR_INVALID_KEY_SIZE", - "9107": "DNS_ERROR_SIGNING_KEY_NOT_ACCESSIBLE", - "9108": "DNS_ERROR_KSP_DOES_NOT_SUPPORT_PROTECTION", - "9109": "DNS_ERROR_UNEXPECTED_DATA_PROTECTION_ERROR", - "9110": "DNS_ERROR_UNEXPECTED_CNG_ERROR", - "9111": "DNS_ERROR_UNKNOWN_SIGNING_PARAMETER_VERSION", - "9112": "DNS_ERROR_KSP_NOT_ACCESSIBLE", - "9113": "DNS_ERROR_TOO_MANY_SKDS", - "9114": "DNS_ERROR_INVALID_ROLLOVER_PERIOD", - "9115": "DNS_ERROR_INVALID_INITIAL_ROLLOVER_OFFSET", - "9116": "DNS_ERROR_ROLLOVER_IN_PROGRESS", - "9117": "DNS_ERROR_STANDBY_KEY_NOT_PRESENT", - "9118": "DNS_ERROR_NOT_ALLOWED_ON_ZSK", - "9119": "DNS_ERROR_NOT_ALLOWED_ON_ACTIVE_SKD", - "9120": "DNS_ERROR_ROLLOVER_ALREADY_QUEUED", - "9121": "DNS_ERROR_NOT_ALLOWED_ON_UNSIGNED_ZONE", - "9122": "DNS_ERROR_BAD_KEYMASTER", - "9123": "DNS_ERROR_INVALID_SIGNATURE_VALIDITY_PERIOD", - "9124": "DNS_ERROR_INVALID_NSEC3_ITERATION_COUNT", - "9125": "DNS_ERROR_DNSSEC_IS_DISABLED", - "9126": "DNS_ERROR_INVALID_XML", - "9127": "DNS_ERROR_NO_VALID_TRUST_ANCHORS", - "9128": "DNS_ERROR_ROLLOVER_NOT_POKEABLE", - "9129": "DNS_ERROR_NSEC3_NAME_COLLISION", - "9130": "DNS_ERROR_NSEC_INCOMPATIBLE_WITH_NSEC3_RSA_SHA1", - "9501": "DNS_INFO_NO_RECORDS", - "9502": "DNS_ERROR_BAD_PACKET", - "9503": "DNS_ERROR_NO_PACKET", - "9504": "DNS_ERROR_RCODE", - "9505": "DNS_ERROR_UNSECURE_PACKET", - "9506": "DNS_REQUEST_PENDING", - "9551": "DNS_ERROR_INVALID_TYPE", - "9552": "DNS_ERROR_INVALID_IP_ADDRESS", - "9553": "DNS_ERROR_INVALID_PROPERTY", - "9554": "DNS_ERROR_TRY_AGAIN_LATER", - "9555": "DNS_ERROR_NOT_UNIQUE", - "9556": "DNS_ERROR_NON_RFC_NAME", - "9557": "DNS_STATUS_FQDN", - "9558": "DNS_STATUS_DOTTED_NAME", - "9559": "DNS_STATUS_SINGLE_PART_NAME", - "9560": "DNS_ERROR_INVALID_NAME_CHAR", - "9561": "DNS_ERROR_NUMERIC_NAME", - "9562": "DNS_ERROR_NOT_ALLOWED_ON_ROOT_SERVER", - "9563": "DNS_ERROR_NOT_ALLOWED_UNDER_DELEGATION", - "9564": "DNS_ERROR_CANNOT_FIND_ROOT_HINTS", - "9565": 
"DNS_ERROR_INCONSISTENT_ROOT_HINTS", - "9566": "DNS_ERROR_DWORD_VALUE_TOO_SMALL", - "9567": "DNS_ERROR_DWORD_VALUE_TOO_LARGE", - "9568": "DNS_ERROR_BACKGROUND_LOADING", - "9569": "DNS_ERROR_NOT_ALLOWED_ON_RODC", - "9570": "DNS_ERROR_NOT_ALLOWED_UNDER_DNAME", - "9571": "DNS_ERROR_DELEGATION_REQUIRED", - "9572": "DNS_ERROR_INVALID_POLICY_TABLE", - "9573": "DNS_ERROR_ADDRESS_REQUIRED", - "9601": "DNS_ERROR_ZONE_DOES_NOT_EXIST", - "9602": "DNS_ERROR_NO_ZONE_INFO", - "9603": "DNS_ERROR_INVALID_ZONE_OPERATION", - "9604": "DNS_ERROR_ZONE_CONFIGURATION_ERROR", - "9605": "DNS_ERROR_ZONE_HAS_NO_SOA_RECORD", - "9606": "DNS_ERROR_ZONE_HAS_NO_NS_RECORDS", - "9607": "DNS_ERROR_ZONE_LOCKED", - "9608": "DNS_ERROR_ZONE_CREATION_FAILED", - "9609": "DNS_ERROR_ZONE_ALREADY_EXISTS", - "9610": "DNS_ERROR_AUTOZONE_ALREADY_EXISTS", - "9611": "DNS_ERROR_INVALID_ZONE_TYPE", - "9612": "DNS_ERROR_SECONDARY_REQUIRES_MASTER_IP", - "9613": "DNS_ERROR_ZONE_NOT_SECONDARY", - "9614": "DNS_ERROR_NEED_SECONDARY_ADDRESSES", - "9615": "DNS_ERROR_WINS_INIT_FAILED", - "9616": "DNS_ERROR_NEED_WINS_SERVERS", - "9617": "DNS_ERROR_NBSTAT_INIT_FAILED", - "9618": "DNS_ERROR_SOA_DELETE_INVALID", - "9619": "DNS_ERROR_FORWARDER_ALREADY_EXISTS", - "9620": "DNS_ERROR_ZONE_REQUIRES_MASTER_IP", - "9621": "DNS_ERROR_ZONE_IS_SHUTDOWN", - "9622": "DNS_ERROR_ZONE_LOCKED_FOR_SIGNING", - "9651": "DNS_ERROR_PRIMARY_REQUIRES_DATAFILE", - "9652": "DNS_ERROR_INVALID_DATAFILE_NAME", - "9653": "DNS_ERROR_DATAFILE_OPEN_FAILURE", - "9654": "DNS_ERROR_FILE_WRITEBACK_FAILED", - "9655": "DNS_ERROR_DATAFILE_PARSING", - "9701": "DNS_ERROR_RECORD_DOES_NOT_EXIST", - "9702": "DNS_ERROR_RECORD_FORMAT", - "9703": "DNS_ERROR_NODE_CREATION_FAILED", - "9704": "DNS_ERROR_UNKNOWN_RECORD_TYPE", - "9705": "DNS_ERROR_RECORD_TIMED_OUT", - "9706": "DNS_ERROR_NAME_NOT_IN_ZONE", - "9707": "DNS_ERROR_CNAME_LOOP", - "9708": "DNS_ERROR_NODE_IS_CNAME", - "9709": "DNS_ERROR_CNAME_COLLISION", - "9710": "DNS_ERROR_RECORD_ONLY_AT_ZONE_ROOT", - "9711": 
"DNS_ERROR_RECORD_ALREADY_EXISTS", - "9712": "DNS_ERROR_SECONDARY_DATA", - "9713": "DNS_ERROR_NO_CREATE_CACHE_DATA", - "9714": "DNS_ERROR_NAME_DOES_NOT_EXIST", - "9715": "DNS_WARNING_PTR_CREATE_FAILED", - "9716": "DNS_WARNING_DOMAIN_UNDELETED", - "9717": "DNS_ERROR_DS_UNAVAILABLE", - "9718": "DNS_ERROR_DS_ZONE_ALREADY_EXISTS", - "9719": "DNS_ERROR_NO_BOOTFILE_IF_DS_ZONE", - "9720": "DNS_ERROR_NODE_IS_DNAME", - "9721": "DNS_ERROR_DNAME_COLLISION", - "9722": "DNS_ERROR_ALIAS_LOOP", - "9751": "DNS_INFO_AXFR_COMPLETE", - "9752": "DNS_ERROR_AXFR", - "9753": "DNS_INFO_ADDED_LOCAL_WINS", - "9801": "DNS_STATUS_CONTINUE_NEEDED", - "9851": "DNS_ERROR_NO_TCPIP", - "9852": "DNS_ERROR_NO_DNS_SERVERS", - "9901": "DNS_ERROR_DP_DOES_NOT_EXIST", - "9902": "DNS_ERROR_DP_ALREADY_EXISTS", - "9903": "DNS_ERROR_DP_NOT_ENLISTED", - "9904": "DNS_ERROR_DP_ALREADY_ENLISTED", - "9905": "DNS_ERROR_DP_NOT_AVAILABLE", - "9906": "DNS_ERROR_DP_FSMO_ERROR", - "9911": "DNS_ERROR_RRL_NOT_ENABLED", - "9912": "DNS_ERROR_RRL_INVALID_WINDOW_SIZE", - "9913": "DNS_ERROR_RRL_INVALID_IPV4_PREFIX", - "9914": "DNS_ERROR_RRL_INVALID_IPV6_PREFIX", - "9915": "DNS_ERROR_RRL_INVALID_TC_RATE", - "9916": "DNS_ERROR_RRL_INVALID_LEAK_RATE", - "9917": "DNS_ERROR_RRL_LEAK_RATE_LESSTHAN_TC_RATE", - "9921": "DNS_ERROR_VIRTUALIZATION_INSTANCE_ALREADY_EXISTS", - "9922": "DNS_ERROR_VIRTUALIZATION_INSTANCE_DOES_NOT_EXIST", - "9923": "DNS_ERROR_VIRTUALIZATION_TREE_LOCKED", - "9924": "DNS_ERROR_INVAILD_VIRTUALIZATION_INSTANCE_NAME", - "9925": "DNS_ERROR_DEFAULT_VIRTUALIZATION_INSTANCE", - "9951": "DNS_ERROR_ZONESCOPE_ALREADY_EXISTS", - "9952": "DNS_ERROR_ZONESCOPE_DOES_NOT_EXIST", - "9953": "DNS_ERROR_DEFAULT_ZONESCOPE", - "9954": "DNS_ERROR_INVALID_ZONESCOPE_NAME", - "9955": "DNS_ERROR_NOT_ALLOWED_WITH_ZONESCOPES", - "9956": "DNS_ERROR_LOAD_ZONESCOPE_FAILED", - "9957": "DNS_ERROR_ZONESCOPE_FILE_WRITEBACK_FAILED", - "9958": "DNS_ERROR_INVALID_SCOPE_NAME", - "9959": "DNS_ERROR_SCOPE_DOES_NOT_EXIST", - "9960": 
"DNS_ERROR_DEFAULT_SCOPE", - "9961": "DNS_ERROR_INVALID_SCOPE_OPERATION", - "9962": "DNS_ERROR_SCOPE_LOCKED", - "9963": "DNS_ERROR_SCOPE_ALREADY_EXISTS", - "9971": "DNS_ERROR_POLICY_ALREADY_EXISTS", - "9972": "DNS_ERROR_POLICY_DOES_NOT_EXIST", - "9973": "DNS_ERROR_POLICY_INVALID_CRITERIA", - "9974": "DNS_ERROR_POLICY_INVALID_SETTINGS", - "9975": "DNS_ERROR_CLIENT_SUBNET_IS_ACCESSED", - "9976": "DNS_ERROR_CLIENT_SUBNET_DOES_NOT_EXIST", - "9977": "DNS_ERROR_CLIENT_SUBNET_ALREADY_EXISTS", - "9978": "DNS_ERROR_SUBNET_DOES_NOT_EXIST", - "9979": "DNS_ERROR_SUBNET_ALREADY_EXISTS", - "9980": "DNS_ERROR_POLICY_LOCKED", - "9981": "DNS_ERROR_POLICY_INVALID_WEIGHT", - "9982": "DNS_ERROR_POLICY_INVALID_NAME", - "9983": "DNS_ERROR_POLICY_MISSING_CRITERIA", - "9984": "DNS_ERROR_INVALID_CLIENT_SUBNET_NAME", - "9985": "DNS_ERROR_POLICY_PROCESSING_ORDER_INVALID", - "9986": "DNS_ERROR_POLICY_SCOPE_MISSING", - "9987": "DNS_ERROR_POLICY_SCOPE_NOT_ALLOWED", - "9988": "DNS_ERROR_SERVERSCOPE_IS_REFERENCED", - "9989": "DNS_ERROR_ZONESCOPE_IS_REFERENCED", - "9990": "DNS_ERROR_POLICY_INVALID_CRITERIA_CLIENT_SUBNET", - "9991": "DNS_ERROR_POLICY_INVALID_CRITERIA_TRANSPORT_PROTOCOL", - "9992": "DNS_ERROR_POLICY_INVALID_CRITERIA_NETWORK_PROTOCOL", - "9993": "DNS_ERROR_POLICY_INVALID_CRITERIA_INTERFACE", - "9994": "DNS_ERROR_POLICY_INVALID_CRITERIA_FQDN", - "9995": "DNS_ERROR_POLICY_INVALID_CRITERIA_QUERY_TYPE", - "9996": "DNS_ERROR_POLICY_INVALID_CRITERIA_TIME_OF_DAY", - "10054": "WSAECONNRESET", - "10055": "WSAENOBUFS", - "10060": "WSAETIMEDOUT", - }; - - // Windows DNS record type constants. 
- // https://docs.microsoft.com/en-us/windows/win32/dns/dns-constants - var dnsRecordTypes = { - "1": "A", - "2": "NS", - "3": "MD", - "4": "MF", - "5": "CNAME", - "6": "SOA", - "7": "MB", - "8": "MG", - "9": "MR", - "10": "NULL", - "11": "WKS", - "12": "PTR", - "13": "HINFO", - "14": "MINFO", - "15": "MX", - "16": "TXT", - "17": "RP", - "18": "AFSDB", - "19": "X25", - "20": "ISDN", - "21": "RT", - "22": "NSAP", - "23": "NSAPPTR", - "24": "SIG", - "25": "KEY", - "26": "PX", - "27": "GPOS", - "28": "AAAA", - "29": "LOC", - "30": "NXT", - "31": "EID", - "32": "NIMLOC", - "33": "SRV", - "34": "ATMA", - "35": "NAPTR", - "36": "KX", - "37": "CERT", - "38": "A6", - "39": "DNAME", - "40": "SINK", - "41": "OPT", - "43": "DS", - "46": "RRSIG", - "47": "NSEC", - "48": "DNSKEY", - "49": "DHCID", - "100": "UINFO", - "101": "UID", - "102": "GID", - "103": "UNSPEC", - "248": "ADDRS", - "249": "TKEY", - "250": "TSIG", - "251": "IXFR", - "252": "AXFR", - "253": "MAILB", - "254": "MAILA", - "255": "ANY", - "65281": "WINS", - "65282": "WINSR", - }; - - var setProcessNameUsingExe = function (evt) { - setProcessNameFromPath(evt, "process.executable", "process.name"); - }; - - var setParentProcessNameUsingExe = function (evt) { - setProcessNameFromPath( - evt, - "process.parent.executable", - "process.parent.name" - ); - }; - - var setProcessNameFromPath = function (evt, pathField, nameField) { - var name = evt.Get(nameField); - if (name) { - return; - } - var exe = evt.Get(pathField); - if (!exe) { - return; - } - evt.Put(nameField, path.basename(exe)); - }; - - var splitCommandLine = function (evt, source, target) { - var commandLine = evt.Get(source); - if (!commandLine) { - return; - } - evt.Put(target, windows.splitCommandLine(commandLine)); - }; - - var splitProcessArgs = function (evt) { - splitCommandLine(evt, "process.command_line", "process.args"); - }; - - var splitParentProcessArgs = function (evt) { - splitCommandLine( - evt, - "process.parent.command_line", - 
"process.parent.args" - ); - }; - - var addUser = function (evt) { - var id = evt.Get("winlog.user.identifier"); - if (id) { - evt.Put("user.id", id); - } - var userParts = evt.Get("winlog.event_data.User"); - if (!userParts) { - return; - } - userParts = userParts.split("\\"); - if (userParts.length === 2) { - evt.Put("user.domain", userParts[0]); - evt.Put("user.name", userParts[1]); - evt.AppendTo("related.user", userParts[1]); - evt.Delete("winlog.event_data.User"); - } - }; - - var setRuleName = function (evt) { - var ruleName = evt.Get("winlog.event_data.RuleName"); - evt.Delete("winlog.event_data.RuleName"); - - if (!ruleName || ruleName === "-") { - return; - } - - evt.Put("rule.name", ruleName); - }; - - var addNetworkDirection = function (evt) { - switch (evt.Get("winlog.event_data.Initiated")) { - case "true": - evt.Put("network.direction", "egress"); - break; - case "false": - evt.Put("network.direction", "ingress"); - break; - } - evt.Delete("winlog.event_data.Initiated"); - }; - - var addNetworkType = function (evt) { - switch (evt.Get("winlog.event_data.SourceIsIpv6")) { - case "true": - evt.Put("network.type", "ipv6"); - break; - case "false": - evt.Put("network.type", "ipv4"); - break; - } - evt.Delete("winlog.event_data.SourceIsIpv6"); - evt.Delete("winlog.event_data.DestinationIsIpv6"); - }; - - var setRelatedIP = function (evt) { - var sourceIP = evt.Get("source.ip"); - if (sourceIP) { - evt.AppendTo("related.ip", sourceIP); - } - - var destIP = evt.Get("destination.ip"); - if (destIP) { - evt.AppendTo("related.ip", destIP); - } - }; - - var getHashPath = function (namespace, hashKey) { - if (hashKey === "imphash") { - return namespace + ".pe.imphash"; - } - - return namespace + ".hash." 
+ hashKey; - }; - - var emptyHashRegex = /^0*$/; - - var hashIsEmpty = function (value) { - if (!value) { - return true; - } - - return emptyHashRegex.test(value); - } - - // Adds hashes from the given hashField in the event to the 'hash' key - // in the specified namespace. It also adds all the hashes to 'related.hash'. - var addHashes = function (evt, namespace, hashField) { - var hashes = evt.Get(hashField); - if (!hashes) { - return; - } - evt.Delete(hashField); - hashes.split(",").forEach(function (hash) { - var parts = hash.split("="); - if (parts.length !== 2) { - return; - } - - var key = parts[0].toLowerCase(); - var value = parts[1].toLowerCase(); - - if (hashIsEmpty(value)) { - return; - } - - var path = getHashPath(namespace, key); - - evt.Put(path, value); - evt.AppendTo("related.hash", value); - }); - }; - - var splitFileHashes = function (evt) { - addHashes(evt, "file", "winlog.event_data.Hashes"); - }; - - var splitFileHash = function (evt) { - addHashes(evt, "file", "winlog.event_data.Hash"); - }; - - var splitProcessHashes = function (evt) { - addHashes(evt, "process", "winlog.event_data.Hashes"); - }; - - var removeEmptyEventData = function (evt) { - var eventData = evt.Get("winlog.event_data"); - if (eventData && Object.keys(eventData).length === 0) { - evt.Delete("winlog.event_data"); - } - }; - - var translateDnsQueryStatus = function (evt) { - var statusCode = evt.Get("sysmon.dns.status"); - if (!statusCode) { - return; - } - var statusName = dnsQueryStatusCodes[statusCode]; - if (statusName === undefined) { - return; - } - evt.Put("sysmon.dns.status", statusName); - }; - - // Splits the QueryResults field that contains the DNS responses. 
- // Example: "type: 5 f2.taboola.map.fastly.net;::ffff:151.101.66.2;::ffff:151.101.130.2;::ffff:151.101.194.2;::ffff:151.101.2.2;" - var splitDnsQueryResults = function (evt) { - var results = evt.Get("winlog.event_data.QueryResults"); - if (!results) { - return; - } - results = results.split(";"); - - var answers = []; - var ips = []; - for (var i = 0; i < results.length; i++) { - var answer = results[i]; - if (!answer) { - continue; - } - - if (answer.startsWith("type:")) { - var parts = answer.split(/\s+/); - if (parts.length !== 3) { - throw "unexpected QueryResult format"; - } - - answers.push({ - type: dnsRecordTypes[parts[1]], - data: parts[2], - }); - } else { - // Convert V4MAPPED addresses. - answer = answer.replace("::ffff:", ""); - if (net.isIP(answer)) { - ips.push(answer); - - // Synthesize record type based on IP address type. - var type = "A"; - if (answer.indexOf(":") !== -1) { - type = "AAAA"; - } - answers.push({ - type: type, - data: answer, - }); - } - } - } - - if (answers.length > 0) { - evt.Put("dns.answers", answers); - } - if (ips.length > 0) { - evt.Put("dns.resolved_ip", ips); - } - evt.Delete("winlog.event_data.QueryResults"); - }; - - var parseUtcTime = new processor.Timestamp({ - field: "winlog.event_data.UtcTime", - target_field: "winlog.event_data.UtcTime", - timezone: "UTC", - layouts: ["2006-01-02 15:04:05.999"], - tests: ["2019-06-26 21:19:43.237"], - ignore_missing: true, - }); - - var setAdditionalSignatureFields = function (evt) { - var signed = evt.Get("winlog.event_data.Signed"); - if (!signed) { - return; - } - evt.Put("file.code_signature.signed", true); - var signatureStatus = evt.Get("winlog.event_data.SignatureStatus"); - evt.Put("file.code_signature.valid", signatureStatus === "Valid"); - }; - - var setAdditionalFileFieldsFromPath = function (evt) { - var filePath = evt.Get("file.path"); - if (!filePath) { - return; - } - - evt.Put("file.name", path.basename(filePath)); - evt.Put("file.directory", 
path.dirname(filePath)); - - // path returns extensions with a preceding ., e.g.: .tmp, .png - // according to ecs the expected format is without it, so we need to remove it. - var ext = path.extname(filePath); - if (!ext) { - return; - } - - if (ext.charAt(0) === ".") { - ext = ext.substr(1); - } - evt.Put("file.extension", ext); - }; - - // https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-hives - var commonRegistryHives = { - HKEY_CLASSES_ROOT: "HKCR", - HKCR: "HKCR", - HKEY_CURRENT_CONFIG: "HKCC", - HKCC: "HKCC", - HKEY_CURRENT_USER: "HKCU", - HKCU: "HKCU", - HKEY_DYN_DATA: "HKDD", - HKDD: "HKDD", - HKEY_LOCAL_MACHINE: "HKLM", - HKLM: "HKLM", - HKEY_PERFORMANCE_DATA: "HKPD", - HKPD: "HKPD", - HKEY_USERS: "HKU", - HKU: "HKU", - }; - - var qwordRegex = new RegExp(/QWORD \(((0x\d{8})-(0x\d{8}))\)/, "i"); - var dwordRegex = new RegExp(/DWORD \((0x\d{8})\)/, "i"); - - var setRegistryFields = function (evt) { - var path = evt.Get("winlog.event_data.TargetObject"); - if (!path) { - return; - } - evt.Put("registry.path", path); - var pathTokens = path.split("\\"); - var hive = commonRegistryHives[pathTokens[0]]; - if (hive) { - evt.Put("registry.hive", hive); - pathTokens.splice(0, 1); - if (pathTokens.length > 0) { - evt.Put("registry.key", pathTokens.join("\\")); - } - } - var value = pathTokens[pathTokens.length - 1]; - evt.Put("registry.value", value); - var data = evt.Get("winlog.event_data.Details"); - if (!data) { - return; - } - // sysmon only returns details of a registry modification - // if it's a qword or dword - var dataType; - var dataValue; - var match = qwordRegex.exec(data); - if (match && match.length > 0) { - var parsedHighByte = parseInt(match[2]); - var parsedLowByte = parseInt(match[3]); - if (!isNaN(parsedHighByte) && !isNaN(parsedLowByte)) { - dataValue = "" + ((parsedHighByte << 8) + parsedLowByte); - dataType = "SZ_QWORD"; - } - } else { - match = dwordRegex.exec(data); - if (match && match.length > 0) { - var parsedValue = 
parseInt(match[1]); - if (!isNaN(parsedValue)) { - dataType = "SZ_DWORD"; - dataValue = "" + parsedValue; - } - } - } - if (dataType) { - evt.Put("registry.data.strings", [dataValue]); - evt.Put("registry.data.type", dataType); - } - }; - - // Event ID 1 - Process Create. - var event1 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["process"], - type: ["start", "process_start"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - { - from: "winlog.event_data.CommandLine", - to: "process.command_line", - }, - { - from: "winlog.event_data.CurrentDirectory", - to: "process.working_directory", - }, - { - from: "winlog.event_data.ParentProcessGuid", - to: "process.parent.entity_id", - }, - { - from: "winlog.event_data.ParentProcessId", - to: "process.parent.pid", - type: "long", - }, - { - from: "winlog.event_data.ParentImage", - to: "process.parent.executable", - }, - { - from: "winlog.event_data.ParentCommandLine", - to: "process.parent.command_line", - }, - { - from: "winlog.event_data.OriginalFileName", - to: "process.pe.original_file_name", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Convert({ - fields: [{ - from: "winlog.event_data.Company", - to: "process.pe.company", - }, - { - from: "winlog.event_data.Description", - to: "process.pe.description", - }, - { - from: "winlog.event_data.FileVersion", - to: "process.pe.file_version", - }, - { - from: "winlog.event_data.Product", - to: "process.pe.product", - }, - ], - mode: "copy", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setProcessNameUsingExe) - .Add(splitProcessArgs) - .Add(addUser) - 
.Add(splitProcessHashes) - .Add(setParentProcessNameUsingExe) - .Add(splitParentProcessArgs) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 2 - File creation time changed. - var event2 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["file"], - type: ["change"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - { - from: "winlog.event_data.TargetFilename", - to: "file.path", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setAdditionalFileFieldsFromPath) - .Add(setProcessNameUsingExe) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 3 - Network connection detected. - var event3 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["network"], - type: ["connection", "start", "protocol"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - { - from: "winlog.event_data.Protocol", - to: "network.transport", - }, - { - from: "winlog.event_data.SourceIp", - to: "source.ip", - type: "ip", - }, - { - from: "winlog.event_data.SourceHostname", - to: "source.domain", - type: "string", - }, - { - from: "winlog.event_data.SourcePort", - to: "source.port", - type: "long", - }, - { - from: "winlog.event_data.DestinationIp", - to: "destination.ip", - type: "ip", - }, - { - from: "winlog.event_data.DestinationHostname", - to: "destination.domain", 
- type: "string", - }, - { - from: "winlog.event_data.DestinationPort", - to: "destination.port", - type: "long", - }, - { - from: "winlog.event_data.DestinationPortName", - to: "network.protocol", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setRelatedIP) - .Add(setProcessNameUsingExe) - .Add(addUser) - .Add(addNetworkDirection) - .Add(addNetworkType) - .CommunityID() - .Add(removeEmptyEventData) - .Build(); - - // Event ID 4 - Sysmon service state changed. - var event4 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["process"], - type: ["change"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 5 - Process terminated. - var event5 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["process"], - type: ["end", "process_end"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setProcessNameUsingExe) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 6 - Driver loaded. 
- var event6 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["driver"], - type: ["start"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ImageLoaded", - to: "file.path", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Convert({ - fields: [{ - from: "winlog.event_data.Signature", - to: "file.code_signature.subject_name", - }, - { - from: "winlog.event_data.SignatureStatus", - to: "file.code_signature.status", - }, - ], - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setAdditionalFileFieldsFromPath) - .Add(setAdditionalSignatureFields) - .Add(splitFileHashes) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 7 - Image loaded. - var event7 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["process"], - type: ["change"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - { - from: "winlog.event_data.ImageLoaded", - to: "file.path", - }, - { - from: "winlog.event_data.OriginalFileName", - to: "file.pe.original_file_name", - }, - - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Convert({ - fields: [{ - from: "winlog.event_data.Signature", - to: "file.code_signature.subject_name", - }, - { - from: "winlog.event_data.SignatureStatus", - to: "file.code_signature.status", - }, - { - from: "winlog.event_data.Company", - to: "file.pe.company", - }, - { - from: "winlog.event_data.Description", - to: "file.pe.description", - }, - { - from: "winlog.event_data.FileVersion", - to: "file.pe.file_version", - }, - { - from: 
"winlog.event_data.Product", - to: "file.pe.product", - }, - ], - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setAdditionalFileFieldsFromPath) - .Add(setAdditionalSignatureFields) - .Add(setProcessNameUsingExe) - .Add(splitFileHashes) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 8 - CreateRemoteThread detected. - var event8 = new processor.Chain() - .Add(parseUtcTime) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.SourceProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.SourceProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.SourceImage", - to: "process.executable", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setProcessNameUsingExe) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 9 - RawAccessRead detected. - var event9 = new processor.Chain() - .Add(parseUtcTime) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - { - from: "winlog.event_data.Device", - to: "file.path", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setAdditionalFileFieldsFromPath) - .Add(setProcessNameUsingExe) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 10 - Process accessed. 
- var event10 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["process"], - type: ["access"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.SourceProcessGUID", - to: "process.entity_id", - }, - { - from: "winlog.event_data.SourceProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.SourceThreadId", - to: "process.thread.id", - type: "long", - }, - { - from: "winlog.event_data.SourceImage", - to: "process.executable", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setProcessNameUsingExe) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 11 - File created. - var event11 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["file"], - type: ["creation"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - { - from: "winlog.event_data.TargetFilename", - to: "file.path", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setAdditionalFileFieldsFromPath) - .Add(setProcessNameUsingExe) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 12 - Registry object added or deleted. 
- var event12 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["configuration", "registry"], - type: ["change"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setRegistryFields) - .Add(setProcessNameUsingExe) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 13 - Registry value set. - var event13 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["configuration", "registry"], - type: ["change"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setRegistryFields) - .Add(setProcessNameUsingExe) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 14 - Registry object renamed. 
- var event14 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["configuration", "registry"], - type: ["change"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setRegistryFields) - .Add(setProcessNameUsingExe) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 15 - File stream created. - var event15 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["file"], - type: ["access"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - { - from: "winlog.event_data.TargetFilename", - to: "file.path", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setAdditionalFileFieldsFromPath) - .Add(setProcessNameUsingExe) - .Add(splitFileHash) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 16 - Sysmon config state changed. - var event16 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["configuration"], - type: ["change"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 17 - Pipe Created. 
- var event17 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["file"], // pipes are files - type: ["creation"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.PipeName", - to: "file.name", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setProcessNameUsingExe) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 18 - Pipe Connected. - var event18 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["file"], // pipes are files - type: ["access"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.PipeName", - to: "file.name", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setProcessNameUsingExe) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 19 - WmiEventFilter activity detected. - var event19 = new processor.Chain() - .Add(parseUtcTime) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(addUser) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 20 - WmiEventConsumer activity detected. 
- var event20 = new processor.Chain() - .Add(parseUtcTime) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.Destination", - to: "process.executable", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(addUser) - .Add(setProcessNameUsingExe) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 21 - WmiEventConsumerToFilter activity detected. - var event21 = new processor.Chain() - .Add(parseUtcTime) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(addUser) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 22 - DNSEvent (DNS query). - var event22 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["network"], - type: ["connection", "protocol", "info"], - }, - target: "event", - }) - .AddFields({ - fields: { - protocol: "dns", - }, - target: "network", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - { - from: "winlog.event_data.QueryName", - to: "dns.question.name", - }, - { - from: "winlog.event_data.QueryStatus", - to: "sysmon.dns.status", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .RegisteredDomain({ - ignore_failure: true, - ignore_missing: true, - field: "dns.question.name", - target_field: "dns.question.registered_domain", - target_subdomain_field: "dns.question.subdomain", - target_etld_field: "dns.question.top_level_domain", - }) - .Add(setRuleName) - .Add(translateDnsQueryStatus) - .Add(splitDnsQueryResults) - .Add(setProcessNameUsingExe) 
- .Add(removeEmptyEventData) - .Build(); - - // Event ID 23 - FileDelete (A file delete was detected). - var event23 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["file"], // pipes are files - type: ["deletion"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.RuleName", - to: "rule.name", - }, - { - from: "winlog.event_data.TargetFilename", - to: "file.path", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - { - from: "winlog.event_data.Archived", - to: "sysmon.file.archived", - type: "boolean", - }, - { - from: "winlog.event_data.IsExecutable", - to: "sysmon.file.is_executable", - type: "boolean", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(addUser) - .Add(splitProcessHashes) - .Add(setProcessNameUsingExe) - .Add(setAdditionalFileFieldsFromPath) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 24 - ClipboardChange (New content in the clipboard). 
- var event24 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - type: ["change"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - { - from: "winlog.event_data.Archived", - to: "sysmon.file.archived", - type: "boolean", - }, - { - from: "winlog.event_data.IsExecutable", - to: "sysmon.file.is_executable", - type: "boolean", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(addUser) - .Add(splitProcessHashes) - .Add(setProcessNameUsingExe) - .Add(setAdditionalFileFieldsFromPath) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 25 - ProcessTampering (Process image change). - var event25 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["process"], - type: ["change"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - { - from: "winlog.event_data.Archived", - to: "sysmon.file.archived", - type: "boolean", - }, - { - from: "winlog.event_data.IsExecutable", - to: "sysmon.file.is_executable", - type: "boolean", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(addUser) - .Add(splitProcessHashes) - .Add(setProcessNameUsingExe) - .Add(setAdditionalFileFieldsFromPath) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 255 - Error report. 
- var event255 = new processor.Chain()
- .Add(parseUtcTime)
- .Convert({
- fields: [{
- from: "winlog.event_data.UtcTime",
- to: "@timestamp",
- },
- {
- from: "winlog.event_data.ID",
- to: "error.code",
- },
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(removeEmptyEventData)
- .Build();
-
- return {
- 1: event1.Run,
- 2: event2.Run,
- 3: event3.Run,
- 4: event4.Run,
- 5: event5.Run,
- 6: event6.Run,
- 7: event7.Run,
- 8: event8.Run,
- 9: event9.Run,
- 10: event10.Run,
- 11: event11.Run,
- 12: event12.Run,
- 13: event13.Run,
- 14: event14.Run,
- 15: event15.Run,
- 16: event16.Run,
- 17: event17.Run,
- 18: event18.Run,
- 19: event19.Run,
- 20: event20.Run,
- 21: event21.Run,
- 22: event22.Run,
- 23: event23.Run,
- 24: event24.Run,
- 25: event25.Run,
- 255: event255.Run,
-
- process: function (evt) {
- var event_id = evt.Get("winlog.event_id");
- var processor = this[event_id];
- if (processor === undefined) {
- throw "unexpected sysmon event_id";
- }
- evt.Put("event.module", "sysmon");
- processor(evt);
- },
- };
- })();
-
- function process(evt) {
- return sysmon.process(evt);
- }
diff --git a/packages/windows/0.6.0/data_stream/sysmon_operational/agent/stream/winlog.yml.hbs b/packages/windows/0.6.0/data_stream/sysmon_operational/agent/stream/winlog.yml.hbs
deleted file mode 100755
index 46f74870e9..0000000000
--- a/packages/windows/0.6.0/data_stream/sysmon_operational/agent/stream/winlog.yml.hbs
+++ /dev/null
@@ -1,1813 +0,0 @@ -name: Microsoft-Windows-Sysmon/Operational -condition: ${host.platform} == 'windows' -processors: - - add_fields: - target: '' - fields: - ecs.version: 1.9.0 - - script: - lang: javascript - id: sysmon - source: |- - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - - // Polyfill for String startsWith. - if (!String.prototype.startsWith) { - Object.defineProperty(String.prototype, "startsWith", { - value: function (search, pos) { - pos = !pos || pos < 0 ? 0 : +pos; - return this.substring(pos, pos + search.length) === search; - }, - }); - } - - var sysmon = (function () { - var path = require("path"); - var processor = require("processor"); - var windows = require("windows"); - var net = require("net"); - - // Windows error codes for DNS. This list was generated using - // 'go run gen_dns_error_codes.go'. 
- var dnsQueryStatusCodes = { - "0": "SUCCESS", - "5": "ERROR_ACCESS_DENIED", - "8": "ERROR_NOT_ENOUGH_MEMORY", - "13": "ERROR_INVALID_DATA", - "14": "ERROR_OUTOFMEMORY", - "123": "ERROR_INVALID_NAME", - "1214": "ERROR_INVALID_NETNAME", - "1223": "ERROR_CANCELLED", - "1460": "ERROR_TIMEOUT", - "4312": "ERROR_OBJECT_NOT_FOUND", - "9001": "DNS_ERROR_RCODE_FORMAT_ERROR", - "9002": "DNS_ERROR_RCODE_SERVER_FAILURE", - "9003": "DNS_ERROR_RCODE_NAME_ERROR", - "9004": "DNS_ERROR_RCODE_NOT_IMPLEMENTED", - "9005": "DNS_ERROR_RCODE_REFUSED", - "9006": "DNS_ERROR_RCODE_YXDOMAIN", - "9007": "DNS_ERROR_RCODE_YXRRSET", - "9008": "DNS_ERROR_RCODE_NXRRSET", - "9009": "DNS_ERROR_RCODE_NOTAUTH", - "9010": "DNS_ERROR_RCODE_NOTZONE", - "9016": "DNS_ERROR_RCODE_BADSIG", - "9017": "DNS_ERROR_RCODE_BADKEY", - "9018": "DNS_ERROR_RCODE_BADTIME", - "9101": "DNS_ERROR_KEYMASTER_REQUIRED", - "9102": "DNS_ERROR_NOT_ALLOWED_ON_SIGNED_ZONE", - "9103": "DNS_ERROR_NSEC3_INCOMPATIBLE_WITH_RSA_SHA1", - "9104": "DNS_ERROR_NOT_ENOUGH_SIGNING_KEY_DESCRIPTORS", - "9105": "DNS_ERROR_UNSUPPORTED_ALGORITHM", - "9106": "DNS_ERROR_INVALID_KEY_SIZE", - "9107": "DNS_ERROR_SIGNING_KEY_NOT_ACCESSIBLE", - "9108": "DNS_ERROR_KSP_DOES_NOT_SUPPORT_PROTECTION", - "9109": "DNS_ERROR_UNEXPECTED_DATA_PROTECTION_ERROR", - "9110": "DNS_ERROR_UNEXPECTED_CNG_ERROR", - "9111": "DNS_ERROR_UNKNOWN_SIGNING_PARAMETER_VERSION", - "9112": "DNS_ERROR_KSP_NOT_ACCESSIBLE", - "9113": "DNS_ERROR_TOO_MANY_SKDS", - "9114": "DNS_ERROR_INVALID_ROLLOVER_PERIOD", - "9115": "DNS_ERROR_INVALID_INITIAL_ROLLOVER_OFFSET", - "9116": "DNS_ERROR_ROLLOVER_IN_PROGRESS", - "9117": "DNS_ERROR_STANDBY_KEY_NOT_PRESENT", - "9118": "DNS_ERROR_NOT_ALLOWED_ON_ZSK", - "9119": "DNS_ERROR_NOT_ALLOWED_ON_ACTIVE_SKD", - "9120": "DNS_ERROR_ROLLOVER_ALREADY_QUEUED", - "9121": "DNS_ERROR_NOT_ALLOWED_ON_UNSIGNED_ZONE", - "9122": "DNS_ERROR_BAD_KEYMASTER", - "9123": "DNS_ERROR_INVALID_SIGNATURE_VALIDITY_PERIOD", - "9124": "DNS_ERROR_INVALID_NSEC3_ITERATION_COUNT", - 
"9125": "DNS_ERROR_DNSSEC_IS_DISABLED", - "9126": "DNS_ERROR_INVALID_XML", - "9127": "DNS_ERROR_NO_VALID_TRUST_ANCHORS", - "9128": "DNS_ERROR_ROLLOVER_NOT_POKEABLE", - "9129": "DNS_ERROR_NSEC3_NAME_COLLISION", - "9130": "DNS_ERROR_NSEC_INCOMPATIBLE_WITH_NSEC3_RSA_SHA1", - "9501": "DNS_INFO_NO_RECORDS", - "9502": "DNS_ERROR_BAD_PACKET", - "9503": "DNS_ERROR_NO_PACKET", - "9504": "DNS_ERROR_RCODE", - "9505": "DNS_ERROR_UNSECURE_PACKET", - "9506": "DNS_REQUEST_PENDING", - "9551": "DNS_ERROR_INVALID_TYPE", - "9552": "DNS_ERROR_INVALID_IP_ADDRESS", - "9553": "DNS_ERROR_INVALID_PROPERTY", - "9554": "DNS_ERROR_TRY_AGAIN_LATER", - "9555": "DNS_ERROR_NOT_UNIQUE", - "9556": "DNS_ERROR_NON_RFC_NAME", - "9557": "DNS_STATUS_FQDN", - "9558": "DNS_STATUS_DOTTED_NAME", - "9559": "DNS_STATUS_SINGLE_PART_NAME", - "9560": "DNS_ERROR_INVALID_NAME_CHAR", - "9561": "DNS_ERROR_NUMERIC_NAME", - "9562": "DNS_ERROR_NOT_ALLOWED_ON_ROOT_SERVER", - "9563": "DNS_ERROR_NOT_ALLOWED_UNDER_DELEGATION", - "9564": "DNS_ERROR_CANNOT_FIND_ROOT_HINTS", - "9565": "DNS_ERROR_INCONSISTENT_ROOT_HINTS", - "9566": "DNS_ERROR_DWORD_VALUE_TOO_SMALL", - "9567": "DNS_ERROR_DWORD_VALUE_TOO_LARGE", - "9568": "DNS_ERROR_BACKGROUND_LOADING", - "9569": "DNS_ERROR_NOT_ALLOWED_ON_RODC", - "9570": "DNS_ERROR_NOT_ALLOWED_UNDER_DNAME", - "9571": "DNS_ERROR_DELEGATION_REQUIRED", - "9572": "DNS_ERROR_INVALID_POLICY_TABLE", - "9573": "DNS_ERROR_ADDRESS_REQUIRED", - "9601": "DNS_ERROR_ZONE_DOES_NOT_EXIST", - "9602": "DNS_ERROR_NO_ZONE_INFO", - "9603": "DNS_ERROR_INVALID_ZONE_OPERATION", - "9604": "DNS_ERROR_ZONE_CONFIGURATION_ERROR", - "9605": "DNS_ERROR_ZONE_HAS_NO_SOA_RECORD", - "9606": "DNS_ERROR_ZONE_HAS_NO_NS_RECORDS", - "9607": "DNS_ERROR_ZONE_LOCKED", - "9608": "DNS_ERROR_ZONE_CREATION_FAILED", - "9609": "DNS_ERROR_ZONE_ALREADY_EXISTS", - "9610": "DNS_ERROR_AUTOZONE_ALREADY_EXISTS", - "9611": "DNS_ERROR_INVALID_ZONE_TYPE", - "9612": "DNS_ERROR_SECONDARY_REQUIRES_MASTER_IP", - "9613": "DNS_ERROR_ZONE_NOT_SECONDARY", - 
"9614": "DNS_ERROR_NEED_SECONDARY_ADDRESSES", - "9615": "DNS_ERROR_WINS_INIT_FAILED", - "9616": "DNS_ERROR_NEED_WINS_SERVERS", - "9617": "DNS_ERROR_NBSTAT_INIT_FAILED", - "9618": "DNS_ERROR_SOA_DELETE_INVALID", - "9619": "DNS_ERROR_FORWARDER_ALREADY_EXISTS", - "9620": "DNS_ERROR_ZONE_REQUIRES_MASTER_IP", - "9621": "DNS_ERROR_ZONE_IS_SHUTDOWN", - "9622": "DNS_ERROR_ZONE_LOCKED_FOR_SIGNING", - "9651": "DNS_ERROR_PRIMARY_REQUIRES_DATAFILE", - "9652": "DNS_ERROR_INVALID_DATAFILE_NAME", - "9653": "DNS_ERROR_DATAFILE_OPEN_FAILURE", - "9654": "DNS_ERROR_FILE_WRITEBACK_FAILED", - "9655": "DNS_ERROR_DATAFILE_PARSING", - "9701": "DNS_ERROR_RECORD_DOES_NOT_EXIST", - "9702": "DNS_ERROR_RECORD_FORMAT", - "9703": "DNS_ERROR_NODE_CREATION_FAILED", - "9704": "DNS_ERROR_UNKNOWN_RECORD_TYPE", - "9705": "DNS_ERROR_RECORD_TIMED_OUT", - "9706": "DNS_ERROR_NAME_NOT_IN_ZONE", - "9707": "DNS_ERROR_CNAME_LOOP", - "9708": "DNS_ERROR_NODE_IS_CNAME", - "9709": "DNS_ERROR_CNAME_COLLISION", - "9710": "DNS_ERROR_RECORD_ONLY_AT_ZONE_ROOT", - "9711": "DNS_ERROR_RECORD_ALREADY_EXISTS", - "9712": "DNS_ERROR_SECONDARY_DATA", - "9713": "DNS_ERROR_NO_CREATE_CACHE_DATA", - "9714": "DNS_ERROR_NAME_DOES_NOT_EXIST", - "9715": "DNS_WARNING_PTR_CREATE_FAILED", - "9716": "DNS_WARNING_DOMAIN_UNDELETED", - "9717": "DNS_ERROR_DS_UNAVAILABLE", - "9718": "DNS_ERROR_DS_ZONE_ALREADY_EXISTS", - "9719": "DNS_ERROR_NO_BOOTFILE_IF_DS_ZONE", - "9720": "DNS_ERROR_NODE_IS_DNAME", - "9721": "DNS_ERROR_DNAME_COLLISION", - "9722": "DNS_ERROR_ALIAS_LOOP", - "9751": "DNS_INFO_AXFR_COMPLETE", - "9752": "DNS_ERROR_AXFR", - "9753": "DNS_INFO_ADDED_LOCAL_WINS", - "9801": "DNS_STATUS_CONTINUE_NEEDED", - "9851": "DNS_ERROR_NO_TCPIP", - "9852": "DNS_ERROR_NO_DNS_SERVERS", - "9901": "DNS_ERROR_DP_DOES_NOT_EXIST", - "9902": "DNS_ERROR_DP_ALREADY_EXISTS", - "9903": "DNS_ERROR_DP_NOT_ENLISTED", - "9904": "DNS_ERROR_DP_ALREADY_ENLISTED", - "9905": "DNS_ERROR_DP_NOT_AVAILABLE", - "9906": "DNS_ERROR_DP_FSMO_ERROR", - "9911": 
"DNS_ERROR_RRL_NOT_ENABLED", - "9912": "DNS_ERROR_RRL_INVALID_WINDOW_SIZE", - "9913": "DNS_ERROR_RRL_INVALID_IPV4_PREFIX", - "9914": "DNS_ERROR_RRL_INVALID_IPV6_PREFIX", - "9915": "DNS_ERROR_RRL_INVALID_TC_RATE", - "9916": "DNS_ERROR_RRL_INVALID_LEAK_RATE", - "9917": "DNS_ERROR_RRL_LEAK_RATE_LESSTHAN_TC_RATE", - "9921": "DNS_ERROR_VIRTUALIZATION_INSTANCE_ALREADY_EXISTS", - "9922": "DNS_ERROR_VIRTUALIZATION_INSTANCE_DOES_NOT_EXIST", - "9923": "DNS_ERROR_VIRTUALIZATION_TREE_LOCKED", - "9924": "DNS_ERROR_INVAILD_VIRTUALIZATION_INSTANCE_NAME", - "9925": "DNS_ERROR_DEFAULT_VIRTUALIZATION_INSTANCE", - "9951": "DNS_ERROR_ZONESCOPE_ALREADY_EXISTS", - "9952": "DNS_ERROR_ZONESCOPE_DOES_NOT_EXIST", - "9953": "DNS_ERROR_DEFAULT_ZONESCOPE", - "9954": "DNS_ERROR_INVALID_ZONESCOPE_NAME", - "9955": "DNS_ERROR_NOT_ALLOWED_WITH_ZONESCOPES", - "9956": "DNS_ERROR_LOAD_ZONESCOPE_FAILED", - "9957": "DNS_ERROR_ZONESCOPE_FILE_WRITEBACK_FAILED", - "9958": "DNS_ERROR_INVALID_SCOPE_NAME", - "9959": "DNS_ERROR_SCOPE_DOES_NOT_EXIST", - "9960": "DNS_ERROR_DEFAULT_SCOPE", - "9961": "DNS_ERROR_INVALID_SCOPE_OPERATION", - "9962": "DNS_ERROR_SCOPE_LOCKED", - "9963": "DNS_ERROR_SCOPE_ALREADY_EXISTS", - "9971": "DNS_ERROR_POLICY_ALREADY_EXISTS", - "9972": "DNS_ERROR_POLICY_DOES_NOT_EXIST", - "9973": "DNS_ERROR_POLICY_INVALID_CRITERIA", - "9974": "DNS_ERROR_POLICY_INVALID_SETTINGS", - "9975": "DNS_ERROR_CLIENT_SUBNET_IS_ACCESSED", - "9976": "DNS_ERROR_CLIENT_SUBNET_DOES_NOT_EXIST", - "9977": "DNS_ERROR_CLIENT_SUBNET_ALREADY_EXISTS", - "9978": "DNS_ERROR_SUBNET_DOES_NOT_EXIST", - "9979": "DNS_ERROR_SUBNET_ALREADY_EXISTS", - "9980": "DNS_ERROR_POLICY_LOCKED", - "9981": "DNS_ERROR_POLICY_INVALID_WEIGHT", - "9982": "DNS_ERROR_POLICY_INVALID_NAME", - "9983": "DNS_ERROR_POLICY_MISSING_CRITERIA", - "9984": "DNS_ERROR_INVALID_CLIENT_SUBNET_NAME", - "9985": "DNS_ERROR_POLICY_PROCESSING_ORDER_INVALID", - "9986": "DNS_ERROR_POLICY_SCOPE_MISSING", - "9987": "DNS_ERROR_POLICY_SCOPE_NOT_ALLOWED", - "9988": 
"DNS_ERROR_SERVERSCOPE_IS_REFERENCED", - "9989": "DNS_ERROR_ZONESCOPE_IS_REFERENCED", - "9990": "DNS_ERROR_POLICY_INVALID_CRITERIA_CLIENT_SUBNET", - "9991": "DNS_ERROR_POLICY_INVALID_CRITERIA_TRANSPORT_PROTOCOL", - "9992": "DNS_ERROR_POLICY_INVALID_CRITERIA_NETWORK_PROTOCOL", - "9993": "DNS_ERROR_POLICY_INVALID_CRITERIA_INTERFACE", - "9994": "DNS_ERROR_POLICY_INVALID_CRITERIA_FQDN", - "9995": "DNS_ERROR_POLICY_INVALID_CRITERIA_QUERY_TYPE", - "9996": "DNS_ERROR_POLICY_INVALID_CRITERIA_TIME_OF_DAY", - "10054": "WSAECONNRESET", - "10055": "WSAENOBUFS", - "10060": "WSAETIMEDOUT", - }; - - // Windows DNS record type constants. - // https://docs.microsoft.com/en-us/windows/win32/dns/dns-constants - var dnsRecordTypes = { - "1": "A", - "2": "NS", - "3": "MD", - "4": "MF", - "5": "CNAME", - "6": "SOA", - "7": "MB", - "8": "MG", - "9": "MR", - "10": "NULL", - "11": "WKS", - "12": "PTR", - "13": "HINFO", - "14": "MINFO", - "15": "MX", - "16": "TXT", - "17": "RP", - "18": "AFSDB", - "19": "X25", - "20": "ISDN", - "21": "RT", - "22": "NSAP", - "23": "NSAPPTR", - "24": "SIG", - "25": "KEY", - "26": "PX", - "27": "GPOS", - "28": "AAAA", - "29": "LOC", - "30": "NXT", - "31": "EID", - "32": "NIMLOC", - "33": "SRV", - "34": "ATMA", - "35": "NAPTR", - "36": "KX", - "37": "CERT", - "38": "A6", - "39": "DNAME", - "40": "SINK", - "41": "OPT", - "43": "DS", - "46": "RRSIG", - "47": "NSEC", - "48": "DNSKEY", - "49": "DHCID", - "100": "UINFO", - "101": "UID", - "102": "GID", - "103": "UNSPEC", - "248": "ADDRS", - "249": "TKEY", - "250": "TSIG", - "251": "IXFR", - "252": "AXFR", - "253": "MAILB", - "254": "MAILA", - "255": "ANY", - "65281": "WINS", - "65282": "WINSR", - }; - - var setProcessNameUsingExe = function (evt) { - setProcessNameFromPath(evt, "process.executable", "process.name"); - }; - - var setParentProcessNameUsingExe = function (evt) { - setProcessNameFromPath( - evt, - "process.parent.executable", - "process.parent.name" - ); - }; - - var setProcessNameFromPath = function 
(evt, pathField, nameField) { - var name = evt.Get(nameField); - if (name) { - return; - } - var exe = evt.Get(pathField); - if (!exe) { - return; - } - evt.Put(nameField, path.basename(exe)); - }; - - var splitCommandLine = function (evt, source, target) { - var commandLine = evt.Get(source); - if (!commandLine) { - return; - } - evt.Put(target, windows.splitCommandLine(commandLine)); - }; - - var splitProcessArgs = function (evt) { - splitCommandLine(evt, "process.command_line", "process.args"); - }; - - var splitParentProcessArgs = function (evt) { - splitCommandLine( - evt, - "process.parent.command_line", - "process.parent.args" - ); - }; - - var addUser = function (evt) { - var id = evt.Get("winlog.user.identifier"); - if (id) { - evt.Put("user.id", id); - } - var userParts = evt.Get("winlog.event_data.User"); - if (!userParts) { - return; - } - userParts = userParts.split("\\"); - if (userParts.length === 2) { - evt.Put("user.domain", userParts[0]); - evt.Put("user.name", userParts[1]); - evt.AppendTo("related.user", userParts[1]); - evt.Delete("winlog.event_data.User"); - } - }; - - var setRuleName = function (evt) { - var ruleName = evt.Get("winlog.event_data.RuleName"); - evt.Delete("winlog.event_data.RuleName"); - - if (!ruleName || ruleName === "-") { - return; - } - - evt.Put("rule.name", ruleName); - }; - - var addNetworkDirection = function (evt) { - switch (evt.Get("winlog.event_data.Initiated")) { - case "true": - evt.Put("network.direction", "egress"); - break; - case "false": - evt.Put("network.direction", "ingress"); - break; - } - evt.Delete("winlog.event_data.Initiated"); - }; - - var addNetworkType = function (evt) { - switch (evt.Get("winlog.event_data.SourceIsIpv6")) { - case "true": - evt.Put("network.type", "ipv6"); - break; - case "false": - evt.Put("network.type", "ipv4"); - break; - } - evt.Delete("winlog.event_data.SourceIsIpv6"); - evt.Delete("winlog.event_data.DestinationIsIpv6"); - }; - - var setRelatedIP = function (evt) { - var 
sourceIP = evt.Get("source.ip"); - if (sourceIP) { - evt.AppendTo("related.ip", sourceIP); - } - - var destIP = evt.Get("destination.ip"); - if (destIP) { - evt.AppendTo("related.ip", destIP); - } - }; - - var getHashPath = function (namespace, hashKey) { - if (hashKey === "imphash") { - return namespace + ".pe.imphash"; - } - - return namespace + ".hash." + hashKey; - }; - - var emptyHashRegex = /^0*$/; - - var hashIsEmpty = function (value) { - if (!value) { - return true; - } - - return emptyHashRegex.test(value); - } - - // Adds hashes from the given hashField in the event to the 'hash' key - // in the specified namespace. It also adds all the hashes to 'related.hash'. - var addHashes = function (evt, namespace, hashField) { - var hashes = evt.Get(hashField); - if (!hashes) { - return; - } - evt.Delete(hashField); - hashes.split(",").forEach(function (hash) { - var parts = hash.split("="); - if (parts.length !== 2) { - return; - } - - var key = parts[0].toLowerCase(); - var value = parts[1].toLowerCase(); - - if (hashIsEmpty(value)) { - return; - } - - var path = getHashPath(namespace, key); - - evt.Put(path, value); - evt.AppendTo("related.hash", value); - }); - }; - - var splitFileHashes = function (evt) { - addHashes(evt, "file", "winlog.event_data.Hashes"); - }; - - var splitFileHash = function (evt) { - addHashes(evt, "file", "winlog.event_data.Hash"); - }; - - var splitProcessHashes = function (evt) { - addHashes(evt, "process", "winlog.event_data.Hashes"); - }; - - var removeEmptyEventData = function (evt) { - var eventData = evt.Get("winlog.event_data"); - if (eventData && Object.keys(eventData).length === 0) { - evt.Delete("winlog.event_data"); - } - }; - - var translateDnsQueryStatus = function (evt) { - var statusCode = evt.Get("sysmon.dns.status"); - if (!statusCode) { - return; - } - var statusName = dnsQueryStatusCodes[statusCode]; - if (statusName === undefined) { - return; - } - evt.Put("sysmon.dns.status", statusName); - }; - - // Splits the 
QueryResults field that contains the DNS responses. - // Example: "type: 5 f2.taboola.map.fastly.net;::ffff:151.101.66.2;::ffff:151.101.130.2;::ffff:151.101.194.2;::ffff:151.101.2.2;" - var splitDnsQueryResults = function (evt) { - var results = evt.Get("winlog.event_data.QueryResults"); - if (!results) { - return; - } - results = results.split(";"); - - var answers = []; - var ips = []; - for (var i = 0; i < results.length; i++) { - var answer = results[i]; - if (!answer) { - continue; - } - - if (answer.startsWith("type:")) { - var parts = answer.split(/\s+/); - if (parts.length !== 3) { - throw "unexpected QueryResult format"; - } - - answers.push({ - type: dnsRecordTypes[parts[1]], - data: parts[2], - }); - } else { - // Convert V4MAPPED addresses. - answer = answer.replace("::ffff:", ""); - if (net.isIP(answer)) { - ips.push(answer); - - // Synthesize record type based on IP address type. - var type = "A"; - if (answer.indexOf(":") !== -1) { - type = "AAAA"; - } - answers.push({ - type: type, - data: answer, - }); - } - } - } - - if (answers.length > 0) { - evt.Put("dns.answers", answers); - } - if (ips.length > 0) { - evt.Put("dns.resolved_ip", ips); - } - evt.Delete("winlog.event_data.QueryResults"); - }; - - var parseUtcTime = new processor.Timestamp({ - field: "winlog.event_data.UtcTime", - target_field: "winlog.event_data.UtcTime", - timezone: "UTC", - layouts: ["2006-01-02 15:04:05.999"], - tests: ["2019-06-26 21:19:43.237"], - ignore_missing: true, - }); - - var setAdditionalSignatureFields = function (evt) { - var signed = evt.Get("winlog.event_data.Signed"); - if (!signed) { - return; - } - evt.Put("file.code_signature.signed", true); - var signatureStatus = evt.Get("winlog.event_data.SignatureStatus"); - evt.Put("file.code_signature.valid", signatureStatus === "Valid"); - }; - - var setAdditionalFileFieldsFromPath = function (evt) { - var filePath = evt.Get("file.path"); - if (!filePath) { - return; - } - - evt.Put("file.name", 
path.basename(filePath)); - evt.Put("file.directory", path.dirname(filePath)); - - // path returns extensions with a preceding ., e.g.: .tmp, .png - // according to ecs the expected format is without it, so we need to remove it. - var ext = path.extname(filePath); - if (!ext) { - return; - } - - if (ext.charAt(0) === ".") { - ext = ext.substr(1); - } - evt.Put("file.extension", ext); - }; - - // https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-hives - var commonRegistryHives = { - HKEY_CLASSES_ROOT: "HKCR", - HKCR: "HKCR", - HKEY_CURRENT_CONFIG: "HKCC", - HKCC: "HKCC", - HKEY_CURRENT_USER: "HKCU", - HKCU: "HKCU", - HKEY_DYN_DATA: "HKDD", - HKDD: "HKDD", - HKEY_LOCAL_MACHINE: "HKLM", - HKLM: "HKLM", - HKEY_PERFORMANCE_DATA: "HKPD", - HKPD: "HKPD", - HKEY_USERS: "HKU", - HKU: "HKU", - }; - - var qwordRegex = new RegExp(/QWORD \(((0x\d{8})-(0x\d{8}))\)/, "i"); - var dwordRegex = new RegExp(/DWORD \((0x\d{8})\)/, "i"); - - var setRegistryFields = function (evt) { - var path = evt.Get("winlog.event_data.TargetObject"); - if (!path) { - return; - } - evt.Put("registry.path", path); - var pathTokens = path.split("\\"); - var hive = commonRegistryHives[pathTokens[0]]; - if (hive) { - evt.Put("registry.hive", hive); - pathTokens.splice(0, 1); - if (pathTokens.length > 0) { - evt.Put("registry.key", pathTokens.join("\\")); - } - } - var value = pathTokens[pathTokens.length - 1]; - evt.Put("registry.value", value); - var data = evt.Get("winlog.event_data.Details"); - if (!data) { - return; - } - // sysmon only returns details of a registry modification - // if it's a qword or dword - var dataType; - var dataValue; - var match = qwordRegex.exec(data); - if (match && match.length > 0) { - var parsedHighByte = parseInt(match[2]); - var parsedLowByte = parseInt(match[3]); - if (!isNaN(parsedHighByte) && !isNaN(parsedLowByte)) { - dataValue = "" + ((parsedHighByte << 8) + parsedLowByte); - dataType = "SZ_QWORD"; - } - } else { - match = dwordRegex.exec(data); - if 
(match && match.length > 0) { - var parsedValue = parseInt(match[1]); - if (!isNaN(parsedValue)) { - dataType = "SZ_DWORD"; - dataValue = "" + parsedValue; - } - } - } - if (dataType) { - evt.Put("registry.data.strings", [dataValue]); - evt.Put("registry.data.type", dataType); - } - }; - - // Event ID 1 - Process Create. - var event1 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["process"], - type: ["start", "process_start"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - { - from: "winlog.event_data.CommandLine", - to: "process.command_line", - }, - { - from: "winlog.event_data.CurrentDirectory", - to: "process.working_directory", - }, - { - from: "winlog.event_data.ParentProcessGuid", - to: "process.parent.entity_id", - }, - { - from: "winlog.event_data.ParentProcessId", - to: "process.parent.pid", - type: "long", - }, - { - from: "winlog.event_data.ParentImage", - to: "process.parent.executable", - }, - { - from: "winlog.event_data.ParentCommandLine", - to: "process.parent.command_line", - }, - { - from: "winlog.event_data.OriginalFileName", - to: "process.pe.original_file_name", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Convert({ - fields: [{ - from: "winlog.event_data.Company", - to: "process.pe.company", - }, - { - from: "winlog.event_data.Description", - to: "process.pe.description", - }, - { - from: "winlog.event_data.FileVersion", - to: "process.pe.file_version", - }, - { - from: "winlog.event_data.Product", - to: "process.pe.product", - }, - ], - mode: "copy", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setProcessNameUsingExe) - 
.Add(splitProcessArgs) - .Add(addUser) - .Add(splitProcessHashes) - .Add(setParentProcessNameUsingExe) - .Add(splitParentProcessArgs) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 2 - File creation time changed. - var event2 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["file"], - type: ["change"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - { - from: "winlog.event_data.TargetFilename", - to: "file.path", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setAdditionalFileFieldsFromPath) - .Add(setProcessNameUsingExe) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 3 - Network connection detected. 
- var event3 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["network"], - type: ["connection", "start", "protocol"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - { - from: "winlog.event_data.Protocol", - to: "network.transport", - }, - { - from: "winlog.event_data.SourceIp", - to: "source.ip", - type: "ip", - }, - { - from: "winlog.event_data.SourceHostname", - to: "source.domain", - type: "string", - }, - { - from: "winlog.event_data.SourcePort", - to: "source.port", - type: "long", - }, - { - from: "winlog.event_data.DestinationIp", - to: "destination.ip", - type: "ip", - }, - { - from: "winlog.event_data.DestinationHostname", - to: "destination.domain", - type: "string", - }, - { - from: "winlog.event_data.DestinationPort", - to: "destination.port", - type: "long", - }, - { - from: "winlog.event_data.DestinationPortName", - to: "network.protocol", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setRelatedIP) - .Add(setProcessNameUsingExe) - .Add(addUser) - .Add(addNetworkDirection) - .Add(addNetworkType) - .CommunityID() - .Add(removeEmptyEventData) - .Build(); - - // Event ID 4 - Sysmon service state changed. - var event4 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["process"], - type: ["change"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 5 - Process terminated. 
- var event5 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["process"], - type: ["end", "process_end"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setProcessNameUsingExe) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 6 - Driver loaded. - var event6 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["driver"], - type: ["start"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ImageLoaded", - to: "file.path", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Convert({ - fields: [{ - from: "winlog.event_data.Signature", - to: "file.code_signature.subject_name", - }, - { - from: "winlog.event_data.SignatureStatus", - to: "file.code_signature.status", - }, - ], - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setAdditionalFileFieldsFromPath) - .Add(setAdditionalSignatureFields) - .Add(splitFileHashes) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 7 - Image loaded. 
- var event7 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["process"], - type: ["change"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - { - from: "winlog.event_data.ImageLoaded", - to: "file.path", - }, - { - from: "winlog.event_data.OriginalFileName", - to: "file.pe.original_file_name", - }, - - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Convert({ - fields: [{ - from: "winlog.event_data.Signature", - to: "file.code_signature.subject_name", - }, - { - from: "winlog.event_data.SignatureStatus", - to: "file.code_signature.status", - }, - { - from: "winlog.event_data.Company", - to: "file.pe.company", - }, - { - from: "winlog.event_data.Description", - to: "file.pe.description", - }, - { - from: "winlog.event_data.FileVersion", - to: "file.pe.file_version", - }, - { - from: "winlog.event_data.Product", - to: "file.pe.product", - }, - ], - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setAdditionalFileFieldsFromPath) - .Add(setAdditionalSignatureFields) - .Add(setProcessNameUsingExe) - .Add(splitFileHashes) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 8 - CreateRemoteThread detected. 
- var event8 = new processor.Chain() - .Add(parseUtcTime) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.SourceProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.SourceProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.SourceImage", - to: "process.executable", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setProcessNameUsingExe) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 9 - RawAccessRead detected. - var event9 = new processor.Chain() - .Add(parseUtcTime) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - { - from: "winlog.event_data.Device", - to: "file.path", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setAdditionalFileFieldsFromPath) - .Add(setProcessNameUsingExe) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 10 - Process accessed. 
- var event10 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["process"], - type: ["access"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.SourceProcessGUID", - to: "process.entity_id", - }, - { - from: "winlog.event_data.SourceProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.SourceThreadId", - to: "process.thread.id", - type: "long", - }, - { - from: "winlog.event_data.SourceImage", - to: "process.executable", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setProcessNameUsingExe) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 11 - File created. - var event11 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["file"], - type: ["creation"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - { - from: "winlog.event_data.TargetFilename", - to: "file.path", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setAdditionalFileFieldsFromPath) - .Add(setProcessNameUsingExe) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 12 - Registry object added or deleted. 
- var event12 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["configuration", "registry"], - type: ["change"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setRegistryFields) - .Add(setProcessNameUsingExe) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 13 - Registry value set. - var event13 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["configuration", "registry"], - type: ["change"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setRegistryFields) - .Add(setProcessNameUsingExe) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 14 - Registry object renamed. 
- var event14 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["configuration", "registry"], - type: ["change"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setRegistryFields) - .Add(setProcessNameUsingExe) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 15 - File stream created. - var event15 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["file"], - type: ["access"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - { - from: "winlog.event_data.TargetFilename", - to: "file.path", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setAdditionalFileFieldsFromPath) - .Add(setProcessNameUsingExe) - .Add(splitFileHash) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 16 - Sysmon config state changed. - var event16 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["configuration"], - type: ["change"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 17 - Pipe Created. 
- var event17 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["file"], // pipes are files - type: ["creation"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.PipeName", - to: "file.name", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setProcessNameUsingExe) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 18 - Pipe Connected. - var event18 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["file"], // pipes are files - type: ["access"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.PipeName", - to: "file.name", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setProcessNameUsingExe) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 19 - WmiEventFilter activity detected. - var event19 = new processor.Chain() - .Add(parseUtcTime) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(addUser) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 20 - WmiEventConsumer activity detected. 
- var event20 = new processor.Chain() - .Add(parseUtcTime) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.Destination", - to: "process.executable", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(addUser) - .Add(setProcessNameUsingExe) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 21 - WmiEventConsumerToFilter activity detected. - var event21 = new processor.Chain() - .Add(parseUtcTime) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(addUser) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 22 - DNSEvent (DNS query). - var event22 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["network"], - type: ["connection", "protocol", "info"], - }, - target: "event", - }) - .AddFields({ - fields: { - protocol: "dns", - }, - target: "network", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - { - from: "winlog.event_data.QueryName", - to: "dns.question.name", - }, - { - from: "winlog.event_data.QueryStatus", - to: "sysmon.dns.status", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .RegisteredDomain({ - ignore_failure: true, - ignore_missing: true, - field: "dns.question.name", - target_field: "dns.question.registered_domain", - target_subdomain_field: "dns.question.subdomain", - target_etld_field: "dns.question.top_level_domain", - }) - .Add(setRuleName) - .Add(translateDnsQueryStatus) - .Add(splitDnsQueryResults) - .Add(setProcessNameUsingExe) 
- .Add(removeEmptyEventData) - .Build(); - - // Event ID 23 - FileDelete (A file delete was detected). - var event23 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["file"], // pipes are files - type: ["deletion"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.RuleName", - to: "rule.name", - }, - { - from: "winlog.event_data.TargetFilename", - to: "file.path", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - { - from: "winlog.event_data.Archived", - to: "sysmon.file.archived", - type: "boolean", - }, - { - from: "winlog.event_data.IsExecutable", - to: "sysmon.file.is_executable", - type: "boolean", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(addUser) - .Add(splitProcessHashes) - .Add(setProcessNameUsingExe) - .Add(setAdditionalFileFieldsFromPath) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 24 - ClipboardChange (New content in the clipboard). 
- var event24 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - type: ["change"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - { - from: "winlog.event_data.Archived", - to: "sysmon.file.archived", - type: "boolean", - }, - { - from: "winlog.event_data.IsExecutable", - to: "sysmon.file.is_executable", - type: "boolean", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(addUser) - .Add(splitProcessHashes) - .Add(setProcessNameUsingExe) - .Add(setAdditionalFileFieldsFromPath) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 25 - ProcessTampering (Process image change). - var event25 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["process"], - type: ["change"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - { - from: "winlog.event_data.Archived", - to: "sysmon.file.archived", - type: "boolean", - }, - { - from: "winlog.event_data.IsExecutable", - to: "sysmon.file.is_executable", - type: "boolean", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(addUser) - .Add(splitProcessHashes) - .Add(setProcessNameUsingExe) - .Add(setAdditionalFileFieldsFromPath) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 255 - Error report. 
- var event255 = new processor.Chain()
- .Add(parseUtcTime)
- .Convert({
- fields: [{
- from: "winlog.event_data.UtcTime",
- to: "@timestamp",
- },
- {
- from: "winlog.event_data.ID",
- to: "error.code",
- },
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(removeEmptyEventData)
- .Build();
-
- return {
- 1: event1.Run,
- 2: event2.Run,
- 3: event3.Run,
- 4: event4.Run,
- 5: event5.Run,
- 6: event6.Run,
- 7: event7.Run,
- 8: event8.Run,
- 9: event9.Run,
- 10: event10.Run,
- 11: event11.Run,
- 12: event12.Run,
- 13: event13.Run,
- 14: event14.Run,
- 15: event15.Run,
- 16: event16.Run,
- 17: event17.Run,
- 18: event18.Run,
- 19: event19.Run,
- 20: event20.Run,
- 21: event21.Run,
- 22: event22.Run,
- 23: event23.Run,
- 24: event24.Run,
- 25: event25.Run,
- 255: event255.Run,
-
- process: function (evt) {
- var event_id = evt.Get("winlog.event_id");
- var processor = this[event_id];
- if (processor === undefined) {
- throw "unexpected sysmon event_id";
- }
- evt.Put("event.module", "sysmon");
- processor(evt);
- },
- };
- })();
-
- function process(evt) {
- return sysmon.process(evt);
- }
diff --git a/packages/windows/0.6.0/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml b/packages/windows/0.6.0/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 23333704d6..0000000000
--- a/packages/windows/0.6.0/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-description: Pipeline for Windows Sysmon Event Logs
-processors:
- - set:
- field: event.ingested
- value: '{{_ingest.timestamp}}'
-on_failure:
- - set:
- field: "error.message"
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/windows/0.6.0/data_stream/sysmon_operational/fields/agent.yml b/packages/windows/0.6.0/data_stream/sysmon_operational/fields/agent.yml
deleted file mode 100755
index da4e652c53..0000000000
--- a/packages/windows/0.6.0/data_stream/sysmon_operational/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/windows/0.6.0/data_stream/sysmon_operational/fields/base-fields.yml b/packages/windows/0.6.0/data_stream/sysmon_operational/fields/base-fields.yml
deleted file mode 100755
index a9a65458fc..0000000000
--- a/packages/windows/0.6.0/data_stream/sysmon_operational/fields/base-fields.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset name.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: dataset.type
- type: constant_keyword
- description: Dataset type.
-- name: dataset.name
- type: constant_keyword
- description: Dataset name.
-- name: dataset.namespace
- type: constant_keyword
- description: Dataset namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/windows/0.6.0/data_stream/sysmon_operational/fields/ecs.yml b/packages/windows/0.6.0/data_stream/sysmon_operational/fields/ecs.yml
deleted file mode 100755
index 5b76041236..0000000000
--- a/packages/windows/0.6.0/data_stream/sysmon_operational/fields/ecs.yml
+++ /dev/null
@@ -1,492 +0,0 @@ -- name: event - title: Event - type: group - fields: - - name: action - type: keyword - ignore_above: 1024 - description: 'The action captured by the event.' - - name: category - type: keyword - ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.' - - name: code - type: keyword - ignore_above: 1024 - description: 'Identification code for this event, if one exists.' - - name: created - type: date - description: 'event.created contains the date/time when the event was first read by an agent, or by your pipeline.' - - name: ingested - type: date - description: 'Timestamp when an event arrived in the central data store.' - default_field: false - - name: kind - type: keyword - ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.' - - name: module - type: keyword - ignore_above: 1024 - description: 'Name of the module this data is coming from.' - - name: outcome - type: keyword - ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.' - - name: provider - type: keyword - ignore_above: 1024 - description: 'Source of the event.' - - name: sequence - type: long - format: string - description: 'Sequence number of the event.' - - name: type - type: keyword - ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.' -- name: host - title: Host - type: group - fields: - - name: name - type: keyword - ignore_above: 1024 - description: 'Name of the host.' -- name: log - title: Log - type: group - fields: - - name: level - type: keyword - ignore_above: 1024 - description: 'Original log level of the log event.' 
-- name: process - title: Process - type: group - fields: - - name: args - type: keyword - ignore_above: 1024 - description: 'Array of process arguments, starting with the absolute path to the executable.' - - name: args_count - type: long - description: 'Length of the process.args array.' - default_field: false - - name: command_line - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: 'Full command line that started the process, including the absolute path to the executable, and all arguments.' - default_field: false - - name: entity_id - type: keyword - ignore_above: 1024 - description: 'Unique identifier for the process.' - default_field: false - - name: executable - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Absolute path to the process executable. - - name: hash.md5 - type: keyword - ignore_above: 1024 - description: MD5 hash. - - name: hash.sha1 - type: keyword - ignore_above: 1024 - description: SHA1 hash. - - name: hash.sha256 - type: keyword - ignore_above: 1024 - description: SHA256 hash. - - name: hash.sha512 - type: keyword - ignore_above: 1024 - description: SHA512 hash. - - name: name - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: 'Process name.' - - name: parent.args - type: keyword - ignore_above: 1024 - description: 'Array of process arguments, starting with the absolute path to the executable.' - default_field: false - - name: parent.args_count - type: long - description: 'Length of the process.args array.' - default_field: false - - name: parent.command_line - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: 'Full command line that started the process, including the absolute path to the executable, and all arguments.' 
- default_field: false - - name: parent.entity_id - type: keyword - ignore_above: 1024 - description: 'Unique identifier for the process.' - default_field: false - - name: parent.executable - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Absolute path to the process executable. - default_field: false - - name: parent.hash.md5 - type: keyword - ignore_above: 1024 - description: MD5 hash. - default_field: false - - name: parent.hash.sha1 - type: keyword - ignore_above: 1024 - description: SHA1 hash. - default_field: false - - name: parent.hash.sha256 - type: keyword - ignore_above: 1024 - description: SHA256 hash. - default_field: false - - name: parent.hash.sha512 - type: keyword - ignore_above: 1024 - description: SHA512 hash. - default_field: false - - name: parent.name - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: 'Process name.' - default_field: false - - name: parent.pe.architecture - type: keyword - ignore_above: 1024 - description: CPU architecture target for the file. - default_field: false - - name: parent.pe.company - type: keyword - ignore_above: 1024 - description: Internal company name of the file, provided at compile-time. - default_field: false - - name: parent.pe.description - type: keyword - ignore_above: 1024 - description: Internal description of the file, provided at compile-time. - default_field: false - - name: parent.pe.file_version - type: keyword - ignore_above: 1024 - description: Internal version of the file, provided at compile-time. - default_field: false - - name: parent.pe.imphash - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a PE file.' - default_field: false - - name: parent.pe.original_file_name - type: keyword - ignore_above: 1024 - description: Internal name of the file, provided at compile-time. 
- default_field: false - - name: parent.pe.product - type: keyword - ignore_above: 1024 - description: Internal product name of the file, provided at compile-time. - default_field: false - - name: parent.pid - type: long - format: string - description: Process id. - default_field: false - - name: parent.start - type: date - description: The time the process started. - default_field: false - - name: parent.title - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: 'Process title.' - default_field: false - - name: pe.architecture - type: keyword - ignore_above: 1024 - description: CPU architecture target for the file. - default_field: false - - name: pe.company - type: keyword - ignore_above: 1024 - description: Internal company name of the file, provided at compile-time. - default_field: false - - name: pe.description - type: keyword - ignore_above: 1024 - description: Internal description of the file, provided at compile-time. - default_field: false - - name: pe.file_version - type: keyword - ignore_above: 1024 - description: Internal version of the file, provided at compile-time. - default_field: false - - name: pe.imphash - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a PE file.' - default_field: false - - name: pe.original_file_name - type: keyword - ignore_above: 1024 - description: Internal name of the file, provided at compile-time. - default_field: false - - name: pe.product - type: keyword - ignore_above: 1024 - description: Internal product name of the file, provided at compile-time. - default_field: false - - name: pid - type: long - format: string - description: Process id. - - name: title - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: 'Process title. - - The proctitle, some times the same as process name. 
Can also be different: for example a browser setting its title to the web page currently opened.' - - name: working_directory - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: The working directory of the process. -- name: user - title: User - type: group - fields: - - name: domain - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of.' - - name: id - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - - name: name - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Short name or login of the user. - - name: target.group.domain - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of.' - default_field: false - - name: target.group.id - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: target.group.name - type: keyword - ignore_above: 1024 - description: Name of the group. - - name: target.name - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Short name or login of the user. - default_field: false -- name: group - title: Group - type: group - fields: - - name: domain - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of.' - - name: id - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - - name: name - type: keyword - ignore_above: 1024 - description: Name of the group. -- name: service - title: Service - type: group - fields: - - name: name - type: keyword - ignore_above: 1024 - description: 'Name of the service data is collected from.' 
- - name: type - type: keyword - ignore_above: 1024 - description: 'The type of the service data is collected from.' -- name: source - title: Source - type: group - fields: - - name: domain - type: keyword - ignore_above: 1024 - description: Source domain. - - name: ip - type: ip - description: IP address of the source (IPv4 or IPv6). - - name: port - type: long - format: string - description: Port of the source. -- name: related - title: Related - type: group - fields: - - name: hash - type: keyword - ignore_above: 1024 - default_field: false - - name: hosts - type: keyword - ignore_above: 1024 - default_field: false - - name: ip - type: ip - - name: user - type: keyword - ignore_above: 1024 - default_field: false -- name: dns - title: DNS - group: 2 - type: group - fields: - - name: answers - type: object - description: 'An array containing an object for each answer section returned by the server.' - - name: answers.class - type: keyword - ignore_above: 1024 - description: The class of DNS data contained in this resource record. - - name: answers.data - type: keyword - ignore_above: 1024 - description: 'The data describing the resource.' - - name: answers.name - type: keyword - ignore_above: 1024 - description: 'The domain name to which this resource record pertains.' - - name: answers.ttl - type: long - description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. - - name: answers.type - type: keyword - ignore_above: 1024 - description: The type of data contained in this resource record. - - name: header_flags - type: keyword - ignore_above: 1024 - description: 'Array of 2 letter DNS header flags.' - - name: id - type: keyword - ignore_above: 1024 - description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. 
- - name: op_code - type: keyword - ignore_above: 1024 - description: The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. - - name: question.class - type: keyword - ignore_above: 1024 - description: The class of records being queried. - - name: question.name - type: keyword - ignore_above: 1024 - description: 'The name being queried.' - - name: question.registered_domain - type: keyword - ignore_above: 1024 - description: 'The highest registered domain, stripped of the subdomain.' - - name: question.subdomain - type: keyword - ignore_above: 1024 - description: 'The subdomain is all of the labels under the registered_domain.' - - name: question.top_level_domain - type: keyword - ignore_above: 1024 - description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".' - - name: question.type - type: keyword - ignore_above: 1024 - description: The type of record being queried. - - name: resolved_ip - type: ip - description: 'Array containing all IPs seen in `answers.data`.' - - name: response_code - type: keyword - ignore_above: 1024 - description: The DNS response code. - - name: type - type: keyword - ignore_above: 1024 - description: 'The type of DNS event captured, query or answer.' -- name: network - title: Network - type: group - fields: - - name: protocol - type: keyword - ignore_above: 1024 - description: 'L7 Network protocol name. ex. http, lumberjack, transport protocol.' -- name: rule - title: Rule - type: group - fields: - - name: name - type: keyword - ignore_above: 1024 - description: The name of the rule or signature generating the event. - default_field: false 
diff --git a/packages/windows/0.6.0/data_stream/sysmon_operational/fields/fields.yml b/packages/windows/0.6.0/data_stream/sysmon_operational/fields/fields.yml deleted file mode 100755 index fe766a8460..0000000000 --- a/packages/windows/0.6.0/data_stream/sysmon_operational/fields/fields.yml +++ /dev/null @@ -1,9 +0,0 @@ -- name: sysmon.dns.status - type: keyword - description: Windows status code returned for the DNS query. -- name: sysmon.file.archived - type: boolean - description: Indicates if the deleted file was archived. -- name: sysmon.file.is_executable - type: boolean - description: Indicates if the deleted file was an executable. diff --git a/packages/windows/0.6.0/data_stream/sysmon_operational/fields/winlog.yml b/packages/windows/0.6.0/data_stream/sysmon_operational/fields/winlog.yml deleted file mode 100755 index 4ac76fdcdc..0000000000 --- a/packages/windows/0.6.0/data_stream/sysmon_operational/fields/winlog.yml +++ /dev/null 
@@ -1,361 +0,0 @@ -- name: winlog - type: group - description: > - All fields specific to the Windows Event Log are defined here. - - fields: - - name: api - required: true - type: keyword - description: > - The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. - - The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. - - - name: activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. - - - name: computer_name - type: keyword - required: true - description: > - The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. - - - name: event_data - type: object - object_type: keyword - required: false - description: > - The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. - - - name: event_data - type: group - description: > - This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs. 
- - fields: - - name: AuthenticationPackageName - type: keyword - - name: Binary - type: keyword - - name: BitlockerUserInputTime - type: keyword - - name: BootMode - type: keyword - - name: BootType - type: keyword - - name: BuildVersion - type: keyword - - name: Company - type: keyword - - name: CorruptionActionState - type: keyword - - name: CreationUtcTime - type: keyword - - name: Description - type: keyword - - name: Detail - type: keyword - - name: DeviceName - type: keyword - - name: DeviceNameLength - type: keyword - - name: DeviceTime - type: keyword - - name: DeviceVersionMajor - type: keyword - - name: DeviceVersionMinor - type: keyword - - name: DriveName - type: keyword - - name: DriverName - type: keyword - - name: DriverNameLength - type: keyword - - name: DwordVal - type: keyword - - name: EntryCount - type: keyword - - name: ExtraInfo - type: keyword - - name: FailureName - type: keyword - - name: FailureNameLength - type: keyword - - name: FileVersion - type: keyword - - name: FinalStatus - type: keyword - - name: Group - type: keyword - - name: IdleImplementation - type: keyword - - name: IdleStateCount - type: keyword - - name: ImpersonationLevel - type: keyword - - name: IntegrityLevel - type: keyword - - name: IpAddress - type: keyword - - name: IpPort - type: keyword - - name: KeyLength - type: keyword - - name: LastBootGood - type: keyword - - name: LastShutdownGood - type: keyword - - name: LmPackageName - type: keyword - - name: LogonGuid - type: keyword - - name: LogonId - type: keyword - - name: LogonProcessName - type: keyword - - name: LogonType - type: keyword - - name: MajorVersion - type: keyword - - name: MaximumPerformancePercent - type: keyword - - name: MemberName - type: keyword - - name: MemberSid - type: keyword - - name: MinimumPerformancePercent - type: keyword - - name: MinimumThrottlePercent - type: keyword - - name: MinorVersion - type: keyword - - name: NewProcessId - type: keyword - - name: NewProcessName - type: 
keyword - - name: NewSchemeGuid - type: keyword - - name: NewTime - type: keyword - - name: NominalFrequency - type: keyword - - name: Number - type: keyword - - name: OldSchemeGuid - type: keyword - - name: OldTime - type: keyword - - name: OriginalFileName - type: keyword - - name: Path - type: keyword - - name: PerformanceImplementation - type: keyword - - name: PreviousCreationUtcTime - type: keyword - - name: PreviousTime - type: keyword - - name: PrivilegeList - type: keyword - - name: ProcessId - type: keyword - - name: ProcessName - type: keyword - - name: ProcessPath - type: keyword - - name: ProcessPid - type: keyword - - name: Product - type: keyword - - name: PuaCount - type: keyword - - name: PuaPolicyId - type: keyword - - name: QfeVersion - type: keyword - - name: Reason - type: keyword - - name: SchemaVersion - type: keyword - - name: ScriptBlockText - type: keyword - - name: ServiceName - type: keyword - - name: ServiceVersion - type: keyword - - name: ShutdownActionType - type: keyword - - name: ShutdownEventCode - type: keyword - - name: ShutdownReason - type: keyword - - name: Signature - type: keyword - - name: SignatureStatus - type: keyword - - name: Signed - type: keyword - - name: StartTime - type: keyword - - name: State - type: keyword - - name: Status - type: keyword - - name: StopTime - type: keyword - - name: SubjectDomainName - type: keyword - - name: SubjectLogonId - type: keyword - - name: SubjectUserName - type: keyword - - name: SubjectUserSid - type: keyword - - name: TSId - type: keyword - - name: TargetDomainName - type: keyword - - name: TargetInfo - type: keyword - - name: TargetLogonGuid - type: keyword - - name: TargetLogonId - type: keyword - - name: TargetServerName - type: keyword - - name: TargetUserName - type: keyword - - name: TargetUserSid - type: keyword - - name: TerminalSessionId - type: keyword - - name: TokenElevationType - type: keyword - - name: TransmittedServices - type: keyword - - name: UserSid - type: 
keyword - - name: Version - type: keyword - - name: Workstation - type: keyword - - name: param1 - type: keyword - - name: param2 - type: keyword - - name: param3 - type: keyword - - name: param4 - type: keyword - - name: param5 - type: keyword - - name: param6 - type: keyword - - name: param7 - type: keyword - - name: param8 - type: keyword - - name: event_id - type: keyword - required: true - description: > - The event identifier. The value is specific to the source of the event. - - - name: keywords - type: keyword - required: false - description: > - The keywords are used to classify an event. - - - name: channel - type: keyword - required: true - description: > - The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. - - - name: record_id - type: keyword - required: true - description: > - The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. - - - name: related_activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. - - - name: opcode - type: keyword - required: false - description: > - The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. - - - name: provider_guid - type: keyword - required: false - description: > - A globally unique identifier that identifies the provider that logged the event. - - - name: process.pid - type: long - required: false - description: > - The process_id of the Client Server Runtime Process. 
- - - name: provider_name - type: keyword - required: true - description: > - The source of the event log record (the application or service that logged the record). - - - name: task - type: keyword - required: false - description: > - The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. - - - name: process.thread.id - type: long - required: false - - name: user_data - type: object - object_type: keyword - required: false - description: > - The event specific data. This field is mutually exclusive with `event_data`. - - - name: user.identifier - type: keyword - required: false - example: S-1-5-21-3541430928-2051711210-1391384369-1001 - description: > - The Windows security identifier (SID) of the account associated with this event. - - If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. - - - name: user.name - type: keyword - description: > - Name of the user associated with this event. - - - name: user.domain - type: keyword - required: false - description: > - The domain that the account associated with this event is a member of. - - - name: user.type - type: keyword - required: false - description: > - The type of account associated with this event. - - - name: version - type: long - required: false - description: The version number of the event's definition. diff --git a/packages/windows/0.6.0/data_stream/sysmon_operational/manifest.yml b/packages/windows/0.6.0/data_stream/sysmon_operational/manifest.yml deleted file mode 100755 index c88fb5c7a3..0000000000 --- a/packages/windows/0.6.0/data_stream/sysmon_operational/manifest.yml +++ /dev/null 
@@ -1,34 +0,0 @@ -type: logs -title: Windows Sysmon/Operational events -release: experimental -streams: - - input: winlog - template_path: winlog.yml.hbs - title: Sysmon Operational - description: 'Collect Microsoft-Windows-Sysmon/Operational channel logs' - - input: httpjson - title: Windows Sysmon Operational Events via Splunk Enterprise REST API - description: Collect Sysmon Operational Events via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: false - required: true - default: "search sourcetype=\"XmlWinEventLog:Microsoft-Windows-Sysmon/Operational\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded diff --git a/packages/windows/0.6.0/docs/README.md b/packages/windows/0.6.0/docs/README.md deleted file mode 100755 index fede825bb3..0000000000 --- a/packages/windows/0.6.0/docs/README.md +++ /dev/null 
@@ -1,1182 +0,0 @@ -# Windows Integration - -The Windows package allows you to monitor the Windows os, services, applications etc. Because the Windows integration -always applies to the local server, the `hosts` config option is not needed. Note that for 7.11, `security`, `application` and `system` logs have been moved to the system package. - -## Compatibility - -The Windows datasets collect different kinds of metric data, which may require dedicated permissions -to be fetched and which may vary across operating systems. - -## Configuration - -### Splunk Enterprise - -To configure Splunk Enterprise to be able to pull events from it, please visit -[Splunk docs](https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/MonitorWindowseventlogdata) for details. **The integration requires events in XML format, for this `renderXml` option needs to be set to `1` in your `inputs.conf`.** - -## Metrics - -### Service - -The Windows `service` dataset provides service details. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. 
| keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| windows.service.display_name | The display name of the service. | keyword | -| windows.service.exit_code | For `Stopped` services this is the error code that service reports when starting to stopping. This will be the generic Windows service error code unless the service provides a service-specific error code. | keyword | -| windows.service.id | A unique ID for the service. It is a hash of the machine's GUID and the service name. | keyword | -| windows.service.name | The service name. | keyword | -| windows.service.path_name | Fully qualified path to the file that implements the service, including arguments. | keyword | -| windows.service.pid | For `Running` services this is the associated process PID. | long | -| windows.service.start_name | Account name under which a service runs. | keyword | -| windows.service.start_type | The startup type of the service. The possible values are `Automatic`, `Boot`, `Disabled`, `Manual`, and `System`. | keyword | -| windows.service.state | The actual state of the service. The possible values are `Continuing`, `Pausing`, `Paused`, `Running`, `Starting`, `Stopping`, and `Stopped`. | keyword | -| windows.service.uptime.ms | The service's uptime specified in milliseconds. | long | - - - -### Perfmon - -The Windows `perfmon` dataset provides performance counter values. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. 
| keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). 
| keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| windows.perfmon.instance | Instance value. | keyword | -| windows.perfmon.metrics.*.* | Metric values returned. | object | -| windows.perfmon.object | Object value. | keyword | - - - -Both datasets are available on Windows only. - -## Logs - -### Forwarded - -The Windows `forwarded` dataset provides events from the Windows -`ForwardedEvents` event log. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. 
| keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset name. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| dataset.name | Dataset name. | constant_keyword | -| dataset.namespace | Dataset namespace. | constant_keyword | -| dataset.type | Dataset type. | constant_keyword | -| dns.answers | An array containing an object for each answer section returned by the server. | object | -| dns.answers.class | The class of DNS data contained in this resource record. | keyword | -| dns.answers.data | The data describing the resource. | keyword | -| dns.answers.name | The domain name to which this resource record pertains. | keyword | -| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long | -| dns.answers.type | The type of data contained in this resource record. | keyword | -| dns.header_flags | Array of 2 letter DNS header flags. | keyword | -| dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword | -| dns.op_code | The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. | keyword | -| dns.question.class | The class of records being queried. | keyword | -| dns.question.name | The name being queried. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. 
For example, the top level domain for example.com is "com". | keyword | -| dns.question.type | The type of record being queried. | keyword | -| dns.resolved_ip | Array containing all IPs seen in `answers.data`. | ip | -| dns.response_code | The DNS response code. | keyword | -| dns.type | The type of DNS event captured, query or answer. | keyword | -| event.action | The action captured by the event. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. | keyword | -| event.code | Identification code for this event, if one exists. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. | date | -| event.ingested | Timestamp when an event arrived in the central data store. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. | keyword | -| event.module | Name of the module this data is coming from. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. | keyword | -| event.provider | Source of the event. | keyword | -| event.sequence | Sequence number of the event. | long | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. | keyword | -| group.domain | Name of the directory the group is a member of. | keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. 
For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| log.level | Original log level of the log event. | keyword | -| network.protocol | L7 Network protocol name. ex. http, lumberjack, transport protocol. | keyword | -| powershell.command.invocation_details | An array of objects containing detailed information of the executed command. | array | -| powershell.command.invocation_details.name | Only used for ParameterBinding detail type. Indicates the parameter name. | keyword | -| powershell.command.invocation_details.related_command | The command to which the detail is related to. | keyword | -| powershell.command.invocation_details.type | The type of detail. | keyword | -| powershell.command.invocation_details.value | The value of the detail. The meaning of it will depend on the detail type. 
| text | -| powershell.command.name | Name of the executed command. | keyword | -| powershell.command.path | Path of the executed command. | keyword | -| powershell.command.type | Type of the executed command. | keyword | -| powershell.command.value | The invoked command. | text | -| powershell.connected_user.domain | User domain. | keyword | -| powershell.connected_user.name | User name. | keyword | -| powershell.engine.new_state | New state of the PowerShell engine. | keyword | -| powershell.engine.previous_state | Previous state of the PowerShell engine. | keyword | -| powershell.engine.version | Version of the PowerShell engine version used to execute the command. | keyword | -| powershell.file.script_block_id | Id of the executed script block. | keyword | -| powershell.file.script_block_text | Text of the executed script block. | text | -| powershell.id | Shell Id. | keyword | -| powershell.pipeline_id | Pipeline id. | keyword | -| powershell.process.executable_version | Version of the engine hosting process executable. | keyword | -| powershell.provider.name | Provider name. | keyword | -| powershell.provider.new_state | New state of the PowerShell provider. | keyword | -| powershell.runspace_id | Runspace id. | keyword | -| powershell.sequence | Sequence number of the powershell execution. | long | -| powershell.total | Total number of messages in the sequence. | long | -| process.args | Array of process arguments, starting with the absolute path to the executable. | keyword | -| process.args_count | Length of the process.args array. | long | -| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. | keyword | -| process.entity_id | Unique identifier for the process. | keyword | -| process.executable | Absolute path to the process executable. | keyword | -| process.hash.md5 | MD5 hash. | keyword | -| process.hash.sha1 | SHA1 hash. | keyword | -| process.hash.sha256 | SHA256 hash. 
| keyword | -| process.hash.sha512 | SHA512 hash. | keyword | -| process.name | Process name. | keyword | -| process.parent.args | Array of process arguments, starting with the absolute path to the executable. | keyword | -| process.parent.args_count | Length of the process.args array. | long | -| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. | keyword | -| process.parent.entity_id | Unique identifier for the process. | keyword | -| process.parent.executable | Absolute path to the process executable. | keyword | -| process.parent.hash.md5 | MD5 hash. | keyword | -| process.parent.hash.sha1 | SHA1 hash. | keyword | -| process.parent.hash.sha256 | SHA256 hash. | keyword | -| process.parent.hash.sha512 | SHA512 hash. | keyword | -| process.parent.name | Process name. | keyword | -| process.parent.pe.architecture | CPU architecture target for the file. | keyword | -| process.parent.pe.company | Internal company name of the file, provided at compile-time. | keyword | -| process.parent.pe.description | Internal description of the file, provided at compile-time. | keyword | -| process.parent.pe.file_version | Internal version of the file, provided at compile-time. | keyword | -| process.parent.pe.imphash | A hash of the imports in a PE file. | keyword | -| process.parent.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | -| process.parent.pe.product | Internal product name of the file, provided at compile-time. | keyword | -| process.parent.pid | Process id. | long | -| process.parent.start | The time the process started. | date | -| process.parent.title | Process title. | keyword | -| process.pe.architecture | CPU architecture target for the file. | keyword | -| process.pe.company | Internal company name of the file, provided at compile-time. | keyword | -| process.pe.description | Internal description of the file, provided at compile-time. 
| keyword | -| process.pe.file_version | Internal version of the file, provided at compile-time. | keyword | -| process.pe.imphash | A hash of the imports in a PE file. | keyword | -| process.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | -| process.pe.product | Internal product name of the file, provided at compile-time. | keyword | -| process.pid | Process id. | long | -| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| process.working_directory | The working directory of the process. | keyword | -| related.hash | | keyword | -| related.hosts | | keyword | -| related.ip | | ip | -| related.user | | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| service.name | Name of the service data is collected from. | keyword | -| service.type | The type of the service data is collected from. | keyword | -| source.domain | Source domain. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| sysmon.dns.status | Windows status code returned for the DNS query. | keyword | -| sysmon.file.archived | Indicates if the deleted file was archived. | boolean | -| sysmon.file.is_executable | Indicates if the deleted file was an executable. | boolean | -| user.domain | Name of the directory the user is a member of. | keyword | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.target.group.domain | Name of the directory the group is a member of. | keyword | -| user.target.group.id | Unique identifier for the group on the system/platform. | keyword | -| user.target.group.name | Name of the group. | keyword | -| user.target.name | Short name or login of the user. 
| keyword | -| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword | -| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword | -| winlog.channel | The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. | keyword | -| winlog.computer_name | The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. | keyword | -| winlog.event_data | The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. 
| object |
-| winlog.event_data.AuthenticationPackageName | | keyword |
-| winlog.event_data.Binary | | keyword |
-| winlog.event_data.BitlockerUserInputTime | | keyword |
-| winlog.event_data.BootMode | | keyword |
-| winlog.event_data.BootType | | keyword |
-| winlog.event_data.BuildVersion | | keyword |
-| winlog.event_data.Company | | keyword |
-| winlog.event_data.CorruptionActionState | | keyword |
-| winlog.event_data.CreationUtcTime | | keyword |
-| winlog.event_data.Description | | keyword |
-| winlog.event_data.Detail | | keyword |
-| winlog.event_data.DeviceName | | keyword |
-| winlog.event_data.DeviceNameLength | | keyword |
-| winlog.event_data.DeviceTime | | keyword |
-| winlog.event_data.DeviceVersionMajor | | keyword |
-| winlog.event_data.DeviceVersionMinor | | keyword |
-| winlog.event_data.DriveName | | keyword |
-| winlog.event_data.DriverName | | keyword |
-| winlog.event_data.DriverNameLength | | keyword |
-| winlog.event_data.DwordVal | | keyword |
-| winlog.event_data.EntryCount | | keyword |
-| winlog.event_data.ExtraInfo | | keyword |
-| winlog.event_data.FailureName | | keyword |
-| winlog.event_data.FailureNameLength | | keyword |
-| winlog.event_data.FileVersion | | keyword |
-| winlog.event_data.FinalStatus | | keyword |
-| winlog.event_data.Group | | keyword |
-| winlog.event_data.IdleImplementation | | keyword |
-| winlog.event_data.IdleStateCount | | keyword |
-| winlog.event_data.ImpersonationLevel | | keyword |
-| winlog.event_data.IntegrityLevel | | keyword |
-| winlog.event_data.IpAddress | | keyword |
-| winlog.event_data.IpPort | | keyword |
-| winlog.event_data.KeyLength | | keyword |
-| winlog.event_data.LastBootGood | | keyword |
-| winlog.event_data.LastShutdownGood | | keyword |
-| winlog.event_data.LmPackageName | | keyword |
-| winlog.event_data.LogonGuid | | keyword |
-| winlog.event_data.LogonId | | keyword |
-| winlog.event_data.LogonProcessName | | keyword |
-| winlog.event_data.LogonType | | keyword |
-| 
winlog.event_data.MajorVersion | | keyword |
-| winlog.event_data.MaximumPerformancePercent | | keyword |
-| winlog.event_data.MemberName | | keyword |
-| winlog.event_data.MemberSid | | keyword |
-| winlog.event_data.MinimumPerformancePercent | | keyword |
-| winlog.event_data.MinimumThrottlePercent | | keyword |
-| winlog.event_data.MinorVersion | | keyword |
-| winlog.event_data.NewProcessId | | keyword |
-| winlog.event_data.NewProcessName | | keyword |
-| winlog.event_data.NewSchemeGuid | | keyword |
-| winlog.event_data.NewTime | | keyword |
-| winlog.event_data.NominalFrequency | | keyword |
-| winlog.event_data.Number | | keyword |
-| winlog.event_data.OldSchemeGuid | | keyword |
-| winlog.event_data.OldTime | | keyword |
-| winlog.event_data.OriginalFileName | | keyword |
-| winlog.event_data.Path | | keyword |
-| winlog.event_data.PerformanceImplementation | | keyword |
-| winlog.event_data.PreviousCreationUtcTime | | keyword |
-| winlog.event_data.PreviousTime | | keyword |
-| winlog.event_data.PrivilegeList | | keyword |
-| winlog.event_data.ProcessId | | keyword |
-| winlog.event_data.ProcessName | | keyword |
-| winlog.event_data.ProcessPath | | keyword |
-| winlog.event_data.ProcessPid | | keyword |
-| winlog.event_data.Product | | keyword |
-| winlog.event_data.PuaCount | | keyword |
-| winlog.event_data.PuaPolicyId | | keyword |
-| winlog.event_data.QfeVersion | | keyword |
-| winlog.event_data.Reason | | keyword |
-| winlog.event_data.SchemaVersion | | keyword |
-| winlog.event_data.ScriptBlockText | | keyword |
-| winlog.event_data.ServiceName | | keyword |
-| winlog.event_data.ServiceVersion | | keyword |
-| winlog.event_data.ShutdownActionType | | keyword |
-| winlog.event_data.ShutdownEventCode | | keyword |
-| winlog.event_data.ShutdownReason | | keyword |
-| winlog.event_data.Signature | | keyword |
-| winlog.event_data.SignatureStatus | | keyword |
-| winlog.event_data.Signed | | keyword |
-| winlog.event_data.StartTime | | keyword |
-| 
winlog.event_data.State | | keyword |
-| winlog.event_data.Status | | keyword |
-| winlog.event_data.StopTime | | keyword |
-| winlog.event_data.SubjectDomainName | | keyword |
-| winlog.event_data.SubjectLogonId | | keyword |
-| winlog.event_data.SubjectUserName | | keyword |
-| winlog.event_data.SubjectUserSid | | keyword |
-| winlog.event_data.TSId | | keyword |
-| winlog.event_data.TargetDomainName | | keyword |
-| winlog.event_data.TargetInfo | | keyword |
-| winlog.event_data.TargetLogonGuid | | keyword |
-| winlog.event_data.TargetLogonId | | keyword |
-| winlog.event_data.TargetServerName | | keyword |
-| winlog.event_data.TargetUserName | | keyword |
-| winlog.event_data.TargetUserSid | | keyword |
-| winlog.event_data.TerminalSessionId | | keyword |
-| winlog.event_data.TokenElevationType | | keyword |
-| winlog.event_data.TransmittedServices | | keyword |
-| winlog.event_data.UserSid | | keyword |
-| winlog.event_data.Version | | keyword |
-| winlog.event_data.Workstation | | keyword |
-| winlog.event_data.param1 | | keyword |
-| winlog.event_data.param2 | | keyword |
-| winlog.event_data.param3 | | keyword |
-| winlog.event_data.param4 | | keyword |
-| winlog.event_data.param5 | | keyword |
-| winlog.event_data.param6 | | keyword |
-| winlog.event_data.param7 | | keyword |
-| winlog.event_data.param8 | | keyword |
-| winlog.event_id | The event identifier. The value is specific to the source of the event. | keyword |
-| winlog.keywords | The keywords are used to classify an event. | keyword |
-| winlog.logon.failure.reason | The reason the logon failed. | keyword |
-| winlog.logon.failure.status | The reason the logon failed. This is textual description based on the value of the hexadecimal `Status` field. | keyword |
-| winlog.logon.failure.sub_status | Additional information about the logon failure. This is a textual description based on the value of the hexidecimal `SubStatus` field. 
| keyword | -| winlog.logon.id | Logon ID that can be used to associate this logon with other events related to the same logon session. | keyword | -| winlog.logon.type | Logon type name. This is the descriptive version of the `winlog.event_data.LogonType` ordinal. This is an enrichment added by the Security module. | keyword | -| winlog.opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. | keyword | -| winlog.process.pid | The process_id of the Client Server Runtime Process. | long | -| winlog.process.thread.id | | long | -| winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. | keyword | -| winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword | -| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | keyword | -| winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. | keyword | -| winlog.task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. | keyword | -| winlog.user.domain | The domain that the account associated with this event is a member of. | keyword | -| winlog.user.identifier | The Windows security identifier (SID) of the account associated with this event. 
If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. | keyword | -| winlog.user.name | Name of the user associated with this event. | keyword | -| winlog.user.type | The type of account associated with this event. | keyword | -| winlog.user_data | The event specific data. This field is mutually exclusive with `event_data`. | object | -| winlog.version | The version number of the event's definition. | long | - - - -### Powershell - -The Windows `powershell` dataset provides events from the Windows -`Windows PowerShell` event log. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset name. 
| constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| dataset.name | Dataset name. | constant_keyword | -| dataset.namespace | Dataset namespace. | constant_keyword | -| dataset.type | Dataset type. | constant_keyword | -| destination.user.domain | Name of the directory the user is a member of. | keyword | -| destination.user.id | Unique identifier of the user. | keyword | -| destination.user.name | Short name or login of the user. | keyword | -| ecs.version | ECS version | keyword | -| event.action | The action captured by the event. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. | keyword | -| event.code | Identification code for this event, if one exists. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. | date | -| event.ingested | Timestamp when an event arrived in the central data store. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. | keyword | -| event.module | Name of the module this data is coming from. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. | keyword | -| event.provider | Source of the event. | keyword | -| event.sequence | Sequence number of the event. | long | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. | keyword | -| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | -| file.extension | File extension, excluding the leading dot. | keyword | -| file.name | Name of the file including the extension, without the directory. 
| keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| log.level | Original log level of the log event. 
| keyword | -| powershell.command.invocation_details | An array of objects containing detailed information of the executed command. | array | -| powershell.command.invocation_details.name | Only used for ParameterBinding detail type. Indicates the parameter name. | keyword | -| powershell.command.invocation_details.related_command | The command to which the detail is related to. | keyword | -| powershell.command.invocation_details.type | The type of detail. | keyword | -| powershell.command.invocation_details.value | The value of the detail. The meaning of it will depend on the detail type. | text | -| powershell.command.name | Name of the executed command. | keyword | -| powershell.command.path | Path of the executed command. | keyword | -| powershell.command.type | Type of the executed command. | keyword | -| powershell.command.value | The invoked command. | text | -| powershell.connected_user.domain | User domain. | keyword | -| powershell.connected_user.name | User name. | keyword | -| powershell.engine.new_state | New state of the PowerShell engine. | keyword | -| powershell.engine.previous_state | Previous state of the PowerShell engine. | keyword | -| powershell.engine.version | Version of the PowerShell engine version used to execute the command. | keyword | -| powershell.file.script_block_id | Id of the executed script block. | keyword | -| powershell.file.script_block_text | Text of the executed script block. | text | -| powershell.id | Shell Id. | keyword | -| powershell.pipeline_id | Pipeline id. | keyword | -| powershell.process.executable_version | Version of the engine hosting process executable. | keyword | -| powershell.provider.name | Provider name. | keyword | -| powershell.provider.new_state | New state of the PowerShell provider. | keyword | -| powershell.runspace_id | Runspace id. | keyword | -| powershell.sequence | Sequence number of the powershell execution. | long | -| powershell.total | Total number of messages in the sequence. 
| long | -| process.args | Array of process arguments, starting with the absolute path to the executable. | keyword | -| process.args_count | Length of the process.args array. | long | -| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. | keyword | -| process.entity_id | Unique identifier for the process. | keyword | -| process.executable | Absolute path to the process executable. | keyword | -| process.name | Process name. | keyword | -| process.pid | Process PID. | long | -| process.title | Process title. | keyword | -| related.hash | | keyword | -| related.hosts | | keyword | -| related.ip | | ip | -| related.user | | keyword | -| source.user.domain | Name of the directory the user is a member of. | keyword | -| source.user.id | Unique identifier of the user. | keyword | -| source.user.name | Short name or login of the user. | keyword | -| tags | List of keywords used to tag each event. | keyword | -| user.domain | Name of the directory the user is a member of. | keyword | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword | -| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword | -| winlog.channel | The name of the channel from which this record was read. 
This value is one of the names from the `event_logs` collection in the configuration. | keyword | -| winlog.computer_name | The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. | keyword | -| winlog.event_data | The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. | object | -| winlog.event_data.AuthenticationPackageName | | keyword | -| winlog.event_data.Binary | | keyword | -| winlog.event_data.BitlockerUserInputTime | | keyword | -| winlog.event_data.BootMode | | keyword | -| winlog.event_data.BootType | | keyword | -| winlog.event_data.BuildVersion | | keyword | -| winlog.event_data.Company | | keyword | -| winlog.event_data.CorruptionActionState | | keyword | -| winlog.event_data.CreationUtcTime | | keyword | -| winlog.event_data.Description | | keyword | -| winlog.event_data.Detail | | keyword | -| winlog.event_data.DeviceName | | keyword | -| winlog.event_data.DeviceNameLength | | keyword | -| winlog.event_data.DeviceTime | | keyword | -| winlog.event_data.DeviceVersionMajor | | keyword | -| winlog.event_data.DeviceVersionMinor | | keyword | -| winlog.event_data.DriveName | | keyword | -| winlog.event_data.DriverName | | keyword | -| winlog.event_data.DriverNameLength | | keyword | -| winlog.event_data.DwordVal | | keyword | -| winlog.event_data.EntryCount | | keyword | -| winlog.event_data.ExtraInfo | | keyword | -| winlog.event_data.FailureName | | keyword | -| winlog.event_data.FailureNameLength | | keyword | -| winlog.event_data.FileVersion | | keyword | -| winlog.event_data.FinalStatus | | keyword | -| winlog.event_data.Group | | keyword | -| winlog.event_data.IdleImplementation | | keyword | -| winlog.event_data.IdleStateCount | | keyword | 
-| winlog.event_data.ImpersonationLevel | | keyword | -| winlog.event_data.IntegrityLevel | | keyword | -| winlog.event_data.IpAddress | | keyword | -| winlog.event_data.IpPort | | keyword | -| winlog.event_data.KeyLength | | keyword | -| winlog.event_data.LastBootGood | | keyword | -| winlog.event_data.LastShutdownGood | | keyword | -| winlog.event_data.LmPackageName | | keyword | -| winlog.event_data.LogonGuid | | keyword | -| winlog.event_data.LogonId | | keyword | -| winlog.event_data.LogonProcessName | | keyword | -| winlog.event_data.LogonType | | keyword | -| winlog.event_data.MajorVersion | | keyword | -| winlog.event_data.MaximumPerformancePercent | | keyword | -| winlog.event_data.MemberName | | keyword | -| winlog.event_data.MemberSid | | keyword | -| winlog.event_data.MinimumPerformancePercent | | keyword | -| winlog.event_data.MinimumThrottlePercent | | keyword | -| winlog.event_data.MinorVersion | | keyword | -| winlog.event_data.NewProcessId | | keyword | -| winlog.event_data.NewProcessName | | keyword | -| winlog.event_data.NewSchemeGuid | | keyword | -| winlog.event_data.NewTime | | keyword | -| winlog.event_data.NominalFrequency | | keyword | -| winlog.event_data.Number | | keyword | -| winlog.event_data.OldSchemeGuid | | keyword | -| winlog.event_data.OldTime | | keyword | -| winlog.event_data.OriginalFileName | | keyword | -| winlog.event_data.Path | | keyword | -| winlog.event_data.PerformanceImplementation | | keyword | -| winlog.event_data.PreviousCreationUtcTime | | keyword | -| winlog.event_data.PreviousTime | | keyword | -| winlog.event_data.PrivilegeList | | keyword | -| winlog.event_data.ProcessId | | keyword | -| winlog.event_data.ProcessName | | keyword | -| winlog.event_data.ProcessPath | | keyword | -| winlog.event_data.ProcessPid | | keyword | -| winlog.event_data.Product | | keyword | -| winlog.event_data.PuaCount | | keyword | -| winlog.event_data.PuaPolicyId | | keyword | -| winlog.event_data.QfeVersion | | keyword | -| 
winlog.event_data.Reason | | keyword | -| winlog.event_data.SchemaVersion | | keyword | -| winlog.event_data.ScriptBlockText | | keyword | -| winlog.event_data.ServiceName | | keyword | -| winlog.event_data.ServiceVersion | | keyword | -| winlog.event_data.ShutdownActionType | | keyword | -| winlog.event_data.ShutdownEventCode | | keyword | -| winlog.event_data.ShutdownReason | | keyword | -| winlog.event_data.Signature | | keyword | -| winlog.event_data.SignatureStatus | | keyword | -| winlog.event_data.Signed | | keyword | -| winlog.event_data.StartTime | | keyword | -| winlog.event_data.State | | keyword | -| winlog.event_data.Status | | keyword | -| winlog.event_data.StopTime | | keyword | -| winlog.event_data.SubjectDomainName | | keyword | -| winlog.event_data.SubjectLogonId | | keyword | -| winlog.event_data.SubjectUserName | | keyword | -| winlog.event_data.SubjectUserSid | | keyword | -| winlog.event_data.TSId | | keyword | -| winlog.event_data.TargetDomainName | | keyword | -| winlog.event_data.TargetInfo | | keyword | -| winlog.event_data.TargetLogonGuid | | keyword | -| winlog.event_data.TargetLogonId | | keyword | -| winlog.event_data.TargetServerName | | keyword | -| winlog.event_data.TargetUserName | | keyword | -| winlog.event_data.TargetUserSid | | keyword | -| winlog.event_data.TerminalSessionId | | keyword | -| winlog.event_data.TokenElevationType | | keyword | -| winlog.event_data.TransmittedServices | | keyword | -| winlog.event_data.UserSid | | keyword | -| winlog.event_data.Version | | keyword | -| winlog.event_data.Workstation | | keyword | -| winlog.event_data.param1 | | keyword | -| winlog.event_data.param2 | | keyword | -| winlog.event_data.param3 | | keyword | -| winlog.event_data.param4 | | keyword | -| winlog.event_data.param5 | | keyword | -| winlog.event_data.param6 | | keyword | -| winlog.event_data.param7 | | keyword | -| winlog.event_data.param8 | | keyword | -| winlog.event_id | The event identifier. 
The value is specific to the source of the event. | keyword | -| winlog.keywords | The keywords are used to classify an event. | keyword | -| winlog.opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. | keyword | -| winlog.process.pid | The process_id of the Client Server Runtime Process. | long | -| winlog.process.thread.id | | long | -| winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. | keyword | -| winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword | -| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | keyword | -| winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. | keyword | -| winlog.task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. | keyword | -| winlog.user.domain | The domain that the account associated with this event is a member of. | keyword | -| winlog.user.identifier | The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. 
| keyword | -| winlog.user.name | Name of the user associated with this event. | keyword | -| winlog.user.type | The type of account associated with this event. | keyword | -| winlog.user_data | The event specific data. This field is mutually exclusive with `event_data`. | object | -| winlog.version | The version number of the event's definition. | long | - - -### Powershell/Operational - -The Windows `powershell_operational` dataset provides events from the Windows -`Microsoft-Windows-PowerShell/Operational` event log. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset name. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| dataset.name | Dataset name. | constant_keyword | -| dataset.namespace | Dataset namespace. 
| constant_keyword | -| dataset.type | Dataset type. | constant_keyword | -| destination.user.domain | Name of the directory the user is a member of. | keyword | -| destination.user.id | Unique identifier of the user. | keyword | -| destination.user.name | Short name or login of the user. | keyword | -| ecs.version | ECS version | keyword | -| event.action | The action captured by the event. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. | keyword | -| event.code | Identification code for this event, if one exists. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. | date | -| event.ingested | Timestamp when an event arrived in the central data store. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. | keyword | -| event.module | Name of the module this data is coming from. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. | keyword | -| event.provider | Source of the event. | keyword | -| event.sequence | Sequence number of the event. | long | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. | keyword | -| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | -| file.extension | File extension, excluding the leading dot. | keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. 
| boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| log.level | Original log level of the log event. | keyword | -| powershell.command.invocation_details | An array of objects containing detailed information of the executed command. | array | -| powershell.command.invocation_details.name | Only used for ParameterBinding detail type. Indicates the parameter name. 
| keyword | -| powershell.command.invocation_details.related_command | The command to which the detail is related to. | keyword | -| powershell.command.invocation_details.type | The type of detail. | keyword | -| powershell.command.invocation_details.value | The value of the detail. The meaning of it will depend on the detail type. | text | -| powershell.command.name | Name of the executed command. | keyword | -| powershell.command.path | Path of the executed command. | keyword | -| powershell.command.type | Type of the executed command. | keyword | -| powershell.command.value | The invoked command. | text | -| powershell.connected_user.domain | User domain. | keyword | -| powershell.connected_user.name | User name. | keyword | -| powershell.engine.new_state | New state of the PowerShell engine. | keyword | -| powershell.engine.previous_state | Previous state of the PowerShell engine. | keyword | -| powershell.engine.version | Version of the PowerShell engine version used to execute the command. | keyword | -| powershell.file.script_block_id | Id of the executed script block. | keyword | -| powershell.file.script_block_text | Text of the executed script block. | text | -| powershell.id | Shell Id. | keyword | -| powershell.pipeline_id | Pipeline id. | keyword | -| powershell.process.executable_version | Version of the engine hosting process executable. | keyword | -| powershell.provider.name | Provider name. | keyword | -| powershell.provider.new_state | New state of the PowerShell provider. | keyword | -| powershell.runspace_id | Runspace id. | keyword | -| powershell.sequence | Sequence number of the powershell execution. | long | -| powershell.total | Total number of messages in the sequence. | long | -| process.args | Array of process arguments, starting with the absolute path to the executable. | keyword | -| process.args_count | Length of the process.args array. 
| long | -| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. | keyword | -| process.entity_id | Unique identifier for the process. | keyword | -| process.executable | Absolute path to the process executable. | keyword | -| process.name | Process name. | keyword | -| process.pid | Process PID. | long | -| process.title | Process title. | keyword | -| related.hash | | keyword | -| related.hosts | | keyword | -| related.ip | | ip | -| related.user | | keyword | -| source.user.domain | Name of the directory the user is a member of. | keyword | -| source.user.id | Unique identifier of the user. | keyword | -| source.user.name | Short name or login of the user. | keyword | -| tags | List of keywords used to tag each event. | keyword | -| user.domain | Name of the directory the user is a member of. | keyword | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword | -| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword | -| winlog.channel | The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. | keyword | -| winlog.computer_name | The name of the computer that generated the record. 
When using Windows event forwarding, this name can differ from `agent.hostname`. | keyword | -| winlog.event_data | The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. | object | -| winlog.event_data.AuthenticationPackageName | | keyword | -| winlog.event_data.Binary | | keyword | -| winlog.event_data.BitlockerUserInputTime | | keyword | -| winlog.event_data.BootMode | | keyword | -| winlog.event_data.BootType | | keyword | -| winlog.event_data.BuildVersion | | keyword | -| winlog.event_data.Company | | keyword | -| winlog.event_data.CorruptionActionState | | keyword | -| winlog.event_data.CreationUtcTime | | keyword | -| winlog.event_data.Description | | keyword | -| winlog.event_data.Detail | | keyword | -| winlog.event_data.DeviceName | | keyword | -| winlog.event_data.DeviceNameLength | | keyword | -| winlog.event_data.DeviceTime | | keyword | -| winlog.event_data.DeviceVersionMajor | | keyword | -| winlog.event_data.DeviceVersionMinor | | keyword | -| winlog.event_data.DriveName | | keyword | -| winlog.event_data.DriverName | | keyword | -| winlog.event_data.DriverNameLength | | keyword | -| winlog.event_data.DwordVal | | keyword | -| winlog.event_data.EntryCount | | keyword | -| winlog.event_data.ExtraInfo | | keyword | -| winlog.event_data.FailureName | | keyword | -| winlog.event_data.FailureNameLength | | keyword | -| winlog.event_data.FileVersion | | keyword | -| winlog.event_data.FinalStatus | | keyword | -| winlog.event_data.Group | | keyword | -| winlog.event_data.IdleImplementation | | keyword | -| winlog.event_data.IdleStateCount | | keyword | -| winlog.event_data.ImpersonationLevel | | keyword | -| winlog.event_data.IntegrityLevel | | keyword | -| winlog.event_data.IpAddress | | keyword | -| winlog.event_data.IpPort 
| | keyword | -| winlog.event_data.KeyLength | | keyword | -| winlog.event_data.LastBootGood | | keyword | -| winlog.event_data.LastShutdownGood | | keyword | -| winlog.event_data.LmPackageName | | keyword | -| winlog.event_data.LogonGuid | | keyword | -| winlog.event_data.LogonId | | keyword | -| winlog.event_data.LogonProcessName | | keyword | -| winlog.event_data.LogonType | | keyword | -| winlog.event_data.MajorVersion | | keyword | -| winlog.event_data.MaximumPerformancePercent | | keyword | -| winlog.event_data.MemberName | | keyword | -| winlog.event_data.MemberSid | | keyword | -| winlog.event_data.MinimumPerformancePercent | | keyword | -| winlog.event_data.MinimumThrottlePercent | | keyword | -| winlog.event_data.MinorVersion | | keyword | -| winlog.event_data.NewProcessId | | keyword | -| winlog.event_data.NewProcessName | | keyword | -| winlog.event_data.NewSchemeGuid | | keyword | -| winlog.event_data.NewTime | | keyword | -| winlog.event_data.NominalFrequency | | keyword | -| winlog.event_data.Number | | keyword | -| winlog.event_data.OldSchemeGuid | | keyword | -| winlog.event_data.OldTime | | keyword | -| winlog.event_data.OriginalFileName | | keyword | -| winlog.event_data.Path | | keyword | -| winlog.event_data.PerformanceImplementation | | keyword | -| winlog.event_data.PreviousCreationUtcTime | | keyword | -| winlog.event_data.PreviousTime | | keyword | -| winlog.event_data.PrivilegeList | | keyword | -| winlog.event_data.ProcessId | | keyword | -| winlog.event_data.ProcessName | | keyword | -| winlog.event_data.ProcessPath | | keyword | -| winlog.event_data.ProcessPid | | keyword | -| winlog.event_data.Product | | keyword | -| winlog.event_data.PuaCount | | keyword | -| winlog.event_data.PuaPolicyId | | keyword | -| winlog.event_data.QfeVersion | | keyword | -| winlog.event_data.Reason | | keyword | -| winlog.event_data.SchemaVersion | | keyword | -| winlog.event_data.ScriptBlockText | | keyword | -| winlog.event_data.ServiceName | | keyword | 
-| winlog.event_data.ServiceVersion | | keyword | -| winlog.event_data.ShutdownActionType | | keyword | -| winlog.event_data.ShutdownEventCode | | keyword | -| winlog.event_data.ShutdownReason | | keyword | -| winlog.event_data.Signature | | keyword | -| winlog.event_data.SignatureStatus | | keyword | -| winlog.event_data.Signed | | keyword | -| winlog.event_data.StartTime | | keyword | -| winlog.event_data.State | | keyword | -| winlog.event_data.Status | | keyword | -| winlog.event_data.StopTime | | keyword | -| winlog.event_data.SubjectDomainName | | keyword | -| winlog.event_data.SubjectLogonId | | keyword | -| winlog.event_data.SubjectUserName | | keyword | -| winlog.event_data.SubjectUserSid | | keyword | -| winlog.event_data.TSId | | keyword | -| winlog.event_data.TargetDomainName | | keyword | -| winlog.event_data.TargetInfo | | keyword | -| winlog.event_data.TargetLogonGuid | | keyword | -| winlog.event_data.TargetLogonId | | keyword | -| winlog.event_data.TargetServerName | | keyword | -| winlog.event_data.TargetUserName | | keyword | -| winlog.event_data.TargetUserSid | | keyword | -| winlog.event_data.TerminalSessionId | | keyword | -| winlog.event_data.TokenElevationType | | keyword | -| winlog.event_data.TransmittedServices | | keyword | -| winlog.event_data.UserSid | | keyword | -| winlog.event_data.Version | | keyword | -| winlog.event_data.Workstation | | keyword | -| winlog.event_data.param1 | | keyword | -| winlog.event_data.param2 | | keyword | -| winlog.event_data.param3 | | keyword | -| winlog.event_data.param4 | | keyword | -| winlog.event_data.param5 | | keyword | -| winlog.event_data.param6 | | keyword | -| winlog.event_data.param7 | | keyword | -| winlog.event_data.param8 | | keyword | -| winlog.event_id | The event identifier. The value is specific to the source of the event. | keyword | -| winlog.keywords | The keywords are used to classify an event. | keyword | -| winlog.opcode | The opcode defined in the event. 
Task and opcode are typically used to identify the location in the application from where the event was logged. | keyword | -| winlog.process.pid | The process_id of the Client Server Runtime Process. | long | -| winlog.process.thread.id | | long | -| winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. | keyword | -| winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword | -| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | keyword | -| winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. | keyword | -| winlog.task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. | keyword | -| winlog.user.domain | The domain that the account associated with this event is a member of. | keyword | -| winlog.user.identifier | The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. | keyword | -| winlog.user.name | Name of the user associated with this event. | keyword | -| winlog.user.type | The type of account associated with this event. 
| keyword | -| winlog.user_data | The event specific data. This field is mutually exclusive with `event_data`. | object | -| winlog.version | The version number of the event's definition. | long | - - -### Sysmon/Operational - -The Windows `sysmon_operational` dataset provides events from the Windows -`Microsoft-Windows-Sysmon/Operational` event log. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset name. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| dataset.name | Dataset name. | constant_keyword | -| dataset.namespace | Dataset namespace. | constant_keyword | -| dataset.type | Dataset type. | constant_keyword | -| dns.answers | An array containing an object for each answer section returned by the server. 
| object | -| dns.answers.class | The class of DNS data contained in this resource record. | keyword | -| dns.answers.data | The data describing the resource. | keyword | -| dns.answers.name | The domain name to which this resource record pertains. | keyword | -| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long | -| dns.answers.type | The type of data contained in this resource record. | keyword | -| dns.header_flags | Array of 2 letter DNS header flags. | keyword | -| dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword | -| dns.op_code | The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. | keyword | -| dns.question.class | The class of records being queried. | keyword | -| dns.question.name | The name being queried. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". | keyword | -| dns.question.type | The type of record being queried. | keyword | -| dns.resolved_ip | Array containing all IPs seen in `answers.data`. | ip | -| dns.response_code | The DNS response code. | keyword | -| dns.type | The type of DNS event captured, query or answer. | keyword | -| event.action | The action captured by the event. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. 
| keyword |
-| event.code | Identification code for this event, if one exists. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. | date |
-| event.ingested | Timestamp when an event arrived in the central data store. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. | keyword |
-| event.module | Name of the module this data is coming from. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. | keyword |
-| event.provider | Source of the event. | keyword |
-| event.sequence | Sequence number of the event. | long |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. | keyword |
-| group.domain | Name of the directory the group is a member of. | keyword |
-| group.id | Unique identifier for the group on the system/platform. | keyword |
-| group.name | Name of the group. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. | keyword |
-| host.os.build | OS build information. 
| keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| log.level | Original log level of the log event. | keyword |
-| network.protocol | L7 Network protocol name. ex. http, lumberjack, transport protocol. | keyword |
-| process.args | Array of process arguments, starting with the absolute path to the executable. | keyword |
-| process.args_count | Length of the process.args array. | long |
-| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. | keyword |
-| process.entity_id | Unique identifier for the process. | keyword |
-| process.executable | Absolute path to the process executable. | keyword |
-| process.hash.md5 | MD5 hash. | keyword |
-| process.hash.sha1 | SHA1 hash. | keyword |
-| process.hash.sha256 | SHA256 hash. | keyword |
-| process.hash.sha512 | SHA512 hash. | keyword |
-| process.name | Process name. | keyword |
-| process.parent.args | Array of process arguments, starting with the absolute path to the executable. | keyword |
-| process.parent.args_count | Length of the process.args array. | long |
-| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. | keyword |
-| process.parent.entity_id | Unique identifier for the process. 
| keyword |
-| process.parent.executable | Absolute path to the process executable. | keyword |
-| process.parent.hash.md5 | MD5 hash. | keyword |
-| process.parent.hash.sha1 | SHA1 hash. | keyword |
-| process.parent.hash.sha256 | SHA256 hash. | keyword |
-| process.parent.hash.sha512 | SHA512 hash. | keyword |
-| process.parent.name | Process name. | keyword |
-| process.parent.pe.architecture | CPU architecture target for the file. | keyword |
-| process.parent.pe.company | Internal company name of the file, provided at compile-time. | keyword |
-| process.parent.pe.description | Internal description of the file, provided at compile-time. | keyword |
-| process.parent.pe.file_version | Internal version of the file, provided at compile-time. | keyword |
-| process.parent.pe.imphash | A hash of the imports in a PE file. | keyword |
-| process.parent.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword |
-| process.parent.pe.product | Internal product name of the file, provided at compile-time. | keyword |
-| process.parent.pid | Process id. | long |
-| process.parent.start | The time the process started. | date |
-| process.parent.title | Process title. | keyword |
-| process.pe.architecture | CPU architecture target for the file. | keyword |
-| process.pe.company | Internal company name of the file, provided at compile-time. | keyword |
-| process.pe.description | Internal description of the file, provided at compile-time. | keyword |
-| process.pe.file_version | Internal version of the file, provided at compile-time. | keyword |
-| process.pe.imphash | A hash of the imports in a PE file. | keyword |
-| process.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword |
-| process.pe.product | Internal product name of the file, provided at compile-time. | keyword |
-| process.pid | Process id. | long |
-| process.title | Process title. The proctitle, some times the same as process name. 
Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
-| process.working_directory | The working directory of the process. | keyword |
-| related.hash | | keyword |
-| related.hosts | | keyword |
-| related.ip | | ip |
-| related.user | | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| service.name | Name of the service data is collected from. | keyword |
-| service.type | The type of the service data is collected from. | keyword |
-| source.domain | Source domain. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| sysmon.dns.status | Windows status code returned for the DNS query. | keyword |
-| sysmon.file.archived | Indicates if the deleted file was archived. | boolean |
-| sysmon.file.is_executable | Indicates if the deleted file was an executable. | boolean |
-| user.domain | Name of the directory the user is a member of. | keyword |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.target.group.domain | Name of the directory the group is a member of. | keyword |
-| user.target.group.id | Unique identifier for the group on the system/platform. | keyword |
-| user.target.group.name | Name of the group. | keyword |
-| user.target.name | Short name or login of the user. | keyword |
-| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword |
-| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. 
On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword |
-| winlog.channel | The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. | keyword |
-| winlog.computer_name | The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. | keyword |
-| winlog.event_data | The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. | object |
-| winlog.event_data.AuthenticationPackageName | | keyword |
-| winlog.event_data.Binary | | keyword |
-| winlog.event_data.BitlockerUserInputTime | | keyword |
-| winlog.event_data.BootMode | | keyword |
-| winlog.event_data.BootType | | keyword |
-| winlog.event_data.BuildVersion | | keyword |
-| winlog.event_data.Company | | keyword |
-| winlog.event_data.CorruptionActionState | | keyword |
-| winlog.event_data.CreationUtcTime | | keyword |
-| winlog.event_data.Description | | keyword |
-| winlog.event_data.Detail | | keyword |
-| winlog.event_data.DeviceName | | keyword |
-| winlog.event_data.DeviceNameLength | | keyword |
-| winlog.event_data.DeviceTime | | keyword |
-| winlog.event_data.DeviceVersionMajor | | keyword |
-| winlog.event_data.DeviceVersionMinor | | keyword |
-| winlog.event_data.DriveName | | keyword |
-| winlog.event_data.DriverName | | keyword |
-| winlog.event_data.DriverNameLength | | keyword |
-| winlog.event_data.DwordVal | | keyword |
-| winlog.event_data.EntryCount | | keyword |
-| winlog.event_data.ExtraInfo | | keyword |
-| winlog.event_data.FailureName | | keyword |
-| winlog.event_data.FailureNameLength | | keyword 
|
-| winlog.event_data.FileVersion | | keyword |
-| winlog.event_data.FinalStatus | | keyword |
-| winlog.event_data.Group | | keyword |
-| winlog.event_data.IdleImplementation | | keyword |
-| winlog.event_data.IdleStateCount | | keyword |
-| winlog.event_data.ImpersonationLevel | | keyword |
-| winlog.event_data.IntegrityLevel | | keyword |
-| winlog.event_data.IpAddress | | keyword |
-| winlog.event_data.IpPort | | keyword |
-| winlog.event_data.KeyLength | | keyword |
-| winlog.event_data.LastBootGood | | keyword |
-| winlog.event_data.LastShutdownGood | | keyword |
-| winlog.event_data.LmPackageName | | keyword |
-| winlog.event_data.LogonGuid | | keyword |
-| winlog.event_data.LogonId | | keyword |
-| winlog.event_data.LogonProcessName | | keyword |
-| winlog.event_data.LogonType | | keyword |
-| winlog.event_data.MajorVersion | | keyword |
-| winlog.event_data.MaximumPerformancePercent | | keyword |
-| winlog.event_data.MemberName | | keyword |
-| winlog.event_data.MemberSid | | keyword |
-| winlog.event_data.MinimumPerformancePercent | | keyword |
-| winlog.event_data.MinimumThrottlePercent | | keyword |
-| winlog.event_data.MinorVersion | | keyword |
-| winlog.event_data.NewProcessId | | keyword |
-| winlog.event_data.NewProcessName | | keyword |
-| winlog.event_data.NewSchemeGuid | | keyword |
-| winlog.event_data.NewTime | | keyword |
-| winlog.event_data.NominalFrequency | | keyword |
-| winlog.event_data.Number | | keyword |
-| winlog.event_data.OldSchemeGuid | | keyword |
-| winlog.event_data.OldTime | | keyword |
-| winlog.event_data.OriginalFileName | | keyword |
-| winlog.event_data.Path | | keyword |
-| winlog.event_data.PerformanceImplementation | | keyword |
-| winlog.event_data.PreviousCreationUtcTime | | keyword |
-| winlog.event_data.PreviousTime | | keyword |
-| winlog.event_data.PrivilegeList | | keyword |
-| winlog.event_data.ProcessId | | keyword |
-| winlog.event_data.ProcessName | | keyword |
-| winlog.event_data.ProcessPath | | keyword 
|
-| winlog.event_data.ProcessPid | | keyword |
-| winlog.event_data.Product | | keyword |
-| winlog.event_data.PuaCount | | keyword |
-| winlog.event_data.PuaPolicyId | | keyword |
-| winlog.event_data.QfeVersion | | keyword |
-| winlog.event_data.Reason | | keyword |
-| winlog.event_data.SchemaVersion | | keyword |
-| winlog.event_data.ScriptBlockText | | keyword |
-| winlog.event_data.ServiceName | | keyword |
-| winlog.event_data.ServiceVersion | | keyword |
-| winlog.event_data.ShutdownActionType | | keyword |
-| winlog.event_data.ShutdownEventCode | | keyword |
-| winlog.event_data.ShutdownReason | | keyword |
-| winlog.event_data.Signature | | keyword |
-| winlog.event_data.SignatureStatus | | keyword |
-| winlog.event_data.Signed | | keyword |
-| winlog.event_data.StartTime | | keyword |
-| winlog.event_data.State | | keyword |
-| winlog.event_data.Status | | keyword |
-| winlog.event_data.StopTime | | keyword |
-| winlog.event_data.SubjectDomainName | | keyword |
-| winlog.event_data.SubjectLogonId | | keyword |
-| winlog.event_data.SubjectUserName | | keyword |
-| winlog.event_data.SubjectUserSid | | keyword |
-| winlog.event_data.TSId | | keyword |
-| winlog.event_data.TargetDomainName | | keyword |
-| winlog.event_data.TargetInfo | | keyword |
-| winlog.event_data.TargetLogonGuid | | keyword |
-| winlog.event_data.TargetLogonId | | keyword |
-| winlog.event_data.TargetServerName | | keyword |
-| winlog.event_data.TargetUserName | | keyword |
-| winlog.event_data.TargetUserSid | | keyword |
-| winlog.event_data.TerminalSessionId | | keyword |
-| winlog.event_data.TokenElevationType | | keyword |
-| winlog.event_data.TransmittedServices | | keyword |
-| winlog.event_data.UserSid | | keyword |
-| winlog.event_data.Version | | keyword |
-| winlog.event_data.Workstation | | keyword |
-| winlog.event_data.param1 | | keyword |
-| winlog.event_data.param2 | | keyword |
-| winlog.event_data.param3 | | keyword |
-| winlog.event_data.param4 | | keyword |
-| 
winlog.event_data.param5 | | keyword |
-| winlog.event_data.param6 | | keyword |
-| winlog.event_data.param7 | | keyword |
-| winlog.event_data.param8 | | keyword |
-| winlog.event_id | The event identifier. The value is specific to the source of the event. | keyword |
-| winlog.keywords | The keywords are used to classify an event. | keyword |
-| winlog.opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. | keyword |
-| winlog.process.pid | The process_id of the Client Server Runtime Process. | long |
-| winlog.process.thread.id | | long |
-| winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. | keyword |
-| winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword |
-| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | keyword |
-| winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. | keyword |
-| winlog.task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. | keyword |
-| winlog.user.domain | The domain that the account associated with this event is a member of. | keyword |
-| winlog.user.identifier | The Windows security identifier (SID) of the account associated with this event. 
If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. | keyword | -| winlog.user.name | Name of the user associated with this event. | keyword | -| winlog.user.type | The type of account associated with this event. | keyword | -| winlog.user_data | The event specific data. This field is mutually exclusive with `event_data`. | object | -| winlog.version | The version number of the event's definition. | long | diff --git a/packages/windows/0.6.0/img/logo_windows.svg b/packages/windows/0.6.0/img/logo_windows.svg deleted file mode 100755 index 953b33d8f5..0000000000 --- a/packages/windows/0.6.0/img/logo_windows.svg +++ /dev/null @@ -1,3 +0,0 @@ - - - diff --git a/packages/windows/0.6.0/img/metricbeat-windows-service.png b/packages/windows/0.6.0/img/metricbeat-windows-service.png deleted file mode 100755 index b9437930a9..0000000000 Binary files a/packages/windows/0.6.0/img/metricbeat-windows-service.png and /dev/null differ diff --git a/packages/windows/0.6.0/kibana/dashboard/windows-c77e06c0-9e7c-11ea-af6f-cfdb1ee1d6c8.json b/packages/windows/0.6.0/kibana/dashboard/windows-c77e06c0-9e7c-11ea-af6f-cfdb1ee1d6c8.json deleted file mode 100755 index a1564e6c0d..0000000000 --- a/packages/windows/0.6.0/kibana/dashboard/windows-c77e06c0-9e7c-11ea-af6f-cfdb1ee1d6c8.json +++ /dev/null 
@@ -1,114 +0,0 @@ -{ - "attributes": { - "description": "Overview dashboard for powershell integration.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"fa41e799-b6b3-49ec-a11c-3f20231a4a79\",\"w\":13,\"x\":0,\"y\":0},\"panelIndex\":\"fa41e799-b6b3-49ec-a11c-3f20231a4a79\",\"panelRefName\":\"panel_0\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":6,\"i\":\"65ce6b63-6ce0-4094-ab23-189126fc169f\",\"w\":7,\"x\":13,\"y\":0},\"panelIndex\":\"65ce6b63-6ce0-4094-ab23-189126fc169f\",\"panelRefName\":\"panel_1\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":6,\"i\":\"314e6f55-a05a-4ae3-ab76-bcae7f2074ab\",\"w\":8,\"x\":20,\"y\":0},\"panelIndex\":\"314e6f55-a05a-4ae3-ab76-bcae7f2074ab\",\"panelRefName\":\"panel_2\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":6,\"i\":\"a1f161f6-1abe-4177-9ede-4d1984f5a963\",\"w\":7,\"x\":28,\"y\":0},\"panelIndex\":\"a1f161f6-1abe-4177-9ede-4d1984f5a963\",\"panelRefName\":\"panel_3\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":6,\"i\":\"6b7ed122-22f3-4e9d-89eb-8de92c0d2033\",\"w\":4,\"x\":35,\"y\":0},\"panelIndex\":\"6b7ed122-22f3-4e9d-89eb-8de92c0d2033\",\"panelRefName\":\"panel_4\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":6,\"i\":\"d536f6a7-ad28-4a32-9319-9e0b983828bf\",\"w\":4,\"x\":39,\"y\":0},\"panelIndex\":\"d536f6a7-ad28-4a32-9319-9e0b983828bf\",\"panelRefName\":\"panel_5\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":6,\"i\":\"eda6d08f-b45e-448a-bf9f-afa5516d4b4b\",\"w\":4,\"x\":43,\"y\":0},\"panelIndex\":\"eda6d08f-b45e-448a-bf9f-afa5516d4b4b\",\"panelRefName\":\"panel_6\",\"ve
rsion\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"56d2dd76-6fec-422b-96e9-22791b0c5f0c\",\"w\":10,\"x\":13,\"y\":6},\"panelIndex\":\"56d2dd76-6fec-422b-96e9-22791b0c5f0c\",\"panelRefName\":\"panel_7\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":7,\"i\":\"3e4a9683-fd6a-4ad7-b05f-c71bcb4d92d5\",\"w\":12,\"x\":23,\"y\":6},\"panelIndex\":\"3e4a9683-fd6a-4ad7-b05f-c71bcb4d92d5\",\"panelRefName\":\"panel_8\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":7,\"i\":\"a8c00572-667b-4e39-8b0c-10be56fbadd5\",\"w\":12,\"x\":35,\"y\":6},\"panelIndex\":\"a8c00572-667b-4e39-8b0c-10be56fbadd5\",\"panelRefName\":\"panel_9\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"e8a57cba-14d2-4cd9-a727-f5e30165f6ba\",\"w\":13,\"x\":0,\"y\":8},\"panelIndex\":\"e8a57cba-14d2-4cd9-a727-f5e30165f6ba\",\"panelRefName\":\"panel_10\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":7,\"i\":\"8ae39cfa-cb06-45eb-880e-b749c3355d61\",\"w\":12,\"x\":23,\"y\":13},\"panelIndex\":\"8ae39cfa-cb06-45eb-880e-b749c3355d61\",\"panelRefName\":\"panel_11\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":7,\"i\":\"ef92d192-b56d-476c-b640-e226679ed178\",\"w\":12,\"x\":35,\"y\":13},\"panelIndex\":\"ef92d192-b56d-476c-b640-e226679ed178\",\"panelRefName\":\"panel_12\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":11,\"i\":\"b15dcac5-3616-4b41-8abb-cb28398b16f4\",\"w\":13,\"x\":0,\"y\":16},\"panelIndex\":\"b15dcac5-3616-4b41-8abb-cb28398b16f4\",\"panelRefName\":\"panel_13\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":11,\"i\":\"23af61c8-6a45-4d7d-9905-8ed265328130\",\"w\":10,\"x\":13,\"y\":16},\"panelIndex\":\"23af61c8-6a45-4d7d-9905-8ed265328130\",\"panelRefName\":\"panel_14\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":7,\"i\":\"390068ed-b7fb-4ec1-87d5-e89f7cc82e04\",\"w\":12,\"x\":23,\"y\":20},\"panelIndex\":\"
390068ed-b7fb-4ec1-87d5-e89f7cc82e04\",\"panelRefName\":\"panel_15\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":7,\"i\":\"45724dca-fea2-4f3b-af79-cf89bb12a31b\",\"w\":12,\"x\":35,\"y\":20},\"panelIndex\":\"45724dca-fea2-4f3b-af79-cf89bb12a31b\",\"panelRefName\":\"panel_16\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":14,\"i\":\"7f0c4a51-d972-42a5-ba0a-d3de814c7440\",\"w\":47,\"x\":0,\"y\":27},\"panelIndex\":\"7f0c4a51-d972-42a5-ba0a-d3de814c7440\",\"panelRefName\":\"panel_17\",\"version\":\"7.6.0\"}]", - "timeRestore": false, - "title": "[Windows powershell] Overview", - "version": 1 - }, - "id": "windows-c77e06c0-9e7c-11ea-af6f-cfdb1ee1d6c8", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-9ec52c30-9e91-11ea-af6f-cfdb1ee1d6c8", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-52543ef0-9e95-11ea-af6f-cfdb1ee1d6c8", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-7f3e7710-9e94-11ea-af6f-cfdb1ee1d6c8", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-78874900-9f30-11ea-bef1-95118e62a7c1", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-e64ff750-9f28-11ea-bef1-95118e62a7c1", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-2dbabdf0-9f29-11ea-bef1-95118e62a7c1", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-92a2a6b0-9f29-11ea-bef1-95118e62a7c1", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "windows-e20b3940-9e9a-11ea-af6f-cfdb1ee1d6c8", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "windows-1eeaaf70-9f23-11ea-bef1-95118e62a7c1", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-f9fa55f0-9f34-11ea-bef1-95118e62a7c1", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-3e55daa0-9e8e-11ea-af6f-cfdb1ee1d6c8", - "name": 
"panel_10", - "type": "visualization" - }, - { - "id": "windows-d27dea70-9f32-11ea-bef1-95118e62a7c1", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "windows-fbb025e0-9e7c-11ea-af6f-cfdb1ee1d6c8", - "name": "panel_12", - "type": "visualization" - }, - { - "id": "windows-7adbce50-9e96-11ea-af6f-cfdb1ee1d6c8", - "name": "panel_13", - "type": "visualization" - }, - { - "id": "windows-70751050-9f33-11ea-bef1-95118e62a7c1", - "name": "panel_14", - "type": "visualization" - }, - { - "id": "windows-b0c5d570-9e7c-11ea-af6f-cfdb1ee1d6c8", - "name": "panel_15", - "type": "visualization" - }, - { - "id": "windows-c0945210-9e8b-11ea-af6f-cfdb1ee1d6c8", - "name": "panel_16", - "type": "visualization" - }, - { - "id": "windows-11a61760-9f27-11ea-bef1-95118e62a7c1", - "name": "panel_17", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/windows/0.6.0/kibana/dashboard/windows-d9eba730-c991-11e7-9835-2f31fe08873b.json b/packages/windows/0.6.0/kibana/dashboard/windows-d9eba730-c991-11e7-9835-2f31fe08873b.json deleted file mode 100755 index 2dc240f99d..0000000000 --- a/packages/windows/0.6.0/kibana/dashboard/windows-d9eba730-c991-11e7-9835-2f31fe08873b.json +++ /dev/null 
@@ -1,49 +0,0 @@ -{ - "attributes": { - "description": "Overview of the Windows Service States", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.service\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":36,\"x\":12,\"y\":12},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"2\",\"w\":12,\"x\":0,\"y\":12},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"3\",\"w\":16,\"x\":0,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":12,\"i\":\"4\",\"w\":16,\"x\":16,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":12,\"i\":\"5\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Metrics Windows] Services", - "version": 1 - }, - "id": "windows-d9eba730-c991-11e7-9835-2f31fe08873b", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-eb8277d0-c98c-11e7-9835-2f31fe08873b", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-23a5fff0-c98e-11e7-9835-2f31fe08873b", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-830c45f0-c991-11e7-9835-2f31fe08873b", - "name": "panel_2", - "type": 
"visualization" - }, - { - "id": "windows-35f5ad60-c996-11e7-9835-2f31fe08873b", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-c36b2ba0-ca29-11e7-9835-2f31fe08873b", - "name": "panel_4", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/windows/0.6.0/kibana/search/windows-11a61760-9f27-11ea-bef1-95118e62a7c1.json b/packages/windows/0.6.0/kibana/search/windows-11a61760-9f27-11ea-bef1-95118e62a7c1.json deleted file mode 100755 index 4eec362f7b..0000000000 --- a/packages/windows/0.6.0/kibana/search/windows-11a61760-9f27-11ea-bef1-95118e62a7c1.json +++ /dev/null @@ -1,40 +0,0 @@ -{ - "attributes": { - "columns": [ - "event.code", - "powershell.engine.version", - "powershell.runspace_id", - "process.args", - "powershell.command.invocation_details", - "powershell.file.script_block_text" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Details [Windows powershell]", - "version": 1 - }, - "id": "windows-11a61760-9f27-11ea-bef1-95118e62a7c1", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/windows/0.6.0/kibana/search/windows-b6b7ccc0-c98d-11e7-9835-2f31fe08873b.json b/packages/windows/0.6.0/kibana/search/windows-b6b7ccc0-c98d-11e7-9835-2f31fe08873b.json deleted file mode 100755 index ce978c720f..0000000000 
--- a/packages/windows/0.6.0/kibana/search/windows-b6b7ccc0-c98d-11e7-9835-2f31fe08873b.json +++ /dev/null 
@@ -1,48 +0,0 @@ -{ - "attributes": { - "columns": [ - "host.name", - "windows.service.display_name", - "windows.service.state", - "windows.service.start_type", - "windows.service.uptime.ms", - "windows.service.pid", - "windows.service.exit_code" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"query\",\"negate\":false,\"type\":\"custom\",\"value\":\"{\\\"prefix\\\":{\\\"data_stream.dataset\\\":\\\"windows.\\\"}}\"},\"query\":{\"prefix\":{\"data_stream.dataset\":\"windows.\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"metricset.name\",\"negate\":false,\"params\":{\"query\":\"service\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"service\"},\"query\":{\"match\":{\"metricset.name\":{\"query\":\"service\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Services [Metrics Windows]", - "version": 1 - }, - "id": "windows-b6b7ccc0-c98d-11e7-9835-2f31fe08873b", - "migrationVersion": { - "search": "7.4.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file 
diff --git a/packages/windows/0.6.0/kibana/visualization/windows-1eeaaf70-9f23-11ea-bef1-95118e62a7c1.json b/packages/windows/0.6.0/kibana/visualization/windows-1eeaaf70-9f23-11ea-bef1-95118e62a7c1.json deleted file mode 100755 index 04e954c31c..0000000000 --- a/packages/windows/0.6.0/kibana/visualization/windows-1eeaaf70-9f23-11ea-bef1-95118e62a7c1.json +++ /dev/null @@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)\"}}" - }, - "title": "Engine versions [Windows powershell]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Engine version\",\"field\":\"powershell.engine.version\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"metric\":{\"accessor\":0,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}}},\"isDonut\":false,\"labels\":{\"last_level\":false,\"show\":false,\"truncate\":100,\"values\":false},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Engine versions [Windows powershell]\",\"type\":\"pie\"}" - }, - "id": "windows-1eeaaf70-9f23-11ea-bef1-95118e62a7c1", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/windows/0.6.0/kibana/visualization/windows-23a5fff0-c98e-11e7-9835-2f31fe08873b.json b/packages/windows/0.6.0/kibana/visualization/windows-23a5fff0-c98e-11e7-9835-2f31fe08873b.json deleted file mode 100755 index a1d8795f59..0000000000 --- a/packages/windows/0.6.0/kibana/visualization/windows-23a5fff0-c98e-11e7-9835-2f31fe08873b.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Hosts [Metrics Windows]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Total Services\",\"field\":\"windows.service.id\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Host\",\"field\":\"host.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Hosts [Metrics Windows]\",\"type\":\"table\"}" - }, - "id": "windows-23a5fff0-c98e-11e7-9835-2f31fe08873b", - "migrationVersion": { - "visualization": "7.8.0" - }, - "references": [ - { - "id": "windows-b6b7ccc0-c98d-11e7-9835-2f31fe08873b", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/windows/0.6.0/kibana/visualization/windows-2dbabdf0-9f29-11ea-bef1-95118e62a7c1.json b/packages/windows/0.6.0/kibana/visualization/windows-2dbabdf0-9f29-11ea-bef1-95118e62a7c1.json deleted file mode 100755 index c3010746e0..0000000000 
--- a/packages/windows/0.6.0/kibana/visualization/windows-2dbabdf0-9f29-11ea-bef1-95118e62a7c1.json +++ /dev/null @@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset.windows.powershell_operational)\"}}" - }, - "title": "Unique engine versions [Windows powershell]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Unique versions\",\"field\":\"powershell.engine.version\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":32,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Unique engine versions [Windows powershell]\",\"type\":\"metric\"}" - }, - "id": "windows-2dbabdf0-9f29-11ea-bef1-95118e62a7c1", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/windows/0.6.0/kibana/visualization/windows-35f5ad60-c996-11e7-9835-2f31fe08873b.json b/packages/windows/0.6.0/kibana/visualization/windows-35f5ad60-c996-11e7-9835-2f31fe08873b.json deleted file mode 100755 index a67dddfc97..0000000000 
--- a/packages/windows/0.6.0/kibana/visualization/windows-35f5ad60-c996-11e7-9835-2f31fe08873b.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Unique Services [Metrics Windows]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Services\",\"field\":\"windows.service.id\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":false},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"type\":\"gauge\"},\"title\":\"Unique Services [Metrics Windows]\",\"type\":\"metric\"}" - }, - "id": "windows-35f5ad60-c996-11e7-9835-2f31fe08873b", - "migrationVersion": { - "visualization": "7.8.0" - }, - "references": [ - { - "id": "windows-b6b7ccc0-c98d-11e7-9835-2f31fe08873b", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/windows/0.6.0/kibana/visualization/windows-3e55daa0-9e8e-11ea-af6f-cfdb1ee1d6c8.json b/packages/windows/0.6.0/kibana/visualization/windows-3e55daa0-9e8e-11ea-af6f-cfdb1ee1d6c8.json deleted file mode 100755 index 89fc1c53f5..0000000000 
--- a/packages/windows/0.6.0/kibana/visualization/windows-3e55daa0-9e8e-11ea-af6f-cfdb1ee1d6c8.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset.windows.powershell_operational)\"}}" - }, - "title": "Users [Windows powershell]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"User\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Host count\",\"field\":\"host.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"\",\"origin\":\"http://192.168.1.48:5601\",\"pathname\":\"/app/kibana\"}}},\"label\":\"User\",\"params\":{}}],\"metrics\":[{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}},{\"accessor\":2,\"aggType\":\"cardinality\",\"format\":{\"id\":\"number\"},\"label\":\"Unique count of host.name\",\"params\":{}}]},\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users [Windows powershell]\",\"type\":\"table\"}" - }, - "id": "windows-3e55daa0-9e8e-11ea-af6f-cfdb1ee1d6c8", - "migrationVersion": { - 
"visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/windows/0.6.0/kibana/visualization/windows-52543ef0-9e95-11ea-af6f-cfdb1ee1d6c8.json b/packages/windows/0.6.0/kibana/visualization/windows-52543ef0-9e95-11ea-af6f-cfdb1ee1d6c8.json deleted file mode 100755 index 30859feacc..0000000000 --- a/packages/windows/0.6.0/kibana/visualization/windows-52543ef0-9e95-11ea-af6f-cfdb1ee1d6c8.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset.windows.powershell_operational)\"}}" - }, - "title": "Total engine started [Windows powershell]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"filters\":[{\"input\":{\"language\":\"kuery\",\"query\":\"event.code: 400\"},\"label\":\"\"}]},\"schema\":\"group\",\"type\":\"filters\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"string\",\"params\":{}},\"type\":\"vis_dimension\"},\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":32,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Total engine started [Windows powershell]\",\"type\":\"metric\"}" - }, - "id": "windows-52543ef0-9e95-11ea-af6f-cfdb1ee1d6c8", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/windows/0.6.0/kibana/visualization/windows-70751050-9f33-11ea-bef1-95118e62a7c1.json b/packages/windows/0.6.0/kibana/visualization/windows-70751050-9f33-11ea-bef1-95118e62a7c1.json deleted file mode 100755 index 05fb357273..0000000000 --- a/packages/windows/0.6.0/kibana/visualization/windows-70751050-9f33-11ea-bef1-95118e62a7c1.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset.windows.powershell_operational)\"}}" - }, - "title": "Top active hosts [Windows powershell]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[],\"metrics\":[{\"accessor\":0,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}}]},\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top active hosts [Windows powershell]\",\"type\":\"table\"}" - }, - "id": "windows-70751050-9f33-11ea-bef1-95118e62a7c1", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/windows/0.6.0/kibana/visualization/windows-78874900-9f30-11ea-bef1-95118e62a7c1.json b/packages/windows/0.6.0/kibana/visualization/windows-78874900-9f30-11ea-bef1-95118e62a7c1.json deleted file mode 100755 index ea3f28e91a..0000000000 
--- a/packages/windows/0.6.0/kibana/visualization/windows-78874900-9f30-11ea-bef1-95118e62a7c1.json +++ /dev/null @@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)\"}}" - }, - "title": "Total remote commands [Windows powershell]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"filters\":[{\"input\":{\"language\":\"kuery\",\"query\":\"process.title:\\\"ServerRemoteHost\\\" \"},\"label\":\"Remote commands\"}]},\"schema\":\"group\",\"type\":\"filters\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"string\",\"params\":{}},\"type\":\"vis_dimension\"},\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":32,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Total remote commands [Windows powershell]\",\"type\":\"metric\"}" - }, - "id": "windows-78874900-9f30-11ea-bef1-95118e62a7c1", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/windows/0.6.0/kibana/visualization/windows-7adbce50-9e96-11ea-af6f-cfdb1ee1d6c8.json b/packages/windows/0.6.0/kibana/visualization/windows-7adbce50-9e96-11ea-af6f-cfdb1ee1d6c8.json deleted file mode 100755 index 20a555f9a3..0000000000 --- a/packages/windows/0.6.0/kibana/visualization/windows-7adbce50-9e96-11ea-af6f-cfdb1ee1d6c8.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)\"}}" - }, - "title": "Engine and Command started[Windows powershell]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"*\":\"#EAB839\",\"Engine stopped\":\"#BF1B00\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-1d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"filters\":[{\"input\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"400\\\" \"},\"label\":\"Engine started\"},{\"input\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4105\\\" \"},\"label\":\"Command started\"}]},\"schema\":\"group\",\"type\":\"filters\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"dimensions\":{\"series\":[{\"accessor\":1,\"aggType\":\"filters\",\"format\":{},\"label\":\"filters\",\"params\":{}}],\"x\":{\"accessor\":0,\"aggType\":\"date_histogram\",\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"HH:mm\"}},\"label\":\"@timestamp per 30 
minutes\",\"params\":{\"bounds\":{\"max\":\"2020-05-26T09:14:29.996Z\",\"min\":\"2020-05-25T09:14:29.996Z\"},\"date\":true,\"format\":\"HH:mm\",\"interval\":\"PT30M\",\"intervalESUnit\":\"m\",\"intervalESValue\":30}},\"y\":[{\"accessor\":2,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}}]},\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"log\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Engine and Command started[Windows powershell]\",\"type\":\"line\"}" - }, - "id": "windows-7adbce50-9e96-11ea-af6f-cfdb1ee1d6c8", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/windows/0.6.0/kibana/visualization/windows-7f3e7710-9e94-11ea-af6f-cfdb1ee1d6c8.json b/packages/windows/0.6.0/kibana/visualization/windows-7f3e7710-9e94-11ea-af6f-cfdb1ee1d6c8.json deleted file mode 100755 index 7991892c14..0000000000 --- a/packages/windows/0.6.0/kibana/visualization/windows-7f3e7710-9e94-11ea-af6f-cfdb1ee1d6c8.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)\"}}" - }, - "title": "Total commands [Windows powershell]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"filters\":[{\"input\":{\"language\":\"kuery\",\"query\":\"powershell.command.name: * \"},\"label\":\"Commands\"}]},\"schema\":\"group\",\"type\":\"filters\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"string\",\"params\":{}},\"type\":\"vis_dimension\"},\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":32,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Total commands [Windows powershell]\",\"type\":\"metric\"}" - }, - "id": "windows-7f3e7710-9e94-11ea-af6f-cfdb1ee1d6c8", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/windows/0.6.0/kibana/visualization/windows-830c45f0-c991-11e7-9835-2f31fe08873b.json b/packages/windows/0.6.0/kibana/visualization/windows-830c45f0-c991-11e7-9835-2f31fe08873b.json deleted file mode 100755 index 1c3be90530..0000000000 --- a/packages/windows/0.6.0/kibana/visualization/windows-830c45f0-c991-11e7-9835-2f31fe08873b.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Startup States [Metrics Windows]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Service Count\",\"field\":\"windows.service.id\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Startup Type\",\"field\":\"windows.service.start_type\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"State\",\"field\":\"windows.service.state\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Startup States [Metrics Windows]\",\"type\":\"pie\"}" - }, - "id": "windows-830c45f0-c991-11e7-9835-2f31fe08873b", - "migrationVersion": { - "visualization": "7.8.0" - }, - "references": [ - { - "id": "windows-b6b7ccc0-c98d-11e7-9835-2f31fe08873b", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/windows/0.6.0/kibana/visualization/windows-92a2a6b0-9f29-11ea-bef1-95118e62a7c1.json b/packages/windows/0.6.0/kibana/visualization/windows-92a2a6b0-9f29-11ea-bef1-95118e62a7c1.json deleted file mode 100755 index 41e0eb5de2..0000000000 --- a/packages/windows/0.6.0/kibana/visualization/windows-92a2a6b0-9f29-11ea-bef1-95118e62a7c1.json +++ /dev/null @@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)\"}}" - }, - "title": "Unique hosts [Windows powershell]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Unique hosts\",\"field\":\"host.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":32,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Unique hosts [Windows powershell]\",\"type\":\"metric\"}" - }, - "id": "windows-92a2a6b0-9f29-11ea-bef1-95118e62a7c1", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/windows/0.6.0/kibana/visualization/windows-9ec52c30-9e91-11ea-af6f-cfdb1ee1d6c8.json b/packages/windows/0.6.0/kibana/visualization/windows-9ec52c30-9e91-11ea-af6f-cfdb1ee1d6c8.json deleted file mode 100755 index f31c109dbd..0000000000 --- a/packages/windows/0.6.0/kibana/visualization/windows-9ec52c30-9e91-11ea-af6f-cfdb1ee1d6c8.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)\"}}" - }, - "title": "Connected users [Windows powershell]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"User\",\"field\":\"powershell.connected_user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"4\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Host count\",\"field\":\"host.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"\",\"origin\":\"http://192.168.1.48:5601\",\"pathname\":\"/app/kibana\"}}},\"label\":\"User\",\"params\":{}}],\"metrics\":[{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}},{\"accessor\":2,\"aggType\":\"cardinality\",\"format\":{\"id\":\"number\"},\"label\":\"Unique count of host.name\",\"params\":{}}]},\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Connected users [Windows powershell]\",\"type\":\"table\"}" - }, - "id": "windows-9ec52c30-9e91-11ea-af6f-cfdb1ee1d6c8", 
- "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/windows/0.6.0/kibana/visualization/windows-b0c5d570-9e7c-11ea-af6f-cfdb1ee1d6c8.json b/packages/windows/0.6.0/kibana/visualization/windows-b0c5d570-9e7c-11ea-af6f-cfdb1ee1d6c8.json deleted file mode 100755 index 7c4f2295c8..0000000000 --- a/packages/windows/0.6.0/kibana/visualization/windows-b0c5d570-9e7c-11ea-af6f-cfdb1ee1d6c8.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"powershell.command.invocation_details.type\",\"negate\":false,\"params\":{\"query\":\"CommandInvocation\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"powershell.command.invocation_details.type\":\"CommandInvocation\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)\"}}" - }, - "title": "Top Invoked Commands [Windows powershell]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"powershell.command.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"\",\"origin\":\"http://192.168.1.48:5601\",\"pathname\":\"/app/kibana\"}}},\"label\":\"powershell.command.invocation_details.related_command: Descending\",\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}}},\"isDonut\":false,\"labels\":{\"last_level\":false,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Top Invoked Commands [Windows 
powershell]\",\"type\":\"pie\"}" - }, - "id": "windows-b0c5d570-9e7c-11ea-af6f-cfdb1ee1d6c8", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/windows/0.6.0/kibana/visualization/windows-c0945210-9e8b-11ea-af6f-cfdb1ee1d6c8.json b/packages/windows/0.6.0/kibana/visualization/windows-c0945210-9e8b-11ea-af6f-cfdb1ee1d6c8.json deleted file mode 100755 index 2e83176ae0..0000000000 --- a/packages/windows/0.6.0/kibana/visualization/windows-c0945210-9e8b-11ea-af6f-cfdb1ee1d6c8.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)\"}}" - }, - "title": "Started providers [Windows powershell]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"powershell.provider.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"\",\"origin\":\"http://192.168.1.48:5601\",\"pathname\":\"/app/kibana\"}}},\"label\":\"powershell.provider.name: Descending\",\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}}},\"isDonut\":false,\"labels\":{\"last_level\":false,\"show\":false,\"truncate\":100,\"values\":false},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Started providers [Windows powershell]\",\"type\":\"pie\"}" - }, - "id": "windows-c0945210-9e8b-11ea-af6f-cfdb1ee1d6c8", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/windows/0.6.0/kibana/visualization/windows-c36b2ba0-ca29-11e7-9835-2f31fe08873b.json b/packages/windows/0.6.0/kibana/visualization/windows-c36b2ba0-ca29-11e7-9835-2f31fe08873b.json deleted file mode 100755 index 298c8a3225..0000000000 --- a/packages/windows/0.6.0/kibana/visualization/windows-c36b2ba0-ca29-11e7-9835-2f31fe08873b.json +++ /dev/null 
@@ -1,40 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"windows.service.exit_code\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"windows.service.exit_code\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"windows.service.exit_code\",\"negate\":true,\"params\":{\"query\":\"0\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"0\"},\"query\":{\"match\":{\"windows.service.exit_code\":{\"query\":\"0\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\",\"key\":\"windows.service.exit_code\",\"negate\":true,\"params\":{\"query\":\"ERROR_SERVICE_NEVER_STARTED\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"ERROR_SERVICE_NEVER_STARTED\"},\"query\":{\"match\":{\"windows.service.exit_code\":{\"query\":\"ERROR_SERVICE_NEVER_STARTED\",\"type\":\"phrase\"}}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Non-zero Service Exit Codes [Metrics Windows]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Non-zero Exit Codes\",\"field\":\"windows.service.id\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to 
Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":false},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"type\":\"gauge\"},\"title\":\"Non-zero Service Exit Codes [Metrics Windows]\",\"type\":\"metric\"}" - }, - "id": "windows-c36b2ba0-ca29-11e7-9835-2f31fe08873b", - "migrationVersion": { - "visualization": "7.8.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", - "type": "index-pattern" - }, - { - "id": "windows-b6b7ccc0-c98d-11e7-9835-2f31fe08873b", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/windows/0.6.0/kibana/visualization/windows-d27dea70-9f32-11ea-bef1-95118e62a7c1.json b/packages/windows/0.6.0/kibana/visualization/windows-d27dea70-9f32-11ea-bef1-95118e62a7c1.json deleted file mode 100755 index eb31ba6e7b..0000000000 --- a/packages/windows/0.6.0/kibana/visualization/windows-d27dea70-9f32-11ea-bef1-95118e62a7c1.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)\"}}" - }, - "title": "Event type [Windows powershell]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event type\",\"field\":\"event.code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"\",\"origin\":\"http://192.168.1.48:5601\",\"pathname\":\"/app/kibana\"}}},\"label\":\"event.code: Descending\",\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}}},\"isDonut\":false,\"labels\":{\"last_level\":false,\"show\":false,\"truncate\":100,\"values\":false},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Event type [Windows powershell]\",\"type\":\"pie\"}" - }, - "id": "windows-d27dea70-9f32-11ea-bef1-95118e62a7c1", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/windows/0.6.0/kibana/visualization/windows-e20b3940-9e9a-11ea-af6f-cfdb1ee1d6c8.json b/packages/windows/0.6.0/kibana/visualization/windows-e20b3940-9e9a-11ea-af6f-cfdb1ee1d6c8.json deleted file mode 100755 index 5bc8c71d54..0000000000 --- a/packages/windows/0.6.0/kibana/visualization/windows-e20b3940-9e9a-11ea-af6f-cfdb1ee1d6c8.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)\"}}" - }, - "title": "Engine versions ran by host [Windows powershell]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Host\",\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"3\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Version count\",\"field\":\"powershell.engine.version\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"\",\"origin\":\"http://192.168.1.48:5601\",\"pathname\":\"/app/kibana\"}}},\"label\":\"Host\",\"params\":{}}],\"metrics\":[{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}},{\"accessor\":2,\"aggType\":\"cardinality\",\"format\":{\"id\":\"number\"},\"label\":\"Version count\",\"params\":{}}]},\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Engine versions ran by host [Windows powershell]\",\"type\":\"table\"}" - }, - "id": "windows-e20b3940-9e9a-11ea-af6f-cfdb1ee1d6c8", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - 
"default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/windows/0.6.0/kibana/visualization/windows-e64ff750-9f28-11ea-bef1-95118e62a7c1.json b/packages/windows/0.6.0/kibana/visualization/windows-e64ff750-9f28-11ea-bef1-95118e62a7c1.json deleted file mode 100755 index 5fccc4cea5..0000000000 --- a/packages/windows/0.6.0/kibana/visualization/windows-e64ff750-9f28-11ea-bef1-95118e62a7c1.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)\"}}" - }, - "title": "Unique users [Windows powershell]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Unique users\",\"field\":\"related.user\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":32,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Unique users [Windows powershell]\",\"type\":\"metric\"}" - }, - "id": "windows-e64ff750-9f28-11ea-bef1-95118e62a7c1", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/windows/0.6.0/kibana/visualization/windows-eb8277d0-c98c-11e7-9835-2f31fe08873b.json b/packages/windows/0.6.0/kibana/visualization/windows-eb8277d0-c98c-11e7-9835-2f31fe08873b.json deleted file mode 100755 index 76751cae17..0000000000 --- a/packages/windows/0.6.0/kibana/visualization/windows-eb8277d0-c98c-11e7-9835-2f31fe08873b.json +++ /dev/null 
@@ -1,24 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Service States [Metrics Windows]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"aggregate\":\"concat\",\"customLabel\":\"Latest Report\",\"field\":\"@timestamp\",\"size\":1,\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\"},\"schema\":\"metric\",\"type\":\"top_hits\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Service\",\"field\":\"windows.service.display_name\",\"order\":\"asc\",\"orderBy\":\"_term\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Host\",\"field\":\"host.name\",\"order\":\"desc\",\"orderBy\":\"_term\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"State\",\"field\":\"windows.service.state\",\"order\":\"desc\",\"orderAgg\":{\"enabled\":true,\"id\":\"3-orderAgg\",\"params\":{\"field\":\"@timestamp\"},\"schema\":{\"aggFilter\":[\"!top_hits\",\"!percentiles\",\"!median\",\"!std_dev\",\"!derivative\",\"!moving_avg\",\"!serial_diff\",\"!cumulative_sum\",\"!avg_bucket\",\"!max_bucket\",\"!min_bucket\",\"!sum_bucket\"],\"deprecate\":false,\"editor\":false,\"group\":\"none\",\"hideCustomLabel\":true,\"max\":null,\"min\":0,\"name\":\"orderAgg\",\"params\":[],\"title\":\"Order Agg\"},\"type\":\"max\"},\"orderBy\":\"custom\",\"size\":1},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Startup 
Type\",\"field\":\"windows.service.start_type\",\"order\":\"desc\",\"orderAgg\":{\"enabled\":true,\"id\":\"4-orderAgg\",\"params\":{\"field\":\"@timestamp\"},\"schema\":{\"aggFilter\":[\"!top_hits\",\"!percentiles\",\"!median\",\"!std_dev\",\"!derivative\",\"!moving_avg\",\"!serial_diff\",\"!cumulative_sum\",\"!avg_bucket\",\"!max_bucket\",\"!min_bucket\",\"!sum_bucket\"],\"deprecate\":false,\"editor\":false,\"group\":\"none\",\"hideCustomLabel\":true,\"max\":null,\"min\":0,\"name\":\"orderAgg\",\"params\":[],\"title\":\"Order Agg\"},\"type\":\"max\"},\"orderBy\":\"custom\",\"size\":1},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Service States [Metrics Windows]\",\"type\":\"table\"}" - }, - "id": "windows-eb8277d0-c98c-11e7-9835-2f31fe08873b", - "migrationVersion": { - "visualization": "7.8.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/windows/0.6.0/kibana/visualization/windows-f9fa55f0-9f34-11ea-bef1-95118e62a7c1.json b/packages/windows/0.6.0/kibana/visualization/windows-f9fa55f0-9f34-11ea-bef1-95118e62a7c1.json deleted file mode 100755 index 87af19a431..0000000000 --- a/packages/windows/0.6.0/kibana/visualization/windows-f9fa55f0-9f34-11ea-bef1-95118e62a7c1.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)\"}}" - }, - "title": "Host processes [Windows powershell]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"process.title\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"\",\"origin\":\"http://192.168.1.48:5601\",\"pathname\":\"/app/kibana\"}}},\"label\":\"process.title: Descending\",\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}}},\"isDonut\":false,\"labels\":{\"last_level\":false,\"show\":false,\"truncate\":100,\"values\":false},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Host processes [Windows powershell]\",\"type\":\"pie\"}" - }, - "id": "windows-f9fa55f0-9f34-11ea-bef1-95118e62a7c1", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/windows/0.6.0/kibana/visualization/windows-fbb025e0-9e7c-11ea-af6f-cfdb1ee1d6c8.json b/packages/windows/0.6.0/kibana/visualization/windows-fbb025e0-9e7c-11ea-af6f-cfdb1ee1d6c8.json
deleted file mode 100755
index d81f48dce2..0000000000
--- a/packages/windows/0.6.0/kibana/visualization/windows-fbb025e0-9e7c-11ea-af6f-cfdb1ee1d6c8.json
+++ /dev/null
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)\"}}" - }, - "title": "Event Levels [Windows powershell]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"log.level\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"\",\"origin\":\"http://192.168.1.48:5601\",\"pathname\":\"/app/kibana\"}}},\"label\":\"log.level: Descending\",\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}}},\"isDonut\":false,\"labels\":{\"last_level\":false,\"show\":false,\"truncate\":100,\"values\":false},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Event Levels [Windows powershell]\",\"type\":\"pie\"}" - }, - "id": "windows-fbb025e0-9e7c-11ea-af6f-cfdb1ee1d6c8", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/windows/0.6.0/manifest.yml b/packages/windows/0.6.0/manifest.yml
deleted file mode 100755
index a190d4544d..0000000000
--- a/packages/windows/0.6.0/manifest.yml
+++ /dev/null
@@ -1,64 +0,0 @@
-name: windows
-title: Windows
-version: 0.6.0
-description: Windows Integration
-type: integration
-categories:
- - os_system
- - security
-icons:
- - src: /img/logo_windows.svg
- title: logo windows
- size: 32x32
- type: image/svg+xml
-format_version: 1.0.0
-license: basic
-release: experimental
-conditions:
- kibana.version: '^7.13.0'
-screenshots:
- - src: /img/metricbeat-windows-service.png
- title: metricbeat windows service
- size: 3142x1834
- type: image/png
-policy_templates:
- - name: windows
- title: Windows logs and metrics
- description: Collect logs and metrics from Windows instances
- inputs:
- - type: winlog
- title: 'Collect events from the following Windows event log channels:'
- description: 'Collecting events from Windows event log'
- - type: windows/metrics
- title: Collect Windows perfmon and service metrics
- description: Collecting perfmon and service metrics from Windows instances
- - type: httpjson
- title: Collect logs from third-party REST API (experimental)
- description: Collect logs from third-party REST API (experimental)
- vars:
- - name: url
- type: text
- title: URL of Splunk Enterprise Server
- description: i.e. scheme://host:port, path is automatic
- show_user: true
- required: true
- default: https://server.example.com:8089
- - name: username
- type: text
- title: Splunk REST API Username
- show_user: true
- required: true
- - name: password
- type: password
- title: Splunk REST API Password
- required: true
- show_user: true
- - name: ssl
- type: yaml
- title: SSL Configuration
- description: i.e. certificate_authorities, supported_protocols, verification_mode etc.
- multi: false
- required: false
- show_user: false
-owner:
- github: elastic/integrations
diff --git a/packages/windows/0.7.0/changelog.yml b/packages/windows/0.7.0/changelog.yml
deleted file mode 100755
index 6fe38be9ca..0000000000
--- a/packages/windows/0.7.0/changelog.yml
+++ /dev/null
@@ -1,49 +0,0 @@
-# newer versions go on top
-- version: "0.7.0"
- changes:
- - description: Move Sysmon edge processing to ingest pipeline.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/972
-- version: "0.6.0"
- changes:
- - description: Move PowerShell edge processing to ingest pipeline.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/941
-- version: "0.5.2"
- changes:
- - description: Change Splunk input to use the decode_xml_wineventlog processor.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/923
-- version: "0.5.1"
- changes:
- - description: Add support for Sysmon v13 events.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/913
-- version: "0.5.0"
- changes:
- - description: Add Splunk input for Winlog data streams.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/821
-- version: "0.4.3"
- changes:
- - description: Updating package owner
- type: enhancement
- link: https://github.com/elastic/integrations/pull/766
- - description: update to ECS 1.9.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/877
-- version: "0.4.2"
- changes:
- - description: Move security data stream
- type: bugfix # can be one of: enhancement, bugfix, breaking-change
- link: https://github.com/elastic/integrations/pull/726
-- version: "0.4.1"
- changes:
- - description: Fix Guards
- type: bugfix # can be one of: enhancement, bugfix, breaking-change
- link: https://github.com/elastic/integrations/pull/724
-- version: "0.1.0"
- changes:
- - description: initial release
- type: enhancement # can be one of: enhancement, bugfix, breaking-change
- link: https://github.com/elastic/integrations/pull/91
diff --git a/packages/windows/0.7.0/data_stream/forwarded/agent/stream/httpjson.yml.hbs b/packages/windows/0.7.0/data_stream/forwarded/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index cc0186c25b..0000000000
--- a/packages/windows/0.7.0/data_stream/forwarded/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,5025 +0,0 @@ -config_version: "2" -interval: {{interval}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: |- - {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -response.decode_as: application/x-ndjson -tags: -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains tags "forwarded"}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: - - decode_json_fields: - fields: message - target: json - add_error_key: true - - drop_event: - when: - not: - has_fields: ['json.result'] - - fingerprint: - fields: - - json.result._cd - - json.result._indextime - - json.result._raw - - json.result._time - - json.result.host - - json.result.source - target_field: "@metadata._id" - - drop_fields: - fields: message - - rename: - fields: - - from: json.result._raw - to: event.original - - from: json.result.host - to: host.name - - from: json.result.source - to: event.provider - ignore_missing: true - fail_on_error: false - - drop_fields: - fields: json - - decode_xml_wineventlog: - field: event.original - target_field: winlog - ignore_missing: true - ignore_failure: true - map_ecs_fields: true - - timestamp: - field: winlog.time_created - layouts: - - '2006-01-02T15:04:05Z' - - '2006-01-02T15:04:05.999Z' - - '2006-01-02T15:04:05.999-07:00' - test: - - '2019-06-22T16:33:51Z' - - '2019-11-18T04:59:51.123Z' - - 
'2020-08-03T07:10:20.123456+02:00' - - add_fields: - target: '' - fields: - ecs.version: 1.8.0 - - script: - when.equals.winlog.channel: Security - lang: javascript - id: security - source: |- - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - var security = (function () { - var path = require("path"); - var processor = require("processor"); - var windows = require("windows"); - // Logon Types - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events - var logonTypes = { - "2": "Interactive", - "3": "Network", - "4": "Batch", - "5": "Service", - "7": "Unlock", - "8": "NetworkCleartext", - "9": "NewCredentials", - "10": "RemoteInteractive", - "11": "CachedInteractive", - }; - // User Account Control Attributes Table - // https://support.microsoft.com/es-us/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties - var uacFlags = [ - [0x0001, 'SCRIPT'], - [0x0002, 'ACCOUNTDISABLE'], - [0x0008, 'HOMEDIR_REQUIRED'], - [0x0010, 'LOCKOUT'], - [0x0020, 'PASSWD_NOTREQD'], - [0x0040, 'PASSWD_CANT_CHANGE'], - [0x0080, 'ENCRYPTED_TEXT_PWD_ALLOWED'], - [0x0100, 'TEMP_DUPLICATE_ACCOUNT'], - [0x0200, 'NORMAL_ACCOUNT'], - [0x0800, 'INTERDOMAIN_TRUST_ACCOUNT'], - [0x1000, 'WORKSTATION_TRUST_ACCOUNT'], - [0x2000, 'SERVER_TRUST_ACCOUNT'], - [0x10000, 'DONT_EXPIRE_PASSWORD'], - [0x20000, 'MNS_LOGON_ACCOUNT'], - [0x40000, 'SMARTCARD_REQUIRED'], - [0x80000, 'TRUSTED_FOR_DELEGATION'], - [0x100000, 'NOT_DELEGATED'], - [0x200000, 'USE_DES_KEY_ONLY'], - [0x400000, 'DONT_REQ_PREAUTH'], - [0x800000, 'PASSWORD_EXPIRED'], - [0x1000000, 'TRUSTED_TO_AUTH_FOR_DELEGATION'], - [0x04000000, 'PARTIAL_SECRETS_ACCOUNT'], - ]; - // Kerberos TGT and TGS Ticket Options - // 
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769 - var ticketOptions = [ - "Reserved", - "Forwardable", - "Forwarded", - "Proxiable", - "Proxy", - "Allow-postdate", - "Postdated", - "Invalid", - "Renewable", - "Initial", - "Pre-authent", - "Opt-hardware-auth", - "Transited-policy-checked", - "Ok-as-delegate", - "Request-anonymous", - "Name-canonicalize", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Disable-transited-check", - "Renewable-ok", - "Enc-tkt-in-skey", - "Unused", - "Renew", - "Validate"]; - // Kerberos Encryption Types - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - var ticketEncryptionTypes = { - "0x1": "DES-CBC-CRC", - "0x3": "DES-CBC-MD5", - "0x11": "AES128-CTS-HMAC-SHA1-96", - "0x12": "AES256-CTS-HMAC-SHA1-96", - "0x17": "RC4-HMAC", - "0x18": "RC4-HMAC-EXP", - "0xffffffff": "FAIL", - }; - // Kerberos Result Status Codes - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - var kerberosTktStatusCodes = { - "0x0": "KDC_ERR_NONE", - "0x1": "KDC_ERR_NAME_EXP", - "0x2": "KDC_ERR_SERVICE_EXP", - "0x3": "KDC_ERR_BAD_PVNO", - "0x4": "KDC_ERR_C_OLD_MAST_KVNO", - "0x5": "KDC_ERR_S_OLD_MAST_KVNO", - "0x6": "KDC_ERR_C_PRINCIPAL_UNKNOWN", - "0x7": "KDC_ERR_S_PRINCIPAL_UNKNOWN", - "0x8": "KDC_ERR_PRINCIPAL_NOT_UNIQUE", - "0x9": "KDC_ERR_NULL_KEY", - "0xA": "KDC_ERR_CANNOT_POSTDATE", - "0xB": "KDC_ERR_NEVER_VALID", - "0xC": "KDC_ERR_POLICY", - "0xD": "KDC_ERR_BADOPTION", - "0xE": "KDC_ERR_ETYPE_NOTSUPP", - "0xF": "KDC_ERR_SUMTYPE_NOSUPP", - "0x10": "KDC_ERR_PADATA_TYPE_NOSUPP", - "0x11": 
"KDC_ERR_TRTYPE_NO_SUPP", - "0x12": "KDC_ERR_CLIENT_REVOKED", - "0x13": "KDC_ERR_SERVICE_REVOKED", - "0x14": "KDC_ERR_TGT_REVOKED", - "0x15": "KDC_ERR_CLIENT_NOTYET", - "0x16": "KDC_ERR_SERVICE_NOTYET", - "0x17": "KDC_ERR_KEY_EXPIRED", - "0x18": "KDC_ERR_PREAUTH_FAILED", - "0x19": "KDC_ERR_PREAUTH_REQUIRED", - "0x1A": "KDC_ERR_SERVER_NOMATCH", - "0x1B": "KDC_ERR_MUST_USE_USER2USER", - "0x1F": "KRB_AP_ERR_BAD_INTEGRITY", - "0x20": "KRB_AP_ERR_TKT_EXPIRED", - "0x21": "KRB_AP_ERR_TKT_NYV", - "0x22": "KRB_AP_ERR_REPEAT", - "0x23": "KRB_AP_ERR_NOT_US", - "0x24": "KRB_AP_ERR_BADMATCH", - "0x25": "KRB_AP_ERR_SKEW", - "0x26": "KRB_AP_ERR_BADADDR", - "0x27": "KRB_AP_ERR_BADVERSION", - "0x28": "KRB_AP_ERR_MSG_TYPE", - "0x29": "KRB_AP_ERR_MODIFIED", - "0x2A": "KRB_AP_ERR_BADORDER", - "0x2C": "KRB_AP_ERR_BADKEYVER", - "0x2D": "KRB_AP_ERR_NOKEY", - "0x2E": "KRB_AP_ERR_MUT_FAIL", - "0x2F": "KRB_AP_ERR_BADDIRECTION", - "0x30": "KRB_AP_ERR_METHOD", - "0x31": "KRB_AP_ERR_BADSEQ", - "0x32": "KRB_AP_ERR_INAPP_CKSUM", - "0x33": "KRB_AP_PATH_NOT_ACCEPTED", - "0x34": "KRB_ERR_RESPONSE_TOO_BIG", - "0x3C": "KRB_ERR_GENERIC", - "0x3D": "KRB_ERR_FIELD_TOOLONG", - "0x3E": "KDC_ERR_CLIENT_NOT_TRUSTED", - "0x3F": "KDC_ERR_KDC_NOT_TRUSTED", - "0x40": "KDC_ERR_INVALID_SIG", - "0x41": "KDC_ERR_KEY_TOO_WEAK", - "0x42": "KRB_AP_ERR_USER_TO_USER_REQUIRED", - "0x43": "KRB_AP_ERR_NO_TGT", - "0x44": "KDC_ERR_WRONG_REALM", - }; - // event.category, event.type, event.action - var eventActionTypes = { - "1100": [["process"], ["end"], "logging-service-shutdown"], - "1102": [["iam"], ["admin", "change"], "audit-log-cleared"], // need to recategorize - "1104": [["iam"], ["admin"],"logging-full"], - "1105": [["iam"], ["admin"],"auditlog-archieved"], - "1108": [["iam"], ["admin"],"logging-processing-error"], - "4610": [["configuration"], ["access"], "authentication-package-loaded"], - "4611": [["configuration"], ["change"], "trusted-logon-process-registered"], - "4614": [["configuration"], ["access"], 
"notification-package-loaded"], - "4616": [["configuration"], ["change"], "system-time-changed"], - "4622": [["configuration"], ["access"], "security-package-loaded"], - "4624": [["authentication"], ["start"], "logged-in"], - "4625": [["authentication"], ["start"], "logon-failed"], - "4634": [["authentication"], ["end"], "logged-out"], - "4647": [["authentication"], ["end"], "logged-out"], - "4648": [["authentication"], ["start"], "logged-in-explicit"], - "4657": [["registry", "configuration"], ["change"], "registry-value-modified"], - "4670": [["iam", "configuration"],["admin", "change"],"permissions-changed"], - "4672": [["iam"], ["admin"], "logged-in-special"], - "4673": [["iam"], ["admin"], "privileged-service-called"], - "4674": [["iam"], ["admin"], "privileged-operation"], - "4688": [["process"], ["start"], "created-process"], - "4689": [["process"], ["end"], "exited-process"], - "4697": [["iam", "configuration"], ["admin", "change"],"service-installed"], // remove iam and admin - "4698": [["iam", "configuration"], ["creation", "admin"], "scheduled-task-created"], // remove iam and admin - "4699": [["iam", "configuration"], ["deletion", "admin"], "scheduled-task-deleted"], // remove iam and admin - "4700": [["iam", "configuration"], ["change", "admin"], "scheduled-task-enabled"], // remove iam and admin - "4701": [["iam", "configuration"], ["change", "admin"], "scheduled-task-disabled"], // remove iam and admin - "4702": [["iam", "configuration"], ["change", "admin"], "scheduled-task-updated"], // remove iam and admin - "4706": [["configuration"], ["creation"], "domain-trust-added"], - "4707": [["configuration"], ["deletion"], "domain-trust-removed"], - "4713": [["configuration"], ["change"], "kerberos-policy-changed"], - "4714": [["configuration"], ["change"], "encrypted-data-recovery-policy-changed"], - "4715": [["configuration"], ["change"], "object-audit-policy-changed"], - "4716": [["configuration"], ["change"], "trusted-domain-information-changed"], - 
"4717": [["iam", "configuration"],["admin", "change"],"system-security-access-granted"], - "4718": [["iam", "configuration"],["admin", "deletion"],"system-security-access-removed"], - "4719": [["iam", "configuration"], ["admin", "change"], "changed-audit-config"], // remove iam and admin - "4720": [["iam"], ["user", "creation"], "added-user-account"], - "4722": [["iam"], ["user", "change"], "enabled-user-account"], - "4723": [["iam"], ["user", "change"], "changed-password"], - "4724": [["iam"], ["user", "change"], "reset-password"], - "4725": [["iam"], ["user", "deletion"], "disabled-user-account"], - "4726": [["iam"], ["user", "deletion"], "deleted-user-account"], - "4727": [["iam"], ["group", "creation"], "added-group-account"], - "4728": [["iam"], ["group", "change"], "added-member-to-group"], - "4729": [["iam"], ["group", "change"], "removed-member-from-group"], - "4730": [["iam"], ["group", "deletion"], "deleted-group-account"], - "4731": [["iam"], ["group", "creation"], "added-group-account"], - "4732": [["iam"], ["group", "change"], "added-member-to-group"], - "4733": [["iam"], ["group", "change"], "removed-member-from-group"], - "4734": [["iam"], ["group", "deletion"], "deleted-group-account"], - "4735": [["iam"], ["group", "change"], "modified-group-account"], - "4737": [["iam"], ["group", "change"], "modified-group-account"], - "4738": [["iam"], ["user", "change"], "modified-user-account"], - "4739": [["configuration"], ["change"], "domain-policy-changed"], - "4740": [["iam"], ["user", "change"], "locked-out-user-account"], - "4741": [["iam"], ["creation", "admin"], "added-computer-account"], // remove admin - "4742": [["iam"], ["change", "admin"], "changed-computer-account"], // remove admin - "4743": [["iam"], ["deletion", "admin"], "deleted-computer-account"], // remove admin - "4744": [["iam"], ["group", "creation"], "added-distribution-group-account"], - "4745": [["iam"], ["group", "change"], "changed-distribution-group-account"], - "4746": [["iam"], 
["group", "change"], "added-member-to-distribution-group"], - "4747": [["iam"], ["group", "change"], "removed-member-from-distribution-group"], - "4748": [["iam"], ["group", "deletion"], "deleted-distribution-group-account"], - "4749": [["iam"], ["group", "creation"], "added-distribution-group-account"], - "4750": [["iam"], ["group", "change"], "changed-distribution-group-account"], - "4751": [["iam"], ["group", "change"], "added-member-to-distribution-group"], - "4752": [["iam"], ["group", "change"], "removed-member-from-distribution-group"], - "4753": [["iam"], ["group", "deletion"], "deleted-distribution-group-account"], - "4754": [["iam"], ["group", "creation"], "added-group-account"], - "4755": [["iam"], ["group", "change"], "modified-group-account"], - "4756": [["iam"], ["group", "change"], "added-member-to-group"], - "4757": [["iam"], ["group", "change"], "removed-member-from-group"], - "4758": [["iam"], ["group", "deletion"], "deleted-group-account"], - "4759": [["iam"], ["group", "creation"], "added-distribution-group-account"], - "4760": [["iam"], ["group", "change"], "changed-distribution-group-account"], - "4761": [["iam"], ["group", "change"], "added-member-to-distribution-group"], - "4762": [["iam"], ["group", "change"], "removed-member-from-distribution-group"], - "4763": [["iam"], ["group", "deletion"], "deleted-distribution-group-account"], - "4764": [["iam"], ["group", "change"], "type-changed-group-account"], - "4767": [["iam"], ["user", "change"], "unlocked-user-account"], - "4768": [["authentication"], ["start"], "kerberos-authentication-ticket-requested"], - "4769": [["authentication"], ["start"], "kerberos-service-ticket-requested"], - "4770": [["authentication"], ["start"], "kerberos-service-ticket-renewed"], - "4771": [["authentication"], ["start"], "kerberos-preauth-failed"], - "4776": [["authentication"], ["start"], "credential-validated"], - "4778": [["authentication", "session"], ["start"], "session-reconnected"], - "4779": 
[["authentication", "session"], ["end"], "session-disconnected"], - "4781": [["iam"], ["user", "change"], "renamed-user-account"], - "4798": [["iam"], ["user", "info"], "group-membership-enumerated"], // process enumerates the local groups to which the specified user belongs - "4799": [["iam"], ["group", "info"], "user-member-enumerated"], // a process enumerates the members of the specified local group - "4817": [["iam", "configuration"], ["admin", "change"],"object-audit-changed"], - "4902": [["iam", "configuration"], ["admin", "creation"],"user-audit-policy-created"], - "4904": [["iam", "configuration"], ["admin", "change"],"security-event-source-added"], - "4905": [["iam", "configuration"], ["admin", "deletion"], "security-event-source-removed"], - "4906": [["iam", "configuration"], ["admin", "change"], "crash-on-audit-changed"], - "4907": [["iam", "configuration"], ["admin", "change"], "audit-setting-changed"], - "4908": [["iam", "configuration"], ["admin", "change"], "special-group-table-changed"], - "4912": [["iam", "configuration"], ["admin", "change"], "per-user-audit-policy-changed"], - "4950": [["configuration"], ["change"], "windows-firewall-setting-changed"], - "4954": [["configuration"], ["change"], "windows-firewall-group-policy-changed"], - "4964": [["iam"], ["admin", "group"], "logged-in-special"], - "5024": [["process"], ["start"], "windows-firewall-service-started"], - "5025": [["process"], ["end"], "windows-firewall-service-stopped"], - "5033": [["driver"], ["start"], "windows-firewall-driver-started"], - "5034": [["driver"], ["end"], "windows-firewall-driver-stopped"], - "5037": [["driver"], ["end"], "windows-firewall-driver-error"], - }; - // Services Types - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697 - var serviceTypes = { - "0x1": "Kernel Driver", - "0x2": "File System Driver", - "0x8": "Recognizer Driver", - "0x10": "Win32 Own Process", - "0x20": "Win32 Share Process", - "0x110": "Interactive 
Own Process", - "0x120": "Interactive Share Process", - }; - // Audit Categories Description - // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpac/77878370-0712-47cd-997d-b07053429f6d - var auditDescription = { - "0CCE9210-69AE-11D9-BED3-505054503030":["Security State Change", "System"], - "0CCE9211-69AE-11D9-BED3-505054503030":["Security System Extension", "System"], - "0CCE9212-69AE-11D9-BED3-505054503030":["System Integrity", "System"], - "0CCE9213-69AE-11D9-BED3-505054503030":["IPsec Driver", "System"], - "0CCE9214-69AE-11D9-BED3-505054503030":["Other System Events", "System"], - "0CCE9215-69AE-11D9-BED3-505054503030":["Logon", "Logon/Logoff"], - "0CCE9216-69AE-11D9-BED3-505054503030":["Logoff","Logon/Logoff"], - "0CCE9217-69AE-11D9-BED3-505054503030":["Account Lockout","Logon/Logoff"], - "0CCE9218-69AE-11D9-BED3-505054503030":["IPsec Main Mode","Logon/Logoff"], - "0CCE9219-69AE-11D9-BED3-505054503030":["IPsec Quick Mode","Logon/Logoff"], - "0CCE921A-69AE-11D9-BED3-505054503030":["IPsec Extended Mode","Logon/Logoff"], - "0CCE921B-69AE-11D9-BED3-505054503030":["Special Logon","Logon/Logoff"], - "0CCE921C-69AE-11D9-BED3-505054503030":["Other Logon/Logoff Events","Logon/Logoff"], - "0CCE9243-69AE-11D9-BED3-505054503030":["Network Policy Server","Logon/Logoff"], - "0CCE9247-69AE-11D9-BED3-505054503030":["User / Device Claims","Logon/Logoff"], - "0CCE921D-69AE-11D9-BED3-505054503030":["File System","Object Access"], - "0CCE921E-69AE-11D9-BED3-505054503030":["Registry","Object Access"], - "0CCE921F-69AE-11D9-BED3-505054503030":["Kernel Object","Object Access"], - "0CCE9220-69AE-11D9-BED3-505054503030":["SAM","Object Access"], - "0CCE9221-69AE-11D9-BED3-505054503030":["Certification Services","Object Access"], - "0CCE9222-69AE-11D9-BED3-505054503030":["Application Generated","Object Access"], - "0CCE9223-69AE-11D9-BED3-505054503030":["Handle Manipulation","Object Access"], - "0CCE9224-69AE-11D9-BED3-505054503030":["File Share","Object Access"], - 
"0CCE9225-69AE-11D9-BED3-505054503030":["Filtering Platform Packet Drop","Object Access"], - "0CCE9226-69AE-11D9-BED3-505054503030":["Filtering Platform Connection ","Object Access"], - "0CCE9227-69AE-11D9-BED3-505054503030":["Other Object Access Events","Object Access"], - "0CCE9244-69AE-11D9-BED3-505054503030":["Detailed File Share","Object Access"], - "0CCE9245-69AE-11D9-BED3-505054503030":["Removable Storage","Object Access"], - "0CCE9246-69AE-11D9-BED3-505054503030":["Central Policy Staging","Object Access"], - "0CCE9228-69AE-11D9-BED3-505054503030":["Sensitive Privilege Use","Privilege Use"], - "0CCE9229-69AE-11D9-BED3-505054503030":["Non Sensitive Privilege Use","Privilege Use"], - "0CCE922A-69AE-11D9-BED3-505054503030":["Other Privilege Use Events","Privilege Use"], - "0CCE922B-69AE-11D9-BED3-505054503030":["Process Creation","Detailed Tracking"], - "0CCE922C-69AE-11D9-BED3-505054503030":["Process Termination","Detailed Tracking"], - "0CCE922D-69AE-11D9-BED3-505054503030":["DPAPI Activity","Detailed Tracking"], - "0CCE922E-69AE-11D9-BED3-505054503030":["RPC Events","Detailed Tracking"], - "0CCE9248-69AE-11D9-BED3-505054503030":["Plug and Play Events","Detailed Tracking"], - "0CCE922F-69AE-11D9-BED3-505054503030":["Audit Policy Change","Policy Change"], - "0CCE9230-69AE-11D9-BED3-505054503030":["Authentication Policy Change","Policy Change"], - "0CCE9231-69AE-11D9-BED3-505054503030":["Authorization Policy Change","Policy Change"], - "0CCE9232-69AE-11D9-BED3-505054503030":["MPSSVC Rule-Level Policy Change","Policy Change"], - "0CCE9233-69AE-11D9-BED3-505054503030":["Filtering Platform Policy Change","Policy Change"], - "0CCE9234-69AE-11D9-BED3-505054503030":["Other Policy Change Events","Policy Change"], - "0CCE9235-69AE-11D9-BED3-505054503030":["User Account Management","Account Management"], - "0CCE9236-69AE-11D9-BED3-505054503030":["Computer Account Management","Account Management"], - "0CCE9237-69AE-11D9-BED3-505054503030":["Security Group 
Management","Account Management"], - "0CCE9238-69AE-11D9-BED3-505054503030":["Distribution Group Management","Account Management"], - "0CCE9239-69AE-11D9-BED3-505054503030":["Application Group Management","Account Management"], - "0CCE923A-69AE-11D9-BED3-505054503030":["Other Account Management Events","Account Management"], - "0CCE923B-69AE-11D9-BED3-505054503030":["Directory Service Access","Account Management"], - "0CCE923C-69AE-11D9-BED3-505054503030":["Directory Service Changes","Account Management"], - "0CCE923D-69AE-11D9-BED3-505054503030":["Directory Service Replication","Account Management"], - "0CCE923E-69AE-11D9-BED3-505054503030":["Detailed Directory Service Replication","Account Management"], - "0CCE923F-69AE-11D9-BED3-505054503030":["Credential Validation","Account Logon"], - "0CCE9240-69AE-11D9-BED3-505054503030":["Kerberos Service Ticket Operations","Account Logon"], - "0CCE9241-69AE-11D9-BED3-505054503030":["Other Account Logon Events","Account Logon"], - "0CCE9242-69AE-11D9-BED3-505054503030":["Kerberos Authentication Service","Account Logon"], - }; - // Descriptions of failure status codes. 
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625 - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776 - var logonFailureStatus = { - "0xc000005e": "There are currently no logon servers available to service the logon request.", - "0xc0000064": "User logon with misspelled or bad user account", - "0xc000006a": "User logon with misspelled or bad password", - "0xc000006d": "This is either due to a bad username or authentication information", - "0xc000006e": "Unknown user name or bad password.", - "0xc000006f": "User logon outside authorized hours", - "0xc0000070": "User logon from unauthorized workstation", - "0xc0000071": "User logon with expired password", - "0xc0000072": "User logon to account disabled by administrator", - "0xc00000dc": "Indicates the Sam Server was in the wrong state to perform the desired operation.", - "0xc0000133": "Clocks between DC and other computer too far out of sync", - "0xc000015b": "The user has not been granted the requested logon type (aka logon right) at this machine", - "0xc000018c": "The logon request failed because the trust relationship between the primary domain and the trusted domain failed.", - "0xc0000192": "An attempt was made to logon, but the Netlogon service was not started.", - "0xc0000193": "User logon with expired account", - "0xc0000224": "User is required to change password at next logon", - "0xc0000225": "Evidently a bug in Windows and not a risk", - "0xc0000234": "User logon with account locked", - "0xc00002ee": "Failure Reason: An Error occurred during Logon", - "0xc0000413": "Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine.", - "0xc0000371": "The local account store does not contain secret material for the specified account", - "0x0": "Status OK.", - }; - // Message table extracted from msobjs.dll on Windows 2019. 
- // https://gist.github.com/andrewkroh/665dca0682bd0e4daf194ab291694012 - var msobjsMessageTable = { - "279": "Undefined Access (no effect) Bit 7", - "1536": "Unused message ID", - "1537": "DELETE", - "1538": "READ_CONTROL", - "1539": "WRITE_DAC", - "1540": "WRITE_OWNER", - "1541": "SYNCHRONIZE", - "1542": "ACCESS_SYS_SEC", - "1543": "MAX_ALLOWED", - "1552": "Unknown specific access (bit 0)", - "1553": "Unknown specific access (bit 1)", - "1554": "Unknown specific access (bit 2)", - "1555": "Unknown specific access (bit 3)", - "1556": "Unknown specific access (bit 4)", - "1557": "Unknown specific access (bit 5)", - "1558": "Unknown specific access (bit 6)", - "1559": "Unknown specific access (bit 7)", - "1560": "Unknown specific access (bit 8)", - "1561": "Unknown specific access (bit 9)", - "1562": "Unknown specific access (bit 10)", - "1563": "Unknown specific access (bit 11)", - "1564": "Unknown specific access (bit 12)", - "1565": "Unknown specific access (bit 13)", - "1566": "Unknown specific access (bit 14)", - "1567": "Unknown specific access (bit 15)", - "1601": "Not used", - "1603": "Assign Primary Token Privilege", - "1604": "Lock Memory Privilege", - "1605": "Increase Memory Quota Privilege", - "1606": "Unsolicited Input Privilege", - "1607": "Trusted Computer Base Privilege", - "1608": "Security Privilege", - "1609": "Take Ownership Privilege", - "1610": "Load/Unload Driver Privilege", - "1611": "Profile System Privilege", - "1612": "Set System Time Privilege", - "1613": "Profile Single Process Privilege", - "1614": "Increment Base Priority Privilege", - "1615": "Create Pagefile Privilege", - "1616": "Create Permanent Object Privilege", - "1617": "Backup Privilege", - "1618": "Restore From Backup Privilege", - "1619": "Shutdown System Privilege", - "1620": "Debug Privilege", - "1621": "View or Change Audit Log Privilege", - "1622": "Change Hardware Environment Privilege", - "1623": "Change Notify (and Traverse) Privilege", - "1624": "Remotely Shut 
System Down Privilege", - "1792": "", - "1794": "", - "1795": "Enabled", - "1796": "Disabled", - "1797": "All", - "1798": "None", - "1799": "Audit Policy query/set API Operation", - "1800": "", - "1801": "Granted by", - "1802": "Denied by", - "1803": "Denied by Integrity Policy check", - "1804": "Granted by Ownership", - "1805": "Not granted", - "1806": "Granted by NULL DACL", - "1807": "Denied by Empty DACL", - "1808": "Granted by NULL Security Descriptor", - "1809": "Unknown or unchecked", - "1810": "Not granted due to missing", - "1811": "Granted by ACE on parent folder", - "1812": "Denied by ACE on parent folder", - "1813": "Granted by Central Access Rule", - "1814": "NOT Granted by Central Access Rule", - "1815": "Granted by parent folder's Central Access Rule", - "1816": "NOT Granted by parent folder's Central Access Rule", - "1817": "Unknown Type", - "1818": "String", - "1819": "Unsigned 64-bit Integer", - "1820": "64-bit Integer", - "1821": "FQBN", - "1822": "Blob", - "1823": "Sid", - "1824": "Boolean", - "1825": "TRUE", - "1826": "FALSE", - "1827": "Invalid", - "1828": "an ACE too long to display", - "1829": "a Security Descriptor too long to display", - "1830": "Not granted to AppContainers", - "1831": "...", - "1832": "Identification", - "1833": "Impersonation", - "1840": "Delegation", - "1841": "Denied by Process Trust Label ACE", - "1842": "Yes", - "1843": "No", - "1844": "System", - "1845": "Not Available", - "1846": "Default", - "1847": "DisallowMmConfig", - "1848": "Off", - "1849": "Auto", - "1872": "REG_NONE", - "1873": "REG_SZ", - "1874": "REG_EXPAND_SZ", - "1875": "REG_BINARY", - "1876": "REG_DWORD", - "1877": "REG_DWORD_BIG_ENDIAN", - "1878": "REG_LINK", - "1879": "REG_MULTI_SZ (New lines are replaced with *. 
A * is replaced with **)", - "1880": "REG_RESOURCE_LIST", - "1881": "REG_FULL_RESOURCE_DESCRIPTOR", - "1882": "REG_RESOURCE_REQUIREMENTS_LIST", - "1883": "REG_QWORD", - "1904": "New registry value created", - "1905": "Existing registry value modified", - "1906": "Registry value deleted", - "1920": "Sunday", - "1921": "Monday", - "1922": "Tuesday", - "1923": "Wednesday", - "1924": "Thursday", - "1925": "Friday", - "1926": "Saturday", - "1936": "TokenElevationTypeDefault (1)", - "1937": "TokenElevationTypeFull (2)", - "1938": "TokenElevationTypeLimited (3)", - "2048": "Account Enabled", - "2049": "Home Directory Required' - Disabled", - "2050": "Password Not Required' - Disabled", - "2051": "Temp Duplicate Account' - Disabled", - "2052": "Normal Account' - Disabled", - "2053": "MNS Logon Account' - Disabled", - "2054": "Interdomain Trust Account' - Disabled", - "2055": "Workstation Trust Account' - Disabled", - "2056": "Server Trust Account' - Disabled", - "2057": "Don't Expire Password' - Disabled", - "2058": "Account Unlocked", - "2059": "Encrypted Text Password Allowed' - Disabled", - "2060": "Smartcard Required' - Disabled", - "2061": "Trusted For Delegation' - Disabled", - "2062": "Not Delegated' - Disabled", - "2063": "Use DES Key Only' - Disabled", - "2064": "Don't Require Preauth' - Disabled", - "2065": "Password Expired' - Disabled", - "2066": "Trusted To Authenticate For Delegation' - Disabled", - "2067": "Exclude Authorization Information' - Disabled", - "2068": "Undefined UserAccountControl Bit 20' - Disabled", - "2069": "Protect Kerberos Service Tickets with AES Keys' - Disabled", - "2070": "Undefined UserAccountControl Bit 22' - Disabled", - "2071": "Undefined UserAccountControl Bit 23' - Disabled", - "2072": "Undefined UserAccountControl Bit 24' - Disabled", - "2073": "Undefined UserAccountControl Bit 25' - Disabled", - "2074": "Undefined UserAccountControl Bit 26' - Disabled", - "2075": "Undefined UserAccountControl Bit 27' - Disabled", - "2076": 
"Undefined UserAccountControl Bit 28' - Disabled", - "2077": "Undefined UserAccountControl Bit 29' - Disabled", - "2078": "Undefined UserAccountControl Bit 30' - Disabled", - "2079": "Undefined UserAccountControl Bit 31' - Disabled", - "2080": "Account Disabled", - "2081": "Home Directory Required' - Enabled", - "2082": "Password Not Required' - Enabled", - "2083": "Temp Duplicate Account' - Enabled", - "2084": "Normal Account' - Enabled", - "2085": "MNS Logon Account' - Enabled", - "2086": "Interdomain Trust Account' - Enabled", - "2087": "Workstation Trust Account' - Enabled", - "2088": "Server Trust Account' - Enabled", - "2089": "Don't Expire Password' - Enabled", - "2090": "Account Locked", - "2091": "Encrypted Text Password Allowed' - Enabled", - "2092": "Smartcard Required' - Enabled", - "2093": "Trusted For Delegation' - Enabled", - "2094": "Not Delegated' - Enabled", - "2095": "Use DES Key Only' - Enabled", - "2096": "Don't Require Preauth' - Enabled", - "2097": "Password Expired' - Enabled", - "2098": "Trusted To Authenticate For Delegation' - Enabled", - "2099": "Exclude Authorization Information' - Enabled", - "2100": "Undefined UserAccountControl Bit 20' - Enabled", - "2101": "Protect Kerberos Service Tickets with AES Keys' - Enabled", - "2102": "Undefined UserAccountControl Bit 22' - Enabled", - "2103": "Undefined UserAccountControl Bit 23' - Enabled", - "2104": "Undefined UserAccountControl Bit 24' - Enabled", - "2105": "Undefined UserAccountControl Bit 25' - Enabled", - "2106": "Undefined UserAccountControl Bit 26' - Enabled", - "2107": "Undefined UserAccountControl Bit 27' - Enabled", - "2108": "Undefined UserAccountControl Bit 28' - Enabled", - "2109": "Undefined UserAccountControl Bit 29' - Enabled", - "2110": "Undefined UserAccountControl Bit 30' - Enabled", - "2111": "Undefined UserAccountControl Bit 31' - Enabled", - "2304": "An Error occured during Logon.", - "2305": "The specified user account has expired.", - "2306": "The NetLogon component 
is not active.", - "2307": "Account locked out.", - "2308": "The user has not been granted the requested logon type at this machine.", - "2309": "The specified account's password has expired.", - "2310": "Account currently disabled.", - "2311": "Account logon time restriction violation.", - "2312": "User not allowed to logon at this computer.", - "2313": "Unknown user name or bad password.", - "2314": "Domain sid inconsistent.", - "2315": "Smartcard logon is required and was not used.", - "2432": "Not Available.", - "2436": "Random number generator failure.", - "2437": "Random number generation failed FIPS-140 pre-hash check.", - "2438": "Failed to zero secret data.", - "2439": "Key failed pair wise consistency check.", - "2448": "Failed to unprotect persistent cryptographic key.", - "2449": "Key export checks failed.", - "2450": "Validation of public key failed.", - "2451": "Signature verification failed.", - "2456": "Open key file.", - "2457": "Delete key file.", - "2458": "Read persisted key from file.", - "2459": "Write persisted key to file.", - "2464": "Export of persistent cryptographic key.", - "2465": "Import of persistent cryptographic key.", - "2480": "Open Key.", - "2481": "Create Key.", - "2482": "Delete Key.", - "2483": "Encrypt.", - "2484": "Decrypt.", - "2485": "Sign hash.", - "2486": "Secret agreement.", - "2487": "Domain settings", - "2488": "Local settings", - "2489": "Add provider.", - "2490": "Remove provider.", - "2491": "Add context.", - "2492": "Remove context.", - "2493": "Add function.", - "2494": "Remove function.", - "2495": "Add function provider.", - "2496": "Remove function provider.", - "2497": "Add function property.", - "2498": "Remove function property.", - "2499": "Machine key.", - "2500": "User key.", - "2501": "Key Derivation.", - "4352": "Device Access Bit 0", - "4353": "Device Access Bit 1", - "4354": "Device Access Bit 2", - "4355": "Device Access Bit 3", - "4356": "Device Access Bit 4", - "4357": "Device Access Bit 5", - 
"4358": "Device Access Bit 6", - "4359": "Device Access Bit 7", - "4360": "Device Access Bit 8", - "4361": "Undefined Access (no effect) Bit 9", - "4362": "Undefined Access (no effect) Bit 10", - "4363": "Undefined Access (no effect) Bit 11", - "4364": "Undefined Access (no effect) Bit 12", - "4365": "Undefined Access (no effect) Bit 13", - "4366": "Undefined Access (no effect) Bit 14", - "4367": "Undefined Access (no effect) Bit 15", - "4368": "Query directory", - "4369": "Traverse", - "4370": "Create object in directory", - "4371": "Create sub-directory", - "4372": "Undefined Access (no effect) Bit 4", - "4373": "Undefined Access (no effect) Bit 5", - "4374": "Undefined Access (no effect) Bit 6", - "4375": "Undefined Access (no effect) Bit 7", - "4376": "Undefined Access (no effect) Bit 8", - "4377": "Undefined Access (no effect) Bit 9", - "4378": "Undefined Access (no effect) Bit 10", - "4379": "Undefined Access (no effect) Bit 11", - "4380": "Undefined Access (no effect) Bit 12", - "4381": "Undefined Access (no effect) Bit 13", - "4382": "Undefined Access (no effect) Bit 14", - "4383": "Undefined Access (no effect) Bit 15", - "4384": "Query event state", - "4385": "Modify event state", - "4386": "Undefined Access (no effect) Bit 2", - "4387": "Undefined Access (no effect) Bit 3", - "4388": "Undefined Access (no effect) Bit 4", - "4389": "Undefined Access (no effect) Bit 5", - "4390": "Undefined Access (no effect) Bit 6", - "4391": "Undefined Access (no effect) Bit 7", - "4392": "Undefined Access (no effect) Bit 8", - "4393": "Undefined Access (no effect) Bit 9", - "4394": "Undefined Access (no effect) Bit 10", - "4395": "Undefined Access (no effect) Bit 11", - "4396": "Undefined Access (no effect) Bit 12", - "4397": "Undefined Access (no effect) Bit 13", - "4398": "Undefined Access (no effect) Bit 14", - "4399": "Undefined Access (no effect) Bit 15", - "4416": "ReadData (or ListDirectory)", - "4417": "WriteData (or AddFile)", - "4418": "AppendData (or 
AddSubdirectory or CreatePipeInstance)", - "4419": "ReadEA", - "4420": "WriteEA", - "4421": "Execute/Traverse", - "4422": "DeleteChild", - "4423": "ReadAttributes", - "4424": "WriteAttributes", - "4425": "Undefined Access (no effect) Bit 9", - "4426": "Undefined Access (no effect) Bit 10", - "4427": "Undefined Access (no effect) Bit 11", - "4428": "Undefined Access (no effect) Bit 12", - "4429": "Undefined Access (no effect) Bit 13", - "4430": "Undefined Access (no effect) Bit 14", - "4431": "Undefined Access (no effect) Bit 15", - "4432": "Query key value", - "4433": "Set key value", - "4434": "Create sub-key", - "4435": "Enumerate sub-keys", - "4436": "Notify about changes to keys", - "4437": "Create Link", - "4438": "Undefined Access (no effect) Bit 6", - "4439": "Undefined Access (no effect) Bit 7", - "4440": "Enable 64(or 32) bit application to open 64 bit key", - "4441": "Enable 64(or 32) bit application to open 32 bit key", - "4442": "Undefined Access (no effect) Bit 10", - "4443": "Undefined Access (no effect) Bit 11", - "4444": "Undefined Access (no effect) Bit 12", - "4445": "Undefined Access (no effect) Bit 13", - "4446": "Undefined Access (no effect) Bit 14", - "4447": "Undefined Access (no effect) Bit 15", - "4448": "Query mutant state", - "4449": "Undefined Access (no effect) Bit 1", - "4450": "Undefined Access (no effect) Bit 2", - "4451": "Undefined Access (no effect) Bit 3", - "4452": "Undefined Access (no effect) Bit 4", - "4453": "Undefined Access (no effect) Bit 5", - "4454": "Undefined Access (no effect) Bit 6", - "4455": "Undefined Access (no effect) Bit 7", - "4456": "Undefined Access (no effect) Bit 8", - "4457": "Undefined Access (no effect) Bit 9", - "4458": "Undefined Access (no effect) Bit 10", - "4459": "Undefined Access (no effect) Bit 11", - "4460": "Undefined Access (no effect) Bit 12", - "4461": "Undefined Access (no effect) Bit 13", - "4462": "Undefined Access (no effect) Bit 14", - "4463": "Undefined Access (no effect) Bit 15", - 
"4464": "Communicate using port", - "4465": "Undefined Access (no effect) Bit 1", - "4466": "Undefined Access (no effect) Bit 2", - "4467": "Undefined Access (no effect) Bit 3", - "4468": "Undefined Access (no effect) Bit 4", - "4469": "Undefined Access (no effect) Bit 5", - "4470": "Undefined Access (no effect) Bit 6", - "4471": "Undefined Access (no effect) Bit 7", - "4472": "Undefined Access (no effect) Bit 8", - "4473": "Undefined Access (no effect) Bit 9", - "4474": "Undefined Access (no effect) Bit 10", - "4475": "Undefined Access (no effect) Bit 11", - "4476": "Undefined Access (no effect) Bit 12", - "4477": "Undefined Access (no effect) Bit 13", - "4478": "Undefined Access (no effect) Bit 14", - "4479": "Undefined Access (no effect) Bit 15", - "4480": "Force process termination", - "4481": "Create new thread in process", - "4482": "Set process session ID", - "4483": "Perform virtual memory operation", - "4484": "Read from process memory", - "4485": "Write to process memory", - "4486": "Duplicate handle into or out of process", - "4487": "Create a subprocess of process", - "4488": "Set process quotas", - "4489": "Set process information", - "4490": "Query process information", - "4491": "Set process termination port", - "4492": "Undefined Access (no effect) Bit 12", - "4493": "Undefined Access (no effect) Bit 13", - "4494": "Undefined Access (no effect) Bit 14", - "4495": "Undefined Access (no effect) Bit 15", - "4496": "Control profile", - "4497": "Undefined Access (no effect) Bit 1", - "4498": "Undefined Access (no effect) Bit 2", - "4499": "Undefined Access (no effect) Bit 3", - "4500": "Undefined Access (no effect) Bit 4", - "4501": "Undefined Access (no effect) Bit 5", - "4502": "Undefined Access (no effect) Bit 6", - "4503": "Undefined Access (no effect) Bit 7", - "4504": "Undefined Access (no effect) Bit 8", - "4505": "Undefined Access (no effect) Bit 9", - "4506": "Undefined Access (no effect) Bit 10", - "4507": "Undefined Access (no effect) Bit 11", 
- "4508": "Undefined Access (no effect) Bit 12", - "4509": "Undefined Access (no effect) Bit 13", - "4510": "Undefined Access (no effect) Bit 14", - "4511": "Undefined Access (no effect) Bit 15", - "4512": "Query section state", - "4513": "Map section for write", - "4514": "Map section for read", - "4515": "Map section for execute", - "4516": "Extend size", - "4517": "Undefined Access (no effect) Bit 5", - "4518": "Undefined Access (no effect) Bit 6", - "4519": "Undefined Access (no effect) Bit 7", - "4520": "Undefined Access (no effect) Bit 8", - "4521": "Undefined Access (no effect) Bit 9", - "4522": "Undefined Access (no effect) Bit 10", - "4523": "Undefined Access (no effect) Bit 11", - "4524": "Undefined Access (no effect) Bit 12", - "4525": "Undefined Access (no effect) Bit 13", - "4526": "Undefined Access (no effect) Bit 14", - "4527": "Undefined Access (no effect) Bit 15", - "4528": "Query semaphore state", - "4529": "Modify semaphore state", - "4530": "Undefined Access (no effect) Bit 2", - "4531": "Undefined Access (no effect) Bit 3", - "4532": "Undefined Access (no effect) Bit 4", - "4533": "Undefined Access (no effect) Bit 5", - "4534": "Undefined Access (no effect) Bit 6", - "4535": "Undefined Access (no effect) Bit 7", - "4536": "Undefined Access (no effect) Bit 8", - "4537": "Undefined Access (no effect) Bit 9", - "4538": "Undefined Access (no effect) Bit 10", - "4539": "Undefined Access (no effect) Bit 11", - "4540": "Undefined Access (no effect) Bit 12", - "4541": "Undefined Access (no effect) Bit 13", - "4542": "Undefined Access (no effect) Bit 14", - "4543": "Undefined Access (no effect) Bit 15", - "4544": "Use symbolic link", - "4545": "Undefined Access (no effect) Bit 1", - "4546": "Undefined Access (no effect) Bit 2", - "4547": "Undefined Access (no effect) Bit 3", - "4548": "Undefined Access (no effect) Bit 4", - "4549": "Undefined Access (no effect) Bit 5", - "4550": "Undefined Access (no effect) Bit 6", - "4551": "Undefined Access (no 
effect) Bit 7", - "4552": "Undefined Access (no effect) Bit 8", - "4553": "Undefined Access (no effect) Bit 9", - "4554": "Undefined Access (no effect) Bit 10", - "4555": "Undefined Access (no effect) Bit 11", - "4556": "Undefined Access (no effect) Bit 12", - "4557": "Undefined Access (no effect) Bit 13", - "4558": "Undefined Access (no effect) Bit 14", - "4559": "Undefined Access (no effect) Bit 15", - "4560": "Force thread termination", - "4561": "Suspend or resume thread", - "4562": "Send an alert to thread", - "4563": "Get thread context", - "4564": "Set thread context", - "4565": "Set thread information", - "4566": "Query thread information", - "4567": "Assign a token to the thread", - "4568": "Cause thread to directly impersonate another thread", - "4569": "Directly impersonate this thread", - "4570": "Undefined Access (no effect) Bit 10", - "4571": "Undefined Access (no effect) Bit 11", - "4572": "Undefined Access (no effect) Bit 12", - "4573": "Undefined Access (no effect) Bit 13", - "4574": "Undefined Access (no effect) Bit 14", - "4575": "Undefined Access (no effect) Bit 15", - "4576": "Query timer state", - "4577": "Modify timer state", - "4578": "Undefined Access (no effect) Bit 2", - "4579": "Undefined Access (no effect) Bit 3", - "4580": "Undefined Access (no effect) Bit 4", - "4581": "Undefined Access (no effect) Bit 5", - "4582": "Undefined Access (no effect) Bit 6", - "4584": "Undefined Access (no effect) Bit 8", - "4585": "Undefined Access (no effect) Bit 9", - "4586": "Undefined Access (no effect) Bit 10", - "4587": "Undefined Access (no effect) Bit 11", - "4588": "Undefined Access (no effect) Bit 12", - "4589": "Undefined Access (no effect) Bit 13", - "4590": "Undefined Access (no effect) Bit 14", - "4591": "Undefined Access (no effect) Bit 15", - "4592": "AssignAsPrimary", - "4593": "Duplicate", - "4594": "Impersonate", - "4595": "Query", - "4596": "QuerySource", - "4597": "AdjustPrivileges", - "4598": "AdjustGroups", - "4599": 
"AdjustDefaultDacl", - "4600": "AdjustSessionID", - "4601": "Undefined Access (no effect) Bit 9", - "4602": "Undefined Access (no effect) Bit 10", - "4603": "Undefined Access (no effect) Bit 11", - "4604": "Undefined Access (no effect) Bit 12", - "4605": "Undefined Access (no effect) Bit 13", - "4606": "Undefined Access (no effect) Bit 14", - "4607": "Undefined Access (no effect) Bit 15", - "4608": "Create instance of object type", - "4609": "Undefined Access (no effect) Bit 1", - "4610": "Undefined Access (no effect) Bit 2", - "4611": "Undefined Access (no effect) Bit 3", - "4612": "Undefined Access (no effect) Bit 4", - "4613": "Undefined Access (no effect) Bit 5", - "4614": "Undefined Access (no effect) Bit 6", - "4615": "Undefined Access (no effect) Bit 7", - "4616": "Undefined Access (no effect) Bit 8", - "4617": "Undefined Access (no effect) Bit 9", - "4618": "Undefined Access (no effect) Bit 10", - "4619": "Undefined Access (no effect) Bit 11", - "4620": "Undefined Access (no effect) Bit 12", - "4621": "Undefined Access (no effect) Bit 13", - "4622": "Undefined Access (no effect) Bit 14", - "4623": "Undefined Access (no effect) Bit 15", - "4864": "Query State", - "4865": "Modify State", - "5120": "Channel read message", - "5121": "Channel write message", - "5122": "Channel query information", - "5123": "Channel set information", - "5124": "Undefined Access (no effect) Bit 4", - "5125": "Undefined Access (no effect) Bit 5", - "5126": "Undefined Access (no effect) Bit 6", - "5127": "Undefined Access (no effect) Bit 7", - "5128": "Undefined Access (no effect) Bit 8", - "5129": "Undefined Access (no effect) Bit 9", - "5130": "Undefined Access (no effect) Bit 10", - "5131": "Undefined Access (no effect) Bit 11", - "5132": "Undefined Access (no effect) Bit 12", - "5133": "Undefined Access (no effect) Bit 13", - "5134": "Undefined Access (no effect) Bit 14", - "5135": "Undefined Access (no effect) Bit 15", - "5136": "Assign process", - "5137": "Set Attributes", - 
"5138": "Query Attributes", - "5139": "Terminate Job", - "5140": "Set Security Attributes", - "5141": "Undefined Access (no effect) Bit 5", - "5142": "Undefined Access (no effect) Bit 6", - "5143": "Undefined Access (no effect) Bit 7", - "5144": "Undefined Access (no effect) Bit 8", - "5145": "Undefined Access (no effect) Bit 9", - "5146": "Undefined Access (no effect) Bit 10", - "5147": "Undefined Access (no effect) Bit 11", - "5148": "Undefined Access (no effect) Bit 12", - "5149": "Undefined Access (no effect) Bit 13", - "5150": "Undefined Access (no effect) Bit 14", - "5151": "Undefined Access (no effect) Bit 15", - "5376": "ConnectToServer", - "5377": "ShutdownServer", - "5378": "InitializeServer", - "5379": "CreateDomain", - "5380": "EnumerateDomains", - "5381": "LookupDomain", - "5382": "Undefined Access (no effect) Bit 6", - "5383": "Undefined Access (no effect) Bit 7", - "5384": "Undefined Access (no effect) Bit 8", - "5385": "Undefined Access (no effect) Bit 9", - "5386": "Undefined Access (no effect) Bit 10", - "5387": "Undefined Access (no effect) Bit 11", - "5388": "Undefined Access (no effect) Bit 12", - "5389": "Undefined Access (no effect) Bit 13", - "5390": "Undefined Access (no effect) Bit 14", - "5391": "Undefined Access (no effect) Bit 15", - "5392": "ReadPasswordParameters", - "5393": "WritePasswordParameters", - "5394": "ReadOtherParameters", - "5395": "WriteOtherParameters", - "5396": "CreateUser", - "5397": "CreateGlobalGroup", - "5398": "CreateLocalGroup", - "5399": "GetLocalGroupMembership", - "5400": "ListAccounts", - "5401": "LookupIDs", - "5402": "AdministerServer", - "5403": "Undefined Access (no effect) Bit 11", - "5404": "Undefined Access (no effect) Bit 12", - "5405": "Undefined Access (no effect) Bit 13", - "5406": "Undefined Access (no effect) Bit 14", - "5407": "Undefined Access (no effect) Bit 15", - "5408": "ReadInformation", - "5409": "WriteAccount", - "5410": "AddMember", - "5411": "RemoveMember", - "5412": "ListMembers", - 
"5413": "Undefined Access (no effect) Bit 5", - "5414": "Undefined Access (no effect) Bit 6", - "5415": "Undefined Access (no effect) Bit 7", - "5416": "Undefined Access (no effect) Bit 8", - "5417": "Undefined Access (no effect) Bit 9", - "5418": "Undefined Access (no effect) Bit 10", - "5419": "Undefined Access (no effect) Bit 11", - "5420": "Undefined Access (no effect) Bit 12", - "5421": "Undefined Access (no effect) Bit 13", - "5422": "Undefined Access (no effect) Bit 14", - "5423": "Undefined Access (no effect) Bit 15", - "5424": "AddMember", - "5425": "RemoveMember", - "5426": "ListMembers", - "5427": "ReadInformation", - "5428": "WriteAccount", - "5429": "Undefined Access (no effect) Bit 5", - "5430": "Undefined Access (no effect) Bit 6", - "5431": "Undefined Access (no effect) Bit 7", - "5432": "Undefined Access (no effect) Bit 8", - "5433": "Undefined Access (no effect) Bit 9", - "5434": "Undefined Access (no effect) Bit 10", - "5435": "Undefined Access (no effect) Bit 11", - "5436": "Undefined Access (no effect) Bit 12", - "5437": "Undefined Access (no effect) Bit 13", - "5438": "Undefined Access (no effect) Bit 14", - "5439": "Undefined Access (no effect) Bit 15", - "5440": "ReadGeneralInformation", - "5441": "ReadPreferences", - "5442": "WritePreferences", - "5443": "ReadLogon", - "5444": "ReadAccount", - "5445": "WriteAccount", - "5446": "ChangePassword (with knowledge of old password)", - "5447": "SetPassword (without knowledge of old password)", - "5448": "ListGroups", - "5449": "ReadGroupMembership", - "5450": "ChangeGroupMembership", - "5451": "Undefined Access (no effect) Bit 11", - "5452": "Undefined Access (no effect) Bit 12", - "5453": "Undefined Access (no effect) Bit 13", - "5454": "Undefined Access (no effect) Bit 14", - "5455": "Undefined Access (no effect) Bit 15", - "5632": "View non-sensitive policy information", - "5633": "View system audit requirements", - "5634": "Get sensitive policy information", - "5635": "Modify domain trust 
relationships", - "5636": "Create special accounts (for assignment of user rights)", - "5637": "Create a secret object", - "5638": "Create a privilege", - "5639": "Set default quota limits", - "5640": "Change system audit requirements", - "5641": "Administer audit log attributes", - "5642": "Enable/Disable LSA", - "5643": "Lookup Names/SIDs", - "5648": "Change secret value", - "5649": "Query secret value", - "5650": "Undefined Access (no effect) Bit 2", - "5651": "Undefined Access (no effect) Bit 3", - "5652": "Undefined Access (no effect) Bit 4", - "5653": "Undefined Access (no effect) Bit 5", - "5654": "Undefined Access (no effect) Bit 6", - "5655": "Undefined Access (no effect) Bit 7", - "5656": "Undefined Access (no effect) Bit 8", - "5657": "Undefined Access (no effect) Bit 9", - "5658": "Undefined Access (no effect) Bit 10", - "5659": "Undefined Access (no effect) Bit 11", - "5660": "Undefined Access (no effect) Bit 12", - "5661": "Undefined Access (no effect) Bit 13", - "5662": "Undefined Access (no effect) Bit 14", - "5663": "Undefined Access (no effect) Bit 15", - "5664": "Query trusted domain name/SID", - "5665": "Retrieve the controllers in the trusted domain", - "5666": "Change the controllers in the trusted domain", - "5667": "Query the Posix ID offset assigned to the trusted domain", - "5668": "Change the Posix ID offset assigned to the trusted domain", - "5669": "Undefined Access (no effect) Bit 5", - "5670": "Undefined Access (no effect) Bit 6", - "5671": "Undefined Access (no effect) Bit 7", - "5672": "Undefined Access (no effect) Bit 8", - "5673": "Undefined Access (no effect) Bit 9", - "5674": "Undefined Access (no effect) Bit 10", - "5675": "Undefined Access (no effect) Bit 11", - "5676": "Undefined Access (no effect) Bit 12", - "5677": "Undefined Access (no effect) Bit 13", - "5678": "Undefined Access (no effect) Bit 14", - "5679": "Undefined Access (no effect) Bit 15", - "5680": "Query account information", - "5681": "Change privileges 
assigned to account", - "5682": "Change quotas assigned to account", - "5683": "Change logon capabilities assigned to account", - "5684": "Change the Posix ID offset assigned to the accounted domain", - "5685": "Undefined Access (no effect) Bit 5", - "5686": "Undefined Access (no effect) Bit 6", - "5687": "Undefined Access (no effect) Bit 7", - "5688": "Undefined Access (no effect) Bit 8", - "5689": "Undefined Access (no effect) Bit 9", - "5690": "Undefined Access (no effect) Bit 10", - "5691": "Undefined Access (no effect) Bit 11", - "5692": "Undefined Access (no effect) Bit 12", - "5693": "Undefined Access (no effect) Bit 13", - "5694": "Undefined Access (no effect) Bit 14", - "5695": "Undefined Access (no effect) Bit 15", - "5696": "KeyedEvent Wait", - "5697": "KeyedEvent Wake", - "5698": "Undefined Access (no effect) Bit 2", - "5699": "Undefined Access (no effect) Bit 3", - "5700": "Undefined Access (no effect) Bit 4", - "5701": "Undefined Access (no effect) Bit 5", - "5702": "Undefined Access (no effect) Bit 6", - "5703": "Undefined Access (no effect) Bit 7", - "5704": "Undefined Access (no effect) Bit 8", - "5705": "Undefined Access (no effect) Bit 9", - "5706": "Undefined Access (no effect) Bit 10", - "5707": "Undefined Access (no effect) Bit 11", - "5708": "Undefined Access (no effect) Bit 12", - "5709": "Undefined Access (no effect) Bit 13", - "5710": "Undefined Access (no effect) Bit 14", - "5711": "Undefined Access (no effect) Bit 15", - "6656": "Enumerate desktops", - "6657": "Read attributes", - "6658": "Access Clipboard", - "6659": "Create desktop", - "6660": "Write attributes", - "6661": "Access global atoms", - "6662": "Exit windows", - "6663": "Unused Access Flag", - "6664": "Include this windowstation in enumerations", - "6665": "Read screen", - "6672": "Read Objects", - "6673": "Create window", - "6674": "Create menu", - "6675": "Hook control", - "6676": "Journal (record)", - "6677": "Journal (playback)", - "6678": "Include this desktop in 
enumerations", - "6679": "Write objects", - "6680": "Switch to this desktop", - "6912": "Administer print server", - "6913": "Enumerate printers", - "6930": "Full Control", - "6931": "Print", - "6948": "Administer Document", - "7168": "Connect to service controller", - "7169": "Create a new service", - "7170": "Enumerate services", - "7171": "Lock service database for exclusive access", - "7172": "Query service database lock state", - "7173": "Set last-known-good state of service database", - "7184": "Query service configuration information", - "7185": "Set service configuration information", - "7186": "Query status of service", - "7187": "Enumerate dependencies of service", - "7188": "Start the service", - "7189": "Stop the service", - "7190": "Pause or continue the service", - "7191": "Query information from service", - "7192": "Issue service-specific control commands", - "7424": "DDE Share Read", - "7425": "DDE Share Write", - "7426": "DDE Share Initiate Static", - "7427": "DDE Share Initiate Link", - "7428": "DDE Share Request", - "7429": "DDE Share Advise", - "7430": "DDE Share Poke", - "7431": "DDE Share Execute", - "7432": "DDE Share Add Items", - "7433": "DDE Share List Items", - "7680": "Create Child", - "7681": "Delete Child", - "7682": "List Contents", - "7683": "Write Self", - "7684": "Read Property", - "7685": "Write Property", - "7686": "Delete Tree", - "7687": "List Object", - "7688": "Control Access", - "7689": "Undefined Access (no effect) Bit 9", - "7690": "Undefined Access (no effect) Bit 10", - "7691": "Undefined Access (no effect) Bit 11", - "7692": "Undefined Access (no effect) Bit 12", - "7693": "Undefined Access (no effect) Bit 13", - "7694": "Undefined Access (no effect) Bit 14", - "7695": "Undefined Access (no effect) Bit 15", - "7936": "Audit Set System Policy", - "7937": "Audit Query System Policy", - "7938": "Audit Set Per User Policy", - "7939": "Audit Query Per User Policy", - "7940": "Audit Enumerate Users", - "7941": "Audit Set 
Options", - "7942": "Audit Query Options", - "8064": "Port sharing (read)", - "8065": "Port sharing (write)", - "8096": "Default credentials", - "8097": "Credentials manager", - "8098": "Fresh credentials", - "8192": "Kerberos", - "8193": "Preshared key", - "8194": "Unknown authentication", - "8195": "DES", - "8196": "3DES", - "8197": "MD5", - "8198": "SHA1", - "8199": "Local computer", - "8200": "Remote computer", - "8201": "No state", - "8202": "Sent first (SA) payload", - "8203": "Sent second (KE) payload", - "8204": "Sent third (ID) payload", - "8205": "Initiator", - "8206": "Responder", - "8207": "No state", - "8208": "Sent first (SA) payload", - "8209": "Sent final payload", - "8210": "Complete", - "8211": "Unknown", - "8212": "Transport", - "8213": "Tunnel", - "8214": "IKE/AuthIP DoS prevention mode started", - "8215": "IKE/AuthIP DoS prevention mode stopped", - "8216": "Enabled", - "8217": "Not enabled", - "8218": "No state", - "8219": "Sent first (EM attributes) payload", - "8220": "Sent second (SSPI) payload", - "8221": "Sent third (hash) payload", - "8222": "IKEv1", - "8223": "AuthIP", - "8224": "Anonymous", - "8225": "NTLM V2", - "8226": "CGA", - "8227": "Certificate", - "8228": "SSL", - "8229": "None", - "8230": "DH group 1", - "8231": "DH group 2", - "8232": "DH group 14", - "8233": "DH group ECP 256", - "8234": "DH group ECP 384", - "8235": "AES-128", - "8236": "AES-192", - "8237": "AES-256", - "8238": "Certificate ECDSA P256", - "8239": "Certificate ECDSA P384", - "8240": "SSL ECDSA P256", - "8241": "SSL ECDSA P384", - "8242": "SHA 256", - "8243": "SHA 384", - "8244": "IKEv2", - "8245": "EAP payload sent", - "8246": "Authentication payload sent", - "8247": "EAP", - "8248": "DH group 24", - "8272": "System", - "8273": "Logon/Logoff", - "8274": "Object Access", - "8275": "Privilege Use", - "8276": "Detailed Tracking", - "8277": "Policy Change", - "8278": "Account Management", - "8279": "DS Access", - "8280": "Account Logon", - "8448": "Success 
removed", - "8449": "Success Added", - "8450": "Failure removed", - "8451": "Failure Added", - "8452": "Success include removed", - "8453": "Success include added", - "8454": "Success exclude removed", - "8455": "Success exclude added", - "8456": "Failure include removed", - "8457": "Failure include added", - "8458": "Failure exclude removed", - "8459": "Failure exclude added", - "12288": "Security State Change", - "12289": "Security System Extension", - "12290": "System Integrity", - "12291": "IPsec Driver", - "12292": "Other System Events", - "12544": "Logon", - "12545": "Logoff", - "12546": "Account Lockout", - "12547": "IPsec Main Mode", - "12548": "Special Logon", - "12549": "IPsec Quick Mode", - "12550": "IPsec Extended Mode", - "12551": "Other Logon/Logoff Events", - "12552": "Network Policy Server", - "12553": "User / Device Claims", - "12554": "Group Membership", - "12800": "File System", - "12801": "Registry", - "12802": "Kernel Object", - "12803": "SAM", - "12804": "Other Object Access Events", - "12805": "Certification Services", - "12806": "Application Generated", - "12807": "Handle Manipulation", - "12808": "File Share", - "12809": "Filtering Platform Packet Drop", - "12810": "Filtering Platform Connection", - "12811": "Detailed File Share", - "12812": "Removable Storage", - "12813": "Central Policy Staging", - "13056": "Sensitive Privilege Use", - "13057": "Non Sensitive Privilege Use", - "13058": "Other Privilege Use Events", - "13312": "Process Creation", - "13313": "Process Termination", - "13314": "DPAPI Activity", - "13315": "RPC Events", - "13316": "Plug and Play Events", - "13317": "Token Right Adjusted Events", - "13568": "Audit Policy Change", - "13569": "Authentication Policy Change", - "13570": "Authorization Policy Change", - "13571": "MPSSVC Rule-Level Policy Change", - "13572": "Filtering Platform Policy Change", - "13573": "Other Policy Change Events", - "13824": "User Account Management", - "13825": "Computer Account Management", - 
"13826": "Security Group Management", - "13827": "Distribution Group Management", - "13828": "Application Group Management", - "13829": "Other Account Management Events", - "14080": "Directory Service Access", - "14081": "Directory Service Changes", - "14082": "Directory Service Replication", - "14083": "Detailed Directory Service Replication", - "14336": "Credential Validation", - "14337": "Kerberos Service Ticket Operations", - "14338": "Other Account Logon Events", - "14339": "Kerberos Authentication Service", - "14592": "Inbound", - "14593": "Outbound", - "14594": "Forward", - "14595": "Bidirectional", - "14596": "IP Packet", - "14597": "Transport", - "14598": "Forward", - "14599": "Stream", - "14600": "Datagram Data", - "14601": "ICMP Error", - "14602": "MAC 802.3", - "14603": "MAC Native", - "14604": "vSwitch", - "14608": "Resource Assignment", - "14609": "Listen", - "14610": "Receive/Accept", - "14611": "Connect", - "14612": "Flow Established", - "14614": "Resource Release", - "14615": "Endpoint Closure", - "14616": "Connect Redirect", - "14617": "Bind Redirect", - "14624": "Stream Packet", - "14640": "ICMP Echo-Request", - "14641": "vSwitch Ingress", - "14642": "vSwitch Egress", - "14672": "", - "14673": "[NULL]", - "14674": "Value Added", - "14675": "Value Deleted", - "14676": "Active Directory Domain Services", - "14677": "Active Directory Lightweight Directory Services", - "14678": "Yes", - "14679": "No", - "14680": "Value Added With Expiration Time", - "14681": "Value Deleted With Expiration Time", - "14688": "Value Auto Deleted With Expiration Time", - "16384": "Add", - "16385": "Delete", - "16386": "Boot-time", - "16387": "Persistent", - "16388": "Not persistent", - "16389": "Block", - "16390": "Permit", - "16391": "Callout", - "16392": "MD5", - "16393": "SHA-1", - "16394": "SHA-256", - "16395": "AES-GCM 128", - "16396": "AES-GCM 192", - "16397": "AES-GCM 256", - "16398": "DES", - "16399": "3DES", - "16400": "AES-128", - "16401": "AES-192", - "16402": 
"AES-256", - "16403": "Transport", - "16404": "Tunnel", - "16405": "Responder", - "16406": "Initiator", - "16407": "AES-GMAC 128", - "16408": "AES-GMAC 192", - "16409": "AES-GMAC 256", - "16416": "AuthNoEncap Transport", - "16896": "Enable WMI Account", - "16897": "Execute Method", - "16898": "Full Write", - "16899": "Partial Write", - "16900": "Provider Write", - "16901": "Remote Access", - "16902": "Subscribe", - "16903": "Publish", - }; - // Trust Types - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706 - var trustTypes = { - "1": "TRUST_TYPE_DOWNLEVEL", - "2": "TRUST_TYPE_UPLEVEL", - "3": "TRUST_TYPE_MIT", - "4": "TRUST_TYPE_DCE" - } - // Trust Direction - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706 - var trustDirection = { - "0": "TRUST_DIRECTION_DISABLED", - "1": "TRUST_DIRECTION_INBOUND", - "2": "TRUST_DIRECTION_OUTBOUND", - "3": "TRUST_DIRECTION_BIDIRECTIONAL" - } - // Trust Attributes - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706 - var trustAttributes = { - "0": "UNDEFINED", - "1": "TRUST_ATTRIBUTE_NON_TRANSITIVE", - "2": "TRUST_ATTRIBUTE_UPLEVEL_ONLY", - "4": "TRUST_ATTRIBUTE_QUARANTINED_DOMAIN", - "8": "TRUST_ATTRIBUTE_FOREST_TRANSITIVE", - "16": "TRUST_ATTRIBUTE_CROSS_ORGANIZATION", - "32": "TRUST_ATTRIBUTE_WITHIN_FOREST", - "64": "TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL", - "128": "TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION", - "512": "TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION", - "1024": "TRUST_ATTRIBUTE_PIM_TRUST" - } - // SDDL Ace Types - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4715 - // https://docs.microsoft.com/en-us/windows/win32/secauthz/ace-strings - // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/f4296d69-1c0f-491f-9587-a960b292d070 - var aceTypes = { - "A": "Access Allowed", - "D": "Access Denied", - "OA": "Object Access Allowed", - "OD": 
"Object Access Denied", - "AU": "System Audit", - "AL": "System Alarm", - "OU": "System Object Audit", - "OL": "System Object Alarm", - "ML": "System Mandatory Label", - "SP": "Central Policy ID" - } - // SDDL Permissions - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4715 - // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/f4296d69-1c0f-491f-9587-a960b292d070 - var permissionDescription = { - "GA": "Generic All", - "GR": "Generic Read", - "GW": "Generic Write", - "GX": "Generic Execute", - "RC": "Read Permissions", - "SD": "Delete", - "WD": "Modify Permissions", - "WO": "Modify Owner", - "RP": "Read All Properties", - "WP": "Write All Properties", - "CC": "Create All Child Objects", - "DC": "Delete All Child Objects", - "LC": "List Contents", - "SW": "All Validated", - "LO": "List Object", - "DT": "Delete Subtree", - "CR": "All Extended Rights", - "FA": "File All Access", - "FR": "File Generic Read", - "FX": "FILE GENERIC EXECUTE", - "FW": "FILE GENERIC WRITE", - "KA": "KEY ALL ACCESS", - "KR": "KEY READ", - "KW": "KEY WRITE", - "KX": "KEY EXECUTE" - } - // Known SIDs - // https://support.microsoft.com/en-au/help/243330/well-known-security-identifier"S-in-window"S-operating-systems - // https://docs.microsoft.com/en-us/windows/win32/secauthz/sid-strings - var accountSIDDescription = { - "AO": "Account operators", - "RU": "Alias to allow previous Windows 2000", - "AN": "Anonymous logon", - "AU": "Authenticated users", - "BA": "Built-in administrators", - "BG": "Built-in guests", - "BO": "Backup operators", - "BU": "Built-in users", - "CA": "Certificate server administrators", - "CG": "Creator group", - "CO": "Creator owner", - "DA": "Domain administrators", - "DC": "Domain computers", - "DD": "Domain controllers", - "DG": "Domain guests", - "DU": "Domain users", - "EA": "Enterprise administrators", - "ED": "Enterprise domain controllers", - "WD": "Everyone", - "PA": "Group Policy administrators", - 
"IU": "Interactively logged-on user", - "LA": "Local administrator", - "LG": "Local guest", - "LS": "Local service account", - "SY": "Local system", - "NU": "Network logon user", - "NO": "Network configuration operators", - "NS": "Network service account", - "PO": "Printer operators", - "PS": "Personal self", - "PU": "Power users", - "RS": "RAS servers group", - "RD": "Terminal server users", - "RE": "Replicator", - "RC": "Restricted code", - "SA": "Schema administrators", - "SO": "Server operators", - "SU": "Service logon user", - "S-1-0": "Null Authority", - "S-1-0-0": "Nobody", - "S-1-1": "World Authority", - "S-1-1-0": "Everyone", - "S-1-16-0": "Untrusted Mandatory Level", - "S-1-16-12288": "High Mandatory Level", - "S-1-16-16384": "System Mandatory Level", - "S-1-16-20480": "Protected Process Mandatory Level", - "S-1-16-28672": "Secure Process Mandatory Level", - "S-1-16-4096": "Low Mandatory Level", - "S-1-16-8192": "Medium Mandatory Level", - "S-1-16-8448": "Medium Plus Mandatory Level", - "S-1-2": "Local Authority", - "S-1-2-0": "Local", - "S-1-2-1": "Console Logon", - "S-1-3": "Creator Authority", - "S-1-3-0": "Creator Owner", - "S-1-3-1": "Creator Group", - "S-1-3-2": "Creator Owner Server", - "S-1-3-3": "Creator Group Server", - "S-1-3-4": "Owner Rights", - "S-1-4": "Non-unique Authority", - "S-1-5": "NT Authority", - "S-1-5-1": "Dialup", - "S-1-5-10": "Principal Self", - "S-1-5-11": "Authenticated Users", - "S-1-5-12": "Restricted Code", - "S-1-5-13": "Terminal Server Users", - "S-1-5-14": "Remote Interactive Logon", - "S-1-5-15": "This Organization", - "S-1-5-17": "This Organization", - "S-1-5-18": "Local System", - "S-1-5-19": "NT Authority", - "S-1-5-2": "Network", - "S-1-5-20": "NT Authority", - "S-1-5-3": "Batch", - "S-1-5-32-544": "Administrators", - "S-1-5-32-545": "Users", - "S-1-5-32-546": "Guests", - "S-1-5-32-547": "Power Users", - "S-1-5-32-548": "Account Operators", - "S-1-5-32-549": "Server Operators", - "S-1-5-32-550": "Print Operators", 
- "S-1-5-32-551": "Backup Operators", - "S-1-5-32-552": "Replicators", - "S-1-5-32-554": "Builtin\Pre-Windows 2000 Compatible Access", - "S-1-5-32-555": "Builtin\Remote Desktop Users", - "S-1-5-32-556": "Builtin\Network Configuration Operators", - "S-1-5-32-557": "Builtin\Incoming Forest Trust Builders", - "S-1-5-32-558": "Builtin\Performance Monitor Users", - "S-1-5-32-559": "Builtin\Performance Log Users", - "S-1-5-32-560": "Builtin\Windows Authorization Access Group", - "S-1-5-32-561": "Builtin\Terminal Server License Servers", - "S-1-5-32-562": "Builtin\Distributed COM Users", - "S-1-5-32-569": "Builtin\Cryptographic Operators", - "S-1-5-32-573": "Builtin\Event Log Readers", - "S-1-5-32-574": "Builtin\Certificate Service DCOM Access", - "S-1-5-32-575": "Builtin\RDS Remote Access Servers", - "S-1-5-32-576": "Builtin\RDS Endpoint Servers", - "S-1-5-32-577": "Builtin\RDS Management Servers", - "S-1-5-32-578": "Builtin\Hyper-V Administrators", - "S-1-5-32-579": "Builtin\Access Control Assistance Operators", - "S-1-5-32-580": "Builtin\Remote Management Users", - "S-1-5-32-582": "Storage Replica Administrators", - "S-1-5-4": "Interactive", - "S-1-5-5-X-Y": "Logon Session", - "S-1-5-6": "Service", - "S-1-5-64-10": "NTLM Authentication", - "S-1-5-64-14": "SChannel Authentication", - "S-1-5-64-21": "Digest Authentication", - "S-1-5-7": "Anonymous", - "S-1-5-8": "Proxy", - "S-1-5-80": "NT Service", - "S-1-5-80-0": "All Services", - "S-1-5-83-0": "NT Virtual Machine\Virtual Machines", - "S-1-5-9": "Enterprise Domain Controllers", - "S-1-5-90-0": "Windows Manager\Windows Manager Group" - } - // Domain-specific SIDs - // https://support.microsoft.com/en-au/help/243330/well-known-security-identifiers-in-windows-operating-systems - var domainSpecificSID = { - "498": "Enterprise Read-only Domain Controllers", - "500": "Administrator", - "501": "Guest", - "502": "KRBTGT", - "512": "Domain Admins", - "513": "Domain Users", - "514": "Domain Guests", - "515": "Domain Computers", - 
"516": "Domain Controllers", - "517": "Cert Publishers", - "518": "Schema Admins", - "519": "Enterprise Admins", - "520": "Group Policy Creator Owners", - "521": "Read-only Domain Controllers", - "522": "Cloneable Domain Controllers", - "526": "Key Admins", - "527": "Enterprise Key Admins", - "553": "RAS and IAS Servers", - "571": "Allowed RODC Password Replication Group", - "572": "Denied RODC Password Replication Group" - } - // Object Permission Flags - // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/7a53f60e-e730-4dfe-bbe9-b21b62eb790b - var permsFlags = [ - [0x80000000, 'Generic Read'], - [0x4000000, 'Generic Write'], - [0x20000000, 'Generic Execute'], - [0x10000000, 'Generic All'], - [0x02000000, 'Maximun Allowed'], - [0x01000000, 'Access System Security'], - [0x00100000, 'Syncronize'], - [0x00080000, 'Write Owner'], - [0x00040000, 'Write DACL'], - [0x00020000, 'Read Control'], - [0x00010000, 'Delete'] - ]; - // lookupMessageCode returns the string associated with the code. key should - // be the name of the field in evt containing the code (e.g. %%2313). 
- var lookupMessageCode = function (evt, key) { - var code = evt.Get(key); - if (!code) { - return; - } - code = code.replace("%%", ""); - return msobjsMessageTable[code]; - }; - var addEventFields = function(evt){ - var code = evt.Get("event.code"); - if (!code) { - return; - } - var eventActionDescription = eventActionTypes[code][2]; - if (eventActionDescription) { - evt.AppendTo("event.category", eventActionTypes[code][0]); - evt.AppendTo("event.type", eventActionTypes[code][1]); - evt.Put("event.action", eventActionTypes[code][2]); - } - }; - var addLogonType = function(evt) { - var code = evt.Get("winlog.event_data.LogonType"); - if (!code) { - return; - } - var descriptiveLogonType = logonTypes[code]; - if (descriptiveLogonType === undefined) { - return; - } - evt.Put("winlog.logon.type", descriptiveLogonType); - }; - var addFailureCode = function(evt) { - var msg = lookupMessageCode(evt, "winlog.event_data.FailureReason"); - if (!msg) { - return; - } - evt.Put("winlog.logon.failure.reason", msg); - }; - var addFailureStatus = function(evt) { - var code = evt.Get("winlog.event_data.Status"); - if (!code) { - return; - } - var descriptiveFailureStatus = logonFailureStatus[code]; - if (descriptiveFailureStatus === undefined) { - return; - } - evt.Put("winlog.logon.failure.status", descriptiveFailureStatus); - }; - var addFailureSubStatus = function(evt) { - var code = evt.Get("winlog.event_data.SubStatus"); - if (!code) { - return; - } - var descriptiveFailureStatus = logonFailureStatus[code]; - if (descriptiveFailureStatus === undefined) { - return; - } - evt.Put("winlog.logon.failure.sub_status", descriptiveFailureStatus); - }; - var addUACDescription = function(evt) { - var code = evt.Get("winlog.event_data.NewUacValue"); - if (!code) { - return; - } - var uacCode = parseInt(code); - var uacResult = []; - for (var i = 0; i < uacFlags.length; i++) { - if ((uacCode | uacFlags[i][0]) === uacCode) { - uacResult.push(uacFlags[i][1]); - } - } - if (uacResult) { - 
evt.Put("winlog.event_data.NewUACList", uacResult); - } - var uacList = evt.Get("winlog.event_data.UserAccountControl").replace(/\s/g, '').split("%%").filter(String); - if (!uacList) { - return; - } - evt.Put("winlog.event_data.UserAccountControl", uacList); - }; - var addAuditInfo = function(evt) { - var subcategoryGuid = evt.Get("winlog.event_data.SubcategoryGuid").replace("{", '').replace("}", '').toUpperCase(); - if (!subcategoryGuid) { - return; - } - if (!auditDescription[subcategoryGuid]) { - return; - } - evt.Put("winlog.event_data.Category", auditDescription[subcategoryGuid][1]); - evt.Put("winlog.event_data.SubCategory", auditDescription[subcategoryGuid][0]); - var codedActions = evt.Get("winlog.event_data.AuditPolicyChanges").split(","); - var actionResults = []; - for (var j = 0; j < codedActions.length; j++) { - var actionCode = codedActions[j].replace("%%", '').replace(' ', ''); - actionResults.push(msobjsMessageTable[actionCode]); - } - evt.Put("winlog.event_data.AuditPolicyChangesDescription", actionResults); - }; - var addTicketOptionsDescription = function(evt) { - var code = evt.Get("winlog.event_data.TicketOptions"); - if (!code) { - return; - } - var tktCode = parseInt(code, 16).toString(2); - var tktResult = []; - var tktCodeLen = tktCode.length; - for (var i = tktCodeLen; i >= 0; i--) { - if (tktCode[i] == 1) { - tktResult.push(ticketOptions[(32-tktCodeLen)+i]); - } - } - if (tktResult) { - evt.Put("winlog.event_data.TicketOptionsDescription", tktResult); - } - }; - var addTicketEncryptionType = function(evt) { - var code = evt.Get("winlog.event_data.TicketEncryptionType"); - if (!code) { - return; - } - var encTypeCode = code.toLowerCase(); - evt.Put("winlog.event_data.TicketEncryptionTypeDescription", ticketEncryptionTypes[encTypeCode]); - }; - var addTicketStatus = function(evt) { - var code = evt.Get("winlog.event_data.Status"); - if (!code) { - return; - } - evt.Put("winlog.event_data.StatusDescription", kerberosTktStatusCodes[code]); - 
}; - var translateSID = function(sid){ - var translatedSID = accountSIDDescription[sid]; - if (translatedSID == undefined) { - if (/^S\-1\-5\-21/.test(sid)) { - var uid = sid.match(/[0-9]{1,5}$/g); - if (uid) { - translatedSID = domainSpecificSID[uid]; - } - } - } - if (translatedSID == undefined) { - translatedSID = sid; - } - return translatedSID; - } - var translatePermissionMask = function(mask) { - if (!mask) { - return; - } - var permCode = parseInt(mask); - var permResult = []; - for (var i = 0; i < permsFlags.length; i++) { - if ((permCode | permsFlags[i][0]) === permCode) { - permResult.push(permsFlags[i][1]); - } - } - if (permResult) { - return permResult; - } else { - return mask; - } - }; - var translateACL = function(dacl) { - var aceArray = dacl.split(";"); - var aceResult = []; - var aceType = aceArray[0]; - var acePerm = aceArray[2]; - var aceTrustedSid = aceArray[5]; - if (aceTrustedSid) { - aceResult['grantee'] = translateSID(aceTrustedSid); - } - if (aceType) { - aceResult['type'] = aceTypes[aceType]; - } - if (acePerm) { - if (/^0x/.test(acePerm)) { - var perms = translatePermissionMask(acePerm); - } - else { - var perms = [] - var permPairs = acePerm.match(/.{1,2}/g); - for ( var i = 0; i < permPairs.length; i ++) { - perms.push(permissionDescription[permPairs[i]]) - } - } - aceResult['perms'] = perms; - } - return aceResult; - }; - var enrichSDDL = function(evt, sddl) { - var sddlStr = evt.Get(sddl); - if (!sddlStr) { - return; - } - var sdOwner = sddlStr.match(/^O\:[A-Z]{2}/g); - var sdGroup = sddlStr.match(/^G\:[A-Z]{2}/g); - var sdDacl = sddlStr.match(/(D:([A-Z]*(\(.*\))*))/g); - var sdSacl = sddlStr.match(/(S:([A-Z]*(\(.*\))*))?$/g); - if (sdOwner) { - evt.Put(sddl+"Owner", translateSID(sdOwner)); - } - if (sdGroup) { - evt.Put(sddl+"Group", translateSID(sdGroup)); - } - if (sdDacl) { - // Split each entry of the DACL - var daclList = (sdDacl[0]).match(/\([^*\)]*\)/g); - if (daclList) { - for (var i = 0; i < daclList.length; i++) { - var 
newDacl = translateACL(daclList[i].replace("(", '').replace(")", '')); - evt.Put(sddl+"Dacl"+i, newDacl['grantee']+" :"+newDacl['type']+" ("+newDacl['perms']+")"); - if ( newDacl['grantee'] === "Administrator" || newDacl['grantee'] === "Guest" || newDacl['grantee'] === "KRBTGT" ) { - evt.AppendTo('related.user', newDacl['grantee']); - } - } - } - } - if (sdSacl) { - // Split each entry of the SACL - var saclList = (sdSacl[0]).match(/\([^*\)]*\)/g); - if (saclList) { - for (var i = 0; i < saclList.length; i++) { - var newSacl = translateACL(saclList[i].replace("(", '').replace(")", '')); - evt.Put(sddl+"Sacl"+i, newSacl['grantee']+" :"+newSacl['type']+" ("+newSacl['perms']+")"); - if ( newSacl['grantee'] === "Administrator" || newSacl['grantee'] === "Guest" || newSacl['grantee'] === "KRBTGT" ) { - evt.AppendTo('related.user', newSacl['grantee']); - } - } - } - } - }; - - var addSessionData = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.AccountName", to: "user.name"}, - {from: "winlog.event_data.AccountDomain", to: "user.domain"}, - {from: "winlog.event_data.ClientAddress", to: "source.ip", type: "ip"}, - {from: "winlog.event_data.ClientAddress", to: "related.ip", type: "ip"}, - {from: "winlog.event_data.ClientName", to: "source.domain"}, - {from: "winlog.event_data.LogonID", to: "winlog.logon.id"}, - ], - ignore_missing: true, - fail_on_error: false, - }) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.AccountName"); - evt.AppendTo('related.user', user); - }) - .Build(); - var addServiceFields = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.ServiceName", to: "service.name"}, - ], - ignore_missing: true, - }) - .Add(function(evt) { - var code = evt.Get("winlog.event_data.ServiceType"); - if (!code) { - return; - } - evt.Put("service.type", serviceTypes[code]); - }) - .Build(); - var addTrustInformation = new processor.Chain() - .Add(function(evt) { - var code = 
evt.Get("winlog.event_data.TdoType"); - if (!code) { - return; - } - evt.Put("winlog.trustType", trustTypes[code]); - code = evt.Get("winlog.event_data.TdoDirection"); - if (!code) { - return; - } - evt.Put("winlog.trustDirection", trustDirection[code]); - code = evt.Get("winlog.event_data.TdoAttributes"); - if (!code) { - return; - } - evt.Put("winlog.trustAttribute", trustAttributes[code]); - - }) - .Build(); - - var copyTargetUser = function(evt) { - var targetUserId = evt.Get("winlog.event_data.TargetUserSid"); - if (targetUserId) { - if (evt.Get("user.id")) evt.Put("user.target.id", targetUserId); - else evt.Put("user.id", targetUserId); - } - - var targetUserName = evt.Get("winlog.event_data.TargetUserName"); - if (targetUserName) { - if (/.@*/.test(targetUserName)) { - targetUserName = targetUserName.split('@')[0]; - } - - evt.AppendTo("related.user", targetUserName); - if (evt.Get("user.name")) evt.Put("user.target.name", targetUserName); - else evt.Put("user.name", targetUserName); - } - - var targetUserDomain = evt.Get("winlog.event_data.TargetDomainName"); - if (targetUserDomain) { - if (evt.Get("user.domain")) evt.Put("user.target.domain", targetUserDomain); - else evt.Put("user.domain", targetUserDomain); - } - } - - var copyMemberToUser = function(evt) { - var member = evt.Get("winlog.event_data.MemberName"); - if (!member) { - return; - } - - var userName = member.split(',')[0].replace('CN=', '').replace('cn=', ''); - - evt.AppendTo("related.user", userName); - evt.Put("user.target.name", userName); - } - - var copyTargetUserToGroup = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.TargetUserSid", to: "group.id"}, - {from: "winlog.event_data.TargetSid", to: "group.id"}, - {from: "winlog.event_data.TargetUserName", to: "group.name"}, - {from: "winlog.event_data.TargetDomainName", to: "group.domain"}, - ], - ignore_missing: true, - }).Add(function(evt) { - if (!evt.Get("user.target")) return; - evt.Put("user.target.group.id", 
evt.Get("group.id")); - evt.Put("user.target.group.name", evt.Get("group.name")); - evt.Put("user.target.group.domain", evt.Get("group.domain")); - }) - .Build(); - var copyTargetUserToComputerObject = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.TargetSid", to: "winlog.computerObject.id"}, - {from: "winlog.event_data.TargetUserName", to: "winlog.computerObject.name"}, - {from: "winlog.event_data.TargetDomainName", to: "winlog.computerObject.domain"}, - ], - ignore_missing: true, - }) - .Build(); - var copyTargetUserLogonId = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.TargetLogonId", to: "winlog.logon.id"}, - ], - ignore_missing: true, - }) - .Build(); - var copySubjectUser = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.SubjectUserSid", to: "user.id"}, - {from: "winlog.event_data.SubjectUserName", to: "user.name"}, - {from: "winlog.event_data.SubjectDomainName", to: "user.domain"}, - ], - ignore_missing: true, - }) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.SubjectUserName"); - evt.AppendTo('related.user', user); - }) - .Build(); - var copySubjectUserFromUserData = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.user_data.SubjectUserSid", to: "user.id"}, - {from: "winlog.user_data.SubjectUserName", to: "user.name"}, - {from: "winlog.user_data.SubjectDomainName", to: "user.domain"}, - ], - ignore_missing: true, - }) - .Add(function(evt) { - var user = evt.Get("winlog.user_data.SubjectUserName"); - evt.AppendTo('related.user', user); - }) - .Build(); - var copySubjectUserLogonId = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.SubjectLogonId", to: "winlog.logon.id"}, - ], - ignore_missing: true, - }) - .Build(); - var copySubjectUserLogonIdFromUserData = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.user_data.SubjectLogonId", to: "winlog.logon.id"}, - ], - ignore_missing: true, - }) - .Build(); - 
var renameCommonAuthFields = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"}, - {from: "winlog.event_data.ProcessName", to: "process.executable"}, - {from: "winlog.event_data.IpAddress", to: "source.ip", type: "ip"}, - {from: "winlog.event_data.ClientAddress", to: "related.ip", type: "ip"}, - {from: "winlog.event_data.IpPort", to: "source.port", type: "long"}, - {from: "winlog.event_data.WorkstationName", to: "source.domain"}, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(function(evt) { - var name = evt.Get("process.name"); - if (name) { - return; - } - var exe = evt.Get("process.executable"); - if (!exe) { - return; - } - evt.Put("process.name", path.basename(exe)); - }) - .Build(); - var renameNewProcessFields = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.NewProcessId", to: "process.pid", type: "long"}, - {from: "winlog.event_data.NewProcessName", to: "process.executable"}, - {from: "winlog.event_data.ParentProcessName", to: "process.parent.executable"} - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(function(evt) { - var name = evt.Get("process.name"); - if (name) { - return; - } - var exe = evt.Get("process.executable"); - if (!exe) { - return; - } - evt.Put("process.name", path.basename(exe)); - }) - .Add(function(evt) { - var name = evt.Get("process.parent.name"); - if (name) { - return; - } - var exe = evt.Get("process.parent.executable"); - if (!exe) { - return; - } - evt.Put("process.parent.name", path.basename(exe)); - }) - .Add(function(evt) { - var cl = evt.Get("winlog.event_data.CommandLine"); - if (!cl) { - return; - } - evt.Put("process.args", windows.splitCommandLine(cl)); - evt.Put("process.command_line", cl); - }) - .Build(); - // Handles 4634 and 4647. 
- var logoff = new processor.Chain() - .Add(copyTargetUser) - .Add(copyTargetUserLogonId) - .Add(addLogonType) - .Add(addEventFields) - .Build(); - // Handles both 4624 - var logonSuccess = new processor.Chain() - .Add(copyTargetUser) - .Add(copyTargetUserLogonId) - .Add(addLogonType) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.SubjectUserName"); - if (user) { - var res = /^-$/.test(user); - if (!res) { - evt.AppendTo('related.user', user); - } - } - }) - .Build(); - // Handles both 4648 - var event4648 = new processor.Chain() - .Add(copyTargetUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.SubjectUserName"); - if (user) { - var res = /^-$/.test(user); - if (!res) { - evt.AppendTo('related.user', user); - } - } - }) - .Build(); - var event4625 = new processor.Chain() - .Add(copyTargetUser) - .Add(copySubjectUserLogonId) - .Add(addLogonType) - .Add(addFailureCode) - .Add(addFailureStatus) - .Add(addFailureSubStatus) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Build(); - var event4672 = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(function(evt) { - var privs = evt.Get("winlog.event_data.PrivilegeList"); - if (!privs) { - return; - } - evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/)); - }) - .Add(addEventFields) - .Build(); - var event4688 = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameNewProcessFields) - .Add(addEventFields) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.TargetUserName"); - if (user) { - var res = /^-$/.test(user); - if (!res) { - evt.AppendTo('related.user', user); - } - } - }) - .Build(); - var event4689 = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Build(); - 
var event4697 = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addServiceFields) - .Add(addEventFields) - .Build(); - var userMgmtEvts = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addUACDescription) - .Add(addEventFields) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.TargetUserName"); - evt.AppendTo('related.user', user); - }) - .Build(); - var userRenamed = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(addEventFields) - .Add(function(evt) { - var userNew = evt.Get("winlog.event_data.NewTargetUserName"); - evt.AppendTo('related.user', userNew); - var userOld = evt.Get("winlog.event_data.OldTargetUserName"); - evt.AppendTo('related.user', userOld); - }) - .Build(); - var groupMgmtEvts = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(copyMemberToUser) - .Add(copyTargetUserToGroup) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Build(); - var auditLogCleared = new processor.Chain() - .Add(copySubjectUserFromUserData) - .Add(copySubjectUserLogonIdFromUserData) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Build(); - var auditChanged = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addAuditInfo) - .Add(addEventFields) - .Build(); - var auditLogMgmt = new processor.Chain() - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Build(); - var computerMgmtEvts = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(copyTargetUserToComputerObject) - .Add(renameCommonAuthFields) - .Add(addUACDescription) - .Add(addEventFields) - .Add(function(evt) { - var privs = evt.Get("winlog.event_data.PrivilegeList"); - if (!privs) { - return; - } - evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/)); - }) - .Build(); - var 
sessionEvts = new processor.Chain() - .Add(addSessionData) - .Add(addEventFields) - .Build(); - var event4964 = new processor.Chain() - .Add(copyTargetUser) - .Add(copyTargetUserLogonId) - .Add(addEventFields) - .Build(); - var kerberosTktEvts = new processor.Chain() - .Add(copyTargetUser) - .Add(renameCommonAuthFields) - .Add(addTicketOptionsDescription) - .Add(addTicketEncryptionType) - .Add(addTicketStatus) - .Add(addEventFields) - .Add(function(evt) { - var ip = evt.Get("source.ip"); - if (ip) { - if (/::ffff:/.test(ip)) { - evt.Put("source.ip", ip.replace("::ffff:", "")); - evt.AppendTo("related.ip", ip.replace("::ffff:", "")); - } - } - }) - .Build(); - var event4776 = new processor.Chain() - .Add(copyTargetUser) - .Add(addFailureStatus) - .Add(addEventFields) - .Build(); - var scheduledTask = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(addEventFields) - .Build(); - var sensitivePrivilege = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Add(function(evt) { - var privs = evt.Get("winlog.event_data.PrivilegeList"); - if (!privs) { - return; - } - evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/)); - }) - .Add(function(evt){ - var maskCodes = evt.Get("winlog.event_data.AccessMask"); - if (!maskCodes) { - return; - } - var maskList = maskCodes.replace(/\s+/g, '').split("%%").filter(String); - evt.Put("winlog.event_data.AccessMask", maskList); - var maskResults = []; - for (var j = 0; j < maskList.length; j++) { - var description = msobjsMessageTable[maskList[j]]; - if (description === undefined) { - return; - } - maskResults.push(description); - } - evt.Put("winlog.event_data.AccessMaskDescription", maskResults); - }) - .Build(); - - var trustDomainMgmtEvts = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(addEventFields) - .Add(addTrustInformation) - .Build(); - - var policyChange = new 
processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(addEventFields) - .Build(); - - var objectPolicyChange = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Add(function(evt) { - var oldSd = evt.Get("winlog.event_data.OldSd"); - var newSd = evt.Get("winlog.event_data.NewSd"); - if (oldSd) { - enrichSDDL(evt, "winlog.event_data.OldSd"); - } - if (newSd) { - enrichSDDL(evt, "winlog.event_data.NewSd"); - } - }) - .Build(); - - var genericAuditChange = new processor.Chain() - .Add(addEventFields) - .Build(); - - var event4908 = new processor.Chain() - .Add(addEventFields) - .Add(function(evt) { - var sids = evt.Get("winlog.event_data.SidList"); - if (!sids) { - return; - } - var sidList = sids.split(/\s+/); - evt.Put("winlog.event_data.SidList", sids.split(/\s+/)); - var sidListDesc = []; - for (var i = 0; i < sidList.length; i++) { - var sidTemp = sidList[i].replace("%", "").replace("{", "").replace("}", "").replace(" ",""); - if (sidTemp) { - sidListDesc.push(translateSID(sidTemp)); - } - } - evt.Put("winlog.event_data.SidListDesc", sidListDesc); - }) - .Build(); - - var securityEventSource = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Build(); - - return { - // 1100 - The event logging service has shut down. - 1100: auditLogMgmt.Run, - // 1102 - The audit log was cleared. - 1102: auditLogCleared.Run, - // 1104 - The security log is now full. - 1104: auditLogMgmt.Run, - // 1105 - Event log automatic backup. - 1105: auditLogMgmt.Run, - // 1108 - The event logging service encountered an error while processing an incoming event published from %1 - 1108: auditLogMgmt.Run, - // 4624 - An account was successfully logged on. - 4624: logonSuccess.Run, - // 4625 - An account failed to log on. - 4625: event4625.Run, - // 4634 - An account was logged off. 
- 4634: logoff.Run, - // 4647 - User initiated logoff. - 4647: logoff.Run, - // 4648 - A logon was attempted using explicit credentials. - 4648: event4648.Run, - // 4670 - Permissions on an object were changed. - 4670: objectPolicyChange.Run, - // 4672 - Special privileges assigned to new logon. - 4672: event4672.Run, - // 4673 - A privileged service was called. - 4673: sensitivePrivilege.Run, - // 4674 - An operation was attempted on a privileged object. - 4674: sensitivePrivilege.Run, - // 4688 - A new process has been created. - 4688: event4688.Run, - // 4689 - A process has exited. - 4689: event4689.Run, - // 4697 - A service was installed in the system. - 4697: event4697.Run, - // 4698 - A scheduled task was created. - 4698: scheduledTask.Run, - // 4699 - A scheduled task was deleted. - 4699: scheduledTask.Run, - // 4700 - A scheduled task was enabled. - 4700: scheduledTask.Run, - // 4701 - A scheduled task was disabled. - 4701: scheduledTask.Run, - // 4702 - A scheduled task was updated. - 4702: scheduledTask.Run, - // 4706 - A new trust was created to a domain. - 4706: trustDomainMgmtEvts.Run, - // 4707 - A trust to a domain was removed. - 4707: trustDomainMgmtEvts.Run, - // 4713 - Kerberos policy was changed. - 4713: policyChange.Run, - // 4716 - Trusted domain information was modified. - 4716: trustDomainMgmtEvts.Run, - // 4717 - System security access was granted to an account. - 4717: policyChange.Run, - // 4718 - System security access was removed from an account. - 4718: policyChange.Run, - // 4719 - System audit policy was changed. - 4719: auditChanged.Run, - // 4720 - A user account was created - 4720: userMgmtEvts.Run, - // 4722 - A user account was enabled - 4722: userMgmtEvts.Run, - // 4723 - An attempt was made to change an account's password - 4723: userMgmtEvts.Run, - // 4724 - An attempt was made to reset an account's password - 4724: userMgmtEvts.Run, - // 4725 - A user account was disabled. 
- 4725: userMgmtEvts.Run, - // 4726 - An user account was deleted. - 4726: userMgmtEvts.Run, - // 4727 - A security-enabled global group was created. - 4727: groupMgmtEvts.Run, - // 4728 - A member was added to a security-enabled global group. - 4728: groupMgmtEvts.Run, - // 4729 - A member was removed from a security-enabled global group. - 4729: groupMgmtEvts.Run, - // 4730 - A security-enabled global group was deleted. - 4730: groupMgmtEvts.Run, - // 4731 - A security-enabled local group was created. - 4731: groupMgmtEvts.Run, - // 4732 - A member was added to a security-enabled local group. - 4732: groupMgmtEvts.Run, - // 4733 - A member was removed from a security-enabled local group. - 4733: groupMgmtEvts.Run, - // 4734 - A security-enabled local group was deleted. - 4734: groupMgmtEvts.Run, - // 4735 - A security-enabled local group was changed. - 4735: groupMgmtEvts.Run, - // 4737 - A security-enabled global group was changed. - 4737: groupMgmtEvts.Run, - // 4739 - A security-enabled global group was changed. - 4739: policyChange.Run, - // 4738 - An user account was changed. - 4738: userMgmtEvts.Run, - // 4740 - An account was locked out - 4740: userMgmtEvts.Run, - // 4741 - A computer account was created. - 4741: computerMgmtEvts.Run, - // 4742 - A computer account was changed. - 4742: computerMgmtEvts.Run, - // 4743 - A computer account was deleted. - 4743: computerMgmtEvts.Run, - // 4744 - A security-disabled local group was created. - 4744: groupMgmtEvts.Run, - // 4745 - A security-disabled local group was changed. - 4745: groupMgmtEvts.Run, - // 4746 - A member was added to a security-disabled local group. - 4746: groupMgmtEvts.Run, - // 4747 - A member was removed from a security-disabled local group. - 4747: groupMgmtEvts.Run, - // 4748 - A security-disabled local group was deleted. - 4748: groupMgmtEvts.Run, - // 4749 - A security-disabled global group was created. - 4749: groupMgmtEvts.Run, - // 4750 - A security-disabled global group was changed. 
- 4750: groupMgmtEvts.Run, - // 4751 - A member was added to a security-disabled global group. - 4751: groupMgmtEvts.Run, - // 4752 - A member was removed from a security-disabled global group. - 4752: groupMgmtEvts.Run, - // 4753 - A security-disabled global group was deleted. - 4753: groupMgmtEvts.Run, - // 4754 - A security-enabled universal group was created. - 4754: groupMgmtEvts.Run, - // 4755 - A security-enabled universal group was changed. - 4755: groupMgmtEvts.Run, - // 4756 - A member was added to a security-enabled universal group. - 4756: groupMgmtEvts.Run, - // 4757 - A member was removed from a security-enabled universal group. - 4757: groupMgmtEvts.Run, - // 4758 - A security-enabled universal group was deleted. - 4758: groupMgmtEvts.Run, - // 4759 - A security-disabled universal group was created. - 4759: groupMgmtEvts.Run, - // 4760 - A security-disabled universal group was changed. - 4760: groupMgmtEvts.Run, - // 4761 - A member was added to a security-disabled universal group. - 4761: groupMgmtEvts.Run, - // 4762 - A member was removed from a security-disabled universal group. - 4762: groupMgmtEvts.Run, - // 4763 - A security-disabled global group was deleted. - 4763: groupMgmtEvts.Run, - // 4764 - A group\'s type was changed. - 4764: groupMgmtEvts.Run, - // 4767 - A user account was unlocked. - 4767: userMgmtEvts.Run, - // 4768 - A Kerberos authentication ticket TGT was requested. - 4768: kerberosTktEvts.Run, - // 4769 - A Kerberos service ticket was requested. - 4769: kerberosTktEvts.Run, - // 4770 - A Kerberos service ticket was renewed. - 4770: kerberosTktEvts.Run, - // 4771 - Kerberos pre-authentication failed. - 4771: kerberosTktEvts.Run, - // 4776 - The computer attempted to validate the credentials for an account. - 4776: event4776.Run, - // 4778 - A session was reconnected to a Window Station. - 4778: sessionEvts.Run, - // 4779 - A session was disconnected from a Window Station. 
- 4779: sessionEvts.Run, - // 4781 - The name of an account was changed. - 4781: userRenamed.Run, - // 4798 - A user's local group membership was enumerated. - 4798: userMgmtEvts.Run, - // 4799 - A security-enabled local group membership was enumerated. - 4799: groupMgmtEvts.Run, - // 4817 - Auditing settings on object were changed. - 4817: objectPolicyChange.Run, - // 4902 - The Per-user audit policy table was created. - 4902: genericAuditChange.Run, - // 4904 - An attempt was made to register a security event source. - 4904: securityEventSource.Run, - // 4905 - An attempt was made to unregister a security event source. - 4905: securityEventSource.Run, - // 4906 - The CrashOnAuditFail value has changed. - 4906: genericAuditChange.Run, - // 4907 - Auditing settings on object were changed. - 4907: objectPolicyChange.Run, - // 4908 - Special Groups Logon table modified. - 4908: event4908.Run, - // 4912 - Per User Audit Policy was changed. - 4912: auditChanged.Run, - // 4964 - Special groups have been assigned to a new logon. - 4964: event4964.Run, - process: function(evt) { - var eventId = evt.Get("winlog.event_id"); - var processor = this[eventId]; - if (processor === undefined) { - return; - } - evt.Put("event.module", "security"); - processor(evt); - }, - }; - })(); - function process(evt) { - return security.process(evt); - } - - - script: - when.equals.winlog.channel: Microsoft-Windows-Sysmon/Operational - lang: javascript - id: sysmon - source: |- - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - - // Polyfill for String startsWith. - if (!String.prototype.startsWith) { - Object.defineProperty(String.prototype, "startsWith", { - value: function (search, pos) { - pos = !pos || pos < 0 ? 
0 : +pos; - return this.substring(pos, pos + search.length) === search; - }, - }); - } - - var sysmon = (function () { - var path = require("path"); - var processor = require("processor"); - var windows = require("windows"); - var net = require("net"); - - // Windows error codes for DNS. This list was generated using - // 'go run gen_dns_error_codes.go'. - var dnsQueryStatusCodes = { - "0": "SUCCESS", - "5": "ERROR_ACCESS_DENIED", - "8": "ERROR_NOT_ENOUGH_MEMORY", - "13": "ERROR_INVALID_DATA", - "14": "ERROR_OUTOFMEMORY", - "123": "ERROR_INVALID_NAME", - "1214": "ERROR_INVALID_NETNAME", - "1223": "ERROR_CANCELLED", - "1460": "ERROR_TIMEOUT", - "4312": "ERROR_OBJECT_NOT_FOUND", - "9001": "DNS_ERROR_RCODE_FORMAT_ERROR", - "9002": "DNS_ERROR_RCODE_SERVER_FAILURE", - "9003": "DNS_ERROR_RCODE_NAME_ERROR", - "9004": "DNS_ERROR_RCODE_NOT_IMPLEMENTED", - "9005": "DNS_ERROR_RCODE_REFUSED", - "9006": "DNS_ERROR_RCODE_YXDOMAIN", - "9007": "DNS_ERROR_RCODE_YXRRSET", - "9008": "DNS_ERROR_RCODE_NXRRSET", - "9009": "DNS_ERROR_RCODE_NOTAUTH", - "9010": "DNS_ERROR_RCODE_NOTZONE", - "9016": "DNS_ERROR_RCODE_BADSIG", - "9017": "DNS_ERROR_RCODE_BADKEY", - "9018": "DNS_ERROR_RCODE_BADTIME", - "9101": "DNS_ERROR_KEYMASTER_REQUIRED", - "9102": "DNS_ERROR_NOT_ALLOWED_ON_SIGNED_ZONE", - "9103": "DNS_ERROR_NSEC3_INCOMPATIBLE_WITH_RSA_SHA1", - "9104": "DNS_ERROR_NOT_ENOUGH_SIGNING_KEY_DESCRIPTORS", - "9105": "DNS_ERROR_UNSUPPORTED_ALGORITHM", - "9106": "DNS_ERROR_INVALID_KEY_SIZE", - "9107": "DNS_ERROR_SIGNING_KEY_NOT_ACCESSIBLE", - "9108": "DNS_ERROR_KSP_DOES_NOT_SUPPORT_PROTECTION", - "9109": "DNS_ERROR_UNEXPECTED_DATA_PROTECTION_ERROR", - "9110": "DNS_ERROR_UNEXPECTED_CNG_ERROR", - "9111": "DNS_ERROR_UNKNOWN_SIGNING_PARAMETER_VERSION", - "9112": "DNS_ERROR_KSP_NOT_ACCESSIBLE", - "9113": "DNS_ERROR_TOO_MANY_SKDS", - "9114": "DNS_ERROR_INVALID_ROLLOVER_PERIOD", - "9115": "DNS_ERROR_INVALID_INITIAL_ROLLOVER_OFFSET", - "9116": "DNS_ERROR_ROLLOVER_IN_PROGRESS", - "9117": 
"DNS_ERROR_STANDBY_KEY_NOT_PRESENT", - "9118": "DNS_ERROR_NOT_ALLOWED_ON_ZSK", - "9119": "DNS_ERROR_NOT_ALLOWED_ON_ACTIVE_SKD", - "9120": "DNS_ERROR_ROLLOVER_ALREADY_QUEUED", - "9121": "DNS_ERROR_NOT_ALLOWED_ON_UNSIGNED_ZONE", - "9122": "DNS_ERROR_BAD_KEYMASTER", - "9123": "DNS_ERROR_INVALID_SIGNATURE_VALIDITY_PERIOD", - "9124": "DNS_ERROR_INVALID_NSEC3_ITERATION_COUNT", - "9125": "DNS_ERROR_DNSSEC_IS_DISABLED", - "9126": "DNS_ERROR_INVALID_XML", - "9127": "DNS_ERROR_NO_VALID_TRUST_ANCHORS", - "9128": "DNS_ERROR_ROLLOVER_NOT_POKEABLE", - "9129": "DNS_ERROR_NSEC3_NAME_COLLISION", - "9130": "DNS_ERROR_NSEC_INCOMPATIBLE_WITH_NSEC3_RSA_SHA1", - "9501": "DNS_INFO_NO_RECORDS", - "9502": "DNS_ERROR_BAD_PACKET", - "9503": "DNS_ERROR_NO_PACKET", - "9504": "DNS_ERROR_RCODE", - "9505": "DNS_ERROR_UNSECURE_PACKET", - "9506": "DNS_REQUEST_PENDING", - "9551": "DNS_ERROR_INVALID_TYPE", - "9552": "DNS_ERROR_INVALID_IP_ADDRESS", - "9553": "DNS_ERROR_INVALID_PROPERTY", - "9554": "DNS_ERROR_TRY_AGAIN_LATER", - "9555": "DNS_ERROR_NOT_UNIQUE", - "9556": "DNS_ERROR_NON_RFC_NAME", - "9557": "DNS_STATUS_FQDN", - "9558": "DNS_STATUS_DOTTED_NAME", - "9559": "DNS_STATUS_SINGLE_PART_NAME", - "9560": "DNS_ERROR_INVALID_NAME_CHAR", - "9561": "DNS_ERROR_NUMERIC_NAME", - "9562": "DNS_ERROR_NOT_ALLOWED_ON_ROOT_SERVER", - "9563": "DNS_ERROR_NOT_ALLOWED_UNDER_DELEGATION", - "9564": "DNS_ERROR_CANNOT_FIND_ROOT_HINTS", - "9565": "DNS_ERROR_INCONSISTENT_ROOT_HINTS", - "9566": "DNS_ERROR_DWORD_VALUE_TOO_SMALL", - "9567": "DNS_ERROR_DWORD_VALUE_TOO_LARGE", - "9568": "DNS_ERROR_BACKGROUND_LOADING", - "9569": "DNS_ERROR_NOT_ALLOWED_ON_RODC", - "9570": "DNS_ERROR_NOT_ALLOWED_UNDER_DNAME", - "9571": "DNS_ERROR_DELEGATION_REQUIRED", - "9572": "DNS_ERROR_INVALID_POLICY_TABLE", - "9573": "DNS_ERROR_ADDRESS_REQUIRED", - "9601": "DNS_ERROR_ZONE_DOES_NOT_EXIST", - "9602": "DNS_ERROR_NO_ZONE_INFO", - "9603": "DNS_ERROR_INVALID_ZONE_OPERATION", - "9604": "DNS_ERROR_ZONE_CONFIGURATION_ERROR", - "9605": 
"DNS_ERROR_ZONE_HAS_NO_SOA_RECORD", - "9606": "DNS_ERROR_ZONE_HAS_NO_NS_RECORDS", - "9607": "DNS_ERROR_ZONE_LOCKED", - "9608": "DNS_ERROR_ZONE_CREATION_FAILED", - "9609": "DNS_ERROR_ZONE_ALREADY_EXISTS", - "9610": "DNS_ERROR_AUTOZONE_ALREADY_EXISTS", - "9611": "DNS_ERROR_INVALID_ZONE_TYPE", - "9612": "DNS_ERROR_SECONDARY_REQUIRES_MASTER_IP", - "9613": "DNS_ERROR_ZONE_NOT_SECONDARY", - "9614": "DNS_ERROR_NEED_SECONDARY_ADDRESSES", - "9615": "DNS_ERROR_WINS_INIT_FAILED", - "9616": "DNS_ERROR_NEED_WINS_SERVERS", - "9617": "DNS_ERROR_NBSTAT_INIT_FAILED", - "9618": "DNS_ERROR_SOA_DELETE_INVALID", - "9619": "DNS_ERROR_FORWARDER_ALREADY_EXISTS", - "9620": "DNS_ERROR_ZONE_REQUIRES_MASTER_IP", - "9621": "DNS_ERROR_ZONE_IS_SHUTDOWN", - "9622": "DNS_ERROR_ZONE_LOCKED_FOR_SIGNING", - "9651": "DNS_ERROR_PRIMARY_REQUIRES_DATAFILE", - "9652": "DNS_ERROR_INVALID_DATAFILE_NAME", - "9653": "DNS_ERROR_DATAFILE_OPEN_FAILURE", - "9654": "DNS_ERROR_FILE_WRITEBACK_FAILED", - "9655": "DNS_ERROR_DATAFILE_PARSING", - "9701": "DNS_ERROR_RECORD_DOES_NOT_EXIST", - "9702": "DNS_ERROR_RECORD_FORMAT", - "9703": "DNS_ERROR_NODE_CREATION_FAILED", - "9704": "DNS_ERROR_UNKNOWN_RECORD_TYPE", - "9705": "DNS_ERROR_RECORD_TIMED_OUT", - "9706": "DNS_ERROR_NAME_NOT_IN_ZONE", - "9707": "DNS_ERROR_CNAME_LOOP", - "9708": "DNS_ERROR_NODE_IS_CNAME", - "9709": "DNS_ERROR_CNAME_COLLISION", - "9710": "DNS_ERROR_RECORD_ONLY_AT_ZONE_ROOT", - "9711": "DNS_ERROR_RECORD_ALREADY_EXISTS", - "9712": "DNS_ERROR_SECONDARY_DATA", - "9713": "DNS_ERROR_NO_CREATE_CACHE_DATA", - "9714": "DNS_ERROR_NAME_DOES_NOT_EXIST", - "9715": "DNS_WARNING_PTR_CREATE_FAILED", - "9716": "DNS_WARNING_DOMAIN_UNDELETED", - "9717": "DNS_ERROR_DS_UNAVAILABLE", - "9718": "DNS_ERROR_DS_ZONE_ALREADY_EXISTS", - "9719": "DNS_ERROR_NO_BOOTFILE_IF_DS_ZONE", - "9720": "DNS_ERROR_NODE_IS_DNAME", - "9721": "DNS_ERROR_DNAME_COLLISION", - "9722": "DNS_ERROR_ALIAS_LOOP", - "9751": "DNS_INFO_AXFR_COMPLETE", - "9752": "DNS_ERROR_AXFR", - "9753": 
"DNS_INFO_ADDED_LOCAL_WINS", - "9801": "DNS_STATUS_CONTINUE_NEEDED", - "9851": "DNS_ERROR_NO_TCPIP", - "9852": "DNS_ERROR_NO_DNS_SERVERS", - "9901": "DNS_ERROR_DP_DOES_NOT_EXIST", - "9902": "DNS_ERROR_DP_ALREADY_EXISTS", - "9903": "DNS_ERROR_DP_NOT_ENLISTED", - "9904": "DNS_ERROR_DP_ALREADY_ENLISTED", - "9905": "DNS_ERROR_DP_NOT_AVAILABLE", - "9906": "DNS_ERROR_DP_FSMO_ERROR", - "9911": "DNS_ERROR_RRL_NOT_ENABLED", - "9912": "DNS_ERROR_RRL_INVALID_WINDOW_SIZE", - "9913": "DNS_ERROR_RRL_INVALID_IPV4_PREFIX", - "9914": "DNS_ERROR_RRL_INVALID_IPV6_PREFIX", - "9915": "DNS_ERROR_RRL_INVALID_TC_RATE", - "9916": "DNS_ERROR_RRL_INVALID_LEAK_RATE", - "9917": "DNS_ERROR_RRL_LEAK_RATE_LESSTHAN_TC_RATE", - "9921": "DNS_ERROR_VIRTUALIZATION_INSTANCE_ALREADY_EXISTS", - "9922": "DNS_ERROR_VIRTUALIZATION_INSTANCE_DOES_NOT_EXIST", - "9923": "DNS_ERROR_VIRTUALIZATION_TREE_LOCKED", - "9924": "DNS_ERROR_INVAILD_VIRTUALIZATION_INSTANCE_NAME", - "9925": "DNS_ERROR_DEFAULT_VIRTUALIZATION_INSTANCE", - "9951": "DNS_ERROR_ZONESCOPE_ALREADY_EXISTS", - "9952": "DNS_ERROR_ZONESCOPE_DOES_NOT_EXIST", - "9953": "DNS_ERROR_DEFAULT_ZONESCOPE", - "9954": "DNS_ERROR_INVALID_ZONESCOPE_NAME", - "9955": "DNS_ERROR_NOT_ALLOWED_WITH_ZONESCOPES", - "9956": "DNS_ERROR_LOAD_ZONESCOPE_FAILED", - "9957": "DNS_ERROR_ZONESCOPE_FILE_WRITEBACK_FAILED", - "9958": "DNS_ERROR_INVALID_SCOPE_NAME", - "9959": "DNS_ERROR_SCOPE_DOES_NOT_EXIST", - "9960": "DNS_ERROR_DEFAULT_SCOPE", - "9961": "DNS_ERROR_INVALID_SCOPE_OPERATION", - "9962": "DNS_ERROR_SCOPE_LOCKED", - "9963": "DNS_ERROR_SCOPE_ALREADY_EXISTS", - "9971": "DNS_ERROR_POLICY_ALREADY_EXISTS", - "9972": "DNS_ERROR_POLICY_DOES_NOT_EXIST", - "9973": "DNS_ERROR_POLICY_INVALID_CRITERIA", - "9974": "DNS_ERROR_POLICY_INVALID_SETTINGS", - "9975": "DNS_ERROR_CLIENT_SUBNET_IS_ACCESSED", - "9976": "DNS_ERROR_CLIENT_SUBNET_DOES_NOT_EXIST", - "9977": "DNS_ERROR_CLIENT_SUBNET_ALREADY_EXISTS", - "9978": "DNS_ERROR_SUBNET_DOES_NOT_EXIST", - "9979": 
"DNS_ERROR_SUBNET_ALREADY_EXISTS", - "9980": "DNS_ERROR_POLICY_LOCKED", - "9981": "DNS_ERROR_POLICY_INVALID_WEIGHT", - "9982": "DNS_ERROR_POLICY_INVALID_NAME", - "9983": "DNS_ERROR_POLICY_MISSING_CRITERIA", - "9984": "DNS_ERROR_INVALID_CLIENT_SUBNET_NAME", - "9985": "DNS_ERROR_POLICY_PROCESSING_ORDER_INVALID", - "9986": "DNS_ERROR_POLICY_SCOPE_MISSING", - "9987": "DNS_ERROR_POLICY_SCOPE_NOT_ALLOWED", - "9988": "DNS_ERROR_SERVERSCOPE_IS_REFERENCED", - "9989": "DNS_ERROR_ZONESCOPE_IS_REFERENCED", - "9990": "DNS_ERROR_POLICY_INVALID_CRITERIA_CLIENT_SUBNET", - "9991": "DNS_ERROR_POLICY_INVALID_CRITERIA_TRANSPORT_PROTOCOL", - "9992": "DNS_ERROR_POLICY_INVALID_CRITERIA_NETWORK_PROTOCOL", - "9993": "DNS_ERROR_POLICY_INVALID_CRITERIA_INTERFACE", - "9994": "DNS_ERROR_POLICY_INVALID_CRITERIA_FQDN", - "9995": "DNS_ERROR_POLICY_INVALID_CRITERIA_QUERY_TYPE", - "9996": "DNS_ERROR_POLICY_INVALID_CRITERIA_TIME_OF_DAY", - "10054": "WSAECONNRESET", - "10055": "WSAENOBUFS", - "10060": "WSAETIMEDOUT", - }; - - // Windows DNS record type constants. 
- // https://docs.microsoft.com/en-us/windows/win32/dns/dns-constants - var dnsRecordTypes = { - "1": "A", - "2": "NS", - "3": "MD", - "4": "MF", - "5": "CNAME", - "6": "SOA", - "7": "MB", - "8": "MG", - "9": "MR", - "10": "NULL", - "11": "WKS", - "12": "PTR", - "13": "HINFO", - "14": "MINFO", - "15": "MX", - "16": "TXT", - "17": "RP", - "18": "AFSDB", - "19": "X25", - "20": "ISDN", - "21": "RT", - "22": "NSAP", - "23": "NSAPPTR", - "24": "SIG", - "25": "KEY", - "26": "PX", - "27": "GPOS", - "28": "AAAA", - "29": "LOC", - "30": "NXT", - "31": "EID", - "32": "NIMLOC", - "33": "SRV", - "34": "ATMA", - "35": "NAPTR", - "36": "KX", - "37": "CERT", - "38": "A6", - "39": "DNAME", - "40": "SINK", - "41": "OPT", - "43": "DS", - "46": "RRSIG", - "47": "NSEC", - "48": "DNSKEY", - "49": "DHCID", - "100": "UINFO", - "101": "UID", - "102": "GID", - "103": "UNSPEC", - "248": "ADDRS", - "249": "TKEY", - "250": "TSIG", - "251": "IXFR", - "252": "AXFR", - "253": "MAILB", - "254": "MAILA", - "255": "ANY", - "65281": "WINS", - "65282": "WINSR", - }; - - var setProcessNameUsingExe = function (evt) { - setProcessNameFromPath(evt, "process.executable", "process.name"); - }; - - var setParentProcessNameUsingExe = function (evt) { - setProcessNameFromPath( - evt, - "process.parent.executable", - "process.parent.name" - ); - }; - - var setProcessNameFromPath = function (evt, pathField, nameField) { - var name = evt.Get(nameField); - if (name) { - return; - } - var exe = evt.Get(pathField); - if (!exe) { - return; - } - evt.Put(nameField, path.basename(exe)); - }; - - var splitCommandLine = function (evt, source, target) { - var commandLine = evt.Get(source); - if (!commandLine) { - return; - } - evt.Put(target, windows.splitCommandLine(commandLine)); - }; - - var splitProcessArgs = function (evt) { - splitCommandLine(evt, "process.command_line", "process.args"); - }; - - var splitParentProcessArgs = function (evt) { - splitCommandLine( - evt, - "process.parent.command_line", - 
"process.parent.args" - ); - }; - - var addUser = function (evt) { - var id = evt.Get("winlog.user.identifier"); - if (id) { - evt.Put("user.id", id); - } - var userParts = evt.Get("winlog.event_data.User"); - if (!userParts) { - return; - } - userParts = userParts.split("\\"); - if (userParts.length === 2) { - evt.Put("user.domain", userParts[0]); - evt.Put("user.name", userParts[1]); - evt.AppendTo("related.user", userParts[1]); - evt.Delete("winlog.event_data.User"); - } - }; - - var setRuleName = function (evt) { - var ruleName = evt.Get("winlog.event_data.RuleName"); - if (!ruleName || ruleName === "-") { - return; - } - - evt.Put("rule.name", ruleName); - evt.Delete("winlog.event_data.RuleName"); - }; - - var addNetworkDirection = function (evt) { - switch (evt.Get("winlog.event_data.Initiated")) { - case "true": - evt.Put("network.direction", "egress"); - break; - case "false": - evt.Put("network.direction", "ingress"); - break; - } - evt.Delete("winlog.event_data.Initiated"); - }; - - var addNetworkType = function (evt) { - switch (evt.Get("winlog.event_data.SourceIsIpv6")) { - case "true": - evt.Put("network.type", "ipv6"); - break; - case "false": - evt.Put("network.type", "ipv4"); - break; - } - evt.Delete("winlog.event_data.SourceIsIpv6"); - evt.Delete("winlog.event_data.DestinationIsIpv6"); - }; - - var setRelatedIP = function (evt) { - var sourceIP = evt.Get("source.ip"); - if (sourceIP) { - evt.AppendTo("related.ip", sourceIP); - } - - var destIP = evt.Get("destination.ip"); - if (destIP) { - evt.AppendTo("related.ip", destIP); - } - }; - - var getHashPath = function (namespace, hashKey) { - if (hashKey === "imphash") { - return namespace + ".pe.imphash"; - } - - return namespace + ".hash." 
+ hashKey; - }; - - var emptyHashRegex = /^0*$/; - - var hashIsEmpty = function (value) { - if (!value) { - return true; - } - - return emptyHashRegex.test(value); - } - - // Adds hashes from the given hashField in the event to the 'hash' key - // in the specified namespace. It also adds all the hashes to 'related.hash'. - var addHashes = function (evt, namespace, hashField) { - var hashes = evt.Get(hashField); - if (!hashes) { - return; - } - evt.Delete(hashField); - hashes.split(",").forEach(function (hash) { - var parts = hash.split("="); - if (parts.length !== 2) { - return; - } - - var key = parts[0].toLowerCase(); - var value = parts[1].toLowerCase(); - - if (hashIsEmpty(value)) { - return; - } - - var path = getHashPath(namespace, key); - - evt.Put(path, value); - evt.AppendTo("related.hash", value); - }); - }; - - var splitFileHashes = function (evt) { - addHashes(evt, "file", "winlog.event_data.Hashes"); - }; - - var splitFileHash = function (evt) { - addHashes(evt, "file", "winlog.event_data.Hash"); - }; - - var splitProcessHashes = function (evt) { - addHashes(evt, "process", "winlog.event_data.Hashes"); - }; - - var removeEmptyEventData = function (evt) { - var eventData = evt.Get("winlog.event_data"); - if (eventData && Object.keys(eventData).length === 0) { - evt.Delete("winlog.event_data"); - } - }; - - var translateDnsQueryStatus = function (evt) { - var statusCode = evt.Get("sysmon.dns.status"); - if (!statusCode) { - return; - } - var statusName = dnsQueryStatusCodes[statusCode]; - if (statusName === undefined) { - return; - } - evt.Put("sysmon.dns.status", statusName); - }; - - // Splits the QueryResults field that contains the DNS responses. 
- // Example: "type: 5 f2.taboola.map.fastly.net;::ffff:151.101.66.2;::ffff:151.101.130.2;::ffff:151.101.194.2;::ffff:151.101.2.2;"
- var splitDnsQueryResults = function (evt) {
- var results = evt.Get("winlog.event_data.QueryResults");
- if (!results) {
- return;
- }
- results = results.split(";");
-
- var answers = [];
- var ips = [];
- for (var i = 0; i < results.length; i++) {
- var answer = results[i];
- if (!answer) {
- continue;
- }
-
- if (answer.startsWith("type:")) {
- var parts = answer.split(/\s+/);
- if (parts.length !== 3) {
- throw "unexpected QueryResult format";
- }
-
- answers.push({
- type: dnsRecordTypes[parts[1]],
- data: parts[2],
- });
- } else {
- // Convert V4MAPPED addresses.
- answer = answer.replace("::ffff:", "");
- if (net.isIP(answer)) {
- ips.push(answer);
-
- // Synthesize record type based on IP address type.
- var type = "A";
- if (answer.indexOf(":") !== -1) {
- type = "AAAA";
- }
- answers.push({
- type: type,
- data: answer,
- });
- }
- }
- }
-
- if (answers.length > 0) {
- evt.Put("dns.answers", answers);
- }
- if (ips.length > 0) {
- evt.Put("dns.resolved_ip", ips);
- }
- evt.Delete("winlog.event_data.QueryResults");
- };
-
- var parseUtcTime = new processor.Timestamp({
- field: "winlog.event_data.UtcTime",
- target_field: "winlog.event_data.UtcTime",
- timezone: "UTC",
- layouts: ["2006-01-02 15:04:05.999"],
- tests: ["2019-06-26 21:19:43.237"],
- ignore_missing: true,
- });
-
- var setAdditionalSignatureFields = function (evt) {
- var signed = evt.Get("winlog.event_data.Signed");
- if (!signed) {
- return;
- }
- evt.Put("file.code_signature.signed", true);
- var signatureStatus = evt.Get("winlog.event_data.SignatureStatus");
- evt.Put("file.code_signature.valid", signatureStatus === "Valid");
- };
-
- var setAdditionalFileFieldsFromPath = function (evt) {
- var filePath = evt.Get("file.path");
- if (!filePath) {
- return;
- }
-
- evt.Put("file.name", path.basename(filePath));
- evt.Put("file.directory",
path.dirname(filePath));
-
- // path returns extensions with a preceding ., e.g.: .tmp, .png
- // according to ecs the expected format is without it, so we need to remove it.
- var ext = path.extname(filePath);
- if (!ext) {
- return;
- }
-
- if (ext.charAt(0) === ".") {
- ext = ext.substr(1);
- }
- evt.Put("file.extension", ext);
- };
-
- // https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-hives
- var commonRegistryHives = {
- HKEY_CLASSES_ROOT: "HKCR",
- HKCR: "HKCR",
- HKEY_CURRENT_CONFIG: "HKCC",
- HKCC: "HKCC",
- HKEY_CURRENT_USER: "HKCU",
- HKCU: "HKCU",
- HKEY_DYN_DATA: "HKDD",
- HKDD: "HKDD",
- HKEY_LOCAL_MACHINE: "HKLM",
- HKLM: "HKLM",
- HKEY_PERFORMANCE_DATA: "HKPD",
- HKPD: "HKPD",
- HKEY_USERS: "HKU",
- HKU: "HKU",
- };
-
- var qwordRegex = new RegExp(/QWORD \(((0x\d{8})-(0x\d{8}))\)/, "i");
- var dwordRegex = new RegExp(/DWORD \((0x\d{8})\)/, "i");
-
- var setRegistryFields = function (evt) {
- var path = evt.Get("winlog.event_data.TargetObject");
- if (!path) {
- return;
- }
- evt.Put("registry.path", path);
- var pathTokens = path.split("\\");
- var hive = commonRegistryHives[pathTokens[0]];
- if (hive) {
- evt.Put("registry.hive", hive);
- pathTokens.splice(0, 1);
- if (pathTokens.length > 0) {
- evt.Put("registry.key", pathTokens.join("\\"));
- }
- }
- var value = pathTokens[pathTokens.length - 1];
- evt.Put("registry.value", value);
- var data = evt.Get("winlog.event_data.Details");
- if (!data) {
- return;
- }
- // sysmon only returns details of a registry modification
- // if it's a qword or dword
- var dataType;
- var dataValue;
- var match = qwordRegex.exec(data);
- if (match && match.length > 0) {
- var parsedHighByte = parseInt(match[2]);
- var parsedLowByte = parseInt(match[3]);
- if (!isNaN(parsedHighByte) && !isNaN(parsedLowByte)) {
- dataValue = "" + ((parsedHighByte << 8) + parsedLowByte);
- dataType = "SZ_QWORD";
- }
- } else {
- match = dwordRegex.exec(data);
- if (match && match.length > 0) {
- var parsedValue =
parseInt(match[1]);
- if (!isNaN(parsedValue)) {
- dataType = "SZ_DWORD";
- dataValue = "" + parsedValue;
- }
- }
- }
- if (dataType) {
- evt.Put("registry.data.strings", [dataValue]);
- evt.Put("registry.data.type", dataType);
- }
- };
-
- // Event ID 1 - Process Create.
- var event1 = new processor.Chain()
- .Add(parseUtcTime)
- .AddFields({
- fields: {
- category: ["process"],
- type: ["start", "process_start"],
- },
- target: "event",
- })
- .Convert({
- fields: [{
- from: "winlog.event_data.UtcTime",
- to: "@timestamp",
- },
- {
- from: "winlog.event_data.ProcessGuid",
- to: "process.entity_id",
- },
- {
- from: "winlog.event_data.ProcessId",
- to: "process.pid",
- type: "long",
- },
- {
- from: "winlog.event_data.Image",
- to: "process.executable",
- },
- {
- from: "winlog.event_data.CommandLine",
- to: "process.command_line",
- },
- {
- from: "winlog.event_data.CurrentDirectory",
- to: "process.working_directory",
- },
- {
- from: "winlog.event_data.ParentProcessGuid",
- to: "process.parent.entity_id",
- },
- {
- from: "winlog.event_data.ParentProcessId",
- to: "process.parent.pid",
- type: "long",
- },
- {
- from: "winlog.event_data.ParentImage",
- to: "process.parent.executable",
- },
- {
- from: "winlog.event_data.ParentCommandLine",
- to: "process.parent.command_line",
- },
- {
- from: "winlog.event_data.OriginalFileName",
- to: "process.pe.original_file_name",
- },
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Convert({
- fields: [{
- from: "winlog.event_data.Company",
- to: "process.pe.company",
- },
- {
- from: "winlog.event_data.Description",
- to: "process.pe.description",
- },
- {
- from: "winlog.event_data.FileVersion",
- to: "process.pe.file_version",
- },
- {
- from: "winlog.event_data.Product",
- to: "process.pe.product",
- },
- ],
- mode: "copy",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(setRuleName)
- .Add(setProcessNameUsingExe)
- .Add(splitProcessArgs)
- .Add(addUser)
-
.Add(splitProcessHashes)
- .Add(setParentProcessNameUsingExe)
- .Add(splitParentProcessArgs)
- .Add(removeEmptyEventData)
- .Build();
-
- // Event ID 2 - File creation time changed.
- var event2 = new processor.Chain()
- .Add(parseUtcTime)
- .AddFields({
- fields: {
- category: ["file"],
- type: ["change"],
- },
- target: "event",
- })
- .Convert({
- fields: [{
- from: "winlog.event_data.UtcTime",
- to: "@timestamp",
- },
- {
- from: "winlog.event_data.ProcessGuid",
- to: "process.entity_id",
- },
- {
- from: "winlog.event_data.ProcessId",
- to: "process.pid",
- type: "long",
- },
- {
- from: "winlog.event_data.Image",
- to: "process.executable",
- },
- {
- from: "winlog.event_data.TargetFilename",
- to: "file.path",
- },
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(setRuleName)
- .Add(setAdditionalFileFieldsFromPath)
- .Add(setProcessNameUsingExe)
- .Add(removeEmptyEventData)
- .Build();
-
- // Event ID 3 - Network connection detected.
- var event3 = new processor.Chain()
- .Add(parseUtcTime)
- .AddFields({
- fields: {
- category: ["network"],
- type: ["connection", "start", "protocol"],
- },
- target: "event",
- })
- .Convert({
- fields: [{
- from: "winlog.event_data.UtcTime",
- to: "@timestamp",
- },
- {
- from: "winlog.event_data.ProcessGuid",
- to: "process.entity_id",
- },
- {
- from: "winlog.event_data.ProcessId",
- to: "process.pid",
- type: "long",
- },
- {
- from: "winlog.event_data.Image",
- to: "process.executable",
- },
- {
- from: "winlog.event_data.Protocol",
- to: "network.transport",
- },
- {
- from: "winlog.event_data.SourceIp",
- to: "source.ip",
- type: "ip",
- },
- {
- from: "winlog.event_data.SourceHostname",
- to: "source.domain",
- type: "string",
- },
- {
- from: "winlog.event_data.SourcePort",
- to: "source.port",
- type: "long",
- },
- {
- from: "winlog.event_data.DestinationIp",
- to: "destination.ip",
- type: "ip",
- },
- {
- from: "winlog.event_data.DestinationHostname",
- to: "destination.domain",
- type: "string",
- },
- {
- from: "winlog.event_data.DestinationPort",
- to: "destination.port",
- type: "long",
- },
- {
- from: "winlog.event_data.DestinationPortName",
- to: "network.protocol",
- },
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(setRuleName)
- .Add(setRelatedIP)
- .Add(setProcessNameUsingExe)
- .Add(addUser)
- .Add(addNetworkDirection)
- .Add(addNetworkType)
- .CommunityID()
- .Add(removeEmptyEventData)
- .Build();
-
- // Event ID 4 - Sysmon service state changed.
- var event4 = new processor.Chain()
- .Add(parseUtcTime)
- .AddFields({
- fields: {
- category: ["process"],
- type: ["change"],
- },
- target: "event",
- })
- .Convert({
- fields: [{
- from: "winlog.event_data.UtcTime",
- to: "@timestamp",
- }, ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(removeEmptyEventData)
- .Build();
-
- // Event ID 5 - Process terminated.
- var event5 = new processor.Chain()
- .Add(parseUtcTime)
- .AddFields({
- fields: {
- category: ["process"],
- type: ["end", "process_end"],
- },
- target: "event",
- })
- .Convert({
- fields: [{
- from: "winlog.event_data.UtcTime",
- to: "@timestamp",
- },
- {
- from: "winlog.event_data.ProcessGuid",
- to: "process.entity_id",
- },
- {
- from: "winlog.event_data.ProcessId",
- to: "process.pid",
- type: "long",
- },
- {
- from: "winlog.event_data.Image",
- to: "process.executable",
- },
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(setRuleName)
- .Add(setProcessNameUsingExe)
- .Add(removeEmptyEventData)
- .Build();
-
- // Event ID 6 - Driver loaded.
- var event6 = new processor.Chain()
- .Add(parseUtcTime)
- .AddFields({
- fields: {
- category: ["driver"],
- type: ["start"],
- },
- target: "event",
- })
- .Convert({
- fields: [{
- from: "winlog.event_data.UtcTime",
- to: "@timestamp",
- },
- {
- from: "winlog.event_data.ImageLoaded",
- to: "file.path",
- },
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Convert({
- fields: [{
- from: "winlog.event_data.Signature",
- to: "file.code_signature.subject_name",
- },
- {
- from: "winlog.event_data.SignatureStatus",
- to: "file.code_signature.status",
- },
- ],
- fail_on_error: false,
- })
- .Add(setRuleName)
- .Add(setAdditionalFileFieldsFromPath)
- .Add(setAdditionalSignatureFields)
- .Add(splitFileHashes)
- .Add(removeEmptyEventData)
- .Build();
-
- // Event ID 7 - Image loaded.
- var event7 = new processor.Chain()
- .Add(parseUtcTime)
- .AddFields({
- fields: {
- category: ["process"],
- type: ["change"],
- },
- target: "event",
- })
- .Convert({
- fields: [{
- from: "winlog.event_data.UtcTime",
- to: "@timestamp",
- },
- {
- from: "winlog.event_data.ProcessGuid",
- to: "process.entity_id",
- },
- {
- from: "winlog.event_data.ProcessId",
- to: "process.pid",
- type: "long",
- },
- {
- from: "winlog.event_data.Image",
- to: "process.executable",
- },
- {
- from: "winlog.event_data.ImageLoaded",
- to: "file.path",
- },
- {
- from: "winlog.event_data.OriginalFileName",
- to: "file.pe.original_file_name",
- },
-
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Convert({
- fields: [{
- from: "winlog.event_data.Signature",
- to: "file.code_signature.subject_name",
- },
- {
- from: "winlog.event_data.SignatureStatus",
- to: "file.code_signature.status",
- },
- {
- from: "winlog.event_data.Company",
- to: "file.pe.company",
- },
- {
- from: "winlog.event_data.Description",
- to: "file.pe.description",
- },
- {
- from: "winlog.event_data.FileVersion",
- to: "file.pe.file_version",
- },
- {
- from:
"winlog.event_data.Product",
- to: "file.pe.product",
- },
- ],
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(setRuleName)
- .Add(setAdditionalFileFieldsFromPath)
- .Add(setAdditionalSignatureFields)
- .Add(setProcessNameUsingExe)
- .Add(splitFileHashes)
- .Add(removeEmptyEventData)
- .Build();
-
- // Event ID 8 - CreateRemoteThread detected.
- var event8 = new processor.Chain()
- .Add(parseUtcTime)
- .Convert({
- fields: [{
- from: "winlog.event_data.UtcTime",
- to: "@timestamp",
- },
- {
- from: "winlog.event_data.SourceProcessGuid",
- to: "process.entity_id",
- },
- {
- from: "winlog.event_data.SourceProcessId",
- to: "process.pid",
- type: "long",
- },
- {
- from: "winlog.event_data.SourceImage",
- to: "process.executable",
- },
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(setRuleName)
- .Add(setProcessNameUsingExe)
- .Add(removeEmptyEventData)
- .Build();
-
- // Event ID 9 - RawAccessRead detected.
- var event9 = new processor.Chain()
- .Add(parseUtcTime)
- .Convert({
- fields: [{
- from: "winlog.event_data.UtcTime",
- to: "@timestamp",
- },
- {
- from: "winlog.event_data.ProcessGuid",
- to: "process.entity_id",
- },
- {
- from: "winlog.event_data.ProcessId",
- to: "process.pid",
- type: "long",
- },
- {
- from: "winlog.event_data.Image",
- to: "process.executable",
- },
- {
- from: "winlog.event_data.Device",
- to: "file.path",
- },
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(setRuleName)
- .Add(setAdditionalFileFieldsFromPath)
- .Add(setProcessNameUsingExe)
- .Add(removeEmptyEventData)
- .Build();
-
- // Event ID 10 - Process accessed.
- var event10 = new processor.Chain()
- .Add(parseUtcTime)
- .AddFields({
- fields: {
- category: ["process"],
- type: ["access"],
- },
- target: "event",
- })
- .Convert({
- fields: [{
- from: "winlog.event_data.UtcTime",
- to: "@timestamp",
- },
- {
- from: "winlog.event_data.SourceProcessGUID",
- to: "process.entity_id",
- },
- {
- from: "winlog.event_data.SourceProcessId",
- to: "process.pid",
- type: "long",
- },
- {
- from: "winlog.event_data.SourceThreadId",
- to: "process.thread.id",
- type: "long",
- },
- {
- from: "winlog.event_data.SourceImage",
- to: "process.executable",
- },
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(setRuleName)
- .Add(setProcessNameUsingExe)
- .Add(removeEmptyEventData)
- .Build();
-
- // Event ID 11 - File created.
- var event11 = new processor.Chain()
- .Add(parseUtcTime)
- .AddFields({
- fields: {
- category: ["file"],
- type: ["creation"],
- },
- target: "event",
- })
- .Convert({
- fields: [{
- from: "winlog.event_data.UtcTime",
- to: "@timestamp",
- },
- {
- from: "winlog.event_data.ProcessGuid",
- to: "process.entity_id",
- },
- {
- from: "winlog.event_data.ProcessId",
- to: "process.pid",
- type: "long",
- },
- {
- from: "winlog.event_data.Image",
- to: "process.executable",
- },
- {
- from: "winlog.event_data.TargetFilename",
- to: "file.path",
- },
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(setRuleName)
- .Add(setAdditionalFileFieldsFromPath)
- .Add(setProcessNameUsingExe)
- .Add(removeEmptyEventData)
- .Build();
-
- // Event ID 12 - Registry object added or deleted.
- var event12 = new processor.Chain()
- .Add(parseUtcTime)
- .AddFields({
- fields: {
- category: ["configuration", "registry"],
- type: ["change"],
- },
- target: "event",
- })
- .Convert({
- fields: [{
- from: "winlog.event_data.UtcTime",
- to: "@timestamp",
- },
- {
- from: "winlog.event_data.ProcessGuid",
- to: "process.entity_id",
- },
- {
- from: "winlog.event_data.ProcessId",
- to: "process.pid",
- type: "long",
- },
- {
- from: "winlog.event_data.Image",
- to: "process.executable",
- },
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(setRuleName)
- .Add(setRegistryFields)
- .Add(setProcessNameUsingExe)
- .Add(removeEmptyEventData)
- .Build();
-
- // Event ID 13 - Registry value set.
- var event13 = new processor.Chain()
- .Add(parseUtcTime)
- .AddFields({
- fields: {
- category: ["configuration", "registry"],
- type: ["change"],
- },
- target: "event",
- })
- .Convert({
- fields: [{
- from: "winlog.event_data.UtcTime",
- to: "@timestamp",
- },
- {
- from: "winlog.event_data.ProcessGuid",
- to: "process.entity_id",
- },
- {
- from: "winlog.event_data.ProcessId",
- to: "process.pid",
- type: "long",
- },
- {
- from: "winlog.event_data.Image",
- to: "process.executable",
- },
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(setRuleName)
- .Add(setRegistryFields)
- .Add(setProcessNameUsingExe)
- .Add(removeEmptyEventData)
- .Build();
-
- // Event ID 14 - Registry object renamed.
- var event14 = new processor.Chain()
- .Add(parseUtcTime)
- .AddFields({
- fields: {
- category: ["configuration", "registry"],
- type: ["change"],
- },
- target: "event",
- })
- .Convert({
- fields: [{
- from: "winlog.event_data.UtcTime",
- to: "@timestamp",
- },
- {
- from: "winlog.event_data.ProcessGuid",
- to: "process.entity_id",
- },
- {
- from: "winlog.event_data.ProcessId",
- to: "process.pid",
- type: "long",
- },
- {
- from: "winlog.event_data.Image",
- to: "process.executable",
- },
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(setRuleName)
- .Add(setRegistryFields)
- .Add(setProcessNameUsingExe)
- .Add(removeEmptyEventData)
- .Build();
-
- // Event ID 15 - File stream created.
- var event15 = new processor.Chain()
- .Add(parseUtcTime)
- .AddFields({
- fields: {
- category: ["file"],
- type: ["access"],
- },
- target: "event",
- })
- .Convert({
- fields: [{
- from: "winlog.event_data.UtcTime",
- to: "@timestamp",
- },
- {
- from: "winlog.event_data.ProcessGuid",
- to: "process.entity_id",
- },
- {
- from: "winlog.event_data.ProcessId",
- to: "process.pid",
- type: "long",
- },
- {
- from: "winlog.event_data.Image",
- to: "process.executable",
- },
- {
- from: "winlog.event_data.TargetFilename",
- to: "file.path",
- },
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(setRuleName)
- .Add(setAdditionalFileFieldsFromPath)
- .Add(setProcessNameUsingExe)
- .Add(splitFileHash)
- .Add(removeEmptyEventData)
- .Build();
-
- // Event ID 16 - Sysmon config state changed.
- var event16 = new processor.Chain()
- .Add(parseUtcTime)
- .AddFields({
- fields: {
- category: ["configuration"],
- type: ["change"],
- },
- target: "event",
- })
- .Convert({
- fields: [{
- from: "winlog.event_data.UtcTime",
- to: "@timestamp",
- }, ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(removeEmptyEventData)
- .Build();
-
- // Event ID 17 - Pipe Created.
- var event17 = new processor.Chain()
- .Add(parseUtcTime)
- .AddFields({
- fields: {
- category: ["file"], // pipes are files
- type: ["creation"],
- },
- target: "event",
- })
- .Convert({
- fields: [{
- from: "winlog.event_data.UtcTime",
- to: "@timestamp",
- },
- {
- from: "winlog.event_data.ProcessGuid",
- to: "process.entity_id",
- },
- {
- from: "winlog.event_data.ProcessId",
- to: "process.pid",
- type: "long",
- },
- {
- from: "winlog.event_data.PipeName",
- to: "file.name",
- },
- {
- from: "winlog.event_data.Image",
- to: "process.executable",
- },
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(setRuleName)
- .Add(setProcessNameUsingExe)
- .Add(removeEmptyEventData)
- .Build();
-
- // Event ID 18 - Pipe Connected.
- var event18 = new processor.Chain()
- .Add(parseUtcTime)
- .AddFields({
- fields: {
- category: ["file"], // pipes are files
- type: ["access"],
- },
- target: "event",
- })
- .Convert({
- fields: [{
- from: "winlog.event_data.UtcTime",
- to: "@timestamp",
- },
- {
- from: "winlog.event_data.ProcessGuid",
- to: "process.entity_id",
- },
- {
- from: "winlog.event_data.ProcessId",
- to: "process.pid",
- type: "long",
- },
- {
- from: "winlog.event_data.PipeName",
- to: "file.name",
- },
- {
- from: "winlog.event_data.Image",
- to: "process.executable",
- },
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(setRuleName)
- .Add(setProcessNameUsingExe)
- .Add(removeEmptyEventData)
- .Build();
-
- // Event ID 19 - WmiEventFilter activity detected.
- var event19 = new processor.Chain()
- .Add(parseUtcTime)
- .Convert({
- fields: [{
- from: "winlog.event_data.UtcTime",
- to: "@timestamp",
- }, ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(setRuleName)
- .Add(addUser)
- .Add(removeEmptyEventData)
- .Build();
-
- // Event ID 20 - WmiEventConsumer activity detected.
- var event20 = new processor.Chain()
- .Add(parseUtcTime)
- .Convert({
- fields: [{
- from: "winlog.event_data.UtcTime",
- to: "@timestamp",
- },
- {
- from: "winlog.event_data.Destination",
- to: "process.executable",
- },
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(setRuleName)
- .Add(addUser)
- .Add(setProcessNameUsingExe)
- .Add(removeEmptyEventData)
- .Build();
-
- // Event ID 21 - WmiEventConsumerToFilter activity detected.
- var event21 = new processor.Chain()
- .Add(parseUtcTime)
- .Convert({
- fields: [{
- from: "winlog.event_data.UtcTime",
- to: "@timestamp",
- }, ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(setRuleName)
- .Add(addUser)
- .Add(removeEmptyEventData)
- .Build();
-
- // Event ID 22 - DNSEvent (DNS query).
- var event22 = new processor.Chain()
- .Add(parseUtcTime)
- .AddFields({
- fields: {
- category: ["network"],
- type: ["connection", "protocol", "info"],
- },
- target: "event",
- })
- .AddFields({
- fields: {
- protocol: "dns",
- },
- target: "network",
- })
- .Convert({
- fields: [{
- from: "winlog.event_data.UtcTime",
- to: "@timestamp",
- },
- {
- from: "winlog.event_data.ProcessGuid",
- to: "process.entity_id",
- },
- {
- from: "winlog.event_data.ProcessId",
- to: "process.pid",
- type: "long",
- },
- {
- from: "winlog.event_data.Image",
- to: "process.executable",
- },
- {
- from: "winlog.event_data.QueryName",
- to: "dns.question.name",
- },
- {
- from: "winlog.event_data.QueryStatus",
- to: "sysmon.dns.status",
- },
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .RegisteredDomain({
- ignore_failure: true,
- ignore_missing: true,
- field: "dns.question.name",
- target_field: "dns.question.registered_domain",
- target_subdomain_field: "dns.question.subdomain",
- target_etld_field: "dns.question.top_level_domain",
- })
- .Add(setRuleName)
- .Add(translateDnsQueryStatus)
- .Add(splitDnsQueryResults)
- .Add(setProcessNameUsingExe)
- .Add(removeEmptyEventData)
- .Build();
-
- // Event ID 23 - FileDelete (A file delete was detected).
- var event23 = new processor.Chain()
- .Add(parseUtcTime)
- .AddFields({
- fields: {
- category: ["file"], // pipes are files
- type: ["deletion"],
- },
- target: "event",
- })
- .Convert({
- fields: [{
- from: "winlog.event_data.UtcTime",
- to: "@timestamp",
- },
- {
- from: "winlog.event_data.ProcessGuid",
- to: "process.entity_id",
- },
- {
- from: "winlog.event_data.ProcessId",
- to: "process.pid",
- type: "long",
- },
- {
- from: "winlog.event_data.RuleName",
- to: "rule.name",
- },
- {
- from: "winlog.event_data.TargetFilename",
- to: "file.path",
- },
- {
- from: "winlog.event_data.Image",
- to: "process.executable",
- },
- {
- from: "winlog.event_data.Archived",
- to: "sysmon.file.archived",
- type: "boolean",
- },
- {
- from: "winlog.event_data.IsExecutable",
- to: "sysmon.file.is_executable",
- type: "boolean",
- },
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(setRuleName)
- .Add(addUser)
- .Add(splitProcessHashes)
- .Add(setProcessNameUsingExe)
- .Add(setAdditionalFileFieldsFromPath)
- .Add(removeEmptyEventData)
- .Build();
-
- // Event ID 255 - Error report.
- var event255 = new processor.Chain()
- .Add(parseUtcTime)
- .Convert({
- fields: [{
- from: "winlog.event_data.UtcTime",
- to: "@timestamp",
- },
- {
- from: "winlog.event_data.ID",
- to: "error.code",
- },
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(removeEmptyEventData)
- .Build();
-
- return {
- 1: event1.Run,
- 2: event2.Run,
- 3: event3.Run,
- 4: event4.Run,
- 5: event5.Run,
- 6: event6.Run,
- 7: event7.Run,
- 8: event8.Run,
- 9: event9.Run,
- 10: event10.Run,
- 11: event11.Run,
- 12: event12.Run,
- 13: event13.Run,
- 14: event14.Run,
- 15: event15.Run,
- 16: event16.Run,
- 17: event17.Run,
- 18: event18.Run,
- 19: event19.Run,
- 20: event20.Run,
- 21: event21.Run,
- 22: event22.Run,
- 23: event23.Run,
- 255: event255.Run,
-
- process: function (evt) {
- var event_id = evt.Get("winlog.event_id");
- var processor = this[event_id];
- if (processor === undefined) {
- throw "unexpected sysmon event_id";
- }
- evt.Put("event.module", "sysmon");
- processor(evt);
- },
- };
- })();
-
- function process(evt) {
- return sysmon.process(evt);
- }
-
-
- - script:
- when.or:
- - equals:
- winlog.channel: Windows PowerShell
- - equals:
- winlog.channel: Microsoft-Windows-PowerShell/Operational
- lang: javascript
- id: powershell
- source: |-
- // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- // or more contributor license agreements. Licensed under the Elastic License;
- // you may not use this file except in compliance with the Elastic License.
-
- var powershell = (function () {
- var path = require("path");
- var processor = require("processor");
- var windows = require("windows");
-
- var normalizeCommonFieldNames = new processor.Convert({
- fields: [
- {
- from: "winlog.event_data.Engine Version",
- to: "winlog.event_data.EngineVersion",
- },
- {
- from: "winlog.event_data.Pipeline ID",
- to: "winlog.event_data.PipelineId",
- },
- {
- from: "winlog.event_data.Runspace ID",
- to: "winlog.event_data.RunspaceId",
- },
- {
- from: "winlog.event_data.Host Version",
- to: "winlog.event_data.HostVersion",
- },
- {
- from: "winlog.event_data.Script Name",
- to: "winlog.event_data.ScriptName",
- },
- {
- from: "winlog.event_data.Path",
- to: "winlog.event_data.ScriptName",
- },
- {
- from: "winlog.event_data.Command Path",
- to: "winlog.event_data.CommandPath",
- },
- {
- from: "winlog.event_data.Command Name",
- to: "winlog.event_data.CommandName",
- },
- {
- from: "winlog.event_data.Command Type",
- to: "winlog.event_data.CommandType",
- },
- {
- from: "winlog.event_data.User",
- to: "winlog.event_data.UserId",
- },
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
-
- // Builds a dissect tokenizer.
- //
- // - chunks: number of chunks dissect needs to look for.
- // - delimiter: indicates what is the delimiter between chunks,
- // in addition to `\n` which is already expected.
- // - sep: separator between key value pairs.
- //
- // example:
- // For a string like "Foo=Bar\n\tBar=Baz", chunks: 2, delimiter: '\t', sep: '='
- var buildNewlineSpacedTokenizer = function (chunks, delimiter, sep) {
- var tokenizer = "";
- for (var i = 0; i < chunks; i++) {
- if (i !== 0) {
- tokenizer += "\n%{}";
- }
- tokenizer += delimiter+"%{*p"+i+"}"+sep+"%{&p"+i+"}";
- }
- return tokenizer;
- };
-
- var dissectField = function (fromField, targetPrefix, chunks, delimiter, sep) {
- return new processor.Dissect({
- field: fromField,
- target_prefix: targetPrefix,
- tokenizer: buildNewlineSpacedTokenizer(chunks, delimiter, sep),
- fail_on_error: false,
- });
- };
-
- // countChunksDelimitedBy will return the number of chunks contained in a field
- // that are delimited by the given delimiter.
- var countChunksDelimitedBy = function(evt, fromField, delimiter) {
- var str = evt.Get(fromField);
- if (!str) {
- return 0;
- }
- return str.split(delimiter).length-1;
- };
-
- var dissect4xxAnd600 = function (evt) {
- var delimiter = "\t";
- var chunks = countChunksDelimitedBy(evt, "winlog.event_data.param3", delimiter);
-
- dissectField("winlog.event_data.param3", "winlog.event_data", chunks, delimiter, "=").Run(evt);
-
- // these fields contain redundant information.
- evt.Delete("winlog.event_data.param1");
- evt.Delete("winlog.event_data.param2");
- evt.Delete("winlog.event_data.param3");
- };
-
- var dissect800Detail = function (evt) {
- var delimiter = "\t";
- var chunks = countChunksDelimitedBy(evt, "winlog.event_data.param2", delimiter);
-
- dissectField("winlog.event_data.param2", "winlog.event_data", chunks, "\t", "=").Run(evt);
-
- // these fields contain redundant information.
- evt.Delete("winlog.event_data.param1");
- evt.Delete("winlog.event_data.param2");
- };
-
- var dissect4103 = function (evt) {
- var delimiter = " ";
- var chunks = countChunksDelimitedBy(evt, "winlog.event_data.ContextInfo", delimiter);
-
- dissectField("winlog.event_data.ContextInfo", "winlog.event_data", chunks, delimiter, " = ").Run(evt);
-
- // these fields contain redundant information.
- evt.Delete("winlog.event_data.ContextInfo");
- evt.Delete("winlog.event_data.Severity");
- };
-
- var addEngineVersion = function (evt) {
- var version = evt.Get("winlog.event_data.EngineVersion");
- evt.Delete("winlog.event_data.EngineVersion");
- if (!version) {
- return;
- }
-
- evt.Put("powershell.engine.version", version);
- };
-
- var addPipelineID = function (evt) {
- var id = evt.Get("winlog.event_data.PipelineId");
- evt.Delete("winlog.event_data.PipelineId");
- if (!id) {
- return;
- }
-
- evt.Put("powershell.pipeline_id", id);
- };
-
- var addRunspaceID = function (evt) {
- var id = evt.Get("winlog.event_data.RunspaceId");
- evt.Delete("winlog.event_data.RunspaceId");
- if (!id) {
- return;
- }
-
- evt.Put("powershell.runspace_id", id);
- };
-
- var addScriptBlockID = function (evt) {
- var id = evt.Get("winlog.event_data.ScriptBlockId");
- evt.Delete("winlog.event_data.ScriptBlockId");
- if (!id) {
- return;
- }
-
- evt.Put("powershell.file.script_block_id", id);
- };
-
- var addScriptBlockText = function (evt) {
- var text = evt.Get("winlog.event_data.ScriptBlockText");
- evt.Delete("winlog.event_data.ScriptBlockText");
- if (!text) {
- return;
- }
-
- evt.Put("powershell.file.script_block_text", text);
- };
-
- var splitCommandLine = function (evt, source, target) {
- var commandLine = evt.Get(source);
- if (!commandLine) {
- return;
- }
- evt.Put(target, windows.splitCommandLine(commandLine));
- };
-
- var addProcessArgs = function (evt) {
- splitCommandLine(evt, "process.command_line", "process.args");
- var args = evt.Get("process.args");
- if (args &&
args.length > 0) {
- evt.Put("process.args_count", args.length);
- }
- };
-
- var addExecutableVersion = function (evt) {
- var version = evt.Get("winlog.event_data.HostVersion");
- evt.Delete("winlog.event_data.HostVersion");
- if (!version) {
- return;
- }
-
- evt.Put("powershell.process.executable_version", version);
- };
-
- var addFileInfo = function (evt) {
- var scriptName = evt.Get("winlog.event_data.ScriptName");
- evt.Delete("winlog.event_data.ScriptName");
- if (!scriptName) {
- return;
- }
-
- evt.Put("file.path", scriptName);
- evt.Put("file.name", path.basename(scriptName));
- evt.Put("file.directory", path.dirname(scriptName));
-
- // path returns extensions with a preceding ., e.g.: .tmp, .png
- // according to ecs the expected format is without it, so we need to remove it.
- var ext = path.extname(scriptName);
- if (!ext) {
- return;
- }
-
- if (ext.charAt(0) === ".") {
- ext = ext.substr(1);
- }
- evt.Put("file.extension", ext);
- };
-
- var addCommandValue = function (evt) {
- var value = evt.Get("winlog.event_data.CommandLine")
- evt.Delete("winlog.event_data.CommandLine");
- if (!value) {
- return;
- }
-
- evt.Put("powershell.command.value", value.trim());
- };
-
- var addCommandPath = function (evt) {
- var commandPath = evt.Get("winlog.event_data.CommandPath");
- evt.Delete("winlog.event_data.CommandPath");
- if (!commandPath) {
- return;
- }
-
- evt.Put("powershell.command.path", commandPath);
- };
-
- var addCommandName = function (evt) {
- var commandName = evt.Get("winlog.event_data.CommandName");
- evt.Delete("winlog.event_data.CommandName");
- if (!commandName) {
- return;
- }
-
- evt.Put("powershell.command.name", commandName);
- };
-
- var addCommandType = function (evt) {
- var commandType = evt.Get("winlog.event_data.CommandType");
- evt.Delete("winlog.event_data.CommandType");
- if (!commandType) {
- return;
- }
-
- evt.Put("powershell.command.type", commandType);
- };
-
- var detailRegex = /^(.+)\((.+)\)\:\s*(.+)?$/;
- var
parameterBindingRegex = /^.*name\=(.+);\s*value\=(.+)$/ - - // Parses a command invocation detail raw line, and converts it to an object, based on its type. - // - // - for unexpectedly formatted ones: {value: "the raw line as it is"} - // - for all: - // * related_command: describes to what command it is related to - // * value: the value for that detail line - // * type: the type of the detail line, i.e.: CommandInvocation, ParameterBinding, NonTerminatingError - // - additionally, ParameterBinding adds a `name` field with the parameter name being bound. - var parseRawDetail = function (raw) { - var matches = detailRegex.exec(raw); - if (!matches || matches.length !== 4) { - return {value: raw}; - } - - if (matches[1] !== "ParameterBinding") { - return {type: matches[1], related_command: matches[2], value: matches[3]}; - } - - var nameValMatches = parameterBindingRegex.exec(matches[3]); - if (!nameValMatches || nameValMatches.length !== 3) { - return {value: matches[3]}; - } - - return { - type: matches[1], - related_command: matches[2], - name: nameValMatches[1], - value: nameValMatches[2], - }; - }; - - var addCommandInvocationDetails = function (evt, from) { - var rawDetails = evt.Get(from); - if (!rawDetails) { - return; - } - - var details = []; - rawDetails.split("\n").forEach(function (raw) { - details.push(parseRawDetail(raw)); - }); - - if (details.length === 0) { - return; - } - - evt.Delete(from); - evt.Put("powershell.command.invocation_details", details); - }; - - var addCommandInvocationDetailsForEvent800 = function (evt) { - addCommandInvocationDetails(evt, "winlog.event_data.param3"); - }; - - var addCommandInvocationDetailsForEvent4103 = function (evt) { - addCommandInvocationDetails(evt, "winlog.event_data.Payload"); - }; - - var addUser = function (evt) { - var userParts = evt.Get("winlog.event_data.UserId").split("\\"); - evt.Delete("winlog.event_data.UserId"); - if (userParts.length === 2) { - evt.Put("user.domain", userParts[0]); - 
evt.Put("user.name", userParts[1]); - evt.AppendTo("related.user", userParts[1]); - } - }; - - var addConnectedUser = function (evt) { - var userParts = evt.Get("winlog.event_data.Connected User").split("\\"); - evt.Delete("winlog.event_data.Connected User"); - if (userParts.length === 2) { - evt.Put("powershell.connected_user.domain", userParts[0]); - if (evt.Get("user.domain")) { - evt.Put("destination.user.domain", evt.Get("user.domain")); - } - evt.Put("source.user.domain", userParts[0]); - evt.Put("user.domain", userParts[0]); - - evt.Put("powershell.connected_user.name", userParts[1]); - if (evt.Get("user.name")) { - evt.Put("destination.user.name", evt.Get("user.name")); - } - evt.Put("source.user.name", userParts[1]); - evt.Put("user.name", userParts[1]); - evt.AppendTo("related.user", userParts[1]); - } - }; - - var removeEmptyEventData = function (evt) { - var eventData = evt.Get("winlog.event_data"); - if (eventData && Object.keys(eventData).length === 0) { - evt.Delete("winlog.event_data"); - } - }; - - var event4xxAnd600Common = new processor.Chain() - .Add(dissect4xxAnd600) - .Convert({ - fields: [ - { - from: "winlog.event_data.SequenceNumber", - to: "event.sequence", - type: "long", - }, - { - from: "winlog.event_data.NewEngineState", - to: "powershell.engine.new_state", - }, - { - from: "winlog.event_data.PreviousEngineState", - to: "powershell.engine.previous_state", - }, - { - from: "winlog.event_data.NewProviderState", - to: "powershell.provider.new_state", - }, - { - from: "winlog.event_data.ProviderName", - to: "powershell.provider.name", - }, - { - from: "winlog.event_data.HostId", - to: "process.entity_id", - }, - { - from: "winlog.event_data.HostApplication", - to: "process.command_line", - }, - { - from: "winlog.event_data.HostName", - to: "process.title", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(addEngineVersion) - .Add(addPipelineID) - .Add(addRunspaceID) - .Add(addProcessArgs) - 
.Add(addExecutableVersion) - .Add(addFileInfo) - .Add(addCommandValue) - .Add(addCommandPath) - .Add(addCommandName) - .Add(addCommandType) - .Add(removeEmptyEventData) - .Build(); - - var event400 = new processor.Chain() - .AddFields({ - fields: { - category: ["process"], - type: ["start"], - }, - target: "event", - }) - .Add(event4xxAnd600Common) - .Build() - - var event403 = new processor.Chain() - .AddFields({ - fields: { - category: ["process"], - type: ["end"], - }, - target: "event", - }) - .Add(event4xxAnd600Common) - .Build() - - var event600 = new processor.Chain() - .AddFields({ - fields: { - category: ["process"], - type: ["info"], - }, - target: "event", - }) - .Add(event4xxAnd600Common) - .Build() - - var event800 = new processor.Chain() - .Add(dissect800Detail) - .AddFields({ - fields: { - category: ["process"], - type: ["info"], - }, - target: "event", - }) - .Convert({ - fields: [ - { - from: "winlog.event_data.SequenceNumber", - to: "event.sequence", - type: "long", - }, - { - from: "winlog.event_data.HostId", - to: "process.entity_id", - }, - { - from: "winlog.event_data.HostApplication", - to: "process.command_line", - }, - { - from: "winlog.event_data.HostName", - to: "process.title", - }, - { - from: "winlog.event_data.DetailTotal", - to: "powershell.total", - type: "long", - }, - { - from: "winlog.event_data.DetailSequence", - to: "powershell.sequence", - type: "long", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(addEngineVersion) - .Add(addPipelineID) - .Add(addRunspaceID) - .Add(addProcessArgs) - .Add(addExecutableVersion) - .Add(addFileInfo) - .Add(addCommandValue) - .Add(addCommandPath) - .Add(addCommandName) - .Add(addCommandType) - .Add(addUser) - .Add(addCommandInvocationDetailsForEvent800) - .Add(removeEmptyEventData) - .Build(); - - var event4103 = new processor.Chain() - .Add(dissect4103) - .AddFields({ - fields: { - category: ["process"], - type: ["info"], - }, - target: "event", - }) - 
.Convert({ - fields: [ - { - from: "winlog.event_data.Sequence Number", - to: "event.sequence", - type: "long", - }, - { - from: "winlog.event_data.Host ID", - to: "process.entity_id", - }, - { - from: "winlog.event_data.Host Application", - to: "process.command_line", - }, - { - from: "winlog.event_data.Host Name", - to: "process.title", - }, - { - from: "winlog.event_data.Shell ID", - to: "powershell.id", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Convert({ - fields: [ - { - from: "winlog.user.identifier", - to: "user.id", - type: "string", - }, - ], - mode: "copy", - ignore_missing: true, - fail_on_error: false, - }) - .Add(normalizeCommonFieldNames) - .Add(addEngineVersion) - .Add(addPipelineID) - .Add(addRunspaceID) - .Add(addProcessArgs) - .Add(addExecutableVersion) - .Add(addFileInfo) - .Add(addCommandValue) - .Add(addCommandPath) - .Add(addCommandName) - .Add(addCommandType) - .Add(addUser) - .Add(addConnectedUser) - .Add(addCommandInvocationDetailsForEvent4103) - .Add(removeEmptyEventData) - .Build(); - - var event4104 = new processor.Chain() - .AddFields({ - fields: { - category: ["process"], - type: ["info"], - }, - target: "event", - }) - .Convert({ - fields: [ - { - from: "winlog.event_data.MessageNumber", - to: "powershell.sequence", - type: "long", - }, - { - from: "winlog.event_data.MessageTotal", - to: "powershell.total", - type: "long", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Convert({ - fields: [ - { - from: "winlog.user.identifier", - to: "user.id", - type: "string", - }, - ], - mode: "copy", - ignore_missing: true, - fail_on_error: false, - }) - .Add(normalizeCommonFieldNames) - .Add(addFileInfo) - .Add(addScriptBlockID) - .Add(addScriptBlockText) - .Add(removeEmptyEventData) - .Build(); - - var event4105And4106Common = new processor.Chain() - .Add(addRunspaceID) - .Add(addScriptBlockID) - .Add(removeEmptyEventData) - .Convert({ - fields: [ - { - from: 
"winlog.user.identifier", - to: "user.id", - type: "string", - }, - ], - mode: "copy", - ignore_missing: true, - fail_on_error: false, - }) - .Build(); - - var event4105 = new processor.Chain() - .Add(event4105And4106Common) - .AddFields({ - fields: { - category: ["process"], - type: ["start"], - }, - target: "event", - }) - .Build(); - - var event4106 = new processor.Chain() - .Add(event4105And4106Common) - .AddFields({ - fields: { - category: ["process"], - type: ["end"], - }, - target: "event", - }) - .Build(); - - return { - 400: event400.Run, - 403: event403.Run, - 600: event600.Run, - 800: event800.Run, - 4103: event4103.Run, - 4104: event4104.Run, - 4105: event4105.Run, - 4106: event4106.Run, - - process: function(evt) { - var eventId = evt.Get("winlog.event_id"); - var processor = this[eventId]; - if (processor === undefined) { - return; - } - evt.Put("event.module", "powershell"); - processor(evt); - }, - }; - })(); - - function process(evt) { - return powershell.process(evt); - } diff --git a/packages/windows/0.7.0/data_stream/forwarded/agent/stream/winlog.yml.hbs b/packages/windows/0.7.0/data_stream/forwarded/agent/stream/winlog.yml.hbs deleted file mode 100755 index 4f0a22e8d2..0000000000 --- a/packages/windows/0.7.0/data_stream/forwarded/agent/stream/winlog.yml.hbs +++ /dev/null 
@@ -1,4943 +0,0 @@ -name: ForwardedEvents -condition: ${host.platform} == 'windows' -tags: [forwarded] -processors: - - add_fields: - target: '' - fields: - ecs.version: 1.9.0 - - script: - when.equals.winlog.channel: Security - lang: javascript - id: security - source: |- - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - var security = (function () { - var path = require("path"); - var processor = require("processor"); - var windows = require("windows"); - // Logon Types - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events - var logonTypes = { - "2": "Interactive", - "3": "Network", - "4": "Batch", - "5": "Service", - "7": "Unlock", - "8": "NetworkCleartext", - "9": "NewCredentials", - "10": "RemoteInteractive", - "11": "CachedInteractive", - }; - // User Account Control Attributes Table - // https://support.microsoft.com/es-us/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties - var uacFlags = [ - [0x0001, 'SCRIPT'], - [0x0002, 'ACCOUNTDISABLE'], - [0x0008, 'HOMEDIR_REQUIRED'], - [0x0010, 'LOCKOUT'], - [0x0020, 'PASSWD_NOTREQD'], - [0x0040, 'PASSWD_CANT_CHANGE'], - [0x0080, 'ENCRYPTED_TEXT_PWD_ALLOWED'], - [0x0100, 'TEMP_DUPLICATE_ACCOUNT'], - [0x0200, 'NORMAL_ACCOUNT'], - [0x0800, 'INTERDOMAIN_TRUST_ACCOUNT'], - [0x1000, 'WORKSTATION_TRUST_ACCOUNT'], - [0x2000, 'SERVER_TRUST_ACCOUNT'], - [0x10000, 'DONT_EXPIRE_PASSWORD'], - [0x20000, 'MNS_LOGON_ACCOUNT'], - [0x40000, 'SMARTCARD_REQUIRED'], - [0x80000, 'TRUSTED_FOR_DELEGATION'], - [0x100000, 'NOT_DELEGATED'], - [0x200000, 'USE_DES_KEY_ONLY'], - [0x400000, 'DONT_REQ_PREAUTH'], - [0x800000, 'PASSWORD_EXPIRED'], - [0x1000000, 'TRUSTED_TO_AUTH_FOR_DELEGATION'], - [0x04000000, 'PARTIAL_SECRETS_ACCOUNT'], - ]; - // Kerberos TGT and TGS Ticket 
Options - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769 - var ticketOptions = [ - "Reserved", - "Forwardable", - "Forwarded", - "Proxiable", - "Proxy", - "Allow-postdate", - "Postdated", - "Invalid", - "Renewable", - "Initial", - "Pre-authent", - "Opt-hardware-auth", - "Transited-policy-checked", - "Ok-as-delegate", - "Request-anonymous", - "Name-canonicalize", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Unused", - "Disable-transited-check", - "Renewable-ok", - "Enc-tkt-in-skey", - "Unused", - "Renew", - "Validate"]; - // Kerberos Encryption Types - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - var ticketEncryptionTypes = { - "0x1": "DES-CBC-CRC", - "0x3": "DES-CBC-MD5", - "0x11": "AES128-CTS-HMAC-SHA1-96", - "0x12": "AES256-CTS-HMAC-SHA1-96", - "0x17": "RC4-HMAC", - "0x18": "RC4-HMAC-EXP", - "0xffffffff": "FAIL", - }; - // Kerberos Result Status Codes - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - var kerberosTktStatusCodes = { - "0x0": "KDC_ERR_NONE", - "0x1": "KDC_ERR_NAME_EXP", - "0x2": "KDC_ERR_SERVICE_EXP", - "0x3": "KDC_ERR_BAD_PVNO", - "0x4": "KDC_ERR_C_OLD_MAST_KVNO", - "0x5": "KDC_ERR_S_OLD_MAST_KVNO", - "0x6": "KDC_ERR_C_PRINCIPAL_UNKNOWN", - "0x7": "KDC_ERR_S_PRINCIPAL_UNKNOWN", - "0x8": "KDC_ERR_PRINCIPAL_NOT_UNIQUE", - "0x9": "KDC_ERR_NULL_KEY", - "0xA": "KDC_ERR_CANNOT_POSTDATE", - "0xB": "KDC_ERR_NEVER_VALID", - "0xC": "KDC_ERR_POLICY", - "0xD": "KDC_ERR_BADOPTION", - "0xE": "KDC_ERR_ETYPE_NOTSUPP", - "0xF": "KDC_ERR_SUMTYPE_NOSUPP", - "0x10": "KDC_ERR_PADATA_TYPE_NOSUPP", 
- "0x11": "KDC_ERR_TRTYPE_NO_SUPP", - "0x12": "KDC_ERR_CLIENT_REVOKED", - "0x13": "KDC_ERR_SERVICE_REVOKED", - "0x14": "KDC_ERR_TGT_REVOKED", - "0x15": "KDC_ERR_CLIENT_NOTYET", - "0x16": "KDC_ERR_SERVICE_NOTYET", - "0x17": "KDC_ERR_KEY_EXPIRED", - "0x18": "KDC_ERR_PREAUTH_FAILED", - "0x19": "KDC_ERR_PREAUTH_REQUIRED", - "0x1A": "KDC_ERR_SERVER_NOMATCH", - "0x1B": "KDC_ERR_MUST_USE_USER2USER", - "0x1F": "KRB_AP_ERR_BAD_INTEGRITY", - "0x20": "KRB_AP_ERR_TKT_EXPIRED", - "0x21": "KRB_AP_ERR_TKT_NYV", - "0x22": "KRB_AP_ERR_REPEAT", - "0x23": "KRB_AP_ERR_NOT_US", - "0x24": "KRB_AP_ERR_BADMATCH", - "0x25": "KRB_AP_ERR_SKEW", - "0x26": "KRB_AP_ERR_BADADDR", - "0x27": "KRB_AP_ERR_BADVERSION", - "0x28": "KRB_AP_ERR_MSG_TYPE", - "0x29": "KRB_AP_ERR_MODIFIED", - "0x2A": "KRB_AP_ERR_BADORDER", - "0x2C": "KRB_AP_ERR_BADKEYVER", - "0x2D": "KRB_AP_ERR_NOKEY", - "0x2E": "KRB_AP_ERR_MUT_FAIL", - "0x2F": "KRB_AP_ERR_BADDIRECTION", - "0x30": "KRB_AP_ERR_METHOD", - "0x31": "KRB_AP_ERR_BADSEQ", - "0x32": "KRB_AP_ERR_INAPP_CKSUM", - "0x33": "KRB_AP_PATH_NOT_ACCEPTED", - "0x34": "KRB_ERR_RESPONSE_TOO_BIG", - "0x3C": "KRB_ERR_GENERIC", - "0x3D": "KRB_ERR_FIELD_TOOLONG", - "0x3E": "KDC_ERR_CLIENT_NOT_TRUSTED", - "0x3F": "KDC_ERR_KDC_NOT_TRUSTED", - "0x40": "KDC_ERR_INVALID_SIG", - "0x41": "KDC_ERR_KEY_TOO_WEAK", - "0x42": "KRB_AP_ERR_USER_TO_USER_REQUIRED", - "0x43": "KRB_AP_ERR_NO_TGT", - "0x44": "KDC_ERR_WRONG_REALM", - }; - // event.category, event.type, event.action - var eventActionTypes = { - "1100": [["process"], ["end"], "logging-service-shutdown"], - "1102": [["iam"], ["admin", "change"], "audit-log-cleared"], // need to recategorize - "1104": [["iam"], ["admin"],"logging-full"], - "1105": [["iam"], ["admin"],"auditlog-archieved"], - "1108": [["iam"], ["admin"],"logging-processing-error"], - "4610": [["configuration"], ["access"], "authentication-package-loaded"], - "4611": [["configuration"], ["change"], "trusted-logon-process-registered"], - "4614": [["configuration"], 
["access"], "notification-package-loaded"], - "4616": [["configuration"], ["change"], "system-time-changed"], - "4622": [["configuration"], ["access"], "security-package-loaded"], - "4624": [["authentication"], ["start"], "logged-in"], - "4625": [["authentication"], ["start"], "logon-failed"], - "4634": [["authentication"], ["end"], "logged-out"], - "4647": [["authentication"], ["end"], "logged-out"], - "4648": [["authentication"], ["start"], "logged-in-explicit"], - "4657": [["registry", "configuration"], ["change"], "registry-value-modified"], - "4670": [["iam", "configuration"],["admin", "change"],"permissions-changed"], - "4672": [["iam"], ["admin"], "logged-in-special"], - "4673": [["iam"], ["admin"], "privileged-service-called"], - "4674": [["iam"], ["admin"], "privileged-operation"], - "4688": [["process"], ["start"], "created-process"], - "4689": [["process"], ["end"], "exited-process"], - "4697": [["iam", "configuration"], ["admin", "change"],"service-installed"], // remove iam and admin - "4698": [["iam", "configuration"], ["creation", "admin"], "scheduled-task-created"], // remove iam and admin - "4699": [["iam", "configuration"], ["deletion", "admin"], "scheduled-task-deleted"], // remove iam and admin - "4700": [["iam", "configuration"], ["change", "admin"], "scheduled-task-enabled"], // remove iam and admin - "4701": [["iam", "configuration"], ["change", "admin"], "scheduled-task-disabled"], // remove iam and admin - "4702": [["iam", "configuration"], ["change", "admin"], "scheduled-task-updated"], // remove iam and admin - "4706": [["configuration"], ["creation"], "domain-trust-added"], - "4707": [["configuration"], ["deletion"], "domain-trust-removed"], - "4713": [["configuration"], ["change"], "kerberos-policy-changed"], - "4714": [["configuration"], ["change"], "encrypted-data-recovery-policy-changed"], - "4715": [["configuration"], ["change"], "object-audit-policy-changed"], - "4716": [["configuration"], ["change"], 
"trusted-domain-information-changed"], - "4717": [["iam", "configuration"],["admin", "change"],"system-security-access-granted"], - "4718": [["iam", "configuration"],["admin", "deletion"],"system-security-access-removed"], - "4719": [["iam", "configuration"], ["admin", "change"], "changed-audit-config"], // remove iam and admin - "4720": [["iam"], ["user", "creation"], "added-user-account"], - "4722": [["iam"], ["user", "change"], "enabled-user-account"], - "4723": [["iam"], ["user", "change"], "changed-password"], - "4724": [["iam"], ["user", "change"], "reset-password"], - "4725": [["iam"], ["user", "deletion"], "disabled-user-account"], - "4726": [["iam"], ["user", "deletion"], "deleted-user-account"], - "4727": [["iam"], ["group", "creation"], "added-group-account"], - "4728": [["iam"], ["group", "change"], "added-member-to-group"], - "4729": [["iam"], ["group", "change"], "removed-member-from-group"], - "4730": [["iam"], ["group", "deletion"], "deleted-group-account"], - "4731": [["iam"], ["group", "creation"], "added-group-account"], - "4732": [["iam"], ["group", "change"], "added-member-to-group"], - "4733": [["iam"], ["group", "change"], "removed-member-from-group"], - "4734": [["iam"], ["group", "deletion"], "deleted-group-account"], - "4735": [["iam"], ["group", "change"], "modified-group-account"], - "4737": [["iam"], ["group", "change"], "modified-group-account"], - "4738": [["iam"], ["user", "change"], "modified-user-account"], - "4739": [["configuration"], ["change"], "domain-policy-changed"], - "4740": [["iam"], ["user", "change"], "locked-out-user-account"], - "4741": [["iam"], ["creation", "admin"], "added-computer-account"], // remove admin - "4742": [["iam"], ["change", "admin"], "changed-computer-account"], // remove admin - "4743": [["iam"], ["deletion", "admin"], "deleted-computer-account"], // remove admin - "4744": [["iam"], ["group", "creation"], "added-distribution-group-account"], - "4745": [["iam"], ["group", "change"], 
"changed-distribution-group-account"], - "4746": [["iam"], ["group", "change"], "added-member-to-distribution-group"], - "4747": [["iam"], ["group", "change"], "removed-member-from-distribution-group"], - "4748": [["iam"], ["group", "deletion"], "deleted-distribution-group-account"], - "4749": [["iam"], ["group", "creation"], "added-distribution-group-account"], - "4750": [["iam"], ["group", "change"], "changed-distribution-group-account"], - "4751": [["iam"], ["group", "change"], "added-member-to-distribution-group"], - "4752": [["iam"], ["group", "change"], "removed-member-from-distribution-group"], - "4753": [["iam"], ["group", "deletion"], "deleted-distribution-group-account"], - "4754": [["iam"], ["group", "creation"], "added-group-account"], - "4755": [["iam"], ["group", "change"], "modified-group-account"], - "4756": [["iam"], ["group", "change"], "added-member-to-group"], - "4757": [["iam"], ["group", "change"], "removed-member-from-group"], - "4758": [["iam"], ["group", "deletion"], "deleted-group-account"], - "4759": [["iam"], ["group", "creation"], "added-distribution-group-account"], - "4760": [["iam"], ["group", "change"], "changed-distribution-group-account"], - "4761": [["iam"], ["group", "change"], "added-member-to-distribution-group"], - "4762": [["iam"], ["group", "change"], "removed-member-from-distribution-group"], - "4763": [["iam"], ["group", "deletion"], "deleted-distribution-group-account"], - "4764": [["iam"], ["group", "change"], "type-changed-group-account"], - "4767": [["iam"], ["user", "change"], "unlocked-user-account"], - "4768": [["authentication"], ["start"], "kerberos-authentication-ticket-requested"], - "4769": [["authentication"], ["start"], "kerberos-service-ticket-requested"], - "4770": [["authentication"], ["start"], "kerberos-service-ticket-renewed"], - "4771": [["authentication"], ["start"], "kerberos-preauth-failed"], - "4776": [["authentication"], ["start"], "credential-validated"], - "4778": [["authentication", 
"session"], ["start"], "session-reconnected"], - "4779": [["authentication", "session"], ["end"], "session-disconnected"], - "4781": [["iam"], ["user", "change"], "renamed-user-account"], - "4798": [["iam"], ["user", "info"], "group-membership-enumerated"], // process enumerates the local groups to which the specified user belongs - "4799": [["iam"], ["group", "info"], "user-member-enumerated"], // a process enumerates the members of the specified local group - "4817": [["iam", "configuration"], ["admin", "change"],"object-audit-changed"], - "4902": [["iam", "configuration"], ["admin", "creation"],"user-audit-policy-created"], - "4904": [["iam", "configuration"], ["admin", "change"],"security-event-source-added"], - "4905": [["iam", "configuration"], ["admin", "deletion"], "security-event-source-removed"], - "4906": [["iam", "configuration"], ["admin", "change"], "crash-on-audit-changed"], - "4907": [["iam", "configuration"], ["admin", "change"], "audit-setting-changed"], - "4908": [["iam", "configuration"], ["admin", "change"], "special-group-table-changed"], - "4912": [["iam", "configuration"], ["admin", "change"], "per-user-audit-policy-changed"], - "4950": [["configuration"], ["change"], "windows-firewall-setting-changed"], - "4954": [["configuration"], ["change"], "windows-firewall-group-policy-changed"], - "4964": [["iam"], ["admin", "group"], "logged-in-special"], - "5024": [["process"], ["start"], "windows-firewall-service-started"], - "5025": [["process"], ["end"], "windows-firewall-service-stopped"], - "5033": [["driver"], ["start"], "windows-firewall-driver-started"], - "5034": [["driver"], ["end"], "windows-firewall-driver-stopped"], - "5037": [["driver"], ["end"], "windows-firewall-driver-error"], - }; - // Services Types - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697 - var serviceTypes = { - "0x1": "Kernel Driver", - "0x2": "File System Driver", - "0x8": "Recognizer Driver", - "0x10": "Win32 Own Process", 
- "0x20": "Win32 Share Process", - "0x110": "Interactive Own Process", - "0x120": "Interactive Share Process", - }; - // Audit Categories Description - // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpac/77878370-0712-47cd-997d-b07053429f6d - var auditDescription = { - "0CCE9210-69AE-11D9-BED3-505054503030":["Security State Change", "System"], - "0CCE9211-69AE-11D9-BED3-505054503030":["Security System Extension", "System"], - "0CCE9212-69AE-11D9-BED3-505054503030":["System Integrity", "System"], - "0CCE9213-69AE-11D9-BED3-505054503030":["IPsec Driver", "System"], - "0CCE9214-69AE-11D9-BED3-505054503030":["Other System Events", "System"], - "0CCE9215-69AE-11D9-BED3-505054503030":["Logon", "Logon/Logoff"], - "0CCE9216-69AE-11D9-BED3-505054503030":["Logoff","Logon/Logoff"], - "0CCE9217-69AE-11D9-BED3-505054503030":["Account Lockout","Logon/Logoff"], - "0CCE9218-69AE-11D9-BED3-505054503030":["IPsec Main Mode","Logon/Logoff"], - "0CCE9219-69AE-11D9-BED3-505054503030":["IPsec Quick Mode","Logon/Logoff"], - "0CCE921A-69AE-11D9-BED3-505054503030":["IPsec Extended Mode","Logon/Logoff"], - "0CCE921B-69AE-11D9-BED3-505054503030":["Special Logon","Logon/Logoff"], - "0CCE921C-69AE-11D9-BED3-505054503030":["Other Logon/Logoff Events","Logon/Logoff"], - "0CCE9243-69AE-11D9-BED3-505054503030":["Network Policy Server","Logon/Logoff"], - "0CCE9247-69AE-11D9-BED3-505054503030":["User / Device Claims","Logon/Logoff"], - "0CCE921D-69AE-11D9-BED3-505054503030":["File System","Object Access"], - "0CCE921E-69AE-11D9-BED3-505054503030":["Registry","Object Access"], - "0CCE921F-69AE-11D9-BED3-505054503030":["Kernel Object","Object Access"], - "0CCE9220-69AE-11D9-BED3-505054503030":["SAM","Object Access"], - "0CCE9221-69AE-11D9-BED3-505054503030":["Certification Services","Object Access"], - "0CCE9222-69AE-11D9-BED3-505054503030":["Application Generated","Object Access"], - "0CCE9223-69AE-11D9-BED3-505054503030":["Handle Manipulation","Object Access"], - 
"0CCE9224-69AE-11D9-BED3-505054503030":["File Share","Object Access"], - "0CCE9225-69AE-11D9-BED3-505054503030":["Filtering Platform Packet Drop","Object Access"], - "0CCE9226-69AE-11D9-BED3-505054503030":["Filtering Platform Connection ","Object Access"], - "0CCE9227-69AE-11D9-BED3-505054503030":["Other Object Access Events","Object Access"], - "0CCE9244-69AE-11D9-BED3-505054503030":["Detailed File Share","Object Access"], - "0CCE9245-69AE-11D9-BED3-505054503030":["Removable Storage","Object Access"], - "0CCE9246-69AE-11D9-BED3-505054503030":["Central Policy Staging","Object Access"], - "0CCE9228-69AE-11D9-BED3-505054503030":["Sensitive Privilege Use","Privilege Use"], - "0CCE9229-69AE-11D9-BED3-505054503030":["Non Sensitive Privilege Use","Privilege Use"], - "0CCE922A-69AE-11D9-BED3-505054503030":["Other Privilege Use Events","Privilege Use"], - "0CCE922B-69AE-11D9-BED3-505054503030":["Process Creation","Detailed Tracking"], - "0CCE922C-69AE-11D9-BED3-505054503030":["Process Termination","Detailed Tracking"], - "0CCE922D-69AE-11D9-BED3-505054503030":["DPAPI Activity","Detailed Tracking"], - "0CCE922E-69AE-11D9-BED3-505054503030":["RPC Events","Detailed Tracking"], - "0CCE9248-69AE-11D9-BED3-505054503030":["Plug and Play Events","Detailed Tracking"], - "0CCE922F-69AE-11D9-BED3-505054503030":["Audit Policy Change","Policy Change"], - "0CCE9230-69AE-11D9-BED3-505054503030":["Authentication Policy Change","Policy Change"], - "0CCE9231-69AE-11D9-BED3-505054503030":["Authorization Policy Change","Policy Change"], - "0CCE9232-69AE-11D9-BED3-505054503030":["MPSSVC Rule-Level Policy Change","Policy Change"], - "0CCE9233-69AE-11D9-BED3-505054503030":["Filtering Platform Policy Change","Policy Change"], - "0CCE9234-69AE-11D9-BED3-505054503030":["Other Policy Change Events","Policy Change"], - "0CCE9235-69AE-11D9-BED3-505054503030":["User Account Management","Account Management"], - "0CCE9236-69AE-11D9-BED3-505054503030":["Computer Account Management","Account Management"], 
- "0CCE9237-69AE-11D9-BED3-505054503030":["Security Group Management","Account Management"], - "0CCE9238-69AE-11D9-BED3-505054503030":["Distribution Group Management","Account Management"], - "0CCE9239-69AE-11D9-BED3-505054503030":["Application Group Management","Account Management"], - "0CCE923A-69AE-11D9-BED3-505054503030":["Other Account Management Events","Account Management"], - "0CCE923B-69AE-11D9-BED3-505054503030":["Directory Service Access","Account Management"], - "0CCE923C-69AE-11D9-BED3-505054503030":["Directory Service Changes","Account Management"], - "0CCE923D-69AE-11D9-BED3-505054503030":["Directory Service Replication","Account Management"], - "0CCE923E-69AE-11D9-BED3-505054503030":["Detailed Directory Service Replication","Account Management"], - "0CCE923F-69AE-11D9-BED3-505054503030":["Credential Validation","Account Logon"], - "0CCE9240-69AE-11D9-BED3-505054503030":["Kerberos Service Ticket Operations","Account Logon"], - "0CCE9241-69AE-11D9-BED3-505054503030":["Other Account Logon Events","Account Logon"], - "0CCE9242-69AE-11D9-BED3-505054503030":["Kerberos Authentication Service","Account Logon"], - }; - // Descriptions of failure status codes. 
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776
- var logonFailureStatus = {
- "0xc000005e": "There are currently no logon servers available to service the logon request.",
- "0xc0000064": "User logon with misspelled or bad user account",
- "0xc000006a": "User logon with misspelled or bad password",
- "0xc000006d": "This is either due to a bad username or authentication information",
- "0xc000006e": "Unknown user name or bad password.",
- "0xc000006f": "User logon outside authorized hours",
- "0xc0000070": "User logon from unauthorized workstation",
- "0xc0000071": "User logon with expired password",
- "0xc0000072": "User logon to account disabled by administrator",
- "0xc00000dc": "Indicates the Sam Server was in the wrong state to perform the desired operation.",
- "0xc0000133": "Clocks between DC and other computer too far out of sync",
- "0xc000015b": "The user has not been granted the requested logon type (aka logon right) at this machine",
- "0xc000018c": "The logon request failed because the trust relationship between the primary domain and the trusted domain failed.",
- "0xc0000192": "An attempt was made to logon, but the Netlogon service was not started.",
- "0xc0000193": "User logon with expired account",
- "0xc0000224": "User is required to change password at next logon",
- "0xc0000225": "Evidently a bug in Windows and not a risk",
- "0xc0000234": "User logon with account locked",
- "0xc00002ee": "Failure Reason: An Error occurred during Logon",
- "0xc0000413": "Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine.",
- "0xc0000371": "The local account store does not contain secret material for the specified account",
- "0x0": "Status OK.",
- };
- // Message table extracted from msobjs.dll on Windows 2019.
- // https://gist.github.com/andrewkroh/665dca0682bd0e4daf194ab291694012
- var msobjsMessageTable = {
- "279": "Undefined Access (no effect) Bit 7",
- "1536": "Unused message ID",
- "1537": "DELETE",
- "1538": "READ_CONTROL",
- "1539": "WRITE_DAC",
- "1540": "WRITE_OWNER",
- "1541": "SYNCHRONIZE",
- "1542": "ACCESS_SYS_SEC",
- "1543": "MAX_ALLOWED",
- "1552": "Unknown specific access (bit 0)",
- "1553": "Unknown specific access (bit 1)",
- "1554": "Unknown specific access (bit 2)",
- "1555": "Unknown specific access (bit 3)",
- "1556": "Unknown specific access (bit 4)",
- "1557": "Unknown specific access (bit 5)",
- "1558": "Unknown specific access (bit 6)",
- "1559": "Unknown specific access (bit 7)",
- "1560": "Unknown specific access (bit 8)",
- "1561": "Unknown specific access (bit 9)",
- "1562": "Unknown specific access (bit 10)",
- "1563": "Unknown specific access (bit 11)",
- "1564": "Unknown specific access (bit 12)",
- "1565": "Unknown specific access (bit 13)",
- "1566": "Unknown specific access (bit 14)",
- "1567": "Unknown specific access (bit 15)",
- "1601": "Not used",
- "1603": "Assign Primary Token Privilege",
- "1604": "Lock Memory Privilege",
- "1605": "Increase Memory Quota Privilege",
- "1606": "Unsolicited Input Privilege",
- "1607": "Trusted Computer Base Privilege",
- "1608": "Security Privilege",
- "1609": "Take Ownership Privilege",
- "1610": "Load/Unload Driver Privilege",
- "1611": "Profile System Privilege",
- "1612": "Set System Time Privilege",
- "1613": "Profile Single Process Privilege",
- "1614": "Increment Base Priority Privilege",
- "1615": "Create Pagefile Privilege",
- "1616": "Create Permanent Object Privilege",
- "1617": "Backup Privilege",
- "1618": "Restore From Backup Privilege",
- "1619": "Shutdown System Privilege",
- "1620": "Debug Privilege",
- "1621": "View or Change Audit Log Privilege",
- "1622": "Change Hardware Environment Privilege",
- "1623": "Change Notify (and Traverse) Privilege",
- "1624": "Remotely Shut System Down Privilege",
- "1792": "",
- "1794": "",
- "1795": "Enabled",
- "1796": "Disabled",
- "1797": "All",
- "1798": "None",
- "1799": "Audit Policy query/set API Operation",
- "1800": "",
- "1801": "Granted by",
- "1802": "Denied by",
- "1803": "Denied by Integrity Policy check",
- "1804": "Granted by Ownership",
- "1805": "Not granted",
- "1806": "Granted by NULL DACL",
- "1807": "Denied by Empty DACL",
- "1808": "Granted by NULL Security Descriptor",
- "1809": "Unknown or unchecked",
- "1810": "Not granted due to missing",
- "1811": "Granted by ACE on parent folder",
- "1812": "Denied by ACE on parent folder",
- "1813": "Granted by Central Access Rule",
- "1814": "NOT Granted by Central Access Rule",
- "1815": "Granted by parent folder's Central Access Rule",
- "1816": "NOT Granted by parent folder's Central Access Rule",
- "1817": "Unknown Type",
- "1818": "String",
- "1819": "Unsigned 64-bit Integer",
- "1820": "64-bit Integer",
- "1821": "FQBN",
- "1822": "Blob",
- "1823": "Sid",
- "1824": "Boolean",
- "1825": "TRUE",
- "1826": "FALSE",
- "1827": "Invalid",
- "1828": "an ACE too long to display",
- "1829": "a Security Descriptor too long to display",
- "1830": "Not granted to AppContainers",
- "1831": "...",
- "1832": "Identification",
- "1833": "Impersonation",
- "1840": "Delegation",
- "1841": "Denied by Process Trust Label ACE",
- "1842": "Yes",
- "1843": "No",
- "1844": "System",
- "1845": "Not Available",
- "1846": "Default",
- "1847": "DisallowMmConfig",
- "1848": "Off",
- "1849": "Auto",
- "1872": "REG_NONE",
- "1873": "REG_SZ",
- "1874": "REG_EXPAND_SZ",
- "1875": "REG_BINARY",
- "1876": "REG_DWORD",
- "1877": "REG_DWORD_BIG_ENDIAN",
- "1878": "REG_LINK",
- "1879": "REG_MULTI_SZ (New lines are replaced with *. A * is replaced with **)",
- "1880": "REG_RESOURCE_LIST",
- "1881": "REG_FULL_RESOURCE_DESCRIPTOR",
- "1882": "REG_RESOURCE_REQUIREMENTS_LIST",
- "1883": "REG_QWORD",
- "1904": "New registry value created",
- "1905": "Existing registry value modified",
- "1906": "Registry value deleted",
- "1920": "Sunday",
- "1921": "Monday",
- "1922": "Tuesday",
- "1923": "Wednesday",
- "1924": "Thursday",
- "1925": "Friday",
- "1926": "Saturday",
- "1936": "TokenElevationTypeDefault (1)",
- "1937": "TokenElevationTypeFull (2)",
- "1938": "TokenElevationTypeLimited (3)",
- "2048": "Account Enabled",
- "2049": "Home Directory Required' - Disabled",
- "2050": "Password Not Required' - Disabled",
- "2051": "Temp Duplicate Account' - Disabled",
- "2052": "Normal Account' - Disabled",
- "2053": "MNS Logon Account' - Disabled",
- "2054": "Interdomain Trust Account' - Disabled",
- "2055": "Workstation Trust Account' - Disabled",
- "2056": "Server Trust Account' - Disabled",
- "2057": "Don't Expire Password' - Disabled",
- "2058": "Account Unlocked",
- "2059": "Encrypted Text Password Allowed' - Disabled",
- "2060": "Smartcard Required' - Disabled",
- "2061": "Trusted For Delegation' - Disabled",
- "2062": "Not Delegated' - Disabled",
- "2063": "Use DES Key Only' - Disabled",
- "2064": "Don't Require Preauth' - Disabled",
- "2065": "Password Expired' - Disabled",
- "2066": "Trusted To Authenticate For Delegation' - Disabled",
- "2067": "Exclude Authorization Information' - Disabled",
- "2068": "Undefined UserAccountControl Bit 20' - Disabled",
- "2069": "Protect Kerberos Service Tickets with AES Keys' - Disabled",
- "2070": "Undefined UserAccountControl Bit 22' - Disabled",
- "2071": "Undefined UserAccountControl Bit 23' - Disabled",
- "2072": "Undefined UserAccountControl Bit 24' - Disabled",
- "2073": "Undefined UserAccountControl Bit 25' - Disabled",
- "2074": "Undefined UserAccountControl Bit 26' - Disabled",
- "2075": "Undefined UserAccountControl Bit 27' - Disabled",
- "2076": "Undefined UserAccountControl Bit 28' - Disabled",
- "2077": "Undefined UserAccountControl Bit 29' - Disabled",
- "2078": "Undefined UserAccountControl Bit 30' - Disabled",
- "2079": "Undefined UserAccountControl Bit 31' - Disabled",
- "2080": "Account Disabled",
- "2081": "Home Directory Required' - Enabled",
- "2082": "Password Not Required' - Enabled",
- "2083": "Temp Duplicate Account' - Enabled",
- "2084": "Normal Account' - Enabled",
- "2085": "MNS Logon Account' - Enabled",
- "2086": "Interdomain Trust Account' - Enabled",
- "2087": "Workstation Trust Account' - Enabled",
- "2088": "Server Trust Account' - Enabled",
- "2089": "Don't Expire Password' - Enabled",
- "2090": "Account Locked",
- "2091": "Encrypted Text Password Allowed' - Enabled",
- "2092": "Smartcard Required' - Enabled",
- "2093": "Trusted For Delegation' - Enabled",
- "2094": "Not Delegated' - Enabled",
- "2095": "Use DES Key Only' - Enabled",
- "2096": "Don't Require Preauth' - Enabled",
- "2097": "Password Expired' - Enabled",
- "2098": "Trusted To Authenticate For Delegation' - Enabled",
- "2099": "Exclude Authorization Information' - Enabled",
- "2100": "Undefined UserAccountControl Bit 20' - Enabled",
- "2101": "Protect Kerberos Service Tickets with AES Keys' - Enabled",
- "2102": "Undefined UserAccountControl Bit 22' - Enabled",
- "2103": "Undefined UserAccountControl Bit 23' - Enabled",
- "2104": "Undefined UserAccountControl Bit 24' - Enabled",
- "2105": "Undefined UserAccountControl Bit 25' - Enabled",
- "2106": "Undefined UserAccountControl Bit 26' - Enabled",
- "2107": "Undefined UserAccountControl Bit 27' - Enabled",
- "2108": "Undefined UserAccountControl Bit 28' - Enabled",
- "2109": "Undefined UserAccountControl Bit 29' - Enabled",
- "2110": "Undefined UserAccountControl Bit 30' - Enabled",
- "2111": "Undefined UserAccountControl Bit 31' - Enabled",
- "2304": "An Error occured during Logon.",
- "2305": "The specified user account has expired.",
- "2306": "The NetLogon component is not active.",
- "2307": "Account locked out.",
- "2308": "The user has not been granted the requested logon type at this machine.",
- "2309": "The specified account's password has expired.",
- "2310": "Account currently disabled.",
- "2311": "Account logon time restriction violation.",
- "2312": "User not allowed to logon at this computer.",
- "2313": "Unknown user name or bad password.",
- "2314": "Domain sid inconsistent.",
- "2315": "Smartcard logon is required and was not used.",
- "2432": "Not Available.",
- "2436": "Random number generator failure.",
- "2437": "Random number generation failed FIPS-140 pre-hash check.",
- "2438": "Failed to zero secret data.",
- "2439": "Key failed pair wise consistency check.",
- "2448": "Failed to unprotect persistent cryptographic key.",
- "2449": "Key export checks failed.",
- "2450": "Validation of public key failed.",
- "2451": "Signature verification failed.",
- "2456": "Open key file.",
- "2457": "Delete key file.",
- "2458": "Read persisted key from file.",
- "2459": "Write persisted key to file.",
- "2464": "Export of persistent cryptographic key.",
- "2465": "Import of persistent cryptographic key.",
- "2480": "Open Key.",
- "2481": "Create Key.",
- "2482": "Delete Key.",
- "2483": "Encrypt.",
- "2484": "Decrypt.",
- "2485": "Sign hash.",
- "2486": "Secret agreement.",
- "2487": "Domain settings",
- "2488": "Local settings",
- "2489": "Add provider.",
- "2490": "Remove provider.",
- "2491": "Add context.",
- "2492": "Remove context.",
- "2493": "Add function.",
- "2494": "Remove function.",
- "2495": "Add function provider.",
- "2496": "Remove function provider.",
- "2497": "Add function property.",
- "2498": "Remove function property.",
- "2499": "Machine key.",
- "2500": "User key.",
- "2501": "Key Derivation.",
- "4352": "Device Access Bit 0",
- "4353": "Device Access Bit 1",
- "4354": "Device Access Bit 2",
- "4355": "Device Access Bit 3",
- "4356": "Device Access Bit 4",
- "4357": "Device Access Bit 5",
- "4358": "Device Access Bit 6",
- "4359": "Device Access Bit 7",
- "4360": "Device Access Bit 8",
- "4361": "Undefined Access (no effect) Bit 9",
- "4362": "Undefined Access (no effect) Bit 10",
- "4363": "Undefined Access (no effect) Bit 11",
- "4364": "Undefined Access (no effect) Bit 12",
- "4365": "Undefined Access (no effect) Bit 13",
- "4366": "Undefined Access (no effect) Bit 14",
- "4367": "Undefined Access (no effect) Bit 15",
- "4368": "Query directory",
- "4369": "Traverse",
- "4370": "Create object in directory",
- "4371": "Create sub-directory",
- "4372": "Undefined Access (no effect) Bit 4",
- "4373": "Undefined Access (no effect) Bit 5",
- "4374": "Undefined Access (no effect) Bit 6",
- "4375": "Undefined Access (no effect) Bit 7",
- "4376": "Undefined Access (no effect) Bit 8",
- "4377": "Undefined Access (no effect) Bit 9",
- "4378": "Undefined Access (no effect) Bit 10",
- "4379": "Undefined Access (no effect) Bit 11",
- "4380": "Undefined Access (no effect) Bit 12",
- "4381": "Undefined Access (no effect) Bit 13",
- "4382": "Undefined Access (no effect) Bit 14",
- "4383": "Undefined Access (no effect) Bit 15",
- "4384": "Query event state",
- "4385": "Modify event state",
- "4386": "Undefined Access (no effect) Bit 2",
- "4387": "Undefined Access (no effect) Bit 3",
- "4388": "Undefined Access (no effect) Bit 4",
- "4389": "Undefined Access (no effect) Bit 5",
- "4390": "Undefined Access (no effect) Bit 6",
- "4391": "Undefined Access (no effect) Bit 7",
- "4392": "Undefined Access (no effect) Bit 8",
- "4393": "Undefined Access (no effect) Bit 9",
- "4394": "Undefined Access (no effect) Bit 10",
- "4395": "Undefined Access (no effect) Bit 11",
- "4396": "Undefined Access (no effect) Bit 12",
- "4397": "Undefined Access (no effect) Bit 13",
- "4398": "Undefined Access (no effect) Bit 14",
- "4399": "Undefined Access (no effect) Bit 15",
- "4416": "ReadData (or ListDirectory)",
- "4417": "WriteData (or AddFile)",
- "4418": "AppendData (or AddSubdirectory or CreatePipeInstance)",
- "4419": "ReadEA",
- "4420": "WriteEA",
- "4421": "Execute/Traverse",
- "4422": "DeleteChild",
- "4423": "ReadAttributes",
- "4424": "WriteAttributes",
- "4425": "Undefined Access (no effect) Bit 9",
- "4426": "Undefined Access (no effect) Bit 10",
- "4427": "Undefined Access (no effect) Bit 11",
- "4428": "Undefined Access (no effect) Bit 12",
- "4429": "Undefined Access (no effect) Bit 13",
- "4430": "Undefined Access (no effect) Bit 14",
- "4431": "Undefined Access (no effect) Bit 15",
- "4432": "Query key value",
- "4433": "Set key value",
- "4434": "Create sub-key",
- "4435": "Enumerate sub-keys",
- "4436": "Notify about changes to keys",
- "4437": "Create Link",
- "4438": "Undefined Access (no effect) Bit 6",
- "4439": "Undefined Access (no effect) Bit 7",
- "4440": "Enable 64(or 32) bit application to open 64 bit key",
- "4441": "Enable 64(or 32) bit application to open 32 bit key",
- "4442": "Undefined Access (no effect) Bit 10",
- "4443": "Undefined Access (no effect) Bit 11",
- "4444": "Undefined Access (no effect) Bit 12",
- "4445": "Undefined Access (no effect) Bit 13",
- "4446": "Undefined Access (no effect) Bit 14",
- "4447": "Undefined Access (no effect) Bit 15",
- "4448": "Query mutant state",
- "4449": "Undefined Access (no effect) Bit 1",
- "4450": "Undefined Access (no effect) Bit 2",
- "4451": "Undefined Access (no effect) Bit 3",
- "4452": "Undefined Access (no effect) Bit 4",
- "4453": "Undefined Access (no effect) Bit 5",
- "4454": "Undefined Access (no effect) Bit 6",
- "4455": "Undefined Access (no effect) Bit 7",
- "4456": "Undefined Access (no effect) Bit 8",
- "4457": "Undefined Access (no effect) Bit 9",
- "4458": "Undefined Access (no effect) Bit 10",
- "4459": "Undefined Access (no effect) Bit 11",
- "4460": "Undefined Access (no effect) Bit 12",
- "4461": "Undefined Access (no effect) Bit 13",
- "4462": "Undefined Access (no effect) Bit 14",
- "4463": "Undefined Access (no effect) Bit 15",
- "4464": "Communicate using port",
- "4465": "Undefined Access (no effect) Bit 1",
- "4466": "Undefined Access (no effect) Bit 2",
- "4467": "Undefined Access (no effect) Bit 3",
- "4468": "Undefined Access (no effect) Bit 4",
- "4469": "Undefined Access (no effect) Bit 5",
- "4470": "Undefined Access (no effect) Bit 6",
- "4471": "Undefined Access (no effect) Bit 7",
- "4472": "Undefined Access (no effect) Bit 8",
- "4473": "Undefined Access (no effect) Bit 9",
- "4474": "Undefined Access (no effect) Bit 10",
- "4475": "Undefined Access (no effect) Bit 11",
- "4476": "Undefined Access (no effect) Bit 12",
- "4477": "Undefined Access (no effect) Bit 13",
- "4478": "Undefined Access (no effect) Bit 14",
- "4479": "Undefined Access (no effect) Bit 15",
- "4480": "Force process termination",
- "4481": "Create new thread in process",
- "4482": "Set process session ID",
- "4483": "Perform virtual memory operation",
- "4484": "Read from process memory",
- "4485": "Write to process memory",
- "4486": "Duplicate handle into or out of process",
- "4487": "Create a subprocess of process",
- "4488": "Set process quotas",
- "4489": "Set process information",
- "4490": "Query process information",
- "4491": "Set process termination port",
- "4492": "Undefined Access (no effect) Bit 12",
- "4493": "Undefined Access (no effect) Bit 13",
- "4494": "Undefined Access (no effect) Bit 14",
- "4495": "Undefined Access (no effect) Bit 15",
- "4496": "Control profile",
- "4497": "Undefined Access (no effect) Bit 1",
- "4498": "Undefined Access (no effect) Bit 2",
- "4499": "Undefined Access (no effect) Bit 3",
- "4500": "Undefined Access (no effect) Bit 4",
- "4501": "Undefined Access (no effect) Bit 5",
- "4502": "Undefined Access (no effect) Bit 6",
- "4503": "Undefined Access (no effect) Bit 7",
- "4504": "Undefined Access (no effect) Bit 8",
- "4505": "Undefined Access (no effect) Bit 9",
- "4506": "Undefined Access (no effect) Bit 10",
- "4507": "Undefined Access (no effect) Bit 11",
- "4508": "Undefined Access (no effect) Bit 12",
- "4509": "Undefined Access (no effect) Bit 13",
- "4510": "Undefined Access (no effect) Bit 14",
- "4511": "Undefined Access (no effect) Bit 15",
- "4512": "Query section state",
- "4513": "Map section for write",
- "4514": "Map section for read",
- "4515": "Map section for execute",
- "4516": "Extend size",
- "4517": "Undefined Access (no effect) Bit 5",
- "4518": "Undefined Access (no effect) Bit 6",
- "4519": "Undefined Access (no effect) Bit 7",
- "4520": "Undefined Access (no effect) Bit 8",
- "4521": "Undefined Access (no effect) Bit 9",
- "4522": "Undefined Access (no effect) Bit 10",
- "4523": "Undefined Access (no effect) Bit 11",
- "4524": "Undefined Access (no effect) Bit 12",
- "4525": "Undefined Access (no effect) Bit 13",
- "4526": "Undefined Access (no effect) Bit 14",
- "4527": "Undefined Access (no effect) Bit 15",
- "4528": "Query semaphore state",
- "4529": "Modify semaphore state",
- "4530": "Undefined Access (no effect) Bit 2",
- "4531": "Undefined Access (no effect) Bit 3",
- "4532": "Undefined Access (no effect) Bit 4",
- "4533": "Undefined Access (no effect) Bit 5",
- "4534": "Undefined Access (no effect) Bit 6",
- "4535": "Undefined Access (no effect) Bit 7",
- "4536": "Undefined Access (no effect) Bit 8",
- "4537": "Undefined Access (no effect) Bit 9",
- "4538": "Undefined Access (no effect) Bit 10",
- "4539": "Undefined Access (no effect) Bit 11",
- "4540": "Undefined Access (no effect) Bit 12",
- "4541": "Undefined Access (no effect) Bit 13",
- "4542": "Undefined Access (no effect) Bit 14",
- "4543": "Undefined Access (no effect) Bit 15",
- "4544": "Use symbolic link",
- "4545": "Undefined Access (no effect) Bit 1",
- "4546": "Undefined Access (no effect) Bit 2",
- "4547": "Undefined Access (no effect) Bit 3",
- "4548": "Undefined Access (no effect) Bit 4",
- "4549": "Undefined Access (no effect) Bit 5",
- "4550": "Undefined Access (no effect) Bit 6",
- "4551": "Undefined Access (no effect) Bit 7",
- "4552": "Undefined Access (no effect) Bit 8",
- "4553": "Undefined Access (no effect) Bit 9",
- "4554": "Undefined Access (no effect) Bit 10",
- "4555": "Undefined Access (no effect) Bit 11",
- "4556": "Undefined Access (no effect) Bit 12",
- "4557": "Undefined Access (no effect) Bit 13",
- "4558": "Undefined Access (no effect) Bit 14",
- "4559": "Undefined Access (no effect) Bit 15",
- "4560": "Force thread termination",
- "4561": "Suspend or resume thread",
- "4562": "Send an alert to thread",
- "4563": "Get thread context",
- "4564": "Set thread context",
- "4565": "Set thread information",
- "4566": "Query thread information",
- "4567": "Assign a token to the thread",
- "4568": "Cause thread to directly impersonate another thread",
- "4569": "Directly impersonate this thread",
- "4570": "Undefined Access (no effect) Bit 10",
- "4571": "Undefined Access (no effect) Bit 11",
- "4572": "Undefined Access (no effect) Bit 12",
- "4573": "Undefined Access (no effect) Bit 13",
- "4574": "Undefined Access (no effect) Bit 14",
- "4575": "Undefined Access (no effect) Bit 15",
- "4576": "Query timer state",
- "4577": "Modify timer state",
- "4578": "Undefined Access (no effect) Bit 2",
- "4579": "Undefined Access (no effect) Bit 3",
- "4580": "Undefined Access (no effect) Bit 4",
- "4581": "Undefined Access (no effect) Bit 5",
- "4582": "Undefined Access (no effect) Bit 6",
- "4584": "Undefined Access (no effect) Bit 8",
- "4585": "Undefined Access (no effect) Bit 9",
- "4586": "Undefined Access (no effect) Bit 10",
- "4587": "Undefined Access (no effect) Bit 11",
- "4588": "Undefined Access (no effect) Bit 12",
- "4589": "Undefined Access (no effect) Bit 13",
- "4590": "Undefined Access (no effect) Bit 14",
- "4591": "Undefined Access (no effect) Bit 15",
- "4592": "AssignAsPrimary",
- "4593": "Duplicate",
- "4594": "Impersonate",
- "4595": "Query",
- "4596": "QuerySource",
- "4597": "AdjustPrivileges",
- "4598": "AdjustGroups",
- "4599": "AdjustDefaultDacl",
- "4600": "AdjustSessionID",
- "4601": "Undefined Access (no effect) Bit 9",
- "4602": "Undefined Access (no effect) Bit 10",
- "4603": "Undefined Access (no effect) Bit 11",
- "4604": "Undefined Access (no effect) Bit 12",
- "4605": "Undefined Access (no effect) Bit 13",
- "4606": "Undefined Access (no effect) Bit 14",
- "4607": "Undefined Access (no effect) Bit 15",
- "4608": "Create instance of object type",
- "4609": "Undefined Access (no effect) Bit 1",
- "4610": "Undefined Access (no effect) Bit 2",
- "4611": "Undefined Access (no effect) Bit 3",
- "4612": "Undefined Access (no effect) Bit 4",
- "4613": "Undefined Access (no effect) Bit 5",
- "4614": "Undefined Access (no effect) Bit 6",
- "4615": "Undefined Access (no effect) Bit 7",
- "4616": "Undefined Access (no effect) Bit 8",
- "4617": "Undefined Access (no effect) Bit 9",
- "4618": "Undefined Access (no effect) Bit 10",
- "4619": "Undefined Access (no effect) Bit 11",
- "4620": "Undefined Access (no effect) Bit 12",
- "4621": "Undefined Access (no effect) Bit 13",
- "4622": "Undefined Access (no effect) Bit 14",
- "4623": "Undefined Access (no effect) Bit 15",
- "4864": "Query State",
- "4865": "Modify State",
- "5120": "Channel read message",
- "5121": "Channel write message",
- "5122": "Channel query information",
- "5123": "Channel set information",
- "5124": "Undefined Access (no effect) Bit 4",
- "5125": "Undefined Access (no effect) Bit 5",
- "5126": "Undefined Access (no effect) Bit 6",
- "5127": "Undefined Access (no effect) Bit 7",
- "5128": "Undefined Access (no effect) Bit 8",
- "5129": "Undefined Access (no effect) Bit 9",
- "5130": "Undefined Access (no effect) Bit 10",
- "5131": "Undefined Access (no effect) Bit 11",
- "5132": "Undefined Access (no effect) Bit 12",
- "5133": "Undefined Access (no effect) Bit 13",
- "5134": "Undefined Access (no effect) Bit 14",
- "5135": "Undefined Access (no effect) Bit 15",
- "5136": "Assign process",
- "5137": "Set Attributes",
- "5138": "Query Attributes",
- "5139": "Terminate Job",
- "5140": "Set Security Attributes",
- "5141": "Undefined Access (no effect) Bit 5",
- "5142": "Undefined Access (no effect) Bit 6",
- "5143": "Undefined Access (no effect) Bit 7",
- "5144": "Undefined Access (no effect) Bit 8",
- "5145": "Undefined Access (no effect) Bit 9",
- "5146": "Undefined Access (no effect) Bit 10",
- "5147": "Undefined Access (no effect) Bit 11",
- "5148": "Undefined Access (no effect) Bit 12",
- "5149": "Undefined Access (no effect) Bit 13",
- "5150": "Undefined Access (no effect) Bit 14",
- "5151": "Undefined Access (no effect) Bit 15",
- "5376": "ConnectToServer",
- "5377": "ShutdownServer",
- "5378": "InitializeServer",
- "5379": "CreateDomain",
- "5380": "EnumerateDomains",
- "5381": "LookupDomain",
- "5382": "Undefined Access (no effect) Bit 6",
- "5383": "Undefined Access (no effect) Bit 7",
- "5384": "Undefined Access (no effect) Bit 8",
- "5385": "Undefined Access (no effect) Bit 9",
- "5386": "Undefined Access (no effect) Bit 10",
- "5387": "Undefined Access (no effect) Bit 11",
- "5388": "Undefined Access (no effect) Bit 12",
- "5389": "Undefined Access (no effect) Bit 13",
- "5390": "Undefined Access (no effect) Bit 14",
- "5391": "Undefined Access (no effect) Bit 15",
- "5392": "ReadPasswordParameters",
- "5393": "WritePasswordParameters",
- "5394": "ReadOtherParameters",
- "5395": "WriteOtherParameters",
- "5396": "CreateUser",
- "5397": "CreateGlobalGroup",
- "5398": "CreateLocalGroup",
- "5399": "GetLocalGroupMembership",
- "5400": "ListAccounts",
- "5401": "LookupIDs",
- "5402": "AdministerServer",
- "5403": "Undefined Access (no effect) Bit 11",
- "5404": "Undefined Access (no effect) Bit 12",
- "5405": "Undefined Access (no effect) Bit 13",
- "5406": "Undefined Access (no effect) Bit 14",
- "5407": "Undefined Access (no effect) Bit 15",
- "5408": "ReadInformation",
- "5409": "WriteAccount",
- "5410": "AddMember",
- "5411": "RemoveMember",
- "5412": "ListMembers",
- "5413": "Undefined Access (no effect) Bit 5",
- "5414": "Undefined Access (no effect) Bit 6",
- "5415": "Undefined Access (no effect) Bit 7",
- "5416": "Undefined Access (no effect) Bit 8",
- "5417": "Undefined Access (no effect) Bit 9",
- "5418": "Undefined Access (no effect) Bit 10",
- "5419": "Undefined Access (no effect) Bit 11",
- "5420": "Undefined Access (no effect) Bit 12",
- "5421": "Undefined Access (no effect) Bit 13",
- "5422": "Undefined Access (no effect) Bit 14",
- "5423": "Undefined Access (no effect) Bit 15",
- "5424": "AddMember",
- "5425": "RemoveMember",
- "5426": "ListMembers",
- "5427": "ReadInformation",
- "5428": "WriteAccount",
- "5429": "Undefined Access (no effect) Bit 5",
- "5430": "Undefined Access (no effect) Bit 6",
- "5431": "Undefined Access (no effect) Bit 7",
- "5432": "Undefined Access (no effect) Bit 8",
- "5433": "Undefined Access (no effect) Bit 9",
- "5434": "Undefined Access (no effect) Bit 10",
- "5435": "Undefined Access (no effect) Bit 11",
- "5436": "Undefined Access (no effect) Bit 12",
- "5437": "Undefined Access (no effect) Bit 13",
- "5438": "Undefined Access (no effect) Bit 14",
- "5439": "Undefined Access (no effect) Bit 15",
- "5440": "ReadGeneralInformation",
- "5441": "ReadPreferences",
- "5442": "WritePreferences",
- "5443": "ReadLogon",
- "5444": "ReadAccount",
- "5445": "WriteAccount",
- "5446": "ChangePassword (with knowledge of old password)",
- "5447": "SetPassword (without knowledge of old password)",
- "5448": "ListGroups",
- "5449": "ReadGroupMembership",
- "5450": "ChangeGroupMembership",
- "5451": "Undefined Access (no effect) Bit 11",
- "5452": "Undefined Access (no effect) Bit 12",
- "5453": "Undefined Access (no effect) Bit 13",
- "5454": "Undefined Access (no effect) Bit 14",
- "5455": "Undefined Access (no effect) Bit 15",
- "5632": "View non-sensitive policy information",
- "5633": "View system audit requirements",
- "5634": "Get sensitive policy information",
- "5635": "Modify domain trust relationships",
- "5636": "Create special accounts (for assignment of user rights)",
- "5637": "Create a secret object",
- "5638": "Create a privilege",
- "5639": "Set default quota limits",
- "5640": "Change system audit requirements",
- "5641": "Administer audit log attributes",
- "5642": "Enable/Disable LSA",
- "5643": "Lookup Names/SIDs",
- "5648": "Change secret value",
- "5649": "Query secret value",
- "5650": "Undefined Access (no effect) Bit 2",
- "5651": "Undefined Access (no effect) Bit 3",
- "5652": "Undefined Access (no effect) Bit 4",
- "5653": "Undefined Access (no effect) Bit 5",
- "5654": "Undefined Access (no effect) Bit 6",
- "5655": "Undefined Access (no effect) Bit 7",
- "5656": "Undefined Access (no effect) Bit 8",
- "5657": "Undefined Access (no effect) Bit 9",
- "5658": "Undefined Access (no effect) Bit 10",
- "5659": "Undefined Access (no effect) Bit 11",
- "5660": "Undefined Access (no effect) Bit 12",
- "5661": "Undefined Access (no effect) Bit 13",
- "5662": "Undefined Access (no effect) Bit 14",
- "5663": "Undefined Access (no effect) Bit 15",
- "5664": "Query trusted domain name/SID",
- "5665": "Retrieve the controllers in the trusted domain",
- "5666": "Change the controllers in the trusted domain",
- "5667": "Query the Posix ID offset assigned to the trusted domain",
- "5668": "Change the Posix ID offset assigned to the trusted domain",
- "5669": "Undefined Access (no effect) Bit 5",
- "5670": "Undefined Access (no effect) Bit 6",
- "5671": "Undefined Access (no effect) Bit 7",
- "5672": "Undefined Access (no effect) Bit 8",
- "5673": "Undefined Access (no effect) Bit 9",
- "5674": "Undefined Access (no effect) Bit 10",
- "5675": "Undefined Access (no effect) Bit 11",
- "5676": "Undefined Access (no effect) Bit 12",
- "5677": "Undefined Access (no effect) Bit 13",
- "5678": "Undefined Access (no effect) Bit 14",
- "5679": "Undefined Access (no effect) Bit 15",
- "5680": "Query account information",
- "5681": "Change privileges assigned to account",
- "5682": "Change quotas assigned to account",
- "5683": "Change logon capabilities assigned to account",
- "5684": "Change the Posix ID offset assigned to the accounted domain",
- "5685": "Undefined Access (no effect) Bit 5",
- "5686": "Undefined Access (no effect) Bit 6",
- "5687": "Undefined Access (no effect) Bit 7",
- "5688": "Undefined Access (no effect) Bit 8",
- "5689": "Undefined Access (no effect) Bit 9",
- "5690": "Undefined Access (no effect) Bit 10",
- "5691": "Undefined Access (no effect) Bit 11",
- "5692": "Undefined Access (no effect) Bit 12",
- "5693": "Undefined Access (no effect) Bit 13",
- "5694": "Undefined Access (no effect) Bit 14",
- "5695": "Undefined Access (no effect) Bit 15",
- "5696": "KeyedEvent Wait",
- "5697": "KeyedEvent Wake",
- "5698": "Undefined Access (no effect) Bit 2",
- "5699": "Undefined Access (no effect) Bit 3",
- "5700": "Undefined Access (no effect) Bit 4",
- "5701": "Undefined Access (no effect) Bit 5",
- "5702": "Undefined Access (no effect) Bit 6",
- "5703": "Undefined Access (no effect) Bit 7",
- "5704": "Undefined Access (no effect) Bit 8",
- "5705": "Undefined Access (no effect) Bit 9",
- "5706": "Undefined Access (no effect) Bit 10",
- "5707": "Undefined Access (no effect) Bit 11",
- "5708": "Undefined Access (no effect) Bit 12",
- "5709": "Undefined Access (no effect) Bit 13",
- "5710": "Undefined Access (no effect) Bit 14",
- "5711": "Undefined Access (no effect) Bit 15",
- "6656": "Enumerate desktops",
- "6657": "Read attributes",
- "6658": "Access Clipboard",
- "6659": "Create desktop",
- "6660": "Write attributes",
- "6661": "Access global atoms",
- "6662": "Exit windows",
- "6663": "Unused Access Flag",
- "6664": "Include this windowstation in enumerations",
- "6665": "Read screen",
- "6672": "Read Objects",
- "6673": "Create window",
- "6674": "Create menu",
- "6675": "Hook control",
- "6676": "Journal (record)",
- "6677": "Journal (playback)",
- "6678": "Include this desktop in enumerations",
- "6679": "Write objects",
- "6680": "Switch to this desktop",
- "6912": "Administer print server",
- "6913": "Enumerate printers",
- "6930": "Full Control",
- "6931": "Print",
- "6948": "Administer Document",
- "7168": "Connect to service controller",
- "7169": "Create a new service",
- "7170": "Enumerate services",
- "7171": "Lock service database for exclusive access",
- "7172": "Query service database lock state",
- "7173": "Set last-known-good state of service database",
- "7184": "Query service configuration information",
- "7185": "Set service configuration information",
- "7186": "Query status of service",
- "7187": "Enumerate dependencies of service",
- "7188": "Start the service",
- "7189": "Stop the service",
- "7190": "Pause or continue the service",
- "7191": "Query information from service",
- "7192": "Issue service-specific control commands",
- "7424": "DDE Share Read",
- "7425": "DDE Share Write",
- "7426": "DDE Share Initiate Static",
- "7427": "DDE Share Initiate Link",
- "7428": "DDE Share Request",
- "7429": "DDE Share Advise",
- "7430": "DDE Share Poke",
- "7431": "DDE Share Execute",
- "7432": "DDE Share Add Items",
- "7433": "DDE Share List Items",
- "7680": "Create Child",
- "7681": "Delete Child",
- "7682": "List Contents",
- "7683": "Write Self",
- "7684": "Read Property",
- "7685": "Write Property",
- "7686": "Delete Tree",
- "7687": "List Object",
- "7688": "Control Access",
- "7689": "Undefined Access (no effect) Bit 9",
- "7690": "Undefined Access (no effect) Bit 10",
- "7691": "Undefined Access (no effect) Bit 11",
- "7692": "Undefined Access (no effect) Bit 12",
- "7693": "Undefined Access (no effect) Bit 13",
- "7694": "Undefined Access (no effect) Bit 14",
- "7695": "Undefined Access (no effect) Bit 15",
- "7936": "Audit Set System Policy",
- "7937": "Audit Query System Policy",
- "7938": "Audit Set Per User Policy",
- "7939": "Audit Query Per User Policy",
- "7940": "Audit Enumerate Users",
- "7941": "Audit Set Options",
- "7942": "Audit Query Options",
- "8064": "Port sharing (read)",
- "8065": "Port sharing (write)",
- "8096": "Default credentials",
- "8097": "Credentials manager",
- "8098": "Fresh credentials",
- "8192": "Kerberos",
- "8193": "Preshared key",
- "8194": "Unknown authentication",
- "8195": "DES",
- "8196": "3DES",
- "8197": "MD5",
- "8198": "SHA1",
- "8199": "Local computer",
- "8200": "Remote computer",
- "8201": "No state",
- "8202": "Sent first (SA) payload",
- "8203": "Sent second (KE) payload",
- "8204": "Sent third (ID) payload",
- "8205": "Initiator",
- "8206": "Responder",
- "8207": "No state",
- "8208": "Sent first (SA) payload",
- "8209": "Sent final payload",
- "8210": "Complete",
- "8211": "Unknown",
- "8212": "Transport",
- "8213": "Tunnel",
- "8214": "IKE/AuthIP DoS prevention mode started",
- "8215": "IKE/AuthIP DoS prevention mode stopped",
- "8216": "Enabled",
- "8217": "Not enabled",
- "8218": "No state",
- "8219": "Sent first (EM attributes) payload",
- "8220": "Sent second (SSPI) payload",
- "8221": "Sent third (hash) payload",
- "8222": "IKEv1",
- "8223": "AuthIP",
- "8224": "Anonymous",
- "8225": "NTLM V2",
- "8226": "CGA",
- "8227": "Certificate",
- "8228": "SSL",
- "8229": "None",
- "8230": "DH group 1",
- "8231": "DH group 2",
- "8232": "DH group 14",
- "8233": "DH group ECP 256",
- "8234": "DH group ECP 384",
- "8235": "AES-128",
- "8236": "AES-192",
- "8237": "AES-256",
- "8238": "Certificate ECDSA P256",
- "8239": "Certificate ECDSA P384",
- "8240": "SSL ECDSA P256",
- "8241": "SSL ECDSA P384",
- "8242": "SHA 256",
- "8243": "SHA 384",
- "8244": "IKEv2",
- "8245": "EAP payload sent",
- "8246": "Authentication payload sent",
- "8247": "EAP",
- "8248": "DH group 24",
- "8272": "System",
- "8273": "Logon/Logoff",
- "8274": "Object Access",
- "8275": "Privilege Use",
- "8276": "Detailed Tracking",
- "8277": "Policy Change",
- "8278": "Account Management",
- "8279": "DS Access",
- "8280": "Account Logon",
- "8448": "Success removed",
- "8449": "Success Added",
- "8450": "Failure removed",
- "8451": "Failure Added",
- "8452": "Success include removed",
- "8453": "Success include added",
- "8454": "Success exclude removed",
- "8455": "Success exclude added",
- "8456": "Failure include removed",
- "8457": "Failure include added",
- "8458": "Failure exclude removed",
- "8459": "Failure exclude added",
- "12288": "Security State Change",
- "12289": "Security System Extension",
- "12290": "System Integrity",
- "12291": "IPsec Driver",
- "12292": "Other System Events",
- "12544": "Logon",
- "12545": "Logoff",
- "12546": "Account Lockout",
- "12547": "IPsec Main Mode",
- "12548": "Special Logon",
- "12549": "IPsec Quick Mode",
- "12550": "IPsec Extended Mode",
- "12551": "Other Logon/Logoff Events",
- "12552": "Network Policy Server",
- "12553": "User / Device Claims",
- "12554": "Group Membership",
- "12800": "File System",
- "12801": "Registry",
- "12802": "Kernel Object",
- "12803": "SAM",
- "12804": "Other Object Access Events",
- "12805": "Certification Services",
- "12806": "Application Generated",
- "12807": "Handle Manipulation",
- "12808": "File Share",
- "12809": "Filtering Platform Packet Drop",
- "12810": "Filtering Platform Connection",
- "12811": "Detailed File Share",
- "12812": "Removable Storage",
- "12813": "Central Policy Staging",
- "13056": "Sensitive Privilege Use",
- "13057": "Non Sensitive Privilege Use",
- "13058": "Other Privilege Use Events",
- "13312": "Process Creation",
- "13313": "Process Termination",
- "13314": "DPAPI Activity",
- "13315": "RPC Events",
- "13316": "Plug and Play Events",
- "13317": "Token Right Adjusted Events",
- "13568": "Audit Policy Change",
- "13569": "Authentication Policy Change",
- "13570": "Authorization Policy Change",
- "13571": "MPSSVC Rule-Level Policy Change",
- "13572": "Filtering Platform Policy Change",
- "13573": "Other Policy Change Events",
- "13824": "User Account Management",
- "13825": "Computer Account Management",
- "13826": "Security Group Management",
- "13827": "Distribution Group Management",
- "13828": "Application Group Management",
- "13829": "Other Account Management Events",
- "14080": "Directory Service Access",
- "14081": "Directory Service Changes",
- "14082": "Directory Service Replication",
- "14083": "Detailed Directory Service Replication",
- "14336": "Credential Validation",
- "14337": "Kerberos Service Ticket Operations",
- "14338": "Other Account Logon Events",
- "14339": "Kerberos Authentication Service",
- "14592": "Inbound",
- "14593": "Outbound",
- "14594": "Forward",
- "14595": "Bidirectional",
- "14596": "IP Packet",
- "14597": "Transport",
- "14598": "Forward",
- "14599": "Stream",
- "14600": "Datagram Data",
- "14601": "ICMP Error",
- "14602": "MAC 802.3",
- "14603": "MAC Native",
- "14604": "vSwitch",
- "14608": "Resource Assignment",
- "14609": "Listen",
- "14610": "Receive/Accept",
- "14611": "Connect",
- "14612": "Flow Established",
- "14614": "Resource Release",
- "14615": "Endpoint Closure",
- "14616": "Connect Redirect",
- "14617": "Bind Redirect",
- "14624": "Stream Packet",
- "14640": "ICMP Echo-Request",
- "14641": "vSwitch Ingress",
- "14642": "vSwitch Egress",
- "14672": "",
- "14673": "[NULL]",
- "14674": "Value Added",
- "14675": "Value Deleted",
- "14676": "Active Directory Domain Services",
- "14677": "Active Directory Lightweight Directory Services",
- "14678": "Yes",
- "14679": "No",
- "14680": "Value Added With Expiration Time",
- "14681": "Value Deleted With Expiration Time",
- "14688": "Value Auto Deleted With Expiration Time",
- "16384": "Add",
- "16385": "Delete",
- "16386": "Boot-time",
- "16387": "Persistent",
- "16388": "Not persistent",
- "16389": "Block",
- "16390": "Permit",
- "16391": "Callout",
- "16392": "MD5",
- "16393": "SHA-1",
- "16394": "SHA-256",
- "16395": "AES-GCM 128",
- "16396": "AES-GCM 192",
- "16397": "AES-GCM 256",
- "16398": "DES",
- "16399": "3DES",
- "16400": "AES-128",
- "16401": "AES-192",
- "16402":
"AES-256", - "16403": "Transport", - "16404": "Tunnel", - "16405": "Responder", - "16406": "Initiator", - "16407": "AES-GMAC 128", - "16408": "AES-GMAC 192", - "16409": "AES-GMAC 256", - "16416": "AuthNoEncap Transport", - "16896": "Enable WMI Account", - "16897": "Execute Method", - "16898": "Full Write", - "16899": "Partial Write", - "16900": "Provider Write", - "16901": "Remote Access", - "16902": "Subscribe", - "16903": "Publish", - }; - // Trust Types - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706 - var trustTypes = { - "1": "TRUST_TYPE_DOWNLEVEL", - "2": "TRUST_TYPE_UPLEVEL", - "3": "TRUST_TYPE_MIT", - "4": "TRUST_TYPE_DCE" - } - // Trust Direction - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706 - var trustDirection = { - "0": "TRUST_DIRECTION_DISABLED", - "1": "TRUST_DIRECTION_INBOUND", - "2": "TRUST_DIRECTION_OUTBOUND", - "3": "TRUST_DIRECTION_BIDIRECTIONAL" - } - // Trust Attributes - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706 - var trustAttributes = { - "0": "UNDEFINED", - "1": "TRUST_ATTRIBUTE_NON_TRANSITIVE", - "2": "TRUST_ATTRIBUTE_UPLEVEL_ONLY", - "4": "TRUST_ATTRIBUTE_QUARANTINED_DOMAIN", - "8": "TRUST_ATTRIBUTE_FOREST_TRANSITIVE", - "16": "TRUST_ATTRIBUTE_CROSS_ORGANIZATION", - "32": "TRUST_ATTRIBUTE_WITHIN_FOREST", - "64": "TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL", - "128": "TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION", - "512": "TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION", - "1024": "TRUST_ATTRIBUTE_PIM_TRUST" - } - // SDDL Ace Types - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4715 - // https://docs.microsoft.com/en-us/windows/win32/secauthz/ace-strings - // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/f4296d69-1c0f-491f-9587-a960b292d070 - var aceTypes = { - "A": "Access Allowed", - "D": "Access Denied", - "OA": "Object Access Allowed", - "OD": 
"Object Access Denied", - "AU": "System Audit", - "AL": "System Alarm", - "OU": "System Object Audit", - "OL": "System Object Alarm", - "ML": "System Mandatory Label", - "SP": "Central Policy ID" - } - // SDDL Permissions - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4715 - // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/f4296d69-1c0f-491f-9587-a960b292d070 - var permissionDescription = { - "GA": "Generic All", - "GR": "Generic Read", - "GW": "Generic Write", - "GX": "Generic Execute", - "RC": "Read Permissions", - "SD": "Delete", - "WD": "Modify Permissions", - "WO": "Modify Owner", - "RP": "Read All Properties", - "WP": "Write All Properties", - "CC": "Create All Child Objects", - "DC": "Delete All Child Objects", - "LC": "List Contents", - "SW": "All Validated", - "LO": "List Object", - "DT": "Delete Subtree", - "CR": "All Extended Rights", - "FA": "File All Access", - "FR": "File Generic Read", - "FX": "FILE GENERIC EXECUTE", - "FW": "FILE GENERIC WRITE", - "KA": "KEY ALL ACCESS", - "KR": "KEY READ", - "KW": "KEY WRITE", - "KX": "KEY EXECUTE" - } - // Known SIDs - // https://support.microsoft.com/en-au/help/243330/well-known-security-identifier"S-in-window"S-operating-systems - // https://docs.microsoft.com/en-us/windows/win32/secauthz/sid-strings - var accountSIDDescription = { - "AO": "Account operators", - "RU": "Alias to allow previous Windows 2000", - "AN": "Anonymous logon", - "AU": "Authenticated users", - "BA": "Built-in administrators", - "BG": "Built-in guests", - "BO": "Backup operators", - "BU": "Built-in users", - "CA": "Certificate server administrators", - "CG": "Creator group", - "CO": "Creator owner", - "DA": "Domain administrators", - "DC": "Domain computers", - "DD": "Domain controllers", - "DG": "Domain guests", - "DU": "Domain users", - "EA": "Enterprise administrators", - "ED": "Enterprise domain controllers", - "WD": "Everyone", - "PA": "Group Policy administrators", - 
"IU": "Interactively logged-on user", - "LA": "Local administrator", - "LG": "Local guest", - "LS": "Local service account", - "SY": "Local system", - "NU": "Network logon user", - "NO": "Network configuration operators", - "NS": "Network service account", - "PO": "Printer operators", - "PS": "Personal self", - "PU": "Power users", - "RS": "RAS servers group", - "RD": "Terminal server users", - "RE": "Replicator", - "RC": "Restricted code", - "SA": "Schema administrators", - "SO": "Server operators", - "SU": "Service logon user", - "S-1-0": "Null Authority", - "S-1-0-0": "Nobody", - "S-1-1": "World Authority", - "S-1-1-0": "Everyone", - "S-1-16-0": "Untrusted Mandatory Level", - "S-1-16-12288": "High Mandatory Level", - "S-1-16-16384": "System Mandatory Level", - "S-1-16-20480": "Protected Process Mandatory Level", - "S-1-16-28672": "Secure Process Mandatory Level", - "S-1-16-4096": "Low Mandatory Level", - "S-1-16-8192": "Medium Mandatory Level", - "S-1-16-8448": "Medium Plus Mandatory Level", - "S-1-2": "Local Authority", - "S-1-2-0": "Local", - "S-1-2-1": "Console Logon", - "S-1-3": "Creator Authority", - "S-1-3-0": "Creator Owner", - "S-1-3-1": "Creator Group", - "S-1-3-2": "Creator Owner Server", - "S-1-3-3": "Creator Group Server", - "S-1-3-4": "Owner Rights", - "S-1-4": "Non-unique Authority", - "S-1-5": "NT Authority", - "S-1-5-1": "Dialup", - "S-1-5-10": "Principal Self", - "S-1-5-11": "Authenticated Users", - "S-1-5-12": "Restricted Code", - "S-1-5-13": "Terminal Server Users", - "S-1-5-14": "Remote Interactive Logon", - "S-1-5-15": "This Organization", - "S-1-5-17": "This Organization", - "S-1-5-18": "Local System", - "S-1-5-19": "NT Authority", - "S-1-5-2": "Network", - "S-1-5-20": "NT Authority", - "S-1-5-3": "Batch", - "S-1-5-32-544": "Administrators", - "S-1-5-32-545": "Users", - "S-1-5-32-546": "Guests", - "S-1-5-32-547": "Power Users", - "S-1-5-32-548": "Account Operators", - "S-1-5-32-549": "Server Operators", - "S-1-5-32-550": "Print Operators", 
- "S-1-5-32-551": "Backup Operators",
- "S-1-5-32-552": "Replicators",
- "S-1-5-32-554": "Builtin\Pre-Windows 2000 Compatible Access",
- "S-1-5-32-555": "Builtin\Remote Desktop Users",
- "S-1-5-32-556": "Builtin\Network Configuration Operators",
- "S-1-5-32-557": "Builtin\Incoming Forest Trust Builders",
- "S-1-5-32-558": "Builtin\Performance Monitor Users",
- "S-1-5-32-559": "Builtin\Performance Log Users",
- "S-1-5-32-560": "Builtin\Windows Authorization Access Group",
- "S-1-5-32-561": "Builtin\Terminal Server License Servers",
- "S-1-5-32-562": "Builtin\Distributed COM Users",
- "S-1-5-32-569": "Builtin\Cryptographic Operators",
- "S-1-5-32-573": "Builtin\Event Log Readers",
- "S-1-5-32-574": "Builtin\Certificate Service DCOM Access",
- "S-1-5-32-575": "Builtin\RDS Remote Access Servers",
- "S-1-5-32-576": "Builtin\RDS Endpoint Servers",
- "S-1-5-32-577": "Builtin\RDS Management Servers",
- "S-1-5-32-578": "Builtin\Hyper-V Administrators",
- "S-1-5-32-579": "Builtin\Access Control Assistance Operators",
- "S-1-5-32-580": "Builtin\Remote Management Users",
- "S-1-5-32-582": "Storage Replica Administrators",
- "S-1-5-4": "Interactive",
- "S-1-5-5-X-Y": "Logon Session",
- "S-1-5-6": "Service",
- "S-1-5-64-10": "NTLM Authentication",
- "S-1-5-64-14": "SChannel Authentication",
- "S-1-5-64-21": "Digest Authentication",
- "S-1-5-7": "Anonymous",
- "S-1-5-8": "Proxy",
- "S-1-5-80": "NT Service",
- "S-1-5-80-0": "All Services",
- "S-1-5-83-0": "NT Virtual Machine\Virtual Machines",
- "S-1-5-9": "Enterprise Domain Controllers",
- "S-1-5-90-0": "Windows Manager\Windows Manager Group"
- }
- // Domain-specific SIDs
- // https://support.microsoft.com/en-au/help/243330/well-known-security-identifiers-in-windows-operating-systems
- var domainSpecificSID = {
- "498": "Enterprise Read-only Domain Controllers",
- "500": "Administrator",
- "501": "Guest",
- "502": "KRBTGT",
- "512": "Domain Admins",
- "513": "Domain Users",
- "514": "Domain Guests",
- "515": "Domain Computers",
- "516": "Domain Controllers",
- "517": "Cert Publishers",
- "518": "Schema Admins",
- "519": "Enterprise Admins",
- "520": "Group Policy Creator Owners",
- "521": "Read-only Domain Controllers",
- "522": "Cloneable Domain Controllers",
- "526": "Key Admins",
- "527": "Enterprise Key Admins",
- "553": "RAS and IAS Servers",
- "571": "Allowed RODC Password Replication Group",
- "572": "Denied RODC Password Replication Group"
- }
- // Object Permission Flags
- // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/7a53f60e-e730-4dfe-bbe9-b21b62eb790b
- var permsFlags = [
- [0x80000000, 'Generic Read'],
- [0x4000000, 'Generic Write'],
- [0x20000000, 'Generic Execute'],
- [0x10000000, 'Generic All'],
- [0x02000000, 'Maximun Allowed'],
- [0x01000000, 'Access System Security'],
- [0x00100000, 'Syncronize'],
- [0x00080000, 'Write Owner'],
- [0x00040000, 'Write DACL'],
- [0x00020000, 'Read Control'],
- [0x00010000, 'Delete']
- ];
- // lookupMessageCode returns the string associated with the code. key should
- be the name of the field in evt containing the code (e.g. %%2313).
- var lookupMessageCode = function (evt, key) {
- var code = evt.Get(key);
- if (!code) {
- return;
- }
- code = code.replace("%%", "");
- return msobjsMessageTable[code];
- };
- var addEventFields = function(evt){
- var code = evt.Get("event.code");
- if (!code) {
- return;
- }
- var eventActionDescription = eventActionTypes[code][2];
- if (eventActionDescription) {
- evt.AppendTo("event.category", eventActionTypes[code][0]);
- evt.AppendTo("event.type", eventActionTypes[code][1]);
- evt.Put("event.action", eventActionTypes[code][2]);
- }
- };
- var addLogonType = function(evt) {
- var code = evt.Get("winlog.event_data.LogonType");
- if (!code) {
- return;
- }
- var descriptiveLogonType = logonTypes[code];
- if (descriptiveLogonType === undefined) {
- return;
- }
- evt.Put("winlog.logon.type", descriptiveLogonType);
- };
- var addFailureCode = function(evt) {
- var msg = lookupMessageCode(evt, "winlog.event_data.FailureReason");
- if (!msg) {
- return;
- }
- evt.Put("winlog.logon.failure.reason", msg);
- };
- var addFailureStatus = function(evt) {
- var code = evt.Get("winlog.event_data.Status");
- if (!code) {
- return;
- }
- var descriptiveFailureStatus = logonFailureStatus[code];
- if (descriptiveFailureStatus === undefined) {
- return;
- }
- evt.Put("winlog.logon.failure.status", descriptiveFailureStatus);
- };
- var addFailureSubStatus = function(evt) {
- var code = evt.Get("winlog.event_data.SubStatus");
- if (!code) {
- return;
- }
- var descriptiveFailureStatus = logonFailureStatus[code];
- if (descriptiveFailureStatus === undefined) {
- return;
- }
- evt.Put("winlog.logon.failure.sub_status", descriptiveFailureStatus);
- };
- var addUACDescription = function(evt) {
- var code = evt.Get("winlog.event_data.NewUacValue");
- if (!code) {
- return;
- }
- var uacCode = parseInt(code);
- var uacResult = [];
- for (var i = 0; i < uacFlags.length; i++) {
- if ((uacCode | uacFlags[i][0]) === uacCode) {
- uacResult.push(uacFlags[i][1]);
- }
- }
- if (uacResult) {
- evt.Put("winlog.event_data.NewUACList", uacResult);
- }
- var uacList = evt.Get("winlog.event_data.UserAccountControl").replace(/\s/g, '').split("%%").filter(String);
- if (!uacList) {
- return;
- }
- evt.Put("winlog.event_data.UserAccountControl", uacList);
- };
- var addAuditInfo = function(evt) {
- var subcategoryGuid = evt.Get("winlog.event_data.SubcategoryGuid").replace("{", '').replace("}", '').toUpperCase();
- if (!subcategoryGuid) {
- return;
- }
- if (!auditDescription[subcategoryGuid]) {
- return;
- }
- evt.Put("winlog.event_data.Category", auditDescription[subcategoryGuid][1]);
- evt.Put("winlog.event_data.SubCategory", auditDescription[subcategoryGuid][0]);
- var codedActions = evt.Get("winlog.event_data.AuditPolicyChanges").split(",");
- var actionResults = [];
- for (var j = 0; j < codedActions.length; j++) {
- var actionCode = codedActions[j].replace("%%", '').replace(' ', '');
- actionResults.push(msobjsMessageTable[actionCode]);
- }
- evt.Put("winlog.event_data.AuditPolicyChangesDescription", actionResults);
- };
- var addTicketOptionsDescription = function(evt) {
- var code = evt.Get("winlog.event_data.TicketOptions");
- if (!code) {
- return;
- }
- var tktCode = parseInt(code, 16).toString(2);
- var tktResult = [];
- var tktCodeLen = tktCode.length;
- for (var i = tktCodeLen; i >= 0; i--) {
- if (tktCode[i] == 1) {
- tktResult.push(ticketOptions[(32-tktCodeLen)+i]);
- }
- }
- if (tktResult) {
- evt.Put("winlog.event_data.TicketOptionsDescription", tktResult);
- }
- };
- var addTicketEncryptionType = function(evt) {
- var code = evt.Get("winlog.event_data.TicketEncryptionType");
- if (!code) {
- return;
- }
- var encTypeCode = code.toLowerCase();
- evt.Put("winlog.event_data.TicketEncryptionTypeDescription", ticketEncryptionTypes[encTypeCode]);
- };
- var addTicketStatus = function(evt) {
- var code = evt.Get("winlog.event_data.Status");
- if (!code) {
- return;
- }
- evt.Put("winlog.event_data.StatusDescription", kerberosTktStatusCodes[code]);
- };
- var translateSID = function(sid){
- var translatedSID = accountSIDDescription[sid];
- if (translatedSID == undefined) {
- if (/^S\-1\-5\-21/.test(sid)) {
- var uid = sid.match(/[0-9]{1,5}$/g);
- if (uid) {
- translatedSID = domainSpecificSID[uid];
- }
- }
- }
- if (translatedSID == undefined) {
- translatedSID = sid;
- }
- return translatedSID;
- }
- var translatePermissionMask = function(mask) {
- if (!mask) {
- return;
- }
- var permCode = parseInt(mask);
- var permResult = [];
- for (var i = 0; i < permsFlags.length; i++) {
- if ((permCode | permsFlags[i][0]) === permCode) {
- permResult.push(permsFlags[i][1]);
- }
- }
- if (permResult) {
- return permResult;
- } else {
- return mask;
- }
- };
- var translateACL = function(dacl) {
- var aceArray = dacl.split(";");
- var aceResult = [];
- var aceType = aceArray[0];
- var acePerm = aceArray[2];
- var aceTrustedSid = aceArray[5];
- if (aceTrustedSid) {
- aceResult['grantee'] = translateSID(aceTrustedSid);
- }
- if (aceType) {
- aceResult['type'] = aceTypes[aceType];
- }
- if (acePerm) {
- if (/^0x/.test(acePerm)) {
- var perms = translatePermissionMask(acePerm);
- }
- else {
- var perms = []
- var permPairs = acePerm.match(/.{1,2}/g);
- for ( var i = 0; i < permPairs.length; i ++) {
- perms.push(permissionDescription[permPairs[i]])
- }
- }
- aceResult['perms'] = perms;
- }
- return aceResult;
- };
- var enrichSDDL = function(evt, sddl) {
- var sddlStr = evt.Get(sddl);
- if (!sddlStr) {
- return;
- }
- var sdOwner = sddlStr.match(/^O\:[A-Z]{2}/g);
- var sdGroup = sddlStr.match(/^G\:[A-Z]{2}/g);
- var sdDacl = sddlStr.match(/(D:([A-Z]*(\(.*\))*))/g);
- var sdSacl = sddlStr.match(/(S:([A-Z]*(\(.*\))*))?$/g);
- if (sdOwner) {
- evt.Put(sddl+"Owner", translateSID(sdOwner));
- }
- if (sdGroup) {
- evt.Put(sddl+"Group", translateSID(sdGroup));
- }
- if (sdDacl) {
- // Split each entry of the DACL
- var daclList = (sdDacl[0]).match(/\([^*\)]*\)/g);
- if (daclList) {
- for (var i = 0; i < daclList.length; i++) {
- var newDacl = translateACL(daclList[i].replace("(", '').replace(")", ''));
- evt.Put(sddl+"Dacl"+i, newDacl['grantee']+" :"+newDacl['type']+" ("+newDacl['perms']+")");
- if ( newDacl['grantee'] === "Administrator" || newDacl['grantee'] === "Guest" || newDacl['grantee'] === "KRBTGT" ) {
- evt.AppendTo('related.user', newDacl['grantee']);
- }
- }
- }
- }
- if (sdSacl) {
- // Split each entry of the SACL
- var saclList = (sdSacl[0]).match(/\([^*\)]*\)/g);
- if (saclList) {
- for (var i = 0; i < saclList.length; i++) {
- var newSacl = translateACL(saclList[i].replace("(", '').replace(")", ''));
- evt.Put(sddl+"Sacl"+i, newSacl['grantee']+" :"+newSacl['type']+" ("+newSacl['perms']+")");
- if ( newSacl['grantee'] === "Administrator" || newSacl['grantee'] === "Guest" || newSacl['grantee'] === "KRBTGT" ) {
- evt.AppendTo('related.user', newSacl['grantee']);
- }
- }
- }
- }
- };
-
- var addSessionData = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.AccountName", to: "user.name"},
- {from: "winlog.event_data.AccountDomain", to: "user.domain"},
- {from: "winlog.event_data.ClientAddress", to: "source.ip", type: "ip"},
- {from: "winlog.event_data.ClientAddress", to: "related.ip", type: "ip"},
- {from: "winlog.event_data.ClientName", to: "source.domain"},
- {from: "winlog.event_data.LogonID", to: "winlog.logon.id"},
- ],
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(function(evt) {
- var user = evt.Get("winlog.event_data.AccountName");
- evt.AppendTo('related.user', user);
- })
- .Build();
- var addServiceFields = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.ServiceName", to: "service.name"},
- ],
- ignore_missing: true,
- })
- .Add(function(evt) {
- var code = evt.Get("winlog.event_data.ServiceType");
- if (!code) {
- return;
- }
- evt.Put("service.type", serviceTypes[code]);
- })
- .Build();
- var addTrustInformation = new processor.Chain()
- .Add(function(evt) {
- var code = evt.Get("winlog.event_data.TdoType");
- if (!code) {
- return;
- }
- evt.Put("winlog.trustType", trustTypes[code]);
- code = evt.Get("winlog.event_data.TdoDirection");
- if (!code) {
- return;
- }
- evt.Put("winlog.trustDirection", trustDirection[code]);
- code = evt.Get("winlog.event_data.TdoAttributes");
- if (!code) {
- return;
- }
- evt.Put("winlog.trustAttribute", trustAttributes[code]);
-
- })
- .Build();
-
- var copyTargetUser = function(evt) {
- var targetUserId = evt.Get("winlog.event_data.TargetUserSid");
- if (targetUserId) {
- if (evt.Get("user.id")) evt.Put("user.target.id", targetUserId);
- else evt.Put("user.id", targetUserId);
- }
-
- var targetUserName = evt.Get("winlog.event_data.TargetUserName");
- if (targetUserName) {
- if (/.@*/.test(targetUserName)) {
- targetUserName = targetUserName.split('@')[0];
- }
-
- evt.AppendTo("related.user", targetUserName);
- if (evt.Get("user.name")) evt.Put("user.target.name", targetUserName);
- else evt.Put("user.name", targetUserName);
- }
-
- var targetUserDomain = evt.Get("winlog.event_data.TargetDomainName");
- if (targetUserDomain) {
- if (evt.Get("user.domain")) evt.Put("user.target.domain", targetUserDomain);
- else evt.Put("user.domain", targetUserDomain);
- }
- }
-
- var copyMemberToUser = function(evt) {
- var member = evt.Get("winlog.event_data.MemberName");
- if (!member) {
- return;
- }
-
- var userName = member.split(',')[0].replace('CN=', '').replace('cn=', '');
-
- evt.AppendTo("related.user", userName);
- evt.Put("user.target.name", userName);
- }
-
- var copyTargetUserToGroup = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.TargetUserSid", to: "group.id"},
- {from: "winlog.event_data.TargetSid", to: "group.id"},
- {from: "winlog.event_data.TargetUserName", to: "group.name"},
- {from: "winlog.event_data.TargetDomainName", to: "group.domain"},
- ],
- ignore_missing: true,
- }).Add(function(evt) {
- if (!evt.Get("user.target")) return;
- evt.Put("user.target.group.id", evt.Get("group.id"));
- evt.Put("user.target.group.name", evt.Get("group.name"));
- evt.Put("user.target.group.domain", evt.Get("group.domain"));
- })
- .Build();
- var copyTargetUserToComputerObject = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.TargetSid", to: "winlog.computerObject.id"},
- {from: "winlog.event_data.TargetUserName", to: "winlog.computerObject.name"},
- {from: "winlog.event_data.TargetDomainName", to: "winlog.computerObject.domain"},
- ],
- ignore_missing: true,
- })
- .Build();
- var copyTargetUserLogonId = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.TargetLogonId", to: "winlog.logon.id"},
- ],
- ignore_missing: true,
- })
- .Build();
- var copySubjectUser = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.SubjectUserSid", to: "user.id"},
- {from: "winlog.event_data.SubjectUserName", to: "user.name"},
- {from: "winlog.event_data.SubjectDomainName", to: "user.domain"},
- ],
- ignore_missing: true,
- })
- .Add(function(evt) {
- var user = evt.Get("winlog.event_data.SubjectUserName");
- evt.AppendTo('related.user', user);
- })
- .Build();
- var copySubjectUserFromUserData = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.user_data.SubjectUserSid", to: "user.id"},
- {from: "winlog.user_data.SubjectUserName", to: "user.name"},
- {from: "winlog.user_data.SubjectDomainName", to: "user.domain"},
- ],
- ignore_missing: true,
- })
- .Add(function(evt) {
- var user = evt.Get("winlog.user_data.SubjectUserName");
- evt.AppendTo('related.user', user);
- })
- .Build();
- var copySubjectUserLogonId = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.SubjectLogonId", to: "winlog.logon.id"},
- ],
- ignore_missing: true,
- })
- .Build();
- var copySubjectUserLogonIdFromUserData = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.user_data.SubjectLogonId", to: "winlog.logon.id"},
- ],
- ignore_missing: true,
- })
- .Build();
- var renameCommonAuthFields = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"},
- {from: "winlog.event_data.ProcessName", to: "process.executable"},
- {from: "winlog.event_data.IpAddress", to: "source.ip", type: "ip"},
- {from: "winlog.event_data.ClientAddress", to: "related.ip", type: "ip"},
- {from: "winlog.event_data.IpPort", to: "source.port", type: "long"},
- {from: "winlog.event_data.WorkstationName", to: "source.domain"},
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(function(evt) {
- var name = evt.Get("process.name");
- if (name) {
- return;
- }
- var exe = evt.Get("process.executable");
- if (!exe) {
- return;
- }
- evt.Put("process.name", path.basename(exe));
- })
- .Build();
- var renameNewProcessFields = new processor.Chain()
- .Convert({
- fields: [
- {from: "winlog.event_data.NewProcessId", to: "process.pid", type: "long"},
- {from: "winlog.event_data.NewProcessName", to: "process.executable"},
- {from: "winlog.event_data.ParentProcessName", to: "process.parent.executable"}
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(function(evt) {
- var name = evt.Get("process.name");
- if (name) {
- return;
- }
- var exe = evt.Get("process.executable");
- if (!exe) {
- return;
- }
- evt.Put("process.name", path.basename(exe));
- })
- .Add(function(evt) {
- var name = evt.Get("process.parent.name");
- if (name) {
- return;
- }
- var exe = evt.Get("process.parent.executable");
- if (!exe) {
- return;
- }
- evt.Put("process.parent.name", path.basename(exe));
- })
- .Add(function(evt) {
- var cl = evt.Get("winlog.event_data.CommandLine");
- if (!cl) {
- return;
- }
- evt.Put("process.args", windows.splitCommandLine(cl));
- evt.Put("process.command_line", cl);
- })
- .Build();
- // Handles 4634 and 4647.
- var logoff = new processor.Chain()
- .Add(copyTargetUser)
- .Add(copyTargetUserLogonId)
- .Add(addLogonType)
- .Add(addEventFields)
- .Build();
- // Handles both 4624
- var logonSuccess = new processor.Chain()
- .Add(copyTargetUser)
- .Add(copyTargetUserLogonId)
- .Add(addLogonType)
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Add(function(evt) {
- var user = evt.Get("winlog.event_data.SubjectUserName");
- if (user) {
- var res = /^-$/.test(user);
- if (!res) {
- evt.AppendTo('related.user', user);
- }
- }
- })
- .Build();
- // Handles both 4648
- var event4648 = new processor.Chain()
- .Add(copyTargetUser)
- .Add(copySubjectUserLogonId)
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Add(function(evt) {
- var user = evt.Get("winlog.event_data.SubjectUserName");
- if (user) {
- var res = /^-$/.test(user);
- if (!res) {
- evt.AppendTo('related.user', user);
- }
- }
- })
- .Build();
- var event4625 = new processor.Chain()
- .Add(copyTargetUser)
- .Add(copySubjectUserLogonId)
- .Add(addLogonType)
- .Add(addFailureCode)
- .Add(addFailureStatus)
- .Add(addFailureSubStatus)
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Build();
- var event4672 = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(function(evt) {
- var privs = evt.Get("winlog.event_data.PrivilegeList");
- if (!privs) {
- return;
- }
- evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/));
- })
- .Add(addEventFields)
- .Build();
- var event4688 = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(renameNewProcessFields)
- .Add(addEventFields)
- .Add(function(evt) {
- var user = evt.Get("winlog.event_data.TargetUserName");
- if (user) {
- var res = /^-$/.test(user);
- if (!res) {
- evt.AppendTo('related.user', user);
- }
- }
- })
- .Build();
- var event4689 = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Build();
- var event4697 = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(renameCommonAuthFields)
- .Add(addServiceFields)
- .Add(addEventFields)
- .Build();
- var userMgmtEvts = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(renameCommonAuthFields)
- .Add(addUACDescription)
- .Add(addEventFields)
- .Add(function(evt) {
- var user = evt.Get("winlog.event_data.TargetUserName");
- evt.AppendTo('related.user', user);
- })
- .Build();
- var userRenamed = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(addEventFields)
- .Add(function(evt) {
- var userNew = evt.Get("winlog.event_data.NewTargetUserName");
- evt.AppendTo('related.user', userNew);
- var userOld = evt.Get("winlog.event_data.OldTargetUserName");
- evt.AppendTo('related.user', userOld);
- })
- .Build();
- var groupMgmtEvts = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(copyMemberToUser)
- .Add(copyTargetUserToGroup)
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Build();
- var auditLogCleared = new processor.Chain()
- .Add(copySubjectUserFromUserData)
- .Add(copySubjectUserLogonIdFromUserData)
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Build();
- var auditChanged = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(renameCommonAuthFields)
- .Add(addAuditInfo)
- .Add(addEventFields)
- .Build();
- var auditLogMgmt = new processor.Chain()
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Build();
- var computerMgmtEvts = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(copyTargetUserToComputerObject)
- .Add(renameCommonAuthFields)
- .Add(addUACDescription)
- .Add(addEventFields)
- .Add(function(evt) {
- var privs = evt.Get("winlog.event_data.PrivilegeList");
- if (!privs) {
- return;
- }
- evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/));
- })
- .Build();
- var sessionEvts = new processor.Chain()
- .Add(addSessionData)
- .Add(addEventFields)
- .Build();
- var event4964 = new processor.Chain()
- .Add(copyTargetUser)
- .Add(copyTargetUserLogonId)
- .Add(addEventFields)
- .Build();
- var kerberosTktEvts = new processor.Chain()
- .Add(copyTargetUser)
- .Add(renameCommonAuthFields)
- .Add(addTicketOptionsDescription)
- .Add(addTicketEncryptionType)
- .Add(addTicketStatus)
- .Add(addEventFields)
- .Add(function(evt) {
- var ip = evt.Get("source.ip");
- if (ip) {
- if (/::ffff:/.test(ip)) {
- evt.Put("source.ip", ip.replace("::ffff:", ""));
- evt.AppendTo("related.ip", ip.replace("::ffff:", ""));
- }
- }
- })
- .Build();
- var event4776 = new processor.Chain()
- .Add(copyTargetUser)
- .Add(addFailureStatus)
- .Add(addEventFields)
- .Build();
- var scheduledTask = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(addEventFields)
- .Build();
- var sensitivePrivilege = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(renameCommonAuthFields)
- .Add(addEventFields)
- .Add(function(evt) {
- var privs = evt.Get("winlog.event_data.PrivilegeList");
- if (!privs) {
- return;
- }
- evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/));
- })
- .Add(function(evt){
- var maskCodes = evt.Get("winlog.event_data.AccessMask");
- if (!maskCodes) {
- return;
- }
- var maskList = maskCodes.replace(/\s+/g, '').split("%%").filter(String);
- evt.Put("winlog.event_data.AccessMask", maskList);
- var maskResults = [];
- for (var j = 0; j < maskList.length; j++) {
- var description = msobjsMessageTable[maskList[j]];
- if (description === undefined) {
- return;
- }
- maskResults.push(description);
- }
- evt.Put("winlog.event_data.AccessMaskDescription", maskResults);
- })
- .Build();
-
- var trustDomainMgmtEvts = new processor.Chain()
- .Add(copySubjectUser)
- .Add(copySubjectUserLogonId)
- .Add(addEventFields)
- .Add(addTrustInformation)
- .Build();
-
- var policyChange = new
processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(addEventFields) - .Build(); - - var objectPolicyChange = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Add(function(evt) { - var oldSd = evt.Get("winlog.event_data.OldSd"); - var newSd = evt.Get("winlog.event_data.NewSd"); - if (oldSd) { - enrichSDDL(evt, "winlog.event_data.OldSd"); - } - if (newSd) { - enrichSDDL(evt, "winlog.event_data.NewSd"); - } - }) - .Build(); - - var genericAuditChange = new processor.Chain() - .Add(addEventFields) - .Build(); - - var event4908 = new processor.Chain() - .Add(addEventFields) - .Add(function(evt) { - var sids = evt.Get("winlog.event_data.SidList"); - if (!sids) { - return; - } - var sidList = sids.split(/\s+/); - evt.Put("winlog.event_data.SidList", sids.split(/\s+/)); - var sidListDesc = []; - for (var i = 0; i < sidList.length; i++) { - var sidTemp = sidList[i].replace("%", "").replace("{", "").replace("}", "").replace(" ",""); - if (sidTemp) { - sidListDesc.push(translateSID(sidTemp)); - } - } - evt.Put("winlog.event_data.SidListDesc", sidListDesc); - }) - .Build(); - - var securityEventSource = new processor.Chain() - .Add(copySubjectUser) - .Add(copySubjectUserLogonId) - .Add(renameCommonAuthFields) - .Add(addEventFields) - .Build(); - - return { - // 1100 - The event logging service has shut down. - 1100: auditLogMgmt.Run, - // 1102 - The audit log was cleared. - 1102: auditLogCleared.Run, - // 1104 - The security log is now full. - 1104: auditLogMgmt.Run, - // 1105 - Event log automatic backup. - 1105: auditLogMgmt.Run, - // 1108 - The event logging service encountered an error while processing an incoming event published from %1 - 1108: auditLogMgmt.Run, - // 4624 - An account was successfully logged on. - 4624: logonSuccess.Run, - // 4625 - An account failed to log on. - 4625: event4625.Run, - // 4634 - An account was logged off. 
- 4634: logoff.Run, - // 4647 - User initiated logoff. - 4647: logoff.Run, - // 4648 - A logon was attempted using explicit credentials. - 4648: event4648.Run, - // 4670 - Permissions on an object were changed. - 4670: objectPolicyChange.Run, - // 4672 - Special privileges assigned to new logon. - 4672: event4672.Run, - // 4673 - A privileged service was called. - 4673: sensitivePrivilege.Run, - // 4674 - An operation was attempted on a privileged object. - 4674: sensitivePrivilege.Run, - // 4688 - A new process has been created. - 4688: event4688.Run, - // 4689 - A process has exited. - 4689: event4689.Run, - // 4697 - A service was installed in the system. - 4697: event4697.Run, - // 4698 - A scheduled task was created. - 4698: scheduledTask.Run, - // 4699 - A scheduled task was deleted. - 4699: scheduledTask.Run, - // 4700 - A scheduled task was enabled. - 4700: scheduledTask.Run, - // 4701 - A scheduled task was disabled. - 4701: scheduledTask.Run, - // 4702 - A scheduled task was updated. - 4702: scheduledTask.Run, - // 4706 - A new trust was created to a domain. - 4706: trustDomainMgmtEvts.Run, - // 4707 - A trust to a domain was removed. - 4707: trustDomainMgmtEvts.Run, - // 4713 - Kerberos policy was changed. - 4713: policyChange.Run, - // 4716 - Trusted domain information was modified. - 4716: trustDomainMgmtEvts.Run, - // 4717 - System security access was granted to an account. - 4717: policyChange.Run, - // 4718 - System security access was removed from an account. - 4718: policyChange.Run, - // 4719 - System audit policy was changed. - 4719: auditChanged.Run, - // 4720 - A user account was created - 4720: userMgmtEvts.Run, - // 4722 - A user account was enabled - 4722: userMgmtEvts.Run, - // 4723 - An attempt was made to change an account's password - 4723: userMgmtEvts.Run, - // 4724 - An attempt was made to reset an account's password - 4724: userMgmtEvts.Run, - // 4725 - A user account was disabled. 
- 4725: userMgmtEvts.Run, - // 4726 - An user account was deleted. - 4726: userMgmtEvts.Run, - // 4727 - A security-enabled global group was created. - 4727: groupMgmtEvts.Run, - // 4728 - A member was added to a security-enabled global group. - 4728: groupMgmtEvts.Run, - // 4729 - A member was removed from a security-enabled global group. - 4729: groupMgmtEvts.Run, - // 4730 - A security-enabled global group was deleted. - 4730: groupMgmtEvts.Run, - // 4731 - A security-enabled local group was created. - 4731: groupMgmtEvts.Run, - // 4732 - A member was added to a security-enabled local group. - 4732: groupMgmtEvts.Run, - // 4733 - A member was removed from a security-enabled local group. - 4733: groupMgmtEvts.Run, - // 4734 - A security-enabled local group was deleted. - 4734: groupMgmtEvts.Run, - // 4735 - A security-enabled local group was changed. - 4735: groupMgmtEvts.Run, - // 4737 - A security-enabled global group was changed. - 4737: groupMgmtEvts.Run, - // 4739 - A security-enabled global group was changed. - 4739: policyChange.Run, - // 4738 - An user account was changed. - 4738: userMgmtEvts.Run, - // 4740 - An account was locked out - 4740: userMgmtEvts.Run, - // 4741 - A computer account was created. - 4741: computerMgmtEvts.Run, - // 4742 - A computer account was changed. - 4742: computerMgmtEvts.Run, - // 4743 - A computer account was deleted. - 4743: computerMgmtEvts.Run, - // 4744 - A security-disabled local group was created. - 4744: groupMgmtEvts.Run, - // 4745 - A security-disabled local group was changed. - 4745: groupMgmtEvts.Run, - // 4746 - A member was added to a security-disabled local group. - 4746: groupMgmtEvts.Run, - // 4747 - A member was removed from a security-disabled local group. - 4747: groupMgmtEvts.Run, - // 4748 - A security-disabled local group was deleted. - 4748: groupMgmtEvts.Run, - // 4749 - A security-disabled global group was created. - 4749: groupMgmtEvts.Run, - // 4750 - A security-disabled global group was changed. 
- 4750: groupMgmtEvts.Run, - // 4751 - A member was added to a security-disabled global group. - 4751: groupMgmtEvts.Run, - // 4752 - A member was removed from a security-disabled global group. - 4752: groupMgmtEvts.Run, - // 4753 - A security-disabled global group was deleted. - 4753: groupMgmtEvts.Run, - // 4754 - A security-enabled universal group was created. - 4754: groupMgmtEvts.Run, - // 4755 - A security-enabled universal group was changed. - 4755: groupMgmtEvts.Run, - // 4756 - A member was added to a security-enabled universal group. - 4756: groupMgmtEvts.Run, - // 4757 - A member was removed from a security-enabled universal group. - 4757: groupMgmtEvts.Run, - // 4758 - A security-enabled universal group was deleted. - 4758: groupMgmtEvts.Run, - // 4759 - A security-disabled universal group was created. - 4759: groupMgmtEvts.Run, - // 4760 - A security-disabled universal group was changed. - 4760: groupMgmtEvts.Run, - // 4761 - A member was added to a security-disabled universal group. - 4761: groupMgmtEvts.Run, - // 4762 - A member was removed from a security-disabled universal group. - 4762: groupMgmtEvts.Run, - // 4763 - A security-disabled global group was deleted. - 4763: groupMgmtEvts.Run, - // 4764 - A group\'s type was changed. - 4764: groupMgmtEvts.Run, - // 4767 - A user account was unlocked. - 4767: userMgmtEvts.Run, - // 4768 - A Kerberos authentication ticket TGT was requested. - 4768: kerberosTktEvts.Run, - // 4769 - A Kerberos service ticket was requested. - 4769: kerberosTktEvts.Run, - // 4770 - A Kerberos service ticket was renewed. - 4770: kerberosTktEvts.Run, - // 4771 - Kerberos pre-authentication failed. - 4771: kerberosTktEvts.Run, - // 4776 - The computer attempted to validate the credentials for an account. - 4776: event4776.Run, - // 4778 - A session was reconnected to a Window Station. - 4778: sessionEvts.Run, - // 4779 - A session was disconnected from a Window Station. 
- 4779: sessionEvts.Run, - // 4781 - The name of an account was changed. - 4781: userRenamed.Run, - // 4798 - A user's local group membership was enumerated. - 4798: userMgmtEvts.Run, - // 4799 - A security-enabled local group membership was enumerated. - 4799: groupMgmtEvts.Run, - // 4817 - Auditing settings on object were changed. - 4817: objectPolicyChange.Run, - // 4902 - The Per-user audit policy table was created. - 4902: genericAuditChange.Run, - // 4904 - An attempt was made to register a security event source. - 4904: securityEventSource.Run, - // 4905 - An attempt was made to unregister a security event source. - 4905: securityEventSource.Run, - // 4906 - The CrashOnAuditFail value has changed. - 4906: genericAuditChange.Run, - // 4907 - Auditing settings on object were changed. - 4907: objectPolicyChange.Run, - // 4908 - Special Groups Logon table modified. - 4908: event4908.Run, - // 4912 - Per User Audit Policy was changed. - 4912: auditChanged.Run, - // 4964 - Special groups have been assigned to a new logon. - 4964: event4964.Run, - process: function(evt) { - var eventId = evt.Get("winlog.event_id"); - var processor = this[eventId]; - if (processor === undefined) { - return; - } - evt.Put("event.module", "security"); - processor(evt); - }, - }; - })(); - function process(evt) { - return security.process(evt); - } - - - script: - when.equals.winlog.channel: Microsoft-Windows-Sysmon/Operational - lang: javascript - id: sysmon - source: |- - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - - // Polyfill for String startsWith. - if (!String.prototype.startsWith) { - Object.defineProperty(String.prototype, "startsWith", { - value: function (search, pos) { - pos = !pos || pos < 0 ? 
0 : +pos; - return this.substring(pos, pos + search.length) === search; - }, - }); - } - - var sysmon = (function () { - var path = require("path"); - var processor = require("processor"); - var windows = require("windows"); - var net = require("net"); - - // Windows error codes for DNS. This list was generated using - // 'go run gen_dns_error_codes.go'. - var dnsQueryStatusCodes = { - "0": "SUCCESS", - "5": "ERROR_ACCESS_DENIED", - "8": "ERROR_NOT_ENOUGH_MEMORY", - "13": "ERROR_INVALID_DATA", - "14": "ERROR_OUTOFMEMORY", - "123": "ERROR_INVALID_NAME", - "1214": "ERROR_INVALID_NETNAME", - "1223": "ERROR_CANCELLED", - "1460": "ERROR_TIMEOUT", - "4312": "ERROR_OBJECT_NOT_FOUND", - "9001": "DNS_ERROR_RCODE_FORMAT_ERROR", - "9002": "DNS_ERROR_RCODE_SERVER_FAILURE", - "9003": "DNS_ERROR_RCODE_NAME_ERROR", - "9004": "DNS_ERROR_RCODE_NOT_IMPLEMENTED", - "9005": "DNS_ERROR_RCODE_REFUSED", - "9006": "DNS_ERROR_RCODE_YXDOMAIN", - "9007": "DNS_ERROR_RCODE_YXRRSET", - "9008": "DNS_ERROR_RCODE_NXRRSET", - "9009": "DNS_ERROR_RCODE_NOTAUTH", - "9010": "DNS_ERROR_RCODE_NOTZONE", - "9016": "DNS_ERROR_RCODE_BADSIG", - "9017": "DNS_ERROR_RCODE_BADKEY", - "9018": "DNS_ERROR_RCODE_BADTIME", - "9101": "DNS_ERROR_KEYMASTER_REQUIRED", - "9102": "DNS_ERROR_NOT_ALLOWED_ON_SIGNED_ZONE", - "9103": "DNS_ERROR_NSEC3_INCOMPATIBLE_WITH_RSA_SHA1", - "9104": "DNS_ERROR_NOT_ENOUGH_SIGNING_KEY_DESCRIPTORS", - "9105": "DNS_ERROR_UNSUPPORTED_ALGORITHM", - "9106": "DNS_ERROR_INVALID_KEY_SIZE", - "9107": "DNS_ERROR_SIGNING_KEY_NOT_ACCESSIBLE", - "9108": "DNS_ERROR_KSP_DOES_NOT_SUPPORT_PROTECTION", - "9109": "DNS_ERROR_UNEXPECTED_DATA_PROTECTION_ERROR", - "9110": "DNS_ERROR_UNEXPECTED_CNG_ERROR", - "9111": "DNS_ERROR_UNKNOWN_SIGNING_PARAMETER_VERSION", - "9112": "DNS_ERROR_KSP_NOT_ACCESSIBLE", - "9113": "DNS_ERROR_TOO_MANY_SKDS", - "9114": "DNS_ERROR_INVALID_ROLLOVER_PERIOD", - "9115": "DNS_ERROR_INVALID_INITIAL_ROLLOVER_OFFSET", - "9116": "DNS_ERROR_ROLLOVER_IN_PROGRESS", - "9117": 
"DNS_ERROR_STANDBY_KEY_NOT_PRESENT", - "9118": "DNS_ERROR_NOT_ALLOWED_ON_ZSK", - "9119": "DNS_ERROR_NOT_ALLOWED_ON_ACTIVE_SKD", - "9120": "DNS_ERROR_ROLLOVER_ALREADY_QUEUED", - "9121": "DNS_ERROR_NOT_ALLOWED_ON_UNSIGNED_ZONE", - "9122": "DNS_ERROR_BAD_KEYMASTER", - "9123": "DNS_ERROR_INVALID_SIGNATURE_VALIDITY_PERIOD", - "9124": "DNS_ERROR_INVALID_NSEC3_ITERATION_COUNT", - "9125": "DNS_ERROR_DNSSEC_IS_DISABLED", - "9126": "DNS_ERROR_INVALID_XML", - "9127": "DNS_ERROR_NO_VALID_TRUST_ANCHORS", - "9128": "DNS_ERROR_ROLLOVER_NOT_POKEABLE", - "9129": "DNS_ERROR_NSEC3_NAME_COLLISION", - "9130": "DNS_ERROR_NSEC_INCOMPATIBLE_WITH_NSEC3_RSA_SHA1", - "9501": "DNS_INFO_NO_RECORDS", - "9502": "DNS_ERROR_BAD_PACKET", - "9503": "DNS_ERROR_NO_PACKET", - "9504": "DNS_ERROR_RCODE", - "9505": "DNS_ERROR_UNSECURE_PACKET", - "9506": "DNS_REQUEST_PENDING", - "9551": "DNS_ERROR_INVALID_TYPE", - "9552": "DNS_ERROR_INVALID_IP_ADDRESS", - "9553": "DNS_ERROR_INVALID_PROPERTY", - "9554": "DNS_ERROR_TRY_AGAIN_LATER", - "9555": "DNS_ERROR_NOT_UNIQUE", - "9556": "DNS_ERROR_NON_RFC_NAME", - "9557": "DNS_STATUS_FQDN", - "9558": "DNS_STATUS_DOTTED_NAME", - "9559": "DNS_STATUS_SINGLE_PART_NAME", - "9560": "DNS_ERROR_INVALID_NAME_CHAR", - "9561": "DNS_ERROR_NUMERIC_NAME", - "9562": "DNS_ERROR_NOT_ALLOWED_ON_ROOT_SERVER", - "9563": "DNS_ERROR_NOT_ALLOWED_UNDER_DELEGATION", - "9564": "DNS_ERROR_CANNOT_FIND_ROOT_HINTS", - "9565": "DNS_ERROR_INCONSISTENT_ROOT_HINTS", - "9566": "DNS_ERROR_DWORD_VALUE_TOO_SMALL", - "9567": "DNS_ERROR_DWORD_VALUE_TOO_LARGE", - "9568": "DNS_ERROR_BACKGROUND_LOADING", - "9569": "DNS_ERROR_NOT_ALLOWED_ON_RODC", - "9570": "DNS_ERROR_NOT_ALLOWED_UNDER_DNAME", - "9571": "DNS_ERROR_DELEGATION_REQUIRED", - "9572": "DNS_ERROR_INVALID_POLICY_TABLE", - "9573": "DNS_ERROR_ADDRESS_REQUIRED", - "9601": "DNS_ERROR_ZONE_DOES_NOT_EXIST", - "9602": "DNS_ERROR_NO_ZONE_INFO", - "9603": "DNS_ERROR_INVALID_ZONE_OPERATION", - "9604": "DNS_ERROR_ZONE_CONFIGURATION_ERROR", - "9605": 
"DNS_ERROR_ZONE_HAS_NO_SOA_RECORD", - "9606": "DNS_ERROR_ZONE_HAS_NO_NS_RECORDS", - "9607": "DNS_ERROR_ZONE_LOCKED", - "9608": "DNS_ERROR_ZONE_CREATION_FAILED", - "9609": "DNS_ERROR_ZONE_ALREADY_EXISTS", - "9610": "DNS_ERROR_AUTOZONE_ALREADY_EXISTS", - "9611": "DNS_ERROR_INVALID_ZONE_TYPE", - "9612": "DNS_ERROR_SECONDARY_REQUIRES_MASTER_IP", - "9613": "DNS_ERROR_ZONE_NOT_SECONDARY", - "9614": "DNS_ERROR_NEED_SECONDARY_ADDRESSES", - "9615": "DNS_ERROR_WINS_INIT_FAILED", - "9616": "DNS_ERROR_NEED_WINS_SERVERS", - "9617": "DNS_ERROR_NBSTAT_INIT_FAILED", - "9618": "DNS_ERROR_SOA_DELETE_INVALID", - "9619": "DNS_ERROR_FORWARDER_ALREADY_EXISTS", - "9620": "DNS_ERROR_ZONE_REQUIRES_MASTER_IP", - "9621": "DNS_ERROR_ZONE_IS_SHUTDOWN", - "9622": "DNS_ERROR_ZONE_LOCKED_FOR_SIGNING", - "9651": "DNS_ERROR_PRIMARY_REQUIRES_DATAFILE", - "9652": "DNS_ERROR_INVALID_DATAFILE_NAME", - "9653": "DNS_ERROR_DATAFILE_OPEN_FAILURE", - "9654": "DNS_ERROR_FILE_WRITEBACK_FAILED", - "9655": "DNS_ERROR_DATAFILE_PARSING", - "9701": "DNS_ERROR_RECORD_DOES_NOT_EXIST", - "9702": "DNS_ERROR_RECORD_FORMAT", - "9703": "DNS_ERROR_NODE_CREATION_FAILED", - "9704": "DNS_ERROR_UNKNOWN_RECORD_TYPE", - "9705": "DNS_ERROR_RECORD_TIMED_OUT", - "9706": "DNS_ERROR_NAME_NOT_IN_ZONE", - "9707": "DNS_ERROR_CNAME_LOOP", - "9708": "DNS_ERROR_NODE_IS_CNAME", - "9709": "DNS_ERROR_CNAME_COLLISION", - "9710": "DNS_ERROR_RECORD_ONLY_AT_ZONE_ROOT", - "9711": "DNS_ERROR_RECORD_ALREADY_EXISTS", - "9712": "DNS_ERROR_SECONDARY_DATA", - "9713": "DNS_ERROR_NO_CREATE_CACHE_DATA", - "9714": "DNS_ERROR_NAME_DOES_NOT_EXIST", - "9715": "DNS_WARNING_PTR_CREATE_FAILED", - "9716": "DNS_WARNING_DOMAIN_UNDELETED", - "9717": "DNS_ERROR_DS_UNAVAILABLE", - "9718": "DNS_ERROR_DS_ZONE_ALREADY_EXISTS", - "9719": "DNS_ERROR_NO_BOOTFILE_IF_DS_ZONE", - "9720": "DNS_ERROR_NODE_IS_DNAME", - "9721": "DNS_ERROR_DNAME_COLLISION", - "9722": "DNS_ERROR_ALIAS_LOOP", - "9751": "DNS_INFO_AXFR_COMPLETE", - "9752": "DNS_ERROR_AXFR", - "9753": 
"DNS_INFO_ADDED_LOCAL_WINS", - "9801": "DNS_STATUS_CONTINUE_NEEDED", - "9851": "DNS_ERROR_NO_TCPIP", - "9852": "DNS_ERROR_NO_DNS_SERVERS", - "9901": "DNS_ERROR_DP_DOES_NOT_EXIST", - "9902": "DNS_ERROR_DP_ALREADY_EXISTS", - "9903": "DNS_ERROR_DP_NOT_ENLISTED", - "9904": "DNS_ERROR_DP_ALREADY_ENLISTED", - "9905": "DNS_ERROR_DP_NOT_AVAILABLE", - "9906": "DNS_ERROR_DP_FSMO_ERROR", - "9911": "DNS_ERROR_RRL_NOT_ENABLED", - "9912": "DNS_ERROR_RRL_INVALID_WINDOW_SIZE", - "9913": "DNS_ERROR_RRL_INVALID_IPV4_PREFIX", - "9914": "DNS_ERROR_RRL_INVALID_IPV6_PREFIX", - "9915": "DNS_ERROR_RRL_INVALID_TC_RATE", - "9916": "DNS_ERROR_RRL_INVALID_LEAK_RATE", - "9917": "DNS_ERROR_RRL_LEAK_RATE_LESSTHAN_TC_RATE", - "9921": "DNS_ERROR_VIRTUALIZATION_INSTANCE_ALREADY_EXISTS", - "9922": "DNS_ERROR_VIRTUALIZATION_INSTANCE_DOES_NOT_EXIST", - "9923": "DNS_ERROR_VIRTUALIZATION_TREE_LOCKED", - "9924": "DNS_ERROR_INVAILD_VIRTUALIZATION_INSTANCE_NAME", - "9925": "DNS_ERROR_DEFAULT_VIRTUALIZATION_INSTANCE", - "9951": "DNS_ERROR_ZONESCOPE_ALREADY_EXISTS", - "9952": "DNS_ERROR_ZONESCOPE_DOES_NOT_EXIST", - "9953": "DNS_ERROR_DEFAULT_ZONESCOPE", - "9954": "DNS_ERROR_INVALID_ZONESCOPE_NAME", - "9955": "DNS_ERROR_NOT_ALLOWED_WITH_ZONESCOPES", - "9956": "DNS_ERROR_LOAD_ZONESCOPE_FAILED", - "9957": "DNS_ERROR_ZONESCOPE_FILE_WRITEBACK_FAILED", - "9958": "DNS_ERROR_INVALID_SCOPE_NAME", - "9959": "DNS_ERROR_SCOPE_DOES_NOT_EXIST", - "9960": "DNS_ERROR_DEFAULT_SCOPE", - "9961": "DNS_ERROR_INVALID_SCOPE_OPERATION", - "9962": "DNS_ERROR_SCOPE_LOCKED", - "9963": "DNS_ERROR_SCOPE_ALREADY_EXISTS", - "9971": "DNS_ERROR_POLICY_ALREADY_EXISTS", - "9972": "DNS_ERROR_POLICY_DOES_NOT_EXIST", - "9973": "DNS_ERROR_POLICY_INVALID_CRITERIA", - "9974": "DNS_ERROR_POLICY_INVALID_SETTINGS", - "9975": "DNS_ERROR_CLIENT_SUBNET_IS_ACCESSED", - "9976": "DNS_ERROR_CLIENT_SUBNET_DOES_NOT_EXIST", - "9977": "DNS_ERROR_CLIENT_SUBNET_ALREADY_EXISTS", - "9978": "DNS_ERROR_SUBNET_DOES_NOT_EXIST", - "9979": 
"DNS_ERROR_SUBNET_ALREADY_EXISTS", - "9980": "DNS_ERROR_POLICY_LOCKED", - "9981": "DNS_ERROR_POLICY_INVALID_WEIGHT", - "9982": "DNS_ERROR_POLICY_INVALID_NAME", - "9983": "DNS_ERROR_POLICY_MISSING_CRITERIA", - "9984": "DNS_ERROR_INVALID_CLIENT_SUBNET_NAME", - "9985": "DNS_ERROR_POLICY_PROCESSING_ORDER_INVALID", - "9986": "DNS_ERROR_POLICY_SCOPE_MISSING", - "9987": "DNS_ERROR_POLICY_SCOPE_NOT_ALLOWED", - "9988": "DNS_ERROR_SERVERSCOPE_IS_REFERENCED", - "9989": "DNS_ERROR_ZONESCOPE_IS_REFERENCED", - "9990": "DNS_ERROR_POLICY_INVALID_CRITERIA_CLIENT_SUBNET", - "9991": "DNS_ERROR_POLICY_INVALID_CRITERIA_TRANSPORT_PROTOCOL", - "9992": "DNS_ERROR_POLICY_INVALID_CRITERIA_NETWORK_PROTOCOL", - "9993": "DNS_ERROR_POLICY_INVALID_CRITERIA_INTERFACE", - "9994": "DNS_ERROR_POLICY_INVALID_CRITERIA_FQDN", - "9995": "DNS_ERROR_POLICY_INVALID_CRITERIA_QUERY_TYPE", - "9996": "DNS_ERROR_POLICY_INVALID_CRITERIA_TIME_OF_DAY", - "10054": "WSAECONNRESET", - "10055": "WSAENOBUFS", - "10060": "WSAETIMEDOUT", - }; - - // Windows DNS record type constants. 
- // https://docs.microsoft.com/en-us/windows/win32/dns/dns-constants - var dnsRecordTypes = { - "1": "A", - "2": "NS", - "3": "MD", - "4": "MF", - "5": "CNAME", - "6": "SOA", - "7": "MB", - "8": "MG", - "9": "MR", - "10": "NULL", - "11": "WKS", - "12": "PTR", - "13": "HINFO", - "14": "MINFO", - "15": "MX", - "16": "TXT", - "17": "RP", - "18": "AFSDB", - "19": "X25", - "20": "ISDN", - "21": "RT", - "22": "NSAP", - "23": "NSAPPTR", - "24": "SIG", - "25": "KEY", - "26": "PX", - "27": "GPOS", - "28": "AAAA", - "29": "LOC", - "30": "NXT", - "31": "EID", - "32": "NIMLOC", - "33": "SRV", - "34": "ATMA", - "35": "NAPTR", - "36": "KX", - "37": "CERT", - "38": "A6", - "39": "DNAME", - "40": "SINK", - "41": "OPT", - "43": "DS", - "46": "RRSIG", - "47": "NSEC", - "48": "DNSKEY", - "49": "DHCID", - "100": "UINFO", - "101": "UID", - "102": "GID", - "103": "UNSPEC", - "248": "ADDRS", - "249": "TKEY", - "250": "TSIG", - "251": "IXFR", - "252": "AXFR", - "253": "MAILB", - "254": "MAILA", - "255": "ANY", - "65281": "WINS", - "65282": "WINSR", - }; - - var setProcessNameUsingExe = function (evt) { - setProcessNameFromPath(evt, "process.executable", "process.name"); - }; - - var setParentProcessNameUsingExe = function (evt) { - setProcessNameFromPath( - evt, - "process.parent.executable", - "process.parent.name" - ); - }; - - var setProcessNameFromPath = function (evt, pathField, nameField) { - var name = evt.Get(nameField); - if (name) { - return; - } - var exe = evt.Get(pathField); - if (!exe) { - return; - } - evt.Put(nameField, path.basename(exe)); - }; - - var splitCommandLine = function (evt, source, target) { - var commandLine = evt.Get(source); - if (!commandLine) { - return; - } - evt.Put(target, windows.splitCommandLine(commandLine)); - }; - - var splitProcessArgs = function (evt) { - splitCommandLine(evt, "process.command_line", "process.args"); - }; - - var splitParentProcessArgs = function (evt) { - splitCommandLine( - evt, - "process.parent.command_line", - 
"process.parent.args" - ); - }; - - var addUser = function (evt) { - var id = evt.Get("winlog.user.identifier"); - if (id) { - evt.Put("user.id", id); - } - var userParts = evt.Get("winlog.event_data.User"); - if (!userParts) { - return; - } - userParts = userParts.split("\\"); - if (userParts.length === 2) { - evt.Put("user.domain", userParts[0]); - evt.Put("user.name", userParts[1]); - evt.AppendTo("related.user", userParts[1]); - evt.Delete("winlog.event_data.User"); - } - }; - - var setRuleName = function (evt) { - var ruleName = evt.Get("winlog.event_data.RuleName"); - if (!ruleName || ruleName === "-") { - return; - } - - evt.Put("rule.name", ruleName); - evt.Delete("winlog.event_data.RuleName"); - }; - - var addNetworkDirection = function (evt) { - switch (evt.Get("winlog.event_data.Initiated")) { - case "true": - evt.Put("network.direction", "egress"); - break; - case "false": - evt.Put("network.direction", "ingress"); - break; - } - evt.Delete("winlog.event_data.Initiated"); - }; - - var addNetworkType = function (evt) { - switch (evt.Get("winlog.event_data.SourceIsIpv6")) { - case "true": - evt.Put("network.type", "ipv6"); - break; - case "false": - evt.Put("network.type", "ipv4"); - break; - } - evt.Delete("winlog.event_data.SourceIsIpv6"); - evt.Delete("winlog.event_data.DestinationIsIpv6"); - }; - - var setRelatedIP = function (evt) { - var sourceIP = evt.Get("source.ip"); - if (sourceIP) { - evt.AppendTo("related.ip", sourceIP); - } - - var destIP = evt.Get("destination.ip"); - if (destIP) { - evt.AppendTo("related.ip", destIP); - } - }; - - var getHashPath = function (namespace, hashKey) { - if (hashKey === "imphash") { - return namespace + ".pe.imphash"; - } - - return namespace + ".hash." 
+ hashKey; - }; - - var emptyHashRegex = /^0*$/; - - var hashIsEmpty = function (value) { - if (!value) { - return true; - } - - return emptyHashRegex.test(value); - } - - // Adds hashes from the given hashField in the event to the 'hash' key - // in the specified namespace. It also adds all the hashes to 'related.hash'. - var addHashes = function (evt, namespace, hashField) { - var hashes = evt.Get(hashField); - if (!hashes) { - return; - } - evt.Delete(hashField); - hashes.split(",").forEach(function (hash) { - var parts = hash.split("="); - if (parts.length !== 2) { - return; - } - - var key = parts[0].toLowerCase(); - var value = parts[1].toLowerCase(); - - if (hashIsEmpty(value)) { - return; - } - - var path = getHashPath(namespace, key); - - evt.Put(path, value); - evt.AppendTo("related.hash", value); - }); - }; - - var splitFileHashes = function (evt) { - addHashes(evt, "file", "winlog.event_data.Hashes"); - }; - - var splitFileHash = function (evt) { - addHashes(evt, "file", "winlog.event_data.Hash"); - }; - - var splitProcessHashes = function (evt) { - addHashes(evt, "process", "winlog.event_data.Hashes"); - }; - - var removeEmptyEventData = function (evt) { - var eventData = evt.Get("winlog.event_data"); - if (eventData && Object.keys(eventData).length === 0) { - evt.Delete("winlog.event_data"); - } - }; - - var translateDnsQueryStatus = function (evt) { - var statusCode = evt.Get("sysmon.dns.status"); - if (!statusCode) { - return; - } - var statusName = dnsQueryStatusCodes[statusCode]; - if (statusName === undefined) { - return; - } - evt.Put("sysmon.dns.status", statusName); - }; - - // Splits the QueryResults field that contains the DNS responses. 
- // Example: "type: 5 f2.taboola.map.fastly.net;::ffff:151.101.66.2;::ffff:151.101.130.2;::ffff:151.101.194.2;::ffff:151.101.2.2;" - var splitDnsQueryResults = function (evt) { - var results = evt.Get("winlog.event_data.QueryResults"); - if (!results) { - return; - } - results = results.split(";"); - - var answers = []; - var ips = []; - for (var i = 0; i < results.length; i++) { - var answer = results[i]; - if (!answer) { - continue; - } - - if (answer.startsWith("type:")) { - var parts = answer.split(/\s+/); - if (parts.length !== 3) { - throw "unexpected QueryResult format"; - } - - answers.push({ - type: dnsRecordTypes[parts[1]], - data: parts[2], - }); - } else { - // Convert V4MAPPED addresses. - answer = answer.replace("::ffff:", ""); - if (net.isIP(answer)) { - ips.push(answer); - - // Synthesize record type based on IP address type. - var type = "A"; - if (answer.indexOf(":") !== -1) { - type = "AAAA"; - } - answers.push({ - type: type, - data: answer, - }); - } - } - } - - if (answers.length > 0) { - evt.Put("dns.answers", answers); - } - if (ips.length > 0) { - evt.Put("dns.resolved_ip", ips); - } - evt.Delete("winlog.event_data.QueryResults"); - }; - - var parseUtcTime = new processor.Timestamp({ - field: "winlog.event_data.UtcTime", - target_field: "winlog.event_data.UtcTime", - timezone: "UTC", - layouts: ["2006-01-02 15:04:05.999"], - tests: ["2019-06-26 21:19:43.237"], - ignore_missing: true, - }); - - var setAdditionalSignatureFields = function (evt) { - var signed = evt.Get("winlog.event_data.Signed"); - if (!signed) { - return; - } - evt.Put("file.code_signature.signed", true); - var signatureStatus = evt.Get("winlog.event_data.SignatureStatus"); - evt.Put("file.code_signature.valid", signatureStatus === "Valid"); - }; - - var setAdditionalFileFieldsFromPath = function (evt) { - var filePath = evt.Get("file.path"); - if (!filePath) { - return; - } - - evt.Put("file.name", path.basename(filePath)); - evt.Put("file.directory", 
path.dirname(filePath)); - - // path returns extensions with a preceding ., e.g.: .tmp, .png - // according to ecs the expected format is without it, so we need to remove it. - var ext = path.extname(filePath); - if (!ext) { - return; - } - - if (ext.charAt(0) === ".") { - ext = ext.substr(1); - } - evt.Put("file.extension", ext); - }; - - // https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-hives - var commonRegistryHives = { - HKEY_CLASSES_ROOT: "HKCR", - HKCR: "HKCR", - HKEY_CURRENT_CONFIG: "HKCC", - HKCC: "HKCC", - HKEY_CURRENT_USER: "HKCU", - HKCU: "HKCU", - HKEY_DYN_DATA: "HKDD", - HKDD: "HKDD", - HKEY_LOCAL_MACHINE: "HKLM", - HKLM: "HKLM", - HKEY_PERFORMANCE_DATA: "HKPD", - HKPD: "HKPD", - HKEY_USERS: "HKU", - HKU: "HKU", - }; - - var qwordRegex = new RegExp(/QWORD \(((0x\d{8})-(0x\d{8}))\)/, "i"); - var dwordRegex = new RegExp(/DWORD \((0x\d{8})\)/, "i"); - - var setRegistryFields = function (evt) { - var path = evt.Get("winlog.event_data.TargetObject"); - if (!path) { - return; - } - evt.Put("registry.path", path); - var pathTokens = path.split("\\"); - var hive = commonRegistryHives[pathTokens[0]]; - if (hive) { - evt.Put("registry.hive", hive); - pathTokens.splice(0, 1); - if (pathTokens.length > 0) { - evt.Put("registry.key", pathTokens.join("\\")); - } - } - var value = pathTokens[pathTokens.length - 1]; - evt.Put("registry.value", value); - var data = evt.Get("winlog.event_data.Details"); - if (!data) { - return; - } - // sysmon only returns details of a registry modification - // if it's a qword or dword - var dataType; - var dataValue; - var match = qwordRegex.exec(data); - if (match && match.length > 0) { - var parsedHighByte = parseInt(match[2]); - var parsedLowByte = parseInt(match[3]); - if (!isNaN(parsedHighByte) && !isNaN(parsedLowByte)) { - dataValue = "" + ((parsedHighByte << 8) + parsedLowByte); - dataType = "SZ_QWORD"; - } - } else { - match = dwordRegex.exec(data); - if (match && match.length > 0) { - var parsedValue = 
parseInt(match[1]); - if (!isNaN(parsedValue)) { - dataType = "SZ_DWORD"; - dataValue = "" + parsedValue; - } - } - } - if (dataType) { - evt.Put("registry.data.strings", [dataValue]); - evt.Put("registry.data.type", dataType); - } - }; - - // Event ID 1 - Process Create. - var event1 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["process"], - type: ["start", "process_start"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - { - from: "winlog.event_data.CommandLine", - to: "process.command_line", - }, - { - from: "winlog.event_data.CurrentDirectory", - to: "process.working_directory", - }, - { - from: "winlog.event_data.ParentProcessGuid", - to: "process.parent.entity_id", - }, - { - from: "winlog.event_data.ParentProcessId", - to: "process.parent.pid", - type: "long", - }, - { - from: "winlog.event_data.ParentImage", - to: "process.parent.executable", - }, - { - from: "winlog.event_data.ParentCommandLine", - to: "process.parent.command_line", - }, - { - from: "winlog.event_data.OriginalFileName", - to: "process.pe.original_file_name", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Convert({ - fields: [{ - from: "winlog.event_data.Company", - to: "process.pe.company", - }, - { - from: "winlog.event_data.Description", - to: "process.pe.description", - }, - { - from: "winlog.event_data.FileVersion", - to: "process.pe.file_version", - }, - { - from: "winlog.event_data.Product", - to: "process.pe.product", - }, - ], - mode: "copy", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setProcessNameUsingExe) - .Add(splitProcessArgs) - .Add(addUser) - 
.Add(splitProcessHashes) - .Add(setParentProcessNameUsingExe) - .Add(splitParentProcessArgs) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 2 - File creation time changed. - var event2 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["file"], - type: ["change"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - { - from: "winlog.event_data.TargetFilename", - to: "file.path", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setAdditionalFileFieldsFromPath) - .Add(setProcessNameUsingExe) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 3 - Network connection detected. - var event3 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["network"], - type: ["connection", "start", "protocol"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - { - from: "winlog.event_data.Protocol", - to: "network.transport", - }, - { - from: "winlog.event_data.SourceIp", - to: "source.ip", - type: "ip", - }, - { - from: "winlog.event_data.SourceHostname", - to: "source.domain", - type: "string", - }, - { - from: "winlog.event_data.SourcePort", - to: "source.port", - type: "long", - }, - { - from: "winlog.event_data.DestinationIp", - to: "destination.ip", - type: "ip", - }, - { - from: "winlog.event_data.DestinationHostname", - to: "destination.domain", 
- type: "string", - }, - { - from: "winlog.event_data.DestinationPort", - to: "destination.port", - type: "long", - }, - { - from: "winlog.event_data.DestinationPortName", - to: "network.protocol", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setRelatedIP) - .Add(setProcessNameUsingExe) - .Add(addUser) - .Add(addNetworkDirection) - .Add(addNetworkType) - .CommunityID() - .Add(removeEmptyEventData) - .Build(); - - // Event ID 4 - Sysmon service state changed. - var event4 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["process"], - type: ["change"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 5 - Process terminated. - var event5 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["process"], - type: ["end", "process_end"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setProcessNameUsingExe) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 6 - Driver loaded. 
- var event6 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["driver"], - type: ["start"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ImageLoaded", - to: "file.path", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Convert({ - fields: [{ - from: "winlog.event_data.Signature", - to: "file.code_signature.subject_name", - }, - { - from: "winlog.event_data.SignatureStatus", - to: "file.code_signature.status", - }, - ], - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setAdditionalFileFieldsFromPath) - .Add(setAdditionalSignatureFields) - .Add(splitFileHashes) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 7 - Image loaded. - var event7 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["process"], - type: ["change"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - { - from: "winlog.event_data.ImageLoaded", - to: "file.path", - }, - { - from: "winlog.event_data.OriginalFileName", - to: "file.pe.original_file_name", - }, - - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Convert({ - fields: [{ - from: "winlog.event_data.Signature", - to: "file.code_signature.subject_name", - }, - { - from: "winlog.event_data.SignatureStatus", - to: "file.code_signature.status", - }, - { - from: "winlog.event_data.Company", - to: "file.pe.company", - }, - { - from: "winlog.event_data.Description", - to: "file.pe.description", - }, - { - from: "winlog.event_data.FileVersion", - to: "file.pe.file_version", - }, - { - from: 
"winlog.event_data.Product", - to: "file.pe.product", - }, - ], - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setAdditionalFileFieldsFromPath) - .Add(setAdditionalSignatureFields) - .Add(setProcessNameUsingExe) - .Add(splitFileHashes) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 8 - CreateRemoteThread detected. - var event8 = new processor.Chain() - .Add(parseUtcTime) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.SourceProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.SourceProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.SourceImage", - to: "process.executable", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setProcessNameUsingExe) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 9 - RawAccessRead detected. - var event9 = new processor.Chain() - .Add(parseUtcTime) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - { - from: "winlog.event_data.Device", - to: "file.path", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setAdditionalFileFieldsFromPath) - .Add(setProcessNameUsingExe) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 10 - Process accessed. 
- var event10 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["process"], - type: ["access"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.SourceProcessGUID", - to: "process.entity_id", - }, - { - from: "winlog.event_data.SourceProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.SourceThreadId", - to: "process.thread.id", - type: "long", - }, - { - from: "winlog.event_data.SourceImage", - to: "process.executable", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setProcessNameUsingExe) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 11 - File created. - var event11 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["file"], - type: ["creation"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - { - from: "winlog.event_data.TargetFilename", - to: "file.path", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setAdditionalFileFieldsFromPath) - .Add(setProcessNameUsingExe) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 12 - Registry object added or deleted. 
- var event12 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["configuration", "registry"], - type: ["change"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setRegistryFields) - .Add(setProcessNameUsingExe) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 13 - Registry value set. - var event13 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["configuration", "registry"], - type: ["change"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setRegistryFields) - .Add(setProcessNameUsingExe) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 14 - Registry object renamed. 
- var event14 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["configuration", "registry"], - type: ["change"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setRegistryFields) - .Add(setProcessNameUsingExe) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 15 - File stream created. - var event15 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["file"], - type: ["access"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - { - from: "winlog.event_data.TargetFilename", - to: "file.path", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setAdditionalFileFieldsFromPath) - .Add(setProcessNameUsingExe) - .Add(splitFileHash) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 16 - Sysmon config state changed. - var event16 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["configuration"], - type: ["change"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 17 - Pipe Created. 
- var event17 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["file"], // pipes are files - type: ["creation"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.PipeName", - to: "file.name", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setProcessNameUsingExe) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 18 - Pipe Connected. - var event18 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["file"], // pipes are files - type: ["access"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.PipeName", - to: "file.name", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(setProcessNameUsingExe) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 19 - WmiEventFilter activity detected. - var event19 = new processor.Chain() - .Add(parseUtcTime) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(addUser) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 20 - WmiEventConsumer activity detected. 
- var event20 = new processor.Chain() - .Add(parseUtcTime) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.Destination", - to: "process.executable", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(addUser) - .Add(setProcessNameUsingExe) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 21 - WmiEventConsumerToFilter activity detected. - var event21 = new processor.Chain() - .Add(parseUtcTime) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(addUser) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 22 - DNSEvent (DNS query). - var event22 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["network"], - type: ["connection", "protocol", "info"], - }, - target: "event", - }) - .AddFields({ - fields: { - protocol: "dns", - }, - target: "network", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - { - from: "winlog.event_data.QueryName", - to: "dns.question.name", - }, - { - from: "winlog.event_data.QueryStatus", - to: "sysmon.dns.status", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .RegisteredDomain({ - ignore_failure: true, - ignore_missing: true, - field: "dns.question.name", - target_field: "dns.question.registered_domain", - target_subdomain_field: "dns.question.subdomain", - target_etld_field: "dns.question.top_level_domain", - }) - .Add(setRuleName) - .Add(translateDnsQueryStatus) - .Add(splitDnsQueryResults) - .Add(setProcessNameUsingExe) 
- .Add(removeEmptyEventData) - .Build(); - - // Event ID 23 - FileDelete (A file delete was detected). - var event23 = new processor.Chain() - .Add(parseUtcTime) - .AddFields({ - fields: { - category: ["file"], // pipes are files - type: ["deletion"], - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ProcessGuid", - to: "process.entity_id", - }, - { - from: "winlog.event_data.ProcessId", - to: "process.pid", - type: "long", - }, - { - from: "winlog.event_data.RuleName", - to: "rule.name", - }, - { - from: "winlog.event_data.TargetFilename", - to: "file.path", - }, - { - from: "winlog.event_data.Image", - to: "process.executable", - }, - { - from: "winlog.event_data.Archived", - to: "sysmon.file.archived", - type: "boolean", - }, - { - from: "winlog.event_data.IsExecutable", - to: "sysmon.file.is_executable", - type: "boolean", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(setRuleName) - .Add(addUser) - .Add(splitProcessHashes) - .Add(setProcessNameUsingExe) - .Add(setAdditionalFileFieldsFromPath) - .Add(removeEmptyEventData) - .Build(); - - // Event ID 255 - Error report. 
- var event255 = new processor.Chain() - .Add(parseUtcTime) - .Convert({ - fields: [{ - from: "winlog.event_data.UtcTime", - to: "@timestamp", - }, - { - from: "winlog.event_data.ID", - to: "error.code", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(removeEmptyEventData) - .Build(); - - return { - 1: event1.Run, - 2: event2.Run, - 3: event3.Run, - 4: event4.Run, - 5: event5.Run, - 6: event6.Run, - 7: event7.Run, - 8: event8.Run, - 9: event9.Run, - 10: event10.Run, - 11: event11.Run, - 12: event12.Run, - 13: event13.Run, - 14: event14.Run, - 15: event15.Run, - 16: event16.Run, - 17: event17.Run, - 18: event18.Run, - 19: event19.Run, - 20: event20.Run, - 21: event21.Run, - 22: event22.Run, - 23: event23.Run, - 255: event255.Run, - - process: function (evt) { - var event_id = evt.Get("winlog.event_id"); - var processor = this[event_id]; - if (processor === undefined) { - throw "unexpected sysmon event_id"; - } - evt.Put("event.module", "sysmon"); - processor(evt); - }, - }; - })(); - - function process(evt) { - return sysmon.process(evt); - } - - - script: - when.or: - - equals: - winlog.channel: Windows PowerShell - - equals: - winlog.channel: Microsoft-Windows-PowerShell/Operational - lang: javascript - id: powershell - source: |- - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. 
- - var powershell = (function () { - var path = require("path"); - var processor = require("processor"); - var windows = require("windows"); - - var normalizeCommonFieldNames = new processor.Convert({ - fields: [ - { - from: "winlog.event_data.Engine Version", - to: "winlog.event_data.EngineVersion", - }, - { - from: "winlog.event_data.Pipeline ID", - to: "winlog.event_data.PipelineId", - }, - { - from: "winlog.event_data.Runspace ID", - to: "winlog.event_data.RunspaceId", - }, - { - from: "winlog.event_data.Host Version", - to: "winlog.event_data.HostVersion", - }, - { - from: "winlog.event_data.Script Name", - to: "winlog.event_data.ScriptName", - }, - { - from: "winlog.event_data.Path", - to: "winlog.event_data.ScriptName", - }, - { - from: "winlog.event_data.Command Path", - to: "winlog.event_data.CommandPath", - }, - { - from: "winlog.event_data.Command Name", - to: "winlog.event_data.CommandName", - }, - { - from: "winlog.event_data.Command Type", - to: "winlog.event_data.CommandType", - }, - { - from: "winlog.event_data.User", - to: "winlog.event_data.UserId", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - - // Builds a dissect tokenizer. - // - // - chunks: number of chunks dissect needs to look for. - // - delimiter: indicates what is the delimiter between chunks, - // in addition to `\n` which is already expected. - // - sep: separator between key value pairs. 
- // - // example: - // For a string like "Foo=Bar\n\tBar=Baz", chunks: 2, delimiter: '\t', sep: '=' - var buildNewlineSpacedTokenizer = function (chunks, delimiter, sep) { - var tokenizer = ""; - for (var i = 0; i < chunks; i++) { - if (i !== 0) { - tokenizer += "\n%{}"; - } - tokenizer += delimiter+"%{*p"+i+"}"+sep+"%{&p"+i+"}"; - } - return tokenizer; - }; - - var dissectField = function (fromField, targetPrefix, chunks, delimiter, sep) { - return new processor.Dissect({ - field: fromField, - target_prefix: targetPrefix, - tokenizer: buildNewlineSpacedTokenizer(chunks, delimiter, sep), - fail_on_error: false, - }); - }; - - // countChunksDelimitedBy will return the number of chunks contained in a field - // that are delimited by the given delimiter. - var countChunksDelimitedBy = function(evt, fromField, delimiter) { - var str = evt.Get(fromField); - if (!str) { - return 0; - } - return str.split(delimiter).length-1; - }; - - var dissect4xxAnd600 = function (evt) { - var delimiter = "\t"; - var chunks = countChunksDelimitedBy(evt, "winlog.event_data.param3", delimiter); - - dissectField("winlog.event_data.param3", "winlog.event_data", chunks, delimiter, "=").Run(evt); - - // these fields contain redundant information. - evt.Delete("winlog.event_data.param1"); - evt.Delete("winlog.event_data.param2"); - evt.Delete("winlog.event_data.param3"); - }; - - var dissect800Detail = function (evt) { - var delimiter = "\t"; - var chunks = countChunksDelimitedBy(evt, "winlog.event_data.param2", delimiter); - - dissectField("winlog.event_data.param2", "winlog.event_data", chunks, "\t", "=").Run(evt); - - // these fields contain redundant information. 
- evt.Delete("winlog.event_data.param1"); - evt.Delete("winlog.event_data.param2"); - }; - - var dissect4103 = function (evt) { - var delimiter = " "; - var chunks = countChunksDelimitedBy(evt, "winlog.event_data.ContextInfo", delimiter); - - dissectField("winlog.event_data.ContextInfo", "winlog.event_data", chunks, delimiter, " = ").Run(evt); - - // these fields contain redundant information. - evt.Delete("winlog.event_data.ContextInfo"); - evt.Delete("winlog.event_data.Severity"); - }; - - var addEngineVersion = function (evt) { - var version = evt.Get("winlog.event_data.EngineVersion"); - evt.Delete("winlog.event_data.EngineVersion"); - if (!version) { - return; - } - - evt.Put("powershell.engine.version", version); - }; - - var addPipelineID = function (evt) { - var id = evt.Get("winlog.event_data.PipelineId"); - evt.Delete("winlog.event_data.PipelineId"); - if (!id) { - return; - } - - evt.Put("powershell.pipeline_id", id); - }; - - var addRunspaceID = function (evt) { - var id = evt.Get("winlog.event_data.RunspaceId"); - evt.Delete("winlog.event_data.RunspaceId"); - if (!id) { - return; - } - - evt.Put("powershell.runspace_id", id); - }; - - var addScriptBlockID = function (evt) { - var id = evt.Get("winlog.event_data.ScriptBlockId"); - evt.Delete("winlog.event_data.ScriptBlockId"); - if (!id) { - return; - } - - evt.Put("powershell.file.script_block_id", id); - }; - - var addScriptBlockText = function (evt) { - var text = evt.Get("winlog.event_data.ScriptBlockText"); - evt.Delete("winlog.event_data.ScriptBlockText"); - if (!text) { - return; - } - - evt.Put("powershell.file.script_block_text", text); - }; - - var splitCommandLine = function (evt, source, target) { - var commandLine = evt.Get(source); - if (!commandLine) { - return; - } - evt.Put(target, windows.splitCommandLine(commandLine)); - }; - - var addProcessArgs = function (evt) { - splitCommandLine(evt, "process.command_line", "process.args"); - var args = evt.Get("process.args"); - if (args && 
args.length > 0) { - evt.Put("process.args_count", args.length); - } - }; - - var addExecutableVersion = function (evt) { - var version = evt.Get("winlog.event_data.HostVersion"); - evt.Delete("winlog.event_data.HostVersion"); - if (!version) { - return; - } - - evt.Put("powershell.process.executable_version", version); - }; - - var addFileInfo = function (evt) { - var scriptName = evt.Get("winlog.event_data.ScriptName"); - evt.Delete("winlog.event_data.ScriptName"); - if (!scriptName) { - return; - } - - evt.Put("file.path", scriptName); - evt.Put("file.name", path.basename(scriptName)); - evt.Put("file.directory", path.dirname(scriptName)); - - // path returns extensions with a preceding ., e.g.: .tmp, .png - // according to ecs the expected format is without it, so we need to remove it. - var ext = path.extname(scriptName); - if (!ext) { - return; - } - - if (ext.charAt(0) === ".") { - ext = ext.substr(1); - } - evt.Put("file.extension", ext); - }; - - var addCommandValue = function (evt) { - var value = evt.Get("winlog.event_data.CommandLine") - evt.Delete("winlog.event_data.CommandLine"); - if (!value) { - return; - } - - evt.Put("powershell.command.value", value.trim()); - }; - - var addCommandPath = function (evt) { - var commandPath = evt.Get("winlog.event_data.CommandPath"); - evt.Delete("winlog.event_data.CommandPath"); - if (!commandPath) { - return; - } - - evt.Put("powershell.command.path", commandPath); - }; - - var addCommandName = function (evt) { - var commandName = evt.Get("winlog.event_data.CommandName"); - evt.Delete("winlog.event_data.CommandName"); - if (!commandName) { - return; - } - - evt.Put("powershell.command.name", commandName); - }; - - var addCommandType = function (evt) { - var commandType = evt.Get("winlog.event_data.CommandType"); - evt.Delete("winlog.event_data.CommandType"); - if (!commandType) { - return; - } - - evt.Put("powershell.command.type", commandType); - }; - - var detailRegex = /^(.+)\((.+)\)\:\s*(.+)?$/; - var 
parameterBindingRegex = /^.*name\=(.+);\s*value\=(.+)$/ - - // Parses a command invocation detail raw line, and converts it to an object, based on its type. - // - // - for unexpectedly formatted ones: {value: "the raw line as it is"} - // - for all: - // * related_command: describes to what command it is related to - // * value: the value for that detail line - // * type: the type of the detail line, i.e.: CommandInvocation, ParameterBinding, NonTerminatingError - // - additionally, ParameterBinding adds a `name` field with the parameter name being bound. - var parseRawDetail = function (raw) { - var matches = detailRegex.exec(raw); - if (!matches || matches.length !== 4) { - return {value: raw}; - } - - if (matches[1] !== "ParameterBinding") { - return {type: matches[1], related_command: matches[2], value: matches[3]}; - } - - var nameValMatches = parameterBindingRegex.exec(matches[3]); - if (!nameValMatches || nameValMatches.length !== 3) { - return {value: matches[3]}; - } - - return { - type: matches[1], - related_command: matches[2], - name: nameValMatches[1], - value: nameValMatches[2], - }; - }; - - var addCommandInvocationDetails = function (evt, from) { - var rawDetails = evt.Get(from); - if (!rawDetails) { - return; - } - - var details = []; - rawDetails.split("\n").forEach(function (raw) { - details.push(parseRawDetail(raw)); - }); - - if (details.length === 0) { - return; - } - - evt.Delete(from); - evt.Put("powershell.command.invocation_details", details); - }; - - var addCommandInvocationDetailsForEvent800 = function (evt) { - addCommandInvocationDetails(evt, "winlog.event_data.param3"); - }; - - var addCommandInvocationDetailsForEvent4103 = function (evt) { - addCommandInvocationDetails(evt, "winlog.event_data.Payload"); - }; - - var addUser = function (evt) { - var userParts = evt.Get("winlog.event_data.UserId").split("\\"); - evt.Delete("winlog.event_data.UserId"); - if (userParts.length === 2) { - evt.Put("user.domain", userParts[0]); - 
evt.Put("user.name", userParts[1]); - evt.AppendTo("related.user", userParts[1]); - } - }; - - var addConnectedUser = function (evt) { - var userParts = evt.Get("winlog.event_data.Connected User").split("\\"); - evt.Delete("winlog.event_data.Connected User"); - if (userParts.length === 2) { - evt.Put("powershell.connected_user.domain", userParts[0]); - if (evt.Get("user.domain")) { - evt.Put("destination.user.domain", evt.Get("user.domain")); - } - evt.Put("source.user.domain", userParts[0]); - evt.Put("user.domain", userParts[0]); - - evt.Put("powershell.connected_user.name", userParts[1]); - if (evt.Get("user.name")) { - evt.Put("destination.user.name", evt.Get("user.name")); - } - evt.Put("source.user.name", userParts[1]); - evt.Put("user.name", userParts[1]); - evt.AppendTo("related.user", userParts[1]); - } - }; - - var removeEmptyEventData = function (evt) { - var eventData = evt.Get("winlog.event_data"); - if (eventData && Object.keys(eventData).length === 0) { - evt.Delete("winlog.event_data"); - } - }; - - var event4xxAnd600Common = new processor.Chain() - .Add(dissect4xxAnd600) - .Convert({ - fields: [ - { - from: "winlog.event_data.SequenceNumber", - to: "event.sequence", - type: "long", - }, - { - from: "winlog.event_data.NewEngineState", - to: "powershell.engine.new_state", - }, - { - from: "winlog.event_data.PreviousEngineState", - to: "powershell.engine.previous_state", - }, - { - from: "winlog.event_data.NewProviderState", - to: "powershell.provider.new_state", - }, - { - from: "winlog.event_data.ProviderName", - to: "powershell.provider.name", - }, - { - from: "winlog.event_data.HostId", - to: "process.entity_id", - }, - { - from: "winlog.event_data.HostApplication", - to: "process.command_line", - }, - { - from: "winlog.event_data.HostName", - to: "process.title", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(addEngineVersion) - .Add(addPipelineID) - .Add(addRunspaceID) - .Add(addProcessArgs) - 
.Add(addExecutableVersion) - .Add(addFileInfo) - .Add(addCommandValue) - .Add(addCommandPath) - .Add(addCommandName) - .Add(addCommandType) - .Add(removeEmptyEventData) - .Build(); - - var event400 = new processor.Chain() - .AddFields({ - fields: { - category: ["process"], - type: ["start"], - }, - target: "event", - }) - .Add(event4xxAnd600Common) - .Build() - - var event403 = new processor.Chain() - .AddFields({ - fields: { - category: ["process"], - type: ["end"], - }, - target: "event", - }) - .Add(event4xxAnd600Common) - .Build() - - var event600 = new processor.Chain() - .AddFields({ - fields: { - category: ["process"], - type: ["info"], - }, - target: "event", - }) - .Add(event4xxAnd600Common) - .Build() - - var event800 = new processor.Chain() - .Add(dissect800Detail) - .AddFields({ - fields: { - category: ["process"], - type: ["info"], - }, - target: "event", - }) - .Convert({ - fields: [ - { - from: "winlog.event_data.SequenceNumber", - to: "event.sequence", - type: "long", - }, - { - from: "winlog.event_data.HostId", - to: "process.entity_id", - }, - { - from: "winlog.event_data.HostApplication", - to: "process.command_line", - }, - { - from: "winlog.event_data.HostName", - to: "process.title", - }, - { - from: "winlog.event_data.DetailTotal", - to: "powershell.total", - type: "long", - }, - { - from: "winlog.event_data.DetailSequence", - to: "powershell.sequence", - type: "long", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(addEngineVersion) - .Add(addPipelineID) - .Add(addRunspaceID) - .Add(addProcessArgs) - .Add(addExecutableVersion) - .Add(addFileInfo) - .Add(addCommandValue) - .Add(addCommandPath) - .Add(addCommandName) - .Add(addCommandType) - .Add(addUser) - .Add(addCommandInvocationDetailsForEvent800) - .Add(removeEmptyEventData) - .Build(); - - var event4103 = new processor.Chain() - .Add(dissect4103) - .AddFields({ - fields: { - category: ["process"], - type: ["info"], - }, - target: "event", - }) - 
.Convert({ - fields: [ - { - from: "winlog.event_data.Sequence Number", - to: "event.sequence", - type: "long", - }, - { - from: "winlog.event_data.Host ID", - to: "process.entity_id", - }, - { - from: "winlog.event_data.Host Application", - to: "process.command_line", - }, - { - from: "winlog.event_data.Host Name", - to: "process.title", - }, - { - from: "winlog.event_data.Shell ID", - to: "powershell.id", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Convert({ - fields: [ - { - from: "winlog.user.identifier", - to: "user.id", - type: "string", - }, - ], - mode: "copy", - ignore_missing: true, - fail_on_error: false, - }) - .Add(normalizeCommonFieldNames) - .Add(addEngineVersion) - .Add(addPipelineID) - .Add(addRunspaceID) - .Add(addProcessArgs) - .Add(addExecutableVersion) - .Add(addFileInfo) - .Add(addCommandValue) - .Add(addCommandPath) - .Add(addCommandName) - .Add(addCommandType) - .Add(addUser) - .Add(addConnectedUser) - .Add(addCommandInvocationDetailsForEvent4103) - .Add(removeEmptyEventData) - .Build(); - - var event4104 = new processor.Chain() - .AddFields({ - fields: { - category: ["process"], - type: ["info"], - }, - target: "event", - }) - .Convert({ - fields: [ - { - from: "winlog.event_data.MessageNumber", - to: "powershell.sequence", - type: "long", - }, - { - from: "winlog.event_data.MessageTotal", - to: "powershell.total", - type: "long", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Convert({ - fields: [ - { - from: "winlog.user.identifier", - to: "user.id", - type: "string", - }, - ], - mode: "copy", - ignore_missing: true, - fail_on_error: false, - }) - .Add(normalizeCommonFieldNames) - .Add(addFileInfo) - .Add(addScriptBlockID) - .Add(addScriptBlockText) - .Add(removeEmptyEventData) - .Build(); - - var event4105And4106Common = new processor.Chain() - .Add(addRunspaceID) - .Add(addScriptBlockID) - .Add(removeEmptyEventData) - .Convert({ - fields: [ - { - from: 
"winlog.user.identifier",
- to: "user.id",
- type: "string",
- },
- ],
- mode: "copy",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Build();
-
- var event4105 = new processor.Chain()
- .Add(event4105And4106Common)
- .AddFields({
- fields: {
- category: ["process"],
- type: ["start"],
- },
- target: "event",
- })
- .Build();
-
- var event4106 = new processor.Chain()
- .Add(event4105And4106Common)
- .AddFields({
- fields: {
- category: ["process"],
- type: ["end"],
- },
- target: "event",
- })
- .Build();
-
- return {
- 400: event400.Run,
- 403: event403.Run,
- 600: event600.Run,
- 800: event800.Run,
- 4103: event4103.Run,
- 4104: event4104.Run,
- 4105: event4105.Run,
- 4106: event4106.Run,
-
- process: function(evt) {
- var eventId = evt.Get("winlog.event_id");
- var processor = this[eventId];
- if (processor === undefined) {
- return;
- }
- evt.Put("event.module", "powershell");
- processor(evt);
- },
- };
- })();
-
- function process(evt) {
- return powershell.process(evt);
- }
diff --git a/packages/windows/0.7.0/data_stream/forwarded/elasticsearch/ingest_pipeline/default.yml b/packages/windows/0.7.0/data_stream/forwarded/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 15290547b8..0000000000
--- a/packages/windows/0.7.0/data_stream/forwarded/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-description: Pipeline for Windows forewarded Event Logs
-processors:
- - set:
- field: event.ingested
- value: '{{_ingest.timestamp}}'
-on_failure:
- - set:
- field: "error.message"
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/windows/0.7.0/data_stream/forwarded/fields/agent.yml b/packages/windows/0.7.0/data_stream/forwarded/fields/agent.yml
deleted file mode 100755
index da4e652c53..0000000000
--- a/packages/windows/0.7.0/data_stream/forwarded/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/windows/0.7.0/data_stream/forwarded/fields/base-fields.yml b/packages/windows/0.7.0/data_stream/forwarded/fields/base-fields.yml
deleted file mode 100755
index a9a65458fc..0000000000
--- a/packages/windows/0.7.0/data_stream/forwarded/fields/base-fields.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset name.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: dataset.type
- type: constant_keyword
- description: Dataset type.
-- name: dataset.name
- type: constant_keyword
- description: Dataset name.
-- name: dataset.namespace
- type: constant_keyword
- description: Dataset namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/windows/0.7.0/data_stream/forwarded/fields/ecs.yml b/packages/windows/0.7.0/data_stream/forwarded/fields/ecs.yml
deleted file mode 100755
index 5b76041236..0000000000
--- a/packages/windows/0.7.0/data_stream/forwarded/fields/ecs.yml
+++ /dev/null
@@ -1,492 +0,0 @@ -- name: event - title: Event - type: group - fields: - - name: action - type: keyword - ignore_above: 1024 - description: 'The action captured by the event.' - - name: category - type: keyword - ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.' - - name: code - type: keyword - ignore_above: 1024 - description: 'Identification code for this event, if one exists.' - - name: created - type: date - description: 'event.created contains the date/time when the event was first read by an agent, or by your pipeline.' - - name: ingested - type: date - description: 'Timestamp when an event arrived in the central data store.' - default_field: false - - name: kind - type: keyword - ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.' - - name: module - type: keyword - ignore_above: 1024 - description: 'Name of the module this data is coming from.' - - name: outcome - type: keyword - ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.' - - name: provider - type: keyword - ignore_above: 1024 - description: 'Source of the event.' - - name: sequence - type: long - format: string - description: 'Sequence number of the event.' - - name: type - type: keyword - ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.' -- name: host - title: Host - type: group - fields: - - name: name - type: keyword - ignore_above: 1024 - description: 'Name of the host.' -- name: log - title: Log - type: group - fields: - - name: level - type: keyword - ignore_above: 1024 - description: 'Original log level of the log event.' 
-- name: process - title: Process - type: group - fields: - - name: args - type: keyword - ignore_above: 1024 - description: 'Array of process arguments, starting with the absolute path to the executable.' - - name: args_count - type: long - description: 'Length of the process.args array.' - default_field: false - - name: command_line - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: 'Full command line that started the process, including the absolute path to the executable, and all arguments.' - default_field: false - - name: entity_id - type: keyword - ignore_above: 1024 - description: 'Unique identifier for the process.' - default_field: false - - name: executable - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Absolute path to the process executable. - - name: hash.md5 - type: keyword - ignore_above: 1024 - description: MD5 hash. - - name: hash.sha1 - type: keyword - ignore_above: 1024 - description: SHA1 hash. - - name: hash.sha256 - type: keyword - ignore_above: 1024 - description: SHA256 hash. - - name: hash.sha512 - type: keyword - ignore_above: 1024 - description: SHA512 hash. - - name: name - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: 'Process name.' - - name: parent.args - type: keyword - ignore_above: 1024 - description: 'Array of process arguments, starting with the absolute path to the executable.' - default_field: false - - name: parent.args_count - type: long - description: 'Length of the process.args array.' - default_field: false - - name: parent.command_line - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: 'Full command line that started the process, including the absolute path to the executable, and all arguments.' 
- default_field: false - - name: parent.entity_id - type: keyword - ignore_above: 1024 - description: 'Unique identifier for the process.' - default_field: false - - name: parent.executable - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Absolute path to the process executable. - default_field: false - - name: parent.hash.md5 - type: keyword - ignore_above: 1024 - description: MD5 hash. - default_field: false - - name: parent.hash.sha1 - type: keyword - ignore_above: 1024 - description: SHA1 hash. - default_field: false - - name: parent.hash.sha256 - type: keyword - ignore_above: 1024 - description: SHA256 hash. - default_field: false - - name: parent.hash.sha512 - type: keyword - ignore_above: 1024 - description: SHA512 hash. - default_field: false - - name: parent.name - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: 'Process name.' - default_field: false - - name: parent.pe.architecture - type: keyword - ignore_above: 1024 - description: CPU architecture target for the file. - default_field: false - - name: parent.pe.company - type: keyword - ignore_above: 1024 - description: Internal company name of the file, provided at compile-time. - default_field: false - - name: parent.pe.description - type: keyword - ignore_above: 1024 - description: Internal description of the file, provided at compile-time. - default_field: false - - name: parent.pe.file_version - type: keyword - ignore_above: 1024 - description: Internal version of the file, provided at compile-time. - default_field: false - - name: parent.pe.imphash - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a PE file.' - default_field: false - - name: parent.pe.original_file_name - type: keyword - ignore_above: 1024 - description: Internal name of the file, provided at compile-time. 
- default_field: false - - name: parent.pe.product - type: keyword - ignore_above: 1024 - description: Internal product name of the file, provided at compile-time. - default_field: false - - name: parent.pid - type: long - format: string - description: Process id. - default_field: false - - name: parent.start - type: date - description: The time the process started. - default_field: false - - name: parent.title - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: 'Process title.' - default_field: false - - name: pe.architecture - type: keyword - ignore_above: 1024 - description: CPU architecture target for the file. - default_field: false - - name: pe.company - type: keyword - ignore_above: 1024 - description: Internal company name of the file, provided at compile-time. - default_field: false - - name: pe.description - type: keyword - ignore_above: 1024 - description: Internal description of the file, provided at compile-time. - default_field: false - - name: pe.file_version - type: keyword - ignore_above: 1024 - description: Internal version of the file, provided at compile-time. - default_field: false - - name: pe.imphash - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a PE file.' - default_field: false - - name: pe.original_file_name - type: keyword - ignore_above: 1024 - description: Internal name of the file, provided at compile-time. - default_field: false - - name: pe.product - type: keyword - ignore_above: 1024 - description: Internal product name of the file, provided at compile-time. - default_field: false - - name: pid - type: long - format: string - description: Process id. - - name: title - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: 'Process title. - - The proctitle, some times the same as process name. 
Can also be different: for example a browser setting its title to the web page currently opened.' - - name: working_directory - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: The working directory of the process. -- name: user - title: User - type: group - fields: - - name: domain - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of.' - - name: id - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - - name: name - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Short name or login of the user. - - name: target.group.domain - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of.' - default_field: false - - name: target.group.id - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: target.group.name - type: keyword - ignore_above: 1024 - description: Name of the group. - - name: target.name - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Short name or login of the user. - default_field: false -- name: group - title: Group - type: group - fields: - - name: domain - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of.' - - name: id - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - - name: name - type: keyword - ignore_above: 1024 - description: Name of the group. -- name: service - title: Service - type: group - fields: - - name: name - type: keyword - ignore_above: 1024 - description: 'Name of the service data is collected from.' 
- - name: type - type: keyword - ignore_above: 1024 - description: 'The type of the service data is collected from.' -- name: source - title: Source - type: group - fields: - - name: domain - type: keyword - ignore_above: 1024 - description: Source domain. - - name: ip - type: ip - description: IP address of the source (IPv4 or IPv6). - - name: port - type: long - format: string - description: Port of the source. -- name: related - title: Related - type: group - fields: - - name: hash - type: keyword - ignore_above: 1024 - default_field: false - - name: hosts - type: keyword - ignore_above: 1024 - default_field: false - - name: ip - type: ip - - name: user - type: keyword - ignore_above: 1024 - default_field: false -- name: dns - title: DNS - group: 2 - type: group - fields: - - name: answers - type: object - description: 'An array containing an object for each answer section returned by the server.' - - name: answers.class - type: keyword - ignore_above: 1024 - description: The class of DNS data contained in this resource record. - - name: answers.data - type: keyword - ignore_above: 1024 - description: 'The data describing the resource.' - - name: answers.name - type: keyword - ignore_above: 1024 - description: 'The domain name to which this resource record pertains.' - - name: answers.ttl - type: long - description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. - - name: answers.type - type: keyword - ignore_above: 1024 - description: The type of data contained in this resource record. - - name: header_flags - type: keyword - ignore_above: 1024 - description: 'Array of 2 letter DNS header flags.' - - name: id - type: keyword - ignore_above: 1024 - description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. 
- - name: op_code - type: keyword - ignore_above: 1024 - description: The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. - - name: question.class - type: keyword - ignore_above: 1024 - description: The class of records being queried. - - name: question.name - type: keyword - ignore_above: 1024 - description: 'The name being queried.' - - name: question.registered_domain - type: keyword - ignore_above: 1024 - description: 'The highest registered domain, stripped of the subdomain.' - - name: question.subdomain - type: keyword - ignore_above: 1024 - description: 'The subdomain is all of the labels under the registered_domain.' - - name: question.top_level_domain - type: keyword - ignore_above: 1024 - description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".' - - name: question.type - type: keyword - ignore_above: 1024 - description: The type of record being queried. - - name: resolved_ip - type: ip - description: 'Array containing all IPs seen in `answers.data`.' - - name: response_code - type: keyword - ignore_above: 1024 - description: The DNS response code. - - name: type - type: keyword - ignore_above: 1024 - description: 'The type of DNS event captured, query or answer.' -- name: network - title: Network - type: group - fields: - - name: protocol - type: keyword - ignore_above: 1024 - description: 'L7 Network protocol name. ex. http, lumberjack, transport protocol.' -- name: rule - title: Rule - type: group - fields: - - name: name - type: keyword - ignore_above: 1024 - description: The name of the rule or signature generating the event. - default_field: false 
diff --git a/packages/windows/0.7.0/data_stream/forwarded/fields/fields.yml b/packages/windows/0.7.0/data_stream/forwarded/fields/fields.yml
deleted file mode 100755
index d869b147a9..0000000000
--- a/packages/windows/0.7.0/data_stream/forwarded/fields/fields.yml
+++ /dev/null
@@ -1,170 +0,0 @@ -- name: sysmon.dns.status - type: keyword - description: Windows status code returned for the DNS query. -- name: sysmon.file.archived - type: boolean - description: Indicates if the deleted file was archived. -- name: sysmon.file.is_executable - type: boolean - description: Indicates if the deleted file was an executable. -- name: winlog.logon - type: group - description: Data related to a Windows logon. - fields: - - name: type - type: keyword - description: > - Logon type name. This is the descriptive version of the `winlog.event_data.LogonType` ordinal. This is an enrichment added by the Security module. - - example: RemoteInteractive - - name: id - type: keyword - description: > - Logon ID that can be used to associate this logon with other events related to the same logon session. - - - name: failure.reason - type: keyword - description: > - The reason the logon failed. - - - name: failure.status - type: keyword - description: > - The reason the logon failed. This is textual description based on the value of the hexadecimal `Status` field. - - - name: failure.sub_status - type: keyword - description: > - Additional information about the logon failure. This is a textual description based on the value of the hexidecimal `SubStatus` field. - -- name: powershell.id - type: keyword - description: Shell Id. - example: Microsoft Powershell -- name: powershell.pipeline_id - type: keyword - description: Pipeline id. - example: "1" -- name: powershell.runspace_id - type: keyword - description: Runspace id. - example: "4fa9074d-45ab-4e53-9195-e91981ac2bbb" -- name: powershell.sequence - type: long - description: Sequence number of the powershell execution. - example: 1 -- name: powershell.total - type: long - description: Total number of messages in the sequence. - example: 10 -- name: powershell.command - type: group - description: Data related to the executed command. 
- fields: - - name: path - type: keyword - description: Path of the executed command. - example: "C:\\Windows\\system32\\cmd.exe" - - name: name - type: keyword - description: Name of the executed command. - example: "cmd.exe" - - name: type - type: keyword - description: Type of the executed command. - example: Application - - name: value - type: text - description: The invoked command. - example: Import-LocalizedData LocalizedData -filename ArchiveResources - - name: invocation_details - type: array - description: > - An array of objects containing detailed information of the executed command. - - - name: invocation_details.type - type: keyword - description: The type of detail. - example: CommandInvocation - - name: invocation_details.related_command - type: keyword - description: The command to which the detail is related to. - example: Add-Type - - name: invocation_details.name - type: keyword - description: > - Only used for ParameterBinding detail type. Indicates the parameter name. - - example: AssemblyName - - name: invocation_details.value - type: text - description: > - The value of the detail. The meaning of it will depend on the detail type. - - example: System.IO.Compression.FileSystem -- name: powershell.connected_user - type: group - description: Data related to the connected user executing the command. - fields: - - name: domain - type: keyword - description: User domain. - example: VAGRANT - - name: name - type: keyword - description: User name. - example: vagrant -- name: powershell.engine - type: group - description: Data related to the PowerShell engine. - fields: - - name: version - type: keyword - description: Version of the PowerShell engine version used to execute the command. - example: "5.1.17763.1007" - - name: previous_state - type: keyword - description: > - Previous state of the PowerShell engine. - - example: Available - - name: new_state - type: keyword - description: > - New state of the PowerShell engine. 
- - example: Stopped -- name: powershell.file - type: group - description: Data related to the executed script file. - fields: - - name: script_block_id - type: keyword - description: Id of the executed script block. - example: "50d2dbda-7361-4926-a94d-d9eadfdb43fa" - - name: script_block_text - type: text - description: > - Text of the executed script block. - - example: ".\\a_script.ps1" -- name: powershell.process.executable_version - type: keyword - description: Version of the engine hosting process executable. - example: "5.1.17763.1007" -- name: powershell.provider - type: group - description: Data related to the PowerShell engine host. - fields: - - name: new_state - type: keyword - description: > - New state of the PowerShell provider. - - example: Active - - name: name - type: keyword - description: > - Provider name. - - example: Variable diff --git a/packages/windows/0.7.0/data_stream/forwarded/fields/winlog.yml b/packages/windows/0.7.0/data_stream/forwarded/fields/winlog.yml deleted file mode 100755 index 4ac76fdcdc..0000000000 --- a/packages/windows/0.7.0/data_stream/forwarded/fields/winlog.yml +++ /dev/null 
@@ -1,361 +0,0 @@ -- name: winlog - type: group - description: > - All fields specific to the Windows Event Log are defined here. - - fields: - - name: api - required: true - type: keyword - description: > - The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. - - The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. - - - name: activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. - - - name: computer_name - type: keyword - required: true - description: > - The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. - - - name: event_data - type: object - object_type: keyword - required: false - description: > - The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. - - - name: event_data - type: group - description: > - This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs. 
- - fields: - - name: AuthenticationPackageName - type: keyword - - name: Binary - type: keyword - - name: BitlockerUserInputTime - type: keyword - - name: BootMode - type: keyword - - name: BootType - type: keyword - - name: BuildVersion - type: keyword - - name: Company - type: keyword - - name: CorruptionActionState - type: keyword - - name: CreationUtcTime - type: keyword - - name: Description - type: keyword - - name: Detail - type: keyword - - name: DeviceName - type: keyword - - name: DeviceNameLength - type: keyword - - name: DeviceTime - type: keyword - - name: DeviceVersionMajor - type: keyword - - name: DeviceVersionMinor - type: keyword - - name: DriveName - type: keyword - - name: DriverName - type: keyword - - name: DriverNameLength - type: keyword - - name: DwordVal - type: keyword - - name: EntryCount - type: keyword - - name: ExtraInfo - type: keyword - - name: FailureName - type: keyword - - name: FailureNameLength - type: keyword - - name: FileVersion - type: keyword - - name: FinalStatus - type: keyword - - name: Group - type: keyword - - name: IdleImplementation - type: keyword - - name: IdleStateCount - type: keyword - - name: ImpersonationLevel - type: keyword - - name: IntegrityLevel - type: keyword - - name: IpAddress - type: keyword - - name: IpPort - type: keyword - - name: KeyLength - type: keyword - - name: LastBootGood - type: keyword - - name: LastShutdownGood - type: keyword - - name: LmPackageName - type: keyword - - name: LogonGuid - type: keyword - - name: LogonId - type: keyword - - name: LogonProcessName - type: keyword - - name: LogonType - type: keyword - - name: MajorVersion - type: keyword - - name: MaximumPerformancePercent - type: keyword - - name: MemberName - type: keyword - - name: MemberSid - type: keyword - - name: MinimumPerformancePercent - type: keyword - - name: MinimumThrottlePercent - type: keyword - - name: MinorVersion - type: keyword - - name: NewProcessId - type: keyword - - name: NewProcessName - type: 
keyword - - name: NewSchemeGuid - type: keyword - - name: NewTime - type: keyword - - name: NominalFrequency - type: keyword - - name: Number - type: keyword - - name: OldSchemeGuid - type: keyword - - name: OldTime - type: keyword - - name: OriginalFileName - type: keyword - - name: Path - type: keyword - - name: PerformanceImplementation - type: keyword - - name: PreviousCreationUtcTime - type: keyword - - name: PreviousTime - type: keyword - - name: PrivilegeList - type: keyword - - name: ProcessId - type: keyword - - name: ProcessName - type: keyword - - name: ProcessPath - type: keyword - - name: ProcessPid - type: keyword - - name: Product - type: keyword - - name: PuaCount - type: keyword - - name: PuaPolicyId - type: keyword - - name: QfeVersion - type: keyword - - name: Reason - type: keyword - - name: SchemaVersion - type: keyword - - name: ScriptBlockText - type: keyword - - name: ServiceName - type: keyword - - name: ServiceVersion - type: keyword - - name: ShutdownActionType - type: keyword - - name: ShutdownEventCode - type: keyword - - name: ShutdownReason - type: keyword - - name: Signature - type: keyword - - name: SignatureStatus - type: keyword - - name: Signed - type: keyword - - name: StartTime - type: keyword - - name: State - type: keyword - - name: Status - type: keyword - - name: StopTime - type: keyword - - name: SubjectDomainName - type: keyword - - name: SubjectLogonId - type: keyword - - name: SubjectUserName - type: keyword - - name: SubjectUserSid - type: keyword - - name: TSId - type: keyword - - name: TargetDomainName - type: keyword - - name: TargetInfo - type: keyword - - name: TargetLogonGuid - type: keyword - - name: TargetLogonId - type: keyword - - name: TargetServerName - type: keyword - - name: TargetUserName - type: keyword - - name: TargetUserSid - type: keyword - - name: TerminalSessionId - type: keyword - - name: TokenElevationType - type: keyword - - name: TransmittedServices - type: keyword - - name: UserSid - type: 
keyword - - name: Version - type: keyword - - name: Workstation - type: keyword - - name: param1 - type: keyword - - name: param2 - type: keyword - - name: param3 - type: keyword - - name: param4 - type: keyword - - name: param5 - type: keyword - - name: param6 - type: keyword - - name: param7 - type: keyword - - name: param8 - type: keyword - - name: event_id - type: keyword - required: true - description: > - The event identifier. The value is specific to the source of the event. - - - name: keywords - type: keyword - required: false - description: > - The keywords are used to classify an event. - - - name: channel - type: keyword - required: true - description: > - The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. - - - name: record_id - type: keyword - required: true - description: > - The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. - - - name: related_activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. - - - name: opcode - type: keyword - required: false - description: > - The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. - - - name: provider_guid - type: keyword - required: false - description: > - A globally unique identifier that identifies the provider that logged the event. - - - name: process.pid - type: long - required: false - description: > - The process_id of the Client Server Runtime Process. 
- - - name: provider_name - type: keyword - required: true - description: > - The source of the event log record (the application or service that logged the record). - - - name: task - type: keyword - required: false - description: > - The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. - - - name: process.thread.id - type: long - required: false - - name: user_data - type: object - object_type: keyword - required: false - description: > - The event specific data. This field is mutually exclusive with `event_data`. - - - name: user.identifier - type: keyword - required: false - example: S-1-5-21-3541430928-2051711210-1391384369-1001 - description: > - The Windows security identifier (SID) of the account associated with this event. - - If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. - - - name: user.name - type: keyword - description: > - Name of the user associated with this event. - - - name: user.domain - type: keyword - required: false - description: > - The domain that the account associated with this event is a member of. - - - name: user.type - type: keyword - required: false - description: > - The type of account associated with this event. - - - name: version - type: long - required: false - description: The version number of the event's definition. diff --git a/packages/windows/0.7.0/data_stream/forwarded/manifest.yml b/packages/windows/0.7.0/data_stream/forwarded/manifest.yml deleted file mode 100755 index 68bb95c32b..0000000000 --- a/packages/windows/0.7.0/data_stream/forwarded/manifest.yml +++ /dev/null 
@@ -1,34 +0,0 @@ -type: logs -title: Windows forwarded events -release: experimental -streams: - - input: winlog - template_path: winlog.yml.hbs - title: Forwarded - description: 'Collect ForwardedEvents channel logs' - - input: httpjson - title: Windows ForwardedEvents via Splunk Enterprise REST API - description: Collect ForwardedEvents via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: false - required: true - default: "search sourcetype=\"XmlWinEventLog:ForwardedEvents\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded diff --git a/packages/windows/0.7.0/data_stream/perfmon/agent/stream/stream.yml.hbs b/packages/windows/0.7.0/data_stream/perfmon/agent/stream/stream.yml.hbs deleted file mode 100755 index 142d2d803e..0000000000 --- a/packages/windows/0.7.0/data_stream/perfmon/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,6 +0,0 @@ -metricsets: ["perfmon"] -condition: ${host.platform} == 'windows' -perfmon.group_measurements_by_instance: {{perfmon.group_measurements_by_instance}} -perfmon.ignore_non_existent_counters: {{perfmon.ignore_non_existent_counters}} -perfmon.queries: {{perfmon.queries}} -period: {{period}} diff --git a/packages/windows/0.7.0/data_stream/perfmon/fields/agent.yml b/packages/windows/0.7.0/data_stream/perfmon/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/windows/0.7.0/data_stream/perfmon/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/windows/0.7.0/data_stream/perfmon/fields/base-fields.yml b/packages/windows/0.7.0/data_stream/perfmon/fields/base-fields.yml deleted file mode 100755 index 7c798f4534..0000000000 --- a/packages/windows/0.7.0/data_stream/perfmon/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/windows/0.7.0/data_stream/perfmon/fields/fields.yml b/packages/windows/0.7.0/data_stream/perfmon/fields/fields.yml deleted file mode 100755 index c5cca6fc04..0000000000 --- a/packages/windows/0.7.0/data_stream/perfmon/fields/fields.yml +++ /dev/null @@ -1,15 +0,0 @@ -- name: windows.perfmon - type: group - fields: - - name: object - type: keyword - description: | - Object value. - - name: instance - type: keyword - description: | - Instance value. - - name: metrics.*.* - type: object - description: | - Metric values returned. diff --git a/packages/windows/0.7.0/data_stream/perfmon/manifest.yml b/packages/windows/0.7.0/data_stream/perfmon/manifest.yml deleted file mode 100755 index a3117039b7..0000000000 --- a/packages/windows/0.7.0/data_stream/perfmon/manifest.yml +++ /dev/null 
@@ -1,46 +0,0 @@ -title: Windows perfmon metrics -release: experimental -type: metrics -streams: - - input: windows/metrics - vars: - - name: perfmon.group_measurements_by_instance - type: bool - title: Perfmon Group Measurements By Instance - multi: false - required: false - show_user: true - default: false - description: Enabling this option will send all measurements with a matching perfmon instance as part of a single event - - name: perfmon.ignore_non_existent_counters - type: bool - title: Perfmon Ignore Non Existent Counters - multi: false - required: false - show_user: true - default: false - description: Enabling this option will make sure to ignore any errors caused by counters that do not exist - - name: perfmon.queries - type: yaml - title: Perfmon Queries - multi: false - required: true - show_user: true - default: | - - object: 'Process' - instance: ["*"] - counters: - - name: '% Processor Time' - field: cpu_perc - format: "float" - - name: "Working Set" - description: Will list the perfmon queries to execute, each query will have an `object` option, an optional `instance` contiguration and the actual counters - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 10s - title: Windows perfmon metrics - description: Collect Windows perfmon metrics diff --git a/packages/windows/0.7.0/data_stream/powershell/agent/stream/httpjson.yml.hbs b/packages/windows/0.7.0/data_stream/powershell/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 158e9245d0..0000000000 --- a/packages/windows/0.7.0/data_stream/powershell/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,76 +0,0 @@ -config_version: "2" -interval: {{interval}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: |- - {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -response.decode_as: application/x-ndjson -tags: -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains tags "forwarded"}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: - - decode_json_fields: - fields: message - target: json - add_error_key: true - - drop_event: - when: - not: - has_fields: ['json.result'] - - fingerprint: - fields: - - json.result._cd - - json.result._indextime - - json.result._raw - - json.result._time - - json.result.host - - json.result.source - target_field: "@metadata._id" - - drop_fields: - fields: message - - rename: - fields: - - from: json.result._raw - to: event.original - - from: json.result.host - to: host.name - - from: json.result.source - to: event.provider - ignore_missing: true - fail_on_error: false - - drop_fields: - fields: json - - decode_xml_wineventlog: - field: event.original - target_field: winlog - ignore_missing: true - ignore_failure: true - map_ecs_fields: true diff --git a/packages/windows/0.7.0/data_stream/powershell/agent/stream/winlog.yml.hbs b/packages/windows/0.7.0/data_stream/powershell/agent/stream/winlog.yml.hbs deleted file mode 100755 index 1c9094d489..0000000000 
--- a/packages/windows/0.7.0/data_stream/powershell/agent/stream/winlog.yml.hbs +++ /dev/null @@ -1,3 +0,0 @@ -name: Windows PowerShell -condition: ${host.platform} == 'windows' -event_id: 400, 403, 600, 800 diff --git a/packages/windows/0.7.0/data_stream/powershell/elasticsearch/ingest_pipeline/default.yml b/packages/windows/0.7.0/data_stream/powershell/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 4eb38cdb95..0000000000 --- a/packages/windows/0.7.0/data_stream/powershell/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,433 +0,0 @@ ---- -description: Pipeline for Windows Powershell events -processors: - - kv: - description: Split Event 800 event data fields. - field: winlog.event_data.param2 - target_field: winlog.event_data - field_split: "\n\t" - trim_key: "\n\t" - trim_value: "\n\t" - value_split: "=" - if: ctx?.winlog?.event_id == "800" - - kv: - description: Split Events 4xx and 600 event data fields. - field: winlog.event_data.param3 - target_field: winlog.event_data - field_split: "\n\t" - trim_key: "\n\t" - trim_value: "\n\t" - value_split: "=" - if: ctx?.winlog?.event_id != "800" - - ## ECS and Event fields. - - - set: - field: ecs.version - value: 1.9.0 - - set: - field: log.level - copy_from: winlog.level - ignore_empty_value: true - ignore_failure: true - if: ctx?.winlog?.level != "" - - date: - field: winlog.time_created - formats: - - ISO8601 - ignore_failure: true - if: ctx?.winlog?.time_created != null - - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' - - set: - field: event.kind - value: event - - set: - field: event.code - value: '{{winlog.event_id}}' - - set: - field: event.category - value: process - - set: - field: event.type - value: start - if: ctx?.event.code == "400" - - set: - field: event.type - value: end - if: ctx?.event.code == "403" - - set: - field: event.type - value: info - if: ctx?.event?.type == null - - convert: - field: winlog.event_data.SequenceNumber - target_field: event.sequence - type: long - ignore_failure: true - ignore_missing: true - - convert: - field: winlog.record_id - type: string - ignore_failure: true - ignore_missing: true - - ## Process fields. 
- - - rename: - field: winlog.event_data.HostId - target_field: process.entity_id - ignore_failure: true - ignore_missing: true - if: ctx?.winlog?.event_data?.HostId != "" - - rename: - field: winlog.event_data.HostApplication - target_field: process.command_line - ignore_failure: true - ignore_missing: true - if: ctx?.winlog?.event_data?.HostApplication != "" - - rename: - field: winlog.event_data.HostName - target_field: process.title - ignore_failure: true - ignore_missing: true - if: ctx?.winlog?.event_data?.HostName != "" - - ## User fields. - - - split: - field: winlog.event_data.UserId - target_field: "_temp.user_parts" - separator: '\\' - if: ctx?.winlog?.event_data?.UserId != null - - set: - field: user.domain - value: "{{_temp.user_parts.0}}" - ignore_failure: true - ignore_empty_value: true - if: ctx?._temp?.user_parts != null && ctx._temp.user_parts.size() == 2 - - set: - field: user.name - value: "{{_temp.user_parts.1}}" - ignore_failure: true - ignore_empty_value: true - if: ctx?._temp?.user_parts != null && ctx._temp.user_parts.size() == 2 - - append: - field: related.user - value: "{{user.name}}" - ignore_failure: true - allow_duplicates: false - if: ctx?.user?.name != null - - ## PowerShell fields. 
- - - rename: - field: winlog.event_data.NewEngineState - target_field: powershell.engine.new_state - ignore_failure: true - ignore_missing: true - if: ctx?.winlog?.event_data?.NewEngineState != "" - - rename: - field: winlog.event_data.PreviousEngineState - target_field: powershell.engine.previous_state - ignore_failure: true - ignore_missing: true - if: ctx?.winlog?.event_data?.PreviousEngineState != "" - - rename: - field: winlog.event_data.NewProviderState - target_field: powershell.provider.new_state - ignore_failure: true - ignore_missing: true - if: ctx?.winlog?.event_data?.NewProviderState != "" - - rename: - field: winlog.event_data.ProviderName - target_field: powershell.provider.name - ignore_failure: true - ignore_missing: true - if: ctx?.winlog?.event_data?.ProviderName != "" - - convert: - field: winlog.event_data.DetailTotal - target_field: powershell.total - type: long - ignore_failure: true - ignore_missing: true - if: ctx?.winlog?.event_data?.DetailTotal != "" - - convert: - field: winlog.event_data.DetailSequence - target_field: powershell.sequence - type: long - ignore_failure: true - ignore_missing: true - if: ctx?.winlog?.event_data?.DetailSequence != "" - - rename: - field: winlog.event_data.EngineVersion - target_field: powershell.engine.version - ignore_missing: true - ignore_failure: true - if: ctx?.winlog?.event_data?.EngineVersion != "" - - rename: - field: winlog.event_data.PipelineId - target_field: powershell.pipeline_id - ignore_missing: true - ignore_failure: true - if: ctx?.winlog?.event_data?.PipelineId != "" - - rename: - field: winlog.event_data.RunspaceId - target_field: powershell.runspace_id - ignore_missing: true - ignore_failure: true - if: ctx?.winlog?.event_data?.RunspaceId != "" - - rename: - field: winlog.event_data.HostVersion - target_field: powershell.process.executable_version - ignore_missing: true - ignore_failure: true - if: ctx?.winlog?.event_data?.HostVersion != "" - - rename: - field: 
winlog.event_data.CommandLine - target_field: powershell.command.value - ignore_failure: true - ignore_missing: true - if: ctx?.winlog?.event_data?.CommandLine != "" - - rename: - field: winlog.event_data.CommandPath - target_field: powershell.command.path - ignore_failure: true - ignore_missing: true - if: ctx?.winlog?.event_data?.CommandPath != "" - - rename: - field: winlog.event_data.CommandName - target_field: powershell.command.name - ignore_failure: true - ignore_missing: true - if: ctx?.winlog?.event_data?.CommandName != "" - - rename: - field: winlog.event_data.CommandType - target_field: powershell.command.type - ignore_failure: true - ignore_missing: true - if: ctx?.winlog?.event_data?.CommandType != "" - - - split: - description: Split Event 800 command invocation details. - field: winlog.event_data.param3 - separator: "\n" - ignore_failure: true - ignore_missing: true - if: ctx.event.code == "800" - - script: - description: |- - Parses all command invocation detail raw lines, and converts them to an object, based on their type. - - for unexpectedly formatted ones: {value: "the raw line as it is"} - - for all: - * related_command: describes to what command it is related to - * value: the value for that detail line - * type: the type of the detail line, i.e.: CommandInvocation, ParameterBinding, NonTerminatingError - - additionally, ParameterBinding adds a `name` field with the parameter name being bound. 
- lang: painless - if: ctx.event.code == "800" - params: - field: param3 - source: |- - def parseRawDetail(String raw) { - Pattern detailRegex = /^(.+)\((.+)\)\:\s*(.+)?$/; - Pattern parameterBindingRegex = /name\=(.+);\s*value\=(.+)$/; - - def matcher = detailRegex.matcher(raw); - if (!matcher.matches()) { - return ["value": raw]; - } - def matches = new ArrayList(); - for (def i = 0; i <= matcher.groupCount(); i++) { - matches.add(matcher.group(i)); - } - - if (matches.length != 4) { - return ["value": raw]; - } - - if (matches[1] != "ParameterBinding") { - return [ - "type": matches[1], - "related_command": matches[2], - "value": matches[3] - ]; - } - - matcher = parameterBindingRegex.matcher(matches[3]); - if (!matcher.matches()) { - return ["value": matches[4]]; - } - def nameValMatches = new ArrayList(); - for (def i = 0; i <= matcher.groupCount(); i++) { - nameValMatches.add(matcher.group(i)); - } - if (nameValMatches.length !== 3) { - return ["value": matches[3]]; - } - - return [ - "type": matches[1], - "related_command": matches[2], - "name": nameValMatches[1], - "value": nameValMatches[2] - ]; - } - - if (ctx?._temp == null) { - ctx._temp = new HashMap(); - } - - if (ctx._temp.details == null) { - ctx._temp.details = new ArrayList(); - } - - def values = ctx?.winlog?.event_data[params["field"]]; - if (values != null && values.length > 0) { - for (v in values) { - ctx._temp.details.add(parseRawDetail(v)); - } - } - - rename: - field: _temp.details - target_field: powershell.command.invocation_details - if: ctx?._temp?.details != null && ctx?._temp?.details.length > 0 - - - script: - description: Implements Windows-like SplitCommandLine - lang: painless - if: ctx?.process?.command_line != null && ctx.process.command_line != "" - source: |- - // appendBSBytes appends n '\\' bytes to b and returns the resulting slice. 
- def appendBSBytes(StringBuilder b, int n) { - for (; n > 0; n--) { - b.append('\\'); - } - return b; - } - - // readNextArg splits command line string cmd into next - // argument and command line remainder. - def readNextArg(String cmd) { - def b = new StringBuilder(); - boolean inquote; - int nslash; - for (; cmd.length() > 0; cmd = cmd.substring(1)) { - def c = cmd.charAt(0); - if (c == (char)' ' || c == (char)0x09) { - if (!inquote) { - return [ - "arg": appendBSBytes(b, nslash).toString(), - "rest": cmd.substring(1) - ]; - } - } else if (c == (char)'"') { - b = appendBSBytes(b, nslash/2); - if (nslash%2 == 0) { - // use "Prior to 2008" rule from - // http://daviddeley.com/autohotkey/parameters/parameters.htm - // section 5.2 to deal with double double quotes - if (inquote && cmd.length() > 1 && cmd.charAt(1) == (char)'"') { - b.append(c); - cmd = cmd.substring(1); - } - inquote = !inquote; - } else { - b.append(c); - } - nslash = 0; - continue; - } else if (c == (char)'\\') { - nslash++; - continue; - } - b = appendBSBytes(b, nslash); - nslash = 0; - b.append(c); - } - return [ - "arg": appendBSBytes(b, nslash).toString(), - "rest": '' - ]; - } - - // commandLineToArgv splits a command line into individual argument - // strings, following the Windows conventions documented - // at http://daviddeley.com/autohotkey/parameters/parameters.htm#WINARGV - // Original implementation found at: https://github.com/golang/go/commit/39c8d2b7faed06b0e91a1ad7906231f53aab45d1 - def commandLineToArgv(String cmd) { - def args = new ArrayList(); - while (cmd.length() > 0) { - if (cmd.charAt(0) == (char)' ' || cmd.charAt(0) == (char)0x09) { - cmd = cmd.substring(1); - continue; - } - def next = readNextArg(cmd); - cmd = next.rest; - args.add(next.arg); - } - return args; - } - - ctx.process.args = commandLineToArgv(ctx.process.command_line); - ctx.process.args_count = ctx.process.args.length; - - - script: - description: Adds file information. 
- lang: painless - if: ctx?.winlog?.event_data?.ScriptName != null && ctx.winlog.event_data.ScriptName.length() > 1 - source: |- - def path = ctx.winlog.event_data.ScriptName; - def idx = path.lastIndexOf("\\"); - if (idx > -1) { - if (ctx?.file == null) { - ctx.file = new HashMap(); - } - ctx.file.name = path.substring(idx+1); - ctx.file.directory = path.substring(0, idx); - - def extIdx = path.lastIndexOf("."); - if (extIdx > -1) { - ctx.file.extension = path.substring(extIdx+1); - } - } - - rename: - field: winlog.event_data.ScriptName - target_field: file.path - ignore_failure: true - ignore_missing: true - if: ctx?.winlog?.event_data?.ScriptName != "" - - ## Cleanup. - - - remove: - field: - - _temp - - winlog.event_data.param1 - - winlog.event_data.param2 - - winlog.event_data.param3 - - winlog.event_data.SequenceNumber - - winlog.event_data.DetailTotal - - winlog.event_data.DetailSequence - - winlog.event_data.UserId - - winlog.time_created - - winlog.level - ignore_missing: true - ignore_failure: true - - script: - description: Remove all empty values from event_data. - lang: painless - source: ctx?.winlog?.event_data?.entrySet().removeIf(entry -> entry.getValue() == null || entry.getValue().equals("")); - - remove: - description: Remove empty event data. - field: winlog.event_data - ignore_missing: true - ignore_failure: true - if: ctx?.winlog?.event_data != null && ctx.winlog.event_data.size() == 0 - -on_failure: - - set: - field: "error.message" - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/windows/0.7.0/data_stream/powershell/fields/agent.yml b/packages/windows/0.7.0/data_stream/powershell/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/windows/0.7.0/data_stream/powershell/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/windows/0.7.0/data_stream/powershell/fields/base-fields.yml b/packages/windows/0.7.0/data_stream/powershell/fields/base-fields.yml deleted file mode 100755 index 780043c0f6..0000000000 --- a/packages/windows/0.7.0/data_stream/powershell/fields/base-fields.yml +++ /dev/null @@ -1,26 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset name. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: dataset.type - type: constant_keyword - description: Dataset type. -- name: dataset.name - type: constant_keyword - description: Dataset name. -- name: dataset.namespace - type: constant_keyword - description: Dataset namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: tags - description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - type: keyword diff --git a/packages/windows/0.7.0/data_stream/powershell/fields/ecs.yml b/packages/windows/0.7.0/data_stream/powershell/fields/ecs.yml deleted file mode 100755 index 9dae9c45c8..0000000000 --- a/packages/windows/0.7.0/data_stream/powershell/fields/ecs.yml +++ /dev/null 
@@ -1,227 +0,0 @@ -- name: ecs.version - type: keyword - description: ECS version -- name: event - title: Event - type: group - fields: - - name: action - type: keyword - ignore_above: 1024 - description: 'The action captured by the event.' - - name: category - type: keyword - ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.' - - name: code - type: keyword - ignore_above: 1024 - description: 'Identification code for this event, if one exists.' - - name: created - type: date - description: 'event.created contains the date/time when the event was first read by an agent, or by your pipeline.' - - name: ingested - type: date - description: 'Timestamp when an event arrived in the central data store.' - default_field: false - - name: kind - type: keyword - ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.' - - name: module - type: keyword - ignore_above: 1024 - description: 'Name of the module this data is coming from.' - - name: outcome - type: keyword - ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.' - - name: provider - type: keyword - ignore_above: 1024 - description: 'Source of the event.' - - name: sequence - type: long - format: string - description: 'Sequence number of the event.' - - name: type - type: keyword - ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.' -- name: host - title: Host - type: group - fields: - - name: name - type: keyword - ignore_above: 1024 - description: 'Name of the host.' -- name: log - title: Log - type: group - fields: - - name: level - type: keyword - ignore_above: 1024 - description: 'Original log level of the log event.' 
-- name: process - title: Process - type: group - fields: - - name: args - type: keyword - ignore_above: 1024 - description: 'Array of process arguments, starting with the absolute path to the executable.' - - name: args_count - type: long - description: 'Length of the process.args array.' - default_field: false - - name: command_line - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: 'Full command line that started the process, including the absolute path to the executable, and all arguments.' - default_field: false - - name: entity_id - type: keyword - ignore_above: 1024 - description: 'Unique identifier for the process.' - default_field: false - - name: executable - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Absolute path to the process executable. - - name: name - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: 'Process name.' - - name: title - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: 'Process title.' - - name: pid - type: long - description: Process PID. -- name: file - title: File - type: group - fields: - - description: Name of the file including the extension, without the directory. - name: name - type: keyword - - name: directory - type: keyword - ignore_above: 1024 - description: Directory where the file is located. It should include the drive letter, when appropriate. - - name: extension - type: keyword - ignore_above: 1024 - description: 'File extension, excluding the leading dot.' - - name: path - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Full path to the file, including the file name. It should include the drive letter, when appropriate. 
-- name: user - title: User - type: group - fields: - - name: domain - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of.' - - name: id - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - - name: name - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Short name or login of the user. -- name: source - title: Source - type: group - fields: - - name: user.domain - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of.' - - name: user.id - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - - name: user.name - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Short name or login of the user. -- name: destination - title: Destination - type: group - fields: - - name: user.domain - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of.' - - name: user.id - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - - name: user.name - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Short name or login of the user. -- name: related - title: Related - type: group - fields: - - name: hash - type: keyword - ignore_above: 1024 - default_field: false - - name: hosts - type: keyword - ignore_above: 1024 - default_field: false - - name: ip - type: ip - - name: user - type: keyword - ignore_above: 1024 - default_field: false diff --git a/packages/windows/0.7.0/data_stream/powershell/fields/fields.yml b/packages/windows/0.7.0/data_stream/powershell/fields/fields.yml deleted file mode 100755 index 28b9093f74..0000000000 --- a/packages/windows/0.7.0/data_stream/powershell/fields/fields.yml +++ /dev/null 
@@ -1,131 +0,0 @@ -- name: powershell.id - type: keyword - description: Shell Id. - example: Microsoft Powershell -- name: powershell.pipeline_id - type: keyword - description: Pipeline id. - example: "1" -- name: powershell.runspace_id - type: keyword - description: Runspace id. - example: "4fa9074d-45ab-4e53-9195-e91981ac2bbb" -- name: powershell.sequence - type: long - description: Sequence number of the powershell execution. - example: 1 -- name: powershell.total - type: long - description: Total number of messages in the sequence. - example: 10 -- name: powershell.command - type: group - description: Data related to the executed command. - fields: - - name: path - type: keyword - description: Path of the executed command. - example: "C:\\Windows\\system32\\cmd.exe" - - name: name - type: keyword - description: Name of the executed command. - example: "cmd.exe" - - name: type - type: keyword - description: Type of the executed command. - example: Application - - name: value - type: text - description: The invoked command. - example: Import-LocalizedData LocalizedData -filename ArchiveResources - - name: invocation_details - type: array - description: > - An array of objects containing detailed information of the executed command. - - - name: invocation_details.type - type: keyword - description: The type of detail. - example: CommandInvocation - - name: invocation_details.related_command - type: keyword - description: The command to which the detail is related to. - example: Add-Type - - name: invocation_details.name - type: keyword - description: > - Only used for ParameterBinding detail type. Indicates the parameter name. - - example: AssemblyName - - name: invocation_details.value - type: text - description: > - The value of the detail. The meaning of it will depend on the detail type. - - example: System.IO.Compression.FileSystem -- name: powershell.connected_user - type: group - description: Data related to the connected user executing the command. 
- fields: - - name: domain - type: keyword - description: User domain. - example: VAGRANT - - name: name - type: keyword - description: User name. - example: vagrant -- name: powershell.engine - type: group - description: Data related to the PowerShell engine. - fields: - - name: version - type: keyword - description: Version of the PowerShell engine version used to execute the command. - example: "5.1.17763.1007" - - name: previous_state - type: keyword - description: > - Previous state of the PowerShell engine. - - example: Available - - name: new_state - type: keyword - description: > - New state of the PowerShell engine. - - example: Stopped -- name: powershell.file - type: group - description: Data related to the executed script file. - fields: - - name: script_block_id - type: keyword - description: Id of the executed script block. - example: "50d2dbda-7361-4926-a94d-d9eadfdb43fa" - - name: script_block_text - type: text - description: > - Text of the executed script block. - - example: ".\\a_script.ps1" -- name: powershell.process.executable_version - type: keyword - description: Version of the engine hosting process executable. - example: "5.1.17763.1007" -- name: powershell.provider - type: group - description: Data related to the PowerShell engine host. - fields: - - name: new_state - type: keyword - description: > - New state of the PowerShell provider. - - example: Active - - name: name - type: keyword - description: > - Provider name. - - example: Variable diff --git a/packages/windows/0.7.0/data_stream/powershell/fields/winlog.yml b/packages/windows/0.7.0/data_stream/powershell/fields/winlog.yml deleted file mode 100755 index 4ac76fdcdc..0000000000 --- a/packages/windows/0.7.0/data_stream/powershell/fields/winlog.yml +++ /dev/null 
@@ -1,361 +0,0 @@ -- name: winlog - type: group - description: > - All fields specific to the Windows Event Log are defined here. - - fields: - - name: api - required: true - type: keyword - description: > - The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. - - The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. - - - name: activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. - - - name: computer_name - type: keyword - required: true - description: > - The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. - - - name: event_data - type: object - object_type: keyword - required: false - description: > - The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. - - - name: event_data - type: group - description: > - This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs. 
- - fields: - - name: AuthenticationPackageName - type: keyword - - name: Binary - type: keyword - - name: BitlockerUserInputTime - type: keyword - - name: BootMode - type: keyword - - name: BootType - type: keyword - - name: BuildVersion - type: keyword - - name: Company - type: keyword - - name: CorruptionActionState - type: keyword - - name: CreationUtcTime - type: keyword - - name: Description - type: keyword - - name: Detail - type: keyword - - name: DeviceName - type: keyword - - name: DeviceNameLength - type: keyword - - name: DeviceTime - type: keyword - - name: DeviceVersionMajor - type: keyword - - name: DeviceVersionMinor - type: keyword - - name: DriveName - type: keyword - - name: DriverName - type: keyword - - name: DriverNameLength - type: keyword - - name: DwordVal - type: keyword - - name: EntryCount - type: keyword - - name: ExtraInfo - type: keyword - - name: FailureName - type: keyword - - name: FailureNameLength - type: keyword - - name: FileVersion - type: keyword - - name: FinalStatus - type: keyword - - name: Group - type: keyword - - name: IdleImplementation - type: keyword - - name: IdleStateCount - type: keyword - - name: ImpersonationLevel - type: keyword - - name: IntegrityLevel - type: keyword - - name: IpAddress - type: keyword - - name: IpPort - type: keyword - - name: KeyLength - type: keyword - - name: LastBootGood - type: keyword - - name: LastShutdownGood - type: keyword - - name: LmPackageName - type: keyword - - name: LogonGuid - type: keyword - - name: LogonId - type: keyword - - name: LogonProcessName - type: keyword - - name: LogonType - type: keyword - - name: MajorVersion - type: keyword - - name: MaximumPerformancePercent - type: keyword - - name: MemberName - type: keyword - - name: MemberSid - type: keyword - - name: MinimumPerformancePercent - type: keyword - - name: MinimumThrottlePercent - type: keyword - - name: MinorVersion - type: keyword - - name: NewProcessId - type: keyword - - name: NewProcessName - type: 
keyword - - name: NewSchemeGuid - type: keyword - - name: NewTime - type: keyword - - name: NominalFrequency - type: keyword - - name: Number - type: keyword - - name: OldSchemeGuid - type: keyword - - name: OldTime - type: keyword - - name: OriginalFileName - type: keyword - - name: Path - type: keyword - - name: PerformanceImplementation - type: keyword - - name: PreviousCreationUtcTime - type: keyword - - name: PreviousTime - type: keyword - - name: PrivilegeList - type: keyword - - name: ProcessId - type: keyword - - name: ProcessName - type: keyword - - name: ProcessPath - type: keyword - - name: ProcessPid - type: keyword - - name: Product - type: keyword - - name: PuaCount - type: keyword - - name: PuaPolicyId - type: keyword - - name: QfeVersion - type: keyword - - name: Reason - type: keyword - - name: SchemaVersion - type: keyword - - name: ScriptBlockText - type: keyword - - name: ServiceName - type: keyword - - name: ServiceVersion - type: keyword - - name: ShutdownActionType - type: keyword - - name: ShutdownEventCode - type: keyword - - name: ShutdownReason - type: keyword - - name: Signature - type: keyword - - name: SignatureStatus - type: keyword - - name: Signed - type: keyword - - name: StartTime - type: keyword - - name: State - type: keyword - - name: Status - type: keyword - - name: StopTime - type: keyword - - name: SubjectDomainName - type: keyword - - name: SubjectLogonId - type: keyword - - name: SubjectUserName - type: keyword - - name: SubjectUserSid - type: keyword - - name: TSId - type: keyword - - name: TargetDomainName - type: keyword - - name: TargetInfo - type: keyword - - name: TargetLogonGuid - type: keyword - - name: TargetLogonId - type: keyword - - name: TargetServerName - type: keyword - - name: TargetUserName - type: keyword - - name: TargetUserSid - type: keyword - - name: TerminalSessionId - type: keyword - - name: TokenElevationType - type: keyword - - name: TransmittedServices - type: keyword - - name: UserSid - type: 
keyword - - name: Version - type: keyword - - name: Workstation - type: keyword - - name: param1 - type: keyword - - name: param2 - type: keyword - - name: param3 - type: keyword - - name: param4 - type: keyword - - name: param5 - type: keyword - - name: param6 - type: keyword - - name: param7 - type: keyword - - name: param8 - type: keyword - - name: event_id - type: keyword - required: true - description: > - The event identifier. The value is specific to the source of the event. - - - name: keywords - type: keyword - required: false - description: > - The keywords are used to classify an event. - - - name: channel - type: keyword - required: true - description: > - The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. - - - name: record_id - type: keyword - required: true - description: > - The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. - - - name: related_activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. - - - name: opcode - type: keyword - required: false - description: > - The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. - - - name: provider_guid - type: keyword - required: false - description: > - A globally unique identifier that identifies the provider that logged the event. - - - name: process.pid - type: long - required: false - description: > - The process_id of the Client Server Runtime Process. 
- - - name: provider_name - type: keyword - required: true - description: > - The source of the event log record (the application or service that logged the record). - - - name: task - type: keyword - required: false - description: > - The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. - - - name: process.thread.id - type: long - required: false - - name: user_data - type: object - object_type: keyword - required: false - description: > - The event specific data. This field is mutually exclusive with `event_data`. - - - name: user.identifier - type: keyword - required: false - example: S-1-5-21-3541430928-2051711210-1391384369-1001 - description: > - The Windows security identifier (SID) of the account associated with this event. - - If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. - - - name: user.name - type: keyword - description: > - Name of the user associated with this event. - - - name: user.domain - type: keyword - required: false - description: > - The domain that the account associated with this event is a member of. - - - name: user.type - type: keyword - required: false - description: > - The type of account associated with this event. - - - name: version - type: long - required: false - description: The version number of the event's definition. diff --git a/packages/windows/0.7.0/data_stream/powershell/manifest.yml b/packages/windows/0.7.0/data_stream/powershell/manifest.yml deleted file mode 100755 index 1ca463afa2..0000000000 --- a/packages/windows/0.7.0/data_stream/powershell/manifest.yml +++ /dev/null 
@@ -1,34 +0,0 @@ -type: logs -title: Windows Powershell logs -release: experimental -streams: - - input: winlog - template_path: winlog.yml.hbs - title: Powershell - description: 'Windows Powershell channel' - - input: httpjson - title: Windows Powershell Events via Splunk Enterprise REST API - description: Collect Powershell Events via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: false - required: true - default: "search sourcetype=\"XmlWinEventLog:Windows PowerShell\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded diff --git a/packages/windows/0.7.0/data_stream/powershell_operational/agent/stream/httpjson.yml.hbs b/packages/windows/0.7.0/data_stream/powershell_operational/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 158e9245d0..0000000000 --- a/packages/windows/0.7.0/data_stream/powershell_operational/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,76 +0,0 @@ -config_version: "2" -interval: {{interval}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: |- - {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -response.decode_as: application/x-ndjson -tags: -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains tags "forwarded"}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: - - decode_json_fields: - fields: message - target: json - add_error_key: true - - drop_event: - when: - not: - has_fields: ['json.result'] - - fingerprint: - fields: - - json.result._cd - - json.result._indextime - - json.result._raw - - json.result._time - - json.result.host - - json.result.source - target_field: "@metadata._id" - - drop_fields: - fields: message - - rename: - fields: - - from: json.result._raw - to: event.original - - from: json.result.host - to: host.name - - from: json.result.source - to: event.provider - ignore_missing: true - fail_on_error: false - - drop_fields: - fields: json - - decode_xml_wineventlog: - field: event.original - target_field: winlog - ignore_missing: true - ignore_failure: true - map_ecs_fields: true diff --git a/packages/windows/0.7.0/data_stream/powershell_operational/agent/stream/winlog.yml.hbs b/packages/windows/0.7.0/data_stream/powershell_operational/agent/stream/winlog.yml.hbs deleted file mode 100755 index 4c5b128d6d..0000000000 
--- a/packages/windows/0.7.0/data_stream/powershell_operational/agent/stream/winlog.yml.hbs +++ /dev/null @@ -1,3 +0,0 @@ -name: Microsoft-Windows-PowerShell/Operational -condition: ${host.platform} == 'windows' -event_id: 4103, 4104, 4105, 4106 \ No newline at end of file diff --git a/packages/windows/0.7.0/data_stream/powershell_operational/elasticsearch/ingest_pipeline/default.yml b/packages/windows/0.7.0/data_stream/powershell_operational/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 94e31d90d8..0000000000 --- a/packages/windows/0.7.0/data_stream/powershell_operational/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,492 +0,0 @@ ---- -description: Pipeline for Windows Powershell/Operational events -processors: - - kv: - description: Split Event 4103 event data fields. - field: winlog.event_data.ContextInfo - target_field: winlog.event_data - field_split: "\n" - trim_key: " \n\t" - trim_value: " \n\t" - value_split: "=" - if: ctx?.winlog?.event_id == "4103" - - script: - description: Remove spaces from all event_data keys. - lang: painless - if: ctx?.winlog?.event_data != null - source: |- - def newEventData = new HashMap(); - for (entry in ctx.winlog.event_data.entrySet()) { - def newKey = /\s/.matcher(entry.getKey().toString()).replaceAll(""); - newEventData.put(newKey, entry.getValue()); - } - ctx.winlog.event_data = newEventData; - - ## ECS and Event fields. - - - set: - field: ecs.version - value: 1.9.0 - - set: - field: log.level - copy_from: winlog.level - ignore_empty_value: true - ignore_failure: true - if: ctx?.winlog?.level != "" - - date: - field: winlog.time_created - formats: - - ISO8601 - ignore_failure: true - if: ctx?.winlog?.time_created != null - - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' - - set: - field: event.kind - value: event - - set: - field: event.code - value: '{{winlog.event_id}}' - - set: - field: event.category - value: process - - set: - field: event.type - value: start - if: ctx?.event.code == "4105" - - set: - field: event.type - value: end - if: ctx?.event.code == "4106" - - set: - field: event.type - value: info - if: ctx?.event?.type == null - - convert: - field: winlog.event_data.SequenceNumber - target_field: event.sequence - type: long - ignore_failure: true - ignore_missing: true - - convert: - field: winlog.record_id - type: string - ignore_failure: true - ignore_missing: true - - ## Process fields. 
- - - rename: - field: winlog.event_data.HostID - target_field: process.entity_id - ignore_failure: true - ignore_missing: true - if: ctx?.winlog?.event_data?.HostID != "" - - rename: - field: winlog.event_data.HostApplication - target_field: process.command_line - ignore_failure: true - ignore_missing: true - if: ctx?.winlog?.event_data?.HostApplication != "" - - rename: - field: winlog.event_data.HostName - target_field: process.title - ignore_failure: true - ignore_missing: true - if: ctx?.winlog?.event_data?.HostName != "" - - ## User fields. - - - set: - field: user.id - copy_from: winlog.user.identifier - ignore_failure: true - ignore_empty_value: true - - split: - field: winlog.event_data.User - target_field: "_temp.user_parts" - separator: '\\' - if: ctx?.winlog?.event_data?.User != null - - set: - field: user.domain - value: "{{_temp.user_parts.0}}" - ignore_failure: true - ignore_empty_value: true - if: ctx?._temp?.user_parts != null && ctx._temp.user_parts.size() == 2 - - set: - field: user.name - value: "{{_temp.user_parts.1}}" - ignore_failure: true - ignore_empty_value: true - if: ctx?._temp?.user_parts != null && ctx._temp.user_parts.size() == 2 - - append: - field: related.user - value: "{{user.name}}" - ignore_failure: true - allow_duplicates: false - if: ctx?.user?.name != null - - split: - field: winlog.event_data.ConnectedUser - target_field: "_temp.connected_user_parts" - separator: '\\' - if: ctx?.winlog?.event_data?.ConnectedUser != null - - set: - field: source.user.domain - value: "{{_temp.connected_user_parts.0}}" - ignore_failure: true - ignore_empty_value: true - if: ctx?._temp?.connected_user_parts != null && ctx._temp.connected_user_parts.size() == 2 - - set: - field: source.user.name - value: "{{_temp.connected_user_parts.1}}" - ignore_failure: true - ignore_empty_value: true - if: ctx?._temp?.connected_user_parts != null && ctx._temp.connected_user_parts.size() == 2 - - append: - field: related.user - value: "{{source.user.name}}" - 
ignore_failure: true - allow_duplicates: false - if: ctx?.source?.user?.name != null - - rename: - field: user.domain - target_field: destination.user.domain - ignore_failure: true - ignore_missing: true - if: ctx?.source?.user != null - - rename: - field: user.name - target_field: destination.user.name - ignore_failure: true - ignore_missing: true - if: ctx?.source?.user != null - - set: - field: user.domain - copy_from: source.user.domain - ignore_failure: true - ignore_empty_value: true - if: ctx?.source?.user != null - - set: - field: user.name - copy_from: source.user.name - ignore_failure: true - ignore_empty_value: true - if: ctx?.source?.user != null - - ## PowerShell fields. - - - convert: - field: winlog.event_data.MessageNumber - target_field: powershell.sequence - type: long - ignore_failure: true - ignore_missing: true - - convert: - field: winlog.event_data.MessageTotal - target_field: powershell.total - type: long - ignore_failure: true - ignore_missing: true - - rename: - field: winlog.event_data.ShellID - target_field: powershell.id - ignore_failure: true - ignore_missing: true - if: ctx?.winlog?.event_data?.ShellID != "" - - rename: - field: winlog.event_data.EngineVersion - target_field: powershell.engine.version - ignore_missing: true - ignore_failure: true - if: ctx?.winlog?.event_data?.EngineVersion != "" - - rename: - field: winlog.event_data.PipelineID - target_field: powershell.pipeline_id - ignore_missing: true - ignore_failure: true - if: ctx?.winlog?.event_data?.PipelineID != "" - - rename: - field: winlog.event_data.RunspaceID - target_field: powershell.runspace_id - ignore_missing: true - ignore_failure: true - if: ctx?.winlog?.event_data?.RunspaceID != "" - - rename: - field: winlog.event_data.RunspaceId - target_field: powershell.runspace_id - ignore_missing: true - ignore_failure: true - if: ctx?.winlog?.event_data?.RunspaceId != "" - - rename: - field: winlog.event_data.HostVersion - target_field: 
powershell.process.executable_version - ignore_missing: true - ignore_failure: true - if: ctx?.winlog?.event_data?.HostVersion != "" - - rename: - field: winlog.event_data.CommandLine - target_field: powershell.command.value - ignore_failure: true - ignore_missing: true - if: ctx?.winlog?.event_data?.CommandLine != "" - - rename: - field: winlog.event_data.CommandPath - target_field: powershell.command.path - ignore_failure: true - ignore_missing: true - if: ctx?.winlog?.event_data?.CommandPath != "" - - rename: - field: winlog.event_data.CommandName - target_field: powershell.command.name - ignore_failure: true - ignore_missing: true - if: ctx?.winlog?.event_data?.CommandName != "" - - rename: - field: winlog.event_data.CommandType - target_field: powershell.command.type - ignore_failure: true - ignore_missing: true - if: ctx?.winlog?.event_data?.CommandType != "" - - rename: - field: winlog.event_data.ScriptBlockId - target_field: powershell.file.script_block_id - ignore_failure: true - ignore_missing: true - if: ctx?.winlog?.event_data?.ScriptBlockId != "" - - rename: - field: winlog.event_data.ScriptBlockText - target_field: powershell.file.script_block_text - ignore_failure: true - ignore_missing: true - if: ctx?.winlog?.event_data?.ScriptBlockText != "" - - - split: - description: Split Event 800 command invocation details. - field: winlog.event_data.Payload - separator: "\n" - ignore_failure: true - ignore_missing: true - if: ctx.event.code == "4103" - - script: - description: |- - Parses all command invocation detail raw lines, and converts them to an object, based on their type. - - for unexpectedly formatted ones: {value: "the raw line as it is"} - - for all: - * related_command: describes to what command it is related to - * value: the value for that detail line - * type: the type of the detail line, i.e.: CommandInvocation, ParameterBinding, NonTerminatingError - - additionally, ParameterBinding adds a `name` field with the parameter name being bound. 
- lang: painless - if: ctx.event.code == "4103" - params: - field: Payload - source: |- - def parseRawDetail(String raw) { - Pattern detailRegex = /^(.+)\((.+)\)\:\s*(.+)?$/; - Pattern parameterBindingRegex = /name\=(.+);\s*value\=(.+)$/; - - def matcher = detailRegex.matcher(raw); - if (!matcher.matches()) { - return ["value": raw]; - } - def matches = new ArrayList(); - for (def i = 0; i <= matcher.groupCount(); i++) { - matches.add(matcher.group(i)); - } - - if (matches.length != 4) { - return ["value": raw]; - } - - if (matches[1] != "ParameterBinding") { - return [ - "type": matches[1], - "related_command": matches[2], - "value": matches[3] - ]; - } - - matcher = parameterBindingRegex.matcher(matches[3]); - if (!matcher.matches()) { - return ["value": matches[4]]; - } - def nameValMatches = new ArrayList(); - for (def i = 0; i <= matcher.groupCount(); i++) { - nameValMatches.add(matcher.group(i)); - } - if (nameValMatches.length !== 3) { - return ["value": matches[3]]; - } - - return [ - "type": matches[1], - "related_command": matches[2], - "name": nameValMatches[1], - "value": nameValMatches[2] - ]; - } - - if (ctx?._temp == null) { - ctx._temp = new HashMap(); - } - - if (ctx._temp.details == null) { - ctx._temp.details = new ArrayList(); - } - - def values = ctx?.winlog?.event_data[params["field"]]; - if (values != null && values.length > 0) { - for (v in values) { - ctx._temp.details.add(parseRawDetail(v)); - } - } - - rename: - field: _temp.details - target_field: powershell.command.invocation_details - if: ctx?._temp?.details != null && ctx?._temp?.details.length > 0 - - - script: - description: Implements Windows-like SplitCommandLine - lang: painless - if: ctx?.process?.command_line != null && ctx.process.command_line != "" - source: |- - // appendBSBytes appends n '\\' bytes to b and returns the resulting slice. 
- def appendBSBytes(StringBuilder b, int n) { - for (; n > 0; n--) { - b.append('\\'); - } - return b; - } - - // readNextArg splits command line string cmd into next - // argument and command line remainder. - def readNextArg(String cmd) { - def b = new StringBuilder(); - boolean inquote; - int nslash; - for (; cmd.length() > 0; cmd = cmd.substring(1)) { - def c = cmd.charAt(0); - if (c == (char)' ' || c == (char)0x09) { - if (!inquote) { - return [ - "arg": appendBSBytes(b, nslash).toString(), - "rest": cmd.substring(1) - ]; - } - } else if (c == (char)'"') { - b = appendBSBytes(b, nslash/2); - if (nslash%2 == 0) { - // use "Prior to 2008" rule from - // http://daviddeley.com/autohotkey/parameters/parameters.htm - // section 5.2 to deal with double double quotes - if (inquote && cmd.length() > 1 && cmd.charAt(1) == (char)'"') { - b.append(c); - cmd = cmd.substring(1); - } - inquote = !inquote; - } else { - b.append(c); - } - nslash = 0; - continue; - } else if (c == (char)'\\') { - nslash++; - continue; - } - b = appendBSBytes(b, nslash); - nslash = 0; - b.append(c); - } - return [ - "arg": appendBSBytes(b, nslash).toString(), - "rest": '' - ]; - } - - // commandLineToArgv splits a command line into individual argument - // strings, following the Windows conventions documented - // at http://daviddeley.com/autohotkey/parameters/parameters.htm#WINARGV - // Original implementation found at: https://github.com/golang/go/commit/39c8d2b7faed06b0e91a1ad7906231f53aab45d1 - def commandLineToArgv(String cmd) { - def args = new ArrayList(); - while (cmd.length() > 0) { - if (cmd.charAt(0) == (char)' ' || cmd.charAt(0) == (char)0x09) { - cmd = cmd.substring(1); - continue; - } - def next = readNextArg(cmd); - cmd = next.rest; - args.add(next.arg); - } - return args; - } - - ctx.process.args = commandLineToArgv(ctx.process.command_line); - ctx.process.args_count = ctx.process.args.length; - - - rename: - field: winlog.event_data.Path - target_field: 
winlog.event_data.ScriptName - ignore_failure: true - ignore_missing: true - if: ctx?.winlog?.event_data?.Path != "" - - script: - description: Adds file information. - lang: painless - if: ctx?.winlog?.event_data?.ScriptName != null && ctx.winlog.event_data.ScriptName.length() > 1 - source: |- - def path = ctx.winlog.event_data.ScriptName; - def idx = path.lastIndexOf("\\"); - if (idx > -1) { - if (ctx?.file == null) { - ctx.file = new HashMap(); - } - ctx.file.name = path.substring(idx+1); - ctx.file.directory = path.substring(0, idx); - - def extIdx = path.lastIndexOf("."); - if (extIdx > -1) { - ctx.file.extension = path.substring(extIdx+1); - } - } - - rename: - field: winlog.event_data.ScriptName - target_field: file.path - ignore_failure: true - ignore_missing: true - if: ctx?.winlog?.event_data?.ScriptName != "" - - ## Cleanup. - - - remove: - field: - - _temp - - winlog.event_data.SequenceNumber - - winlog.event_data.User - - winlog.event_data.ConnectedUser - - winlog.event_data.ContextInfo - - winlog.event_data.Severity - - winlog.event_data.MessageTotal - - winlog.event_data.MessageNumber - - winlog.event_data.Payload - - winlog.time_created - - winlog.level - ignore_missing: true - ignore_failure: true - - script: - description: Remove all empty values from event_data. - lang: painless - source: ctx?.winlog?.event_data?.entrySet().removeIf(entry -> entry.getValue() == null || entry.getValue().equals("")); - - remove: - description: Remove empty event data. - field: winlog.event_data - ignore_missing: true - ignore_failure: true - if: ctx?.winlog?.event_data != null && ctx.winlog.event_data.size() == 0 - -on_failure: - - set: - field: "error.message" - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/windows/0.7.0/data_stream/powershell_operational/fields/agent.yml b/packages/windows/0.7.0/data_stream/powershell_operational/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 
--- a/packages/windows/0.7.0/data_stream/powershell_operational/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/windows/0.7.0/data_stream/powershell_operational/fields/base-fields.yml b/packages/windows/0.7.0/data_stream/powershell_operational/fields/base-fields.yml
deleted file mode 100755
index 780043c0f6..0000000000
--- a/packages/windows/0.7.0/data_stream/powershell_operational/fields/base-fields.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset name.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: dataset.type
- type: constant_keyword
- description: Dataset type.
-- name: dataset.name
- type: constant_keyword
- description: Dataset name.
-- name: dataset.namespace
- type: constant_keyword
- description: Dataset namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: tags
- description: List of keywords used to tag each event.
- example: '["production", "env2"]'
- ignore_above: 1024
- type: keyword
diff --git a/packages/windows/0.7.0/data_stream/powershell_operational/fields/ecs.yml b/packages/windows/0.7.0/data_stream/powershell_operational/fields/ecs.yml
deleted file mode 100755
index 9dae9c45c8..0000000000
--- a/packages/windows/0.7.0/data_stream/powershell_operational/fields/ecs.yml
+++ /dev/null
@@ -1,227 +0,0 @@ -- name: ecs.version - type: keyword - description: ECS version -- name: event - title: Event - type: group - fields: - - name: action - type: keyword - ignore_above: 1024 - description: 'The action captured by the event.' - - name: category - type: keyword - ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.' - - name: code - type: keyword - ignore_above: 1024 - description: 'Identification code for this event, if one exists.' - - name: created - type: date - description: 'event.created contains the date/time when the event was first read by an agent, or by your pipeline.' - - name: ingested - type: date - description: 'Timestamp when an event arrived in the central data store.' - default_field: false - - name: kind - type: keyword - ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.' - - name: module - type: keyword - ignore_above: 1024 - description: 'Name of the module this data is coming from.' - - name: outcome - type: keyword - ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.' - - name: provider - type: keyword - ignore_above: 1024 - description: 'Source of the event.' - - name: sequence - type: long - format: string - description: 'Sequence number of the event.' - - name: type - type: keyword - ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.' -- name: host - title: Host - type: group - fields: - - name: name - type: keyword - ignore_above: 1024 - description: 'Name of the host.' -- name: log - title: Log - type: group - fields: - - name: level - type: keyword - ignore_above: 1024 - description: 'Original log level of the log event.' 
-- name: process - title: Process - type: group - fields: - - name: args - type: keyword - ignore_above: 1024 - description: 'Array of process arguments, starting with the absolute path to the executable.' - - name: args_count - type: long - description: 'Length of the process.args array.' - default_field: false - - name: command_line - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: 'Full command line that started the process, including the absolute path to the executable, and all arguments.' - default_field: false - - name: entity_id - type: keyword - ignore_above: 1024 - description: 'Unique identifier for the process.' - default_field: false - - name: executable - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Absolute path to the process executable. - - name: name - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: 'Process name.' - - name: title - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: 'Process title.' - - name: pid - type: long - description: Process PID. -- name: file - title: File - type: group - fields: - - description: Name of the file including the extension, without the directory. - name: name - type: keyword - - name: directory - type: keyword - ignore_above: 1024 - description: Directory where the file is located. It should include the drive letter, when appropriate. - - name: extension - type: keyword - ignore_above: 1024 - description: 'File extension, excluding the leading dot.' - - name: path - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Full path to the file, including the file name. It should include the drive letter, when appropriate. 
-- name: user - title: User - type: group - fields: - - name: domain - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of.' - - name: id - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - - name: name - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Short name or login of the user. -- name: source - title: Source - type: group - fields: - - name: user.domain - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of.' - - name: user.id - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - - name: user.name - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Short name or login of the user. -- name: destination - title: Destination - type: group - fields: - - name: user.domain - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of.' - - name: user.id - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - - name: user.name - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Short name or login of the user. -- name: related - title: Related - type: group - fields: - - name: hash - type: keyword - ignore_above: 1024 - default_field: false - - name: hosts - type: keyword - ignore_above: 1024 - default_field: false - - name: ip - type: ip - - name: user - type: keyword - ignore_above: 1024 - default_field: false diff --git a/packages/windows/0.7.0/data_stream/powershell_operational/fields/fields.yml b/packages/windows/0.7.0/data_stream/powershell_operational/fields/fields.yml deleted file mode 100755 index 28b9093f74..0000000000 
--- a/packages/windows/0.7.0/data_stream/powershell_operational/fields/fields.yml
+++ /dev/null
@@ -1,131 +0,0 @@ -- name: powershell.id - type: keyword - description: Shell Id. - example: Microsoft Powershell -- name: powershell.pipeline_id - type: keyword - description: Pipeline id. - example: "1" -- name: powershell.runspace_id - type: keyword - description: Runspace id. - example: "4fa9074d-45ab-4e53-9195-e91981ac2bbb" -- name: powershell.sequence - type: long - description: Sequence number of the powershell execution. - example: 1 -- name: powershell.total - type: long - description: Total number of messages in the sequence. - example: 10 -- name: powershell.command - type: group - description: Data related to the executed command. - fields: - - name: path - type: keyword - description: Path of the executed command. - example: "C:\\Windows\\system32\\cmd.exe" - - name: name - type: keyword - description: Name of the executed command. - example: "cmd.exe" - - name: type - type: keyword - description: Type of the executed command. - example: Application - - name: value - type: text - description: The invoked command. - example: Import-LocalizedData LocalizedData -filename ArchiveResources - - name: invocation_details - type: array - description: > - An array of objects containing detailed information of the executed command. - - - name: invocation_details.type - type: keyword - description: The type of detail. - example: CommandInvocation - - name: invocation_details.related_command - type: keyword - description: The command to which the detail is related to. - example: Add-Type - - name: invocation_details.name - type: keyword - description: > - Only used for ParameterBinding detail type. Indicates the parameter name. - - example: AssemblyName - - name: invocation_details.value - type: text - description: > - The value of the detail. The meaning of it will depend on the detail type. - - example: System.IO.Compression.FileSystem -- name: powershell.connected_user - type: group - description: Data related to the connected user executing the command. 
- fields: - - name: domain - type: keyword - description: User domain. - example: VAGRANT - - name: name - type: keyword - description: User name. - example: vagrant -- name: powershell.engine - type: group - description: Data related to the PowerShell engine. - fields: - - name: version - type: keyword - description: Version of the PowerShell engine version used to execute the command. - example: "5.1.17763.1007" - - name: previous_state - type: keyword - description: > - Previous state of the PowerShell engine. - - example: Available - - name: new_state - type: keyword - description: > - New state of the PowerShell engine. - - example: Stopped -- name: powershell.file - type: group - description: Data related to the executed script file. - fields: - - name: script_block_id - type: keyword - description: Id of the executed script block. - example: "50d2dbda-7361-4926-a94d-d9eadfdb43fa" - - name: script_block_text - type: text - description: > - Text of the executed script block. - - example: ".\\a_script.ps1" -- name: powershell.process.executable_version - type: keyword - description: Version of the engine hosting process executable. - example: "5.1.17763.1007" -- name: powershell.provider - type: group - description: Data related to the PowerShell engine host. - fields: - - name: new_state - type: keyword - description: > - New state of the PowerShell provider. - - example: Active - - name: name - type: keyword - description: > - Provider name. - - example: Variable diff --git a/packages/windows/0.7.0/data_stream/powershell_operational/fields/winlog.yml b/packages/windows/0.7.0/data_stream/powershell_operational/fields/winlog.yml deleted file mode 100755 index 4ac76fdcdc..0000000000 --- a/packages/windows/0.7.0/data_stream/powershell_operational/fields/winlog.yml +++ /dev/null 
@@ -1,361 +0,0 @@ -- name: winlog - type: group - description: > - All fields specific to the Windows Event Log are defined here. - - fields: - - name: api - required: true - type: keyword - description: > - The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. - - The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. - - - name: activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. - - - name: computer_name - type: keyword - required: true - description: > - The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. - - - name: event_data - type: object - object_type: keyword - required: false - description: > - The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. - - - name: event_data - type: group - description: > - This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs. 
- - fields: - - name: AuthenticationPackageName - type: keyword - - name: Binary - type: keyword - - name: BitlockerUserInputTime - type: keyword - - name: BootMode - type: keyword - - name: BootType - type: keyword - - name: BuildVersion - type: keyword - - name: Company - type: keyword - - name: CorruptionActionState - type: keyword - - name: CreationUtcTime - type: keyword - - name: Description - type: keyword - - name: Detail - type: keyword - - name: DeviceName - type: keyword - - name: DeviceNameLength - type: keyword - - name: DeviceTime - type: keyword - - name: DeviceVersionMajor - type: keyword - - name: DeviceVersionMinor - type: keyword - - name: DriveName - type: keyword - - name: DriverName - type: keyword - - name: DriverNameLength - type: keyword - - name: DwordVal - type: keyword - - name: EntryCount - type: keyword - - name: ExtraInfo - type: keyword - - name: FailureName - type: keyword - - name: FailureNameLength - type: keyword - - name: FileVersion - type: keyword - - name: FinalStatus - type: keyword - - name: Group - type: keyword - - name: IdleImplementation - type: keyword - - name: IdleStateCount - type: keyword - - name: ImpersonationLevel - type: keyword - - name: IntegrityLevel - type: keyword - - name: IpAddress - type: keyword - - name: IpPort - type: keyword - - name: KeyLength - type: keyword - - name: LastBootGood - type: keyword - - name: LastShutdownGood - type: keyword - - name: LmPackageName - type: keyword - - name: LogonGuid - type: keyword - - name: LogonId - type: keyword - - name: LogonProcessName - type: keyword - - name: LogonType - type: keyword - - name: MajorVersion - type: keyword - - name: MaximumPerformancePercent - type: keyword - - name: MemberName - type: keyword - - name: MemberSid - type: keyword - - name: MinimumPerformancePercent - type: keyword - - name: MinimumThrottlePercent - type: keyword - - name: MinorVersion - type: keyword - - name: NewProcessId - type: keyword - - name: NewProcessName - type: 
keyword - - name: NewSchemeGuid - type: keyword - - name: NewTime - type: keyword - - name: NominalFrequency - type: keyword - - name: Number - type: keyword - - name: OldSchemeGuid - type: keyword - - name: OldTime - type: keyword - - name: OriginalFileName - type: keyword - - name: Path - type: keyword - - name: PerformanceImplementation - type: keyword - - name: PreviousCreationUtcTime - type: keyword - - name: PreviousTime - type: keyword - - name: PrivilegeList - type: keyword - - name: ProcessId - type: keyword - - name: ProcessName - type: keyword - - name: ProcessPath - type: keyword - - name: ProcessPid - type: keyword - - name: Product - type: keyword - - name: PuaCount - type: keyword - - name: PuaPolicyId - type: keyword - - name: QfeVersion - type: keyword - - name: Reason - type: keyword - - name: SchemaVersion - type: keyword - - name: ScriptBlockText - type: keyword - - name: ServiceName - type: keyword - - name: ServiceVersion - type: keyword - - name: ShutdownActionType - type: keyword - - name: ShutdownEventCode - type: keyword - - name: ShutdownReason - type: keyword - - name: Signature - type: keyword - - name: SignatureStatus - type: keyword - - name: Signed - type: keyword - - name: StartTime - type: keyword - - name: State - type: keyword - - name: Status - type: keyword - - name: StopTime - type: keyword - - name: SubjectDomainName - type: keyword - - name: SubjectLogonId - type: keyword - - name: SubjectUserName - type: keyword - - name: SubjectUserSid - type: keyword - - name: TSId - type: keyword - - name: TargetDomainName - type: keyword - - name: TargetInfo - type: keyword - - name: TargetLogonGuid - type: keyword - - name: TargetLogonId - type: keyword - - name: TargetServerName - type: keyword - - name: TargetUserName - type: keyword - - name: TargetUserSid - type: keyword - - name: TerminalSessionId - type: keyword - - name: TokenElevationType - type: keyword - - name: TransmittedServices - type: keyword - - name: UserSid - type: 
keyword - - name: Version - type: keyword - - name: Workstation - type: keyword - - name: param1 - type: keyword - - name: param2 - type: keyword - - name: param3 - type: keyword - - name: param4 - type: keyword - - name: param5 - type: keyword - - name: param6 - type: keyword - - name: param7 - type: keyword - - name: param8 - type: keyword - - name: event_id - type: keyword - required: true - description: > - The event identifier. The value is specific to the source of the event. - - - name: keywords - type: keyword - required: false - description: > - The keywords are used to classify an event. - - - name: channel - type: keyword - required: true - description: > - The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. - - - name: record_id - type: keyword - required: true - description: > - The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. - - - name: related_activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. - - - name: opcode - type: keyword - required: false - description: > - The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. - - - name: provider_guid - type: keyword - required: false - description: > - A globally unique identifier that identifies the provider that logged the event. - - - name: process.pid - type: long - required: false - description: > - The process_id of the Client Server Runtime Process. 
- - - name: provider_name - type: keyword - required: true - description: > - The source of the event log record (the application or service that logged the record). - - - name: task - type: keyword - required: false - description: > - The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. - - - name: process.thread.id - type: long - required: false - - name: user_data - type: object - object_type: keyword - required: false - description: > - The event specific data. This field is mutually exclusive with `event_data`. - - - name: user.identifier - type: keyword - required: false - example: S-1-5-21-3541430928-2051711210-1391384369-1001 - description: > - The Windows security identifier (SID) of the account associated with this event. - - If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. - - - name: user.name - type: keyword - description: > - Name of the user associated with this event. - - - name: user.domain - type: keyword - required: false - description: > - The domain that the account associated with this event is a member of. - - - name: user.type - type: keyword - required: false - description: > - The type of account associated with this event. - - - name: version - type: long - required: false - description: The version number of the event's definition. diff --git a/packages/windows/0.7.0/data_stream/powershell_operational/manifest.yml b/packages/windows/0.7.0/data_stream/powershell_operational/manifest.yml deleted file mode 100755 index 270973492e..0000000000 --- a/packages/windows/0.7.0/data_stream/powershell_operational/manifest.yml +++ /dev/null 
@@ -1,34 +0,0 @@
-type: logs
-title: Windows Powershell/Operational logs
-release: experimental
-streams:
-  - input: winlog
-    template_path: winlog.yml.hbs
-    title: Powershell Operational
-    description: 'Microsoft-Windows-Powershell/Operational channel'
-  - input: httpjson
-    title: Windows Powershell Operational Events via Splunk Enterprise REST API
-    description: Collect Powershell Operational Events via Splunk Enterprise REST API
-    enabled: false
-    template_path: httpjson.yml.hbs
-    vars:
-      - name: interval
-        type: text
-        title: Interval to query Splunk Enterprise REST API
-        description: Go Duration syntax (eg. 10s)
-        show_user: true
-        required: true
-        default: 10s
-      - name: search
-        type: text
-        title: Splunk search string
-        show_user: false
-        required: true
-        default: "search sourcetype=\"XmlWinEventLog:Microsoft-Windows-Powershell/Operational\""
-      - name: tags
-        type: text
-        title: Tags
-        multi: true
-        show_user: false
-        default:
-          - forwarded
diff --git a/packages/windows/0.7.0/data_stream/service/agent/stream/stream.yml.hbs b/packages/windows/0.7.0/data_stream/service/agent/stream/stream.yml.hbs
deleted file mode 100755
index d01c1b05cd..0000000000
--- a/packages/windows/0.7.0/data_stream/service/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,3 +0,0 @@
-metricsets: ["service"]
-condition: ${host.platform} == 'windows'
-period: {{period}}
diff --git a/packages/windows/0.7.0/data_stream/service/fields/agent.yml b/packages/windows/0.7.0/data_stream/service/fields/agent.yml
deleted file mode 100755
index da4e652c53..0000000000
--- a/packages/windows/0.7.0/data_stream/service/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/windows/0.7.0/data_stream/service/fields/base-fields.yml b/packages/windows/0.7.0/data_stream/service/fields/base-fields.yml
deleted file mode 100755
index 7c798f4534..0000000000
--- a/packages/windows/0.7.0/data_stream/service/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
-  type: constant_keyword
-  description: Data stream type.
-- name: data_stream.dataset
-  type: constant_keyword
-  description: Data stream dataset.
-- name: data_stream.namespace
-  type: constant_keyword
-  description: Data stream namespace.
-- name: '@timestamp'
-  type: date
-  description: Event timestamp.
diff --git a/packages/windows/0.7.0/data_stream/service/fields/fields.yml b/packages/windows/0.7.0/data_stream/service/fields/fields.yml
deleted file mode 100755
index 7618a693c4..0000000000
--- a/packages/windows/0.7.0/data_stream/service/fields/fields.yml
+++ /dev/null
@@ -1,44 +0,0 @@
-- name: windows.service
-  type: group
-  fields:
-    - name: id
-      type: keyword
-      description: |
-        A unique ID for the service. It is a hash of the machine's GUID and the service name.
-    - name: name
-      type: keyword
-      description: |
-        The service name.
-    - name: display_name
-      type: keyword
-      description: |
-        The display name of the service.
-    - name: start_type
-      type: keyword
-      description: |
-        The startup type of the service. The possible values are `Automatic`, `Boot`, `Disabled`, `Manual`, and `System`.
-    - name: start_name
-      type: keyword
-      description: |
-        Account name under which a service runs.
-    - name: path_name
-      type: keyword
-      description: |
-        Fully qualified path to the file that implements the service, including arguments.
-    - name: state
-      type: keyword
-      description: |
-        The actual state of the service. The possible values are `Continuing`, `Pausing`, `Paused`, `Running`, `Starting`, `Stopping`, and `Stopped`.
-    - name: exit_code
-      type: keyword
-      description: |
-        For `Stopped` services this is the error code that service reports when starting to stopping. This will be the generic Windows service error code unless the service provides a service-specific error code.
-    - name: pid
-      type: long
-      description: |
-        For `Running` services this is the associated process PID.
-    - name: uptime.ms
-      type: long
-      format: duration
-      description: |
-        The service's uptime specified in milliseconds.
diff --git a/packages/windows/0.7.0/data_stream/service/manifest.yml b/packages/windows/0.7.0/data_stream/service/manifest.yml
deleted file mode 100755
index 7602152093..0000000000
--- a/packages/windows/0.7.0/data_stream/service/manifest.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-title: Windows service metrics
-release: experimental
-type: metrics
-streams:
-  - input: windows/metrics
-    vars:
-      - name: period
-        type: text
-        title: Period
-        multi: false
-        required: true
-        show_user: true
-        default: 60s
-    title: Windows service metrics
-    description: Collect Windows service metrics
diff --git a/packages/windows/0.7.0/data_stream/sysmon_operational/agent/stream/httpjson.yml.hbs b/packages/windows/0.7.0/data_stream/sysmon_operational/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index 158e9245d0..0000000000
--- a/packages/windows/0.7.0/data_stream/sysmon_operational/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,76 +0,0 @@
-config_version: "2"
-interval: {{interval}}
-auth.basic.user: {{username}}
-auth.basic.password: {{password}}
-cursor:
-  index_earliest:
-    value: '[[.last_event.result.max_indextime]]'
-request.url: {{url}}/services/search/jobs/export
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-request.method: POST
-request.transforms:
-  - set:
-      target: url.params.search
-      value: |-
-        {{search}} | streamstats max(_indextime) AS max_indextime
-  - set:
-      target: url.params.output_mode
-      value: "json"
-  - set:
-      target: url.params.index_earliest
-      value: '[[ .cursor.index_earliest ]]'
-      default: '[[(now (parseDuration "-{{interval}}")).Unix]]'
-  - set:
-      target: url.params.index_latest
-      value: '[[(now).Unix]]'
-  - set:
-      target: header.Content-Type
-      value: application/x-www-form-urlencoded
-response.decode_as: application/x-ndjson
-tags:
-{{#each tags as |tag i|}}
-  - {{tag}}
-{{/each}}
-{{#contains tags "forwarded"}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-processors:
-  - decode_json_fields:
-      fields: message
-      target: json
-      add_error_key: true
-  - drop_event:
-      when:
-        not:
-          has_fields: ['json.result']
-  - fingerprint:
-      fields:
-        - json.result._cd
-        - json.result._indextime
-        - json.result._raw
-        - json.result._time
-        - json.result.host
-        - json.result.source
-      target_field: "@metadata._id"
-  - drop_fields:
-      fields: message
-  - rename:
-      fields:
-        - from: json.result._raw
-          to: event.original
-        - from: json.result.host
-          to: host.name
-        - from: json.result.source
-          to: event.provider
-      ignore_missing: true
-      fail_on_error: false
-  - drop_fields:
-      fields: json
-  - decode_xml_wineventlog:
-      field: event.original
-      target_field: winlog
-      ignore_missing: true
-      ignore_failure: true
-      map_ecs_fields: true
diff --git a/packages/windows/0.7.0/data_stream/sysmon_operational/agent/stream/winlog.yml.hbs b/packages/windows/0.7.0/data_stream/sysmon_operational/agent/stream/winlog.yml.hbs
deleted file mode 100755
index 69971ceaf1..0000000000
--- a/packages/windows/0.7.0/data_stream/sysmon_operational/agent/stream/winlog.yml.hbs
+++ /dev/null
@@ -1,2 +0,0 @@
-name: Microsoft-Windows-Sysmon/Operational
-condition: ${host.platform} == 'windows'
diff --git a/packages/windows/0.7.0/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml b/packages/windows/0.7.0/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 5b5c93a79b..0000000000
--- a/packages/windows/0.7.0/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,1248 +0,0 @@ ---- -description: Pipeline for Windows Sysmon Event Logs -processors: -## ECS and Event fields. - - - set: - field: ecs.version - value: 1.9.0 - - rename: - field: winlog.level - target_field: log.level - ignore_missing: true - ignore_failure: true - if: ctx?.winlog?.level != "" - - date: - field: winlog.time_created - target_field: event.created - formats: - - ISO8601 - ignore_failure: true - if: ctx?.winlog?.time_created != null - - date: - field: winlog.event_data.UtcTime - formats: - - yyyy-MM-dd HH:mm:ss.SSS - timezone: UTC - ignore_failure: true - if: ctx?.winlog?.event_data?.UtcTime != null - - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' - - set: - field: event.kind - value: event - - set: - field: event.code - value: '{{winlog.event_id}}' - - - script: - description: Set event category and type for all event types. - lang: painless - params: - "1": - category: - - process - type: - - start - "2": - category: - - file - type: - - change - "3": - category: - - network - type: - - start - - connection - - protocol - "4": - category: - - process - type: - - change - "5": - category: - - process - type: - - end - "6": - category: - - driver - type: - - start - "7": - category: - - process - type: - - change - "10": - category: - - process - type: - - access - "11": - category: - - file - type: - - creation - "12": - category: - - configuration - - registry - type: - - change - "13": - category: - - configuration - - registry - type: - - change - "14": - category: - - configuration - - registry - type: - - change - "15": - category: - - file - type: - - access - "16": - category: - - configuration - type: - - change - "17": - category: - - file - type: - - creation - "18": - category: - - file - type: - - access - "22": - category: - - network - type: - - connection - - protocol - - info - "23": - category: - - file - type: - - deletion - "24": - type: - - change - "25": - category: - - process - type: - - change - if: 
ctx?.event?.code != null - source: |- - def hm = new HashMap(params[ctx.event.code]); - hm.forEach((k, v) -> ctx.event[k] = v); - - convert: - field: winlog.record_id - type: string - ignore_failure: true - ignore_missing: true - - - rename: - field: winlog.event_data.ID - target_field: error.code - ignore_failure: true - ignore_missing: true - if: ctx.event.code == "255" && ctx.winlog?.event_data?.ID != null && ctx.winlog?.event_data?.ID != "" - - - rename: - field: winlog.event_data.RuleName - target_field: rule.name - ignore_missing: true - ignore_failure: true - if: ctx?.winlog?.event_data?.RuleName != null && ctx?.winlog?.event_data?.RuleName != "" && ctx?.winlog?.event_data?.RuleName != "-" - - - - rename: - field: winlog.event_data.Type - target_field: message - ignore_missing: true - ignore_failure: true - if: ctx.event.code == "25" && ctx?.winlog?.event_data?.Type != null && ctx?.winlog?.event_data?.Type != "" - - - rename: - field: winlog.event_data.Hash - target_field: winlog.event_data.Hashes - ignore_missing: true - ignore_failure: true - if: ctx?.winlog?.event_data?.Hash != null && ctx?.winlog?.event_data?.Hash != "" - - kv: - field: winlog.event_data.Hashes - target_field: _temp.hashes - field_split: "," - value_split: "=" - ignore_failure: true - if: ctx?.winlog?.event_data?.Hashes != null - - script: - lang: painless - if: ctx?._temp?.hashes != null - source: |- - def hashIsEmpty(String hash) { - if (hash == "") { - return true; - } - - Pattern emptyHashRegex = /^0*$/; - def matcher = emptyHashRegex.matcher(hash); - - return matcher.matches(); - } - - def hashes = new HashMap(); - def related = [ - "hash": new ArrayList() - ]; - for (entry in ctx._temp.hashes.entrySet()) { - def key = entry.getKey().toString().toLowerCase(); - def value = entry.getValue().toString().toLowerCase(); - - if (hashIsEmpty(value)) { - continue; - } - - hashes[key] = value; - related.hash.add(value); - } - - ctx._temp.hashes = hashes; - if (related.hash.length > 0) { - 
ctx.related = related; - } - -## Process fields - - - rename: - field: _temp.hashes - target_field: process.hash - if: |- - ctx?._temp?.hashes != null && - ["1", "23", "24", "25"].contains(ctx.event.code) - - rename: - field: process.hash.imphash - target_field: process.pe.imphash - ignore_failure: true - ignore_missing: true - - rename: - field: winlog.event_data.ProcessGuid - target_field: process.entity_id - ignore_missing: true - ignore_failure: true - if: ctx?.winlog?.event_data?.ProcessGuid != null && ctx?.winlog?.event_data?.ProcessGuid != "" - - convert: - field: winlog.event_data.ProcessId - target_field: process.pid - type: long - ignore_failure: true - ignore_missing: true - if: ctx?.winlog?.event_data?.ProcessId != null && ctx?.winlog?.event_data?.ProcessId != "" - - rename: - field: winlog.event_data.Image - target_field: process.executable - ignore_missing: true - ignore_failure: true - if: ctx?.winlog?.event_data?.Image != null && ctx?.winlog?.event_data?.Image != "" - - rename: - field: winlog.event_data.SourceProcessGuid - target_field: process.entity_id - ignore_missing: true - ignore_failure: true - if: ctx?.winlog?.event_data?.SourceProcessGuid != null && ctx?.winlog?.event_data?.SourceProcessGuid != "" - - rename: - field: winlog.event_data.SourceProcessGUID - target_field: process.entity_id - ignore_missing: true - ignore_failure: true - if: ctx?.winlog?.event_data?.SourceProcessGUID != null && ctx?.winlog?.event_data?.SourceProcessGUID != "" - - convert: - field: winlog.event_data.SourceProcessId - target_field: process.pid - type: long - ignore_failure: true - ignore_missing: true - if: ctx?.winlog?.event_data?.SourceProcessId != null && ctx?.winlog?.event_data?.SourceProcessId != "" - - convert: - field: winlog.event_data.SourceThreadId - target_field: process.thread.id - type: long - ignore_failure: true - ignore_missing: true - if: ctx?.winlog?.event_data?.SourceThreadId != null && ctx?.winlog?.event_data?.SourceThreadId != "" - - rename: 
- field: winlog.event_data.SourceImage - target_field: process.executable - ignore_missing: true - ignore_failure: true - if: ctx?.winlog?.event_data?.SourceImage != null && ctx?.winlog?.event_data?.SourceImage != "" - - rename: - field: winlog.event_data.Destination - target_field: process.executable - ignore_missing: true - ignore_failure: true - if: ctx?.winlog?.event_data?.Destination != null && ctx?.winlog?.event_data?.Destination != "" - - rename: - field: winlog.event_data.CommandLine - target_field: process.command_line - ignore_missing: true - ignore_failure: true - if: ctx?.winlog?.event_data?.CommandLine != null && ctx?.winlog?.event_data?.CommandLine != "" - - rename: - field: winlog.event_data.CurrentDirectory - target_field: process.working_directory - ignore_missing: true - ignore_failure: true - if: ctx?.winlog?.event_data?.CurrentDirectory != null && ctx?.winlog?.event_data?.CurrentDirectory != "" - - rename: - field: winlog.event_data.ParentProcessGuid - target_field: process.parent.entity_id - ignore_missing: true - ignore_failure: true - if: ctx?.winlog?.event_data?.ParentProcessGuid != null && ctx?.winlog?.event_data?.ParentProcessGuid != "" - - convert: - field: winlog.event_data.ParentProcessId - target_field: process.parent.pid - type: long - ignore_failure: true - ignore_missing: true - if: ctx?.winlog?.event_data?.ParentProcessId != null && ctx?.winlog?.event_data?.ParentProcessId != "" - - rename: - field: winlog.event_data.ParentImage - target_field: process.parent.executable - ignore_missing: true - ignore_failure: true - if: ctx?.winlog?.event_data?.ParentImage != null && ctx?.winlog?.event_data?.ParentImage != "" - - rename: - field: winlog.event_data.ParentCommandLine - target_field: process.parent.command_line - ignore_missing: true - ignore_failure: true - if: ctx?.winlog?.event_data?.ParentCommandLine != null && ctx?.winlog?.event_data?.ParentCommandLine != "" - - rename: - field: winlog.event_data.OriginalFileName - target_field: 
process.pe.original_file_name - ignore_missing: true - ignore_failure: true - if: ctx.event.code != "7" && ctx?.winlog?.event_data?.OriginalFileName != null && ctx?.winlog?.event_data?.OriginalFileName != "" - - set: - field: process.pe.company - copy_from: winlog.event_data.Company - ignore_empty_value: true - ignore_failure: true - if: ctx.event.code != "7" - - set: - field: process.pe.description - copy_from: winlog.event_data.Description - ignore_empty_value: true - ignore_failure: true - if: ctx.event.code != "7" - - set: - field: process.pe.file_version - copy_from: winlog.event_data.FileVersion - ignore_empty_value: true - ignore_failure: true - if: ctx.event.code != "7" - - set: - field: process.pe.product - copy_from: winlog.event_data.Product - ignore_empty_value: true - ignore_failure: true - if: ctx.event.code != "7" - - - script: - description: Implements Windows-like SplitCommandLine - lang: painless - if: |- - (ctx?.process?.command_line != null && ctx.process.command_line != "") || - (ctx?.process?.parent?.command_line != null && ctx.process.parent.command_line != "") - source: |- - // appendBSBytes appends n '\\' bytes to b and returns the resulting slice. - def appendBSBytes(StringBuilder b, int n) { - for (; n > 0; n--) { - b.append('\\'); - } - return b; - } - - // readNextArg splits command line string cmd into next - // argument and command line remainder. 
- def readNextArg(String cmd) { - def b = new StringBuilder(); - boolean inquote; - int nslash; - for (; cmd.length() > 0; cmd = cmd.substring(1)) { - def c = cmd.charAt(0); - if (c == (char)' ' || c == (char)0x09) { - if (!inquote) { - return [ - "arg": appendBSBytes(b, nslash).toString(), - "rest": cmd.substring(1) - ]; - } - } else if (c == (char)'"') { - b = appendBSBytes(b, nslash/2); - if (nslash%2 == 0) { - // use "Prior to 2008" rule from - // http://daviddeley.com/autohotkey/parameters/parameters.htm - // section 5.2 to deal with double double quotes - if (inquote && cmd.length() > 1 && cmd.charAt(1) == (char)'"') { - b.append(c); - cmd = cmd.substring(1); - } - inquote = !inquote; - } else { - b.append(c); - } - nslash = 0; - continue; - } else if (c == (char)'\\') { - nslash++; - continue; - } - b = appendBSBytes(b, nslash); - nslash = 0; - b.append(c); - } - return [ - "arg": appendBSBytes(b, nslash).toString(), - "rest": '' - ]; - } - - // commandLineToArgv splits a command line into individual argument - // strings, following the Windows conventions documented - // at http://daviddeley.com/autohotkey/parameters/parameters.htm#WINARGV - // Original implementation found at: https://github.com/golang/go/commit/39c8d2b7faed06b0e91a1ad7906231f53aab45d1 - def commandLineToArgv(String cmd) { - def args = new ArrayList(); - while (cmd.length() > 0) { - if (cmd.charAt(0) == (char)' ' || cmd.charAt(0) == (char)0x09) { - cmd = cmd.substring(1); - continue; - } - def next = readNextArg(cmd); - cmd = next.rest; - args.add(next.arg); - } - return args; - } - - def cmd = ctx?.process?.command_line; - if (cmd != null && cmd != "") { - ctx.process.args = commandLineToArgv(cmd); - ctx.process.args_count = ctx.process.args.length; - } - - def parentCmd = ctx?.process?.parent?.command_line; - if (parentCmd != null && parentCmd != "") { - ctx.process.parent.args = commandLineToArgv(parentCmd); - ctx.process.parent.args_count = ctx.process.parent.args.length; - } - - - 
script: - description: Adds process name information. - lang: painless - if: |- - (ctx?.process?.executable != null && ctx.process.executable.length() > 1) || - (ctx?.process?.parent?.executable != null && ctx.process.parent.executable.length() > 1) - source: |- - def getProcessName(def path) { - def idx = path.lastIndexOf("\\"); - if (idx > -1) { - return path.substring(idx+1); - } - return ""; - } - - def cmd = ctx?.process?.executable; - if (cmd != null && cmd != "" && ctx?.process?.name == null) { - def name = getProcessName(cmd); - if (name != "") { - ctx.process.name = name; - } - } - - def parentCmd = ctx?.process?.parent?.executable; - if (parentCmd != null && parentCmd != "" && ctx?.process?.parent?.name == null) { - def name = getProcessName(parentCmd); - if (name != "") { - ctx.process.parent.name = name; - } - } - -## File fields - - - rename: - field: _temp.hashes - target_field: file.hash - if: |- - ctx?._temp?.hashes != null && - ["6", "7", "15"].contains(ctx.event.code) - - rename: - field: file.hash.imphash - target_field: file.pe.imphash - ignore_failure: true - ignore_missing: true - - rename: - field: winlog.event_data.TargetFilename - target_field: file.path - ignore_missing: true - ignore_failure: true - if: ctx?.winlog?.event_data?.TargetFilename != null && ctx?.winlog?.event_data?.TargetFilename != "" - - rename: - field: winlog.event_data.Device - target_field: file.path - ignore_missing: true - ignore_failure: true - if: ctx?.winlog?.event_data?.Device != null && ctx?.winlog?.event_data?.Device != "" - - rename: - field: winlog.event_data.PipeName - target_field: file.name - ignore_missing: true - ignore_failure: true - if: ctx?.winlog?.event_data?.PipeName != null && ctx?.winlog?.event_data?.PipeName != "" - - rename: - field: winlog.event_data.ImageLoaded - target_field: file.path - ignore_missing: true - ignore_failure: true - if: ctx?.winlog?.event_data?.ImageLoaded != null && ctx?.winlog?.event_data?.ImageLoaded != "" - - set: - 
field: file.code_signature.subject_name - copy_from: winlog.event_data.Signature - ignore_failure: true - ignore_empty_value: true - - set: - field: file.code_signature.status - copy_from: winlog.event_data.SignatureStatus - ignore_failure: true - ignore_empty_value: true - - rename: - field: winlog.event_data.OriginalFileName - target_field: file.pe.original_file_name - ignore_missing: true - ignore_failure: true - if: ctx.event.code == "7" && ctx?.winlog?.event_data?.OriginalFileName != null && ctx?.winlog?.event_data?.OriginalFileName != "" - - set: - field: file.pe.company - copy_from: winlog.event_data.Company - ignore_failure: true - ignore_empty_value: true - if: ctx.event.code == "7" - - set: - field: file.pe.description - copy_from: winlog.event_data.Description - ignore_failure: true - ignore_empty_value: true - if: ctx.event.code == "7" - - set: - field: file.pe.file_version - copy_from: winlog.event_data.FileVersion - ignore_failure: true - ignore_empty_value: true - if: ctx.event.code == "7" - - set: - field: file.pe.product - copy_from: winlog.event_data.Product - ignore_failure: true - ignore_empty_value: true - if: ctx.event.code == "7" - - set: - field: file.code_signature.signed - value: true - if: ctx?.winlog?.event_data?.Signed != null && ctx.winlog.event_data.Signed == true - - set: - field: file.code_signature.valid - value: true - if: ctx?.winlog?.event_data?.SignatureStatus != null && ctx?.winlog?.event_data?.SignatureStatus == "Valid" - - - script: - description: Adds file information. 
- lang: painless - if: ctx?.file?.path != null && ctx.file.path.length() > 1 - source: |- - def path = ctx.file.path; - def idx = path.lastIndexOf("\\"); - if (idx > -1) { - if (ctx?.file == null) { - ctx.file = new HashMap(); - } - ctx.file.name = path.substring(idx+1); - ctx.file.directory = path.substring(0, idx); - - def extIdx = path.lastIndexOf("."); - if (extIdx > -1) { - ctx.file.extension = path.substring(extIdx+1); - } - } - -## Network, Destination, and Source fields - - - rename: - field: winlog.event_data.Protocol - target_field: network.transport - ignore_missing: true - ignore_failure: true - if: ctx?.winlog?.event_data?.Protocol != null && ctx?.winlog?.event_data?.Protocol != "" - - rename: - field: winlog.event_data.DestinationPortName - target_field: network.protocol - ignore_missing: true - ignore_failure: true - if: ctx.event.code != "22" && ctx?.winlog?.event_data?.DestinationPortName != null && ctx?.winlog?.event_data?.DestinationPortName != "" - - rename: - field: winlog.event_data.SourcePortName - target_field: network.protocol - ignore_missing: true - ignore_failure: true - if: ctx.event.code != "22" && ctx?.winlog?.event_data?.SourcePortName != null && ctx?.winlog?.event_data?.SourcePortName != "" - - set: - field: network.protocol - value: dns - if: ctx.event.code == "22" - - convert: - field: winlog.event_data.SourceIp - target_field: source.ip - type: ip - ignore_failure: true - ignore_missing: true - if: ctx?.winlog?.event_data?.SourceIp != null && ctx?.winlog?.event_data?.SourceIp != "" - - rename: - field: winlog.event_data.SourceHostname - target_field: source.domain - ignore_missing: true - ignore_failure: true - if: ctx?.winlog?.event_data?.SourceHostname != null && ctx?.winlog?.event_data?.SourceHostname != "" - - convert: - field: winlog.event_data.SourcePort - target_field: source.port - type: long - ignore_failure: true - ignore_missing: true - if: ctx?.winlog?.event_data?.SourcePort != null && 
ctx?.winlog?.event_data?.SourcePort != "" - - convert: - field: winlog.event_data.DestinationIp - target_field: destination.ip - type: ip - ignore_failure: true - ignore_missing: true - if: ctx?.winlog?.event_data?.DestinationIp != null && ctx?.winlog?.event_data?.DestinationIp != "" - - rename: - field: winlog.event_data.DestinationHostname - target_field: destination.domain - ignore_missing: true - ignore_failure: true - if: ctx?.winlog?.event_data?.DestinationHostname != null && ctx?.winlog?.event_data?.DestinationHostname != "" - - convert: - field: winlog.event_data.DestinationPort - target_field: destination.port - type: long - ignore_failure: true - ignore_missing: true - if: ctx?.winlog?.event_data?.DestinationPort != null && ctx?.winlog?.event_data?.DestinationPort != "" - - rename: - field: winlog.event_data.QueryName - target_field: dns.question.name - ignore_missing: true - ignore_failure: true - if: ctx?.winlog?.event_data?.QueryName != null && ctx?.winlog?.event_data?.QueryName != "" - - set: - field: network.direction - value: egress - if: ctx?.winlog?.event_data?.Initiated != null && ctx?.winlog?.event_data?.Initiated == "true" - - set: - field: network.direction - value: ingress - if: ctx?.winlog?.event_data?.Initiated != null && ctx?.winlog?.event_data?.Initiated == "false" - - set: - field: network.type - value: ipv4 - if: ctx?.winlog?.event_data?.SourceIsIpv6 != null && ctx?.winlog?.event_data?.SourceIsIpv6 == "false" - - set: - field: network.type - value: ipv6 - if: ctx?.winlog?.event_data?.SourceIsIpv6 != null && ctx?.winlog?.event_data?.SourceIsIpv6 == "true" - - script: - description: | - Splits the QueryResults field that contains the DNS responses. 
- Example: "type: 5 f2.taboola.map.fastly.net;::ffff:151.101.66.2;::ffff:151.101.130.2;::ffff:151.101.194.2;::ffff:151.101.2.2;" - lang: painless - if: ctx?.winlog?.event_data?.QueryResults != null && ctx?.winlog?.event_data?.QueryResults != "" - params: - "1": "A" - "2": "NS" - "3": "MD" - "4": "MF" - "5": "CNAME" - "6": "SOA" - "7": "MB" - "8": "MG" - "9": "MR" - "10": "NULL" - "11": "WKS" - "12": "PTR" - "13": "HINFO" - "14": "MINFO" - "15": "MX" - "16": "TXT" - "17": "RP" - "18": "AFSDB" - "19": "X25" - "20": "ISDN" - "21": "RT" - "22": "NSAP" - "23": "NSAPPTR" - "24": "SIG" - "25": "KEY" - "26": "PX" - "27": "GPOS" - "28": "AAAA" - "29": "LOC" - "30": "NXT" - "31": "EID" - "32": "NIMLOC" - "33": "SRV" - "34": "ATMA" - "35": "NAPTR" - "36": "KX" - "37": "CERT" - "38": "A6" - "39": "DNAME" - "40": "SINK" - "41": "OPT" - "43": "DS" - "46": "RRSIG" - "47": "NSEC" - "48": "DNSKEY" - "49": "DHCID" - "100": "UINFO" - "101": "UID" - "102": "GID" - "103": "UNSPEC" - "248": "ADDRS" - "249": "TKEY" - "250": "TSIG" - "251": "IXFR" - "252": "AXFR" - "253": "MAILB" - "254": "MAILA" - "255": "ANY" - "65281": "WINS" - "65282": "WINSR" - source: |- - def results = /;/.split(ctx.winlog.event_data.QueryResults); - def answers = new ArrayList(); - def ips = new ArrayList(); - def relatedHosts = new ArrayList(); - for (def i = 0; i < results.length; i++) { - def answer = results[i]; - if (answer == "") { - continue; - } - - if (answer.startsWith("type:")) { - def parts = /\s+/.split(answer); - if (parts.length != 3) { - throw new Exception("unexpected QueryResult format"); - } - - answers.add([ - "type": params[parts[1]], - "data": parts[2] - ]); - relatedHosts.add(parts[2]); - } else { - answer = answer.replace("::ffff:", ""); - ips.add(answer); - } - } - - if (answers.length > 0) { - ctx.dns.answers = answers; - } - if (ips.length > 0) { - ctx.dns.resolved_ip = ips; - } - if (relatedHosts.length > 0) { - if (ctx?.related == null) { - ctx.related = new HashMap(); - } - 
ctx.related.hosts = relatedHosts; - } - - foreach: - field: dns.resolved_ip - ignore_missing: true - processor: - convert: - field: _ingest._value - type: ip - on_failure: - - remove: - field: _ingest._value - - script: - description: Convert V4MAPPED addresses. - lang: painless - if: ctx?.dns?.resolved_ip != null - source: |- - if (ctx.dns.answers == null) { - ctx.dns.answers = new ArrayList(); - } - for (def i = 0; i < ctx.dns.resolved_ip.length; i++) { - def ip = ctx.dns.resolved_ip[i]; - if (ip == null) { - ctx.dns.resolved_ip.remove(i); - continue; - } - - // Synthesize record type based on IP address type. - def type = "A"; - if (ip.indexOf(":") != -1) { - type = "AAAA"; - } - ctx.dns.answers.add([ - "type": type, - "data": ip - ]); - } - - registered_domain: - field: dns.question.name - target_field: dns.question - ignore_failure: true - ignore_missing: true - - append: - field: related.hosts - value: "{{dns.question.name}}" - allow_duplicates: false - if: ctx?.dns?.question?.name != null && ctx?.dns?.question?.name != "" - - remove: - description: Remove dns.question.domain because it is not part of ECS and is redundant with dns.question.name. 
- field: dns.question.domain - ignore_missing: true - ignore_failure: true - - foreach: - field: dns.resolved_ip - ignore_missing: true - processor: - append: - field: related.ip - value: _ingest._value - allow_duplicates: false - - community_id: - ignore_failure: true - ignore_missing: false - -## User fields - - - set: - field: user.id - copy_from: winlog.user.identifier - ignore_empty_value: true - ignore_failure: true - - split: - field: winlog.event_data.User - target_field: "_temp.user_parts" - separator: '\\' - if: ctx?.winlog?.event_data?.User != null - - set: - field: user.domain - value: "{{_temp.user_parts.0}}" - ignore_failure: true - ignore_empty_value: true - if: ctx?._temp?.user_parts != null && ctx._temp.user_parts.size() == 2 - - set: - field: user.name - value: "{{_temp.user_parts.1}}" - ignore_failure: true - ignore_empty_value: true - if: ctx?._temp?.user_parts != null && ctx._temp.user_parts.size() == 2 - -## Sysmon fields - - - rename: - field: winlog.event_data.QueryStatus - target_field: sysmon.dns.status - ignore_missing: true - ignore_failure: true - if: ctx?.winlog?.event_data?.QueryStatus != null && ctx?.winlog?.event_data?.QueryStatus != "" - - script: - description: Translate DNS Query status. 
- lang: painless
- params:
- "5": "ERROR_ACCESS_DENIED"
- "0": "SUCCESS"
- "8": "ERROR_NOT_ENOUGH_MEMORY"
- "13": "ERROR_INVALID_DATA"
- "14": "ERROR_OUTOFMEMORY"
- "123": "ERROR_INVALID_NAME"
- "1214": "ERROR_INVALID_NETNAME"
- "1223": "ERROR_CANCELLED"
- "1460": "ERROR_TIMEOUT"
- "4312": "ERROR_OBJECT_NOT_FOUND"
- "9001": "DNS_ERROR_RCODE_FORMAT_ERROR"
- "9002": "DNS_ERROR_RCODE_SERVER_FAILURE"
- "9003": "DNS_ERROR_RCODE_NAME_ERROR"
- "9004": "DNS_ERROR_RCODE_NOT_IMPLEMENTED"
- "9005": "DNS_ERROR_RCODE_REFUSED"
- "9006": "DNS_ERROR_RCODE_YXDOMAIN"
- "9007": "DNS_ERROR_RCODE_YXRRSET"
- "9008": "DNS_ERROR_RCODE_NXRRSET"
- "9009": "DNS_ERROR_RCODE_NOTAUTH"
- "9010": "DNS_ERROR_RCODE_NOTZONE"
- "9016": "DNS_ERROR_RCODE_BADSIG"
- "9017": "DNS_ERROR_RCODE_BADKEY"
- "9018": "DNS_ERROR_RCODE_BADTIME"
- "9101": "DNS_ERROR_KEYMASTER_REQUIRED"
- "9102": "DNS_ERROR_NOT_ALLOWED_ON_SIGNED_ZONE"
- "9103": "DNS_ERROR_NSEC3_INCOMPATIBLE_WITH_RSA_SHA1"
- "9104": "DNS_ERROR_NOT_ENOUGH_SIGNING_KEY_DESCRIPTORS"
- "9105": "DNS_ERROR_UNSUPPORTED_ALGORITHM"
- "9106": "DNS_ERROR_INVALID_KEY_SIZE"
- "9107": "DNS_ERROR_SIGNING_KEY_NOT_ACCESSIBLE"
- "9108": "DNS_ERROR_KSP_DOES_NOT_SUPPORT_PROTECTION"
- "9109": "DNS_ERROR_UNEXPECTED_DATA_PROTECTION_ERROR"
- "9110": "DNS_ERROR_UNEXPECTED_CNG_ERROR"
- "9111": "DNS_ERROR_UNKNOWN_SIGNING_PARAMETER_VERSION"
- "9112": "DNS_ERROR_KSP_NOT_ACCESSIBLE"
- "9113": "DNS_ERROR_TOO_MANY_SKDS"
- "9114": "DNS_ERROR_INVALID_ROLLOVER_PERIOD"
- "9115": "DNS_ERROR_INVALID_INITIAL_ROLLOVER_OFFSET"
- "9116": "DNS_ERROR_ROLLOVER_IN_PROGRESS"
- "9117": "DNS_ERROR_STANDBY_KEY_NOT_PRESENT"
- "9118": "DNS_ERROR_NOT_ALLOWED_ON_ZSK"
- "9119": "DNS_ERROR_NOT_ALLOWED_ON_ACTIVE_SKD"
- "9120": "DNS_ERROR_ROLLOVER_ALREADY_QUEUED"
- "9121": "DNS_ERROR_NOT_ALLOWED_ON_UNSIGNED_ZONE"
- "9122": "DNS_ERROR_BAD_KEYMASTER"
- "9123": "DNS_ERROR_INVALID_SIGNATURE_VALIDITY_PERIOD"
- "9124": "DNS_ERROR_INVALID_NSEC3_ITERATION_COUNT"
- "9125": "DNS_ERROR_DNSSEC_IS_DISABLED"
- "9126": "DNS_ERROR_INVALID_XML"
- "9127": "DNS_ERROR_NO_VALID_TRUST_ANCHORS"
- "9128": "DNS_ERROR_ROLLOVER_NOT_POKEABLE"
- "9129": "DNS_ERROR_NSEC3_NAME_COLLISION"
- "9130": "DNS_ERROR_NSEC_INCOMPATIBLE_WITH_NSEC3_RSA_SHA1"
- "9501": "DNS_INFO_NO_RECORDS"
- "9502": "DNS_ERROR_BAD_PACKET"
- "9503": "DNS_ERROR_NO_PACKET"
- "9504": "DNS_ERROR_RCODE"
- "9505": "DNS_ERROR_UNSECURE_PACKET"
- "9506": "DNS_REQUEST_PENDING"
- "9551": "DNS_ERROR_INVALID_TYPE"
- "9552": "DNS_ERROR_INVALID_IP_ADDRESS"
- "9553": "DNS_ERROR_INVALID_PROPERTY"
- "9554": "DNS_ERROR_TRY_AGAIN_LATER"
- "9555": "DNS_ERROR_NOT_UNIQUE"
- "9556": "DNS_ERROR_NON_RFC_NAME"
- "9557": "DNS_STATUS_FQDN"
- "9558": "DNS_STATUS_DOTTED_NAME"
- "9559": "DNS_STATUS_SINGLE_PART_NAME"
- "9560": "DNS_ERROR_INVALID_NAME_CHAR"
- "9561": "DNS_ERROR_NUMERIC_NAME"
- "9562": "DNS_ERROR_NOT_ALLOWED_ON_ROOT_SERVER"
- "9563": "DNS_ERROR_NOT_ALLOWED_UNDER_DELEGATION"
- "9564": "DNS_ERROR_CANNOT_FIND_ROOT_HINTS"
- "9565": "DNS_ERROR_INCONSISTENT_ROOT_HINTS"
- "9566": "DNS_ERROR_DWORD_VALUE_TOO_SMALL"
- "9567": "DNS_ERROR_DWORD_VALUE_TOO_LARGE"
- "9568": "DNS_ERROR_BACKGROUND_LOADING"
- "9569": "DNS_ERROR_NOT_ALLOWED_ON_RODC"
- "9570": "DNS_ERROR_NOT_ALLOWED_UNDER_DNAME"
- "9571": "DNS_ERROR_DELEGATION_REQUIRED"
- "9572": "DNS_ERROR_INVALID_POLICY_TABLE"
- "9573": "DNS_ERROR_ADDRESS_REQUIRED"
- "9601": "DNS_ERROR_ZONE_DOES_NOT_EXIST"
- "9602": "DNS_ERROR_NO_ZONE_INFO"
- "9603": "DNS_ERROR_INVALID_ZONE_OPERATION"
- "9604": "DNS_ERROR_ZONE_CONFIGURATION_ERROR"
- "9605": "DNS_ERROR_ZONE_HAS_NO_SOA_RECORD"
- "9606": "DNS_ERROR_ZONE_HAS_NO_NS_RECORDS"
- "9607": "DNS_ERROR_ZONE_LOCKED"
- "9608": "DNS_ERROR_ZONE_CREATION_FAILED"
- "9609": "DNS_ERROR_ZONE_ALREADY_EXISTS"
- "9610": "DNS_ERROR_AUTOZONE_ALREADY_EXISTS"
- "9611": "DNS_ERROR_INVALID_ZONE_TYPE"
- "9612": "DNS_ERROR_SECONDARY_REQUIRES_MASTER_IP"
- "9613": "DNS_ERROR_ZONE_NOT_SECONDARY"
- "9614": "DNS_ERROR_NEED_SECONDARY_ADDRESSES"
- "9615": "DNS_ERROR_WINS_INIT_FAILED"
- "9616": "DNS_ERROR_NEED_WINS_SERVERS"
- "9617": "DNS_ERROR_NBSTAT_INIT_FAILED"
- "9618": "DNS_ERROR_SOA_DELETE_INVALID"
- "9619": "DNS_ERROR_FORWARDER_ALREADY_EXISTS"
- "9620": "DNS_ERROR_ZONE_REQUIRES_MASTER_IP"
- "9621": "DNS_ERROR_ZONE_IS_SHUTDOWN"
- "9622": "DNS_ERROR_ZONE_LOCKED_FOR_SIGNING"
- "9651": "DNS_ERROR_PRIMARY_REQUIRES_DATAFILE"
- "9652": "DNS_ERROR_INVALID_DATAFILE_NAME"
- "9653": "DNS_ERROR_DATAFILE_OPEN_FAILURE"
- "9654": "DNS_ERROR_FILE_WRITEBACK_FAILED"
- "9655": "DNS_ERROR_DATAFILE_PARSING"
- "9701": "DNS_ERROR_RECORD_DOES_NOT_EXIST"
- "9702": "DNS_ERROR_RECORD_FORMAT"
- "9703": "DNS_ERROR_NODE_CREATION_FAILED"
- "9704": "DNS_ERROR_UNKNOWN_RECORD_TYPE"
- "9705": "DNS_ERROR_RECORD_TIMED_OUT"
- "9706": "DNS_ERROR_NAME_NOT_IN_ZONE"
- "9707": "DNS_ERROR_CNAME_LOOP"
- "9708": "DNS_ERROR_NODE_IS_CNAME"
- "9709": "DNS_ERROR_CNAME_COLLISION"
- "9710": "DNS_ERROR_RECORD_ONLY_AT_ZONE_ROOT"
- "9711": "DNS_ERROR_RECORD_ALREADY_EXISTS"
- "9712": "DNS_ERROR_SECONDARY_DATA"
- "9713": "DNS_ERROR_NO_CREATE_CACHE_DATA"
- "9714": "DNS_ERROR_NAME_DOES_NOT_EXIST"
- "9715": "DNS_WARNING_PTR_CREATE_FAILED"
- "9716": "DNS_WARNING_DOMAIN_UNDELETED"
- "9717": "DNS_ERROR_DS_UNAVAILABLE"
- "9718": "DNS_ERROR_DS_ZONE_ALREADY_EXISTS"
- "9719": "DNS_ERROR_NO_BOOTFILE_IF_DS_ZONE"
- "9720": "DNS_ERROR_NODE_IS_DNAME"
- "9721": "DNS_ERROR_DNAME_COLLISION"
- "9722": "DNS_ERROR_ALIAS_LOOP"
- "9751": "DNS_INFO_AXFR_COMPLETE"
- "9752": "DNS_ERROR_AXFR"
- "9753": "DNS_INFO_ADDED_LOCAL_WINS"
- "9801": "DNS_STATUS_CONTINUE_NEEDED"
- "9851": "DNS_ERROR_NO_TCPIP"
- "9852": "DNS_ERROR_NO_DNS_SERVERS"
- "9901": "DNS_ERROR_DP_DOES_NOT_EXIST"
- "9902": "DNS_ERROR_DP_ALREADY_EXISTS"
- "9903": "DNS_ERROR_DP_NOT_ENLISTED"
- "9904": "DNS_ERROR_DP_ALREADY_ENLISTED"
- "9905": "DNS_ERROR_DP_NOT_AVAILABLE"
- "9906": "DNS_ERROR_DP_FSMO_ERROR"
- "9911": "DNS_ERROR_RRL_NOT_ENABLED"
- "9912": "DNS_ERROR_RRL_INVALID_WINDOW_SIZE"
- "9913": "DNS_ERROR_RRL_INVALID_IPV4_PREFIX"
- "9914": "DNS_ERROR_RRL_INVALID_IPV6_PREFIX"
- "9915": "DNS_ERROR_RRL_INVALID_TC_RATE"
- "9916": "DNS_ERROR_RRL_INVALID_LEAK_RATE"
- "9917": "DNS_ERROR_RRL_LEAK_RATE_LESSTHAN_TC_RATE"
- "9921": "DNS_ERROR_VIRTUALIZATION_INSTANCE_ALREADY_EXISTS"
- "9922": "DNS_ERROR_VIRTUALIZATION_INSTANCE_DOES_NOT_EXIST"
- "9923": "DNS_ERROR_VIRTUALIZATION_TREE_LOCKED"
- "9924": "DNS_ERROR_INVAILD_VIRTUALIZATION_INSTANCE_NAME"
- "9925": "DNS_ERROR_DEFAULT_VIRTUALIZATION_INSTANCE"
- "9951": "DNS_ERROR_ZONESCOPE_ALREADY_EXISTS"
- "9952": "DNS_ERROR_ZONESCOPE_DOES_NOT_EXIST"
- "9953": "DNS_ERROR_DEFAULT_ZONESCOPE"
- "9954": "DNS_ERROR_INVALID_ZONESCOPE_NAME"
- "9955": "DNS_ERROR_NOT_ALLOWED_WITH_ZONESCOPES"
- "9956": "DNS_ERROR_LOAD_ZONESCOPE_FAILED"
- "9957": "DNS_ERROR_ZONESCOPE_FILE_WRITEBACK_FAILED"
- "9958": "DNS_ERROR_INVALID_SCOPE_NAME"
- "9959": "DNS_ERROR_SCOPE_DOES_NOT_EXIST"
- "9960": "DNS_ERROR_DEFAULT_SCOPE"
- "9961": "DNS_ERROR_INVALID_SCOPE_OPERATION"
- "9962": "DNS_ERROR_SCOPE_LOCKED"
- "9963": "DNS_ERROR_SCOPE_ALREADY_EXISTS"
- "9971": "DNS_ERROR_POLICY_ALREADY_EXISTS"
- "9972": "DNS_ERROR_POLICY_DOES_NOT_EXIST"
- "9973": "DNS_ERROR_POLICY_INVALID_CRITERIA"
- "9974": "DNS_ERROR_POLICY_INVALID_SETTINGS"
- "9975": "DNS_ERROR_CLIENT_SUBNET_IS_ACCESSED"
- "9976": "DNS_ERROR_CLIENT_SUBNET_DOES_NOT_EXIST"
- "9977": "DNS_ERROR_CLIENT_SUBNET_ALREADY_EXISTS"
- "9978": "DNS_ERROR_SUBNET_DOES_NOT_EXIST"
- "9979": "DNS_ERROR_SUBNET_ALREADY_EXISTS"
- "9980": "DNS_ERROR_POLICY_LOCKED"
- "9981": "DNS_ERROR_POLICY_INVALID_WEIGHT"
- "9982": "DNS_ERROR_POLICY_INVALID_NAME"
- "9983": "DNS_ERROR_POLICY_MISSING_CRITERIA"
- "9984": "DNS_ERROR_INVALID_CLIENT_SUBNET_NAME"
- "9985": "DNS_ERROR_POLICY_PROCESSING_ORDER_INVALID"
- "9986": "DNS_ERROR_POLICY_SCOPE_MISSING"
- "9987": "DNS_ERROR_POLICY_SCOPE_NOT_ALLOWED"
- "9988": "DNS_ERROR_SERVERSCOPE_IS_REFERENCED"
- "9989": "DNS_ERROR_ZONESCOPE_IS_REFERENCED"
- "9990": "DNS_ERROR_POLICY_INVALID_CRITERIA_CLIENT_SUBNET"
- "9991": "DNS_ERROR_POLICY_INVALID_CRITERIA_TRANSPORT_PROTOCOL"
- "9992": "DNS_ERROR_POLICY_INVALID_CRITERIA_NETWORK_PROTOCOL"
- "9993": "DNS_ERROR_POLICY_INVALID_CRITERIA_INTERFACE"
- "9994": "DNS_ERROR_POLICY_INVALID_CRITERIA_FQDN"
- "9995": "DNS_ERROR_POLICY_INVALID_CRITERIA_QUERY_TYPE"
- "9996": "DNS_ERROR_POLICY_INVALID_CRITERIA_TIME_OF_DAY"
- "10054": "WSAECONNRESET"
- "10055": "WSAENOBUFS"
- "10060": "WSAETIMEDOUT"
- if: ctx?.sysmon?.dns?.status != null && ctx?.sysmon?.dns?.status != ""
- source: |-
- def status = params[ctx.sysmon.dns.status];
- if (status != null) {
- ctx.sysmon.dns.status = status;
- }
- - convert:
- field: winlog.event_data.Archived
- target_field: sysmon.file.archived
- type: boolean
- ignore_missing: true
- ignore_failure: true
- if: ctx?.winlog?.event_data?.Archived != null && ctx?.winlog?.event_data?.Archived != ""
- - convert:
- field: winlog.event_data.IsExecutable
- target_field: sysmon.file.is_executable
- type: boolean
- ignore_missing: true
- ignore_failure: true
- if: ctx?.winlog?.event_data?.IsExecutable != null && ctx?.winlog?.event_data?.IsExecutable != ""
-
-## Related fields
-
- - append:
- field: related.user
- value: "{{user.name}}"
- ignore_failure: true
- allow_duplicates: false
- if: ctx?.user?.name != null && ctx.user.name != ""
- - append:
- field: related.ip
- value: "{{source.ip}}"
- ignore_failure: true
- allow_duplicates: false
- if: ctx?.source?.ip != null && ctx.source.ip != ""
- - append:
- field: related.ip
- value: "{{destination.ip}}"
- ignore_failure: true
- allow_duplicates: false
- if: ctx?.destination?.ip != null && ctx.destination.ip != ""
-
-## Registry fields
-
- - script:
- description: Set registry fields.
- lang: painless - if: |- - ctx?.winlog?.event_data?.TargetObject != null && ctx?.winlog?.event_data?.TargetObject != "" && - ["12", "13", "14"].contains(ctx.event.code) - params: - HKEY_CLASSES_ROOT: "HKCR" - HKCR: "HKCR" - HKEY_CURRENT_CONFIG: "HKCC" - HKCC: "HKCC" - HKEY_CURRENT_USER: "HKCU" - HKCU: "HKCU" - HKEY_DYN_DATA: "HKDD" - HKDD: "HKDD" - HKEY_LOCAL_MACHINE: "HKLM" - HKLM: "HKLM" - HKEY_PERFORMANCE_DATA: "HKPD" - HKPD: "HKPD" - HKEY_USERS: "HKU" - HKU: "HKU" - source: |- - ctx.registry = new HashMap(); - Pattern qwordRegex = /(?i)QWORD \(((0x\d{8})-(0x\d{8}))\)/; - Pattern dwordRegex = /(?i)DWORD \((0x\d{8})\)/; - - def path = ctx.winlog.event_data.TargetObject; - ctx.registry.path = path; - - def pathTokens = Arrays.asList(/\\/.split(path)); - def hive = params[pathTokens[0]]; - if (hive != null) { - ctx.registry.hive = hive; - if (pathTokens.length > 1) { - ctx.registry.key = pathTokens.subList(1, pathTokens.length).join("\\"); - } - } - - def value = pathTokens[pathTokens.length - 1]; - ctx.registry.value = value; - - def data = ctx?.winlog?.event_data?.Details; - if (data != null && data != "") { - def prefixLen = 2; // to remove 0x prefix - def dataValue = ""; - def dataType = ""; - def matcher = qwordRegex.matcher(data); - if (matcher.matches()) { - def parsedHighByte = Long.parseLong(matcher.group(2).substring(prefixLen), 16); - def parsedLowByte = Long.parseLong(matcher.group(3).substring(prefixLen), 16); - if (!Double.isNaN(parsedHighByte) && !Double.isNaN(parsedLowByte)) { - dataType = "SZ_QWORD"; - dataValue = Long.toString(((parsedHighByte << 8) + parsedLowByte)); - } - } else { - matcher = dwordRegex.matcher(data); - if (matcher.matches()) { - def parsedValue = Long.parseLong(matcher.group(1).substring(prefixLen), 16); - if (!Double.isNaN(parsedValue)) { - dataType = "SZ_DWORD"; - dataValue = matcher.group(1); - } - } - } - - if (dataType != "") { - ctx.registry.data = [ - "strings": [dataValue], - "type": dataType - ]; - } - } - -## Cleanup 
-
- - remove:
- field:
- - _temp
- - winlog.event_data.ProcessId
- - winlog.event_data.ParentProcessId
- - winlog.event_data.SourceProcessId
- - winlog.event_data.SourceThreadId
- - winlog.event_data.SourceIp
- - winlog.event_data.SourcePort
- - winlog.event_data.SourcePortName
- - winlog.event_data.DestinationIp
- - winlog.event_data.DestinationPort
- - winlog.event_data.DestinationPortName
- - winlog.event_data.RuleName
- - winlog.event_data.User
- - winlog.event_data.Initiated
- - winlog.event_data.SourceIsIpv6
- - winlog.event_data.DestinationIsIpv6
- - winlog.event_data.QueryStatus
- - winlog.event_data.Archived
- - winlog.event_data.IsExecutable
- - winlog.event_data.QueryResults
- - winlog.event_data.UtcTime
- - winlog.event_data.Hash
- - winlog.event_data.Hashes
- - winlog.event_data.TargetObject
- - winlog.event_data.Details
- - winlog.time_created
- - winlog.level
- ignore_failure: true
- ignore_missing: true
- - script:
- description: Remove all empty values from event_data.
- lang: painless
- source: ctx?.winlog?.event_data?.entrySet().removeIf(entry -> entry.getValue() == null || entry.getValue().equals("") || entry.getValue().equals("-"));
- - remove:
- description: Remove empty event data.
- field: winlog.event_data
- ignore_missing: true
- ignore_failure: true
- if: ctx?.winlog?.event_data != null && ctx.winlog.event_data.size() == 0
-
-on_failure:
- - set:
- field: "error.message"
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/windows/0.7.0/data_stream/sysmon_operational/fields/agent.yml b/packages/windows/0.7.0/data_stream/sysmon_operational/fields/agent.yml
deleted file mode 100755
index da4e652c53..0000000000
--- a/packages/windows/0.7.0/data_stream/sysmon_operational/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/windows/0.7.0/data_stream/sysmon_operational/fields/base-fields.yml b/packages/windows/0.7.0/data_stream/sysmon_operational/fields/base-fields.yml
deleted file mode 100755
index a9a65458fc..0000000000
--- a/packages/windows/0.7.0/data_stream/sysmon_operational/fields/base-fields.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset name.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: dataset.type
- type: constant_keyword
- description: Dataset type.
-- name: dataset.name
- type: constant_keyword
- description: Dataset name.
-- name: dataset.namespace
- type: constant_keyword
- description: Dataset namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/windows/0.7.0/data_stream/sysmon_operational/fields/ecs.yml b/packages/windows/0.7.0/data_stream/sysmon_operational/fields/ecs.yml
deleted file mode 100755
index aa0eaf261f..0000000000
--- a/packages/windows/0.7.0/data_stream/sysmon_operational/fields/ecs.yml
+++ /dev/null
@@ -1,554 +0,0 @@ -- name: message - type: text - description: 'For log events the message field contains the log message, optimized for viewing in a log viewer.' -- name: ecs.version - type: keyword - description: ECS version -- name: error - title: Error - type: group - fields: - - name: code - type: keyword - ignore_above: 1024 - description: Error code describing the error. - - name: message - type: text - description: Error message. -- name: event - title: Event - type: group - fields: - - name: action - type: keyword - ignore_above: 1024 - description: 'The action captured by the event.' - - name: category - type: keyword - ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.' - - name: code - type: keyword - ignore_above: 1024 - description: 'Identification code for this event, if one exists.' - - name: created - type: date - description: 'event.created contains the date/time when the event was first read by an agent, or by your pipeline.' - - name: ingested - type: date - description: 'Timestamp when an event arrived in the central data store.' - - name: kind - type: keyword - ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.' - - name: module - type: keyword - ignore_above: 1024 - description: 'Name of the module this data is coming from.' - - name: outcome - type: keyword - ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.' - - name: provider - type: keyword - ignore_above: 1024 - description: 'Source of the event.' - - name: sequence - type: long - format: string - description: 'Sequence number of the event.' 
- - name: type - type: keyword - ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.' -- name: file - title: File - type: group - fields: - - name: code_signature.exists - type: boolean - description: Boolean to capture if a signature is present. - - name: code_signature.status - type: keyword - ignore_above: 1024 - description: 'Additional information about the certificate status.' - - name: code_signature.subject_name - type: keyword - ignore_above: 1024 - description: Subject name of the code signer - - name: code_signature.trusted - type: boolean - description: 'Stores the trust status of the certificate chain.' - - name: code_signature.valid - type: boolean - description: 'Boolean to capture if the digital signature is verified against the binary content.' - - name: hash.md5 - type: keyword - ignore_above: 1024 - description: MD5 hash. - - name: hash.sha1 - type: keyword - ignore_above: 1024 - description: SHA1 hash. - - name: hash.sha256 - type: keyword - ignore_above: 1024 - description: SHA256 hash. - - name: hash.sha512 - type: keyword - ignore_above: 1024 - description: SHA512 hash. - - description: Name of the file including the extension, without the directory. - name: name - type: keyword - - name: directory - type: keyword - ignore_above: 1024 - description: Directory where the file is located. It should include the drive letter, when appropriate. - - name: extension - type: keyword - ignore_above: 1024 - description: 'File extension, excluding the leading dot.' - - name: path - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - - name: pe.architecture - type: keyword - ignore_above: 1024 - description: CPU architecture target for the file. 
- - name: pe.company - type: keyword - ignore_above: 1024 - description: Internal company name of the file, provided at compile-time. - - name: pe.description - type: keyword - ignore_above: 1024 - description: Internal description of the file, provided at compile-time. - - name: pe.file_version - type: keyword - ignore_above: 1024 - description: Internal version of the file, provided at compile-time. - - name: pe.imphash - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a PE file.' - - name: pe.original_file_name - type: keyword - ignore_above: 1024 - description: Internal name of the file, provided at compile-time. - - name: pe.product - type: keyword - ignore_above: 1024 - description: Internal product name of the file, provided at compile-time. -- name: host - title: Host - type: group - fields: - - name: name - type: keyword - ignore_above: 1024 - description: 'Name of the host.' -- name: log - title: Log - type: group - fields: - - name: level - type: keyword - ignore_above: 1024 - description: 'Original log level of the log event.' -- name: process - title: Process - type: group - fields: - - name: args - type: keyword - ignore_above: 1024 - description: 'Array of process arguments, starting with the absolute path to the executable.' - - name: args_count - type: long - description: 'Length of the process.args array.' - - name: command_line - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: 'Full command line that started the process, including the absolute path to the executable, and all arguments.' - - name: entity_id - type: keyword - ignore_above: 1024 - description: 'Unique identifier for the process.' - - name: executable - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Absolute path to the process executable. - - name: hash.md5 - type: keyword - ignore_above: 1024 - description: MD5 hash. 
- - name: hash.sha1 - type: keyword - ignore_above: 1024 - description: SHA1 hash. - - name: hash.sha256 - type: keyword - ignore_above: 1024 - description: SHA256 hash. - - name: hash.sha512 - type: keyword - ignore_above: 1024 - description: SHA512 hash. - - name: name - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: 'Process name.' - - name: parent.args - type: keyword - ignore_above: 1024 - description: 'Array of process arguments, starting with the absolute path to the executable.' - - name: parent.args_count - type: long - description: 'Length of the process.args array.' - - name: parent.command_line - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: 'Full command line that started the process, including the absolute path to the executable, and all arguments.' - - name: parent.entity_id - type: keyword - ignore_above: 1024 - description: 'Unique identifier for the process.' - - name: parent.executable - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Absolute path to the process executable. - - name: parent.name - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: 'Process name.' - - name: parent.pid - type: long - format: string - description: Process id. - - name: pe.architecture - type: keyword - ignore_above: 1024 - description: CPU architecture target for the file. - - name: pe.company - type: keyword - ignore_above: 1024 - description: Internal company name of the file, provided at compile-time. - - name: pe.description - type: keyword - ignore_above: 1024 - description: Internal description of the file, provided at compile-time. - - name: pe.file_version - type: keyword - ignore_above: 1024 - description: Internal version of the file, provided at compile-time. 
- - name: pe.imphash - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a PE file.' - - name: pe.original_file_name - type: keyword - ignore_above: 1024 - description: Internal name of the file, provided at compile-time. - - name: pe.product - type: keyword - ignore_above: 1024 - description: Internal product name of the file, provided at compile-time. - - name: pid - type: long - format: string - description: Process id. - - name: title - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.' - - name: working_directory - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: The working directory of the process. -- name: user - title: User - type: group - fields: - - name: domain - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of.' - - name: id - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - - name: name - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Short name or login of the user. - - name: target.group.domain - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of.' - - name: target.group.id - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - - name: target.group.name - type: keyword - ignore_above: 1024 - description: Name of the group. - - name: target.name - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Short name or login of the user. 
-- name: group - title: Group - type: group - fields: - - name: domain - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of.' - - name: id - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - - name: name - type: keyword - ignore_above: 1024 - description: Name of the group. -- name: service - title: Service - type: group - fields: - - name: name - type: keyword - ignore_above: 1024 - description: 'Name of the service data is collected from.' - - name: type - type: keyword - ignore_above: 1024 - description: 'The type of the service data is collected from.' -- name: source - title: Source - type: group - fields: - - name: domain - type: keyword - ignore_above: 1024 - description: Source domain. - - name: ip - type: ip - description: IP address of the source (IPv4 or IPv6). - - name: port - type: long - format: string - description: Port of the source. -- name: destination - title: Destination - type: group - fields: - - name: domain - type: keyword - ignore_above: 1024 - description: Destination domain. - - name: ip - type: ip - description: IP address of the destination (IPv4 or IPv6). - - name: port - type: long - format: string - description: Port of the destination. -- name: related - title: Related - type: group - fields: - - name: hash - type: keyword - ignore_above: 1024 - - name: hosts - type: keyword - ignore_above: 1024 - - name: ip - type: ip - - name: user - type: keyword - ignore_above: 1024 -- name: dns - title: DNS - group: 2 - type: group - fields: - - name: answers - type: object - description: 'An array containing an object for each answer section returned by the server.' - - name: answers.class - type: keyword - ignore_above: 1024 - description: The class of DNS data contained in this resource record. - - name: answers.data - type: keyword - ignore_above: 1024 - description: 'The data describing the resource.' 
- - name: answers.name - type: keyword - ignore_above: 1024 - description: 'The domain name to which this resource record pertains.' - - name: answers.ttl - type: long - description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. - - name: answers.type - type: keyword - ignore_above: 1024 - description: The type of data contained in this resource record. - - name: header_flags - type: keyword - ignore_above: 1024 - description: 'Array of 2 letter DNS header flags.' - - name: id - type: keyword - ignore_above: 1024 - description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. - - name: op_code - type: keyword - ignore_above: 1024 - description: The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. - - name: question.class - type: keyword - ignore_above: 1024 - description: The class of records being queried. - - name: question.name - type: keyword - ignore_above: 1024 - description: 'The name being queried.' - - name: question.registered_domain - type: keyword - ignore_above: 1024 - description: 'The highest registered domain, stripped of the subdomain.' - - name: question.subdomain - type: keyword - ignore_above: 1024 - description: 'The subdomain is all of the labels under the registered_domain.' - - name: question.top_level_domain - type: keyword - ignore_above: 1024 - description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".' - - name: question.type - type: keyword - ignore_above: 1024 - description: The type of record being queried. - - name: resolved_ip - type: ip - description: 'Array containing all IPs seen in `answers.data`.' 
- - name: response_code - type: keyword - ignore_above: 1024 - description: The DNS response code. - - name: type - type: keyword - ignore_above: 1024 - description: 'The type of DNS event captured, query or answer.' -- name: network - title: Network - type: group - fields: - - name: community_id - type: keyword - ignore_above: 1024 - description: 'A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.' - - name: direction - type: keyword - ignore_above: 1024 - description: "Direction of the network traffic." - - name: protocol - type: keyword - ignore_above: 1024 - description: 'L7 Network protocol name. ex. http, lumberjack, transport protocol.' - - name: transport - type: keyword - ignore_above: 1024 - description: 'Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)' - - name: type - type: keyword - ignore_above: 1024 - description: 'In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc' -- name: registry - title: Registry - type: group - fields: - - name: data.strings - type: keyword - ignore_above: 1024 - description: 'Content when writing string types.' - - name: data.type - type: keyword - ignore_above: 1024 - description: Standard registry type for encoding contents - - name: hive - type: keyword - ignore_above: 1024 - description: Abbreviated name for the hive. - - name: key - type: keyword - ignore_above: 1024 - description: Hive-relative path of keys. - - name: path - type: keyword - ignore_above: 1024 - description: Full path, including hive, key and value Options\winword.exe\Debugger - - name: value - type: keyword - ignore_above: 1024 - description: Name of the value written. -- name: rule - title: Rule - type: group - fields: - - name: name - type: keyword - ignore_above: 1024 - description: The name of the rule or signature generating the event. 
diff --git a/packages/windows/0.7.0/data_stream/sysmon_operational/fields/fields.yml b/packages/windows/0.7.0/data_stream/sysmon_operational/fields/fields.yml
deleted file mode 100755
index fe766a8460..0000000000
--- a/packages/windows/0.7.0/data_stream/sysmon_operational/fields/fields.yml
+++ /dev/null
@@ -1,9 +0,0 @@
-- name: sysmon.dns.status
- type: keyword
- description: Windows status code returned for the DNS query.
-- name: sysmon.file.archived
- type: boolean
- description: Indicates if the deleted file was archived.
-- name: sysmon.file.is_executable
- type: boolean
- description: Indicates if the deleted file was an executable.
diff --git a/packages/windows/0.7.0/data_stream/sysmon_operational/fields/winlog.yml b/packages/windows/0.7.0/data_stream/sysmon_operational/fields/winlog.yml
deleted file mode 100755
index 85152cf774..0000000000
--- a/packages/windows/0.7.0/data_stream/sysmon_operational/fields/winlog.yml
+++ /dev/null
@@ -1,371 +0,0 @@
-- name: winlog
- type: group
- description: >
- All fields specific to the Windows Event Log are defined here.
-
- fields:
- - name: api
- required: true
- type: keyword
- description: >
- The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API.
-
- The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs.
-
- - name: activity_id
- type: keyword
- required: false
- description: >
- A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity.
-
- - name: computer_name
- type: keyword
- required: true
- description: >
- The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`.
-
- - name: event_data
- type: object
- object_type: keyword
- required: false
- description: >
- The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows.
-
- - name: event_data
- type: group
- description: >
- This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs.
-
- fields:
- - name: AuthenticationPackageName
- type: keyword
- - name: Binary
- type: keyword
- - name: BitlockerUserInputTime
- type: keyword
- - name: BootMode
- type: keyword
- - name: BootType
- type: keyword
- - name: BuildVersion
- type: keyword
- - name: ClientInfo
- type: keyword
- - name: Company
- type: keyword
- - name: Configuration
- type: keyword
- - name: CorruptionActionState
- type: keyword
- - name: CreationUtcTime
- type: keyword
- - name: Description
- type: keyword
- - name: Detail
- type: keyword
- - name: DeviceName
- type: keyword
- - name: DeviceNameLength
- type: keyword
- - name: DeviceTime
- type: keyword
- - name: DeviceVersionMajor
- type: keyword
- - name: DeviceVersionMinor
- type: keyword
- - name: DriveName
- type: keyword
- - name: DriverName
- type: keyword
- - name: DriverNameLength
- type: keyword
- - name: DwordVal
- type: keyword
- - name: EntryCount
- type: keyword
- - name: EventType
- type: keyword
- - name: ExtraInfo
- type: keyword
- - name: FailureName
- type: keyword
- - name: FailureNameLength
- type: keyword
- - name: FileVersion
- type: keyword
- - name: FinalStatus
- type: keyword
- - name: Group
- type: keyword
- - name: IdleImplementation
- type: keyword
- - name: IdleStateCount
- type: keyword
- - name: ImpersonationLevel
- type: keyword
- - name: IntegrityLevel
- type: keyword
- - name: IpAddress
- type: keyword
- - name: IpPort
- type: keyword
- - name: KeyLength
- type: keyword
- - name: LastBootGood
- type: keyword
- - name: LastShutdownGood
- type: keyword
- - name: LmPackageName
- type: keyword
- - name: LogonGuid
- type: keyword
- - name: LogonId
- type: keyword
- - name: LogonProcessName
- type: keyword
- - name: LogonType
- type: keyword
- - name: MajorVersion
- type: keyword
- - name: MaximumPerformancePercent
- type: keyword
- - name: MemberName
- type: keyword
- - name: MemberSid
- type: keyword
- - name: MinimumPerformancePercent
- type: keyword
- - name: MinimumThrottlePercent
- type: keyword
- - name: MinorVersion
- type: keyword
- - name: NewProcessId
- type: keyword
- - name: NewProcessName
- type: keyword
- - name: NewSchemeGuid
- type: keyword
- - name: NewTime
- type: keyword
- - name: NominalFrequency
- type: keyword
- - name: Number
- type: keyword
- - name: OldSchemeGuid
- type: keyword
- - name: OldTime
- type: keyword
- - name: OriginalFileName
- type: keyword
- - name: Path
- type: keyword
- - name: PerformanceImplementation
- type: keyword
- - name: PreviousCreationUtcTime
- type: keyword
- - name: PreviousTime
- type: keyword
- - name: PrivilegeList
- type: keyword
- - name: ProcessId
- type: keyword
- - name: ProcessName
- type: keyword
- - name: ProcessPath
- type: keyword
- - name: ProcessPid
- type: keyword
- - name: Product
- type: keyword
- - name: PuaCount
- type: keyword
- - name: PuaPolicyId
- type: keyword
- - name: QfeVersion
- type: keyword
- - name: Reason
- type: keyword
- - name: SchemaVersion
- type: keyword
- - name: ScriptBlockText
- type: keyword
- - name: ServiceName
- type: keyword
- - name: ServiceVersion
- type: keyword
- - name: Session
- type: keyword
- - name: ShutdownActionType
- type: keyword
- - name: ShutdownEventCode
- type: keyword
- - name: ShutdownReason
- type: keyword
- - name: Signature
- type: keyword
- - name: SignatureStatus
- type: keyword
- - name: Signed
- type: keyword
- - name: StartTime
- type: keyword
- - name: State
- type: keyword
- - name: Status
- type: keyword
- - name: StopTime
- type: keyword
- - name: SubjectDomainName
- type: keyword
- - name: SubjectLogonId
- type: keyword
- - name: SubjectUserName
- type: keyword
- - name: SubjectUserSid
- type: keyword
- - name: TSId
- type: keyword
- - name: TargetDomainName
- type: keyword
- - name: TargetInfo
- type: keyword
- - name: TargetLogonGuid
- type: keyword
- - name: TargetLogonId
- type: keyword
- - name: TargetServerName
- type: keyword
- - name: TargetUserName
- type: keyword
- - name: TargetUserSid
- type: keyword
- - name: TerminalSessionId
- type: keyword
- - name: TokenElevationType
- type: keyword
- - name: TransmittedServices
- type: keyword
- - name: Type
- type: keyword
- - name: UserSid
- type: keyword
- - name: Version
- type: keyword
- - name: Workstation
- type: keyword
- - name: param1
- type: keyword
- - name: param2
- type: keyword
- - name: param3
- type: keyword
- - name: param4
- type: keyword
- - name: param5
- type: keyword
- - name: param6
- type: keyword
- - name: param7
- type: keyword
- - name: param8
- type: keyword
- - name: event_id
- type: keyword
- required: true
- description: >
- The event identifier. The value is specific to the source of the event.
-
- - name: keywords
- type: keyword
- required: false
- description: >
- The keywords are used to classify an event.
-
- - name: channel
- type: keyword
- required: true
- description: >
- The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration.
-
- - name: record_id
- type: keyword
- required: true
- description: >
- The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0.
-
- - name: related_activity_id
- type: keyword
- required: false
- description: >
- A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier.
-
- - name: opcode
- type: keyword
- required: false
- description: >
- The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged.
-
- - name: provider_guid
- type: keyword
- required: false
- description: >
- A globally unique identifier that identifies the provider that logged the event.
-
- - name: process.pid
- type: long
- required: false
- description: >
- The process_id of the Client Server Runtime Process.
-
- - name: provider_name
- type: keyword
- required: true
- description: >
- The source of the event log record (the application or service that logged the record).
-
- - name: task
- type: keyword
- required: false
- description: >
- The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field.
-
- - name: process.thread.id
- type: long
- required: false
- - name: user_data
- type: object
- object_type: keyword
- required: false
- description: >
- The event specific data. This field is mutually exclusive with `event_data`.
-
- - name: user.identifier
- type: keyword
- required: false
- example: S-1-5-21-3541430928-2051711210-1391384369-1001
- description: >
- The Windows security identifier (SID) of the account associated with this event.
-
- If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be.
-
- - name: user.name
- type: keyword
- description: >
- Name of the user associated with this event.
-
- - name: user.domain
- type: keyword
- required: false
- description: >
- The domain that the account associated with this event is a member of.
-
- - name: user.type
- type: keyword
- required: false
- description: >
- The type of account associated with this event.
-
- - name: version
- type: long
- required: false
- description: The version number of the event's definition.
diff --git a/packages/windows/0.7.0/data_stream/sysmon_operational/manifest.yml b/packages/windows/0.7.0/data_stream/sysmon_operational/manifest.yml
deleted file mode 100755
index c88fb5c7a3..0000000000
--- a/packages/windows/0.7.0/data_stream/sysmon_operational/manifest.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-type: logs
-title: Windows Sysmon/Operational events
-release: experimental
-streams:
- - input: winlog
- template_path: winlog.yml.hbs
- title: Sysmon Operational
- description: 'Collect Microsoft-Windows-Sysmon/Operational channel logs'
- - input: httpjson
- title: Windows Sysmon Operational Events via Splunk Enterprise REST API
- description: Collect Sysmon Operational Events via Splunk Enterprise REST API
- enabled: false
- template_path: httpjson.yml.hbs
- vars:
- - name: interval
- type: text
- title: Interval to query Splunk Enterprise REST API
- description: Go Duration syntax (eg. 10s)
- show_user: true
- required: true
- default: 10s
- - name: search
- type: text
- title: Splunk search string
- show_user: false
- required: true
- default: "search sourcetype=\"XmlWinEventLog:Microsoft-Windows-Sysmon/Operational\""
- - name: tags
- type: text
- title: Tags
- multi: true
- show_user: false
- default:
- - forwarded
diff --git a/packages/windows/0.7.0/docs/README.md b/packages/windows/0.7.0/docs/README.md
deleted file mode 100755
index 9ea5c9b1cb..0000000000
--- a/packages/windows/0.7.0/docs/README.md
+++ /dev/null
@@ -1,1211 +0,0 @@
-# Windows Integration
-
-The Windows package allows you to monitor the Windows os, services, applications etc. Because the Windows integration
-always applies to the local server, the `hosts` config option is not needed. Note that for 7.11, `security`, `application` and `system` logs have been moved to the system package.
-
-## Compatibility
-
-The Windows datasets collect different kinds of metric data, which may require dedicated permissions
-to be fetched and which may vary across operating systems.
-
-## Configuration
-
-### Splunk Enterprise
-
-To configure Splunk Enterprise to be able to pull events from it, please visit
-[Splunk docs](https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/MonitorWindowseventlogdata) for details. **The integration requires events in XML format, for this `renderXml` option needs to be set to `1` in your `inputs.conf`.**
-
-## Metrics
-
-### Service
-
-The Windows `service` dataset provides service details.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. 
| keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| windows.service.display_name | The display name of the service. | keyword | -| windows.service.exit_code | For `Stopped` services this is the error code that service reports when starting to stopping. This will be the generic Windows service error code unless the service provides a service-specific error code. | keyword | -| windows.service.id | A unique ID for the service. It is a hash of the machine's GUID and the service name. | keyword | -| windows.service.name | The service name. | keyword | -| windows.service.path_name | Fully qualified path to the file that implements the service, including arguments. | keyword | -| windows.service.pid | For `Running` services this is the associated process PID. | long | -| windows.service.start_name | Account name under which a service runs. | keyword | -| windows.service.start_type | The startup type of the service. The possible values are `Automatic`, `Boot`, `Disabled`, `Manual`, and `System`. | keyword | -| windows.service.state | The actual state of the service. The possible values are `Continuing`, `Pausing`, `Paused`, `Running`, `Starting`, `Stopping`, and `Stopped`. | keyword | -| windows.service.uptime.ms | The service's uptime specified in milliseconds. | long | - - - -### Perfmon - -The Windows `perfmon` dataset provides performance counter values. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. 
| keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). 
| keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| windows.perfmon.instance | Instance value. | keyword | -| windows.perfmon.metrics.*.* | Metric values returned. | object | -| windows.perfmon.object | Object value. | keyword | - - - -Both datasets are available on Windows only. - -## Logs - -### Forwarded - -The Windows `forwarded` dataset provides events from the Windows -`ForwardedEvents` event log. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. 
| keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset name. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| dataset.name | Dataset name. | constant_keyword | -| dataset.namespace | Dataset namespace. | constant_keyword | -| dataset.type | Dataset type. | constant_keyword | -| dns.answers | An array containing an object for each answer section returned by the server. | object | -| dns.answers.class | The class of DNS data contained in this resource record. | keyword | -| dns.answers.data | The data describing the resource. | keyword | -| dns.answers.name | The domain name to which this resource record pertains. | keyword | -| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long | -| dns.answers.type | The type of data contained in this resource record. | keyword | -| dns.header_flags | Array of 2 letter DNS header flags. | keyword | -| dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword | -| dns.op_code | The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. | keyword | -| dns.question.class | The class of records being queried. | keyword | -| dns.question.name | The name being queried. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. 
For example, the top level domain for example.com is "com". | keyword | -| dns.question.type | The type of record being queried. | keyword | -| dns.resolved_ip | Array containing all IPs seen in `answers.data`. | ip | -| dns.response_code | The DNS response code. | keyword | -| dns.type | The type of DNS event captured, query or answer. | keyword | -| event.action | The action captured by the event. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. | keyword | -| event.code | Identification code for this event, if one exists. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. | date | -| event.ingested | Timestamp when an event arrived in the central data store. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. | keyword | -| event.module | Name of the module this data is coming from. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. | keyword | -| event.provider | Source of the event. | keyword | -| event.sequence | Sequence number of the event. | long | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. | keyword | -| group.domain | Name of the directory the group is a member of. | keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. 
For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| log.level | Original log level of the log event. | keyword | -| network.protocol | L7 Network protocol name. ex. http, lumberjack, transport protocol. | keyword | -| powershell.command.invocation_details | An array of objects containing detailed information of the executed command. | array | -| powershell.command.invocation_details.name | Only used for ParameterBinding detail type. Indicates the parameter name. | keyword | -| powershell.command.invocation_details.related_command | The command to which the detail is related to. | keyword | -| powershell.command.invocation_details.type | The type of detail. | keyword | -| powershell.command.invocation_details.value | The value of the detail. The meaning of it will depend on the detail type. 
| text | -| powershell.command.name | Name of the executed command. | keyword | -| powershell.command.path | Path of the executed command. | keyword | -| powershell.command.type | Type of the executed command. | keyword | -| powershell.command.value | The invoked command. | text | -| powershell.connected_user.domain | User domain. | keyword | -| powershell.connected_user.name | User name. | keyword | -| powershell.engine.new_state | New state of the PowerShell engine. | keyword | -| powershell.engine.previous_state | Previous state of the PowerShell engine. | keyword | -| powershell.engine.version | Version of the PowerShell engine version used to execute the command. | keyword | -| powershell.file.script_block_id | Id of the executed script block. | keyword | -| powershell.file.script_block_text | Text of the executed script block. | text | -| powershell.id | Shell Id. | keyword | -| powershell.pipeline_id | Pipeline id. | keyword | -| powershell.process.executable_version | Version of the engine hosting process executable. | keyword | -| powershell.provider.name | Provider name. | keyword | -| powershell.provider.new_state | New state of the PowerShell provider. | keyword | -| powershell.runspace_id | Runspace id. | keyword | -| powershell.sequence | Sequence number of the powershell execution. | long | -| powershell.total | Total number of messages in the sequence. | long | -| process.args | Array of process arguments, starting with the absolute path to the executable. | keyword | -| process.args_count | Length of the process.args array. | long | -| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. | keyword | -| process.entity_id | Unique identifier for the process. | keyword | -| process.executable | Absolute path to the process executable. | keyword | -| process.hash.md5 | MD5 hash. | keyword | -| process.hash.sha1 | SHA1 hash. | keyword | -| process.hash.sha256 | SHA256 hash. 
| keyword | -| process.hash.sha512 | SHA512 hash. | keyword | -| process.name | Process name. | keyword | -| process.parent.args | Array of process arguments, starting with the absolute path to the executable. | keyword | -| process.parent.args_count | Length of the process.args array. | long | -| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. | keyword | -| process.parent.entity_id | Unique identifier for the process. | keyword | -| process.parent.executable | Absolute path to the process executable. | keyword | -| process.parent.hash.md5 | MD5 hash. | keyword | -| process.parent.hash.sha1 | SHA1 hash. | keyword | -| process.parent.hash.sha256 | SHA256 hash. | keyword | -| process.parent.hash.sha512 | SHA512 hash. | keyword | -| process.parent.name | Process name. | keyword | -| process.parent.pe.architecture | CPU architecture target for the file. | keyword | -| process.parent.pe.company | Internal company name of the file, provided at compile-time. | keyword | -| process.parent.pe.description | Internal description of the file, provided at compile-time. | keyword | -| process.parent.pe.file_version | Internal version of the file, provided at compile-time. | keyword | -| process.parent.pe.imphash | A hash of the imports in a PE file. | keyword | -| process.parent.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | -| process.parent.pe.product | Internal product name of the file, provided at compile-time. | keyword | -| process.parent.pid | Process id. | long | -| process.parent.start | The time the process started. | date | -| process.parent.title | Process title. | keyword | -| process.pe.architecture | CPU architecture target for the file. | keyword | -| process.pe.company | Internal company name of the file, provided at compile-time. | keyword | -| process.pe.description | Internal description of the file, provided at compile-time. 
| keyword | -| process.pe.file_version | Internal version of the file, provided at compile-time. | keyword | -| process.pe.imphash | A hash of the imports in a PE file. | keyword | -| process.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | -| process.pe.product | Internal product name of the file, provided at compile-time. | keyword | -| process.pid | Process id. | long | -| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| process.working_directory | The working directory of the process. | keyword | -| related.hash | | keyword | -| related.hosts | | keyword | -| related.ip | | ip | -| related.user | | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| service.name | Name of the service data is collected from. | keyword | -| service.type | The type of the service data is collected from. | keyword | -| source.domain | Source domain. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| sysmon.dns.status | Windows status code returned for the DNS query. | keyword | -| sysmon.file.archived | Indicates if the deleted file was archived. | boolean | -| sysmon.file.is_executable | Indicates if the deleted file was an executable. | boolean | -| user.domain | Name of the directory the user is a member of. | keyword | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.target.group.domain | Name of the directory the group is a member of. | keyword | -| user.target.group.id | Unique identifier for the group on the system/platform. | keyword | -| user.target.group.name | Name of the group. | keyword | -| user.target.name | Short name or login of the user. 
| keyword | -| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword | -| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword | -| winlog.channel | The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. | keyword | -| winlog.computer_name | The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. | keyword | -| winlog.event_data | The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. 
| object | -| winlog.event_data.AuthenticationPackageName | | keyword | -| winlog.event_data.Binary | | keyword | -| winlog.event_data.BitlockerUserInputTime | | keyword | -| winlog.event_data.BootMode | | keyword | -| winlog.event_data.BootType | | keyword | -| winlog.event_data.BuildVersion | | keyword | -| winlog.event_data.Company | | keyword | -| winlog.event_data.CorruptionActionState | | keyword | -| winlog.event_data.CreationUtcTime | | keyword | -| winlog.event_data.Description | | keyword | -| winlog.event_data.Detail | | keyword | -| winlog.event_data.DeviceName | | keyword | -| winlog.event_data.DeviceNameLength | | keyword | -| winlog.event_data.DeviceTime | | keyword | -| winlog.event_data.DeviceVersionMajor | | keyword | -| winlog.event_data.DeviceVersionMinor | | keyword | -| winlog.event_data.DriveName | | keyword | -| winlog.event_data.DriverName | | keyword | -| winlog.event_data.DriverNameLength | | keyword | -| winlog.event_data.DwordVal | | keyword | -| winlog.event_data.EntryCount | | keyword | -| winlog.event_data.ExtraInfo | | keyword | -| winlog.event_data.FailureName | | keyword | -| winlog.event_data.FailureNameLength | | keyword | -| winlog.event_data.FileVersion | | keyword | -| winlog.event_data.FinalStatus | | keyword | -| winlog.event_data.Group | | keyword | -| winlog.event_data.IdleImplementation | | keyword | -| winlog.event_data.IdleStateCount | | keyword | -| winlog.event_data.ImpersonationLevel | | keyword | -| winlog.event_data.IntegrityLevel | | keyword | -| winlog.event_data.IpAddress | | keyword | -| winlog.event_data.IpPort | | keyword | -| winlog.event_data.KeyLength | | keyword | -| winlog.event_data.LastBootGood | | keyword | -| winlog.event_data.LastShutdownGood | | keyword | -| winlog.event_data.LmPackageName | | keyword | -| winlog.event_data.LogonGuid | | keyword | -| winlog.event_data.LogonId | | keyword | -| winlog.event_data.LogonProcessName | | keyword | -| winlog.event_data.LogonType | | keyword | -| 
winlog.event_data.MajorVersion | | keyword | -| winlog.event_data.MaximumPerformancePercent | | keyword | -| winlog.event_data.MemberName | | keyword | -| winlog.event_data.MemberSid | | keyword | -| winlog.event_data.MinimumPerformancePercent | | keyword | -| winlog.event_data.MinimumThrottlePercent | | keyword | -| winlog.event_data.MinorVersion | | keyword | -| winlog.event_data.NewProcessId | | keyword | -| winlog.event_data.NewProcessName | | keyword | -| winlog.event_data.NewSchemeGuid | | keyword | -| winlog.event_data.NewTime | | keyword | -| winlog.event_data.NominalFrequency | | keyword | -| winlog.event_data.Number | | keyword | -| winlog.event_data.OldSchemeGuid | | keyword | -| winlog.event_data.OldTime | | keyword | -| winlog.event_data.OriginalFileName | | keyword | -| winlog.event_data.Path | | keyword | -| winlog.event_data.PerformanceImplementation | | keyword | -| winlog.event_data.PreviousCreationUtcTime | | keyword | -| winlog.event_data.PreviousTime | | keyword | -| winlog.event_data.PrivilegeList | | keyword | -| winlog.event_data.ProcessId | | keyword | -| winlog.event_data.ProcessName | | keyword | -| winlog.event_data.ProcessPath | | keyword | -| winlog.event_data.ProcessPid | | keyword | -| winlog.event_data.Product | | keyword | -| winlog.event_data.PuaCount | | keyword | -| winlog.event_data.PuaPolicyId | | keyword | -| winlog.event_data.QfeVersion | | keyword | -| winlog.event_data.Reason | | keyword | -| winlog.event_data.SchemaVersion | | keyword | -| winlog.event_data.ScriptBlockText | | keyword | -| winlog.event_data.ServiceName | | keyword | -| winlog.event_data.ServiceVersion | | keyword | -| winlog.event_data.ShutdownActionType | | keyword | -| winlog.event_data.ShutdownEventCode | | keyword | -| winlog.event_data.ShutdownReason | | keyword | -| winlog.event_data.Signature | | keyword | -| winlog.event_data.SignatureStatus | | keyword | -| winlog.event_data.Signed | | keyword | -| winlog.event_data.StartTime | | keyword | -| 
winlog.event_data.State | | keyword | -| winlog.event_data.Status | | keyword | -| winlog.event_data.StopTime | | keyword | -| winlog.event_data.SubjectDomainName | | keyword | -| winlog.event_data.SubjectLogonId | | keyword | -| winlog.event_data.SubjectUserName | | keyword | -| winlog.event_data.SubjectUserSid | | keyword | -| winlog.event_data.TSId | | keyword | -| winlog.event_data.TargetDomainName | | keyword | -| winlog.event_data.TargetInfo | | keyword | -| winlog.event_data.TargetLogonGuid | | keyword | -| winlog.event_data.TargetLogonId | | keyword | -| winlog.event_data.TargetServerName | | keyword | -| winlog.event_data.TargetUserName | | keyword | -| winlog.event_data.TargetUserSid | | keyword | -| winlog.event_data.TerminalSessionId | | keyword | -| winlog.event_data.TokenElevationType | | keyword | -| winlog.event_data.TransmittedServices | | keyword | -| winlog.event_data.UserSid | | keyword | -| winlog.event_data.Version | | keyword | -| winlog.event_data.Workstation | | keyword | -| winlog.event_data.param1 | | keyword | -| winlog.event_data.param2 | | keyword | -| winlog.event_data.param3 | | keyword | -| winlog.event_data.param4 | | keyword | -| winlog.event_data.param5 | | keyword | -| winlog.event_data.param6 | | keyword | -| winlog.event_data.param7 | | keyword | -| winlog.event_data.param8 | | keyword | -| winlog.event_id | The event identifier. The value is specific to the source of the event. | keyword | -| winlog.keywords | The keywords are used to classify an event. | keyword | -| winlog.logon.failure.reason | The reason the logon failed. | keyword | -| winlog.logon.failure.status | The reason the logon failed. This is textual description based on the value of the hexadecimal `Status` field. | keyword | -| winlog.logon.failure.sub_status | Additional information about the logon failure. This is a textual description based on the value of the hexidecimal `SubStatus` field. 
| keyword | -| winlog.logon.id | Logon ID that can be used to associate this logon with other events related to the same logon session. | keyword | -| winlog.logon.type | Logon type name. This is the descriptive version of the `winlog.event_data.LogonType` ordinal. This is an enrichment added by the Security module. | keyword | -| winlog.opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. | keyword | -| winlog.process.pid | The process_id of the Client Server Runtime Process. | long | -| winlog.process.thread.id | | long | -| winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. | keyword | -| winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword | -| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | keyword | -| winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. | keyword | -| winlog.task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. | keyword | -| winlog.user.domain | The domain that the account associated with this event is a member of. | keyword | -| winlog.user.identifier | The Windows security identifier (SID) of the account associated with this event. 
If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. | keyword | -| winlog.user.name | Name of the user associated with this event. | keyword | -| winlog.user.type | The type of account associated with this event. | keyword | -| winlog.user_data | The event specific data. This field is mutually exclusive with `event_data`. | object | -| winlog.version | The version number of the event's definition. | long | - - - -### Powershell - -The Windows `powershell` dataset provides events from the Windows -`Windows PowerShell` event log. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset name. 
| constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| dataset.name | Dataset name. | constant_keyword | -| dataset.namespace | Dataset namespace. | constant_keyword | -| dataset.type | Dataset type. | constant_keyword | -| destination.user.domain | Name of the directory the user is a member of. | keyword | -| destination.user.id | Unique identifier of the user. | keyword | -| destination.user.name | Short name or login of the user. | keyword | -| ecs.version | ECS version | keyword | -| event.action | The action captured by the event. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. | keyword | -| event.code | Identification code for this event, if one exists. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. | date | -| event.ingested | Timestamp when an event arrived in the central data store. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. | keyword | -| event.module | Name of the module this data is coming from. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. | keyword | -| event.provider | Source of the event. | keyword | -| event.sequence | Sequence number of the event. | long | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. | keyword | -| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | -| file.extension | File extension, excluding the leading dot. | keyword | -| file.name | Name of the file including the extension, without the directory. 
| keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| log.level | Original log level of the log event. 
| keyword | -| powershell.command.invocation_details | An array of objects containing detailed information of the executed command. | array | -| powershell.command.invocation_details.name | Only used for ParameterBinding detail type. Indicates the parameter name. | keyword | -| powershell.command.invocation_details.related_command | The command to which the detail is related to. | keyword | -| powershell.command.invocation_details.type | The type of detail. | keyword | -| powershell.command.invocation_details.value | The value of the detail. The meaning of it will depend on the detail type. | text | -| powershell.command.name | Name of the executed command. | keyword | -| powershell.command.path | Path of the executed command. | keyword | -| powershell.command.type | Type of the executed command. | keyword | -| powershell.command.value | The invoked command. | text | -| powershell.connected_user.domain | User domain. | keyword | -| powershell.connected_user.name | User name. | keyword | -| powershell.engine.new_state | New state of the PowerShell engine. | keyword | -| powershell.engine.previous_state | Previous state of the PowerShell engine. | keyword | -| powershell.engine.version | Version of the PowerShell engine version used to execute the command. | keyword | -| powershell.file.script_block_id | Id of the executed script block. | keyword | -| powershell.file.script_block_text | Text of the executed script block. | text | -| powershell.id | Shell Id. | keyword | -| powershell.pipeline_id | Pipeline id. | keyword | -| powershell.process.executable_version | Version of the engine hosting process executable. | keyword | -| powershell.provider.name | Provider name. | keyword | -| powershell.provider.new_state | New state of the PowerShell provider. | keyword | -| powershell.runspace_id | Runspace id. | keyword | -| powershell.sequence | Sequence number of the powershell execution. | long | -| powershell.total | Total number of messages in the sequence. 
| long | -| process.args | Array of process arguments, starting with the absolute path to the executable. | keyword | -| process.args_count | Length of the process.args array. | long | -| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. | keyword | -| process.entity_id | Unique identifier for the process. | keyword | -| process.executable | Absolute path to the process executable. | keyword | -| process.name | Process name. | keyword | -| process.pid | Process PID. | long | -| process.title | Process title. | keyword | -| related.hash | | keyword | -| related.hosts | | keyword | -| related.ip | | ip | -| related.user | | keyword | -| source.user.domain | Name of the directory the user is a member of. | keyword | -| source.user.id | Unique identifier of the user. | keyword | -| source.user.name | Short name or login of the user. | keyword | -| tags | List of keywords used to tag each event. | keyword | -| user.domain | Name of the directory the user is a member of. | keyword | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword | -| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword | -| winlog.channel | The name of the channel from which this record was read. 
This value is one of the names from the `event_logs` collection in the configuration. | keyword | -| winlog.computer_name | The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. | keyword | -| winlog.event_data | The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. | object | -| winlog.event_data.AuthenticationPackageName | | keyword | -| winlog.event_data.Binary | | keyword | -| winlog.event_data.BitlockerUserInputTime | | keyword | -| winlog.event_data.BootMode | | keyword | -| winlog.event_data.BootType | | keyword | -| winlog.event_data.BuildVersion | | keyword | -| winlog.event_data.Company | | keyword | -| winlog.event_data.CorruptionActionState | | keyword | -| winlog.event_data.CreationUtcTime | | keyword | -| winlog.event_data.Description | | keyword | -| winlog.event_data.Detail | | keyword | -| winlog.event_data.DeviceName | | keyword | -| winlog.event_data.DeviceNameLength | | keyword | -| winlog.event_data.DeviceTime | | keyword | -| winlog.event_data.DeviceVersionMajor | | keyword | -| winlog.event_data.DeviceVersionMinor | | keyword | -| winlog.event_data.DriveName | | keyword | -| winlog.event_data.DriverName | | keyword | -| winlog.event_data.DriverNameLength | | keyword | -| winlog.event_data.DwordVal | | keyword | -| winlog.event_data.EntryCount | | keyword | -| winlog.event_data.ExtraInfo | | keyword | -| winlog.event_data.FailureName | | keyword | -| winlog.event_data.FailureNameLength | | keyword | -| winlog.event_data.FileVersion | | keyword | -| winlog.event_data.FinalStatus | | keyword | -| winlog.event_data.Group | | keyword | -| winlog.event_data.IdleImplementation | | keyword | -| winlog.event_data.IdleStateCount | | keyword | 
-| winlog.event_data.ImpersonationLevel | | keyword | -| winlog.event_data.IntegrityLevel | | keyword | -| winlog.event_data.IpAddress | | keyword | -| winlog.event_data.IpPort | | keyword | -| winlog.event_data.KeyLength | | keyword | -| winlog.event_data.LastBootGood | | keyword | -| winlog.event_data.LastShutdownGood | | keyword | -| winlog.event_data.LmPackageName | | keyword | -| winlog.event_data.LogonGuid | | keyword | -| winlog.event_data.LogonId | | keyword | -| winlog.event_data.LogonProcessName | | keyword | -| winlog.event_data.LogonType | | keyword | -| winlog.event_data.MajorVersion | | keyword | -| winlog.event_data.MaximumPerformancePercent | | keyword | -| winlog.event_data.MemberName | | keyword | -| winlog.event_data.MemberSid | | keyword | -| winlog.event_data.MinimumPerformancePercent | | keyword | -| winlog.event_data.MinimumThrottlePercent | | keyword | -| winlog.event_data.MinorVersion | | keyword | -| winlog.event_data.NewProcessId | | keyword | -| winlog.event_data.NewProcessName | | keyword | -| winlog.event_data.NewSchemeGuid | | keyword | -| winlog.event_data.NewTime | | keyword | -| winlog.event_data.NominalFrequency | | keyword | -| winlog.event_data.Number | | keyword | -| winlog.event_data.OldSchemeGuid | | keyword | -| winlog.event_data.OldTime | | keyword | -| winlog.event_data.OriginalFileName | | keyword | -| winlog.event_data.Path | | keyword | -| winlog.event_data.PerformanceImplementation | | keyword | -| winlog.event_data.PreviousCreationUtcTime | | keyword | -| winlog.event_data.PreviousTime | | keyword | -| winlog.event_data.PrivilegeList | | keyword | -| winlog.event_data.ProcessId | | keyword | -| winlog.event_data.ProcessName | | keyword | -| winlog.event_data.ProcessPath | | keyword | -| winlog.event_data.ProcessPid | | keyword | -| winlog.event_data.Product | | keyword | -| winlog.event_data.PuaCount | | keyword | -| winlog.event_data.PuaPolicyId | | keyword | -| winlog.event_data.QfeVersion | | keyword | -| 
winlog.event_data.Reason | | keyword | -| winlog.event_data.SchemaVersion | | keyword | -| winlog.event_data.ScriptBlockText | | keyword | -| winlog.event_data.ServiceName | | keyword | -| winlog.event_data.ServiceVersion | | keyword | -| winlog.event_data.ShutdownActionType | | keyword | -| winlog.event_data.ShutdownEventCode | | keyword | -| winlog.event_data.ShutdownReason | | keyword | -| winlog.event_data.Signature | | keyword | -| winlog.event_data.SignatureStatus | | keyword | -| winlog.event_data.Signed | | keyword | -| winlog.event_data.StartTime | | keyword | -| winlog.event_data.State | | keyword | -| winlog.event_data.Status | | keyword | -| winlog.event_data.StopTime | | keyword | -| winlog.event_data.SubjectDomainName | | keyword | -| winlog.event_data.SubjectLogonId | | keyword | -| winlog.event_data.SubjectUserName | | keyword | -| winlog.event_data.SubjectUserSid | | keyword | -| winlog.event_data.TSId | | keyword | -| winlog.event_data.TargetDomainName | | keyword | -| winlog.event_data.TargetInfo | | keyword | -| winlog.event_data.TargetLogonGuid | | keyword | -| winlog.event_data.TargetLogonId | | keyword | -| winlog.event_data.TargetServerName | | keyword | -| winlog.event_data.TargetUserName | | keyword | -| winlog.event_data.TargetUserSid | | keyword | -| winlog.event_data.TerminalSessionId | | keyword | -| winlog.event_data.TokenElevationType | | keyword | -| winlog.event_data.TransmittedServices | | keyword | -| winlog.event_data.UserSid | | keyword | -| winlog.event_data.Version | | keyword | -| winlog.event_data.Workstation | | keyword | -| winlog.event_data.param1 | | keyword | -| winlog.event_data.param2 | | keyword | -| winlog.event_data.param3 | | keyword | -| winlog.event_data.param4 | | keyword | -| winlog.event_data.param5 | | keyword | -| winlog.event_data.param6 | | keyword | -| winlog.event_data.param7 | | keyword | -| winlog.event_data.param8 | | keyword | -| winlog.event_id | The event identifier. 
The value is specific to the source of the event. | keyword | -| winlog.keywords | The keywords are used to classify an event. | keyword | -| winlog.opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. | keyword | -| winlog.process.pid | The process_id of the Client Server Runtime Process. | long | -| winlog.process.thread.id | | long | -| winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. | keyword | -| winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword | -| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | keyword | -| winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. | keyword | -| winlog.task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. | keyword | -| winlog.user.domain | The domain that the account associated with this event is a member of. | keyword | -| winlog.user.identifier | The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. 
| keyword | -| winlog.user.name | Name of the user associated with this event. | keyword | -| winlog.user.type | The type of account associated with this event. | keyword | -| winlog.user_data | The event specific data. This field is mutually exclusive with `event_data`. | object | -| winlog.version | The version number of the event's definition. | long | - - -### Powershell/Operational - -The Windows `powershell_operational` dataset provides events from the Windows -`Microsoft-Windows-PowerShell/Operational` event log. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset name. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| dataset.name | Dataset name. | constant_keyword | -| dataset.namespace | Dataset namespace. 
| constant_keyword | -| dataset.type | Dataset type. | constant_keyword | -| destination.user.domain | Name of the directory the user is a member of. | keyword | -| destination.user.id | Unique identifier of the user. | keyword | -| destination.user.name | Short name or login of the user. | keyword | -| ecs.version | ECS version | keyword | -| event.action | The action captured by the event. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. | keyword | -| event.code | Identification code for this event, if one exists. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. | date | -| event.ingested | Timestamp when an event arrived in the central data store. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. | keyword | -| event.module | Name of the module this data is coming from. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. | keyword | -| event.provider | Source of the event. | keyword | -| event.sequence | Sequence number of the event. | long | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. | keyword | -| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | -| file.extension | File extension, excluding the leading dot. | keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. 
| boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| log.level | Original log level of the log event. | keyword | -| powershell.command.invocation_details | An array of objects containing detailed information of the executed command. | array | -| powershell.command.invocation_details.name | Only used for ParameterBinding detail type. Indicates the parameter name. 
| keyword | -| powershell.command.invocation_details.related_command | The command to which the detail is related to. | keyword | -| powershell.command.invocation_details.type | The type of detail. | keyword | -| powershell.command.invocation_details.value | The value of the detail. The meaning of it will depend on the detail type. | text | -| powershell.command.name | Name of the executed command. | keyword | -| powershell.command.path | Path of the executed command. | keyword | -| powershell.command.type | Type of the executed command. | keyword | -| powershell.command.value | The invoked command. | text | -| powershell.connected_user.domain | User domain. | keyword | -| powershell.connected_user.name | User name. | keyword | -| powershell.engine.new_state | New state of the PowerShell engine. | keyword | -| powershell.engine.previous_state | Previous state of the PowerShell engine. | keyword | -| powershell.engine.version | Version of the PowerShell engine version used to execute the command. | keyword | -| powershell.file.script_block_id | Id of the executed script block. | keyword | -| powershell.file.script_block_text | Text of the executed script block. | text | -| powershell.id | Shell Id. | keyword | -| powershell.pipeline_id | Pipeline id. | keyword | -| powershell.process.executable_version | Version of the engine hosting process executable. | keyword | -| powershell.provider.name | Provider name. | keyword | -| powershell.provider.new_state | New state of the PowerShell provider. | keyword | -| powershell.runspace_id | Runspace id. | keyword | -| powershell.sequence | Sequence number of the powershell execution. | long | -| powershell.total | Total number of messages in the sequence. | long | -| process.args | Array of process arguments, starting with the absolute path to the executable. | keyword | -| process.args_count | Length of the process.args array. 
| long | -| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. | keyword | -| process.entity_id | Unique identifier for the process. | keyword | -| process.executable | Absolute path to the process executable. | keyword | -| process.name | Process name. | keyword | -| process.pid | Process PID. | long | -| process.title | Process title. | keyword | -| related.hash | | keyword | -| related.hosts | | keyword | -| related.ip | | ip | -| related.user | | keyword | -| source.user.domain | Name of the directory the user is a member of. | keyword | -| source.user.id | Unique identifier of the user. | keyword | -| source.user.name | Short name or login of the user. | keyword | -| tags | List of keywords used to tag each event. | keyword | -| user.domain | Name of the directory the user is a member of. | keyword | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword | -| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword | -| winlog.channel | The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. | keyword | -| winlog.computer_name | The name of the computer that generated the record. 
When using Windows event forwarding, this name can differ from `agent.hostname`. | keyword | -| winlog.event_data | The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. | object | -| winlog.event_data.AuthenticationPackageName | | keyword | -| winlog.event_data.Binary | | keyword | -| winlog.event_data.BitlockerUserInputTime | | keyword | -| winlog.event_data.BootMode | | keyword | -| winlog.event_data.BootType | | keyword | -| winlog.event_data.BuildVersion | | keyword | -| winlog.event_data.Company | | keyword | -| winlog.event_data.CorruptionActionState | | keyword | -| winlog.event_data.CreationUtcTime | | keyword | -| winlog.event_data.Description | | keyword | -| winlog.event_data.Detail | | keyword | -| winlog.event_data.DeviceName | | keyword | -| winlog.event_data.DeviceNameLength | | keyword | -| winlog.event_data.DeviceTime | | keyword | -| winlog.event_data.DeviceVersionMajor | | keyword | -| winlog.event_data.DeviceVersionMinor | | keyword | -| winlog.event_data.DriveName | | keyword | -| winlog.event_data.DriverName | | keyword | -| winlog.event_data.DriverNameLength | | keyword | -| winlog.event_data.DwordVal | | keyword | -| winlog.event_data.EntryCount | | keyword | -| winlog.event_data.ExtraInfo | | keyword | -| winlog.event_data.FailureName | | keyword | -| winlog.event_data.FailureNameLength | | keyword | -| winlog.event_data.FileVersion | | keyword | -| winlog.event_data.FinalStatus | | keyword | -| winlog.event_data.Group | | keyword | -| winlog.event_data.IdleImplementation | | keyword | -| winlog.event_data.IdleStateCount | | keyword | -| winlog.event_data.ImpersonationLevel | | keyword | -| winlog.event_data.IntegrityLevel | | keyword | -| winlog.event_data.IpAddress | | keyword | -| winlog.event_data.IpPort 
| | keyword | -| winlog.event_data.KeyLength | | keyword | -| winlog.event_data.LastBootGood | | keyword | -| winlog.event_data.LastShutdownGood | | keyword | -| winlog.event_data.LmPackageName | | keyword | -| winlog.event_data.LogonGuid | | keyword | -| winlog.event_data.LogonId | | keyword | -| winlog.event_data.LogonProcessName | | keyword | -| winlog.event_data.LogonType | | keyword | -| winlog.event_data.MajorVersion | | keyword | -| winlog.event_data.MaximumPerformancePercent | | keyword | -| winlog.event_data.MemberName | | keyword | -| winlog.event_data.MemberSid | | keyword | -| winlog.event_data.MinimumPerformancePercent | | keyword | -| winlog.event_data.MinimumThrottlePercent | | keyword | -| winlog.event_data.MinorVersion | | keyword | -| winlog.event_data.NewProcessId | | keyword | -| winlog.event_data.NewProcessName | | keyword | -| winlog.event_data.NewSchemeGuid | | keyword | -| winlog.event_data.NewTime | | keyword | -| winlog.event_data.NominalFrequency | | keyword | -| winlog.event_data.Number | | keyword | -| winlog.event_data.OldSchemeGuid | | keyword | -| winlog.event_data.OldTime | | keyword | -| winlog.event_data.OriginalFileName | | keyword | -| winlog.event_data.Path | | keyword | -| winlog.event_data.PerformanceImplementation | | keyword | -| winlog.event_data.PreviousCreationUtcTime | | keyword | -| winlog.event_data.PreviousTime | | keyword | -| winlog.event_data.PrivilegeList | | keyword | -| winlog.event_data.ProcessId | | keyword | -| winlog.event_data.ProcessName | | keyword | -| winlog.event_data.ProcessPath | | keyword | -| winlog.event_data.ProcessPid | | keyword | -| winlog.event_data.Product | | keyword | -| winlog.event_data.PuaCount | | keyword | -| winlog.event_data.PuaPolicyId | | keyword | -| winlog.event_data.QfeVersion | | keyword | -| winlog.event_data.Reason | | keyword | -| winlog.event_data.SchemaVersion | | keyword | -| winlog.event_data.ScriptBlockText | | keyword | -| winlog.event_data.ServiceName | | keyword | 
-| winlog.event_data.ServiceVersion | | keyword | -| winlog.event_data.ShutdownActionType | | keyword | -| winlog.event_data.ShutdownEventCode | | keyword | -| winlog.event_data.ShutdownReason | | keyword | -| winlog.event_data.Signature | | keyword | -| winlog.event_data.SignatureStatus | | keyword | -| winlog.event_data.Signed | | keyword | -| winlog.event_data.StartTime | | keyword | -| winlog.event_data.State | | keyword | -| winlog.event_data.Status | | keyword | -| winlog.event_data.StopTime | | keyword | -| winlog.event_data.SubjectDomainName | | keyword | -| winlog.event_data.SubjectLogonId | | keyword | -| winlog.event_data.SubjectUserName | | keyword | -| winlog.event_data.SubjectUserSid | | keyword | -| winlog.event_data.TSId | | keyword | -| winlog.event_data.TargetDomainName | | keyword | -| winlog.event_data.TargetInfo | | keyword | -| winlog.event_data.TargetLogonGuid | | keyword | -| winlog.event_data.TargetLogonId | | keyword | -| winlog.event_data.TargetServerName | | keyword | -| winlog.event_data.TargetUserName | | keyword | -| winlog.event_data.TargetUserSid | | keyword | -| winlog.event_data.TerminalSessionId | | keyword | -| winlog.event_data.TokenElevationType | | keyword | -| winlog.event_data.TransmittedServices | | keyword | -| winlog.event_data.UserSid | | keyword | -| winlog.event_data.Version | | keyword | -| winlog.event_data.Workstation | | keyword | -| winlog.event_data.param1 | | keyword | -| winlog.event_data.param2 | | keyword | -| winlog.event_data.param3 | | keyword | -| winlog.event_data.param4 | | keyword | -| winlog.event_data.param5 | | keyword | -| winlog.event_data.param6 | | keyword | -| winlog.event_data.param7 | | keyword | -| winlog.event_data.param8 | | keyword | -| winlog.event_id | The event identifier. The value is specific to the source of the event. | keyword | -| winlog.keywords | The keywords are used to classify an event. | keyword | -| winlog.opcode | The opcode defined in the event. 
Task and opcode are typically used to identify the location in the application from where the event was logged. | keyword | -| winlog.process.pid | The process_id of the Client Server Runtime Process. | long | -| winlog.process.thread.id | | long | -| winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. | keyword | -| winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword | -| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | keyword | -| winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. | keyword | -| winlog.task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. | keyword | -| winlog.user.domain | The domain that the account associated with this event is a member of. | keyword | -| winlog.user.identifier | The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. | keyword | -| winlog.user.name | Name of the user associated with this event. | keyword | -| winlog.user.type | The type of account associated with this event. 
| keyword |
-| winlog.user_data | The event specific data. This field is mutually exclusive with `event_data`. | object |
-| winlog.version | The version number of the event's definition. | long |
-
-
-### Sysmon/Operational
-
-The Windows `sysmon_operational` dataset provides events from the Windows
-`Microsoft-Windows-Sysmon/Operational` event log.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset name. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| dataset.name | Dataset name. | constant_keyword |
-| dataset.namespace | Dataset namespace. | constant_keyword |
-| dataset.type | Dataset type. | constant_keyword |
-| destination.domain | Destination domain. 
| keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| dns.answers | An array containing an object for each answer section returned by the server. | object |
-| dns.answers.class | The class of DNS data contained in this resource record. | keyword |
-| dns.answers.data | The data describing the resource. | keyword |
-| dns.answers.name | The domain name to which this resource record pertains. | keyword |
-| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long |
-| dns.answers.type | The type of data contained in this resource record. | keyword |
-| dns.header_flags | Array of 2 letter DNS header flags. | keyword |
-| dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword |
-| dns.op_code | The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. | keyword |
-| dns.question.class | The class of records being queried. | keyword |
-| dns.question.name | The name being queried. | keyword |
-| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. | keyword |
-| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. | keyword |
-| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". | keyword |
-| dns.question.type | The type of record being queried. | keyword |
-| dns.resolved_ip | Array containing all IPs seen in `answers.data`. | ip |
-| dns.response_code | The DNS response code. | keyword |
-| dns.type | The type of DNS event captured, query or answer. 
| keyword |
-| ecs.version | ECS version | keyword |
-| error.code | Error code describing the error. | keyword |
-| error.message | Error message. | text |
-| event.action | The action captured by the event. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. | keyword |
-| event.code | Identification code for this event, if one exists. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. | date |
-| event.ingested | Timestamp when an event arrived in the central data store. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. | keyword |
-| event.module | Name of the module this data is coming from. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. | keyword |
-| event.provider | Source of the event. | keyword |
-| event.sequence | Sequence number of the event. | long |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. | keyword |
-| file.code_signature.exists | Boolean to capture if a signature is present. | boolean |
-| file.code_signature.status | Additional information about the certificate status. | keyword |
-| file.code_signature.subject_name | Subject name of the code signer | keyword |
-| file.code_signature.trusted | Stores the trust status of the certificate chain. | boolean |
-| file.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. | boolean |
-| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword |
-| file.extension | File extension, excluding the leading dot. | keyword |
-| file.hash.md5 | MD5 hash. 
| keyword |
-| file.hash.sha1 | SHA1 hash. | keyword |
-| file.hash.sha256 | SHA256 hash. | keyword |
-| file.hash.sha512 | SHA512 hash. | keyword |
-| file.name | Name of the file including the extension, without the directory. | keyword |
-| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
-| file.pe.architecture | CPU architecture target for the file. | keyword |
-| file.pe.company | Internal company name of the file, provided at compile-time. | keyword |
-| file.pe.description | Internal description of the file, provided at compile-time. | keyword |
-| file.pe.file_version | Internal version of the file, provided at compile-time. | keyword |
-| file.pe.imphash | A hash of the imports in a PE file. | keyword |
-| file.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword |
-| file.pe.product | Internal product name of the file, provided at compile-time. | keyword |
-| group.domain | Name of the directory the group is a member of. | keyword |
-| group.id | Unique identifier for the group on the system/platform. | keyword |
-| group.name | Name of the group. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. 
| keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| log.level | Original log level of the log event. | keyword |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. | text |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. | keyword |
-| network.direction | Direction of the network traffic. | keyword |
-| network.protocol | L7 Network protocol name. ex. http, lumberjack, transport protocol. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc | keyword |
-| process.args | Array of process arguments, starting with the absolute path to the executable. | keyword |
-| process.args_count | Length of the process.args array. | long |
-| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. | keyword |
-| process.entity_id | Unique identifier for the process. | keyword |
-| process.executable | Absolute path to the process executable. 
| keyword |
-| process.hash.md5 | MD5 hash. | keyword |
-| process.hash.sha1 | SHA1 hash. | keyword |
-| process.hash.sha256 | SHA256 hash. | keyword |
-| process.hash.sha512 | SHA512 hash. | keyword |
-| process.name | Process name. | keyword |
-| process.parent.args | Array of process arguments, starting with the absolute path to the executable. | keyword |
-| process.parent.args_count | Length of the process.args array. | long |
-| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. | keyword |
-| process.parent.entity_id | Unique identifier for the process. | keyword |
-| process.parent.executable | Absolute path to the process executable. | keyword |
-| process.parent.name | Process name. | keyword |
-| process.parent.pid | Process id. | long |
-| process.pe.architecture | CPU architecture target for the file. | keyword |
-| process.pe.company | Internal company name of the file, provided at compile-time. | keyword |
-| process.pe.description | Internal description of the file, provided at compile-time. | keyword |
-| process.pe.file_version | Internal version of the file, provided at compile-time. | keyword |
-| process.pe.imphash | A hash of the imports in a PE file. | keyword |
-| process.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword |
-| process.pe.product | Internal product name of the file, provided at compile-time. | keyword |
-| process.pid | Process id. | long |
-| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
-| process.working_directory | The working directory of the process. | keyword |
-| registry.data.strings | Content when writing string types. 
| keyword |
-| registry.data.type | Standard registry type for encoding contents | keyword |
-| registry.hive | Abbreviated name for the hive. | keyword |
-| registry.key | Hive-relative path of keys. | keyword |
-| registry.path | Full path, including hive, key and value Options\winword.exe\Debugger | keyword |
-| registry.value | Name of the value written. | keyword |
-| related.hash | | keyword |
-| related.hosts | | keyword |
-| related.ip | | ip |
-| related.user | | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| service.name | Name of the service data is collected from. | keyword |
-| service.type | The type of the service data is collected from. | keyword |
-| source.domain | Source domain. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| sysmon.dns.status | Windows status code returned for the DNS query. | keyword |
-| sysmon.file.archived | Indicates if the deleted file was archived. | boolean |
-| sysmon.file.is_executable | Indicates if the deleted file was an executable. | boolean |
-| user.domain | Name of the directory the user is a member of. | keyword |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.target.group.domain | Name of the directory the group is a member of. | keyword |
-| user.target.group.id | Unique identifier for the group on the system/platform. | keyword |
-| user.target.group.name | Name of the group. | keyword |
-| user.target.name | Short name or login of the user. | keyword |
-| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword |
-| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. 
The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword |
-| winlog.channel | The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. | keyword |
-| winlog.computer_name | The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. | keyword |
-| winlog.event_data | The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. | object |
-| winlog.event_data.AuthenticationPackageName | | keyword |
-| winlog.event_data.Binary | | keyword |
-| winlog.event_data.BitlockerUserInputTime | | keyword |
-| winlog.event_data.BootMode | | keyword |
-| winlog.event_data.BootType | | keyword |
-| winlog.event_data.BuildVersion | | keyword |
-| winlog.event_data.ClientInfo | | keyword |
-| winlog.event_data.Company | | keyword |
-| winlog.event_data.Configuration | | keyword |
-| winlog.event_data.CorruptionActionState | | keyword |
-| winlog.event_data.CreationUtcTime | | keyword |
-| winlog.event_data.Description | | keyword |
-| winlog.event_data.Detail | | keyword |
-| winlog.event_data.DeviceName | | keyword |
-| winlog.event_data.DeviceNameLength | | keyword |
-| winlog.event_data.DeviceTime | | keyword |
-| winlog.event_data.DeviceVersionMajor | | keyword |
-| winlog.event_data.DeviceVersionMinor | | keyword |
-| winlog.event_data.DriveName | | keyword |
-| winlog.event_data.DriverName | | keyword |
-| 
winlog.event_data.DriverNameLength | | keyword |
-| winlog.event_data.DwordVal | | keyword |
-| winlog.event_data.EntryCount | | keyword |
-| winlog.event_data.EventType | | keyword |
-| winlog.event_data.ExtraInfo | | keyword |
-| winlog.event_data.FailureName | | keyword |
-| winlog.event_data.FailureNameLength | | keyword |
-| winlog.event_data.FileVersion | | keyword |
-| winlog.event_data.FinalStatus | | keyword |
-| winlog.event_data.Group | | keyword |
-| winlog.event_data.IdleImplementation | | keyword |
-| winlog.event_data.IdleStateCount | | keyword |
-| winlog.event_data.ImpersonationLevel | | keyword |
-| winlog.event_data.IntegrityLevel | | keyword |
-| winlog.event_data.IpAddress | | keyword |
-| winlog.event_data.IpPort | | keyword |
-| winlog.event_data.KeyLength | | keyword |
-| winlog.event_data.LastBootGood | | keyword |
-| winlog.event_data.LastShutdownGood | | keyword |
-| winlog.event_data.LmPackageName | | keyword |
-| winlog.event_data.LogonGuid | | keyword |
-| winlog.event_data.LogonId | | keyword |
-| winlog.event_data.LogonProcessName | | keyword |
-| winlog.event_data.LogonType | | keyword |
-| winlog.event_data.MajorVersion | | keyword |
-| winlog.event_data.MaximumPerformancePercent | | keyword |
-| winlog.event_data.MemberName | | keyword |
-| winlog.event_data.MemberSid | | keyword |
-| winlog.event_data.MinimumPerformancePercent | | keyword |
-| winlog.event_data.MinimumThrottlePercent | | keyword |
-| winlog.event_data.MinorVersion | | keyword |
-| winlog.event_data.NewProcessId | | keyword |
-| winlog.event_data.NewProcessName | | keyword |
-| winlog.event_data.NewSchemeGuid | | keyword |
-| winlog.event_data.NewTime | | keyword |
-| winlog.event_data.NominalFrequency | | keyword |
-| winlog.event_data.Number | | keyword |
-| winlog.event_data.OldSchemeGuid | | keyword |
-| winlog.event_data.OldTime | | keyword |
-| winlog.event_data.OriginalFileName | | keyword |
-| winlog.event_data.Path | | keyword |
-| 
winlog.event_data.PerformanceImplementation | | keyword |
-| winlog.event_data.PreviousCreationUtcTime | | keyword |
-| winlog.event_data.PreviousTime | | keyword |
-| winlog.event_data.PrivilegeList | | keyword |
-| winlog.event_data.ProcessId | | keyword |
-| winlog.event_data.ProcessName | | keyword |
-| winlog.event_data.ProcessPath | | keyword |
-| winlog.event_data.ProcessPid | | keyword |
-| winlog.event_data.Product | | keyword |
-| winlog.event_data.PuaCount | | keyword |
-| winlog.event_data.PuaPolicyId | | keyword |
-| winlog.event_data.QfeVersion | | keyword |
-| winlog.event_data.Reason | | keyword |
-| winlog.event_data.SchemaVersion | | keyword |
-| winlog.event_data.ScriptBlockText | | keyword |
-| winlog.event_data.ServiceName | | keyword |
-| winlog.event_data.ServiceVersion | | keyword |
-| winlog.event_data.Session | | keyword |
-| winlog.event_data.ShutdownActionType | | keyword |
-| winlog.event_data.ShutdownEventCode | | keyword |
-| winlog.event_data.ShutdownReason | | keyword |
-| winlog.event_data.Signature | | keyword |
-| winlog.event_data.SignatureStatus | | keyword |
-| winlog.event_data.Signed | | keyword |
-| winlog.event_data.StartTime | | keyword |
-| winlog.event_data.State | | keyword |
-| winlog.event_data.Status | | keyword |
-| winlog.event_data.StopTime | | keyword |
-| winlog.event_data.SubjectDomainName | | keyword |
-| winlog.event_data.SubjectLogonId | | keyword |
-| winlog.event_data.SubjectUserName | | keyword |
-| winlog.event_data.SubjectUserSid | | keyword |
-| winlog.event_data.TSId | | keyword |
-| winlog.event_data.TargetDomainName | | keyword |
-| winlog.event_data.TargetInfo | | keyword |
-| winlog.event_data.TargetLogonGuid | | keyword |
-| winlog.event_data.TargetLogonId | | keyword |
-| winlog.event_data.TargetServerName | | keyword |
-| winlog.event_data.TargetUserName | | keyword |
-| winlog.event_data.TargetUserSid | | keyword |
-| winlog.event_data.TerminalSessionId | | keyword |
-| 
winlog.event_data.TokenElevationType | | keyword |
-| winlog.event_data.TransmittedServices | | keyword |
-| winlog.event_data.Type | | keyword |
-| winlog.event_data.UserSid | | keyword |
-| winlog.event_data.Version | | keyword |
-| winlog.event_data.Workstation | | keyword |
-| winlog.event_data.param1 | | keyword |
-| winlog.event_data.param2 | | keyword |
-| winlog.event_data.param3 | | keyword |
-| winlog.event_data.param4 | | keyword |
-| winlog.event_data.param5 | | keyword |
-| winlog.event_data.param6 | | keyword |
-| winlog.event_data.param7 | | keyword |
-| winlog.event_data.param8 | | keyword |
-| winlog.event_id | The event identifier. The value is specific to the source of the event. | keyword |
-| winlog.keywords | The keywords are used to classify an event. | keyword |
-| winlog.opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. | keyword |
-| winlog.process.pid | The process_id of the Client Server Runtime Process. | long |
-| winlog.process.thread.id | | long |
-| winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. | keyword |
-| winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword |
-| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | keyword |
-| winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. | keyword |
-| winlog.task | The task defined in the event. 
Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. | keyword |
-| winlog.user.domain | The domain that the account associated with this event is a member of. | keyword |
-| winlog.user.identifier | The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. | keyword |
-| winlog.user.name | Name of the user associated with this event. | keyword |
-| winlog.user.type | The type of account associated with this event. | keyword |
-| winlog.user_data | The event specific data. This field is mutually exclusive with `event_data`. | object |
-| winlog.version | The version number of the event's definition. | long |
diff --git a/packages/windows/0.7.0/img/logo_windows.svg b/packages/windows/0.7.0/img/logo_windows.svg
deleted file mode 100755
index 953b33d8f5..0000000000
--- a/packages/windows/0.7.0/img/logo_windows.svg
+++ /dev/null
@@ -1,3 +0,0 @@
-
-
-
diff --git a/packages/windows/0.7.0/img/metricbeat-windows-service.png b/packages/windows/0.7.0/img/metricbeat-windows-service.png
deleted file mode 100755
index b9437930a9..0000000000
Binary files a/packages/windows/0.7.0/img/metricbeat-windows-service.png and /dev/null differ
diff --git a/packages/windows/0.7.0/kibana/dashboard/windows-c77e06c0-9e7c-11ea-af6f-cfdb1ee1d6c8.json b/packages/windows/0.7.0/kibana/dashboard/windows-c77e06c0-9e7c-11ea-af6f-cfdb1ee1d6c8.json
deleted file mode 100755
index a1564e6c0d..0000000000
--- a/packages/windows/0.7.0/kibana/dashboard/windows-c77e06c0-9e7c-11ea-af6f-cfdb1ee1d6c8.json
+++ /dev/null
@@ -1,114 +0,0 @@ -{ - "attributes": { - "description": "Overview dashboard for powershell integration.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"fa41e799-b6b3-49ec-a11c-3f20231a4a79\",\"w\":13,\"x\":0,\"y\":0},\"panelIndex\":\"fa41e799-b6b3-49ec-a11c-3f20231a4a79\",\"panelRefName\":\"panel_0\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":6,\"i\":\"65ce6b63-6ce0-4094-ab23-189126fc169f\",\"w\":7,\"x\":13,\"y\":0},\"panelIndex\":\"65ce6b63-6ce0-4094-ab23-189126fc169f\",\"panelRefName\":\"panel_1\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":6,\"i\":\"314e6f55-a05a-4ae3-ab76-bcae7f2074ab\",\"w\":8,\"x\":20,\"y\":0},\"panelIndex\":\"314e6f55-a05a-4ae3-ab76-bcae7f2074ab\",\"panelRefName\":\"panel_2\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":6,\"i\":\"a1f161f6-1abe-4177-9ede-4d1984f5a963\",\"w\":7,\"x\":28,\"y\":0},\"panelIndex\":\"a1f161f6-1abe-4177-9ede-4d1984f5a963\",\"panelRefName\":\"panel_3\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":6,\"i\":\"6b7ed122-22f3-4e9d-89eb-8de92c0d2033\",\"w\":4,\"x\":35,\"y\":0},\"panelIndex\":\"6b7ed122-22f3-4e9d-89eb-8de92c0d2033\",\"panelRefName\":\"panel_4\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":6,\"i\":\"d536f6a7-ad28-4a32-9319-9e0b983828bf\",\"w\":4,\"x\":39,\"y\":0},\"panelIndex\":\"d536f6a7-ad28-4a32-9319-9e0b983828bf\",\"panelRefName\":\"panel_5\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":6,\"i\":\"eda6d08f-b45e-448a-bf9f-afa5516d4b4b\",\"w\":4,\"x\":43,\"y\":0},\"panelIndex\":\"eda6d08f-b45e-448a-bf9f-afa5516d4b4b\",\"panelRefName\":\"panel_6\",\"ve
rsion\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"56d2dd76-6fec-422b-96e9-22791b0c5f0c\",\"w\":10,\"x\":13,\"y\":6},\"panelIndex\":\"56d2dd76-6fec-422b-96e9-22791b0c5f0c\",\"panelRefName\":\"panel_7\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":7,\"i\":\"3e4a9683-fd6a-4ad7-b05f-c71bcb4d92d5\",\"w\":12,\"x\":23,\"y\":6},\"panelIndex\":\"3e4a9683-fd6a-4ad7-b05f-c71bcb4d92d5\",\"panelRefName\":\"panel_8\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":7,\"i\":\"a8c00572-667b-4e39-8b0c-10be56fbadd5\",\"w\":12,\"x\":35,\"y\":6},\"panelIndex\":\"a8c00572-667b-4e39-8b0c-10be56fbadd5\",\"panelRefName\":\"panel_9\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"e8a57cba-14d2-4cd9-a727-f5e30165f6ba\",\"w\":13,\"x\":0,\"y\":8},\"panelIndex\":\"e8a57cba-14d2-4cd9-a727-f5e30165f6ba\",\"panelRefName\":\"panel_10\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":7,\"i\":\"8ae39cfa-cb06-45eb-880e-b749c3355d61\",\"w\":12,\"x\":23,\"y\":13},\"panelIndex\":\"8ae39cfa-cb06-45eb-880e-b749c3355d61\",\"panelRefName\":\"panel_11\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":7,\"i\":\"ef92d192-b56d-476c-b640-e226679ed178\",\"w\":12,\"x\":35,\"y\":13},\"panelIndex\":\"ef92d192-b56d-476c-b640-e226679ed178\",\"panelRefName\":\"panel_12\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":11,\"i\":\"b15dcac5-3616-4b41-8abb-cb28398b16f4\",\"w\":13,\"x\":0,\"y\":16},\"panelIndex\":\"b15dcac5-3616-4b41-8abb-cb28398b16f4\",\"panelRefName\":\"panel_13\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":11,\"i\":\"23af61c8-6a45-4d7d-9905-8ed265328130\",\"w\":10,\"x\":13,\"y\":16},\"panelIndex\":\"23af61c8-6a45-4d7d-9905-8ed265328130\",\"panelRefName\":\"panel_14\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":7,\"i\":\"390068ed-b7fb-4ec1-87d5-e89f7cc82e04\",\"w\":12,\"x\":23,\"y\":20},\"panelIndex\":\"
390068ed-b7fb-4ec1-87d5-e89f7cc82e04\",\"panelRefName\":\"panel_15\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":7,\"i\":\"45724dca-fea2-4f3b-af79-cf89bb12a31b\",\"w\":12,\"x\":35,\"y\":20},\"panelIndex\":\"45724dca-fea2-4f3b-af79-cf89bb12a31b\",\"panelRefName\":\"panel_16\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":14,\"i\":\"7f0c4a51-d972-42a5-ba0a-d3de814c7440\",\"w\":47,\"x\":0,\"y\":27},\"panelIndex\":\"7f0c4a51-d972-42a5-ba0a-d3de814c7440\",\"panelRefName\":\"panel_17\",\"version\":\"7.6.0\"}]", - "timeRestore": false, - "title": "[Windows powershell] Overview", - "version": 1 - }, - "id": "windows-c77e06c0-9e7c-11ea-af6f-cfdb1ee1d6c8", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-9ec52c30-9e91-11ea-af6f-cfdb1ee1d6c8", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-52543ef0-9e95-11ea-af6f-cfdb1ee1d6c8", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-7f3e7710-9e94-11ea-af6f-cfdb1ee1d6c8", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "windows-78874900-9f30-11ea-bef1-95118e62a7c1", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-e64ff750-9f28-11ea-bef1-95118e62a7c1", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "windows-2dbabdf0-9f29-11ea-bef1-95118e62a7c1", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "windows-92a2a6b0-9f29-11ea-bef1-95118e62a7c1", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "windows-e20b3940-9e9a-11ea-af6f-cfdb1ee1d6c8", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "windows-1eeaaf70-9f23-11ea-bef1-95118e62a7c1", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "windows-f9fa55f0-9f34-11ea-bef1-95118e62a7c1", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "windows-3e55daa0-9e8e-11ea-af6f-cfdb1ee1d6c8", - "name": 
"panel_10",
- "type": "visualization"
- },
- {
- "id": "windows-d27dea70-9f32-11ea-bef1-95118e62a7c1",
- "name": "panel_11",
- "type": "visualization"
- },
- {
- "id": "windows-fbb025e0-9e7c-11ea-af6f-cfdb1ee1d6c8",
- "name": "panel_12",
- "type": "visualization"
- },
- {
- "id": "windows-7adbce50-9e96-11ea-af6f-cfdb1ee1d6c8",
- "name": "panel_13",
- "type": "visualization"
- },
- {
- "id": "windows-70751050-9f33-11ea-bef1-95118e62a7c1",
- "name": "panel_14",
- "type": "visualization"
- },
- {
- "id": "windows-b0c5d570-9e7c-11ea-af6f-cfdb1ee1d6c8",
- "name": "panel_15",
- "type": "visualization"
- },
- {
- "id": "windows-c0945210-9e8b-11ea-af6f-cfdb1ee1d6c8",
- "name": "panel_16",
- "type": "visualization"
- },
- {
- "id": "windows-11a61760-9f27-11ea-bef1-95118e62a7c1",
- "name": "panel_17",
- "type": "search"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/windows/0.7.0/kibana/dashboard/windows-d9eba730-c991-11e7-9835-2f31fe08873b.json b/packages/windows/0.7.0/kibana/dashboard/windows-d9eba730-c991-11e7-9835-2f31fe08873b.json
deleted file mode 100755
index 2dc240f99d..0000000000
--- a/packages/windows/0.7.0/kibana/dashboard/windows-d9eba730-c991-11e7-9835-2f31fe08873b.json
+++ /dev/null
@@ -1,49 +0,0 @@ -{ - "attributes": { - "description": "Overview of the Windows Service States", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.service\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":36,\"x\":12,\"y\":12},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"2\",\"w\":12,\"x\":0,\"y\":12},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"3\",\"w\":16,\"x\":0,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":12,\"i\":\"4\",\"w\":16,\"x\":16,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":12,\"i\":\"5\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Metrics Windows] Services", - "version": 1 - }, - "id": "windows-d9eba730-c991-11e7-9835-2f31fe08873b", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "windows-eb8277d0-c98c-11e7-9835-2f31fe08873b", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "windows-23a5fff0-c98e-11e7-9835-2f31fe08873b", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "windows-830c45f0-c991-11e7-9835-2f31fe08873b", - "name": "panel_2", - "type": 
"visualization" - }, - { - "id": "windows-35f5ad60-c996-11e7-9835-2f31fe08873b", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "windows-c36b2ba0-ca29-11e7-9835-2f31fe08873b", - "name": "panel_4", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/windows/0.7.0/kibana/search/windows-11a61760-9f27-11ea-bef1-95118e62a7c1.json b/packages/windows/0.7.0/kibana/search/windows-11a61760-9f27-11ea-bef1-95118e62a7c1.json deleted file mode 100755 index 4eec362f7b..0000000000 --- a/packages/windows/0.7.0/kibana/search/windows-11a61760-9f27-11ea-bef1-95118e62a7c1.json +++ /dev/null @@ -1,40 +0,0 @@ -{ - "attributes": { - "columns": [ - "event.code", - "powershell.engine.version", - "powershell.runspace_id", - "process.args", - "powershell.command.invocation_details", - "powershell.file.script_block_text" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Details [Windows powershell]", - "version": 1 - }, - "id": "windows-11a61760-9f27-11ea-bef1-95118e62a7c1", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/windows/0.7.0/kibana/search/windows-b6b7ccc0-c98d-11e7-9835-2f31fe08873b.json b/packages/windows/0.7.0/kibana/search/windows-b6b7ccc0-c98d-11e7-9835-2f31fe08873b.json deleted file mode 100755 index ce978c720f..0000000000 
--- a/packages/windows/0.7.0/kibana/search/windows-b6b7ccc0-c98d-11e7-9835-2f31fe08873b.json +++ /dev/null 
@@ -1,48 +0,0 @@ -{ - "attributes": { - "columns": [ - "host.name", - "windows.service.display_name", - "windows.service.state", - "windows.service.start_type", - "windows.service.uptime.ms", - "windows.service.pid", - "windows.service.exit_code" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"query\",\"negate\":false,\"type\":\"custom\",\"value\":\"{\\\"prefix\\\":{\\\"data_stream.dataset\\\":\\\"windows.\\\"}}\"},\"query\":{\"prefix\":{\"data_stream.dataset\":\"windows.\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"metricset.name\",\"negate\":false,\"params\":{\"query\":\"service\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"service\"},\"query\":{\"match\":{\"metricset.name\":{\"query\":\"service\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Services [Metrics Windows]", - "version": 1 - }, - "id": "windows-b6b7ccc0-c98d-11e7-9835-2f31fe08873b", - "migrationVersion": { - "search": "7.4.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file 
diff --git a/packages/windows/0.7.0/kibana/visualization/windows-1eeaaf70-9f23-11ea-bef1-95118e62a7c1.json b/packages/windows/0.7.0/kibana/visualization/windows-1eeaaf70-9f23-11ea-bef1-95118e62a7c1.json deleted file mode 100755 index 04e954c31c..0000000000 --- a/packages/windows/0.7.0/kibana/visualization/windows-1eeaaf70-9f23-11ea-bef1-95118e62a7c1.json +++ /dev/null @@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)\"}}" - }, - "title": "Engine versions [Windows powershell]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Engine version\",\"field\":\"powershell.engine.version\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"metric\":{\"accessor\":0,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}}},\"isDonut\":false,\"labels\":{\"last_level\":false,\"show\":false,\"truncate\":100,\"values\":false},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Engine versions [Windows powershell]\",\"type\":\"pie\"}" - }, - "id": "windows-1eeaaf70-9f23-11ea-bef1-95118e62a7c1", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/windows/0.7.0/kibana/visualization/windows-23a5fff0-c98e-11e7-9835-2f31fe08873b.json b/packages/windows/0.7.0/kibana/visualization/windows-23a5fff0-c98e-11e7-9835-2f31fe08873b.json deleted file mode 100755 index a1d8795f59..0000000000 --- a/packages/windows/0.7.0/kibana/visualization/windows-23a5fff0-c98e-11e7-9835-2f31fe08873b.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Hosts [Metrics Windows]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Total Services\",\"field\":\"windows.service.id\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Host\",\"field\":\"host.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Hosts [Metrics Windows]\",\"type\":\"table\"}" - }, - "id": "windows-23a5fff0-c98e-11e7-9835-2f31fe08873b", - "migrationVersion": { - "visualization": "7.8.0" - }, - "references": [ - { - "id": "windows-b6b7ccc0-c98d-11e7-9835-2f31fe08873b", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/windows/0.7.0/kibana/visualization/windows-2dbabdf0-9f29-11ea-bef1-95118e62a7c1.json b/packages/windows/0.7.0/kibana/visualization/windows-2dbabdf0-9f29-11ea-bef1-95118e62a7c1.json deleted file mode 100755 index c3010746e0..0000000000 
--- a/packages/windows/0.7.0/kibana/visualization/windows-2dbabdf0-9f29-11ea-bef1-95118e62a7c1.json +++ /dev/null @@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset.windows.powershell_operational)\"}}" - }, - "title": "Unique engine versions [Windows powershell]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Unique versions\",\"field\":\"powershell.engine.version\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":32,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Unique engine versions [Windows powershell]\",\"type\":\"metric\"}" - }, - "id": "windows-2dbabdf0-9f29-11ea-bef1-95118e62a7c1", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/windows/0.7.0/kibana/visualization/windows-35f5ad60-c996-11e7-9835-2f31fe08873b.json b/packages/windows/0.7.0/kibana/visualization/windows-35f5ad60-c996-11e7-9835-2f31fe08873b.json deleted file mode 100755 index a67dddfc97..0000000000 
--- a/packages/windows/0.7.0/kibana/visualization/windows-35f5ad60-c996-11e7-9835-2f31fe08873b.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Unique Services [Metrics Windows]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Services\",\"field\":\"windows.service.id\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":false},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"type\":\"gauge\"},\"title\":\"Unique Services [Metrics Windows]\",\"type\":\"metric\"}" - }, - "id": "windows-35f5ad60-c996-11e7-9835-2f31fe08873b", - "migrationVersion": { - "visualization": "7.8.0" - }, - "references": [ - { - "id": "windows-b6b7ccc0-c98d-11e7-9835-2f31fe08873b", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/windows/0.7.0/kibana/visualization/windows-3e55daa0-9e8e-11ea-af6f-cfdb1ee1d6c8.json b/packages/windows/0.7.0/kibana/visualization/windows-3e55daa0-9e8e-11ea-af6f-cfdb1ee1d6c8.json deleted file mode 100755 index 89fc1c53f5..0000000000 
--- a/packages/windows/0.7.0/kibana/visualization/windows-3e55daa0-9e8e-11ea-af6f-cfdb1ee1d6c8.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset.windows.powershell_operational)\"}}" - }, - "title": "Users [Windows powershell]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"User\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Host count\",\"field\":\"host.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"\",\"origin\":\"http://192.168.1.48:5601\",\"pathname\":\"/app/kibana\"}}},\"label\":\"User\",\"params\":{}}],\"metrics\":[{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}},{\"accessor\":2,\"aggType\":\"cardinality\",\"format\":{\"id\":\"number\"},\"label\":\"Unique count of host.name\",\"params\":{}}]},\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users [Windows powershell]\",\"type\":\"table\"}" - }, - "id": "windows-3e55daa0-9e8e-11ea-af6f-cfdb1ee1d6c8", - "migrationVersion": { - 
"visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/windows/0.7.0/kibana/visualization/windows-52543ef0-9e95-11ea-af6f-cfdb1ee1d6c8.json b/packages/windows/0.7.0/kibana/visualization/windows-52543ef0-9e95-11ea-af6f-cfdb1ee1d6c8.json deleted file mode 100755 index 30859feacc..0000000000 --- a/packages/windows/0.7.0/kibana/visualization/windows-52543ef0-9e95-11ea-af6f-cfdb1ee1d6c8.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset.windows.powershell_operational)\"}}" - }, - "title": "Total engine started [Windows powershell]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"filters\":[{\"input\":{\"language\":\"kuery\",\"query\":\"event.code: 400\"},\"label\":\"\"}]},\"schema\":\"group\",\"type\":\"filters\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"string\",\"params\":{}},\"type\":\"vis_dimension\"},\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":32,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Total engine started [Windows powershell]\",\"type\":\"metric\"}" - }, - "id": "windows-52543ef0-9e95-11ea-af6f-cfdb1ee1d6c8", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/windows/0.7.0/kibana/visualization/windows-70751050-9f33-11ea-bef1-95118e62a7c1.json b/packages/windows/0.7.0/kibana/visualization/windows-70751050-9f33-11ea-bef1-95118e62a7c1.json deleted file mode 100755 index 05fb357273..0000000000 --- a/packages/windows/0.7.0/kibana/visualization/windows-70751050-9f33-11ea-bef1-95118e62a7c1.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset.windows.powershell_operational)\"}}" - }, - "title": "Top active hosts [Windows powershell]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[],\"metrics\":[{\"accessor\":0,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}}]},\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top active hosts [Windows powershell]\",\"type\":\"table\"}" - }, - "id": "windows-70751050-9f33-11ea-bef1-95118e62a7c1", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/windows/0.7.0/kibana/visualization/windows-78874900-9f30-11ea-bef1-95118e62a7c1.json b/packages/windows/0.7.0/kibana/visualization/windows-78874900-9f30-11ea-bef1-95118e62a7c1.json deleted file mode 100755 index ea3f28e91a..0000000000 
--- a/packages/windows/0.7.0/kibana/visualization/windows-78874900-9f30-11ea-bef1-95118e62a7c1.json +++ /dev/null @@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)\"}}" - }, - "title": "Total remote commands [Windows powershell]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"filters\":[{\"input\":{\"language\":\"kuery\",\"query\":\"process.title:\\\"ServerRemoteHost\\\" \"},\"label\":\"Remote commands\"}]},\"schema\":\"group\",\"type\":\"filters\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"string\",\"params\":{}},\"type\":\"vis_dimension\"},\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":32,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Total remote commands [Windows powershell]\",\"type\":\"metric\"}" - }, - "id": "windows-78874900-9f30-11ea-bef1-95118e62a7c1", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/windows/0.7.0/kibana/visualization/windows-7adbce50-9e96-11ea-af6f-cfdb1ee1d6c8.json b/packages/windows/0.7.0/kibana/visualization/windows-7adbce50-9e96-11ea-af6f-cfdb1ee1d6c8.json deleted file mode 100755 index 20a555f9a3..0000000000 --- a/packages/windows/0.7.0/kibana/visualization/windows-7adbce50-9e96-11ea-af6f-cfdb1ee1d6c8.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)\"}}" - }, - "title": "Engine and Command started[Windows powershell]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"*\":\"#EAB839\",\"Engine stopped\":\"#BF1B00\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-1d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"filters\":[{\"input\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"400\\\" \"},\"label\":\"Engine started\"},{\"input\":{\"language\":\"kuery\",\"query\":\"event.code: \\\"4105\\\" \"},\"label\":\"Command started\"}]},\"schema\":\"group\",\"type\":\"filters\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"dimensions\":{\"series\":[{\"accessor\":1,\"aggType\":\"filters\",\"format\":{},\"label\":\"filters\",\"params\":{}}],\"x\":{\"accessor\":0,\"aggType\":\"date_histogram\",\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"HH:mm\"}},\"label\":\"@timestamp per 30 
minutes\",\"params\":{\"bounds\":{\"max\":\"2020-05-26T09:14:29.996Z\",\"min\":\"2020-05-25T09:14:29.996Z\"},\"date\":true,\"format\":\"HH:mm\",\"interval\":\"PT30M\",\"intervalESUnit\":\"m\",\"intervalESValue\":30}},\"y\":[{\"accessor\":2,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}}]},\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"log\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Engine and Command started[Windows powershell]\",\"type\":\"line\"}" - }, - "id": "windows-7adbce50-9e96-11ea-af6f-cfdb1ee1d6c8", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/windows/0.7.0/kibana/visualization/windows-7f3e7710-9e94-11ea-af6f-cfdb1ee1d6c8.json b/packages/windows/0.7.0/kibana/visualization/windows-7f3e7710-9e94-11ea-af6f-cfdb1ee1d6c8.json deleted file mode 100755 index 7991892c14..0000000000 --- a/packages/windows/0.7.0/kibana/visualization/windows-7f3e7710-9e94-11ea-af6f-cfdb1ee1d6c8.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)\"}}" - }, - "title": "Total commands [Windows powershell]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"filters\":[{\"input\":{\"language\":\"kuery\",\"query\":\"powershell.command.name: * \"},\"label\":\"Commands\"}]},\"schema\":\"group\",\"type\":\"filters\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"string\",\"params\":{}},\"type\":\"vis_dimension\"},\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":32,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Total commands [Windows powershell]\",\"type\":\"metric\"}" - }, - "id": "windows-7f3e7710-9e94-11ea-af6f-cfdb1ee1d6c8", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/windows/0.7.0/kibana/visualization/windows-830c45f0-c991-11e7-9835-2f31fe08873b.json b/packages/windows/0.7.0/kibana/visualization/windows-830c45f0-c991-11e7-9835-2f31fe08873b.json deleted file mode 100755 index 1c3be90530..0000000000 --- a/packages/windows/0.7.0/kibana/visualization/windows-830c45f0-c991-11e7-9835-2f31fe08873b.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Startup States [Metrics Windows]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Service Count\",\"field\":\"windows.service.id\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Startup Type\",\"field\":\"windows.service.start_type\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"State\",\"field\":\"windows.service.state\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Startup States [Metrics Windows]\",\"type\":\"pie\"}" - }, - "id": "windows-830c45f0-c991-11e7-9835-2f31fe08873b", - "migrationVersion": { - "visualization": "7.8.0" - }, - "references": [ - { - "id": "windows-b6b7ccc0-c98d-11e7-9835-2f31fe08873b", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/windows/0.7.0/kibana/visualization/windows-92a2a6b0-9f29-11ea-bef1-95118e62a7c1.json b/packages/windows/0.7.0/kibana/visualization/windows-92a2a6b0-9f29-11ea-bef1-95118e62a7c1.json deleted file mode 100755 index 41e0eb5de2..0000000000 --- a/packages/windows/0.7.0/kibana/visualization/windows-92a2a6b0-9f29-11ea-bef1-95118e62a7c1.json +++ /dev/null @@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)\"}}" - }, - "title": "Unique hosts [Windows powershell]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Unique hosts\",\"field\":\"host.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":32,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Unique hosts [Windows powershell]\",\"type\":\"metric\"}" - }, - "id": "windows-92a2a6b0-9f29-11ea-bef1-95118e62a7c1", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/windows/0.7.0/kibana/visualization/windows-9ec52c30-9e91-11ea-af6f-cfdb1ee1d6c8.json b/packages/windows/0.7.0/kibana/visualization/windows-9ec52c30-9e91-11ea-af6f-cfdb1ee1d6c8.json deleted file mode 100755 index f31c109dbd..0000000000 --- a/packages/windows/0.7.0/kibana/visualization/windows-9ec52c30-9e91-11ea-af6f-cfdb1ee1d6c8.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)\"}}" - }, - "title": "Connected users [Windows powershell]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"User\",\"field\":\"powershell.connected_user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"4\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Host count\",\"field\":\"host.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"\",\"origin\":\"http://192.168.1.48:5601\",\"pathname\":\"/app/kibana\"}}},\"label\":\"User\",\"params\":{}}],\"metrics\":[{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}},{\"accessor\":2,\"aggType\":\"cardinality\",\"format\":{\"id\":\"number\"},\"label\":\"Unique count of host.name\",\"params\":{}}]},\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Connected users [Windows powershell]\",\"type\":\"table\"}" - }, - "id": "windows-9ec52c30-9e91-11ea-af6f-cfdb1ee1d6c8", 
- "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/windows/0.7.0/kibana/visualization/windows-b0c5d570-9e7c-11ea-af6f-cfdb1ee1d6c8.json b/packages/windows/0.7.0/kibana/visualization/windows-b0c5d570-9e7c-11ea-af6f-cfdb1ee1d6c8.json deleted file mode 100755 index 7c4f2295c8..0000000000 --- a/packages/windows/0.7.0/kibana/visualization/windows-b0c5d570-9e7c-11ea-af6f-cfdb1ee1d6c8.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"powershell.command.invocation_details.type\",\"negate\":false,\"params\":{\"query\":\"CommandInvocation\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"powershell.command.invocation_details.type\":\"CommandInvocation\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)\"}}" - }, - "title": "Top Invoked Commands [Windows powershell]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"powershell.command.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"\",\"origin\":\"http://192.168.1.48:5601\",\"pathname\":\"/app/kibana\"}}},\"label\":\"powershell.command.invocation_details.related_command: Descending\",\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}}},\"isDonut\":false,\"labels\":{\"last_level\":false,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Top Invoked Commands [Windows 
powershell]\",\"type\":\"pie\"}" - }, - "id": "windows-b0c5d570-9e7c-11ea-af6f-cfdb1ee1d6c8", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/windows/0.7.0/kibana/visualization/windows-c0945210-9e8b-11ea-af6f-cfdb1ee1d6c8.json b/packages/windows/0.7.0/kibana/visualization/windows-c0945210-9e8b-11ea-af6f-cfdb1ee1d6c8.json deleted file mode 100755 index 2e83176ae0..0000000000 --- a/packages/windows/0.7.0/kibana/visualization/windows-c0945210-9e8b-11ea-af6f-cfdb1ee1d6c8.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)\"}}" - }, - "title": "Started providers [Windows powershell]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"powershell.provider.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"\",\"origin\":\"http://192.168.1.48:5601\",\"pathname\":\"/app/kibana\"}}},\"label\":\"powershell.provider.name: Descending\",\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}}},\"isDonut\":false,\"labels\":{\"last_level\":false,\"show\":false,\"truncate\":100,\"values\":false},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Started providers [Windows powershell]\",\"type\":\"pie\"}" - }, - "id": "windows-c0945210-9e8b-11ea-af6f-cfdb1ee1d6c8", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/windows/0.7.0/kibana/visualization/windows-c36b2ba0-ca29-11e7-9835-2f31fe08873b.json b/packages/windows/0.7.0/kibana/visualization/windows-c36b2ba0-ca29-11e7-9835-2f31fe08873b.json
deleted file mode 100755
index 298c8a3225..0000000000
--- a/packages/windows/0.7.0/kibana/visualization/windows-c36b2ba0-ca29-11e7-9835-2f31fe08873b.json
+++ /dev/null
@@ -1,40 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"windows.service.exit_code\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"windows.service.exit_code\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"windows.service.exit_code\",\"negate\":true,\"params\":{\"query\":\"0\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"0\"},\"query\":{\"match\":{\"windows.service.exit_code\":{\"query\":\"0\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\",\"key\":\"windows.service.exit_code\",\"negate\":true,\"params\":{\"query\":\"ERROR_SERVICE_NEVER_STARTED\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"ERROR_SERVICE_NEVER_STARTED\"},\"query\":{\"match\":{\"windows.service.exit_code\":{\"query\":\"ERROR_SERVICE_NEVER_STARTED\",\"type\":\"phrase\"}}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Non-zero Service Exit Codes [Metrics Windows]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Non-zero Exit Codes\",\"field\":\"windows.service.id\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to 
Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":false},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"type\":\"gauge\"},\"title\":\"Non-zero Service Exit Codes [Metrics Windows]\",\"type\":\"metric\"}" - }, - "id": "windows-c36b2ba0-ca29-11e7-9835-2f31fe08873b", - "migrationVersion": { - "visualization": "7.8.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", - "type": "index-pattern" - }, - { - "id": "windows-b6b7ccc0-c98d-11e7-9835-2f31fe08873b", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/windows/0.7.0/kibana/visualization/windows-d27dea70-9f32-11ea-bef1-95118e62a7c1.json b/packages/windows/0.7.0/kibana/visualization/windows-d27dea70-9f32-11ea-bef1-95118e62a7c1.json deleted file mode 100755 index eb31ba6e7b..0000000000 --- a/packages/windows/0.7.0/kibana/visualization/windows-d27dea70-9f32-11ea-bef1-95118e62a7c1.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)\"}}" - }, - "title": "Event type [Windows powershell]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event type\",\"field\":\"event.code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"\",\"origin\":\"http://192.168.1.48:5601\",\"pathname\":\"/app/kibana\"}}},\"label\":\"event.code: Descending\",\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}}},\"isDonut\":false,\"labels\":{\"last_level\":false,\"show\":false,\"truncate\":100,\"values\":false},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Event type [Windows powershell]\",\"type\":\"pie\"}" - }, - "id": "windows-d27dea70-9f32-11ea-bef1-95118e62a7c1", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/windows/0.7.0/kibana/visualization/windows-e20b3940-9e9a-11ea-af6f-cfdb1ee1d6c8.json b/packages/windows/0.7.0/kibana/visualization/windows-e20b3940-9e9a-11ea-af6f-cfdb1ee1d6c8.json
deleted file mode 100755
index 5bc8c71d54..0000000000
--- a/packages/windows/0.7.0/kibana/visualization/windows-e20b3940-9e9a-11ea-af6f-cfdb1ee1d6c8.json
+++ /dev/null
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)\"}}" - }, - "title": "Engine versions ran by host [Windows powershell]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Host\",\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"3\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Version count\",\"field\":\"powershell.engine.version\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"\",\"origin\":\"http://192.168.1.48:5601\",\"pathname\":\"/app/kibana\"}}},\"label\":\"Host\",\"params\":{}}],\"metrics\":[{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}},{\"accessor\":2,\"aggType\":\"cardinality\",\"format\":{\"id\":\"number\"},\"label\":\"Version count\",\"params\":{}}]},\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Engine versions ran by host [Windows powershell]\",\"type\":\"table\"}" - }, - "id": "windows-e20b3940-9e9a-11ea-af6f-cfdb1ee1d6c8", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - 
"default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/windows/0.7.0/kibana/visualization/windows-e64ff750-9f28-11ea-bef1-95118e62a7c1.json b/packages/windows/0.7.0/kibana/visualization/windows-e64ff750-9f28-11ea-bef1-95118e62a7c1.json deleted file mode 100755 index 5fccc4cea5..0000000000 --- a/packages/windows/0.7.0/kibana/visualization/windows-e64ff750-9f28-11ea-bef1-95118e62a7c1.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)\"}}" - }, - "title": "Unique users [Windows powershell]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Unique users\",\"field\":\"related.user\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":32,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Unique users [Windows powershell]\",\"type\":\"metric\"}" - }, - "id": "windows-e64ff750-9f28-11ea-bef1-95118e62a7c1", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/windows/0.7.0/kibana/visualization/windows-eb8277d0-c98c-11e7-9835-2f31fe08873b.json b/packages/windows/0.7.0/kibana/visualization/windows-eb8277d0-c98c-11e7-9835-2f31fe08873b.json deleted file mode 100755 index 76751cae17..0000000000 --- a/packages/windows/0.7.0/kibana/visualization/windows-eb8277d0-c98c-11e7-9835-2f31fe08873b.json +++ /dev/null 
@@ -1,24 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Service States [Metrics Windows]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"aggregate\":\"concat\",\"customLabel\":\"Latest Report\",\"field\":\"@timestamp\",\"size\":1,\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\"},\"schema\":\"metric\",\"type\":\"top_hits\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Service\",\"field\":\"windows.service.display_name\",\"order\":\"asc\",\"orderBy\":\"_term\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Host\",\"field\":\"host.name\",\"order\":\"desc\",\"orderBy\":\"_term\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"State\",\"field\":\"windows.service.state\",\"order\":\"desc\",\"orderAgg\":{\"enabled\":true,\"id\":\"3-orderAgg\",\"params\":{\"field\":\"@timestamp\"},\"schema\":{\"aggFilter\":[\"!top_hits\",\"!percentiles\",\"!median\",\"!std_dev\",\"!derivative\",\"!moving_avg\",\"!serial_diff\",\"!cumulative_sum\",\"!avg_bucket\",\"!max_bucket\",\"!min_bucket\",\"!sum_bucket\"],\"deprecate\":false,\"editor\":false,\"group\":\"none\",\"hideCustomLabel\":true,\"max\":null,\"min\":0,\"name\":\"orderAgg\",\"params\":[],\"title\":\"Order Agg\"},\"type\":\"max\"},\"orderBy\":\"custom\",\"size\":1},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Startup 
Type\",\"field\":\"windows.service.start_type\",\"order\":\"desc\",\"orderAgg\":{\"enabled\":true,\"id\":\"4-orderAgg\",\"params\":{\"field\":\"@timestamp\"},\"schema\":{\"aggFilter\":[\"!top_hits\",\"!percentiles\",\"!median\",\"!std_dev\",\"!derivative\",\"!moving_avg\",\"!serial_diff\",\"!cumulative_sum\",\"!avg_bucket\",\"!max_bucket\",\"!min_bucket\",\"!sum_bucket\"],\"deprecate\":false,\"editor\":false,\"group\":\"none\",\"hideCustomLabel\":true,\"max\":null,\"min\":0,\"name\":\"orderAgg\",\"params\":[],\"title\":\"Order Agg\"},\"type\":\"max\"},\"orderBy\":\"custom\",\"size\":1},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Service States [Metrics Windows]\",\"type\":\"table\"}" - }, - "id": "windows-eb8277d0-c98c-11e7-9835-2f31fe08873b", - "migrationVersion": { - "visualization": "7.8.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/windows/0.7.0/kibana/visualization/windows-f9fa55f0-9f34-11ea-bef1-95118e62a7c1.json b/packages/windows/0.7.0/kibana/visualization/windows-f9fa55f0-9f34-11ea-bef1-95118e62a7c1.json deleted file mode 100755 index 87af19a431..0000000000 --- a/packages/windows/0.7.0/kibana/visualization/windows-f9fa55f0-9f34-11ea-bef1-95118e62a7c1.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)\"}}" - }, - "title": "Host processes [Windows powershell]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"process.title\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"\",\"origin\":\"http://192.168.1.48:5601\",\"pathname\":\"/app/kibana\"}}},\"label\":\"process.title: Descending\",\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}}},\"isDonut\":false,\"labels\":{\"last_level\":false,\"show\":false,\"truncate\":100,\"values\":false},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Host processes [Windows powershell]\",\"type\":\"pie\"}" - }, - "id": "windows-f9fa55f0-9f34-11ea-bef1-95118e62a7c1", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/windows/0.7.0/kibana/visualization/windows-fbb025e0-9e7c-11ea-af6f-cfdb1ee1d6c8.json b/packages/windows/0.7.0/kibana/visualization/windows-fbb025e0-9e7c-11ea-af6f-cfdb1ee1d6c8.json
deleted file mode 100755
index d81f48dce2..0000000000
--- a/packages/windows/0.7.0/kibana/visualization/windows-fbb025e0-9e7c-11ea-af6f-cfdb1ee1d6c8.json
+++ /dev/null
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:windows.powershell OR data_stream.dataset:windows.powershell_operational)\"}}" - }, - "title": "Event Levels [Windows powershell]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"log.level\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"\",\"origin\":\"http://192.168.1.48:5601\",\"pathname\":\"/app/kibana\"}}},\"label\":\"log.level: Descending\",\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}}},\"isDonut\":false,\"labels\":{\"last_level\":false,\"show\":false,\"truncate\":100,\"values\":false},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Event Levels [Windows powershell]\",\"type\":\"pie\"}" - }, - "id": "windows-fbb025e0-9e7c-11ea-af6f-cfdb1ee1d6c8", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/windows/0.7.0/manifest.yml b/packages/windows/0.7.0/manifest.yml
deleted file mode 100755
index 9b3480b615..0000000000
--- a/packages/windows/0.7.0/manifest.yml
+++ /dev/null
@@ -1,64 +0,0 @@
-name: windows
-title: Windows
-version: 0.7.0
-description: Windows Integration
-type: integration
-categories:
-  - os_system
-  - security
-icons:
-  - src: /img/logo_windows.svg
-    title: logo windows
-    size: 32x32
-    type: image/svg+xml
-format_version: 1.0.0
-license: basic
-release: experimental
-conditions:
-  kibana.version: '^7.13.0'
-screenshots:
-  - src: /img/metricbeat-windows-service.png
-    title: metricbeat windows service
-    size: 3142x1834
-    type: image/png
-policy_templates:
-  - name: windows
-    title: Windows logs and metrics
-    description: Collect logs and metrics from Windows instances
-    inputs:
-      - type: winlog
-        title: 'Collect events from the following Windows event log channels:'
-        description: 'Collecting events from Windows event log'
-      - type: windows/metrics
-        title: Collect Windows perfmon and service metrics
-        description: Collecting perfmon and service metrics from Windows instances
-      - type: httpjson
-        title: Collect logs from third-party REST API (experimental)
-        description: Collect logs from third-party REST API (experimental)
-        vars:
-          - name: url
-            type: text
-            title: URL of Splunk Enterprise Server
-            description: i.e. scheme://host:port, path is automatic
-            show_user: true
-            required: true
-            default: https://server.example.com:8089
-          - name: username
-            type: text
-            title: Splunk REST API Username
-            show_user: true
-            required: true
-          - name: password
-            type: password
-            title: Splunk REST API Password
-            required: true
-            show_user: true
-          - name: ssl
-            type: yaml
-            title: SSL Configuration
-            description: i.e. certificate_authorities, supported_protocols, verification_mode etc.
-            multi: false
-            required: false
-            show_user: false
-owner:
-  github: elastic/integrations